After installing a new TLS certificate on a network interface of Encryption Management Server and deleting the old certificate, errors and warnings like this are generated in the Mail log:
SMTP-12345: SMTP service on 10.1.2.3:25 will not use TLS because there is no usable authentication key
SMTP-12345: Couldn't re-read TLS key: item not found
The Encryption Management Server mail proxy service does not restart automatically after TLS certificate changes.
Symantec Encryption Management Server 3.4.2 and above.
Restart services. From the administration console:
Alternatively, if you do not want to restart all services and have ssh access to the server, you can restart just the mail proxy service by running this command:
pgpsysconf --restart pgpuniversal
Note that by default, the mail proxy service is set to attempt TLS but not require it.