Secure Email Gateway


FortiMail STARTTLS

  Thread closed by the administrator, not accepting new replies.
  • 1.  FortiMail STARTTLS

    Posted Aug 08, 2020 01:11 AM
    No replies, thread closed.
    Hi community,

    I'm trying to set up STARTTLS between FortiMail and internal Exchange servers, using a wildcard cert (*.domain.com) signed by a CA. Mail flow is as below:

    exch.domain.com > fml.domain.com > outside

    Whenever mail is coming from outside, FortiMail happily forwards email to the Exchange server with STARTTLS successfully negotiated (according to the logs). However, when mail is sent outbound from the internal Exchange server, FortiMail complains that the certificate is of "unsupported certificate purpose".

    Being new to FortiMail (and mail security gateways) as I am, how do I start troubleshooting this issue?

    Thanks in advance.


  • 2.  RE: FortiMail STARTTLS

    Posted Aug 11, 2020 06:12 AM
    Hi Tuan,

    It sounds like a cert issue; you can double-check the keyUsage and extendedKeyUsage of the cert.


  • 3.  RE: FortiMail STARTTLS

    Posted Aug 12, 2020 02:09 AM
    Hi Jiajie,

    Thanks for your reply. The key usages are Digital Signature and Key Encipherment. The extended key usages are Server Authentication and Client Authentication.

    Regards,
    Tuan


  • 4.  RE: FortiMail STARTTLS
    Best Answer

    Posted Aug 14, 2020 07:35 PM
    Hi Tuan,

    This is the result for the factory cert in FortiMail; you can compare it with the one being used:
    $ openssl x509 -in Factory.cer -purpose -noout -text
    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : Yes
    S/MIME signing CA : No
    S/MIME encryption : Yes
    S/MIME encryption CA : No
    CRL signing : Yes
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No
    Time Stamp signing : No
    Time Stamp signing CA : No
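The comparison suggested in the best answer can be scripted so that the two purpose lines an SMTP relay actually depends on ("SSL server" for accepting STARTTLS, "SSL client" for initiating it) are checked directly. The script below is an added example written for this thread, not code from the thread, from Fortinet or from FortiMail. It generates two throwaway self-signed certificates with a constructed CN (*.example.test) purely to have something to compare: one carrying both serverAuth and clientAuth, one carrying clientAuth only, which is a shape that `openssl x509 -purpose` reports as "SSL server : No". The function names (`make_test_cert`, `cert_purpose_flag`, `cert_ext`, `check_smtp_tls_cert`) are this example's own; `-ext` on `openssl x509` needs OpenSSL 1.1.1 or later. To check a real certificate, call `check_smtp_tls_cert /path/to/your.pem`.

```shell
#!/bin/sh
# Added example (not from the forum thread): report whether a certificate is
# usable for TLS server and TLS client authentication, using the same
# `openssl x509 -purpose` output shown in the best answer above.
# The certificates, CN and file names below are constructed for the demo.
set -eu

# Generate a throwaway self-signed cert whose extendedKeyUsage is given as $2
# (e.g. "serverAuth, clientAuth"). An inline config is used so the result does
# not depend on whatever the system openssl.cnf adds by default.
make_test_cert() {
    cert="$1"; eku="$2"
    cfg="$(mktemp)"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = *.example.test
[ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${cert%.pem}.key" -out "$cert" -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg"
}

# Print "Yes" or "No" for one purpose line of `openssl x509 -purpose`.
# $1 = PEM file, $2 = purpose name exactly as openssl prints it, e.g. "SSL server".
# The exact match on $1 keeps "SSL server CA" and "Netscape SSL server" apart.
cert_purpose_flag() {
    openssl x509 -in "$1" -purpose -noout \
        | awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

# Print the raw text of one extension (keyUsage or extendedKeyUsage) so the
# values can be read alongside the derived purpose flags.
cert_ext() {
    openssl x509 -in "$1" -noout -ext "$2"
}

# An SMTP relay acts as TLS server when it accepts STARTTLS and as TLS client
# when it initiates it, so both purposes must be "Yes" for one cert to cover
# both directions. Prints a summary line; returns 0 if both are Yes, else 1.
check_smtp_tls_cert() {
    srv="$(cert_purpose_flag "$1" "SSL server")"
    cli="$(cert_purpose_flag "$1" "SSL client")"
    printf '%s: SSL server=%s SSL client=%s\n' "$1" "$srv" "$cli"
    [ "$srv" = "Yes" ] && [ "$cli" = "Yes" ]
}

# Demo run on two constructed certificates.
work="$(mktemp -d)"
make_test_cert "$work/both.pem" "serverAuth, clientAuth"
make_test_cert "$work/client_only.pem" "clientAuth"
cert_ext "$work/both.pem" extendedKeyUsage
cert_ext "$work/client_only.pem" extendedKeyUsage
check_smtp_tls_cert "$work/both.pem"                 # SSL server=Yes SSL client=Yes
check_smtp_tls_cert "$work/client_only.pem" || true  # SSL server=No  SSL client=Yes
```

Run against the production certificate, the summary line shows at a glance whether the purpose reported as missing is a property of the certificate itself; if both flags are "Yes" there, the problem is elsewhere in the chain or in which certificate the gateway actually selects for that direction.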