Messaging Gateway

  • 1.  SMG 9.5.2 and TLS

    Posted Dec 29, 2011 10:09 AM

    Hi All,

    We currently use SMG to filter inbound emails only, but want to use it as an outbound gateway for TLS encryption.  I've purchased and installed an SSL certificate, set up my domains to send to in the Protocols>Domains section, deselected the Local Delivery checkbox etc, but still get bounce messages when sending:

    Diagnostic-Code: smtp; 553 This route requires encryption (TLS)

    And I've also seen emails queuing in the delivery queue saying:

    451 4.7.6 [internal] STARTTLS required but not advertised

    The way it's configured is that the email connector is set to deliver any domains we require TLS encryption for via the Brightmail box.  This is working, as I can see the mails on the SMG box.  However, I can't work out where the issue lies as to why mails bounce back to me from the SMG.  I've tried running a malquery, but get no hits.  Do I need to set TLS on my Exchange connector? And is the sending of TLS email part of the separately licensed content encryption?  I'm really struggling here, so any suggestions would be welcome!  We can receive TLS mail no problems.

    A



  • 2.  RE: SMG 9.5.2 and TLS

    Posted Dec 29, 2011 11:45 AM

    Try http://www.checktls.com/ to verify that the external recipient's mail system actually supports TLS.

    I'm confused by "setup my domains to send to in the Protocols>Domains section". Are you referring to the domains (not yours) that you are sending outbound to?

    You didn't need a certificate if you are SENDING mail that requires TLS. You'd only need the cert if you are ACCEPTING inbound mail. 



  • 3.  RE: SMG 9.5.2 and TLS

    Posted Jan 17, 2012 09:39 PM

    We've had this exact same problem, but unfortunately support weren't able to provide much information.

    It appears that this is actually by design rather than simply not working.

    The important issue here is to distinguish between TLS and SSL. While SSL and TLS are very similar, in practice they are usually implemented quite differently. SSL is implemented on a separate port from the non-secure version of the protocol (443 for HTTPS, 587 for SMTPS submission between servers etc.). TLS is implemented on the same port as the non-secure version (25 for SMTP TLS etc.).

    Brightmail only supports the latter form of communication and so tries to establish a connection to the recipient's SMTP server on port 25, and then issues the STARTTLS command. Unfortunately most organisations have not implemented or updated a gateway that supports this command, so Brightmail will return an error.

    Brightmail only supports the sending and receiving of TLS SMTP traffic (port 25), not SSL SMTP traffic (port 587).
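The "STARTTLS required but not advertised" queue message in the first post and the port-25 STARTTLS behaviour described in the third can be checked without the gateway in the loop. The script below is an added example, not code from this thread or from Symantec/Brightmail: it parses an EHLO reply for the STARTTLS extension (using constructed sample replies, not captured from any real server) and, for a live check, connects to a recipient MX on port 25 with Python's standard `smtplib` to see whether STARTTLS is offered and whether the handshake completes. The hostnames `mail.example.test` and `gateway.example.test` are placeholders.

```python
"""Check whether a recipient SMTP server advertises STARTTLS on port 25 (added example)."""
import smtplib
import ssl

# Constructed sample EHLO replies (assumed format per RFC 5321; not from a real server).
EHLO_WITH_STARTTLS = b"""250-mail.example.test Hello gateway.example.test
250-SIZE 52428800
250-STARTTLS
250-8BITMIME
250 OK"""

EHLO_WITHOUT_STARTTLS = b"""250-mail.example.test Hello gateway.example.test
250-SIZE 52428800
250-8BITMIME
250 OK"""


def parse_ehlo_extensions(response: bytes) -> dict:
    """Turn a multi-line EHLO reply into {EXTENSION: parameters}.

    The first line is the server greeting and carries no extension; every
    following line is '250-KEYWORD [params]' or, for the last line,
    '250 KEYWORD [params]'.
    """
    extensions = {}
    lines = response.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue  # not part of a successful EHLO reply
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def advertises_starttls(response: bytes) -> bool:
    """True if the EHLO reply lists STARTTLS, i.e. opportunistic TLS is possible."""
    return "STARTTLS" in parse_ehlo_extensions(response)


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to `host` on the plain SMTP port, EHLO, and try to upgrade to TLS.

    Mirrors what a gateway that only does STARTTLS-on-25 must succeed at:
    if STARTTLS is not advertised, a 'require TLS' route can only fail.
    Network call; not exercised by the offline test.
    """
    result = {"host": host, "starttls_advertised": False, "tls_ok": False, "detail": ""}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["detail"] = "STARTTLS required but not advertised"
                return result
            result["starttls_advertised"] = True
            # Default context verifies the server certificate against the system trust store.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
            result["tls_ok"] = True
            result["detail"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["detail"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(live_starttls_check(sys.argv[1]))
    else:
        for sample in (EHLO_WITH_STARTTLS, EHLO_WITHOUT_STARTTLS):
            print("STARTTLS advertised:", advertises_starttls(sample))
```

Run it with a recipient MX hostname as the argument to get the same answer the gateway gets on port 25; a result of `starttls_advertised: False` explains a 451 "not advertised" deferral, while `starttls_advertised: True` with `tls_ok: False` points at a certificate or handshake problem on the remote side rather than a missing extension.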