Fortinet Forum
Alexander_Mueller
New Contributor

FortiMail 200E and TLS issue

Hello,

I hope somebody can help me.

We have a FortiMail 200E with v6.0,build91,180524 (6.0.0 GA)

The problem is, we send email to a customer with a TLS profile, but we always get an error

 

STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1

 

to=<SipB@bkk-akademie.de>, delay=00:00:20, xdelay=00:00:20, mailer=esmtp, pri=40596, relay=mailtic.bkknet.de. [62.156.211.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.(Reason:403 4.7.0 TLS handshake.)

 

Under Policy -> Access Control -> Delivery

 

The domain is enabled with the TLS profile "TLS Preferred"

 

I'm not really sure what the problem is, because with other Domains/Customers the TLS is working.

 

best regards from Germany

Alexander_Mueller
New Contributor

OK, we updated the FortiMail to v6.0,build108,180731 (6.0.2 GA), but the same problem

 

STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1

 

to=SipB@bkk-akademie.de, delay=00:00:21, xdelay=00:00:21, mailer=esmtp, pri=0, relay=mailtic.bkknet.de. [62.156.211.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.(Reason:403 4.7.0 TLS handshake.)

Bromont_FTNT

Looks like mailtic2.bkknet.de only supports TLS 1.0; FortiMail 6 has TLS 1.0 disabled by default.

 

You can enable TLS 1.0 via CLI:

 

config system global
    set ssl-versions tls1_0 tls1_1 tls1_2
end
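A triage sketch for the log lines quoted in this thread, added here as an example and not part of any post or of FortiMail itself: it pairs each `STARTTLS=client` error with the delivery record that follows it and lists the relays deferred with `reason=unsupported protocol`, so the affected peers are known before TLS 1.0 is re-enabled globally. The function names and the assumption that the STARTTLS line directly precedes its delivery line belong to this example; the sample lines are taken from the posts, with spacing normalised.

```python
import re
from collections import defaultdict

# Sample lines taken from the posts in this thread (spacing normalised).
SAMPLE_LOG = """\
STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1
to=<SipB@bkk-akademie.de>, delay=00:00:20, xdelay=00:00:20, mailer=esmtp, pri=40596, relay=mailtic.bkknet.de. [62.156.211.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.(Reason:403 4.7.0 TLS handshake.)
to=<Test01@adtesting.local>, delay=00:45:25, xdelay=00:00:00, mailer=esmtp, pri=301093, relay=[192.168.248.98] [192.168.248.98], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.(Reason:403 4.7.0 TLS handshake.)
"""

TLS_ERR = re.compile(r"STARTTLS=client, error: .*?reason=([^,]+),")
DELIVERY = re.compile(r"to=<?([^>,\s]+)>?,.*?relay=(.+?), dsn=([\d.]+), stat=(.*)$")


def triage(log_text):
    """Map relay -> [(recipient, reason)] for deliveries deferred at the TLS handshake.

    Assumption: a STARTTLS=client error line, when present, is the line
    immediately before the delivery record it belongs to.
    """
    findings = defaultdict(list)
    pending_reason = None
    for line in filter(None, map(str.strip, log_text.splitlines())):
        err = TLS_ERR.search(line)
        if err:
            pending_reason = err.group(1).strip()
            continue
        rec = DELIVERY.search(line)
        if rec and "TLS handshake" in rec.group(4):
            rcpt, relay = rec.group(1), rec.group(2)
            findings[relay].append((rcpt, pending_reason or "unknown"))
        pending_reason = None  # a reason applies only to the next record
    return dict(findings)


def legacy_tls_relays(findings):
    """Relays deferred with reason=unsupported protocol (version mismatch, as diagnosed in the thread)."""
    return sorted(r for r, hits in findings.items()
                  if any(reason == "unsupported protocol" for _, reason in hits))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for relay, hits in result.items():
        print(relay, hits)
    print("protocol mismatch:", legacy_tls_relays(result))
```

A relay reported with reason `unknown` has no STARTTLS error line next to its delivery record, so the cause of that handshake failure cannot be read from the excerpt alone.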

 

emnoc
Esteemed Contributor III

Yes, I was going to say the same thing: check the supported TLS version and adjust as needed. With PCI June 2018 and various state and federal level agencies, they are disabling TLSv1 support, so TLS v1.1 or v1.2 at minimum.

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

Alexander_Mueller

Thank you very much for the solution,

 

I tried with

config system global
    set strong-crypto disable
end

 

 

but with the solution from Bromont_FTNT it's working

 

raul_lobo

Good afternoon.

Dear.

I have a FortiMail VM00 in trial mode, configured with 2 domains. Both domains were configured with port 465. But an error is being presented

to=<Test01@adtesting.local>, delay=00:45:25, xdelay=00:00:00, mailer=esmtp, pri=301093, relay=[192.168.248.98] [192.168.248.98], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.(Reason:403 4.7.0 TLS handshake.)

What was indicated in messages was configured in FortiMail,

End of keyboard-interactive prompts from server
FEVM000000000000 # config system global
FEVM000000000000 (global) # show
config system global
    set strong-crypto disable
    set ssl-versions ssl3 tls1_0 tls1_1 tls1_2 tls1_3
    set data-loss-prevention disable
end
FEVM000000000000 (global) #

What other configuration is missing?

 

Bromont_FTNT

These are logs on the Fortimail when it's trying to relay to the backend server? 

Can you provide a screenshot of the SMTP server config?

raul_lobo