Is TLS supported when using SMTP Prevent in reflecting mode?
The docs only explicitly document TLS setup for forwarding mode.
For reference, see the document “Symantec_DLP_10.5_Email_Prevent_MTA_Integration_Guide.pdf”, pages 28ff.
Reflecting mode is only documented in non-TLS mode. Documentation bug eTrack 2095098 has been filed.
TLS is supported in both reflecting and forwarding mode.
You have to make sure you are following the documentation steps exactly when implementing reflecting mode. With a simple terminology change (replacing “downstream” or “next hop” MTA with something more general like “receiving MTA”), the existing instructions also work for reflecting-mode deployments. In other words, the steps for generating, importing and exporting certificates are the same regardless of reflecting or forwarding mode.
From an integration standpoint, any Prevent in reflecting mode should be as close to the MTA as possible.
Also, since during the communication the next-hop MTA would send the initial MTA’s response back to itself, I can see that this causes confusion if the originating MTA receives itself as the response but has a different certificate.
- The certificate has to be in PEM format.
- You have to import the public key from the downstream (forward) MTA into the SMTP Prevent keystore in order for it to work.
- You may also want to dump the keystore content to make sure that the certificate is imported.
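As an added example (not from the original article and not Symantec's own tooling), a stdlib-only Python helper for the three points above: it checks that a certificate file is really PEM, converts a binary DER export to PEM when it is not, and prints the SHA-256 fingerprint in the colon-separated form a keystore listing shows, so the imported entry can be matched against the source certificate. It assumes the Prevent keystore is listed with Java's keytool; the sample DER blob is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file; raises ValueError on bad input."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)
    if not der.startswith(b"\x30"):  # every DER certificate begins with an ASN.1 SEQUENCE tag
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def der_to_pem(der: bytes) -> str:
    """Wrap raw DER bytes as PEM with the 64-column lines keytool and openssl expect."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def normalize_to_pem(data: bytes) -> str:
    """Return PEM text whether the file was PEM or binary DER; reject anything else."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return der_to_pem(pem_to_der(data.decode("ascii", errors="replace")))
    if data.startswith(b"\x30"):
        return der_to_pem(data)
    raise ValueError("input is neither PEM nor DER")


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint, colon-separated as in a 'keytool -list -v' keystore dump."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in for a DER file: a minimal ASN.1 SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("30030201ff")

if __name__ == "__main__":
    pem = normalize_to_pem(SAMPLE_DER)
    print(pem, "SHA-256:", sha256_fingerprint(pem))
```

Run it against the real certificate file exported from the receiving MTA, then compare the printed fingerprint with the entry shown by the keystore dump.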