- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Choosing outbound SMTP cipher
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Choosing outbound SMTP cipher
I notice that when the FortiMail sends outbound mail, it's using the RC4 cipher: it looks like (version=TLSv1.2 cipher=RC4-SHA bits=128/128) when I view headers for a message sent from the FortiMail. We're using version 5.2. I'm sure it can be set to AES128 or something better, but I'm not sure how to achieve this. Any thoughts?
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But there's another means . It's called FIPS mode, just be aware of the limits within FIPS mode of operation.
execute fips
That would be the correct means. I believe set srtong-crypto does nothing for TLS connections between MTAs.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:
execute fips
Be careful with this; all your current config settings is lost after enter it.
Beside of that, it's valid only if you have installed a FIPS-certified firmware build provided by TAC
regards
regards
/ Abel
regards
/ Abel
- « Previous
-
- 1
- 2
- Next »
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I'm aware of negotiating. I'm checking the headers in my Gmail account which show the following:
Received: from somewhere.example.com (somewhere.example.com [1.1.1.1])
by mx.google.com with ESMTPS id f192si290559iof.16.2015.04.29.14.58.53
for <someguy@gmail.com>
(version=TLSv1.2 cipher=RC4-SHA bits=128/128);
Wed, 29 Apr 2015 14:58:54 -0700 (PDT)
Interestingly, when I get messages from Fortinet indicating that I have a new forum message, I see these headers:
Received: from smtp.fortinet.com (smtp.fortinet.com. [208.91.113.81])
by mx.google.com with ESMTPS id gl1si2655455pbd.121.2015.04.30.02.26.49
for <someguy@gmail.com>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Thu, 30 Apr 2015 02:26:50 -0700 (PDT)
I'm guessing that Fortinet is using their own product, but they must have FIPS support enabled or something else magical because they are sending another cipher...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interestingly, when I get messages from Fortinet indicating that I have a new forum message, I see these headers:
The latter is because the following was negoiated as ECDHE-RSA-AES128-SHA , the funny tho Ijust did the same thing to my personal gmail account and got the following; version=TLSv1.2 cipher=RC4-SHA bits=128/128 also.But if I send from gmail, I get the same ( version=TLSv1.2 cipher=RC4-SHA bits=128 verify=CAFAIL) ) .So this might be gmail doing this ans restricted to this cipher all others MTA are using AEAS128 or 256 as the cipher of choice
I agreed that RC4 is not a suitable cipher by all means and this is very disturbing ;) I'm writing up some new fortimail documents and going to reference this in my mail.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like I stated earlier, your mis-understanding strong-crypto enable/disable the services. The above has NOTHING to do w/TLS and SMTP services.
See the screenshot attached. enabling FIPS is a sure 100% way to eliminate RC4-SHA/MD5. In the OP case google is supporting RC4 in it's tls offerings.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
run the following on your Fortimail with both strong-crypto enabled and disabled:
openssl s_client -cipher RC4-MD5 -connect 192.168.113.202:25 -starttls smtp
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't figure out how to load 2files, but either way here the webGUI admin access with and witout strong-crypto. FIPS mode is your friend
http://socpuppet.blogspot.com.es/2013/02/testing-for-tls-support-wwwsmtp-with.html
ken@socpuppets
Enjoy
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But STARTTLS has to be in the EHLO ;)
Repeat after me;
The global command strong crypto enabled does not stop "your fortimail" from using RC4 if the far end supports and negotiate the use of RC4-MD5|SHA" , which is the case of gmail.com and quite a few others mail systems I just tested.
Here's the RFC about this, but again it's just a RFC and not ever thing follows the RFCs.
https://tools.ietf.org/html/rfc7465
I also notice on the date it's quite new 2015. So obvious the fortimail and gmail for example, has ignored this.
:)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's why I said I'd contact dev about this as RC4 should also be removed when strong-cryto is disabled.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When strong crypto is enabled, RC4 is disabled in non-mail protocols. RC4 is however still included for SMTP to support legacy MS Exchange Servers and Outlook clients which do not support other cypher suites due to bugs e.g. https://support.microsoft.com/en-us/kb/938857
In all cases, the receiving server should negotiate with FortiMail the strongest possible mutually supported method. As Bromont tested (and I have reproduced), GMail is negotiating version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA in the majority of cases. If you are seeing differently, let us know which Google IP as it may be a badly configured server somewhere or an Exchange server as per the MS bug referenced above.
Whilst RC4 might mot be the most secure method, the alternative if we were to disable it totally would be to fall back to plaintext SMTP, so this is considered an acceptable compromise in this instance.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Introducing FortiMail 6.0.0 12090 Views
- Choosing outbound SMTP cipher 31361 Views
- ... 3751 Views
- ... 2287 Views
Labels
-
FortiGate
6,860 -
FortiClient
1,361 -
5.2
801 -
5.4
639 -
FortiManager
587 -
FortiAnalyzer
432 -
6.0
416 -
5.6
362 -
FortiAP
358 -
FortiSwitch
353 -
FortiClient EMS
277 -
FortiMail
268 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
115 -
FortiGuard
109 -
IPsec
94 -
FortiSIEM
91 -
FortiGateCloud
90 -
FortiCloud Products
85 -
SSL-VPN
76 -
FortiToken
74 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiDNS
35 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
27 -
VLAN
26 -
FortiAuthenticator
25 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiGate v5.2
17 -
FortiSwitch v6.2
16 -
DNS
16 -
LDAP
16 -
Certificate
16 -
SAML
15 -
BGP
15 -
VDOM
15 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Authentication
12 -
fortilink
12 -
Routing
12 -
FortiCASB
12 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
FortiAP profile
5 -
WAN optimization
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.