train_wreck
New Member
March 30, 2018
Question

Fortigate 30E in front of mail server - enabling SSL inspection breaks connections

I have a 30E in front of my Arch Linux mail server running Postfix. I have added the requisite VIP entries for TCP ports 25, 465, 587 and 993, port-forwarded so the mail server is accessible from the internet. I have downloaded the 30E SSL certificate onto the Linux server and have copied it to the /etc/ssl/certs directory, and Postfix is configured to look in that directory for certs (main.cf has the entry "smtpd_tls_CApath = /etc/ssl/certs").

When I enable SSL inspection for SMTP, I am no longer able to send or receive mail. The only thing I see in the postfix logs is the following:

Mar 30 01:25:10 pLAN9-MX postfix/smtpd[20363]: connect from <OTHERMAILSERVERDOMAIN>[x.x.x.x]
Mar 30 01:25:29 pLAN9-MX postfix/smtpd[20363]: connect from <OTHERMAILSERVERDOMAIN>[x.x.x.x]
Mar 30 01:25:50 pLAN9-MX postfix/smtpd[20363]: connect from <OTHERMAILSERVERDOMAIN>[x.x.x.x]

There is no information as to why the connection is being blocked in the "System Events" log on the Fortigate. If I go to "Security Profiles" -> "Proxy Options" and deselect the "SMTP" option, connections resume, although of course they are not being scanned, and so this defeats the purpose of enabling inspection.

Why are the connections being blocked? How do I stop this behavior?

    emnoc
    New Member
    March 30, 2018

    Q: Did you check the target directory "/etc/ssl/certs"?

    Q: Does the certificate used by Postfix include the CA chain + server.crt?

    Q: Did you run diag debug flow on the flow?

    Q: Was the CA cert added to the TLS inspection?

    Q: Have you captured the SSL/TLS server/client hellos and what is provided to Postfix?

    Q: Can you run Postfix in debug mode with the peer list?

    train_wreck
    New Member
    March 30, 2018

    emnoc wrote:

    Q: Does the certificate used by Postfix include the CA chain + server.crt?

    Your language is confusing; my postfix server has its own certificate generated from my own private CA. This CA has been imported onto the Fortigate. As well, the /etc/ssl/certs directory contains a copy of the Fortigate's SSL inspection certificate. As far as I know, it is a CA certificate itself (it has to be, in order to re-sign the inspected traffic...).

    emnoc wrote:
    Q: Did you run diag debug flow on the flow?

    Yes, here is the output during a failed connection attempt. Nothing useful I can see here:

    id=20085 trace_id=2686 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet(proto=6, 2607:f8b0:4002:c05::22e:35081->2603:3018:1502:62ff::2:25) from wan."
    id=20085 trace_id=2686 func=resolve_ip6_tuple line=3879 msg="allocate a new session-0001af53"
    id=20085 trace_id=2686 func=vf_ip6_route_input line=925 msg="find a route: gw-2603:3018:1502:62ff::2 via lan1 err 0 flags 01000001"
    id=20085 trace_id=2686 func=fw6_forward_handler line=332 msg="Check policy between wan -> lan1"
    id=20085 trace_id=2686 func=iprope6_fwd_check line=372 msg="in-[wan], out-[lan1], skb_flags-00000000, vid-0, app_id: 0, url_cat_id: 0"
    id=20085 trace_id=2686 func=__iprope6_tree_check line=561 msg="use addr/intf src tree: len=2 saddr=0:0:0:0:0:0:0:0, eaddr=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
    id=20085 trace_id=2686 func=iprope6_check_one_policy line=988 msg="checked policy-4, ret-matched, act-accept"
    id=20085 trace_id=2686 func=__iprope6_check line=1115 msg="gnum-4e20, check-7f0ae364"
    id=20085 trace_id=2686 func=iprope6_check_one_policy line=988 msg="checked policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=2686 func=iprope6_check_one_policy line=988 msg="checked policy-9, ret-no-match, act-accept"
    id=20085 trace_id=2686 func=iprope6_check_one_policy line=988 msg="checked policy-10, ret-no-match, act-accept"
    id=20085 trace_id=2686 func=iprope6_check_one_policy line=988 msg="checked policy-11, ret-no-match, act-accept"
    id=20085 trace_id=2686 func=iprope6_check_one_policy line=988 msg="checked policy-12, ret-matched, act-accept"
    id=20085 trace_id=2686 func=iprope6_check_one_policy line=1093 msg="policy-12 is matched, act-accept"
    id=20085 trace_id=2686 func=iprope6_check_one_policy line=1093 msg="policy-4 is matched, act-accept"
    id=20085 trace_id=2686 func=iprope6_fwd_check line=390 msg="after iprope6_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
    id=20085 trace_id=2686 func=fw6_forward_handler line=465 msg="Allowed by Policy-4: AV"
    id=20085 trace_id=2687 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet(proto=6, 2603:3018:1502:62ff::2:25->2607:f8b0:4002:c05::22e:35081) from local."
    id=20085 trace_id=2687 func=resolve_ip6_tuple_fast line=3799 msg="Find an existing session, id-0001af53, reply direction"
    id=20085 trace_id=2688 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet(proto=6, 2607:f8b0:4002:c05::22e:35081->2603:3018:1502:62ff::2:25) from wan."
    id=20085 trace_id=2688 func=resolve_ip6_tuple_fast line=3799 msg="Find an existing session, id-0001af53, original direction"
    id=20085 trace_id=2689 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet(proto=6, 2607:f8b0:4002:c05::22e:35081->2603:3018:1502:62ff::2:25) from local."
    id=20085 trace_id=2689 func=resolve_ip6_tuple_fast line=3799 msg="Find an existing session, id-0001af53, original direction"
    id=20085 trace_id=2690 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet(proto=6, 2603:3018:1502:62ff::2:25->2607:f8b0:4002:c05::22e:35081) from lan1."
    id=20085 trace_id=2690 func=resolve_ip6_tuple_fast line=3799 msg="Find an existing session, id-0001af53, reply direction"
    id=20085 trace_id=2690 func=vf_ip6_route_input line=925 msg="find a route: gw-fe80::7454:7dff:fe80:a7b2 via wan err 0 flags 00450003"
    id=20085 trace_id=2691 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet(proto=6, 2607:f8b0:4002:c05::22e:35081->2603:3018:1502:62ff::2:25) from local."
    id=20085 trace_id=2691 func=resolve_ip6_tuple_fast line=3799 msg="Find an existing session, id-0001af53, original direction"
    id=20085 trace_id=2692 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet(proto=6, 2603:3018:1502:62ff::2:25->2607:f8b0:4002:c05::22e:35081) from lan1."
    id=20085 trace_id=2692 func=resolve_ip6_tuple_fast line=3799 msg="Find an existing session, id-0001af53, reply direction"
    id=20085 trace_id=2693 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet(proto=6, 2607:f8b0:4002:c05::22e:35081->2603:3018:1502:62ff::2:25) from local."
    id=20085 trace_id=2693 func=resolve_ip6_tuple_fast line=3799 msg="Find an existing session, id-0001af53, original direction"

    emnoc wrote:
    Q: Was the CA cert added to the TLS inspection?

    Again, your language is confusing. What does this mean?

    emnoc wrote:
    Q: Have you captured the SSL/TLS server/client hellos and what is provided to Postfix?

    In regards to my Postfix server, all I see is a TLS hello on the Postfix server; I see no other traffic beyond that, and Postfix eventually times out the connection due to lack of response and closes the connection.

    This is a public mail server; I obviously have no idea what the other end is sending/not sending.

    emnoc wrote:
    Q: Can you run Postfix in debug mode with the peer list?

    I am trying this at the moment, will post back if I find anything.

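As an added illustration (not code from the thread, from Fortinet, or from either poster), here is a small Python parser for a flattened `diag debug flow` dump like the one above. It pulls out the session id, the policy that accepted the flow, which interface each packet was seen on, and whether any packets in the reply direction were recorded. Records marked `from local` are packets the FortiGate itself generated, which is what you see when a proxy-based inspection profile terminates the connection in the middle. The sample trace is a constructed, shortened copy of the records posted above; the summary field names and the verdict wording are this example's own.

```python
import re
from collections import Counter

# Constructed sample (not the full trace from the post): a shortened copy of the same
# kind of "diag debug flow" records, run together on one string the way the forum
# software flattened them.
SAMPLE_TRACE = (
    'id=20085 trace_id=2686 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet'
    '(proto=6, 2607:f8b0:4002:c05::22e:35081->2603:3018:1502:62ff::2:25) from wan." '
    'id=20085 trace_id=2686 func=resolve_ip6_tuple line=3879 msg="allocate a new session-0001af53" '
    'id=20085 trace_id=2686 func=iprope6_check_one_policy line=988 '
    'msg="checked policy-4, ret-matched, act-accept" '
    'id=20085 trace_id=2686 func=fw6_forward_handler line=465 msg="Allowed by Policy-4: AV" '
    'id=20085 trace_id=2687 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet'
    '(proto=6, 2603:3018:1502:62ff::2:25->2607:f8b0:4002:c05::22e:35081) from local." '
    'id=20085 trace_id=2687 func=resolve_ip6_tuple_fast line=3799 '
    'msg="Find an existing session, id-0001af53, reply direction" '
    'id=20085 trace_id=2689 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet'
    '(proto=6, 2607:f8b0:4002:c05::22e:35081->2603:3018:1502:62ff::2:25) from local." '
    'id=20085 trace_id=2689 func=resolve_ip6_tuple_fast line=3799 '
    'msg="Find an existing session, id-0001af53, original direction" '
    'id=20085 trace_id=2690 func=resolve_ip6_tuple_fast line=3763 msg="vd-root received a packet'
    '(proto=6, 2603:3018:1502:62ff::2:25->2607:f8b0:4002:c05::22e:35081) from lan1." '
    'id=20085 trace_id=2690 func=resolve_ip6_tuple_fast line=3799 '
    'msg="Find an existing session, id-0001af53, reply direction" '
)

# One debug-flow record: id, trace_id, func, line and a quoted msg.
RECORD_RE = re.compile(
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>[^"]*)"'
)
# IPv6 literals contain colons, so the port is taken as the last ":digits" before "->" or ")".
PACKET_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>\S+):(?P<sport>\d+)->'
    r'(?P<dst>\S+):(?P<dport>\d+)\) from (?P<intf>\S+)\.'
)
SESSION_RE = re.compile(r'(?:session-|session, id-)(?P<sid>[0-9a-f]+)')
ALLOWED_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+): (?P<name>.+)')
DIRECTION_RE = re.compile(r'(?P<dir>original|reply) direction')


def parse_records(trace):
    """Split a flattened debug-flow dump back into one dict per record."""
    return [m.groupdict() for m in RECORD_RE.finditer(trace)]


def summarize(trace):
    """Reduce a flow trace to the facts that decide 'is the packet filter dropping this?'."""
    summary = {
        "sessions": set(),          # session ids allocated or matched
        "allowed_by": None,         # policy id that accepted the flow, if any
        "policy_name": None,
        "packets_from": Counter(),  # ingress interface -> packet count
        "directions": Counter(),    # original/reply direction hits
        "proxied": False,           # any packet sourced by the FortiGate itself ("from local")
    }
    for rec in parse_records(trace):
        msg = rec["msg"]
        if (m := PACKET_RE.search(msg)):
            summary["packets_from"][m["intf"]] += 1
            if m["intf"] == "local":
                summary["proxied"] = True
        elif (m := ALLOWED_RE.search(msg)):
            summary["allowed_by"] = int(m["policy"])
            summary["policy_name"] = m["name"]
        elif (m := SESSION_RE.search(msg)):
            summary["sessions"].add(m["sid"])
        if (m := DIRECTION_RE.search(msg)):
            summary["directions"][m["dir"]] += 1
    return summary


def verdict(summary):
    """One-line reading of the trace that points at the next troubleshooting step."""
    pol = summary["allowed_by"]
    if pol is None:
        return "no accept recorded: look for a deny or a missing policy"
    if not summary["directions"]["reply"]:
        return f"accepted by policy {pol} but no reply packets seen: the server side is not answering"
    path = "via the FortiGate proxy" if summary["proxied"] else "directly"
    return (f"accepted by policy {pol} ({summary['policy_name']}); packets flow both ways {path}: "
            "the packet filter is not dropping this, look at the proxy/TLS layer")


if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print("sessions:", sorted(s["sessions"]))
    print("packets by ingress:", dict(s["packets_from"]))
    print("directions:", dict(s["directions"]))
    print(verdict(s))
```

Run it against a trace saved from the CLI by reading the file into `summarize()`; if the verdict says the policy accepted the flow and reply packets were seen, the next artefact to collect is the TLS handshake itself (the hellos emnoc asked about), not more firewall policy debugging.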
    train_wreck
    New Member
    April 6, 2018

    So here is slightly more output from Postfix; this is during an attempt to send an email to myself, using my iPhone on Verizon. The iPhone has the SSL scanning certificate downloaded from the gateway, and it has been imported correctly into the phone; it shows a green "Verified" in the cert profile configuration screen, and the global trust slider is turned on under "Settings" -> "About phone" -> "Certificate Trust Settings". (Though this should not be necessary to send email since, as I mentioned, this is a public e-mail server. Of course no one will have my local certificates):

    Apr 05 21:08:37 pLAN9-MX postfix/submission/smtpd[552]: warning: database /etc/postfix/aliases.db is older than source file /etc/postfix/aliases
    Apr 05 21:08:37 pLAN9-MX postfix/submission/smtpd[552]: connect from 57.sub-174-196-159.myvzw.com[174.196.159.57]
    Apr 05 21:08:37 pLAN9-MX postfix/submission/smtpd[552]: SSL_accept error from 57.sub-174-196-159.myvzw.com[174.196.159.57]: lost connection
    Apr 05 21:08:37 pLAN9-MX postfix/submission/smtpd[552]: lost connection after STARTTLS from 57.sub-174-196-159.myvzw.com[174.196.159.57]
    Apr 05 21:08:37 pLAN9-MX postfix/submission/smtpd[552]: disconnect from 57.sub-174-196-159.myvzw.com[174.196.159.57] ehlo=1 starttls=0/1 commands=1/2

    So the phone is reporting an "SSL_accept error". Where do I go from here? Will it just not be possible to have the Fortigate scan the traffic for malware/spam if it is SSL encrypted? (If not then it makes it largely useless for what I had in mind).
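The `starttls=0/1` counter in that disconnect line is worth reading precisely: Postfix reports commands as succeeded/attempted, so the client issued one STARTTLS and zero completed, and `SSL_accept error` is Postfix's own report that its server side of the handshake (OpenSSL's `SSL_accept`) ended with the peer going away. EHLO and STARTTLS went through in the clear, so the break is inside the TLS handshake, not in reaching the server. As an added example (not code from the thread or from either poster), the Python below stitches smtpd lines together per process and classifies each session on exactly that counter. The log sample is constructed to mirror the format above, with a second, successful session added for contrast; hostnames and addresses in it are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log modelled on the smtpd lines in the post above, plus one
# successful STARTTLS session for contrast. Hosts and addresses are placeholders.
SAMPLE_LOG = """\
Apr 05 21:08:37 mx postfix/submission/smtpd[552]: warning: database /etc/postfix/aliases.db is older than source file /etc/postfix/aliases
Apr 05 21:08:37 mx postfix/submission/smtpd[552]: connect from client-a.example[203.0.113.10]
Apr 05 21:08:37 mx postfix/submission/smtpd[552]: SSL_accept error from client-a.example[203.0.113.10]: lost connection
Apr 05 21:08:37 mx postfix/submission/smtpd[552]: lost connection after STARTTLS from client-a.example[203.0.113.10]
Apr 05 21:08:37 mx postfix/submission/smtpd[552]: disconnect from client-a.example[203.0.113.10] ehlo=1 starttls=0/1 commands=1/2
Apr 05 21:10:02 mx postfix/smtpd[601]: connect from mta.example.net[198.51.100.7]
Apr 05 21:10:03 mx postfix/smtpd[601]: Anonymous TLS connection established from mta.example.net[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 05 21:10:04 mx postfix/smtpd[601]: disconnect from mta.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# One smtpd process serves one client at a time, so the PID in "smtpd[552]" is the
# key that ties a session's lines together. The optional "submission/" covers
# master.cf services that log under their own name.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/(?:\S+/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
CONNECT_RE = re.compile(r'^connect from (?P<peer>\S+)$')
DISCONNECT_RE = re.compile(r'^disconnect from (?P<peer>\S+)(?P<counters>(?: \w+=\d+(?:/\d+)?)*)$')
COUNTER_RE = re.compile(r'(\w+)=(\d+)(?:/(\d+))?')


@dataclass
class Session:
    pid: str
    peer: str = ""
    tls_established: bool = False
    ssl_accept_error: str = ""       # reason text after "SSL_accept error from ...:"
    lost_after_starttls: bool = False
    counters: dict = field(default_factory=dict)  # command -> (succeeded, attempted)

    def verdict(self) -> str:
        ok, tried = self.counters.get("starttls", (0, 0))
        if tried and not ok:
            return "starttls-failed"     # STARTTLS was issued but the handshake never completed
        if self.tls_established:
            return "tls-ok"
        return "plaintext"


def parse_counters(text: str) -> dict:
    """'starttls=0/1' -> 1 attempt, 0 successes; a bare 'starttls=1' means 1 of 1."""
    out = {}
    for name, ok, total in COUNTER_RE.findall(text):
        out[name] = (int(ok), int(total) if total else int(ok))
    return out


def triage(log_text: str) -> list:
    """Group smtpd lines by PID and return the finished sessions in log order."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = Session(pid=pid, peer=c["peer"])
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue                      # e.g. the aliases.db warning before "connect from"
        if msg.startswith("SSL_accept error"):
            s.ssl_accept_error = msg.split(": ", 1)[-1]
        elif msg.startswith("lost connection after STARTTLS"):
            s.lost_after_starttls = True
        elif "TLS connection established" in msg:
            s.tls_established = True
        else:
            d = DISCONNECT_RE.match(msg)
            if d:
                s.counters = parse_counters(d["counters"])
                finished.append(open_sessions.pop(pid))
    return finished


def report(sessions) -> list:
    """One line per session, suitable for eyeballing or feeding to an alert."""
    lines = []
    for s in sessions:
        ok, tried = s.counters.get("starttls", (0, 0))
        detail = f" ({s.ssl_accept_error})" if s.ssl_accept_error else ""
        lines.append(f"pid {s.pid} {s.peer}: starttls {ok}/{tried} -> {s.verdict()}{detail}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Pointing `triage()` at the real mail log (for example `open("/var/log/mail.log").read()`) gives a per-client picture: if every remote peer ends up as `starttls-failed` with `lost connection` while the same clients succeed once SMTP is removed from the proxy options, the handshake is being interrupted between the client and Postfix, which is the point at which a packet capture of the hellos on both sides of the 30E becomes the decisive evidence.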