Troubleshooting Emails to Gmail when MTA-STS is enabled


Gmail.com is one of the early adopters of MTA-STS, a technology that enhances confidentiality by enforcing encryption of email in transit. It works in both directions: when your domain sends messages to Gmail and when Gmail delivers messages to your domain.

MTA-STS requires the following to be true:

  • The sending MTA (mail transfer agent) throws an error if encryption cannot be used.
  • The sending MTA establishes an encrypted channel only if the receiving server's SSL certificate is trusted.
  • TLS 1.2 is used.

Encryption Breaks When Using a Firewall that Filters SMTP Traffic

Many firewalls/routers contain an SMTP filtering module. It works by inserting an SMTP proxy server between the two email servers. Consider the image below as an example:

The filtering module inspects the contents of a message before letting it reach your MTA. The only way a firewall can intercept messages between your company's MTA and Gmail is by acting as an SMTP proxy server. The following sequence of events occurs in the background:

  • Your MTA tries to connect to Gmail's SMTP server, which is hosted on gmail-smtp-in.l.google.com.
  • This request is intercepted by your router/firewall, which connects to gmail-smtp-in.l.google.com on your MTA's behalf.
  • Although the firewall connects to Gmail successfully, it has to re-encrypt the traffic before relaying it back to your MTA, and it cannot do so with Gmail's SSL certificate; it can only present its own.
  • Since MTA-STS requires a valid certificate from Google rather than a self-signed certificate from your firewall, your MTA throws an error during the exchange.

What Can You Do

You have two options to resolve this:

  1. Disable the SMTP filtering module in your firewall/router.
  2. Disable MTA-STS on your email server. This, however, is not recommended, since the spam filter on your email server is presumably better than the router's built-in filter anyway, so the router's SMTP filtering adds little.

Confirming an SSL Certificate

It is important to confirm that you are actually connecting to Google's SMTP server when sending email to a Gmail address. Use the following steps to do that.

  • Download Email Sender, a free tool from Synametrics, to the machine where your email server runs. If that is a Linux machine without a GUI, download it on another machine with a GUI that is on the same subnet.
  • Try sending an email to any Gmail address.
  • The following screenshot displays details about the SSL certificate.



  • Seeing a certificate other than Gmail's will cause a problem when MTA-STS is enabled.
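To make the firewall scenario and the certificate check above concrete, here is an added Python example (not code from Synametrics or from Email Sender) that models what an MTA-STS-aware sender verifies before handing a message over: it parses a policy in the mta-sts.txt format and checks the MX host and the presented certificate against it. The policy text, the `GOOGLE_CERT` and `FIREWALL_CERT` dicts and their `chain_trusted`/`san` fields are constructed stand-ins for the real fetch and TLS handshake, not Gmail's live policy or certificate.

```python
# Constructed sample policy in the mta-sts.txt format (RFC 8461); it is not
# a copy of Gmail's live policy, only the shape a sender fetches and parses.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: gmail-smtp-in.l.google.com
mx: *.gmail-smtp-in.l.google.com
max_age: 86400
"""

# Constructed stand-ins for what the sender learns from the TLS handshake.
GOOGLE_CERT = {"chain_trusted": True, "san": ["gmail-smtp-in.l.google.com"]}
FIREWALL_CERT = {"chain_trusted": False, "san": ["smtp-proxy.firewall.local"]}

def parse_mta_sts_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, so it is collected as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def _name_matches(name, pattern):
    """Hostname match where a leading '*' covers exactly one leftmost label."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return name == pattern

def evaluate_connection(mx_host, cert, policy):
    """Return (deliver, reason). In 'enforce' mode any failure blocks delivery;
    in 'testing' mode the mail still goes out and the failure is reported."""
    if not any(_name_matches(mx_host, p) for p in policy["mx"]):
        failure = "MX host %s is not listed in the policy" % mx_host
    elif not cert["chain_trusted"]:
        failure = "certificate does not chain to a trusted CA (proxy's self-signed cert?)"
    elif not any(_name_matches(mx_host, n) for n in cert["san"]):
        failure = "certificate names %s do not cover %s" % (cert["san"], mx_host)
    else:
        return True, "TLS validated against policy"
    if policy.get("mode") == "enforce":
        return False, "refused: " + failure
    return True, "delivered in %s mode, reported: %s" % (policy.get("mode"), failure)
```

Calling `evaluate_connection("gmail-smtp-in.l.google.com", FIREWALL_CERT, parse_mta_sts_policy(SAMPLE_POLICY))` reproduces the failure described in this article, while the same call with `GOOGLE_CERT` succeeds.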