Appendix E: Working with TLS/SSL : FortiMail support of TLS/SSL : TLS profile
TLS profile
The default TLS/SSL behavior of the FortiMail unit may not meet your specific requirements. To add flexibility, the FortiMail unit supports TLS profiles. This document uses FortiMail v4.1 as the example.
TLS profiles let you selectively enable or disable TLS for specific recipient patterns, IP subnets, and so on. A common use of TLS profiles is to enforce TLS transport to a specific domain and to verify the certificates presented by that domain's receiving servers.
To configure a TLS profile, go to Profile > Security > TLS.
The TLS level option has four choices that you need to understand to configure this feature.
Figure 151: Configuring TLS profile
 
None
Disables TLS. Depending on the direction in which the TLS profile is applied, the FortiMail unit either does not accept the STARTTLS command from the connecting client (receiving direction) or never issues STARTTLS to the receiving MTA, even when that MTA advertises it (delivering direction).
Preferred
This is the default behavior (opportunistic TLS). Whether the session is encrypted depends on the other party: TLS is used when the peer offers or requests STARTTLS, and the session otherwise proceeds in cleartext. Because encryption is never required, this level does not protect against an active attacker who strips the STARTTLS advertisement from the session; delivery simply continues in plaintext.
Encrypt
Enforces TLS encryption but not certificate validation. A server certificate that fails validation does not cause delivery to fail, as long as the TLS handshake itself completes. In other words, this option only guarantees that the message is encrypted in transit; it does not verify the identity of the receiving server, so a man-in-the-middle presenting any certificate would still be accepted.
Secure
Enforces both TLS encryption and server certificate validation. If the server certificate fails validation, mail delivery fails, and the Action on failure option below determines how the failure is handled.
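Before switching a destination domain's TLS profile from Preferred to Encrypt or Secure, it is worth checking how that domain's MX hosts actually behave: whether they advertise STARTTLS, whether a handshake completes, and whether the certificate validates against a public trust store. The following is an added example, not FortiMail code or configuration. It models the four TLS levels described above as a decision over those three observations and includes a stdlib-only probe that collects them from a live server. The hostname mail.example.com is a placeholder, and the handling of an advertised-but-failed handshake under Preferred is an assumption, since the page does not state what FortiMail does in that case.

```python
"""Probe a receiving MTA and show how each FortiMail TLS level would treat it.

Added example (not FortiMail code). decide() mirrors the documented
semantics of the four TLS levels; probe_mta() gathers the observations
decide() needs from a real SMTP server (network access required).
"""
import smtplib
import ssl
from dataclasses import dataclass
from enum import Enum


class TlsLevel(Enum):
    NONE = "none"
    PREFERRED = "preferred"
    ENCRYPT = "encrypt"
    SECURE = "secure"


@dataclass(frozen=True)
class Probe:
    starttls_advertised: bool  # EHLO response listed STARTTLS
    handshake_ok: bool         # a TLS handshake completed with *some* certificate
    cert_valid: bool           # chain and hostname verified against the trust store


def decide(level: TlsLevel, p: Probe) -> str:
    """Return 'plaintext', 'encrypted' or 'fail' for this level and probe.

    None never starts TLS. Preferred uses TLS only when the peer offers it and
    otherwise falls back to cleartext. Encrypt requires a completed handshake
    but ignores certificate validation. Secure requires both. A 'fail' result
    is what the profile's 'Action on failure' option then acts on.
    """
    if level is TlsLevel.NONE:
        return "plaintext"
    if level is TlsLevel.PREFERRED:
        if not p.starttls_advertised:
            return "plaintext"
        # Assumption: the page does not say how FortiMail handles a peer that
        # advertises STARTTLS but then fails the handshake; report it as a
        # failure here so the operator sees it rather than hiding it.
        return "encrypted" if p.handshake_ok else "fail"
    if level is TlsLevel.ENCRYPT:
        return "encrypted" if p.handshake_ok else "fail"
    return "encrypted" if (p.handshake_ok and p.cert_valid) else "fail"


def _try_starttls(host: str, port: int, timeout: float, ctx: ssl.SSLContext) -> bool:
    """One SMTP session: EHLO, then STARTTLS with the given context. True on success."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False
            smtp.starttls(context=ctx)   # hostname check uses the connected host
            return True
    except (smtplib.SMTPException, OSError):  # ssl.SSLError is an OSError subclass
        return False


def probe_mta(host: str, port: int = 25, timeout: float = 10.0) -> Probe:
    """Collect the three observations decide() needs from a live MTA."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            advertised = smtp.has_extn("starttls")
    except (smtplib.SMTPException, OSError):
        return Probe(False, False, False)
    if not advertised:
        return Probe(False, False, False)

    strict = ssl.create_default_context()   # verifies chain and hostname (Secure)
    lenient = ssl.create_default_context()
    lenient.check_hostname = False
    lenient.verify_mode = ssl.CERT_NONE     # any certificate accepted (Encrypt)

    cert_valid = _try_starttls(host, port, timeout, strict)
    handshake_ok = cert_valid or _try_starttls(host, port, timeout, lenient)
    return Probe(True, handshake_ok, cert_valid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder MX
    result = probe_mta(target)
    print(result)
    for level in TlsLevel:
        print(f"{level.value:>9}: {decide(level, result)}")
```

Run it against each MX host of the destination domain (port 25, from a host that is allowed to make outbound SMTP connections). A result of "fail" under Secure but "encrypted" under Encrypt means the remote certificate does not validate for that hostname, which is exactly the case where enforcing Secure would stop mail flow.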
The Action on failure option has two choices: Temporarily Fail and Fail.
 
Temporarily Fail
If a TLS session cannot be established, the FortiMail unit defers the message with a temporary failure and retries later. No DSN (delivery status notification) is sent back to the sender.
Fail
If a TLS session cannot be established, the FortiMail unit fails the mail delivery immediately and sends a DSN back to the sender to report the failure.