Inbound TLS/SMTP inspection (to FortiMail)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Inbound TLS/SMTP inspection (to FortiMail)

L1 Bithead

Hi,

I'm wondering if anyone happens to be doing successful inbound inspection of SMTP/TLS to a FortiMail appliance? Or any other mail server for that matter.  I've run in to a brick wall when it comes to renegotiation. The Palo is serving the correct certificate and a manual connections using openssl (openssl s_client -debug -connect mx1.XXXXX.com:25 -crlf -starttls smtp -showcerts) over a "decrypted" session and an "untouched" session shows identical output up until this point:

Screenshot 2021-02-04 at 14.43.04.png

Decrypted (or well, attempted decryption) on the left and undecrypted normal session on the right.
I've made the decryption profile as generous as possible (i.e. not blocking any sessions and allowing all sorts keys and cryptos) and ECDHE-RSA-AES256-GCM-SHA384 is supported according to the docs. Anyone have any good ideas what to try next?
It feels somewhat like https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/td-p/246059 but I have no idea how to configure ciphers on the FortiMail.

1 REPLY 1

L6 Presenter

The palo alto may not have openssl tool to test the ciphers but in version 10 there is the improved that will tell you the needed info:

 

Monitor>Logs>Decryption

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/enhanced-ssl-d...

 

 

Also SSL handshake can be seen with a pcap from the firewall and you can see what ciphers are send by the server (the fortiMail):

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS

 

 

 

For more info:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgHCAS

  • 2754 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!