Appendix E: Working with TLS/SSL : Troubleshooting FortiMail TLS issues : Common error messages
Common error messages
The two most commonly seen error messages on the FortiMail unit or on other email systems are verify=CAFail and CAFail.
verify=CAFail
This error message appears when the remote certificate is not issued by a trusted CA, or when the CA certificate needed to verify it is not available. Usually this error is not fatal: encryption is still applied without any problems. The only consequence is that the communication is susceptible to man-in-the-middle or server-spoofing attacks, because the peer's identity has not been verified. However, if a delivery rule uses a TLS profile with the Secure level enabled, the connection will fail unless the FortiMail unit can validate the remote certificate.
If you are not concerned with email server-spoofing or man-in-the-middle attacks, you can just ignore this error message.
To fix this issue
1. Do one of the following:
Configure the remote server to send all the CA certificates together with its server certificate during the TLS/SSL handshake. This can be achieved by appending all the CA certificates to the server certificate file, assuming that they are all in PEM format.
In many cases this is not possible, for example when the remote server belongs to another organization. In that case you can only fix the problem on the FortiMail unit, as described in the following option.
Import the certificate of the root CA and of every intermediate CA in the chain that issued the server certificate into the FortiMail unit, so that the FortiMail unit can validate the server certificate all the way up to the root CA. For information on how to obtain CA certificates, see “Useful tools”.
CAFail
This error message may appear on an external email server talking to the FortiMail unit. It occurs because the CA certificates that issued the FortiMail certificate are not available to the external server for verification. In early versions of the FortiMail firmware, the system did not send out all CA certificates during the handshake even though they had been imported onto the FortiMail unit. This issue was fixed in release 4.1.1 (build 232).
To fix this issue
1. Upgrade your FortiMail firmware to release 4.1.1 build 232 or later.
2. Import the certificates of the root CA and of all intermediate CAs that issued the FortiMail certificate currently in effect.
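Both fixes above (the sending side presenting its full chain, or the verifying side importing the root and intermediate CAs) can be checked offline with OpenSSL. The script below is an added example and is not part of the FortiMail documentation; it builds a throwaway root, intermediate and server certificate (all names, paths and the mail.example.test host are constructed), reproduces the chain-building failure behind verify=CAFail, and shows that either fix makes verification pass.

```shell
#!/bin/sh
# Added example (not from the FortiMail documentation): reproduce the
# verify=CAFail situation offline with a throwaway PKI and confirm the
# two fixes the text gives. All names and paths here are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway hierarchy: self-signed root CA -> intermediate CA -> server cert.
make_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
    -extfile ca.ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 30 -extfile ca.ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out server.pem -days 30 -extfile srv.ext 2>/dev/null
}

# Failing case: the verifier trusts the root, but the server presented only
# its own certificate, so no chain up to the root can be built.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Fix 1: the server sends its intermediate(s) with its certificate. A TLS
# client treats that material as untrusted chain input, which is what -untrusted does.
verify_with_server_chain() {
  cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/server-chain.pem"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/server-chain.pem" \
    "$WORK/server.pem" >/dev/null 2>&1
}

# Fix 2: the verifying side imports the root and all intermediates itself.
verify_with_imported_cas() {
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/trusted-cas.pem"
  openssl verify -CAfile "$WORK/trusted-cas.pem" "$WORK/server.pem" >/dev/null 2>&1
}

make_chain
if verify_leaf_only; then echo "unexpected: leaf verified without its intermediate"
else echo "leaf only: verify fails (the verify=CAFail case)"; fi
verify_with_server_chain && echo "server sends the chain: verify OK"
verify_with_imported_cas && echo "root + intermediate imported on verifier: verify OK"
```

Against a live server, the same distinction shows up in the "Verify return code" line of `openssl s_client -starttls smtp -connect host:25 -CAfile <trusted CAs>`, which reports the chain-building failure when the intermediate is neither sent nor trusted.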