Configuring certificate bindings
Go to System > Encryption > Certificate Binding to create certificate binding profiles, which establish the relationship between an email address and the certificate that:
- proves an individual’s identity
- provides their keys for use with encryption profiles
The FortiMail unit uses this relationship and the certificate's key material for Secure/Multipurpose Internet Mail Extensions (S/MIME), as specified in RFC 2634.
How certificate bindings are used depends on whether an email is incoming or outgoing.
- Incoming: The FortiMail unit compares the sender’s identity with the list of certificate bindings to determine whether it has a key that can decrypt the email. If it has a matching private key, it decrypts the email before delivering it. If it does not, it forwards the still-encrypted email to the recipient.
- Outgoing: If you have selected an encryption profile in the message delivery rule that applies to the session, the FortiMail unit compares the sender’s identity with the list of certificate bindings to determine whether it has a certificate and public key. If it has a matching public key, it encrypts the email using the algorithm specified in the encryption profile (see “Configuring encryption profiles” on page 594). If it does not, it performs the failure action indicated in the encryption profile.
The FortiMail unit does not check if an outgoing email is already encrypted. Email clients can apply their own additional layer of S/MIME encryption if they want to (such as if they require non-repudiation) before they submit email for delivery through the FortiMail unit.
The destination of an S/MIME email can be another FortiMail unit, for gateway-to-gateway S/MIME, but it could alternatively be any email gateway or server, as long as one of the following supports S/MIME and possesses the sender’s certificate and public key:
- the destination’s MTA or mail server
- the recipient’s MUA
This is necessary to decrypt the email; otherwise, the recipient cannot read the email.
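To make the lookup described above concrete, here is an added Python model of the binding decision (example code, not FortiMail's own implementation): pattern matching against a full address or a bare domain, the Status calculation from the validity window, decryption of incoming mail that may still use a retained expired key, and the outgoing encrypt-or-failure-action choice. The exact-address-before-domain precedence, the sample bindings and the failure-action value are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Added example modelling a FortiMail-style certificate-binding lookup; not FortiMail's own code.
@dataclass
class Binding:
    address_pattern: str   # Address Pattern column: full address or bare domain
    identity: str          # Identity column: CN of the certificate subject
    valid_from: datetime   # Valid From column
    valid_to: datetime     # Valid To column
    has_public_key: bool   # Public Key column populated
    has_private_key: bool  # Private Key column populated

def status(b, now):
    """Status column: 'not yet valid', 'valid' or 'expired' relative to system time."""
    if now < b.valid_from:
        return "not yet valid"
    return "expired" if now > b.valid_to else "valid"

def pattern_matches(pattern, address):
    """A full-address pattern must match exactly; a bare domain matches any local part at it."""
    pattern, address = pattern.lower(), address.lower()
    return address == pattern if "@" in pattern else address.rsplit("@", 1)[-1] == pattern

def find_binding(bindings, address, now, allow_expired=False):
    """First usable binding whose pattern matches; exact-address bindings win over domain ones (assumption)."""
    usable = ("valid", "expired") if allow_expired else ("valid",)
    hits = [b for b in bindings if pattern_matches(b.address_pattern, address) and status(b, now) in usable]
    hits.sort(key=lambda b: "@" not in b.address_pattern)  # exact patterns (False) sort first
    return hits[0] if hits else None

def handle_incoming(bindings, identity, now):
    """Decrypt if a matching private key exists (an expired key may be retained to read
    previously encrypted mail); otherwise forward the message still encrypted."""
    b = find_binding(bindings, identity, now, allow_expired=True)
    return "decrypt" if b and b.has_private_key else "forward-encrypted"

def handle_outgoing(bindings, identity, now, failure_action):
    """Encrypt with a matching, currently valid public key; otherwise apply the encryption
    profile's failure action (the value passed in is a constructed placeholder)."""
    b = find_binding(bindings, identity, now)
    return "encrypt" if b and b.has_public_key else failure_action

# Constructed sample bindings and system time, as they might appear on the Certificate Binding tab
UTC = timezone.utc
SAMPLE = [
    Binding("user1@example.com", "User One", datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC), True, True),
    Binding("example.com", "Example Gateway", datetime(2023, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC), True, False),
]
NOW = datetime(2025, 6, 1, tzinfo=UTC)
```

With these samples, mail for user1@example.com is still decrypted with the expired personal key, while outgoing mail to that address falls back to the valid domain-level public key.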
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.
Before any personal certificate that you upload can be used, you must upload the certificate of its signing certificate authority (CA). For details, see “Managing certificate authority certificates” on page 354.
To view and configure certificate bindings
- Go to System > Encryption > Certificate Binding.
Figure 150: Certificate Binding tab
GUI item | Description |
Type (drop-down list) | Select whether the keys and certificate are used for validating the signature of and decrypting incoming email (External), or to sign and encrypt outgoing email (Internal). |
Profile ID | Displays the name of the profile. |
Address Pattern | Displays the email address or domain associated with the identity represented by the personal or server certificate. |
Type (column) | Displays how the keys and certificate are applied: to all mail, just incoming (External) mail, or just outgoing (Internal) mail. |
Identity | Displays the identity, often a first and last name, included in the common name (CN) field of the Subject line of the personal or server certificate. |
Public Key | Displays the public key associated with the identity, used for decrypting and validating the signature of an email from that identity. |
Private Key | Displays the private key associated with the identity, used to encrypt and sign email from that identity. |
Valid From | Displays the beginning date of the period of time during which the certificate and its keys are valid for use by signing and encryption. |
Valid To | Displays the end date of the certificate’s period of validity. After this date and time, the certificate expires, although the keys may be retained for the purpose of decrypting and reading email that was signed and encrypted previously. |
Status | Indicates whether the certificate is currently not yet valid, valid, or expired, depending on the current system time and the certificate’s validity period. For information on configuring the time, see “Configuring the time and date” on page 265. |
(Green dot in column heading.) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
- Either click New to add a profile or double-click a profile to modify it.
- From Type, select whether the keys and certificate will be used for validating the signature of and decrypting incoming email (External), or to sign and encrypt outgoing email (Internal).
Certificate import formats vary by this selection.
Figure 151: Configuration for incoming/external email
Figure 152: Configuration for outgoing/internal email
- In Address Pattern, enter the email address or email domain for which the certificate in this binding will be used.
For example, you might bind a personal certificate for User1 to the email address user1@example.com.
- For internal address bindings, from Choose import type, select one of the following ways to either import and bind a personal certificate, or to bind an existing server certificate:
- Import PKCS12 file: Upload and bind a personal certificate-and-key file that uses Public-Key Cryptography Standard #12 (PKCS #12), stored in a password-protected file format (.p12).
- Import PEM files: Upload and bind a pair of personal certificates and public and private keys that use Privacy-Enhanced Mail (PEM), a password-protected file format (.pem).
- Choose from local certificate list: Bind a server certificate that you have previously uploaded to the FortiMail unit. For details, see “Managing local certificates” on page 347.
Depending on your selection in Choose import type, either upload the personal certificate files and enter their password, or select the name of a local certificate from Choose local certificate list.
If a certificate import does not succeed and event logging is enabled, examine the event log messages to determine the cause of the failure. Log messages may indicate errors such as an unsupported password-based encryption (PBE) algorithm:
PKCS12 Import: err=0x6074079: digital envelope routines / EVP_PBE_CipherInit / unknown pbe algorithm
- For external address bindings, upload and bind a Privacy-Enhanced Mail (PEM) file that contains a personal or server certificate and its public key.
- Click Create.
Certificate bindings will be used automatically as needed for matching message delivery rules in which you have selected an encryption profile. For details, see “Configuring encryption profiles” on page 594 and “Configuring delivery rules” on page 464.
I wonder how IBE behaves in an HA active/active (config only) setup. Can I point the same URL with a load balancer to both units? Is the encrypted mail, and user with private key, available on both units?
Great question Paul,
When FML is deployed in config-only HA, the data store information, which includes the IBE data, is not shared between the two devices – only the configuration settings are synced.
There are a couple of ways of dealing with the data store limitation in config-only HA (FML GUI: Mail Settings > Settings > Storage):
1. Add a Central Quarantine device (or two set up in active/passive HA) to store the IBE data separately from the two FML units that are processing the mail. Requirement for Centralized IBE unit: FML 1000D or higher physical appliance | FML VM04 or higher virtual appliance
2. Set the two FML units to store data to the same remote data store mounted via NAS
The first option will require an additional FML purchase.
The second option will require that you have a common NAS mount point that both FML units can reliably communicate with.
FML online help on this topic: http://help.fortinet.com/fmail/5-3-4/admin/index.html#page/FortiMail_Online_Help/mail_settings_07_13.html
Please let me know if you have any additional questions on this topic.