Some TLS connections fail when the "Request client certificate" option is checked

Article ID: 229734

Products

Messaging Gateway

Issue/Introduction

Following the upgrade to Messaging Gateway (SMG) 10.7.5, connections from mail servers that were previously able to send to SMG now show the action "Rejected message by MTA, TLS on reception enforced", even though TLS-secured delivery is not required by the SMG configuration.

Environment

Release : 10.7.5

Component :

Cause

Since the 10.7.5 release, Messaging Gateway has been stricter about certificate validation, including validation of client certificates supplied by servers sending to Messaging Gateway. When requesting a client certificate from a sending server:

  • If no client certificate is supplied by the sending server, TLS is negotiated without client authentication
  • If a client certificate is supplied but fails validation or is otherwise untrusted, TLS negotiation fails
  • If a client certificate is supplied and is both valid and trusted, TLS negotiation proceeds

In many cases, an SMTP server sending to Messaging Gateway may present a client certificate that is not trusted by Messaging Gateway, which prevents TLS from proceeding.
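The three outcomes listed above can be reproduced with a small loopback TLS harness. The following Go program is an added example, not part of this article and not SMG code: it uses Go's crypto/tls, whose VerifyClientCertIfGiven mode is used here to model a receiver that requests a client certificate but does not require one, and NoClientCert to model the setting unchecked (the Resolution below). The test CA, the "trusted-mta.example" and "untrusted-mta.example" certificates, and the 5-second deadline are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue mints a throwaway certificate for cn (constructed test data, not SMG material):
// self-signed when parent is nil, otherwise signed by parent/parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey crypto.Signer) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Test PKI: a CA the receiving MTA trusts, a server and a sender certificate it
// issued, and a self-signed sender certificate that chains to nothing trusted.
var (
	ca           = issue("Example Test CA", true, nil, nil)
	trustPool    = x509.NewCertPool()
	serverCert   = issue("localhost", false, ca.Leaf, ca.PrivateKey.(crypto.Signer))
	trustedMTA   = issue("trusted-mta.example", false, ca.Leaf, ca.PrivateKey.(crypto.Signer))
	untrustedMTA = issue("untrusted-mta.example", false, nil, nil)
)

func init() { trustPool.AddCert(ca.Leaf) }

// handshake runs one TLS handshake over loopback TCP and returns the receiving side's
// verdict. clientAuth models the "Request client certificate" setting; a nil
// clientCert models a sender that offers no certificate at all.
func handshake(clientAuth tls.ClientAuthType, clientCert *tls.Certificate) error {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   clientAuth,
		ClientCAs:    trustPool, // a client certificate is trusted only if it chains to this pool
	}
	clientCfg := &tls.Config{RootCAs: trustPool, ServerName: "localhost"}
	if clientCert != nil {
		// Present the certificate whatever CA list the server advertises, as a sending MTA
		// with a fixed certificate does; the Certificates field would withhold an unlisted issuer.
		clientCfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return clientCert, nil
		}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(conn, serverCfg).Handshake()
		}
		verdict <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	// The client-side result is ignored: under TLS 1.3 the client can finish its own
	// handshake before the server has rejected the certificate it sent.
	_ = tls.Client(raw, clientCfg).Handshake()
	return <-verdict
}

func main() {
	for name, cert := range map[string]*tls.Certificate{"none": nil, "trusted": &trustedMTA, "untrusted": &untrustedMTA} {
		fmt.Printf("sender cert %-9s requested: %v | not requested: %v\n", name,
			handshake(tls.VerifyClientCertIfGiven, cert), handshake(tls.NoClientCert, cert))
	}
}
```

With the certificate requested, the sender with no certificate and the sender with the trusted certificate both complete the handshake, while the self-signed sender fails with an "unknown authority" verification error; with the request disabled, the receiver never asks, so all three connect. The server-side verdict is what matters, because that is the side that logs the rejection.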

Resolution

This issue may be resolved by unchecking the "Request client certificate" checkbox under Administration > Configuration > host > SMTP > Inbound.