Troubleshooting Emails to Gmail when MTA-STS is enabled
Gmail.com is one of the early adopters of MTA-STS, a technology that enhances confidentiality by enforcing in-transit encryption. It applies in both directions: when your domain sends messages to Gmail and when it receives messages from Gmail.
MTA-STS requires the following to be true:
- The sending MTA (mail transfer agent) fails the delivery with an error if encryption cannot be used.
- The sending MTA will only establish an encrypted channel if the receiving server's TLS certificate is trusted.
- TLS 1.2 is used.
Encryption Breaks When Using a Firewall that Filters SMTP Traffic
Many firewalls/routers contain a module for SMTP filtering, implemented by inserting an SMTP proxy server between the two email servers. Consider the image below as an example:
Such email filtering modules inspect the contents of a message before letting it reach your MTA. The only way a firewall can intercept messages between your company's MTA and Gmail is by acting as an SMTP proxy server. The following sequence of events occurs in the background:
- Your MTA tries to connect to Gmail's SMTP server, which is hosted on
- This request is intercepted by your router/firewall, which tries connecting to gmail-smtp-in.l.google.com on your MTA's behalf.
- Although the firewall connects successfully to Gmail, it has to encrypt the data again before relaying the response back to your MTA. However, it cannot do that using Gmail's TLS certificate; it can only present its own.
- Since MTA-STS requires a valid certificate from Google and not a self-signed cert from your firewall, it will throw an error during
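To see the failure from the sender's side, the following added example (not part of the original article) does two things: it parses an MTA-STS policy and checks whether the host your MTA actually reached is one the policy allows, and it offers a live STARTTLS probe that verifies the certificate as strictly as an MTA-STS sender would. The policy text is constructed here to illustrate the RFC 8461 format; the firewall hostname is a made-up placeholder.

```python
"""Offline MTA-STS policy/MX check plus a live STARTTLS probe (added example)."""
import smtplib
import ssl

# Constructed policy body in the RFC 8461 format (not fetched from the network).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: gmail-smtp-in.l.google.com
mx: *.gmail-smtp-in.l.google.com
max_age: 86400
"""


def parse_policy(text):
    """Parse a policy body into a dict; every 'mx:' line is collected into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def hostname_matches(pattern, host):
    """MX pattern match: a leading '*.' covers exactly one DNS label, nothing more."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".gmail-smtp-in.l.google.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def mx_allowed_by_policy(policy, reached_host):
    """True only if the policy is in enforce mode and the host matches an mx pattern.
    A firewall proxy answering under its own name (hypothetical here) will not match."""
    return policy.get("mode") == "enforce" and any(
        hostname_matches(p, reached_host) for p in policy["mx"])


def probe_starttls(mx_host, port=25, timeout=10):
    """Live check: STARTTLS with strict chain + hostname verification and TLS >= 1.2.
    Returns (True, tls_version) or (False, error text). Needs outbound port 25;
    an untrusted cert injected by a proxy shows up as an SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return True, smtp.sock.version()
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return False, str(exc)
```

Running `probe_starttls("gmail-smtp-in.l.google.com")` from the mail server itself distinguishes the two cases in the article: a trusted Google certificate returns `(True, "TLSv1.2")` or newer, while a filtering proxy in the path returns a certificate-verification failure.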
What Can You Do
You have two options to resolve this:
- Disable the SMTP filtering module in your firewall/router.
- Disable MTA-STS on your email server. This, however, is not recommended: the spam filter on your email server is presumably better than the built-in spam filter in a router, so the first option costs you little.