NSX Defender - Custom client-side SSL/TLS certificates for SMTP delivery

Article ID: 333585

Products

VMware

Issue/Introduction

When full MTA email analysis is enabled on an NSX Lastline Sensor, the sensor will deliver analyzed emails to the next hop, optionally using SSL/TLS.

The default SSL certificate the SMTP server presents is self-signed. If needed, it can be replaced manually with a custom certificate by following these steps:

  1. Install the certificate at /etc/ssl/certs/<hostname>.pem
    • ensure the file has 644 permissions
  2. Install the certificate key at /etc/ssl/private/<hostname>.key (make sure it is readable by group "ssl-cert")
    • ensure the file has 644 permissions
  3. Add the following to /etc/appliance-config/override.yaml:
    llmail::ssl_client_cert_file: "/etc/ssl/certs/<hostname>.pem"
    llmail::ssl_client_key_file: "/etc/ssl/private/<hostname>.key"
  4. Run:
    lastline_apply_config

The certificate and key must be in PEM format (Base64-encoded ASCII). For examples of the certificate and key layout, see the other files in the same directories.

"<hostname>" should be the hostname for which the SSL certificate has been generated.
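The following pre-flight script is an added example, not part of the article or of the appliance's own tooling. Before lastline_apply_config is run, it checks that the two files are well-formed PEM blocks, reports the key's mode and group owner so they can be compared against the article's requirements (644, readable by group "ssl-cert"), confirms that override.yaml carries both llmail keys with paths that exist, and, when openssl is installed, verifies that the certificate and private key belong together. The function names, the hostname mail.example.com and the placeholder files written by make_sample are assumptions; the placeholders are constructed for the demo and are not real key material, so the openssl match check reports no match on them. GNU or BusyBox stat is assumed for the mode/group lookup.

```shell
#!/bin/sh
# Pre-flight checks for the custom SMTP certificate steps in the article.
# Assumptions (ours, not from the article): all function names, the sample
# hostname mail.example.com, and the placeholder PEM files, which are
# constructed here and are not real certificates. GNU/BusyBox stat is assumed.
set -u

# 0 if $1 is a PEM block of kind $2 (CERTIFICATE or PRIVATE KEY):
# BEGIN line, non-empty base64 body, matching END line.
pem_looks_valid() {
    f="$1"; kind="$2"
    [ -r "$f" ] || return 1
    head -n 1 "$f" | grep -q "^-----BEGIN .*${kind}-----$" || return 1
    tail -n 1 "$f" | grep -q "^-----END .*${kind}-----$" || return 1
    body=$(sed '1d;$d' "$f" | tr -d '\r\n')
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d >/dev/null 2>&1
}

# Octal mode and group owner, for comparing against the article's requirements
# (mode 644, key readable by group ssl-cert).
file_mode()  { stat -c '%a' "$1"; }
file_group() { stat -c '%G' "$1"; }

# 0 if $1 carries both llmail keys and each quoted path exists.
override_has_llmail_keys() {
    yaml="$1"
    for key in llmail::ssl_client_cert_file llmail::ssl_client_key_file; do
        line=$(grep "^${key}:" "$yaml") || return 1
        path=$(printf '%s' "$line" | sed 's/^[^ ]*: *//; s/^"//; s/" *$//')
        [ -f "$path" ] || return 1
    done
}

# 0 if the certificate's public key equals the one derived from the private key
# (needs openssl); 2 if openssl is unavailable, so callers can report "not checked".
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Write constructed sample files into $1: placeholder cert/key with the
# article's 644 mode, an override.yaml, and one deliberately broken PEM.
make_sample() {
    d="$1"; host="mail.example.com"
    body=$(printf 'constructed placeholder, not real key material' | base64)
    printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$body" > "$d/$host.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n' "$body" > "$d/$host.key"
    chmod 644 "$d/$host.pem" "$d/$host.key"
    printf -- '-----BEGIN CERTIFICATE-----\n%s\n' "$body" > "$d/broken.pem"   # no END line
    printf 'llmail::ssl_client_cert_file: "%s"\nllmail::ssl_client_key_file: "%s"\n' \
        "$d/$host.pem" "$d/$host.key" > "$d/override.yaml"
}

# Run every check against the sample files and print a short report.
demo() {
    d=$(mktemp -d); make_sample "$d"; host="mail.example.com"
    pem_looks_valid "$d/$host.pem" CERTIFICATE && echo "cert: PEM structure ok" || echo "cert: bad PEM"
    pem_looks_valid "$d/$host.key" "PRIVATE KEY" && echo "key: PEM structure ok" || echo "key: bad PEM"
    echo "key: mode $(file_mode "$d/$host.key"), group $(file_group "$d/$host.key") (article wants 644, group ssl-cert)"
    override_has_llmail_keys "$d/override.yaml" && echo "override.yaml: both llmail keys present" || echo "override.yaml: key missing or path absent"
    cert_matches_key "$d/$host.pem" "$d/$host.key"
    case $? in
        0) echo "cert/key: match" ;;
        2) echo "cert/key: openssl not found, not checked" ;;
        *) echo "cert/key: no match (expected for the placeholder files)" ;;
    esac
    rm -rf "$d"
}
demo
```

Point the functions at the real paths (/etc/ssl/certs/<hostname>.pem, /etc/ssl/private/<hostname>.key, /etc/appliance-config/override.yaml) on the sensor to check an actual installation. The group check is the one that decides whether llmail can read the key; note that the 644 mode the article specifies also makes the key readable by every local account on the appliance, so confirm that is acceptable for the host before applying the configuration.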