"Unable to send to the following addresses" error when sending an email from Enforce server via SMTP server that requires TLS

Article ID: 423077

Products

Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

When attempting to send an email, such as a report, from the Enforce server through an SMTP server that requires TLS, the send fails and the Enforce Console shows the error message "Unable to send to the following addresses".

The localhost log may report the following, or similar, errors:

19 Dec 2025 10:00:03,298- Thread: 101 SEVERE [com.vontu.enforce.mail.MailClient] 530 5.7.0 Must issue a STARTTLS command first

19 Dec 2025 10:00:03,298- Thread: 101 SEVERE [com.vontu.enforce.mail.MailClient] 503 5.7.0 encryption too weak 0 less than 128

Environment

16.1+

Cause

As the log shows, the Enforce server is not attempting TLS at all: it sends over a plaintext connection and the SMTP server rejects it (in the second message, "0 less than 128" is the encryption strength of the current session in bits, i.e. none). The Enforce server decides whether to use TLS with the SMTP server only once, when the SMTP configuration is saved in System -> Settings -> General. At that point it performs a connection test and, based on the result, saves the configuration as either TLS or non-TLS. There are two main reasons why the connection may be saved as non-TLS:

  1. The SMTP server did not support TLS at the time when the configuration was saved
  2. The Enforce server did not trust the certificate presented by the SMTP server at the time the configuration was saved. Checking and resolving this point is the focus of this KB.

To determine whether the second cause is the root of the issue, follow these steps:

  1. Since the connection check is only made when the configuration is saved, remove and re-add the SMTP settings in the Enforce Console. Go to System -> Settings -> General and click Configure, clear every field in the SMTP section, select "Do not allow sending of reports and alerts" and save the settings. Then return to the same page, fill all the SMTP details back in, select one of the sending options ("Send reports as links, login required to view" or "Send report data with emails") and save again.
  2. Attempt to send an email, for example a report.
  3. If it succeeds, the first cause listed above was the most likely culprit: the SMTP server now supports TLS, and re-saving the configuration let the connection test detect it.
  4. Otherwise, consult the localhost log for more details. By default it is written to C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\logs\tomcat and named localhost.YYYY-MM-DD.log, where YYYY-MM-DD is the current date. In the log, look for the following lines with a timestamp matching the settings save:

    19 Dec 2025 09:22:19,177- Thread: 130 WARNING [com.vontu.enforce.mail.MailClient] SMTP server connection test failed
    Cause:
    javax.mail.MessagingException: Could not convert socket to TLS;
      nested exception is:
      javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    This error indicates that the Enforce server was unable to establish a TLS connection with the SMTP server because certification path building failed: the JRE could not build a chain from the certificate the SMTP server presents to any trust anchor in its truststore (by default the JRE cacerts file). In most cases this means the Enforce server does not trust the certificate the SMTP server presents for incoming connections.

    Supporting evidence can be obtained with Wireshark by capturing a trace while the settings are saved. In the trace the TLS handshake fails with a "Certificate Unknown" alert (TLS alert 46), sent by the Enforce server right after the SMTP server's Certificate message, i.e. the client aborts the handshake because it cannot validate the server's certificate.
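The following PowerShell script is an added example and not part of this KB or of the DLP product: it reproduces the connection test that Enforce runs when the SMTP settings are saved (EHLO, STARTTLS, TLS handshake) so that cause 1 (no STARTTLS offered) can be told apart from cause 2 (certificate not trusted) without re-saving the configuration, and it exports every certificate the SMTP server presents so the CA certificate is at hand for the import below. The SMTP host, port and output folder are assumed inputs. Note the caveat in the code: the trust decision it reports comes from the Windows certificate store, while Enforce uses the JRE cacerts, so "trusted by Windows" does not imply "trusted by Java".

```powershell
# Added example, not part of the Broadcom KB: reproduce the SMTP connection test that
# Enforce performs when the SMTP settings are saved, and export the server's chain.
# Assumptions: run on the Enforce host; -SmtpServer, -Port and -OutDir are inputs.
param(
    [Parameter(Mandatory)] [string]$SmtpServer,
    [int]$Port = 25,
    [string]$OutDir = 'C:\temp'
)

$script:Chain = @()
$script:PolicyErrors = $null

function Read-SmtpReply($Reader) {
    # SMTP replies can span several lines: "250-..." continues, "250 ..." ends the reply.
    $lines = @()
    do { $line = $Reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
    return $lines
}

$tcp    = New-Object System.Net.Sockets.TcpClient($SmtpServer, $Port)
$net    = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($net)
$writer = New-Object System.IO.StreamWriter($net)
$writer.NewLine = "`r`n"
$writer.AutoFlush = $true

"Banner: $((Read-SmtpReply $reader) -join ' | ')"
$writer.WriteLine("EHLO $env:COMPUTERNAME")
$ehlo = Read-SmtpReply $reader
if (-not ($ehlo -match '^250[- ]STARTTLS')) {
    # Cause 1 from the KB: the server does not offer TLS, so Enforce saves a non-TLS config.
    $writer.WriteLine('QUIT'); $tcp.Close()
    throw "Cause 1: $SmtpServer does not advertise STARTTLS. EHLO reply: $($ehlo -join ' | ')"
}
$writer.WriteLine('STARTTLS')
$reply = Read-SmtpReply $reader
if ($reply[-1] -notmatch '^220') { $tcp.Close(); throw "STARTTLS refused: $($reply -join ' | ')" }

# Validation callback: record the presented chain and the Windows policy result. It
# returns $true so the handshake completes and the chain can be exported; the trust
# result is reported below instead of being enforced here.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:PolicyErrors = $sslPolicyErrors
    $script:Chain = @($chain.ChainElements | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData)
    })
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
$ssl.AuthenticateAsClient($SmtpServer)
"Negotiated $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"

if ($script:PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    # Cause 2 from the KB, as seen by Windows. Java will report 'PKIX path building failed'.
    "Windows does not trust this chain either: $script:PolicyErrors"
} else {
    "Windows trusts this chain. Enforce uses the JRE cacerts, not the Windows store,"
    "so Java can still fail with 'PKIX path building failed' until the CA is imported there."
}

# Export every certificate in the chain (leaf first, then the issuers the server sent or
# Windows could find) so the CA certificate can be imported into cacerts with keytool.
$i = 0
foreach ($cert in $script:Chain) {
    $path = Join-Path $OutDir ("smtp_chain_{0}.cer" -f $i)
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($path, $der)
    "[{0}] subject={1}`n    issuer={2}`n    saved to {3}" -f $i, $cert.Subject, $cert.Issuer, $path
    $i++
}
$ssl.Dispose()
$tcp.Close()
```

Run it as .\Test-SmtpStartTls.ps1 -SmtpServer smtp.example.com (a placeholder host name). The last certificate written whose subject equals its issuer is the root; if the server only sends the leaf, obtain the issuing CA certificate from the SMTP administrator as the Resolution section describes.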

Resolution

To resolve the issue, obtain the SMTP server certificate and import it into the default Java (JRE) truststore, cacerts. Alternatively, and preferably, import the root (or issuing CA) certificate that signed it: the server certificate is renewed periodically, while the CA certificate stays valid much longer. Coordinate this with either the SMTP server administrator or the Certificate Authority within the organization. Note that a JRE upgrade replaces the cacerts file, so the import has to be repeated after one.

  1. Place the certificate on the Enforce host. In this article a root certificate will be used as an example. It's placed in C:\temp with the name CA_root.cer
  2. Determine the JRE path used by DLP. In Windows this can be done by looking up the JREDirectory value in the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Data Loss Prevention\Enforce Server\<version>\Installation registry key. This article will use "C:\Program Files\AdoptOpenJRE\jdk8u422-b05-jre" path as an example
  3. Open Command Prompt as an administrator and change to the directory found in step 2
  4. Run the following command:
    .\bin\keytool -importcert -alias smtp_certificate -keystore .\lib\security\cacerts -file my-smtpcertificate.cer

    Replace smtp_certificate with a name of your choice, or leave it as-is. The alias only identifies the entry in the cacerts keystore and plays no role in certificate validation, but it must be unique (keytool refuses to import if the alias already exists) and must not contain spaces. Since this example imports a root certificate, the alias is renamed to ca_root_certificate for easy identification in the future.

    Replace my-smtpcertificate.cer with the full path to the certificate file. If the path contains spaces, enclose the full path in quotes. This example uses C:\temp\CA_root.cer.



  5. The command will prompt for the keystore password. The default cacerts password is "changeit" (without quotes)
  6. The command then asks whether the certificate should be trusted. Type "yes" and hit Enter
  7. If everything goes well the command will report "Certificate was added to keystore"



  8. Lastly, for DLP to trust the new certificate it is necessary to restart the Symantec DLP services in the right order as listed in the below KB:
    Restart DLP Enforce services in the correct order
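The following PowerShell script is an added example and not part of this KB or of the DLP product. It automates steps 2 to 7 above on a Windows Enforce host: it reads the JRE path from the Enforce installation registry key, checks that the alias is free, imports the certificate non-interactively, and verifies the import by comparing the SHA-256 fingerprint keytool reports with the fingerprint of the file. The certificate path, alias and keystore password are parameters (default "changeit"); it assumes the <version> subkeys under the Enforce Server registry key are dotted version numbers. The service restart in step 8 is deliberately left to the linked KB.

```powershell
# Added example, not part of the Broadcom KB: import a CA or server certificate into the
# JRE cacerts used by Enforce and verify the import by fingerprint.
# Assumptions: Windows Enforce host, DER or PEM certificate at -CertPath, default
# cacerts password "changeit". Service restart is not automated here.
param(
    [Parameter(Mandatory)] [string]$CertPath,
    [string]$Alias = 'ca_root_certificate',
    [string]$StorePass = 'changeit'
)

# Step 2: locate the JRE via the Enforce installation registry key. One <version>
# subkey exists per installed version; take the highest (assumes dotted version names).
$base = 'HKLM:\SOFTWARE\Symantec\Data Loss Prevention\Enforce Server'
$versionKey = Get-ChildItem $base | Sort-Object { [version]$_.PSChildName } | Select-Object -Last 1
$jre = (Get-ItemProperty (Join-Path $versionKey.PSPath 'Installation')).JREDirectory
$keytool = Join-Path $jre 'bin\keytool.exe'
$cacerts = Join-Path $jre 'lib\security\cacerts'
if (-not (Test-Path $keytool)) { throw "keytool not found at $keytool" }
"Enforce $($versionKey.PSChildName) uses JRE $jre"

# Fingerprint of the file about to be imported; X509Certificate2 reads DER or PEM.
# Formatted as keytool prints it: upper-case hex bytes separated by colons.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$expected = ($digest | ForEach-Object { $_.ToString('X2') }) -join ':'
"Importing '$($cert.Subject)' (SHA-256 $expected) as alias '$Alias'"

# keytool refuses to import into an existing alias, so check before importing.
& $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) {
    throw "Alias '$Alias' already exists in $cacerts; choose another alias or remove it with keytool -delete"
}

# Steps 4 to 7 in one non-interactive call: -storepass supplies the password and
# -noprompt answers "Trust this certificate?" with yes.
& $keytool -importcert -noprompt -alias $Alias -keystore $cacerts -storepass $StorePass -file $CertPath
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Verify: the SHA-256 fingerprint keytool lists for the alias must match the file.
$listed = & $keytool -list -v -keystore $cacerts -storepass $StorePass -alias $Alias
if ($listed -match [regex]::Escape($expected)) {
    "Verified: alias '$Alias' in $cacerts has fingerprint $expected"
} else {
    throw "Fingerprint mismatch for alias '$Alias':`n$($listed -join "`n")"
}
"Now restart the Enforce services in the order given in the KB above."
```

Run it from an elevated PowerShell prompt as .\Import-EnforceSmtpCert.ps1 -CertPath C:\temp\CA_root.cer. The verification step matters because keytool reports "Certificate was added to keystore" even when the wrong file was imported; matching the fingerprint confirms the trust anchor in cacerts is the one the SMTP server's chain leads to.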

Additional Information

Support for SMTP over TLS for Enforce Notifications was added in DLP 16.1:

Platform Features in DLP 16.1

Additional details on the certificate import can be found below:

Importing SSL Certificates to the Enforce Server or Detection Servers