If Encryption Management Server has mail proxies configured under Mail / Proxies in the administration console with TLS permitted, the mail log under Reporting / Logs / Mail in the administration console may contain a warning. There will be an information entry and a warning entry similar to the following, where mail.example.com is the DNS name of the mail proxy:
SMTP-12345: mail.example.com (DNS name) presented a TLS certificate with domain name (example.com), which does not match DNS name
SMTP-12345: remote TLS certificate: "CN=example.com" (issuer: "CN=example.com")
This means that there is a mismatch between the DNS name of the mail proxy and the CN (Common Name) of its TLS certificate. Valid TLS connections require that the DNS name matches either the CN or one of the SAN (Subject Alternative Name) entries of the certificate.
If there is no mismatch, only the information entry appears in the mail log. For example:
SMTP-12345: remote TLS certificate: "CN=mail.example.com" (issuer: "CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US")
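The following is an added example, not part of the original article or of the product: a small Python parser that pairs the warning and information entries shown above and reports, per connection, whether a mismatch was logged and whether the certificate's subject equals its issuer. It assumes the SMTP-<number> prefix identifies one connection; the sample lines are constructed from the article's format, and the wildcard handling in name_matches is a general hostname-matching rule, not confirmed product behaviour.

```python
import re

# Constructed sample lines in the format shown in the article (not real log data).
SAMPLE_LOG = """\
SMTP-12345: mail.example.com (DNS name) presented a TLS certificate with domain name (example.com), which does not match DNS name
SMTP-12345: remote TLS certificate: "CN=example.com" (issuer: "CN=example.com")
SMTP-12346: remote TLS certificate: "CN=mail.example.com" (issuer: "CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US")
"""

WARN_RE = re.compile(
    r'^(SMTP-\d+): (\S+) \(DNS name\) presented a TLS certificate '
    r'with domain name \(([^)]*)\), which does not match DNS name')
INFO_RE = re.compile(r'^(SMTP-\d+): remote TLS certificate: "([^"]*)" \(issuer: "([^"]*)"\)')

def name_matches(pattern, host):
    """Exact match, or a left-most single-label wildcard (assumed rule), case-insensitive."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def summarize(log_text):
    """Group entries by their SMTP-<number> prefix (assumed to be one connection)."""
    conns = {}
    for line in log_text.splitlines():
        if m := WARN_RE.match(line):
            c = conns.setdefault(m.group(1), {})
            c["dns_name"], c["cert_name"] = m.group(2), m.group(3)
        elif m := INFO_RE.match(line):
            c = conns.setdefault(m.group(1), {})
            c["subject"], c["issuer"] = m.group(2), m.group(3)
    report = {}
    for conn_id, c in conns.items():
        report[conn_id] = {
            **c,
            "warned": "dns_name" in c,
            # True when the two names in the warning line really do differ.
            "names_differ": "dns_name" in c and not name_matches(c["cert_name"], c["dns_name"]),
            # Subject equal to issuer, as in the article's mismatch sample.
            "self_issued": c.get("subject") is not None and c.get("subject") == c.get("issuer"),
        }
    return report

if __name__ == "__main__":
    for conn_id, fields in summarize(SAMPLE_LOG).items():
        print(conn_id, fields)
```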
If you have recently made changes to either of the following, you may see incorrect warnings in the Mail log:
The warning is incorrect if:
Symantec Encryption Management Server release 3.4.2 and above.
Restart the Encryption Management Server mail proxy service by doing the following in the administration console:
Alternatively, to restart just the mail proxy service, connect to the Encryption Management Server over SSH and enter the following command:
pgpsysconf --restart pgpuniversal