This article describes how to disable FortiMail from offering STARTTLS.
Scope
FortiMail
Solution
Step 1: Test the connection from [FortiMail Gateway], acting as an MTA. FortiMail offers STARTTLS in its reply to the initial EHLO.
Step 2: Go to the target receiving host, which in this case is [FortiMail Server mode].
Step 3: Go to Policy > Access Control > Receiving.
Step 4: Create a new policy that defines the source IP and recipient pattern.
Step 5: Under TLS Profile, create a new TLS profile named NO_STARTTLS with the TLS Option set to NONE.
Step 6: Run a second test connection from [FortiMail Gateway]. FortiMail no longer offers STARTTLS in the initial connection.