
CLI Reference

profile tls


Use this command to configure TLS profiles that can be used by policy access-control receive and policy access-control delivery.

Note: Many subcommands are only available when level is set to either preferred or secure.

Syntax

config profile tls
    edit <profile_name>
        set level {none | preferred | secure}
        set action {fail | tempfail}
        set ca-name <ca_name>
        set cert-subject <subject_str>
        set check-ca-name {enable | disable}
        set check-ca-type {match | substring | wildcard}
        set check-cert-subject {enable | disable}
        set check-cert-type {match | substring | wildcard}
        set check-encryption-strength {enable | disable}
        set check-ssl-version {enable | disable}
        set dane-support {mandatory | none | opportunistic}
        set encryption-strength <bits_int>
        set min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
        set mtasts-status {enable | monitor | none}
end

Variables, descriptions and defaults

<profile_name>
    Enter the name of the TLS profile.

level {none | preferred | secure}
    Enter the security level of the TLS connection.
      • none: Disables TLS. Requests for a TLS connection will be ignored.
      • preferred: Allow a simple TLS connection, but do not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.
      • secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections. For information on installing CA certificates, see the FortiMail Administration Guide.
    Default: none

action {fail | tempfail}
    Select the action the FortiMail unit takes when a TLS connection cannot be established.
    This option does not apply if level is preferred.
    Default: tempfail

ca-name <ca_name>
    Enter the name of the CA issuer.
    This option is only available when level is set to secure.

cert-subject <subject_str>
    Enter the certificate subject.
    This option is only available when level is set to secure.

check-ca-name {enable | disable}
    Enable to check the CA issuer name.
    This option is only available when level is set to secure.
    Default: disable

check-ca-type {match | substring | wildcard}
    Select a CA issuer check type.
    This option is only available when level is set to secure.
    Default: match

check-cert-subject {enable | disable}
    Enable to check the certificate subject name.
    This option is only available when level is set to secure.
    Default: disable

check-cert-type {match | substring | wildcard}
    Select a certificate check type.
    This option is only available when level is set to secure.
    Default: match

check-encryption-strength {enable | disable}
    Enable to check the encryption key length.
    Default: disable

check-ssl-version {enable | disable}
    Enable to check the SSL/TLS version.
    Also configure min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}.
    Default: disable

dane-support {mandatory | none | opportunistic}
    Assign a DNS-based Authentication of Named Entities (DANE) support level.
    Note: mandatory is only applicable when level is set to secure.
    For more information, see RFC 7929.
    Default: none

encryption-strength <bits_int>
    Enter the encryption key length.
    Default: 256

min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
    Enter the minimum required SSL/TLS version.
    This option is only available when check-ssl-version is set to enable.
    Default: tls1_1

mtasts-status {enable | monitor | none}
    Enable MTA Strict Transport Security (MTA-STS) domain checking.
    This option is only available when level is set to either preferred or secure.
    Note: The MTA-STS status may only be set when smtp-mtasts-status is enabled under system mailserver.
    Default: none
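Worked example

The following is an added example, not part of the FortiMail CLI Reference, that uses only the commands documented above. It creates two profiles: a secure delivery profile that requires a CA-authenticated connection, enforces a TLS 1.2 floor, checks the issuer and subject, and requires DANE and MTA-STS; and a preferred profile that accepts opportunistic TLS and only monitors MTA-STS. The profile names, the CA name EXAMPLE-PARTNER-CA and the subject string mail.partner.example are placeholders chosen for this example and must be replaced with the CA installed on the unit and the peer's actual certificate subject.

```text
config profile tls
    edit "secure-partner-delivery"
        set level secure
        set action fail
        set check-ssl-version enable
        set min-ssl-version tls1_2
        set check-encryption-strength enable
        set check-ca-name enable
        set ca-name "EXAMPLE-PARTNER-CA"
        set check-ca-type match
        set check-cert-subject enable
        set cert-subject "mail.partner.example"
        set check-cert-type substring
        set dane-support mandatory
        set mtasts-status enable
    next
    edit "opportunistic-inbound"
        set level preferred
        set dane-support opportunistic
        set mtasts-status monitor
    next
end
```

Two defaults matter when reading this example. check-ssl-version defaults to disable and min-ssl-version to tls1_1, so a profile with level secure alone does not enforce a protocol floor; both settings are set explicitly in the secure profile. check-encryption-strength is enabled without setting encryption-strength, so the key-length check uses the default of 256. mtasts-status can only be set once smtp-mtasts-status is enabled under system mailserver, and action is set only in the secure profile because it does not apply when level is preferred.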

Related topics

cloud-api profile antivirus

system mailserver