cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3625
Views
60
Helpful
22
Replies

SMA PVO 7025 SSL certificates

Lemat
Beginner
Beginner

On "mx" in destination controls I have default "preferred TLS", but our RAT domain has there "required TLS":

since yesterday I have messages in ESA active queue which cannot be delivered to SMA:

Down
7,001
0
238.8k
0
0

mx: Info: New SMTP DCID 19262028 interface 1.2.3.4 address 1.2.3.5 port 7025
mx: Info: DCID 19262028 TLS deferring: verify error: certificate has expired
mx: Info: DCID 19262028 TLS was required but could not be successfully negotiated

sma: Info: New CPQ ICID 893770 interface Management (1.2.3.5) address 1.2.3.4 reverse dns host mx verified yes
sma: Info: ICID 893770 RELAY SG RELAYLIST match 1.2.3.4 SBRS not enabled
sma: Info: ICID 893770 TLS failed: (336151573, 'error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired')
sma: Info: ICID 893770 lost

mx> tlsverify

Enter the TLS domain to verify against:
[]> the.cpq.host

Enter the destination host to connect to. Append the port (example.com:26) if you are not connecting on port 25:
[the.cpq.host]> 1.2.3.5:7025

Connecting to 1.2.3.5 on port 7025.
Connected to 1.2.3.5 from interface 1.2.3.4.
Checking TLS connection.
Certificate verification failed: certificate has expired.
TLS connection to 1.2.3.5 failed: verify error.
TLS was required but could not be successfully negotiated.

Failed to connect to [1.2.3.5].
TLS verification completed.

Temporarily lowering "required" to "preferred" TLS in destination controls on ESA did not help, adding the.cpq.host, or [1.2.3.5] to destination controls did not help either.

uploading certificate pair on SMA using > certconfig []> certificate - did not help

which certificate has expired and how to replace it? 

1 Accepted Solution

Accepted Solutions

UdupiKrishna
Cisco Employee
Cisco Employee
22 Replies 22

stefan-stefan
Beginner
Beginner

I am having the precise same problem, cant be a coincidence.

UdupiKrishna
Cisco Employee
Cisco Employee

There is a ongoing issue with SMA(s) - 

https://community.cisco.com/t5/security-urgent-notices/urgent-esa-issue-2022-08-08-1/ta-p/4665516

Work with TAC for available options

Is all delivery from the SMA broken? Or just "release"? Can I forward mail?

I tried forwarding from SMA and that didnt work either. updatepvocert CLI command appears to only resolve half of the issue?

We are experiencing the same issue, when will this be resolved? Is there a workaround?

Hi,

is this public acess ?
cant acess  

Tanks

Access Denied

Thank you for your interest in this Cisco Community.

You are not authorized to access this page.

Many pages on the community are accessible only to Cisco customers, partners or logged in entitled guests.

If you believe you should have access, please contact us

Lemat
Beginner
Beginner

the original post is about esa->sma email delivery, which was solved for me by updatepvocert CLI command.

BUT I can see also email released from quarantines (SMA -> ESA) have similar issue. On ESA there is no updatepvocert CLI command. 

This is correct. updatepvocert is only fixing the connectivity issues from ESA to SMA.

However there are still problems to release them from SMA and being reviewed for possible options (workaround, fix etc)

mailsecurity
Beginner
Beginner

After cli updatepvocert on SMA >> communication in both directions resumes to normal work in our configuration

 

UdupiKrishna
Cisco Employee
Cisco Employee

A quick update

= For CES customers, fix is added to both ESA and SMA by our internal teams.

= For on-prem ESA(s), fix was added via the updater service last night. This fixes connectivity problems from SMA to ESA(to release emails)

= For on-prem SMA(s) - please run updatepvocert to fix connectivity problems from ESA to SMA

stefan-stefan
Beginner
Beginner

I can confirm that it is working again. I myself already did the updatepvocert yesterday and disabled the centralised quarantine on the ESA's (which I enabled again just now). A save way to test, before releasing messages, is to open a flagged email in the PVO quarantine and send a copy to yourself (that also didnt work yesterday). 

 

Untitled.png

We have the same issue, but our SMA is on version 12.5.0-683 and the updatepvocert command does not work. 

Is there another possibilty to solve this problem?

Work with TAC to get necessary assistance for versions older than 13.X.

Is there already news from TAC for support on this issue from versions older than 13.x?

Thank you

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers