Exchange 2003, Brightmail and TLS
Created: 14 Sep 2012 | Updated: 18 Sep 2012 | 17 comments
Hello All
We have a request for inbound and outbound email encryption and our client uses TLS.
We have TWO Exchange 2003 servers with one SMTP connector forwarding email traffic to Brightmail (192.168.55.10).
I have created a second connector with TLS enabled, pointing to the Brightmail (192.168.55.10) for domain abc.com at cost 2; however, the primary connector on Exchange changes from active to retry. Any ideas?
We are not licensed for Content Encryption on Brightmail and are not able to use this feature. Is there a trial key I can download and use?
Thank You
Hello,
First of all, you need to accept mail from the second connector. If the second connector has a different IP than the first one, you need to enter it in Brightmail (Administration/Configuration/SMTP/Outbound/Non-Local Mail Acceptance).
Second, if the domain you mentioned (abc.com) is not in the list of Brightmail domains, Brightmail will reject. So add the domain if it is not in the list (Protocols/Domains).
Finally, you need to create a self-signed certificate or import a public certificate into Brightmail for sending and accepting emails with TLS (Administration/Certificates).
After you have created it, you also need to select the certificate for inbound and outbound connections (Administration/Configuration/SMTP/Inbound|Outbound/Use TLS).
There are also some other options about TLS under Administration/Configuration/SMTP/Advanced.
By the way, please check the Message Audit Logs to see what happened to the messages from the Brightmail side.
Regards,
Oykun
The second connector has the same IP address and it forwards to Brightmail.
The domain abc.com is in Protocols > Domains.
We have purchased a certificate from GlobalSign; do we need to apply this to Brightmail? We don't have the Content Encryption license for Brightmail and that's why I am trying to configure Exchange 2003.
I assume if I have the Content Encryption license on Brightmail, I don't need to do anything on Exchange?
Hello,
You can use TLS in Brightmail. Content Encryption is a different thing and not related to TLS.
So you can use it in Brightmail if you don't need to start TLS from Exchange.
I need a certificate for inbound; do I only purchase this for the domain I am going to send from (abc.com)?
You buy one for the domain your scanner HELO/EHLOs as.
So I have a certificate for smtp1.example.com which matches the MTA Hostname of smtp1.example.com under Admin, Config, SMTP, Advanced Settings.
Test with a self-signed certificate and look at http://www.checktls.com/ to validate.
Thanks Cricket17.
We have 2 sets of MX record one for LIVE and ONE for DR.
Mail1.abc.com (Pointed to LIVE Scanner)
Mail2.abc.com (Points to DR Scanner)
Will I need one for Mail1.abc.com and one for Mail2.abc.com?
Yes, each scanner needs a certificate that matches its hostname
I have now created a self-signed certificate and configured the scanner for TLS; however, when I run a test using checktls.com I see the attached (see attached screenshot). There are failures on the certificate. Do all these need to be green for mail2?
You don't want to perform TLS with a self-signed certificate. You need a certificate authority signed cert.
I have generated a CSR from Certificates > HTTPS/TLS on Brightmail; when I paste the CSR into GlobalSign I receive an error:
Key length error
What type of cert do I need? Domain SSL?
Do I need to configure anything on Exchange?
Really appreciate your input guys
Just a plain old SSL cert
By the way, if you have a certificate for *.abc.com, you can also use that.
Regards,
Oykun
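The checktls.com test suggested earlier in the thread, and the wildcard-certificate point just above, can be reproduced locally. The script below is an added example and is not Brightmail, Symantec or forum code: it speaks SMTP to a scanner, upgrades with STARTTLS, verifies the certificate chain against the local CA store (a self-signed certificate fails at this step, which is what the red checktls.com rows mean), and then checks the presented names against the host name, applying the usual wildcard rule so that *.abc.com covers mail1.abc.com and mail2.abc.com but not abc.com itself. The host names, the EHLO name probe.example.invalid and the sample certificate fields in the test are constructed for illustration.

```python
"""STARTTLS probe for an SMTP scanner, in the spirit of the checktls.com test.
Added example; not Brightmail or Symantec code. Host names are placeholders."""
import smtplib
import ssl
import sys


def cert_names(cert):
    """DNS names a server presents, from the dict SSLSocket.getpeercert() returns:
    subjectAltName DNS entries, falling back to the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def hostname_matches(names, hostname):
    """True if hostname matches one presented name: an exact match, or a wildcard
    whose '*' stands for the whole left-most label only, so *.abc.com covers
    mail1.abc.com but neither abc.com nor a.b.abc.com."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                   # ".abc.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def probe_starttls(host, port=25, timeout=20):
    """EHLO, STARTTLS, then report whether the chain verifies against the local
    CA store and whether the certificate names match `host`. These are the two
    checks a self-signed or mis-named scanner certificate fails."""
    report = {"starttls": False, "chain_ok": False, "name_ok": False,
              "names": [], "error": None}
    ctx = ssl.create_default_context()     # CA verification on: self-signed fails here
    ctx.check_hostname = False             # name check is done explicitly below
    try:
        # probe.example.invalid is a constructed EHLO name
        with smtplib.SMTP(host, port, local_hostname="probe.example.invalid",
                          timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return report              # scanner does not advertise STARTTLS
            report["starttls"] = True
            try:
                smtp.starttls(context=ctx)
            except ssl.SSLCertVerificationError as exc:
                report["error"] = "chain verification failed: " + exc.verify_message
                return report
            report["chain_ok"] = True
            report["names"] = cert_names(smtp.sock.getpeercert())
            report["name_ok"] = hostname_matches(report["names"], host)
    except (OSError, smtplib.SMTPException) as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    # mail1.abc.com is the placeholder MX name used in the thread
    target = sys.argv[1] if len(sys.argv) > 1 else "mail1.abc.com"
    print(probe_starttls(target))
```

Run it once against each scanner (mail1.abc.com and mail2.abc.com): `starttls` false means the Use TLS setting is not active on that listener, `chain_ok` false with a verification error means the scanner still presents a self-signed or untrusted certificate, and `name_ok` false means the certificate was issued for a name other than the one the MX record points at.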
Thank you for your help on this guys.
I have now created a certificate and uploaded it to the scanner; however, when I enable TLS in SMTP inbound and outbound, no one in the organisation is able to send emails.
It seems like it's trying to send all emails encrypted. I have checked the advanced options and "try sending all emails TLS" is not enabled/checked.
Please advise?
Are you running SMG version 10.0.0-6? If so, you need to upgrade to 10.0.0-7.
We are on Version 9.5.3.3
Just in case someone has a similar issue.
After spending several hours trying to figure out why the SMTP connector was going to retry status, in the end it was the Symantec configuration. I logged a call with Symantec and one of the tech guys had a look but didn't have a clue.
So last night, after creating an SMTP connector in Exchange and enabling TLS, none of this worked.
In Administration > Configuration > Hostname > SMTP:
Even though I had TLS enabled on all THREE tabs (Inbound/Outbound/Authentication), I hadn't enabled 'Request Client Certificate' and 'Request TLS Encryption'. Now both are enabled and there are no failures.
I used checktls.com to send an outbound email, this failed even though i had enabled TLS for the domain in Protocols>Domains
I created an inbound/outbound content policy
If text in From/To/Cc/Bcc Address part of the message contains 1 or more occurrences of "xyz.com"
Action: Attempt to deliver message with TLS encryption (Attempt TLS Encryption)
And this worked!
Thank you for your input.