1. GPCC version 6.14.0 and higher
2. Greenplum Database cluster using SMTP for alert email notifications
Cause

Starting with GPCC 6.14.0, the Command Center enforces TLS 1.2 or higher for all outbound SMTP mail connections to enhance security compliance.​

This error can occur if:

• The target SMTP mail server supports only TLS 1.0 or 1.1, which are deprecated.
• There are invalid or expired certificates on either the GPCC host or the mail server.
• A cipher suite mismatch prevents negotiation of a secure session.
• Intermediary network devices (firewalls, SSL interceptors) block modern TLS connections.​

​

1. Verify supported TLS versions on the mail server. Run the following command from the GPCC host:

• openssl s_client -connect [mail.server.address]:[port] -starttls smtp

2. Check for the Protocol: field in the output.

• If it reports TLSv1 or TLSv1.1, the mail server must be upgraded or reconfigured to support TLSv1.2 or higher.

3. Validate the certificate chain. Use OpenSSL to inspect certificates:

• openssl s_client -connect [mail.server.address]:[port] -showcerts -starttls smtp

4. Ensure that:

• Certificates are not expired.
• The full chain (root → intermediate → server) is trusted by GPCC.
• The certificate’s Common Name (CN) or SAN matches the mail server’s hostname.

5. Check for intermediary TLS interception

• If your environment includes a proxy or anti-malware gateway inspecting SMTP traffic, ensure it allows TLS 1.2 passthrough to the upstream mail server.

6. Restart GPCC after reconfiguration
Once the mail server supports TLS 1.2+ and certificates are valid, restart the GPCC web and metric services.