This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Inbound TLS/SMTP inspection (to FortiMail)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Inbound TLS/SMTP inspection (to FortiMail)

pkaren
L1 Bithead

‎02-04-2021 06:00 AM

Hi,

I'm wondering if anyone happens to be doing successful inbound inspection of SMTP/TLS to a FortiMail appliance? Or any other mail server for that matter.  I've run in to a brick wall when it comes to renegotiation. The Palo is serving the correct certificate and a manual connections using openssl (openssl s_client -debug -connect mx1.XXXXX.com:25 -crlf -starttls smtp -showcerts) over a "decrypted" session and an "untouched" session shows identical output up until this point:

Screenshot 2021-02-04 at 14.43.04.png

Decrypted (or well, attempted decryption) on the left and undecrypted normal session on the right.
I've made the decryption profile as generous as possible (i.e. not blocking any sessions and allowing all sorts keys and cryptos) and ECDHE-RSA-AES256-GCM-SHA384 is supported according to the docs. Anyone have any good ideas what to try next?
It feels somewhat like https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/td-p/246059 but I have no idea how to configure ciphers on the FortiMail.

0 Likes Likes
1 REPLY 1

nikoolayy1
L6 Presenter

‎03-21-2021 03:29 PM

The palo alto may not have openssl tool to test the ciphers but in version 10 there is the improved that will tell you the needed info:

 

Monitor>Logs>Decryption

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/enhanced-ssl-d...

 

 

Also SSL handshake can be seen with a pcap from the firewall and you can see what ciphers are send by the server (the fortiMail):

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS

 

 

 

For more info:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgHCAS

0 Likes Likes
  • 2679 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks