Appendix E: Working with TLS/SSL : FortiMail support of TLS/SSL : Example
Example
This example shows how to enforce TLS on a specific domain and verify the validity of the receiving server certificate.
Scenario
All emails to example.mil have to be encrypted with TLS, and the FortiMail unit needs to verify the certificate of the receiving server to defend against email server spoofing and man-in-the-middle attacks. If certificate validation fails, the FortiMail unit will not deliver emails to that server, example.mil.
To verify the certificate of the receiving server and apply the TLS profile
1. Import the server CA certificate.
Add the certificate of the CA that issued the server certificate to the FortiMail unit. If more than one level of CA was used, import all intermediate and root CA certificates to the FortiMail unit. Any missing CA certificate breaks the chain of trust and causes certificate validation to fail.
2. Create a TLS profile.
Select Secure for TLS level. Enable Check CA issuer and select the CA from the drop-down list. If the certificate subject also needs to be verified, select Check certificate subject and configure the substring that must appear in the subject of the server certificate. Minimum encryption strength can be configured if needed. If any check enabled in the profile fails, the TLS session fails and email is not delivered to the destination domain.
3. Create a delivery policy and apply the profile.
Apply the newly created TLS profile in the delivery policy by going to Policy > Access Control > Delivery.
From now on, all emails from the FortiMail unit to example.mil will be delivered through TLS and the server certificate will be verified. If certificate validation fails, the FortiMail unit will not deliver emails to example.mil.
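To see why step 1 requires every intermediate CA, the following added example (not part of the FortiMail documentation or product) builds a constructed two-level PKI with openssl and validates the server certificate the way the TLS profile does: once with only the root CA in the trust store, once with the full chain, and once with a subject that does not match. The CA names and the host name mail.example.mil are assumptions for the example.

```shell
#!/bin/sh
# Constructed PKI: Example Root CA -> Example Issuing CA -> mail.example.mil.
# All names are illustrative; nothing here is real infrastructure.
set -e
WORK=$(mktemp -d)
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.mil\n' > leaf.ext

# newcsr: generate an EC key and a CSR. $1 = file stem, $2 = common name
newcsr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
newcsr root "Example Root CA"
newcsr inter "Example Issuing CA"
newcsr leaf "mail.example.mil"

# Root is self-signed, the intermediate is signed by the root,
# and the receiving server's certificate is signed by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 1 -set_serial 1 \
  -extfile ca.ext -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -days 1 -set_serial 2 \
  -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -days 1 -set_serial 3 \
  -extfile leaf.ext -out leaf.pem 2>/dev/null

# Trust store with every CA in the chain, as step 1 asks for.
cat root.pem inter.pem > full_chain.pem

# verify_server: $1 = trust store (the CA certificates imported on the unit),
# $2 = host name expected in the certificate (the "Check certificate subject" idea).
# Returns 0 when the server certificate validates, non-zero otherwise.
verify_server() {
  openssl verify -CAfile "$1" -verify_hostname "$2" leaf.pem >/dev/null 2>&1
}

if verify_server root.pem mail.example.mil; then
  echo "root only: unexpectedly validated"
else
  echo "root only: validation fails (intermediate CA missing, chain of trust broken)"
fi
if verify_server full_chain.pem mail.example.mil; then
  echo "full chain: validation succeeds"
fi
if verify_server full_chain.pem smtp.other.example; then
  echo "subject mismatch: unexpectedly validated"
else
  echo "subject mismatch: validation fails even though the chain is complete"
fi
```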