Description
This article describes how to Configure Gmail (STARTTLS) as mail server for FortiAuthenticator. Solution has 3 parts:
1) Google Account setup.
2) Google Root CA import into FortiAuthenticator.
3) FortiAuthenticator SMTP Servers setup.
Google Account setup.
Gmail can be used as a mail server although there are a few extra steps to get this working.
From 30.5.2022. Goggle no longer supports the use of third-party app or devices to sign into the Google Account using only username and password.
To overcome this limitation, we need to activate 2-Step Verification and App password for Gmail account.
Google Account 2-Step Verification.
Login to the google mail account and select Manage the Google Account (upper right corner of screen).
The Gmail account will be different than account used in this example.
Select Security option.
Navigate to Signing into Google and select 2-Step Verification.
Verification – put the mobile phone number.
Enter verification code from phone.
and select Turn ON on last step.
App password setup.
Get back to Google Account and select Security option again.
Scroll to the Signing into Google. We can see now that Verification is on, and there is the option to create App password.
Select arrow next to App password.
Under select app – select mail and under device select other.
Enter name for this device – FortiAuthenticator in this example.
And select Generate. New screen with generated app password will appear.
Write down or copy this app password for later use in FortiAuthenticator SMTP Server setup.
Select Done and Google Account setup part is done.
Import Google Root CA into FortiAuthenticator.
STARTTLS can be used to connect to Gmail servers.
In STARTTLS however, the server’s certificate chain is not populated automatically on the FortiAuthenticator and it will need to be imported as a trusted CA manually.
Use the following steps to find info about Gmail Root CA certificate and how to download it from Google cert repository and import into FortiAuthenticator trusted CA.
To retrieve the info about Gmail Root CA certificate.
1) Download openSSL.
2) Navigate to openSSL directory and issue the command OpenSSL.
3) Run the following command in OpenSSL.
C:\Users\userX\Documents\OpenSSL\bin\openssl.exe
OpenSSL> s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000220)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain.
0 s:/CN=smtp.gmail.com
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate.
-----BEGIN CERTIFICATE-----MIIFUzCCBDugAwIBAgIQNqm/77JA/3sKAAAAAPbuCTANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yMTA3MjYwMzEwMzJaFw0yMTEwMTgw
MzEwMzFaMBkxFzAVBgNVBAMTDnNtdHAuZ21haWwuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAw9x7gduhKcy1ko44ywwG+371bhJMCT9JCvIr5DgC
ntHHTNiulG0h2gMmauQNxI1Tzq56rzAYngFQRnElr+Xq76c7vSC7IwY9U/Psnyer
3H+al17TeRZXeLnaB3TcsU87P1vfqoon0j80BKDjLQpmlzOjtQtpkcABdSq50A7b
WB7S4dc3bwJuHcm9J8KmpE+06DFZbZMDiU0eMBQ9G4x19TO5eI6pLIgjacMDkdts
saUJac1HrTFvBlFXLr09c5MzTaRsIRNwuGFhilCTsle+9SiD4tgr9XkSjFICITyV
KaXPMgR9VwxVgE/7jLWdNmMYjqJKJJSoch410DHcCk77BwIDAQABo4ICaDCCAmQw
DgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFPtZU5dxwYX8XYKQvCk9kzKojL0qMB8GA1UdIwQYMBaAFIp0
f6+Fze6VzT2c0OJGFPNxNR0nMGoGCCsGAQUFBwEBBF4wXDAnBggrBgEFBQcwAYYb
aHR0cDovL29jc3AucGtpLmdvb2cvZ3RzMWMzMDEGCCsGAQUFBzAChiVodHRwOi8v
cGtpLmdvb2cvcmVwby9jZXJ0cy9ndHMxYzMuZGVyMBkGA1UdEQQSMBCCDnNtdHAu
Z21haWwuY29tMCEGA1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQB1nkCBQMwPAYD
VR0fBDUwMzAxoC+gLYYraHR0cDovL2NybHMucGtpLmdvb2cvZ3RzMWMzL3pkQVR0
MEV4X0ZrLmNybDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AO7Ale6NcmQPkuPD
uRvHEqNpagl7S2oaFDjmR7LL7cX5AAABeuEB2oMAAAQDAEcwRQIhAIKcGn1ViFz0
wDYand+hVMDVn+68jeucluCjyzidREl3AiAUYTnmECwOecEd9Jv4Te3bEvVAjEaV
cFY7NTFIoReGaQB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAAB
euEB2m8AAAQDAEgwRgIhALygKtj+tDfC4RQVikCDxsgbSYVIwqbBxuaBuCJ4wl25
AiEAuuA2XbYTPzJOVROJU306HT+vjD6Yo+qZjYhLr/NvqfIwDQYJKoZIhvcNAQEL
BQADggEBALhpi9EuBBojFGCrtR0ojo5oa1rhqqkVIJu6Zg3+H4KotGSe6yNxHeti
kfkEqUEWFkJFyirOmER20hVW7KHEkSRgJqmArUl0JiGyHGRnulqW93Vq5qlJKPnQ
YSwOe4rKWFiZTKgArWYOoeL4m8Z24ElicSa6i947pIBb7vF/D7TBA4zT3GR6fvYe
psEVwtuYd3BG5fjAqxD7b4xIf2s8KwKCC5+PrfQWSrvU6RnmLXtI65gT81T7LBQD
iYMd/4qUYUDsa2oL4tH+fVdVwj0ULaDJXNJ9kX20xRp/v5x9X5n5Iigjfz0KilsL
CR0relJ8MrIi9kY4ems6TH1L/fFRIzc=
-----END CERTIFICATE-----
subject=/CN=smtp.gmail.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5155 bytes and written 469 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 350CACCF92466E9BC447EB570B8915892A13831CDCCDA494A7C83B6948567E61
Session-ID-ctx:
Master-Key: 67472BDA86EF8E0FA1BA153DC633F0302E03059D6D9DB17927731F8977344EAFF088FA0B8A069F8EA4DD5E6AAED06FAA
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 01 25 0d d4 28 7c 52 41-4e 73 5e cb 62 85 96 04 .%..(|RANs^.b...
0010 - 20 32 dc 1a 0b aa 8f 87-ee 66 a6 06 2e 4a 56 fe 2.......f...JV.
0020 - bc a7 9a 7c 99 67 ef d4-77 22 bc 94 65 02 9e 47 ...|.g..w"..e..G
0030 - e3 10 5e 2d 83 4e a8 47-72 cd 9d 13 5b 01 68 c5 ..^-.N.Gr...[.h.
0040 - dd 9d 25 3e 1d 4d 80 df-06 a2 c8 f2 56 ee 40 b3 ..%>.M......V.@.
0050 - b3 de 88 81 27 df 42 32-01 d6 d6 85 41 eb e5 19 ....'.B2....A...
0060 - 06 09 c5 e5 b9 e4 c7 58-35 5c 2a 3c 43 25 d8 3e .......X5\*<C%.>
0070 - b7 45 1e f8 05 64 5f 69-43 db 38 85 6d 55 63 80 .E...d_iC.8.mUc.
0080 - 85 54 3d 7a 79 3a 54 39-9a 35 93 d4 25 6f ea ed .T=zy:T9.5..%o..
0090 - 98 f3 8d 79 8f 50 96 62-40 1e 21 ab 3d b2 72 4d ...y.P.b@.!.=.rM
00a0 - f8 85 15 d9 63 48 d1 de-b0 3f ea e3 92 15 e7 6e ....cH...?.....n
00b0 - f0 d9 2e af d7 eb cd 2a-f1 ba 1b 90 31 99 0d 60 .......*....1..`
00c0 - 38 75 fd 27 d4 56 c4 ef-66 1e 78 5e c9 dd 33 cc 8u.'.V..f.x^..3.
00d0 - 78 11 cd 7f 07 91 04 f4-ee 8a 87 a1 fa x............
Start Time: 1629661528
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 SMTPUTF8
Output of openssl command show us that we have server [0] smtp.gmail.com, Intermediate [1] GTS CA 1C3 and Root CA [2] GTS Root R1 certs.
The Root CA of interest is GTS Root R1.
Be aware that server is not obliged to send info about Root CA, but in case of smtp.gmail.com, there is complete cert chain from server!
Google have all Root CA available for download on https://pki.goog/repository/ .
Scroll down to Root CAs, select action next to GTS Root R1 CA, under Downloads select on Certificate (PEM).
File gtsr1.pem is downloaded and now need to be imported in FortiAuthenticator.
Login to the FortiAuthenticator and navigate to Certificate Authorities ->Trusted CAs -> Import.
Put desired name in Certificate ID field, select Upload file, select downloaded gtsr1.pem and select open.
Select OK.
New Root CA should be visible now in list view.
FortiAuthenticator SMTP Servers setup.
Login to FortiAuthenticator, go to System -> Messaging and configure a SMTP server.
- Configure server name, select PORT 587 and STARTTLS for secure connection.
- in Account username put the Gmail account
- Password – enter here App Password, created in step 1. NOT Gmail account password!!!
Test connection – put recipient address and select Send.
Green checkmark notification will appear.
Congratulations, you successfully configure Gmail smtp for FortiAuthenticator.
Related Articles
