FortiMail TLS behavior in two mail flow directions
This section explains how the FortiMail unit uses TLS when receiving mail and when delivering it.
Mail receiving
By default, both SMTPS and STARTTLS are supported when the FortiMail unit receives messages. Whether a given message is protected with TLS/SSL depends on the connecting mail client or sending MTA: the FortiMail unit offers TLS, but the peer decides whether to use it. TLS support for inbound connections can be turned on or off globally with the mail setting shown below:
Figure 211: Enabling or disabling TLS
If you clear the SMTP over SSL/TLS option, STARTTLS is no longer advertised to clients in the EHLO response and the SMTPS port (465) is not opened. As a result, the FortiMail unit does not accept email over TLS/SSL in either form.
Mail delivering
There is no global setting that controls how TLS is used when the FortiMail unit delivers email to the next-hop receiving MTA. By default it uses the STARTTLS "preferred" (opportunistic) mode, which means:
If the receiving MTA advertises STARTTLS, the FortiMail unit negotiates TLS and transmits the message in the protected session.
If the receiving MTA does not advertise STARTTLS, the FortiMail unit transmits the message over a clear-text SMTP session.
If the receiving MTA advertises STARTTLS but the TLS session does not succeed, the first delivery attempt fails, and on the retry the FortiMail unit falls back to a clear-text SMTP session to transmit the message.
Because of this fallback, "preferred" mode protects only against passive observation of the SMTP session: an active attacker on the path who removes the STARTTLS advertisement, or who disrupts the handshake once, causes the message to be sent in clear text.
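As an added example (not FortiMail code, and not a description of its implementation), the following Python models the three delivery outcomes above: a sender that prefers STARTTLS, defers on a TLS failure, and retries in clear text. The next-hop MTA is a constructed scripted peer (`ScriptedPeer`, with a hypothetical banner for `mx.example.net`) so the example runs offline and records exactly which commands each outcome produces. It also includes `probe_receiver`, a network check for the two receiving-side effects of the SMTP over SSL/TLS setting (STARTTLS advertised on port 25, a TLS listener on port 465); that function needs a reachable host and is not part of the offline demonstration.

```python
import smtplib
import socket
import ssl

class DeliveryDeferred(Exception):
    """First attempt failed; the queue retries later."""

def parse_ehlo(lines):
    """Extension keywords from an EHLO reply (RFC 5321): line 1 is
    '250-domain text', then '250-KEYWORD [params]' per extension, with the
    last line using '250 ' instead of '250-'."""
    exts = set()
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 4:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        exts.add(line[4:].split(" ", 1)[0].upper())
    return exts

class ScriptedPeer:
    """Constructed stand-in for the next-hop MTA so the example runs offline.
    advertise_starttls: EHLO lists STARTTLS; tls_ok: the handshake succeeds."""

    def __init__(self, advertise_starttls=True, tls_ok=True):
        self.advertise_starttls = advertise_starttls
        self.tls_ok = tls_ok
        self.transcript = []  # commands the peer saw, for inspection

    def ehlo(self):
        self.transcript.append("EHLO")
        reply = ["250-mx.example.net Hello", "250-SIZE 10485760", "250-8BITMIME"]
        if self.advertise_starttls:
            reply.append("250-STARTTLS")
        reply.append("250 HELP")
        return reply

    def starttls(self):
        self.transcript.append("STARTTLS")
        if not self.tls_ok:
            raise ssl.SSLError("handshake failure")  # e.g. no common cipher
        return "220 Ready to start TLS"

    def accept(self, message, encrypted):
        self.transcript.append("DATA(tls)" if encrypted else "DATA(clear)")
        return "250 Queued"

def attempt(peer, message, allow_tls=True):
    """One delivery attempt. Returns 'tls' or 'cleartext'. Raises
    DeliveryDeferred if STARTTLS was offered but TLS did not succeed; nothing
    is sent in clear on that attempt."""
    exts = parse_ehlo(peer.ehlo())
    if allow_tls and "STARTTLS" in exts:
        try:
            reply = peer.starttls()
        except ssl.SSLError as exc:
            raise DeliveryDeferred(f"TLS failed: {exc}") from exc
        if not reply.startswith("220"):
            raise DeliveryDeferred(f"STARTTLS refused: {reply}")
        peer.accept(message, encrypted=True)
        return "tls"
    # No STARTTLS offered, or TLS already failed once: clear-text session.
    peer.accept(message, encrypted=False)
    return "cleartext"

def deliver_preferred(peer, message):
    """STARTTLS 'preferred' queue behaviour: the first attempt prefers TLS;
    after one TLS failure the retry goes in clear text. Returns one outcome
    per attempt. Consequence: an on-path attacker who strips STARTTLS from
    EHLO or breaks the handshake forces plaintext (opportunistic encryption)."""
    outcomes = []
    try:
        outcomes.append(attempt(peer, message, allow_tls=True))
    except DeliveryDeferred as exc:
        outcomes.append(f"deferred: {exc}")
        outcomes.append(attempt(peer, message, allow_tls=False))
    return outcomes

def probe_receiver(host, timeout=5.0):
    """Check a real receiving MTA for what the 'SMTP over SSL/TLS' setting
    controls: STARTTLS in EHLO on port 25 and a TLS listener on port 465.
    Needs network access; the offline demo below does not call it."""
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        starttls_advertised = smtp.has_extn("starttls")
    try:
        with socket.create_connection((host, 465), timeout=timeout) as sock:
            ctx = ssl.create_default_context()
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # listening, not trust
            ctx.wrap_socket(sock, server_hostname=host).close()
        smtps_open = True
    except OSError:  # refused, timed out, or TLS error (SSLError is an OSError)
        smtps_open = False
    return starttls_advertised, smtps_open

if __name__ == "__main__":
    msg = "From: a@example.com\r\nTo: b@example.net\r\n\r\nhello\r\n"  # constructed
    for peer in (ScriptedPeer(), ScriptedPeer(advertise_starttls=False),
                 ScriptedPeer(tls_ok=False)):
        print(deliver_preferred(peer, msg), peer.transcript)
```

Running the script prints the three cases in order: `['tls']`, `['cleartext']`, and a two-element list whose first entry is the deferral and whose second is `'cleartext'`; the third peer's transcript (`EHLO, STARTTLS, EHLO, DATA(clear)`) shows that the message body only crosses the wire on the retry, and in clear. `probe_receiver(host)` returns `(True, True)` against a unit with the SMTP over SSL/TLS option enabled and `(False, False)` when it is cleared; it deliberately skips certificate verification because it tests whether a listener exists, not whether the certificate is trusted.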