Messaging Gateway

  • 1.  TLS mail problem

    Posted May 27, 2010 08:16 AM
    I am using two SBG 9 servers over the internet to test TLS email, I am using a self-signed cert for testing.  I know the server sending TLS works, I can email other companies and they verified TLS is on, but my server doing the receiving will not accept a TLS connection.  When I run the openssl command from the sending server to the other I get an error

    CONNECTED(00000003)
    28395:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

    I only have port 25 open on the firewall, does starttls need some other port to work? 

    Thanks


  • 2.  RE: TLS mail problem

    Posted May 27, 2010 10:53 AM

    Alex,

    There are two documents that come to mind regarding your situation.  The first is that you can't use a self-signed cert for TLS.  The second is that we do actually have a way of testing TLS from the command line.  Docs are below for both situations.  As for the port, as long as 25 is open it should work just fine.


    Title: 'Can a self signed certificate be used for TLS?'
    Document ID: 2009042110425854
    Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009042110425854?Open&seg=ent


    Title: 'Command-line test of TLS SMTP capability'
    Document ID: 2007112711584954
    Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2007112711584954?Open&seg=ent





  • 3.  RE: TLS mail problem

    Posted May 27, 2010 11:07 AM

    OK, if I can't use a self-signed cert for testing, how can I add a cert that I already have to SBG?  My cert through Verisign doesn't include an email field, but in the cert menu in SBG I am forced to put one.  How do I add a cert without creating the request?  I don't want to spend $500 on a new cert.



  • 4.  RE: TLS mail problem

    Posted May 27, 2010 12:18 PM

    Currently there is no way to add a certificate without a CSR.  I have heard that future releases should enable this functionality but I can't absolutely confirm that.

    What is your concern that you are testing?  Is it functionality in general or do you have a specific issue or scenario you are trying to test?


  • 5.  RE: TLS mail problem

    Posted May 27, 2010 12:22 PM
    We currently do TLS with IIS and want to switch it over to SBG.  So right now just basic testing to make sure it works as intended.


  • 6.  RE: TLS mail problem

    Posted May 27, 2010 12:30 PM

    I can definitely understand that.  My hope is that one of our members here on the forums that is currently using TLS can chime in, but I have dealt with it on many occasions and never seen an actual "issue."  Unfortunately right now it is a little leap of faith to create a new CSR and install a newly purchased cert.


  • 7.  RE: TLS mail problem

    Posted May 27, 2010 02:35 PM
    So after some digging around I was able to receive a TLS email using my self-signed cert.  We use Nokia Checkpoint firewalls and use the SMTP resource, which stores and forwards emails for content filtering.  When a TLS connection attempt is made, the firewall is stopping the request since it doesn't understand TLS and is just another hop in the email chain.  Changing the firewall rule to just forward SMTP to SBG allows TLS connections to work even with the self-signed cert.


  • 8.  RE: TLS mail problem

    Posted May 27, 2010 03:59 PM

    You still should look at getting a commercial cert at some point.  If you look at Protocols / Domains, there is an option on the domain delivery tab "Require TLS encryption and verify certificate".  Someday, some third party may require that of your domain, and a self-signed cert should fail that test - no trust chain.


  • 9.  RE: TLS mail problem

    Posted May 27, 2010 08:40 PM
    In our testing you can use a self signed cert.

    One additional thing to check similar to what alexdc03 said is to make sure that SMTP packet inspection is not being done by your FW for inbound traffic. This will break any TLS handshake and email will end up coming over regular port 25 to your SBG.

    We had this issue on our PIX.
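An added example, not code from the thread or from Symantec, that does in Python what posts 7 and 9 describe checking by hand: STARTTLS on port 25 begins in cleartext, so the probe reads the plaintext EHLO reply before any TLS is attempted and reports whether STARTTLS is offered, absent (a store-and-forward relay hop answering in place of the real server), or masked (an inspecting firewall rewriting the capability list). The client hostname and the "keyword overwritten with X characters" heuristic are assumptions; `probe()` needs network access, while `parse_reply()` and `classify_ehlo()` run on captured text.

```python
import re
import socket

# Added example, not code from the thread or from Symantec. STARTTLS on port 25 begins in
# cleartext: the client must see "STARTTLS" in the EHLO reply before any TLS handshake.
# The thread's "unknown protocol" error is what openssl s_client prints when it expected a
# TLS ServerHello but received the plaintext "220" banner (port 25 probed without STARTTLS).

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
MASKED = re.compile(r"^X{4,}[A-Z]?$")  # assumed: SMTP fixup overwrote the keyword with X's

def parse_reply(text):
    """Split a (possibly multi-line) SMTP reply into (code, [lines]); raise if not SMTP."""
    code, lines = None, []
    for raw in text.splitlines():
        m = REPLY_LINE.match(raw.rstrip("\r"))
        if not m:
            raise ValueError("not an SMTP reply: %r" % raw)
        code = m.group(1)
        lines.append(m.group(3).strip())
        if m.group(2) == " ":  # "250 " (space) ends the reply; "250-" continues it
            break
    return code, lines

def classify_ehlo(ehlo_reply):
    """Say whether a STARTTLS handshake can even be attempted after this EHLO reply."""
    code, lines = parse_reply(ehlo_reply)
    if code != "250":
        return "ehlo-rejected"
    keywords = [ln.split()[0].upper() for ln in lines[1:] if ln]  # line 1 is the greeting
    if "STARTTLS" in keywords:
        return "starttls-offered"
    if any(MASKED.match(k) for k in keywords):
        return "starttls-masked"  # an inspecting device rewrote the capability list
    return "starttls-absent"      # e.g. a relay hop that terminates SMTP itself

def probe(host, port=25, timeout=10):
    """Live check (needs network): read the banner, send EHLO, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="")
        if not f.readline().startswith("220"):
            return "no-smtp-banner"  # not an SMTP listener, or the banner was withheld
        s.sendall(b"EHLO tls-check.example\r\n")  # assumed client hostname
        reply, line = "", "250-"
        while line and not re.match(r"\d{3} ", line):  # stop at the "NNN " final line or EOF
            line = f.readline()
            reply += line
        s.sendall(b"QUIT\r\n")
    return classify_ehlo(reply)
```

If the result is "starttls-absent" or "starttls-masked" from outside the firewall but "starttls-offered" from inside it, the device in between is the reason the handshake never starts.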