Holy
New Member
May 20, 2016
Solved

using TLS level Secure

  • May 20, 2016
  • 1 reply
  • 27328 views

Hello guys,

we should enforce TLS to a specific domain and verify a specific certificate. We have a mail from that partner; he gave us his TLS certificate CN, TLS certificate issuer CA and a link to download the root CA (it's a public CA).

So we must now configure TLS for that specific domain.

Should it be done this way?

Going to Access Policy > Delivery > create new > sender pattern * > recipient pattern "*domain of the partner" > TLS Profile > Secure.

But on this TLS Secure level profile there are so many possible options, plus you have to import a CA first.

So we should import that public root CA into FortiMail and then choose it there?

What should we write in Check CA Issuer? It's a Verisign CA; will it be ok if we choose "Contain" + "Verisign"?

What does the Certificate Subject mean? Is that the certificate CN? The domain of our partner?

Does someone already have experience with such a setup?

Thank you

    Best answer by abelio (SuperUser), May 22, 2016

    Hi Holy

    briefly:

    - import the CA certificate that signed your partner's certificate (system->certificate->CA certificate). Important: if you are dealing with a big CA, also import all the intermediate certificates to prevent anything strange in the trust chain

    - create a TLS profile choosing Secure as the TLS level option (profile->security->TLS)
      Check CA Issuer matching your CA
      If you also need to match the certificate subject, verify the strings involved
      Also check the encryption strength with your partner, default minimum 256

    - create a delivery message rule in order to match the desired traffic
      policy->access rule->delivery
      sender pattern: as you need
      recipient pattern: *@your_partner_domain
      TLS profile: the one you set before

    Then, all mails delivered to *@your_partner_domain will be delivered through TLS verifying the server certificate
    (and failing to deliver if that verification doesn't happen).

    I hope it helps
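The three steps above (trusted CA import, a Secure-level TLS profile with issuer/subject checks, and a delivery rule keyed on the recipient domain) amount to a fail-closed policy: a message to the partner domain is either sent over a verified TLS session or not sent at all. The following is an added illustration of those semantics, not FortiMail code and not the answer author's configuration. The field names, the "contain"/"equal" match modes, the fingerprint-based stand-in for chain validation, and every sample value (partner.example, the CA fingerprint, the DN strings) are assumptions constructed for the example.

```python
"""Model of how an enforced ("Secure") TLS delivery rule decides whether a
message to a partner domain goes out or is held back.

Added illustration only, not FortiMail code. Rule fields, match modes, the
fingerprint-based trust check and all sample values are assumptions chosen
to show the semantics described in the answer above: trust the partner's CA,
require the issuer (and optionally the subject) to match, and fail delivery
rather than fall back to cleartext when verification fails.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class PeerCert:
    """Minimal view of the certificate the partner's MX presents on STARTTLS."""
    subject: str             # DN string, e.g. "CN=mail.partner.example, O=Partner"
    issuer: str              # DN string of the signing CA
    issuer_fingerprint: str  # assumption: hex SHA-256 of the signing CA's DER


def parse_dn(dn: str) -> dict:
    """Naive DN parser: 'CN=x, O=y' -> {'CN': 'x', 'O': 'y'}.
    Sufficient for the CN lookup below; values containing commas are not handled."""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def string_match(mode: str, wanted: str, actual: str) -> bool:
    """'contain' = substring match, 'equal' = exact match; both case-insensitive."""
    if mode == "contain":
        return wanted.lower() in actual.lower()
    if mode == "equal":
        return wanted.lower() == actual.lower()
    raise ValueError(f"unknown match mode {mode!r}")


@dataclass(frozen=True)
class TlsProfile:
    level: str                                # "secure" = verify and fail closed
    trusted_ca_fingerprints: FrozenSet[str]   # CAs imported into the trust store
    issuer_check: Optional[Tuple[str, str]]   # e.g. ("contain", "Verisign")
    subject_check: Optional[Tuple[str, str]]  # e.g. ("equal", "mail.partner.example")


def verify_peer(profile: TlsProfile, cert: PeerCert) -> List[str]:
    """Return the list of failed checks (empty list = certificate accepted)."""
    failures = []
    # 1. Trust-store check standing in for signature validation up to an imported CA.
    if cert.issuer_fingerprint not in profile.trusted_ca_fingerprints:
        failures.append("issuer CA not in trusted store")
    # 2. Issuer DN must satisfy the configured "Check CA Issuer" string.
    if profile.issuer_check:
        mode, wanted = profile.issuer_check
        if not string_match(mode, wanted, cert.issuer):
            failures.append("issuer DN mismatch")
    # 3. Optional subject check, applied to the certificate CN.
    if profile.subject_check:
        mode, wanted = profile.subject_check
        if not string_match(mode, wanted, parse_dn(cert.subject).get("CN", "")):
            failures.append("subject CN mismatch")
    return failures


@dataclass(frozen=True)
class DeliveryRule:
    sender_pattern: str      # glob, e.g. "*"
    recipient_pattern: str   # glob, e.g. "*@partner.example"
    profile: TlsProfile


def decide_delivery(rules, sender, recipient, peer_cert):
    """First matching rule wins. Returns ("deliver" | "fail", reasons)."""
    for rule in rules:
        if not (fnmatchcase(sender.lower(), rule.sender_pattern.lower())
                and fnmatchcase(recipient.lower(), rule.recipient_pattern.lower())):
            continue
        if rule.profile.level != "secure":
            return "deliver", []                    # no verification requested
        if peer_cert is None:
            return "fail", ["peer offered no TLS"]  # never fall back to cleartext
        failures = verify_peer(rule.profile, peer_cert)
        return ("deliver", []) if not failures else ("fail", failures)
    return "deliver", ["no rule matched: opportunistic delivery"]


# Constructed sample data; not taken from any real deployment.
PARTNER_ROOT_CA = hashlib.sha256(b"constructed: partner root CA DER bytes").hexdigest()
PARTNER_PROFILE = TlsProfile(
    level="secure",
    trusted_ca_fingerprints=frozenset({PARTNER_ROOT_CA}),
    issuer_check=("contain", "Verisign"),
    subject_check=("equal", "mail.partner.example"),
)
RULES = [DeliveryRule("*", "*@partner.example", PARTNER_PROFILE)]
GOOD_CERT = PeerCert(
    subject="CN=mail.partner.example, O=Partner Example AG, C=DE",
    issuer="CN=Verisign Example Issuing CA, O=Verisign Example",
    issuer_fingerprint=PARTNER_ROOT_CA,
)

if __name__ == "__main__":
    print(decide_delivery(RULES, "alice@ourcorp.example", "bob@partner.example", GOOD_CERT))
    print(decide_delivery(RULES, "alice@ourcorp.example", "bob@partner.example", None))
```

The point of the model is the last two branches of `decide_delivery`: once a recipient matches the partner rule, a peer that offers no TLS or fails any of the three checks gets a failure rather than a cleartext fallback, which is the behaviour the answer describes for the Secure level. The "contain" issuer match is deliberately loose (it is a substring test, so keep the configured string specific to the expected CA), while the trust-store check is what actually pins delivery to the imported root and intermediates.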

    1 reply

    Holy (Author)
    New Member
    May 22, 2016

    And another question.

    How can I change our own certificate that should be used for TLS?

    I have to import the certificate in .pfx format, but how can I configure that certificate to be used for TLS now?

    Thank you


    Holy (Author)
    New Member
    May 23, 2016

    Hello,

    Thank you very much. That works now :)