8542 Views, 9 Replies. Latest reply: Sep 27, 2013 5:33 PM by ijahnke
duwang Newcomer 14 posts since
Aug 14, 2013

Sep 4, 2013 7:43 AM

Lots of bounced back email, 554 Certificate rejected over TLS.

I followed the instructions below:

How to troubleshoot the error 554:Certificate rejected over TLS.
This message occurs when the onward mail server fails to verify the appliance's identity using TLS certificates.

Email Gateway Appliance

  1. Log on to the Appliance Management Console.
  2. Select Email, Encryption, Encryption Settings, TLS.
  3. Under TLS connections when sending email (gateway is acting as a client), locate the topmost entry matching the onward mail server.
    • If the option Authenticate Self is not set, change it to When requested and select an appropriate certificate.
    • If the option Authenticate Self is already set to the correct value, confirm that the certificate used is appropriate and valid. If the problem persists, confirm with the administrator of the onward mail server that it uses the appropriate root and intermediate CA certificates. These certificates are the ones used to generate the certificate for the Appliance.

IMPORTANT: By default, this option is set to When requested for the "*" entry. If the option must be disabled for the default entry, you can create a new entry based on the FQDN, domain name, or IP of the onward mail server or the domain name or IP address of the recipient email address. Apply settings as explained above.

 

I am not sure how I can verify that "the certificate used is appropriate and valid". Thanks all.

  • mdnramos Apprentice 52 posts since
    Nov 23, 2009

    Hi duwang,

     

    Are you using the appliance default certificate or a certificate from a CA?

     

    Also, what is the version of MEG in question? Is this affecting incoming, outgoing or email in both directions?


    --------------------------------------------------
    -Marcelo

    McAfee SupportPortal - https://mysupport.mcafee.com/Eservice/Default.aspx

    FAQs for Network DLP - http://kc.mcafee.com/corporate/index?page=content&id=KB77088

    FAQs for Email Gateway 7.x - http://kc.mcafee.com/corporate/index?page=content&id=KB76144

  • mdnramos Apprentice 52 posts since
    Nov 23, 2009

    Have a look at KB78818 as it may help you in this case.


  • galaxyus Newcomer 31 posts since
    Jul 12, 2011

    I have got the same error with TLS:  Certificate rejected over TLS. (sslv3 alert bad record mac)

    Example domains: home.pl, aol.com, ...

     

    Following KB78818 did not resolve it.

    Following KB74897, we have to manually add the IP of the remote MTA; adding by wildcard domain has no effect. (I had to use "never use TLS" with these domains: not comfortable, not safe?)

    As duwang said, if we have a lot of domains getting the error returned, what can we do? The issue really affects the business. It seems there is no other choice.


    Gala.

  • rbarboza Newcomer 31 posts since
    Nov 21, 2011

    Hi

     

    Maybe you can resolve it by checking the option:

     

    TLS Options (Advanced)

     

    Put a check on: Allow anonymous key exchange

  • ijahnke McAfee Employee 118 posts since
    May 12, 2010

    You can't use the default cert unless the recipient side has the CA cert; otherwise it will fail the client authentication. Here are a couple of things to try:

     

    1.) Make sure that the certificate has the ability to authenticate as a server and a client:

    # Note: the example assumes the default cert is being used; otherwise the path is /config/wsxmlconf/cert/<cert_name>

    Fri Sep 27:root  ~ infantile$  openssl x509 -noout -in /config/wsxmlconf/cert/appliance_ssl.crt -purpose
    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : Yes
    S/MIME signing CA : No
    S/MIME encryption : Yes
    S/MIME encryption CA : No
    CRL signing : Yes
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No
    Time Stamp signing : No
    Time Stamp signing CA : No


    2.) Connect to the server that is requesting client authentication and check the results (the error will be at the beginning):

    openssl s_client  -connect 10.10.130.215:25 -starttls smtp -cert /config/wsxmlconf/cert/appliance_ssl.crt -key /config/wsxmlconf/cert/appliance_ssl.key -CApath /config/wsxmlconf/cadir/

    Fri Sep 27:root  ~ infantile$ openssl s_client  -connect 10.10.130.215:25 -starttls smtp -cert /config/wsxmlconf/cert/appliance_ssl.crt -key /config/wsxmlconf/cert/appliance_ssl.key -CApath /config/wsxmlconf/cadir/
    CONNECTED(00000003)
    depth=1 DC = com, DC = mfesupport, CN = pride
    verify return:1
    depth=0 C = US, ST = MN, L = Saint Paul, O = Mfesupport, OU = Email Gateway, CN = lackadaisical.mfesupport.com, emailAddress = support@mfesupport.com
    verify return:1
    139710746654536:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1256:SSL alert number 43
    139710746654536:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    Certificate chain
    0 s:/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=lackadaisical.mfesupport.com/emailAddress=support@mfesupport.com
       i:/DC=com/DC=mfesupport/CN=pride
    1 s:/DC=com/DC=mfesupport/CN=pride
       i:/DC=com/DC=mfesupport/CN=pride


    Here is an example of a successful connection; it will have a very large TLS session ticket and end with a "250 STARTTLS" command:

    CONNECTED(00000003)
    depth=1 DC = com, DC = mfesupport, CN = pride
    verify return:1
    depth=0 C = US, ST = MN, L = Saint Paul, O = Mfesupport, OU = Email Gateway, CN = infantile.megsupport.com, emailAddress = support@mfesupport.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=infantile.megsupport.com/emailAddress=support@mfesupport.com
       i:/DC=com/DC=mfesupport/CN=pride
    1 s:/DC=com/DC=mfesupport/CN=pride
       i:/DC=com/DC=mfesupport/CN=pride
    ---
    Server certificate


    subject=/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=infantile.megsupport.com/emailAddress=support@mfesupport.com
    issuer=/DC=com/DC=mfesupport/CN=pride
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3832 bytes and written 2710 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-GCM-SHA384
        Session-ID: 23467590BE1BCE53BA5F3A4A401C44DFA84748D1ADF4AA86EFB74608E092FF79
        Session-ID-ctx:
        Master-Key: 4F538A7E6A8DB95537524CD673E0A9B4FFA26FE9D80CA90D8B7A34BA1C291284BCA98E7166CFB80 A4D65A9A4E16422B1
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:


        Compression: 1 (zlib compression)
        Start Time: 1380320766
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 STARTTLS

    on 9/27/13 5:39:12 PM CDT
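The checks behind "confirm that the certificate used is appropriate and valid", scripted as an added example that is not from the thread or from McAfee: it wraps the same openssl commands ijahnke runs and classifies the s_client outcome the way the two captures above do. Certificate, key and CA paths are arguments (on the appliance you would pass the /config/wsxmlconf/cert/ and /config/wsxmlconf/cadir/ paths quoted in the reply); the CA bundle file used by the chain check and the HOST:PORT for the probe are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's or McAfee's code). Every function returns
# 0 on pass and 1 on fail so it can be used in an "if" or a cron check.

# 1. Client authentication: the onward MTA asks the gateway for a client cert,
#    so "openssl x509 -purpose" must list "SSL client : Yes".
cert_is_client_capable() {
    openssl x509 -noout -purpose -in "$1" 2>/dev/null | grep -q '^SSL client : Yes'
}

# 2. Validity: fails if the cert expires within $2 seconds (0 = valid right now).
cert_is_valid_for() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# 3. Chain: the cert must verify against the root/intermediate CAs the remote
#    side trusts. $2 is a CA bundle file (assumption); on the appliance the
#    hashed directory with -CApath is the equivalent. Grep for ": OK" rather
#    than trusting the exit code, which older openssl builds did not set.
cert_chain_verifies() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# 4. Live probe (needs a reachable MTA; HOST:PORT is a placeholder): mirrors the
#    s_client command from the reply. Alert 43 is TLS unsupported_certificate,
#    the failure captured above; "bad record mac" is the variant galaxyus saw.
starttls_probe() {
    out=$(openssl s_client -connect "$1" -starttls smtp -cert "$2" -key "$3" \
          -CApath "$4" </dev/null 2>&1)
    case "$out" in
        *"alert number 43"*|*"unsupported certificate"*) echo unsupported-cert ;;
        *"bad record mac"*)                               echo bad-record-mac ;;
        *"handshake failure"*)                            echo handshake-failed ;;
        *"Verify return code: 0 (ok)"*)                   echo ok ;;
        *)                                                echo unknown ;;
    esac
}

# Offline summary for one cert against one CA bundle, one line per check.
check_client_cert() {
    cert_is_client_capable "$1" && echo "purpose:  usable as SSL client" \
        || echo "purpose:  NOT usable as SSL client (EKU/keyUsage exclude it)"
    cert_is_valid_for "$1" 0 && echo "validity: ok" || echo "validity: expired"
    cert_chain_verifies "$1" "$2" && echo "chain:    verifies against $2" \
        || echo "chain:    does NOT verify against $2"
}
```

Run `check_client_cert /path/to/appliance.crt /path/to/ca-bundle.pem` first; only if all three lines pass is the probe result worth reading, since a failed purpose or chain check reproduces the alert 43 rejection on its own.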
