duwang
Level 7

Lots of bounced back email, 554 Certificate rejected over TLS.


I follow the instruction below,

How to troubleshoot the error 554:Certificate rejected over TLS.
This message occurs when the onward mail server fails to verify the appliance's identity using TLS certificates.

Email Gateway Appliance

  1. Log on to the Appliance Management Console.
  2. Select Email, Encryption, Encryption Settings, TLS.
  3. Under TLS connections when sending email (gateway is acting as a client), locate the topmost entry matching the onward mail server.
    • If the option Authenticate Self is not set, change it to When requested and select an appropriate certificate.
    • If the option Authenticate Self is already set to the correct value, confirm that the certificate used is appropriate and valid. If the problem persists, confirm with the administrator of the onward mail server that it uses the appropriate root and intermediate CA certificates. These certificates are the ones used to generate the certificate for the Appliance.

IMPORTANT: By default, this option is set to When requested for the "*" entry. If the option must be disabled for the default entry, you can create a new entry based on the FQDN, domain name, or IP of the onward mail server or the domain name or IP address of the recipient email address. Apply settings as explained above.

I am not sure how I can verify that "the certificate used is appropriate and valid". Thanks all.

0 Kudos
1 Solution

Accepted Solutions
galaxyus
Level 9

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


I have got the same error with TLS: Certificate rejected over TLS. (sslv3 alert bad record mac)

example domain: home.pl, aol.com, .....

Following KB78818 did not resolve it.

Following KB74897, we have to manually add the IP of the remote MTA; adding by wildcard domain has no effect. (I have to use: never use TLS with these domains. Not comfortable, not safe?)

As duwang said, if we have a lot of domains getting the error returned, how can we manage? The issue really affects the business. It seems there is no other choice.

Gala.

0 Kudos
9 Replies
mdnramos
Level 11

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


Hi duwang,

Are you using the appliance default certificate or a certificate from a CA?

Also, what is the version of MEG in question? Is this affecting incoming, outgoing or email in both directions?

0 Kudos
duwang
Level 7

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


I am using the appliance default certificate; the version of MEG is 7.5, and this affects outbound email so far...

0 Kudos
mdnramos
Level 11

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


Have a look at KB78818 as it may help you in this case.

0 Kudos
duwang
Level 7

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


According to the article,

"Solution: The ideal solution for this issue is for the remote server administrators to fix their mail server so that it will use TLS 1.2, if available."

So does it mean we need to contact the recipient side? But more than 10 recipient domains have this error... that's too many, isn't it? Is there a way we can send an email with no TLS encryption?


0 Kudos
duwang
Level 7

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


Hi Galaxyus, I followed your instruction: manually added the IP of the remote MTA (adding by wildcard domain has no effect) and chose never to use TLS with their domains. Thank you so much.

0 Kudos
ijahnke
Level 11

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


You can't use the default cert unless the recipient side has the CA cert; otherwise it will fail the client authentication. Here are a couple of things to try:

1.) Make sure that the certificate has the ability to authenticate as a server and a client:

# Note: the example assumes the default cert is being used; otherwise the path is /config/wsxmlconf/cert/<cert_name>

Fri Sep 27:root  ~ infantile$  openssl x509 -noout -in /config/wsxmlconf/cert/appliance_ssl.crt -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

2.) Connect to the server that is requesting client authentication and check the results (The error will be at the beginning)

openssl s_client -connect 10.10.130.215:25 -starttls smtp -cert /config/wsxmlconf/cert/appliance_ssl.crt -key /config/wsxmlconf/cert/appliance_ssl.key -CApath /config/wsxmlconf/cadir/

Fri Sep 27:root  ~ infantile$ openssl s_client -connect 10.10.130.215:25 -starttls smtp -cert /config/wsxmlconf/cert/appliance_ssl.crt -key /config/wsxmlconf/cert/appliance_ssl.key -CApath /config/wsxmlconf/cadir/
CONNECTED(00000003)
depth=1 DC = com, DC = mfesupport, CN = pride
verify return:1
depth=0 C = US, ST = MN, L = Saint Paul, O = Mfesupport, OU = Email Gateway, CN = lackadaisical.mfesupport.com, emailAddress = support@mfesupport.com
verify return:1
139710746654536:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1256:SSL alert number 43
139710746654536:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=lackadaisical.mfesupport.com/emailAddress=support@mfesupport.com
   i:/DC=com/DC=mfesupport/CN=pride
1 s:/DC=com/DC=mfesupport/CN=pride
   i:/DC=com/DC=mfesupport/CN=pride

Here is an example of a successful connection and it will have a very large TLS Session Ticket and end with a "250 STARTTLS" command:

CONNECTED(00000003)
depth=1 DC = com, DC = mfesupport, CN = pride
verify return:1
depth=0 C = US, ST = MN, L = Saint Paul, O = Mfesupport, OU = Email Gateway, CN = infantile.megsupport.com, emailAddress = support@mfesupport.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=infantile.megsupport.com/emailAddress=support@mfesupport.com
   i:/DC=com/DC=mfesupport/CN=pride
1 s:/DC=com/DC=mfesupport/CN=pride
   i:/DC=com/DC=mfesupport/CN=pride
---
Server certificate


subject=/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=infantile.megsupport.com/emailAddress=support@mfesupport.com
issuer=/DC=com/DC=mfesupport/CN=pride
---
No client certificate CA names sent
---
SSL handshake has read 3832 bytes and written 2710 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 23467590BE1BCE53BA5F3A4A401C44DFA84748D1ADF4AA86EFB74608E092FF79
    Session-ID-ctx:
    Master-Key: 4F538A7E6A8DB95537524CD673E0A9B4FFA26FE9D80CA90D8B7A34BA1C291284BCA98E7166CFB80A4D65A9A4E16422B1
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:


    Compression: 1 (zlib compression)
    Start Time: 1380320766
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 STARTTLS

on 9/27/13 5:39:12 PM CDT
0 Kudos
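A small shell triage helper, added here and not part of ijahnke's post or the appliance software, that automates the two openssl checks above: it confirms the certificate carries the SSL client purpose, and it reads a saved s_client transcript to report either the TLS alert number the peer sent (with its RFC 5246 name) or that the handshake completed with a clean verify code and the 250 STARTTLS line. The two transcripts inside are constructed and shortened; the hostname is a placeholder.

```shell
# Added example (not from the thread or the appliance). Feed it the saved output of
#   openssl x509 -noout -in <cert> -purpose                          -> has_client_purpose
#   openssl s_client -connect HOST:25 -starttls smtp -cert .. -key .. -CApath .. 2>&1 -> triage

# Step 1 of the post: a cert used for "Authenticate Self" must be usable as a TLS client.
has_client_purpose() {            # reads x509 -purpose output on stdin
  grep -q '^SSL client *: *Yes'
}

# TLS alert numbers that s_client prints as "SSL alert number N" (names from RFC 5246 7.2).
alert_meaning() {
  case "$1" in
    20) echo "bad_record_mac: often a TLS version/cipher mismatch with an old MTA, not the certificate" ;;
    42) echo "bad_certificate: peer could not parse or verify our certificate" ;;
    43) echo "unsupported_certificate: peer rejects this certificate type or purpose" ;;
    45) echo "certificate_expired" ;;
    46) echo "certificate_unknown" ;;
    48) echo "unknown_ca: peer lacks the root/intermediate CA that issued our certificate" ;;
    *)  echo "alert $1: see RFC 5246 section 7.2" ;;
  esac
}

# Step 2 of the post: read an s_client transcript on stdin, print one verdict, return 0 only on success.
triage() {
  out=$(cat)
  alert=$(printf '%s\n' "$out" | sed -n 's/.*SSL alert number \([0-9]*\).*/\1/p' | head -n 1)
  if [ -n "$alert" ]; then
    echo "FAIL: server sent TLS alert $alert ($(alert_meaning "$alert"))"
    return 1
  fi
  code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  if [ "$code" = "0" ] && printf '%s\n' "$out" | grep -q '^250 STARTTLS'; then
    echo "OK: handshake completed over $proto, verify return code 0"
    return 0
  fi
  echo "FAIL: handshake did not complete (verify return code: ${code:-none})"
  return 1
}

# Constructed, shortened transcripts (placeholder host) so the helper can be exercised offline.
FAIL_SAMPLE='CONNECTED(00000003)
depth=0 CN = gateway.example.invalid
1234:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1256:SSL alert number 43
1234:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:'
OK_SAMPLE='CONNECTED(00000003)
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---
250 STARTTLS'
```

On a live capture, `openssl s_client ... 2>&1 | triage` gives the verdict directly; the first FAIL line names the alert the remote MTA sent, which is the detail to take to its administrator.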
rbarboza
Level 7

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


Hi

Maybe you can resolve it by checking the option:

TLS Options (Advanced)

put a check: Allow anonymous key exchange

0 Kudos
duwang
Level 7

Re: Lots of bounced back email, 554 Certificate rejected over TLS.


Hi Rbarboza, this doesn't work. Thanks anyway.

0 Kudos