Cybersecurity Forum


TuanNguy
New Contributor

FortiMail STARTTLS

Hi community,

I'm trying to set up STARTTLS between FortiMail and internal Exchange servers, using a wildcard cert (*.domain.com) signed by a CA. Mail flow is like below:

exch.domain.com > fml.domain.com > outside

Whenever mail is coming from outside, FortiMail happily forwards email to the Exchange server with STARTTLS successfully negotiated (according to the logs). However, when mail is sent outbound from the internal Exchange server, FortiMail complains that the certificate is of "unsupported certificate purpose".

Being new to FortiMail (and mail security gateways) as I am, how do I start troubleshooting this issue?

Thanks in advance.

3 REPLIES
Jjchen_FTNT
Staff

Hi Tuan,

It sounds like a cert issue; you can double-check the keyUsage and extendedKeyUsage of the cert.
TuanNguy

Hi Jiajie,

Thanks for your reply. The key usages are Digital Signature and Key Encipherment. The extended key usages are Server Authentication and Client Authentication.

Regards,
Tuan
Jjchen_FTNT

Hi Tuan,

This is the result for the Factory cert in FortiMail; you can do a comparison with the one being used:
$ openssl x509 -in Factory.cer -purpose -noout -text
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
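The comparison Jjchen suggests can be scripted so that it is repeatable against whatever certificate is loaded on the gateway. The script below is an added example, not code from the thread or from Fortinet: it builds two throwaway self-signed certificates with openssl (one carrying both serverAuth and clientAuth in extendedKeyUsage, one carrying serverAuth only, both under the constructed name *.example.test), then runs the same openssl x509 -purpose check and reports whether each cert covers the two TLS roles a mail gateway plays: TLS server when it accepts STARTTLS from Exchange, and TLS client when it relays outbound and offers STARTTLS to the next hop. The function names make_cert, purpose_yes and smtp_tls_ready are this example's own. It requires OpenSSL 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example: reproduce the "openssl x509 -purpose" comparison from the thread
# as a reusable check. The certificates created here are constructed test data.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU KU
# Self-signed throwaway cert (not CA-signed) with the given extendedKeyUsage and
# keyUsage values; prints the path of the PEM file it wrote.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=*.example.test" \
    -addext "keyUsage=$3" \
    -addext "extendedKeyUsage=$2" \
    -addext "subjectAltName=DNS:*.example.test" >/dev/null 2>&1
  echo "$WORK/$1.pem"
}

# purpose_yes CERT PURPOSE
# Succeeds when "openssl x509 -purpose" reports the named purpose as "Yes",
# e.g. purpose_yes cert.pem "SSL client".
purpose_yes() {
  openssl x509 -in "$1" -noout -purpose | grep -q "^$2 : Yes\$"
}

# smtp_tls_ready CERT
# Succeeds only when the cert is usable in both roles a mail gateway plays:
# TLS server (inbound STARTTLS) and TLS client (outbound STARTTLS when relaying).
# Prints which role is missing, which maps to the EKU value to add.
smtp_tls_ready() {
  ok=0
  purpose_yes "$1" "SSL server" \
    || { echo "  missing: SSL server purpose (needs serverAuth in extendedKeyUsage)"; ok=1; }
  purpose_yes "$1" "SSL client" \
    || { echo "  missing: SSL client purpose (needs clientAuth in extendedKeyUsage)"; ok=1; }
  return $ok
}

# Constructed inputs: the first mirrors the usages Tuan reported, the second
# omits clientAuth, which is a common way a wildcard cert ends up server-only.
BOTH="$(make_cert both serverAuth,clientAuth digitalSignature,keyEncipherment)"
SERVER_ONLY="$(make_cert server-only serverAuth digitalSignature,keyEncipherment)"

for c in "$BOTH" "$SERVER_ONLY"; do
  echo "== $(openssl x509 -in "$c" -noout -subject) ($c)"
  if smtp_tls_ready "$c"; then
    echo "  OK: usable for both STARTTLS directions"
  fi
done
```

To check the certificate actually installed on the gateway, export it and call smtp_tls_ready on that file instead of the generated ones; the full -purpose table from the thread is what purpose_yes is grepping, so any other purpose name from that table can be checked the same way.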