Technical Tip: How to configure encryption on the FortiMail to one specific domain
Description
This article describes how to configure a FortiMail unit to encrypt email traffic to one specific domain.
Scope
All supported versions of FortiMail.
Solution
To secure SMTP sessions initiated from a FortiMail unit, a combination of TLS profiles and Access Delivery Rules must be created.
- To create a TLS profile via the GUI, go to Profile -> Security -> TLS -> New. Give the profile a name, choose the TLS level that is required for this profile, and then select Create. Depending on the TLS level that has been selected, you can also specify which action the FortiMail unit should take if the TLS session cannot be established.


The table below provides a short description of TLS levels and available actions:
| TLS Level | Description | Actions if fail |
| --- | --- | --- |
| None | TLS is disabled | Temporary fail, Fail |
| Preferred | TLS allowed but not required. Best effort | Not applicable |
| Encrypt | TLS required | Temporary fail, Fail |
| Secure | TLS and certificate authentication required | Temporary fail, Fail |
- Once the TLS profile has been created, go to Policy -> Access Control -> Delivery Tab -> New -> Set and enter the domain name of the remote domain and/or the IP of their email server and select the TLS profile that was just created. Once 'Create' has been selected, all SMTP sessions for this specific domain will be encrypted with the TLS level configured in step 1.
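
Before enforcing the Encrypt or Secure level with a fail action, it helps to confirm what the remote domain's mail server can actually negotiate. The Python check below is an added example, not part of the original article or any Fortinet tooling; `mx.example.com` is a placeholder host, the function names are illustrative, and the system CA store is assumed to stand in for the CAs the FortiMail unit trusts.

```python
import smtplib
import ssl
import sys


def highest_level(offers_starttls, handshake_ok, cert_verified):
    """Map probe results to the strictest TLS level (from the table) that would deliver."""
    if offers_starttls and handshake_ok and cert_verified:
        return "Secure"      # TLS plus certificate authentication
    if offers_starttls and handshake_ok:
        return "Encrypt"     # TLS works, but the certificate is not trusted
    return "Preferred"       # only best-effort delivery would succeed


def try_starttls(mx_host, context, port=25, timeout=10):
    """Return (offers_starttls, handshake_ok) for one connection attempt."""
    smtp = smtplib.SMTP(mx_host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, False
        try:
            smtp.starttls(context=context)
        except (ssl.SSLError, smtplib.SMTPException, OSError):
            return True, False
        return True, True
    finally:
        smtp.close()


def probe(mx_host):
    """Probe mx_host with certificate verification, then without it if that fails."""
    # Assumption: the system CA store approximates the CAs FortiMail trusts.
    offers, ok = try_starttls(mx_host, ssl.create_default_context())
    if ok:
        return highest_level(True, True, True)
    if not offers:
        return highest_level(False, False, False)
    unverified = ssl.create_default_context()
    unverified.check_hostname = False        # must be disabled before CERT_NONE
    unverified.verify_mode = ssl.CERT_NONE
    _, ok = try_starttls(mx_host, unverified)
    return highest_level(True, ok, False)


if __name__ == "__main__":
    # mx.example.com is a placeholder; pass the remote domain's MX host.
    host = sys.argv[1] if len(sys.argv) > 1 else "mx.example.com"
    print(host, "supports up to TLS level:", probe(host))
```

If the result is lower than the level selected in the TLS profile, mail to that domain will be deferred or rejected according to the profile's failure action.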


