Configuring security profiles
Go to Profile > Security to create transport layer security (TLS) profiles and encryption profiles.
This section includes:
Configuring TLS security profiles
The TLS tab lets you create TLS profiles, which contain settings for TLS-secured connections.
TLS profiles, unlike other types of profiles, are applied through access control rules and message delivery rules, not policies. For more information, see Controlling SMTP access and delivery.
To view the list of TLS profiles, go to Profile > Security > TLS.
GUI item |
Description |
||
---|---|---|---|
Clone (button) |
Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
||
Profile Name |
Displays the name of the profile. |
||
TLS Level |
Displays the security level of the TLS connection.
|
||
Action On Failure |
Indicates the action the FortiMail unit takes when a TLS connection cannot be established, either:
|
||
(Green dot in column heading) |
Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
To configure a TLS profile
- Go to Profile > Security > TLS.
- Either click New to add a profile or double-click a profile to modify it.
- For a new profile, enter the Profile name.
- From TLS option, select the security level of the TLS profile.
- Configure the following, as applicable:
- SSL 3.0
- TLS 1.0
- TLS 1.1
- TLS 1.2
- TLS 1.3
- None
- Opportunistic
- Mandatory (only available when TLS option is set to Secure)
A dialog appears.
The availability of the following options varies by your selection in TLS option.
GUI item |
Description |
|||
Check TLS version |
Enable to select a Minimum TLS version to apply for the TLS profile.
|
|||
DANE |
Assign a DNS-based Authentication of Named Entities (DANE) support level: For more information, see RFC 7929. |
|||
MTA-STS |
Assign an MTA Strict Transport Security (MTA-STS) domain checking level. Note that the MTA-STS feature may only take effect when enabled under System > Mail Setting > Mail Server Settings, or via the CLI Console: config system mailserver set smtp-mtasts-status {check-all-domain | check-external-domain | disable} end For more information, see Configuring SMTP service |
|||
Action on failure |
Select whether to fail or temporarily fail if a TLS connection with the parameters described in the TLS profile cannot be established. |
|||
Check encryption strength |
Enable to require a minimum level of encryption strength. Also configure Minimum encryption strength. This option appears only if TLS option is Secure. |
|||
|
Enter the bit size of the encryption key. Greater key size results in stronger encryption, but requires more processing resources. |
|||
Enable and enter a string on the CA issuer field. The FortiMail unit will compare the string in the CA issuer field with the field with that same name in the installed CA certificates.
This option appears only if TLS level is Secure. |
||||
|
Select the type of match required when the FortiMail unit compares the string in the Check CA issuer must be enabled for CA issuer to have any effect. This option appears only if TLS level is Secure. |
|||
|
To populate the CA issuer field with text from a CA certificate’s |
|||
Enable and enter a string in the Certificate subject field. The FortiMail unit will compare the string in the Certificate subject field with the field with that same name in the installed CA certificates.
This option appears only if TLS level is Secure. |
||||
|
Select the type of match required when the FortiMail unit compares the string in the Certificate subject and the same field in the installed CA certificates. Check certificate subject must be enabled for Certificate subject to have any effect. This option appears only if TLS level is Secure. |
Configuring encryption profiles
The Encryption tab lets you create encryption profiles, which contain encryption settings for secure MIME (S/MIME), identity-based encryption (IBE), and fallback to IBE if TLS delivery fails.
The ability to fallback automatically to IBE if TLS encryption fails ensures that all email is sent encrypted, even in instances where encryption keywords are used.
Encryption profiles are applied through either message delivery rules or content action profiles used in content profiles which are included in policies. For more information, see Configuring delivery rules and Configuring content action profiles.
Before S/MIME encryption will work, you must also create at least one internal address certificate binding. For details, see Configuring certificate bindings.
For more information about using S/MIME encryption, see Using S/MIME encryption.
For more information about using IBE, see Configuring IBE encryption.
To view or configure encryption profiles
- Go to Profile > Security > Encryption.
- Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
- Send plain message: Deliver the email without encryption.
- Enforce TLS: If the message delivery rule has no TLS profile or the TLS level in its profile is Preferred, the FortiMail unit will enforce the TLS Secure level. If the TLS level in its profile is None, then the email will temp fail because it contradicts with Enforce TLS. For more information, see Configuring delivery rules and Configuring TLS security profiles.
- Push: A notification and a secure mail is delivered to the recipient who needs to go to the FortiMail unit to open the message. The FortiMail unit does not store the message.
- Pull: A notification is delivered to the recipient who needs to go to the FortiMail unit to open the message. The FortiMail unit stores the message.
- Either click New to add a profile or double-click a profile to modify it.
- For a new profile, enter the name of the profile in Profile name.
- In Protocol, select S/MIME or IBE.
- If you selected IBE as the protocol:
GUI item |
Description |
Clone (button) |
Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
Profile Name |
Displays the name of the profile. |
Protocol |
Displays the protocol used for this profile, S/MIME, IBE, or IBE on TLS failure. |
TLS profile |
Select the TLS profile for FortiMail to use first before falling back to the IBE profile, when necessary. |
Encryption algorithm |
Displays the encryption algorithm that will be used to encrypt the email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES). |
Action |
For S/MIME, the actions are Encrypt, Sign, or Encrypt and Sign. For IBE, the action will be Encrypt only. |
Action on failure |
Indicates the action the FortiMail unit takes when S/MIME or IBE cannot be used: |
Access method |
Displays the action used by the mail recipients to retrieve IBE messages. |
Maximum size (KB) for Push method |
Displays the settings of the maximum message size (KB) of the secure mail delivered (or pushed) to the recipient. If the message exceeds the size limit, it will be delivered with the Pull method. |
(Green dot in column heading) |
Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
A dialog appears.
The availability of the following options varies by your selection in Protocol.
- Select the Action method (Push or Pull) for the mail recipients.
- For Push, specify the maximum message size (KB) for the Push method (messages exceeding the size limit will be delivered with the Pull method).
- Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
- Send plain message: Deliver the email without encryption.
- Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level.
Using S/MIME encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. The FortiMail unit supports S/MIME encryption.
You can encrypt email messages with S/MIME between two FortiMail units. For example, if you want to encrypt and send an email from FortiMail unit A to FortiMail unit B, you need to do the following:
- On FortiMail unit A:
- import the CA certificate. For details, see Managing certificates.
- create a certificate binding for the outgoing email to obtain FortiMail unit B’s public key in the certificate to encrypt the email. For details, see Configuring certificate bindings.
- create an S/MIME encryption profile. For details, see Configuring encryption profiles.
- apply the S/MIME encryption profile in a policy to trigger the S/MIME encryption by either creating a message delivery rule to use the S/MIME encryption profile (see Configuring delivery rules), or creating a policy to include a content profile containing a content action profile with an S/MIME encryption profile (see Controlling email based on sender and recipient addresses, Controlling email based on IP addresses, Configuring content action profiles, and Configuring content profiles).
If the email to be encrypted is matched both by the message delivery rule and the policy, the email will be encrypted based on the content profile in the policy. |
- import the CA certificate. For details, see Managing certificates.
- create a certificate binding for the incoming email and import both FortiMail unit B’s private key and certificate to decrypt the email encrypted by FortiMail unit A using FortiMail unit B’s public key.