Messaging Gateway

  • 1.  451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 01, 2010 06:34 AM

    Dear All,

    I configured TLS on my brightmail gateway v9.0 using a CA certificate.

    When I set my brightmail to Attempt TLS everything works, however when I enforce TLS by creating a non-local domain and set the Require TLS and don't verify certificate, the mail get stuck in delivery with this error :

    451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    This is happening to only one domain, all the others set are working fine

    Can you help ?



  • 2.  RE: 451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 01, 2010 10:33 AM

    http://www.checktls.com/testreceiver.html   Enter an email address in the box on the left.


    Also from the SBG Support login, try this, which will show you what SBG is seeing

    openssl s_client -connect <remote_MTA_Host_or_IP>:25 -crlf -CAfile /usr/share/ssl/certs/ca-bundle.crt -starttls smtp



  • 3.  RE: 451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 02, 2010 07:23 AM

    I've used the URL above and both my mail server and the supplier mail server got the same result. What bothered me is that the certificate couldn't be verified?

    Do I need to do anything on my end?



  • 4.  RE: 451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 02, 2010 07:32 AM

    OK, I've understood why the certificate couldn't be verified: it is due to the common name in the certificate. I changed the brightmail gateway option on the domain from "require and verify certificate" to "require and don't verify certificate".

    I think this could be the issue, what do you think ?



  • 5.  RE: 451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 02, 2010 10:07 AM

    Yes. I've found that when SBG sends to a remote MTA, it expects the hostname from the MX record to match either the common name or one of the Subject Alternate Names (SANs) in the certificate. If you are verifying a certificate, it should have a valid CA chain, and be for the host you expected to talk to, and not some other poser.

    The remote MTA's admin didn't correctly implement the certificate. They are not alone. IBM India does the same.
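    As an added example (not SBG's code and not from this thread), the two checks the reply above describes, split apart so a mail admin can see which one a remote MX fails: CA chain validation and MX-hostname-to-CN/SAN matching. The helper names (smtp_tls_report, name_matches, cert_names) are assumed, and the CA bundle path is whatever your gateway trusts.

```python
"""Diagnose why an outbound 'Require TLS and verify certificate' delivery
fails: the remote MTA's cert must chain to a trusted CA AND its CN or a
DNS SAN must match the MX hostname. Helper names are assumed, not SBG's."""
import smtplib
import ssl
from typing import Dict, List, Optional


def name_matches(mx_host: str, names: List[str]) -> bool:
    """Case-insensitive exact match, or one leftmost wildcard label:
    '*.example.com' matches 'mx1.example.com' but not 'example.com'."""
    host = mx_host.rstrip(".").lower()
    for name in names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                      # ".example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
    return False


def cert_names(cert: Dict) -> List[str]:
    """CN plus DNS SANs from the dict ssl.SSLSocket.getpeercert() returns."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn + sans


def smtp_tls_report(mx_host: str, cafile: Optional[str] = None, port: int = 25) -> Dict:
    """STARTTLS to mx_host and report which of the two checks fails."""
    report = {"tls": False, "ca_ok": False, "name_ok": False, "names": [], "error": None}
    ctx = ssl.create_default_context(cafile=cafile)   # e.g. the ca-bundle.crt above
    ctx.check_hostname = False                         # name check reported separately
    ctx.verify_mode = ssl.CERT_REQUIRED                # chain must validate to a CA
    s = smtplib.SMTP(timeout=15)
    try:
        s.connect(mx_host, port)
        s.starttls(context=ctx)
        report["tls"] = report["ca_ok"] = True         # handshake passed chain check
        report["names"] = cert_names(s.sock.getpeercert())
        report["name_ok"] = name_matches(mx_host, report["names"])
    except ssl.SSLCertVerificationError as e:          # the 4.7.5 "valid CA" case
        report["error"] = "CA chain: " + e.verify_message
    except (ssl.SSLError, smtplib.SMTPException, OSError) as e:
        report["error"] = str(e)
    finally:
        s.close()
    return report


# Constructed sample: CN is the server's own name, not the MX name (the thread's case).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mailhost.example.org"),)),
    "subjectAltName": (("DNS", "mailhost.example.org"), ("IP Address", "192.0.2.10")),
}
```

    Run `smtp_tls_report("mx.example.org", cafile="/path/to/ca-bundle.crt")` against a real MX to see `ca_ok` and `name_ok` separately; with SAMPLE_CERT, `name_matches("mx.example.org", cert_names(SAMPLE_CERT))` is False while the chain could still be perfectly valid.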



  • 6.  RE: 451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 02, 2010 08:56 PM

    As the original poster mentioned, you can set "require TLS", but I have not found a way to "allow" (but not force) TLS, but require a valid certificate if TLS is attempted.

    Is there a way?

    It really bugs me to be doing TLS transactions with spammers who don't present a cert.



  • 7.  RE: 451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 02, 2010 10:01 PM

    Dear Cricket17,


    The URL seems to be broken because of embedded trailing spaces and shows an error as in the attachment. Can you trim the trailing spaces in the URL so that it shows up as http://www.checktls.com/testreceiver.html




  • 8.  RE: 451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 03, 2010 09:57 AM

    Phill - are you wanting inbound mail from spammers asking you to do TLS, to present a client certificate from their side?

    Look at your scanner, SMTP, Inbound and the 'request client certificate' option.

    They'll just use a self-signed certificate. It doesn't look like SBG can require a signed TLS client certificate.



  • 9.  RE: 451 4.7.5 [internal] SSL cert must be signed by a valid CA]

    Posted Nov 03, 2010 07:12 PM

    Cricket: I already have that setting enabled.

    As the wording implies, I think that is "request" not "require". So according to the message headers, I've seen a number of spams where they have used a TLS connection but provided no cert at all (self-signed or legit CA signed). Just got another one (missed spam) today:


    Received: from host-78-129-142-32.rsclientdns.com (mail-book.info [78.129.142.32])
    (using TLS with cipher AES256-SHA (AES256-SHA/256 bits))
    (Client did not present a certificate)
     by [my BMG box] (My BMG ehlo string) with SMTP id XX.XX.XXXXX.XXXXXXXX; Wed, 3 Nov 2010 14:25:33 -0700 (PDT)