
MTA Channel With mTLS (Mutual TLS) Does Not Find Available Client Certificate (Doc ID 2984635.1)

Last updated on NOVEMBER 02, 2023

Applies to:

Oracle Communications Messaging Server - Version 8.1.0 and later
Information in this document applies to any platform.

Symptoms

Using: Oracle Communications Messaging Server 8.1.0.24.20230724 64bit (built Jul 24 2023)

The goal is to enable mTLS on outbound connections to a Microsoft tenant that has RestrictDomainsToCertificate enabled. For Microsoft to authenticate the connection, the MTA has to present its certificate in response to the Server Hello (which includes the Certificate Request).

After enabling master_debug on the outbound channel, the following warning was observed in the master log:



The musttls channel option only enforces TLS for transport encryption. mTLS implies transport encryption but additionally requires TLS authentication of both the client and the server: the SMTP client authenticates the remote server by its server certificate, as normal for TLS, and the remote server also authenticates the SMTP client by its client certificate. For mTLS to work, the remote server must send a Certificate Request (handshake type 13) along with the Server Hello, and the SMTP client must send a Certificate (handshake type 11) as part of its response. The Microsoft tenant to be communicated with is sending the Certificate Request, but the Messaging Server 8.1 SMTP client is not sending a Certificate in its response. The "musttls" channel keyword is set on the outgoing channel.
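As an added diagnostic example (not from this article or the Messaging Server product), the following Python script splits a captured plaintext TLS 1.2 handshake into its messages and reports whether the remote server sent a Certificate Request (type 13) and whether the client answered with a Certificate (type 11) that actually carries a certificate rather than an empty list. The server and client flights are constructed placeholders; the handshake bodies are not real.

```python
import struct

HANDSHAKE_RECORD = 22
CERTIFICATE = 11          # handshake type the SMTP client must send
CERTIFICATE_REQUEST = 13  # handshake type the remote server sends

def handshake_messages(stream: bytes):
    """Split a plaintext TLS record stream into (handshake_type, body) pairs.
    Non-handshake records (alerts, CCS, application data) are skipped."""
    out, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        frag = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != HANDSHAKE_RECORD:
            continue
        fpos = 0
        while fpos + 4 <= len(frag):
            hlen = int.from_bytes(frag[fpos + 1:fpos + 4], "big")
            out.append((frag[fpos], frag[fpos + 4:fpos + 4 + hlen]))
            fpos += 4 + hlen
    return out

def check_mtls(server_flight: bytes, client_flight: bytes) -> dict:
    """Did the server ask for a client cert, and did the client send a non-empty one?"""
    requested = any(t == CERTIFICATE_REQUEST for t, _ in handshake_messages(server_flight))
    certs = [b for t, b in handshake_messages(client_flight) if t == CERTIFICATE]
    # A TLS 1.2 Certificate body starts with a 3-byte certificate_list length;
    # a client with no usable certificate answers with a zero-length list.
    nonempty = bool(certs) and int.from_bytes(certs[0][:3], "big") > 0
    return {"server_requested_cert": requested,
            "client_sent_cert_msg": bool(certs),
            "client_cert_nonempty": nonempty,
            "mtls_ok": requested and nonempty}

def record(htype: int, body: bytes) -> bytes:
    """Wrap one handshake message in a TLS 1.2 record (constructed test data)."""
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(msg)) + msg

# Constructed server flight: ServerHello(2), Certificate(11),
# CertificateRequest(13), ServerHelloDone(14); bodies are placeholders.
SERVER_FLIGHT = (record(2, b"\x03\x03" + b"\x00" * 32) + record(11, b"\x00\x00\x00")
                 + record(13, b"\x01\x01\x00\x00\x00\x00") + record(14, b""))
# Client with no usable cert: empty certificate_list, then ClientKeyExchange(16).
CLIENT_NO_CERT = record(11, b"\x00\x00\x00") + record(16, b"\x00\x02\xaa\xbb")
# Client presenting one placeholder certificate of 3 bytes.
CLIENT_WITH_CERT = (record(11, b"\x00\x00\x06" + b"\x00\x00\x03\x30\x82\x00")
                    + record(16, b"\x00\x02\xaa\xbb"))
```

In TLS 1.3 the Certificate Request and the client Certificate are sent encrypted, so this check only applies to a TLS 1.2 capture or to an already-decrypted trace.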

Attempts were made to set the external identity using both the legacy method (EXTERNAL_IDENTITY) and the unified config method (externalidentity), but they had no effect. Further attempts were made with various combinations of mustsasl, mustsaslclient and mustsaslserver, but these all appear to require SASL on the Messaging Server SMTP server, whereas the goal is to have SASL only on the Messaging Server SMTP client.

Changes


Cause


