mturic
Staff & Editor
July 4, 2017

Technical Tip: Configure Gmail (STARTTLS) as a mail server


Description

 

This article describes how to configure Gmail (STARTTLS) as a mail server for FortiAuthenticator. The solution has 3 parts:

  1. Google Account setup.
  2. Google Root CA import into FortiAuthenticator.
  3. FortiAuthenticator SMTP Servers setup.

 

Scope

 

FortiAuthenticator.

 

Solution

 

Google Account setup.

 

Gmail can be used as a mail server, although there are a few extra steps to get this working.

Since 30 May 2022, Google no longer allows third-party apps or devices to sign in to a Google Account using only a username and password.

 

To overcome this limitation, it is necessary to activate 2-Step Verification and App password for the Gmail account.

 

Google Account 2-Step Verification.

Log in to the Google Mail account and select Manage the Google Account (upper right corner of the screen).

The Gmail account used will differ from the account shown in this example.

 

ggolubovic_0-1655887575925.png

 

Select the Security option.

 

ggolubovic_1-1655887698962.png

 

Navigate to Signing into Google and select 2-Step Verification.

 

ggolubovic_2-1655887770474.png

 

Verification: enter the mobile phone number.

 

ggolubovic_3-1655887817410.png

 

Enter the verification code from the phone.

 

ggolubovic_4-1655887904096.png

 

And select Turn ON on the last step.

 

ggolubovic_5-1655887998932.png

 

App password setup.

Get back to the Google Account and select the Security option again.

Scroll to Signing into Google. 2-Step Verification now shows as on, and the option to create an App password is available.

If the option is not available, create it via this link: Google My Account: App Password (from Gmail Help: Sign in with app passwords).

 

Select the arrow next to the App password.

 

ggolubovic_6-1655888254726.png

 

Under Select app, select Mail; under Select device, select Other.

 

ggolubovic_7-1655888304507.png

 

Enter a name for this device – FortiAuthenticator, in this example.

 

ggolubovic_8-1655888365503.png

 

Select Generate. A new screen with the generated app password will appear.

 

ggolubovic_9-1655888415561.png

 

Write down or copy this app password for later use in the FortiAuthenticator SMTP Server setup.

Select Done, and the Google Account setup part is done.

 

Import the Google Root CA into FortiAuthenticator.

STARTTLS can be used to connect to Gmail servers.
With STARTTLS, however, FortiAuthenticator does not trust the server's certificate chain automatically: the Root CA at the top of that chain must be imported manually as a trusted CA.


Use the following steps to identify the Gmail Root CA certificate, download it from the Google certificate repository, and import it into the FortiAuthenticator trusted CAs.

To retrieve the info about the Gmail Root CA certificate.

 

  1. Download OpenSSL.
  2. Navigate to the OpenSSL directory and issue the command OpenSSL.
  3. Run the following command in OpenSSL.

 

ggolubovic_10-1655888830654.png

 

C:\Users\userX\Documents\OpenSSL\bin\openssl.exe  
OpenSSL> s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000220)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
---

 

Certificate chain.

 

 0 s:/CN=smtp.gmail.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---

 

Server certificate.

 

-----BEGIN CERTIFICATE-----MIIFUzCCBDugAwIBAgIQNqm/[...]fFRIzc=
-----END CERTIFICATE-----
subject=/CN=smtp.gmail.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5155 bytes and written 469 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 01 25 0d d4 28 7c 52 41-4e 73 5e cb 62 85 96 04   .%..(|RANs^.b...
    [...]
    00d0 - 78 11 cd 7f 07 91 04 f4-ee 8a 87 a1 fa            x............

    Start Time: 1629661528
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 SMTPUTF8

 

The output of the OpenSSL command shows the certificate chain: the server certificate [0] smtp.gmail.com, the intermediate CA [1] GTS CA 1C3, and the Root CA [2] GTS Root R1.

 

The Root CA of interest is GTS Root R1.

 

Note that a server is not obliged to send its Root CA certificate; in the case of smtp.gmail.com, however, the server sends the complete certificate chain.

 

Google makes all of its Root CAs available for download on Google Trust Services: Repository.

Scroll down to Root CAs, select action next to GTS Root R1 CA, and under Downloads select Certificate (PEM).

 

ggolubovic_11-1655889658877.png

 

File gtsr1.pem is downloaded and now needs to be imported into FortiAuthenticator.

 

Log in to the FortiAuthenticator and navigate to Certificate Authorities -> Trusted CAs -> Import.

 

ggolubovic_12-1655889708674.png

 

Put the desired name in the Certificate ID field, select Upload file, select downloaded gtsr1.pem, and select Open.

 

ggolubovic_13-1655889731764.png

 

Select OK.

 

ggolubovic_14-1655889731767.png

 

 

The new Root CA should be visible now in the list view.

 

FortiAuthenticator SMTP Servers setup.

Log in to FortiAuthenticator, go to System -> Messaging, and configure an SMTP server.

  • Configure the server name, select port 587, and select STARTTLS for a secure connection.
  • Account username: enter the Gmail account.
  • Password: enter the App Password created in part 1 (Google Account setup), not the Gmail account password.

 

ggolubovic_16-1655889851448.png

 

Test connection: put the recipient address and select Send.

 

ggolubovic_17-1655889851450.png

 

A green checkmark notification will appear.


Note:

  • For FortiAuthenticator Cloud, it will not be possible to set up a custom SMTP server, as there is no option for System -> Messaging. FortiAuthenticator Cloud uses the FortiToken Cloud SMTP server for email services. Refer to the Limitations of FortiAuthenticator Cloud guide.
  • For the error 'unable to get local issuer certificate', the chain can be verified on the website 'What's My Chain Cert?' or in OpenSSL with the command 'openssl s_client -starttls smtp -crlf -connect <smtp_url:port>', which prints the chain as in the output below:

Certificate chain
0 s:CN=smtp.gmail.com
i:C=US, O=Google Trust Services, CN=WE2
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
v:NotBefore: Jan 26 08:41:00 2026 GMT; NotAfter: Apr 20 08:40:59 2026 GMT
1 s:C=US, O=Google Trust Services, CN=WE2
i:C=US, O=Google Trust Services LLC, CN=GTS Root R4
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R4
i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
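As an added example (not part of the original article and not FortiAuthenticator code), the following Python script parses the 'Certificate chain' section of the two openssl s_client outputs shown in this article, checks that each certificate's issuer matches the next certificate's subject, and names the last CA in the chain, which is the one to import as a trusted CA. It accepts both the older slash-separated DN spelling and the newer comma-separated spelling with a:/v: detail lines. The chain text is copied from this article; the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Two "Certificate chain" sections as printed by `openssl s_client`, copied
# from this article: the older output (slash-separated DNs) and the newer
# output from the Note (comma-separated DNs plus a:/v: lines).
OLD_CHAIN = """\
Certificate chain
 0 s:/CN=smtp.gmail.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
"""

NEW_CHAIN = """\
Certificate chain
 0 s:CN=smtp.gmail.com
   i:C=US, O=Google Trust Services, CN=WE2
   a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
   v:NotBefore: Jan 26 08:41:00 2026 GMT; NotAfter: Apr 20 08:40:59 2026 GMT
 1 s:C=US, O=Google Trust Services, CN=WE2
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R4
   a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R4
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
   v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
"""

# A DN is kept as an ordered tuple of (attribute, value) pairs.
DN = Tuple[Tuple[str, str], ...]


@dataclass
class ChainEntry:
    depth: int
    subject: DN
    issuer: DN


def parse_dn(text: str) -> DN:
    """Parse either DN spelling so that '/C=US/O=X/CN=Y' and
    'C=US, O=X, CN=Y' produce the same tuple and compare equal."""
    text = text.strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(", ")
    return tuple(tuple(p.split("=", 1)) for p in parts if "=" in p)


_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output: str) -> List[ChainEntry]:
    """Extract depth/subject/issuer triples from the 'Certificate chain'
    block. The a:/v: detail lines of newer OpenSSL versions are ignored."""
    entries: List[ChainEntry] = []
    for line in s_client_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            entries.append(ChainEntry(int(m.group(1)), parse_dn(m.group(2)), ()))
            continue
        m = _ISSUER.match(line)
        if m and entries:
            entries[-1].issuer = parse_dn(m.group(1))
    return entries


def cn(dn: DN) -> Optional[str]:
    """Return the CN attribute of a DN, or None if it has none."""
    return next((v for k, v in dn if k == "CN"), None)


def chain_is_linked(entries: List[ChainEntry]) -> bool:
    """True when every certificate's issuer is the subject of the next one,
    i.e. the server sent its intermediates in order with no gap."""
    return all(a.issuer == b.subject for a, b in zip(entries, entries[1:]))


def trust_anchor(entries: List[ChainEntry]) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (CN to import as trusted CA, CN of the CA that signed it,
    whether that last certificate is self-signed). When the two CNs differ
    the server's last certificate is a cross-signed copy, not the root."""
    last = entries[-1]
    return cn(last.subject), cn(last.issuer), last.subject == last.issuer


if __name__ == "__main__":
    for label, text in (("older output", OLD_CHAIN), ("Note output", NEW_CHAIN)):
        chain = parse_chain(text)
        root, signer, self_signed = trust_anchor(chain)
        print(f"{label}: {len(chain)} certs, linked={chain_is_linked(chain)}, "
              f"import '{root}' (sent copy signed by '{signer}', self-signed={self_signed})")
```

In both outputs the last certificate the server sends is issued by GlobalSign Root CA rather than by itself, so it is a cross-signed copy of the Google root; the self-signed GTS Root R1 (or, in the newer chain, GTS Root R4) certificate is the one obtained from the Google Trust Services repository and imported as the trusted CA. Running the script against a fresh s_client capture shows which root the live chain currently ends in, which is the root to import.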

 

Related article:

Technical Tip: Configure Gmail (STARTTLS) as mail server