Outbound TLS in FE/BE environment
  • Outbound TLS in FE/BE environment

    E2K3 SP2, 1 BE server, and 1 FE server.

    BE server has a single SMTP virtual server with default configuration
    FE server has 2 SMTP virtual servers:
    - Default SMTP - configuration for non-secure mail,
    - TLS SMTP - configured for TLS mail (inbound and outbound)

    2 Connectors have been established:
    - Internet Mail: Uses DNS to route, local bridgehead is the FE with the Default SMTP virtual server, address space of *, cost 2
    - TLS Mail: Uses DNS to route, local bridgehead is FE with the TLS SMTP virtual server, address space of domain1.com, cost 1

    TLS Required is set on the TLS Mail routing connector, advanced tab/outbound security. TLS required is NOT set on the TLS SMTP Virtual Server.

    Routing connectors are working fine, but TLS is not. When I send an e-mail to @domain1.com, the following error is returned:

    [email protected] on 5/17/2007 11:52 AM
    The recipient could not be processed because it would violate the security policy in force
    <BE-Server.mydomain.com #5.7.0 smtp;530 5.7.0 Must issue a STARTTLS command first>

    domain1.com IS configured to accept TLS connections as verified by telnetting to domain1.com and typing STARTTLS.

    Looking at the mail headers on the failed e-mails, I never see an entry where the mail goes from the BE server to the FE server. The BE server only has the single SMTP Virtual Server established and there is no certificate installed on it. I only setup the additional SMTP virtual server on the FE with the certificate. Is this the problem, or something else?
    ** Remember to give credit where credit is due and leave reputation points where appropriate **
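The exchange the post is describing, as an added example (not code from the thread and not Exchange's own logic): a TLS Required connector has to complete the RFC 3207 STARTTLS handshake on the bridgehead before it may send MAIL FROM, and a TLS-only receiver answers MAIL FROM with exactly the "530 5.7.0 Must issue a STARTTLS command first" reply quoted above when the client skips that step. The server object below is a constructed stand-in for such a receiver; the hostnames, sender address and extension list are assumptions. `probe_live_mx` is the scripted equivalent of the telnet-and-type-STARTTLS check mentioned in the post and does go out to the network, so it is not exercised offline.

```python
"""Reproduce the RFC 3207 STARTTLS handshake a TLS Required connector must
perform, against a constructed stand-in for a TLS-only SMTP listener.
Not Exchange code: the server object is a simulation written for this example."""
import re
import smtplib
import ssl


class RequireTlsSmtpServer:
    """Constructed simulation of an MX that refuses mail until STARTTLS has
    been negotiated (the behaviour behind the 530 5.7.0 reply in the post)."""

    def __init__(self, hostname="mx.domain1.com"):  # hostname is an assumption
        self.hostname = hostname
        self.tls_active = False
        self.greeted = False

    def greeting(self):
        return "220 %s ESMTP ready" % self.hostname

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.greeted = True
            reply = ["250-%s Hello %s" % (self.hostname, arg), "250-SIZE 10485760"]
            if not self.tls_active:          # STARTTLS is only advertised pre-TLS
                reply.append("250-STARTTLS")
            reply.append("250 OK")
            return "\r\n".join(reply)
        if verb == "STARTTLS":
            if self.tls_active:
                return "503 5.5.1 TLS already active"
            self.tls_active = True
            self.greeted = False             # RFC 3207: session state is reset
            return "220 2.0.0 Ready to start TLS"
        if verb in ("MAIL", "RCPT", "DATA"):
            if not self.tls_active:
                return "530 5.7.0 Must issue a STARTTLS command first"
            if not self.greeted:
                return "503 5.5.1 Send EHLO first"
            return "250 2.1.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def ehlo_extensions(reply):
    """Keywords from a multi-line 250 EHLO reply (first line is the hostname)."""
    exts = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def reply_code(reply):
    return int(reply.splitlines()[-1][:3])


def deliver(server, helo_name="BE-Server.mydomain.com", use_starttls=True):
    """Drive one delivery attempt; return (transcript, final MAIL FROM code).
    transcript is a list of (client line, server reply) pairs."""
    transcript = [("", server.greeting())]

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        return reply

    reply = send("EHLO " + helo_name)
    if use_starttls:
        if "STARTTLS" not in ehlo_extensions(reply):
            return transcript, None          # cannot satisfy a TLS requirement
        if reply_code(send("STARTTLS")) != 220:
            return transcript, None
        # A real client wraps the socket here, e.g.
        # ssl.create_default_context().wrap_socket(sock, server_hostname=host),
        # then must EHLO again because the pre-TLS extension list is discarded.
        send("EHLO " + helo_name)
    reply = send("MAIL FROM:<postmaster@mydomain.com>")   # sender is assumed
    return transcript, reply_code(reply)


def probe_live_mx(host, port=25, timeout=10):
    """Live check of a real MX (network access needed): does it offer STARTTLS
    and complete the handshake? Returns the negotiated cipher on success."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return {"starttls": False}
        s.starttls(context=ssl.create_default_context())
        s.ehlo()                             # mandatory re-EHLO after TLS
        return {"starttls": True, "cipher": s.sock.cipher()}


if __name__ == "__main__":
    for tls in (False, True):
        transcript, code = deliver(RequireTlsSmtpServer(), use_starttls=tls)
        print("use_starttls=%s -> MAIL FROM answered %s" % (tls, code))
        for cmd, reply in transcript:
            if cmd:
                print("C: " + cmd)
            print("S: " + reply.replace("\r\n", "\nS: "))
```

Running it prints both transcripts: the hop that never issues STARTTLS gets 530 5.7.0 on MAIL FROM, while the hop that negotiates TLS and re-issues EHLO gets 250. The second EHLO after STARTTLS matters: a client that reuses the pre-TLS extension list is out of spec, and the simulation returns 503 if MAIL FROM arrives before it.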

  • #2
    Re: Outbound TLS in FE/BE environment

    What AV are you using on the FE server? Is the AV on the back end installed correctly?
    Your log shows:
    BE-Server.mydomain.com #5.7.0 smtp;530 5.7.0 Must issue a STARTTLS command first>

    Can you add mydomain.com to the unsecured VS to allow SMTP to arrive without the TLS, not just the *?
    Once into the FE, the secured VS should make the delivery based on the address space.

    It looks like the BE is directing the connection to the Secure Virtual Server and it is expecting the STARTTLS from the BE that does not have a cert installed.
