Symantec Messaging Gateway (SMG) Transport Layer Security (TLS) settings for a domain are set to "Require TLS and verify certificate", but TLS connections fail.
Mail Exchange (MX) host has a signed TLS certificate.
2010 Aug 17 19:01:11 GMT (debug) ecelerity:  Host Name: mx1.domain.com
2010 Aug 17 19:01:11 GMT (debug) ecelerity:  Host SSL certificate Subject: /C=US/ST=Statesota/L=Moralton/O=Company Co/CN=server1.domain.com
2010 Aug 17 19:01:11 GMT (debug) ecelerity:  Subject Common Name: server1.domain.com
2010 Aug 17 19:01:11 GMT (info) ecelerity:  Subject Common Name does not match host name
2010 Aug 17 19:01:11 GMT (info) ecelerity:  DNS Subject Alternative Name does not match host name
The SMG TLS certificate validation operates in this order:
1. The signing chain for the server certificate is valid
2. The certificate is not out of date
3. The signing certificate authority is trusted by the Brightmail Gateway
4. The Domain Name System (DNS) hostname matches the certificate subject common name or subject alternative name
If the DNS hostname referred to by the domain's MX records does not match the common name (CN) attribute of the certificate Subject or a Subject Alternative Name, certificate validation fails and a secure connection cannot be established.
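The checks above, applied in the article's order to a constructed certificate like the one in the log excerpt (an added Python example, not SMG code; the sample values and the wildcard rule are assumptions):

```python
from datetime import datetime, timezone

# Constructed sample mirroring the log excerpt: the host named by the MX
# record and the certificate it presented. Not real data.
MX_HOST = "mx1.domain.com"
CERT = {
    "subject_cn": "server1.domain.com",
    "san_dns": ["server1.domain.com", "webmail.domain.com"],
    "not_before": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2011, 1, 1, tzinfo=timezone.utc),
    "chain_valid": True,     # assumed: signature chain already verified
    "issuer_trusted": True,  # assumed: issuing CA is in the trust store
}

def name_matches(pattern, host):
    """Case-insensitive DNS name comparison. A single '*' may replace only
    the left-most label, so *.domain.com matches mx1.domain.com but not
    a.b.domain.com or the bare domain.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def validate(cert, host, now):
    """Run the four checks in the order the article lists them and return
    the first failure message, or None when the certificate is accepted."""
    if not cert["chain_valid"]:
        return "signing chain for the server certificate is not valid"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "certificate is out of date"
    if not cert["issuer_trusted"]:
        return "signing certificate authority is not trusted"
    if name_matches(cert["subject_cn"], host):
        return None
    if any(name_matches(n, host) for n in cert["san_dns"]):
        return None
    return "Subject Common Name and DNS Subject Alternative Name do not match host name"

if __name__ == "__main__":
    when = datetime(2010, 8, 17, 19, 1, 11, tzinfo=timezone.utc)
    print(validate(CERT, MX_HOST, when))            # the mismatch seen in the log
    fixed = dict(CERT, san_dns=CERT["san_dns"] + ["mx1.domain.com"])
    print(validate(fixed, MX_HOST, when))           # None: SAN now covers the MX host
```

Adding the MX host name to the certificate's SAN list (or issuing a certificate whose CN is the MX host) keeps verification enabled instead of turning it off.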
This can be resolved by changing the domain's TLS policy to "Require TLS and don't verify certificate". Note that this setting skips all of the validation steps listed above, not only the hostname match: the connection is still encrypted, but the remote server's certificate is no longer checked.
Log into the Control Center as an administrator
Navigate to the Protocols --> Domains page
Select the domain you wish to update and click the "Edit" button
On the "Delivery" tab, select "Require TLS and don't verify certificate"
Save the changes to the domain.
ENHANCEMENT - Include TLS option to validate server CA signature but not hostname / common name match.
Imported Document ID: TECH141351