Fortinet black logo

Administration Guide

Troubleshooting FortiMail TLS issues

Troubleshooting FortiMail TLS issues

This section describes some FortiMail TLS issues and their solutions and contains the following topics:

Common error messages

There are two most commonly seen error messages on the FortiMail unit or other email systems: verify=CAFail and CAFail.

verify=CAFail

This error message appears when the remote certificate is not issued by a trusted CA or the CA certificate is not available for verification. Usually this error is not fatal and the encryption can be applied without any problems. The only issue is that the communication is susceptible to man-in-the-middle or server-spoofing attacks. However, if there is a TLS profile with Secure level enabled in a delivery rule, the connection will fail if the remote certificate is validated by the FortiMail unit.

If you are not concerned with email server-spoofing or man-in-the-middle attacks, you can just ignore this error message.

To fix this issue
  1. Do one of the following:
  • Configure the remote server to send all the CA certificates together with its server certificate during the TLS/SSL handshake. This can be achieved by copying and pasting all the CA certificates into the server certificate file, assuming that they are all in PEM format.
  • In many cases, this is not possible. For example, the remote server belongs to another organization. Therefore, you can only fix this problem on the FortiMail unit, as described in the following option.

  • Import the certificate of root CA and all intermediate CAs that issued the server certificate to the FortiMail unit, so that the FortiMail unit can validate the server certificate all the way to the root CA. For information on how to get CA certificates, see Useful tools.

CAFail

This error message may appear on the external email server talking to the FortiMail unit. This is because that the FortiMail CA certificate is not available to external server for verification. In early versions of the FortiMail firmware, the system does not send out all CA certificates even though they are imported onto the FortiMail unit. This issue was fixed in release 4.1.1 (build 232).

To fix this issue
  1. Upgrade your FortiMail firmware to release 4.1.1 build 232 or later.
  2. Import the certificates of the root CA and all intermediate CAs that issued the FortiMail certificate in effect.

Useful tools

Openssl is useful for troubleshooting and testing TLS/SSL related issues. You can use Openssl to get the certificate of the CA that issued the remote server certificate by typing the following syntax at a command-line prompt:

Openssl s_client -connect server-ip:port -starttls smtp -showcerts

The following is an example of the Openssl tool output:

Sample Openssl tool output

Note that the certificate is displayed in Base64 format (PEM) in the output. If the server CA certificate is also displayed in the output, the FortiMail unit should be able to validate the server certificate. However, in many cases the CA certificate is not sent by the remote server. You can just copy the certificate from the command output starting from "----Begin certificate----" and ending with "----end certificate-----" and store it in a file such as server-cert.pem. Then the certificate can be read with Openssl using the following command:

Openssl x509 -in server-cert.pem -text

The following is a sample output of this command:

Sample Openssl command output

Within the certificate, there is a section called Authority Information Access (AIA) that contains a URL to the CA certificate. Download the certificate from the URL identified and import it into the FortiMail unit. If there is more than one level of CA, you can repeat the process until you get the root CA certificate. Then import all the intermediate CA and root CA certificates into the FortiMail unit.

Importing the CA certificate

Note

The FortiMail unit only supports certificates in PEM format. If the CA certificates you downloaded are in DER (binary) format, you need to convert them with Openssl using the following command:

Openssl x509 -in my-ca.crt -inform DER -out myca.pem -outform PEM

Troubleshooting FortiMail TLS issues

This section describes some FortiMail TLS issues and their solutions and contains the following topics:

Common error messages

There are two most commonly seen error messages on the FortiMail unit or other email systems: verify=CAFail and CAFail.

verify=CAFail

This error message appears when the remote certificate is not issued by a trusted CA or the CA certificate is not available for verification. Usually this error is not fatal and the encryption can be applied without any problems. The only issue is that the communication is susceptible to man-in-the-middle or server-spoofing attacks. However, if there is a TLS profile with Secure level enabled in a delivery rule, the connection will fail if the remote certificate is validated by the FortiMail unit.

If you are not concerned with email server-spoofing or man-in-the-middle attacks, you can just ignore this error message.

To fix this issue
  1. Do one of the following:
  • Configure the remote server to send all the CA certificates together with its server certificate during the TLS/SSL handshake. This can be achieved by copying and pasting all the CA certificates into the server certificate file, assuming that they are all in PEM format.
  • In many cases, this is not possible. For example, the remote server belongs to another organization. Therefore, you can only fix this problem on the FortiMail unit, as described in the following option.

  • Import the certificate of root CA and all intermediate CAs that issued the server certificate to the FortiMail unit, so that the FortiMail unit can validate the server certificate all the way to the root CA. For information on how to get CA certificates, see Useful tools.

CAFail

This error message may appear on the external email server talking to the FortiMail unit. This is because that the FortiMail CA certificate is not available to external server for verification. In early versions of the FortiMail firmware, the system does not send out all CA certificates even though they are imported onto the FortiMail unit. This issue was fixed in release 4.1.1 (build 232).

To fix this issue
  1. Upgrade your FortiMail firmware to release 4.1.1 build 232 or later.
  2. Import the certificates of the root CA and all intermediate CAs that issued the FortiMail certificate in effect.

Useful tools

Openssl is useful for troubleshooting and testing TLS/SSL related issues. You can use Openssl to get the certificate of the CA that issued the remote server certificate by typing the following syntax at a command-line prompt:

Openssl s_client -connect server-ip:port -starttls smtp -showcerts

The following is an example of the Openssl tool output:

Sample Openssl tool output

Note that the certificate is displayed in Base64 format (PEM) in the output. If the server CA certificate is also displayed in the output, the FortiMail unit should be able to validate the server certificate. However, in many cases the CA certificate is not sent by the remote server. You can just copy the certificate from the command output starting from "----Begin certificate----" and ending with "----end certificate-----" and store it in a file such as server-cert.pem. Then the certificate can be read with Openssl using the following command:

Openssl x509 -in server-cert.pem -text

The following is a sample output of this command:

Sample Openssl command output

Within the certificate, there is a section called Authority Information Access (AIA) that contains a URL to the CA certificate. Download the certificate from the URL identified and import it into the FortiMail unit. If there is more than one level of CA, you can repeat the process until you get the root CA certificate. Then import all the intermediate CA and root CA certificates into the FortiMail unit.

Importing the CA certificate

Note

The FortiMail unit only supports certificates in PEM format. If the CA certificates you downloaded are in DER (binary) format, you need to convert them with Openssl using the following command:

Openssl x509 -in my-ca.crt -inform DER -out myca.pem -outform PEM