Fortinet white logo
Fortinet white logo

Administration Guide

Configuring security profiles

Configuring security profiles

Go to Profile > Security to create transport layer security (TLS) profiles and encryption profiles.

This section includes:

Configuring TLS security profiles

The TLS tab lets you create TLS profiles, which contain settings for TLS-secured connections.

TLS profiles, unlike other types of profiles, are applied through access control rules and message delivery rules, not policies. For more information, see Controlling SMTP access and delivery.

To view the list of TLS profiles, go to Profile > Security > TLS.

GUI item

Description

Clone

(button)

Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

Profile Name

Displays the name of the profile.

TLS option

Displays the security level of the TLS connection.

  • None: Disables TLS. Requests for a TLS connection will be ignored.
  • Preferred: Allow a simple TLS connection, but do not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.
  • Secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections. For information on installing CA certificates, see Managing certificate authority certificates.

Check TLS version

Enable to select a Minimum TLS version to apply for the TLS profile.

Note

The connection will be refused if the Minimum TLS version is not met, regardless of whether TLS option is set to Preferred or Secure.

  • SSL 3.0

  • TLS 1.0

  • TLS 1.1
  • TLS 1.2

  • TLS 1.3

DANE support

Assign a DNS-based Authentication of Named Entities (DANE) support level:

  • None

  • Opportunistic

  • Mandatory (only available when TLS option is set to Secure)

For more information, see RFC 7929.

Check encryption strength

The bit size of the encryption key. Greater key size results in stronger encryption, but requires more processing resources.

This option does not apply and will be empty for profiles whose TLS Level is None or Preferred.

Check CA issuer

The type of the match, and the text that the CA Issuer field of the server’s certificate must match.

This text must correlate to a CA certificate that you have installed on the FortiMail unit. For information on installing CA certificates, see “Managing certificate authority certificates” on page 198.

The text is prefixed by a letter that indicates the type of the match that you have configured in the profile:

  • E: The text of the CA Issuer field must equal this value exactly.
  • S: The text of the CA Issuer field must contain this value.
  • W: The text of the CA Issuer field must be similar to this value in the pattern indicated by wild cards.

This option does not apply and will be empty for profiles whose TLS Level is not Secure. It may also be empty if you have not configured the TLS profile to require a specific CA Issuer.

Check certificate subject

The type of the match, and the text that the CN Subject field of the server’s certificate must match.

The text is prefixed by a letter that indicates the type of the match that you have configured in the profile:

  • Equal: The text of the CA Subject field must equal this value exactly.
  • Contain: The text of the CA Subject field must contain this value.
  • Wildcard: The text of the CA Subject field must be similar to this value in the pattern indicated by wild cards.

This option does not apply and will be empty for profiles whose TLS Level is not Secure. It may also be empty if you have not configured the TLS profile to require a specific CA Issuer.

Action on failure

Indicates the action the FortiMail unit takes when a TLS connection cannot be established, either:

  • Temporarily Fail: Reply to the SMTP client with a code indicating temporary failure.
  • Fail: Reject the email and reply to the SMTP client with SMTP reply code 550.

(Green dot in column heading)

Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

To configure a TLS profile
  1. Go to Profile > Security > TLS.
  2. A dialog appears.

  3. Either click New to add a profile or double-click a profile to modify it.
  4. For a new profile, enter the name of the profile in Profile name. The profile name is editable later.
  5. From TLS option, select the security level of the TLS profile:
  • None: Disables TLS. Requests for a TLS connection will be ignored.
  • Preferred: Allows a simple TLS connection, but does not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.
  • Secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections.
  • The availability of the following options varies by your selection in TLS level.

  • Configure the following, as applicable:
  • GUI item

    Description

    Action on failure

    Select whether to fail or temporarily fail if a TLS connection with the parameters described in the TLS profile cannot be established.

    This option does not appear if TLS level is Preferred.

    Check encryption strength

    Enable to require a minimum level of encryption strength. Also configure Minimum encryption strength.

    This option appears only if TLS level is Encrypt or Secure.

    Minimum encryption strength

    Enter the bit size of the encryption key. Greater key size results in stronger encryption, but requires more processing resources.

    Check CA issuer

    Enable and enter a string on the CA issuer field. The FortiMail unit will compare the string in the CA issuer field with the field with that same name in the installed CA certificates.

    Note

    The CA issuer string format must use no spaces, and must use slashes "/" to separate the certificate components. For example:

    /CN=Fortinet/O=Fortinet Ltd.

    This option appears only if TLS level is Secure.

    CA issuer

    Select the type of match required when the FortiMail unit compares the string in the CA Issuer field and the same field in the installed CA certificates. For more information on CA certificates, see Managing certificate authority certificates.

    Check CA issuer must be enabled for CA issuer to have any effect.

    This option appears only if TLS level is Secure.

    Lookup CA

    To populate the CA issuer field with text from a CA certificate’s CA Issuer, select the name of a CA certificate that you have uploaded to the FortiMail unit.

    Check certificate subject

    Enable and enter a string in the Certificate subject field. The FortiMail unit will compare the string in the Certificate subject field with the field with that same name in the installed CA certificates.

    Note

    The certificate subject string format must use no spaces, and must use slashes "/" to separate the certificate components. For example:

    /CN=Fortinet/O=Fortinet Ltd.

    This option appears only if TLS level is Secure.

    Certificate subject

    Select the type of match required when the FortiMail unit compares the string in the Certificate subject and the same field in the installed CA certificates.

    Check certificate subject must be enabled for Certificate subject to have any effect.

    This option appears only if TLS level is Secure.

    Configuring encryption profiles

    The Encryption tab lets you create encryption profiles, which contain encryption settings for secure MIME (S/MIME) and identity-based encryption (IBE).

    Encryption profiles are applied through either message delivery rules or content action profiles used in content profiles which are included in policies. For more information, see Configuring delivery rules and Configuring content action profiles.

    Before S/MIME encryption will work, you must also create at least one internal address certificate binding. For details, see Configuring certificate bindings.

    For more information about using S/MIME encryption, see Using S/MIME encryption.

    For more information about using IBE, see Configuring IBE encryption.

    To view or configure encryption profiles
    1. Go to Profile > Security > Encryption.
    2. GUI item

      Description

      Clone

      (button)

      Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

      Profile Name

      Displays the name of the profile.

      Protocol

      Displays the protocol used for this profile, S/MIME or IBE.

      Encryption Algorithm

      Displays the encryption algorithm that will be used to encrypt the email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES).

      Action

      For S/MIME, the actions are Encrypt, Sign, or Encrypt and Sign. For IBE, the action will be Encrypt only.

      Action On Failure

      Indicates the action the FortiMail unit takes when S/MIME or IBE cannot be used:

      • Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
      • Send plain message: Deliver the email without encryption.
      • Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level. For more information, see Configuring delivery rules and Configuring TLS security profiles.

      IBE Action

      Displays the action used by the mail recipients to retrieve IBE messages.

      • Push: A notification and a secure mail is delivered to the recipient who needs to go to the FortiMail unit to open the message. The FortiMail unit does not store the message.
      • Pull: A notification is delivered to the recipient who needs to go to the FortiMail unit to open the message. The FortiMail unit stores the message.

      Max Push Size (KB)

      Displays the settings of the maximum message size (KB) of the secure mail delivered (or pushed) to the recipient.

      If the message exceeds the size limit, it will be delivered with the Pull method.

      (Green dot in column heading)

      Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

    3. Either click New to add a profile or double-click a profile to modify it.
    4. A dialog appears.

    5. For a new profile, enter the name of the profile in Profile name.
    6. In Protocol, select S/MIME or IBE.
    7. The availability of the following options varies by your selection in Protocol.

    8. If you selected IBE as the protocol:
    • Select the Action method (Push or Pull) for the mail recipients.
    • For Push, specify the maximum message size (KB) for the Push method (messages exceeding the size limit will be delivered with the Pull method).
  • If you select S/MIME as the protocol, select an action: Encrypt, Sign, or Encrypt and Sign. To use S/MIME encryption, you must also configure certificate binding. For details, see Using S/MIME encryption and Configuring certificate bindings.
  • From Encryption algorithm, select the encryption algorithm that will be used to encrypt email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES).
  • From Action on failure, select the action the FortiMail unit takes when encryption cannot be used.
    • Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
    • Send plain message: Deliver the email without encryption.
    • Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level.
  • Click Create or OK.
  • Using S/MIME encryption

    S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. The FortiMail unit supports S/MIME encryption.

    You can encrypt email messages with S/MIME between two FortiMail units. For example, if you want to encrypt and send an email from FortiMail unit A to FortiMail unit B, you need to do the following:

    1. On FortiMail unit A:
    Note

    If the email to be encrypted is matched both by the message delivery rule and the policy, the email will be encrypted based on the content profile in the policy.

  • On FortiMail unit B:
    • import the CA certificate. For details, see Managing certificates.
    • create a certificate binding for the incoming email and import both FortiMail unit B’s private key and certificate to decrypt the email encrypted by FortiMail unit A using FortiMail unit B’s public key.

    Configuring security profiles

    Configuring security profiles

    Go to Profile > Security to create transport layer security (TLS) profiles and encryption profiles.

    This section includes:

    Configuring TLS security profiles

    The TLS tab lets you create TLS profiles, which contain settings for TLS-secured connections.

    TLS profiles, unlike other types of profiles, are applied through access control rules and message delivery rules, not policies. For more information, see Controlling SMTP access and delivery.

    To view the list of TLS profiles, go to Profile > Security > TLS.

    GUI item

    Description

    Clone

    (button)

    Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

    Profile Name

    Displays the name of the profile.

    TLS option

    Displays the security level of the TLS connection.

    • None: Disables TLS. Requests for a TLS connection will be ignored.
    • Preferred: Allow a simple TLS connection, but do not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.
    • Secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections. For information on installing CA certificates, see Managing certificate authority certificates.

    Check TLS version

    Enable to select a Minimum TLS version to apply for the TLS profile.

    Note

    The connection will be refused if the Minimum TLS version is not met, regardless of whether TLS option is set to Preferred or Secure.

    • SSL 3.0

    • TLS 1.0

    • TLS 1.1
    • TLS 1.2

    • TLS 1.3

    DANE support

    Assign a DNS-based Authentication of Named Entities (DANE) support level:

    • None

    • Opportunistic

    • Mandatory (only available when TLS option is set to Secure)

    For more information, see RFC 7929.

    Check encryption strength

    The bit size of the encryption key. Greater key size results in stronger encryption, but requires more processing resources.

    This option does not apply and will be empty for profiles whose TLS Level is None or Preferred.

    Check CA issuer

    The type of the match, and the text that the CA Issuer field of the server’s certificate must match.

    This text must correlate to a CA certificate that you have installed on the FortiMail unit. For information on installing CA certificates, see “Managing certificate authority certificates” on page 198.

    The text is prefixed by a letter that indicates the type of the match that you have configured in the profile:

    • E: The text of the CA Issuer field must equal this value exactly.
    • S: The text of the CA Issuer field must contain this value.
    • W: The text of the CA Issuer field must be similar to this value in the pattern indicated by wild cards.

    This option does not apply and will be empty for profiles whose TLS Level is not Secure. It may also be empty if you have not configured the TLS profile to require a specific CA Issuer.

    Check certificate subject

    The type of the match, and the text that the CN Subject field of the server’s certificate must match.

    The text is prefixed by a letter that indicates the type of the match that you have configured in the profile:

    • Equal: The text of the CA Subject field must equal this value exactly.
    • Contain: The text of the CA Subject field must contain this value.
    • Wildcard: The text of the CA Subject field must be similar to this value in the pattern indicated by wild cards.

    This option does not apply and will be empty for profiles whose TLS Level is not Secure. It may also be empty if you have not configured the TLS profile to require a specific CA Issuer.

    Action on failure

    Indicates the action the FortiMail unit takes when a TLS connection cannot be established, either:

    • Temporarily Fail: Reply to the SMTP client with a code indicating temporary failure.
    • Fail: Reject the email and reply to the SMTP client with SMTP reply code 550.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

    To configure a TLS profile
    1. Go to Profile > Security > TLS.
    2. A dialog appears.

    3. Either click New to add a profile or double-click a profile to modify it.
    4. For a new profile, enter the name of the profile in Profile name. The profile name is editable later.
    5. From TLS option, select the security level of the TLS profile:
    • None: Disables TLS. Requests for a TLS connection will be ignored.
    • Preferred: Allows a simple TLS connection, but does not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.
    • Secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections.
    • The availability of the following options varies by your selection in TLS level.

  • Configure the following, as applicable:
  • GUI item

    Description

    Action on failure

    Select whether to fail or temporarily fail if a TLS connection with the parameters described in the TLS profile cannot be established.

    This option does not appear if TLS level is Preferred.

    Check encryption strength

    Enable to require a minimum level of encryption strength. Also configure Minimum encryption strength.

    This option appears only if TLS level is Encrypt or Secure.

    Minimum encryption strength

    Enter the bit size of the encryption key. Greater key size results in stronger encryption, but requires more processing resources.

    Check CA issuer

    Enable and enter a string on the CA issuer field. The FortiMail unit will compare the string in the CA issuer field with the field with that same name in the installed CA certificates.

    Note

    The CA issuer string format must use no spaces, and must use slashes "/" to separate the certificate components. For example:

    /CN=Fortinet/O=Fortinet Ltd.

    This option appears only if TLS level is Secure.

    CA issuer

    Select the type of match required when the FortiMail unit compares the string in the CA Issuer field and the same field in the installed CA certificates. For more information on CA certificates, see Managing certificate authority certificates.

    Check CA issuer must be enabled for CA issuer to have any effect.

    This option appears only if TLS level is Secure.

    Lookup CA

    To populate the CA issuer field with text from a CA certificate’s CA Issuer, select the name of a CA certificate that you have uploaded to the FortiMail unit.

    Check certificate subject

    Enable and enter a string in the Certificate subject field. The FortiMail unit will compare the string in the Certificate subject field with the field with that same name in the installed CA certificates.

    Note

    The certificate subject string format must use no spaces, and must use slashes "/" to separate the certificate components. For example:

    /CN=Fortinet/O=Fortinet Ltd.

    This option appears only if TLS level is Secure.

    Certificate subject

    Select the type of match required when the FortiMail unit compares the string in the Certificate subject and the same field in the installed CA certificates.

    Check certificate subject must be enabled for Certificate subject to have any effect.

    This option appears only if TLS level is Secure.

    Configuring encryption profiles

    The Encryption tab lets you create encryption profiles, which contain encryption settings for secure MIME (S/MIME) and identity-based encryption (IBE).

    Encryption profiles are applied through either message delivery rules or content action profiles used in content profiles which are included in policies. For more information, see Configuring delivery rules and Configuring content action profiles.

    Before S/MIME encryption will work, you must also create at least one internal address certificate binding. For details, see Configuring certificate bindings.

    For more information about using S/MIME encryption, see Using S/MIME encryption.

    For more information about using IBE, see Configuring IBE encryption.

    To view or configure encryption profiles
    1. Go to Profile > Security > Encryption.
    2. GUI item

      Description

      Clone

      (button)

      Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

      Profile Name

      Displays the name of the profile.

      Protocol

      Displays the protocol used for this profile, S/MIME or IBE.

      Encryption Algorithm

      Displays the encryption algorithm that will be used to encrypt the email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES).

      Action

      For S/MIME, the actions are Encrypt, Sign, or Encrypt and Sign. For IBE, the action will be Encrypt only.

      Action On Failure

      Indicates the action the FortiMail unit takes when S/MIME or IBE cannot be used:

      • Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
      • Send plain message: Deliver the email without encryption.
      • Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level. For more information, see Configuring delivery rules and Configuring TLS security profiles.

      IBE Action

      Displays the action used by the mail recipients to retrieve IBE messages.

      • Push: A notification and a secure mail is delivered to the recipient who needs to go to the FortiMail unit to open the message. The FortiMail unit does not store the message.
      • Pull: A notification is delivered to the recipient who needs to go to the FortiMail unit to open the message. The FortiMail unit stores the message.

      Max Push Size (KB)

      Displays the settings of the maximum message size (KB) of the secure mail delivered (or pushed) to the recipient.

      If the message exceeds the size limit, it will be delivered with the Pull method.

      (Green dot in column heading)

      Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

    3. Either click New to add a profile or double-click a profile to modify it.
    4. A dialog appears.

    5. For a new profile, enter the name of the profile in Profile name.
    6. In Protocol, select S/MIME or IBE.
    7. The availability of the following options varies by your selection in Protocol.

    8. If you selected IBE as the protocol:
    • Select the Action method (Push or Pull) for the mail recipients.
    • For Push, specify the maximum message size (KB) for the Push method (messages exceeding the size limit will be delivered with the Pull method).
  • If you select S/MIME as the protocol, select an action: Encrypt, Sign, or Encrypt and Sign. To use S/MIME encryption, you must also configure certificate binding. For details, see Using S/MIME encryption and Configuring certificate bindings.
  • From Encryption algorithm, select the encryption algorithm that will be used to encrypt email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES).
  • From Action on failure, select the action the FortiMail unit takes when encryption cannot be used.
    • Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
    • Send plain message: Deliver the email without encryption.
    • Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level.
  • Click Create or OK.
  • Using S/MIME encryption

    S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. The FortiMail unit supports S/MIME encryption.

    You can encrypt email messages with S/MIME between two FortiMail units. For example, if you want to encrypt and send an email from FortiMail unit A to FortiMail unit B, you need to do the following:

    1. On FortiMail unit A:
    Note

    If the email to be encrypted is matched both by the message delivery rule and the policy, the email will be encrypted based on the content profile in the policy.

  • On FortiMail unit B:
    • import the CA certificate. For details, see Managing certificates.
    • create a certificate binding for the incoming email and import both FortiMail unit B’s private key and certificate to decrypt the email encrypted by FortiMail unit A using FortiMail unit B’s public key.