Hello,
we are in trouble with a certificate error delivering mail.
Our delivery chain is Exchange Servers -> Load Balancer -> FortiMail -> Outside.
Incoming emails are correctly verified with TLS 1.2 and I have verify=OK, but when we send out we have this message:
STARTTLS=server, cert-subject=/CN=NAMEEXC01, cert-issuer=/CN=NAMEEXC01, verifymsg=unable to get local issuer certificate
STARTTLS=server, relay=[NAMEEXC01_IP], version=TLSv1.2, verify=CAFAIL, cipher=ECDHE-RSA-AES256-SHA384, bits=256/256
The message is the same for all of our 4 Exchange Servers that relay to FortiMail.
I tried to import the local NAMEEXC certificates from the 4 servers into FortiMail, but the message still appears.
Has anyone had the same issue, or can someone help me?
Thanks.
M
I once had the same issue, but tried talking to the Exchange team to apply a cert other than the self-signed one; then removing the self-signed cert should deal with this.
I, however, stumbled upon another issue where FortiMail complains that my cert is "unsupported certificate purpose"... I am using an internal Windows CA to generate and sign the certificate for STARTTLS:
STARTTLS=server, cert-subject=/C=/ST=/L=/O=/OU=/CN=*.domain.com, cert-issuer=/DC=com/DC=domain/CN=ca, verifymsg=unsupported certificate purpose
The other way around (FortiMail delivering email to Exchange) does not have the same issue.
Has anyone dealt with the problem before?
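An added example, not part of the posts above and not Fortinet code: a small Python triage of the STARTTLS log lines quoted in this thread. It assumes the sendmail logging convention (STARTTLS=server means the logging MTA verified the certificate presented by the connecting relay); the labels and advice strings are hypothetical.

```python
import re

# Constructed sample: the three log lines quoted in the thread above.
SAMPLE_LOG = """\
STARTTLS=server, cert-subject=/CN=NAMEEXC01, cert-issuer=/CN=NAMEEXC01, verifymsg=unable to get local issuer certificate
STARTTLS=server, relay=[NAMEEXC01_IP], version=TLSv1.2, verify=CAFAIL, cipher=ECDHE-RSA-AES256-SHA384, bits=256/256
STARTTLS=server, cert-subject=/C=/ST=/L=/O=/OU=/CN=*.domain.com, cert-issuer=/DC=com/DC=domain/CN=ca, verifymsg=unsupported certificate purpose
"""

# Fields are "key=value" joined by ", "; DN values themselves contain "=".
FIELD_RE = re.compile(r"([A-Za-z-]+)=(.*?)(?=, [A-Za-z-]+=|$)")

# Hypothetical triage labels (not FortiMail output) and what to check next.
ADVICE = {
    "self-issued-untrusted": "subject equals issuer and no trusted issuer was "
        "found: use a CA-issued certificate on the relay",
    "issuer-ca-missing": "issuing CA is not in the verifier's trust store: "
        "import the CA chain, not the leaf certificate",
    "eku-mismatch": "certificate purpose does not cover this role: the relay "
        "connects as a TLS client, so inspect its Extended Key Usage",
    "ca-verify-failed": "chain validation failed: see the verifymsg line",
}

def parse(line):
    """Split one STARTTLS log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line.strip()))

def triage(line):
    """Return a triage label for a failing server-side line, else None."""
    f = parse(line)
    if f.get("STARTTLS") != "server":   # only peer-certificate checks
        return None
    msg = f.get("verifymsg", "")
    if msg == "unable to get local issuer certificate":
        same = f.get("cert-subject") == f.get("cert-issuer")
        return "self-issued-untrusted" if same else "issuer-ca-missing"
    if msg == "unsupported certificate purpose":
        return "eku-mismatch"
    if f.get("verify") == "CAFAIL":
        return "ca-verify-failed"
    return None

def triage_log(text):
    """Triage every line of a log excerpt, skipping lines with no finding."""
    return [(t, ADVICE[t]) for t in map(triage, text.splitlines()) if t]

if __name__ == "__main__":
    for label, advice in triage_log(SAMPLE_LOG):
        print(f"{label}: {advice}")
```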