profile tls

profile tls

Use this command to configure TLS profiles that can be used by policy access-control receive and policy access-control delivery.

A common use of TLS profiles is to enforce encrypted transport to a specific domain, and to authenticate the identity of the receiving servers. This provides more specific control than basic TLS support. For global settings on connections that FortiMail receives, see smtps-tls-status {enable | disable}.

Syntax

config profile tls

edit <profile_name>

set level {none | preferred | secure}

set check-ssl-version {enable | disable}

set min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}

set check-encryption-strength {enable | disable}

set encryption-strength <bits_int>

set check-ca-name {enable | disable}

set check-ca-type {match | substring | wildcard}

set ca-name "<ca-dn_str>"

set check-cert-subject {enable | disable}

set check-cert-type {match | substring | wildcard}

set cert-subject "<subject-dn_str>"

set dane-support {mandatory | none | opportunistic}

set mtasts-status {enable | monitor | none}

set action {fail | tempfail}

end

Variable	Description	Default
<profile_name>	Enter the name of the profile.
level {none \| preferred \| secure}	Select whether SSL/TLS is supported or required: `none`: Disables SSL/TLS. Requests for secure connections will be ignored. `preferred`: If the other device in the SMTP session supports STARTTLS, then FortiMail tries to use it. `secure`: Require a certificate-authenticated SSL/TLS connection. See information on installing a CA certificate on FortiMail. Effects vary by directionality and global settings. For details, see FortiMail TLS behavior in both directions of mail flow.	none
action {fail \| tempfail}	Select the action FortiMail performs when an SSL/TLS connection cannot be established, either: `fail`: Reject the email and reply to the SMTP client with SMTP reply code 550. `tempfail`: Reply to the SMTP client with a code indicating temporary failure. This option does not apply if `level {none \| preferred \| secure}` is `preferred`. Tip: Optionally, you can configure `protocol {ibe \| ibe-on-tls-failure \| smime}` to try IBE if TLS fails. IBE also ensures that the email message is encrypted in transit.	tempfail
ca-name "<ca-dn_str>"	Enter a string that matches only trusted CAs. Use forward slashes to separate each part of the Distinguished Name (DN). For example: /CN=ca.example.com/O=Example Inc. This option is only available when `level {none \| preferred \| secure}` is `secure`, and only takes effect if `check-ca-name {enable \| disable}` is `enable`.
cert-subject "<subject-dn_str>"	Enter a string that matches only accepted certificate subjects. Use forward slashes to separate each part of the Distinguished Name (DN). For example: /CN=mail.example.com/O=Example Inc. This option is only available when `level {none \| preferred \| secure}` is `secure`, and only takes effect if `check-cert-subject {enable \| disable}` is `enable`.
check-ca-name {enable \| disable}	Enable to perform the action in `action {fail \| tempfail}` if connection peer's certificate's `CA Issuer` field (its signing CA) does not match `ca-name "<ca-dn_str>"`. Each certificate's signature is validated with the list of trusted CA certificates (for information on installing CA certificates, see the FortiMail Administration Guide.), so this additional CA setting effectively filters which trusted CAs can be used by specific sessions. This option is only available when `level {none \| preferred \| secure}` is set to `secure`.	disable
check-ca-type {match \| substring \| wildcard}	Select how to compare this setting with the peer certificate's `CA Issuer` field: `match` (equal) `substring` (contain) `wildcard` (some characters may vary, which are indicated by a question mark ( `?` ) or asterisk ( `*` ) ) This option is only available when `level {none \| preferred \| secure}` is `secure`, and only takes effect if `check-ca-name {enable \| disable}` is `enable`.	match
check-cert-subject {enable \| disable}	Enable to perform the action in `action {fail \| tempfail}` if connection peer's certificate's `Subject` field does not match `cert-subject "<subject-dn_str>"`. This option is only available when `level {none \| preferred \| secure}` is `secure`.	disable
check-cert-type {match \| substring \| wildcard}	Select how to compare this setting with the peer certificate's `Subject` field: `match` (equal) `substring` (contain) `wildcard` (some characters may vary, which are indicated by a question mark ( `?` ) or asterisk ( `*` ) ) This option is only available when `level {none \| preferred \| secure}` is `secure`, and only takes effect if `check-cert-subject {enable \| disable}` is `enable`.	match
check-encryption-strength {enable \| disable}	Enable to perform the action in `action {fail \| tempfail}` if the connection does not meet `encryption-strength <bits_int>`. This option is only available when `level {none \| preferred \| secure}` is `secure`.	disable
check-ssl-version {enable \| disable}	Enable to perform the action in `action {fail \| tempfail}` if the connection does not meet `min-ssl-version {ssl3 \| tls1_0 \| tls1_1 \| tls1_2 \| tls1_3}`. This option is only available when `level {none \| preferred \| secure}` is `secure`.	disable
dane-support {mandatory \| none \| opportunistic}	Select the DNS-based Authentication of Named Entities (DANE) support level: None Opportunistic Mandatory (only available if `level {none \| preferred \| secure}` is `secure`) See also RFC 7929.	none
encryption-strength <bits_int>	Enter the bit size of the encryption key. Greater key size results in stronger encryption, but requires more processing resources. This setting takes effect only if `check-encryption-strength {enable \| disable}` is enabled. Effects also can be overridden by encryption strength settings such as `strong-crypto {enable \| disable}`.	256
min-ssl-version {ssl3 \| tls1_0 \| tls1_1 \| tls1_2 \| tls1_3}	Select the required minimum secure connection protocol and version, either: TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0 SSL 3.0 This option is only available when `check-ssl-version {enable \| disable}` is `enable`. Effects also can be overridden by encryption strength settings such as strong-crypto {enable \| disable}.	tls1_1
mtasts-status {enable \| monitor \| none}	Select the MTA Strict Transport Security (MTA-STS) domain verification level. This setting applies only when smtp-mtasts-status {check-all-domain \| check-external-domain \| disable} is not `disable`, and is only available if `level {none \| preferred \| secure}` is either `preferred` or `secure`.	none

Syntax

config profile tls

edit <profile_name>

set level {none | preferred | secure}

set check-ssl-version {enable | disable}

set min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}

set check-encryption-strength {enable | disable}

set encryption-strength <bits_int>

set check-ca-name {enable | disable}

set check-ca-type {match | substring | wildcard}

set ca-name "<ca-dn_str>"

set check-cert-subject {enable | disable}

set check-cert-type {match | substring | wildcard}

set cert-subject "<subject-dn_str>"

set dane-support {mandatory | none | opportunistic}

set mtasts-status {enable | monitor | none}

set action {fail | tempfail}

end

Variable	Description	Default
<profile_name>	Enter the name of the profile.
level {none \| preferred \| secure}	Select whether SSL/TLS is supported or required: `none`: Disables SSL/TLS. Requests for secure connections will be ignored. `preferred`: If the other device in the SMTP session supports STARTTLS, then FortiMail tries to use it. `secure`: Require a certificate-authenticated SSL/TLS connection. See information on installing a CA certificate on FortiMail. Effects vary by directionality and global settings. For details, see FortiMail TLS behavior in both directions of mail flow.	none
action {fail \| tempfail}	Select the action FortiMail performs when an SSL/TLS connection cannot be established, either: `fail`: Reject the email and reply to the SMTP client with SMTP reply code 550. `tempfail`: Reply to the SMTP client with a code indicating temporary failure. This option does not apply if `level {none \| preferred \| secure}` is `preferred`. Tip: Optionally, you can configure `protocol {ibe \| ibe-on-tls-failure \| smime}` to try IBE if TLS fails. IBE also ensures that the email message is encrypted in transit.	tempfail
ca-name "<ca-dn_str>"	Enter a string that matches only trusted CAs. Use forward slashes to separate each part of the Distinguished Name (DN). For example: /CN=ca.example.com/O=Example Inc. This option is only available when `level {none \| preferred \| secure}` is `secure`, and only takes effect if `check-ca-name {enable \| disable}` is `enable`.
cert-subject "<subject-dn_str>"	Enter a string that matches only accepted certificate subjects. Use forward slashes to separate each part of the Distinguished Name (DN). For example: /CN=mail.example.com/O=Example Inc. This option is only available when `level {none \| preferred \| secure}` is `secure`, and only takes effect if `check-cert-subject {enable \| disable}` is `enable`.
check-ca-name {enable \| disable}	Enable to perform the action in `action {fail \| tempfail}` if connection peer's certificate's `CA Issuer` field (its signing CA) does not match `ca-name "<ca-dn_str>"`. Each certificate's signature is validated with the list of trusted CA certificates (for information on installing CA certificates, see the FortiMail Administration Guide.), so this additional CA setting effectively filters which trusted CAs can be used by specific sessions. This option is only available when `level {none \| preferred \| secure}` is set to `secure`.	disable
check-ca-type {match \| substring \| wildcard}	Select how to compare this setting with the peer certificate's `CA Issuer` field: `match` (equal) `substring` (contain) `wildcard` (some characters may vary, which are indicated by a question mark ( `?` ) or asterisk ( `*` ) ) This option is only available when `level {none \| preferred \| secure}` is `secure`, and only takes effect if `check-ca-name {enable \| disable}` is `enable`.	match
check-cert-subject {enable \| disable}	Enable to perform the action in `action {fail \| tempfail}` if connection peer's certificate's `Subject` field does not match `cert-subject "<subject-dn_str>"`. This option is only available when `level {none \| preferred \| secure}` is `secure`.	disable
check-cert-type {match \| substring \| wildcard}	Select how to compare this setting with the peer certificate's `Subject` field: `match` (equal) `substring` (contain) `wildcard` (some characters may vary, which are indicated by a question mark ( `?` ) or asterisk ( `*` ) ) This option is only available when `level {none \| preferred \| secure}` is `secure`, and only takes effect if `check-cert-subject {enable \| disable}` is `enable`.	match
check-encryption-strength {enable \| disable}	Enable to perform the action in `action {fail \| tempfail}` if the connection does not meet `encryption-strength <bits_int>`. This option is only available when `level {none \| preferred \| secure}` is `secure`.	disable
check-ssl-version {enable \| disable}	Enable to perform the action in `action {fail \| tempfail}` if the connection does not meet `min-ssl-version {ssl3 \| tls1_0 \| tls1_1 \| tls1_2 \| tls1_3}`. This option is only available when `level {none \| preferred \| secure}` is `secure`.	disable
dane-support {mandatory \| none \| opportunistic}	Select the DNS-based Authentication of Named Entities (DANE) support level: None Opportunistic Mandatory (only available if `level {none \| preferred \| secure}` is `secure`) See also RFC 7929.	none
encryption-strength <bits_int>	Enter the bit size of the encryption key. Greater key size results in stronger encryption, but requires more processing resources. This setting takes effect only if `check-encryption-strength {enable \| disable}` is enabled. Effects also can be overridden by encryption strength settings such as `strong-crypto {enable \| disable}`.	256
min-ssl-version {ssl3 \| tls1_0 \| tls1_1 \| tls1_2 \| tls1_3}	Select the required minimum secure connection protocol and version, either: TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0 SSL 3.0 This option is only available when `check-ssl-version {enable \| disable}` is `enable`. Effects also can be overridden by encryption strength settings such as strong-crypto {enable \| disable}.	tls1_1
mtasts-status {enable \| monitor \| none}	Select the MTA Strict Transport Security (MTA-STS) domain verification level. This setting applies only when smtp-mtasts-status {check-all-domain \| check-external-domain \| disable} is not `disable`, and is only available if `level {none \| preferred \| secure}` is either `preferred` or `secure`.	none

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference

profile tls

Syntax

Related topics

profile tls

profile tls

Syntax

Related topics