Hornetsecurity uses two different TLS certificates to encrypt email connections: one for antispameurope.com and one for hornetsecurity.com. Specific information about the two certificates can be found below:
TLS certificate antispameurope.com
We would like to inform you about upcoming changes to Hornetsecurity's in- and outbound mail server configuration for TLS.
The TLS certificates that Hornetsecurity uses to encrypt email connections will be replaced on 25th July 2025 – 17h CET. Supported protocols and ciphers will NOT change.
MTAs (inbound): mx-gate<number>-<location-Tag>.hornetsecurity.com
MTAs (outbound): mx-relay-haj2<number>-<location-Tag>.hornetsecurity.com
Mail domain: Different mail domains of our customers
Old Certificate Serial Number: 1BB4C74AD54ECD14DBAAC1477F089223
Old Certificate Validity Not Before: Jul 23 05:28:38 2024 GMT
Old Certificate Validity Not After: Jul 27 23:59:59 2025 GMT
If you are using certificate pinning, the pinned certificate needs to be updated accordingly. Your environments need to trust the new certificate, including the new root and intermediate certificates listed below. The configuration of your system’s Trust Center has to be adapted by the change day. The configuration can be done immediately and does not influence the current email exchange.
The new certificate information is as follows:
Certificate details:
Serial Number: 070322C101AF3301582F925694AEA979
Validity Not Before: Jul 15 09:55:48 2025 GMT
Validity Not After : Jul 19 23:59:59 2026 GMT
Organisation: Hornetsecurity GmbH
SHA256 Fingerprint= A0:10:45:D4:C9:73:5E:53:43:97:E6:17:79:21:75:2B:64:83:CC:07:C3:FC:6E:6B:7E:3B:0F:72:C2:89:2F:95
---
Intermediate CA: Telekom Security ServerID OV Class 2 CA
Download Intermediate Certificate: http://crt.serverid.telesec.de/crt/Telekom_Security_ServerID_OV_Class_2_CA.crt
Intermediate CA Fingerprint (SHA1):
52:86:9C:EF:1A:21:95:C4:16:82:0C:18:3B:80:C9:95:BB:BF:BE:DC
---
Root CA: T-TeleSec GlobalRoot Class 2
Download Root Certificate: http://pki.telesec.de/rl/GlobalRoot_Class_2.crt
Root Certificate Fingerprint (SHA1):
59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9
What do I need to do?
If you do not utilize certificate pinning, no changes are generally required on your end. However, if you are required to share SSL/TLS certificate details with specific communication partners due to internal policies or compliance guidelines, please refer to the certificate information provided above.
How do I know if I use certificate pinning?
Certificate pinning is a security technique used to ensure that your application only trusts specific SSL/TLS certificates, typically those from a trusted source. This helps prevent man-in-the-middle attacks by rejecting unexpected or forged certificates, even if they appear valid.
If your mail system has been explicitly configured to trust only certain public key fingerprints or certificate hashes, you are likely using certificate pinning. This is common in mobile apps, custom API clients, or environments with strict security requirements. If you're unsure whether certificate pinning is in use, we recommend consulting your IT department, managed service provider (MSP), cybersecurity team, or the local administrator responsible for managing your mail infrastructure. Unfortunately, Hornetsecurity is not able to provide this information from our side.
TLS certificate hornetsecurity.com
We would like to inform you about upcoming changes to Hornetsecurity's in- and outbound mail server configuration for TLS.
The TLS certificates that Hornetsecurity uses to encrypt email connections will be replaced on 25th July 2025 – 17h CET. Supported protocols and ciphers will NOT change.
MTAs (inbound): mx-gate<number>-<location-Tag>.hornetsecurity.com
MTAs (outbound): mx-relay-haj2<number>-<location-Tag>.hornetsecurity.com
Mail domain: Different mail domains of our customers
Old Certificate Serial Number: 1B4A467D9B07361003CF0F23056FC4FC
Old Certificate Validity Not Before: Sep 9 15:40:57 2024 GMT
Old Certificate Validity Not After: Sep 13 23:59:59 2025 GMT
If you are using certificate pinning, the pinned certificate needs to be updated accordingly. Your environments need to trust the new certificate, including the new root and intermediate certificates listed below. The configuration of your system’s Trust Center has to be adapted by the change day. The configuration can be done immediately and does not influence the current email exchange.
The new certificate information is as follows:
Certificate details:
Serial Number: 01C0945EF55EA21142ED09BB36DAAA2F
Validity Not Before: Aug 15 05:27:23 2025 GMT
Validity Not After : Aug 19 23:59:59 2026 GMT
Organisation: Hornetsecurity GmbH
SHA256 Fingerprint= D8:52:51:C0:F1:0E:A3:92:C4:09:99:5F:FF:97:6E:B6:2B:E0:C0:DE:BB:02:F8:9C:0C:B5:0C:2E:5B:C3:18:87
---
Intermediate CA: Telekom Security ServerID OV Class 2 CA
Download Intermediate Certificate: http://crt.serverid.telesec.de/crt/Telekom_Security_ServerID_OV_Class_2_CA.crt
Intermediate CA Fingerprint (SHA1):
52:86:9C:EF:1A:21:95:C4:16:82:0C:18:3B:80:C9:95:BB:BF:BE:DC
---
Root CA: T-TeleSec GlobalRoot Class 2
Download Root Certificate: http://pki.telesec.de/rl/GlobalRoot_Class_2.crt
Root Certificate Fingerprint (SHA1):
59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9
What do I need to do?
If you do not utilize certificate pinning, no changes are generally required on your end. However, if you are required to share SSL/TLS certificate details with specific communication partners due to internal policies or compliance guidelines, please refer to the certificate information provided above.
How do I know if I use certificate pinning?
Certificate pinning is a security technique used to ensure that your application only trusts specific SSL/TLS certificates, typically those from a trusted source. This helps prevent man-in-the-middle attacks by rejecting unexpected or forged certificates, even if they appear valid.
If your mail system has been explicitly configured to trust only certain public key fingerprints or certificate hashes, you are likely using certificate pinning. This is common in mobile apps, custom API clients, or environments with strict security requirements. If you're unsure whether certificate pinning is in use, we recommend consulting your IT department, managed service provider (MSP), cybersecurity team, or the local administrator responsible for managing your mail infrastructure. Unfortunately, Hornetsecurity is not able to provide this information from our side.
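As an added example (not Hornetsecurity's code): a Python check that compares the certificate an MTA presents after STARTTLS with the SHA-256 fingerprints published in this notice. The function names are illustrative, and the host passed to fetch_leaf_der is an assumption: use whichever MX name your system actually connects to.

```python
import hashlib
import hmac
import smtplib
import ssl

# New leaf-certificate SHA-256 fingerprints, copied from this notice.
PUBLISHED_SHA256 = {
    "antispameurope.com": "A0:10:45:D4:C9:73:5E:53:43:97:E6:17:79:21:75:2B:64:83:CC:07:C3:FC:6E:6B:7E:3B:0F:72:C2:89:2F:95",
    "hornetsecurity.com": "D8:52:51:C0:F1:0E:A3:92:C4:09:99:5F:FF:97:6E:B6:2B:E0:C0:DE:BB:02:F8:9C:0C:B5:0C:2E:5B:C3:18:87",
}

def normalize(fp):
    """Reduce 'AA:BB:..' or 'SHA256 Fingerprint= AA:BB:..' to 64 lowercase hex digits."""
    digits = "".join(c for c in fp.split("=")[-1].lower() if c in "0123456789abcdef")
    if len(digits) != 64:  # e.g. a 20-byte SHA1 fingerprint pasted by mistake
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return digits

def sha256_fingerprint(der):
    """SHA-256 over the DER encoding, the value 'openssl x509 -fingerprint -sha256' shows."""
    return hashlib.sha256(der).hexdigest()

def matches_pin(der, pins):
    """True if the certificate's SHA-256 fingerprint equals any pin in the set."""
    actual = sha256_fingerprint(der)
    return any(hmac.compare_digest(actual, normalize(p)) for p in pins)

def fetch_leaf_der(host, port=25, timeout=10):
    """Fetch the certificate an MTA presents after STARTTLS (needs network access)."""
    ctx = ssl.create_default_context()
    # Inspection only: chain validation is off so the certificate can be read
    # before the new CA is trusted. No mail is sent over this connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Constructed bytes stand in for a DER certificate so this runs offline.
    sample = b"constructed stand-in for a DER-encoded certificate"
    own_pin = sha256_fingerprint(sample).upper()
    print(matches_pin(sample, [own_pin]))                  # pinned
    print(matches_pin(sample, PUBLISHED_SHA256.values()))  # not one of the published pins
```

During the rotation window, keep both the old and the new fingerprint in the pin set so that connections succeed before and after the change.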
We will provide additional information and any announcement via our Status Page:
https://live.hornet-status.com/
The Status Page allows you to follow our services and their availability from a centralized location. If you haven’t done so already, you can use the "Subscribe" button in the top right corner to receive notifications about service interruptions automatically; the system will keep you updated on any changes.