Outbound TLS connections fail with certificate validation error
|Article:TECH134036|||||Created: 2010-01-18|||||Updated: 2010-10-19|||||Article URL http://www.symantec.com/docs/TECH134036|
|NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.|
Email messages to domains configured for TLS delivery are queued or delivered without encryption
2010 Jun 9 13:11:08 MDT (info) ecelerity:  Subject Common Name does not match host name
2010 Jun 9 13:11:08 MDT (info) ecelerity:  DNS Subject Alternative Name does not match host name
2010 Jun 9 13:11:08 MDT (notice) ecelerity:  ec_ssl_ctx 0x952d8f08 tls_verify_validca failed
The Brightmail Gateway MTA is failing to verify some otherwise valid TLS certificates. In some configurations this will cause negotiation of the transport layer security to fail.
This issue has been addressed with the Brightmail Gateway 9.0.2 release.
For earlier versions, as a workaround, TLS delivery can be configured to ignore failures in certificate validation.
- Log in to the Control Center as an administrator
- Select Protocols->Domains
- For each domain that reqiures TLS delivery
- Edit the domain
- Under "Delivery" in "TLS Encryption" select "Require TLS encryption and don't verify certificate" or "Attempt TLS encryption"
- Save your changes
The mta will attempt to validate the certificate but ignore failures and continue to negotiate an encrypted connection.
Article URL http://www.symantec.com/docs/TECH134036