marco_digirolamo
New Member
July 23, 2020
Question

FortiMail STARTTLS unable to get local certificate from Exchange

  • July 23, 2020
  • 1 reply
  • 5368 views

Hello,

we are having trouble with a certificate error when delivering mail.

Our delivery chain is Exchange Servers -> Load Balancer -> FortiMail -> Outside.

Incoming emails are correctly verified with TLS 1.2 and I have verify=OK, but when we send out we get this message:

 

STARTTLS=server, cert-subject=/CN=NAMEEXC01, cert-issuer=/CN=NAMEEXC01, verifymsg=unable to get local issuer certificate

STARTTLS=server, relay=[NAMEEXC01_IP], version=TLSv1.2, verify=CAFAIL, cipher=ECDHE-RSA-AES256-SHA384, bits=256/256

 

The message is the same for all of our 4 Exchange Servers that relay to FortiMail.

 

I tried to import local NAMEEXC certificates from the 4 Servers into FortiMail, but message still appears.

Did someone have the same issue, or can someone help me?

Thanks.

M

 


    nqtuan_qtuan
    New Member
    August 8, 2020

    marco.digirolamo wrote: [quotes the original post above]

    I once had the same issue; talking to the Exchange team to apply a cert other than the self-signed one, and then removing the self-signed cert, should deal with this.

     

    I, however, stumbled upon another issue where FortiMail complains that my cert has an "unsupported certificate purpose"... I am using an internal Windows CA to generate and sign the certificate for STARTTLS.

     

    STARTTLS=server, cert-subject=/C=/ST=/L=/O=/OU=/CN=*.domain.com, cert-issuer=/DC=com/DC=domain/CN=ca, verifymsg=unsupported certificate purpose

     

    The other way around (FortiMail delivering email to Exchange) does not have the same issue.

     

    Has anyone dealt with the problem before?