The three actors must have all certificates: NP for email, Sender MTA, and forward MTA. Also, don't forget to set up a keystore password at the Enforce console for the NP for mail configuration, remove trial mode, configure the MX option (the MX record must exist; test it with nslookup) and add the domains, and make sure STARTTLS is added to RequestProcessor.AllowExtensions in the Server advanced settings. If all this is done, then a Wireshark capture at the NP for mail will reveal what is happening for troubleshooting.
Note: Assuming you are setting up DLP 15.7 and you added a license for NP for mail.
Good luck,
A.C.
Original Message:
Sent: 10-15-2020 12:57 AM
From: Vladimir Vucinic
Subject: DLP Network Prevent for Email - client certificate authentication?
Hi,
Thank you for your reply. Those instructions are for secure communication, to be able to use SMTP with TLS, and that part works. My issue is that EOP would relay emails only from hosts with an appropriate certificate, so my DLP NPE needs to send a certificate for authentication after TLS is established. We did what you wrote, and this is the procedure to establish secure SMTP or SMTP with TLS, but I need to use my server certificate to authenticate the server to EOP!
Regards,
Vladimir
------------------------------
Net++ technology d.o.o.
Original Message:
Sent: 10-15-2020 12:34 AM
From: Unknown User
Subject: DLP Network Prevent for Email - client certificate authentication?
Hey Vladimir,
We actually just got over this hump:
1) suggest using CMAIL SMTP Client to test with
2) create a new keystore; it must be named prevent.ks (verbatim)
3) verify in your logs that it's not saying "file is missing"; this would indicate that it's looking in another directory for the keystore file.
4) download the public certs from your EOP provider using the openssl key tool (you can google the docs)
5) import both GSA and O365 EOP certs
6) don't forget to set your requestor logs and SMTP logs to FINEST
7) create the keystore using this command
keytool -genkeypair -alias <SMTPPreventHostName> -keyalg RSA -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks (if you put a custom location, double check it)
Hit enter, then input your password; it should ask you multiple questions for the cert it's going to auto-generate. For the name, you must use the FQDN of the host.
8) import the public certs from EOP (
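As an added example (not code from any poster in this thread), a POSIX shell script that checks the keystore and log conditions from the steps above and from the checklist in A.C.'s reply: the keystore path is literally prevent.ks under /opt/SymantecDLP/Protect/keystore, the host alias is a PrivateKeyEntry whose CN is the host FQDN, the EOP and GSA public certs are present as trusted entries, and the RequestProcessor log does not report a missing keystore file. The keytool listing and log lines are constructed samples; the FQDN and alias names are placeholders.

```shell
#!/bin/sh
# Sanity checks for the prevent.ks keystore used by Network Prevent for Email.
# Added example; the listing below is a constructed sample of
# `keytool -list -v -keystore prevent.ks` output, not real output.

KEYSTORE_DIR=/opt/SymantecDLP/Protect/keystore   # default path from the thread
EXPECTED_FQDN="smtpprevent.example.com"          # placeholder host FQDN

SAMPLE_LISTING='Keystore type: PKCS12
Your keystore contains 3 entries

Alias name: smtpprevent.example.com
Entry type: PrivateKeyEntry
Owner: CN=smtpprevent.example.com, OU=DLP, O=Example
Issuer: CN=smtpprevent.example.com, OU=DLP, O=Example

Alias name: eop-ca
Entry type: trustedCertEntry
Owner: CN=Example EOP CA, O=Example

Alias name: gsa-ca
Entry type: trustedCertEntry
Owner: CN=Example GSA CA, O=Example
'

# 1) The keystore must be exactly prevent.ks in the Protect keystore directory.
check_keystore_path() {
  case "$1" in
    "$KEYSTORE_DIR/prevent.ks") return 0 ;;
    *) return 1 ;;
  esac
}

# 2) The alias for this host must be a PrivateKeyEntry (client cert + key)
#    whose subject CN is the host FQDN, as EOP matches on that name.
check_private_key_entry() {
  printf '%s\n' "$1" | awk -v fqdn="$2" '
    /^Alias name:/ { alias = $3 }
    /^Entry type:/ { type = $3 }
    /^Owner:/ && alias == fqdn && type == "PrivateKeyEntry" &&
      $0 ~ ("CN=" fqdn "(,|$)") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# 3) Count trustedCertEntry items; the EOP and GSA public certs should be there.
count_trusted_certs() {
  printf '%s\n' "$1" | grep -c '^Entry type: trustedCertEntry'
}

# 4) A "file is missing" line means the service is looking elsewhere for the keystore.
check_log_for_missing_keystore() {
  ! printf '%s\n' "$1" | grep -qi 'file is missing'
}
```

Run the real checks by feeding `keytool -list -v -keystore "$KEYSTORE_DIR/prevent.ks"` output and the RequestProcessor log into the functions instead of the samples.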
Original Message:
Sent: 10-14-2020 08:50 AM
From: Vladimir Vucinic
Subject: DLP Network Prevent for Email - client certificate authentication?
Hi,
How can we configure Network Prevent for Email (NPE) to send emails in forward mode to Exchange Online (EOP), which requires client authentication using a certificate? We have a certificate; it was imported with keytool, but it is not used. In other words, NPE does not authenticate itself as a client with the certificate. Are there any options/settings or something similar to force certificate auth?
Regards,
Vladimir Vucinic
------------------------------
Net++ technology d.o.o.
------------------------------