Secure Email Gateway

Hi community,

I'm trying to setup STARTTLS between FortiMail and internal Exchange servers, using wildcard cert (*.domain.com) signed by a CA. Mail flow is like below:

exch.domain.com > fml.domain.com > outside

Whenever mail is coming from outside, FortiMail happily forwards email to the Exchange server with STARTTLS successfully negotiated (according to the logs). However, when mail is sent outbound from the internal Exchange server, FortiMail complains that the certificate is of "unsupported certificate purpose".

Being new to FortiMail (and mail security gateway) as I am, how do I start troubleshoot this issue?

Thanks in advance.

Hi Tuan,

It sounds like a cert issue, you can double check keyUsage and extendedKeyUsage of the cert.
Original Message:
Sent: Aug 08, 2020 01:10 AM
From: Tuan Nguyen
Subject: FortiMail STARTTLS

Hi community,

I'm trying to setup STARTTLS between FortiMail and internal Exchange servers, using wildcard cert (*.domain.com) signed by a CA. Mail flow is like below:

exch.domain.com > fml.domain.com > outside

Whenever mail is coming from outside, FortiMail happily forwards email to the Exchange server with STARTTLS successfully negotiated (according to the logs). However, when mail is sent outbound from the internal Exchange server, FortiMail complains that the certificate is of "unsupported certificate purpose".

Being new to FortiMail (and mail security gateway) as I am, how do I start troubleshoot this issue?

Thanks in advance.

Hi Jiajie,

Thanks for your reply. The key usage are Digital Signature and Key Encipherment. The extended key usage are Server Authentication and Client Authentication

Regards,
Tuan
Original Message:
Sent: Aug 11, 2020 06:11 AM
From: Jiajie Chen
Subject: FortiMail STARTTLS

Hi Tuan,

It sounds like a cert issue, you can double check keyUsage and extendedKeyUsage of the cert.
Original Message:
Sent: Aug 08, 2020 01:10 AM
From: Tuan Nguyen
Subject: FortiMail STARTTLS

Hi community,

I'm trying to setup STARTTLS between FortiMail and internal Exchange servers, using wildcard cert (*.domain.com) signed by a CA. Mail flow is like below:

exch.domain.com > fml.domain.com > outside

Whenever mail is coming from outside, FortiMail happily forwards email to the Exchange server with STARTTLS successfully negotiated (according to the logs). However, when mail is sent outbound from the internal Exchange server, FortiMail complains that the certificate is of "unsupported certificate purpose".

Being new to FortiMail (and mail security gateway) as I am, how do I start troubleshoot this issue?

Thanks in advance.

Hi Tuan,

This is the result of Factory cert in FortiMail, you can do a comparison with the one being used
$ openssl x509 -in Factory.cer -purpose -noout -text
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Original Message:
Sent: Aug 12, 2020 02:09 AM
From: Tuan Nguyen
Subject: FortiMail STARTTLS

Hi Jiajie,

Thanks for your reply. The key usage are Digital Signature and Key Encipherment. The extended key usage are Server Authentication and Client Authentication

Regards,
Tuan
Original Message:
Sent: Aug 11, 2020 06:11 AM
From: Jiajie Chen
Subject: FortiMail STARTTLS

Hi Tuan,

It sounds like a cert issue, you can double check keyUsage and extendedKeyUsage of the cert.
Original Message:
Sent: Aug 08, 2020 01:10 AM
From: Tuan Nguyen
Subject: FortiMail STARTTLS

Hi community,

I'm trying to setup STARTTLS between FortiMail and internal Exchange servers, using wildcard cert (*.domain.com) signed by a CA. Mail flow is like below:

exch.domain.com > fml.domain.com > outside

Whenever mail is coming from outside, FortiMail happily forwards email to the Exchange server with STARTTLS successfully negotiated (according to the logs). However, when mail is sent outbound from the internal Exchange server, FortiMail complains that the certificate is of "unsupported certificate purpose".

Being new to FortiMail (and mail security gateway) as I am, how do I start troubleshoot this issue?

Thanks in advance.