
SFOS 17.5.4 MR-4-1 MTA Mode: GMail says no route to host but greylisting is off. Reports from some clients say that there is an error with the TLS encryption. StartTLS rejected

We upgraded from 17.1 MR3 to 17.5 MR3 over the weekend and are now getting errors related to SSL/TLS.

www.checktls.com/TestReceiver

Trying TLS on sf2.mydomain.net[xx.xx.xx.83:25] (10):

seconds   test stage and result
[000.052]   Connected to server
[000.245] <--  220 SF2.mydomain.Net ESMTP ready
[000.245]   We are allowed to connect
[000.245]  --> EHLO www6.CheckTLS.com
[000.297] <--  250-SF2.mydomain.Net Hello www6.checktls.com [159.89.187.50]
250-SIZE
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
[000.298]   We can use this server
[000.298]   TLS is an option on this server
[000.298]  --> STARTTLS
[000.351] <--  454 TLS currently unavailable
[000.351]   STARTTLS command rejected
[000.351]  --> MAIL FROM:<test@checktls.com>
[000.404] <--  250 OK
[000.404]   Sender is OK
[000.404]  --> RCPT TO:<shaun@mydomain.com>
[003.857] <--  250 Accepted
[003.857]   Recipient OK, email address proofed
[003.858]  --> QUIT
[003.909] <--  221 SF2.mydomain.Net closing connection


  • After 2 hours on the phone with Sophos support we found out that the original TLS certificate / key pair had a password, as is best practice, but the password didn't seem to be saved anywhere that the SMTPD engine could use. Ended up using OpenSSL to remove the password from the .key file and uploaded it again.

    It works and e-mail is flowing but we are getting a chain error now on the TLS test site.

    Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate; unable to verify the first certificate
    So email is encrypted but the recipient domain is not verified

    We did upload the intermediate certificate but the root CA cert was already there.

    Since mail is flowing (mostly) again I will leave the troubleshooting of this error for another day.

  • I know it's not a fix, but with XG you can revert back, to the old firmware, easily, just to get things moving :-)

    I hope you do not have the Sophos Connect issues though in 17.5 MR-4-0 ;)

  • This virtual appliance is dedicated to protecting a mail server so I don't use Sophos Connect on this particular box. It was upgraded all the way to SF 17.5 MR4-1 (17.5.4.429) so I guess I'm at the bleeding edge now :)
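The two symptoms in this thread (the `454 TLS currently unavailable` answer to STARTTLS in the original transcript, and the "unable to get local issuer certificate" chain error after the key was re-uploaded without its passphrase) can both be checked from your own machine without relying on an external test site. The script below is an added example written for this thread; it is not code from Sophos, from checktls.com, or from anyone in the thread. It uses only the Python 3 standard library, the host name is a placeholder to replace with your own MTA, and the EHLO sample and key snippets are constructed for the offline self-check (the EHLO lines mirror the transcript above).

```python
"""STARTTLS and certificate-chain probe for an SMTP listener.

Added example, not code from the thread or from Sophos/checktls.com.
Assumes only the Python 3 standard library; the host is a placeholder.
"""
import smtplib
import ssl

# Constructed sample inputs (the EHLO lines mirror the transcript in the thread).
SAMPLE_EHLO = """250-SF2.mydomain.Net Hello www6.checktls.com [159.89.187.50]
250-SIZE
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

SAMPLE_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

(constructed placeholder, not a real key)
-----END RSA PRIVATE KEY-----"""

SAMPLE_PLAIN_KEY = """-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END PRIVATE KEY-----"""


def parse_ehlo_extensions(ehlo_reply: str) -> set:
    """Return the ESMTP keywords advertised in an EHLO reply.

    Accepts either raw wire lines ("250-STARTTLS") or the body that
    smtplib.SMTP.ehlo() returns, where the "250-" prefix is already gone.
    The first line is the server greeting and carries no keyword.
    """
    keywords = set()
    for index, line in enumerate(ehlo_reply.splitlines()):
        line = line.strip()
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        if index == 0 or not line:
            continue
        keywords.add(line.split()[0].upper())
    return keywords


def classify_starttls_reply(code: int) -> str:
    """Map the reply code to the STARTTLS command onto a verdict (RFC 3207)."""
    if code == 220:
        return "ready"                    # server will start the TLS handshake
    if code == 454:
        return "temporarily-unavailable"  # what the transcript in the thread shows
    if code == 501:
        return "syntax-error"
    return "rejected"


def key_is_passphrase_protected(pem_text: str) -> bool:
    """True when a PEM private key needs a passphrase to load.

    A daemon that starts unattended cannot type that passphrase, which is
    the failure described in the thread: 454 until the key was re-uploaded
    without one. Worth checking before uploading a key to any MTA.
    """
    return ("ENCRYPTED PRIVATE KEY" in pem_text            # PKCS#8 form
            or "Proc-Type: 4,ENCRYPTED" in pem_text)       # legacy PEM form


def interpret(result: dict) -> str:
    """One-line diagnosis from a probe_starttls() result."""
    if not result["starttls_advertised"]:
        return "STARTTLS not offered: mail to this host goes in the clear"
    if result["starttls_verdict"] != "ready":
        return ("STARTTLS offered but refused (%s): check that the MTA can load "
                "its key and certificate" % result["starttls_verdict"])
    if result["chain_error"]:
        return ("TLS established but chain not verifiable (%s): install the "
                "intermediate CA certificate" % result["chain_error"])
    return "STARTTLS works and the certificate chain verifies"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, inspect EHLO, attempt STARTTLS, verify the chain (needs network)."""
    result = {"starttls_advertised": False, "starttls_verdict": None,
              "chain_error": None}
    context = ssl.create_default_context()  # verifies against the OS CA store
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        _code, body = smtp.ehlo("probe.example.invalid")
        keywords = parse_ehlo_extensions(body.decode("ascii", "replace"))
        result["starttls_advertised"] = "STARTTLS" in keywords
        if not result["starttls_advertised"]:
            return result
        try:
            smtp.starttls(context=context)
            result["starttls_verdict"] = "ready"
        except smtplib.SMTPResponseException as exc:   # e.g. the 454 above
            result["starttls_verdict"] = classify_starttls_reply(exc.smtp_code)
        except ssl.SSLCertVerificationError as exc:     # 220 given, chain bad
            result["starttls_verdict"] = "ready"
            result["chain_error"] = exc.verify_message
    finally:
        smtp.close()
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "sf2.mydomain.net"  # placeholder
    print(interpret(probe_starttls(target)))
```

Run it as `python3 probe.py mail.example.com` from a host that is allowed to reach port 25. A `temporarily-unavailable` verdict reproduces the first post's symptom (the listener advertises STARTTLS but cannot actually start TLS, typically because it could not load its key); a `chain_error` of "unable to get local issuer certificate" reproduces the second, and goes away once the intermediate CA is served alongside the leaf certificate.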
