SMTP TLS negotiation fails for inbound connections to Encryption Management Server

Article ID: 215519

Products

Gateway Email Encryption
Gateway Email Encryption Powered by PGP Technology
Encryption Management Server
Encryption Management Server Powered by PGP Technology

Issue/Introduction

Inbound mail to Encryption Management Server fails with the following error, where 10.10.10.10 is the IP address of the MTA that routes inbound mail to Encryption Management Server:

TLS negotiation with [10.10.10.10] failed: the remote system violated the TLS handshake sequence

Cause

Encryption Management Server 3.4.2 MP5 and above supports these SMTP TLS cipher suites:

OpenSSL Description    IANA Description
AES256-GCM-SHA384      TLS_RSA_WITH_AES_256_GCM_SHA384
AES256-SHA256          TLS_RSA_WITH_AES_256_CBC_SHA256
AES256-SHA             TLS_RSA_WITH_AES_256_CBC_SHA
AES128-GCM-SHA256      TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA256          TLS_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA             TLS_RSA_WITH_AES_128_CBC_SHA
DES-CBC3-SHA           TLS_RSA_WITH_3DES_EDE_CBC_SHA

If the remote MTA does not support any of the above cipher suites, the TLS handshake fails and the error above is logged.
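As an added diagnostic that is not part of this article or the product: the script below checks whether an MTA can agree on one of the cipher suites listed above. It does an offline comparison of a cipher list you already have (from the MTA's configuration or a scan) against the list in the table, and a live STARTTLS probe of the MTA that offers only those suites. The live probe exercises the MTA's server-side TLS policy as a stand-in for its outbound policy, which some MTAs configure separately; the hostname is an assumed placeholder.

```python
"""Check whether an MTA shares a cipher suite with Encryption Management Server."""
import smtplib
import ssl

# Cipher suites from the article (OpenSSL name -> IANA name), in the listed order.
EMS_CIPHERS = {
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES256-SHA256":     "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "AES256-SHA":        "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES128-SHA256":     "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-SHA":        "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA":      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
_IANA_TO_OPENSSL = {iana: ossl for ossl, iana in EMS_CIPHERS.items()}


def common_ciphers(remote_offered):
    """Offline check: the suites from the table that the remote MTA also offers
    (names in OpenSSL or IANA form), returned in the table's order."""
    offered = {_IANA_TO_OPENSSL.get(name, name) for name in remote_offered}
    return [suite for suite in EMS_CIPHERS if suite in offered]


def ems_client_context():
    """TLS client context that offers only the table's suites, so a handshake
    succeeds only if the remote MTA accepts at least one of them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # diagnostic only: testing cipher overlap, not trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # the listed suites are TLS 1.2 RSA suites
    ctx.set_ciphers(":".join(EMS_CIPHERS))          # unknown names are ignored by OpenSSL
    return ctx


def probe_starttls(host, port=25, timeout=10):
    """Live check: EHLO, then STARTTLS with the restricted context. Returns the
    negotiated suite, or the reason the handshake (or STARTTLS) failed."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return {"ok": False, "reason": "remote MTA does not advertise STARTTLS"}
            smtp.starttls(context=ems_client_context())
            name, version, _bits = smtp.sock.cipher()
            return {"ok": True, "cipher": name, "iana": EMS_CIPHERS.get(name), "version": version}
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "reason": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    print(probe_starttls("mta.example.internal"))   # assumed placeholder hostname
```

An empty list from common_ciphers, or a probe result whose reason is a handshake failure, is the condition this article describes.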

Environment

Symantec Encryption Management Server 3.4.2 MP5 and above.

Resolution

Route inbound mail to Encryption Management Server from an MTA that supports at least one of the above cipher suites.

If the MTA belongs to a third party, you may have to add a product such as Symantec Messaging Gateway to the mail flow. For example, change the mail flow from this:

Third party MTA -> Internet -> Encryption Management Server -> Internal recipient MTA

to this:

Third party MTA -> Internet -> Symantec Messaging Gateway -> Encryption Management Server -> Internal recipient MTA

Additional Information

EPG-23363