After enabling opportunistic TLS delivery via Messaging Gateway's Administration->Configuration->host->SMTP->Advanced Settings page, you notice that messages to one or more domains are queued with a queue message indicating a problem negotiating a secure connection with TLS. Delivery attempts for these messages continue to fail until the messages are eventually bounced.
2014 Jul 20 23:19:43 IST (notice) ecelerity:  Failed to negotiate TLS wth #sms#0000002e
When Messaging Gateway (SMG) is unable to negotiate a TLS session, the message is queued for redelivery, but every subsequent delivery attempt also tries to secure the connection via TLS. Since a TLS connection can't be established, all attempts to deliver messages to that route fail. This is a design choice to preserve the secure delivery of messages for which the receiving MTA offers the STARTTLS option. Failover to unencrypted delivery is meant only for receiving MTAs that do not offer STARTTLS.
This issue has largely been addressed in the SMG 10.6 release: messages are redelivered in plain text when opportunistic TLS is enabled but the TLS negotiation returns an error. If, however, the remote mail server does not return a TLS error but instead closes the connection, this is registered as a failed network connection and the message is queued for redelivery without being marked to bypass TLS.
Currently, the only way to address routes that offer TLS but close the connection instead of returning a TLS error is either to specify an alternate route for the affected domains via the Protocols->Domains page or to disable opportunistic TLS.
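Before choosing a remedy it helps to know which of the two failure modes a destination actually produces. The following Python probe is an added example, not part of the Symantec article or of SMG: it connects to a mail host, issues EHLO, attempts STARTTLS and classifies the result into the categories the article distinguishes (no STARTTLS offered, TLS error, connection dropped), then reports what the article says SMG does with the queued message in each case. The host name and the decision labels are assumptions for illustration.

```python
import smtplib
import socket
import ssl

# Outcome categories that decide SMG's redelivery behaviour (labels are ours).
NO_STARTTLS = "no_starttls"              # remote MTA never offered STARTTLS
TLS_OK = "tls_ok"                        # handshake completed
TLS_ERROR = "tls_error"                  # error reply to STARTTLS, or handshake failed
CONNECTION_CLOSED = "connection_closed"  # remote dropped the connection instead of erroring


def classify_starttls_failure(exc):
    """Map an exception raised while negotiating STARTTLS to an outcome category.
    A TLS-level error is what SMG 10.6 can fall back from; a dropped connection is not."""
    if isinstance(exc, (smtplib.SMTPServerDisconnected, ConnectionResetError,
                        EOFError, socket.timeout)):
        return CONNECTION_CLOSED
    if isinstance(exc, (ssl.SSLError, smtplib.SMTPResponseException)):
        # e.g. a "454 TLS not available" reply, or a failed handshake after "220 Ready"
        return TLS_ERROR
    raise exc  # anything else is a bug in the probe, not a delivery outcome


def probe_starttls(host, port=25, timeout=10):
    """Connect, EHLO and try STARTTLS against host:port; return an outcome category."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # diagnostic only: we test whether the
    ctx.verify_mode = ssl.CERT_NONE   # handshake completes, not the certificate chain
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return NO_STARTTLS
            smtp.starttls(context=ctx)
            return TLS_OK
    except Exception as exc:
        return classify_starttls_failure(exc)


def smg_redelivery_mode(outcome, smg_10_6_or_later):
    """What the article describes SMG doing with the queued message for each outcome."""
    if outcome == TLS_OK:
        return "delivered over TLS"
    if outcome == NO_STARTTLS:
        return "delivered in plain text"
    if outcome == TLS_ERROR and smg_10_6_or_later:
        return "redelivered in plain text"
    # Pre-10.6 for any TLS failure, and 10.6 when the connection is dropped:
    # TLS is retried on every attempt until the message bounces.
    return "requeued with TLS retried; use an alternate route or disable opportunistic TLS"


if __name__ == "__main__":
    result = probe_starttls("mx.example.invalid")  # placeholder host, substitute the affected MX
    print(result, "->", smg_redelivery_mode(result, smg_10_6_or_later=True))
```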
Configuring an alternate route for a domain
Log into the Messaging Gateway Control Center as an administrator
Open the Protocols->Domains page
Click the 'Add' button
Under domain, enter the domain name you want to re-route
If this is for outbound delivery, uncheck the 'Local domain' checkbox
Under the 'Delivery' tab, check 'Destination routing'
Enter the alternate destination host or route in 'Destination hosts'
Disabling opportunistic TLS
Log into the Messaging Gateway as an Administrator
Open the 'Administration->Configuration' page
Select the host you want to modify
Select the SMTP tab
Click the 'Advanced Settings' button
Select the 'Delivery' tab
Uncheck the 'Attempt TLS encryption of all messages' checkbox
Symantec Messaging Gateway
Imported Document ID: TECH223776