Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Holy
Contributor

Using TLS level Secure

Hello guys,

We should enforce TLS to a specific domain and verify a specific certificate. We have a mail from that partner; he gave us his TLS certificate CN, TLS certificate issuer CA and a link to download the root CA (it's a public CA).

So we must now configure TLS for that specific domain.

Should it be done this way?

Going to Access Policy > Delivery > create new > sender pattern * > recipient pattern "*domain of the partner" > TLS Profile > Secure.

But on this TLS Secure level profile there are so many possible options, and you have to import a CA first.

So we should import that public root CA into FortiMail and then choose it there?

What should we write in Check CA Issuer? It's a Verisign CA; will it be OK if we choose "Contain" + "Verisign"?

What does the Certificate Subject mean? Is that the certificate CN? The domain of our partner?

Does someone already have experience with such a setup?

Thank you

NSE 8 

NSE 1 - 7
1 Solution
abelio

Hi Holy

Briefly:

- Import the CA certificate that signed your partner's certificate (system->certificate->CA certificate). Important: if you are dealing with a big CA, also import all the intermediate certificates to prevent anything strange in the trust chain.

- Create a TLS profile choosing Secure as the TLS level option (profile->security->TLS).
  Check CA Issuer matching your CA.
  If you also need to match the certificate subject, verify the strings involved.
  Also check the encryption strength with your partner; default minimum 256.

- Create a delivery message rule in order to match the desired traffic:
  policy->access rule->delivery
  Sender pattern: as you need
  Recipient pattern: *@your_partner_domain
  TLS profile: the one you set before

Then all mails delivered to *@your_partner_domain will be delivered through TLS, verifying the server certificate (and failing to deliver if that verification doesn't happen).

I hope it helps

regards

/ Abel
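A preflight you can run before switching the rule to the Secure profile, as an added example that is not FortiMail's code or Abel's; it applies the same three checks the profile enforces (chain to the imported CA only, issuer contains the configured string, subject CN or SAN equals the CN the partner gave). The MX host name, CA file path and the sample certificate are assumptions; `check_peer_cert` runs offline on the constructed sample, `probe_partner_mx` needs a live STARTTLS connection.

```python
"""Preflight for a FortiMail TLS profile at level Secure (added example, not
FortiMail's or the poster's code): the partner cert must chain to the
imported CA only, its issuer must contain the configured string, and its
subject CN (or a DNS SAN) must equal the CN the partner supplied."""
import smtplib
import ssl

def _dn_to_dict(rdns):
    """Flatten the getpeercert() DN layout ((('k', 'v'),), ...) into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def check_peer_cert(cert, issuer_contains, subject_cn):
    """Apply the profile's string checks to a getpeercert() dict.
    Returns (ok, reasons); empty reasons means the profile would accept it."""
    issuer = _dn_to_dict(cert.get("issuer", ()))
    subject = _dn_to_dict(cert.get("subject", ()))
    reasons = []
    # 'Check CA Issuer: Contain' modelled as a case-insensitive substring
    # match over the whole issuer DN (assumption about FortiMail's matching).
    if issuer_contains.lower() not in " ".join(issuer.values()).lower():
        reasons.append(f"issuer {issuer} does not contain {issuer_contains!r}")
    # 'Certificate Subject' is the CN the partner gave, not the mail domain;
    # accept it as the subject CN or as a DNS SAN.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if subject.get("commonName") != subject_cn and subject_cn not in sans:
        reasons.append(f"subject {subject} / SAN {sans} do not match {subject_cn!r}")
    return not reasons, reasons

def probe_partner_mx(mx_host, cafile, issuer_contains, subject_cn, port=25):
    """Live check against the partner MX (host name and CA path are assumptions).
    Only the CA file you imported into FortiMail is trusted here, so a broken
    chain raises ssl.SSLCertVerificationError just as delivery would fail."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(mx_host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # verifies chain and MX host name
        cert = smtp.sock.getpeercert()
    return check_peer_cert(cert, issuer_contains, subject_cn)

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Verisign Example CA"),),
               (("commonName", "Example Secure Server CA"),)),
    "subject": ((("commonName", "mail.partner.example"),),),
    "subjectAltName": (("DNS", "mail.partner.example"),
                       ("DNS", "mx2.partner.example")),
}

if __name__ == "__main__":
    print(check_peer_cert(SAMPLE_CERT, "Verisign", "mail.partner.example"))
```

For the live probe, pass only the root and intermediates you actually imported into FortiMail as `cafile`, so the chain result matches what the appliance will see.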

Holy
Contributor

And another question.

How can I change our own certificate that should be used for TLS?

I have to import the certificate in .pfx format, but how can I configure that certificate to be used for TLS now?

Thank you

NSE 8 

NSE 1 - 7
Holy

Hello,

Thank you very much. That works now :)

NSE 8 

NSE 1 - 7