FortiMail support of TLS/SSL
By default, the FortiMail unit supports TLS/SSL in two slightly different ways:
- SMTPS
- STARTTLS
SMTPS is also called SMTP over SSL (implicit TLS). It runs on a port separate from the regular SMTP port, 465 by default, and the client starts the TLS handshake immediately after connecting, before any SMTP command is exchanged.
STARTTLS is a command that runs on the regular email service port, 25 by default. If the server supports STARTTLS, it advertises the extension in its response to the client's EHLO command; the client then issues STARTTLS to negotiate a TLS session that protects all subsequent communication. If the server does not support this feature, it does not advertise STARTTLS and the client continues in clear text. STARTTLS is more flexible than SMTPS because one port serves both encrypted and clear-text sessions, but for the same reason it is opportunistic: a client that is not configured to require TLS falls back to clear text whenever the advertisement is missing, including when an attacker on the path has stripped it.
Although this document mainly covers STARTTLS, most of it also applies to SMTPS.
FortiMail TLS behavior in two mail flow directions
This section explains FortiMail TLS behavior in mail receiving and delivering.
- Mail receiving
- If you uncheck the SMTP over SSL/TLS option, STARTTLS is not advertised to clients and the SMTPS port (465) is not opened for listening. As a result, the FortiMail unit does not accept email over TLS/SSL at all.
- Mail delivering
- If the receiving MTA advertises STARTTLS, the FortiMail unit starts TLS and transmits the email in the protected session.
- If the receiving MTA does not advertise STARTTLS, the FortiMail unit transmits the email in a clear-text SMTP session.
- If the receiving MTA advertises STARTTLS but the TLS session cannot be established, the FortiMail unit defers and retries; after the third failed attempt it falls back to a clear-text SMTP session to retransmit the email. This downgrade is the default behavior and is what a TLS profile with the Encrypt or Secure level prevents.
By default both SMTPS and STARTTLS are supported when the FortiMail unit receives messages. Whether the email will be encrypted with TLS/SSL depends on the mail client or sending MTA. The TLS support can be turned on or off globally by going to System > Mail Setting > Mail Server Settings.
There is no global setting to control how TLS is used when the FortiMail unit delivers emails to the next-hop receiving MTA. By default, it uses the STARTTLS "Preferred" option, which means:
TLS profile
The default behavior of FortiMail TLS/SSL support may not meet your specific requirements. In order to add more flexibility to the TLS/SSL support, the FortiMail unit supports TLS profiles. This document uses FortiMail v4.1 as an example.
TLS profiles allow you to selectively disable or enable TLS for specific email recipient patterns, IP subnets, and so on. A common use of TLS profiles is to enforce TLS transport to a specific domain and verify the certificate of the receiving servers.
To configure a TLS profile, go to Profile > Security > TLS.
The TLS level option has four choices that you need to understand before configuring this feature:
None | Disables TLS. In the receiving direction the FortiMail unit does not accept the STARTTLS command from the client; in the delivering direction it does not start TLS even if the receiving MTA advertises STARTTLS. Which of the two applies depends on the direction in which the TLS profile is applied.
Preferred | The default behavior (opportunistic TLS). Whether TLS is used depends on the other party in the session.
Encrypt | Enforces TLS encryption but does not validate the server certificate: a certificate validation failure does not fail delivery. This option only guarantees that the message is encrypted in transit; because the certificate is not checked, it does not protect against a spoofed receiving server.
Secure | Enforces both TLS encryption and certificate validation. A certificate validation failure fails mail delivery.
The Action on failure option has two choices:
Temporarily Fail | If a TLS session cannot be established, the FortiMail unit defers the message and retries later. No DSN is bounced back.
Fail | If a TLS session cannot be established, the FortiMail unit fails the delivery immediately and bounces a DSN to notify the sender of the failure.
Example
This example shows how to enforce TLS for a specific destination domain and validate the receiving server's certificate.
Scenario
All emails to example.mil must be encrypted with TLS, and the FortiMail unit must verify the certificate of the receiving server to defend against email server spoofing and man-in-the-middle attacks. If certificate validation fails, the FortiMail unit must not deliver emails to example.mil.
To verify the certificate of the receiving server and apply the TLS profile
- Import the server CA certificate.
- Create a TLS profile.
- Create delivery policy and apply the profile.
Add the certificate of the CA that issued the server certificate to the FortiMail unit. If more than one level of CA was used, import all intermediate and root CA certificates. Any missing CA certificate breaks the chain of trust and causes certificate validation to fail. Before applying the profile, it is worth confirming from a shell that the chain you imported actually validates the server, for example with openssl s_client -starttls smtp -connect mx.example.mil:25 -CAfile ca-chain.pem and checking for "Verify return code: 0 (ok)" in the output.
Select Secure for TLS level. Enable Check CA issuer and select the imported CA from the drop-down list. If the certificate subject also needs to be verified, select Check certificate subject and enter the substring that must appear in the server certificate's subject. Configure a minimum encryption strength if needed. Failure of any check enabled in the profile fails the TLS session, and therefore the email delivery, to the destination domain.
Apply the newly created TLS profile in the delivery policy by going to Policy > Access Control > Delivery.
From now on, all emails from the FortiMail unit to example.mil are delivered over TLS and the server certificate is verified. If certificate validation does not succeed, the FortiMail unit does not deliver emails to example.mil.
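The delivery decisions in the TLS level and Action on failure tables, and the example.mil enforcement scenario, as an added example that is not FortiMail's own code: decide() models the outcome of one delivery attempt for each level, build_context() maps the Secure/Encrypt distinction onto a Python SSLContext (an imported CA file standing in for Check CA issuer, the minimum TLS version for minimum encryption strength), subject_matches() implements the Check certificate subject substring test, and deliver() probes a real next-hop MTA with smtplib. The function and constant names, the three-failure fallback constant, and the inclusion of SAN DNS names in the subject check are assumptions of this example.

```python
"""Delivery-side TLS policy model (hypothetical names; added example, not
FortiMail code). decide() reproduces the outcomes of the four TLS levels and
the two Action-on-failure choices; deliver() applies the same policy to a
live next-hop MTA without sending mail."""
import smtplib
import ssl
from enum import Enum


class TlsLevel(Enum):
    NONE = "none"            # never start TLS, even if it is advertised
    PREFERRED = "preferred"  # opportunistic: TLS when offered, else clear text
    ENCRYPT = "encrypt"      # TLS required, certificate not validated
    SECURE = "secure"        # TLS required and certificate validated


class OnFailure(Enum):
    TEMPFAIL = "temporarily_fail"  # requeue and retry later, no DSN
    FAIL = "fail"                  # fail at once and bounce a DSN


# Assumed reading of "falls back after the third failed attempt": once three
# TLS attempts have failed, the next attempt goes out in clear text.
PREFERRED_MAX_TLS_FAILURES = 3


def decide(level, advertised, tls_ok, cert_ok,
           prior_tls_failures=0, on_failure=OnFailure.TEMPFAIL):
    """Outcome of one delivery attempt under the given TLS level.

    advertised: the receiving MTA listed STARTTLS in its EHLO response
    tls_ok:     the TLS handshake completed
    cert_ok:    CA chain, subject substring and strength checks all passed
    """
    if level is TlsLevel.NONE:
        return "deliver_cleartext"
    if level is TlsLevel.PREFERRED:
        # Opportunistic: a stripped STARTTLS advertisement looks exactly like
        # a server that never offered TLS, and goes to clear text at once.
        if not advertised or prior_tls_failures >= PREFERRED_MAX_TLS_FAILURES:
            return "deliver_cleartext"
        return "deliver_tls" if tls_ok else "tempfail_retry"
    # Encrypt and Secure never downgrade to clear text.
    if advertised and tls_ok and (cert_ok or level is TlsLevel.ENCRYPT):
        return "deliver_tls"
    return "fail_dsn" if on_failure is OnFailure.FAIL else "tempfail_retry"


def build_context(level, cafile=None, min_version=ssl.TLSVersion.TLSv1_2):
    """SSLContext for the profile: Secure validates the chain against the
    imported CA file (system CAs if none is given); Encrypt/Preferred only
    encrypt. Python also enforces hostname matching under Secure, which is
    stricter than the profile's substring check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_version        # "minimum encryption strength"
    if level is not TlsLevel.SECURE:
        ctx.check_hostname = False           # must precede CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def subject_matches(cert, substring):
    """Check certificate subject: the substring must occur in a subject
    attribute or (assumption) a SAN DNS name of a getpeercert() dict."""
    names = [value for rdn in cert.get("subject", ()) for _, value in rdn]
    names += [value for kind, value in cert.get("subjectAltName", ())
              if kind == "DNS"]
    return any(substring in name for name in names)


def deliver(host, level, cafile=None, subject_substring=None,
            port=25, on_failure=OnFailure.TEMPFAIL):
    """Probe a live next hop and return the decide() outcome (no mail sent)."""
    ctx = build_context(level, cafile)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        advertised = smtp.has_extn("starttls")
        tls_ok = cert_ok = False
        if advertised and level is not TlsLevel.NONE:
            try:
                smtp.starttls(context=ctx)     # bad chain raises here under Secure
                smtp.ehlo()                    # capabilities change after STARTTLS
                tls_ok = True
                cert = smtp.sock.getpeercert()  # empty dict unless chain verified
                cert_ok = (subject_substring is None
                           or subject_matches(cert, subject_substring))
            except (ssl.SSLError, smtplib.SMTPException):
                tls_ok = False
    return decide(level, advertised, tls_ok, cert_ok, on_failure=on_failure)


# Example (needs network): deliver("mx.example.mil", TlsLevel.SECURE,
#     cafile="ca-chain.pem", subject_substring="example.mil", on_failure=OnFailure.FAIL)
```

The point the model makes explicit is that under Preferred a missing STARTTLS advertisement and three handshake failures both end in clear text, whereas Encrypt and Secure only ever return a TLS delivery or a failure; which failure (deferral or DSN) is the Action on failure choice.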