Import public key from downstream MTA for Prevent Email integration

This article illustrates how to pull the next hop's public TLS certificate into Prevent Email using openssl on Linux. There is an openssl package for Windows, but it requires installing software; if that is not an option, any Linux system can do this.

If you are using TLS for Prevent Email and need to get the next hop's TLS public certificate, this is much faster than trying to obtain it from the hosting provider. If you are not on the Prevent Email server, any Linux system will work; you will just need a way to copy the public certificate text out of the console window.

1. Check keys:
a. SSH to the NPE Detection server as appuser
b. sudo su - protect
c. Locate the keytool directory
SDLP 15.5 and newer (use whichever JRE version is installed):
cd /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin
cd /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_202/bin
SDLP 15.0 and older:
cd /opt/SymantecDLP/jre/bin/
d. List the keystore contents:
./keytool -list -v -keystore ../../Protect/keystore/prevent.ks
<password: protect, dummypass or changeit>
./keytool -list -v -keystore /opt/Symantec/DataLossPrevention/DetectionServer/15.5/Protect/keystore/prevent.ks
SDLP 15.7 path change:
./keytool -list -v -keystore /var/Symantec/DataLossPrevention/DetectionServer/15.5/keystore/prevent.ks
<password: protect, dummypass or changeit>
**If "/opt/Symantec/DataLossPrevention/DetectionServer/15.5/Protect/keystore/prevent.ks" does not exist, you are in the default state without TLS.
To view the certificate you want to import and check it before the import:
./keytool -printcert -file /tmp/yourcert.pem

1. In Prevent Email as the protect user:

openssl s_client -connect <SERVER_HOST_OR_IP>:25 -starttls smtp | openssl x509 -text

This opens a connection and keeps it open, so once you have the certificate data, hit CTRL-C to close the connection.

The output shown here is truncated; above the certificate block you will see more information about the certificate that you can use to verify you are on the right server.
Change <SERVER_HOST_OR_IP> to the IP or FQDN of the server you are trying to send mail to. If the system is not accepting mail on port 25, change it to the correct port. The rest of the command does not need to be modified for port changes.

2. Copy the data starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----

Make sure there are no spaces before or after the required data in the file you are saving!


3. Now save this in a file on the Prevent Email system. You can copy/paste using vi or Emacs. Save it under a meaningful name with the .pem extension.
If you need to move this file to the Prevent Email system, do so now.

4. As the protect user, import the file into the DLP keystore:

cd /opt/Symantec/Protect/jre/bin

./keytool -importcert -alias <NAME> -file /home/protect/<FILE_NAME>.pem -keystore ../../Protect/keystore/prevent.ks


SDLP 15.5 and newer:
cd /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin
cd /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_202/bin
./keytool -importcert -alias <NAME> -file /home/protect/<FILE_NAME>.pem -keystore /var/Symantec/DataLossPrevention/DetectionServer/15.5/keystore/prevent.ks


**To create a new keystore file "prevent.ks", run the import command above but replace prevent.ks with a new name such as preventNew.ks. Then back up the old prevent.ks file and rename preventNew.ks to prevent.ks.

./keytool -importcert -alias <NAME> -file /home/protect/<FILE_NAME>.pem -keystore ../../Protect/keystore/preventNew.ks

Where -alias <NAME> is whatever you want to call it in Prevent Email (something meaningful is a good idea) and <FILE_NAME>.pem is the path and file name where you saved it. In this example I saved it in the protect user's home directory.

You will be asked for the keystore password (dummypass by default). keytool will also display information about the certificate before importing and ask whether you want to import it. Type yes. At this point you should be good to go.
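The steps above (fetch the next hop's certificate with openssl s_client, copy the PEM block without stray whitespace, save it, import it with keytool) can be scripted so the copy/paste step and the CTRL-C are not needed. The script below is an added example and not part of the original article; it feeds openssl s_client from /dev/null so the connection closes on its own, cuts out exactly one BEGIN/END CERTIFICATE block with leading and trailing whitespace removed, checks the saved file, and wraps the keytool import. The keytool and keystore paths default to the SDLP 15.5/15.7 locations from the article; KEYTOOL, KEYSTORE, the sample s_client output and the -servername option are assumptions for this example, and the hostnames in the sample are constructed.

```shell
#!/bin/sh
# Added example: fetch, clean, check and import the downstream MTA's TLS certificate.

# Assumed defaults from the article's SDLP 15.5/15.7 paths; override via environment if needed.
KEYTOOL="${KEYTOOL:-/opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_202/bin/keytool}"
KEYSTORE="${KEYSTORE:-/var/Symantec/DataLossPrevention/DetectionServer/15.5/keystore/prevent.ks}"

# Keep only the first -----BEGIN/END CERTIFICATE----- block from s_client output,
# stripping spaces, tabs and carriage returns that would break the import.
extract_pem() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { keep = 1 }
        keep {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            print
        }
        /-----END CERTIFICATE-----/ && keep { exit }
    '
}

# Connect with STARTTLS on the given port (25 by default) and save the cleaned PEM.
# </dev/null closes the session so no CTRL-C is required.
fetch_cert() {
    host="$1"; port="${2:-25}"; out="$3"
    openssl s_client -connect "$host:$port" -starttls smtp -servername "$host" </dev/null 2>/dev/null \
        | extract_pem > "$out"
    check_pem "$out"
}

# Return 0 only if the file is exactly one PEM block with no surrounding whitespace.
check_pem() {
    f="$1"
    [ "$(head -n 1 "$f")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$f")" = "-----END CERTIFICATE-----" ] || return 1
    grep -qE '^[[:space:]]|[[:space:]]$' "$f" && return 1
    return 0
}

# Show subject, issuer, validity and SHA-256 fingerprint so the cert can be verified before import.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Import into the DLP keystore, refusing to overwrite an alias that already exists.
# keytool prompts for the keystore password (dummypass by default per the article).
import_cert() {
    alias="$1"; pem="$2"
    if "$KEYTOOL" -list -keystore "$KEYSTORE" -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already exists in $KEYSTORE; choose another name or delete it first" >&2
        return 1
    fi
    "$KEYTOOL" -importcert -alias "$alias" -file "$pem" -keystore "$KEYSTORE"
}

# Constructed sample of what openssl s_client prints (abridged; body lines are not a real certificate).
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = mail.example.test
verify return:1
---
Certificate chain
 0 s:CN = mail.example.test
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
  MIICconstructedBodyLine1
MIICconstructedBodyLine2
-----END CERTIFICATE-----   
---
Server certificate
subject=CN = mail.example.test
issuer=CN = Example Test CA
---
250 STARTTLS'

# Usage: ./import_nexthop_cert.sh <host> <alias> [port]
if [ "$#" -ge 2 ]; then
    pem="/home/protect/$2.pem"
    fetch_cert "$1" "${3:-25}" "$pem" || { echo "no clean certificate block retrieved from $1" >&2; exit 1; }
    show_cert "$pem"
    import_cert "$2" "$pem"
fi
```

Run it as the protect user on the Prevent Email server, then continue with the keystore password update and the detection server recycle from the web console as described below.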


5. Update the keystore password on Enforce Management Web Console > NPE > Configure


6. Recycle the Detection server via the Enforce Management Web Console > NPE



TIP: Issue the commands below once a telnet connection to the mail server is established:

EHLO <your mail server domain>

If desired, type the message text, press ENTER, type a period (.), and then press ENTER again.
If mail is working properly, you should see a response indicating that the mail is queued for delivery.
