| Description | This article describes how to identify and troubleshoot self-signed certificates in SMTP server configuration. |
| Scope | FortiAuthenticator. |
| Solution |
When configuring an SMTP server with 'STARTTLS' as the 'Secure connection' setting, the full CA chain must be loaded into the CA certificate trust store, even when the issuer is a public CA, as described in the following KB article: Technical Tip: Configure Gmail (STARTTLS) as a mail server
When the SMTP server certificate is self-signed, the following error appears:
The following log is also generated:
Note that although the SMTP error itself may differ, if a 'self-signed certificate' is present, the problem still lies with the certificate.
To confirm this, start a packet capture and test the connection: Technical Tip: How to run a Packet Capture with FortiAuthenticator
The following KB article explains how to extract the certificate from the Server Hello of the TLS negotiation for analysis: Technical Tip: Extracting SSL Server certificate from PCAP file
A self-signed certificate has no separate CA: its issuer is the same entity as its subject, so importing the certificate itself into the trust store is mandatory. However, if the certificate is not compliant (i.e., the SAN or CN does not match the server name), importing it will not fix the issue.
A valid public certificate must be generated and installed on the SMTP server, and its CA chain uploaded to FortiAuthenticator. |
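The two checks the article walks through (is the server certificate self-signed, and does its SAN or CN actually cover the SMTP host name) can be run against a certificate extracted from the packet capture. The following script is an added example, not part of the Fortinet article; it assumes the openssl CLI (1.1.1 or later, for `-addext`) is on the PATH, and the certificate it generates for the demonstration is a constructed sample with a deliberately wrong name, not any real mail server's certificate. The host names `smtp.example.test` and `smtp-old.example.test` are placeholders.

```shell
#!/bin/sh
# Added example: classify an SMTP server certificate the way a troubleshooter would
# before deciding what to import on FortiAuthenticator. Assumes openssl >= 1.1.1.

# "self-signed" when issuer == subject (RFC 2253 form so both sides format alike),
# otherwise "ca-issued". This is the usual heuristic; a real CA-issued cert never
# names itself as issuer.
cert_issuer_kind() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then echo self-signed; else echo ca-issued; fi
}

# $1 = lowercase host, $2 = lowercase certificate name. A wildcard covers exactly
# one leading label (mail.example.test matches *.example.test, example.test does not).
host_matches_name() {
    case $2 in
        \*.*) [ "${1#*.}" = "${2#\*.}" ] && [ "${1#*.}" != "$1" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Prints "match" when the host is covered by a SAN DNS entry; if the certificate has
# no SAN DNS entries at all, falls back to the CN (the only case clients consult it).
cert_covers_host() {
    cert=$1
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    names=$(openssl x509 -in "$cert" -noout -text \
            | grep -A1 'Subject Alternative Name' \
            | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
    if [ -z "$names" ]; then
        names=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
                | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    fi
    # read line by line so a "*" in a name is never glob-expanded
    verdict=$(printf '%s\n' "$names" | while IFS= read -r n; do
        [ -n "$n" ] || continue
        n=$(printf '%s' "$n" | tr '[:upper:]' '[:lower:]')
        if host_matches_name "$host" "$n"; then echo match; break; fi
    done)
    echo "${verdict:-mismatch}"
}

# Combined verdict, e.g. "self-signed name-mismatch".
diagnose_smtp_cert() {
    echo "$(cert_issuer_kind "$1") name-$(cert_covers_host "$1" "$2")"
}

# Maps the verdict onto the article's conclusion: the certificate itself is the
# trust anchor only when it is self-signed AND its name is right.
recommendation() {
    case $1 in
        "self-signed name-match") echo "import this certificate into the FortiAuthenticator trusted CA store" ;;
        "ca-issued name-match")   echo "import the full issuing CA chain into the trusted CA store" ;;
        *) echo "issue a certificate whose SAN/CN matches the SMTP host, then import its CA chain" ;;
    esac
}

# Constructed sample only: a throwaway self-signed certificate with a chosen CN and SAN.
make_demo_cert() {
    out=$1; cn=$2; san=$3
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$san" -days 1 >/dev/null 2>&1
}

# Demonstration: the server presents a self-signed cert for the wrong (old) host name.
tmp=$(mktemp -d)
make_demo_cert "$tmp/smtp.pem" smtp-old.example.test smtp-old.example.test
v=$(diagnose_smtp_cert "$tmp/smtp.pem" smtp.example.test)
echo "$v -> $(recommendation "$v")"
rm -rf "$tmp"
```

Feed it the PEM file recovered from the packet capture and the exact host name entered in the FortiAuthenticator SMTP server settings; a `name-mismatch` verdict means importing the certificate, as the article notes, will not help and the server certificate has to be reissued.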