Created on 07-04-2017 07:16 AM
Edited on 08-24-2025 05:22 AM
By Jean-Philippe_P
Description
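This article describes how to configure Gmail (STARTTLS) as a mail server for FortiAuthenticator. The solution has 3 parts: Google Account setup, importing the Google Root CA into FortiAuthenticator, and FortiAuthenticator SMTP server setup.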
Scope
FortiAuthenticator.
Solution
Google Account setup.
Gmail can be used as a mail server, although there are a few extra steps to get this working.
From 30.5.2022, Google no longer supports the use of third-party apps or devices that sign in to the Google Account using only a username and password.
To overcome this limitation, it is necessary to activate 2-Step Verification and App password for the Gmail account.
Google Account 2-Step Verification.
Log in to the Google Mail account and select Manage the Google Account (upper right corner of the screen).
The Gmail account will be different than the account used in this example.
Select the Security option.
Navigate to Signing into Google and select 2-Step Verification.
Verification: enter the mobile phone number.
Enter the verification code from the phone.
Select Turn ON in the last step.
App password setup.
Go back to the Google Account and select the Security option again.
Scroll to Signing into Google. 2-Step Verification now shows as on, and there is an option to create an App password.
If the option is not available, create it via this link: https://myaccount.google.com/apppasswords (from https://support.google.com/mail/answer/185833?hl=en).
Select the arrow next to the App password.
Under select app, select mail, and under device select other.
Enter a name for this device – FortiAuthenticator, in this example.
Select Generate. A new screen with the generated app password will appear.
Write down or copy this app password for later use in the FortiAuthenticator SMTP Server setup.
Select Done, and the Google Account setup part is done.
Import the Google Root CA into FortiAuthenticator.
STARTTLS can be used to connect to Gmail servers.  
With STARTTLS, however, FortiAuthenticator does not automatically trust the server's certificate chain, so the Root CA must be imported manually as a trusted CA.
The following steps show how to identify the Gmail Root CA certificate, download it from the Google certificate repository, and import it into the FortiAuthenticator trusted CAs.
To retrieve information about the Gmail Root CA certificate, run:
C:\Users\userX\Documents\OpenSSL\bin\openssl.exe  
OpenSSL> s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000220)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain.
 0 s:/CN=smtp.gmail.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate.
subject=/CN=smtp.gmail.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5155 bytes and written 469 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 350CACCF92466E9BC447EB570B8915892A13831CDCCDA494A7C83B6948567E61
    Session-ID-ctx:
    Master-Key: 67472BDA86EF8E0FA1BA153DC633F0302E03059D6D9DB17927731F8977344EAFF088FA0B8A069F8EA4DD5E6AAED06FAA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    Start Time: 1629661528
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 SMTPUTF8
The OpenSSL output shows three certificates in the chain: the server certificate [0] smtp.gmail.com, the intermediate [1] GTS CA 1C3, and the Root CA [2] GTS Root R1.
The Root CA of interest is GTS Root R1.
Be aware that a server is not obliged to send the Root CA certificate, but smtp.gmail.com sends a complete certificate chain.
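As an added example (not part of the original article and not Fortinet tooling), the following Python parser reads the chain entries from the `s_client` output above, checks that each issuer matches the next subject, and reports whether the last certificate the server sent is self-signed. For this chain, the `GTS Root R1` copy sent by the server is issued by GlobalSign Root CA, so it is a cross-signed copy and the self-signed root has to come from a separate download; the function names are illustrative.

```python
import re

# Chain entries copied from the s_client output in this article.
SAMPLE = """\
 0 s:/CN=smtp.gmail.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", re.MULTILINE)
CN = re.compile(r"(?:^|[/,])\s*CN\s*=\s*([^/,]+)")


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client chain output."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]


def common_name(dn):
    """Extract the CN from '/C=US/CN=x' or 'C = US, CN = x' style names."""
    m = CN.search(dn)
    return m.group(1).strip() if m else dn


def analyse(text):
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificate chain entries found")
    # Each certificate's issuer must be the subject of the next one up.
    broken = [d for (d, _, iss), (_, subj, _) in zip(chain, chain[1:]) if iss != subj]
    _, top_subject, top_issuer = chain[-1]
    return {
        "depth": len(chain),
        "contiguous": not broken,
        "top_subject": common_name(top_subject),
        "top_issuer": common_name(top_issuer),
        # Self-signed: the server sent a trust anchor itself. Otherwise the
        # last certificate is an intermediate or a cross-signed copy.
        "top_is_self_signed": top_subject == top_issuer,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```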
Google makes all of its Root CAs available for download at https://pki.goog/repository/.
Scroll down to Root CAs, select action next to GTS Root R1 CA, and under Downloads select Certificate (PEM).
The file gtsr1.pem is downloaded and now needs to be imported into FortiAuthenticator.
Log in to the FortiAuthenticator and navigate to Certificate Authorities -> Trusted CAs -> Import.
Enter the desired name in the Certificate ID field, select Upload file, select the downloaded gtsr1.pem, and select Open.
Select OK.
The new Root CA should be visible now in the list view.
FortiAuthenticator SMTP Servers setup.
Log in to FortiAuthenticator, go to System -> Messaging, and configure an SMTP server.
Test the connection: enter the recipient address and select Send.
A green checkmark notification will appear.
Congratulations, Gmail SMTP has been successfully configured for FortiAuthenticator.
Note: For FortiAuthenticator Cloud, it will not be possible to set up a custom SMTP server, as there is no option for System -> Messaging. FortiAuthenticator Cloud uses the FortiToken Cloud SMTP server for email services. Refer to the Limitations of FortiAuthenticator Cloud guide.