topic Inbound TLS/SMTP inspection (to FortiMail) in General Topics

Inbound TLS/SMTP inspection (to FortiMail)

pkaren — Thu, 04 Feb 2021 14:00:26 GMT

Hi,

I'm wondering if anyone happens to be doing successful inbound inspection of SMTP/TLS to a FortiMail appliance? Or any other mail server for that matter. I've run in to a brick wall when it comes to renegotiation. The Palo is serving the correct certificate and a manual connections using openssl (openssl s_client -debug -connect mx1.XXXXX.com:25 -crlf -starttls smtp -showcerts) over a "decrypted" session and an "untouched" session shows identical output up until this point:

Decrypted (or well, attempted decryption) on the left and undecrypted normal session on the right.
I've made the decryption profile as generous as possible (i.e. not blocking any sessions and allowing all sorts keys and cryptos) and ECDHE-RSA-AES256-GCM-SHA384 is supported according to the docs. Anyone have any good ideas what to try next?
It feels somewhat like https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/td-p/246059 but I have no idea how to configure ciphers on the FortiMail.

Re: Inbound TLS/SMTP inspection (to FortiMail)

nikoolayy1 — Sun, 21 Mar 2021 22:29:42 GMT

The palo alto may not have openssl tool to test the ciphers but in version 10 there is the improved that will tell you the needed info:

Monitor>Logs>Decryption

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/enhanced-ssl-decryption-troubleshooting.html

Also SSL handshake can be seen with a pcap from the firewall and you can see what ciphers are send by the server (the fortiMail):

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS

For more info:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgHCAS

Re: Inbound TLS/SMTP inspection (to FortiMail)

M.Ahmed681864 — Mon, 30 Dec 2024 11:44:47 GMT

Check error under decryption logs.