Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
theglossy1
New Contributor

Created on ‎04-29-2015 12:34 PM

Choosing outbound SMTP cipher

I notice that when the FortiMail sends outbound mail, it's using the RC4 cipher: it looks like (version=TLSv1.2 cipher=RC4-SHA bits=128/128) when I view headers for a message sent from the FortiMail. We're using version 5.2. I'm sure it can be set to AES128 or something better, but I'm not sure how to achieve this. Any thoughts?

31287
0 Kudos
2 Solutions
emnoc
Esteemed Contributor III

Created on ‎04-29-2015 02:55 PM

But there's another means . It's called FIPS mode, just be aware of the limits within FIPS mode of operation.

 

execute fips

 

That would be the correct means. I believe  set srtong-crypto does nothing for TLS connections between MTAs.

 

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
6389
0 Kudos
abelio
SuperUser
SuperUser
In response to emnoc

Created on ‎04-29-2015 03:06 PM

emnoc wrote:

 

execute fips

 

Be careful with this; all your current config settings is lost after enter it.

 

Beside of that, it's  valid only if you have installed a FIPS-certified firmware build provided by TAC

 

regards

 

 

regards




/ Abel

View solution in original post

regards / Abel
6389
0 Kudos
17 REPLIES 17
Bromont_FTNT
Staff
Staff

Created on ‎04-29-2015 12:50 PM

try at CLI:

 

config system global

set strong-crypto enable

end

 

 

 

3500
0 Kudos
theglossy1
New Contributor
In response to Bromont_FTNT

Created on ‎04-29-2015 08:49 PM

@Bromont_FTNT: That only sets the administrative interface to stronger crypto, not the outbound MTA. It was already set.

3500
0 Kudos
Bromont_FTNT
Staff
Staff
In response to theglossy1

Created on ‎04-30-2015 04:43 AM

on my system with a test to gmail:

 

With strong-crypto disabled: (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);

 

With strong-crypto enabled:  (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);

 

 

3501
0 Kudos
theglossy1
New Contributor
In response to Bromont_FTNT

Created on ‎04-30-2015 04:57 AM

As I said, that is enabled. However, it refuses to send to Gmail with anything besides RC4, but I sent it to another mailbox I have that I know also accepts TLS messages and this was the header (IPs and hostnames are changed to protect the innocent):

Received: from something.example.com (HELO something.example.com) ([1.1.1.1])
  by sfpop-ironport07.merit.edu with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Apr 2015 07:50:39 -0400
Received: (from [IPv6:::1])
	by something.example.com  with ESMTP id t3UBnu8O015913-t3UBnu8P015913
	for <somebody@a-remote-place.it>; Thu, 30 Apr 2015 06:50:28 -0500

Bingo, AES256-SHA... not bad! So weird why Gmail accepts AES128 from Fortinet, but not from my FortiMail. Oh well... without a packet analyzer (which I don't have handy) or debug logs (which I haven't tried playing with) I can't watch the negotiation happen. Thanks for everybody's help.

3501
0 Kudos
Bromont_FTNT
Staff
Staff
In response to theglossy1

Created on ‎04-30-2015 07:11 AM

 

Looks like RC4 is still present in the 14 ciphers offered in the ClientHello when strong-crypto is enabled. I'll bring this up with dev, it should likely also be removed from the 49 offered with strong-crypto disabled.

 

 

3501
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎04-29-2015 02:55 PM

But there's another means . It's called FIPS mode, just be aware of the limits within FIPS mode of operation.

 

execute fips

 

That would be the correct means. I believe  set srtong-crypto does nothing for TLS connections between MTAs.

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
6390
0 Kudos
abelio
SuperUser
SuperUser
In response to emnoc

Created on ‎04-29-2015 03:06 PM

emnoc wrote:

 

execute fips

 

Be careful with this; all your current config settings is lost after enter it.

 

Beside of that, it's  valid only if you have installed a FIPS-certified firmware build provided by TAC

 

regards

 

 

regards




/ Abel

regards / Abel
6390
0 Kudos
theglossy1
New Contributor

Created on ‎04-29-2015 08:58 PM

Okay, I think the answer is running 

execute fips
from the cli. The fact that it requires a special build and resets the whole configuration is ridiculous though. How about a command like 
mta encryption aes128 hash sha256
... or even an option within the GUI that simply changes it rather than all the complexity and disruption that "execute fips" entails. If somebody from the FortiMail development team is reading this, I think this would be worthy of considering for the next version of software.

3501
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎04-30-2015 02:26 AM

Also keep in mind that no matter what you do,the  both parties have to "Negotiated" the cipher used. I'll check here  today on a old  FML appliance but I believe the  current  versions are  fips supported. But you can ask support.

 

fwiw, I got worried when I seen the OP original post and I check a few mails headers and seen none that used RC4 over TLS. I believe this was also striked by a current  RFC for denying RC4 over TLS connections. I would still raise a support ticket with  TAC if you suspect this is a  issue.

 

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
3501
0 Kudos
Related Posts
View all
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.