Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Joel_Fagnant
New Contributor

Fortimail: mail rejected because of unknown SSL protocol

Hi everybody,

I'm pretty new with FortiMail but I got an issue with an external sender: every time he tries to send us a mail, the communication is cut off by our FortiMail right after the STARTTLS.

When looking up in the "mail event" log, it says something about an unknown SSL protocol.

Have you ever encountered this situation? Is there something to do on our side or does the sender have a security issue?

Here is the log error:

 

STARTTLS=server, error: accept failed=-1, reason=unknown protocol, SSL_error=1, errno=0, retry=-1, relay=mail.uni-media.be [194.78.234.25]

 

 

Thank you for your help,

Joel

1 Solution
Carl_Windsor_FTNT

Running the following:

openssl s_client -connect mail.uni-media.be:25 -starttls smtp

shows that the server only supports TLSv1.0, so I assume that you are running FortiMail 6.0.0? In this release we "set strong-crypto enable" by default, which disabled TLS 1.0 for email, but we found this to be too restrictive (some Exchange 2010 servers still require this). We changed the defaults in 6.0.1, so try to upgrade to 6.0.1 or later.

 

If you upgrade, you can leave "set strong-crypto enable" and just modify the mail protocol to include TLS1.0 under config system security crypto.

 

Dr. Carl Windsor Field Chief Technology Officer Fortinet
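An added diagnostic script (not Fortinet's code, and not posted by anyone in this thread) that does two things from the defender's side: it parses the mail-event line quoted in the question into its fields, and it repeats Carl's openssl s_client check one TLS version at a time against the relay host, so you can see exactly which versions the sender's MTA offers before deciding whether to relax strong-crypto. The sample log line is copied from the question; the function names and the `SECLEVEL=0` cipher string (used only so that the local OpenSSL does not refuse legacy versions before the remote side gets a chance to) are my own choices.

```python
"""Probe which TLS versions a remote SMTP server accepts after STARTTLS.

Added example, not FortiMail or Fortinet code. It mirrors the check
`openssl s_client -connect host:25 -starttls smtp`, once per TLS version,
and parses the FortiMail mail-event line from the question above.
"""
import smtplib
import ssl
import sys

# Constructed copy of the log line quoted in the question (parsing input only).
SAMPLE_LOG = ("STARTTLS=server, error: accept failed=-1, reason=unknown protocol, "
              "SSL_error=1, errno=0, retry=-1, relay=mail.uni-media.be [194.78.234.25]")

# TLS versions to try, oldest first; the FortiMail default in 6.0.0 rejected the first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_starttls_event(line: str) -> dict:
    """Split a FortiMail STARTTLS event line into its comma-separated key=value pairs."""
    fields = {}
    for token in line.split(", "):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def relay_host(fields: dict) -> str:
    """Return the hostname from a 'relay=host [ip]' field, without the bracketed IP."""
    return fields.get("relay", "").split()[0] if fields.get("relay") else ""


def context_for(version_name: str) -> ssl.SSLContext:
    """Build a client context pinned to exactly one TLS version.

    Certificate verification is disabled on purpose: we are testing protocol
    support, not trust, so a self-signed MTA certificate must not mask the result.
    """
    version = VERSIONS[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Let the local library offer legacy suites; otherwise OpenSSL 3 refuses
        # TLS 1.0/1.1 itself and the probe would report a local, not remote, failure.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and some builds do not understand SECLEVEL; proceed anyway
    return ctx


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Return {version_name: 'accepted (...)' or 'rejected: ...'} for the remote MTA."""
    results = {}
    for name in VERSIONS:
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                if not smtp.has_extn("starttls"):
                    return {n: "no STARTTLS advertised" for n in VERSIONS}
                smtp.starttls(context=context_for(name))
                results[name] = "accepted (%s)" % smtp.sock.version()
        except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
            results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    # Usage: python probe.py [host]; defaults to the relay named in the sample log line.
    target = sys.argv[1] if len(sys.argv) > 1 else relay_host(parse_starttls_event(SAMPLE_LOG))
    for version_name, outcome in probe_starttls(target).items():
        print("%-8s %s" % (version_name, outcome))
```

If only the TLSv1.0 row is "accepted" and the others are rejected, the sender's MTA is the limiting side, which is the situation the accepted answer describes; if TLSv1.2 is accepted, the rejection in the FortiMail log has a different cause and relaxing strong-crypto will not help.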


4 REPLIES 4

Joel_Fagnant

Thanks for your answer Carl! Indeed we're in version 6.0.0 ... we intend to go full HA very soon, we'll do the update at that time (if no one else experiences the issue again).

 

Thanks again,

Joel

emnoc
Esteemed Contributor III

Or use an SMTP domain checker if you don't have openssl or are on a system that does not have it

 

https://luxsci.com/smtp-tls-checker

 

PCNSE NSE StrongSwan
Carl_Windsor_FTNT

If you do experience the issue before you upgrade, you can do the following:

 

config system global
    set strong-crypto disable
end

 

....but be aware this also allows TLS1.0 for the Web UI (but you can specifically modify this under config system security crypto).

 

Carl

 

Dr. Carl Windsor Field Chief Technology Officer Fortinet
