Email Security 10.0.10 TLS changes

Description

Email Security version 10.0.10 upgrades the bundled OpenSSL to version 1.1.1i, which is considerably stricter during the TLS handshake and in how it verifies the peer's certificate chain.


Cause

With the stricter OpenSSL, the TLS handshake to a downstream mail server fails if that server's certificate has expired or if its certificate chain is incomplete or incorrectly built.

On Hosted Email Security (HES), delivery to the downstream mail server always attempts TLS when the downstream advertises STARTTLS: HES connects, reads the EHLO response, and issues STARTTLS whenever it is offered. If the mail server's certificate has problems, that handshake fails.

The TLS here is opportunistic only in the sense that HES checks whether STARTTLS is supported. Once the downstream advertises STARTTLS, HES does not fall back to plain text, so a failed handshake means the message is not delivered.


This issue can affect both Hosted and On-prem Email Security customers; in either case the mail server certificate must be current and correctly chained.

For an On-prem Email Security deployment in MTA mode, the typical symptom is messages stuck in the MTA queue that cannot be delivered.


Resolution

Check the mail server certificate: make sure it has not expired, and make sure the server presents the complete chain (the intermediate certificates and the Root CA certificate) so that the chain can be verified.

To allow mail flow to resume while you fix the mail server certificate, you can temporarily turn off TLS (STARTTLS) on the mail server until the new certificate is in place. While TLS is disabled, mail between Email Security and the mail server travels in the clear, so keep that window short.
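The following script is an added example, not SonicWall's code, for checking a downstream mail server the same way the Cause section describes: connect on SMTP, issue STARTTLS, and let OpenSSL verify the certificate chain. It assumes the openssl command-line tool is installed for the live probe and uses mail.example.com as a placeholder host; the three transcripts at the bottom are constructed samples (not captured from a real server) so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not SonicWall's code): reproduce the STARTTLS handshake that
# Email Security performs against a downstream mail server and classify the
# OpenSSL verify result so the right fix (renew vs. complete the chain) is clear.

# probe_starttls HOST [PORT]: open SMTP, issue STARTTLS, print the s_client
# transcript (handshake details, the certificates the server sent, and the
# "Verify return code: N (...)" summary line).
probe_starttls() {
    host="$1"; port="${2:-25}"
    # -verify_return_error aborts on a chain error instead of continuing, which
    # mirrors a strict client; -showcerts dumps every certificate the server sent.
    openssl s_client -starttls smtp -connect "$host:$port" -servername "$host" \
        -showcerts -verify_return_error </dev/null 2>&1 || true
}

# verify_code TRANSCRIPT: print the numeric X509 verify result, or "none" when
# the transcript has no result (STARTTLS refused, connection dropped early).
verify_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${code:-none}"
}

# chain_depth TRANSCRIPT: number of certificates the server actually sent.
# 1 means the leaf only, i.e. the intermediate was never installed on the server.
chain_depth() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# diagnose TRANSCRIPT: map the verify result to the remediation in this article.
diagnose() {
    code=$(verify_code "$1"); depth=$(chain_depth "$1")
    case "$code" in
        0)     echo "OK: chain verified, STARTTLS delivery will work" ;;
        10)    echo "EXPIRED: renew the server certificate (verify code 10)" ;;
        20|21) echo "CHAIN: $depth cert(s) sent, intermediate missing (verify code $code)" ;;
        18|19) echo "UNTRUSTED: self-signed or private CA not trusted (verify code $code)" ;;
        none)  echo "NO RESULT: STARTTLS refused or handshake aborted before verification" ;;
        *)     echo "FAIL: verify return code $code" ;;
    esac
}

# Constructed sample transcripts (not from a real server) for trying the helpers
# offline. Against a live host: diagnose "$(probe_starttls mail.example.com)"
SAMPLE_EXPIRED='CONNECTED(00000003)
depth=0 CN = mail.example.com
verify error:num=10:certificate has expired
-----BEGIN CERTIFICATE-----
MIIB...constructed-leaf...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...constructed-intermediate...
-----END CERTIFICATE-----
    Verify return code: 10 (certificate has expired)'

SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
-----BEGIN CERTIFICATE-----
MIIB...constructed-leaf...
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)'

SAMPLE_NO_TLS='CONNECTED(00000003)
write:errno=104'

diagnose "$SAMPLE_EXPIRED"
diagnose "$SAMPLE_LEAF_ONLY"
diagnose "$SAMPLE_NO_TLS"
```

Verify codes 20 and 21 together with a chain depth of 1 point at the server configuration (the intermediate certificate is not being sent), whereas code 10 points at the certificate itself; in both cases the fix is on the mail server, not in Email Security.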
