DOCUMENT LIBRARY

Administration Guide

Email concepts and process workflow
- Email protocols
- Client-server connections in SMTP
- DNS role in email delivery
- How FortiMail processes email
- FortiMail operation modes
- FortiMail high availability
- FortiMail management methods
Setting up the FortiMail system
- Connecting to the GUI or CLI
- Choosing the operation mode
- Running the Quick Start Wizard
- Connecting to FortiGuard services
- Gateway mode deployment
- Transparent mode deployment
- Server mode deployment
- Testing the installation
- Backing up the configuration
Using the dashboard
- Viewing the dashboard
- Using the CLI Console
Using FortiView
- Viewing mail statistics
- View threat statistics
- View outbreak statistics
- Viewing top user statistics
- Viewing current IP sessions
Monitoring the system
- Viewing log messages
- Managing the quarantines
- Managing the mail queue
- Viewing DMARC report statistics
  - Viewing the DMARC and SPF report summary
  - Viewing details about DMARC and SPF report statistics
- Viewing the greylist statuses
- Viewing sender, authentication and endpoint reputation
- Managing archived email
- Viewing reports
Centrally monitoring the HA cluster
- Viewing the cluster status
- Viewing HA cluster mail statistics
- Viewing HA cluster threat statistics
- Searching the HA cluster logs
Configuring system settings
- Configuring network settings
- Configuring administrator accounts and access profiles
- Configuring system time, options, and other system options
- Configuring mail settings
- Customizing GUI, custom messages, email templates, and Security Fabric
- Configuring single sign-on (SSO)
- Configuring RAID
- Using high availability (HA)
- Managing certificates
- Using FortiNDR malware inspection
- Using FortiSandbox antivirus inspection
- Configuring FortiGuard services and licensed features
  - Configuring licensed features
    - Configuring image analysis
- System maintenance
- System utility
Configuring domains and users
- Configuring protected domains
- Managing users
- Configuring user aliases
- Configuring address mappings
- Configuring IBE users
- Configuring the address book
- Sharing calendars and address books (server mode only)
- Migrating email from other mail servers (server mode only)
Configuring policies
- What is a policy?
- How to use policies
- Controlling SMTP access and delivery
- Controlling email based on IP addresses
- Controlling email based on sender and recipient addresses
Configuring profiles
- Configuring session profiles
- Configuring antispam profiles and actions
- Configuring antivirus profiles, file signatures, and actions
- Configuring content profiles and content action profiles
- Configuring replacement message profiles and variables
- Configuring resource profiles
- Workflow to enable and configure authentication of email users
- Configuring authentication profiles
- Configuring LDAP profiles
- Configuring dictionary profiles
- Configuring security profiles
- Configuring IP pools
- Configuring email, IP and GeoIP groups
- Configuring notification profiles
Configuring security settings
- Configuring URL filter profiles
- Configuring a threat feed
  - Types and file formats of threat feeds
- Configuring content disarming and reconstruction
- Configuring authentication reputation
- Configuring email quarantines and quarantine reports
- Configuring the block lists and safe lists
- Configuring greylisting
- Configuring bounce verification and tagging
- Configuring sender rewriting scheme
- Configuring endpoint reputation
- Configuring preferences
- Training and maintaining the Bayesian databases
Configuring encryption settings
- Configuring IBE encryption
- Configuring certificate bindings
Configuring data loss prevention
- DLP configuration workflow
- Defining the sensitive data
- Configuring DLP rules
- Configuring DLP profiles
Archiving email
- Email archiving workflow
- Configuring email archiving accounts
- Configuring email archiving policies
- Configuring email archiving exemptions
Logs, reports, and alerts
- About FortiMail logging
- Configuring logging
- Configuring report profiles and generating reports
- Configuring alert email
Microsoft 365, Exchange and Google Workspace threat remediation
- Microsoft 365, Exchange, and Google Workspace protection workflow
- Configuring accounts
- Configuring scanning policies
- Configuring profiles
- Monitoring log messages
Managing firmware and configuration
- Testing firmware before installing it
- Installing firmware
- Clean installing firmware
- Upgrading firmware on HA units
Best practices and fine tuning
- General security tuning
- System security tuning
- Network topology tuning
- High availability (HA) tuning
- SMTP connectivity tuning
- Antispam tuning
- Policy tuning
- System maintenance tips
- Performance tuning
Troubleshooting
- Establish a system baseline
- Define the problem
- Search for a known solution
- Create a troubleshooting plan
- Gather system information
- Troubleshoot hardware issues
- Troubleshoot GUI and CLI connection issues
- Troubleshoot FortiGuard connection issues
- Troubleshoot MTA issues
- Troubleshoot antispam issues
- Troubleshoot HA issues
- Troubleshoot resource issues
- Troubleshoot bootup issues
- Troubleshoot installation issues
- Contact Fortinet customer support for assistance
Setup for email users
- Training Bayesian databases
- Managing tagged spam
- Accessing the personal quarantine and webmail
- Sending email from an email client (gateway and transparent mode)
Appendix A: Supported RFCs
Appendix B: Maximum Values
Appendix C: Port Numbers
Appendix D: Wildcards and regular expressions
- Special characters with regular expressions and wildcards
- Case sensitivity
- Modifiers
- Word boundary
- Syntax
- Example regular expressions
Appendix E: Working with TLS/SSL
- About TLS/SSL
- How TLS/SSL works
- FortiMail support of TLS/SSL
- Troubleshooting FortiMail TLS issues
Appendix F: PKI Authentication
- Introduction to PKI authentication
- FortiMail PKI architecture
- Configuring PKI authentication on FortiMail
Change log

Home FortiMail 7.6.0 Administration Guide

7.6.0

FortiMail support of TLS/SSL

By default, the FortiMail unit supports TLS/SSL in two slightly different ways:

SMTPS

SMTPS is also called SMTP over SSL. It runs on a different port than the regular email port (465 by default). To connect with SMTPS, the client needs to start the TLS handshake directly at the very beginning.
STARTTLS

STARTTLS is a command that runs on a regular email service port, 25 by default. If the server supports STARTTLS, this command shows up in the welcome banner and the client runs it to establish a TLS session to protect all subsequent communication. If the server does not support this feature, it will not advertise the STARTTLS command and the client will use clear text communication. The STARTTLS command is more flexible than SMTPS.

Although this document mainly covers STARTTLS, most is applicable to SMTPS.

FortiMail TLS behavior in both directions of mail flow

FortiMail may be either receiving or delivering email. TLS behavior varies by direction.

Mail receiving

By default both SMTPS and STARTTLS are supported when the FortiMail unit receives messages. Whether the email will be encrypted with TLS/SSL depends on the mail client or sending MTA. The TLS support can be turned on or off globally by going to System > Mail Setting > Mail Server Settings.

If you deselect the SMTP over SSL/TLS option, STARTTLS will not be advertised to the client and the SMTPS port (465) will not be listening. As a result, the FortiMail unit will not accept emails through TLS/SSL.
Mail delivering

There is no global setting to control how TLS is used when the FortiMail unit delivers emails to the next hop receiving MTA. By default, it uses STARTTLS "preferred" option which means:
- If the receiving MTA supports STARTTLS, the FortiMail unit will use TLS and transmit emails in the protected session.
- If the receiving MTA does not advertise STARTTLS, the FortiMail unit will use clear text SMTP session to transmit emails.
- If the receiving MTA supports STARTTLS, but the TLS session does not succeed, the FortiMail unit will fall back to the clear text SMTP session to retransmit emails after the third failed attempt.

TLS profile

The default behavior of FortiMail TLS/SSL support may not meet your specific requirements. In order to add more flexibility to the TLS/SSL support, the FortiMail unit supports TLS profiles. This document uses FortiMail v4.1 as an example.

TLS profiles allow you to selectively disable or enable TLS for specific email recipient patterns, IP subnets, and so on. A common use of TLS profiles is to enforce TLS transport to a specific domain and verify the certificate of the receiving servers.

To configure a TLS profile, go to Profile > Security > TLS.

The TLS level option has these choices:

None	Disables TLS and the FortiMail unit does not accept STARTTLS command from the client in receiving direction or does not start TLS in the delivering direction (even if STARTTLS is advertised by the receiving MTA), depending on which direction the TLS profile is applied.
Preferred	This is the default behavior. Whether TLS is used depends on the other party of the session.
Edit	Select to change settings for the widget. This option appears only on the CLI Console widget.
Secure	Enforces both TLS encryption and certificate validation. Failure of server certificate validation will fail mail delivery.

The Action on failure option has these choices:

Temporarily Fail	If a TLS session cannot be established, the FortiMail unit will fail temporarily and retry later. No DSN will be bounced back.
Fail	If a TLS session cannot be established, the FortiMail unit will fail the mail delivery immediately and a DSN will be bounced back to notify the sender about the failure.

Example

This example shows how to enforce TLS on a specific domain and verify the validity of the receiving server certificate.

Scenario

All emails to example.mil must be encrypted with TLS and the FortiMail unit needs to verify the certificate of the receiving server to defend against email server spoofing or man-in-the-middle attack. If the certificate validation fails, the FortiMail unit will not deliver emails to that server, example.mil.

To verify the certificate of the receiving server and apply the TLS profile

Import the server CA certificate.

Add the certificate of the CA that issued the server certificate to the FortiMail unit. If more than one level of CAs was used, import all intermediate and root CA certificates to the FortiMail unit. Any missing CA certificate will break the chain of trust and then certificate validation will fail.

Create a TLS profile.

Select Secure for TLS level. Find the CA from the drop down list after enabling Check CA issuer. If the certificate subject also needs to be verified, select Check certificate subject and configure the substring that is contained in the server certificate. Minimum encryption strength can be configured if needed. A failure of any checks enabled in the profile will fail the TLS session and email delivery to the destination domain.

Create delivery policy and apply the profile.

Apply the newly created TLS profile in the delivery policy by going to Policy > Access Control > Delivery.

Now all email from the FortiMail unit to example.mil will be delivered through TLS and the server certificate will be verified. If the certificate validation does not succeed, the FortiMail unit will not deliver email to example.mil.