search cancel

Encryption Management Server does not support SMTP TLS authentication using a client certificate


Article ID: 213702


Updated On:


Encryption Management Server Encryption Management Server Powered by PGP Technology Gateway Email Encryption Gateway Email Encryption Powered by PGP Technology


During an SMTP TLS handshake, the remote MTA (message transfer agent) may issue a Certificate Request:

Usually, Certificate Request is not part of the SMTP TLS handshake:

If an MTA issues a Certificate Request, Encryption Management Server sends a zero length certificate:


Encryption Management Server does not support Certificate Requests during the SMTP TLS handshake. Therefore, in compliance with section 7.4.6 of RFC 5246, it sends a zero length certificate:

If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate list structure has a length of zero.


Symantec Encryption Management Server 3.4.2 and above.


Since Encryption Management Server does not send its certificate in response to Certificate Requests, if you require a certificate to be sent you will need to configure Encryption Management Server to proxy to an MTA that does send its certificate.

MTAs such as Postfix can be configured to send client certificates though note that by default, Postfix does not have this functionality enabled:

Client certificates are not usually needed, and can cause problems in configurations that work well without them.

Note that Encryption Management Server 3.4.2 MP2, 3.4.2 MP3, 3.4.2 MP4, 3.4.2 MP5, 10.5 and 10.5 MP1 cannot proxy to an MTA that issues Certificate Requests. This was resolved in release 10.5 MP2. Please see article 214990 for further details.

Additional Information