Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

TuanNguy
New Contributor

FortiMail STARTTLS

Hi community,

I'm trying to setup STARTTLS between FortiMail and internal Exchange servers, using wildcard cert (*.domain.com) signed by a CA. Mail flow is like below:

exch.domain.com > fml.domain.com > outside

Whenever mail is coming from outside, FortiMail happily forwards email to the Exchange server with STARTTLS successfully negotiated (according to the logs). However, when mail is sent outbound from the internal Exchange server, FortiMail complains that the certificate is of "unsupported certificate purpose".

Being new to FortiMail (and mail security gateway) as I am, how do I start troubleshoot this issue?

Thanks in advance.
1 Solution
Jjchen_FTNT

Hi Tuan,

This is the result of Factory cert in FortiMail, you can do a comparison with the one being used
$ openssl x509 -in Factory.cer -purpose -noout -text
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

View solution in original post

3 REPLIES 3
Jjchen_FTNT
Staff
Staff

Hi Tuan,

It sounds like a cert issue, you can double check keyUsage and extendedKeyUsage of the cert.
TuanNguy

Hi Jiajie,

Thanks for your reply. The key usage are Digital Signature and Key Encipherment. The extended key usage are Server Authentication and Client Authentication

Regards,
Tuan
Jjchen_FTNT

Hi Tuan,

This is the result of Factory cert in FortiMail, you can do a comparison with the one being used
$ openssl x509 -in Factory.cer -purpose -noout -text
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.