Email Security 10.0.10 TLS changes
05/19/2021 3 People found this article helpful 31,807 Views
Email Security Version 10.0.10 has upgraded OpenSSL to Version 1.1.1i which is far more strict in terms of its verification and handshake.
This can cause TLS to fail if the mail server certificate is expired or incorrectly chained.
On HES, we always attempt TLS to downstream if downstream supports STARTTLS.
HES tries to establish a connection to the downstream, if it sees STARTTLS being configured.
The mail Server certificate has issues that causes our handshake to fail.
Although our TLS is opportunistic, it is only to see if STARTTLS is supported or not, once STARTTLS support is seen, we cannot revert to plain text.
This issue can occur for Hosted as well as On-prem Email Security customers and customers would need to ensure the mail server certificate is up to date and correct.
For On-prem Email security deployment in MTA mode, the symptoms may be that the messages appear to be stuck in the MTA and cannot deliver.
Check the mail server certificate and ensure it is not expired and ensure it is chained including the Root CA Cert and intermediate certificates.
To allow mail flow to resume while you fix the Mail Sever Certificate you can turn off TLS at the mail server until the new certificate is in place.
Was This Article Helpful?