I notice that when the FortiMail sends outbound mail, it's using the RC4 cipher: it looks like (version=TLSv1.2 cipher=RC4-SHA bits=128/128) when I view headers for a message sent from the FortiMail. We're using version 5.2. I'm sure it can be set to AES128 or something better, but I'm not sure how to achieve this. Any thoughts?
But there's another means. It's called FIPS mode; just be aware of the limits within FIPS mode of operation.
execute fips
That would be the correct means. I believe set strong-crypto does nothing for TLS connections between MTAs.
PCNSE
NSE
StrongSwan
emnoc wrote:
execute fips
Be careful with this; all your current config settings are lost after entering it.
Besides that, it is valid only if you have installed a FIPS-certified firmware build provided by TAC.
regards
/ Abel
try at CLI:
config system global
set strong-crypto enable
end
@Bromont_FTNT: That only sets the administrative interface to stronger crypto, not the outbound MTA. It was already set.
on my system with a test to gmail:
With strong-crypto disabled: (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
With strong-crypto enabled: (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
As I said, that is enabled. However, it refuses to send to Gmail with anything besides RC4, but I sent it to another mailbox I have that I know also accepts TLS messages and this was the header (IPs and hostnames are changed to protect the innocent):
Received: from something.example.com (HELO something.example.com) ([1.1.1.1])
by sfpop-ironport07.merit.edu with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Apr 2015 07:50:39 -0400
Received: (from [IPv6:::1])
by something.example.com with ESMTP id t3UBnu8O015913-t3UBnu8P015913
for <somebody@a-remote-place.it>; Thu, 30 Apr 2015 06:50:28 -0500
Bingo, AES256-SHA... not bad! So weird that Gmail accepts AES128 from Fortinet but not from my FortiMail. Oh well... without a packet analyzer (which I don't have handy) or debug logs (which I haven't tried playing with) I can't watch the negotiation happen. Thanks for everybody's help.
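The header check the poster did by hand, as an added example (not code from the thread or from Fortinet): a small Python script that pulls the negotiated cipher out of Received: headers and flags RC4 and other legacy suites. It recognises the two header styles quoted in this thread, Gmail's "(version=... cipher=... bits=...)" annotation and IronPort's "ESMTP/TLS/<cipher>" form. The sample headers, hostnames, IPs and message IDs are constructed placeholders; the weakness rules (RC4 per RFC 7465, DES/3DES, NULL/export suites, MD5 MAC, missing forward secrecy) are my own choices and can be tightened to local policy.

```python
"""Audit SMTP Received: headers for the negotiated TLS cipher suite.

Constructed example for this thread; not FortiMail code.
"""
import re
from typing import Dict, List, Optional

# Constructed sample headers modelled on the ones quoted in the thread.
# Hostnames, IPs and message IDs are placeholders, not real mail.
SAMPLE_HEADERS: List[str] = [
    "Received: from mta.example.com (mta.example.com. [192.0.2.10]) "
    "by mx.google.com with ESMTPS id abc123 "
    "(version=TLSv1.2 cipher=RC4-SHA bits=128/128); Thu, 30 Apr 2015 04:50:40 -0700 (PDT)",
    "Received: from mta.example.com (mta.example.com. [192.0.2.10]) "
    "by mx.google.com with ESMTPS id abc124 "
    "(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 30 Apr 2015 04:50:55 -0700 (PDT)",
    "Received: from mta.example.com (mta.example.com. [192.0.2.10]) "
    "by mx.google.com with ESMTPS id abc125 "
    "(version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 30 Apr 2015 04:51:02 -0700 (PDT)",
    "Received: from something.example.com (HELO something.example.com) ([1.1.1.1]) "
    "by mx.example.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Apr 2015 07:50:39 -0400",
    "Received: from plain.example.org by mx.example.net with ESMTP; 30 Apr 2015 07:51:00 -0400",
]

# Gmail-style annotation: (version=TLSv1.2 cipher=RC4-SHA bits=128/128)
GMAIL_STYLE = re.compile(
    r"version=(?P<version>TLSv[\d.]+|SSLv\d)\s+cipher=(?P<cipher>[A-Z0-9-]+)\s+bits=(?P<bits>\d+)/\d+"
)
# IronPort-style annotation: with ESMTP/TLS/DHE-RSA-AES256-SHA
IRONPORT_STYLE = re.compile(r"ESMTPS?/TLS/(?P<cipher>[A-Z0-9-]+)")


def parse_tls_info(header: str) -> Optional[Dict[str, str]]:
    """Return version/cipher/bits recorded in a Received: header, or None if no TLS was recorded."""
    m = GMAIL_STYLE.search(header)
    if m:
        return m.groupdict()
    m = IRONPORT_STYLE.search(header)
    if m:
        # IronPort records only the suite name; version and key size are not in the header.
        return {"version": "unknown", "cipher": m.group("cipher"), "bits": "unknown"}
    return None


def assess_cipher(cipher: str) -> List[str]:
    """Return the weaknesses of an OpenSSL-style suite name; empty list means nothing flagged."""
    findings: List[str] = []
    if "RC4" in cipher:
        findings.append("RC4 (prohibited for TLS by RFC 7465)")
    if "DES" in cipher:  # covers DES-CBC3-SHA (3DES) and single DES
        findings.append("DES/3DES")
    if "NULL" in cipher or cipher.startswith("EXP"):
        findings.append("NULL or export-grade suite")
    if cipher.endswith("-MD5"):
        findings.append("MD5 MAC")
    if not (cipher.startswith("ECDHE-") or cipher.startswith("DHE-")):
        findings.append("no forward secrecy")
    return findings


def audit(headers: List[str]) -> List[Dict[str, object]]:
    """Classify each header: negotiated cipher, TLS version and the list of findings."""
    results: List[Dict[str, object]] = []
    for header in headers:
        info = parse_tls_info(header)
        if info is None:
            results.append({"cipher": None, "version": None, "findings": ["no TLS negotiated"]})
            continue
        results.append({
            "cipher": info["cipher"],
            "version": info["version"],
            "findings": assess_cipher(info["cipher"]),
        })
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS):
        status = "OK" if not r["findings"] else "WEAK: " + ", ".join(r["findings"])
        print(f"{(r['cipher'] or '(cleartext)'):28} {status}")
```

Run over a mailbox export, this separates "the peer picked a weak suite" from "no TLS at all", which is the first question to answer before opening a TAC ticket. To watch the negotiation itself without a packet analyzer, `openssl s_client -starttls smtp -connect mx.example.com:25` prints the suite the peer agrees to, and adding `-cipher RC4` (on an OpenSSL build that still ships RC4) shows whether the remote side will accept RC4 when nothing else is offered.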
Looks like RC4 is still present in the 14 ciphers offered in the ClientHello when strong-crypto is enabled. I'll bring this up with dev, it should likely also be removed from the 49 offered with strong-crypto disabled.
Okay, I think the answer is running
execute fips
from the CLI. The fact that it requires a special build and resets the whole configuration is ridiculous though. How about a command like
mta encryption aes128 hash sha256
... or even an option within the GUI that simply changes it rather than all the complexity and disruption that "execute fips" entails. If somebody from the FortiMail development team is reading this, I think this would be worth considering for the next version of software.
Also keep in mind that no matter what you do, both parties have to negotiate the cipher used. I'll check here today on an old FML appliance, but I believe the current versions are FIPS supported. But you can ask support.
fwiw, I got worried when I saw the OP's original post, and I checked a few mail headers and saw none that used RC4 over TLS. I believe this was also struck by a current RFC denying RC4 over TLS connections. I would still raise a support ticket with TAC if you suspect this is an issue.
PCNSE
NSE
StrongSwan