FortiMail
burakyigit
Staff
Article Id 244649
Description

This article describes how to disable ciphers on FortiMail.

Scope

FortiMail.
Solution

By default, FortiMail takes its TLS settings from '# config system global'. There, administrators can set the size of the Diffie-Hellman prime (dh-params), the permitted TLS versions (TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3) and the strong-crypto option for the SMTP and HTTP services. The cipher suite itself, however, cannot be edited there.

To modify the cipher suite, use '# config system security crypto' instead. It holds a separate crypto profile for each service (http and mail), and each profile accepts the same settings as the global section plus a custom-ciphers list.

For example, suppose the device currently has the following configuration, and the goal is to remove the weak cipher RC4-SHA from the list of ciphers offered.


# config system global
    set strong-crypto enable
    set ssl-versions tls1_2 tls1_3
    set dh-params 2048
end

The following configuration should be used instead, repeating the global settings in both service profiles and excluding RC4-SHA from each:


# config system security crypto
    edit http
        set strong-crypto enable
        set ssl-versions tls1_2 tls1_3
        set dh-params 2048
        set custom-ciphers -RC4-SHA
        set status enable
    next
    edit mail
        set strong-crypto enable
        set ssl-versions tls1_2 tls1_3
        set dh-params 2048
        set custom-ciphers -RC4-SHA
        set status enable
    next
end

Note 1:

Each entry in custom-ciphers is a cipher name prefixed with a sign:
+ means include the cipher in the list offered;
- means exclude it from the list.
So 'set custom-ciphers -RC4-SHA' removes only RC4-SHA and leaves the rest of the list unchanged.

Note 2:

The effective settings of a profile, including the list of ciphers offered, can be displayed with the 'get' command:


# config system security crypto
(crypto) # edit mail
(mail) # get
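The 'get' command shows what the unit is configured to offer, but the safer check is a handshake from outside. The script below is an added example and not part of the Fortinet article: it uses openssl s_client to ask a FortiMail host for a specific cipher on HTTPS (443) and on SMTP with STARTTLS (25) and reports whether the server accepted it. The host name is a placeholder; it also guards against two ways such a test silently lies, namely a local OpenSSL build that no longer supports RC4 at all (the handshake then fails regardless of the server) and TLS 1.3, which ignores the -cipher list, so the handshake is pinned to TLS 1.2.

```shell
#!/bin/sh
# Added example (not part of the Fortinet article): confirm from a client
# that a FortiMail unit no longer accepts a cipher after it was removed
# with "set custom-ciphers -<name>". Checks HTTPS (443) and SMTP with
# STARTTLS (25). Requires an openssl binary; the host is a placeholder.

# Read `openssl s_client` output on stdin and print the cipher named on
# its "New, <proto>, Cipher is <name>" line, or "(NONE)" if the
# handshake failed or the line is missing (e.g. connection refused).
negotiated_cipher() {
    c=$(sed -n 's/^New, .*, Cipher is //p' | head -n 1)
    if [ -z "$c" ]; then c='(NONE)'; fi
    printf '%s\n' "$c"
}

# check_cipher HOST PORT CIPHER [smtp]
# Exit 0: server accepted CIPHER (it is still being offered)
# Exit 1: server refused it
# Exit 2: the local OpenSSL cannot offer CIPHER at all (modern builds
#         drop RC4), so a failed handshake would say nothing about the
#         server. Also returned when openssl is not installed.
check_cipher() {
    host=$1; port=$2; cipher=$3; starttls=$4
    openssl ciphers "$cipher" >/dev/null 2>&1 || return 2
    # -tls1_2: since OpenSSL 1.1.1, -cipher only governs TLS 1.2 and
    # below; a TLS 1.3 handshake would succeed with a default TLS 1.3
    # suite and look like the weak cipher was accepted.
    if [ -n "$starttls" ]; then
        out=$(openssl s_client -connect "$host:$port" -starttls "$starttls" \
                -servername "$host" -tls1_2 -cipher "$cipher" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$host:$port" \
                -servername "$host" -tls1_2 -cipher "$cipher" </dev/null 2>/dev/null)
    fi
    neg=$(printf '%s\n' "$out" | negotiated_cipher)
    [ "$neg" != "(NONE)" ]
}

# Usage: sh check_ciphers.sh <fortimail-host> [cipher ...]
# With no cipher given, checks RC4-SHA, the cipher removed in the article.
main() {
    host=$1; shift
    if [ $# -eq 0 ]; then set -- RC4-SHA; fi
    for c in "$@"; do
        for svc in "443:" "25:smtp"; do
            port=${svc%%:*}; st=${svc#*:}
            check_cipher "$host" "$port" "$c" "$st"; rc=$?
            case $rc in
                0) echo "FAIL  $host:$port still accepts $c" ;;
                1) echo "OK    $host:$port refuses $c" ;;
                *) echo "SKIP  local OpenSSL cannot offer $c; result is meaningless" ;;
            esac
        done
    done
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as 'sh check_ciphers.sh mail.example.com' (placeholder host), optionally followed by further cipher names to test several at once. A SKIP line means the scanning machine, not the FortiMail unit, is the limiting factor; run the check from a host whose OpenSSL still has the legacy cipher compiled in, or use a dedicated TLS scanner.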
