From: | Bobby |
---|---|
Date: | 3/20/24 9:13 AM |
Topic: | MTA-STS enabled but SSL cert not trusted |
Type: | General Discussions |
We're evaluating Xeams for production use as a secure email gateway (firewall mode). I'm nearly done with the setup but have run into a problem. I've sent a test message from my work PC to Xeams and addressed it from my work email address to my personal Gmail address. The message sits in the Xeams outbound queue. After an hour an NDR is generated. I'll include all relevant logs below. I have left MTA-STS enabled. Our domain is not configured for it. I have also obtained a Let's Encrypt certificate, enabled the HTTPS and SMTPS ports and enabled STARTTLS. Xeams ver 9.0 build 6304.
OutboundAuditTrailFailure.log:
2024-03-19 17:17:07,947 - [ 13] 172.253.123.27,redacted@gmail.com,redacted@redacted.com,748,[Failure reason: MTA-STS is enabled for gmail.com but SSL certificate is not trusted. Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target],Test Message
SMTPOutboundConversation.log:
2024-03-19 16:46:46,071 - [ 12] ************ New connection to: 142.251.162.26
From: | Synametrics Support |
---|---|
Date: | 3/20/24 1:08 PM |
Topic: | MTA-STS enabled but SSL cert not trusted |
Type: | General Discussions |
Bobby, please refer to https://www.xeams.com/troubleshooting-emails-to-gmail-with-mta-sts.htm for an explanation.
From: | Bobby |
---|---|
Date: | 3/20/24 4:09 PM |
Topic: | MTA-STS enabled but SSL cert not trusted |
Type: | General Discussions |
Our Xeams host is directly connected to the internet - it's in a public cloud. There's no firewall handling of SMTP. I was able to successfully test with the email sender tool. The certificates presented look normal.
SSL Certificate for: gmail.com
From: | Synametrics Support |
---|---|
Date: | 3/20/24 4:18 PM |
Topic: | MTA-STS enabled but SSL cert not trusted |
Type: | General Discussions |
Could you please try the following:
From: | Bobby |
---|---|
Date: | 3/21/24 7:32 AM |
Topic: | MTA-STS enabled but SSL cert not trusted |
Type: | General Discussions |
As of this morning I can't reproduce the issue. MTA-STS is enabled and test messages are going through to Google. I see the TLS connection in the SMTPOutbound log. Yesterday in my testing I saw five different Google IPs and a sixth this morning. I'm not sure what conclusion to draw from this. It's working so I guess that's a win.
Just for fun, here are the results of a DNS lookup from this morning.
From: | Synametrics Support |
---|---|
Date: | 3/21/24 8:17 AM |
Topic: | MTA-STS enabled but SSL cert not trusted |
Type: | General Discussions |
Hmm. That is strange indeed. The good news is that it is working now. One peculiar thing regarding Gmail is that their DNS server returns different IPs based on the load (I think). For example, the same test on our end returns the following values.
Although unlikely, I wonder if there was a problem with an SSL certificate on one of Google's servers. The log you posted earlier shows 172.253.123.27 as the IP address. I tried using Email Sender by specifying this IP, but it shows a valid certificate. Let us know if this happens again.
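The failure in the first post (an enforce-mode MTA-STS policy for the recipient domain, plus a Java "PKIX path building failed" error, which means the sending gateway's trust store could not chain the presented certificate to a root it trusts) and the per-IP certificate check Synametrics Support describes in the last post can both be reproduced outside the gateway. The script below is an added example for this thread, not Xeams or Synametrics code: `parse_mta_sts_policy` and `mx_matches_policy` implement the RFC 8461 policy format and wildcard MX matching, `delivery_decision` shows why an untrusted chain under an enforce-mode policy leaves mail queued instead of falling back to cleartext, and `probe_mx_tls` does a STARTTLS handshake against one specific MX IP while validating the chain for the MX hostname, which is how you check each address behind a rotating DNS answer individually. The sample policy text is constructed for the example and is not gmail.com's real policy; the probe needs network access and takes the MX hostname and IP as arguments because the standard library has no MX lookup (get them from `dig MX` / `nslookup`, for example the 172.253.123.27 seen in the first log line).

```python
"""MTA-STS sender-side checks: offline policy matching plus an optional live probe.

Added example for this thread, not Xeams or Synametrics code. The sample
policy is constructed and is not gmail.com's real policy.
"""
import socket
import ssl

SAMPLE_POLICY_TEXT = """version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.mx.example.net
max_age: 604800
"""


def parse_mta_sts_policy(text):
    """Parse /.well-known/mta-sts.txt; 'mx' repeats, so it becomes a list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches_policy(mx_host, policy):
    """True if mx_host is allowed by a policy mx pattern. A leading "*."
    matches exactly one leftmost label (RFC 8461), so "*.mx.example.net"
    matches "a.mx.example.net" but not "b.a.mx.example.net"."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".mx.example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, chain_trusted):
    """What a policy-honouring sender does. enforce + untrusted chain is the
    first post's case: no cleartext fallback, so the message stays queued
    until it expires and an NDR is produced. In testing mode the failure is
    only reported (TLSRPT), never acted on."""
    if policy.get("mode") != "enforce":
        return "deliver"
    if not mx_matches_policy(mx_host, policy):
        return "defer: MX not listed in enforce-mode policy"
    if not chain_trusted:
        return "defer: certificate chain not trusted under enforce-mode policy"
    return "deliver"


def _read_reply(reader):
    """Read one possibly multi-line SMTP reply; return (code, lines)."""
    lines = []
    while True:
        line = reader.readline().decode("utf-8", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("connection closed by peer")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def probe_mx_tls(mx_host, ip, port=25, timeout=10):
    """Live check (needs network, not run by the offline test): STARTTLS to
    one specific MX IP and validate its chain against the system trust store
    with mx_host as the expected name, as the gateway does. Run it once per
    resolved IP to catch a single bad host behind a rotating DNS answer."""
    context = ssl.create_default_context()  # system CAs, hostname check on
    result = {"mx": mx_host, "ip": ip, "trusted": False, "error": None}
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            reader = sock.makefile("rb")
            if _read_reply(reader)[0] != 220:
                raise ConnectionError("unexpected SMTP banner")
            sock.sendall(b"EHLO probe.invalid\r\n")
            code, lines = _read_reply(reader)
            if code != 250 or not any("STARTTLS" in l.upper() for l in lines):
                raise ConnectionError("server did not offer STARTTLS")
            sock.sendall(b"STARTTLS\r\n")
            if _read_reply(reader)[0] != 220:
                raise ConnectionError("STARTTLS refused")
            with context.wrap_socket(sock, server_hostname=mx_host) as tls:
                cert = tls.getpeercert()
                result["subject"] = dict(rdn[0] for rdn in cert["subject"])
                result["trusted"] = True
                tls.sendall(b"QUIT\r\n")
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "verification failed: " + str(exc.verify_message)
    except (OSError, ValueError) as exc:
        result["error"] = str(exc)
    return result
```

To check a domain the way the gateway sees it, fetch its policy over HTTPS from `mta-sts.<domain>/.well-known/mta-sts.txt`, feed the body to `parse_mta_sts_policy`, then call `probe_mx_tls(mx_hostname, ip)` for every address the MX name resolves to and feed each `trusted` flag into `delivery_decision`. A `trusted: False` result for only one of the addresses would match the intermittent behaviour in this thread; a `False` for all of them usually points at the sender's own trust store (an outdated CA bundle, or a Java keystore that lacks the issuing root) rather than at the receiving side.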