nicolasross
New Member
November 24, 2017
Question

Fortimail with SSL and SNI


We are planning on installing FortiMail (VM) to protect our mail server. We have more than 100 domains on our server. Currently, when a user connects to sendmail via our SMTP, they mostly use mail.maindomain.com as the SMTP host, with SSL and authentication.


Some users are configured differently, so they use mail.theirdomain.com as the SMTP host, still in SSL with auth. That host points to the same IP as mail.maindomain.com, and our mail server uses SNI to offer the right certificate to the client.


If we implement FortiMail, its outside hostname will probably be, let's say, fortimail.maindomain.com, and an SSL cert for that name will be made. I will point the clients' domains' MX to that name. But if I want to prevent anyone from sending mail directly to the mail server, I must either tell all users to modify their config to use fortimail.maindomain.com, which I would like to avoid, or point mail.theirdomain.com to the FortiMail server.


So far, I have not been able to specify multiple certs to be used by the FortiMail, and was only able to select the certificate to be used by setting the default one to fortimail.maindomain.com.


Is there a way to import multiple certificates and make them available with SNI?


    emnoc
    New Member
    November 25, 2017

    Can you not use an SLB in front of the FML appliance? Here you can load the server cert and handle the SNI.


    Ken

    nicolasross
    New Member
    November 25, 2017

    SLB? SSL load balancer?

    I was trying to avoid another VM/service in front of the FortiMail...

    emnoc
    New Member
    November 26, 2017

    Could you buy a SAN cert and consolidate all (site names) into one certificate? (You will need to investigate which CAs offer 100+ altNames.) Be advised, you might want to test a dummy self-signed SAN certificate with the FML to ensure that would work.


    Since an MX record is what drives the traffic, why can't you just use one single name for the SMTP gateway? When I used to host mail we had an MX01.<myhostingcompany>.com for all of the protected domains and enabled each domain that we protected.


    We didn't apply a unique mail gateway hostname; the protected domain is what drove what we protected.


    Now if you are doing the server-mode model and you want a unique domain name, that would be very different and difficult.

    e.g.


    https://yourmwebmail.customer1domain.com

    https://yourmwebmail.customer2domain.com

    https://yourmwebmail.customer3domain.com


    Again, a SAN certificate might come in handy.


    I believe IronPort has had multiple SSL/TLS listener support for a few years now. Here you could bind a TLS certificate to a UNIQUE listener (not SNI).


    Why I suggested an SLB: they do SNI with ease, will fill your requirement, and provide some type of HA if you wanted just one single MX entry. Again, in my past mail hosting experience, we did DNS round-robin and offered mail in two regions; in each region we had an SLB in front of the mail gateway. This was more of an active-active mail gateway if you wanted to look at it that way.


    Ken
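Whichever option ends up in front of the mail server (FortiMail's single default cert, an SLB doing SNI, or one big SAN cert), the check an admin wants before repointing mail.theirdomain.com is: "if a client sends this SNI name, does the certificate that comes back actually cover it?" The script below is an added example for this thread, not FortiMail, Fortinet or emnoc's code. It opens an SMTP session to an address, issues STARTTLS (or does implicit TLS on 465), negotiates TLS with a chosen SNI name, and checks the presented certificate's subjectAltName against that name; it also generates a minimal openssl config for the dummy self-signed SAN cert emnoc suggests testing with. The address 203.0.113.10, the hostnames from the thread, and ports 587/465 are placeholders/assumptions; chain validation uses the system CA bundle unless you pass the self-signed test cert as cafile.

```python
#!/usr/bin/env python3
"""Probe an SMTP host with a chosen SNI name and check the certificate it
presents covers that name. Added example for this thread; not FortiMail code.
Assumes STARTTLS on 587 (or implicit TLS on 465) and a validatable chain."""
import socket
import ssl


def _reply_complete(data):
    """True once data holds a whole SMTP reply (last line is 'NNN ' not 'NNN-')."""
    if not data.endswith(b"\r\n"):
        return False
    last = data[:-2].rsplit(b"\r\n", 1)[-1]
    return len(last) >= 4 and last[3:4] == b" "


def _read_reply(sock):
    """Read one (possibly multi-line) SMTP reply and return its status code."""
    data = b""
    while not _reply_complete(data):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return int(data[:3])


def _command(sock, line):
    sock.sendall(line.encode("ascii") + b"\r\n")
    return _read_reply(sock)


def probe(address, port, sni, cafile=None, timeout=10):
    """Return the peer certificate (ssl getpeercert() dict) the server sends
    when the client's SNI is `sni`. Chain validation stays on so the dict is
    populated; the hostname check is done by us so a wrong cert is reported
    instead of aborting the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((address, port), timeout=timeout) as sock:
        if port != 465:  # explicit STARTTLS path (587 / 25)
            if _read_reply(sock) != 220:
                raise RuntimeError("no SMTP greeting")
            if _command(sock, "EHLO probe.invalid") != 250:
                raise RuntimeError("EHLO rejected")
            if _command(sock, "STARTTLS") != 220:
                raise RuntimeError("STARTTLS not offered/accepted")
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
            try:
                _command(tls, "QUIT")
            except Exception:
                pass
            return cert


def san_dns_names(cert):
    """Lower-cased DNS entries from the certificate's subjectAltName."""
    return [v.lower() for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def hostname_matches(hostname, names):
    """RFC 6125-style match: exact name, or '*' as the entire leftmost label
    covering exactly one label ('*.theirdomain.com' covers mail.theirdomain.com,
    not a.b.theirdomain.com; '*.com' covers nothing)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        labels = name.split(".")
        if labels[0] == "*" and len(labels) >= 3:
            if host.split(".")[1:] == labels[1:] and host.count(".") == name.count("."):
                return True
    return False


def openssl_san_config(common_name, dns_names):
    """Minimal openssl req config putting every name into subjectAltName, for a
    dummy self-signed SAN cert to test with:
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config san.cnf \\
              -keyout san.key -out san.crt"""
    alt = ", ".join(f"DNS:{n}" for n in dns_names)
    return ("[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n"
            f"[dn]\nCN = {common_name}\n[ext]\nsubjectAltName = {alt}\n")


if __name__ == "__main__":
    import sys
    # usage: probe_sni.py 203.0.113.10 mail.theirdomain.com [587|465]  (placeholders)
    address, sni = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 587
    names = san_dns_names(probe(address, port, sni))
    print("SNI sent:       ", sni)
    print("SAN DNS names:  ", names)
    print("covers SNI name:", hostname_matches(sni, names))
```

Run it once per customer hostname against the FortiMail (or SLB) IP before changing DNS; a "covers SNI name: False" for mail.theirdomain.com is exactly the client-side certificate warning the OP is trying to avoid. Because the probe connects by IP and sets SNI explicitly, it tests the new front end without waiting for the DNS change.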