chethan_m
Collaborator

SmartTasks - "Could not convert socket to TLS" error

Hi Team,

We are currently facing an issue with the "Send Mail" action triggered during a session publish SmartTask.

The email server is hosted on-premises, and we are using SMTP port 587 with TLS. However, we are encountering the following error:

"Could not convert socket to TLS"

Could anyone please advise on how to resolve this issue?

Thanks in advance,

Chethan

0 Kudos
10 Replies
Tal_Paz-Fridman
Employee

Which Version and JHF are you running?

I found that another customer encountered a similar issue and that R81.20 JHF 99 includes a fix.

0 Kudos
chethan_m
Collaborator

It is R81.20 JHF Take 99

0 Kudos
Tal_Paz-Fridman
Employee

In this case I suggest opening a ticket with Check Point Support (TAC)

0 Kudos
chethan_m
Collaborator

The TAC case has been open for several days with no progress. That’s why I’m reaching out to the community for support.

0 Kudos
PhoneBoy
Admin

Please send me the SR in a PM

0 Kudos
chethan_m
Collaborator

Thank you @PhoneBoy!

I've sent the SR number.

0 Kudos
PhoneBoy
Admin

From looking at the SR, it seems TAC is trying to set up a call with you.
As far as troubleshooting, have you taken any packet captures to see where the traffic might be failing?

0 Kudos
chethan_m
Collaborator

Hi @PhoneBoy,

Sorry for the delayed response—it took some time to coordinate and gather the necessary details.

 

We had a session with the customer and ran a debug on the management server. We identified a TLS version mismatch between the client and the mail server. The following Java exception was observed:

javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version

Please find the attached screenshot: "could_not_convert_socket_to_TLS.jpg".

From the packet captures, we observed that the client (SMS) is initiating the connection using TLSv1, which is being rejected by the mail server. The customer mail server team has confirmed that their server supports only TLSv1.2 and they will not change it.

Screenshot attached: "SMTP_ClientHello_and_Response.png".

The Check Point SMS is running R81.20, and the Java version is 1.8.0_411 (JRE 1.8.0). Quick research says JRE 1.8 should default to TLS 1.2 as the enabled protocol. However, in this case, the SMS is still sending requests using TLSv1.0.

Screenshot attached: "JRE Version.png".

Could you please advise where we can configure or enforce the default TLS version on the Check Point SMS? We would like to ensure it uses TLSv1.2 for email.

Best regards,
Chethan

0 Kudos
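
The check described in the post above (reading the ClientHello and the server's reply out of a packet capture) can be scripted. The following is an added example, not part of the original thread and not Check Point code: it reports the highest protocol version a ClientHello offers and decodes a plaintext alert record. The sample bytes are constructed for illustration and are not taken from the poster's capture.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # subset only

def client_max_version(hs):
    """Highest known protocol version offered by a ClientHello message."""
    best = struct.unpack("!H", hs[4:6])[0]        # client_version field
    pos = 38                                      # header(4) + version(2) + random(32)
    pos += 1 + hs[pos]                            # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                            # compression_methods
    if pos + 2 > len(hs):                         # no extensions present
        return best
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        if etype == 43:                           # supported_versions overrides client_version
            raw = hs[pos + 5:pos + 5 + hs[pos + 4]]
            listed = struct.unpack("!%dH" % (len(raw) // 2), raw)
            best = max((v for v in listed if v in VERSIONS), default=best)
        pos += 4 + elen
    return best

def parse_record(rec):
    """Classify one TLS record copied out of a capture."""
    if len(rec) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _record_version, length = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record body")
    if ctype == 21 and length == 2:               # unencrypted alert: level, description
        level = "fatal" if body[0] == 2 else "warning"
        return ("alert", level, ALERTS.get(body[1], "alert_%d" % body[1]))
    if ctype == 22 and body[:1] == b"\x01":       # handshake record carrying ClientHello
        return ("client_hello", VERSIONS.get(client_max_version(body), "unknown"))
    return ("other",)

# Constructed sample records (not from the thread's capture):
# a ClientHello with client_version 0x0301 and no extensions, and a fatal alert.
SAMPLE_HELLO = (bytes.fromhex("160301002d" "01000029" "0301") + bytes(32)
                + bytes.fromhex("00" "0002002f" "0100"))
SAMPLE_ALERT = bytes.fromhex("15030300020246")

if __name__ == "__main__":
    print(parse_record(SAMPLE_HELLO), parse_record(SAMPLE_ALERT))
```

The record-layer version in the first five bytes is not the offered version; the result comes from the `client_version` field inside the ClientHello, or from `supported_versions` when that extension is present.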
PhoneBoy
Admin

Unfortunately, I'm not sure what mechanism SmartTasks is using to send email in this case.
If it's internal_sendmail, I don't think it supports TLS at all (but could be wrong).

Hopefully you've also relayed this information through your TAC case.

0 Kudos
chethan_m
Collaborator

Yes. The TAM notified the TAC internally. We will update the ticket.

0 Kudos
