Joel_Fagnant
New Member
August 14, 2018
Solved

Fortimail: mail rejected because of unknown SSL protocol

Hi everybody,

I'm pretty new with FortiMail, but I got an issue with an external sender: every time he tries to send us a mail, the communication is cut off by our FortiMail right after the STARTTLS.

When looking up in the "mail event" log, it says something about an unknown SSL protocol.

Have you ever encountered this situation? Is there something to do on our side or does the sender have a security issue?

Here is the log error:

STARTTLS=server, error: accept failed=-1, reason=unknown protocol, SSL_error=1, errno=0, retry=-1, relay=mail.uni-media.be [194.78.234.25]


Thank you for your help,

Joel

    Best answer by Carl_Windsor_FTNT

    Running the following:

    openssl s_client -connect mail.uni-media.be:25 -starttls smtp

    shows that the server only supports TLSv1.0, so I assume that you are running FortiMail 6.0.0? In this release we "set strong-crypto enable" by default, which disabled TLS 1.0 for email, but we found this to be too restrictive (some Exchange 2010 servers still require this). We changed the defaults in 6.0.1, so try to upgrade to 6.0.1 or later.

    If you upgrade, you can leave "set strong-crypto enable" and just modify the mail protocol to include TLS1.0 under "config system security crypto".
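
Added example (not part of the original thread and not Fortinet tooling): a Python triage of mail event log lines in the format quoted in the question, listing the peers whose inbound STARTTLS failed with "reason=unknown protocol" so each one can be checked with the openssl s_client command from the answer before deciding whether to allow TLS 1.0 again. The sample lines, the "no shared cipher" reason, the bracket-only "relay=[ip]" form and all function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the one log line quoted in the question.
# Hosts and addresses are documentation placeholders, not real peers.
SAMPLE_LOG = """\
STARTTLS=server, error: accept failed=-1, reason=unknown protocol, SSL_error=1, errno=0, retry=-1, relay=mx1.example.net [192.0.2.10]
STARTTLS=server, error: accept failed=-1, reason=unknown protocol, SSL_error=1, errno=0, retry=-1, relay=mx1.example.net [192.0.2.10]
STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1, errno=0, retry=-1, relay=old.example.org [198.51.100.7]
STARTTLS=server, error: accept failed=-1, reason=unknown protocol, SSL_error=1, errno=0, retry=-1, relay=[203.0.113.5]
some unrelated mail event line
"""

# Inbound handshake failure: the appliance is the TLS server ("STARTTLS=server").
# The hostname before the bracketed address is treated as optional (assumption).
FAILURE = re.compile(
    r"STARTTLS=server, error: accept failed=-?\d+, reason=(?P<reason>[^,]+), "
    r".*?relay=(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[^\]]+)\]"
)


def starttls_failures(log_text):
    """Return {(host, ip): {reason: count}} for inbound STARTTLS failures."""
    peers = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m:
            peers[(m["host"] or "", m["ip"])][m["reason"].strip()] += 1
    return {peer: dict(reasons) for peer, reasons in peers.items()}


def peers_to_probe(log_text, reason="unknown protocol"):
    """Peers that failed with the given reason, most failures first."""
    rows = [
        (host, ip, reasons[reason])
        for (host, ip), reasons in starttls_failures(log_text).items()
        if reason in reasons
    ]
    return sorted(rows, key=lambda row: (-row[2], row[1]))


if __name__ == "__main__":
    for host, ip, count in peers_to_probe(SAMPLE_LOG):
        target = host or ip
        # Same check as in the answer, one line per affected sender.
        print(f"{count:3d}  openssl s_client -connect {target}:25 -starttls smtp")
```
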

     


    Joel_Fagnant
    New Member
    August 14, 2018

    Thanks for your answer, Carl! Indeed we're in version 6.0.0 ... we intend to go full HA very soon; we'll do the update at that time (if no one else experiences the issue again).

    Thanks again,

    Joel