Hello guys,
We need to enforce TLS to a specific domain and verify a specific certificate. We have a mail from that partner in which he gave us his TLS certificate CN, TLS certificate issuer CA and a link to download the root CA (it's a public CA).
So we must now configure TLS for that specific domain.
Should it be done this way?
Go to Access Policy > Delivery > create new > sender pattern * > recipient pattern "*domain of the partner" > TLS Profile > Secure.
But on this TLS Secure level profile there are so many possible options, and you have to import a CA first.
So we should import that root public CA into FortiMail and then choose it there?
What should we write in Check CA Issuer? It's a Verisign CA; will it be OK if we choose "Contain" + "Verisign"?
What does the Certificate Subject mean? Is that the certificate CN? The domain of our partner?
Does someone already have experience with such a setup?
Thank you
NSE 8
NSE 1 - 7
Hi Holy
briefly:
- import the CA certificate that signed your partner's certificate (system->certificate->CA certificate). Important: if you are dealing with a big CA, also import all the intermediate certificates to prevent anything strange in the trust chain
- create a TLS profile choosing Secure as the TLS level option (profile->security->TLS)
  Check CA Issuer matching your CA
  If you also need to match the certificate subject, verify the strings involved
  Also check the encryption strength with your partner, default minimum 256
- create a delivery message rule in order to match the desired traffic.
  policy->access rule->delivery
  sender pattern: as you need
  recipient pattern: *@your_partner_domain
  TLS profile: the one you set before
Then, all mails delivered to *@your_partner_domain will be delivered through TLS, verifying the server certificate
(and failing to deliver if that verification doesn't happen).
I hope it helps
regards
/ Abel
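To confirm before (or after) the FortiMail rule goes live that the partner's server actually presents a certificate that passes the Secure profile's checks, here is an added example, not from the original thread and not FortiMail code. It uses Python's standard library only; the hostname, CA file and the expected CN / issuer string are assumptions you replace with the values from the partner's mail, and the Contain check is implemented as a case-insensitive substring match (my choice, not a statement about how FortiMail compares).

```python
import smtplib
import ssl


def rdn_value(name, attr):
    """Return the first value of `attr` from a getpeercert()-style name
    (a tuple of RDNs, each RDN a tuple of (attribute, value) pairs)."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def check_peer_cert(cert, expected_cn, issuer_contains):
    """Apply the two profile checks from the thread: subject CN must equal
    the partner's CN, and the issuer must contain the expected CA string.
    Returns (ok, list_of_reasons); reasons is empty when everything matches."""
    reasons = []
    cn = rdn_value(cert.get("subject", ()), "commonName")
    if cn != expected_cn:
        reasons.append(f"subject CN {cn!r} != expected {expected_cn!r}")
    issuer_text = " ".join(v for rdn in cert.get("issuer", ()) for _, v in rdn)
    if issuer_contains.lower() not in issuer_text.lower():  # assumed 'Contain' semantics
        reasons.append(f"issuer {issuer_text!r} does not contain {issuer_contains!r}")
    return (not reasons, reasons)


def verify_partner_smtp(host, cafile, expected_cn, issuer_contains, port=25):
    """Open SMTP, STARTTLS with chain + hostname validation against `cafile`
    (root and intermediates), then apply the CN / issuer checks above."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)  # raises ssl.SSLError if the chain does not validate
        return check_peer_cert(smtp.sock.getpeercert(), expected_cn, issuer_contains)


# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns,
# so the matching logic can be exercised without a network connection.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.partner.example"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "VeriSign, Inc."),),
               (("commonName", "Example Public Server CA"),)),
}

if __name__ == "__main__":
    print(check_peer_cert(SAMPLE_CERT, "mail.partner.example", "Verisign"))
    # live check (assumed values): verify_partner_smtp("mx.partner.example", "root_ca.pem",
    #                                                  "mail.partner.example", "Verisign")
```

The live call fails with an SSLError when the chain cannot be built from the imported CA file, which is the same condition under which the Secure profile would refuse delivery.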
And another question.
How can I change our own certificate that should be used for TLS?
I have to import the certificate in .pfx format, but how can I configure that certificate to be used for TLS now?
Thank you
NSE 8
NSE 1 - 7
Hello,
Thank you very much. That works now :)
NSE 8
NSE 1 - 7