9 Replies Latest reply: Sep 27, 2013 5:39 PM by ijahnke

    Lots of bounced back email, 554 Certificate rejected over TLS.

    duwang

      I followed the instructions below:

      How to troubleshoot the error 554:Certificate rejected over TLS.
      This message occurs when the onward mail server fails to verify the appliance's identity using TLS certificates.

      Email Gateway Appliance

      1. Log on to the Appliance Management Console.
      2. Select Email, Encryption, Encryption Settings, TLS.
      3. Under TLS connections when sending email (gateway is acting as a client), locate the topmost entry matching the onward mail server.
        • If the option Authenticate Self is not set, change it to When requested and select an appropriate certificate.
        • If the option Authenticate Self is already set to the correct value, confirm that the certificate used is appropriate and valid. If the problem persists, confirm with the administrator of the onward mail server that it uses the appropriate root and intermediate CA certificates. These certificates are the ones used to generate the certificate for the Appliance.

      IMPORTANT: By default, this option is set to When requested for the "*" entry. If the option must be disabled for the default entry, you can create a new entry based on the FQDN, domain name, or IP of the onward mail server or the domain name or IP address of the recipient email address. Apply settings as explained above.

      I am not sure how I can verify that "the certificate used is appropriate and valid". Thanks all.

        • 1. Re: Lots of bounced back email, 554 Certificate rejected over TLS.

          Hi duwang,

          Are you using the appliance default certificate or a certificate from a CA?

          Also, what is the version of MEG in question? Is this affecting incoming, outgoing or email in both directions?

          • 2. Re: Lots of bounced back email, 554 Certificate rejected over TLS.
            duwang

            I am using the appliance default certificate, the version of MEG is 7.5, and this affects outbound email so far...

            • 3. Re: Lots of bounced back email, 554 Certificate rejected over TLS.

              Have a look at KB78818 as it may help you in this case.

              • 4. Re: Lots of bounced back email, 554 Certificate rejected over TLS.
                duwang

                According to the article,

                "Solution: The ideal solution for this issue is for the remote server administrators to fix their mail server so that it will use TLS 1.2, if available."

                So does it mean we need to contact the recipient side? But more than 10 recipient domains have this error... that's too many, isn't it? Is there a way we can send email with no TLS encryption?


                • 5. Re: Lots of bounced back email, 554 Certificate rejected over TLS.
                  galaxyus

                  I have got the same error with TLS: Certificate rejected over TLS. (sslv3 alert bad record mac)

                  Example domains: home.pl, aol.com, .....

                  Following KB78818 did not resolve it.

                  Following KB74897, we have to manually add the IP of the remote MTA; adding by wildcard domain has no effect. (I had to use "never use TLS" with their domains; not comfortable, not safe?)

                  As duwang said, if we have a lot of domains getting this error returned, what can we do? The issue really affects business. There seems to be no other choice.

                  Gala.

                  • 6. Re: Lots of bounced back email, 554 Certificate rejected over TLS.
                    rbarboza

                    Hi

                    Maybe you can resolve it by checking the option:

                    TLS Options (Advanced)

                    Put a check on: Allow anonymous key exchange

                    • 7. Re: Lots of bounced back email, 554 Certificate rejected over TLS.
                      duwang

                      Hi Galaxyus, I followed your instructions: manually added the IP of the remote MTA (adding by wildcard domain has no effect) and chose never to use TLS with their domains. Thank you so much.

                      • 8. Re: Lots of bounced back email, 554 Certificate rejected over TLS.
                        duwang

                        Hi Rbarboza, this doesn't work. Thanks anyway.

                        • 9. Re: Lots of bounced back email, 554 Certificate rejected over TLS.
                          ijahnke

                          You can't use the default cert unless the recipient side has the CA cert; otherwise it will fail client authentication. Here are a couple of things to try:

                          1.) Make sure that the certificate has the ability to authenticate as a server and a client:

                          # Note: the example assumes the default cert is being used; otherwise the path is /config/wsxmlconf/cert/<cert_name>

                          Fri Sep 27:root  ~ infantile$  openssl x509 -noout -in /config/wsxmlconf/cert/appliance_ssl.crt -purpose
                          Certificate purposes:
                          SSL client : Yes
                          SSL client CA : No
                          SSL server : Yes
                          SSL server CA : No
                          Netscape SSL server : Yes
                          Netscape SSL server CA : No
                          S/MIME signing : Yes
                          S/MIME signing CA : No
                          S/MIME encryption : Yes
                          S/MIME encryption CA : No
                          CRL signing : Yes
                          CRL signing CA : No
                          Any Purpose : Yes
                          Any Purpose CA : Yes
                          OCSP helper : Yes
                          OCSP helper CA : No
                          Time Stamp signing : No
                          Time Stamp signing CA : No

                          2.) Connect to the server that is requesting client authentication and check the results (the error will be at the beginning):

                          openssl s_client  -connect 10.10.130.215:25 -starttls smtp -cert /config/wsxmlconf/cert/appliance_ssl.crt -key /config/wsxmlconf/cert/appliance_ssl.key -CApath /config/wsxmlconf/cadir/

                          Fri Sep 27:root  ~ infantile$ openssl s_client  -connect 10.10.130.215:25 -starttls smtp -cert /config/wsxmlconf/cert/appliance_ssl.crt -key /config/wsxmlconf/cert/appliance_ssl.key -CApath /config/wsxmlconf/cadir/
                          CONNECTED(00000003)
                          depth=1 DC = com, DC = mfesupport, CN = pride
                          verify return:1
                          depth=0 C = US, ST = MN, L = Saint Paul, O = Mfesupport, OU = Email Gateway, CN = lackadaisical.mfesupport.com, emailAddress = support@mfesupport.com
                          verify return:1
                          139710746654536:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1256:SSL alert number 43
                          139710746654536:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
                          ---
                          Certificate chain
                          0 s:/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=lackadaisical.mfesupport.com/emailAddress=support@mfesupport.com
                             i:/DC=com/DC=mfesupport/CN=pride
                          1 s:/DC=com/DC=mfesupport/CN=pride
                             i:/DC=com/DC=mfesupport/CN=pride

                          Here is an example of a successful connection; it will have a very large TLS session ticket and end with a "250 STARTTLS" command:

                          CONNECTED(00000003)
                          depth=1 DC = com, DC = mfesupport, CN = pride
                          verify return:1
                          depth=0 C = US, ST = MN, L = Saint Paul, O = Mfesupport, OU = Email Gateway, CN = infantile.megsupport.com, emailAddress = support@mfesupport.com
                          verify return:1
                          ---
                          Certificate chain
                          0 s:/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=infantile.megsupport.com/emailAddress=support@mfesupport.com
                             i:/DC=com/DC=mfesupport/CN=pride
                          1 s:/DC=com/DC=mfesupport/CN=pride
                             i:/DC=com/DC=mfesupport/CN=pride
                          ---
                          Server certificate

                          -----BEGIN CERTIFICATE-----

                          MIIFxDCCBKygAwIBAgIKJCLk4AAAAAAACzANBgkqhkiG9w0BAQsFADBBMRMwEQYK

                          CZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKbWZlc3VwcG9ydDEOMAwG

                          A1UEAxMFcHJpZGUwHhcNMTMwOTI3MTkxNzQyWhcNMTUwOTI3MTkxNzQyWjCBpjEL

                          MAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1OMRMwEQYDVQQHEwpTYWludCBQYXVsMRMw

                          EQYDVQQKEwpNZmVzdXBwb3J0MRYwFAYDVQQLEw1FbWFpbCBHYXRld2F5MSEwHwYD

                          VQQDExhpbmZhbnRpbGUubWVnc3VwcG9ydC5jb20xJTAjBgkqhkiG9w0BCQEWFnN1

                          cHBvcnRAbWZlc3VwcG9ydC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK

                          AoIBAQDTc/W4ueNQ0NMwO89mmy8X5dM/UBNqFYc7FBkogVdpjyiLrodv7hurtG3T

                          p+ZY1YkBOlDkoJPpCxArBnOaRQ7KXiBePe7Lkui9YUKUM6UGn1DER8z/6ch5cfwD

                          v8EcHjULvMUqTjcS0jHYmwZ5tY2gV/VYQd30Ic8bTuSlhxNsavgnQ2sNpW7lwK5f

                          2uGaZtZUl346apmjER1oAUDL1T/9Fo/aTVHlYZA38IDDqSW8pi4YW2m+pKE9gGnn

                          Pf0FeiT/1YPLse8Tyn9F8VLMENpvPIC601XUzyxoD3PNp5D5th51HWaZU1wngeJH

                          pi/0BMHZQROUdh/VKgYUFkH0owxBAgMBAAGjggJWMIICUjA6BgNVHREEMzAxgglp

                          bmZhbnRpbGWCGGluZmFudGlsZS5tZWdzdXBwb3J0LmNvbYcECgqAyYcEfwAAATAd

                          BgNVHQ4EFgQUZ1Audvh3A6x8TPJKZRs1Y2JOwaswHwYDVR0jBBgwFoAUPjS4PWXS

                          bb8mLoWoB1u7uhg2hqkwgc4GA1UdHwSBxjCBwzCBwKCBvaCBuoaBt2xkYXA6Ly8v

                          Q049cHJpZGUsQ049V0lOLUI5ODlUQUpGTDJFLENOPUNEUCxDTj1QdWJsaWMlMjBL

                          ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1m

                          ZXN1cHBvcnQsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9v

                          YmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBugYIKwYBBQUHAQEEga0w

                          gaowgacGCCsGAQUFBzAChoGabGRhcDovLy9DTj1wcmlkZSxDTj1BSUEsQ049UHVi

                          bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv

                          bixEQz1tZmVzdXBwb3J0LERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0

                          Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTAhBgkrBgEEAYI3FAIEFB4SAFcA

                          ZQBiAFMAZQByAHYAZQByMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEF

                          BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAePdiSNJujodyyj4/upmVXemWMQ2+gMj0

                          7mCrtcr3TX484OV8aaMTnWS7EUYcRmii5G5ZroVLlTzE3s1YVCrz2LQFs+SHlEBI

                          fqUoPq0wDtpttDU8VJZIq/Viv7xcsNPVby3i1nDCtyaH6JEwEqFtfKp3L6kZXGmA

                          xHpJjJsXOXoPxGg5D5nKuryJdOkk7Fk+8SAyzCmSR8HylBQ4LURa5sZBunS5VmJy

                          ng2BpUd6VFt1WhLCHen0gU9YTxLKznSO3rnvsg7+Iv9buddHCaIyPGoTSyIlIXbM

                          g9Uk7YqzPDdDtLe8JSe1M94bkTR0zQHM5a4NMxRgy5KhZUNDrHIiCQ==

                          -----END CERTIFICATE-----

                          subject=/C=US/ST=MN/L=Saint Paul/O=Mfesupport/OU=Email Gateway/CN=infantile.megsupport.com/emailAddress=support@mfesupport.com
                          issuer=/DC=com/DC=mfesupport/CN=pride
                          ---
                          No client certificate CA names sent
                          ---
                          SSL handshake has read 3832 bytes and written 2710 bytes
                          ---
                          New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
                          Server public key is 2048 bit
                          Secure Renegotiation IS supported
                          Compression: zlib compression
                          Expansion: zlib compression
                          SSL-Session:
                              Protocol  : TLSv1.2
                              Cipher    : AES256-GCM-SHA384
                              Session-ID: 23467590BE1BCE53BA5F3A4A401C44DFA84748D1ADF4AA86EFB74608E092FF79
                              Session-ID-ctx:
                              Master-Key: 4F538A7E6A8DB95537524CD673E0A9B4FFA26FE9D80CA90D8B7A34BA1C291284BCA98E7166CFB80A4D65A9A4E16422B1
                              Key-Arg   : None
                              Krb5 Principal: None
                              PSK identity: None
                              PSK identity hint: None
                              TLS session ticket lifetime hint: 300 (seconds)
                              TLS session ticket:

                              0000 - 15 e5 d1 e1 f8 ea 53 a0-5d af 80 db 2a 66 bf e8   ......S.]...*f..

                              0010 - 9e 4f 7a 41 18 43 ca fa-b3 a4 a8 26 da 3d 6f 04   .OzA.C.....&.=o.

                              0020 - 56 ec 3a 14 c9 20 49 3e-d6 86 fa a5 57 96 bb f4   V.:.. I>....W...

                              0030 - e6 47 1a 8f 02 c3 1e dd-3b a9 fb 27 1f e3 c8 f1   .G......;..'....

                              0040 - 2a e0 cb 6f a0 c6 24 59-ea 7a 05 10 85 11 43 3c   *..o..$Y.z....C<

                              0050 - 44 27 67 d2 09 42 ed a7-cc 53 67 ab d9 36 b2 03   D'g..B...Sg..6..

                              0060 - 90 97 84 da 9f a9 5c 2d-7e 2b dc f0 72 03 92 75   ......\-~+..r..u

                              0070 - 1e 10 b3 2d 0d e6 41 25-74 74 aa 6d 61 a1 65 54   ...-..A%tt.ma.eT

                              0080 - 8f d1 09 06 f8 82 d5 6e-ab 27 be 44 18 ac 99 02   .......n.'.D....

                              0090 - 25 79 62 a8 c0 4e d5 3f-15 65 e8 45 00 70 22 39   %yb..N.?.e.E.p"9

                              00a0 - 17 09 e9 11 80 2e 64 09-16 a0 56 8d 1e e9 e9 a5   ......d...V.....

                              00b0 - 53 93 b8 e8 2c 00 51 56-6a 21 20 8f 1d 89 e0 4f   S...,.QVj! ....O

                              00c0 - 51 da 27 22 cb b5 13 2b-4b 9e 62 3e e7 33 cf 46   Q.'"...+K.b>.3.F

                              00d0 - cd a2 1b 41 cd f8 d3 8c-74 d6 bb c4 5e 5b 2c 28   ...A....t...^[,(

                              00e0 - 07 22 d7 2c d5 0b 0d ba-73 a9 15 92 d5 58 ae 0e   .".,....s....X..

                              00f0 - bc de 32 2e 06 ef 0e eb-12 96 72 3a 3f d8 38 d4   ..2.......r:?.8.

                              0100 - a7 57 77 e4 5d 7d ed fa-27 db 15 3e 4a fa 89 e7   .Ww.]}..'..>J...

                              0110 - 35 15 55 b4 0f 4a 18 8b-66 0b f4 7a f2 70 b9 b8   5.U..J..f..z.p..

                              0120 - 34 80 c7 22 12 0d 58 4c-c5 d4 8b d4 95 93 6b 7a   4.."..XL......kz

                              0130 - 91 0b bf 4d 1f 4a c5 9f-db 4b 62 43 7d 14 3a 3d   ...M.J...KbC}.:=

                              0140 - 15 08 df e5 c6 0b 02 6c-5b f8 4a 61 82 9b 31 b5   .......l[.Ja..1.

                              0150 - f6 6b c9 9d 72 2a 42 1c-3d 53 66 6f 77 99 c6 48   .k..r*B.=Sfow..H

                              0160 - 4f cb 68 ab da a9 f5 ca-3f 4a ca 7b 6c 52 b0 90   O.h.....?J.{lR..

                              0170 - 8c c2 37 3d 3e 66 07 44-ec d1 4e 66 9f 97 e4 d3   ..7=>f.D..Nf....

                              0180 - 3d 3d cd 3e 34 75 42 5b-49 cd 36 09 ed 76 78 43   ==.>4uB[I.6..vxC

                              0190 - 0d 78 95 10 0e c8 11 fa-47 75 93 fa b4 eb f8 77   .x......Gu.....w

                              01a0 - b2 a1 39 e7 63 df 2f 45-6f d4 62 86 fa b3 0f 43   ..9.c./Eo.b....C

                              01b0 - dc e8 c4 bb f7 46 81 4d-75 f1 e7 22 1f ad b5 53   .....F.Mu.."...S

                              01c0 - 43 69 3c 75 e1 19 dc 0e-43 52 91 ab 6c b5 6f 75   Ci<u....CR..l.ou

                              01d0 - 25 8e c2 41 3c e7 cb 5b-bc 24 b2 a7 ec 81 c1 b2   %..A<..[.$......

                              01e0 - 22 b1 2e 8d 64 6e e2 bf-c3 77 bf 26 c6 b9 d8 26   "...dn...w.&...&

                              01f0 - eb fa 4a 68 e4 4d c6 14-96 87 c0 4a 85 a5 89 10   ..Jh.M.....J....

                              0200 - b2 d7 8a 2e a5 27 49 bf-2d d3 5d ba d1 d5 0f ec   .....'I.-.].....

                              0210 - 89 ce 6e 0d f8 58 c3 da-a1 2c 32 06 81 56 e1 71   ..n..X...,2..V.q

                              0220 - e5 5d b1 51 ec 7f be 49-53 74 85 67 36 00 f0 2e   .].Q...ISt.g6...

                              0230 - 9b 0a 0a 25 d0 7e 7e aa-94 81 fb b7 ac 7c 98 bd   ...%.~~......|..

                              0240 - 5f f9 01 24 9f af c0 bd-4a 00 8c 96 ab e8 f9 91   _..$....J.......

                              0250 - 05 31 f5 13 04 63 a9 0f-03 33 75 25 7e e5 af 1e   .1...c...3u%~...

                              0260 - 92 d0 b5 df 76 6d 2e cf-99 32 76 8f 22 a0 a3 66   ....vm...2v."..f

                              0270 - 53 b8 07 1a 9a ef 96 bc-6e 02 24 61 fd 28 e4 41   S.......n.$a.(.A

                              0280 - ee 50 74 f7 a0 96 b4 3b-9b 92 bb 93 68 72 d1 9b   .Pt....;....hr..

                              0290 - 98 f9 58 e4 43 17 4b a2-63 88 49 37 08 31 38 49   ..X.C.K.c.I7.18I

                              02a0 - 12 2a 72 ad 98 e0 56 f9-58 c3 96 a5 9a 64 30 fd   .*r...V.X....d0.

                              02b0 - e4 19 a2 af ca 3d 39 49-cf 80 cc 61 60 37 ac c7   .....=9I...a`7..

                              02c0 - 61 fa 7a 72 10 d4 ea da-12 eb 26 52 4d b3 d4 23   a.zr......&RM..#

                              02d0 - ac a3 9f 7a 77 43 c6 cc-4c fb a1 31 07 30 7f 3f   ...zwC..L..1.0.?

                              02e0 - d9 ed 9c 2d d2 46 69 a1-8d 9a b0 c7 47 ff 19 68   ...-.Fi.....G..h

                              02f0 - cf f0 61 e3 3c 4a 24 46-f7 98 50 d6 ec 1e b3 5c   ..a.<J$F..P....\

                              0300 - 27 1b d0 12 a8 8b 94 a2-17 ec 9a fa 12 8a 7a d3   '.............z.

                              0310 - d5 67 e1 58 94 57 89 2c-e1 8a ce 94 15 ef 7c 70   .g.X.W.,......|p

                              0320 - 21 ab 46 ef ad e6 7a 3d-14 b1 a0 cf ce e1 88 1b   !.F...z=........

                              0330 - 88 31 31 a2 1f f4 17 c0-b9 2c 33 11 de 91 62 9b   .11......,3...b.

                              0340 - 21 df e3 48 07 32 15 fe-ad 90 c0 87 af 34 e3 01   !..H.2.......4..

                              0350 - df 6a ed 2e 95 46 75 46-58 02 39 75 11 85 2c 4b   .j...FuFX.9u..,K

                              0360 - 40 1a 47 4d 2d ee 61 d7-16 b5 cf 29 04 ec bc 3f   @.GM-.a....)...?

                              0370 - d7 ac b0 77 7a b9 88 b4-f3 46 9f 18 f7 5b 7a 19   ...wz....F...[z.

                              0380 - a0 e3 3f cd 94 2b 56 ac-a5 3a 4b 9b b0 b8 40 10   ..?..+V..:K...@.

                              0390 - 11 f7 48 b3 35 e4 37 d7-26 e7 84 22 8a 8e 21 87   ..H.5.7.&.."..!.

                              03a0 - 0d a7 b9 ec ac 62 db 2e-47 1f f9 ab f6 d4 d0 67   .....b..G......g

                              03b0 - b4 cf 52 c8 1b 2c c5 cb-84 bf cb 59 d7 05 7e b1   ..R..,.....Y..~.

                              03c0 - fc 34 9d be 67 11 73 e8-ae 29 3b 3e 30 30 a8 d6   .4..g.s..);>00..

                              03d0 - 87 d2 5f 9f 2b 3c 13 53-26 6e 28 bd 1d d1 ec a9   .._.+<.S&n(.....

                              03e0 - 92 ca d1 6b 5c bf e2 c6-27 82 a0 94 55 2e 17 4a   ...k\...'...U..J

                              03f0 - 49 e8 72 00 92 b0 1a 54-5b 40 ae 7b 64 2f a4 a4   I.r....T[@.{d/..

                              0400 - 34 a8 44 e6 7e cc 98 de-87 02 51 63 48 dc b3 c5   4.D.~.....QcH...

                              0410 - 2b 93 cb d2 25 ac 83 25-eb c2 c0 c9 36 f1 70 ef   +...%..%....6.p.

                              0420 - e8 64 63 1c 1e e9 5a cc-5f 7f 34 ca e8 d7 7f b4   .dc...Z._.4.....

                              0430 - a3 a3 6d 8b 8e d6 15 a8-24 92 82 25 5c 21 9f 28   ..m.....$..%\!.(

                              0440 - 6b 11 62 62 10 0b d0 17-15 ee 2b cb 99 3c b4 bf   k.bb......+..<..

                              0450 - ce 28 a5 1b a0 c0 91 da-1a f5 f7 fa 8e 30 67 b9   .(...........0g.

                              0460 - 4e 34 c0 a6 17 5f 7d 5a-55 d1 08 98 55 97 0b 22   N4..._}ZU...U.."

                              0470 - 93 f1 7d 0f 3c 1b 5f 8e-37 de a3 99 b3 dd d6 ff   ..}.<._.7.......

                              Compression: 1 (zlib compression)
                              Start Time: 1380320766
                              Timeout   : 300 (sec)
                              Verify return code: 0 (ok)
                          ---
                          250 STARTTLS

                          on 9/27/13 5:39:12 PM CDT
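The two checks in the reply above (does the gateway certificate carry the client-authentication purpose, and what did the STARTTLS handshake actually return) can be scripted so that a mail administrator can run them against any certificate and any saved s_client transcript. The POSIX shell below is an added example written for this page; it is not code from the thread or from the appliance vendor. It assumes only that `openssl` is on PATH. The certificates it inspects are self-signed test certificates it generates itself (one with serverAuth+clientAuth, one with serverAuth only), and the transcripts it summarizes are constructed fragments in the same format as the output quoted above; the appliance paths under /config/wsxmlconf are not touched.

```sh
#!/bin/sh
# Added example: helpers around the two openssl checks from the post above.
# Assumes openssl is on PATH. All files used are constructed test data.

# Does the PEM certificate in $1 have the purpose $2 (e.g. "SSL client")?
# Mirrors `openssl x509 -noout -purpose`: a certificate whose extendedKeyUsage
# lacks clientAuth prints "SSL client : No" and cannot satisfy the onward
# server's client-authentication request.
cert_has_purpose() {
  openssl x509 -noout -purpose -in "$1" | grep -q "^$2 : Yes"
}

# Reduce a saved `openssl s_client -starttls smtp` transcript ($1) to one
# line: "alert <n>" if the peer sent a TLS alert (exit 1), otherwise
# "verify <code>" from the Verify return code line (exit 0 only for code 0).
handshake_summary() {
  alert=$(sed -n 's/.*SSL alert number \([0-9]*\).*/\1/p' "$1" | head -n 1)
  if [ -n "$alert" ]; then
    echo "alert $alert"
    return 1
  fi
  code=$(sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' "$1" | head -n 1)
  echo "verify ${code:-unknown}"
  [ "$code" = "0" ]
}

# Generate a self-signed test certificate "$1.crt"/"$1.key" whose extensions
# come from config section $2 (ext_both or ext_server_only). Constructed data.
make_test_cert() {
  cfg="$1.cnf"
  cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ext_both]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ext_server_only]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=gateway.example.test" -config "$cfg" -extensions "$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Write two constructed transcript fragments into directory $1: one failed
# handshake (alert 43, unsupported certificate) and one successful one.
write_sample_transcripts() {
  cat > "$1/failed.txt" <<'EOF'
CONNECTED(00000003)
depth=0 CN = gateway.example.test
verify return:1
1:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1256:SSL alert number 43
EOF
  cat > "$1/ok.txt" <<'EOF'
CONNECTED(00000003)
    Verify return code: 0 (ok)
---
250 STARTTLS
EOF
}

# Stand-alone demonstration on the constructed data.
demo() {
  d=$(mktemp -d)
  make_test_cert "$d/both" ext_both
  make_test_cert "$d/server" ext_server_only
  write_sample_transcripts "$d"
  for c in both server; do
    if cert_has_purpose "$d/$c.crt" "SSL client"; then
      echo "$c.crt: usable for TLS client authentication"
    else
      echo "$c.crt: NOT usable for TLS client authentication"
    fi
  done
  handshake_summary "$d/failed.txt" || true   # prints "alert 43"
  handshake_summary "$d/ok.txt"               # prints "verify 0"
  rm -rf "$d"
}

demo
```

On a real gateway you would point `cert_has_purpose` at the certificate selected under Authenticate Self and feed `handshake_summary` a transcript captured with the s_client command from the post; "alert 43" is the unsupported-certificate alert seen in the failed transcript above, and a non-zero verify code points at the CA chain rather than at the certificate's purposes.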