profile tls
Use this command to configure TLS profiles that can be used by receive rules (also called access control rules) and delivery rules. Note that many subcommands are only available when level
is set to either preferred
or secure
.
Syntax
config profile tls
edit <profile_name>
set level {none | preferred | secure}
set ca-name <string>
set check-ca-name {enable | disable}
set check-ca-type {match | substring | wildcard}
set check-cert-subject {enable | disable}
set check-cert-type {match | substring | wildcard}
set check-encryption-strength {enable | disable}
set check-ssl-version {enable | disable}
set dane-support {mandatory | none | opportunistic}
set encryption-strength <integer>
set min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
end
Variable |
Description |
Default |
Enter the name of the TLS profile. |
|
|
Enter the security level of the TLS connection.
|
none |
|
Select the action the FortiMail unit takes when a TLS connection cannot be established. This option does not apply for profiles whose |
tempfail |
|
Enter the name of the CA issuer. This option is only available when |
|
|
Enter the certification subject. This option is only available when |
|
|
Enable to check the CA issuer name. This option is only available when |
disable |
|
Select a CA issuer check type. This option is only available when |
match |
|
Enable to check the certificate subject name. This option is only available when |
disable |
|
Select a certificate check type. This option is only available when |
match |
|
Enable to check encryption key length. |
disable |
|
Enable to check the SSL/TLS version. |
disable |
|
Assign a DNS-based Authentication of Named Entities (DANE) support level. Note that For more information, see RFC 7929. |
none |
|
Enter the encryption key length. |
256 |
|
Enter the minimum required SSL/TLS version. This option is only available when |
tls1_1 |