Fortigate 110C intercepting the email transactions and changing the SSL certificate
Hello,
I use a Fortigate 110C that intercepts secure email connections.
When I use this command
openssl s_client -connect mydomainname.com:25 -starttls smtp -tls1
I get an answer that Fortigate is the issuer of the SSL.
This is the returned message:
========================================
depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/serialNumber=/fnJusmZ-1IEpS0yEigopu86Q775cIv8/OU=GT64753120/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=mydomainname.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com
 1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com
===========================================================
But when I use it locally, I get the correct issuer (RapidSSL, GeoTrust...), as you can see below:
==================================================
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = /fnJusmZ-1IEpS0yEigopu86Q775cIv8, OU = GT64753120, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = mydomainname.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=/fnJusmZ-1IEpS0yEigopu86Q775cIv8/OU=GT64753120/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=mydomainname.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 2 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
===========================================================
Is there a way to disable this? Does someone know how to solve this?
Please advise,
Yaron
Hi,
You did a NAT port forward to the (internal?) mail server behind the firewall, right?
You switched off any SSL inspection on that policy?
Cheers, Patrick
ylapidot wrote:
Is there a way to disable this? Does someone know how to solve this?
Set this to disable it:
set smtps fragmail no-content-summary
This is an expected behavior if you have enabled deep inspection for smtps.
Complete details:
Hi friends,
I reset the policy and it works fine.
Thank you for your help.
:)
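
Added example, not part of the thread: a check that can be rerun after changing the policy to confirm that the leaf certificate on port 25 is issued by the expected CA rather than re-signed by the firewall. The function names and the trimmed sample outputs are constructed for illustration; the expected-issuer pattern is taken from the local output quoted in the first post.

```shell
#!/bin/sh
# Added example: read `openssl s_client` output and report who issued the
# leaf certificate, to spot a middlebox re-signing SMTP STARTTLS sessions.

# Print the issuer DN of certificate 0 (the "i:" line after " 0 s:").
leaf_issuer() {
    awk '
        /^Certificate chain/          { in_chain = 1; next }
        in_chain && /^ *0 s:/         { want = 1; next }
        in_chain && want && /^ *i:/   { sub(/^ *i:/, ""); print; exit }
    '
}

# check_issuer EXPECTED_REGEX: 0 = expected CA, 1 = other issuer, 2 = no chain.
check_issuer() {
    issuer=$(leaf_issuer)
    if [ -z "$issuer" ]; then
        echo "UNKNOWN: no certificate chain in input"; return 2
    fi
    if printf '%s\n' "$issuer" | grep -Eq "$1"; then
        echo "OK: leaf issued by $issuer"; return 0
    fi
    echo "RE-SIGNED: leaf issued by $issuer"; return 1
}

# Constructed samples, trimmed from the two outputs quoted in the thread.
sample_outside() {
    cat <<'EOF'
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/OU=GT64753120/CN=mydomainname.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com
 1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com
EOF
}
sample_local() {
    cat <<'EOF'
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
---
Certificate chain
 0 s:/OU=GT64753120/CN=mydomainname.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
EOF
}

# Offline demo; for a live check, pipe the thread's s_client command
# (with </dev/null 2>/dev/null) into: check_issuer 'CN=RapidSSL CA'
sample_local   | check_issuer 'CN=RapidSSL CA' || true
sample_outside | check_issuer 'CN=RapidSSL CA' || true
```

Running the live check from outside the firewall and again from the local network gives the same comparison the first post made by eye.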
