Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiMail 7.2.6 CLI Reference
    7.2.6
    7.6.1
    7.6.0
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.0
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    profile tls

    profile tls

    Use this command to configure TLS profiles that can be used by receive rules (also called access control rules) and delivery rules. Note that many subcommands are only available when level is set to either preferred or secure.

    Syntax

    config profile tls

    edit <profile_name>

    set level {none | preferred | secure}

    set action {fail | tempfail}

    set ca-name <string>

    set cert-subject <string>

    set check-ca-name {enable | disable}

    set check-ca-type {match | substring | wildcard}

    set check-cert-subject {enable | disable}

    set check-cert-type {match | substring | wildcard}

    set check-encryption-strength {enable | disable}

    set check-ssl-version {enable | disable}

    set dane-support {mandatory | none | opportunistic}

    set encryption-strength <integer>

    set min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}

    set mtasts-status {enable | monitor | none}

    end

    Variable

    Description

    Default

    <profile_name>

    Enter the name of the TLS profile.

    level {none | preferred | secure}

    Enter the security level of the TLS connection.

    • none: Disables TLS. Requests for a TLS connection will be ignored.

    • preferred: Allow a simple TLS connection, but do not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.

    • secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections. For information on installing CA certificates, see the FortiMail Administration Guide.

    none

    action {fail | tempfail}

    Select the action the FortiMail unit takes when a TLS connection cannot be established.

    This option does not apply for profiles whose level is preferred.

    tempfail

    ca-name <string>

    Enter the name of the CA issuer.

    This option is only available when level is set to secure.

    cert-subject <string>

    Enter the certification subject.

    This option is only available when level is set to secure.

    check-ca-name {enable | disable}

    Enable to check the CA issuer name.

    This option is only available when level is set to secure.

    disable

    check-ca-type {match | substring | wildcard}

    Select a CA issuer check type.

    This option is only available when level is set to secure.

    match

    check-cert-subject {enable | disable}

    Enable to check the certificate subject name.

    This option is only available when level is set to secure.

    disable

    check-cert-type {match | substring | wildcard}

    Select a certificate check type.

    This option is only available when level is set to secure.

    match

    check-encryption-strength {enable | disable}

    Enable to check encryption key length.

    disable

    check-ssl-version {enable | disable}

    Enable to check the SSL/TLS version.

    disable

    dane-support {mandatory | none | opportunistic}

    Assign a DNS-based Authentication of Named Entities (DANE) support level.

    Note that mandatory is only applicable when level is set to secure.

    For more information, see RFC 7929.

    none

    encryption-strength <integer>

    Enter the encryption key length.

    256

    min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}

    Enter the minimum required SSL/TLS version.

    This option is only available when check-ssl-version is set to enable.

    tls1_1

    mtasts-status {enable | monitor | none}

    Note: The MTA-STS status may only be set when smtp-mtasts-status is enabled under system mailserver.

    Enable MTA Strict Transport Security (MTA-STS) domain checking.

    This option is only available when level is set to either preferred or secure.

    none

    Related topics

    ms365 profile antivirus

    Previous
    Next

    profile tls

    profile tls

    Use this command to configure TLS profiles that can be used by receive rules (also called access control rules) and delivery rules. Note that many subcommands are only available when level is set to either preferred or secure.

    Syntax

    config profile tls

    edit <profile_name>

    set level {none | preferred | secure}

    set action {fail | tempfail}

    set ca-name <string>

    set cert-subject <string>

    set check-ca-name {enable | disable}

    set check-ca-type {match | substring | wildcard}

    set check-cert-subject {enable | disable}

    set check-cert-type {match | substring | wildcard}

    set check-encryption-strength {enable | disable}

    set check-ssl-version {enable | disable}

    set dane-support {mandatory | none | opportunistic}

    set encryption-strength <integer>

    set min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}

    set mtasts-status {enable | monitor | none}

    end

    Variable

    Description

    Default

    <profile_name>

    Enter the name of the TLS profile.

    level {none | preferred | secure}

    Enter the security level of the TLS connection.

    • none: Disables TLS. Requests for a TLS connection will be ignored.

    • preferred: Allow a simple TLS connection, but do not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.

    • secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections. For information on installing CA certificates, see the FortiMail Administration Guide.

    none

    action {fail | tempfail}

    Select the action the FortiMail unit takes when a TLS connection cannot be established.

    This option does not apply for profiles whose level is preferred.

    tempfail

    ca-name <string>

    Enter the name of the CA issuer.

    This option is only available when level is set to secure.

    cert-subject <string>

    Enter the certification subject.

    This option is only available when level is set to secure.

    check-ca-name {enable | disable}

    Enable to check the CA issuer name.

    This option is only available when level is set to secure.

    disable

    check-ca-type {match | substring | wildcard}

    Select a CA issuer check type.

    This option is only available when level is set to secure.

    match

    check-cert-subject {enable | disable}

    Enable to check the certificate subject name.

    This option is only available when level is set to secure.

    disable

    check-cert-type {match | substring | wildcard}

    Select a certificate check type.

    This option is only available when level is set to secure.

    match

    check-encryption-strength {enable | disable}

    Enable to check encryption key length.

    disable

    check-ssl-version {enable | disable}

    Enable to check the SSL/TLS version.

    disable

    dane-support {mandatory | none | opportunistic}

    Assign a DNS-based Authentication of Named Entities (DANE) support level.

    Note that mandatory is only applicable when level is set to secure.

    For more information, see RFC 7929.

    none

    encryption-strength <integer>

    Enter the encryption key length.

    256

    min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}

    Enter the minimum required SSL/TLS version.

    This option is only available when check-ssl-version is set to enable.

    tls1_1

    mtasts-status {enable | monitor | none}

    Note: The MTA-STS status may only be set when smtp-mtasts-status is enabled under system mailserver.

    Enable MTA Strict Transport Security (MTA-STS) domain checking.

    This option is only available when level is set to either preferred or secure.

    none

    Related topics

    ms365 profile antivirus

    Previous
    Next