In Symantec Mail Security for Exchange (SMSMSE), when trying to enable Premium AntiSpam the deployment fails with the following generic error:
"Symantec Premium AntiSpam registration failed. The product will not receive definition updates".
In Conduit.log:
(ERROR:4632.4636): [12034] Network error occurred, SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60), check your network connection settings, check your proxy settings (if applicable), and check to ensure that port 443 (HTTPS) is open through any relevant firewalls.
Curl for Windows:
C:\Temp\curl>Curl.exe -v -1 -4 -i -cacert CURL_CA_BUNDLE https://register.brightmail.com:443
curl: (6) Could not resolve host: -v; Host not found
curl: (6) Could not resolve host: -i; Host not found
curl: (6) Could not resolve host: -cacert; Host not found
curl: (6) Could not resolve host: CURL_CA_BUNDLE; Host not found
curl: (1) Protocol https not supported or disabled in libcurl
The license is confirmed to be correct, and communication with register.brightmail.com on port 443 is also working.
Symantec Mail Security for Exchange version 6.x or 7.x
The network firewall or proxy inspects and intercepts the SSL validation between the Exchange/SMSMSE server and register.brightmail.com.
Although port 443 is open on the firewall, an additional inspection of SSL traffic intercepts the connection between the SMSMSE server and register.brightmail.com. As a result, SMSMSE fails to verify its internal SSL certificate and the registration fails.
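To get a clearer idea of the SSL error, download curl for Windows and run the following command (the --cacert option takes two dashes and expects the path to a CA certificate bundle file in place of CURL_CA_BUNDLE):
curl.exe -v -1 -4 -i --cacert CURL_CA_BUNDLE https://register.brightmail.com:443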
The output gives a better idea of where in the firewall the verification process is failing. In addition, the manual register script for PAS or a Wireshark capture can be used for further output. Please see the attached articles on how to run the manual PAS register script and a Wireshark capture. Then provide the output to the firewall administrator, who can disable the SSL inspection or whitelist the appropriate process. Once SSL traffic is no longer intercepted, Premium AntiSpam can be enabled and the antispam definitions are downloaded correctly.
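If curl is not available on the server, the following PowerShell sketch shows which certificate chain the SMSMSE server is actually presented with for register.brightmail.com; an issuer that names the firewall or proxy's own CA indicates SSL inspection. This is an added example, not a Symantec tool or script from the attached articles. It assumes a direct TCP connection to port 443 is possible (transparent inspection rather than an explicit proxy), and the variable names are illustrative.

```powershell
# Added diagnostic example (not a Symantec tool). Lists the certificate chain
# presented to this server for register.brightmail.com:443.
# Assumption: direct TCP connection (transparent inspection); traffic that goes
# through an explicit proxy is not covered by this check.
$HostName = 'register.brightmail.com'
$Port     = 443
$script:seen = $null

# Record what the peer presented, then accept it so the handshake completes.
# No application data is sent on this connection; the callback only inspects.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $policyErrors)
    $script:seen = [pscustomobject]@{
        PolicyErrors = $policyErrors
        Chain        = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
                NotAfter   = $_.Certificate.NotAfter
            }
        })
    }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try { $ssl.AuthenticateAsClient($HostName) } finally { $ssl.Dispose() }
}
finally {
    $tcp.Close()
}

# PolicyErrors is the verdict of the Windows certificate store, which can differ
# from the product's own verification; the Issuer values are the key output.
"Windows validation result: $($script:seen.PolicyErrors)"
$script:seen.Chain | Format-List
```

Run it from the Exchange/SMSMSE server itself, and pass the Subject and Issuer lines to the firewall administrator together with the curl output.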