This article describes how to prevent the 'Connection is not TLS encrypted' message on FortiMail if a remote MTA is configured to use ESMTP only.
Scope
FortiMail v7.2, v7.4.
Solution
As per default settings, FortiMail is configured to use 'regular' as connection-type. In such cases, FortiMail will use SMTP protocol HELO without STARTTLS only. If a remote MTA is configured to use ESMTP and FortiMail is configured with its default settings, (connection-type regular), the session will not be established, mails will not be received on final recipients and FortiMail Mail Event, the following message can be observed:
reject=454 4.7.0 Connection is not TLS encrypted. Recipient organization requires TLS
The solution would be to use auto instead of regular so that FortiMail will use the ESMTP protocol first, and fall back to the SMTP protocol.
FortiMail (smtp-rcpt-veri~i) # show config mailsetting smtp-rcpt-verification ... set connection-type auto end
