MTA-STS enabled but SSL cert not trusted

From: Bobby
Date: 3/20/24 9:13 AM
Topic: MTA-STS enabled but SSL cert not trusted
Type: General Discussions

We're evaluating Xeams for production use as a secure email gateway (firewall mode). I'm nearly done with the setup but have run into a problem. I've sent a test message from my work PC to Xeams, addressed from my work email address to my personal Gmail address. The message sits in the Xeams outbound queue. After an hour an NDR is generated.

I'll include all relevant logs below. I have left MTA-STS enabled. Our domain is not configured for it. I have also obtained a Let's Encrypt certificate, enabled the HTTPS and SMTPS ports, and enabled STARTTLS. Xeams ver 9.0 build 6304.

OutboundAuditTrailFailure.log

2024-03-19 17:17:07,947 - [        13] 172.253.123.27,redacted@gmail.com,redacted@redacted.com,748,[Failure reason: MTA-STS is enabled for gmail.com but SSL certificate is not trusted. Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target],Test Message

SMTPOutboundConversation.log

2024-03-19 16:46:46,071 - [ 12] ************ New connection to: 142.251.162.26
2024-03-19 16:46:46,086 - [ 12] C --> 220 mx.google.com ESMTP g17-20020a056102081100b00471e6a50a3dsi1306821vsb.580 - gsmtp
2024-03-19 16:46:46,086 - [ 12] S <-- EHLO xeams.redacted.com
2024-03-19 16:46:46,110 - [ 12] C --> 250-mx.google.com at your service, [149.28.109.235]
2024-03-19 16:46:46,110 - [ 12] C --> 250-SIZE 157286400
2024-03-19 16:46:46,110 - [ 12] C --> 250-8BITMIME
2024-03-19 16:46:46,110 - [ 12] C --> 250-STARTTLS
2024-03-19 16:46:46,110 - [ 12] C --> 250-ENHANCEDSTATUSCODES
2024-03-19 16:46:46,110 - [ 12] C --> 250-PIPELINING
2024-03-19 16:46:46,110 - [ 12] C --> 250-CHUNKING
2024-03-19 16:46:46,110 - [ 12] C --> 250 SMTPUTF8
2024-03-19 16:46:46,110 - [ 12] S <-- STARTTLS
2024-03-19 16:46:46,123 - [ 12] C --> 220 2.0.0 Ready to start TLS
2024-03-19 16:46:46,123 - [ 12] ************ New (secure) connection to: 142.251.162.26
2024-03-19 16:46:46,124 - [ 12] S <-- EHLO spam.gohypersonic.com
2024-03-19 16:46:46,172 - [ 12] S <-- QUIT
2024-03-19 16:46:46,172 - [ 12] ~~~~~~~~~~~~ Connection Terminated ( 49)

From: Synametrics Support
Date: 3/20/24 1:08 PM
Topic: MTA-STS enabled but SSL cert not trusted
Type: General Discussions

Bobby,

Please refer to https://www.xeams.com/troubleshooting-emails-to-gmail-with-mta-sts.htm for an explanation.

From: Bobby
Date: 3/20/24 4:09 PM
Topic: MTA-STS enabled but SSL cert not trusted
Type: General Discussions

Our Xeams host is directly connected to the internet; it's in a public cloud. There's no firewall handling of SMTP. I was able to successfully test with the Email Sender tool. The certificates presented look normal.

SSL Certificate for: gmail.com
Issued by: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US, valid until: Mon May 20 04:18:12 EDT 2024, Host: CN=mx.google.com
Issued by: CN=GTS Root R1,O=Google Trust Services LLC,C=US, valid until: Wed Sep 29 20:00:42 EDT 2027, Host: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
Issued by: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, valid until: Thu Jan 27 19:00:42 EST 2028, Host: CN=GTS Root R1,O=Google Trust Services LLC,C=US
Total certificates: 3

=============================================================

From: Synametrics Support
Date: 3/20/24 4:18 PM
Topic: MTA-STS enabled but SSL cert not trusted
Type: General Discussions

Could you please try the following:

  • First, disable MTA-STS. Click Reports/MTA-STS & TLS Reporting, then uncheck MTA-STS Enabled. Once you've done this, try sending the message again from the Outbound Queue.

    Let me know if the message goes through.
  • Next, click on the Tools menu (the word Tools itself). The following page will display a few tools. Run a DNS Lookup on gmail.com and paste the text for the MX record here.

From: Bobby
Date: 3/21/24 7:32 AM
Topic: MTA-STS enabled but SSL cert not trusted
Type: General Discussions

As of this morning I can't reproduce the issue. MTA-STS is enabled and test messages are going through to Google. I see the TLS connection in the SMTPOutbound log. Yesterday in my testing I saw five different Google IPs, and a sixth this morning. I'm not sure what conclusion to draw from this. It's working, so I guess that's a win.

Just for fun, here are the results of a DNS lookup this morning.

DNS Server used: dns://108.61.10.10 dns://[2001:19f0:300:1704::6]
A 172.217.15.197
MX 20 alt2.gmail-smtp-in.l.google.com.
      209.85.202.27
30 alt3.gmail-smtp-in.l.google.com.
      64.233.184.26
10 alt1.gmail-smtp-in.l.google.com.
      64.233.186.26
5 gmail-smtp-in.l.google.com.
      173.194.212.26
40 alt4.gmail-smtp-in.l.google.com.
      142.250.27.26
TXT: globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8=
v=spf1 redirect=_spf.google.com

From: Synametrics Support
Date: 3/21/24 8:17 AM
Topic: MTA-STS enabled but SSL cert not trusted
Type: General Discussions

Hmm. That is strange indeed. The good news is it is working now.

One peculiar thing regarding Gmail is that their DNS server returns different IPs based on the load (I think). For example, the same test on our end returns the following values.

MX 20 alt2.gmail-smtp-in.l.google.com.
      173.194.219.27
40 alt4.gmail-smtp-in.l.google.com.
      172.217.197.26
30 alt3.gmail-smtp-in.l.google.com.
      142.250.112.26
5 gmail-smtp-in.l.google.com.
      74.125.69.26
10 alt1.gmail-smtp-in.l.google.com.
      173.194.77.27

Although unlikely, I wonder if there was a problem with an SSL certificate on one of Google's servers. The log you posted earlier shows 172.253.123.27 as the IP address. I tried using Email Sender by specifying this IP, but it shows a valid certificate.

Let us know if this happens again.

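Added example, not part of this thread and not Xeams code: a small Python model of the two checks behind the failure in the first post and the DNS lookups later on. It parses an MTA-STS policy in the RFC 8461 text format, matches MX hostnames against the policy's mx: patterns (wildcard only in the leftmost label, so alt2.gmail-smtp-in.l.google.com matches *.gmail-smtp-in.l.google.com but a.b.gmail-smtp-in.l.google.com does not), and then decides whether an enforce-mode policy allows delivery given what the TLS handshake showed. The policy text, both trust stores and the leaf certificate's name list are constructed assumptions; the issuer names are the ones from the certificate chain posted above. The chain check is a name-only stand-in for PKIX path building (it does not verify signatures or dates) and exists to show why a trust store lacking the chain's root produces "unable to find valid certification path" and, under enforce mode, a queued message and an NDR. Note that the MX check is by hostname, not IP address.

```python
"""Added example: MTA-STS policy parsing and delivery decision (not Xeams code)."""
from dataclasses import dataclass

# Constructed policy in the RFC 8461 text format (the file a domain serves at
# https://mta-sts.<domain>/.well-known/mta-sts.txt). The mx: patterns are an
# assumption shaped to cover the MX hostnames from the thread's DNS lookups.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: gmail-smtp-in.l.google.com
mx: *.gmail-smtp-in.l.google.com
max_age: 86400
"""

# Issuer DNs exactly as the Email Sender output in the thread lists them, leaf first.
GOOGLE_CHAIN_ISSUERS = [
    "CN=GTS CA 1C3,O=Google Trust Services LLC,C=US",
    "CN=GTS Root R1,O=Google Trust Services LLC,C=US",
    "CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE",
]
# Constructed trust stores: one that contains the chain's roots, one that does not.
FULL_TRUST_STORE = {GOOGLE_CHAIN_ISSUERS[1], GOOGLE_CHAIN_ISSUERS[2]}
STALE_TRUST_STORE = {"CN=Some Other Root,O=Example,C=US"}
# Assumed SAN list for the leaf; only CN=mx.google.com is visible in the thread.
ASSUMED_CERT_NAMES = ["mx.google.com", "gmail-smtp-in.l.google.com",
                      "*.gmail-smtp-in.l.google.com"]


@dataclass
class StsPolicy:
    mode: str
    mx_patterns: list
    max_age: int


def parse_policy(text):
    """Parse an MTA-STS policy body; raise ValueError on anything malformed."""
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            fields["mx"].append(value.lower())  # mx may repeat
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if mode != "none" and not fields["mx"]:
        raise ValueError("policy needs at least one mx entry")
    try:
        max_age = int(fields["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer") from None
    return StsPolicy(mode, fields["mx"], max_age)


def host_matches(pattern, host):
    """RFC 8461 / RFC 6125 style match: '*' may only replace the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, tail = host.partition(".")
        return bool(sep) and head != "" and tail == pattern[2:]
    return pattern == host


def chain_anchored(chain_issuers, trusted_roots):
    """Name-only stand-in for PKIX path building: does any issuer sit in the store?
    Real validation also verifies signatures, validity dates and key usage."""
    return any(issuer in trusted_roots for issuer in chain_issuers)


@dataclass
class TlsObservation:
    mx_host: str        # MX hostname the connection was made to (not its IP)
    starttls: bool      # peer advertised and completed STARTTLS
    chain_issuers: list # issuer DNs of the presented chain, leaf first
    cert_names: list    # CN and SAN dNSNames on the leaf certificate


def decide_delivery(policy, obs, trusted_roots):
    """Return (deliver, reason). In enforce mode any failed check blocks delivery."""
    if policy.mode == "none":
        return True, "policy mode none: no TLS requirement"
    failures = []
    if not any(host_matches(p, obs.mx_host) for p in policy.mx_patterns):
        failures.append(f"MX {obs.mx_host} not listed in policy")
    if not obs.starttls:
        failures.append("STARTTLS not offered")
    elif not chain_anchored(obs.chain_issuers, trusted_roots):
        failures.append("SSL certificate is not trusted: no path to a trusted root")
    elif not any(host_matches(n, obs.mx_host) for n in obs.cert_names):
        failures.append(f"certificate does not name {obs.mx_host}")
    if not failures:
        return True, "MTA-STS checks passed"
    reason = "; ".join(failures)
    if policy.mode == "enforce":
        return False, f"refusing delivery (enforce): {reason}"
    return True, f"delivering anyway (testing); would report: {reason}"


def observe(mx_host):
    """Constructed handshake result for one of the MX hosts from the thread."""
    return TlsObservation(mx_host, True, GOOGLE_CHAIN_ISSUERS, ASSUMED_CERT_NAMES)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for store_name, store in (("full", FULL_TRUST_STORE), ("stale", STALE_TRUST_STORE)):
        ok, why = decide_delivery(policy, observe("alt2.gmail-smtp-in.l.google.com"), store)
        print(f"{store_name} trust store -> deliver={ok}: {why}")
```

Running it with the stale store reproduces the shape of the OutboundAuditTrailFailure entry (delivery refused because the chain has no trusted root), while the same chain against the full store passes; switching the policy's mode to testing turns the same failure into a deliver-and-report outcome.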