Mimecast not supporting ISRG Root certificates?

Hello.

I have a client unable to receive email from Mimecast users. They are using a Let's Encrypt certificate for TLS. Generally, this works ok.

However, Mimecast does not list ISRG root certificates as being supported. The end result appears as bounced mail back to the sender using Mimecast, stating that the mail delivery cannot be encrypted. Recommended Mimecast settings are that mail delivery must be encrypted, but if the root certificates are not, then this will fail.

Mimecast does list a large number of Trusted Roots - is there any reason that ISRG ones are not on there? It seems a hole in at least Mimecast's system, but I wonder what ISRG does to establish its Root certificates are trusted in the world - I assumed they just work, but it looks like not.

I will be taking this up with Mimecast also where I can.

Thanks

Ken.

Mimecast supports both 1024-bit and 2048-bit certificates. The list below covers all the SSL certificates that Mimecast supports:

Looks like that doesn't support any ECC or RSA bigger than 2048 bits (from the list they don't have any ECC or 4096-bit RSA roots); as the ISRG X1 root is 4096 bits, I'd not be surprised if they don't support that cipher.

2 Likes

Given that the list still contains widely distrusted CAs, Symantec and StartSSL, it indicates the list is poorly maintained.

1 Like