FortiMail
Jonathan_Body_FTNT
Article Id 190443

Description
This article explains how to configure a FortiMail unit to encrypt email traffic to one specific domain.
Scope
All FortiMail
Solution

To secure SMTP sessions initiated from a FortiMail unit, a combination of TLS profiles and Access Delivery Rules must be created.

1. To create a TLS profile via the GUI, go to Profile > Security > TLS > New. Give the profile a name, choose the TLS level required for this profile, and then select Create. Depending on the TLS level selected, you can also specify which action the FortiMail unit should take if the TLS session cannot be established.

The table below provides a short description of TLS levels and available actions:
| TLS Level | Description | Actions if fail |
|-----------|-------------|-----------------|
| None | TLS is disabled | Temporary fail, Fail |
| Preferred | TLS allowed but not required. Best effort | Not applicable |
| Encrypt | TLS required | Temporary fail, Fail |
| Secure | TLS and certificate authentication required | Temporary fail, Fail |

2. Once the TLS profile has been created, go to Policy > Access Control > Delivery Tab > New > Set and enter the domain name of the remote domain and/or the IP of their email server, then select the TLS profile that was just created. Once 'Create' has been selected, all SMTP sessions for this specific domain will be encrypted with the TLS level configured in step 1.
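One way to confirm the result of steps 1 and 2 is to inspect the Received headers of a test message as it arrived at the remote domain. The following is an added example, not part of the original article or Fortinet tooling; the host names, addresses and sample headers are constructed, and it assumes the remote mail server records the RFC 3848 "with" protocol keyword.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop was protected by STARTTLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: a test message as stored by the remote domain's mail server.
SAMPLE = """\
Received: from fortimail.example.com (fortimail.example.com [192.0.2.10])
\tby mx.partner.example with ESMTPS id 4Xabc123
\tfor <bob@partner.example>; Tue, 02 Jan 2024 10:00:01 +0000
Received: from mail.internal.example.com (mail.internal.example.com [10.0.0.5])
\tby fortimail.example.com with ESMTP id 402A01
\tfor <bob@partner.example>; Tue, 02 Jan 2024 10:00:00 +0000
From: alice@example.com
To: bob@partner.example
Subject: TLS delivery test

test body
"""

def hops(raw_message):
    """Return (from_host, by_host, protocol) per Received header, newest first."""
    msg = message_from_string(raw_message)
    result = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        fields = []
        for keyword in ("from", "by", "with"):
            m = re.search(r"\b" + keyword + r"\s+(\S+)", flat)
            fields.append(m.group(1) if m else None)
        from_host, by_host, proto = fields
        result.append((from_host.lower() if from_host else None,
                       by_host.lower() if by_host else None,
                       proto.upper() if proto else None))
    return result

def delivery_hop_used_tls(raw_message, gateway_host, remote_domain):
    """True/False for the gateway -> remote domain hop; None if the hop is absent."""
    for from_host, by_host, proto in hops(raw_message):
        to_remote = by_host is not None and (
            by_host == remote_domain or by_host.endswith("." + remote_domain))
        if from_host == gateway_host and to_remote:
            return proto in TLS_PROTOCOLS
    return None

if __name__ == "__main__":
    print(delivery_hop_used_tls(SAMPLE, "fortimail.example.com", "partner.example"))
```

A result of False for a domain covered by an Encrypt or Secure profile means the delivery rule did not match that session and the rule's domain or IP pattern should be rechecked.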




