Configuring security profiles

Go to Profile > Security to create transport layer security (TLS) profiles and encryption profiles. These can be used to authenticate and encrypt the SMTP connection and/or the email that it carries.

Configuring TLS security profiles

TLS profiles contain settings for SSL/TLS-secured connections.

A common use of TLS profiles is to enforce encrypted transport to a specific domain, and to authenticate the identity of the receiving servers. This provides more specific control than basic TLS support. For global settings on connections that FortiMail receives, see SMTP Service section.

To configure a TLS profile

1. Go to Profile > Security > TLS.

2. Either click New to add a profile or double-click a profile to modify it.

3. Configure the following settings:

   GUI item	Description
   Name	Enter a unique name for the profile.
   Comment	Optional. Enter a description or comment.
   TLS option	Select whether SSL/TLS is supported or required: None: Disables SSL/TLS. Requests for secure connections will be ignored. Preferred: If the other device in the SMTP session supports STARTTLS, then FortiMail tries to use it. Secure: Require a certificate-authenticated SSL/TLS connection. Effects vary by directionality and global settings. For details, see FortiMail TLS behavior in both directions of mail flow.

4. If TLS option is Secure or Preferred, then options related to SSL/TLS appear.

   Configure the following settings:

   GUI item		Description
   Check TLS version		Enable to perform the action in Action on failure if the connection does not meet Minimum TLS version. Tip: To avoid mail flow disruptions, verify that protected domains and others support the minimum version before you begin to enforce it. For summaries of recent connections, see Viewing SSL/TLS session statistics.
   	Minimum TLS version	Select the required minimum secure connection protocol and version, either: TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0 SSL 3.0 This setting is available only if Check TLS version is enabled. Effects also can be overridden by encryption strength settings in the CLI.
   DANE		Select the DNS-based Authentication of Named Entities (DANE) support level: None Opportunistic Mandatory (only available if TLS option is Secure) See also RFC 7929.
   MTA-STS		Select the MTA Strict Transport Security (MTA-STS) domain verification level. This setting is available only when MTA-STS service is not disabled.
   Action on failure		Select the action FortiMail performs when an SSL/TLS connection cannot be established, either: Fail: Reject the email and reply to the SMTP client with SMTP reply code 550. Temporarily Fail: Reply to the SMTP client with a code indicating temporary failure. Optionally, you can configure Protocol to try IBE if TLS fails. IBE also ensures that the email message is encrypted in transit.
   Check encryption strength		Enable to perform the action in Action on failure if the connection does not meet Minimum encryption strength.
   	Minimum encryption strength	Enter the bit size of the encryption key. Greater key size results in stronger encryption, but requires more processing resources. This setting takes effect only if Check encryption strength is enabled. Effects also can be overridden by encryption strength settings in the CLI.
   Check CA issuer		Enable to perform the action in Action on failure if the connection peer's certificate's CA Issuer field (its signing CA) does not match CA issuer. Each certificate's signature is validated with the list of trusted CA certificates (see also Managing certificate authority certificates.), so this additional CA setting effectively filters which trusted CAs can be used by specific sessions.
   	CA issuer	Select how to compare this setting with the peer certificate's CA Issuer field: Equal Contain Wildcard (some characters may vary, which are indicated by a question mark ( ? ) or asterisk ( * ) ) Either: Use Lookup CA to select a trusted CA. Manually enter a string that matches only trusted CAs. Use forward slashes to separate each part of the Distinguished Name (DN). For example: /CN=ca.example.com/O=Example Inc. This setting takes effect only if Check CA issuer is enabled. If this setting is empty, then it effectively disables Check CA issuer, and the certificate's signature is allowed to use any trusted CA certificate.
   	Lookup CA	To populate the CA issuer field with text from a trusted CA certificate that is installed on FortiMail, select the name of the CA certificate. See also Managing certificate authority certificates.
   Check certificate subject		Enable to perform the action in Action on failure if the connection peer's certificate's Subject field does not match Certificate subject.
   	Certificate subject	Select how to compare this setting with the peer certificate's Subject field: Equal Contain Wildcard (some characters may vary, which are indicated by a question mark ( ? ) or asterisk ( * ) ) Manually enter a string that matches only accepted certificate subjects. Use forward slashes to separate each part of the Distinguished Name (DN). For example: /CN=mail.example.com/O=Example Inc. This setting takes effect only if Check certificate subject is enabled.

5. To apply the TLS profile, select it in either an:

   • access control policy (see Configuring access control receiving policies)

   • delivery policy (Configuring delivery rules)

   • encryption profile (see Configuring encryption profiles)

Configuring encryption profiles

Encryption profiles contain settings for secure MIME (S/MIME), identity-based encryption (IBE), and fallback to IBE if TLS delivery fails.

Message encryption can be used to ensure that email is private and protected from tampering in transit, even if secure connections such as SMTP over TLS are not used by later mail relays or proxies.

To configure an encryption profile

1. If you will use the profile for S/MIME encryption, you must create at least one internal address certificate binding and import CA certificates required to validate signatures. See Configuring certificate bindings, and Managing certificate authority certificates.

   If you will use IBE, then you must enable IBE services. See IBE workflow.

2. Go to Profile > Security > Encryption.

3. Either click New to add a profile or double-click a profile to modify it.

4. Configure the following settings:

   GUI item	Description
   Name	Enter a unique name for the profile.
   Comment	Optional. Enter a description or comment.
   Protocol	Select which message encryption protocol to use, either: S/MIME:See Using S/MIME encryption. IBE: See Configuring IBE encryption. IBE on TLS failure: See Configuring IBE encryption and Configuring TLS security profiles.
   TLS profile	Select which TLS profile to try first. If a secure connection cannot be established, then fall back to IBE. See also Configuring TLS security profiles. This setting appears only if Protocol is IBE on TLS Failure.
   Encryption algorithm	Select which encryption algorithm will be used to encrypt the email message: AES 256 AES 192 AES 128 CAST5 128 Triple DES (3DES) DES
   Action	Select either: Encrypt Sign Encrypt and Sign This setting appears only if Protocol is S/MIME. (For IBE, encryption occurs.)
   Access method	Select how recipients can retrieve encrypted messages: Push: A notification and a secure mail is delivered to the recipient. Recipients must go to FortiMail to open the message. FortiMail does not store the message. If the message exceeds Maximum size (KB) for Push method, the pull method is used instead. Pull: A notification is delivered to the recipient. Recipients must go to FortiMail to open the message. FortiMail stores the message. This setting appears only if Protocol is IBEor IBE on TLS Failure.
   Maximum size (KB) for Push method	Select the secure message size limit in kilobytes (KB) for IBE push. If a message exceeds the limit, pull is used instead. Valid range is 0 to 10240. This setting appears only if Protocol is IBEor IBE on TLS Failure.
   Action on failure	Select what to do when encrypted messages cannot be used: Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable. See also DSN section. Send plain message: Deliver the email in clear text, without encryption. Enforce TLS: Effect varies by other TLS settings. Continue the existing secure connection if: TLS option is Secure TLS option is Preferred and the other SMTP client or server agreed to an SSL/TLS session Temporarily fail if TLS option is Preferred but the other SMTP client or server did not agree to an SSL/TLS session, and the TLS profile's Action on failure is Temporarily Fail. Reject the email and reply with SMTP reply code 550.if: (for receiving) SMTP over SSL/TLS is disabled no TLS profile is selected TLS option is None TLS option is Preferred but the other SMTP client or server did not agree to an SSL/TLS session, and the TLS profile's Action on failure is Fail This setting appears only if Protocol is IBEor S/MIME.

5. To apply the encryption profile, select it in either a:

   • message delivery rule (see Configuring delivery rules)

   • content action profile (see Configuring content action profiles)

Using S/MIME encryption

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data.

You can encrypt email messages with S/MIME between two systems that support it. For example, if you want to encrypt email sent from FortiMail A to FortiMail B:

1. On FortiMail A:

   • Import the CA certificate. For details, see Managing certificate authority certificates.

   • Create a certificate binding for the outgoing email to obtain FortiMail B’s public key in the certificate to encrypt the email. For details, see Configuring certificate bindings.

   • Create an encryption profile that applies S/MIME. For details, see Configuring encryption profiles.

   • Apply the encryption profile in a policy to trigger the S/MIME encryption. To do this, either:

     • Create a delivery rule to use the S/MIME encryption profile (see Configuring delivery rules).

     • Create a policy to include a content profile containing a content action profile with an S/MIME encryption profile (see Controlling email based on sender and recipient email addresses, Controlling email based on IP addresses, Configuring content action profiles, and Configuring content profiles).

     If the email that you want to encrypt matches both by the message delivery rule and the policy, then the email will be encrypted based on the content profile in the policy.

2. On FortiMail B:

   • Import the CA certificate.

   • Create a certificate binding for the incoming email. Import both FortiMailB’s private key and certificate so that it can decrypt the email from FortiMailA that was encrypted using FortiMailB’s public key.