Step 3 - Configuring "other" email systems

You can integrate FortiMail Workspace Security with various email services. This enables FortiMail Workspace Security to protect all incoming mail from the integrated services.

This page discusses how to connect FortiMail Workspace Security to an email service that is not Google Workspace, Microsoft 365, or Microsoft Exchange. We will refer to these as "other" email services.

This is the 3rd step of the procedure to integrate FortiMail Workspace Security with other email services:

To enable your FortiMail Workspace Security integration with other email services, some configurations must be made in your email service. Perform these configurations as described below.

Note: The procedures below will differ depending on the specific email service that you are using.

  1. Depending on your organization's AWS environment, add the following IP addresses to the list of allowed IP addresses in your environment: [See the drop-down below for details on on how to determine your environment]

    1. In FortiMail Workspace Security, go to Settings > Account.

    2. The Environment of your organization will appear under General > Info: US, EU, or AUS.

    For US environments

    For EU environments

    For AUS environments

    • 54.227.64.76

    • 3.81.182.154

    • 3.93.155.149

    • 3.95.118.12

    • 3.95.142.181

    • 52.12.169.124 [required only if Muti-region is enabled]

    • 99.81.216.78

    • 34.249.190.60

    • 108.128.137.108

    • 99.80.189.20

    • 52.12.169.124 [required only if Muti-region is enabled]

    • 13.236.255.231

    • 54.66.125.250

    • 52.12.169.124 [required only if Muti-region is enabled]

Perform this step only if your email service supports rules with headers.

This procedure enhances the ability of suspected spam to be sent to the user’s junk/spam folder.

The example shown below is for Microsoft Exchange. The procedure will differ depending on the email service that you are using.

  1. In Exchange Admin, select Mail flow > Rules > "Create a new rule…"

  2. Scroll to the bottom, and click "More options…"

    1. Name: Perception Point Spam Rule

  3. Select "Apply this rule if…" > "A message header…" > "Matches these exact patterns"

  4. Select "Enter text" and then specify the header name: X-PERCEPTION-POINT-SPAM

  5. Select "Enter text patterns" and then specify the following words or phrases: FAIL - and then click "+"

  6. Select "Do the following…" > "Modify the Message Properties"

  7. Set the Spam Confidence Level to "6"

Recommendation:

Changing MX records to Perception Point Inbound relay

When updating the MX records to route emails through the Perception Point inbound relay, it is strongly recommended to follow the best practices that are shown below, to ensure optimal security and functionality:

  1. Delete the old MX record.

  2. After updating the MX to Perception Point, ensure that the old MX record is removed from public DNS. Keeping the old MX record publicly accessible can expose your mail infrastructure to potential misuse or unauthorized access.

  3. Implement IP restrictions.

    • To enhance security, configure the receiver server to accept emails only from IPs of Perception Point. This measure prevents attackers from bypassing the FortiMail Workspace Security email scanning by attempting to send emails directly to your original mail server.

    • Restricting access to trusted IPs significantly reduces the risk of direct delivery attempts by malicious actors.

TLS considerations

Before changing or adding the MX record as described below, check if the domain that you're adding supports TLS encryption. If not, in FortiMail Workspace Security, disable TLS encryption for the domain. [See below for instructions.]

  • Non-TLS communication means that emails are sent as plain text, giving a "man-in-the middle" attacker the ability to monitor the network traffic. In contrast, TLS communication encrypts the emails while they are transmitted.

When you edit the TLS configuration in FortiMail Workspace Security, you can enable or disable TLS encryption. By default, TLS encryption is enabled, and FortiMail Workspace Security uses TLS version 1.2 - and not earlier versions. When TLS encryption is enabled, you can enable support for legacy versions as well [earlier than version 1.2].

  1. In FortiMail Workspace Security, go to the Settings > Protected Email Assets page.

  2. Under Inline Domains, locate the domain that you want to edit.

  3. Click the blue arrow on the left of the domain name to display details of the domain.

  4. Locate TLS configuration and then click Edit on the right.

  5. In the Configure TLS Encryption dialog box, make the required changes.

    1. Use TLS encryption: When enabled, FortiMail Workspace Security will use TLS encryption when sending emails to this domain. By default, TLS version 1.2 is used.

      Note: Before you disable TLS encryption, it is recommended that you try "Allow legacy TLS versions" [see below] - unless you’re sure that the receiving server doesn't support TLS at all.

    2. Allow legacy TLS versions: When enabled, FortiMail Workspace Security will be able to use a TLS version earlier than 1.2, if that is what is required by the domain server that receives the emails from FortiMail Workspace Security.

  6. Click Confirm.

 

In some cases, you may encounter an error similar to one of the following:

SSLCertVerificationError [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'mail.CAV-TYL.IT'. (_ssl.c:1010)
 

These errors typically occur when:

  • The destination mail server uses a TLS version lower than 1.2

    - or -

  • The server’s SSL certificate is mis-configured, such as a hostname mismatch.

What you need to do

To avoid email delivery failures, before changing the MX record, configure support for legacy TLS versions [earlier than version 1.2] for the domain. This should be done after the domain has been added to FortiMail Workspace Security, but before the MX record is updated. See TLS considerations above.

Troubleshooting

If you see this error in FortiMail Workspace Security, or you notice that emails are not being delivered to your server:

  • Check for terms like "TLS" or "certificate" in the error message.

  • Contact FortiMail Workspace Security Support [support@perception-point.io], and send them the affected domain name - for further assistance.

SSLError [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1010)
 

This indicates that the server you are using is configured to support weak Diffie-Hellman (DH) parameters, specifically a key size that is considered insecure by modern TLS standards. Most up-to-date clients and libraries — including those of FortiMail Workspace Security — enforce a minimum DH key size of 2048 bits to ensure secure communications.

In your case, the server is likely offering DH keys that are smaller than this threshold (often 1024 bits or less), which are vulnerable to attacks and therefore rejected by our client for security reasons.

What you need to do

We recommend that you review your server’s TLS configuration and ensure the following:

  • You use DH parameters with at least 2048 bits.

  • Your TLS library and OpenSSL version are up to date.

If the issue persists, it may be necessary configure support for legacy TLS versions [earlier than version 1.2] for the domain. See TLS considerations above.

Note:

  • When changing or adding the MX record, make sure that the MX record has the highest priority [0].

    Setting the MX record with the highest priority [0] ensures that email traffic is directed to the specified mail server first. This is crucial for ensuring that your email service is properly routed and protected by FortiMail Workspace Security, as it allows the security measures to be applied to incoming emails. Having the highest priority makes sure that this server is the primary point of contact for email delivery, enhancing security and reliability.

  1. On your network provider, change the MX record as follows: [Open the drop-down below for details on your environment.]

    1. In FortiMail Workspace Security, go to Settings > Account.

    2. The Environment of your organization will appear under General > Info: US, EU, or AUS.

     

    		 Multi-region enabled Multi-region not enabled

    For US environments:

    us.mx-pp.com

    inbound-smtp.us-east-1.amazonaws.com

    For EU environments:

    eu.mx-pp.com

    inbound-smtp.eu-west-1.amazonaws.com

    For AUS environments:

    australia.mx-pp.com

    inbound-smtp.eu-west-1.amazonaws.com

 

Email in your email service is now protected by FortiMail Workspace Security.

IMPORTANT: After you have configured the "Other" integration, in the Bundles and Channels page, under Enabled Channels, Email Service will appear as Inactive [and not as Active]. This is the expected behavior - and you are not required to activate the new integration.

See also: