www.fortinet.com
FortiMail™ Secure Messaging Platform Administration Guide
Version 3.0 MR4
September 4, 2008
06-30004-0154-20080904
© Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web,
FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse,
FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other
countries. The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
Contents
Introduction ...................................................................................... 11
About FortiMail units....................................................................................... 11
About this document....................................................................................... 11
Document conventions................................................................................ 12
Typographic conventions ............................................................................ 12
FortiMail documentation ................................................................................. 12
Comments on FortiMail technical documentation ....................................... 13
Customer service and technical support ...................................................... 13
Register your Fortinet product....................................................................... 14
AntiVirus......................................................................................................... 264
AntiVirus.................................................................................................... 264
Virus List ................................................................................................... 267
Authentication ............................................................................................... 267
SMTP ........................................................................................................ 268
IMAP ......................................................................................................... 269
POP3 ........................................................................................................ 271
Radius....................................................................................................... 272
Misc (server mode)........................................................................................ 273
Misc........................................................................................................... 273
Content ........................................................................................................... 275
Incoming ................................................................................................... 276
Outgoing ................................................................................................... 281
Session........................................................................................................... 287
Session Configuration ............................................................................... 287
Preventing clients from using open relays (transparent mode)................. 298
Dictionary ....................................................................................................... 298
How to create dictionary profiles ............................................................... 298
Profiles ...................................................................................................... 299
Dictionaries ............................................................................................... 301
Categories................................................................................................. 304
Languages ................................................................................................ 305
Groups ...................................................................................................... 306
Maintenance ............................................................................................. 310
LDAP............................................................................................................... 311
Preparing your LDAP schema for FortiMail LDAP profiles ....................... 311
LDAP Profile ............................................................................................. 320
IP Pool ............................................................................................................ 348
IP Pool Lists .............................................................................................. 348
TLS.................................................................................................................. 349
TLS Profile ................................................................................................ 350
Configuring the primary unit for HA operation........................................... 505
Configuring the backup unit for HA operation ........................................... 507
Connecting the gateway mode HA group to your network........................ 508
Configuring and administering the HA group ............................................ 509
HA failover scenarios.................................................................................... 509
Failover scenario: Temporary failure of the primary unit........................... 510
Failover scenario: primary heartbeat link fails........................................... 512
Failover scenario: Network connection between primary and backup units fails
(remote service monitoring detects a failure) ............................................ 516
Index................................................................................................ 537
Introduction
This section introduces you to the FortiMail™ Secure Messaging Platform
(FortiMail unit) and the following topics:
• About FortiMail units
• About this document
• FortiMail documentation
• Customer service and technical support
• Register your Fortinet product
Once your FortiMail unit is running and you have configured the optional system-
related items, you can start to configure the advanced features as described in
this guide. You have the flexibility to choose which features to enable and select
the options you want within each feature.
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP
addresses.
• To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are
fictional and follow the documentation guidelines specific to Fortinet. The
addresses used are from the private IP address ranges defined in RFC 1918:
Address Allocation for Private Internets, available at
http://ietf.org/rfc/rfc1918.txt?number-1918.
• Notes and cautions are used to provide important information:
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiMail documentation uses the following typographical conventions:
Convention: Example
Keyboard input: To navigate the list of sessions, select the Page Up icon or the Page Down icon.
CLI command syntax: execute restore config <filename_str>
Document names: FortiMail Administration Guide
Menu commands: Go to System > Network > Interface to view the interface information.
Program output: Welcome!
Variables: <address_ipv4>
FortiMail documentation
You can find FortiMail documentation from the following resources:
Online Help
• FortiMail online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
Fortinet Documentation CD
All Fortinet documentation is available on the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. The CD contains the following documents:
• FortiMail QuickStart Guides
Provides basic information about connecting and installing a FortiMail unit. A
separate guide is available for each FortiMail model.
• FortiMail Installation Guide
Describes how to set up the FortiMail unit in transparent, gateway, or server
mode.
• FortiMail Administration Guide
This document. Introduces the product and describes how to configure and
manage a FortiMail unit, including how to create profiles and policies,
configure antispam and antivirus filters, create user accounts, configure email
archiving, and set up logging and reporting.
• FortiMail CLI Reference
Describes how to use the FortiMail CLI and contains a reference of all
FortiMail CLI commands.
You can dramatically improve the time that it takes to resolve your technical
support ticket by providing your configuration file, a network diagram, and other
specific information. For a list of required information, see the Fortinet Knowledge
Center article What does Fortinet Technical Support require in order to best assist
the customer?
System
• System Load – A System Load monitor on the status page displays a
measurement of resource use. This composite statistic takes into account disk,
CPU, memory and SMTP session load. See “Status” on page 111.
• Log/mail disk space allocation – A new CLI command,
execute partitionlogdisk, allows you to vary the ratio of disk space
used for log and mail data from the default 25%/75%. See the FortiMail CLI
Reference.
• Trusted hosts – A security enhancement allowing you to restrict access to the
web-based manager. Attempts to log in to the web-based manager will only
succeed if made from IP addresses configured as trusted hosts. See “Admin”
on page 138.
• Administrator RADIUS authentication – You can configure the FortiMail unit
to authenticate administrator access with a RADIUS server. See “Admin” on
page 138.
• HA slave mode indicator – When part of an HA cluster, the backup unit web-
based manager displays “SLAVE MODE” as a reminder that you should not
make configuration changes to the backup unit. See “Synchronizing the
FortiMail configuration” on page 468.
• FortiManager Support – Local-mode support for remote management by a
FortiManager unit allows configuration backup and restore, and firmware
update. See “Central Management” on page 164.
Mail Settings
• Enhanced spam report customization – Customize the report title, column
titles, and many other parts of the spam report summary. See “Custom
Messages” on page 173.
• Authentication support in access control rules – Access control rules are
now authentication aware. You can configure access control rules to apply to
all clients, or only authenticated clients. See “Access” on page 198.
• TLS enforcement – Access control rules can be configured to require TLS
connections. You can configure the connection requirement in TLS profiles
and select them in each access control rule. For more information about TLS
profiles, see “TLS” on page 349. For more information about access control
rules, see “Access” on page 198.
User
• PKI Authentication support – You can configure the FortiMail unit to allow
administrator and email user log in using certificates. See “PKI User” on
page 236.
• Webmail multipart email display selection – Email users have the option to
display the HTML or text portion of an email.
Profile
• Spam action rewrites recipient email address – When the FortiMail unit
detects a spam message, it can add to, or replace, both the local and domain
parts of the recipient email address. See “Actions options” on page 257.
• Header Manipulation – You can configure session profiles to remove any
email message header. See “Session Configuration” on page 287.
• Mail rate limiting by email message quantity – Currently, you can restrict
clients to a maximum number of connections in a specified time. If you prefer,
you can instead restrict clients to a maximum number of email messages in a
specified time. Use the new CLI command set
ip_profile_setting rate_control message to make this change.
This is a system-wide setting. See the FortiMail CLI Reference.
AntiSpam
• Greylist AutoExempt – The FortiMail unit will automatically exempt certain
domains from greylisting for a period. This delays fewer messages and
reduces the number of greylist entries. See “Greylist automatic exemptions” on
page 408.
• MSISDN Reputation – You can configure the FortiMail unit to temporarily
block all MSISDN messages from repeated spam senders. Blacklist and
whitelist support is also included. See “MSISDN Reputation” on page 418.
• Bounce Verification – The FortiMail unit can detect and block invalid bounce
messages using bounce verification. See “Bounce Verification” on page 423.
Management methods
After you install the FortiMail unit, you can configure and manage it with either or
both of:
• the web-based manager
• the command line interface (CLI)
The web-based manager has two management modes:
• basic mode: this is the default mode after you log on to the system. In the basic
mode, there is also a quick start wizard to help you quickly set up the basic
network settings.
• advanced mode: this mode allows you to configure the detailed settings.
You can switch between the two modes. For more information, see “About the
web-based manager” on page 31.
If you have completed physical installation and initial configuration of your
FortiMail unit, you have already connected to one of these management methods.
For information about installing your FortiMail unit and connecting to the web-
based manager and/or the CLI, see the FortiMail Installation Guide or the
FortiMail QuickStart Guide.
Note: This Administration Guide describes the web-based manager. For equivalent
documentation of the CLI, see the FortiMail CLI Reference.
Configuration workflow
The web-based manager presents a large number of configuration options. Some
options require prior configuration of other options, or will not function correctly or
cannot be tested until other required components are functional.
Depending on the operation mode you use, the general configuration workflow
may vary.
Modes of operation
You can install the FortiMail unit to operate in either:
• gateway mode
• transparent mode
• server mode
Which mode of operation you choose will vary by its appropriateness to your
network topology and other requirements.
If you have completed physical installation and initial configuration of your
FortiMail unit, you have already selected a mode of operation. For information
about appropriate network topologies for each mode of operation, see the
FortiMail Installation Guide.
Note: All modes can scan for viruses and spam, but each mode of operation has
some features that are specific to it. This Administration Guide notes features of the
web-based manager that do not appear in all modes of operation.
In most cases, you will select the mode of operation once, and will not change it:
changing the mode of operation could require you to adjust your network topology,
configuration of the MX entry of DNS records for your protected domains, and
other setup considerations that are specific to the nature of each mode of
operation. Should you want to change the mode of operation, for information on
configuring the mode of operation, see “Changing the operation mode” on
page 117.
Email domains
An email domain is a set of email accounts that reside on a particular email server.
The email domain name is the portion of the user’s email address following the
“@” symbol.
FortiMail units can be configured to protect email domains (referred to as
“protected domains” in this Administration Guide) by defining policies and profiles
to scan and relay email that is incoming to or outbound from protected domains.
If the FortiMail unit is operating in gateway mode or transparent mode, there is
one local email domain that represents the FortiMail unit itself. If the FortiMail unit
is operating in server mode, protected domains reside locally on the FortiMail
unit’s built-in email server.
For information about creating protected domains, see “Creating a protected
domain” on page 182.
In transparent mode, each network interface includes a proxy that receives and
relays email. By default, the proxy responds to SMTP greetings (HELO/EHLO)
using the host name of the SMTP server of the protected domain. For information
about configuring the proxies, see “Proxies” on page 214. For information on
configuring the SMTP greeting, see “Creating a protected domain” on page 182.
ACCEPT The FortiMail unit will deliver the message and bypass all message
processing. That is, no antispam, antivirus, or similar scans will be
performed on the message.
RELAY The FortiMail unit will deliver the message and process it normally, with
all configured scanning.
REJECT The FortiMail unit does not accept delivery of the message. The
FortiMail unit sends a reject response to the system attempting delivery
of the email message.
DISCARD The FortiMail unit accepts the message and immediately deletes it
without delivery. The FortiMail unit does not inform the client.
For information about configuring access control, see “Access” on page 198.
Antispam techniques
Spam detection is a key feature of the FortiMail unit. The feature is based on two
tiers of spam defense: Fortinet’s FortiGuard Antispam service and FortiMail
antispam techniques. Each tier plays an important role in separating spam from
legitimate email. FortiGuard Antispam delivers a highly-tuned managed service
for the classification of spam while the FortiMail unit offers superior antispam
detection and control technologies.
In addition to scanning incoming email messages, FortiMail units can also inspect
the content of outgoing email messages. This can help eliminate the possibility
that an employee or a compromised computer could send spam, resulting in the
blacklisting of your organization’s email servers.
For more information on antispam techniques, see “Profile” on page 241 and
“AntiSpam” on page 365.
Forged IP scanning
When the FortiMail unit receives an email message, it converts the sender's IP
address to a canonical host name. The FortiMail unit then compares all of the
officially listed IP addresses for that host name with the sender's IP address. If the
sender's IP address is not found, the FortiMail unit considers the IP address and
host name to be forged and treats the email as spam. For more information, see
“Forged IP scan” on page 243.
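The check described above is a forward-confirmed reverse DNS lookup. The following is an added example, not FortiMail code: it implements the same comparison with constructed PTR and A record tables in place of real DNS so it runs offline. Treating a sender IP that has no PTR record as forged is an assumption of this example; the guide does not say how the unit handles that case.

```python
"""Forward-confirmed reverse DNS check, modelled on FortiMail's forged IP scan.

Added example (not FortiMail code). The record tables below are constructed
stand-ins for real DNS answers so that the logic can be exercised offline.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample records (documentation address ranges, not real hosts).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.25": "mx1.example.net",
    "192.0.2.99": "mail.example.org",
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.25", "192.0.2.26"],
    "mail.example.org": ["203.0.113.10"],  # deliberately does not list 192.0.2.99
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Reverse lookup: IP -> canonical host name (None if no PTR record)."""
    return PTR_RECORDS.get(ip)


def lookup_a(host: str) -> List[str]:
    """Forward lookup: host name -> all officially listed IP addresses."""
    return A_RECORDS.get(host, [])


def forged_ip_scan(
    sender_ip: str,
    ptr: Callable[[str], Optional[str]] = lookup_ptr,
    a: Callable[[str], List[str]] = lookup_a,
) -> dict:
    """Return a verdict dict: forged (bool), host (str or None), reason (str).

    Step 1: convert the sender IP to its canonical host name (PTR).
    Step 2: resolve that host name forward and look for the sender IP.
    The IP/host pair is treated as forged when step 2 does not find it.
    """
    host = ptr(sender_ip)
    if host is None:
        # Assumption of this example: no PTR record is handled like a mismatch.
        return {"forged": True, "host": None, "reason": "no PTR record"}
    listed = a(host)
    if sender_ip in listed:
        return {"forged": False, "host": host, "reason": "forward-confirmed"}
    return {
        "forged": True,
        "host": host,
        "reason": "host %s does not list %s (listed: %s)" % (host, sender_ip, listed),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.99", "198.51.100.7"):
        print(ip, forged_ip_scan(ip))
```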
Greylist scanning
Greylist scanning blocks spam based on the behavior of the sending server,
rather than the content of the messages. When receiving an email from an
unknown server, the FortiMail unit will temporarily reject the message. If the mail
is legitimate, the originating server will try to send it again later, at which time the
FortiMail unit will accept it. Spam senders rarely attempt a retry. For more
information, see “Greylist” on page 406.
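The following is an added example, not FortiMail code, that simulates the greylisting behaviour described above: an unknown (client IP, sender, recipient) triplet is temporarily rejected with a 4xx reply, and the message is accepted once a legitimate server retries after the delay. The delay, entry lifetime and SMTP reply text are assumptions of the example, not values from the guide.

```python
"""Greylisting simulation (added example, not FortiMail code).

A triplet of (client IP, envelope sender, envelope recipient) is tracked.
First contact -> temporary reject; a retry after the delay -> accept and
remember; a retry that never comes (typical spam bot) never gets through.
Delay and expiry values below are assumptions chosen for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)


@dataclass
class Greylist:
    initial_delay: int = 300      # seconds a new triplet must wait before retry (assumed)
    max_age: int = 4 * 3600       # seconds an unconfirmed entry is kept (assumed)
    pending: Dict[Triplet, float] = field(default_factory=dict)
    confirmed: Dict[Triplet, float] = field(default_factory=dict)

    def check(self, client_ip: str, sender: str, rcpt: str, now: float) -> Tuple[int, str]:
        """Return the (SMTP code, text) the receiving side would answer at time `now`."""
        key = (client_ip, sender.lower(), rcpt.lower())
        if key in self.confirmed:
            self.confirmed[key] = now          # refresh last-seen time
            return 250, "OK"
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.max_age:
            # Unknown (or stale) triplet: record it and ask the client to retry.
            self.pending[key] = now
            return 451, "4.7.1 Greylisted, please try again later"
        if now - first_seen < self.initial_delay:
            # Retried too quickly: still a temporary rejection.
            return 451, "4.7.1 Greylisted, please try again later"
        # A real MTA retried after the delay: promote the triplet and accept.
        del self.pending[key]
        self.confirmed[key] = now
        return 250, "OK"


def simulate() -> List[int]:
    """Constructed scenario: a legitimate MTA retries, a spam bot does not."""
    gl = Greylist()
    mta = ("192.0.2.25", "alice@example.net", "bob@example.com")
    bot = ("198.51.100.7", "promo@example.org", "bob@example.com")
    codes = [
        gl.check(*mta, now=0)[0],     # first contact -> 451
        gl.check(*bot, now=5)[0],     # first contact -> 451, bot never returns
        gl.check(*mta, now=60)[0],    # retried too soon -> 451
        gl.check(*mta, now=900)[0],   # retried after delay -> 250
        gl.check(*mta, now=950)[0],   # known triplet -> 250 without delay
    ]
    return codes


if __name__ == "__main__":
    print(simulate())  # expected [451, 451, 451, 250, 250]
```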
DNSBL scanning
In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the
FortiMail unit supports administrator-defined public Realtime Block List servers.
You can enable DNSBL filtering as part of the antispam profile, and define multiple
DNSBL servers for each antispam profile. For more information, see “DNSBL
scan” on page 243 and “DNSBL scan options” on page 246.
SURBL scanning
In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the
FortiMail unit supports administrator-defined public Spam URI Realtime Block
Lists servers. You can specify which public SURBL servers to use as part of an
antispam profile. For more information, see “SURBL scan” on page 243 and
“SURBL scan options” on page 248.
Bayesian scanning
Bayesian scanning uses databases to determine if an email is spam. For
Bayesian scanning to be effective, the databases must be trained with known-
spam and known-good email messages so the scanner can learn the differences
between the two types of email. To maintain its effectiveness, false positives and
false negatives must be sent to the FortiMail unit so the Bayesian scanner can
learn from its mistakes. Without this ongoing training, Bayesian scanning will
become significantly less effective over time.
The FortiMail Bayesian scanner uses three types of databases: personal, group,
and global. Personal databases are associated with individual users, the group
database applies to all users in a domain, and the global database applies to all
users hosted on domains defined on the FortiMail unit. For more information, see
“Training Bayesian databases” on page 387.
Heuristic scanning
The FortiMail unit includes rules the heuristic filter uses. Each rule has an
individual score used to calculate the total score for an email. An upper and lower
limit threshold for the heuristic filter is set for each antispam profile. To determine if
an email is spam, the heuristic filter examines an email message and adds the
score for each rule that applies to get a total score for that email. If the total is
greater than or equal to the upper threshold, the filter classifies the email as spam
and processes it accordingly. If the total is less than or equal to the lower
threshold, the email is not spam. If the total is between the two thresholds, the
heuristic filter cannot determine whether or not the email is spam. For more
information, see “Heuristic scan” on page 243.
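The following is an added example, not FortiMail's rule set, that shows the scoring model just described: each matching rule adds its score, and the total is compared against the antispam profile's lower and upper thresholds to give one of three outcomes. The rules, scores, thresholds and sample messages are all constructed for the example.

```python
"""Heuristic scoring with lower/upper thresholds (added example, not FortiMail code).

Rules, scores and thresholds are constructed; a real filter has many more
rules. The three-way outcome (spam / not spam / undetermined) follows the
description in the guide.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed rules: name -> (score, predicate over the raw message text).
# A negative score lets a rule count as evidence of legitimate mail.
RULES: Dict[str, Tuple[float, Callable[[str], bool]]] = {
    "subject_no_lowercase": (1.5, lambda m: re.search(r"^Subject: [^a-z\n]{10,}$", m, re.M) is not None),
    "money_amount":         (2.0, lambda m: re.search(r"\$\d[\d,]*", m) is not None),
    "urgent_wording":       (1.0, lambda m: re.search(r"\b(urgent|act now)\b", m, re.I) is not None),
    "missing_message_id":   (1.5, lambda m: re.search(r"^Message-ID:", m, re.M) is None),
    "has_list_unsubscribe": (-1.0, lambda m: re.search(r"^List-Unsubscribe:", m, re.M) is not None),
}


def heuristic_score(message: str, rules=RULES) -> Tuple[float, List[str]]:
    """Sum the score of every rule that applies; also return the rule names that hit."""
    total = 0.0
    hits: List[str] = []
    for name, (score, predicate) in rules.items():
        if predicate(message):
            total += score
            hits.append(name)
    return total, hits


def classify(total: float, lower: float, upper: float) -> str:
    """Map a total score onto the three outcomes the guide describes."""
    if total >= upper:
        return "spam"
    if total <= lower:
        return "not spam"
    return "undetermined"


def scan(message: str, lower: float = 1.0, upper: float = 4.0) -> dict:
    """Score a message with the (assumed) profile thresholds and return the verdict."""
    total, hits = heuristic_score(message)
    return {"score": total, "hits": hits, "verdict": classify(total, lower, upper)}


# Constructed sample messages.
SPAMMY = """From: promo@example.org
Subject: YOU HAVE WON $1,000,000
To: bob@example.com

URGENT: act now to claim your $1,000,000 prize.
"""

HAM = """From: alice@example.net
Subject: Lunch tomorrow?
Message-ID: <abc123@example.net>
To: bob@example.com

Still on for lunch tomorrow at noon?
"""

GRAY = """From: newsletter@example.net
Subject: This week's deals
To: bob@example.com

Save $20 on your next order.
"""

if __name__ == "__main__":
    for label, msg in (("SPAMMY", SPAMMY), ("HAM", HAM), ("GRAY", GRAY)):
        print(label, scan(msg))
```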
PDF scanning
Spammers may attach a PDF file to an otherwise empty message, to get their
email messages past spam safeguards. The PDF file contains the spam
information. Since the message body contains no text, antispam scanners cannot
determine if the message is spam. However, the FortiMail unit’s PDF scanning
option directs the heuristic, banned word, and image spam scanners to examine
the contents of PDF attachments. For more information, see “PDF” on page 257.
Sender reputation
The FortiMail unit tracks SMTP client behavior, limiting deliveries of those clients
sending excessive spam messages, infected email, or messages to invalid
recipients. Should clients continue delivering these types of messages, their
connection attempts will be rejected entirely. Sender reputation is managed by the
FortiMail unit and requires no administration. For more information, see “Display”
on page 417.
Order of execution
FortiMail units perform each of the antispam scanning and other actions in the
following order:
Deep Header
What is scanned: The message header.
If spam: If the Deep Header scan determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
If not spam: Proceed to the next check.
Content
What is scanned: Attached files for the content scan, and the message body for
the content monitor scan.
If spam: If the Content scanner determines the message is spam, the action
configured in the content profile individual action is invoked. If the individual
action is set to default, then the antispam profile default action is used.
If not spam: Proceed to the next check.
Status bar
While you are logged in to the web-based manager, a status bar appears near the
bottom of the browser window.
The left side of the status bar displays the FortiMail unit uptime and the user name
of the FortiMail administrator account that you are currently using.
If the FortiMail unit is running in high-availability (HA) mode, the status bar also
displays the host name, enabling you to differentiate members within the HA
cluster.
Basic mode
The basic mode of the web-based manager provides easy navigation using a set
of menu options that is simpler than the advanced mode.
By default, the web-based manager initially appears in basic mode when you log
in. You can configure a preference for either the basic mode or the advanced
mode of the web-based manager for each administrator account, causing the
web-based manager to start in that mode when the administrator logs in. For
more information, see “Admin” on page 57.
To manually switch from the advanced mode to the basic mode of the web-based
manager, go to Basic >>.
Note: The basic mode of the web-based manager includes the Quick Start Wizard. If you
have not yet performed the first-time setup of your FortiMail unit, you can use the Quick
Start Wizard to lead you through the required steps, then use the remaining basic mode or
advanced mode menu options if, for example, you later need to change or add to some part
of the configuration. For more information, see “Quick Start” on page 107.
This chapter describes the menu options that appear in the basic mode of the
web-based manager, and includes the following topics:
• Management
• Settings
• Log & Report
• Quick Start
Management
The Management menu enables you to view basic FortiMail unit information and
statuses, including:
• the FortiMail unit’s serial number
• current firmware version
• current virus definition version
• email statistics
• mail queues
• quarantines
You can also configure updates from the Fortinet Distribution Network (FDN),
such as FortiGuard Antivirus, change the firmware, back up and restore the
configuration, and shut down or restart the FortiMail unit.
The Management menu includes:
• Status
• Mail Queue
• Quarantine
Status
The Status menu enables you to view the statuses and other information on
various FortiMail unit aspects, such as serial numbers and email statistics.
The Status menu includes the following tabs:
• Status
• Mail Statistics
Status
The Status tab displays various system statuses, such as log disk usage, version
numbers and the history log. It also enables you to view and change firmware and
antivirus versions, configuration files, and to shut down or restart the FortiMail
unit.
To view status information, go to Management > Status > Status.
Figure 3: Status
Automatic Refresh Interval Select how often the web-based manager updates the
Status tab display.
Go Select to set the selected automatic refresh interval.
Refresh Select to manually update the Status tab display.
System Information
Serial Number The serial number of the FortiMail unit. The serial number
is unique to the FortiMail unit and does not change with
firmware upgrades.
UP Time The time in days, hours, and minutes since the FortiMail
unit was started or rebooted.
System Time The current time according to the FortiMail unit internal
clock.
Firmware Version The version of the firmware installed on the FortiMail unit.
Select Update to change the firmware. For more
information, see “Changing the firmware of your FortiMail
unit” on page 37.
Operation Mode The operation mode of the FortiMail unit. Select Change to
switch modes. For more information, see “Changing the
operation mode” on page 39.
Log Disk The capacity of the hard disk that the FortiMail unit uses to
store log messages. For more information on logging, see
“About FortiMail logging” on page 437.
For information on using the advanced mode of the web-
based manager to configure the RAID level of the log disk,
see “RAID” on page 148.
Mailbox Disk The capacity of the hard disk that the FortiMail unit uses to
store archived email and quarantined spam.
For information on using the advanced mode of the web-
based manager to configure the RAID level of the mailbox
disk, see “RAID” on page 148.
License Information
Antivirus The version of the FortiMail Antivirus Engine.
Antivirus Definitions The current installed version of the FortiMail Antivirus
Definitions.
Select Update to manually update the definitions. For more
information, see “Updating antivirus definitions from a file”
on page 42.
You can schedule the frequency at which the FortiMail unit
retrieves updates from the Fortinet Distribution Network
(FDN) using the advanced mode of the web-based
manager. For more information, see “Scheduling updates”
on page 126.
Antispam The version of FortiMail Antispam Engine.
Antispam Definitions The version of FortiMail Antispam Definitions.
System Settings
Settings Select Backup to download a configuration backup file.
Select Restore to upload a configuration backup file.
Select Restore Factory Defaults to revert the configuration
to the defaults of the firmware version.
For more information, see “Backing up the configuration”
on page 41, “Restoring the configuration” on page 41, and
“Reverting the configuration to firmware defaults” on
page 42.
System Resources
CPU Usage The current CPU activity. The web-based manager
displays CPU usage for core processes only. CPU usage
for management processes, such as HTTPS connections
to the web-based manager, is excluded.
Memory Usage The current memory (RAM) usage. The web-based
manager displays memory usage for core processes only.
Memory usage for management processes, such as
HTTPS connections to the web-based manager, is
excluded.
Log Disk Usage The current log disk usage indicates how much of the
allocated disk space is consumed. For information on log
settings, see “Logging to the hard disk” on page 439.
Mailbox Disk Usage The current mailbox disk usage indicates how much of the
allocated disk space is consumed.
You can use the advanced mode of the web-based
manager to configure an SNMP trigger to alert you when
the mailbox disk is very full. By default, it is set to trigger at
90% full. For more information, see “SNMP v1/v2c” on
page 142.
System Load A composite resource usage figure taking into account
CPU, memory, disk, and other FortiMail unit resources.
Active Sessions Shows the number of administrators and email users
logged in to the FortiMail unit.
CPU Usage History The amount of workload of the CPU, relative to its maximum.
Memory Usage History The amount of memory (RAM) in use, relative to its maximum.
Session History The amount of TCP sessions, relative to the number of units
displayed in the upper left corner of the graph.
You can view the connections to and from the FortiMail unit using the
advanced mode of the web-based manager. For more information,
see “Session” on page 121.
Network Utilization History The amount of network bandwidth usage, relative to the number of
units displayed in the upper left corner of the graph.
Note: Installing firmware replaces the current antivirus definitions with those included with
the firmware release that you are installing. After you install the new firmware, verify that
your antivirus definitions are up-to-date using the advanced mode of the web-based
manager. For more information, see “Manually initiating antivirus definitions updates” on
page 125.
Caution: Back up the configuration before beginning this procedure. This procedure may
reset changes that you have made to the FortiMail unit’s configuration file. For more
information on creating a backup, see “Backing up the configuration” on page 41.
5 In Upload File, type the path and filename of the firmware image file, or select
Browse and locate the file.
6 Select OK.
The FortiMail unit installs the uploaded firmware file and restarts. Time required
varies by the speed of the connection of your management computer to your
FortiMail unit. When complete, refreshing your browser will display the login page
of the web-based manager.
7 Log in again to the web-based manager.
8 Go to Management > Status > Status.
9 Confirm that the firmware upgrade has been successfully installed by verifying the
version number located next to Firmware Version in the System Information area.
10 Restore your configuration.
For information about restoring your configuration, see “Restoring the
configuration” on page 41.
Caution: Before performing any of these procedures, notify your email users.
Caution: Back up the configuration before beginning this procedure. This procedure may reset many of the configuration file changes that you have made to the FortiMail unit, including settings that do not apply to the new operation mode. For more information on creating a backup, see “Backing up the configuration” on page 41.
Note: If the FortiMail unit is operating in gateway mode, you must configure the MX record
on the DNS server for each protected domain to direct all email to this FortiMail unit instead
of the protected SMTP servers.
4 Select OK.
• If the client is configured for authentication and the “Use original server to
deliver mail” option under “For unknown Servers” of SMTP proxies is not
selected, configure and apply an authentication profile for the FortiMail unit,
and explicitly configure the back end mail server to allow relay. Without the
profile, the authentication will fail.
• For additional advanced options when configuring protected domains in
transparent mode, see “Creating a protected domain” on page 182.
Caution: A FortiMail configuration backup file is not a full backup of all data on the FortiMail unit. Backing up the FortiMail unit’s configuration does not include the mail queues, dictionaries, or the Bayesian database, which must be backed up separately. For more information, see “Queue Maintenance” on page 48, “Maintenance” on page 310 or “User” on page 389.
Note: This procedure restores the configuration backup file only. For instructions on
restoring other FortiMail unit data, see “Queue Maintenance” on page 48, “Maintenance” on
page 310, and “User” on page 389.
Caution: Back up the configuration before beginning this procedure. This procedure resets all changes that you have made to the FortiMail unit’s configuration file and reverts the system to the default values for the firmware version, including factory default settings for the IP addresses of network interfaces. For more information on creating a backup, see “Backing up the configuration” on page 41.
4 In Update File, type the path and filename of the firmware image file, or select
Browse and locate the file.
5 Select OK.
The FortiMail unit installs the antivirus definitions file. This takes about 1 minute.
6 Go to System > Status > Status.
7 Confirm that the antivirus definitions file has been successfully installed by
verifying the version number located next to AntiVirus Definitions in the License
Information area.
Mail Statistics
The Mail Statistics tab contains summaries of the numbers of email messages in
each time period that the FortiMail unit detected as containing viruses, spam, or
neither.
For email messages classified as spam, mail statistics include which FortiMail
feature classified the email as spam, such as Bayesian antispam databases,
access control, system wide black list (System List), or the email user-configured
black list (User List).
To use the Mail Statistics tab, you must first configure your FortiMail unit to detect
spam and/or viruses. For more information, see “AntiSpam” on page 81.
To view mail statistics, go to Management > Status > Mail Statistics.
Automatic Refresh Interval: Select the interval, such as 30 seconds, between automatic refreshes of the page. Refreshing the page displays current email statistics.
Refresh: Select to manually refresh the page, displaying current email statistics.
Statistics data extracted from log also available here: Select to display the statistics in graph format. To return to displaying the email statistics in table format, select Realtime statistics data also available here.
Summary: Select to display a summary of the hourly, daily, monthly, yearly, and total email statistics. The summary table includes both the total count of spam and viral email messages and counts for each method that caused email to be classified as spam or viral email.
Hourly History: Select to display graphs of the hourly email statistics.
Daily History: Select to display graphs of the daily email statistics.
Mail Queue
The Mail Queue menu enables you to view and manage the FortiMail unit’s email
queues: the deferred queue, the spam queue, and the dead email folder.
FortiMail units queue email messages when the email message is temporarily undeliverable, and move email messages to the dead mail folder when all retries have failed. You can configure aspects of queueing behavior, such as the interval at which the FortiMail unit retries sending the email messages, using the advanced mode of the web-based manager. For more information, see “Advanced (mail server settings)” on page 169.
The Mail Queue menu includes the following tabs:
• Deferred Queue
• Spam Queue
• Dead Mail
• Queue Maintenance
Deferred Queue
The Deferred Queue tab displays a list of email messages that are currently in the deferred queue. Unlike the spam queue, the deferred queue contains only email messages that are not tagged as spam.
FortiMail units move an email message to the deferred queue upon initial failure to
send the email message, which can be caused by various temporary reasons
such as interruptions to network connectivity. When an email message is deferred,
the FortiMail unit periodically retries to send the deferred email message.
Administrators can also manually initiate an attempt to send the email message. If
the email is subsequently sent successfully, the FortiMail unit removes the email
from the queue and does not notify the sender. But if the email message continues
to be deferred, the FortiMail unit eventually sends an initial delivery status
notification (DSN) email message to notify the sender that delivery has not yet
succeeded. Finally, if the FortiMail unit cannot send the email message by the end
of the time limit for delivery retries, the FortiMail unit sends a final DSN to notify
the sender about the delivery failure and deletes the email message from the
deferred queue. If the sender cannot receive this notification, such as if the
sender’s SMTP server is unreachable or if the sender address is invalid or empty,
the FortiMail unit will save a copy of the email in the dead mail folder. For more
information, see “Dead Mail” on page 47.
For information on configuring the delivery retry interval, maximum amount of time
that an email message can spend in a queue, and DSN timing using the advanced
mode of the web-based manager, see “Advanced (mail server settings)” on
page 169.
To view, delete, or attempt to resend an email message in the deferred queue, go
to Management > Mail Queue > Deferred Queue.
Spam Queue
The Spam Queue tab displays a list of email messages that are currently in the spam queue. Unlike the deferred queue, the spam queue contains only those deferred email messages that are tagged as spam.
Note: For information on tagging spam using the advanced mode of the web-
based manager, see “Actions options” on page 257.
FortiMail units move tagged spam to the spam queue upon initial failure to send
the email message, which can be caused by various temporary reasons such as
interruptions to network connectivity. When an email message is deferred, the
FortiMail unit periodically retries to send the deferred email message.
Administrators can also manually initiate an attempt to send the email message. If
the email is subsequently sent successfully, the FortiMail unit removes the email
from the queue and does not notify the sender. But if the email message continues
to be deferred, the FortiMail unit eventually sends an initial delivery status
notification (DSN) email message to notify the sender that delivery has not yet
succeeded. Finally, if the FortiMail unit cannot send the email message by the end
of the time limit for delivery retries, the FortiMail unit sends a final DSN to notify
the sender about the delivery failure and deletes the email message from the
deferred queue. If the sender cannot receive this notification, such as if the
sender’s SMTP server is unreachable or if the sender address is invalid or empty,
the FortiMail unit will save a copy of the email in the dead mail folder. For more
information, see “Dead Mail” on page 47.
For information on configuring the delivery retry interval, maximum amount of time
that an email message can spend in a queue, and DSN timing using the advanced
mode of the web-based manager, see “Advanced (mail server settings)” on
page 169.
To view or delete email messages in the spam queue, go to Management > Mail
Queue > Spam Queue.
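The retry and DSN sequence described for the deferred queue and the spam queue above, as an added simulation that is not FortiMail code: all messages are queued at minute 0, the retry interval, initial-DSN delay and maximum queue time are assumed values (the real ones come from Advanced (mail server settings)), and the delivery outcomes and sender addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class QueuedMail:
    msg_id: str
    sender: str                  # envelope sender; "" models an empty (null) return path
    tagged_spam: bool = False    # tagged spam is held in the spam queue instead
    tries: int = 0               # the "Tries" column
    initial_dsn_sent: bool = False


@dataclass
class QueueState:
    deferred: Dict[str, QueuedMail] = field(default_factory=dict)
    spam: Dict[str, QueuedMail] = field(default_factory=dict)
    dsns: List[Tuple[str, str]] = field(default_factory=list)       # (msg_id, "initial"|"final")
    dead_mail: List[Tuple[str, str]] = field(default_factory=list)  # DSNs the sender could not receive


def queue_for(state: QueueState, mail: QueuedMail) -> Dict[str, QueuedMail]:
    return state.spam if mail.tagged_spam else state.deferred


def notify_sender(state: QueueState, mail: QueuedMail, kind: str,
                  sender_reachable: Callable[[str], bool]) -> None:
    """Send a DSN to the envelope sender. If the sender cannot receive it
    (empty or invalid address, unreachable server), keep a copy in dead mail."""
    if mail.sender and sender_reachable(mail.sender):
        state.dsns.append((mail.msg_id, kind))
    else:
        state.dead_mail.append((mail.msg_id, kind))


def tick(state: QueueState, now: int, deliver: Callable[[QueuedMail], bool],
         sender_reachable: Callable[[str], bool], *, retry_interval: int,
         initial_dsn_after: int, max_queue_time: int) -> None:
    """Advance the clock to `now` (minutes since queueing) for both queues."""
    for queue in (state.deferred, state.spam):
        for msg_id in list(queue):
            mail = queue[msg_id]
            if now % retry_interval == 0:          # a delivery attempt is due
                mail.tries += 1
                if deliver(mail):
                    del queue[msg_id]             # delivered: removed silently, no DSN
                    continue
            if now >= max_queue_time:              # retries exhausted: final DSN, then drop
                notify_sender(state, mail, "final", sender_reachable)
                del queue[msg_id]
            elif now >= initial_dsn_after and not mail.initial_dsn_sent:
                notify_sender(state, mail, "initial", sender_reachable)
                mail.initial_dsn_sent = True


def simulate(mails: List[QueuedMail], success_on_try: Dict[str, int],
             sender_reachable: Callable[[str], bool], *, retry_interval: int = 30,
             initial_dsn_after: int = 240, max_queue_time: int = 1440) -> QueueState:
    """Run every message until it is delivered or expires. `success_on_try` is a
    constructed outcome table: the try number on which delivery succeeds
    (absent = never). The timing defaults are assumptions, not product values."""
    state = QueueState()
    for mail in mails:
        queue_for(state, mail)[mail.msg_id] = mail

    def deliver(mail: QueuedMail) -> bool:
        return success_on_try.get(mail.msg_id, 0) == mail.tries

    for now in range(0, max_queue_time + 1):
        tick(state, now, deliver, sender_reachable, retry_interval=retry_interval,
             initial_dsn_after=initial_dsn_after, max_queue_time=max_queue_time)
    return state


if __name__ == "__main__":
    # Constructed scenario: one message recovers on its third try, one expires with a
    # reachable sender, and one is tagged spam with an empty return path.
    msgs = [QueuedMail("m1", "alice@example.com"),
            QueuedMail("m2", "bob@example.net"),
            QueuedMail("m3", "", tagged_spam=True)]
    result = simulate(msgs, {"m1": 3}, lambda addr: True)
    print("DSNs sent:", result.dsns)          # m2 gets an initial and a final DSN
    print("Dead mail:", result.dead_mail)     # m3's DSNs cannot be returned
```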
Tries: The number of times that the FortiMail unit has tried to send the email.
Check All: Select to mark all checkboxes in the Select column for all email messages in the queue.
Uncheck All: Select to unmark all checkboxes in the Select column for all email messages in the queue.
Delete: In the Select column, mark the checkboxes in the rows corresponding to email messages that you want to delete, then select Delete. When you delete a deferred email, the FortiMail unit will send an email message, with the deleted email attached to it, to notify the sender.
Resend: In the Select column, mark the checkboxes in the rows corresponding to email messages that you want to resend, then select Resend.
Refresh: Select to refresh the list of deferred email messages. This can be useful to determine how many email messages are remaining in the queue after selecting Resend.
Dead Mail
The Dead Mail tab displays the list of email messages that are in the dead mail
folder.
Unlike the spam and deferred queues, the dead mail folder contains copies of delivery status notification (DSN) email messages from the FortiMail unit (“postmaster”) to senders of email that is considered to be more permanently undeliverable, because all previous retry attempts of the deferred email message have failed. These email messages from “postmaster” include the original email message for which the DSN was generated.
If an email message can be neither sent nor returned to the sender, it is usually because both the recipient and sender addresses are invalid. Such email messages are often sent by spammers who know the domain name of an SMTP server but not the names of its email users, and are attempting to send spam by guessing at valid recipient email addresses.
You can configure the FortiMail unit to automatically delete old email messages in
the dead mail folder. Alternatively, if the FortiMail unit is operating in server mode,
you can create a local email account named “postmaster” to receive these email
messages, or create an alias named “postmaster” to an existing email account,
instead of using the dead mail folder.
To view or delete email messages in the dead mail folder, go to Management >
Mail Queue > Dead Mail.
Queue Maintenance
The Queue Maintenance tab enables you to back up and restore the mail queues.
This can be useful if you need to change or reformat the mailbox hard disk.
To back up or restore email message queues, go to Management > Mail
Queue > Queue Maintenance.
Quarantine
The Quarantine menu enables you to view and delete email messages that have
been quarantined to a FortiMail unit’s hard drive.
You can quarantine email messages based upon the content of the email
messages, such as whether the email is spam or contains a prohibited word or
phrase. FortiMail units have two types of quarantine:
• Per-recipient quarantine: Quarantines email messages into separate folders for each recipient address in each protected domain. The FortiMail unit periodically sends spam reports to notify recipients, their designated group owner, and/or another email address of the email messages that have been added to the quarantine folder for that recipient.
• System quarantine: Quarantines email messages into a system-wide
quarantine. Unlike the per-recipient quarantine, the FortiMail unit does not
send a spam report and a FortiMail administrator should review the
quarantined email messages to decide if they should be released or deleted.
The Quarantine menu includes the following tabs:
• Recipients
• System quarantine
Recipients
The Recipients tab displays a list of per-recipient quarantine folders.
When incoming email matches a policy in whose antispam settings you have
configured the FortiMail unit to quarantine the email to the per-recipient spam
quarantine, the FortiMail unit will save the email to its hard drive and not deliver it
to the recipient. Instead, the FortiMail unit will periodically send a spam report to
email users, their designated group owner, or another recipient (if you have
configured one in the advanced mode of the web-based manager). The spam
report, by default sent once a day at 9 AM, lists all email messages that were
withheld since the previous spam report. Using the spam report, email users can
review email message details and release any email messages that are false
positives by clicking the link associated with them. The email message will then
be released from the quarantine and delivered to the email user’s inbox. Using the
web-based manager, FortiMail administrators can also manually release or delete
quarantined email. For more information on deleting email that has been
quarantined to the per-recipient quarantine, see “Managing email in per-recipient
quarantines” on page 51. For information on using the advanced mode of the
web-based manager to configure the schedule and recipients of the spam report,
see “Spam Report” on page 376.
You can configure the FortiMail unit to send email to the per-recipient quarantine
by selecting the Quarantine option for antispam settings in the basic mode of the
web-based manager, or selecting it as the action in content profiles and antispam
profiles. For more information, see “Actions options” on page 257 and “Incoming”
on page 276.
To view the recipient quarantine list, go to Management > Quarantine >
Recipients.
Check: To select all quarantine folders, select the checkbox in the Check column heading. To select individual quarantine folders, in the Check column, mark the checkboxes in the rows of quarantine folders that you want to select.
Recipient: The email address of a recipient for which the FortiMail unit has quarantined email. Select to view email messages quarantined for that recipient. For more information, see “Managing email in per-recipient quarantines” on page 51.
Size(KBytes): The size of the quarantine folder. Note: Folder sizes are updated once an hour.
Note: Email users can also manage their own per-recipient quarantines through spam
reports. For more information, see “Releasing and deleting email from the per-recipient
quarantine using spam reports” on page 382.
Search Result
Refresh: Select to refresh the page. This can be useful to display the current Status of a search task.
#: The index number of a search task. Select to display the search results.
Status: The completion status of the search task, such as Done or Pending.
Name: The date and time on which the search task was executed. Select to display the search results.
Action: Select View Result to display the search results. Select Copy to New to create a new search task by duplicating the settings of this search task. Select “stop” to pause the search task. The icon changes to a green “resume” arrow. Select “resume” to resume the search task. Select Delete to remove the search results.
5 Select OK.
The FortiMail unit executes the search, which appears in the Search Result
section.
System quarantine
The System quarantine tab displays the system quarantine.
Unlike the per-recipient quarantine, the system quarantine cannot be accessed
remotely by email users; they will not receive spam reports for email held in the
system quarantine, and cannot manage the system quarantine themselves. A
FortiMail administrator should therefore periodically review the contents of the
system quarantine. Alternatively, using the advanced mode of the web-based
manager, you can configure a special-purpose system quarantine administrator
for this task. For more information, see “System quarantine setting” on page 384.
By default, the system quarantine is not used. You can quarantine email to the
system quarantine by selecting “Quarantine to Review” in outgoing content
profiles and “Quarantine to review” in outgoing antispam profiles in the advanced
mode of the web-based manager. For more information, see “Actions options” on
page 263 and “Outgoing” on page 281.
To view the system quarantine, go to Management > Quarantine > System
Quarantine.
Settings
The Settings menu enables you to configure the system and email settings of the
FortiMail unit.
The Settings menu includes:
• Config
• Network
• Domains
• User (server mode)
• AntiSpam
Config
The Config menu provides options to configure the system time and administrator
accounts.
The Config menu includes the following tabs:
• Time
• Admin
Time
The Time tab enables you to configure the system time of the FortiMail unit.
For correct scheduling and logging, the FortiMail system time must be accurate.
You can either manually set the FortiMail system time or configure the FortiMail
unit to automatically keep its system time correct by synchronizing with a Network
Time Protocol (NTP) server.
Note: FortiMail units support daylight savings time (DST), including recent changes in the
USA, Canada and Western Australia.
Set Time: Select to manually set the FortiMail system date and time.
Synchronize with NTP Server: Select to use a network time protocol (NTP) server to automatically set the system date and time, then configure Server and Syn Interval.
Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.
Syn Interval: Specify how often the FortiMail unit will synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the FortiMail unit to synchronize its time once a day.
Admin
The Admin tab displays a list of the FortiMail unit’s administrator accounts.
Depending on the permission and assigned domain of your account, this list may
not display all other administrator accounts. For more information, see
“Administrator account permissions and domains” on page 58.
By default, FortiMail units have a single administrator account, “admin”. For more
granular administrative access, you can create additional administrator accounts
that are restricted to being able to configure a specific protected domain and/or
with restricted permissions. For more information, see “Administrator account
permissions and domains” on page 58 and “Creating an administrator account” on
page 59.
Note: If you have configured a system quarantine administrator account using the
advanced mode of the web-based manager, this account does not appear in the list of
standard FortiMail administrator accounts. For more information on the system quarantine
administrator account, see “System quarantine setting” on page 384.
To view the list of administrator accounts, go to Settings > Config > Admin.
Modify: Select Delete to remove an administrator account. This option does not appear for your own administrator account. Select Edit to change an administrator account. Select Change Password to change the password of an administrator account.
Create New: Select to create a new administrator account. For more information, see “Creating an administrator account” on page 59.
There can be up to five (5) administrator accounts per protected domain. The
maximum total number of administrators with Administrator access that are
assigned to protected domains is 25 for FortiMail-400 models and 50 for FortiMail-
2000 models.
Unlike other administrator accounts whose permission is Administrator and
domain is “system,” the “admin” administrator account exists by default and
cannot be deleted. The “admin” administrator account is similar to a root
administrator account. This administrator account always has full permission to
view and change all FortiMail configuration options, including viewing and
changing all other administrator accounts. Its name, permissions, and assignment
to the “system” domain cannot be changed.
Caution: Set a strong password for the “admin” administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the “admin” administrator account could compromise the security of your FortiMail unit.
Caution: Set a strong password for each administrator account, and change the passwords regularly. If possible, configure each Trusted Host to restrict administrative access to the FortiMail unit from within your trusted private network. Failure to restrict administrative access could compromise the security of your FortiMail unit.
Note: RADIUS and PKI authentication require that you first configure a RADIUS
authentication profile or PKI user in the advanced mode of the web-based manager. For
more information, see “Radius” on page 272 and “PKI User” on page 236.
10 Select OK.
Network
The Network menu provides options to configure network connectivity and
administrative access to the web-based manager or CLI of the FortiMail unit
through each network interface.
The Network menu includes the following tabs:
• Interface
• DNS
• Routing
Interface
The Interface tab displays a list of the FortiMail unit’s network interfaces.
You must configure at least one of the FortiMail unit’s network interfaces to enable
it to connect to your network. Depending on your network topology and other
considerations, you may choose to connect the FortiMail unit to your network
using two or more of the FortiMail unit’s network interfaces. You can configure
each network interface separately. For more information, see “Editing network
interfaces” on page 62.
To view the network interface list, go to Settings > Network > Interface.
Interface Name: The name (such as port2) and media access control (MAC) address for this network interface.
Addressing mode
4 Select OK.
DNS
The DNS tab enables you to configure the DNS servers that the FortiMail unit will
query to resolve domain names into IP addresses.
FortiMail units require DNS servers for features such as reverse DNS lookups and
other aspects of email processing. Your ISP may supply IP addresses of DNS
servers, or you may want to use the IP addresses of your own DNS servers.
Note: For improved FortiMail unit performance, use DNS servers on your local network.
Caution: If the FortiMail unit is operating in gateway mode, you must configure the MX record of the DNS server for each protected domain to direct all email to this FortiMail unit instead of the protected SMTP servers. Failure to update the records of your DNS server may enable email to circumvent the FortiMail unit.
Primary DNS Server: Enter the IP address of the primary DNS server.
Secondary DNS Server: Enter the IP address of the secondary DNS server.
Routing
The Routing tab displays a list of routes and enables you to configure static routes
and gateways used by the FortiMail unit.
To configure routes, go to Settings > Network > Routing.
Destination IP: The destination network IP address of traffic that will be routed. 0.0.0.0 indicates any IP address.
Mask: The netmask for the route.
Gateway: The IP address of the gateway for the route.
Modify: Select Delete to remove the route. Select Edit to modify the route.
Create New: Select to create a new static route.
4 Select OK.
Domains
The Domains menu enables you to create protected domains to define the SMTP
servers that the FortiMail unit protects. Usually, you will configure at least one
protected domain during installation, but you may also add more protected
domains or modify the settings of existing protected domains.
The Domains menu includes the following tabs:
• Domains
• Local Host
Domains
The Domains tab displays the list of protected domains.
Protected domains define connections and email messages for which the FortiMail unit can perform protective email processing by describing both:
• the IP address of an SMTP server
• the domain name portion (the portion which follows the “@” symbol) of recipient email addresses in the envelope
both of which the FortiMail unit compares to connections and email messages when looking for traffic that involves the protected domain.
Note: For FortiMail units operating in server mode, protected domains list only the domain
name, not the IP address: the IP address of the SMTP server is the IP address of the
FortiMail unit itself.
Aside from defining the domain, protected domains also contain some settings
that apply specifically to all email destined for that domain, such as mail routing
and disclaimer messages.
Many FortiMail features require that you configure a protected domain. For
example, when applying recipient-based policies for email messages incoming to
the protected domain, the FortiMail unit will compare the domain name of the
protected domain to the domain name portion of the recipient email addresses.
When FortiMail units operating in transparent mode are proxying email
connections for a protected domain, the FortiMail unit will pass, drop or intercept
connections destined for the IP address of an SMTP server associated with the
protected domain, and can use the domain name of the protected domain during
the SMTP greeting.
Note: For more information on how the domain name and mail exchanger (MX) IP address
of protected domains are used, see “Incoming vs. outgoing SMTP connections” on
page 214 and “Incoming vs. outgoing recipient-based policies” on page 355.
Usually, you have already configured at least one protected domain during
installation of your FortiMail unit. However, you can add more domains or modify
the settings of existing ones if necessary. For more information, see “Creating a
protected domain” on page 68.
To view the list of protected domains, go to Settings > Domains > Domains.
Domain: The fully qualified domain name (FQDN) of the protected domain. If the protected domain is a subdomain or domain association, select the “+” next to a domain entry to expand the list of subdomains and domain associations. To collapse the entry, select “-”.
Use MX (transparent mode and gateway mode only): Indicates whether the IP address and the port number of the protected email server is manually defined in the FortiMail unit’s configuration file, or if you have enabled the FortiMail unit to query the DNS server’s MX record to ascertain that information for this domain name.
• Green check mark: Indicates that Use MX Record is enabled.
• Red X icon: Indicates that Use MX Record is disabled.
For more information, see “Use MX Record” on page 70.
SMTP Server (transparent mode and gateway mode only): The host name or IP address and port number of the mail exchanger (MX) for this protected domain. If Use MX contains a green check mark, this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty.
Sub (transparent mode and gateway mode only): A green check indicates that the entry is a subdomain of a protected domain.
Association (transparent mode and gateway mode only): A green check indicates that the entry is a domain association. For more information on domain associations, see “Configuring Domain Associations” on page 70.
Modify:
  Delete icon: Select to remove the protected domain and all associated email user accounts and preferences.
  Edit icon: Select to modify the protected domain. For more information, see “Creating a protected domain” on page 68. This option is not available for domain associations, as they use the settings of the protected domain with which they are associated.
Create New: Select to create a new protected domain, subdomain, or domain association. For more information, see “Creating a protected domain” on page 68.
Figure 26: Creating a protected domain (gateway mode and transparent mode)
Domain FQDN: Enter the fully qualified domain name (FQDN) of the protected domain. For example, if you want to protect email user accounts such as user1@example.com, you would enter the protected domain name example.com.
Use MX Record (transparent mode and gateway mode only): Select to enable the FortiMail unit to query the DNS server’s MX record for the FQDN or IP address of the SMTP server for this domain name, instead of manually defining the SMTP server in the fields SMTP Server and Fallback MX Host.
Note: If the FortiMail unit is operating in gateway mode and you enable this option, you usually should also configure the FortiMail unit to use a private DNS server. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. If the FortiMail unit is operating in transparent mode and you enable this option, a private DNS server is not required.
SMTP Server (transparent mode and gateway mode only): Enter the host name or IP address of the primary SMTP server for this protected domain, then also configure Use smtps and Port.
Port (transparent mode and gateway mode only): Enter the port number on which the SMTP server listens. If you enable Use smtps, Port automatically changes to the default port number for SMTPS, but can still be customized. The default SMTP port number is 25; the default SMTPS port number is 465.
4 Select OK.
Domain associations can be useful for saving time when you have multiple
domains for which you would otherwise need to configure protected domains with
identical settings.
For example, if you have one SMTP server handling email for ten domains, you
could create ten separate protected domains, and configure each with identical
settings. Alternatively, you could create one protected domain, listing the nine
remaining domains as domain associations. The advantage of using the second
method is that you do not have to repeatedly configure the same things when
creating or modifying the protected domains, saving time and reducing chances
for error. Changes to one protected domain automatically apply to all of its
associated domains.
The maximum number of domain associations that you can create is separate
from the maximum number of protected domains. For more information, see the
Fortinet Knowledge Center article FortiMail v3.0 MR4 Maximum Values Matrix.
Note: Domain Associations options do not appear if the FortiMail unit is operating in server
mode.
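How a protected-domain table like the one on this page is matched against traffic (the SMTP server address and the domain portion of the envelope recipient), with subdomain entries and domain associations resolving to the parent domain whose settings they share, as an added example that is not FortiMail code. Domain names and IP addresses are constructed samples; `validate` is an added consistency check, not a documented product feature.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Iterable, List, Optional, Set


def norm_domain(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


@dataclass
class ProtectedDomain:
    name: str                      # Domain FQDN
    smtp_server_ip: str            # address of the protected SMTP server (or its MX)
    subdomains: Set[str] = field(default_factory=set)    # entries with a "Sub" check
    associations: Set[str] = field(default_factory=set)  # entries with an "Association" check

    def __post_init__(self) -> None:
        self.name = norm_domain(self.name)
        self.subdomains = {norm_domain(d) for d in self.subdomains}
        self.associations = {norm_domain(d) for d in self.associations}


def recipient_domain(rcpt_to: str) -> str:
    """Domain-name portion of an envelope recipient: the part after the last '@'."""
    addr = rcpt_to.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        raise ValueError(f"no domain part in envelope recipient {rcpt_to!r}")
    return norm_domain(addr.rsplit("@", 1)[1])


def validate(domains: Iterable[ProtectedDomain]) -> List[str]:
    """A name may be claimed by only one protected domain (as its FQDN, a
    subdomain or an association); otherwise recipient matching is ambiguous."""
    owner, problems = {}, []
    for pd in domains:
        for name in (pd.name, *pd.subdomains, *pd.associations):
            if name in owner and owner[name] != pd.name:
                problems.append(f"{name} is claimed by both {owner[name]} and {pd.name}")
            owner.setdefault(name, pd.name)
    return problems


def match_recipient(domains: Iterable[ProtectedDomain], rcpt_to: str) -> Optional[ProtectedDomain]:
    """Protected domain whose FQDN, subdomain or association equals the recipient's
    domain portion. Associations and subdomains resolve to the parent entry."""
    domain = recipient_domain(rcpt_to)
    for pd in domains:
        if domain == pd.name or domain in pd.subdomains or domain in pd.associations:
            return pd
    return None


def match_connection(domains: Iterable[ProtectedDomain], dst_ip: str) -> Optional[ProtectedDomain]:
    """Protected domain whose SMTP server is the connection's destination address
    (what a transparent-mode unit uses to decide whether to pass, drop or intercept)."""
    target = ip_address(dst_ip)
    for pd in domains:
        if ip_address(pd.smtp_server_ip) == target:
            return pd
    return None


if __name__ == "__main__":
    # Constructed table: one server handling example.com plus two associated domains.
    table = [
        ProtectedDomain("example.com", "192.0.2.25", subdomains={"mail.example.com"},
                        associations={"example.org", "example.net"}),
        ProtectedDomain("corp.example", "198.51.100.10"),
    ]
    print(validate(table))                                   # []
    print(match_recipient(table, "<carol@example.org>").name)  # example.com (association)
    print(match_recipient(table, "dave@lists.example.com"))  # None: not an explicit subdomain
    print(match_connection(table, "198.51.100.10").name)     # corp.example
```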
Members: The list of domain names that are associated with this protected domain. Associated domains use the settings of the protected domain with which they are associated (with the sole exception of their domain name), and do not have protected domain settings of their own.
Remove Selected: Select one or more domain names, then select Remove Selected to remove them from the Members area.
Add: Enter a fully qualified domain name (FQDN) that you want to use the same settings as this protected domain, then select Add to add the domain name to the Members area.
5 Select OK.
Local Host
The Local Host tab enables you to configure the SMTP server settings of the
“system” domain, which is located on the local host (that is, your FortiMail unit).
You usually should configure the FortiMail unit with a local domain name that is
different from that of protected domains, such as mail.example.com for the
FortiMail unit and server.mail.example.com for the protected mail server. The local
domain name of the FortiMail unit will be used in many FortiMail features such as
email quarantine, Bayesian database training, spam report, and delivery status
notification (DSN) email messages, and if the FortiMail unit uses the same domain
name as your mail server, it may become difficult to distinguish email messages
that originate from the FortiMail unit.
To configure local SMTP server settings, go to Settings > Domains >
Local Host.
Figure 29: Local Host Setting (transparent mode and gateway mode)
Local Host
Host Name Enter the host name of the FortiMail unit.
You should use a different host name for each FortiMail
unit, especially when you are managing multiple FortiMail
units of the same model, or when configuring a FortiMail
high availability (HA) cluster. This will enable you to
distinguish between different members of the cluster. If
the FortiMail unit is in HA mode:
• When you connect to the web-based manager, your web browser will display the host name of that cluster member in its status bar.
• The FortiMail unit will add the host name to the subject
line of alert email messages.
Local Domain Name Enter the local domain name of the FortiMail unit itself. The FortiMail unit’s fully qualified domain name (FQDN) is in the format <Host Name>.<Local Domain Name>.
Note: The Local Domain Name can be a subdomain of an
internal domain if the MX record for the domain on the
DNS server can direct the mail destined for this
subdomain to the intended FortiMail unit.
SMTP Server Port Number Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.
SMTP over SSL/TLS Enable to allow SSL- and TLS-secured connections from
servers and clients requesting SSL/TLS.
When disabled, SMTP connections with the FortiMail
unit’s SMTP server will occur as clear text, unencrypted.
This option must be enabled to use SMTPS.
SMTPS Server Port Number Enter the port number on which the FortiMail unit’s SMTP server listens for secure SMTP connections. The default port number is 465.
This option is unavailable if SMTP over SSL/TLS is disabled.
POP3 Server Port Number Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.
This option is available only if the FortiMail unit is operating in server mode.
Relay Server
Relay Server Name Enter the domain name of an SMTP relay server, if any.
This is typically provided by your ISP.
Relay Server Port Enter the port number on which the SMTP relay server
listens. This is typically provided by your ISP.
Authentication Required If the relay server requires authentication, enable this option, then select the blue arrow to expand and configure User Name, Password, and Auth Type. Available authentication types include:
• AUTO
• PLAIN
• LOGIN
• DIGEST-MD5
• CRAM-MD5
Note: This menu option appears only when the FortiMail unit is operating in server mode.
User
The User tab enables you to configure email user accounts for the protected
domains that are hosted on the FortiMail unit.
Note: This option appears only if the FortiMail unit is operating in server mode.
Email users can check their email using webmail or through an email client such
as Microsoft Outlook, using POP3 or IMAP. For information on webmail and other
features used directly by email users, see “Instructions for email users” on
page 531.
Some antispam behaviors can be configured specifically for each email user
account using the advanced mode of the web-based manager. For example, each
email user can train their own per-user Bayesian database and create white lists
and black lists specific to their email user account. For information on configuring
per-user white lists and black lists, see “User Preferences” on page 224. For
information on per-user Bayesian databases, see “User” on page 389.
To view the list of email user accounts, go to Settings > User > User.
Show Users of Domain Select the protected domain to display its email users, or select the protected domain to which you want to add an email user account before selecting Create New.
Export .CSV Select to download a backup of the email users list in comma-separated
value (CSV) file format. For more information, see “To export the email
user list” on page 76.
Import .CSV In the field to the right side of Import .CSV, enter the location of a CSV-
formatted email user backup file, then select Import .CSV to upload the
file to your FortiMail unit. For more information, see “To import an email
user list” on page 76.
Browse Select to locate an email user list backup file before selecting
Import .CSV.
ALL, 0-9, A ... Z Select a letter or number to display email users whose user names
begin with that character. Alternatively, select ALL to display a list
containing all email users.
View n lines each page Select the number of lines to display per page.
Go to line Enter the index number of the line you want to display, then select Go.
Delete Selected Users To delete all email user accounts, in the checkbox column, mark the checkbox in the column heading to select all email users, then select Delete Selected Users.
To delete individual email user accounts, in the checkbox column, mark checkboxes in the rows of email users that you want to delete, then select Delete Selected Users.
Reassign a new password to the selected users To change the password of all email user accounts, in the checkbox column, mark the checkbox in the column heading to select all email users, then select Reassign a new password to the selected users.
To change the password of individual email user accounts, in the checkbox column, mark checkboxes in the rows of email users for which you want to change the password, then select Reassign a new password to the selected users.
# The index number of each email user in the list.
Check box Select the checkbox in the column heading to mark the checkboxes of
all email users.
Select the checkboxes in the rows of individual email users to select
only those email users.
User Name The user name of an email user, such as “user1”. This is also the user
name portion of the email user’s primary email address.
To alphabetically sort the list of email users by user name, select the
arrow icon in the column heading for this column.
Display Name The display name of an email user, such as “J Smith”. This name
appears in the “From:” field in the message headers of email messages
sent from this email user.
Disk Usage (M) The disk space used by mailboxes for the email user, in megabytes.
Modify Select Delete to remove the email user account.
Select Edit to modify the email user account.
Select Maintenance to view or delete the list of mailboxes for that email
user. For more information, see “Managing the disk usage of email
users’ mailboxes” on page 78.
Create New Select to create a new email user account. For more information, see
“Creating an email user account” on page 77.
Note: Before importing a user list or adding an email user, you must first configure one or
more protected domains to which the email users will belong. For more information, see
“Domains” on page 66.
Caution: Before beginning this procedure, back up the list of email user accounts. This procedure permanently deletes one or more email user accounts, which cannot be undone. For more information on backing up email user account data, see “To export the email user list” on page 76.
Caution: This procedure sets the same password for one or more email user accounts, which can result in reduced security of the email users’ accounts. To reduce risk, set a strong password and notify each email user whose password has been reset to configure a unique, strong password as soon as possible.
2 From Show Users Of Domain, select the name of the protected domain in which
you want to change email user account passwords.
3 To change the passwords of all email user accounts for the protected domain,
mark the checkbox located in the checkbox column heading.
To change the passwords of individual email user accounts, in the checkbox
column, mark the checkboxes of each email user account whose password you
want to change.
4 Select Reassign a new password to the selected users.
5 Select either:
• Password, then enter the password for this email account, or
• LDAP, then select the name of an LDAP profile in which you have enabled and
configured the User Auth Options query, which enables the FortiMail unit to
query the LDAP server to authenticate the email user.
Note: You can create LDAP profiles using the advanced mode of the web-based manager.
For more information, see “Creating LDAP profiles” on page 321.
6 Select OK.
Note: Before importing a user list or adding an email user, you must first configure one or
more protected domains to which the email users will belong. For more information, see
“Domains” on page 66.
4 In User Name, enter the user name portion of the email address that will be locally
deliverable on the FortiMail unit.
For example, an email user may have numerous aliases, mail routing, and other
email addresses on other systems in your network, such as
accounting@example.com; this user name, however, reflects the email user’s
account on this FortiMail unit, such as jsmith.
5 Select either:
• Password, then enter the password for this email account, or
• LDAP, then select the name of an LDAP profile in which you have enabled and
configured the User Auth Options query, which enables the FortiMail unit to
query the LDAP server to authenticate the email user.
Note: The LDAP option requires that you first create an LDAP profile in which you have
enabled and configured User Auth Options using the advanced mode of the web-based
manager. For more information, see “Creating LDAP profiles” on page 321.
6 In Display Name, enter the name of the user as it should appear in the message
envelope.
For example, an email user whose email address is user1@example.com may
prefer that their Display Name be “J Smith”.
7 Select OK.
Folder Name The name of the email user’s mailbox folder, such as Sent.
Disk Usage(Byte) The amount of hard disk space used by the mailbox folder.
Folder Action Select Clear Folder to empty the contents of the email folder.
User Alias
The User Alias tab enables you to configure email address aliases for the
protected domains that are hosted on the FortiMail unit when the FortiMail unit is
operating in server mode.
Aliases are sometimes also called distribution lists, and may translate one email
address to the email addresses of several recipients, also called members, or
may be simply a literal alias — that is, an alternative email address that resolves
to the real email address of a single email user.
For example, groupa@example.com might be an alias that the FortiMail unit will
expand to user1@example.com and user2@example.com, having the effect of
distributing an email message to all email addresses that are members of that
alias, while john.smith@example.com might be an alias that the FortiMail unit
translates to j.smith@example.com. In both cases, the FortiMail unit converts the
alias in the recipient fields of incoming email messages into the member email
addresses of the alias, each of which are the email address of an email user that
is locally deliverable on the SMTP server or FortiMail unit.
Note: Members of an alias can include the email address of the alias itself.
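The expansion described above, including the case in the Note where an alias lists itself, as an added example (not FortiMail code; the alias table, the local user set and the case-insensitive address comparison are constructed assumptions):

```python
"""Alias expansion as described under User Alias, including an alias that lists
itself. Added example, not FortiMail code; the alias table and users are constructed."""

# Constructed alias table for the protected domain example.com: alias -> members.
ALIASES = {
    "groupa@example.com": ["user1@example.com", "user2@example.com"],
    "john.smith@example.com": ["j.smith@example.com"],
    # nested alias, a member that is the alias itself, and a non-local member
    "everyone@example.com": ["groupa@example.com", "everyone@example.com",
                             "partner@external.example.net"],
    # an alias whose only member is itself: expands to nothing deliverable
    "loop@example.com": ["loop@example.com"],
}
LOCAL_USERS = {"user1@example.com", "user2@example.com", "j.smith@example.com"}


def expand_recipient(address, aliases, _seen=None):
    """Return the final delivery addresses for one recipient, in member order and
    without duplicates. Each alias is expanded at most once per recipient, so an
    alias that lists itself (or a cycle of aliases) cannot recurse forever."""
    addr = address.strip().lower()          # assumes case-insensitive addresses
    if _seen is None:
        _seen = set()
    if addr in _seen:
        return []
    _seen.add(addr)
    if addr not in aliases:
        return [addr]                        # not an alias: deliver as-is
    out = []
    for member in aliases[addr]:
        for final in expand_recipient(member, aliases, _seen):
            if final not in out:
                out.append(final)
    return out


def expand_recipients(recipients, aliases):
    """Rewrite a message's recipient list the way the unit converts alias
    addresses in the recipient fields into member addresses."""
    out = []
    for rcpt in recipients:
        for final in expand_recipient(rcpt, aliases):
            if final not in out:
                out.append(final)
    return out


def split_local(addresses, local_users):
    """Separate locally deliverable addresses from those relayed elsewhere."""
    local = [a for a in addresses if a in local_users]
    remote = [a for a in addresses if a not in local_users]
    return local, remote


def dead_aliases(aliases):
    """Aliases that expand to no address at all (only themselves or each other),
    which silently drop mail sent to them: worth checking after editing the table."""
    return sorted(a for a in aliases if not expand_recipient(a, aliases))
```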
To view the user alias list, go to Settings > User Alias > User Alias.
Select a domain Select the name of a protected domain to view email address aliases for
that protected domain.
Alias Name The email address of the alias, such as groupa@example.com.
Members The email addresses to which the alias will translate, which may be the
email addresses of one or more local or non-local email users. Multiple
email addresses are comma-delimited.
Modify Select Delete to remove the alias.
Select Edit to modify the alias.
Create New Select to add an alias. For more information, see “Creating an email
address alias” on page 79.
4 From Show Users of Domain, select the name of a protected domain to display
the email addresses of users from a specific protected domain, or select “all” to
display the email addresses of all email users in all protected domains.
The email addresses of email users from the selected protected domain appear in
the Available Local Users area.
5 In Alias Name, enter the user name portion of the email address alias.
For example, for the alias group1@example.com, you would enter group1.
6 Select the members of the alias.
• To add local email addresses as members to the alias, in the Available Local
Users area, select one or more email addresses, then select the right arrow.
The email addresses are removed from the Available Local Users area, and
appear in the Members area.
• To add non-local email addresses as members to the alias, in the External
Email Address field, enter the email address, then select the right arrow next to
the field. The email address appears in the Members area.
• To remove members from the alias, in the Members area, select one or more
email addresses, then select the left arrow. The email addresses are removed
from the Members area; local email addresses return to the Available Local
Users area.
7 Select OK.
AntiSpam
After you have integrated the FortiMail unit into your network by configuring the
network interfaces and protected domains, you can configure the antispam and
antivirus features of the FortiMail unit to protect your SMTP servers and email
users. The AntiSpam menu enables you to customize these features.
Antispam and antivirus settings can be configured separately for incoming and
outgoing email messages. For definitions of incoming and outgoing, see
“Incoming vs. outgoing email” on page 81.
Note: The Antispam menu of the basic mode of the web-based manager presents
simplified controls for typical antispam and antivirus configurations. If you need to achieve a
more sophisticated configuration, additional settings are available in profiles and recipient-
based and IP-based policies in the advanced mode of the web-based manager. For more
information, see “Profile” on page 241 and “Policy” on page 355.
Incoming
The Incoming tab displays the antispam and antivirus settings for each protected
domain, and enables you to customize these default settings.
To view the incoming antispam and antivirus settings, go to Settings >
AntiSpam > Incoming.
4 Select OK.
Incoming Action
The Incoming Action tab enables you to select which action the FortiMail unit will
take against spam and virus-infected incoming email.
AntiSpam Action
Tag Email in subject line Enable and enter the text that will appear in the subject line of the email, such as “[SPAM]”. The FortiMail unit will add this text to the subject line of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into
separate mailboxes, including a spam mailbox, based on
text appearing in various parts of email messages, including
the subject line. For details, see the documentation for your
email client.
Tag Email with Header Enable and enter the message header text. The FortiMail unit will add this text to the message header of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into
separate mailboxes, including a spam mailbox, based on
text appearing in various parts of email messages, including
the message header. For details, see the documentation for
your email client.
Message header lines are composed of two parts: a key and
a value, which are separated by a colon. For example, you
might enter:
X-Custom-Header: Detected as spam by profile 22.
If you enter a header line that does not include a colon, the
FortiMail unit will automatically append a colon, causing the
entire text that you enter to be the key.
Note: Do not enter spaces in the key portion of the header
line, as these are forbidden by RFC 2822.
Reject Enable to reject spam and send reject responses to the
sender.
AntiVirus Action
3 Select Apply.
Outgoing
After you have created a protected domain, the FortiMail unit will apply default
outgoing antispam and antivirus settings to the protected domain. The Outgoing
tab enables you to customize these default settings.
4 Select OK.
Outgoing Action
The Outgoing Action tab enables you to select which action the FortiMail unit will take against spam and virus-infected outgoing email.
AntiSpam Action
Tag Email in subject line Enable and enter the text that will appear in the subject line of the email, such as “[SPAM]”. The FortiMail unit will add this text to the subject line of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into
separate mailboxes, including a spam mailbox, based on text
appearing in various parts of email messages, including the
subject line. For details, see the documentation for your
email client.
Tag Email with Header Enable and enter the message header text. The FortiMail unit will add this text to the message header of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into
separate mailboxes, including a spam mailbox, based on text
appearing in various parts of email messages, including the
message header. For details, see the documentation for your
email client.
Message header lines are composed of two parts: a key and
a value, which are separated by a colon. For example, you
might enter:
X-Custom-Header: Detected as spam by profile 22.
If you enter a header line that does not include a colon, the
FortiMail unit will automatically append a colon, causing the
entire text that you enter to be the key.
Note: Do not enter spaces in the key portion of the header
line, as these are forbidden by RFC 2822.
Reject Enable to reject spam and send reject responses to the
sender.
Discard Enable to discard spam without sending reject responses to
the sender.
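The tagging rules described under both Incoming Action and Outgoing Action (subject-line tag, custom header, the appended colon, and the RFC 2822 ban on spaces in the key), as an added example that is not FortiMail code; the sample message and the client-side sorting rule are constructed:

```python
"""Spam tagging as described under Incoming Action and Outgoing Action: subject-line
tag, custom header tag, and the colon / no-spaces rules. Added example, not
FortiMail code; the message and the client-side sorting rule are constructed."""
import re

# RFC 2822 field name: printable US-ASCII (33-126) excluding ':'; spaces are not allowed.
_FIELD_NAME = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


def is_valid_field_name(key: str) -> bool:
    """True when key may be used as the key portion of a header line."""
    return bool(_FIELD_NAME.match(key))


def normalize_header_tag(text: str) -> str:
    """Apply the documented rule: a configured line without a colon gets one
    appended, making the whole text the key. Rejects keys RFC 2822 forbids."""
    text = text.strip()
    if ":" not in text:
        text += ":"                     # entire text becomes the key
    key, _, value = text.partition(":")
    if not is_valid_field_name(key):
        raise ValueError(f"invalid header key {key!r}: no spaces or control characters")
    return f"{key}: {value.strip()}".rstrip()


def tag_message(raw: str, subject_tag: str = None, header_tag: str = None) -> str:
    """Prepend subject_tag to the Subject line and insert header_tag as the first
    header. Assumes LF line endings and unfolded (single-line) headers."""
    head, sep, body = raw.partition("\n\n")
    lines = head.split("\n")
    if subject_tag:
        for i, line in enumerate(lines):
            if line.lower().startswith("subject:"):
                lines[i] = f"Subject: {subject_tag} {line[len('subject:'):].strip()}"
                break
        else:                           # message had no Subject header at all
            lines.append(f"Subject: {subject_tag}")
    if header_tag:
        lines.insert(0, normalize_header_tag(header_tag))
    return "\n".join(lines) + sep + body


def classify_folder(raw: str, header_key: str, subject_tag: str = "[SPAM]") -> str:
    """What a mail client's sorting rule does with the tagged message: file it
    in 'Spam' when either the custom header or the subject tag is present."""
    head, _, _ = raw.partition("\n\n")
    for line in head.split("\n"):
        key, _, value = line.partition(":")
        if key.lower() == header_key.lower():
            return "Spam"
        if key.lower() == "subject" and subject_tag in value:
            return "Spam"
    return "Inbox"


# Constructed sample message (not real traffic).
SAMPLE = "From: a@example.com\nTo: b@example.com\nSubject: Hello\n\nbody\n"
TAGGED = tag_message(SAMPLE, "[SPAM]", "X-Custom-Header: Detected as spam by profile 22.")
```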
AntiVirus Action
Logging
The Logging menu enables you to view log files and the log messages that they
contain.
Note: You can view history log messages from either the Status tab or Log & Report >
Logging.
By default, the FortiMail unit stores all log files on a local hard disk. To ensure that
that local hard disk has sufficient disk space to store new log messages, you
should regularly download copies of older log files to your management computer
or other storage, and then delete them from the FortiMail unit. For more
information on downloading, deleting, and emptying log files, see “Downloading
log files” on page 95, “Emptying the current log file” on page 96, and “Deleting
rolled log files” on page 96.
The lists of log files for each log type display both the current log file and rolled log
files. When the current log file reaches either the configured maximum log file size
or the maximum age, the FortiMail unit renames the current log file to create a
rolled log file, and then begins a new current log file.
The lists of log files are sorted by the time range of the log messages contained in
the log file, with the most recent log files appearing near the top of the list. For
example, the current log file would appear at the top of the list, above a rolled log
file whose time ranges from “2008-05-08 11:59:36 Thu” to “2008-05-29 10:44:02
Thu”.
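The rolling and listing behaviour described above, as an added example that is not FortiMail's implementation; the size and age thresholds, file names and sample messages are constructed:

```python
"""Log file rolling and listing as described above. Added example, not FortiMail's
implementation; thresholds, file names and the sample messages are constructed."""
from datetime import datetime, timedelta


class LogFileSet:
    """One current log file plus rolled files for a single log type. The current
    file is rolled when adding a message would exceed max_bytes, or when its
    oldest message is max_age or older."""

    def __init__(self, log_type, max_bytes, max_age):
        self.log_type = log_type
        self.max_bytes = max_bytes
        self.max_age = max_age
        self.current = []        # list of (timestamp, line)
        self.rolled = []         # completed files, oldest first

    @staticmethod
    def _size(entries):
        return sum(len(line) + 1 for _, line in entries)   # +1 for the newline

    def append(self, ts, line):
        if self.current:
            too_big = self._size(self.current) + len(line) + 1 > self.max_bytes
            too_old = ts - self.current[0][0] >= self.max_age
            if too_big or too_old:
                self.roll()
        self.current.append((ts, line))

    def roll(self):
        """Rename the current file (constructed name carries its start time)
        and begin a new, empty current file."""
        start, end = self.current[0][0], self.current[-1][0]
        self.rolled.append({
            "name": f"{self.log_type}-{start:%Y%m%d-%H%M%S}.log",
            "start": start, "end": end, "size": self._size(self.current),
        })
        self.current = []

    def listing(self):
        """Rows as shown in the log file list: current file on top, rolled
        files below it sorted most recent first."""
        rows = []
        if self.current:
            rows.append({"name": f"{self.log_type}.log",
                         "start": self.current[0][0], "end": self.current[-1][0],
                         "size": self._size(self.current), "current": True})
        for f in sorted(self.rolled, key=lambda f: f["end"], reverse=True):
            rows.append(dict(f, current=False))
        return rows


def time_range_label(dt):
    """Format a timestamp the way the list displays it, e.g. 2008-05-08 11:59:36 Thu."""
    return dt.strftime("%Y-%m-%d %H:%M:%S %a")
```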
You can view log messages contained in a specific log file by selecting either Start
time or End time, or by selecting the View icon. For more information, see
“Viewing log messages” on page 89.
To view the list of log files, go to Log & Report > Logging, then select a log type
tab, such as History.
Go to previous page Select to view the previous page of the list of log files.
Go to next page Select to view the next page of the list of log files.
Search Select to search the log files. For more information, see “Searching
log messages” on page 93.
View n lines each page Select the number of rows to display per page of the list of log files.
Total lines The total number of rows in the list of log files.
Go to line To display the log file list page that contains a specific index number
(#), enter the number and then select Go.
Delete Selected Items Select the log files by marking each checkbox in the rows corresponding to the log files that you want to delete, then select Delete Selected Items to remove those items from the hard disk.
# The index number for the row in the list of log files.
Start time The beginning of the log file’s time range.
End time The end of the log file’s time range.
Size The size of the log file in bytes.
Action Select Empty Log to clear the current log file of all log messages.
This option appears only for the current log file. For more
information, see “Emptying the current log file” on page 96.
Select View to display the log messages in the log file. For more
information, see “Viewing log messages” on page 89.
Select Download to download the log file to your management
computer. For more information, see “Downloading log files” on
page 95.
Select Delete to remove the selected log file from the hard disk. For
more information, see “Deleting rolled log files” on page 96.
Log messages are always displayed in columnar format, with one log field per
column. However, when viewing this columnar display, you can also view the log
message in raw format by hovering your mouse over the index number of the log
message, in the “#” column, as shown in Figure 43 on page 90.
You can select which columns to display or hide. For details, see “Displaying and
arranging log columns” on page 92.
When hovering your mouse cursor over a log message, that row is temporarily
highlighted; however, this temporary highlight automatically follows the cursor,
and will move to a different row if you move your mouse. To create a row highlight
that does not move when you move your mouse, click anywhere in the row of the
log message.
For information on individual log messages, see the FortiMail Log Message
Reference in the Fortinet Knowledge Center at http://kc.fortinet.com/.
Note: You can also view history log messages on the Status tab. For more information, see “Status” on page 34.
Go to previous page Select to view the previous page of the list of log files.
Go to next page Select to view the next page of the list of log files.
Search Select to search the log files. For more information, see “Searching
log messages” on page 93.
Level Select the severity level. The FortiMail unit will display only log
messages of the selected severity level and greater.
Subtype Select the subtype. The FortiMail unit will display only the log
messages of that subtype.
This option appears only when viewing event log messages.
View n lines each page Select the number of rows to display per page of the list of log files.
Total lines The total number of rows in the list of log files.
Go to line To display the log file list page that contains a specific index number
(#), enter the number and then select Go.
Choose Columns Select to add or remove log information columns to display. For more
information see “Displaying and arranging log columns” on page 92.
Using the Level and Subtype drop-down menus, you can constrain the display to
only event log messages with matching severity levels and subtype log fields. The
following tables describe each option of the Level and Subtype drop-down menus.
3 In the Action column, in the row corresponding to a log file whose log messages
you want to view, select View.
Alternatively, in the row corresponding to a log file whose messages you want to
view, select either Start time or End time.
Log messages contained in that log file appear.
3 In the Action column, in the row corresponding to a log file whose log messages
you want to view, select View.
Alternatively, in the row corresponding to a log file whose messages you want to
view, select either Start time or End time.
4 Select Choose Columns.
Lists of available and displayed columns for the log type appear.
5 In the Displayed Columns area, select a column name whose order of
appearance you want to change.
6 Select Move Up or Move Down to move the column in the ordered list.
Placing a column name towards the top of the Displayed Columns list will move
the column to the left side of the log message display.
7 Select Apply.
Note: Some email processing such as mail routing and subject line tagging modifies the
recipient email address, the sender email address, and/or the subject line of an email
message. If you are searching for log messages by these attributes, enter your search
criteria using text exactly as it appears in the log messages, not in the email message. For
example, you might send an email message from sender@example.com; however, if you
have configured mail routing on the FortiMail unit or other network devices, this address, at
the time it was logged by the FortiMail unit, may have been sender-1@example.com. In
that case, you would search for sender-1@example.com instead of sender@example.com.
4 Select Search.
5 Enter your search criteria by configuring one or more of the following:
Keyword Enter any word or words to search for within the log messages.
For example, you might enter “starting daemon” to locate all log
messages containing that exact phrase in any log field.
Message Enter all or part of the message log field.
Subject Enter all or part of the subject line of the email message as it appears
in the log message.
This option appears only for the History log type.
From Enter all or part of the sender’s email address as it appears in the log
message.
This option does not appear for the Event log type.
To Enter all or part of the recipient’s email address as it appears in the
log message.
This option does not appear for the Event log type.
Session Id Enter all or part of the session ID in the log message.
Log Id Enter all or part of the log ID in the log message.
Client Name Enter all or part of the domain name or IP address of the SMTP
client. For email users connecting to send email, this is usually an IP
address rather than a domain name. For SMTP servers connecting
to deliver mail, this may often be a domain name.
This option appears only for the History log type.
Time Select the time span of log messages to include in the search results.
For example, you might want to search only log messages that were
recorded during the two weeks and 8 hours previous to the current
date. In that case, you would specify the current date, and also
specify the size of the span of time (two weeks and 8 hours) before
that date.
6 Select Apply.
The FortiMail unit searches your currently selected log file for log messages that
match your search criteria, and displays any matching log messages. For
example, if you are currently viewing a rolled history log file, the search locates all
matching log messages located in that specific rolled history log file.
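The search criteria described above (exact-phrase Keyword, substring match on From/To/Subject/Client Name as logged, and a Time span before a given date), as an added example that is not FortiMail code; the key=value log line layout and the sample lines are constructed, not real FortiMail output:

```python
"""Searching log messages as described in the steps above. Added example, not
FortiMail code; the key=value layout and the sample lines are constructed."""
from datetime import datetime, timedelta
import shlex

# Constructed sample log lines (not real FortiMail output). The second line shows
# the Note above: the sender address was logged as rewritten by mail routing.
SAMPLE_LOG = [
    'date=2008-06-10 time=09:15:02 type=statistics session_id="k5A9F1" log_id=0200001 '
    'client_name="mx1.example.net" from="sender-1@example.com" to="user1@example.com" '
    'subject="Quarterly report" msg="Accepted"',
    'date=2008-06-20 time=14:30:45 type=statistics session_id="k5B2C7" log_id=0200002 '
    'client_name="192.0.2.10" from="jsmith@example.com" to="partner@example.net" '
    'subject="[SPAM] Cheap offers" msg="Spam detected"',
    'date=2008-06-27 time=08:00:11 type=event log_id=0100003 msg="starting daemon smtpd"',
]


def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["timestamp"] = datetime.strptime(
        f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def search(lines, keyword=None, from_=None, to=None, subject=None,
           client_name=None, end_date=None, span=None):
    """Return parsed records matching every given criterion.
    keyword: exact phrase, matched case-insensitively against any field value.
    from_/to/subject/client_name: substring of the value as it was logged, so a
    routed address must be given as logged (sender-1@..., not sender@...).
    end_date + span: keep only records within [end_date - span, end_date]."""
    results = []
    substrings = {"from": from_, "to": to, "subject": subject,
                  "client_name": client_name}
    for line in lines:
        rec = parse_line(line)
        if keyword and not any(keyword.lower() in v.lower()
                               for v in rec.values() if isinstance(v, str)):
            continue
        if any(val and val.lower() not in rec.get(key, "").lower()
               for key, val in substrings.items()):
            continue
        if end_date is not None and span is not None:
            if not (end_date - span <= rec["timestamp"] <= end_date):
                continue
        results.append(rec)
    return results
```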
Normal format Downloads the log file in plain (ASCII) text format with a file
extension of .log. You can view this format in a plain text editor
such as Microsoft Notepad.
CSV format Downloads the log file in comma-separated value (CSV) format
with a file extension of .csv. You can view this format in a
spreadsheet application such as Microsoft Excel.
Compressed format Downloads a compressed file with a file extension of .gz. This compressed file contains the log file in plain text format, with no file extension.
If your management computer is running Microsoft Windows or another operating system that requires file extensions, to enable your operating system to open the file, you can rename the log file to add a .log or .txt file extension.
If your web browser prompts you for the location to save the file, browse to select
or enter the name of the folder.
Note: Only the current log file can be emptied. Rolled log files cannot be emptied, but may
be deleted instead. For more information, see “Deleting rolled log files” on page 96.
Caution: Back up the current log file before emptying the current log file. When emptying the log file, log messages are permanently removed, and cannot be recovered. For instructions on how to download a backup copy of the current log file, see “Downloading log files” on page 95.
Note: Only rolled log files can be deleted. Current log files cannot be deleted, but may be
emptied instead. For more information, see “Emptying the current log file” on page 96.
Caution: Back up the current log file before deleting a log file. When deleting a log file, log messages are permanently removed, and cannot be recovered. For instructions on how to download a backup copy of a log file, see “Downloading log files” on page 95.
Reports
The Reports menu enables you to configure report profiles, generate reports, and
to view generated reports.
FortiMail units can collate information collected from their log files and present the information in tabular and graphical reports.
FortiMail units require log files and a report profile to be able to generate a report.
A report profile is a group of settings that contains the report name, file format,
subject matter, and other aspects that the FortiMail unit considers when
generating the report. For information on configuring a report profile, see
“Creating a report profile” on page 101.
Note: In addition to viewing full reports, you can also view summary email statistics. For
more information, see “Mail Statistics” on page 43.
Browse
The Browse tab displays a list of reports that have been generated from the report
profiles. You can delete, view, and/or download generated reports.
FortiMail units can generate reports automatically, according to the schedule that
you configure in the report profile, or manually, when you select Run Report in the
report profile list. For more information, see “Config” on page 100.
To view the list of generated reports, go to Log & Report > Reports > Browse.
Last Access Time The date and time when the FortiMail unit completed the
generated report.
Size (bytes) The file size of the report in HTML format.
Action Select Delete to remove the report.
Select Download HTML to download a compressed (.tgz) archive
containing the report in HTML file format to your management
computer.
Select Download PDF to download the report in PDF file format to
your computer.
Figure 50: Viewing a generated report (HTML file format, all sections)
3 If you want to view the report in HTML file format, you can view all sections of the
report together, or you can view a section individually.
• To view all report sections together, in the row corresponding to the report that
you want to view, select the name of the report, such as “treportprofile-2008-
06-27-1039”.
• To view one of the report sections, in the row corresponding to the report that
you want to view, select “+” next to the report name to expand the list of
sections, then select the file name of the section that you want to view, such as
“Spam_Recipient.html”.
The report appears in a new browser window.
To download a report
1 Go to Log & Report > Reports > Browse.
2 In the Action column, in the row corresponding to the report that you want to download, select which file format to download.
Download HTML Select to download a compressed (.tgz) archive containing the report
in HTML file format to your management computer.
Download PDF Select to download the report in PDF file format to your management
computer.
Config
The Config tab displays a list of report profiles, which are used to generate
reports, and define what information will appear in the generated report.
You may want to create one report profile for each type of report that you will
generate on demand or periodically, by schedule. For more information, see
“Creating a report profile” on page 101.
If you used the Quick Start Wizard to perform initial setup of your FortiMail unit, the
Quick Start Wizard automatically created two report profiles:
• predefined_report_yesterday
• predefined_report_last_week
Otherwise, no report profiles exist by default.
To view the list of report profiles, go to Log & Report > Reports > Config.
Time Period Select the time span of log messages from which to generate the
report. For more information, see “Configuring the time period of a
report profile” on page 102.
Query Selection Select one or more subject matters to include in the report. For
more information, see “Configuring the query selection of a report
profile” on page 102.
Schedule Select to generate reports from this report profile either manually
only or automatically, according to a schedule. For more
information, see “Configuring the schedule of a report profile” on
page 103.
Domain Select the protected domains to include in the report. For more
information, see “Configuring the protected domains of a report
profile” on page 104.
Incoming Outgoing Select whether to report upon incoming email, outgoing email, or
both. For more information, see “Configuring incoming and
outgoing of a report profile” on page 104.
Output Select to email reports generated using this report profile by
adding recipients to the Email Notification list and selecting either
“html report” or “pdf report” file format for the attached report. This
field is optional. For more information, see “Configuring the output
of a report profile” on page 104.
5 Select OK.
Time Period Select the time span of the report, such as This Month or
Last N Days.
Alternatively, select and configure From Date and To Date.
Last N Hours / Last N Days / Last N Weeks Enter the number N of the unit of time.
This option appears only when you have selected Last N Hours, Last N Days, or
Last N Weeks from Time Period, and therefore must define “N”.
From Date Select and configure the beginning of the time span. For
example, you may want the report to include log messages
starting from May 5, 2006 at 6 PM. You must also configure
To Date.
To Date Select to configure the end of the time
span. For example, you may want the
report to include log messages up to
May 6, at 12 AM. You must also select
and configure From Date.
Schedules
Not Scheduled Select if you do not want the FortiMail unit to
generate the report automatically according to a
schedule.
If you select this option, the report will only be
generated on demand, when you manually select
Run Report from the report profile list. For more
information, see “Config” on page 100.
Domain The list of protected domains whose log messages will be used when
generating the report.
Remove Selected Select one or more protected domains in the Domain area, then select
Remove Selected to remove them from that list.
Add Select All Domains or a protected domain from the drop-down menu,
then select Add to add that protected domain to the Domain area.
html report Select to attach a copy of the generated report in HTML format.
pdf report Select to attach a copy of the generated report in PDF file format.
Email Notification The list of recipients to which the FortiMail unit will send a copy of
reports generated using this report profile.
Remove Selected From Email Notification, select one or more recipients that you want to
remove, then select Remove Selected.
Add Enter the email address of a recipient, then select Add to add the email
address to the Email Notification area.
Alert Email
The Alert Email menu enables you to configure the FortiMail unit to notify you by
email message when specific types of events occur and are logged. For example,
if you require notification about virus detections, you can configure the FortiMail
unit to send an alert email message whenever the FortiMail unit detects a virus.
To configure alerts, you must configure both the recipients and which events will
trigger the FortiMail unit to send an alert email message. Alert email messages also
require that you configure the FortiMail unit with the IP address of at least one DNS server.
The FortiMail unit uses the domain name of the SMTP server to send alert email
messages; to resolve this domain name into an IP address, the FortiMail unit must be able
to query a DNS server. For information on using the advanced mode of the web-based
manager to configure DNS, see “DNS” on page 133.
The Alert Email menu includes the following tabs:
• Configuration
• Categories
Configuration
The Configuration tab enables you to configure recipient email addresses for alert
email messages.
Before the FortiMail unit can send alert email messages, you must configure one
or more recipients. You must also configure which categories of events will cause
the FortiMail unit to send an alert email message. For more information, see
“Categories” on page 106.
3 Select Apply.
A Test button appears below the Email To fields.
4 To verify that alert email is configured correctly by sending a sample alert email to
all configured recipients, select Test.
Categories
The Categories tab enables you to configure which events will cause the FortiMail
unit to send an alert.
Before the FortiMail unit can send an alert email message, you must select the
event or events that will cause the FortiMail unit to send an alert email message.
You must also configure alert email message recipients. For more information,
see “Configuration” on page 105.
3 Select Apply.
Quick Start
If you are configuring your FortiMail unit for the first time, you may want to use the
Quick Start Wizard. The Quick Start Wizard leads you through required
configuration steps, helping you to quickly set up your FortiMail unit.
All settings configured by the Quick Start Wizard can also be configured through
the basic and advanced modes of the web-based manager. However, the Quick
Start Wizard presents each setting in the necessary order, and contains
descriptions to assist you in configuring each setting. These descriptions are not
available in either the basic mode or advanced mode of the web-based manager.
Completing the Quick Start Wizard will:
• change the admin password
• configure system settings such as IP address, netmask, DNS, and gateway
• configure local host settings such as host name
• configure one or more protected domains
• set the level of incoming and outgoing antispam controls
• turn incoming and outgoing antivirus scanning on or off
Caution: Before running the Quick Start Wizard, select the operation mode of the FortiMail
unit, such as gateway mode, transparent mode, or server mode. Failure to select the
operation mode before running the Quick Start Wizard may require you to run the Quick
Start Wizard again after changing the operation mode, as changing the operation mode
may reset or change part of the configuration performed by the Quick Start Wizard. For
more information on selecting the operation mode, see “Changing the operation mode” on
page 39.
Note: The Quick Start Wizard appears only in the basic mode of the web-based manager.
If the web-based manager is currently in advanced mode and you want to use the Quick
Start Wizard, first switch to basic mode by going to Basic >>.
For more information on setting up your FortiMail unit, see the FortiMail
Installation Guide.
Advanced mode
The advanced mode of the web-based manager provides the full set of menu
options, allowing you to achieve more complex configurations than the basic
mode of the web-based manager.
By default, the web-based manager initially appears in basic mode when you log
in. You can configure a preference for either the basic mode or the advanced
mode of the web-based manager for each administrator account, causing the
web-based manager to start in that mode when the administrator logs in. For
more information, see “Creating an administrator account” on page 140.
To manually switch from the basic mode to the advanced mode of the web-based
manager, go to Advanced >>.
Note: The basic mode of the web-based manager includes the Quick Start Wizard. If you
have not yet performed the first-time setup of your FortiMail unit, you can use the Quick
Start Wizard to lead you through the required steps, then use the remaining basic mode or
advanced mode menu options if, for example, you later need to change or add to some part
of the configuration. For more information, see “Quick Start” on page 107.
The following chapters describe the menu options that appear in the advanced
mode of the web-based manager, and include the following topics:
• System
• Mail Settings
• User
• Profile
• Policy
• AntiSpam
• Email Archiving
• Log & Report
• Configuring and operating FortiMail HA
System
The System menu enables you to view basic FortiMail unit information and
statuses, including:
• the FortiMail unit’s serial number
• current firmware version
• current virus definition version
• email statistics
• IP sessions
• mail queues
• quarantines
You can also configure updates from the Fortinet Distribution Network (FDN),
such as FortiGuard Antivirus, change the firmware, back up and restore the
configuration, shut down or restart the FortiMail unit, and configure RAID,
high availability (HA), and network settings.
The System menu includes:
• Status
• Update
• Network
• Config
• RAID
• HA
• Certificate
• Maintenance
Status
The Status menu enables you to view the statuses and other information on
various FortiMail unit aspects, such as serial numbers and email statistics.
The Status menu includes the following tabs:
• Status
• Mail Statistics
• Session
Status
The Status tab displays various system statuses, such as log disk usage, version
numbers and the history log. It also enables you to view and change firmware and
antivirus versions, configuration files, and to shut down or restart the FortiMail
unit.
To view status information, go to System > Status > Status.
Automatic Refresh Interval Select how often the web-based manager updates the Status
tab display.
Go Select to set the selected automatic refresh interval.
Refresh Select to manually update the Status tab display.
System Information
Serial Number The serial number of the FortiMail unit. The serial number is
unique to the FortiMail unit and does not change with
firmware upgrades.
UP Time The time in days, hours, and minutes since the FortiMail unit
was started or rebooted.
System Time The current time according to the FortiMail unit internal
clock.
Firmware Version The version of the firmware installed on the FortiMail unit.
Select Update to change the firmware. For more information,
see “Changing the firmware of your FortiMail unit” on
page 114.
Operation Mode The operation mode of the FortiMail unit. Select Change to
switch modes. For more information, see “Changing the
operation mode” on page 117.
Log Disk The capacity of the hard disk that the FortiMail unit uses to
store log messages. For more information on logging, see
“About FortiMail logging” on page 437.
Mailbox Disk The capacity of the hard disk that the FortiMail unit uses to
store archived email and quarantined spam. For more
information on quarantining and email archiving, see
“Actions options” on page 257 and “Archiving Policy” on
page 432.
License Information
Antivirus The version of the FortiMail Antivirus Engine.
Antivirus Definitions The current installed version of the FortiMail Antivirus
Definitions.
Select Update to manually update the definitions. For more
information, see “Updating antivirus definitions from a file” on
page 125.
You can schedule the frequency at which the FortiMail unit
retrieves updates from the Fortinet Distribution Network
(FDN). For more information, see “Update” on page 122.
Antispam The version of FortiMail Antispam Engine.
Antispam Definitions The version of FortiMail Antispam Definitions.
System Settings
Settings Select Backup to download a configuration backup file.
Select Restore to upload a configuration backup file.
Select Restore Factory Defaults to revert the configuration to
the defaults of the firmware version.
For more information, see “Backing up the configuration” on
page 118, “Restoring the configuration” on page 119, and
“Reverting the configuration to firmware defaults” on
page 119.
System Resources
CPU Usage The current CPU activity. The web-based manager displays
CPU usage for core processes only. CPU usage for
management processes such as HTTPS connections to the
web-based manager is excluded.
Memory Usage The current memory (RAM) usage. The web-based manager
displays memory usage for core processes only. Memory
usage for management processes such as HTTPS
connections to the web-based manager is excluded.
Log Disk Usage The current log disk usage indicates how much of the
allocated disk space is consumed. For information on log
settings, see “Logging to the hard disk” on page 439.
Mailbox Disk Usage The current mailbox disk usage indicates how much of the
allocated disk space is consumed.
You can configure an SNMP trigger to alert you when the
mailbox disk is very full. By default, it is set to trigger at 90%
full. For more information, see “SNMP v1/v2c” on page 142.
System Load A composite resource usage figure taking into account CPU,
memory, disk, and other FortiMail unit resources.
Active Sessions Shows the number of administrators and email users logged
in to the FortiMail unit.
History Select History to view a graphical representation of the last
minute of CPU, memory, sessions, and network usage. For
more information, see “Viewing the system resources
history” on page 113.
• CPU Usage History: CPU usage for the previous minute.
• Memory Usage History: Memory usage for the previous
minute.
• Session History: Session history for the previous minute.
• Network Utilization History: Network utilization for the
previous minute.
System Command Select to restart or shut down the FortiMail unit. For more
information, see “Restarting and shutting down the FortiMail
unit” on page 116.
History Log Select History Log >> to view history log messages. For
more information on viewing log messages, see “Viewing log
messages” on page 444.
CPU Usage History The amount of workload of the CPU, relative to its maximum.
Memory Usage History The amount of memory (RAM) in use, relative to its maximum.
Session History The number of TCP sessions, relative to the number of units
displayed in the upper left corner of the graph.
You can view the connections to and from the FortiMail unit. For more
information, see “Session” on page 121.
Network Utilization History The amount of network bandwidth usage, relative to the number of
units displayed in the upper left corner of the graph.
Note: Installing firmware replaces the current antivirus definitions with those included with
the firmware release that you are installing. After you install the new firmware, make sure
that your antivirus definitions are up-to-date. For more information, see “Manually initiating
antivirus definitions updates” on page 125.
Caution: Back up the configuration before beginning this procedure. This procedure may
reset changes that you have made to the FortiMail unit’s configuration file. For more
information on creating a backup, see “Backing up the configuration” on page 118.
Caution: Before performing any of these procedures, notify your email users.
Caution: Back up the configuration before beginning this procedure. This procedure may
reset many of the configuration file changes that you have made to the FortiMail unit,
including settings that do not apply to the new operation mode. For more information on
creating a backup, see “Backing up the configuration” on page 118.
Note: If the FortiMail unit is operating in gateway mode, you must configure the MX record
of the DNS server for each protected domain to direct all email to this FortiMail unit instead
of the protected SMTP servers.
4 Select OK.
• Transparent: Use when a network is complex and you do not want to change
the IP address scheme.
• Server: Use if you need a secure SMTP server with integrated advanced
antispam and antivirus capabilities.
For more information about the different operation modes, see “Modes of
operation” on page 18.
Caution: A FortiMail configuration backup file is not a full backup of all data on the
FortiMail unit. Backing up the FortiMail unit’s configuration does not include mail queues,
dictionaries, or the Bayesian database, which must be backed up separately. For more
information, see “Queue Maintenance” on page 211, “Maintenance” on page 310 or “User”
on page 389.
Note: This procedure restores the configuration backup file only. For instructions on
restoring other FortiMail unit data, see “Queue Maintenance” on page 211, “Maintenance”
on page 310, and “User” on page 389.
Caution: Back up the configuration before beginning this procedure. This procedure resets
all changes that you have made to the FortiMail unit’s configuration file and reverts the
system to the default values for the firmware version, including factory default settings for
the IP addresses of network interfaces. For more information on creating a backup, see
“Backing up the configuration” on page 118.
Mail Statistics
The Mail Statistics tab contains summaries of the numbers of email messages in
each time period that the FortiMail unit detected as containing viruses, spam, or
neither.
For email messages classified as spam, mail statistics include which FortiMail
feature classified the email as spam, such as Bayesian antispam databases,
access control, system wide black list (System List), or the email user-configured
black list (User List).
To use the Mail Statistics tab, you must first configure your FortiMail unit to detect
spam and/or viruses. For more information, see “Profile” on page 241 and “Policy”
on page 355.
To view mail statistics, go to System > Status > Mail Statistics.
Automatic Refresh Interval Select the interval, such as 30 seconds, between automatic refreshes
of the page. Refreshing the page displays current email statistics.
Refresh Select to manually refresh the page, displaying current email
statistics.
Statistics data extracted from log also available here Select to display the statistics in
graph format. To return to displaying the email statistics in table format, select Realtime
statistics data also available here.
Summary Select to display a summary of the hourly, daily, monthly, yearly, and
total email statistics.
The summary table includes both the total count of spam and viral
email messages and counts for each method that caused email to be
classified as spam or viral email.
Hourly History Select to display graphs of the hourly email statistics.
Daily History Select to display graphs of the daily email statistics.
Monthly History Select to display graphs of the monthly email statistics.
Yearly History Select to display graphs of the yearly email statistics.
Session
The Session tab displays information about the connections to and from the
FortiMail unit.
To view the session list, go to System > Status > Session.
Total Number of Sessions Total number of sessions currently passing through the FortiMail unit.
Page The number of pages of sessions.
Refresh icon Select to update the session list.
Page up icon Select to view previous page in the session list.
Page down icon Select to view the next page in the session list.
View n lines each page Select the number of lines to display per page.
Protocol The service protocol of the connection, such as ICMP, UDP, or TCP.
From IP The source IP address of the connection.
From Port The source port of the connection.
To IP The destination IP address of the connection.
To Port The destination port of the connection.
Expire(secs) The time, in seconds, before the connection expires.
Update
The Update menu enables you to configure updates that the FortiMail unit can
receive from the Fortinet Distribution Network (FDN).
The Update menu includes the following tab:
• Update
Update
The Update tab displays the current versions and the dates of the most recent
updates to antivirus and antispam definitions and the antivirus engine. It also
allows you to manually initiate a request from the FortiMail unit to the FDN for
available updates, and/or to configure how the FortiMail unit will automatically
retrieve updates.
FortiMail units can receive updates from the FortiGuard Distribution Network
(FDN). The FDN is a world-wide network of FortiGuard Distribution Servers (FDS).
FortiMail units connect to the FDN by connecting to the FDS nearest to the
FortiMail unit by its configured time zone.
FortiMail units support two kinds of automatic update mechanisms:
• scheduled updates, by which the FortiMail unit periodically polls the FDN to
determine if there are any available updates
• push updates, by which the FDN actively notifies FortiMail units when updates
become available
For information on configuring scheduled updates, see “Scheduling updates” on
page 126. For information on configuring push updates, see “Enabling push
updates” on page 127.
You may want to configure both scheduled and push updates. In this way, if the
network experiences temporary problems such as connectivity issues that
interfere with either method, the other method may still be able to provide your
FortiMail unit with updated protection. You can alternatively manually update the
FortiMail unit by uploading an update file. For more information on uploading
updates, see “Updating antivirus definitions from a file” on page 125.
To receive scheduled and push updates, you must first register your FortiMail unit.
To register your FortiMail unit, go to the Fortinet Technical Support web site,
https://support.fortinet.com/. The FortiMail unit must also be able to connect to the
FDN. If you want to enable push updates, the FDN must also be able to connect to
your FortiMail unit to be able to send it notifications of available updates. For
additional requirements, see “Troubleshooting FDN connectivity” on page 124.
To view the currently installed engine or definition versions, or to configure
scheduled or push updates from the FDN, go to System > Update > Update.
• You might need to override the default FortiGuard server to receive updates.
For more information, see “To add an override server” on page 126.
If you have enabled push updates, in addition to the above, verify the following:
• If there is a NAT device installed between the FortiMail unit and the FDN, you
must configure it to forward push traffic to the FortiMail unit. For more
information, see “To enable push updates through a NAT device” on page 127.
• If your FortiMail unit connects to the Internet using a proxy, use the CLI
command set system autoupdate tunneling to enable the FortiMail
unit to connect to the FDN through the proxy. For more information, see the
FortiMail CLI Reference.
• You may need to add routes or configure your network to allow the FortiMail
unit to use HTTPS on TCP port 8890 to connect to the FDN.
5 Select OK.
The FortiMail unit installs the antivirus definitions file. This takes about 1 minute.
6 Go to System > Status > Status.
7 Confirm that the antivirus definitions file has been successfully installed by
verifying the version number located next to AntiVirus Definitions in the License
Information area.
Scheduling updates
FortiMail units can be configured to poll for and download updated definitions
hourly, daily, or weekly, according to a schedule that you specify.
Hourly Once every 1 to 23 hours. Select the number of hours and minutes between
each update request.
Daily Once a day. You can specify the time of day to check for updates.
Weekly Once a week. You can specify the day of the week and the time of day to
check for updates.
4 Select Apply.
The FortiMail unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiMail unit runs a scheduled update, the event is recorded in the
FortiMail event log. See “Log & Report” on page 437.
Note: You cannot receive push updates through a NAT device if the external IP address of
the NAT device is dynamic (for example, set using DHCP).
The following example describes how to configure a FortiGate unit running in NAT
mode to forward push updates to a FortiMail unit installed on its internal network.
Before the FortiMail unit on the internal network can receive push updates, you
must configure the FortiGate unit with a port forwarding virtual IP. This virtual IP
maps the IP address of the external interface of the FortiGate unit and a custom
port to the IP address of the FortiMail unit on the internal network.
Note: This example describes the configuration for a FortiGate NAT device. However, you
can use any NAT device with a static external IP address that can be configured for port
forwarding.
Use the following steps to configure the FortiGate NAT device and the FortiMail
unit on the internal network so that the FortiMail unit on the internal network can
receive push updates:
1 Add a port forwarding virtual IP to the FortiGate NAT device.
For more information, see the FortiGate Administration Guide.
2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding
virtual IP.
For more information, see the FortiGate Administration Guide.
3 Configure the FortiMail unit on the internal network with an override push IP and
port.
Note: Before completing the following procedure, you should register the internal network
FortiMail unit so that it can receive push updates. To register your FortiMail unit, go to
Product Registration and follow the instructions.
Network
The Network menu provides options to configure network connectivity and
administrative access to the web-based manager or CLI of the FortiMail unit
through each network interface.
The Network menu includes the following tabs:
• Interface
• DNS
• DDNS
• Routing
• Management IP
Interface
The Interface tab displays a list of the FortiMail unit’s network interfaces.
If your FortiMail unit is not properly deployed and configured for the topology of
your network, email may be able to bypass the FortiMail unit. For example,
spammers can easily determine the lowest priority mail server (the highest
preference number in the MX record) and deliver spam to it in an attempt to avoid
spam defences on the FortiMail unit. To ensure maximum protection against
spam, you should:
• configure your router or firewall to forward all SMTP traffic to the FortiMail unit
for scanning
• modify the DNS records of domain names associated with protected domains
to keep a single MX record entry that resolves to the FortiMail unit
• configure policies and profiles for each of the protected domains
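The MX-record bypass described above can be checked before and after you change the DNS records. The following is an added example, not Fortinet's code or a FortiMail feature: it parses dig-style MX answer lines, resolves each exchanger against a constructed table of A records, and reports every delivery path that does not end at the gateway, plus the presence of more than one MX entry. The hostnames, addresses and the GATEWAY_IPS set are constructed for illustration.

```python
"""Audit a protected domain's MX records for paths that bypass the gateway.

Added example (not Fortinet's code). Input is the answer section of a
dig/nslookup-style MX query, one record per line, plus the A-record
resolution of each exchanger. All data below is constructed.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample: the answer section of an MX query for example.com.
SAMPLE_MX_ANSWER = """\
example.com.    3600  IN  MX  10 fortimail.example.com.
example.com.    3600  IN  MX  20 mail2.example.com.
example.com.    3600  IN  MX  30 legacy-smtp.example.com.
"""

# Constructed sample: what each exchanger name resolves to.
SAMPLE_A_RECORDS: Dict[str, str] = {
    "fortimail.example.com": "198.51.100.25",
    "mail2.example.com": "198.51.100.25",      # second name, same gateway
    "legacy-smtp.example.com": "192.0.2.80",   # the protected SMTP server itself
}

# Constructed: address(es) on which the FortiMail unit accepts SMTP.
GATEWAY_IPS: Set[str] = {"198.51.100.25"}

# owner TTL IN MX preference exchange
MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<exchange>\S+)\s*$"
)


class MxRecord(NamedTuple):
    preference: int     # lower number = higher priority
    exchange: str       # hostname without the trailing dot


def parse_mx_answer(text: str) -> List[MxRecord]:
    """Parse dig-style MX answer lines, skipping blanks and ';' comments.

    Returns records sorted by preference, so the last entry is the
    lowest-priority server that a spammer would target.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised MX line: {line!r}")
        records.append(MxRecord(int(m["pref"]), m["exchange"].rstrip(".")))
    return sorted(records)


def audit_mx(records: List[MxRecord], a_records: Dict[str, str],
             gateway_ips: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means every MX path
    ends at the gateway and only a single MX entry exists."""
    findings = []
    for rec in records:
        ip = a_records.get(rec.exchange)
        if ip is None:
            findings.append(f"MX {rec.preference} {rec.exchange}: does not resolve")
        elif ip not in gateway_ips:
            # Mail sent to this exchanger never passes through the FortiMail unit.
            findings.append(
                f"MX {rec.preference} {rec.exchange} -> {ip}: bypasses the gateway")
    if len(records) > 1:
        findings.append(
            f"{len(records)} MX entries present; keep a single entry that "
            f"resolves to the FortiMail unit")
    return findings


if __name__ == "__main__":
    recs = parse_mx_answer(SAMPLE_MX_ANSWER)
    for finding in audit_mx(recs, SAMPLE_A_RECORDS, GATEWAY_IPS) or ["OK: no bypass paths"]:
        print(finding)
```

Run against the constructed data, the audit flags the legacy server at preference 30 and the presence of three MX entries; after the records are reduced to the single gateway entry the audit returns no findings.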
The FortiMail unit also provides IP addresses for administrator access to the web-
based manager and for user access to webmail. In transparent mode, you specify
a management IP address. In gateway and server modes, the IP address of the
interface serves this purpose. If the interface is configured to enable
administrative access, you can also use this IP address to access the web-based
manager. The administrative and user access URLs are as follows:
To view the list of network interfaces, go to System > Network > Interface.
Interface Name The name (such as port2) and media access control (MAC)
address for this network interface.
Addressing mode
Do not associate with management IP Enable to configure an IP address and netmask for this
network interface, separate from the management IP, then configure IP/Netmask.
This option appears only if the FortiMail unit is operating in
transparent mode and if the network interface is not port1,
which must always be bridging. For more information, see
“Management IP” on page 135.
Manual Select to enter a static IP address, then enter the IP address
and netmask for the network interface in the IP/Netmask field.
This option appears only if the FortiMail unit is operating in
gateway mode or server mode, and the network interface is not
port1.
IP/Netmask Enter the IP address and netmask for the network interface.
If the FortiMail unit is operating in gateway mode or server
mode, this option is available only if Manual is selected.
If the FortiMail unit is operating in transparent mode, this option
is available only if Do not associate with management IP is
enabled.
DHCP Select to retrieve a dynamic IP address using DHCP.
This option appears only if the FortiMail unit is operating in
gateway mode or server mode.
Retrieve default gateway and DNS from server Select to retrieve both the default gateway
and DNS addresses from the DHCP server, replacing any manually configured values.
Connect to Server Select for the FortiMail unit to attempt to obtain DNS
addressing information from the DHCP server. Disable this
option if you are configuring the network interface offline, and
do not want the unit to attempt to obtain addressing information
at this time.
Status Select to refresh the page and display the current DHCP status
message.
The text following this link displays the current DHCP status
message at the time that this page was last refreshed. DHCP
status messages can indicate progress as the FortiMail unit
connects to the DHCP server and retrieves addressing
information.
Access
HTTPS Enable to allow secure HTTPS connections to the web-based
manager, webmail, and per-recipient quarantine through this
network interface.
PING Enable to allow ICMP ping responses from this network
interface.
HTTP Enable to allow HTTP connections to the web-based manager,
webmail, and per-recipient quarantine through this network
interface.
For information on redirecting HTTP requests for webmail and
per-recipient quarantines to HTTPS, see “Spam Report” on
page 376.
Caution: HTTP connections are not secure, and can be
intercepted by a third party. If possible, enable this option only
for network interfaces connected to a trusted private network,
or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise
the security of your FortiMail unit.
SSH Enable to allow SSH connections to the CLI through this
network interface.
SNMP Enable to allow SNMP connections to this network interface.
TELNET Enable to allow Telnet connections to the CLI through this
network interface.
Caution: Telnet connections are not secure, and can be
intercepted by a third party. If possible, enable this option only
for network interfaces connected to a trusted private network,
or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise
the security of your FortiMail unit.
MTU
Override default MTU value (1500). Select to change the maximum transmission unit (MTU)
value, then enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiMail unit and its traffic
destinations require smaller or larger units of traffic, packets
may require additional processing at each node in the network
to fragment or defragment the units, resulting in reduced
network performance. Adjusting the MTU to match your
network can improve network performance.
The default value is 1500 bytes. The MTU size must be
between 576 and 1500 bytes.
4 Select OK.
DNS
The DNS tab enables you to configure the DNS servers that the FortiMail unit will
query to resolve domain names into IP addresses.
FortiMail units require DNS servers for features such as reverse DNS lookups and
other aspects of email processing. Your ISP may supply IP addresses of DNS
servers, or you may want to use the IP addresses of your own DNS servers.
Note: For improved FortiMail unit performance, use DNS servers on your local network.
Caution: If the FortiMail unit is operating in gateway mode, you must configure the MX
record of the DNS server for each protected domain to direct all email to this FortiMail unit
instead of the protected SMTP servers. Failure to update the records of your DNS server
may enable email to circumvent the FortiMail unit.
Primary DNS Server Enter the IP address of the primary DNS server.
Secondary DNS Server Enter the IP address of the secondary DNS server.
DDNS
The DDNS tab enables you to configure the FortiMail unit to use a dynamic DNS
(DDNS) service.
If the FortiMail unit has a static domain name and a dynamic public IP address,
you can use DDNS to update DNS servers on the Internet when the public IP
address for the domain name changes.
To configure DDNS, go to System > Network > DDNS.
Routing
The Routing tab displays a list of routes and enables you to configure static routes
and gateways used by the FortiMail unit.
To configure routes, go to System > Network > Routing.
Destination The destination network IP address of traffic that will be routed. 0.0.0.0
IP indicates any IP address.
Mask The netmask for the route.
Gateway The IP address for the route gateway.
Modify Select Delete to remove the route.
Select Edit to modify the route.
Create New Select to create a new static route.
4 Select OK.
Management IP
The Management IP tab enables you to configure the management IP address of
the FortiMail unit.
Note: This menu option appears only when the FortiMail unit is operating in transparent
mode.
When a FortiMail unit is operating in transparent mode, one or more of its network
interfaces may be configured to act as a Layer 2 bridge, without IP addresses of
their own. However, for administrators to be able to configure the FortiMail unit
through a network connection rather than a local console, the FortiMail unit must
have an IP address. The management IP address enables administrators to
connect to the FortiMail unit through port1 or other network ports, even when they
are currently bridging.
By default, the management IP address is indirectly bound to port1, through the
bridge. If other network interfaces are also included in the bridge with port1, the
FortiMail unit can be configured to respond to connections to the management IP
address that arrive on those other network interfaces. For more information, see
“Do not associate with management IP” on page 131.
Unless you have configured an override server IP address, FortiMail units will use
this IP address for connections with the FortiGuard Distribution Network (FDN).
Depending on your network topology, the management IP may be a private
network address, and therefore not routable from the FDN, making it unsuitable
for use as the destination IP address of push update connections from the FDN. In
this case, for push updates to function correctly, you must configure an override
server. For more information, see “Enabling push updates” on page 127.
IP The IP address of the FortiMail unit that administrators will connect to when
using the web-based manager.
Netmask The netmask for the IP address.
3 Select Apply.
Config
The Config menu enables you to configure an assortment of settings such as the
system time, administrator accounts, the idle timeout of the web-based manager,
and SNMP access.
The Config menu includes the following tabs:
• Time
• Options
• Admin
• SNMP v1/v2c
Time
The Time tab enables you to configure the system time of the FortiMail unit.
For correct scheduling and logging, the FortiMail system time must be accurate.
You can either manually set the FortiMail system time or configure the FortiMail
unit to automatically keep its system time correct by synchronizing with a Network
Time Protocol (NTP) server.
Note: FortiMail units support daylight savings time (DST), including recent changes in the
USA, Canada and Western Australia.
Set Time Select to manually set the FortiMail system date and time.
Synchronize with NTP Server Select to use a network time protocol (NTP) server to
automatically set the system date and time, then configure Server and Syn Interval.
Server Enter the IP address or domain name of an NTP server. To find
an NTP server that you can use, see http://www.ntp.org.
Syn Interval Specify how often the FortiMail unit will synchronize its time with
the NTP server. A typical Syn Interval would be 1440 minutes for
the FortiMail unit to synchronize its time once a day.
Options
The Options tab enables you to set the idle timeout and language of the web-
based manager, and to restrict access to the control buttons and LCD by requiring
a PIN (Personal Identification Number).
To view the web-based manager and LCD panel options, go to System >
Config > Options.
Admin
The Admin tab displays a list of the FortiMail unit’s administrator accounts.
Depending on the permission and assigned domain of your account, this list may
not display all other administrator accounts. For more information, see
“Administrator account permissions and domains” on page 139.
By default, FortiMail units have a single administrator account, “admin”. For more
granular control over administrative access, you can create additional
administrator accounts that are restricted to being able to configure a specific
protected domain and/or with restricted permissions. For more information, see
“Administrator account permissions and domains” on page 139 and “Creating an
administrator account” on page 140.
Note: If you have configured a system quarantine administrator account, this account does
not appear in the list of standard FortiMail administrator accounts. For more information on
the system quarantine administrator account, see “System quarantine setting” on
page 384.
To view the list of administrator accounts, go to System > Config > Admin.
Modify Select Delete to remove an administrator account. This option does not
appear for your own administrator account.
Select Edit to change an administrator account.
Select Change Password to change the password of an administrator
account.
Create New Select to create a new administrator account. For more information, see
“Creating an administrator account” on page 140.
There can be up to five (5) administrator accounts per protected domain. The
maximum total number of administrators with Administrator access that are
assigned to protected domains is 25 for FortiMail-400 models and 50 for FortiMail-
2000 models.
Unlike other administrator accounts whose permission is Administrator and
domain is “system,” the “admin” administrator account exists by default and
cannot be deleted. The “admin” administrator account is similar to a root
administrator account. This administrator account always has full permission to
view and change all FortiMail configuration options, including viewing and
changing all other administrator accounts. Its name, permissions, and assignment
to the “system” domain cannot be changed.
Caution: Set a strong password for the “admin” administrator account, and change the
password regularly. By default, this administrator account has no password. Failure to
maintain the password of the “admin” administrator account could compromise the security
of your FortiMail unit.
Caution: Set a strong password for each administrator account, and change the
passwords regularly. If possible, configure each Trusted Host to restrict administrative
access to the FortiMail unit from within your trusted private network. Failure to restrict
administrative access could compromise the security of your FortiMail unit.
4 From Domain, either select a protected domain to which you want to assign the
administrator account, or select “system” to allow the administrator account to
view all protected domains and settings pertaining to the FortiMail unit itself.
5 In Password and Confirm password, type and confirm a password for the
administrator account.
The password can contain any characters except spaces.
6 If you want to restrict the network locations from which this administrator account
can log in, in Trusted Host #1, Trusted Host #2, and Trusted Host #3, type the IP
address and netmask of each permitted location.
If you want the administrator to be able to access the FortiMail unit from any IP
address, type 0.0.0.0/0.0.0.0.
To limit the administrator’s access to the FortiMail unit from a specific network or
IP address, enter that IP address and netmask in dotted decimal format. For
example, you might permit the administrator to log in to the FortiMail unit only from
your private network by typing 192.168.1.0/255.255.255.0.
7 From Permission, select the permissions of the administrator account.
For more information on permissions, see “Administrator account permissions and
domains” on page 139.
8 From Management mode, select either Basic or Advanced to indicate the initial
mode of the web-based manager when the administrator logs in.
9 From Auth Type, select the local or remote authentication style for the
administrator account:
• Local
• RADIUS
• RADIUS + Local
• PKI
Note: RADIUS and PKI authentication require that you first configure a RADIUS
authentication profile or PKI user in the advanced mode of the web-based manager. For
more information, see “Radius” on page 272 and “PKI User” on page 236.
10 Select OK.
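The Trusted Host fields in step 6 are the only network-level restriction on where an administrator account may log in from, so it is worth being precise about what a given entry permits. The following Python is an added example, not FortiMail code: it models the dotted-decimal "IP/netmask" matching described above, treats 0.0.0.0/0.0.0.0 as "any address", and audits a set of accounts for entries that leave an account reachable from anywhere. How the appliance itself evaluates these fields is not published, so the handling of empty slots and of host bits in the address part are assumptions made for the example.

```python
"""Trusted Host matching for administrator logins.

Added example, not FortiMail code. It models the Trusted Host #1-#3 fields:
each holds "IP/netmask" in dotted-decimal form, and 0.0.0.0/0.0.0.0 permits
logins from any address. How the appliance itself evaluates these fields is
not public, so the semantics here are assumptions.
"""
import ipaddress
from typing import Dict, Iterable, List


def parse_trusted_host(spec: str) -> ipaddress.IPv4Network:
    """Parse 'a.b.c.d/w.x.y.z' into a network; raise ValueError on bad input."""
    addr, sep, mask = spec.partition("/")
    if not sep:
        raise ValueError(f"trusted host must be IP/netmask, got {spec!r}")
    # strict=False tolerates host bits in the address part
    # (192.168.1.5/255.255.255.0 still means the 192.168.1.0/24 network).
    return ipaddress.IPv4Network((addr, mask), strict=False)


def is_trusted_source(source_ip: str, trusted_hosts: Iterable[str]) -> bool:
    """Return True if source_ip lies inside any non-empty Trusted Host entry.

    Assumption: an empty slot is simply ignored; the login is allowed if at
    least one of the remaining entries matches.
    """
    src = ipaddress.IPv4Address(source_ip)
    return any(src in parse_trusted_host(spec)
               for spec in trusted_hosts if spec)


def audit_trusted_hosts(accounts: Dict[str, List[str]]) -> List[str]:
    """Return the account names whose Trusted Hosts do not restrict logins.

    An account is reported when every slot is empty (assumed to mean "no
    restriction") or when any slot is the any-address entry 0.0.0.0/0.0.0.0.
    """
    unrestricted = []
    for name, hosts in accounts.items():
        nets = [parse_trusted_host(h) for h in hosts if h]
        if not nets or any(n.prefixlen == 0 for n in nets):
            unrestricted.append(name)
    return unrestricted


# Constructed sample accounts (not taken from a real appliance).
SAMPLE_ACCOUNTS = {
    "admin": ["0.0.0.0/0.0.0.0", "", ""],
    "helpdesk": ["192.168.1.0/255.255.255.0", "10.10.5.20/255.255.255.255", ""],
    "auditor": ["", "", ""],
}

if __name__ == "__main__":
    print("unrestricted accounts:", audit_trusted_hosts(SAMPLE_ACCOUNTS))
    print("helpdesk from 192.168.1.77:",
          is_trusted_source("192.168.1.77", SAMPLE_ACCOUNTS["helpdesk"]))
```

Run against the constructed accounts, the audit reports "admin" (any-address entry) and "auditor" (no entries at all), while "helpdesk" accepts 192.168.1.77 and the single host 10.10.5.20 but nothing else.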
SNMP v1/v2c
The SNMP v1/v2c tab enables you to configure SNMP to monitor a high
availability (HA) cluster for failover messages.
You can also use SNMP to monitor some FortiMail-2000A and FortiMail-4000
models which have monitored power supplies and RAID controllers. When a
monitored power supply or a RAID controller is removed or added, the FortiMail
unit will send the configured notifications for those events by log messages, alert email
messages, and/or SNMP traps.
Before you can use its SNMP queries and/or traps, you must enable SNMP
access on the network interfaces that SNMP clients will use to access the
FortiMail unit. For more information, see “Editing network interfaces” on page 130.
To configure the SNMP agent of the FortiMail unit, go to Config > SNMP v1/v2c.
Note: You can download the SNMP MIB file from the Fortinet Technical Support web site,
https://support.fortinet.com/.
SNMP Agent Select to enable the FortiMail SNMP agent. This must be enabled
to accept queries or send traps from the FortiMail unit.
Description Enter a descriptive name for the FortiMail unit.
Location Enter the location of the FortiMail unit.
Contact Enter administrator contact information.
Select the blue triangle to expand the list of traps. In this section you configure the
conditions that trigger the FortiMail unit to send a trap if the trap type is enabled for the
community.
Trap Type The type of trap, such as CPU Usage.
Trigger Either the percent of the resource in use or the number of times
the trigger level must be reached before it is triggered.
For example, using the default value, if the mailbox disk is 90% or
more full, it will trigger.
Threshold The number of triggers that will result in an SNMP trap.
For example, if the CPU level exceeds the set trigger percentage
once before returning to a lower level, and the threshold is set to
more than one, an SNMP trap will not be generated until that
minimum number of triggers occurs during the sample period.
Sample Period(s) The time period in seconds during which the FortiMail unit SNMP
Agent counts the number of triggers that occurred.
The default period is 600 seconds (ten minutes).
This value should not be lower than the Sample Frequency.
Community Name Enter a name to identify the SNMP community. If you are editing an
existing community, you cannot change the name.
Hosts The list of SNMP managers that can use the settings in this SNMP
community to monitor the FortiMail unit. Select Add to create a new
entry.
IP Address Enter the IP address of an SNMP manager. By default, the IP
address is 0.0.0.0, so that any SNMP manager can use this SNMP
community.
Interface Select the name of the interface that connects to the network where
this SNMP manager is located. You need to do this if the SNMP
manager is on the Internet or behind a router.
Delete icon Select to remove this SNMP manager.
Add Select to add a new default entry to the Hosts list that you can edit as
needed. You can have up to eight SNMP manager entries for a
single community.
Queries Enter the Port number (161 by default) that the SNMP managers in
this community use for SNMP v1 and SNMP v2c queries to receive
configuration information from the FortiMail unit. Select the Enable
check box to activate queries for each SNMP version.
Traps Enter the Local and Remote port numbers (162 local, 162 remote by
default) that the FortiMail unit uses to send SNMP v1 and SNMP v2c
traps to the SNMP managers in this community. Enable traps for
each SNMP version that the SNMP managers use.
SNMP Event Enable each SNMP event for which the FortiMail unit should send
traps to the SNMP managers in this community.
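The interaction of Trigger, Threshold and Sample Period(s) in the trap table above decides whether a single resource spike produces a trap or is absorbed. The following Python is an added example, not FortiMail code, that models those three settings over a constructed series of CPU readings. It assumes that one "trigger" is counted each time a reading crosses from below the trigger level to at or above it, that triggers are counted over a sliding window of Sample Period seconds, and that the count restarts after a trap is sent; the appliance's own counting rules are not documented here.

```python
"""Trigger / Threshold / Sample Period trap logic.

Added example, not FortiMail code. It models the three knobs the SNMP trap
table describes:
  trigger   - resource level (percent) that counts as one trigger when reached
  threshold - number of triggers within a sample period needed to send a trap
  period    - length of the sample period in seconds (default 600)
Assumptions: a trigger is counted when a reading crosses from below the level
to at or above it; the count covers a sliding window of `period` seconds; and
the count restarts once a trap has been sent.
"""
from collections import deque
from typing import Deque, List, Sequence, Tuple


class TrapMonitor:
    def __init__(self, name: str, trigger: float, threshold: int, period: int = 600):
        if period <= 0 or threshold <= 0:
            raise ValueError("threshold and period must be positive")
        self.name = name
        self.trigger = trigger
        self.threshold = threshold
        self.period = period
        self._above = False                         # last reading at/above trigger?
        self._hits: Deque[float] = deque()          # timestamps of counted triggers
        self.traps: List[Tuple[float, int]] = []    # (time, trigger count) per trap

    def observe(self, ts: float, percent: float) -> bool:
        """Feed one reading; return True if this reading caused a trap."""
        # Forget triggers that have aged out of the sample period.
        while self._hits and ts - self._hits[0] >= self.period:
            self._hits.popleft()
        crossed = percent >= self.trigger and not self._above
        self._above = percent >= self.trigger
        if not crossed:
            return False
        self._hits.append(ts)
        if len(self._hits) >= self.threshold:
            self.traps.append((ts, len(self._hits)))
            self._hits.clear()
            return True
        return False


def replay(readings: Sequence[Tuple[float, float]], trigger: float = 90,
           threshold: int = 2, period: int = 600) -> List[float]:
    """Run (time, percent) readings through one monitor; return trap times."""
    mon = TrapMonitor("cpu", trigger, threshold, period)
    return [ts for ts, pct in readings if mon.observe(ts, pct)]


# Constructed CPU readings as (seconds, percent): one isolated spike at t=60,
# then two spikes 100 seconds apart inside a single 600-second window.
SAMPLE_CPU = [(0, 40), (60, 95), (120, 50), (180, 30),
              (1000, 92), (1060, 60), (1100, 97)]

if __name__ == "__main__":
    print("threshold 1:", replay(SAMPLE_CPU, threshold=1))   # every spike traps
    print("threshold 2:", replay(SAMPLE_CPU, threshold=2))   # only the pair traps
```

With the default trigger of 90% and a threshold of 2, the lone spike at t=60 never produces a trap because no second trigger follows it within the 600-second sample period; the pair at t=1000 and t=1100 does. Lowering the threshold to 1 makes every crossing trap, which is noisier but catches short spikes.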
FortiMail MIBs
The FortiMail SNMP agent supports Fortinet proprietary MIBs as well as standard
RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of
RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to
FortiMail unit configuration.
The FortiGate MIBs are listed in Table 6. You can obtain these MIB files from
Fortinet technical support. To be able to communicate with the SNMP agent, you
must compile all of these MIBs into your SNMP manager.
Your SNMP manager may already include standard and private MIBs in a
compiled database that is ready to use. You must add the Fortinet proprietary MIB
to this database. If the standard MIBs used by the Fortinet SNMP agent are
already compiled into your SNMP manager you do not have to compile them
again.
FortiMail traps
The FortiMail agent can send traps to SNMP managers that you have added to
SNMP communities. To receive traps, you must load and compile the FortiMail trap
MIB into the SNMP manager.
All traps sent include the trap message as well as the FortiMail unit serial number
and host name.
Trap Description
fmlTrapCpuHighThreshold Trap sent if CPU usage becomes too high.
fmlTrapMemLowThreshold Trap sent if memory usage becomes too high.
fmlTrapLogDiskHighThreshold Trap sent if Log disk usage becomes too high.
fmlTrapMailDiskHighThreshold Trap sent if Mailbox disk usage becomes too high.
fmlTrapMailDeferredQueueHighThreshold Trap sent if the number of deferred email messages becomes too great.
fmlTrapAvThresholdEvent Trap sent when the number of detected viruses reaches the threshold.
fmlTrapSpamThresholdEvent Trap sent when the number of spam email messages reaches the threshold.
fmlTrapSystemEvent Trap sent when the system shuts down, reboots, upgrades, etc.
fmlTrapRAIDEvent Trap sent for RAID operations.
fmlTrapHAEvent Trap sent when an HA event occurs.
fmlTrapArchiveEvent Trap sent when a remote archive event occurs.
fmlTrapIpChange Trap sent when the IP address of the specified interface has been changed.
RAID
The RAID menu enables you to configure Redundant Array of Independent Disks
(RAID) for the FortiMail hard disk devices that are used to store logs and email.
The hard disks of many FortiMail models can use RAID for enhanced
performance and reliability. The default settings for RAID should give good
results, but you can modify the configuration. For more information, see
“Configuring RAID for FortiMail-400 models” on page 151 or “Configuring RAID on
FortiMail-2000/A or FortiMail-4000A models” on page 152.
You can configure the RAID levels for the FortiMail unit local disk partitions used
for storing email files or log files (in the case of FortiMail-400), depending on your
requirements for performance, resiliency, and cost.
RAID events can be logged and can be reported with alert email. These events
include disk full, or disk failure notices. For more information, see “About FortiMail
logging” on page 437, and “Alert Email” on page 452.
The RAID menu varies by FortiMail model, but may include the following tabs:
• Log Device
• Mail Device
Each of those tabs provides similar configuration options for configuring RAID.
Note: If your FortiMail model does not support RAID, tabs in the RAID menu display the
message, “RAID is not available on this system.”
RAID levels
FortiMail-400 models use software RAID which supports RAID levels 0 or 1. The
log disk and email disk on those models can each use different RAID levels.
FortiMail-2000/A and FortiMail-4000A models use hardware RAID controllers and
therefore the log disk and mail disk on these models cannot be separated.
The following tables describe the RAID levels used by the FortiMail units:
Table 12: FortiMail 400
RAID 0 Has striping but no redundancy of data. It offers the fastest performance but has
no fault-tolerance - if any hard disk fails, the whole RAID fails. So adding more
disks to a RAID 0 array increases the risk of failure.
Also known as a striped array.
RAID 1 Consists of at least two drives that duplicate the storage of data. There is no
striping. Read performance is improved since either disk can be read at the
same time. Write performance is the same as for single disk storage. This
technique provides the best performance and the best fault-tolerance in a multi-
user system. In a RAID 1 with two hard disks, one hard disk can fail and the
RAID will continue to function.
You should replace any failed drive as soon as possible. Until that failed drive is
replaced, the RAID is essentially running as a RAID 0.
Also known as a mirrored array.
RAID 10 A combination of RAID 1 and RAID 0 (see Table 12), also called RAID
1+0. Striped and mirrored arrays are good for fault tolerance and high
performance, such as for high-load databases. RAID 10 requires a
minimum of four drives. Adding two additional drives to the array will add
another RAID 1.
Any RAID 1 in the array can have a hard disk failure and continue to
function, but if both hard disks in a RAID 1 fail then the whole RAID fails.
RAID 10 + hot spare(s) (4000A model) A RAID 10 configuration that has a backup hard disk installed that takes
the place of a failed RAID hard disk. The RAID 10 + hot spares must use
at least five drives, one spare in addition to the RAID 10 drives. To add
another RAID 1, you would need seven drives total because at least one
hot spare drive is required.
RAID 50 A combination of RAID 5 with RAID 0 (see Table 12). RAID 5 provides
data striping at the byte level and also stripe error correction information.
This results in excellent performance and good fault tolerance.
The RAID 50 array type provides fault tolerance and high performance. It
requires a minimum of six drives. To add another RAID 5 requires an
additional three hard disks.
RAID 50 + hot spare(s) (4000A model) A RAID 50 configuration that has a backup hard disk installed that takes
the place of a failed RAID hard disk. The RAID 50 + hot spares must use
at least seven drives, one spare in addition to the RAID 50 drives.
Hot spares
FortiMail-4000A models have a hot spare RAID option. This feature consists of
one or more disks that are pre-installed with the other disks in the unit. The hot
spare disk is idle until an active hard disk in the RAID fails. Then the RAID
immediately puts the hot spare disk into service and starts to rebuild the data from
the failed disk onto it. This rebuilding may take up to several hours depending on
system load and amount of data stored on the RAID, but the RAID continues
without interruption during the process.
The hot spare feature has one or more extra hard disks installed with the RAID. A
RAID 10 configuration requires two disks per RAID 1, and can have only one hot
spare disk. A RAID 50 configuration requires three disks per RAID 5, and can
have up to two hot spare disks.
Device Details
Automatic Refresh Interval Select how often the web-based manager updates the
log/mail device status display and select Go.
Refresh Select to manually update the log device status display.
Name Name of the RAID. This is hard-coded and not
configurable.
Level Level of the current RAID configuration.
Change Select to change the RAID level.
State Status of the RAID device.
• dirty: On a normal system the array will be in a dirty
state, which means that the RAID device has
information that needs to be written to disk.
• clean: When the information on the RAID device is
written to disk, the array will be marked clean.
• errors: Errors were detected on the array.
• no-errors: No errors were detected on the array.
• dirty no-errors: For normal operation, this is the
expected setting.
• clean no-errors: For a system with an unmounted RAID
array, this is the expected setting.
Array Details Enables you to remove or recover disks for the array.
Resynch Status A progress bar to show how far the RAID configuration has
gone in rebuilding the RAID. If the RAID is not synched,
then the system is rebuilding itself for some reason.
This section is displayed only when [click here to check
array] has been selected and the status of the RAID is
anything other than clean with no errors.
Percentage Displays the percentage of resynch that remains to be
done.
Caution: Changing the device’s RAID level suspends temporarily all mail operations and
erases all data on the device.
The new hard disk will appear in the Device Details section.
Figure 79: Log Device and Mail Device (FortiMail-2000/A, and FortiMail-4000A)
General RAID settings Settings that apply to all RAID controllers and disks.
Web page Refresh Interval Select how often the web-based manager updates the log
device status display and select Go.
Refresh now Select to manually update the log device status display.
Controller number The RAID controller number. The following fields apply to this
controller.
Set RAID level to Select the RAID level desired. RAID level 10 and 50 are
available on the FortiMail-2000, FortiMail-2000A, and
FortiMail-4000A. Hot spares are available only on the FortiMail-
4000A.
Change Select to apply the RAID level indicated.
Model The model of the hardware RAID controller.
Driver The version of the RAID controller software driver.
Firmware The version of the RAID controller firmware.
Unit List of RAID units.
Type RAID type used. Depending on the FortiMail unit model, valid
types include:
• RAID 10
• RAID 10 + hot spare(s)
• RAID 50
• RAID 50 + hot spare(s).
Status Status of the RAID units.
• OK: The RAID controller is operating normally.
• Warning: A background task is currently being performed
(rebuilding, migrating, or initializing). Do not remove the disks
while this status is displayed.
• Error: A controller is degraded or inoperable.
• No Units: No RAID controllers are available.
Note that if both Error and Warning conditions exist, the status
will appear as Error.
Size (GB) Total disk space available for that RAID array, or individual hard
disk.
Ignore ECC Select to enable Ignore Error Correcting Code (ECC). This
option is off by default. Ignoring ECC can speed up building the
RAID, but the RAID will not be as fault-tolerant.
Port List of connections between the RAID controller and hard disks.
Part of Unit The RAID unit to which the port connection belongs.
Status Status of the hard disk.
Size Size of the hard disk.
Remove Select to swap a hard disk.
Add to u(n) Select to add a hard disk to the specified unit.
This button appears only after a disk has been deleted by the
system and the hard disk has been removed.
Click to start controller rescan Select to update unit information after adding or removing a hard
disk.
Caution: Back up data on the disk before beginning this procedure. Changing the device’s
RAID level temporarily suspends all mail processing and erases all data on the hard disk.
For more information on creating a backup, see “Backing up the configuration” on
page 118.
Note: If you do not see the Add to buttons, select “click to start controller rescan”.
HA
The HA menu enables you to configure the FortiMail unit to act as a member of a
high availability (HA) cluster.
For information about HA of FortiMail units, see “Configuring and operating
FortiMail HA” on page 463.
Certificate
The Certificate menu enables you to generate, import, revoke, and manage other
aspects of certificates used by or with the FortiMail unit.
The Certificate menu includes the following tabs:
• Local Certificate
• CA Certificate
Local Certificate
The Local Certificate tab displays certificate requests and installed local
certificates. It also enables you to generate certificate requests, and to import
signed certificates in order to install them for local use by the FortiMail unit.
FortiMail units require a local server certificate that it can present when clients
request secure connections, including:
• the web-based manager (HTTPS connections only)
• webmail (HTTPS connections only)
• secure email, such as SMTPS, IMAPS, and POP3S
To view the list of certificates and certificate requests, go to System >
Certificate > Local Certificate.
Set current Certificate as default Select to use the certificate in the corresponding row as the
current certificate, then select OK. A confirmation dialog
appears, and the Status column changes to indicate that the
certificate is the current (“default”) certificate.
Download Select to download a copy of the certificate request to your
management computer. You can send the request to your
certificate authority (CA) to obtain a signed certificate for the
FortiMail unit. For more information, see “Downloading a
certificate request” on page 158.
Download PKCS12 file Select to download a PKCS #12 file to your management
computer. For more information, see “Downloading a PKCS
#12 file” on page 160.
Locality (City) Type the name of the city or town where the
FortiMail unit is located. (Optional.)
State/Province Type the name of the state or province where
the FortiMail unit is located. (Optional.)
Country Select the name of the country where the
FortiMail unit is located. (Optional.)
e-mail Type an email address that may be used for
contact purposes. (Optional.)
Key Type The type of algorithm used to generate the key.
This option is unavailable, because only RSA is currently
supported.
Key Size Select a security key size of 1024 Bit, 1536 Bit or 2048 Bit.
Larger keys are slower to generate, but provide better security.
4 Select OK.
The certificate is generated, and can be downloaded to your management
computer for submission to a certificate authority (CA) for signing. For more
information, see “Downloading a certificate request” on page 158.
Importing a certificate
You can upload Base64-encoded certificates in either privacy-enhanced email
(PEM) or public key cryptography standard #12 (PKCS #12) format from your
management computer to the FortiMail unit.
Importing a certificate may be useful when:
• restoring a certificate backup
• installing a certificate that has been generated on another system
• installing a certificate, after the certificate request has been generated on the
FortiMail unit and signed by a certificate authority (CA)
If you generated the certificate request using the FortiMail unit, after you submit
the certificate request to CA, the CA will verify the information and register the
contact information in a digital certificate that contains a serial number, an
expiration date, and the public key of the CA. The CA will then sign the certificate
and return it to you for installation on the FortiMail unit. To install the certificate,
you must import it. For more information on generating certificate requests, see
“Generating a certificate signing request” on page 156.
If the FortiMail unit’s local certificate is signed by an intermediate CA rather than a
root CA, before clients will trust the FortiMail unit’s local certificate, you must
demonstrate a link with trusted root CAs, thereby proving that the FortiMail unit’s
certificate is genuine. You can demonstrate this chain of trust either by:
• installing each intermediate CA’s certificate in the client’s list of trusted CAs
• including a signing chain in the FortiMail unit’s local certificate
To include a signing chain, before importing the local certificate to the FortiMail
unit, first open the FortiMail unit’s local certificate file in a plain text editor, append
the certificate of each intermediate CA in order from the intermediate CA who
signed the FortiMail unit’s certificate to the intermediate CA whose certificate was
signed directly by a trusted root CA, then save the certificate. For example, a local
certificate which includes a signing chain might use the following structure:
-----BEGIN CERTIFICATE-----
<FortiMail unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the
FortiMail certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the
certificate of intermediate CA 1 and whose certificate
was signed by a trusted root CA>
-----END CERTIFICATE-----
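Getting the order of the appended intermediate certificates wrong is the usual reason a client still reports the FortiMail unit’s certificate as untrusted after the import. The following Python is an added example, not FortiMail code or a Fortinet tool: it assembles a bundle in the order the structure above requires (server certificate first, then each intermediate in signing order until the issuer is a trusted root), refuses to build a chain with a missing link or an issuer loop, and checks an existing bundle for the same property. It does not parse X.509; the subject and issuer names are supplied next to each PEM body, and the PEM bodies are constructed placeholders, both of which are simplifications for the example.

```python
"""Assemble and check a PEM signing chain for a local certificate.

Added example, not FortiMail code. The bundle must start with the server
certificate, followed by each intermediate CA in signing order, ending with
the intermediate whose certificate a trusted root signed. Subject and issuer
names are supplied beside each PEM body instead of being parsed from X.509,
and the bodies below are constructed placeholders, not real certificates.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

Cert = Tuple[str, str, str]          # (subject, issuer, pem_body)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)


def split_pem(bundle: str) -> List[str]:
    """Return the body of each CERTIFICATE block in the order it appears."""
    return PEM_BLOCK.findall(bundle)


def render_bundle(bodies: Iterable[str]) -> str:
    """Wrap each body in BEGIN/END CERTIFICATE lines, in the given order."""
    return "".join(
        f"-----BEGIN CERTIFICATE-----\n{b}\n-----END CERTIFICATE-----\n"
        for b in bodies)


def build_chain(leaf: Cert, intermediates: Iterable[Cert],
                trusted_roots: Set[str]) -> Tuple[List[str], str]:
    """Order leaf-first so each issuer is the next subject; return (names, pem).

    Raises ValueError if an intermediate is missing or the issuers form a loop.
    """
    by_subject: Dict[str, Cert] = {c[0]: c for c in intermediates}
    chain: List[Cert] = [leaf]
    seen = {leaf[0]}
    while chain[-1][1] not in trusted_roots:
        issuer = chain[-1][1]
        if issuer in seen:
            raise ValueError(f"issuer loop at {issuer!r}")
        if issuer not in by_subject:
            raise ValueError(f"missing intermediate certificate for {issuer!r}")
        nxt = by_subject[issuer]
        seen.add(nxt[0])
        chain.append(nxt)
    return [c[0] for c in chain], render_bundle(c[2] for c in chain)


def chain_error(leaf: Cert, intermediates: Iterable[Cert],
                trusted_roots: Set[str]) -> Optional[str]:
    """Return the build error message, or None if the chain can be built."""
    try:
        build_chain(leaf, intermediates, trusted_roots)
        return None
    except ValueError as exc:
        return str(exc)


def check_bundle(bundle: str, info: Dict[str, Tuple[str, str]],
                 trusted_roots: Set[str]) -> bool:
    """True if every block's issuer is the next block's subject and the last
    issuer is a trusted root. `info` maps PEM body -> (subject, issuer)."""
    bodies = split_pem(bundle)
    if not bodies:
        return False
    for cur, nxt in zip(bodies, bodies[1:]):
        if info[cur][1] != info[nxt][0]:
            return False
    return info[bodies[-1]][1] in trusted_roots


# Constructed sample data. Intermediates are deliberately listed out of order.
LEAF: Cert = ("mail.example.com", "Example Intermediate CA 1", "PLACEHOLDER_BODY_LEAF")
INTERMEDIATES: List[Cert] = [
    ("Example Intermediate CA 2", "Example Root CA", "PLACEHOLDER_BODY_CA2"),
    ("Example Intermediate CA 1", "Example Intermediate CA 2", "PLACEHOLDER_BODY_CA1"),
]
TRUSTED_ROOTS = {"Example Root CA"}
INFO = {c[2]: (c[0], c[1]) for c in [LEAF] + INTERMEDIATES}

if __name__ == "__main__":
    names, pem = build_chain(LEAF, INTERMEDIATES, TRUSTED_ROOTS)
    print(" -> ".join(names))
    print("bundle order valid:", check_bundle(pem, INFO, TRUSTED_ROOTS))
```

For the constructed data the chain comes out as mail.example.com, then Example Intermediate CA 1, then Example Intermediate CA 2, which is the order the structure above prescribes; swapping the two intermediates in the file makes check_bundle report it as invalid, and omitting CA 1 makes build_chain refuse rather than silently emit a broken chain.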
Certificate file Enter the location of the previously exported certificate file, or
select Browse to locate the file.
This option appears only when Type is Local Certificate or
Certificate.
Certificate with key file Enter the location of the previously exported certificate and key
file, or select Browse to locate the file.
This option appears only when Type is PKCS12 Certificate.
Key file Enter the location of the previously exported key file, or select
Browse to locate the file.
This option appears only when Type is Certificate.
Password Enter the password that was used to encrypt the file, enabling the
FortiMail unit to decrypt and install the certificate.
This option appears only when Type is PKCS12 Certificate or
Certificate.
5 Select OK.
A confirmation message appears.
6 Select Return.
Password Enter the password that will be used to encrypt the export file.
Confirm Password Enter the password again to confirm its spelling.
CA Certificate
The CA Certificate tab enables you to view and import certificates for certificate
authorities (CA).
CA certificates are required by connections that use transport layer security
(TLS). For more information, see “TLS Profile” on page 350. Depending on the
configuration of each PKI user, CA certificates may also be required to
authenticate PKI users. For more information, see “PKI User” on page 236.
To view the list of CA certificates, go to System > Certificate > CA Certificate.
To import a CA certificate
1 Go to System > Certificate > CA Certificate.
2 Select Import.
3 In Upload File, enter the location of the certificate file on your management
computer, or select Browse to select the location.
4 Select OK.
A confirmation message appears.
5 Select Return.
Remote
The Remote tab enables you to view and import the certificates of the online
certificate status protocol (OCSP) servers of your certificate authority (CA).
OCSP enables you to revoke or validate certificates by query, rather than by
importing certificate revocation lists (CRL). For information about importing CRLs,
see “Certificate Revocation List” on page 162.
Remote certificates are required if you enable OCSP for PKI users. For more
information, see “Creating a PKI user” on page 237.
To view the list of remote certificates, go to System > Certificate > Remote.
Maintenance
The Maintenance menu enables you to manage your system configuration by
performing configuration backups, restoring these backups, and restoring
firmware.
The Maintenance menu includes the following tabs:
• Central Management
• Backup & Restore
Central Management
The Central Management tab enables you to use a FortiManager unit to manage
your FortiMail configuration and firmware.
You can back up the FortiMail configuration to a FortiManager unit or restore the
configuration from a FortiManager unit. You can also configure your FortiMail unit
to back up configuration settings automatically to a FortiManager unit and allow a
FortiManager unit to update the FortiMail configuration.
To configure central management, go to System > Maintenance > Central
Management.
Enable Central Management Select to allow a FortiManager unit to manage your FortiMail unit.
IP Enter the IP address of the FortiManager unit.
Allow automatic backup of configuration on logout If enabled, the FortiMail unit will send a configuration backup to the FortiManager unit every time an administrator logs out of the FortiMail web-based manager. The FortiManager unit saves these configuration backup files.
Allow configuration updates initiated by the management server If enabled, the FortiMail unit accepts configuration updates from the FortiManager unit.
Limitations
Backing up the FortiMail unit’s configuration does not include dictionaries and the
Bayesian database, which must be backed up separately. For more information
see “Maintenance” on page 310 and “User” on page 389.
Backing up the FortiMail unit’s configuration does include all black/white lists,
custom messages, the Access Control List (ACL), and user preferences. For more
information see “System black/white list” on page 402, “Appearance” on
page 176, and “User Preferences” on page 224.
Restoring firmware
You can restore firmware, whether to upgrade or downgrade, from your
management computer or from the FortiManager unit configured in System >
Maintenance > Central Management.
Note: Check the release notes for the firmware version you’re upgrading to for information
about upgrade procedures. Firmware downgrades will clear your configuration and reset
the FortiMail to the factory default settings. Save your system configuration before
downgrading.
Mail Settings
The Mail Settings menu enables you to configure the basic email settings of the
FortiMail unit, such as the port number of the FortiMail SMTP proxy and how the
proxy handles connections, and enables you to manage the mail queues.
The Mail Settings menu includes:
• Settings
• Domains
• Access
• Mail Queue
• Address Book
• Proxies
Settings
The Settings menu enables you to configure assorted settings that apply to the
SMTP server and webmail server that are built into the FortiMail unit itself.
The Settings menu includes the following tabs:
• Local Host
• Advanced (mail server settings)
• Disclaimer
• Custom Messages
• Appearance
• Storage
Local Host
The Local Host tab enables you to configure the SMTP server settings of the
“system” domain, which is located on the local host (that is, your FortiMail unit).
You usually should configure the FortiMail unit with a local domain name that is
different from that of protected domains, such as mail.example.com for the
FortiMail unit and server.mail.example.com for the protected mail server. The local
domain name of the FortiMail unit will be used in many FortiMail features such as
email quarantine, Bayesian database training, spam report, and delivery status
notification (DSN) email messages, and if the FortiMail unit uses the same domain
name as your mail server, it may become difficult to distinguish email messages
that originate from the FortiMail unit.
To configure local SMTP server settings, go to Mail Settings > Settings >
Local Host.
Figure 90: Local Host Setting (transparent mode and gateway mode)
Local Host
Host Name Enter the host name of the FortiMail unit.
You should use a different host name for each FortiMail
unit, especially when you are managing multiple FortiMail
units of the same model, or when configuring a FortiMail
high availability (HA) cluster. This will enable you to
distinguish between different members of the cluster. If
the FortiMail unit is in HA mode:
• When you connect to the web-based manager, your web browser will display the host name of that cluster member in its status bar.
• The FortiMail unit will add the host name to the subject
line of alert email messages.
Local Domain Name Enter the local domain name of the FortiMail unit itself. The FortiMail unit’s fully qualified domain name (FQDN) is in the format <Host Name>.<Local Domain Name>.
Note: The Local Domain Name can be a subdomain of an
internal domain if the MX record for the domain on the
DNS server can direct the mail destined for the
subdomain to the intended FortiMail unit.
SMTP Server Port Number Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.
SMTP over SSL/TLS Enable to allow SSL- and TLS-secured connections from servers and clients requesting SSL/TLS.
When disabled, SMTP connections with the FortiMail unit’s SMTP server will occur as clear text, unencrypted.
This option must be enabled to use SMTPS.
SMTPS Server Port Number Enter the port number on which the FortiMail unit’s SMTP server listens for secure SMTP connections. The default port number is 465.
This option is unavailable if SMTP over SSL/TLS is disabled.
POP3 Server Port Number Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.
This option is available only if the FortiMail unit is operating in server mode.
Relay Server
Relay Server Name Enter the domain name of an SMTP relay server, if any.
This is typically provided by your ISP.
Relay Server Port Enter the port number on which the SMTP relay server
listens. This is typically provided by your ISP.
Authentication If the relay server requires authentication, enable this
Required option, then select the blue arrow to expand and configure
User Name, Password, and Auth Type. Available
authentication types include:
• AUTO
• PLAIN
• LOGIN
• DIGEST-MD5
• CRAM-MD5
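The authentication types listed above differ in what the relay password looks like on the wire, which decides whether the relay connection also needs SSL/TLS. The following is an added example, not FortiMail code or part of this guide: it builds the client responses for PLAIN, LOGIN and CRAM-MD5 so the difference can be seen directly. The user name, password and CRAM-MD5 challenge are the published test values from RFC 4616 and RFC 2195, not values from this guide; DIGEST-MD5 and AUTO are not modelled.

```python
"""Client responses for the SMTP AUTH types a relay may require.
Added example (not FortiMail code). Credentials and challenge are the
RFC 4616 / RFC 2195 test values."""
import base64
import hashlib
import hmac
from typing import Tuple


def sasl_plain(username: str, password: str) -> str:
    """AUTH PLAIN initial response: base64 of NUL authcid NUL password (RFC 4616).
    base64 is an encoding, not encryption: anyone who can read the session
    recovers the password, so PLAIN needs an SSL/TLS connection to the relay."""
    raw = b"\x00" + username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(response: str) -> Tuple[str, str, str]:
    """(authzid, authcid, password) from an AUTH PLAIN blob; shows PLAIN is reversible."""
    authzid, authcid, passwd = base64.b64decode(response).split(b"\x00", 2)
    return authzid.decode("utf-8"), authcid.decode("utf-8"), passwd.decode("utf-8")


def sasl_login(username: str, password: str) -> Tuple[str, str]:
    """AUTH LOGIN: two separate base64 replies to the server's Username:/Password:
    prompts. Exactly as reversible as PLAIN."""
    return (base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """AUTH CRAM-MD5 reply: '<user> <hex HMAC-MD5(password, challenge)>' (RFC 2195).
    The password itself never crosses the wire; the keyed digest can still be
    tested offline against password guesses, so a strong relay password matters."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"),
                      hashlib.md5).hexdigest()
    return f"{username} {digest}"
```

Running `decode_plain(sasl_plain(...))` on any credential pair returns the credentials unchanged, which is the practical reason to leave SMTP over SSL/TLS enabled when the relay accepts only PLAIN or LOGIN.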
Deferred Oversize Message Delivery To defer sending email messages that are larger than the limit, configure both “Start delivering messages at n (hour) n (mins)” and “Stop delivering messages at n (hour) n (mins)”.
For information on the deferred delivery limit, see “Incoming” on page 276.
Start delivering messages at n (hour) n (mins) Select the hour and minute of the day at which to begin delivering oversize email messages.
Stop delivering messages at n (hour) n (mins) Select the hour and minute of the day at which to stop delivering oversize email messages.
DSN
Sender display name The name of the sender, such as “FortiMail administrator”, as it should appear in delivery status notification (DSN) email messages sent by the FortiMail unit to notify email users of delivery failure.
If this field is empty, the FortiMail unit sends DSN from the default name of “postmaster”.
For more information on DSN, see “Mail Queue” on page 207.
Sender address The sender email address in delivery status notification (DSN)
email messages sent by the FortiMail unit to notify email users of
delivery failure.
If this field is empty, the FortiMail unit sends DSN from the default
sender email address of “postmaster@example.com”, where
“example.com” is the domain name of the FortiMail unit.
For more information on sending of DSN, see “Mail Queue” on
page 207.
Mail Queue
Maximum time for email in queue Select the maximum number of days that deferred email messages can remain in the deferred or spam mail queue, during which the FortiMail unit periodically retries to send the message.
After the maximum time has been reached, the FortiMail unit will send a final delivery status notification (DSN) email message to notify the sender that the email message was undeliverable.
For more information on the FortiMail mail queues, see “Mail Queue” on page 207.
Maximum time for DSN email in queue Select the maximum number of days a delivery status notification (DSN) message can remain in the mail queues. If the maximum time is set to zero (0) days, the FortiMail unit attempts to deliver the DSN only once.
After the maximum time has been reached, the DSN email is moved to the dead mail folder.
Time before delay warning Select the number of hours after an initial failure to deliver an email message before the FortiMail unit sends the first delivery status notification (DSN) email message to notify the sender that the email message has been deferred.
After sending this initial DSN, the FortiMail unit will continue to retry sending the email until reaching the limit configured in “Maximum time for email in queue”.
Time interval for retry Select the number of minutes between delivery retries for email messages in the deferred and spam mail queues.
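The four Mail Queue settings interact: the retry interval decides how often a deferred message is attempted, the delay warning decides when the sender first hears about it, and the queue maximum decides when the unit gives up and bounces. The following is an added example, not FortiMail code or part of this guide, that simulates that timeline for one deferred message so a chosen combination of values can be sanity-checked before it is set. The setting values in the test are constructed, and the assumption that a non-zero DSN queue time means one attempt per retry interval is the example's own.

```python
"""Deferred-queue timeline from the Mail Queue settings.
Added example (not FortiMail code); all values are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class QueueSettings:
    max_days_in_queue: int        # "Maximum time for email in queue" (days)
    max_dsn_days_in_queue: int    # "Maximum time for DSN email in queue" (days)
    delay_warning_hours: int      # "Time before delay warning" (hours)
    retry_interval_minutes: int   # "Time interval for retry" (minutes)


@dataclass
class Timeline:
    retry_minutes: List[int] = field(default_factory=list)  # minutes after first failure
    delay_warning_minute: Optional[int] = None              # first (delay) DSN, if sent
    final_dsn_minute: Optional[int] = None                  # failure DSN, if sent


def simulate(settings: QueueSettings, succeeds_at_minute: Optional[int] = None) -> Timeline:
    """Model a message whose first delivery attempt failed at minute 0.

    The unit retries every retry_interval_minutes while the message is queued.
    If it is still queued delay_warning_hours after the first failure, the sender
    gets a delay DSN; once max_days_in_queue has passed the message is given up
    and a final DSN is sent. succeeds_at_minute makes the first retry at or after
    that minute succeed, modelling the remote server coming back.
    """
    tl = Timeline()
    horizon = settings.max_days_in_queue * 24 * 60
    warn_at = settings.delay_warning_hours * 60
    delivered_at: Optional[int] = None
    t = settings.retry_interval_minutes
    while t <= horizon:
        tl.retry_minutes.append(t)
        if succeeds_at_minute is not None and t >= succeeds_at_minute:
            delivered_at = t
            break
        t += settings.retry_interval_minutes
    # The delay warning goes out only if the message is still queued at that time.
    if warn_at <= horizon and (delivered_at is None or delivered_at > warn_at):
        tl.delay_warning_minute = warn_at
    if delivered_at is None:
        tl.final_dsn_minute = horizon
    return tl


def dsn_delivery_attempts(settings: QueueSettings) -> int:
    """Attempts made to deliver a DSN before it goes to the dead mail folder.
    Zero days means exactly one attempt (as the table states); for other values
    the example assumes an initial attempt plus one retry per interval."""
    if settings.max_dsn_days_in_queue == 0:
        return 1
    return 1 + (settings.max_dsn_days_in_queue * 24 * 60) // settings.retry_interval_minutes
```

With a one-day queue limit, a four-hour delay warning and a 30-minute retry interval, `simulate` shows 48 retries, a delay DSN at minute 240 and the failure DSN at minute 1440; a server that recovers within two hours produces no DSN at all.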
Delivery Options
Disable ESMTP for outgoing email Select to disable Extended Simple Mail Transfer Protocol (ESMTP) for outgoing email.
By default, FortiMail units can use ESMTP commands. ESMTP supports email messages with graphics, sound, video, and text in various languages. For more information on ESMTP, see RFC 1869.
Domain Check (gateway mode and transparent mode only)
Perform LDAP domain verification for unknown domains Select to verify the existence of domains that have not been configured as protected domains. Also configure LDAP profile for domain check.
To verify the existence of unknown domains, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, and:
• If “Automatically create domain association for verified domain” is enabled, the FortiMail unit automatically adds the unknown domain as a domain association of the protected domain selected in “Internal domain to hold association”.
• If “Automatically create domain association for verified domain” is disabled, and the DNS lookup of the unknown domain name is successful, the FortiMail unit routes the email to the IP address resolved for the domain name during the DNS lookup. Because the domain is not formally defined as a protected domain, the email is considered to be outgoing, and outgoing recipient-based policies are used to scan the email. For more information, see “Outgoing policies” on page 358.
LDAP profile for domain check Select the LDAP profile to use when verifying the existence of unknown domains.
This option is available only if “Perform LDAP domain verification for unknown domains” is enabled.
Disclaimer
The Disclaimer tab enables you to configure system-wide disclaimer messages.
A disclaimer message is text that is generally attached to email to warn the
recipient that the email contents may be confidential. For disclaimers added to
outgoing messages, you need to configure an IP-based policy or an outgoing
recipient-based policy.
Disclaimer messages can be appended to incoming email messages, outgoing email
messages, or both. For information on determining the directionality of an email
message, see “Incoming vs. outgoing recipient-based policies” on page 355.
Note: If the FortiMail unit is operating in transparent mode, to use disclaimers, you must
enable clients to send email using their specified SMTP server. For more information, see
“Use client-specified SMTP server to send email” on page 216.
Note: If Allow per domain settings is enabled, you can configure disclaimer messages that
are specific to each protected domain. For more information, see “Disclaimer” on page 197.
Custom Messages
The Custom Messages tab enables you to configure replacement messages.
When the FortiMail unit detects a virus in an email attachment, it replaces the
attachment with a replacement message that provides information about the virus
and source of the email. The FortiMail unit may also use replacement messages
when notifying a recipient when it blocks an email as spam or due to content
filtering, or when sending a spam report.
To customize replacement messages, go to Mail Settings > Settings >
Custom Messages.
Name There are three categories: Replacement, Reject, and Report. Select the
blue arrow to expand the category and view the names of individual
replacement messages. The names are one of the following:
Replacement
Virus message Replacement message for an infected
attachment.
Suspicious message Replacement message for suspicious email
attachments.
Attachment filtering message Replacement message for an email whose attachment is blocked by filtering.
Content filtering message Replacement message for an email blocked
by content filtering.
Content filtering subject Replacement message for a subject of email
blocked by content filtering.
Reject
Virus message Reject message for email containing a virus
Suspicious message Reject message for email containing
suspicious contents.
Spam message Reject message for a spam email.
Attachment filtering message Reject message for email containing banned attachments.
Content filtering message Reject message for email containing sensitive
contents.
Report
Spam report (HTML) Body of HTML spam report.
Spam report (Text) Body of text spam report.
Spam Report Subject Subject line of spam report email messages.
Description Description indicating when the replacement
message is used.
Modify
Edit Icon Select to modify the replacement message.
For more information, see “Editing a custom
replacement message” on page 174.
3 In the text area, enter the replacement message, or select Reset To Default to
revert the replacement message to its default.
Unless a replacement message is required to be plain text, as those which
replace subject lines are, it can be either plain text or HTML. To apply HTML
formatting to a replacement message, use HTML tags, such as <b>some bold text</b>.
Acceptable formats and the limit on the number of characters appear in the
Allowed Formats and Size fields.
Replacement messages often include variables, such as the MIME type of the file
that was removed and replaced by the replacement message.
Note: Typically, you will customize text, but should not remove variables from the
replacement message. Removing variables may result in an error message and reduced
functionality.
Variable Description
%%EMAIL%% The email user's email address.
%%FILE%% The name of the file that was removed from the email.
%%FILE_TYPE%% The MIME type of file that was blocked. (Content
blocking only)
%%MESSAGE_ID_ALL%% Message ID to indicate “all messages” when using
control addresses.
%%SPAM_DELETE_EMAIL%% Spam delete control address, for example
delete-ctr-srv@examplemail.com.
%%SPAM_RELEASE_EMAIL%% Spam release control address, for example
release-ctrl-srv@examplemail.com.
%%VIRUS%% The name of the virus that was detected. %%VIRUS%%
can be used in replacement messages for antivirus
processing.
4 Select OK.
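The note above warns that removing a variable from a customized replacement message causes errors and reduced functionality, and the Allowed Formats and Size fields limit what a message may contain. The following is an added example, not FortiMail code or part of this guide: it renders the %%VARIABLE%% tokens from the table and validates a customized message against the default before it would be saved, catching removed or misspelled variables, oversize text, and HTML in a message that must stay plain text. The default message text, the sample values and the 1024-byte limit are constructed for the example.

```python
"""Rendering and validating custom replacement messages.
Added example (not FortiMail code); default text, values and limit are constructed."""
import re
from typing import Dict, List

VAR_RE = re.compile(r"%%([A-Z_]+)%%")

# Variable names as listed in the table above.
KNOWN_VARIABLES = {
    "EMAIL", "FILE", "FILE_TYPE", "MESSAGE_ID_ALL",
    "SPAM_DELETE_EMAIL", "SPAM_RELEASE_EMAIL", "VIRUS",
}

# Constructed stand-in for the unit's default virus replacement message.
DEFAULT_VIRUS_MESSAGE = (
    "The attachment %%FILE%% was removed because it contained the virus %%VIRUS%%."
)


def variables_in(template: str) -> List[str]:
    """Variable names used in a template, in order of first appearance."""
    seen: List[str] = []
    for name in VAR_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def render(template: str, values: Dict[str, str]) -> str:
    """Substitute known tokens. An unknown token is left in place so that a typo
    in a customized message is visible in the rendered text rather than silently
    dropped."""
    return VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def validate_customization(default: str, custom: str,
                           max_size: int = 1024, html_allowed: bool = True) -> List[str]:
    """Problems that should block saving a customized message; empty if acceptable."""
    problems: List[str] = []
    missing = [v for v in variables_in(default) if v not in variables_in(custom)]
    if missing:
        problems.append("removed variables: " + ", ".join(missing))
    unknown = [v for v in variables_in(custom) if v not in KNOWN_VARIABLES]
    if unknown:
        problems.append("unknown variables: " + ", ".join(unknown))
    size = len(custom.encode("utf-8"))
    if size > max_size:
        problems.append(f"message is {size} bytes, limit is {max_size}")
    if not html_allowed and re.search(r"<[A-Za-z/]", custom):
        problems.append("HTML tags are not allowed in a plain-text message")
    return problems
```

Checking the customized text against the default, rather than against a fixed list, is what makes the "do not remove variables" rule enforceable: whatever variables the default message used are the ones the unit expects to substitute.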
Appearance
The Appearance tab enables you to customize the default appearance of the
web-based manager, per-recipient quarantine, and webmail pages with your own
product name, product logo, and corporate logo.
You can customize the language used to display the webmail pages. If your
preferred language is not currently installed, you can create a new language file or
customize an existing language file.
To customize the appearance of the web-based manager and webmail pages, go
to Mail Settings > Settings > Appearance.
Figure 96: Customizing the appearance of the FortiMail web-based manager and webmail
Administration Interface
Product name Enter the name of the product. This name will precede
“Administrator Login” in the title on the login page of the
web-based manager.
Top logo Select “change” to upload a graphic that will appear at the
top of all pages in the web-based manager.
Note: Uploading a graphic overwrites the current graphic.
The FortiMail unit does not retain previous or default
graphics. If you want to be able to revert to the current
graphic, use your web browser to save the image to your
management computer, enabling you to upload it again at a
later time.
Bottom logo Select “change” to upload a graphic that will appear at the
bottom left edge of all pages in the web-based manager.
This logo is hyperlinked to the URL configured in Bottom
URL.
Note: Uploading a graphic overwrites the current graphic.
The FortiMail unit does not retain previous or default
graphics. If you want to be able to revert to the current
graphic, use your web browser to save the image to your
management computer, enabling you to upload it again at a
later time.
Bottom URL Enter the URL to which the Bottom logo graphic will be
hyperlinked. For example, you might enter the URL of your
organization’s web site.
Webmail Interface
Webmail Language Select the language in which webmail pages will be
displayed. By default, the FortiMail unit will use the same
language as the web-based manager. For web-based
manager language settings, see “Options” on page 137.
Webmail Language Customization Select the blue arrow to expand the list of languages installed on the FortiMail unit, including the language names in English and in their own language. For each language, you can select:
• New Language: Select to add a new language to the list. See “To add a webmail language” on page 178.
• Edit: Select to modify the language name and individual text strings that are associated with resource IDs and appear in locations such as field labels and alert messages. For more information, see “To edit a webmail language” on page 178.
• Download Webmail Language: Select to download the language resource file for this language to your management computer.
• Upload: Select to update the language resource file for this language from your management computer to the FortiMail unit.
• Delete: Select to remove the language. This option appears only for non-default languages.
Webmail Login Enter the title that will appear on the webmail login page.
Input your email address Enter the prompt text that will appear between the user name and password fields on the webmail login page.
The default value is “Input your email address”.
Web mail flash logo Select “change” to upload a graphic that will appear at the
top left of webmail login page.
Note: Uploading a graphic overwrites the current graphic.
The FortiMail unit does not retain previous or default
graphics. If you want to be able to revert to the current
graphic, use your web browser to save the image to your
management computer, enabling you to upload it again at a
later time.
Web mail top logo Select “change” to upload a graphic that will appear at the
top of all webmail pages.
Note: Uploading a graphic overwrites the current graphic.
The FortiMail unit does not retain previous or default
graphics. If you want to be able to revert to the current
graphic, use your web browser to save the image to your
management computer, enabling you to upload it again at a
later time.
Storage
The Storage tab enables you to configure local or remote storage of normal and
quarantined email messages.
FortiMail units can store email either locally or remotely. Your FortiMail unit
supports NFS storage on a Network Attached Storage (NAS) server, and a
Centralized Quarantine.
A NAS has the benefits of remote storage which include ease of backing up the
mail data and flexible storage limits. As well, you can still access the mail data on
the NAS server if your FortiMail unit loses connection.
Note: If you are using a NAS server in high availability (HA) mode, disable mail data
synchronization. Otherwise, both FortiMail units will write the same data to the same
location, wasting CPU cycles and network bandwidth.
NAS
Local Select to store email on the FortiMail unit local disk. This is
selected by default.
NAS Server Select to store email on a remote Network Attached Storage
(NAS) server.
Test Select to verify the NAS server settings are correct and that the
FortiMail unit can access that location.
This control is available only when NAS Server is selected.
Domains
The Domains menu enables you to create protected domains to define the SMTP
servers that the FortiMail unit protects. Usually, you will configure at least one
protected domain during installation, but you may also add more protected
domains or modify the settings of existing protected domains.
The Domains menu includes the following tab:
• Domains
Domains
The Domains tab displays the list of protected domains.
Protected domains define connections and email messages for which the
FortiMail unit can perform protective email processing by describing both:
• the IP address of an SMTP server
• the domain name portion (the portion which follows the “@” symbol) of
recipient email addresses in the envelope
both of which the FortiMail unit compares to connections and email messages
when looking for traffic that involves the protected domain.
Note: For FortiMail units operating in server mode, protected domains list only the domain
name, not the IP address: the IP address of the SMTP server is the IP address of the
FortiMail unit itself.
Aside from defining the domain, protected domains also contain some settings
that apply specifically to all email destined for that domain, such as mail routing
and disclaimer messages.
Many FortiMail features require that you configure a protected domain. For
example, when applying recipient-based policies for email messages incoming to
the protected domain, the FortiMail unit will compare the domain name of the
protected domain to the domain name portion of the recipient email addresses.
When FortiMail units operating in transparent mode are proxying email
connections for a protected domain, the FortiMail unit will pass, drop or intercept
connections destined for the IP address of an SMTP server associated with the
protected domain, and can use the domain name of the protected domain during
the SMTP greeting.
Note: For more information on how the domain name and mail exchanger (MX) IP address
of protected domains are used, see “Incoming vs. outgoing SMTP connections” on
page 214 and “Incoming vs. outgoing recipient-based policies” on page 355.
Usually, you have already configured at least one protected domain during
installation of your FortiMail unit. However, you can add more domains or modify
the settings of existing ones if necessary. For more information, see “Creating a
protected domain” on page 182.
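The comparison described above, the domain portion of the envelope recipient address against the configured protected domains, is easy to get wrong in one specific way: a subdomain that has not been added as its own entry does not match its parent, so mail for it is treated as outgoing. The following is an added example, not FortiMail code or part of this guide, that implements the comparison with that behaviour, resolves subdomain and association entries to the protected domain whose settings they use, and looks up the SMTP server a matched message would be relayed to. The domain table and server addresses are constructed.

```python
"""Envelope-recipient matching against protected domains.
Added example (not FortiMail code); the domain table is constructed."""
from typing import Dict, Optional, Tuple

# Constructed table of protected-domain entries: entry -> parent protected domain.
# A top-level protected domain maps to itself.
PROTECTED_DOMAINS: Dict[str, str] = {
    "example.com": "example.com",
    "eu.example.com": "example.com",   # subdomain configured as its own entry
    "example.net": "example.com",      # domain association of example.com
}

# Constructed SMTP server settings, stored only for top-level protected domains:
# associations use the settings of the domain they are associated with.
SMTP_SERVERS: Dict[str, Tuple[str, int]] = {
    "example.com": ("server.mail.example.com", 25),
}


def domain_part(envelope_address: str) -> Optional[str]:
    """Lower-cased domain portion of an envelope address such as '<User@Example.com>'.
    Returns None unless there is exactly one non-empty local part and domain."""
    addr = envelope_address.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.rstrip(".").lower()


def classify_recipient(envelope_rcpt: str) -> Tuple[str, Optional[str]]:
    """('incoming', protected_domain) when the recipient domain is a protected
    domain, a configured subdomain entry or an association of one; otherwise
    ('outgoing', None). Malformed addresses give ('invalid', None) so that they
    can be rejected before any policy lookup."""
    domain = domain_part(envelope_rcpt)
    if domain is None:
        return ("invalid", None)
    parent = PROTECTED_DOMAINS.get(domain)
    if parent is None:
        return ("outgoing", None)
    return ("incoming", parent)


def route_for(envelope_rcpt: str) -> Optional[Tuple[str, int]]:
    """SMTP server (host, port) an incoming message would be relayed to; None if
    the message is not incoming to a protected domain."""
    direction, parent = classify_recipient(envelope_rcpt)
    if direction != "incoming":
        return None
    return SMTP_SERVERS.get(parent)
```

Note that `user@mail.example.com` is classified as outgoing although `example.com` is protected: the list above has no `mail.example.com` entry, which is exactly the situation the subdomain entries in the Domains tab exist to cover.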
To view the list of protected domains, go to Mail Settings > Domains > Domains.
Domain The fully qualified domain name (FQDN) of the protected domain.
If the protected domain is a subdomain or domain association, select
the “+” next to a domain entry to expand the list of subdomains and
domain associations. To collapse the entry, select “-”.
Use MX (transparent mode and gateway mode only) Indicates whether the IP address and the port number of the protected email server is manually defined in the FortiMail unit’s configuration file, or if you have enabled the FortiMail unit to query the DNS server’s MX record to ascertain that information for this domain name.
• Green check mark: Indicates that Use MX Record is enabled.
• Red X icon: Indicates that Use MX Record is disabled.
For more information, see “Use MX Record” on page 185.
SMTP Server (transparent mode and gateway mode only) The host name or IP address and port number of the mail exchanger (MX) for this protected domain.
If Use MX contains a green check mark, this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty.
Sub (transparent mode and gateway mode only) A green check indicates that the entry is a subdomain of a protected domain.
Association (transparent mode and gateway mode only) A green check indicates that the entry is a domain association. For more information on domain associations, see “Domain Associations” on page 191.
Modify
Delete icon Select to remove the protected domain and all associated email user
accounts and preferences.
Edit icon Select to modify the protected domain. For more information, see
“Creating a protected domain” on page 182.
This option is not available for domain associations, as they use the
settings of the protected domain with which they are associated.
Create New Select to create a new protected domain, subdomain, or domain
association. For more information, see “Creating a protected domain”
on page 182.
Domain FQDN Enter the fully qualified domain name (FQDN) of the protected
domain.
For example, if you want to protect email user accounts such as
user1@example.com, you would enter the protected domain name
example.com.
Use MX Record (transparent mode and gateway mode only) Select to enable the FortiMail unit to query the DNS server’s MX record for the FQDN or IP address of the SMTP server for this domain name, instead of manually defining the SMTP server in the fields SMTP Server and Fallback MX Host.
Note: If the FortiMail unit is operating in gateway mode and you
enable this option, you usually should also configure the FortiMail
unit to use a private DNS server. On the private DNS server,
configure the MX record with the FQDN of the SMTP server that
you are protecting for this domain, causing the FortiMail unit to
route email to the protected SMTP server. This is different from
how a public DNS server should be configured for that domain
name, where the MX record usually should contain the FQDN of
the FortiMail unit itself, causing external SMTP servers to route
email through the FortiMail unit.
If the FortiMail unit is operating in transparent mode and you
enable this option, a private DNS server is not required.
SMTP Server (transparent mode and gateway mode only) Enter the host name or IP address of the primary SMTP server for this protected domain, then also configure Use smtps and Port.
Port (transparent mode and gateway mode only) Enter the port number on which the SMTP server listens.
If you enable Use smtps, Port automatically changes to the default port number for SMTPS, but can still be customized.
The default SMTP port number is 25; the default SMTPS port number is 465.
Fallback MX Host (transparent mode and gateway mode only) Enter the host name or IP address of the secondary SMTP server for this protected domain, then also configure Use smtps and Port. This SMTP server will be used if the primary SMTP server is unreachable.
Port (transparent mode and gateway mode only) Enter the port number on which the failover SMTP server listens.
If you enable Use smtps, Port automatically changes to the default port number for SMTPS, but can still be customized.
The default SMTP port number is 25; the default SMTPS port number is 465.
Verify Recipient Address Select a method of confirming that the recipient “To:” address in the message header corresponds to an email user account that actually exists on the protected email server. If the recipient address is invalid, the FortiMail unit will not quarantine email messages for the non-existent account, thereby conserving quarantine hard disk space.
• Disable: Do not verify that the recipient address is an email
user account that actually exists.
• Use SMTP Server: Query the SMTP server to verify that the
recipient address is an email user account that actually exists.
• Use LDAP Server: Query an LDAP server to verify that the
recipient address is an email user account that actually exists.
Also select the LDAP profile that will be used to query the
LDAP server. For more information on configuring LDAP
profiles, see “LDAP Profile” on page 320.
This option can cause a performance impact that may be
noticeable during peak traffic times. For a lesser performance
impact, you can alternatively periodically automatically remove
quarantined email messages for invalid email user accounts,
rather than actively preventing them during each email message.
For more information, see “Automatic Removal of Invalid
Quarantine Accounts” on page 189.
Note: Spam often contains invalid recipient addresses. If you have
enabled spam quarantining, but have not prevented or scheduled
the periodic removal of quarantined email messages for invalid
email accounts, the FortiMail hard disk may be rapidly consumed
during peak traffic times, resulting in refused SMTP connections
when the hard disk becomes full. To prevent this, enable either this
option or the periodic removal of invalid quarantine accounts.
Note: This option does not operate upon the recipient address that
appears in the envelope of the SMTP session, which is governed
by access control rules. For more information on access control
rules, see “Access” on page 198.
Transparent Mode Options
This server is on (transparent mode only) Select the network interface (port) to which the protected SMTP server is connected.
Note: Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface.
Hide the transparent box (transparent mode only) When enabled, the EHLO field of “Received:” message headers of outgoing email messages will not contain the domain name of the FortiMail unit; instead, it will contain the IP address of the SMTP server that was sending the email message, masking the existence of the FortiMail unit.
Note that when this option is enabled, you cannot use IP pools for
this protected domain, and you should allow clients to specify an
SMTP server other than the FortiMail unit for outbound mail. For
more information, see “Use client-specified SMTP server to
send email” on page 216.
When disabled, the FortiMail unit’s domain name appears in the
EHLO field of “Received:” message headers.
For example, the SMTP server associated with a protected domain might have the IP address 172.168.1.1, and the FortiMail unit might have the domain name fortimail.example.com. If the option is enabled, the message headers would contain (the EHLO value and the “by” host are what differ between the two cases):
Received: from 192.168.1.1 (EHLO 172.168.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800
Received: from smtpa ([172.168.1.2]) by [172.168.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT
But if the option is disabled, the message headers would contain:
Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800
Received: from smtpa ([172.168.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT
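Whether the option is doing what is expected can be checked from a delivered message rather than from the configuration page: if the unit's FQDN appears in any Received hop, the gateway is visible. The following is an added example, not FortiMail code or part of this guide, that parses Received headers into their from/EHLO/by/id/for clauses and reports whether a given gateway name appears in any hop. The two sample header blocks are constructed from the illustration above, folded onto continuation lines the way a real message carries them.

```python
"""Inspecting what the 'Received:' chain reveals about a transparent gateway.
Added example (not FortiMail code); samples are constructed from the guide's
illustration."""
import email
import re
from typing import Dict, List, Optional

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>[^\s;]+)"
    r"(?:\s+\(EHLO\s+(?P<ehlo>[^)]+)\))?"      # EHLO name as recorded by the receiver
    r"(?:\s+\((?P<paren>[^)]*)\))?"           # extra parenthesised info, e.g. peer IP
    r"\s+by\s+(?P<by>[^\s;]+)"
    r"(?:\s+with\s+(?P<with>[^\s;]+))?"
    r"(?:\s+id\s+(?P<id>[^\s;]+))?"
    r"(?:\s+for\s+<(?P<for>[^>]+)>)?"
    r"\s*;\s*(?P<date>.+)$"
)

SAMPLE_HIDDEN = (  # "Hide the transparent box" enabled
    "Received: from 192.168.1.1 (EHLO 172.168.1.1) (192.168.1.1)\n"
    " by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800\n"
    "Received: from smtpa ([172.168.1.2]) by [172.168.1.1] with SMTP\n"
    " id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT\n"
)

SAMPLE_VISIBLE = (  # option disabled: the FortiMail unit's own name appears
    "Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1)\n"
    " by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800\n"
    "Received: from smtpa ([172.168.1.2]) by fortimail.example.com with SMTP\n"
    " id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT\n"
)


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Split one Received value into its clauses; {} if it is not in the
    'from ... by ... ; date' shape. Folding whitespace is collapsed first."""
    text = " ".join(value.split())
    m = RECEIVED_RE.match(text)
    return m.groupdict() if m else {}


def received_chain(raw_headers: str) -> List[Dict[str, Optional[str]]]:
    """Received hops in header order (topmost, i.e. most recent, first); the
    standard library header parser handles the folded continuation lines."""
    msg = email.message_from_string(raw_headers)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def gateway_exposed(raw_headers: str, gateway_fqdn: str) -> bool:
    """True if the gateway's FQDN appears as the EHLO or 'by' name of any hop."""
    name = gateway_fqdn.lower()
    for hop in received_chain(raw_headers):
        for key in ("ehlo", "by"):
            if (hop.get(key) or "").lower() == name:
                return True
    return False
```

The same parser is useful when reading incident mail: the `for` and `id` clauses tie a hop to the message the receiving server logged, and the `by` host of the hop directly below an external server is the host that actually spoke to it.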
Use this domain’s SMTP server to deliver the mail (transparent mode only) Select to relay mail to the SMTP server for this protected domain for delivery, rather than delivering the email using the FortiMail unit itself.
Webmail Language Select the language that the FortiMail unit uses to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same language as the web-based manager. For more information, see “Options” on page 137.
IP Pool to use Select a pool of IP addresses to use for connections outgoing from
this protected domain.
Use IP pool profiles if you want outgoing email to originate from a
configured range of IP addresses. Each sent email message will
use the next IP address in the range. When the last IP address in
the range is used, the next email message will use the first IP
address.
This setting is used only for email that is outgoing from a protected
domain. This is done by checking only the envelope from address.
If the envelope “from” address indicates that the email message is
from a protected domain, the FortiMail unit performs actions
configured in this setting for the protected domain.
If the FortiMail unit is operating in transparent mode, and you have
enabled “Hide this transparent box”, you cannot use IP pools.
For more information on IP pools, see “IP Pool Lists” on page 348.
SMTP greeting (ehlo/helo): Select how the FortiMail unit will identify itself
during the HELO or EHLO greeting of outgoing SMTP connections that it initiates.
• Use this domain name: The FortiMail unit will identify itself
using the domain name for this protected domain.
If the FortiMail unit will handle internal email messages (those
for which both the sender and recipient addresses in the
envelope contain the domain name of the protected domain), to
use this option, you must also configure your protected SMTP
server to use its host name for SMTP greetings. Failure to do
this will result in dropped SMTP sessions, as both the FortiMail
unit and the protected SMTP server will be using the same
domain name when greeting each other. Alternatively, instead
select Use system host name.
• Use system host name: The FortiMail unit will identify itself
using its own host name.
By default, the FortiMail unit uses the domain name of the
protected domain. If your FortiMail unit is protecting multiple
domains and using IP pool addresses, select Use system host
name instead. This setting does not apply if email is incoming,
according to the sender address in the envelope, from an
unprotected domain.
Advanced AS / AV Settings
Check AS / AV config: Select to enable or disable antispam and/or antivirus
processing for email messages destined for an email user of a protected
domain based upon an LDAP query for the email user’s preferences, then select
the blue arrow to expand the options, and select the name of an LDAP profile
in which you have enabled and configured AS/AV On/Off Options. For more
information, see “LDAP Profile” on page 320.
Use Global Bayesian Database: Enable to use the global Bayesian database
instead of the Bayesian database for this protected domain.
If you do not need the Bayesian database to be specific to the
protected domain, you may want to use the global Bayesian
database instead in order to simplify database maintenance and
training.
Disable to use the per-domain Bayesian database.
This option does not apply if you have enabled use of personal
Bayesian databases in an incoming antispam profile, and if the
personal Bayesian database is mature. Instead, the FortiMail unit
will use the personal Bayesian database. For more information,
see “Bayesian scan options” on page 249.
Note: Train the global or per-domain Bayesian database before
using it. If you do not train it first, Bayesian scan results may be
unreliable. For more information on Bayesian database types and
how to train them, see “Bayesian database types” on page 387 and
“Initial training of the Bayesian databases” on page 388.
Bypass Bounce Verification: Select to disable bounce verification for this
protected domain. This option appears only if bounce verification is enabled.
For more information, see “Bounce Verification” on page 423.
4 Select OK.
Domain Associations
The Domain Associations section that appears when configuring a protected
domain enables you to configure associated domains. Associated domains use
the settings of the protected domains or subdomains with which they are
associated.
Note: In FortiMail version 3.0 MR4 and earlier releases, associated domains do not inherit
the following domain related settings from the main domain. Instead, associated domains
use system level settings.
• Domain level disclaimer
• Domain level spam report format, including subject and body
• Webmail language preference
Domain associations can be useful for saving time when you have multiple
domains for which you would otherwise need to configure protected domains with
identical settings.
For example, if you have one SMTP server handling email for ten domains, you
could create ten separate protected domains, and configure each with identical
settings. Alternatively, you could create one protected domain, listing the nine
remaining domains as domain associations. The advantage of using the second
method is that you do not have to repeatedly configure the same things when
creating or modifying the protected domains, saving time and reducing chances
for error. Changes to one protected domain automatically apply to all of its
associated domains.
Exceptions to settings that associated domains will re-use include DKIM keys and
signing settings. Domain keys are by nature tied to the exact protected domain
only, and cannot be used for any other protected domain, including associated
domains.
The maximum number of domain associations that you can create is separate
from the maximum number of protected domains. For more information, see the
Fortinet Knowledge Center article FortiMail v3.0 MR4 Maximum Values Matrix.
Members: The list of domain names that are associated with this protected
domain. Associated domains use the settings of the protected domain with
which they are associated (with the sole exception of their domain name), and
do not have protected domain settings of their own.
Remove Selected: Select one or more domain names, then select Remove Selected
to remove them from the Members area.
Add: Enter a fully qualified domain name (FQDN) that you want to use the same
settings as this protected domain, then select Add to add the domain name to
the Members area.
5 Select OK.
Note: For information on system-wide spam report settings and spam reports in general,
see “Spam Report” on page 376 and “Custom Messages” on page 173.
Send to individual recipients: Select to send the spam report to all
recipients. For more information, see “Recipients” on page 366.
Send to LDAP group owner based on LDAP profile: Select to send the spam report
to a group owner, rather than individual recipients, then select the name of
an LDAP profile in which you have enabled and configured Group Query Options.
For more information, see “LDAP Profile” on page 320.
Send to other recipient: Select to send the spam report to a recipient other
than the individual recipients or group owner. For example, you might
delegate spam reports by sending them to an administrator whose email address
is not locally deliverable to the protected domain, such as
admin@lab.example.com.
Schedule Select the schedule to use when sending spam reports.
• Use system settings: Use the system-wide spam report
schedule. For more information, see “Spam Report” on
page 376.
• Use domain settings: Use a spam report schedule that is
specific to this protected domain, within the boundaries of
time allowed by the system-wide spam report schedule. Also
configure These Hours and These Days.
Caution: If you change the system-wide spam report schedule, it
will clear any spam report schedules for this protected domain,
requiring you to re-configure all per-domain spam report
schedules.
These Hours Select which hours to send the spam report for this protected
domain. When the FortiMail unit is reset not all hours will be
available.
This option is available only when Schedule is Use domain
settings.
These Days Select which days to send the spam report for this protected
domain. When the FortiMail unit is reset, not all days will be
available.
This option is available only when Schedule is Use domain
settings.
Report Select the text that will appear in the spam reports.
• Use system settings: Use the system-wide spam report text.
For more information, see “Custom Messages” on page 173.
• Use domain settings: Use spam report text that is specific to
this protected domain. Also configure Report Email Body
(HTML), Report Email Body (Text), and Report Email Subject
(Text).
Report Email Body (HTML): Enable to use spam report text that is specific to
this protected domain, then enter the spam report text, which may include
HTML tags. For examples, see “Editing a custom replacement message” on
page 174.
To set this per-domain spam report text to its default value for the
firmware version, select Reset to Default.
For information on the contents of the HTML format spam report,
see “Understanding the HTML formatted spam report” on
page 380.
Report Email Body (Text): Enable to use spam report text that is specific to
this protected domain, then enter the spam report text, which must be in
plain text.
To set this per-domain spam report text to its default value for the
firmware version, select Reset to Default.
For information on the contents of the plain text format spam
report, see “Understanding the plain text formatted spam report”
on page 378.
Report Email Subject (Text): Enable to use a subject line for the spam report
that is specific to this protected domain, then enter the subject line that
will be used for the spam report. The subject line must be in plain text.
To set the per-domain spam report subject line to its default value
for the firmware version, select Reset to Default.
Replacement messages often include variables, such as the MIME type of the file
that was removed and replaced by the replacement message.
Note: Typically, you will customize text, but should not remove variables from the
replacement message. Removing variables may result in an error message and reduced
functionality.
5 Select OK.
DKIM Setting
The DKIM Setting section that appears when configuring a protected domain
enables you to create domain keys for this protected domain.
The FortiMail unit will sign outgoing email messages using the domain key for this
protected domain if you have selected it when configuring sender validation in the
session profile. For more information, see “Session Configuration” on page 287.
Note: Because domain keys are tied to the domain name for which they are generated,
FortiMail units will not use the domain key of a protected domain to sign email of an
associated domain. If you require DKIM signing for an associated domain, convert it to a
standard protected domain and then generate its own, separate domain key.
DKIM signing requires a public-private key pair. The private key is kept on and
used by the FortiMail unit to generate the DKIM signatures for the email
messages; the public key is stored on the DNS server in the DNS record for the
domain name, and used by receiving parties to verify the signature.
After you generate the key pair by creating a domain key selector, you can export
the DNS record that contains the public key. The following is a sample of the
exported DNS record:
example_com._domainkey IN TXT "t=y; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPu
R5xC+yDvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHH
PFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3
asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"
Then you can publish the public key by adding it to the DNS zone file as a text
record for the domain name on the DNS server. The recipient SMTP server, if
enabled with DKIM checking, will use the public key to decrypt the signature and
compare the HASH values of the email message to make sure the HASH values
match.
Note: Because information from the protected domain is used to generate the key pair, you
cannot create DKIM keys while initially creating the protected domain.
Note: Only one key pair can be active at a time. If a new selector is generated, the FortiMail
unit always signs email messages with the most recently generated key pair. To use an
older domain key pair, you must delete all domain key pairs that have been more recently
generated.
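An added Python check (not FortiMail’s own code) for an exported record like the one shown above, run before the record is published: it splits the record into its tags, decodes the p= public key and walks the DER structure to confirm it is an RSA SubjectPublicKeyInfo, reporting the selector, whether the t=y testing flag is set, and the key size. SAMPLE_RECORD is the record quoted on this page; the function names are this example’s own.

```python
import base64
import re

# Added example, not FortiMail's own code: sanity-checks an exported DKIM
# DNS record before publication. SAMPLE_RECORD is the sample record shown
# in this section of the guide; in a real zone its owner name is relative
# to the zone origin, so verifiers query example_com._domainkey.<domain>.
SAMPLE_RECORD = '''example_com._domainkey IN TXT "t=y; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPu
R5xC+yDvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHH
PFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3
asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"'''

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption (PKCS #1)


def parse_txt_record(record: str):
    """Split a zone-file TXT line into (owner name, {tag: value}). Quoted
    strings broken across lines are joined; whitespace inside tag values
    is dropped, as DKIM verifiers ignore it."""
    owner, _, rest = record.partition(" IN TXT ")
    data = "".join(re.findall(r'"([^"]*)"', rest))
    tags = {}
    for item in data.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return owner.strip(), tags


def der_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos; return
    (tag, value bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier, BIT STRING ->
    RSAPublicKey and return the modulus size in bits; ValueError if the
    key is not an RSA key."""
    tag, body, _ = der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("public key is not a DER SEQUENCE")
    _, alg, pos = der_tlv(body, 0)
    oid_tag, oid, _ = der_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = der_tlv(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa, _ = der_tlv(bits[1:], 0)       # RSAPublicKey SEQUENCE
    _, modulus, _ = der_tlv(rsa, 0)        # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(record: str) -> dict:
    """Return the selector, whether the t=y testing flag is set, and the
    RSA key size. RFC 8301 requires at least 1024 bits and recommends
    2048 for new keys; an empty p= value means the key was revoked."""
    owner, tags = parse_txt_record(record)
    if "._domainkey" not in owner:
        raise ValueError("owner name must be <selector>._domainkey")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa is handled here")
    if not tags.get("p"):
        raise ValueError("p= is missing or empty (revoked key)")
    flags = tags.get("t", "").split(":")
    return {
        "selector": owner.split("._domainkey")[0],
        "testing": "y" in flags,
        "bits": rsa_key_bits(base64.b64decode(tags["p"])),
    }


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_RECORD))
    # {'selector': 'example_com', 'testing': True, 'bits': 1024}
```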
Disclaimer
The Disclaimer section that appears when configuring a protected domain
enables you to configure disclaimer messages specific to this protected domain.
A disclaimer message is text that is generally attached to email to warn the
recipient that the email contents may be confidential. For disclaimers added to
outgoing messages, you need to configure an IP-based policy or an outgoing
recipient-based policy.
Disclaimer messages can be appended for either or both incoming or outgoing
email messages. For information on determining the directionality of an email
message, see “Incoming vs. outgoing recipient-based policies” on page 355.
Note: If the FortiMail unit is operating in transparent mode, to use disclaimers, you must
enable clients to send email using their specified SMTP server. For more information, see
“Use client-specified SMTP server to send email” on page 216.
5 Select OK.
Access
The Access menu enables you to configure access control rules for SMTP
sessions.
Access control rules are categorized separately based upon whether they affect
either the receipt or delivery of email messages by the FortiMail unit — that is,
whether or not the FortiMail unit initiated the SMTP session, or was the
destination.
The Access menu includes the following tabs:
• Receive rules
• Delivery rules
Receive rules
The Receive tab displays a list of access control rules that apply to SMTP
sessions being received by the FortiMail unit.
When an SMTP server attempts to deliver email through the FortiMail unit, the
FortiMail unit compares each access control rule to the commands used by the
SMTP server during the SMTP session, such as the sender address (MAIL
FROM), recipient address (RCPT TO), authentication (AUTH), and TLS
(STARTTLS). Rules are evaluated for a match in the order of their list sequence,
from top to bottom. If all the attributes of a rule match, the FortiMail unit applies the
action selected in the matching rule to the SMTP session, and no subsequent
access control rules are applied. Only one access control rule is ever applied to
any given SMTP session.
To view the access control rule list, go to Mail Settings > Access > Receive.
Sender Pattern Enter a complete or partial sender email address to match. The
sender address examined by the FortiMail unit is the “mail from:” part
of the message envelope.
Wildcard characters allow you to enter partial patterns that can match
multiple sender email addresses. The asterisk (*) represents one or
more characters and the question mark (?) represents any single
character.
For example, the sender pattern ??@*.com will match messages
sent by any email user with a two letter email user name from any
“.com” domain name.
Regular expression: Select to use regular expression syntax instead of
wildcards to specify the sender pattern. For more information, see “Using
Perl regular expressions” on page 426.
Recipient Pattern Enter a complete or partial recipient email address to match. The
recipient address examined by the FortiMail unit is the “rcpt to:” part
of the message envelope.
Wildcard characters allow you to enter partial patterns that can match
multiple recipient email addresses. The asterisk (*) represents one or
more characters and the question mark (?) represents any single
character.
For example, the recipient pattern *@example.??? will match
messages sent to any email user at example.com, example.net,
example.org, or any other “example” domain ending with a
three-letter top-level domain name.
Regular expression: Select to use regular expression syntax instead of
wildcards to specify the recipient pattern. For more information, see “Using
Perl regular expressions” on page 426.
Sender IP/Netmask Enter the IP address and netmask of the system attempting to deliver
the email message. Use the netmask, the portion after the slash (/) to
specify the matching subnet.
For example, enter 10.10.10.10/24 to match a 24 bit subnet, or all
addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in
the access control rule table, with the 0 indicating that any value is
matched in that position of the address.
Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match
only the 10.10.10.10 address. Enter 0.0.0.0/0 to match any address.
Reverse DNS Pattern: Enter a pattern to compare to the result of a reverse
DNS look-up of the IP address of the SMTP server delivering the email message.
Because domain names in the SMTP session are self-reported by
the connecting SMTP server and easy to fake, the FortiMail unit does
not trust the domain name that an SMTP server reports. Instead, the
FortiMail does a DNS lookup using the SMTP server’s IP address.
The resulting domain name is compared to the reverse DNS pattern
for a match. If the reverse DNS query fails, the access control rule
match will also fail. If no other access control rule matches, the
connection will be rejected with SMTP reply code 550 (Relaying
denied).
Wildcard characters allow you to enter partial patterns that can match
multiple reverse DNS lookup results. An asterisk (*) represents one
or more characters; a question mark (?) represents any single
character.
For example, the reverse DNS pattern mail*.com will match messages
delivered by an SMTP server whose domain name starts with “mail”
and ends with “.com”.
Note: Reverse DNS queries for access control rules require that the
domain name be a valid top level domain (TLD). For example, “.lab”
is not a valid top level domain name, and thus the FortiMail unit
cannot successfully perform a reverse DNS query for it.
Regular expression: Select to use regular expression syntax instead of
wildcards to specify the reverse DNS pattern. For more information, see
“Using Perl regular expressions” on page 426.
Authentication Status: Select whether or not to match this access control
rule based upon client authentication.
• any: Match or do not match this access control rule regardless of
whether the client has authenticated with the FortiMail unit.
• authenticated: Match this access control rule only for clients that
have authenticated with the FortiMail unit.
TLS Select a TLS profile to allow or reject the connection based on
whether the communication session attributes match the settings in
the TLS profile. If the attributes match, the access control action is
executed. If the attributes do not match, the FortiMail unit performs
the Failure action configured in the TLS profile. For more information
on TLS profiles, see “TLS Profile” on page 350.
Action Select the action that the FortiMail unit will perform for SMTP
sessions matching this access control rule.
• BYPASS: The FortiMail unit will deliver the email message, but
will bypass all antispam profile processing. Antivirus, content and
other scans will still be performed on the email message.
• RELAY: The FortiMail unit will deliver the email message and
process it normally, with all configured scanning.
• REJECT: The FortiMail unit rejects delivery of the email message.
The FortiMail unit returns a rejection response to the client
attempting delivery of the email message.
• DISCARD: The FortiMail unit accepts the email message but
silently deletes it without delivery. The FortiMail unit does not
inform the client.
4 Select OK.
Rule 1
The email account of former employee user932 receives a large amount of spam.
Since this employee is no longer with the company and all of his external contacts
were informed of their new Example Corporation employee contacts, messages
addressed to the former employee’s address must be spam.
Rule 1 uses only the recipient pattern. All the other access control rule attributes
are configured to match any value. This rule rejects all messages sent to the
user932@example.com recipient email address. Rejection at the access control
stage prevents these messages from being scanned for spam and viruses, saving
FortiMail system resources.
This rule is placed first because it is the most specific access control rule in the
list. It applies only to SMTP sessions for that single recipient address. SMTP
sessions sending email to any other recipient do not match it. If a rule that
matched all messages were placed at the top of the list, no rule after the first
would ever be checked for a match, because the first would always match.
SMTP sessions not matching this rule are checked against the next rule.
Rule 2
Much of the spam received by the Example Corporation has no sender specified
in the message envelope. Most valid email messages will have a sender email
address.
Rule 2 uses only the sender pattern. The regular expression “^\s*$” will match a
sender string that contains one or more spaces, or is empty. If any non-space
character appears in the sender string, this rule does not match. This rule will
reject all messages with no sender, or a sender containing only spaces.
Not all email messages without a sender are spam, however. Delivery status
notification (DSN) messages often have no specified sender. Bounce notifications
are the most common type of DSN messages. The FortiMail administrators at the
Example Corporation decided that the advantages of this rule outweigh the
disadvantages.
Messages not matching this rule are checked against the next rule.
Rules 3 and 4
Recently, the Example Corporation has been receiving spam that appears to be
sent by example.org. The FortiMail log files revealed that the sender address is
being spoofed and the messages are sent from servers operated by spammers.
Because spam servers often change IP addresses to avoid being blocked, the
FortiMail administrators decided to use two rules to block all mail from
example.org unless delivered from a server with the proper address and host
name.
When legitimate, email messages from example.org are sent from one of multiple
mail servers. All of these servers have IP addresses within the 172.20.120.0/24
subnet and have a domain name of mail.example.org that can be verified using a
reverse DNS query.
Rule 3 uses the recipient pattern, the sender IP, and the reverse DNS pattern. This
rule will relay messages to email users of example.com sent from a client whose
domain name is mail.example.org and IP address is between 172.20.120.1 and
172.20.120.255.
Messages not matching this rule are checked against the next rule.
Rule 4 works in conjunction with rule 3. It uses only the sender pattern. Rule 4
rejects all messages from example.org. But because it is positioned after rule 3 in
the list, rule 4 affects only messages that were not already proven to be legitimate
by rule 3, thereby rejecting only email messages with a fake sender.
Rules 3 and 4 must appear in the order shown. If they were reversed, all mail from
example.org would be rejected. The more specific rule 3 (accept valid mail from
example.org) is placed first, and the more general rule 4 (reject all mail from
example.org) follows.
Messages not matching these rules are checked against the next rule.
Rules 5 and 6
The administrator of example.com has noticed that during peak traffic, a flood of
spam using random user names causes the FortiMail unit to devote a significant
amount of resources to recipient verification. Verification is performed with the aid
of an LDAP server which also expends significant resources servicing these
requests. Example Corporation email addresses start with “user” followed by the
user’s employee number, and end with “@example.com”.
Rule 5 uses only the recipient pattern. The recipient pattern is a regular
expression that will match all email addresses that start with “user”, end with
“@example.com”, and have one or more numbers in between. Email messages
matching this rule are relayed.
Messages not matching this rule are checked against the next rule.
Rule 6, the final rule, works in conjunction with rule 5. Rule 6 rejects all email
messages. But because it is positioned after rule 5 in the list, rule 6 affects only
email messages that do not contain recipient addresses of legitimate email users
according to rule 5. Since the email addresses of the Example Corporation are
formatted the same way, any messages sent to example.com addresses not
formatted in the way configured in rule 5 are not addressed to valid email users.
As with rules 3 and 4, rules 5 and 6 must appear in the order shown. The more
specific rule 5 (relay messages sent to properly formatted example.com email
addresses) is placed first, and the more general rule 6 (reject all messages)
follows.
The way rules 5 and 6 work together to form a simple recipient address format
verification is possible only because all email addresses of the Example
Corporation employees follow the same formatting rules. Even though the
FortiMail unit is configured to verify the recipient addresses, the use of these two
rules at the end of the access control rules list will reduce the amount of traffic
between the FortiMail unit and the LDAP server used for recipient verification.
Only messages with properly formatted recipient email addresses pass scrutiny
by the access control rules. All other messages will be rejected before being
subjected to more resource-intensive scans.
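The top-to-bottom, first-match evaluation described under Receive rules, loaded with the six Example Corporation rules walked through above, as an added Python example that is not part of this guide or of FortiMail’s software. It implements the page’s wildcard syntax (* is one or more characters, ? exactly one), Perl-style regular expressions where a pattern is flagged as one, sender IP/netmask matching, and the rule that a failed reverse DNS query never matches a configured pattern; all session values (addresses, IPs, PTR results) are constructed and no network lookups are made.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not FortiMail's own code: first-match evaluation of Receive
# access control rules as this section describes. All session values are
# constructed; nothing here performs real DNS queries or SMTP sessions.

@dataclass
class Session:
    sender: str                  # envelope MAIL FROM ("" when empty)
    recipient: str               # envelope RCPT TO
    ip: str                      # address of the connecting SMTP client
    reverse_dns: Optional[str]   # PTR result, or None if the lookup failed
    authenticated: bool = False  # whether the client completed SMTP AUTH

@dataclass
class Rule:
    name: str
    action: str                        # BYPASS, RELAY, REJECT or DISCARD
    sender: Optional[str] = None       # None means the attribute matches any value
    sender_regex: bool = False
    recipient: Optional[str] = None
    recipient_regex: bool = False
    sender_net: Optional[str] = None   # IP/netmask, e.g. "172.20.120.0/24"
    reverse_dns: Optional[str] = None
    reverse_dns_regex: bool = False
    auth: str = "any"                  # "any" or "authenticated"

def wildcard_to_regex(pattern: str) -> str:
    """Translate the guide's wildcard syntax into an anchored regular
    expression: '*' is one or more characters, '?' exactly one."""
    parts = []
    for ch in pattern:
        parts.append(".+" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "^" + "".join(parts) + "$"

def pattern_matches(pattern: Optional[str], is_regex: bool, value: Optional[str]) -> bool:
    """An unset pattern matches anything; a missing value (failed reverse
    DNS query) never matches a configured pattern."""
    if pattern is None:
        return True
    if value is None:
        return False
    if is_regex:
        return re.search(pattern, value) is not None
    return re.match(wildcard_to_regex(pattern), value, re.IGNORECASE) is not None

def rule_matches(rule: Rule, s: Session) -> bool:
    """Every configured attribute of the rule must match the session."""
    if not pattern_matches(rule.sender, rule.sender_regex, s.sender):
        return False
    if not pattern_matches(rule.recipient, rule.recipient_regex, s.recipient):
        return False
    if rule.sender_net is not None:
        # strict=False: 10.10.10.10/24 is treated (and shown) as 10.10.10.0/24
        net = ipaddress.ip_network(rule.sender_net, strict=False)
        if ipaddress.ip_address(s.ip) not in net:
            return False
    if not pattern_matches(rule.reverse_dns, rule.reverse_dns_regex, s.reverse_dns):
        return False
    if rule.auth == "authenticated" and not s.authenticated:
        return False
    return True

def evaluate(rules, s: Session):
    """Walk the list top to bottom and return (rule name, action) of the first
    match; later rules are never consulted. (None, None) means no rule matched."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return None, None

# The six rules of the Example Corporation scenario, in list order.
EXAMPLE_RULES = [
    Rule("rule1", "REJECT", recipient="user932@example.com"),
    Rule("rule2", "REJECT", sender=r"^\s*$", sender_regex=True),
    Rule("rule3", "RELAY", recipient="*@example.com",
         sender_net="172.20.120.0/24", reverse_dns="mail.example.org"),
    Rule("rule4", "REJECT", sender="*@example.org"),
    Rule("rule5", "RELAY", recipient=r"^user[0-9]+@example\.com$", recipient_regex=True),
    Rule("rule6", "REJECT"),
]

if __name__ == "__main__":
    # Constructed sessions: a genuine example.org server and a spoofed sender.
    legit = Session("bob@example.org", "user100@example.com", "172.20.120.44", "mail.example.org")
    spoofed = Session("bob@example.org", "user100@example.com", "203.0.113.9", "host.example.net")
    print(evaluate(EXAMPLE_RULES, legit))    # ('rule3', 'RELAY')
    print(evaluate(EXAMPLE_RULES, spoofed))  # ('rule4', 'REJECT')
    # With rules 3 and 4 reversed, legitimate example.org mail is rejected too.
    reversed_34 = EXAMPLE_RULES[:2] + [EXAMPLE_RULES[3], EXAMPLE_RULES[2]] + EXAMPLE_RULES[4:]
    print(evaluate(reversed_34, legit))      # ('rule4', 'REJECT')
```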
Delivery rules
The Delivery tab displays a list of message delivery rules that apply to SMTP
sessions being initiated by the FortiMail unit in order to deliver email.
Message delivery rules enable you to require TLS for the SMTP sessions the
FortiMail unit initiates when sending email to other email servers.
The FortiMail unit compares the domain name portion of the recipient email
address and the IP address of the mail server receiving the email message
against the delivery control rules. The FortiMail unit starts with the first rule and
continues down the list until a match is found. If no match is found, the email
message is delivered. If a match is found, the FortiMail unit compares the TLS
profile settings to the connection attributes and the email message is sent or the
connection is not allowed, depending on the result.
The TLS profile setting allows you to enforce TLS connection settings on sessions
that other servers initiate with the FortiMail unit. If the connection settings do not
match the settings in the TLS profile, the FortiMail unit will not allow the
connection. The TLS profile in the access control list only affects connections to
the FortiMail unit initiated by other servers. To enforce TLS settings when the
FortiMail unit contacts other servers, use email message delivery rules. For
information about TLS profiles, see “TLS” on page 349.
To view the message delivery rule list, go to Mail Settings > Access > Delivery.
4 Select OK.
Mail Queue
The Mail Queue menu enables you to view and manage the FortiMail unit’s email
queues: the deferred queue, the spam queue, and the dead email folder.
FortiMail units queue email messages when the email message is temporarily
undeliverable, and move email messages to the dead mail folder when all retries
have failed. You can configure aspects of queueing behavior such as the interval
at which the FortiMail retries to send the email messages. For more information,
see “Advanced (mail server settings)” on page 169.
The Mail Queue includes the following tabs:
• Deferred Queue
• Spam Queue
• Dead Mail
• Queue Maintenance
Deferred Queue
The Deferred Queue tab displays a list of email messages that are currently in the
deferred queue. Unlike the spam queue, the deferred queue contains only email
messages that are not tagged spam.
FortiMail units move an email message to the deferred queue upon initial failure to
send the email message, which can be caused by various temporary reasons
such as interruptions to network connectivity. When an email message is
deferred, the FortiMail unit periodically retries to send the deferred email
message. Administrators can also manually initiate an attempt to send the email
message. If the email is subsequently sent successfully, the FortiMail unit
removes the email from the queue and does not notify the sender. But if the email
message continues to be deferred, the FortiMail unit eventually sends an initial
delivery status notification (DSN) email message to notify the sender that delivery
has not yet succeeded. Finally, if the FortiMail unit cannot send the email
message by the end of the time limit for delivery retries, the FortiMail unit sends a
final DSN to notify the sender about the delivery failure and deletes the email
message from the deferred queue. If the sender cannot receive this notification,
such as if the sender’s SMTP server is unreachable or if the sender address is
invalid or empty, the FortiMail unit will save a copy of the email in the dead mail
folder. For more information, see “Dead Mail” on page 210.
For information on configuring the delivery retry interval, maximum amount of time
that an email message can spend in a queue, and DSN timing, see “Advanced
(mail server settings)” on page 169.
To view, delete, or attempt to resend an email message in the deferred queue, go
to Management > Mail Queue > Deferred Queue.
Spam Queue
The Spam Queue tab displays a list of email messages that are currently in the spam
queue. Unlike the deferred queue, the spam queue contains only those deferred
email messages that are tagged spam.
Note: For information on tagging spam, see “Actions options” on page 257.
FortiMail units move tagged spam to the spam queue upon initial failure to send
the email message, which can be caused by various temporary reasons such as
interruptions to network connectivity. When an email message is deferred, the
FortiMail unit periodically retries to send the deferred email message.
Administrators can also manually initiate an attempt to send the email message. If
the email is subsequently sent successfully, the FortiMail unit removes the email
from the queue and does not notify the sender. But if the email message
continues to be deferred, the FortiMail unit eventually sends an initial delivery
status notification (DSN) email message to notify the sender that delivery has not
yet succeeded. Finally, if the FortiMail unit cannot send the email message by the
end of the time limit for delivery retries, the FortiMail unit sends a final DSN to
notify the sender about the delivery failure and deletes the email message from
the deferred queue. If the sender cannot receive this notification, such as if the
sender’s SMTP server is unreachable or if the sender address is invalid or empty,
the FortiMail unit will save a copy of the email in the dead mail folder. For more
information, see “Dead Mail” on page 210.
For information on configuring the delivery retry interval, maximum amount of time
that an email message can spend in a queue, and DSN timing, see “Advanced
(mail server settings)” on page 169.
To view or delete email messages in the spam queue, go to Mail Settings > Mail
Queue > Spam Queue.
Check All Select to mark all checkboxes in the Select column for all email
messages in the queue.
Uncheck All Select to unmark all checkboxes in the Select column for all email
messages in the queue.
Delete In the Select column, mark the checkboxes in the rows corresponding to
email messages that you want to delete, then select Delete.
When you delete a deferred email, the FortiMail unit will send an
email message, with the deleted email attached to it, to notify the
sender.
Resend In the Select column, mark the checkboxes in the rows corresponding to
email messages that you want to resend, then select Resend.
Refresh Select to refresh the list of deferred email messages. This can be useful
to determine how many email messages are remaining in the queue
after selecting Resend.
Dead Mail
The Dead Mail tab displays the list of email messages that are in the dead mail
folder.
Unlike the spam and deferred queues, the dead mail folder contains copies of
delivery status notification (DSN) email messages from the FortiMail unit
(“postmaster”) to senders of email that is considered to be more permanently
undeliverable, because all previous retry attempts of the deferred email message
have failed. These email messages from "postmaster" include the original email
message for which the DSN was generated.
If an email message can be neither sent nor returned to the sender, it is usually
because both the recipient and sender addresses are invalid. Such email
messages are often sent by spammers who know the domain name of an SMTP
server but not the names of its email users, and are attempting to send spam by
guessing at valid recipient email addresses.
You can configure the FortiMail unit to automatically delete old email messages in
the dead mail folder. Alternatively, if the FortiMail unit is operating in server mode,
you can create a local email account named “postmaster” to receive these email
messages, or create an alias named “postmaster” to an existing email account,
instead of using the dead mail folder.
To view or delete email messages in the dead mail folder, go to Mail Settings >
Mail Queue > Dead Mail.
Queue Maintenance
The Queue Maintenance tab enables you to back up and restore the mail queues.
This can be useful if you need to change or reformat the mailbox hard disk.
To back up or restore email message queues, go to Mail Settings > Mail
Queue > Queue Maintenance.
Address Book
The Address Book menu enables you to configure the address book for local
email users.
Note: This menu option appears only when the FortiMail unit is operating in server mode.
Address Book
The Address Book tab enables you to create and maintain a global address book.
Individual FortiMail webmail users can import the global address book into their
accounts, allowing them to use that information when composing email
messages. For more information, log in to FortiMail webmail and select Help.
Note: This menu option appears only when the FortiMail unit is operating in server mode.
To configure the address book, go to Mail Settings > Address Book > Address
Book.
Sort First Name Select to rearrange the list of entries, sorting by the first name.
This option appears only if the list of address book entries is
currently sorted by last names.
Name The first and last name for the selected email address, not including
the middle name and/or nickname.
Email The email address for the entry.
Modify Select Delete to remove the entry.
Select Edit to modify the entry.
4 Select Save.
To delete a contact
1 Go to Mail Settings > Address Book > Address Book.
2 Mark the checkboxes of address book entries that you want to delete.
• To delete all address book entries, in the checkbox column heading, select the
checkbox.
• To delete individual address book entries, in the checkbox column, in each row
corresponding to an address book entry that you want to delete, select the
checkbox.
3 Select Delete Checked.
A confirmation message appears.
4 Select Delete.
Proxies
The Proxies menu enables you to configure the transparent proxies of the
FortiMail unit.
Note: This menu option appears only when the FortiMail unit is operating in transparent
mode.
Note: For information on the concept of incoming vs. outgoing at the application layer, see
“Incoming vs. outgoing recipient-based policies” on page 355.
Incoming connections consist of those destined for the SMTP servers that are
protected domains of the FortiMail unit. For example, if the FortiMail unit is
configured to protect the SMTP server whose IP address is 10.1.1.1, the FortiMail
unit treats all SMTP connections destined for 10.1.1.1 as incoming. For
information about configuring protected domains, see “Domains” on page 180.
Outgoing connections consist of those destined for SMTP servers that the
FortiMail unit has not been configured to protect. For example, if the FortiMail unit
is not configured to protect the SMTP server whose IP address is 192.168.1.1, all
SMTP connections destined for 192.168.1.1 will be treated as outgoing,
regardless of their origin.
For example, in the following sample diagram, an email user configures their mail
user agent (MUA) such as Microsoft Outlook to send email using 10.1.1.1, an
SMTP server that has been configured as a protected domain on the FortiMail
unit. Because 10.1.1.1 is the SMTP server for a protected domain, all SMTP
connections from the MUA to 10.1.1.1 will be considered incoming. However,
when 10.1.1.1 relays the email message to SMTP servers that have not been
configured as protected domains on the FortiMail unit, those SMTP connections
are outgoing.
If the email user configures their MUA to send email using the unprotected SMTP
server 192.168.1.1, the MUA never connects to the IP address associated with a
protected domain, and therefore all the SMTP connections from this email user
will be outgoing.
SMTP
The SMTP tab enables you to configure the following SMTP proxy settings
separately for incoming and outgoing SMTP connections.
Note: For definitions of incoming and outgoing connections, see “Incoming vs. outgoing
SMTP connections” on page 214.
When operating in transparent mode, the FortiMail unit can use transparent
proxies to inspect SMTP connections. If enabled for connections on that network
interface, transparent proxies scan and process the connection. If proxying is not
enabled, the FortiMail unit can either block or permit the connection to pass
through unmodified.
Exceptions to SMTP connections that can be proxied include SMTP connections
destined for the FortiMail unit itself. For those local connections, such as email
messages from email users requesting deletion or release of their quarantined
email, you can choose to either allow or block the connection.
Note: The FortiMail transparent SMTP proxy only picks up the SMTP traffic. Whether the
email will be scanned or not depends on the policies you specify. For more information
about policies, see “Policy” on page 355.
To configure the SMTP proxies, go to Mail Settings > Proxies > SMTP.
Use client-specified SMTP server to send email Select to allow the client to pass
email to the SMTP server that they specify, rather than using the FortiMail unit’s
own built-in relay. For more information, see “FortiMail SMTP relay vs.
unprotected SMTP servers” on page 215.
If disabled, the FortiMail unit itself relays email to its
destination.
Disclaimer messages require that this option be enabled.
For more information, see “Disclaimer” on page 172.
For security reasons, this option does not apply if there is
no session profile selected in the applicable IP-based
policy. For more information on configuring IP policies,
see “IP based policies” on page 359.
Port The name of a FortiMail network interface.
Incoming SMTP connections Select how the proxy will handle SMTP connections on
each network interface that are incoming to the IP
addresses of email servers belonging to a protected
domain.
• are passed through: The FortiMail unit permits but
does not proxy SMTP connections destined for the IP
addresses of SMTP servers for protected domains.
Because traffic is not proxied, no policies will be
applied.
• are dropped: The FortiMail unit drops SMTP
connections destined for the IP addresses of SMTP
servers for protected domains.
• are proxied: The FortiMail unit proxies SMTP
connections destined for the IP addresses of SMTP
servers for protected domains. Once proxied,
incoming policies determine any further scanning or
logging actions. For more information, see “Policy” on
page 355.
Outgoing SMTP connections Select how the proxy will handle SMTP connections on
each network interface that are destined for the IP
addresses of email servers that do not belong to a
protected domain.
• are passed through: The FortiMail unit permits but
does not proxy SMTP connections destined for the IP
addresses of SMTP servers that are not associated
with protected domains. Because traffic is not proxied,
no policies will be applied.
• are dropped: The FortiMail unit drops SMTP
connections destined for the IP addresses of SMTP
servers that are not associated with protected
domains.
• are proxied: The FortiMail unit proxies SMTP
connections destined for the IP addresses of SMTP
servers that are not associated with protected
domains. Once proxied, outgoing policies determine
any further scanning or logging actions. For more
information, see “Policy” on page 355.
Local SMTP connections Select how the FortiMail unit will handle SMTP
connections on each network interface that are destined
for the FortiMail unit itself.
• are allowed: SMTP connections will be allowed.
• are not allowed: SMTP connections will be blocked.
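The direction and action decision described in this section, as an added example (Python, not FortiMail code): it models a transparent-mode unit with constructed addresses, port names and settings, and includes a review check for destinations that a port would let through without any policy being applied.

```python
"""Model of the transparent SMTP proxy decision described above.

Added example, not FortiMail code. All addresses, port names and
settings below are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Per-direction settings, named exactly as on the SMTP tab.
CONNECTION_ACTIONS = {
    "are proxied": "proxy",          # incoming/outgoing policies are applied
    "are passed through": "pass",    # permitted but unscanned: no policy applies
    "are dropped": "drop",
}
LOCAL_ACTIONS = {"are allowed": "allow", "are not allowed": "drop"}


@dataclass
class ProxySettings:
    """Settings for one network interface (one row of the SMTP tab)."""
    incoming: str = "are proxied"
    outgoing: str = "are proxied"
    local: str = "are allowed"

    def __post_init__(self):
        for value in (self.incoming, self.outgoing):
            if value not in CONNECTION_ACTIONS:
                raise ValueError(f"unknown SMTP connection setting: {value!r}")
        if self.local not in LOCAL_ACTIONS:
            raise ValueError(f"unknown local connection setting: {self.local!r}")


@dataclass
class FortiMailConfig:
    own_addresses: set = field(default_factory=set)      # the unit's own interface IPs
    protected_servers: set = field(default_factory=set)  # SMTP servers of protected domains
    interfaces: dict = field(default_factory=dict)       # port name -> ProxySettings


def classify(cfg, dst_ip):
    """Return 'local', 'incoming' or 'outgoing' for a connection to dst_ip.

    Direction is decided by the destination only, never by the origin, which
    is why a MUA that relays through an unprotected server is always outgoing.
    """
    dst = ip_address(dst_ip)
    if dst in cfg.own_addresses:
        return "local"
    if dst in cfg.protected_servers:
        return "incoming"
    return "outgoing"


def disposition(cfg, port, dst_ip):
    """Return (direction, action) for a connection arriving on `port`."""
    settings = cfg.interfaces[port]
    direction = classify(cfg, dst_ip)
    if direction == "local":
        return direction, LOCAL_ACTIONS[settings.local]
    chosen = settings.incoming if direction == "incoming" else settings.outgoing
    return direction, CONNECTION_ACTIONS[chosen]


def unscanned_destinations(cfg, port, destinations):
    """Destinations that `port` permits without proxying, i.e. without any
    policy (scanning or logging) being applied. Useful as a configuration
    review check."""
    return sorted(d for d in destinations if disposition(cfg, port, d)[1] == "pass")


def sample_config():
    """Constructed topology: the guide's 10.1.1.1 (protected) and
    192.168.1.1 (unprotected); 10.1.1.254 is assumed to be the unit itself."""
    return FortiMailConfig(
        own_addresses={ip_address("10.1.1.254")},
        protected_servers={ip_address("10.1.1.1")},
        interfaces={
            "port1": ProxySettings(incoming="are proxied", outgoing="are passed through"),
            "port2": ProxySettings(incoming="are passed through", outgoing="are proxied",
                                   local="are not allowed"),
        },
    )
```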
User
The User menu enables you to configure settings related to email users such as
PKI authentication, per-user white lists and email address aliases.
If the FortiMail unit is operating in server mode, the User menu also enables you
to add email user accounts that can access their email hosted on the FortiMail unit
through webmail, POP3 or IMAP.
The User menu includes:
• User
• User Preferences
• User Alias
• Address Map
• PKI User
User
The User menu enables you to view individual email user preferences and, if the
FortiMail unit is operating in server mode, configure email user accounts.
The User menu includes the following tabs:
• User
• User Preferences
User
The User tab enables you to configure email user accounts for the protected
domains that are hosted on the FortiMail unit.
Note: This option appears only if the FortiMail unit is operating in server mode.
Email users can check their email using webmail or through an email client such
as Microsoft Outlook, using POP3 or IMAP. For information on webmail and other
features used directly by email users, see “Instructions for email users” on
page 531.
Some antispam behaviors can be configured specifically for each email user
account. For example, each email user can train their own per-user Bayesian
database and create white lists and black lists specific to their email user account.
For information on configuring per-user white lists and black lists, see “User
Preferences” on page 224. For information on per-user Bayesian databases, see
“User” on page 389.
To view the list of email user accounts, go to User > User > User.
Figure 121: User
Show Users Of Domain Select the protected domain to display its email users, or
to select the protected domain to which you want to add an email user account
before selecting Create New.
Export .CSV Select to download a backup of the email users list in comma-separated
value (CSV) file format. For more information, see “To export the email
user list” on page 221.
Import .CSV In the field to the right side of Import .CSV, enter the location of a CSV-
formatted email user backup file, then select Import .CSV to upload the
file to your FortiMail unit. For more information, see “To import an email
user list” on page 221.
Browse Select to locate an email user list backup file before selecting
Import .CSV.
ALL, 0-9, A ... Z Select a letter or number to display email users whose user names
begin with that character. Alternatively, select ALL to display a list
containing all email users.
View n lines each page Select the number of lines to display per page.
Go to line Enter the index number of the line you want to display, then select Go.
Delete Selected Users To delete all email user accounts, in the checkbox column,
mark the checkbox in the column heading to select all email users, then select
Delete Selected Users.
To delete individual email user accounts, in the checkbox column, mark
checkboxes in the rows of email users that you want to delete, then
select Delete Selected Users.
Reassign a new password to the selected users To change the password of all
email user accounts, in the checkbox column, mark the checkbox in the column
heading to select all email users, then select Reassign a new password to the
selected users.
To change the password of individual email user accounts, in the
checkbox column, mark checkboxes in the rows of email users for which
you want to change the password, then select Reassign a new
password to the selected users.
# The index number of each email user in the list.
Check box Select the checkbox in the column heading to mark the checkboxes of
all email users.
Select the checkboxes in the rows of individual email users to select
only those email users.
User Name The user name of an email user, such as “user1”. This is also the user
name portion of the email user’s primary email address.
To alphabetically sort the list of email users by user name, select the
arrow icon in the column heading for this column.
Display Name The display name of an email user, such as “J Smith”. This name
appears in the “From:” field in the message headers of email messages
sent from this email user.
Disk Usage (M) The disk space used by mailboxes for the email user, in megabytes.
Modify Select Delete to remove the email user account.
Select Edit to modify the email user account.
Select Maintenance to view or delete the list of mailboxes for that email
user. For more information, see “Managing the disk usage of email
users’ mailboxes” on page 223.
Create New Select to create a new email user account. For more information, see
“Creating an email user account” on page 222.
Note: Before importing a user list or adding an email user, you must first configure one or
more protected domains to which the email users will belong. For more information, see
“Domains” on page 180.
Caution: Before beginning this procedure, back up the list of email user accounts. This
procedure permanently deletes one or more email user accounts, which cannot be undone.
For more information on backing up email user account data, see “To export the email user
list” on page 221.
3 To delete all email user accounts for the protected domain, mark the checkbox
located in the checkbox column heading.
To delete individual email user accounts, in the checkbox column, mark the
checkboxes of each email user account that you want to remove.
4 Select Delete Selected Users.
A confirmation dialog appears.
5 Select OK.
Caution: This procedure sets the same password for one or more email user accounts,
which can result in reduced security of the email users’ accounts. To reduce risk, set a
strong password and notify each email user whose password has been reset to configure a
unique, strong password as soon as possible.
Note: You can create LDAP profiles using the advanced mode of the web-based manager.
For more information, see “Creating LDAP profiles” on page 321.
6 Select OK.
Note: Before importing a user list or adding an email user, you must first configure one or
more protected domains to which the email users will belong. For more information, see
“Domains” on page 180.
4 In User Name, enter the user name portion of the email address that will be locally
deliverable on the FortiMail unit.
For example, an email user may have numerous aliases, mail routing, and other
email addresses on other systems in your network, such as
accounting@example.com; this user name, however, reflects the email user’s
account on this FortiMail unit, such as jsmith.
5 Select either:
• Password, then enter the password for this email account, or
• LDAP, then select the name of an LDAP profile in which you have enabled and
configured the User Auth Options query, which enables the FortiMail unit to
query the LDAP server to authenticate the email user.
Note: The LDAP option requires that you first create an LDAP profile in which you have
enabled and configured User Auth Options. For more information, see “Creating LDAP
profiles” on page 321.
6 In Display Name, enter the name of the user as it should appear in the message
envelope.
For example, an email user whose email address is user1@example.com may
prefer that their Display Name be “J Smith”.
7 Select OK.
Folder Name The name of the email user’s mailbox folder, such as Sent.
Disk Usage (Byte) The amount of hard disk space used by the mailbox folder.
Folder Action Select Clear Folder to empty the contents of the email folder.
User Preferences
The User Preference tab enables you to configure preferences for each email
user, such as per-user white lists and preferred webmail language.
To view the webmail user preference list, go to User > User > User Preferences.
Show Users Of Domain Select the protected domain to display its email users, or
to select the protected domain to which you want to add an email user account
before selecting Create New.
ALL, 0-9, A ... Z Select a letter or number to display the list of preferences of email
users whose user names begin with that character. Alternatively,
select ALL to display a list containing all email users.
Search Enter the complete user name, then select Search to display the
preferences entry for that email user.
View n lines each page Select the number of lines to display per page.
Go to line Enter the index number of the line you want to display, then select
Go.
# The index number of each email user preference entry in the list.
Check box Select the checkbox in the column heading to mark the
checkboxes of all email user preference entries.
Select the checkboxes in the rows of individual email user
preference entries to select only those email users.
User Name The user name of an email user, such as “user1”.
To alphabetically sort the list of email user preference entries by
user name, select the arrow icon in the column heading for this
column.
Language The language in which this email user prefers to display their
quarantine and, if the FortiMail unit is operating in server mode,
webmail. By default, this language preference is the same as the
system-wide language preference for web-based manager of the
FortiMail unit. For information on the system-wide language
preference, see “Options” on page 137.
White List Indicates whether or not a personal white list currently exists for
this email user, and enables you to configure, back up, and restore
the personal white list. White lists include sender IP addresses,
domain names, and email addresses that the email user wants to
permit.
• New: A personal white list does not currently exist for this email
user. Select to create a per-user white list.
• Edit: A personal white list currently exists for this email user.
Select to modify the personal white list, or to back up or restore
the email user’s personal white list.
Note that system-level lists take precedence over domain-level
lists while domain-level lists take precedence over personal-level
lists.
For more information on white lists and black lists, see
“Black/White List” on page 399.
Black List Indicates whether or not a personal black list currently exists for
this email user, and enables you to configure, back up, and restore
the personal black list. Black lists include sender IP addresses,
domain names, and email addresses that the email user wants to
block.
• New: A personal black list does not currently exist for this email
user. Select to create a personal black list.
• Edit: A personal black list currently exists for this email user.
Select to modify the personal black list, or to back up or restore
the email user’s personal black list.
Note that system-level lists take precedence over domain-level
lists while domain-level lists take precedence over personal-level
lists.
For more information on white lists and black lists, see
“Black/White List” on page 399.
Secondary Accounts Indicates whether or not this email user will also handle
quarantined email messages for other email addresses.
• New: A list of email addresses whose quarantines will be
managed by this email user does not currently exist. Select to
add this list of email addresses.
• Edit: A list of email addresses whose quarantines will be
managed by this email user already exists. Select to modify
this list of email addresses.
Add Outgoing Email Addresses to WhiteList Indicates whether or not the FortiMail
unit will automatically add recipient addresses in outgoing email sent by this
email user to their per-user white list, if it is allowed in the antispam profile.
For more information, see “Actions options” on page 257.
• Empty check box: Automatic per-user whitelisting is disabled.
• Marked check box: Automatic per-user whitelisting is
enabled.
Email users can change this setting in their webmail preferences.
For more information, log in to the FortiMail webmail, then select
Help.
This setting can be initialized manually or automatically. FortiMail
administrators can manually create and configure this setting
when configuring email user preferences. If the setting has not yet
been created when either:
• an email user logs in to FortiMail webmail
• an email user sends outgoing email through the FortiMail unit
• a FortiMail administrator configures the email user’s personal
black or white list (see “Personal black/white list” on page 404)
then the FortiMail unit will automatically initialize this setting as
disabled.
Modify Select Delete user to remove email user preferences for that email
user.
Select Edit user preference to modify email user preferences for
that email user. For more information, see “Editing email user
preferences” on page 226.
Select Reset user preference to default to reset email preferences
for that email user.
Create New Enter an email user name, then select Create New to create email
preferences for that email user. For more information, see “Editing
email user preferences” on page 226.
Go To clear selected per-user or domain white or black lists, select an
option, then select Go. Options include:
• Clear Whitelist for all selected users
• Clear Blacklist for all selected users
• Clear Whitelist for all domain users
• Clear Blacklist for all domain users
Language Select the email user’s preferred language in which to display the
quarantine and, if the FortiMail unit is operating in server mode,
FortiMail webmail. Languages available by default include:
• English
• Traditional Chinese
• Simplified Chinese
• Korean
• Japanese
• French
• German
• Italian
• Hebrew
• Spanish
• Polish
• Portuguese
• Turkish
Additional languages may be available if you have installed their
language resource files. For more information, see “Appearance”
on page 176.
On Holiday (server mode only) Select whether or not the FortiMail unit
automatically responds to email messages received for this email user, which is
typically used for out-of-office/vacation responses.
• ON: Select to enable automatic response. Also configure Set
auto-reply message.
• OFF: Select to disable automatic response.
Set auto-reply message (server mode only) Select to enter the message body that
the FortiMail unit will use to automatically reply when On Holiday is set to ON.
Auto Forward (server mode only) Select whether or not the FortiMail unit will
automatically forward email messages received for this email user to another
email address.
• ON: Select to automatically forward, then enter the email
address to which email will be forwarded.
• OFF: Select to disable automatic forwarding.
Leave a copy in mailbox (server mode only) Select to retain a copy of email
messages received for this user that have been automatically forwarded.
This option is available only if Auto Forward is ON, after you have
entered the email address to which email will be forwarded.
Add outgoing email addresses to "White" list Select whether or not to
automatically add recipient addresses in outgoing email sent by this email user
to their per-user white list, if it is allowed in the antispam profile. For more
information, see “Actions options” on page 257.
• ON: Automatically whitelist recipient addresses in outgoing
email for this email user.
• OFF: Do not automatically whitelist recipient addresses in
outgoing email for this email user.
Email users can change this setting in their webmail preferences.
For more information, log in to the FortiMail webmail, then select
Help.
This setting can be initialized manually or automatically. FortiMail
administrators can manually create and configure this setting
when configuring email user preferences. If the setting has not yet
been created when either:
• an email user logs in to FortiMail webmail
• an email user sends outgoing email through the FortiMail unit
• a FortiMail administrator configures the email user’s personal
black or white list (see “Personal black/white list” on page 404)
then the FortiMail unit will automatically initialize this setting as
disabled.
Black/White Lists Configure the per-user white and/or black list for this email user.
• Black: Select to view, modify, back up or restore the per-user
black list for this email user.
• White: Select to view, modify, back up or restore the per-user
white list for this email user.
For information on configuring per-user white lists and black lists,
see “User Preferences” on page 224. For information on white lists
and black lists in general, see “Black/White List” on page 399.
Receive Spam Report Select whether or not the FortiMail unit will automatically
periodically generate spam reports for this email user.
• ON: Periodically generate spam reports for this email user.
Depending on your configuration, spam reports may be sent to
an email address other than the email address of this email
user. For example, you could configure the FortiMail unit to
send spam reports to the email address of a person who is
responsible for reviewing spam reports for multiple users.
FortiMail units will generate a spam report for an email user
only if all of the following conditions are true:
• In antispam profiles that have been used to process email
for this email user, you have enabled the options
“Quarantine” and “Send Spam Report”. For more
information, see “Actions options” on page 257.
• The email user’s “Bulk” folder exists.
• The email user has received spam since the previous spam
report was generated. (If no spam has been received, there
is nothing to report.)
• The email user preference “Receive Spam Report” is ON.
• OFF: Do not generate spam reports for this email user.
This option applies only if generation of spam reports has been
enabled for the protected domain. For more information, see
“Creating a protected domain” on page 182.
For more information on spam reports, see “Spam Report” on
page 376.
Primary Accounts Select an email address to view the email user preferences of that
primary account. Email addresses listed in this field are email
users for which this email user is a secondary account.
This option is not available (“None” appears) if this email user has
not been configured as the secondary account of any other email
user. For information on configuring secondary accounts, see
“Secondary Accounts” on page 230.
Secondary Accounts Select “None” or an email address to define other email addresses
whose quarantine will be managed by this email user. Email
addresses listed in this field are email users for which this email
user is a primary account.
4 Select OK.
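The precedence stated in the White List and Black List descriptions above (system-level lists before domain-level lists before personal lists), as an added example in Python that is not FortiMail code. Assumptions beyond the guide: an IP entry may be a single address or a CIDR block, a domain entry matches the sender address's domain exactly, and within one level a black-list match wins over a white-list match.

```python
"""Sender evaluation against system, domain and personal black/white lists,
in the precedence order stated in the guide (system > domain > personal).

Added example, not FortiMail code. Assumed tie-break rules (not in the
guide): IP entries may be CIDR blocks, domain entries match the sender's
domain exactly, and black beats white within the same level.
"""
from ipaddress import ip_address, ip_network

LEVELS = ("system", "domain", "personal")   # evaluation order


def _entry_matches(entry, sender_email, sender_ip):
    """True if one list entry (IP/CIDR, domain name or address) matches the sender."""
    entry = entry.strip().lower()
    if "@" in entry:
        return entry == sender_email.lower()
    try:
        return ip_address(sender_ip) in ip_network(entry, strict=False)
    except ValueError:
        pass  # not an IP or CIDR: treat the entry as a domain name
    return sender_email.lower().rpartition("@")[2] == entry


def classify_sender(sender_email, sender_ip, lists):
    """Return (verdict, level, entry); verdict is 'permit', 'block' or None.

    `lists` maps a level name to {"white": [...], "black": [...]}. The first
    level with a match decides, so a personal white list entry (for example
    one added automatically from outgoing mail) can never override a
    system-level black list entry.
    """
    for level in LEVELS:
        level_lists = lists.get(level, {})
        for kind in ("black", "white"):      # assumed tie-break within a level
            for entry in level_lists.get(kind, []):
                if _entry_matches(entry, sender_email, sender_ip):
                    return ("block" if kind == "black" else "permit", level, entry)
    return (None, None, None)


def sample_lists():
    """Constructed lists for the walk-through (not from any real deployment)."""
    return {
        "system":   {"black": ["203.0.113.0/24"], "white": []},
        "domain":   {"black": [], "white": ["partner.example"]},
        "personal": {"black": ["noisy@partner.example"],
                     # e.g. added automatically when the user mailed this address
                     "white": ["friend@bad.example"]},
    }
```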
User Group
The User Group menu enables you to configure groups of email users.
The User Group menu includes the following tab:
• User Group
User Group
The User Group tab enables you to group related email user accounts.
Email user groups can simplify the creation of policies: when creating policies, you
can select the name of an email user group, rather than entering each email user
name individually.
To view the list of user groups, go to User > User Group > User Group.
Select a domain Select the name of a protected domain to display user groups
that belong to it.
User Group Name The name of the user group.
Members The email users that are members of this user group.
Modify Select Delete to remove an email user group.
Select Edit to modify an email user group. For more information,
see “To add an email user group” on page 230.
Create New Select Create New to add an email user group. For more
information, see “To add an email user group” on page 230.
User Alias
The User Alias menu enables you to configure email address aliases.
The User Alias menu includes the following tabs:
• User Alias
User Alias
The User Alias tab enables you to configure email address aliases for protected
domains.
Aliases are sometimes also called distribution lists, and may translate one email
address to the email addresses of several recipients, also called members, or
may be simply a literal alias — that is, an alternative email address that resolves
to the real email address of a single email user.
For example, groupa@example.com might be an alias that the FortiMail unit will
expand to user1@example.com and user2@example.com, having the effect of
distributing an email message to all email addresses that are members of that
alias, while john.smith@example.com might be an alias that the FortiMail unit
translates to j.smith@example.com. In both cases, the FortiMail unit converts the
alias in the recipient fields of incoming email messages into the member email
addresses of the alias, each of which are the email address of an email user that
is locally deliverable on the SMTP server or FortiMail unit.
Note: Members of an alias can include the email address of the alias itself.
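Alias expansion as described above, including the self-referencing member the note permits, as an added example in Python that is not FortiMail code. It assumes aliases are held as the Alias Name and comma-delimited Members values shown on the User Alias tab, with constructed sample entries.

```python
"""Expansion of email address aliases (distribution lists and literal aliases).

Added example, not FortiMail code. Assumption: the alias table is a list of
(alias address, comma-delimited members) pairs, as displayed on the User
Alias tab; sample entries are constructed.
"""


def parse_alias_table(rows):
    """Build {alias address: [member addresses]} from (Alias Name, Members) rows."""
    table = {}
    for alias, members in rows:
        table[alias.strip().lower()] = [
            m.strip().lower() for m in members.split(",") if m.strip()
        ]
    return table


def expand_recipient(address, aliases, _expanding=frozenset()):
    """Return the set of final delivery addresses for one recipient.

    - An address that is not an alias maps to itself.
    - A distribution-list alias is replaced by its members, recursively.
    - An alias that lists itself as a member (which the guide permits) is
      delivered once to its own mailbox rather than expanded again; the same
      rule stops mutually referencing aliases from looping forever.
    """
    address = address.strip().lower()
    if address not in aliases or address in _expanding:
        return {address}
    expanding = _expanding | {address}
    result = set()
    for member in aliases[address]:
        result |= expand_recipient(member, aliases, expanding)
    return result


def expand_recipients(recipients, aliases):
    """Expand every recipient of a message and de-duplicate the result."""
    final = set()
    for rcpt in recipients:
        final |= expand_recipient(rcpt, aliases)
    return sorted(final)


def sample_aliases():
    """Constructed alias table using the guide's example addresses."""
    return parse_alias_table([
        ("groupa@example.com", "user1@example.com, user2@example.com"),
        ("john.smith@example.com", "j.smith@example.com"),
        # self-referencing alias: all@ is also a real mailbox
        ("all@example.com", "groupa@example.com, all@example.com, john.smith@example.com"),
    ])
```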
To view the user alias list, go to User > User Alias > User Alias.
Select a domain Select the name of a protected domain to view email address aliases for
that protected domain.
Alias Name The email address of the alias, such as groupa@example.com.
Members The email addresses to which the alias will translate, which may be the
email addresses of one or more local or non-local email users. Multiple
email addresses are comma-delimited.
Modify Select Delete to remove the alias.
Select Edit to modify the alias.
Create New Select to add an alias. For more information, see “Creating an email
address alias” on page 232.
4 If the FortiMail unit is operating in server mode, from Show Users of Domain,
select the name of a protected domain to display the email addresses of users
from a specific protected domain, or select “all” to display the email addresses of
all email users in all protected domains.
The email addresses of email users from the selected protected domain (that is,
local users) appear in the Available Local Users area.
5 In Alias Name, enter the user name portion of the email address alias.
For example, for the alias group1@example.com, you would enter group1.
Address Map
The Address Map menu enables you to configure email address mappings.
The Address Map menu includes the following tab:
• Address Map
Address Map
The Address Map tab enables you to configure email address mappings.
Address mappings can be useful when you want to redirect email messages or
hide internal email addresses.
You can alternatively create address mappings by configuring the FortiMail unit to
query an LDAP server that contains address mappings. For more information, see
“LDAP Profile” on page 320.
To view the address map list, go to User > Address Map > Address Map.
Select a domain Select the name of a protected domain to view address map for that
protected domain, or to select the protected domain for which you
want to make an address map before selecting Create New.
Internal Email Address The email address to which the external address will be
converted. This email address will be visible to internal clients, such as email
users on your private network.
External Email Address The email address to which the internal email address
will be converted. This email address will be visible to external clients, such
as SMTP servers on the Internet.
Modify Select Delete to remove an address map.
Select Edit to modify an address map. For more information, see
“Creating an email address mapping” on page 235.
Create New Select the name of a protected domain for which you want to create
an address map from Select a domain, then select Create New to
add an address map. For more information, see “Creating an email
address mapping” on page 235.
4 In Internal Email Address, enter the user name portion (the portion before the “@”
symbol) of the internal email address.
The internal address is an email address that is hosted on the SMTP server for
this protected domain, but that will not be visible to external networks.
5 In External Email Address, enter the user name portion (the portion before the
“@” symbol) of the external email address.
The external email address is the email address that will be visible to external
networks, and correlates to the internal email address.
6 Select the name of a protected domain that will be used as the domain name
portion (the portion after the “@” symbol) of the external email address.
7 Select OK.
PKI User
The PKI User menu enables you to configure public key infrastructure (PKI)
authentication for email users and FortiMail administrators.
The PKI User menu includes the following tab:
• PKI User
PKI User
The PKI User tab displays a list of public key infrastructure (PKI) users.
PKI users can authenticate by presenting a valid client certificate, rather than by
entering a user name and password. A PKI user can be either an email user or a
FortiMail administrator.
When the PKI user connects to the FortiMail unit with his or her web browser, the
web browser presents the PKI user’s certificate to the FortiMail unit. If the
certificate is valid, the FortiMail unit then authenticates the PKI user. To be valid, a
client certificate must:
• Not be expired
• Not be revoked by either certificate revocation list (CRL) or, if enabled, online
certificate status protocol (OCSP)
• Be signed by a certificate authority (CA), whose certificate you have imported
into the FortiMail unit
• Contain a “ca” field whose value matches the CA certificate
• Contain an “issuer” field whose value matches the “subject” field in the CA
certificate
• Contain a “subject” field whose value contains the subject, or is empty
• If LDAP Query is enabled, contain a common name (CN) or Subject Alternative
field whose value matches the email address of a user object retrieved using
the User Query Options of the LDAP profile
If the client certificate is not valid, depending on whether you have configured the
FortiMail unit to require valid certificates, authentication will either fail absolutely,
or fail over to a user name and password mode of authentication.
If the certificate is valid and authentication succeeds, the PKI user’s web browser
is redirected to either the web-based manager (for PKI users that are FortiMail
administrators) or the mailbox folder that contains quarantined spam (for PKI
users that are email users).
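The validity rules and fallback behaviour described above, as an added example in Python (not FortiMail code). It models the client certificate as a plain record instead of parsing X.509, assumes the CA signature check has already been done (signature_ok), and stands in for the CRL, OCSP responder and LDAP user query with simple callables.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ClientCert:
    """Constructed stand-in for the certificate fields the checks refer to."""
    subject: str
    issuer: str
    not_after: datetime
    serial: int
    signature_ok: bool = True                 # signed by the imported CA certificate
    cn_email: Optional[str] = None            # email carried in the CN, if any
    san_emails: List[str] = field(default_factory=list)  # Subject Alternative emails


@dataclass
class PkiUser:
    """The PKI user settings that influence validation (names are assumptions)."""
    ca_subject: str                           # "subject" of the imported CA certificate
    subject: str = ""                         # empty: subject matching is not considered
    ldap_query: bool = False
    ldap_field: str = "Subject Alternative"   # or "CN"
    ocsp_enabled: bool = False
    ocsp_unavailable: str = "revoke"          # "ignore" or "revoke"
    require_valid_cert: bool = True           # False: fall back to user name and password


def validate_client_cert(cert, user, now, crl_serials, ldap_has_user, ocsp_status):
    """Apply the validity rules in order and return (valid, reason).

    ldap_has_user(email) -> bool mirrors the LDAP profile's user query.
    ocsp_status(serial) -> "good", "revoked", or None when the responder is unavailable.
    """
    if cert.not_after <= now:
        return False, "expired"
    if cert.serial in crl_serials:
        return False, "revoked (CRL)"
    if user.ocsp_enabled:
        status = ocsp_status(cert.serial)
        if status == "revoked":
            return False, "revoked (OCSP)"
        if status is None and user.ocsp_unavailable == "revoke":
            return False, "OCSP unavailable, treated as revoked"
    if not cert.signature_ok or cert.issuer != user.ca_subject:
        return False, "not issued by the configured CA"
    if user.subject and user.subject not in cert.subject:
        return False, "subject mismatch"
    if user.ldap_query:
        emails = cert.san_emails if user.ldap_field == "Subject Alternative" else [cert.cn_email]
        if not any(e and ldap_has_user(e) for e in emails):
            return False, "no LDAP user object matches the certificate email"
    return True, "valid"


def authenticate(cert, user, now, crl_serials, ldap_has_user, ocsp_status):
    """"certificate" on success; otherwise "denied", or "password" when fallback is allowed."""
    ok, reason = validate_client_cert(cert, user, now, crl_serials, ldap_has_user, ocsp_status)
    if ok:
        return "certificate", reason
    return ("denied" if user.require_valid_cert else "password"), reason


DEMO_NOW = datetime(2008, 9, 4, tzinfo=timezone.utc)   # constructed reference time


def demo(cert_changes=None, user_changes=None, crl=(), ldap_ok=True, ocsp="good"):
    """Run one constructed scenario; *_changes override fields of the sample cert/user."""
    cert = replace(ClientCert(subject="CN=alice,O=Example", issuer="CN=Example CA",
                              not_after=datetime(2009, 1, 1, tzinfo=timezone.utc),
                              serial=1001, san_emails=["alice@example.com"]),
                   **(cert_changes or {}))
    user = replace(PkiUser(ca_subject="CN=Example CA", subject="O=Example",
                           ldap_query=True, ocsp_enabled=True),
                   **(user_changes or {}))
    return authenticate(cert, user, DEMO_NOW, set(crl), lambda e: ldap_ok, lambda s: ocsp)


if __name__ == "__main__":
    print(demo())
    print(demo(ocsp=None))
    print(demo(ocsp=None, user_changes={"ocsp_unavailable": "ignore"}))
```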
To view the list of PKI users, go to User > PKI User.
Domain: The protected domain to which the PKI user is assigned. If Domain is System, the PKI user belongs to all domains configured on the FortiMail unit. For PKI users who are FortiMail administrators, Domain is System. For more information, see “Domains” on page 180.
CA: The name of the CA certificate used when validating the CA’s signature of the client certificate. For more information, see “CA Certificate” on page 161.
Subject: The value which must match the “subject” field of the client certificate. If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser.
LDAP: If LDAP Query is enabled, the LDAP configuration of this PKI user is shown in three parts:
• Whether the LDAP query setting is enabled (indicated by “E”) or disabled (indicated by “-”).
• The name of the LDAP profile used for the query. For more information, see “LDAP Profile” on page 320.
• The name of the field in the client certificate (either Subject Alternative or CN) whose value must match the email address of a user object in the LDAP directory.
For example, E/tldap/Subject Alternative indicates that LDAP query is enabled, and will use the LDAP profile called tldap to validate the Subject Alternative field of the client certificate.
OCSP: If Online Certificate Status Protocol (OCSP) is enabled, the OCSP configuration of this PKI user is shown in three parts:
• Whether OCSP is enabled (indicated by “E”) or disabled (indicated by “-”).
• The URL of the OCSP server.
• The action to take if the OCSP server is unavailable. If set to ignore, the FortiMail unit allows the user to authenticate. If set to revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails.
For example, E/https://www.example.com/Revoke indicates that OCSP is enabled, using the OCSP server at https://www.example.com, and that if the OCSP server is unavailable, the FortiMail unit prevents the user from authenticating.
Modify: Delete or edit the PKI user.
Create New: Select Create New to create a new PKI user. For more information, see “Creating a PKI user” on page 237.
Note: PKI users that are email users can only be configured if the FortiMail unit is operating
in transparent mode or gateway mode.
4 Select OK.
5 Configure the following aspects of the FortiMail unit and the PKI user’s computer:
• Import each PKI user’s client certificate into the web browser of each computer
from which the PKI user will access the FortiMail unit. For details on installing
certificates, see the documentation for your web browser. Client certificates
must be valid. For information on how FortiMail units validate the client
certificates of PKI users, see “PKI User” on page 236.
• Import the CA certificate into the FortiMail unit. For more information, see “CA
Certificate” on page 161.
• For PKI users that are FortiMail administrators, select the PKI authentication
type and select a PKI user to which the administrator account corresponds.
For more information, see “Admin” on page 138.
• For PKI users that are email users, enable PKI user authentication in the
recipient-based policies which match those email users. For more information,
see “Incoming policies” on page 357.
Caution: Control access to each PKI user’s computer. Certificate-based PKI authentication
controls access to the FortiMail unit based upon PKI certificates, which are installed on
each email user’s or administrator’s computer. If anyone can access the computers where
those PKI certificates are installed, they can gain access to the FortiMail unit, which can
compromise the security of your FortiMail unit.
Profile
The Profile menu enables you to configure profiles, which are a collection of
settings for antispam, antivirus, authentication, or other features.
After creating and configuring a profile, you can apply it either directly in a policy,
or indirectly, by inclusion in another profile that is selected in a policy. Policies
apply each selected profile to all email messages and SMTP connections that the
policy governs. For information about policies, see “Policy” on page 355.
Creating multiple profiles for each type of profile enables you to customize your
email service by applying different profiles to policies that govern different SMTP
connections or email users. For instance, if you are an Internet Service Provider
(ISP), you might want to create and apply antivirus profiles only to policies
governing email users who pay you to provide antivirus protection.
Using the Profile menu, you can configure the following profiles:
• AntiSpam
• AntiVirus
• Authentication
• Misc (server mode)
• Content
• Session
• Dictionary
• LDAP
• IP Pool
• TLS
AntiSpam
The AntiSpam menu enables you to configure antispam profiles.
FortiMail units can use various methods to detect spam, such as the
FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic
scanning. Antispam profiles contain settings for these features that you may want
to vary by policy. Depending on the feature, before you configure antispam
policies, you may need to enable the feature or configure its system-wide settings.
For more information, see “AntiSpam” on page 365.
Antispam profiles are created and applied separately based upon the incoming or
outgoing directionality of the SMTP connection or email message. For more
information, see “Incoming vs. outgoing recipient-based policies” on page 355
and “Incoming vs. outgoing SMTP connections” on page 214.
For information on the order in which FortiMail units perform each type of
antispam scan, see “Order of execution” on page 25.
The AntiSpam menu contains the following tabs:
• Incoming
• Outgoing
Incoming
The Incoming tab enables you to configure antispam profiles for incoming email
messages and SMTP connections.
Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.
To view the list of incoming antispam profiles, go to Profile > AntiSpam >
Incoming.
Image spam scan: See “Image spam scan options” on page 255.
Treat messages with viruses as spam: Enable to have the FortiMail unit classify email messages with viruses as spam and treat them accordingly.
Scan Conditions: See “Scan Conditions options” on page 256.
Actions: See “Actions options” on page 257.
4 Select OK.
4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.
5 If you want to undo some of the changes or make additional changes, select
Change Profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.
7 Select OK.
A success message appears. To display the list of profiles, select Return.
4 From Actions, select the action that you want the FortiMail unit to perform if the
FortiGuard Antispam scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 If you want the FortiMail unit to query the FortiGuard Antispam service to
determine if the IP address of the SMTP server is blacklisted, enable Black IP
scan.
Whether the FortiMail unit queries for the blacklist status of the IP address of only
the most recent SMTP server or of all SMTP servers in the Received: lines of
the message header varies by the configuration of Deep header scan. For more
information, see “Deep header scan options” on page 247.
If this option is disabled, the FortiMail unit will query FortiGuard Antispam for URIs
associated with spam, but will not query for IP addresses.
6 Select OK.
4 From Actions, select the action that you want the FortiMail unit to perform if the
DNSBL scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 Next to DNSBL scan, select Config.
A pop-up window appears, enabling you to enter the domain names of DNSBL
servers that will be used with this profile.
6 Configure the following:
7 Select Close.
The pop-up window closes.
8 In the profile, select OK.
The FortiMail unit saves the profile and its associated DNSBL server list.
4 From Actions, select the action that you want the FortiMail unit to perform if the
deep header scan determines that the email is spam.
For more information, see “Actions options” on page 257.
Black IP scan: Select to query for the blacklist status of the IP addresses of all SMTP servers appearing in the Received: lines of the message header. If this option is disabled, the FortiMail unit checks only the IP address of the current SMTP client.
This option applies only if you have also configured either or both FortiGuard-Antispam scan and DNSBL scan. For more information, see “FortiGuard-Antispam scan options” on page 245 and “DNSBL scan options” on page 246.
Headers analysis: Select to inspect all message headers for known spam characteristics. If FortiGuard-Antispam scan is enabled, this option uses results from that scan, providing up-to-date header analysis. For more information, see “FortiGuard-Antispam scan options” on page 245.
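What the deep header scan's Black IP scan option changes, shown as an added Python example that is not FortiMail code: with the option off only the connecting SMTP client is looked up, with it on every public address in the Received: chain is looked up too. The sample message, the DNSBL zone name and the is_listed callable (standing in for the DNS query) are all constructed.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message: newest Received: line on top, so 192.0.2.10 is the relay
# that connected to the gateway and 198.51.100.77 is an earlier hop.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
  by mail.example.com with ESMTP; Thu, 4 Sep 2008 10:00:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
  by relay.example.net with SMTP; Thu, 4 Sep 2008 09:59:00 +0000
From: sender@example.org
To: user@example.com
Subject: As seen on national TV!

Hello.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Internal hops that are never worth a DNSBL query.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_ips(raw_message):
    """Public IPv4 addresses found in every Received: line, newest hop first, no duplicates."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for value in msg.get_all("Received", []):
        for text in IP_IN_BRACKETS.findall(str(value)):
            try:
                ip = ipaddress.IPv4Address(text)
            except ipaddress.AddressValueError:
                continue                       # malformed literal, ignore it
            if any(ip in net for net in SKIP_NETS) or str(ip) in found:
                continue
            found.append(str(ip))
    return found


def dnsbl_query_name(ip, zone):
    """DNSBL convention: octets reversed, then the list's zone, e.g. 10.2.0.192.bl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def black_ip_scan(raw_message, client_ip, zones, deep_header_scan, is_listed):
    """Return [(ip, zone)] hits; is_listed(query_name) -> bool stands in for the DNS lookup."""
    candidates = [client_ip]
    if deep_header_scan:
        candidates += [ip for ip in received_ips(raw_message) if ip != client_ip]
    return [(ip, zone) for ip in candidates for zone in zones
            if is_listed(dnsbl_query_name(ip, zone))]


if __name__ == "__main__":
    listed = {"77.100.51.198.bl.example"}      # constructed: only the earlier hop is listed
    for deep in (False, True):
        print("deep header scan", deep,
              black_ip_scan(SAMPLE_MESSAGE, "192.0.2.10", ["bl.example"], deep, listed.__contains__))
```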
4 From Actions, select the action that you want the FortiMail unit to perform if the
SURBL scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 Next to SURBL scan, select Config.
A pop-up window appears, enabling you to enter the domain names of SURBL
servers that will be used with this profile.
6 Configure the following:
7 Select Close.
The pop-up window closes.
8 In the profile, select OK.
The FortiMail unit saves the profile and its associated SURBL server list.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Bayesian scan.
4 Enable Bayesian scan.
5 From Actions, select the action that you want the FortiMail unit to perform if the
Bayesian scan determines that the email is spam.
For more information, see “Actions options” on page 257.
6 Configure the following:
Use personal database: Enable to use the per-user Bayesian databases instead of the global or per-domain Bayesian database, if the personal Bayesian database is mature. If the email user’s personal Bayesian database is not yet mature, the FortiMail unit will instead continue to use the global or per-domain Bayesian database. For more information on determining the maturity of personal Bayesian databases, see “User” on page 389.
Personal databases can provide better individual results because they are trained by the email user and therefore contain statistics derived exclusively from that email user’s messages.
Disable to use either the global or per-domain Bayesian database. Whether the FortiMail unit will use the global or per-domain Bayesian database varies by your selection in the protected domain. For more information, see “Domains” on page 180.
Note: Bayesian scan results may be unreliable if the Bayesian database being used has not been sufficiently trained. For more information, see “Initial training of the Bayesian databases” on page 388.
Accept training messages from users: Enable to accept training messages from email users. Training messages are email messages that email users forward to the email addresses of control accounts, such as “is-spam@example.com”, in order to train or correct Bayesian databases. For information on Bayesian control account email addresses, see “Control Account” on page 375. For information on how email users can train Bayesian databases, see “Training Bayesian databases” on page 531.
FortiMail units apply training messages to either the global or per-domain Bayesian database depending on your configuration of the protected domain to which the email user belongs. For more information, see “Domains” on page 180. If “Use personal database” is enabled, the FortiMail unit will also apply training messages to the email user’s personal Bayesian database.
Disable to discard training messages.
Use other techniques for auto training: Enable to use scan results from FortiGuard-Antispam scan, SURBL scan, and per-user and system-wide white lists to train per-user Bayesian databases until those databases are considered to be mature. For information on database maturity, see “User” on page 389.
7 Select OK.
Each heuristic rule has an associated number of points. For example, if the
subject line of an email contains “As seen on national TV!”, it might match a
heuristic rule that increases the heuristic scan score towards the threshold. For
more information on how scores are used in heuristics, see “Heuristic scanning”
on page 24.
A default heuristic rule set is included, and is updated through the FortiGuard
service. New rules are added and rule scores are adjusted for maximum
advantage.
Default threshold values are recommended as only a starting point. You can fine-
tune the threshold values to cause higher or lower scores to be considered spam.
If the false positive ratio is too high, increase the upper level threshold value until
you achieve a satisfactory ratio. If your spam catch rate is too low, reduce the
lower level threshold value until you achieve a satisfactory rate.
Note: Heuristic scanning is resource intensive. If spam detection rates are acceptable
without heuristic scanning, consider disabling it or limiting its application to policies for
problematic hosts.
Note: You can also apply this scan to PDF attachments. For more information, see “Scan
Conditions options” on page 256.
Lower level threshold: Enter the score equal to or below which the FortiMail unit considers an email to not be spam.
Upper level threshold: Enter the score equal to or above which the FortiMail unit considers an email to be spam.
The percentage of rules used: Enter the percentage of the total number of heuristic rules that will be used to calculate the heuristic score for an email message. The FortiMail unit compares this total score to the upper and lower level thresholds to determine if an email is:
• spam
• not spam
• indeterminable (score is between the upper and lower level thresholds)
7 Select OK.
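The scoring and threshold logic described above, as an added Python example (not FortiMail's scanner and not the FortiGuard rule set): a constructed rule list with points, the percentage-of-rules limit, and the inclusive lower/upper threshold comparison that yields spam, not spam or indeterminable. Which rules FortiMail drops when the percentage is below 100 is not documented, so the example assumes list order is priority order.

```python
import math
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class HeuristicRule:
    name: str
    points: float
    matches: Callable[[str, str], bool]   # (subject, body) -> bool


# Constructed rule set: each rule adds its points to the score when it matches.
HEURISTIC_RULES: List[HeuristicRule] = [
    HeuristicRule("subject_seen_on_tv", 3.0,
                  lambda s, b: "as seen on national tv" in s.lower()),
    HeuristicRule("subject_exclamation", 1.0, lambda s, b: s.rstrip().endswith("!")),
    HeuristicRule("body_free", 2.0, lambda s, b: re.search(r"\bfree\b", b, re.I) is not None),
    HeuristicRule("body_click", 1.5, lambda s, b: re.search(r"\bclick\b", b, re.I) is not None),
    HeuristicRule("body_url", 1.0, lambda s, b: "http://" in b.lower()),
]


def rules_to_apply(rules, percentage_of_rules_used):
    """Keep the first N rules, N = ceil(percentage * total); list order is the assumed priority."""
    if not 0 < percentage_of_rules_used <= 100:
        raise ValueError("percentage must be in (0, 100]")
    n = math.ceil(len(rules) * percentage_of_rules_used / 100)
    return rules[:n]


def heuristic_score(subject, body, rules, percentage_of_rules_used=100):
    """Sum of the points of every applied rule that matches the message."""
    return sum(r.points for r in rules_to_apply(rules, percentage_of_rules_used)
               if r.matches(subject, body))


def classify(score, lower_threshold, upper_threshold):
    """spam / not spam / indeterminable, using the inclusive comparisons the page states."""
    if lower_threshold >= upper_threshold:
        raise ValueError("lower threshold must be below the upper threshold")
    if score >= upper_threshold:
        return "spam"
    if score <= lower_threshold:
        return "not spam"
    return "indeterminable"


def heuristic_verdict(subject, body, lower=3.0, upper=7.0, percentage=100, rules=HEURISTIC_RULES):
    """Score a message and classify it; the default thresholds are constructed values."""
    score = heuristic_score(subject, body, rules, percentage)
    return score, classify(score, lower, upper)


if __name__ == "__main__":
    print(heuristic_verdict("As seen on national TV!", "A FREE offer, click now"))
    print(heuristic_verdict("Meeting notes", "See attached"))
    # Raising the upper threshold is the page's remedy for too many false positives.
    print(heuristic_verdict("As seen on national TV!", "A FREE offer, click now", upper=8.0))
```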
5 From Actions, select the action that you want the FortiMail unit to perform if the
heuristic scan determines that the email is spam.
For more information, see “Actions options” on page 257.
6 From Select dictionary profile, select the name of a dictionary profile to use with
the scan.
For information on creating dictionary profiles, see “How to create dictionary
profiles” on page 298.
7 Select OK.
Note: A banned word entry does not support regular expressions or non-ASCII character
encoding. If you want to use these features, you must use the dictionary scan. For more
information, see “Dictionary scan options” on page 252.
Note: You can also apply this scan to PDF attachments. For more information, see “Scan
Conditions options” on page 256.
4 From Actions, select the action that you want the FortiMail unit to perform if the
banned word scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 Next to Banned word scan, select Config.
A pop-up window appears, enabling you to enter the words or phrases that will be
prohibited with this profile.
6 Configure the following:
Subject: Indicates whether or not the subject line will be inspected for the banned word.
• Empty check box: The subject line will not be inspected.
• Check mark: The subject line will be inspected.
Body: Indicates whether or not the message body will be inspected for the banned word.
• Empty check box: The message body will not be inspected.
• Check mark: The message body will be inspected.
Modify: Select the Delete icon to remove a banned word. Select the Edit icon to modify a banned word. Select the Move icon to change the order of a banned word in the list.
New: Select to add a new banned word. Wildcards are not supported.
Save: Select to close the pop-up window, save the antispam profile, and return to the profile list.
Close: Select to close the banned word pop-up window.
Caution: Closing the pop-up window does not save the antispam profile and its associated banned word list. To save changes to the banned word list, first select Save before navigating away to another part of the web-based manager.
7 Select Save.
6 Select Save.
4 From Actions, select the action that you want the FortiMail unit to perform if the
banned word scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 Configure the following:
6 Select OK.
Max message size to perform antispam scan: Enter the maximum size of email messages, in bytes, that the FortiMail unit will scan for spam. Messages larger than the maximum message size will not be scanned for spam.
Resource requirements for scanning messages increase with the size of the email message. If the spam you receive tends not to be smaller than a certain size, consider limiting antispam scanning to messages under this size to improve performance.
Enter “0” to disable the size limit, causing all messages to be scanned, regardless of size.
Bypass scan on SMTP authentication: Enable to bypass spam scanning for SMTP connections that have been authenticated. If you can trust that authenticating SMTP clients will not relay spam, consider disabling this option to improve performance.
PDF: Enable to use the heuristic, banned word, and image spam scans to inspect the first page of PDF attachments. This option applies only if you have enabled and configured heuristic, banned word, and/or image spam scans. For information on configuring those scans, see “Heuristic scan options” on page 250, “Banned word scan options” on page 253, and “Image spam scan options” on page 255.
For more information, see “Configuring PDF scanning” on page 425.
5 Select OK.
Actions options
The Actions section of antispam profiles enables you to configure one or more
actions that the FortiMail unit can perform on spam detected by this profile.
To configure Actions
1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Actions, then also select the blue arrows to
expand Quarantine and Rewrite recipient address.
4 Configure the following:
Figure 156: Actions
Tag Email in subject line: Enable and enter the text that will appear in the subject line of the email, such as “[SPAM]”, in the With field. The FortiMail unit will add this text to the subject line of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.
Tag Email with Header: Enable and enter the message header line in the With field. The FortiMail unit will add this text to the message header of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.
Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:
X-Custom-Header: Detected as spam by profile 22.
If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.
Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822.
Reject: Enable to reject spam and send reject responses to the sender.
Discard: Enable to discard spam without sending reject responses to the sender.
Quarantine: Enable to redirect spam to the per-recipient quarantine. For more information, see “Recipients” on page 366.
• Delete Messages: Enter the number of days you want to keep the quarantined email. Enter a small enough value that will prevent the size of the quarantine from exceeding the available disk space. If you enter 0 to prevent automatic deletion of quarantined files, you must periodically manually remove old files.
• Send Spam Report: Select to send a spam report. For more information, see “Spam Report” on page 376.
• Email Release: Select to enable email users to remotely release email from the quarantine by sending email to quarantine control account email addresses. For more information, see “Control Account” on page 375.
• Web Release: Select to enable email users to remotely release email from the quarantine by selecting the Release link in a spam report. For more information, see “Understanding the HTML formatted spam report” on page 380.
• Add the sender of a released message to personal white list: Select to, when an email user releases an email from the quarantine, automatically add the sender email address of the quarantined email to the email user’s personal white list.
Allow users to automatically update personal White list from sent emails: Enable to allow the FortiMail unit to add the recipient email addresses from an email user’s outgoing email to their personal white list, if the option is also enabled in the email user’s preferences. Email users’ preferences can be configured from both the Preferences tab of FortiMail webmail and from the web-based manager. For more information, see “User Preferences” on page 224.
Rewrite recipient email address: Enable to change the recipient address of any email message detected as spam. Configure rewrites separately for the local part (the portion of the email address before the “@”) and the domain part (the portion of the email address after the “@”). For each part, select either:
• None: No change.
• Prefix: Prepend the part with text that you have entered in the With field.
• Suffix: Append the part with the text you have entered in the With field.
• Replace: Substitute the part with the text you have entered in the With field.
5 Select OK.
Outgoing
The Outgoing tab enables you to configure antispam profiles for outgoing email
messages and SMTP connections.
Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.
To view the list of outgoing antispam profiles, go to Profile > AntiSpam >
Outgoing.
4 Select OK.
4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.
5 If you want to undo some of the changes or make additional changes, select
Change Profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.
7 Select OK.
A success message appears. To display the list of profiles, select Return.
4 From Actions, select the action that you want the FortiMail unit to perform if the
Bayesian scan determines that the email is spam.
For more information, see “Actions options” on page 263.
5 Select OK.
Actions options
The Actions section of antispam profiles enables you to configure one or more
actions that the FortiMail unit can perform on spam detected by this profile.
To configure Actions
1 Go to Profile > AntiSpam > Outgoing.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Actions, then also select the blue arrow to expand
Rewrite recipient address.
4 Configure the following:
Figure 163: Actions
Tag Email in subject line: Enable and enter the text that will appear in the subject line of the email, such as “[SPAM]”. The FortiMail unit will add this text to the subject line of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.
Tag Email with Header: Enable and enter the message header line. The FortiMail unit will add this text to the message header of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.
Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:
X-Custom-Header: Detected as spam by profile 22.
If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.
Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822.
Reject: Enable to reject spam and send reject responses to the sender.
Discard: Enable to discard spam without sending reject responses to the sender.
Quarantine for review: Enable to redirect spam to the system quarantine. For more information, see “System quarantine” on page 371.
Rewrite recipient email address: Enable to change the recipient address of any email message detected as spam. Configure rewrites separately for the local part (the portion of the email address before the “@”) and the domain part (the portion of the email address after the “@”). For each part, select either:
• None: No change.
• Prefix: Prepend the part with text that you have entered in the With field.
• Suffix: Append the part with the text you have entered in the With field.
• Replace: Substitute the part with the text you have entered in the With field.
5 Select OK.
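The Actions options shared by the Incoming and Outgoing antispam profiles (tag subject, tag header with the colon and no-spaces-in-key rules, reject/discard, rewrite recipient by local and domain part), as one added Python example that is not FortiMail code. The action dictionary keys, the sample message and the disposition names are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample of a message that an earlier scan has already classified as spam.
SAMPLE_SPAM = """\
From: sender@example.org
To: alice@example.com
Subject: As seen on national TV!

Buy now.
"""


def normalize_header_line(text):
    """Split the configured header line into (key, value): a line without a colon gets one
    appended so the whole text becomes the key, and a key containing whitespace is refused
    because RFC 2822 forbids it."""
    if ":" not in text:
        text += ":"
    key, _, value = text.partition(":")
    key = key.strip()
    if not key or re.search(r"\s", key):
        raise ValueError("header key must be non-empty and contain no spaces: %r" % key)
    return key, value.strip()


def rewrite_part(part, mode, with_text):
    """None / Prefix / Suffix / Replace, exactly as the profile offers them."""
    if mode == "None":
        return part
    if mode == "Prefix":
        return with_text + part
    if mode == "Suffix":
        return part + with_text
    if mode == "Replace":
        return with_text
    raise ValueError("unknown rewrite mode %r" % mode)


def rewrite_address(address, local_mode="None", local_with="",
                    domain_mode="None", domain_with=""):
    """Rewrite the local part and the domain part independently."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        raise ValueError("address has no @: %r" % address)
    return rewrite_part(local, local_mode, local_with) + "@" + \
        rewrite_part(domain, domain_mode, domain_with)


def apply_spam_actions(raw_message, actions):
    """Return (disposition, message). Reject and Discard end processing without a message;
    otherwise the tagging and rewrite actions are applied and the message is quarantined
    or delivered."""
    if actions.get("reject"):
        return "reject", None
    if actions.get("discard"):
        return "discard", None
    msg = email.message_from_string(raw_message, policy=policy.default)
    tag = actions.get("tag_subject")
    if tag:
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = "%s %s" % (tag, subject)
    header_line = actions.get("tag_header")
    if header_line:
        key, value = normalize_header_line(header_line)
        msg[key] = value
    rewrite = actions.get("rewrite_recipient")
    if rewrite:
        new_to = rewrite_address(str(msg["To"]), **rewrite)
        del msg["To"]
        msg["To"] = new_to
    return ("quarantine" if actions.get("quarantine") else "deliver"), msg


if __name__ == "__main__":
    disposition, tagged = apply_spam_actions(SAMPLE_SPAM, {
        "tag_subject": "[SPAM]",
        "tag_header": "X-Custom-Header: Detected as spam by profile 22.",
        "rewrite_recipient": {"local_mode": "Prefix", "local_with": "spam-"},
    })
    print(disposition)
    print(tagged.as_string())
```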
AntiVirus
The AntiVirus menu enables you to create antivirus profiles and to view the list of
viruses.
The AntiVirus menu includes the following tabs:
• AntiVirus
• Virus List
AntiVirus
The AntiVirus tab enables you to create antivirus profiles that you can select in a
policy in order to scan email for viruses.
You can view a list of the virus signatures currently being used by antivirus profiles
to detect viruses. For more information, see “Virus List” on page 267.
If the FortiMail unit detects a virus, it replaces the infected file with a replacement
message that notifies the email user the infected file has been removed. You can
customize replacement messages. For more information, see “Custom
Messages” on page 173.
To view the list of antivirus profiles, go to Profile > AntiVirus > AntiVirus.
4 Select OK.
4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.
5 If you want to undo some of the changes or make additional changes, select
Change Profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.
7 Select OK.
A success message appears. To display the list of profiles, select Return.
Virus List
The Virus List tab displays a list of signatures for files that the FortiMail unit treats
as a virus for the purpose of antivirus processing configured in an antivirus profile.
FortiMail units can update their virus signatures online using the Fortinet
Distribution Network (FDN). For more information, see “Update” on page 122.
To view the list of virus files, go to Profile > AntiVirus > Virus List.
(Drop-down menu without name): Select a number or letter to display a list of viruses beginning with that character.
Virus number: The number of viruses in the list that begin with the currently selected letter or number.
Authentication
The Authentication menu enables you to configure authentication profiles.
FortiMail units support the following authentication methods:
• SMTP
• IMAP
• POP3
• RADIUS
• LDAP
Note: When the FortiMail unit is operating in server mode, only RADIUS authentication is
available.
Note: LDAP profiles can configure many features other than authentication, and are not
located in the Authentication menu. For information on LDAP profiles, see “LDAP Profile”
on page 320.
FortiMail units can use authentication profiles when authenticating email users
with FortiMail webmail and POP3, and when authenticating with another SMTP
server to deliver email. Depending on the mode in which your FortiMail unit is
operating, you may be able to apply authentication profiles through incoming
recipient-based policies, IP-based policies, and email user accounts. For more
information, see “Incoming policies” on page 357, “IP based policies” on
page 359, and “User” on page 219.
The Authentication menu includes the following tabs:
• SMTP
• IMAP
• POP3
• Radius
SMTP
The SMTP tab enables you to configure the FortiMail unit to support SMTP server
authentication by creating SMTP server authentication profiles.
Note: This tab does not appear if the FortiMail unit is operating in server mode.
To view the list of SMTP authentication profiles, go to Profile > Authentication >
SMTP.
Create New: Select to add a profile. For more information, see “To create an SMTP authentication profile” on page 269.
IMAP
The IMAP tab enables you to configure the FortiMail unit to support IMAP server
authentication by creating IMAP server authentication profiles.
Note: This tab does not appear if the FortiMail unit is operating in server mode.
To view the list of IMAP authentication profiles, go to Profile > Authentication >
IMAP.
8 If you want to use secure authentication, so that email users’ passwords are not
sent to the server in clear text, and the server supports it, enable Secure
Authentication.
9 If you want to use transport layer security (TLS) to authenticate and encrypt
communications between the FortiMail unit and this server, and the server
supports it, enable TLS.
10 Select OK.
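The following Python script is an added example and is not part of this guide or of FortiMail. It shows what steps 8 and 9 protect: the capability check that decides whether a server can be used with Secure Authentication and TLS, and the challenge-response exchange itself, assuming the mechanism behind “Secure Authentication” is CRAM-MD5 (RFC 2195), which the guide does not name. The secrets table, capability lists and challenge text are constructed for the example.

```python
import hashlib
import hmac
import secrets


def choose_auth(capabilities, require_tls=True):
    """Decide what an authentication profile should negotiate from the
    capability tokens a server advertises (IMAP CAPABILITY, POP3 CAPA or
    SMTP EHLO reply; constructed in the test). Returns (transport,
    mechanism), or None if the only option would send the password in
    clear text over an unprotected connection."""
    caps = {c.upper() for c in capabilities}
    tls = "STARTTLS" in caps
    if require_tls and not tls:
        return None
    if "AUTH=CRAM-MD5" in caps:          # challenge-response: password never on the wire
        return ("STARTTLS" if tls else "plaintext", "CRAM-MD5")
    if tls:                              # password on the wire, but inside TLS
        return ("STARTTLS", "PLAIN")
    return None


def make_challenge(hostname="mail.example.com"):
    """Server side: a fresh, unpredictable challenge per session, so a
    captured response cannot be replayed later. (Sent base64-encoded on
    the wire; the encoding is left out here.)"""
    return f"<{secrets.token_hex(8)}.{hostname}>".encode()


def cram_md5_response(challenge, username, password):
    """Client side (RFC 2195): HMAC-MD5 keyed with the password, computed
    over the challenge, sent as 'username hexdigest'. Only the digest
    travels, which is what 'secure authentication' buys over LOGIN/PLAIN."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(challenge, response, lookup_password):
    """Server side: recompute the digest from the stored secret and compare
    in constant time. Returns the username on success, None otherwise."""
    user, sep, digest = response.partition(" ")
    if not sep:
        return None
    password = lookup_password(user)      # CRAM-MD5 needs the server to hold the secret
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def authenticate_once(username, password, lookup_password):
    """One complete exchange; returns the accepted username or None."""
    challenge = make_challenge()
    response = cram_md5_response(challenge, username, password)
    return cram_md5_verify(challenge, response, lookup_password)
```

Even with a challenge-response mechanism, enable TLS as well (step 9): CRAM-MD5 hides the password but not the mailbox content, and it requires the server to store the password in a recoverable form.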
POP3
The POP3 tab enables you to configure the FortiMail unit to support POP3 server
authentication by creating POP3 server authentication profiles.
Note: This tab does not appear if the FortiMail unit is operating in server mode.
To view the list of POP3 authentication profiles, go to Profile > Authentication >
POP3.
Radius
The Radius tab enables you to configure the FortiMail unit to support RADIUS
server authentication by creating RADIUS server authentication profiles.
To view the list of RADIUS authentication profiles, go to Profile >
Authentication > Radius.
Misc
The Misc tab enables you to create “misc” profiles, which configure miscellaneous
aspects of local email user accounts when the FortiMail unit is operating in server
mode, such as disk space quota.
For more information on settings that can be applied to email user accounts, see
“User” on page 219 and “User Preferences” on page 224.
To view the list of “misc” profiles, go to Profile > Misc > Misc.
5 If you want to undo some of the changes or make additional changes, select
Change profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.
7 Select OK.
A success message appears. To display the list of profiles, select Return.
Content
The Content menu enables you to configure content profiles for incoming and
outgoing content-based scanning. While antispam profiles filter email that contains
spam-like words, images, and other content, content profiles filter non-spam
content, such as words and file attachments, that is not permitted by your network
usage policy.
The Content menu includes the following tabs:
• Incoming
• Outgoing
Incoming
The Incoming tab enables you to create content profiles, which you can use to
filter email subject lines, message bodies, and attachments.
Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.
To view the list of incoming content profiles, go to Profile > Content > Incoming.
New To add a file name or file name extension that you want to filter,
enter a pattern, then select New.
# The index number of the attachment filtering pattern.
Enable Select to filter using the attachment filtering pattern in that row.
Name The attachment filtering pattern, which describes a file name or file
name extension that can be filtered, such as *.exe for files with the
executable file name extension. The pattern matches only the file name, so an
executable renamed with another extension is not caught by it; use File Type
Filtering to match on the type of the attachment rather than its name.
Delete Select to delete the attachment filtering pattern.
This option does not apply immediately; it occurs when you save
the content profile.
5 Select the blue arrow to expand File Type Filtering, and in the Enable column,
mark the checkboxes of the file types that you want to filter, such as
application/executable.
application/other includes all file types not specifically described by the
other options.
6 Select the blue arrow to expand Scan Conditions, and configure the following:
Bypass scan on SMTP authentication Select to omit content profile scanning if the
SMTP session is authenticated. Authentication identifies the account, not the
content: a compromised account bypasses the profile too.
Defer messages over Enter the file size limit over which the FortiMail unit will
defer processing large email messages.
For information on scheduling deferred delivery, see “Advanced
(mail server settings)” on page 169.
7 Select the blue arrow to expand Actions, and configure the following:
Figure 187: Actions
Treat as Spam Select to perform the Actions selected in the antispam profile of the
policy that matches the email. For more information, see “Actions
options” on page 257.
Reject Select to reject the email, notifying the sender.
Discard Select to discard the email without notifying the sender.
Replace Select to substitute the content with a replacement message.
For information on replacement messages, see “Custom
Messages” on page 173.
Quarantine Select to redirect matching email messages to the per-recipient
quarantine. For more information, see “Recipients” on page 366.
8 Select the blue arrow to expand Content Monitor and filtering, then configure the
following:
New profile Select to add a monitor profile, which selects the dictionary profile
that will be used to determine matching email messages, and the
actions that will be performed if a match is found.
# The index number of the content monitor profile.
Enable Enable to use the dictionary profile to inspect email for matching
email and perform the configured action.
Delete Select to delete the monitor profile.
This option does not take effect immediately; it occurs when you
save the content profile.
Dictionary Profile The name of the dictionary profile and the protected domain to
which it belongs, or “system” for system-wide dictionary profiles.
Actions The action that the FortiMail unit will perform if the content of the
email message matches words or patterns from the dictionary
profile.
Header/Subject Tag The text that the FortiMail unit will use to tag email messages
matching the dictionary profile. Each tag is prefixed by a letter:
• H: The tag is a message header.
• S: The tag will be prepended to the subject line.
This field is empty if you have not enabled either or both tagging of
the subject line and message header.
Modify Select Edit to modify the monitor profile.
Dictionary Profile Select the dictionary profile that this monitor profile will use.
The FortiMail unit will compare content in the subject line and message body
of the email message with words and patterns in the dictionary profile. If it
locates matching content, the FortiMail unit will perform the actions configured
in this monitor profile.
For information on dictionary profiles, see “Dictionary” on page 298.
Actions Tag Email in subject line Select to prepend tag text to the subject line of the
email, then enter the tag text, such as “[FILTERED] “, in the With field.
Tag Email with Header Select to add a header line to the email, then enter the
header line, such as:
X-Content-Filter: Contains banned word.
in the With field.
9 Select Apply.
Caution: Applied monitor profile changes will not be saved until you have also saved the
associated content profile.
10 Select OK.
4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.
2 In the row corresponding to an existing profile whose settings you want to modify,
select Edit.
The option to apply changes to multiple profiles does not appear when creating a
new profile. You must modify an existing profile.
3 Modify the profile, changing only those settings that you want to apply to multiple
profiles.
4 Select Apply To Profiles.
A dialog appears, summarizing the changes you are about to apply.
5 If you want to undo some of the changes or make additional changes, select
Change profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.
7 Select OK.
A success message appears. To display the list of profiles, select Return.
Outgoing
The Outgoing tab enables you to create content profiles, which you can use to
filter email subject lines, message bodies, and attachments.
Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.
To view the list of outgoing content profiles, go to Profile > Content > Outgoing.
New To add a file name or file name extension that you want to filter,
enter a pattern, then select New.
# The index number of the attachment filtering pattern.
Enable Select to filter using the attachment filtering pattern in that row.
Name The attachment filtering pattern, which describes a file name or file
name extension that can be filtered, such as *.exe for files with the
executable file name extension. The pattern matches only the file name, so an
executable renamed with another extension is not caught by it; use File Type
Filtering to match on the type of the attachment rather than its name.
Delete Select to delete the attachment filtering pattern.
This option does not apply immediately; it occurs when you save
the content profile.
5 Select the blue arrow to expand File Type Filtering, and in the Enable column,
mark the checkboxes of the file types that you want to filter, such as
application/executable.
application/other includes all file types not specifically described by the
other options.
6 Select the blue arrow to expand Scan Conditions, and configure the following:
Bypass scan on SMTP authentication Select to omit content profile scanning if the
SMTP session is authenticated. Authentication identifies the account, not the
content: a compromised account bypasses the profile too.
7 Select the blue arrow to expand Actions, and configure the following:
Figure 198: Actions
Treat as Spam Select to perform the Actions selected in the antispam profile of the
policy that matches the email. For more information, see “Actions
options” on page 263.
Reject Select to reject the email, notifying the sender.
Discard Select to discard the email without notifying the sender.
Replace Select to substitute the content with a replacement message.
For information on replacement messages, see “Custom
Messages” on page 173.
Forward to Select to forward email messages, then enter a recipient email
address.
8 Select the blue arrow to expand Content Monitor and filtering, then configure the
following:
New profile Select to add a monitor profile, which selects the dictionary profile
that will be used to determine matching email messages, and the
actions that will be performed if a match is found.
# The index number of the content monitor profile.
Enable Enable to use the dictionary profile to inspect email for matching
email and perform the configured action.
Delete Select to delete the monitor profile.
This option does not take effect immediately; it occurs when you
save the content profile.
Dictionary Profile The name of the dictionary profile and the protected domain to
which it belongs, or “system” for system-wide dictionary profiles.
Actions The action that the FortiMail unit will perform if the content of the
email message matches words or patterns from the dictionary
profile.
Header/Subject Tag The text that the FortiMail unit will use to tag email messages
matching the dictionary profile. Each tag is prefixed by a letter:
• H: The tag is a message header.
• S: The tag will be prepended to the subject line.
This field is empty if you have not enabled either or both tagging of
the subject line and message header.
Modify Select Edit to modify the monitor profile.
Dictionary Profile Select the dictionary profile that this monitor profile will use.
The FortiMail unit will compare content in the subject line and message body
of the email message with words and patterns in the dictionary profile. If it
locates matching content, the FortiMail unit will perform the actions configured
in this monitor profile.
For information on dictionary profiles, see “Dictionary” on page 298.
Actions Tag Email in subject line Select to prepend tag text to the subject line of the
email, then enter the tag text, such as “[FILTERED] “, in the With field.
Tag Email with Header Select to add a header line to the email, then enter the
header line, such as:
X-Content-Filter: Contains banned word.
in the With field.
No action Select to perform no action other than tagging, if
enabled, before delivery to the recipient.
Treat As Spam Select to perform the Actions selected in the
antispam profile of the policy that matches the
email. For more information, see “Actions options”
on page 263.
Reject Select to reject the email, notifying the sender.
Discard Select to discard the email without notifying the
sender.
Replace Select to substitute the part of the content that
matches the dictionary profile with a replacement
message.
For information on replacement messages, see
“Custom Messages” on page 173.
Quarantine to Review Select to redirect matching email messages to the
system quarantine. For more information, see
“System quarantine” on page 371.
Forward to Select to forward matching email messages, then
enter a recipient email address.
9 Select Apply.
Caution: Applied monitor profile changes will not be saved until you have also saved the
associated content profile.
10 Select OK.
4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.
5 If you want to undo some of the changes or make additional changes, select
Change profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.
7 Select OK.
A success message appears. To display the list of profiles, select Return.
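The following Python script is an added example, not part of this guide or of FortiMail, and serves both the Incoming and Outgoing content profile descriptions above. It applies a hypothetical content profile (attachment file name patterns, file type filtering, a dictionary of words and patterns, and the subject/header tags) to a constructed MIME message. The sample message is an executable named to look like a PDF: the *.exe pattern does not match it, the file type check does, which is why the two filters are separate settings. The PROFILE dictionary and MAGIC signature table are the example’s own, not FortiMail’s.

```python
import email
import fnmatch
import re
from email import policy
from email.message import EmailMessage

# Byte signatures used for file-type filtering: the file name says nothing
# reliable about the content, the leading bytes usually do.
MAGIC = (
    (b"MZ", "application/executable"),       # Windows PE
    (b"\x7fELF", "application/executable"),  # ELF
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
)

# Hypothetical content profile mirroring the GUI fields of this section.
PROFILE = {
    "attachment_patterns": ["*.exe", "*.scr"],                     # Attachment Filtering
    "blocked_types": {"application/executable"},                   # File Type Filtering
    "attachment_action": "replace",                                # Actions
    "dictionary": [r"project falcon", r"\b\d{3}-\d{2}-\d{4}\b"],  # dictionary words/patterns
    "monitor_action": "none",                                      # monitor profile action
    "subject_tag": "[FILTERED] ",
    "header_tag": ("X-Content-Filter", "Contains banned word"),
}


def sniff_type(data):
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "application/other"


def build_sample():
    """Constructed message: a PE executable named to look like a PDF, and a
    body that mentions a dictionary term."""
    msg = EmailMessage()
    msg["From"] = "user1@example.com"
    msg["To"] = "user2@example.net"
    msg["Subject"] = "Q3 numbers"
    msg.set_content("Attached are the Project Falcon figures.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def scan(raw, profile=PROFILE):
    """Apply the profile to one message. Returns (action, findings, message);
    the returned message carries any subject/header tags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        for pat in profile["attachment_patterns"]:
            if fnmatch.fnmatchcase(name, pat.lower()):
                findings.append(("attachment_pattern", name, pat))
        kind = sniff_type(data)
        if kind in profile["blocked_types"]:
            findings.append(("file_type", name, kind))
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    for pat in profile["dictionary"]:
        if re.search(pat, text, re.IGNORECASE):
            findings.append(("dictionary", pat, None))
    kinds = {f[0] for f in findings}
    # Attachment hits use the profile's Actions; dictionary hits use the
    # monitor profile's action. Tagging is applied even when that action is
    # "none", as the "No action" option describes.
    if kinds & {"attachment_pattern", "file_type"}:
        action = profile["attachment_action"]
    elif "dictionary" in kinds and profile["monitor_action"] != "none":
        action = profile["monitor_action"]
    else:
        action = "deliver"
    if "dictionary" in kinds:
        msg.replace_header("Subject", profile["subject_tag"] + (msg["Subject"] or ""))
        msg[profile["header_tag"][0]] = profile["header_tag"][1]
    return action, findings, msg
```

Running scan(build_sample()) reports a file_type finding for invoice.pdf and no attachment_pattern finding, selects the profile’s Replace action, and returns the message with the subject prefixed by “[FILTERED] ” and an X-Content-Filter header added.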
Session
The Session menu enables you to configure session profiles.
Similar to access control rules or message delivery rules, session profiles control
aspects of SMTP connection sessions.
The Session menu includes the following tabs:
• Session Configuration
Session Configuration
The Session Configuration tab enables you to create session profiles. While, like
antispam profiles, session profiles protect against spam, session profiles focus on
the connection and envelope portion of the SMTP session, rather than the
message header, body, or attachments.
To view the list of session profiles, go to Profile > Session >
Session Configuration.
Profile The name of the profile.
Modify Select Edit to modify a profile. For more information, see “To create
a session profile” on page 288.
Select Delete to remove a profile. This option does not appear if the
profile is currently selected in a policy.
Create New Select to add a profile. For more information, see “To create a
session profile” on page 288.
Hide this box from the mail server (transparent mode only) Select to omit
information from message headers that would normally indicate the FortiMail unit
has intercepted, examined, and processed the message.
Restrict the number of connections per client to n per n minutes Enter a rate
limit on the number of connections per client IP address, then enter the number of
minutes that defines the time interval of the limit.
Restrict the number of messages per client to n per n minute(s) Enter a rate limit
on the number of messages sent per client IP address, then enter the number of
minutes that defines the time interval of the limit.
Each client can only connect n times concurrently Enter a limit on the number of
simultaneous connections per client.
Limit the total number of connections to n Enter a limit on the total number of
simultaneous connections from all sources.
Drop connections after n seconds of client inactivity Enter a limit on the number of
seconds a client may be inactive before the FortiMail unit drops the connection.
Do not let client connect to blacklisted SMTP servers (transparent mode only)
Select to prevent clients from using SMTP servers that have been blacklisted in
antispam profiles or, if enabled, by the FortiGuard AntiSpam service.
Enable sender reputation checking Select to accept or reject email based upon
sender reputation scores.
Throttle client at n Enter a sender reputation score over which the FortiMail unit will
rate limit the number of email messages that can be sent by this
SMTP client.
The enforced rate limit is either “Restrict number of emails per hour
to n” or “Restrict email to n percent of the previous hour”, whichever
value is greater.
This option applies only if “Enable sender reputation checking” is
enabled.
Restrict number of emails per hour to n Enter the maximum number of email
messages per hour that the FortiMail unit will accept from a throttled sender.
Restrict email to n percent of the previous hour Enter the maximum number of
email messages per hour that the FortiMail unit will accept from a throttled
sender, as a percentage of the number of email messages that the sender sent
during the previous hour.
Temporarily fail client at n Enter a sender reputation score over which the
FortiMail unit will return a temporary fail error when the sender attempts to
initiate a connection.
This option applies only if “Enable sender reputation checking” is
enabled.
Reject client at n Enter a sender reputation score over which the FortiMail unit
will return a rejection error when the sender attempts to initiate a connection.
This option applies only if “Enable sender reputation checking” is
enabled.
Enable MSISDN Reputation Select to accept or reject email based upon MSISDN
reputation scores.
Auto blacklist score trigger value Enter the MSISDN reputation score over which the
FortiMail unit will add the MSISDN to the automatic
blacklist.
The trigger score is relative to the period of time
configured as the automatic blacklist window. For
more information on the automatic blacklist window,
see “Settings” on page 422.
Auto blacklist duration Enter the number of minutes that an MSISDN will be
prevented from sending email after it has been automatically blacklisted.
Enable DKIM check Select to, if a DKIM signature is present, query the
DNS server that hosts the DNS record for the sender’s domain name,
retrieve its public key, and verify the DKIM signature.
An invalid signature increases the client sender reputation score and
affects the deep header scan. A valid signature decreases the client
sender reputation score.
If the sender domain DNS record does not include DKIM information or the
message is not signed, the FortiMail unit omits the DKIM signature
validation.
Enable DKIM signing for outgoing messages Select to sign outgoing email with a
DKIM signature. This option requires that you first generate a domain key pair
and publish the public key in the DNS record for the domain name of the
protected domain. If you do not publish the public key, destination SMTP
servers will not be able to validate your DKIM signature. For details on
generating domain key pairs and publishing the public key, see “DKIM Setting”
on page 195.
Enable DKIM signing for authenticated senders only Select to sign outgoing email
with a DKIM signature only if the sender is authenticated.
This option is available only if “Enable DKIM signing for outgoing messages”
is enabled.
Enable Domain Key check Select to, if the DNS record for the domain name of
the sender lists DomainKeys authorized IP
addresses, compare the client IP address to the IP
addresses of authorized senders.
An unauthorized client IP address increases the
client sender reputation score. An authorized client
IP address decreases the client sender reputation
score.
If the DNS record for the domain name of the sender
does not publish DomainKeys information, the
FortiMail unit omits the DomainKeys client IP
address validation.
Enable SPF check Select to, if the sender domain DNS record lists SPF
authorized IP addresses, compare the client IP
address to the IP addresses of authorized senders
in the DNS record.
An unauthorized client IP address increases the
client sender reputation score. An authorized client
IP address decreases the client sender reputation
score.
If the DNS record for the domain name of the sender
does not publish SPF information, the FortiMail unit
omits the SPF client IP address validation.
Bypass Bounce Verification check Select to, if bounce verification is enabled, omit
verification of bounce address tags on incoming
bounce messages.
This bypass does not omit bounce address tagging
of outgoing messages.
For more information, see “Bounce Verification” on
page 423.
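The following Python script is an added example, not part of this guide or of FortiMail. It shows the SPF comparison described above: the client IP address is matched against the addresses the sender domain publishes, and the result is turned into a reputation score adjustment rather than an outright reject. The TXT records are constructed and stand in for live DNS lookups; only the ip4, ip6 and all mechanisms are implemented (include, redirect, a, mx and exists are skipped), and the score deltas are illustrative, not FortiMail’s values.

```python
import ipaddress

# Constructed TXT records standing in for the DNS lookups the FortiMail unit
# makes. SPF is evaluated against the domain of the envelope sender (MAIL FROM).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.org": "v=spf1 ip4:203.0.113.5",       # no "all" term: unlisted IPs are neutral
    "nospf.example": "some unrelated TXT record",  # no SPF policy published
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, lookup=DNS_TXT.get):
    """Return the domain's SPF record, or None if it publishes none."""
    record = lookup(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(client_ip, sender_domain, lookup=DNS_TXT.get):
    """Evaluate ip4/ip6/all mechanisms left to right; the first match wins.
    Returns 'none', 'pass', 'fail', 'softfail', 'neutral' or 'permerror'.
    include/redirect/a/mx/exists are not implemented here and are skipped."""
    record = spf_record(sender_domain, lookup)
    if record is None:
        return "none"                      # nothing published: validation is omitted
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record: treat as no decision
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


def reputation_delta(result):
    """Map the SPF result onto the score adjustment described above: an
    authorized client lowers the sender reputation score, an unauthorized
    one raises it, and no record leaves it untouched. Sizes are illustrative."""
    return {"pass": -1, "fail": 2, "softfail": 1}.get(result, 0)
```

Because the check only adjusts the score, a forged sender from an unlisted IP is not rejected on its own; it is the combination with the other session checks and the throttle/fail/reject thresholds above that produces the enforcement.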
8 Select the blue arrow to expand Session Settings, and configure the following:
Reject EHLO/HELO commands with invalid characters in the domain Select to return
SMTP reply code 501, rejecting the SMTP greeting, if the client or server uses a
greeting that contains a domain name with invalid characters.
To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP
greeting domain name with random characters, rather than using a genuine, valid
domain name. If this option is enabled, such connections are rejected.
In the following example, the invalid command is the EHLO line:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT
EHLO ^^&^&^#$
501 5.0.0 Invalid domain name
Valid domain characters include:
• alphanumerics (A to Z and 0 to 9)
• brackets ( [ and ] )
• periods ( . )
• dashes ( - )
• underscores ( _ )
• number symbols ( # )
• colons ( : )
Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address
(transparent mode only) Select to rewrite the HELO domain to the IP address of
the client to prevent domain name spoofing.
Rewrite EHLO/HELO domain to (transparent mode only) Select to rewrite the HELO
domain to the specified value.
Prevent encryption of the session (transparent mode only) Select to block TLS/MD5
commands so that email must pass unencrypted, enabling the FortiMail unit to scan
the email for viruses and spam. This also forces those clients’ SMTP
authentication credentials and message content onto the network in clear text, so
enable it only where the path between the client and the FortiMail unit is trusted.
Clear to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail
unit cannot scan encrypted email for viruses and spam.
Allow pipelining for the session (transparent mode only) Select to allow SMTP
command pipelining, allowing multiple SMTP commands to be accepted and processed
simultaneously, improving performance for high-latency connections.
Deselect to accept only a single command at a time during an SMTP session.
Enforce strict RFC compliance (transparent mode only) Select this option to limit
pipelining support to strict compliance with RFC 2920, SMTP Service Extension for
Command Pipelining.
This option is available only if Allow pipelining for the session is enabled.
Perform strict syntax checking Select to return SMTP reply code 503, rejecting the
SMTP command, if the client or server uses SMTP commands that are syntactically
incorrect.
EHLO or HELO, MAIL FROM, RCPT TO (can be multiple), and DATA commands must be in
that order. AUTH, STARTTLS, RSET, NOOP commands can arrive at any time. Other
commands, or commands in an unacceptable order, return a syntax error.
In the following example, the invalid command is the RCPT TO line:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT
EHLO example.com
250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
RCPT TO:<user1@example.com>
503 5.0.0 Need MAIL before RCPT
Switch to SPLICE mode after n seconds/kilobytes (transparent mode only) Select to
enable splice mode, then type a threshold value based on time (seconds) or data
size (kilobytes).
Splice mode enables the FortiMail unit to simultaneously scan an email and relay
it to the SMTP server. This increases throughput and reduces the risk of a server
timeout.
If the FortiMail unit detects spam or a virus, it terminates the server
connection and returns an error message to the sender, listing the spam or virus
name and infected file name.
ACK EOM before AntiSpam check Select to acknowledge the end of message (EOM)
signal immediately after receiving the carriage return and line feed (CRLF)
characters that indicate the EOM, rather than waiting for antispam scanning to
complete.
If the FortiMail unit has not yet completed antispam scanning by the time that
four (4) minutes have elapsed, it will return SMTP reply code 451 (Try again
later). This causes no permanent failure, because according to RFC 2821 the
sender’s timeout while waiting for the end-of-data acknowledgement should be at
least 10 minutes. However, in rare cases where the server or client’s timeout is
shorter than 4 minutes, the sending client or server could time out while waiting
for the FortiMail unit to acknowledge the EOM. Enabling this option prevents those
rare cases.
Once the EOM has been acknowledged, the message can no longer be rejected within
the SMTP session; spam found afterwards must be tagged, quarantined or discarded,
or reported to the sender by DSN (see the next option).
Send DSN to sender when spam is detected Select to send a delivery status
notification (DSN) to the sender when spam is detected. DSN is described in
RFC 1891, RFC 3461, and RFC 3463.
By default, this feature is disabled, because enabling it could allow spammers to
use the FortiMail unit to spam via DSN (backscatter). In this attack, spammers
spoof a legitimate sender email address, expecting that the FortiMail unit will
reject the email and then send a DSN, containing the spam, to the spoofed sender
address, which is the true target of the attack. However, there may be reasons why
you want to enable this option. For example:
• If you have disabled recipient validation but enabled tagging of spam, after
the FortiMail unit sends tagged spam to the protected email server, the
protected email server will return the SMTP reply code 550 (user unknown),
thereby wasting system resources of both the FortiMail unit and the protected
email server.
• According to RFC 2821, the FortiMail unit should send a DSN to notify the
sender of the delivery failure.
9 Select the blue arrow to expand For Unauthenticated Sessions, and configure the
following:
Check HELO/EHLO domain Select to return SMTP reply code 501, rejecting the SMTP
command, if the domain name accompanying the SMTP greeting is not a domain name
that exists in either MX or A records.
Check sender domain Select to return SMTP reply code 421, rejecting the SMTP
command, if the domain name portion of the sender address is not a domain name
that exists in either MX or A records.
In the following example, the invalid command is the MAIL FROM line:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT
EHLO
250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
MAIL FROM:<user1@example.com>
421 4.3.0 Could not resolve sender domain.
Check recipient domain Select to return SMTP reply code 550, rejecting the SMTP
command, if the domain name portion of the recipient address is not a domain name
that exists in either MX or A records.
In the following example, the invalid command is the RCPT TO line:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT
EHLO example.com
250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
MAIL FROM:<user1@fortinet.com>
250 2.1.0 <user1@fortinet.com>... Sender ok
RCPT TO:<user2@example.com>
550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]
Reject empty domains Select to return SMTP reply code 553, rejecting the SMTP
command, if no domain name follows the “@” symbol in the sender email address.
Because the sender address is invalid and therefore cannot receive delivery
status notifications (DSN), you may want to disable this feature.
In the following example, the invalid command is the MAIL FROM line:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2007 14:48:32 GMT
EHLO example.com
250-FortiMail-400.localdomain Hello [192.168.171.217], pleased to meet you
MAIL FROM:<john@>
553 5.1.3 <john@>... Hostname required
Prevent open relaying (transparent mode only) Select to prevent clients from using
open relays to send email. If your clients are permitted to use open relays to
send email, email from your domain could be blacklisted by other SMTP servers.
This feature requires that you allow clients to use their specified SMTP server
for outgoing mail. For details, see “Use client-specified SMTP server to send
email” on page 216.
Reject if recipient and helo domain match but sender domain is different Select to
prevent spammers from using the same domain name in the HELO greeting and the
recipient address but a different domain name in the sender address, thereby
attempting to mask the true identity of the sending server.
10 Select the blue arrow to expand SMTP Limits, and configure the following:
Restrict number of EHLO/HELOs per session to n Enter the limit of SMTP greetings
that a connecting SMTP server or client can perform before the FortiMail unit
terminates the connection. Restricting the number of SMTP greetings allowed per
session makes it more difficult for spammers to probe the email server for
vulnerabilities, as a greater number of attempts results in a greater number of
terminated connections, which must then be re-initiated.
Restrict number of emails per session to n Enter the limit of email messages per
session to prevent mass mailing.
Restrict number of recipients per email to n Enter the limit of recipients to
prevent mass mailing.
Cap message size at n kilobytes Enter the limit of message size. If enabled,
messages over the threshold size are rejected.
Cap header size at n kilobytes Enter the limit of the message header size. If
enabled, messages with headers over the threshold size are rejected.
Drop connection after n NOOPs Enter the limit of NOOP commands that are
permitted per SMTP session. Some spammers use NOOP commands to keep a long
session alive. Legitimate sessions usually require few NOOPs.
Drop connection after n RSETs Enter the limit of RSET commands that are
permitted per SMTP session. Some spammers use RSET commands to try again after
receiving error messages such as unknown recipient. Legitimate sessions should
require few RSETs.
Client is allowed n “free” errors. Enter the number of errors permitted before the
FortiMail unit will impose a delay. By default, five errors are permitted before
the FortiMail unit imposes the first delay.
The first non-free error will incur a delay of n seconds Enter the delay time for
the first error after the number of “free” errors is reached.
Subsequent error delays will increment by n seconds Enter the number of seconds
by which to increase the delay for each error after the first delay is imposed.
The connection will drop after n errors Enter the total number of errors the
FortiMail unit will accept before dropping the connection.
Remove received header Select to remove all the Received headers from email
messages.
Remove headers Select to remove other configured headers from email messages,
then select Edit to configure which headers should be removed.
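The following Python script is an added example, not part of this guide or of FortiMail. It models the envelope-stage checks from the Session Settings, For Unauthenticated Sessions and SMTP Limits tables above as one small command-by-command checker: the EHLO/HELO character rule (501), strict command ordering (503), the empty sender domain rule (553), the greeting, recipient and NOOP limits, and the error tarpit (free errors, first delay, increment, drop). The limits, reply texts and default values are the example’s own, chosen to match the transcripts in this section, not FortiMail’s internal behaviour.

```python
import re

# Characters the guide lists as valid in an EHLO/HELO domain.
HELO_DOMAIN = re.compile(r"^[A-Za-z0-9\[\]._#:-]+$")
ADDR = re.compile(r"^(?:FROM|TO):\s*<([^>]*)>", re.IGNORECASE)


class SmtpSessionChecker:
    """Envelope-stage checks from a hypothetical session profile. command()
    returns (reply_code, text, delay_seconds, drop_connection)."""

    ANYTIME = {"AUTH", "STARTTLS", "RSET", "NOOP", "QUIT"}

    def __init__(self, free_errors=5, first_delay=10, increment=5,
                 max_errors=10, max_helos=3, max_rcpts=50, max_noops=10):
        self.cfg = dict(free_errors=free_errors, first_delay=first_delay,
                        increment=increment, max_errors=max_errors,
                        max_helos=max_helos, max_rcpts=max_rcpts, max_noops=max_noops)
        self.state = "connected"   # connected -> greeted -> mail -> rcpt
        self.errors = self.helos = self.rcpts = self.noops = 0

    def _error(self, code, text):
        """Tarpit: n free errors, then a delay that grows per error, then drop."""
        c = self.cfg
        self.errors += 1
        over = self.errors - c["free_errors"]
        delay = 0 if over <= 0 else c["first_delay"] + (over - 1) * c["increment"]
        return code, text, delay, self.errors >= c["max_errors"]

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg, c = verb.upper(), arg.strip(), self.cfg
        if verb in self.ANYTIME:                      # allowed at any point
            if verb == "NOOP":
                self.noops += 1
                if self.noops > c["max_noops"]:
                    return 421, "4.7.0 Too many NOOPs", 0, True
            if verb == "RSET" and self.state != "connected":
                self.state, self.rcpts = "greeted", 0
            return 250, "OK", 0, False
        if verb in ("EHLO", "HELO"):
            self.helos += 1
            if self.helos > c["max_helos"]:
                return 421, "4.7.0 Too many greetings", 0, True
            if not arg or not HELO_DOMAIN.match(arg):  # random-character greeting
                return self._error(501, "5.0.0 Invalid domain name")
            self.state, self.rcpts = "greeted", 0
            return 250, f"Hello {arg}", 0, False
        if verb == "MAIL":
            if self.state != "greeted":
                return self._error(503, "5.0.0 Need EHLO/HELO before MAIL")
            m = ADDR.match(arg)
            if not m:
                return self._error(501, "5.5.2 Syntax error in parameters")
            sender = m.group(1)                         # "" is the null sender for bounces
            if sender and sender.rsplit("@", 1)[-1] == "":
                return self._error(553, f"5.1.3 <{sender}>... Hostname required")
            self.state = "mail"
            return 250, f"2.1.0 <{sender}>... Sender ok", 0, False
        if verb == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return self._error(503, "5.0.0 Need MAIL before RCPT")
            if not ADDR.match(arg):
                return self._error(501, "5.5.2 Syntax error in parameters")
            self.rcpts += 1
            if self.rcpts > c["max_rcpts"]:
                return self._error(452, "4.5.3 Too many recipients")
            self.state = "rcpt"
            return 250, "2.1.5 Recipient ok", 0, False
        if verb == "DATA":
            if self.state != "rcpt":
                return self._error(503, "5.0.0 Need RCPT (recipient)")
            self.state = "greeted"                      # body handling is out of scope here
            return 354, "Enter mail, end with \".\" on a line by itself", 0, False
        return self._error(500, "5.5.1 Command unrecognized")
```

Feeding the checker the commands from the transcripts above reproduces their reply codes: EHLO ^^&^&^#$ gets 501, RCPT TO before MAIL FROM gets 503, and MAIL FROM:<john@> gets 553. With the defaults, the sixth error in a session is delayed by 10 seconds, each further error by 5 seconds more, and the tenth error drops the connection.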
Note: If you require regular expression support for whitelisting and blacklisting sender and
recipient email addresses in the envelope, do not configure white lists and black lists in the
session profile. Instead, configure access control rules and message delivery rules. For
more information, see “Access” on page 198.
Figure 217: Lists
Enable sender white list checking Enable to use an envelope sender (MAIL FROM)
white list in SMTP sessions to which this profile is
applied, then select Edit to define the whitelisted
email addresses.
Enable sender black list checking Enable to use an envelope sender (MAIL FROM)
black list in SMTP sessions to which this profile is
applied, then select Edit to define the blacklisted
email addresses.
Allow recipients on this list Enable to use an envelope recipient (RCPT TO)
white list in SMTP sessions to which this profile is
applied, then select Edit to define whitelisted email
addresses.
Disallow recipients on this list Enable to use an envelope recipient (RCPT TO)
black list in SMTP sessions to which this profile is
applied, then select Edit to define blacklisted email
addresses.
14 Select OK.
Dictionary
The Dictionary menu enables you to configure dictionary profiles and to maintain
the dictionary profile database.
The Dictionary menu includes the following tabs:
• Profiles
• Categories
• Languages
• Groups
• Maintenance
1 Create language and category items, which are required when creating a
dictionary. See “To create a dictionary category” on page 304 and “To create a
dictionary language” on page 306.
2 Create dictionaries, which are required when creating a dictionary group item, or
when directly selecting them for use in a dictionary profile. See “To create a
dictionary” on page 302.
3 Add words and patterns to your new dictionaries. See “To add words and patterns
to a dictionary” on page 303.
4 If you will be creating multiple dictionary profiles that will use similar sets of
dictionaries, create dictionary groups. See “To create a dictionary group” on
page 307.
5 Add dictionary group items to your new dictionary groups. See “To create a
dictionary group item” on page 308.
6 Create dictionary profiles. See “To create a dictionary profile” on page 300.
7 Select dictionaries or dictionary groups in your new dictionary profiles. See “To
add dictionaries and dictionary groups to a dictionary profile” on page 300.
8 Select dictionary profiles in antispam profiles and/or content profiles. For more
information, see “AntiSpam” on page 241 and “Content” on page 275.
Profiles
The Profiles tab enables you to configure dictionary profiles, which can be used
by antispam or content profiles to detect spam or banned content.
Rather than being selected in a policy, dictionary profiles are used indirectly by
selecting them in a content profile or antispam profile, which in turn must be
selected in the policy. For more information on content profiles and antispam
profiles, see “AntiSpam” on page 241 and “Content” on page 275.
Dictionary profiles require the creation of several other components before you
can create the dictionary profile. For an overview of the entire procedure, see
“How to create dictionary profiles” on page 298.
To view the list of dictionary profiles, go to Profile > Dictionary > Profiles.
Select Domain: Select the name of a protected domain to display dictionary profiles belonging to that protected domain, or select “system” to display system-wide dictionary profiles.
Profile Name: The name of the profile. Select the name of the profile to add dictionaries and dictionary groups to the dictionary profile. For more information, see “Adding dictionaries and dictionary groups to a dictionary profile” on page 300.
4 To select dictionaries or dictionary groups that the profile will include, in the row
corresponding to Groups or Dictionaries, first select New Item, then select the
name of the dictionary or dictionary group, and select OK.
Note: Dictionary groups that you include do not have to be an exact match for the set of
dictionaries that you actually want to use. If the dictionary group is a superset, you can
exclude individual dictionaries or smaller groups from the set by adding those to “Excluding
groups” or “Excluding dictionaries”.
Dictionaries
The Dictionaries tab enables you to create dictionaries, which contain words
and/or regular expressions.
While you can individually select which dictionaries to use with each dictionary profile, you can also combine dictionaries into groups, then select those dictionary groups within each profile. If you will be creating multiple dictionary profiles that each use a similar set of dictionaries, creating dictionary groups can simplify creation of dictionary profiles. For more information about dictionary groups, see “Groups” on page 306.
To view the list of dictionaries, go to Profile > Dictionary > Dictionaries.
To create a dictionary
Before you can create a dictionary, you must create languages and categories to
which the dictionary will be assigned. For more information, see “Categories” on
page 304 and “Languages” on page 305.
1 Go to Profile > Dictionary > Dictionaries.
2 From Select Domain, select the name of a protected domain to which this
dictionary will be assigned, or select “system” to create a system-wide dictionary.
If you have not yet configured a protected domain, the dictionary will be assigned
to “system” by default. For information on configuring protected domains, see
“Domains” on page 180.
3 Select Create New.
x of y domain: The name of the dictionary and the name of the protected domain to which it is assigned, or “system” for system-wide dictionaries.
Pattern: Enter a term, which may be either a word or a regular expression, then select either “create new” or “Insert Pattern before”.
create new: Select to add the term that you have entered in the Pattern field to the end of the list.
Page Up: Select to view the previous page of the list.
Page Down: Select to view the next page of the list.
view x lines: Select the number of entries to display per page.
x cols per page: Select the number of columns to display.
Total: x/y: The current page number and the total number of pages of the list.
Pattern: The word or regular expression. Select the term to modify it.
Modify: Select Delete to remove a pattern. Select Insert Pattern before to add a new pattern before the current pattern.
Categories
The Categories tab enables you to create dictionary categories.
When creating a dictionary, you must select a category to label the dictionary
according to the type of terms that it contains. When creating dictionary group
items, you can select subsets of your dictionaries based upon their assigned
category.
To view the list of dictionary categories, go to Profile > Dictionary > Categories.
2 From Select Domain, select the name of a protected domain to which this
dictionary category will be assigned, or select “system” to create a system-wide
dictionary category.
If you have not yet configured a protected domain, the dictionary category will be
assigned to “system” by default. For information on configuring protected
domains, see “Domains” on page 180.
3 Select Create New.
Languages
The Languages tab enables you to define dictionary languages.
When creating a dictionary, you must select a language to label the dictionary
according to the type of terms that it contains. When creating dictionary group
items, you can select subsets of your dictionaries based upon their assigned
language.
Dictionary languages are labels only, and are not required to be indicative of any
associated encoding or spelling. Additionally, they are not restricted to the names
of locale-specific human languages. For example, a hospital might create a
dictionary language named “Medical” to identify dictionaries that contain medical
jargon. Similarly, you could create a dictionary language named “French” that will
be assigned to French as well as some English dictionaries, which you then use to
scan German email.
To view the list of dictionary languages, go to Profile > Dictionary > Languages.
Create New: Select to add a language. For more information, see “To create a dictionary profile” on page 300.
To create a dictionary language
1 Go to Profile > Dictionary > Languages.
2 Select Create New.
Groups
The Groups tab enables you to create dictionary groups.
While you can individually select which dictionaries to use with each dictionary profile, you can also combine dictionaries into groups, then select those dictionary groups within each profile. If you will be creating multiple dictionary profiles that each use a similar set of dictionaries, creating dictionary groups can simplify creation of dictionary profiles. For more information about dictionary profiles, see “Profiles” on page 299.
Dictionary groups indirectly define the set of included dictionaries: each dictionary
group is comprised of dictionary group items, each of which are comprised of a set
of dictionaries.
To view the list of dictionary groups, go to Profile > Dictionary > Groups.
Create New: Select the name of a protected domain from Select Domain, then select Create New to add a dictionary for that protected domain.
Note: If you have not yet configured a protected domain, new dictionary groups will by default be assigned to the “system” domain. For more information on protected domains, see “Domains” on page 180.
Select Domain: Select the name of a protected domain to display dictionary groups belonging to that protected domain, or select “system” to display system-wide dictionary groups. This option is not available if you have not yet configured a protected domain. For more information on protected domains, see “Domains” on page 180.
Group Name: The name of the dictionary group or dictionary group item.
Domain: The entire FortiMail unit (“system”) or name of a protected domain to which the profile is assigned. Which dictionary groups are visible and modifiable by the administrator varies by whether a FortiMail administrator account is assigned to a specific protected domain. For more information, see “Administrator account permissions and domains” on page 139.
Description: The description of the dictionary group.
Modify: Select Edit to modify the dictionary group or dictionary group item. For more information, see “To create a dictionary group” on page 307 or step 6 of “To create a dictionary group item” on page 308. Select Delete to remove the dictionary group. Select New Item to add a dictionary group item to the dictionary group. For more information, see “To create a dictionary group item” on page 308.
Note: If a dictionary will be included in many Type 2 dictionary group items, consider
forming separate Type 1 dictionary group items for that dictionary instead. Because Type 2
dictionary group items manually select each member dictionary, you will not be able to
delete the dictionary until you manually deselect it from all Type 2 dictionary group items.
5 Select OK.
An empty dictionary group item is added to the dictionary group.
6 In the row corresponding to the new dictionary group item, select Edit.
A dialog appears whose appearance varies by your previous selection of Type 1
or Type 2. The dialog enables you to define the sets of dictionaries that will
comprise this dictionary item.
7 If the dictionary item is of Type 1, configure the following:
Show Domain: Select the name of a protected domain to display in the Available Dictionaries area those dictionaries whose Domain matches this value.
Show Category: Select the name of a category to display in the Available Dictionaries area those dictionaries whose Category matches this value, or select All to display dictionaries regardless of their Category value.
Show Language: Select the name of a language to display in the Available Dictionaries area those dictionaries whose Language matches this value, or select All to display dictionaries regardless of their Language value.
Available Dictionaries: Displays a list of dictionaries matching the criteria that you have currently selected in Show Domain, Show Category, and Show Language.
To include one or more dictionaries as members of the dictionary group item, select one or more dictionaries from the Available Dictionaries area, then select the right arrow to move them to the Members area.
You can include additional dictionaries whose Domain, Category, or Language values differ by selecting those values in Show Domain, Show Category, and Show Language, then repeating the above procedure, until all member dictionaries appear in the Members area.
8 Select OK.
Maintenance
The Maintenance tab enables you to back up, restore, and repair the dictionary
configuration database.
To view the dictionary database error status or perform database maintenance, go
to Profile > Dictionary > Maintenance.
Database Status: Indicates the error status of the dictionary database. For example, “database ok” indicates that there are currently no database errors that require repair.
Recovery Database: Select to repair most types of database errors.
Backup: Select to download a backup copy of the dictionary configuration database, which includes all dictionaries, dictionary groups, categories, and languages.
Restore Dictionary: Select Browse to locate a dictionary backup file, then select OK to upload and restore the file.
Caution: Back up the dictionary configuration database before selecting Restore Dictionary. Restoring the dictionary database will overwrite any existing dictionary configuration.
Caution: Back up the dictionary configuration database before beginning this procedure. Restoring the dictionary database will overwrite any existing dictionary configuration.
3 Select OK.
The FortiMail unit uploads and restores the dictionary backup file, then displays a
success message.
4 Select Return.
LDAP
The LDAP menu enables you to configure LDAP profiles, which can enable your
FortiMail unit to query an LDAP server for authentication, email address
mappings, and more.
The LDAP menu contains the following tabs:
• LDAP Profile
Caution: Verify your LDAP server’s configuration for each query type that you enable and configure. For example, if you enable mail routing queries, verify connectivity and that each user object in the LDAP directory includes the attributes and values required by mail routing. Failure to verify enabled queries can result in unexpected mail processing behavior.
• your LDAP server already contains all information required by the LDAP profile
queries you want to enable
• your LDAP server uses a common schema style, and a matching predefined
LDAP query configuration exists for that schema style
If both of those conditions are true, your LDAP profile configuration may also be
very minimal. Some queries in LDAP profiles contain schema options that
automatically configure the query to match common schema styles such as IBM
Lotus Domino, Microsoft ActiveDirectory (AD), and OpenLDAP. If you will only
enable those queries that have schema options, it may be sufficient to select your
schema style for each query.
For example, your LDAP server might use an OpenLDAP-style schema, where
two types of user object classes exist, but both already have mail and
userPassword attributes. Your FortiMail unit is in gateway mode, and you want
to use LDAP queries to use users’ email addresses to query for authentication. In
this scenario, it may be sufficient to:
1 In the LDAP profile, enter the domain name or IP address of the LDAP server.
2 Configure the LDAP profile queries:
• In User Query Options, select from Schema which OpenLDAP schema your
user objects follow: either InetOrgPerson or InetLocalMailRecipient. Also enter
the Base DN, Bind DN, and Bind Password to authenticate queries by the
FortiMail unit and to specify which part of the directory tree to search.
• In User Auth Options, enable the query with the option to Search User and Try
Bind DN.
Figure 234: Example LDAP profile configuration for user email address and authentication queries to an OpenLDAP-style directory
3 Configure mail domains and policies to use the LDAP profile to authenticate users
and perform recipient verification.
Note: Before modifying your LDAP directory, verify that changes will be compatible with
other applications using the directory. You may prefer to modify the LDAP profile query
and/or add new attributes than to modify existing structures that are used by other
applications, in order to reduce the likelihood of disruption to other applications. For
instructions on modifying schema or setting attribute values, consult the documentation for
your specific LDAP server.
The primary goal when modifying your LDAP directory is to provide, in some way
that can be retrieved by LDAP profile queries, the information required by
FortiMail features which can use LDAP profiles. Depending on the LDAP profile
queries that you enable, you may need to add to your LDAP directory:
• user objects
• user group objects
• email alias objects
Keep in mind that for some schema styles, such as that of Microsoft
ActiveDirectory, user group objects may also play a double role as both user
group objects and email alias objects. For the purpose of FortiMail LDAP queries,
email alias objects can be any object that can be used to expand email aliases
into deliverable email addresses, which are sometimes called distribution lists.
For each of those object types, you may also need to add required attributes in a syntax compatible with the FortiMail features that use those attributes.
At a minimum, your LDAP directory must have user objects that each contain an
email address attribute, and the value of that email address attribute must use full
email address syntax (e.g. mail: user@example.com). This attribute is
required by User Query Options, a query which is required in every LDAP profile.
Many other aspects of LDAP profiles are flexible enough to query for the required
information in more than one way. It may be sufficient to modify the query strings
and other fields in the LDAP profile to match your individual LDAP directory.
For example, the purpose of the User Query Options is to find the distinguished
name (DN) of user objects by their email addresses, represented by the FortiMail
variable $m. Often user objects can be distinguished by the fact that they are the
only records that contain the attribute-value pair objectClass: User. If the
class of user name objects in your LDAP directory is not objectClass: User
but instead objectClass: inetOrgPerson, you could either modify:
• the LDAP profile’s user query to request user objects as they are denoted on
your particular server, using objectClass=inetOrgPerson; for example,
you might modify the user query from:
(&(objectClass=User)(mail=$m))
to be:
(&(objectClass=inetOrgPerson)(mail=$m))
• the LDAP server’s schema to match the queries’ expected structure, where
user objects are defined by objectClass=User
Alternatively, perhaps there are too many user objects, and you prefer to instead
retrieve only those user objects belonging to a specific group number. In this case,
you might modify the query string from:
(&(objectClass=User)(mail=$m))
to be:
(&(objectClass=User)(gidNumber=102)(mail=$m))
You can use any attribute-value pairs to filter the query result set, as long as they
are unique and common to all objects in your intended result set.
Table 15: LDAP directory requirements for each FortiMail LDAP profile query

Object: Email alias object classes such as nisMailAlias, or user objects from User Query Options, depending on whether your schema resolves email aliases directly or indirectly, respectively. For details, see “Base DN” on page 329.
Attribute: rfc822MailMember (for alias objects) or mail (for user objects)
Value: Either the user name portion of an email address (e.g. user; for alias objects), or the entire email address (e.g. user@example.com; for user objects).
Query: Query expands an alias to one or more user email addresses. If the alias is resolved directly, this query retrieves the email addresses from the alias object itself. If the alias is resolved indirectly, this query first queries the alias object for member attributes, then uses the DN of each member in a second query to retrieve the email addresses of those user objects. For details, see “Base DN” on page 329.

Object: User group object classes such as group or groupOfNames. User groups are not inherently associated with email aliases, but for some schemas, such as Microsoft ActiveDirectory, group objects play the role of email alias objects, and are used to indirectly resolve email aliases. For details, see “Base DN” on page 329.
Attribute: member
Value: A user object’s DN, or the DN of another alias object.
Query: Query retrieves the DN of a user object that is a member of the group. This attribute is required only if aliases resolve to user email addresses indirectly. For details, see “Base DN” on page 329.

Mail Routing Options (Objects from User Query Options.)
Attribute: mailHost
Value: A fully qualified domain name (FQDN) or IP address.
Query: Query retrieves the fully qualified domain name (FQDN) or IP address of the mail server, sometimes also called the mail host, that stores email for any user defined by User Query Options.
Attribute: mailRoutingAddress
Value: A user’s email address for a user account whose email is physically stored on mailHost.
Query: Query retrieves the email address for a real account physically stored on mailHost for any user defined by User Query Options.

AS/AV On/Off Options (Objects from User Query Options.)
Attribute: No default attribute name.
Value: Varies by schema. May be TRUE (on) or FALSE (off); YES (on) or NO (off); 1 or any non-zero value (on), or 0 (off).
Query: Query retrieves whether or not to perform antivirus processing for any user defined by User Query Options.
Attribute: No default attribute name.
Value: Varies by schema. May be TRUE (on) or FALSE (off); YES (on) or NO (off); 1 or any non-zero value (on), or 0 (off).
Query: Query retrieves whether or not to perform antispam processing for any user defined by User Query Options.

Address Mapping Options (Objects from User Query Options.)
Attribute: No default attribute name.
Value: A user’s internal email address.
Query: Query retrieves the user’s internal email address.
Attribute: No default attribute name.
Value: A user’s external email address.
Query: Query retrieves the user’s external email address.

Webmail Password Options (Objects from User Query Options.)
Attribute: userPassword
Value: Any.
Query: Query, upon successful bind using the existing password, changes the password for any user defined by User Query Options.
Each LDAP profile query filter string may indicate expected value syntax by the
FortiMail variables used in the query filter string.
• $m: the query filter expects the attribute’s value to be a full email address
• $u: the query filter expects the attribute’s value to be a user name
• $b: the query filter expects the attribute’s value to be a bind DN
The following example illustrates a matching LDAP directory and LDAP profile.
Labels indicate the part of the LDAP profile that is configured to match the
directory schema.
LDAP Profile
The LDAP Profile tab displays the list of LDAP profiles.
LDAP profiles each contain one or more queries that retrieve specific
configuration data, such as user groups, from an LDAP server. The LDAP profile
list displays which queries you have enabled in each LDAP profile.
To view the list of LDAP profiles, go to Profile > LDAP > LDAP Profile.
Caution: Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended mail processing behaviors can result. For details on preparing an LDAP directory for use with FortiMail LDAP profiles, see “Preparing your LDAP schema for FortiMail LDAP profiles” on page 311.
4 Select the blue arrow to expand User Query Options, and configure the query to
retrieve the distinguished names (DN) of user objects by their email addresses.
For more information on recipient address verification by LDAP query, see “Verify
Recipient Address” on page 187. For more information on automatically removing
quarantine mailboxes for recipients that do not currently exist in the protected
domain, see “Automatic Removal of Invalid Quarantine Accounts” on page 189.
LDAP Query to Find User: Enter an LDAP query filter that selects a set of user objects from the LDAP directory.
The query filter string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.
For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:
(& (objectClass=inetOrgPerson) (mail=$m))
where $m is the FortiMail variable for a user's email address.
If the email address ($m) as it appears in the message header is different from the user’s email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the user by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract “-spam” from the end of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=inetOrgPerson) (mail=$m${-spam}))
where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract “spam-” from the beginning of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=inetOrgPerson) (mail=$m${^spam-}))
where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.
For some schemas, such as Microsoft ActiveDirectory-style schemas, this query will retrieve both the user’s primary email address and the user’s alias email addresses. If your schema style is different, you may want to also configure User Alias Options to resolve aliases. For details, see step 7.
This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.
For details on query syntax, refer to any standard LDAP query filter reference manual.
Scope: Select which level of depth to query, starting from Base DN.
• One level: Query only the one level directly below the Base DN in the LDAP directory tree.
• Subtree: Query recursively all levels below the Base DN in the LDAP directory tree.
Derefer: Select the method to use, if any, when dereferencing attributes whose values are references.
• Never: Do not dereference.
• Always: Always dereference.
• Search: Dereference only when searching.
• Find: Dereference only when finding the base search object.
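As an added example that is not part of the original guide, the following Python models how a query filter template of the kind shown above ($m, $u, $b plus the ${-tag} and ${^tag} directives) expands for one recipient address. The variable and tag handling follows the description here; the RFC 4515 escaping of the substituted value is an assumption of the example, added so that a recipient address containing filter metacharacters cannot change the structure of the resulting filter.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# ${-tag} removes "tag" from the end of the user-name portion, ${^tag} from the start.
_TAG_TOKEN = re.compile(r"\$\{(\^?)([^}]+)\}")
# $m = full email address, $u = user-name portion, $b = bind DN
_VAR_TOKEN = re.compile(r"\$([mub])")


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the surrounding filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_tags(local_part: str, template: str) -> str:
    """Apply every ${-tag} / ${^tag} directive found in the template to the user-name
    portion of the address (recipient tagging adds such text, as the guide describes)."""
    for caret, tag in _TAG_TOKEN.findall(template):
        if caret and local_part.startswith(tag):
            local_part = local_part[len(tag):]
        elif not caret and local_part.endswith(tag):
            local_part = local_part[:-len(tag)]
    return local_part


def build_filter(template: str, address: str, bind_dn: str = "") -> str:
    """Expand a FortiMail-style query filter template for one recipient address.

    Tag directives are applied first, then $m/$u/$b are replaced by the escaped
    values. The escaping step is this example's own hardening, not a product claim.
    """
    local, sep, domain = address.partition("@")
    local = strip_tags(local, template)
    full = local + sep + domain          # sep is "" when the address had no "@"
    values = {"m": full, "u": local, "b": bind_dn}
    bare = _TAG_TOKEN.sub("", template)  # directives are not part of the filter text
    return _VAR_TOKEN.sub(lambda m: escape_filter_value(values[m.group(1)]), bare)


if __name__ == "__main__":
    # Constructed sample inputs using the templates quoted in the guide.
    print(build_filter("(&(objectClass=User)(mail=$m))", "alice@example.com"))
    print(build_filter("(& (objectClass=inetOrgPerson) (mail=$m${-spam}))",
                       "alice-spam@example.com"))
    print(build_filter("(& (objectClass=inetOrgPerson) (mail=$m${^spam-}))",
                       "spam-alice@example.com"))
    # A recipient address carrying filter metacharacters is neutralised by escaping.
    print(build_filter("(&(objectClass=User)(mail=$m))", "*)(objectClass=*"))
```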
5 If you want to define a group membership query, enable Group Query Options,
select the blue arrow to expand its options, and configure the query.
For more information on determining user group membership by LDAP query, see
“Incoming policies” on page 357 or “Creating IP-based policies (server mode)” on
page 361.
Use LDAP Tree Node as Group: Select to use objects within the Base DN of User Query Options as if they were members of a user group object.
For example, your LDAP directory might not contain user group objects. In that sense, groups do not really exist in the LDAP directory. However, you could mimic a group’s presence by enabling this option to treat all users that are child objects of the Base DN in User Query Options as if they were members of such a group.
Member Of Group Attribute: Enter the name of the attribute, such as memberOf or gidNumber, whose value is the group number or DN of a group to which the user belongs.
This attribute must be present in user objects.
Whether the value must use common name, group number, or DN syntax varies by your LDAP server schema. For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000.
Use Group Name with Base DN as Group DN: Enable to specify the base distinguished name (DN) portion of the group’s full distinguished name (DN) in the LDAP profile. By specifying the group’s base DN and the name of its group name attribute in the LDAP profile, you will only need to supply the group name value when configuring each feature that uses this query.
For example, you might find it more convenient in each recipient-based policy to type only the group name, admins, rather than typing the full DN, cn=admins,ou=Groups,dc=example,dc=com. In this case, you could enable this option, then configure Group Base DN (ou=Groups,dc=example,dc=com) and Group Name Attribute (cn). When performing the query, the FortiMail unit would assemble the full DN by inserting the common name that you configured in the recipient-based policy between the Group Name Attribute and the Group Base DN configured in the LDAP profile.
Note: Enabling this option is appropriate only if your LDAP server’s schema specifies that the group membership attribute’s value must use DN syntax. It is not appropriate if this value uses another type of syntax, such as a number or common name. For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000. Because a group ID number does not use DN syntax, you would not enable this option.
Group Base DN: Enter the base DN portion of the group’s full DN, such as ou=Groups,dc=example,dc=com.
This option is available only if Use Group Name with Base DN as Group DN is enabled.
Group Name Attribute: Enter the name of the attribute, such as cn, whose value is the group name of a group to which the user belongs.
This option is available only if Use Group Name with Base DN as Group DN is enabled.
Look up Group Owner: Enable to query the group object by its distinguished name (DN) to retrieve the DN of the group owner, which is a user that will receive that group’s spam reports. Using that user’s DN, the FortiMail unit will then perform a second query to retrieve that user’s email address, where the spam report will be sent.
For more information on sending spam reports to the group owner, see “Spam Report Setting” on page 192 and “Recipients” on page 366.
Group Owner Attribute: Enter the name of the attribute, such as groupOwner, whose value is the distinguished name of a user object. You can configure the FortiMail unit to allow that user to be responsible for handling the group’s spam report.
If Look up Group Owner is enabled, this attribute must be present in group objects.
Group Owner Address Attribute: Enter the name of the attribute, such as mail, whose value is the group owner’s email address.
If Look up Group Owner is enabled, this attribute must be present in user objects.
6 If you want to define a user authentication query, enable User Auth Options, select
the blue arrow to expand its options, and configure the query.
For more information on authenticating users by LDAP query, see “Incoming
policies” on page 357.
Try UPN or Mail Address as Bind DN: Select to form the user’s bind DN by prepending the user name portion of the email address ($u) to the User Principal Name (UPN, such as example.com).
By default, the FortiMail unit will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in Alternative UPN Suffix. This can be useful if users authenticate with a domain other than the mail server’s principal domain name.
Try Common Name with Base DN as Bind DN: Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute, such as cn or uid.
This option is preconfigured and read-only if, in User Query Options, you have selected from Schema any schema style other than User Defined.
Search User and Try Bind DN: Select to form the user’s bind DN by using the DN retrieved for that user by User Query Options.
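The following Python, added here as an example and not the product’s own code, assembles a group DN from Group Name Attribute, a typed group name and Group Base DN as the Group Query Options above describe, forms the bind DN candidates for the three User Auth Options, and checks the Note’s caveat that the membership attribute value must use DN syntax before Use Group Name with Base DN as Group DN is enabled. The RFC 4514 escaping of the typed name is an assumption of the example, so that a name entered in a policy cannot add or alter RDNs.

```python
import re

# RFC 4514 section 2.4: characters that must be escaped in an RDN attribute value.
_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value so a typed name cannot inject extra RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _RDN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def group_dn(group_name: str, group_name_attr: str, group_base_dn: str) -> str:
    """Assemble <Group Name Attribute>=<name typed in the policy>,<Group Base DN>,
    e.g. cn=admins,ou=Groups,dc=example,dc=com."""
    return f"{group_name_attr}={escape_rdn_value(group_name)},{group_base_dn}"


def bind_dn_candidates(address: str, *, upn_suffix: str = "", cn_attr: str = "",
                       base_dn: str = "", searched_dn: str = "") -> list:
    """Return (method, bind DN) pairs for the User Auth Options that are configured.

    upn      : Try UPN or Mail Address as Bind DN ($u@<mail domain or Alternative UPN Suffix>)
    cn       : Try Common Name with Base DN as Bind DN (<cn attr>=<$u>,<base DN>)
    search   : Search User and Try Bind DN (the DN returned by User Query Options)
    """
    local, _, domain = address.partition("@")
    candidates = []
    if upn_suffix or domain:
        candidates.append(("upn", f"{local}@{upn_suffix or domain}"))
    if cn_attr and base_dn:
        candidates.append(("cn", f"{cn_attr}={escape_rdn_value(local)},{base_dn}"))
    if searched_dn:
        candidates.append(("search", searched_dn))
    return candidates


def looks_like_dn(value: str) -> bool:
    """True when a membership attribute value (e.g. memberOf) uses DN syntax; False for
    a gidNumber-style integer or a bare common name, in which case the guide says not to
    enable Use Group Name with Base DN as Group DN."""
    rdn = r"[A-Za-z][\w-]*=[^,]+"
    return re.fullmatch(rf"{rdn}(?:,{rdn})*", value) is not None


if __name__ == "__main__":
    # Constructed sample values taken from the guide's own examples.
    print(group_dn("admins", "cn", "ou=Groups,dc=example,dc=com"))
    print(bind_dn_candidates("alice@example.com", cn_attr="uid",
                             base_dn="ou=People,dc=example,dc=com"))
    for member_value in ("cn=admins,ou=Groups,dc=example,dc=com", "10000", "admins"):
        print(member_value, "-> DN syntax:", looks_like_dn(member_value))
```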
7 If you want to define a user alias query, enable User Alias Options, select the blue
arrow to expand its options, and configure the query.
Resolving aliases to real email addresses enables the FortiMail unit to send a
single spam report and maintain a single quarantine mailbox at each user’s
primary email account, rather than sending separate spam reports and
maintaining separate quarantine mailboxes for each alias email address. For
FortiMail units operating in server mode, this means that users need only log in to
their primary account in order to manage their spam quarantine, rather than
logging in to each alias account individually.
For more information on resolving email aliases by LDAP query, see “LDAP User
Alias / Address Mapping profile” on page 189.
Base DN: Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for either alias or user objects.
User or alias objects should be child nodes of this location.
Whether you should specify the base DN of either user objects or alias objects varies by your LDAP schema style. Schema may resolve alias email addresses directly or indirectly (using references).
• Direct resolution: Alias objects directly contain one or more email address attributes, such as mail or rfc822MailMember, whose values are user email addresses such as user@example.com, and that resolves the alias. The Base DN, such as ou=Aliases,dc=example,dc=com, should contain alias objects.
• Indirect resolution: Alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are “members” of the alias “group.” User objects’ email address attribute values, such as user@example.com, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member” attributes whose value is the DN of a user object, such as uid=user,ou=People,dc=example,dc=com. The FortiMail unit performs a first query to retrieve the distinguished names of “member” user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such as ou=People,dc=example,dc=com, should contain user objects.
Bind DN: Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN.
This field may be optional if your LDAP server does not require the FortiMail unit to authenticate when performing queries, and if you have enabled Allow unauthenticated ldap bind. For details, see “Allow unauthenticated ldap bind” on page 334.
Bind Password: Enter the password of the Bind DN.
Alias Member Attribute: Enter the name of the attribute, such as mail or rfc822MailMember, whose value is an email address to which the email alias resolves, such as user@example.com.
This attribute must be present in either alias or user objects, as determined by your schema and whether it
resolves aliases directly or indirectly. For more information,
see “Base DN” on page 329.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined.
Alias Member Query String Enter an LDAP query filter that selects a set of either user
or email alias objects, whichever object class contains the
attribute you configured in Alias Member Attribute, from the
LDAP directory.
The query filter string filters the result set, and should be
based upon any attributes that are common to all user/alias
objects but also exclude non-user/alias objects.
For example, if user objects in your directory have two
distinguishing characteristics, their objectClass and
mail attributes, the query filter might be:
(& (objectClass=alias) (mail=$m))
where $m is the FortiMail variable for a user's email
address.
If the email address ($m) as it appears in the message
header is different from the alias email address as it
appears in the LDAP directory, such as when you have
enabled recipient tagging, a query for the alias by the email
address ($m) may fail. In this case, you can modify the
query filter to subtract prepended or appended text from
the user name portion of the email address before
performing the LDAP query. For example, to subtract “-
spam” from the end of the user name portion of the
recipient email address, you could use the query filter:
(& (objectClass=alias) (mail=$m${-spam}))
where ${-spam} is the FortiMail variable for the tag to
remove before performing the query. Similarly, to subtract
“spam-” from the beginning of the user name portion of the
recipient email address, you could use the query filter:
(& (objectClass=alias) (mail=$m${^spam-}))
where ${^spam-} is the FortiMail variable for the tag to
remove before performing the query.
Whether you should configure this query filter to retrieve
user or alias objects depends on whether your schema
resolves email addresses directly or indirectly (using
references). For more information on direct vs. indirect alias
resolution, see “Base DN” on page 329.
If alias objects in your schema provide direct resolution,
configure this query string to retrieve alias objects.
Depending on your schema style, you may be able to do
this either using the user name portion of the alias email
address ($u), or the entire email address ($m). For
example, for the email aliases finance@example.com
and admin@example.com, if your LDAP directory
contains alias objects distinguished by cn: finance and
cn: admin, respectively, this query string could be
cn=$u.
If alias objects in your schema provide indirect resolution,
configure this query string to retrieve user objects by their
distinguished name, such as distinguishedName=$b or
dn=$b. Also enable User Group Expansion In Advance,
then configure Group Member Query String to retrieve
email address alias objects, and configure Group Member
Attribute to be the name of the alias object attribute, such
as member, whose value is the distinguished name of a
user object.
For more information on required object types and their
attributes, see “Preparing your LDAP schema for FortiMail
LDAP profiles” on page 311.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined.
For details on query syntax, refer to any standard LDAP
query filter reference manual.
User Group Expansion In Advance: Enable if your LDAP schema resolves email aliases indirectly. For more information on direct vs. indirect resolution, see “Base DN” on page 329.
When this option is disabled, alias resolution occurs using
one query. The FortiMail unit queries the LDAP directory
using the Base DN and the Alias Member Query String,
and then uses the value of each Alias Member Attribute to
resolve the alias.
When this option is enabled, alias resolution occurs using
two queries:
1 The FortiMail unit first performs a preliminary query
using the Base DN and Group Member Query String, and
uses the value of each Group Member Attribute as the
base DN for the second query.
2 The FortiMail unit performs a second query using the
distinguished names from the preliminary query (instead of
the Base DN) and the Alias Member Query String, and then
uses the value of each Alias Member Attribute to resolve
the alias.
The two-query approach is appropriate if, in your schema,
alias objects are structured like group objects and contain
references in the form of distinguished names of member
user objects, rather than directly containing email
addresses to which the alias resolves. In this case, the
FortiMail unit must first “expand” the alias object into its
constituent user objects before it can resolve the alias
email address.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined.
Group Member Attribute Enter the name of the attribute, such as member, whose
value is the DN of a user object.
This attribute must be present in alias objects only if they
do not contain an email address attribute specified in Alias
Member Attribute.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined. If you have selected User
Defined, this option is available only if User Group
Expansion In Advance is enabled.
Group Member Query String Enter an LDAP query filter that selects a set of alias
objects, represented as a group of member objects in the
LDAP directory.
The query filter string filters the result set, and should be
based upon any attributes that are common to all alias
objects but also exclude non-alias objects.
For example, if alias objects in your directory have two
distinguishing characteristics, their objectClass and
proxyAddresses attributes, the query filter might be:
(&(objectClass=group)
(proxyAddresses=smtp:$m))
where $m is the FortiMail variable for an email address.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined. If you have selected User
Defined, this option is available only if User Group
Expansion In Advance is enabled.
For details on query syntax, refer to any standard LDAP
query filter reference manual.
Scope Select which level of depth to query, starting from Base DN.
• One level: Query only the one level directly below the
Base DN in the LDAP directory tree.
• Subtree: Query recursively all levels below the
Base DN in the LDAP directory tree.
Derefer Select the method to use, if any, when dereferencing
attributes whose values are references.
• Never: Do not dereference.
• Always: Always dereference.
• Search: Dereference only when searching.
• Find: Dereference only when finding the base search
object.
Max alias expansion level: Enter the maximum number of nesting levels of aliases that the FortiMail unit will expand.
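The direct and indirect alias resolution described under Base DN, the variable substitution used by Alias Member Query String ($u, $m, $b, ${-tag} and ${^tag}), and the two-query expansion enabled by User Group Expansion In Advance, worked through as an added example. This is illustrative Python, not FortiMail code: the in-memory DIRECTORY, the filter parser, the One level/Subtree scope handling and the function names are assumptions made for this illustration, and the parser evaluates only equality matches combined with & and |. The escape() step applies RFC 4515 escaping to every substituted value, which is what keeps address data taken from a message from altering the structure of the filter.

```python
import re
from typing import Dict, List

# Constructed in-memory stand-in for the LDAP directory (example data only).
# Attribute values are lists because LDAP attributes are multi-valued.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    # Direct resolution: the alias object itself carries the member addresses.
    "cn=finance,ou=Aliases,dc=example,dc=com": {
        "objectClass": ["alias"], "cn": ["finance"], "mail": ["finance@example.com"],
        "rfc822MailMember": ["alice@example.com", "bob@example.com"]},
    # Indirect resolution: a group-like alias that only references member DNs.
    "cn=admin,ou=Aliases,dc=example,dc=com": {
        "objectClass": ["group"], "proxyAddresses": ["smtp:admin@example.com"],
        "member": ["uid=alice,ou=People,dc=example,dc=com",
                   "uid=carol,ou=People,dc=example,dc=com"]},
    "uid=alice,ou=People,dc=example,dc=com": {"uid": ["alice"], "mail": ["alice@example.com"]},
    "uid=bob,ou=People,dc=example,dc=com": {"uid": ["bob"], "mail": ["bob@example.com"]},
    "uid=carol,ou=People,dc=example,dc=com": {"uid": ["carol"], "mail": ["carol@example.com"]},
}

def escape(value: str) -> str:
    """RFC 4515 escaping: substituted data must not be able to change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

# $m${-tag} / $m${^tag} (tag removal), then the plain variables $m, $u, $b.
_VAR_RE = re.compile(r"\$m\$\{(\^?)([^}]*)\}|\$[mub]")

def expand_query(template: str, address: str, dn: str = "") -> str:
    """Expand FortiMail-style variables: $m whole address, $u user-name portion,
    $b DN from a preliminary query, $m${-tag} strips tag from the end of the
    user name, $m${^tag} strips it from the start. All values are escaped."""
    local, _, domain = address.partition("@")

    def sub(m):
        simple = {"$m": address, "$u": local, "$b": dn}
        if m.group(0) in simple:
            return escape(simple[m.group(0)])
        anchored, tag, user = m.group(1), m.group(2), local
        if tag and anchored and user.startswith(tag):
            user = user[len(tag):]
        elif tag and not anchored and user.endswith(tag):
            user = user[:-len(tag)]
        return escape(user + "@" + domain)

    return _VAR_RE.sub(sub, template)

def _parse(flt: str):
    """Parse the filter subset used here: (&...), (|...) and (attr=value)."""
    flt = flt.strip()
    if not flt.startswith("("):
        flt = "(" + flt + ")"            # a bare 'cn=$u' is accepted as on the page
    body = flt[1:-1].strip()
    if body[0] in "&|":
        items, depth, start = [], 0, 0
        for i, ch in enumerate(body[1:], 1):
            if ch == "(":
                start = i if depth == 0 else start
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    items.append(_parse(body[start:i + 1]))
        return body[0], items
    attr, _, value = body.partition("=")
    value = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return "=", attr.strip().lower(), value

def _matches(dn: str, attrs: Dict[str, List[str]], node) -> bool:
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(dn, attrs, n) for n in node[1])
    _, attr, value = node
    if attr in ("dn", "distinguishedname"):   # pseudo-attribute for dn=$b queries
        return dn.lower() == value.lower()
    values = {k.lower(): v for k, v in attrs.items()}.get(attr, [])
    return value.lower() in (v.lower() for v in values)

def search(base_dn: str, flt: str, scope: str = "subtree") -> List[str]:
    """Return DNs at/below base_dn ('onelevel' or 'subtree') matching the filter."""
    node, base, hits = _parse(flt), base_dn.lower(), []
    for dn, attrs in DIRECTORY.items():
        low = dn.lower()
        rdn = low[:-len(base) - 1] if low.endswith("," + base) else None
        in_scope = low == base or (rdn is not None and (scope == "subtree" or "," not in rdn))
        if in_scope and _matches(dn, attrs, node):
            hits.append(dn)
    return hits

def resolve_direct(address, base_dn, alias_query, alias_member_attr) -> List[str]:
    """One query: alias objects hold the addresses directly in Alias Member Attribute."""
    found: List[str] = []
    for dn in search(base_dn, expand_query(alias_query, address)):
        found += DIRECTORY[dn].get(alias_member_attr, [])
    return found

def resolve_indirect(address, base_dn, group_query, group_member_attr,
                     alias_query, alias_member_attr) -> List[str]:
    """Two queries (User Group Expansion In Advance): fetch member DNs from the
    group-like alias, then query each member DN for its Alias Member Attribute."""
    member_dns: List[str] = []
    for dn in search(base_dn, expand_query(group_query, address)):
        member_dns += DIRECTORY[dn].get(group_member_attr, [])
    found: List[str] = []
    for member_dn in member_dns:
        for dn in search(member_dn, expand_query(alias_query, address, dn=member_dn)):
            found += DIRECTORY[dn].get(alias_member_attr, [])
    return found
```

The recipient-tagging case from the page is covered by passing a tagged address such as finance-spam@example.com with the filter `(& (objectClass=alias) (mail=$m${-spam}))`; the tag is removed before the address is substituted, so the query finds the untagged alias object.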
8 If you want to define a mail routing query, enable Mail Routing Options, select the
blue arrow to expand its options, and configure the query.
Note: The Mail Routing Options query occurs after recipient tagging processing. If you
have enabled recipient tagging, the Mail Routing Options query will then be based on the
tagged recipient address. If the tagged email address does not exist for the user in the
LDAP directory, you may prefer to transform the recipient address by using the User Alias
Options query.
For more information on routing email by LDAP query, see “Mail Routing” on
page 189.
Mail Host Attribute Enter the name of the attribute, such as mailHost, whose
value is the fully qualified domain name (FQDN) or IP
address of the email server that stores email for the user’s
email account.
This attribute must be present in user objects.
Mail Routing Address Attribute: Enter the name of the attribute, such as mailRoutingAddress, whose value is the email address of a deliverable user on the email server, also known as the mail host.
For example, a user may have many aliases and external
email addresses that are not necessarily known to the
email server. These addresses would all map to a real
email account (mail routing address) on the email server
(mail host) where the user’s email is actually stored.
A user’s recipient email address located in the envelope or
header portion of each email will be rewritten to this
address.
This attribute must be present in user objects.
9 If you want to define an antispam and antivirus processing option query, enable
AS/AV On/Off Options, select the blue arrow to expand its options, and configure
the query.
Note: If the AS/AV On/Off Options query fails, the FortiMail unit will instead use the
antispam and antivirus processing settings defined in the profile for that policy.
AntiSpam On/Off Attribute Enter the name of the attribute, such as antispam, whose
value indicates whether or not to perform antispam
processing for that user. Multiple value syntaxes are
permissible. For details, see “LDAP directory requirements
for each FortiMail LDAP profile query” on page 315.
This attribute must be present in user objects.
AntiVirus On/Off Attribute Enter the name of the attribute, such as antivirus,
whose value indicates whether or not to perform antivirus
processing for that user. Multiple value syntaxes are
permissible. For details, see “LDAP directory requirements
for each FortiMail LDAP profile query” on page 315.
This attribute must be present in user objects.
12 If your FortiMail unit is currently operating in server mode, and you want to define
a webmail password change query, enable Webmail Password Options, select the
blue arrow to expand its options, and select your LDAP server’s user schema
style, either “openldap” or “activedirectory”.
This option does not appear for FortiMail units operating in gateway or transparent
mode. “activedirectory” appears only if Use secure connection is “ssl”.
13 Select OK.
The LDAP profile appears in the LDAP profile list. Before using the LDAP profile in
other areas of the configuration, verify the configuration of each query that you
have enabled in the LDAP profile. Incorrect query configuration can result in
unexpected mail processing behavior. For information on testing queries, see
“Testing LDAP profile queries” on page 335.
4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record.
Figure 248: Test LDAP Group Query (Use Group Name with Base DN as Group DN is disabled)
Figure 249: Test LDAP Group Query (Use Group Name with Base DN as Group DN is enabled)
4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
Figure 251: Test LDAP Group Owner Query (Use Group Name with Base DN as Group DN is disabled)
Figure 252: Test LDAP Group Owner Query (Use Group Name with Base DN as Group DN is enabled)
6 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the group record and find
the group owner and their email address.
4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 In Password, enter the current password for that user.
6 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record, or
binding to authenticate the user.
4 In Mail Address, enter the email address alias of a user on the LDAP server, such
as test-alias@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the alias record, or
binding to authenticate the user.
4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record and find
the mail host and mail routing address for that user.
4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record and find
the antispam and antivirus processing preferences for that user.
4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record and find
the internal and external email addresses for that user.
5 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
Caution: Only use an email account whose password it is acceptable to change, and make note of the new password. Verifying the Webmail Password Options query configuration performs a real password change, and does not restore the previous password after the query has been verified.
IP Pool
The IP Pool menu enables you to create IP pool profiles.
The IP Pool menu includes the following tab:
• IP Pool Lists
IP Pool Lists
The IP Pool Lists tab displays the list of IP pool profiles.
You can use IP pool profiles if you want outgoing email to originate from a
configured range of IP addresses. Each email message that the FortiMail unit
sends will use the next IP address in the range. When the last IP address in the
range is used, the next email message will use the first IP address.
You can select which IP pool profile, if any, that the FortiMail unit will use for each
protected domain. For more information, see “Domains” on page 180.
You can also select IP pool profiles in each IP-based policy. The IP pool policy
selected in the protected domain will override the one selected in the IP-based
policy, unless “If this policy matches then don't check for a recipient match” is
enabled in the IP-based policy. For more information, see “IP based policies” on
page 359.
FortiMail units will use IP pool addresses only if the sender email address involves
a protected domain and the recipient email address does not. FortiMail units will
not use IP pool addresses for:
• email sent from unprotected domains
• email sent between protected domains
To view the list of IP pool profiles, go to Profile > IP Pool > IP Pool Lists.
To create an IP pool
1 Go to Profile > IP Pool > IP Pool Lists.
2 Select Create New.
TLS
The TLS menu enables you to create transport layer security (TLS) profiles.
The TLS menu includes the following tab:
• TLS Profile
TLS Profile
The TLS Profile tab enables you to create TLS profiles, which contain settings for
TLS-secured connections.
TLS profiles, unlike other types of profiles, are applied through access control
rules and message delivery rules, not policies. For more information, see “Access”
on page 198.
To view the list of TLS profiles, go to Profile > TLS > TLS Profile.
CA Issuer The type of the match, and the text that the CA Issuer field
of the server’s certificate must match.
This text must correlate to a CA certificate that you have
installed on the FortiMail unit. For information on installing
CA certificates, see “CA Certificate” on page 161.
The text is prefixed by a letter that indicates the type of the
match that you have configured in the profile:
• E: The text of the CA Issuer field must equal this value
exactly.
• S: The text of the CA Issuer field must contain this
value.
• W: The text of the CA Issuer field must be similar to this
value in the pattern indicated by wild cards.
This option does not apply and will be empty for profiles
whose TLS Level is not Secure. It may also be empty if you
have not configured the TLS profile to require a specific CA
Issuer.
CN Subject The type of the match, and the text that the CN Subject field
of the server’s certificate must match.
The text is prefixed by a letter that indicates the type of the
match that you have configured in the profile:
• E: The text of the CN Subject field must equal this value exactly.
• S: The text of the CN Subject field must contain this value.
• W: The text of the CN Subject field must be similar to this value in the pattern indicated by wild cards.
This option does not apply and will be empty for profiles whose TLS Level is not Secure. It may also be empty if you have not configured the TLS profile to require a specific CN Subject.
Action Indicates the action the FortiMail unit takes when a TLS
connection cannot be established.
• T: Temporarily fail.
• F: Fail.
This option does not apply and will be empty for profiles
whose TLS Level is Preferred.
Modify Select Edit to modify the profile. For more information, see
“To create a TLS profile” on page 351.
Select Delete to remove the profile. This icon does not
appear if the profile is currently selected in a policy.
Create New Select to add a profile. For more information, see “To create
a TLS profile” on page 351.
4 From TLS level, select the security level of the TLS profile:
• None: Disables TLS. Requests for a TLS connection will be ignored.
• Preferred: Allows a simple TLS connection, but does not require it. Data is not
encrypted, nor is the identity of the server validated with a certificate.
• Encrypt: Requires a basic TLS connection. Failure to negotiate a TLS
connection results in the connection being rejected according to the Action on
failure setting.
• Secure: Requires a certificate-authenticated TLS connection. CA certificates
must be installed on the FortiMail unit before they can be used for secure TLS
connections.
The availability of other options varies by your selection in TLS level.
5 Configure the following:
CA Issuer match Select the type of match required when the FortiMail unit
compares the string in the CA Issuer field and the same
field in the installed CA certificates. For more information on
CA certificates, see “CA Certificate” on page 161.
CA Issuer must be enabled for CA Issuer match to have
any effect.
This option appears only if TLS level is Secure.
CA Issuer Enable and enter a string on the CA Issuer field to select a
CA certificate by the CA Issuer. The FortiMail unit will
compare the string in the CA Issuer field with the same field
in the installed CA certificates.
The CA Issuer drop down lists all of the installed CA
certificates. Selecting a certificate will populate the CA
Issuer field with the certificate CA issuer.
This option appears only if TLS level is Secure.
CN subject match Select the type of match required when the FortiMail unit
compares the string in the CN Subject and the same field in
the installed CA certificates.
CN Subject must be enabled for CN subject match to have
any effect.
This option appears only if TLS level is Secure.
CN Subject Enable and enter a string in the CN Subject field to select a
CA certificate by the CN Subject. The FortiMail unit will
compare the string in the CN Subject field with the same
field in the installed CA certificates.
This option appears only if TLS level is Secure.
Encryption Strength Enter the bit size of the encryption key. Greater key size
results in stronger encryption, but requires more processing
resources.
This option appears only if TLS level is Encrypt or Secure.
Action on failure Select whether to fail or temporarily fail if a TLS connection
with the parameters described in the TLS profile cannot be
established.
This option does not appear if TLS level is Preferred.
6 Select OK.
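The TLS level semantics (None, Preferred, Encrypt, Secure), the three match types E, S and W applied to the CA Issuer and CN Subject fields, the Encryption Strength minimum and the Action on failure setting, modelled as an added example. This is illustrative Python, not FortiMail code: the TLSProfile and ConnectionFacts records, the evaluate() function and the exact order in which the checks are applied are assumptions for this illustration; the page states which conditions a profile imposes, not the internal evaluation order.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional, Tuple

Match = Tuple[str, str]   # (match type letter E/S/W, required text)

def parse_prefixed(text: str) -> Match:
    """Split a list-view value such as 'W*.example.com' into ('W', '*.example.com')."""
    if not text or text[0] not in "ESW":
        raise ValueError("expected a match-type prefix E, S or W")
    return text[0], text[1:]

def field_matches(match: Match, actual: str) -> bool:
    """Apply one of the three match types to a certificate field value."""
    kind, required = match
    if kind == "E":                          # must equal this value exactly
        return actual == required
    if kind == "S":                          # must contain this value
        return required in actual
    if kind == "W":                          # wildcard pattern, e.g. *.example.com
        return fnmatch.fnmatchcase(actual, required)
    raise ValueError(f"unknown match type {kind!r}")

@dataclass
class TLSProfile:
    level: str                               # "none", "preferred", "encrypt" or "secure"
    encryption_strength: int = 0             # minimum key size in bits (Encrypt/Secure)
    ca_issuer: Optional[Match] = None        # CA Issuer match rule (Secure only)
    cn_subject: Optional[Match] = None       # CN Subject match rule (Secure only)
    action_on_failure: str = "F"             # F = fail, T = temporarily fail

@dataclass
class ConnectionFacts:
    """What was observed on the session (constructed values for the example)."""
    tls_negotiated: bool
    key_bits: int = 0
    chain_trusted: bool = False              # peer certificate chains to an installed CA
    issuer: str = ""
    subject_cn: str = ""

def evaluate(profile: TLSProfile, conn: ConnectionFacts) -> str:
    """Return 'proceed', 'fail' or 'tempfail' for the session under the profile."""
    failure = "fail" if profile.action_on_failure == "F" else "tempfail"
    if profile.level in ("none", "preferred"):
        return "proceed"                     # nothing is required of the peer
    # Encrypt and Secure both require a TLS session of at least the configured strength.
    if not conn.tls_negotiated or conn.key_bits < profile.encryption_strength:
        return failure
    if profile.level == "encrypt":
        return "proceed"
    # Secure: the certificate must be trusted and satisfy any issuer / CN rules.
    if not conn.chain_trusted:
        return failure
    if profile.ca_issuer and not field_matches(profile.ca_issuer, conn.issuer):
        return failure
    if profile.cn_subject and not field_matches(profile.cn_subject, conn.subject_cn):
        return failure
    return "proceed"
```

Note that with level Preferred the session proceeds whether or not TLS was negotiated, which is exactly why the page says Preferred neither guarantees encryption nor validates the server identity; only Secure ties the session to a certificate you have installed and matched.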
Policy
The Policy menu enables you to create policies that include profiles to filter email
traffic and manage email user accounts.
The Policy menu includes:
• Recipient based policies
• IP based policies
What is a policy?
After creating the antispam, antivirus, content, authentication, or misc profiles
(see “Profile” on page 241), you need to apply them to policies for them to take
effect. A policy defines what traffic will be filtered in which way. A policy can also
determine user account settings, such as authentication type, disk quota, and
access to webmail.
The FortiMail unit supports two types of policies: recipient-based policies and IP-based policies.
Recipient-based policies vs. IP-based policies
Recipient-based policies are run on messages sent to a user or user group
specified in a policy.
IP-based policies are run when the IP address matches the client address
specified in the policy in gateway and server modes, or when both IP addresses
match the client and server addresses specified in the policy in transparent mode.
Incoming vs. outgoing recipient-based policies
To configure recipient-based policies properly, you must understand how the FortiMail unit determines whether an email message is incoming or outgoing. This matters because there are two types of recipient-based policies, incoming and outgoing, and they are configured separately.
The deciding factor is the domain of the message recipient. If the recipient domain
is a protected domain, configured in Mail Settings > Domains, the FortiMail unit
considers the message as incoming and applies the first matching incoming
policy. If the recipient domain is not a protected domain, the message is
considered outgoing.
Note: IP-based policies are not divided into incoming and outgoing types. Only the client IP
address (in gateway and server modes) or the client and server IP addresses (in
transparent mode) are used to determine whether a match occurs.
Note: If no recipient-based policy matches the message and no IP-based policy matches
the session, no policies are applied and the mail is delivered.
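The direction rule (recipient domain protected means incoming, otherwise outgoing), the first-match behaviour of recipient-based policies, the fall-through to IP-based policies and plain delivery when nothing matches, and the IP pool eligibility rule from the IP Pool Lists section, combined in an added example. This is illustrative Python, not FortiMail code: how a recipient-based policy names its recipients (a wildcard pattern here), the gateway/server-mode client-network match, and checking recipient-based before IP-based policies are all assumptions made for this illustration; the real execution order is covered in “How to use policies”, not on this page.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class RecipientPolicy:
    name: str
    recipient_pattern: str               # assumed: wildcard pattern such as "*@example.com"
    profiles: List[str] = field(default_factory=list)

@dataclass
class IPPolicy:
    name: str
    client_network: str                  # gateway/server mode: the client address only
    profiles: List[str] = field(default_factory=list)

def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()

def direction(recipient: str, protected_domains: Set[str]) -> str:
    """Recipient in a protected domain: incoming. Otherwise: outgoing."""
    return "incoming" if _domain(recipient) in protected_domains else "outgoing"

def uses_ip_pool(sender: str, recipient: str, protected_domains: Set[str]) -> bool:
    """IP pool addresses apply only to protected-domain senders writing to unprotected domains."""
    return _domain(sender) in protected_domains and _domain(recipient) not in protected_domains

def match_policy(sender: str, recipient: str, client_ip: str, protected_domains: Set[str],
                 incoming: List[RecipientPolicy], outgoing: List[RecipientPolicy],
                 ip_policies: List[IPPolicy]) -> Tuple[str, Optional[object]]:
    """Return (direction, first matching policy) or (direction, None) if nothing matches,
    in which case no policies are applied and the message is delivered as-is."""
    d = direction(recipient, protected_domains)
    for policy in (incoming if d == "incoming" else outgoing):
        if fnmatch.fnmatchcase(recipient.lower(), policy.recipient_pattern.lower()):
            return d, policy                 # first matching recipient-based policy wins
    ip = ipaddress.ip_address(client_ip)
    for policy in ip_policies:
        if ip in ipaddress.ip_network(policy.client_network):
            return d, policy
    return d, None
```

Keeping policy lists ordered from most to least specific is what the first-match rule relies on; a catch-all `*@example.com` entry placed ahead of a stricter per-user entry would shadow it.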
Incoming policies
The Incoming tab enables you to create and apply policies to incoming email to
protect the email recipients on the domains configured on the FortiMail unit. For
definitions of outgoing and incoming email, see “What is a policy?” on page 355.
For information about how recipient-based and IP-based policies are executed
and how the order of policies affects the execution, see “How to use policies” on
page 356.
To view the incoming recipient-based policy list, go to Policy > Recipient
Based > Incoming.
Profiles listed in the policy table appear as linked text. To modify profile settings,
select the required profile.
Outgoing policies
The Outgoing tab enables you to create and apply policies to outgoing email to
protect the email recipients on all domains not configured on the FortiMail unit. For
definitions of outgoing and incoming email, see “What is a policy?” on page 355.
For information about how recipient-based and IP-based policies are executed
and how the order of policies affects the execution, see “How to use policies” on
page 356.
To view the outgoing recipient-based policy list, go to Policy > Recipient Based >
Outgoing.
Profiles listed in the policy table appear as linked text. To modify profile settings,
select the required profile.
IP based policies
The IP Based menu enables you to create policies by applying profiles to SMTP
connections. In gateway and server modes, you specify an address for the client.
In transparent mode, you specify IP addresses for the client and the server.
Client vs. server
The client is the computer initiating the connection and the server is the computer
receiving the connection. For example, if system A opened a connection to
system B to deliver mail, A is the client and B is the server. If system B later
opened a connection to system A to deliver a response, B is now the client and A
is the server.
Profiles listed in the policy table appear as linked text. To modify profile settings,
select the required profile.
AntiSpam
The AntiSpam menu enables you to configure antispam settings that are system-
wide or otherwise not configured individually for each antispam profile. It also
enables you to monitor and maintain some antispam features, such as sender
reputation and quarantined email.
Several antispam features require that you first configure system-wide, per-
domain, or per-user settings in the AntiSpam menu before you can use the feature
in an antispam profile. For example, before you can enable FortiGuard Antispam
scanning in an antispam profile, you must enable the service and verify
connectivity with the FortiGuard Antispam service using the AntiSpam menu. For
more information on antispam profiles, see “AntiSpam” on page 241.
The AntiSpam menu includes:
• Quarantine
• FortiGuard-AntiSpam
• Bayesian
• Black/White List
• Greylist
• Sender Reputation
• MSISDN Reputation
• Bounce Verification
Quarantine
The Quarantine submenu enables you to view and delete email messages that
have been quarantined to the FortiMail unit’s hard drive, to configure the
quarantines, and to configure system-wide settings for spam reports.
You can quarantine email messages based upon the content of the email
messages, such as whether the email is spam or contains a prohibited word or
phrase. FortiMail units have two types of quarantine:
• Per-recipient quarantine: Quarantines email messages into separate folders
for each recipient address in each protected domain. The FortiMail periodically
sends spam reports to notify recipients, their designated group owner, and/or
another email address of the email messages that have been added to the
quarantine folder for that recipient.
• System quarantine: Quarantines email messages into a system-wide
quarantine. Unlike the per-recipient quarantine, the FortiMail unit does not
send a spam report and a FortiMail administrator should review the
quarantined email messages to decide if they should be released or deleted.
To quarantine spam and/or email with prohibited content, you must first select a
quarantine action in an antispam profile or content profile. Quarantine actions,
such as whether to quarantine to the system quarantine or the per-recipient
quarantine, vary by whether the profile is a content profile or antispam profile, and
whether the email is incoming or outgoing. For more information on quarantine
actions, see “Actions options” on page 257, “Actions options” on page 263,
“Incoming” on page 276, and “Outgoing” on page 281.
Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.
All FortiMail models can be configured to remotely store their quarantined email
messages in a centralized quarantine hosted on a FortiMail-2000 model or
greater. For more information, see “Storage” on page 178.
The Quarantine menu includes the following tabs:
• Recipients
• Control Account
• Spam Report
• System quarantine
• System quarantine setting
Recipients
The Recipients tab displays the per-recipient quarantine.
When incoming email matches a policy in whose profile you have configured the
FortiMail unit to quarantine the email to the per-recipient spam quarantine, the
FortiMail unit will save the email to its hard drive and not deliver it to the recipient.
Instead, the FortiMail unit will periodically send a spam report to email users, their
designated group owner, or another recipient (if you have configured one in the
advanced mode of the web-based manager). The spam report, by default sent
once a day at 9 AM, lists all email messages that were withheld since the previous
spam report. Using the spam report, email users can review email message
details and release any email messages that are false positives by clicking the link
associated with them. The email message will then be released from the
quarantine and delivered to the email user’s inbox. Using the web-based
manager, FortiMail administrators can also manually release or delete
quarantined email. For more information on deleting email that has been
quarantined to the per-recipient quarantine, see “Managing email in per-recipient
quarantines” on page 368. For information on configuring the schedule and
recipients of the spam report, see “Spam Report” on page 376.
You can configure the FortiMail unit to send email to the per-recipient quarantine
by selecting “Quarantine” as the action in content profiles and antispam profiles.
For more information, see “Actions options” on page 257 and “Incoming” on
page 276.
Unlike the system-wide quarantine, the per-recipient quarantine can be accessed
remotely by email users so that they can manage their own quarantined email. For
information on configuring remote per-recipient quarantine access through email,
see “Control Account” on page 375. For information on configuring remote per-
recipient quarantine access through HTTP or HTTPS, see “Spam Report” on
page 376.
To view the list of per-recipient quarantine folders, go to AntiSpam >
Quarantine > Recipients.
Figure 275: Recipients
Check To select all quarantine folders, select the checkbox in the Check
column heading.
To select individual quarantine folders, in the Check column, mark the
checkboxes in the rows of quarantine folders that you want to select.
Recipient The email address of a recipient for which the FortiMail unit has
quarantined email.
Select to view email messages quarantined for that recipient. For more
information, see “Managing email in per-recipient quarantines” on
page 368.
Size(KBytes) The size of the quarantine folder.
Note: Folder sizes are updated once an hour.
Note: Email users can also manage their own per-recipient quarantines through spam
reports. For more information, see “Releasing and deleting email from the per-recipient
quarantine using spam reports” on page 382.
Search Result
Refresh: Select to refresh the page. This can be useful to display the current Status of a search task.
#: The index number of a search task. Select to display the search results.
Status: The completion status of the search task, such as Done or Pending.
Name: The date and time on which the search task was executed. Select to display the search results.
Action: Select View Result to display the search results. Select Copy to New to create a new search task by duplicating the settings of this search task. Select “stop” to pause the search task; the icon changes to a green “resume” arrow. Select “resume” to resume the search task. Select Delete to remove the search results.
5 Select OK.
The FortiMail unit executes the search, which appears in the Search Result
section.
System quarantine
The System quarantine tab displays the system quarantine.
Unlike the per-recipient quarantine, the system quarantine cannot be accessed
remotely by email users; they will not receive spam reports for email held in the
system quarantine, and cannot manage the system quarantine themselves. A
FortiMail administrator should therefore periodically review the contents of the
system quarantine. Alternatively, you can configure a special-purpose system
quarantine administrator for this task. For more information, see “System
quarantine setting” on page 384.
By default, the system quarantine is not used. You can configure the FortiMail unit
to send email to the system quarantine by selecting “Quarantine to Review” as the
action in content profiles and in outgoing antispam profiles. For more information,
see “Actions options” on page 263 and “Outgoing” on page 281.
To view the list of system quarantine folders, go to AntiSpam > Quarantine > System quarantine. The list includes the current “Inbox” folder and any rotated folders.
Note: You can also configure a system quarantine administrator account whose exclusive purpose is to manage the system quarantine. For more information, see “System quarantine setting” on page 384.
4 Select the action that you want to perform on the quarantined email.
• To view additional message headers, select “detail header”.
• To release the email message to its recipient, select Release.
• To delete the email message from the quarantine, select Delete.
• To forward the email message to another email address, select Forward. To use an email address from the system quarantine administrator or system-wide address book, select “To:”, “CC:”, or “BCC:”. For information on adding email addresses to the system quarantine administrator’s address book, see “Access Address Book” on page 385.
From: Enter either or both the display name and sender email address as it appears in the message header, such as: User 1 <user1@example.com>
To: Enter either or both the display name and recipient email address as it appears in the message header, such as: User 2 <user2@example.com>
CC: Enter carbon copy email addresses.
Subject: Enter all or part of the text contained in the subject line.
Text: Enter all or part of the text contained in the message body.
From (date selector): Enter the beginning of the range of email message dates to include in the search results.
5 Select Apply.
The FortiMail unit executes the search, and displays a list of email messages in
the system quarantine that match the search criteria.
Control Account
The Control Account tab enables you to configure quarantine control account
email addresses.
Email users can remotely release or delete email messages in their per-recipient
quarantine by sending email to quarantine control account email addresses.
For example, if Release User is release-ctrl and the local domain name of the
FortiMail unit is example.com, an email user could release an email message from
their per-recipient quarantine by sending an email to release-ctrl@example.com
whose subject line contains the recipient address and the Message-Id of the
quarantined message, separated by a colon.
For more information, see “Releasing and deleting email from the per-recipient
quarantine using spam reports” on page 382.
To configure the quarantine release and delete email addresses, go to
AntiSpam > Quarantine > Control Account.
Release User: Enter the user name portion, such as release-ctrl, of the email address on the FortiMail unit that will receive quarantine release commands.
Note: If you have more than one FortiMail unit, this must be unique on each FortiMail unit.
Delete User: Enter the user name portion, such as delete-ctrl, of the email address on the FortiMail unit that will receive quarantine delete commands.
Note: If you have more than one FortiMail unit, this must be unique on each FortiMail unit.
Spam Report
The Spam Report tab enables you to configure various system-wide aspects of
the spam report, including the schedule for when the FortiMail unit will send spam
reports.
FortiMail units send spam reports to notify email users when email has been
quarantined to their per-recipient quarantine. If no email messages have been
quarantined to the per-recipient quarantine folder in the period since the previous
spam report, the FortiMail unit will not send a spam report.
In addition to the system-wide spam report settings, you can also configure some
spam report settings individually for each protected domain, including whether the
FortiMail unit will send either or both plain text and HTML format spam reports. For
more information, see “Spam Report Setting” on page 192.
For information on the contents of the plain text and HTML format spam report,
see “Understanding the plain text formatted spam report” on page 378 and
“Understanding the HTML formatted spam report” on page 380.
Schedule
These Hours: Select the hours of the day during which you want the FortiMail unit to generate spam reports.
These Days: Select the days of the week during which you want the FortiMail unit to generate spam reports.
Webmail Access Setting
Time Limited Access Without Authentication: Enable to allow email users who click a web access link in their spam report to access their per-recipient quarantine without having to log in. Also configure Expiry Period. Disable to require that email users enter their user name and password.
While this option is enabled, the link itself is the credential: anyone who obtains it before the Expiry Period elapses can release or delete messages in that quarantine without a password. Keep Expiry Period short, and enable Using HTTPS so that quarantine access is redirected to an encrypted connection.
Expiry Period: Enter the period of time after the spam report is generated during which the email user can access the per-recipient quarantine without authenticating. This option is available only if Time Limited Access Without Authentication is enabled.
Using HTTPS: Select to redirect HTTP requests for FortiMail webmail and per-recipient quarantines to secure access using HTTPS.
Note: For this option to function properly, you must also enable both HTTP and HTTPS access protocols on the network interface to which the email user is connecting. For more information, see “Editing network interfaces” on page 130.
Web Release Host Name/IP: Enter a host name for the FortiMail unit that will be used for web release links in spam reports. If this field is left blank:
• If the FortiMail unit is operating in gateway mode or server mode, web release links in the spam report will use the local domain name of the FortiMail unit. For more information, see “Local Host” on page 167.
• If the FortiMail unit is operating in transparent mode, web release links in the spam report will use the FortiMail unit’s management IP address. For more information, see “Management IP” on page 135.
Configuring an alternate host name for web release links can be useful if the local domain name or management IP of the FortiMail unit is not resolvable from everywhere that email users will use their spam reports. In that case, you can override the web release link to use a globally resolvable host name or IP address.
Spam Report Recipient Setting
Domain: The name of a protected domain. For more information on protected domains, see “Domains” on page 180.
Send to Individual Recipients: Enable to send spam reports to each recipient address in the protected domain.
Send to LDAP Group Owner: Enable to send spam reports to the email addresses of group owners, then select the name of an LDAP profile in which you have enabled and configured Group Query Options. For more information, see “Creating LDAP profiles” on page 321.
Send to Other Recipient: Enable to send spam reports to an email address other than the recipients or group owners, then enter the email address.
Note: The contents of spam reports are customizable. For more information, see “Custom
Messages” on page 173.
Report content (plain text format)
Message header of spam report:
Subject: Quarantine Summary: [ 3 message(s) quarantined from Thu, 04 Sep 2008 11:00:00 to Thu, 04 Sep 2008 12:00:00 ]
From: release-ctrl@example.com
Date: Thu, 04 Sep 2008 12:00:00
To: user1@example.com
Quarantined email #1:
Date: Thu, 04 Sep 2008 11:52:51
Subject: [SPAM] information leak
From: User 1 <user1@example.com>
Message-Id: MTIyMDU0MzU3MS43NDJfNTk5ODcuRm9ydGlNYWlsLTQwMCwjRiNTIzYzMyNFLFU4OjIsUw==
Quarantined email #2:
Date: Thu, 04 Sep 2008 11:51:10
Subject: [SPAM] curious?
From: User 1 <user1@example.com>
Message-Id: MTIyMDU0MzQ3MC43NDFfOTA0MjcxLkZvcnRpTWFpbC00MDAsI0YjUyM2MjUjRSxVNzoyLA==
Quarantined email #3:
Date: Thu, 04 Sep 2008 11:48:50
Subject: [SPAM] Buy now!!!! lowest prices
From: User 1 <user1@example.com>
Message-Id: MTIyMDU0MzMzMC43NDBfNjkwMTUwLkZvcnRpTWFpbC00MDAsI0YjUyM2NDIjRSxVNToyLA==
Instructions for deleting or releasing quarantined email:
Actions:
o) Release a message: Send an email to <release-ctrl@example.com> with subject line set to “user1@example.com:Message-Id”.
o) Delete a message: Send an email to <delete-ctrl@example.com> with subject line set to “user1@example.com:Message-Id”.
o) Delete all messages: Send an email to <delete-ctrl@example.com> with subject line set to “delete_all:user1@example.com:e4d46814:ac146004:05737c7c111d68d0111d68d0111d68d0”.
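The following Python script is an added example for this section; it is not part of the FortiMail documentation or product. It parses a plain text spam report laid out as shown above (the report text is constructed here and shortened to two entries) and composes the release or delete command messages described under Actions: an email from the report’s recipient to the advertised control account, with the subject line set to the recipient address and the Message-Id separated by a colon. The control account addresses and the example.com domain come from the sample report; the function names, the regular expressions and the assumption that each Message-Id occupies a single line are the example’s own.

```python
"""Build FortiMail quarantine control messages from a plain text spam report.

Added example for this guide, not FortiMail code.  The report layout and the
control-account conventions (release-ctrl / delete-ctrl, subject line set to
"<recipient>:<Message-Id>") are taken from the sample report above; the report
text below is constructed here so the script runs offline.
"""
import re
from email.message import EmailMessage

# Constructed sample, shortened from the plain text report shown above.
SAMPLE_REPORT = """\
Quarantine Summary: [ 2 message(s) quarantined from Thu, 04 Sep 2008 11:00:00 to Thu, 04 Sep 2008 12:00:00 ]

Date: Thu, 04 Sep 2008 11:52:51
Subject: [SPAM] information leak
From: User 1 <user1@example.com>
Message-Id: MTIyMDU0MzU3MS43NDJfNTk5ODcuRm9ydGlNYWlsLTQwMCwjRiNTIzYzMyNFLFU4OjIsUw==

Date: Thu, 04 Sep 2008 11:51:10
Subject: [SPAM] curious?
From: User 1 <user1@example.com>
Message-Id: MTIyMDU0MzQ3MC43NDFfOTA0MjcxLkZvcnRpTWFpbC00MDAsI0YjUyM2MjUjRSxVNzoyLA==

Actions:

o) Release a message: Send an email to <release-ctrl@example.com> with subject line set to
"user1@example.com:Message-Id".
o) Delete a message: Send an email to <delete-ctrl@example.com> with subject line set to
"user1@example.com:Message-Id".
"""

# One quarantined entry: four consecutive header-style lines (assumed single-line Message-Id).
ENTRY_RE = re.compile(
    r"^Date: (?P<date>.+)\nSubject: (?P<subject>.*)\nFrom: (?P<from>.+)\nMessage-Id: (?P<msgid>\S+)$",
    re.MULTILINE,
)
# The control account addresses advertised in the Actions section of the report.
CONTROL_RE = re.compile(r"(?P<verb>Release|Delete) a message: Send an email to <(?P<addr>[^>]+)>")


def parse_report(text):
    """Return (entries, control_accounts) parsed from a plain text spam report."""
    entries = [m.groupdict() for m in ENTRY_RE.finditer(text)]
    accounts = {m.group("verb").lower(): m.group("addr") for m in CONTROL_RE.finditer(text)}
    return entries, accounts


def control_subject(recipient, msgid):
    """Subject line the control account expects: recipient and Message-Id joined by a colon."""
    if ":" in recipient or not msgid or any(c.isspace() for c in msgid):
        raise ValueError("recipient must not contain ':' and Message-Id must be one token")
    return f"{recipient}:{msgid}"


def build_control_message(action, recipient, msgid, accounts):
    """Compose the email a user sends to release or delete one quarantined message.

    `action` is "release" or "delete".  The message is sent from the recipient's own
    address (the report tells users to send from their company account) to the control
    account advertised in the report; the command is carried entirely in the Subject.
    """
    if action not in accounts:
        raise KeyError(f"report advertises no {action} control account")
    msg = EmailMessage()
    msg["From"] = recipient
    msg["To"] = accounts[action]
    msg["Subject"] = control_subject(recipient, msgid)
    msg.set_content("")
    return msg


def control_messages_for_report(text, recipient, action, keep=lambda entry: True):
    """One control message per quarantined entry that the `keep` predicate selects."""
    entries, accounts = parse_report(text)
    return [build_control_message(action, recipient, e["msgid"], accounts) for e in entries if keep(e)]


if __name__ == "__main__":
    # Release only the false positive, leave the rest quarantined.
    for m in control_messages_for_report(SAMPLE_REPORT, "user1@example.com", "release",
                                         keep=lambda e: "information leak" in e["subject"]):
        print(m.as_string())
```

Because the command is identified only by the recipient address and Message-Id in the subject, the predicate passed as `keep` is where a user (or a helpdesk script acting for them) decides which entries are genuine false positives before anything is released.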
Release links in an HTML formatted spam report may link to either the
management IP address, local domain name, or an alternative host name for the
FortiMail unit. For more information, see “Web Release Host Name/IP” on
page 378.
Note: The contents of spam reports are customizable. For more information, see “Custom
Messages” on page 173.
Report content (HTML format; the figure callouts mark the web release and web delete links and the email release and email delete links)
Message header of spam report:
Subject: Quarantine Summary: [ 3 message(s) quarantined from Thu, 04 Sep 2008 11:00:00 to Thu, 04 Sep 2008 12:00:00 ]
From: release-ctrl@example.com
Date: Thu, 04 Sep 2008 12:00:00
To: user1@example.com
Quarantined email #1:
Date: Thu, 04 Sep 2008 11:52:51
From: User 1 <user1@example.com>
Subject: [SPAM] information leak
Web Actions: Release Delete
Email Actions: Release Delete
Quarantined email #2:
Date: Thu, 04 Sep 2008 11:51:10
From: User 1 <user1@example.com>
Subject: [SPAM] curious?
Web Actions: Release Delete
Email Actions: Release Delete
Quarantined email #3:
Date: Thu, 04 Sep 2008 11:48:50
From: User 1 <user1@example.com>
Subject: [SPAM] Buy now!!!! lowest prices
Web Actions: Release Delete
Email Actions: Release Delete
Instructions for deleting or releasing quarantined email:
Web Actions:
Click on Release link to send an http(s) request to have the message sent to your inbox.
Click on Delete link to send an http(s) request to delete the message from your quarantine.
Click Here to send an http(s) request to Delete all messages from your quarantine.
Email Actions:
Click on Release link to send an email to have the message sent to your inbox.
Click on Delete link to send an email to delete the message from your quarantine.
Click here to send an email to Delete all messages from your quarantine.
Other:
To view your entire quarantine inbox or manage your preferences, Click Here
Figure 286: Releasing an email from the per-recipient quarantine using web release
Figure 287: Releasing an email from the per-recipient quarantine using email release (the callouts mark the release quarantine control account address and the subject line, which contains the email address of the original recipient and the Message-Id, separated by a colon (:))
Note: The system quarantine administrator can also view the system quarantine using a
POP3 or IMAP email client. To do this, configure the email client with the IP address of the
FortiMail unit as the POP3 or IMAP server, using the system quarantine administrator
account name and password.
Account Name: Enter the user name of the system quarantine administrator account. This is the same user name that this person will use to log in to the web-based manager in order to manage the system quarantine.
Password: Enter the password for the system quarantine administrator account.
Forward To: Enter an email address to which the FortiMail unit will forward a copy of each email that is quarantined to the system quarantine. Because the system quarantine holds messages withheld for administrator review, this should be a mailbox that only the system quarantine administrator can read.
Mailbox rotation size: Enter the maximum size of the current system quarantine folder (“Inbox”). When the folder reaches this size, the FortiMail unit renames the current folder based upon its creation date and rename date, and creates a new “Inbox” folder. Alternatively or additionally, configure Mailbox rotation time. For more information, see “Folder” on page 372.
Mailbox rotation time: Enter the maximum amount of time that the current system quarantine folder (“Inbox”) will be used. When the folder reaches this age, the FortiMail unit renames the current folder based upon its creation date and rename date, and creates a new “Inbox” folder. Alternatively or additionally, configure Mailbox rotation size. For more information, see “Folder” on page 372.
Disk Quota: Enter the maximum amount of disk space the system quarantine will be permitted to use, including rotated folders. The maximum configurable disk quota depends on the amount of available disk space.
Quarantine options when disk quota is full: Select the action that the FortiMail unit will take when the system quarantine has consumed its disk quota, either:
• Overwrite: Discard the oldest email messages in the system quarantine in order to use the disk space to quarantine new email messages.
• Do not quarantine: Discard and do not quarantine new email messages.
Access Address Book: Select to add, delete, back up, or restore email addresses in the address book of the system quarantine administrator account. Email addresses in this address book can be convenient when a system quarantine administrator wants to forward quarantined email messages. For more information, see “To display, release, delete, or forward an email in the system quarantine” on page 374.
FortiGuard-AntiSpam
The FortiGuard-AntiSpam submenu enables you to configure the connection to
the FortiGuard Antispam subscription service.
The FortiGuard-AntiSpam menu includes the following tab:
• FortiGuard-Antispam
FortiGuard-Antispam
The FortiGuard-AntiSpam tab enables the FortiGuard Antispam subscription
service. It also enables you to test its connection to the Fortinet Distribution
Network (FDN), and to configure FortiGuard Antispam query caches.
Before you can use the FortiGuard Antispam service, you must:
• purchase a FortiGuard Antispam service contract through Fortinet Technical
Support, or obtain a trial contract
• be able to connect to FDN (for details, see “Update” on page 122 and
“Troubleshooting FDN connectivity” on page 124)
The FortiGuard Antispam service can be used by antispam profiles to identify
spam. For more information, see “AntiSpam” on page 241.
Bayesian
The Bayesian submenu enables you to manage the databases used to store
Bayesian statistical information for Bayesian antispam processing, and to
configure the email addresses used for remote control and training of the
Bayesian databases.
The Bayesian menu includes the following tabs:
• User
• Control Account
• DB Maintenance
Global
The global Bayesian database scans any or all email sent and received by the
FortiMail unit. If separate by-domain Bayesian databases are not required, the
global database is the ideal choice because there is only one database to
maintain.
There is only one global Bayesian database on a FortiMail unit.
You can also use the global database for all Bayesian scans enabled in outgoing
antispam profiles. Because only outgoing antispam profiles can be selected in
IP-based policies, all Bayesian scanning triggered by IP-based policies uses the
global Bayesian database.
Group
The group Bayesian databases are maintained on a per-protected-domain basis.
This allows the flexibility of a database tailored to filter the email to each domain.
Email messages sent to all protected domains, and matching recipient-based
policies, use group Bayesian databases by default when Bayesian scanning is
enabled.
Because group databases are domain-based, the FortiMail unit maintains a
separate group database for each protected domain.
User
The user Bayesian databases are maintained on a per-user basis for each
protected domain. This allows the user Bayesian database to be fine-tuned to only
the email traffic the user receives.
Each user on each protected domain has a separate Bayesian database stored
on the FortiMail unit. Therefore, if example.com and example.org are defined as
protected domains, user1@example.com and user1@example.org will have
separate user Bayesian databases even if both accounts belong to the same
person.
User Bayesian databases are unique in that they can work with either the group or
global database, whichever is active for the domain. If a user database is mature,
the Bayesian scan will use it to determine if an incoming message is spam. The
global and group Bayesian databases are not used.
A user Bayesian database is considered mature and able to scan email with an
acceptable level of accuracy when it has been trained with a minimum of 100
spam messages and 200 non-spam messages. Until a user database is mature,
the Bayesian scanner will refer to either the global or group database, whichever
is enabled for the recipient domain, when the user database does not contain the
information required for the scan.
To more quickly train user databases to a mature state, you can enable the Use
other techniques for auto training option in incoming antispam profiles. This option
takes incoming email and uses it to train the user Bayesian database in either of
these two circumstances:
• the message is detected as spam by the FortiGuard or SURBL scans
• the message is exempted from antispam scanning because of a system white
list or user white list match.
However, once the user database matures, the global and group databases are
no longer referenced, and no automatic training occurs.
2 Train the group database for each protected domain. This ensures the Bayesian
scanner has a database to use for Bayesian scans on email handled by incoming
recipient-based policies to domains not configured to use the global database.
You can leave the group database for a protected domain untrained if either of
these conditions is true:
• the domain is configured to use the global Bayesian database
• no incoming recipient-based policies are used with the domain.
3 If the “Accept training messages from users” option is enabled in any antispam
profile, notify email users about the email training accounts and their use.
If user Bayesian databases are enabled, training messages are applied to the
sender’s database. In addition, training messages are also applied to either the
global or group Bayesian database, whichever is enabled for the sender’s
domain.
If user Bayesian databases are disabled, training messages are applied to either
the global or group Bayesian database, whichever is enabled for the sender’s
domain.
Training messages matching a policy in which the antispam profile has user
training disabled are discarded without notification to the sender.
4 If user databases are enabled, email users train their individual databases by
forwarding both undetected spam and good email incorrectly detected as spam to
the FortiMail unit.
Until users build up a mature database (100 spam and 200 non-spam email
messages) with their own message submissions, the Bayesian scanner will refer
to either the global or group database, whichever is enabled for the recipient
domain.
In addition, you can enable the option “Use other techniques for auto training” in
incoming antispam profiles to help each user’s database reach a mature state
more quickly.
Use the following procedures to configure Bayesian training and accounts.
• Control Account
• DB Maintenance
User
If you set up separate mailbox (.mbox) files containing spam and non-spam email
messages, you can use these files to train global, group, and user Bayesian
databases. This is an especially efficient method of training an empty Bayesian
database.
You can also back up Bayesian databases and the backup file can be restored to
another user, domain, or even another FortiMail unit.
You can view the status of all three types of Bayesian databases by going to
AntiSpam > Bayesian > User.
Whether you select Global Bayesian or a specific domain, the available options are
similar, with a few exceptions:
• If the domain is set to Global Bayesian, the Username field is not displayed.
• If the selected domain is configured to use the global Bayesian database, the
training options are not displayed, and the training summary totals are shown
as zero.
Select a domain: Select Global Bayesian to manage the global Bayesian database, or select a domain to manage its group Bayesian database. For information on creating domains, see “Domains” on page 180.
Summary: Displays the status of Bayesian database training on the selected domain. If the Summary values are “0”, the group database for this domain has not been trained. Summary values will also display as “0” for domains configured to use the global Bayesian database.
Operations:
• Select Train global bayesian database with mbox files or Train group bayesian database with mbox files to open the Bayesian training page. For more information, see “To train a global or group Bayesian database” on page 391.
• Select Backup global bayesian database or Backup group bayesian database to open the Backup bayesian group database page. For more information, see “To back up a global or group Bayesian database” on page 392.
• Select Restore global bayesian database or Restore group bayesian database to open the Restore the group DB page. For more information, see “To restore a global or group Bayesian database” on page 392.
• Select Reset group bayesian database to reset the Bayesian group database. For more information, see “To reset a global or group Bayesian database” on page 392.
Username: Enter a user name and select OK to view the status of a user Bayesian database. This option is not available for the global Bayesian database.
Enter an email user ID in the Username field and select OK to see additional user
options and information:
4 For the Innocent Mailbox, select Browse to find the mbox file containing non-spam
email.
5 For the Spam Mailbox, select Browse to find the mbox file containing spam email.
6 Select OK.
The database training begins. Depending on the size of the mailbox files, this
process may take a few minutes.
Caution: Resetting a group database deletes all the training information stored in the database.
The database is reset. Depending on the size of the database, this process may
take a few minutes.
Control Account
The Control Account tab enables you to configure the email accounts used for
remote training of the Bayesian databases.
The FortiMail unit has five pre-defined control accounts for Bayesian database
training. Email users send spam information to these accounts to train the
databases used in Bayesian scanning.
For the FortiMail unit to accept training messages, two conditions are necessary:
• The training messages must match a recipient-based policy.
• The matching recipient-based policy must specify an antispam profile in which
the Accept training messages from users option is enabled.
If either condition is not met, the FortiMail unit silently discards the training
messages without using them for training.
If training messages are accepted, two factors determine which database or
databases benefit from Bayesian database training:
• whether the sender’s domain is configured to use the global or group Bayesian
database
• whether user Bayesian databases are enabled in the antispam profile specified
in the policy matching the training message.
When the FortiMail unit receives a training message, it examines it to determine
the sender’s domain. It then checks the domain configuration to see whether the
sender’s domain is configured to use the global or group Bayesian database. It
then uses the message to train the database that the domain is configured to use.
If user Bayesian databases are enabled, the message is also used to train the
user’s Bayesian database. The user is determined by the sender address.
Four of the five control accounts receive training messages. Two are used to
correct misdiagnosed messages that have already been processed by the FortiMail
unit’s Bayesian routines; the other two are used to train the Bayesian databases
with new messages not processed by the FortiMail unit’s Bayesian routines. The
fifth, the Training Group user ID, is used as a sender address rather than as a
recipient account.
Is Really Spam account (default name: is-spam): Email examined by the FortiMail unit will sometimes contain spam that was not detected. Users can inform the FortiMail unit of its mistake by forwarding the missed spam message to the Is Really Spam control account.
Is Not Really Spam account (default name: is-not-spam): Email examined by the FortiMail unit will sometimes contain non-spam that was incorrectly detected as spam. Users can inform the FortiMail unit of its mistake by forwarding the non-spam message to the Is Not Really Spam control account.
Training accounts:
Learn Is Spam account (default name: learn-is-spam): If users have any email that was not examined by the FortiMail unit, they can send known spam to the Learn Is Spam account to train the Bayesian database.
Learn Is Not Spam account (default name: learn-is-not-spam): If users have any email that was not examined by the FortiMail unit, they can send known non-spam to the Learn Is Not Spam account to train the Bayesian database.
Training Group user ID: The administrator can use this domain-based account name as the “from” address to send confirmed spam to the “Learn Is Spam” account and good email to the “Learn Is Not Spam” account to train the global or group database, whichever the domain is configured to use. No user databases are trained.
An administrator can also use his or her own user account to train the global or group database, but this procedure also trains that user database if it is enabled in the antispam profile. Using the training group user account name limits the training to only the global or group database.
DB Maintenance
The DB Maintenance tab enables you to back up, restore, or clear your Bayesian
databases. These operations affect the global database, as well as all group and
user databases for the domains defined on the FortiMail unit. For more selective
operations, see “User” on page 389.
3 When restoring a database, select Browse to locate the saved database file
4 Select OK.
Example company
Company X has set up a FortiMail unit to protect its email server by blocking spam
email. With over 1,000 email users, Company X plans to enable the FortiMail unit
Bayesian scanning capability. You, the system administrator, have been asked to
configure the FortiMail unit Bayesian training for the company.
Company X has divided its email users into two user groups and associated the
groups with two domains:
6 Select OK.
The group training starts. Depending on the size of the mailbox files, this process
may take a few minutes.
Repeat these steps for example.org to train the Bayesian databases for both
domains.
2 Send the users an email message to notify them of the user-based account user
name addresses and their usage, similar to the following:
All employees,
This message describes how to train your FortiMail Bayesian
database.
• If you receive spam that has not been caught and tagged by
the FortiMail unit, forward these missed spam messages to
is-spam@example.org from your company email account. This
will ensure any similar email will be caught by the
FortiMail unit in the future.
• If you receive email that the FortiMail unit has
incorrectly tagged as spam, forward these messages to
is-not-spam@example.org from your company email account.
This will ensure any similar email will not be tagged as
spam by the FortiMail unit in the future.
• If you have collected spam email that has not been
examined by the FortiMail Bayesian scanner and want to
train your personal Bayesian database on the FortiMail
unit, forward them to learn-is-spam@example.org from your
company email account. This ensures that any similar email
will be tagged as spam by the FortiMail unit in the
future.
• If you have collected non-spam email that has not been
examined by the FortiMail Bayesian scanner and want to
train your personal Bayesian database on the FortiMail
unit, forward them to learn-is-not-spam@example.org from
your company email account. This ensures that any similar
email will not be tagged as spam by the FortiMail unit in
the future.
3 To perform group database training without training any user databases at the
same time, send training messages to the same control account addresses, but
configure your email client to use one of these from addresses, depending on the
group database to be trained:
• default-grp@example.net
• default-grp@example.org
Now, you can send confirmed spam to the “Learn Is Spam” account or non-spam
to the “Learn Is Not Spam” account using one of the two addresses. For example,
using default-grp@example.net as the “From” address will train only the
group database for the example.net domain.
Black/White List
The Black/White List submenu enables you to block or allow email messages
from the specified email addresses, domains, or IP addresses.
The black and white lists can be system level, domain level, personal level, or
session profile level. There are also several places where you can configure the
different black and white lists.
Note: Use black and white lists with caution. They are simple and efficient tools for fighting
spam and enhancing performance, but can also cause false positives and false negatives if
not used carefully. For example, a white list entry of *.edu would allow all email from the
.edu top level domain to bypass the FortiMail unit's antispam scanning.
If the message sender is being examined for a match, email addresses and
domains in list are compared to the message’s envelope-from. IP addresses are
compared to the address of the client delivering the message, also known as the
last hop address.
If the message recipient is being examined for a match, email addresses and
domains in the list are compared to the message’s recipient address. An IP
address in a recipient white or black list is not a valid entry because no IP
addresses are checked.
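As an added example (not FortiMail code), the following Python implements the matching rules just described: address and domain entries are compared with the envelope-from when the sender is examined and with the recipient address when the recipient is examined, IP entries are compared with the last hop client address and only when the sender is examined, and a wildcard entry such as *.edu shows how broad a white list entry can be. Support for CIDR entries, case-insensitive comparison and the rule that a plain domain entry matches only that exact domain are this example’s assumptions, not documented FortiMail behaviour.

```python
"""Black/white list matching as described in this section: an added example, not FortiMail code.

Entries are email addresses, domains (optionally with a leading wildcard such as *.edu)
or IP addresses/networks.  Sender-side checks compare the envelope-from and the last hop
client IP; recipient-side checks compare the recipient address only, so IP entries in a
recipient list never match.  CIDR support and exact-domain semantics are assumptions.
"""
import fnmatch
import ipaddress


def _parse_entry(entry):
    """Classify a list entry as ('ip', network), ('addr', address) or ('domain', pattern)."""
    entry = entry.strip().lower()
    try:
        # A bare address such as 198.51.100.7 becomes a /32 (or /128) network.
        return "ip", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    if "@" in entry:
        return "addr", entry
    return "domain", entry


def matches(entries, envelope_from=None, client_ip=None, recipient=None, side="sender"):
    """Return the first list entry that matches the message, or None.

    side="sender":    addresses/domains are compared with envelope_from, IPs with client_ip.
    side="recipient": addresses/domains are compared with recipient; IP entries are ignored.
    """
    if side == "sender":
        address, ip = envelope_from, client_ip
    elif side == "recipient":
        address, ip = recipient, None
    else:
        raise ValueError("side must be 'sender' or 'recipient'")
    address = (address or "").lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    ip_obj = ipaddress.ip_address(ip) if ip else None
    for entry in entries:
        kind, value = _parse_entry(entry)
        if kind == "ip":
            if ip_obj is not None and ip_obj in value:
                return entry
        elif kind == "addr":
            if address == value:
                return entry
        elif domain and fnmatch.fnmatchcase(domain, value):
            # '*.edu' matches every domain under .edu, which is why the guide warns about it.
            return entry
    return None


def check_lists(white, black, **message):
    """Report which white and black list entries a message hits; precedence is left to policy."""
    return {"white": matches(white, **message), "black": matches(black, **message)}


if __name__ == "__main__":
    white = ["*.edu", "partner@example.org", "203.0.113.0/24"]
    black = ["spammer.example", "198.51.100.7"]
    print(check_lists(white, black, envelope_from="anyone@phish-university.edu", client_ip="192.0.2.9"))
```

Running the block shows the breadth problem the note above warns about: any envelope-from under .edu, including a domain the administrator has never heard of, hits the *.edu white list entry and would bypass antispam scanning.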
4 Select Restore.
Figure 296:User
Blacklist Action
The Blacklist Action tab enables you to configure the action to take if an email
message arrives from a blacklisted domain, email address, or IP address. This
setting affects email matching the three levels of black lists: system, domain, and
session.
Note: For the personal level black lists, the only option is to discard. For more information,
see “Personal black/white list” on page 404.
Caution: Restoring the black and white lists in this manner overwrites all of the existing system, domain, and user black and white list contents.
Greylist
The Greylist submenu enables you to configure exemptions and other greylist
settings.
Greylisting is a low-maintenance way to reduce spam by taking advantage of how
spam servers differ from email servers. Greylisting rejects all unknown email
messages and will only accept them if the server tries to deliver it again. Email
servers will attempt to deliver email again after receiving an error, while spam
servers typically will not.
When the server re-sends the email message, the FortiMail unit accepts it and the
sender email address, recipient email address, and the IP address of server that
delivered the email message are recorded by the greylist routine. Subsequent
email messages matching these same three attributes are no longer considered
unknown and are accepted immediately.
If a spam server does not resend rejected messages, the FortiMail unit does not
need to use any resources to determine that the messages are spam. The FortiMail
unit prevents the messages from being successfully delivered.
The greylisting feature has three compelling attributes:
• Greylisting does not require you to maintain IP address lists, email lists, or
word lists. The FortiMail unit automatically maintains the required information.
• Spam detection scans are not run on email stopped by greylisting. This can
save significant processing and storage resources.
• Even if spammers begin to take greylisting into account and resend their
messages, the greylist delay period can allow time for FortiGuard-Antispam
and DNSBL systems to discover the spam and blacklist the source. This way,
when the spam message is finally delivered, the FortiMail unit is more likely to
recognize it as spam.
For these reasons, the greylist feature is a recommended performance enhancing
option.
The Greylist menu includes the following tabs:
• Display
• Exempt
• AutoExempt
• Settings
Understanding greylisting
The FortiMail unit creates a greylist entry and a log entry when an unknown
message is first rejected. For the message to be accepted, the server must
attempt delivery after a greylisting period and before the 4 hour initial expiry
period.
The greylisting period determines how long after the first delivery attempt a retry
will be accepted. The default value is 20 minutes, therefore delivery attempts after
the first will continue to be rejected for 20 minutes. The greylisting period is
required because some spam servers will try to deliver messages again
immediately. A greylisting period continues to reject these messages and most
are not successfully delivered.
The FortiMail unit stores the attributes of a known message in a greylist entry so
later email messages with the same attributes are delivered immediately. The
greylist entry is discarded if no matching messages are received within the Time
to Live (TTL) period. By default this is 10 days.
For more information about the greylist period, TTL, and initial expiry period, see
“Settings” on page 415.
An exact IP address match is not required because some large organizations use
many email servers with IP addresses in the same subnet. If the first attempt to
deliver email receives a temp fail response, the second attempt may come from a
server with a different address. If an exact match were required, the greylist
routine would treat the second delivery as a new delivery attempt unrelated to the
first. Depending on the configuration of the email servers, the message might
never be delivered properly. Allowing all addresses in the subnet solves this
problem.
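The greylist routine described above, as an added simulation that is not FortiMail's code: a sender/recipient/subnet triple is rejected on first sight, accepted only if it is retried after the 20-minute greylisting period and before the 4-hour initial expiry, and then kept for the 10-day TTL, which every later match resets. Treating the client's /24 as the "same subnet", seconds as the time unit and the class and method names are this example's assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Tuple

# Default intervals from the Settings tab, in seconds (assumed unit).
GREYLIST_PERIOD = 20 * 60          # retries inside this window are still rejected
INITIAL_EXPIRY = 4 * 60 * 60       # retry must arrive before this or it counts as new
TTL = 10 * 24 * 60 * 60            # known entries expire after this much silence

# Assumption: "same subnet" is modelled as the client's /24.
SUBNET_PREFIX = 24

# Greylist key: envelope sender, envelope recipient, client subnet.
Key = Tuple[str, str, str]


@dataclass
class Entry:
    first_seen: float          # time of the first (rejected) delivery attempt
    known: bool = False        # True once a retry inside the window was accepted
    last_match: float = 0.0    # when the TTL countdown was last reset


class Greylist:
    def __init__(self) -> None:
        self.entries: Dict[Key, Entry] = {}

    @staticmethod
    def key(sender: str, recipient: str, client_ip: str) -> Key:
        subnet = ip_network(f"{client_ip}/{SUBNET_PREFIX}", strict=False)
        return (sender.lower(), recipient.lower(), str(subnet))

    def check(self, sender: str, recipient: str, client_ip: str, now: float) -> str:
        """Return 'accept' or 'tempfail' for one delivery attempt and update state."""
        k = self.key(sender, recipient, client_ip)
        entry = self.entries.get(k)

        if entry is not None and entry.known:
            if now - entry.last_match > TTL:
                # TTL elapsed with no matching message: entry is gone, start over.
                del self.entries[k]
                entry = None
            else:
                entry.last_match = now      # every match resets the TTL countdown
                return "accept"

        if entry is None:
            # Unknown triple: record it and return a temporary failure.
            self.entries[k] = Entry(first_seen=now)
            return "tempfail"

        age = now - entry.first_seen
        if age < GREYLIST_PERIOD:
            # Immediate retry, typical of spam servers: keep rejecting.
            return "tempfail"
        if age > INITIAL_EXPIRY:
            # Retry came too late: treat it as a brand new unknown message.
            self.entries[k] = Entry(first_seen=now)
            return "tempfail"

        # Retry inside (greylisting period, initial expiry]: accept and remember it.
        entry.known = True
        entry.last_match = now
        return "accept"
```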
Greylist exemptions
You can configure greylist exempt rules to allow email messages with attributes
you define to bypass the greylisting entirely. An exemption can be useful when
email messages are sent from an email server farm that’s not limited to a single
subnet. If an email message is resent by different email servers, each retry may
be seen as a first attempt. To avoid this problem, an exempt rule can take
advantage of common elements of the server hostnames. For more information,
see “Exempt” on page 411.
Note: Everything after the “@” in the sender email address is recorded as the sender
domain. For example, email from user16@example.com and user11@example.com have
the same sender domain and would both be allowed by a single autoexempt list entry.
Although they might seem to match, user34@example.com and
user23@sales.example.com are considered separate sender domains. These addresses
would each require its own autoexempt list entry to bypass greylisting.
Because the autoexempt list uses fewer message attributes, more messages will
match each entry and be allowed through. To prevent unwanted email from taking
advantage of this, stricter requirements are applied for the creation of an
autoexempt entry.
The FortiMail unit will create an autoexempt list entry for an unknown message if
the message:
• does not match any greylist exempt rules
• passes the greylist routine
• passes all configured antispam scans
• passes all configured virus scans
• passes all configured content scans
• does not appear on any white lists.
If an email message meets these requirements, the sender domain and IP
address of the system that delivered the message are added to the greylist
autoexempt list. Subsequent messages with the same recipient domain delivered
by a system in the same subnet match the autoexempt list entry and are delivered
without delay.
If an email message is not greylist exempt but fails to meet the above
requirements, the FortiMail unit creates a greylist entry with the message
attributes.
Note: If an email message matches a greylist exempt rule, it is not subject to greylisting and
the FortiMail unit will not create an entry in the greylist or autoexempt list.
Note: Since the email message responsible for creating a greylist autoexempt table entry
must first pass the greylist routine, a matching greylist entry will also exist for a time.
Incoming messages are checked against the autoexempt list first so matching messages
will reset the expiry date of the autoexempt list entry and be delivered. The expiry date of
the greylist entry will not be reset. Therefore, the greylist entry will eventually expire, leaving
the autoexempt list entry.
Display
The Display tab enables you to view the current contents of the greylist.
To view the greylist, go to AntiSpam > Greylist > Display.
Figure 300: Greylist
Exempt
The Exempt tab enables you to configure rules that define email users and other
patterns to exempt email messages from greylisting.
To view the greylist exempt rules list, go to AntiSpam > Greylist > Exempt.
#: The position of the rule in the list. The rule sequence is not important to the
way the greylist exempt list works.
Sender Pattern: The complete or partial sender email address to match. If the
pattern is listed with a “R/” prefix, it is set to use regular expression syntax. If
the pattern is listed with a “-/” prefix, it does not use regular expression syntax.
Sender Pattern: A complete or partial sender email address to match. The sender
address examined by the FortiMail unit is the “mail from:” part of the message
envelope.
Wildcard characters allow you to enter partial patterns that can match multiple
sender email addresses. The asterisk (*) represents one or more characters and
the question mark (?) represents any single character.
For example, the sender pattern ??@*.com will match messages sent by any user
with a two letter user name from any .com domain.
Example: Greylisting
The Example Corporation uses greylisting to reduce the quantity of spam they
receive.
The greylist exempt list rules used by the fictional Example Corporation are shown
in Figure 304. Example Corporation uses a FortiMail unit in gateway mode. The
only protected domain, example.com, is configured in Mail Settings > Domains.
Note: This example rule set is designed to illustrate how greylist exempt rules operate. This
is not a list of recommended rules.
Rule 1
Example Corporation has a number of foreign offices. Email from these offices
does not need to be greylisted. The mail server IP addresses vary, though their
hostnames all begin with “mail” and end with “example.com”.
The rule uses the recipient pattern and the reverse DNS pattern. All email sent to
users at example.com delivered by a mail server with a hostname beginning
with “mail” and ending with “example.com” is exempt from the greylist routine.
These email messages are not delayed by greylisting.
Rule 2
The Example Corporation works closely with its subsidiary, example.org. Mail from
any of the example.org mail servers does not need to be greylisted. All of these
servers have IP addresses within the 172.20.120.0/24 subnet and have a
hostname of mail.example.org.
The rule uses the recipient pattern, sender IP/netmask, and reverse DNS pattern.
Messages to example.com users sent from a client with a hostname of
mail.example.org and an IP address between 172.20.120.1 and 172.20.120.255
are exempt from the greylist routine.
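The two Example Corporation rules above, implemented as an added example rather than FortiMail code: wildcard patterns follow the Exempt tab's description (* matches one or more characters, ? exactly one), an “R/” prefix selects regular expression syntax, and the client hostname is assumed to be supplied already resolved by reverse DNS. The rule field names, the matching functions and the sample messages are this example's own constructions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn an exempt rule pattern into a compiled regular expression.

    'R/' prefix: the rest is regular expression syntax, matched anywhere
    (no implicit word boundary, as the page's regex notes describe).
    '-/' prefix or no prefix: wildcard syntax, anchored to the whole value,
    where '*' is one or more characters and '?' is exactly one.
    """
    if pattern.startswith("R/"):
        return re.compile(pattern[2:], re.IGNORECASE)
    if pattern.startswith("-/"):
        pattern = pattern[2:]
    regex = "".join(
        ".+" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.compile(f"^{regex}$", re.IGNORECASE)


@dataclass
class ExemptRule:
    # Any field left as None is not checked (constructed field names).
    sender: Optional[str] = None        # envelope "mail from:" pattern
    recipient: Optional[str] = None     # envelope recipient pattern
    reverse_dns: Optional[str] = None   # client hostname pattern
    sender_net: Optional[str] = None    # client IP/netmask, e.g. 172.20.120.0/24

    def matches(self, sender: str, recipient: str, client_ip: str, client_host: str) -> bool:
        """Every populated field must match for the rule to apply."""
        for pattern, value in (
            (self.sender, sender),
            (self.recipient, recipient),
            (self.reverse_dns, client_host),
        ):
            if pattern is not None and not compile_pattern(pattern).search(value):
                return False
        if self.sender_net is not None:
            if ip_address(client_ip) not in ip_network(self.sender_net, strict=False):
                return False
        return True


def is_greylist_exempt(rules: Iterable[ExemptRule], sender: str, recipient: str,
                       client_ip: str, client_host: str) -> bool:
    """Rule order does not matter: any matching rule exempts the message."""
    return any(r.matches(sender, recipient, client_ip, client_host) for r in rules)


# The fictional Example Corporation rule set from the text.
EXAMPLE_RULES = [
    # Rule 1: recipients at example.com, client hostname mail...example.com
    ExemptRule(recipient="*@example.com", reverse_dns="mail*example.com"),
    # Rule 2: recipients at example.com, client in 172.20.120.0/24 named mail.example.org
    ExemptRule(recipient="*@example.com", sender_net="172.20.120.0/24",
               reverse_dns="mail.example.org"),
]
```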
AutoExempt
The AutoExempt tab displays the list of senders that have been automatically
exempted from greylisting.
To view the list of automatically exempted senders, go to AntiSpam > Greylist >
AutoExempt.
Settings
The Settings tab enables you to configure time intervals associated with
greylisting.
To configure greylisting intervals, go to AntiSpam > Greylist > Settings.
TTL: The TTL (time to live) setting determines how long each entry will be
retained in the FortiMail unit’s greylist and autoexempt list.
Once recognized by the greylist or autoexempt list, any subsequent messages
sent with the same address information will reset the TTL count of the matching
entry. For example, if the TTL value is 36 days, a sender’s greylist entry will never
expire if he or she sends a message every 30 days. Every time the greylist routine
recognizes the sender’s address information, the TTL count is reset and starts
counting down from 36 days.
If the TTL elapses without a matching message being delivered, the greylist or
autoexempt list entry expires and is deleted.
Select a value between 1 and 60 days. The default value is 10 days.
Greylisting period: Enter the length of time the FortiMail unit will continue to
reject unknown messages. After this time expires, any resend attempts will add
the known message attributes to the greylist and possibly the autoexempt list,
with subsequent messages delivered immediately.
Select a value between 1 and 120 minutes. The default value is 20 minutes.
Note: You can change the 4 hour initial expiry period for resending an unknown message
by using the CLI. For more information, see the CLI command set as greylist
initial_expiry_period in the FortiMail CLI Reference.
Sender Reputation
The Sender Reputation submenu enables you to view the current reputation score
of senders.
Sender reputation is an antispam measure requiring no maintenance or attention.
If a sender delivers email including spam, viruses, or a large number of invalid
users, the sender reputation feature will automatically take measures against
them.
The sender reputation feature records the IP address of each client delivering
mail. For each client IP address, this feature records:
• the total number of messages delivered
• the number of messages detected as spam
• the number of messages infected with viruses or worms
• the total number of recipients
• the number of invalid recipients.
The FortiMail unit then determines a sender’s reputation score, primarily using two
ratios. First, the FortiMail unit compares the number of good messages to the
number of bad messages (spam or email with viruses or worms). Second, the
FortiMail unit compares the total number of recipients to the number of bad
recipients. The sender reputation score uses email information up to twelve hours
old, and recent email influences the score calculation more than older mail. The
score itself ranges from 0 to 100, with 0 representing a completely acceptable
sender, and 100 being a totally unacceptable sender.
The sender reputation score is compared to three thresholds, as defined in the
active session profile. If the sender is “well behaved,” the score will fall below the
first threshold. The sender can connect and deliver email with no sender
reputation restrictions.
• Throttle is the first threshold. A sender reputation score above this value will
limit the number of messages accepted per hour. The session profile includes
a field where you can enter the maximum number of messages, and a second
field where you can enter a percentage of the messages received in the last
hour. The throttle limit will be the larger of these two.
• Temporary fail is the second threshold. With a sender reputation score above
this value, the FortiMail unit will not allow a connection from the client,
returning a temporary fail error.
• Reject is the final threshold. With a sender reputation score above this value,
the FortiMail unit will not allow a connection from the client, returning a reject
message.
If more than 12 hours pass without an email delivery from a client, the client’s
sender reputation record is deleted. If that client delivers email afterwards, the
FortiMail unit treats the client as a new one.
For more information on enabling sender reputation and a description of the
settings in the antispam profile, see “AntiSpam” on page 241.
The Sender Reputation menu includes the following tab:
• Display
Display
The Display tab displays a list of senders, including the current sender reputation
score for each sender.
To view the list of sender reputations, go to AntiSpam > Sender Reputation.
Figure 308: Display
Note: Although client sender reputation records are valid for only 12 hours after last
contact, the record may still appear in the sender reputation table after that time. Visible
entries older than 12 hours are considered invalid until they are removed or replaced.
MSISDN Reputation
The MSISDN Reputation submenu enables you to configure MSISDN blacklisting
and whitelisting.
When used on a mobile phone network, the FortiMail unit can examine text
messages for spam. If a user sends multiple spam messages, all messages from
the user will be blocked for a time. The number of spam messages and the length
of time further messages will be blocked are configurable.
An MSISDN is the number associated with a SIM card on a mobile network. The
MSISDN reputation feature identifies message senders by their MSISDN.
The multimedia messaging service (MMS) protocol transmits graphics,
animations, audio, and video between mobile phones. There are eight interfaces
defined for the MMS standard, referred to as MM1 through MM8. MM3 uses
SMTP to transmit messages to and from mobile phones. Because it can be used
to transmit content, MMS can also be used to send spam.
If you enable MSISDN Reputation checking in the session profile, the FortiMail
unit scans MM3 messages for spam, and automatically blacklists repeat
offenders. If a sender sends more than a defined number of spam messages
within the auto blacklist window, the sender will be blacklisted and further
messages will be blocked for the auto blacklist duration period. The Auto blacklist
score trigger value (the number of spam messages), Auto blacklist Window Size
(the time during which the spam messages are detected), and the Auto blacklist
duration (the length of time the MSISDN is auto blacklisted), are all configurable.
For more information about configuring the auto blacklist duration, see “Settings”
on page 422. For more information about configuring the Auto blacklist score
trigger value and the Auto blacklist duration, see “Auto Blacklist” on page 419.
In addition to the auto blacklist, senders can be manually blacklisted and their
messages will be blocked indefinitely. Senders can also be manually added to the
exempt list to prevent auto blacklisting.
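The auto blacklist behaviour described above, as an added example rather than the FortiMail implementation: spam detections per MSISDN are counted inside the auto blacklist window, exceeding the trigger value blacklists the MSISDN for the auto blacklist duration, manual blacklist entries block indefinitely, and exempt entries are never auto blacklisted. The class and method names, seconds as the time unit and the sample MSISDN are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Set


class MsisdnReputation:
    """Auto blacklist for MSISDNs that send too much spam over MM3.

    trigger:  number of spam messages that must be exceeded in the window
    window:   seconds in which those spam messages must be detected
    duration: seconds the MSISDN stays auto blacklisted
    """

    def __init__(self, trigger: int, window: int, duration: int) -> None:
        self.trigger, self.window, self.duration = trigger, window, duration
        self.spam_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.auto_until: Dict[str, float] = {}   # msisdn -> time the auto entry lapses
        self.manual_blacklist: Set[str] = set()  # blocked indefinitely
        self.exempt: Set[str] = set()            # never auto blacklisted

    def is_blocked(self, msisdn: str, now: float) -> bool:
        if msisdn in self.manual_blacklist:
            return True
        until = self.auto_until.get(msisdn)
        if until is None:
            return False
        if now < until:
            return True
        del self.auto_until[msisdn]   # auto blacklist duration has elapsed
        return False

    def handle(self, msisdn: str, is_spam: bool, now: float) -> str:
        """Return 'reject' or 'accept' for one MM3 message and update the reputation."""
        if self.is_blocked(msisdn, now):
            return "reject"
        if is_spam and msisdn not in self.exempt:
            times = self.spam_times[msisdn]
            times.append(now)
            while times and now - times[0] > self.window:
                times.popleft()   # spam outside the window no longer counts
            if len(times) > self.trigger:
                # Blacklist takes effect for further messages; this one is still
                # handled by the normal antispam action.
                self.auto_until[msisdn] = now + self.duration
                times.clear()
        return "accept"
```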
The MSISDN Reputation menu includes the following tabs:
• Auto Blacklist
• Blacklist
• Exempt
• Settings
Auto Blacklist
The Auto Blacklist tab displays the current list of automatically blacklisted
MSISDNs.
If the FortiMail unit detects that more spam messages than the auto blacklist
score trigger value have been sent from an MSISDN subscriber within the auto
blacklist window duration, the MSISDN is added to the auto blacklist for the auto
blacklist duration. While on the auto blacklist, all MM3 messages from the
MSISDN will be rejected.
To view the automatic MSISDN reputation blacklist, go to AntiSpam > MSISDN
Reputation > Auto Blacklist.
Blacklist
The Blacklist tab enables you to manually blacklist MSISDNs. The users
associated with the MSISDN numbers listed on the blacklist will have their text
messages blocked as long as their MSISDN appears on the blacklist.
To view the MSISDN reputation blacklist, go to AntiSpam > MSISDN
Reputation > Blacklist.
MSISDN: Type the MSISDN in this field and select Add to add it to the MSISDN
List.
MSISDN List: The MSISDN List displays every MSISDN you have added while in
this window. You can delete any MSISDN in the MSISDN list by selecting it and
selecting Delete.
Exempt
The Exempt tab enables you to manually exempt MSISDNs from MSISDN
reputation-based blacklisting.
You can exempt a user from MSISDN reputation checking by adding their
MSISDN to the exempt list. The users associated with the MSISDN numbers
listed on the exempt list will never be auto blacklisted.
To view the MSISDN reputation exempt list, go to AntiSpam > MSISDN
Reputation > Exempt.
MSISDN: Type the MSISDN in this field and select Add to add it to the MSISDN
List.
MSISDN List: The MSISDN List displays every MSISDN you have added while in
this window. You can delete any MSISDN in the MSISDN list by selecting it and
selecting Delete.
OK: Select OK to add every MSISDN in the MSISDN list to the exempt list.
Cancel: Select Cancel to discard the MSISDN List and return to the exempt list.
Settings
The Settings tab enables you to configure the MSISDN reputation feature, which
has three settings that you can configure.
If the number of spam messages given by the auto blacklist trigger value is sent
from an MSISDN within the auto blacklist window duration, the MSISDN is auto
blacklisted and all messages it sends are rejected for the auto blacklist duration.
MSISDN reputation is enabled in the session profile. The auto blacklist score
trigger and the auto blacklist duration are configured in the session profile. For
more information, see “Session” on page 287.
To configure the MSISDN reputation auto blacklist Window Size, go to
AntiSpam > MSISDN Reputation > Settings.
Bounce Verification
The Bounce Verification submenu enables you to configure bounce message
verification.
Spammers sometimes use the email addresses of others as the from address in
their spam email messages. When the spam cannot be delivered, a delivery
status notification message, or a bounce message, is returned to the sender,
which in this case isn’t the real sender. Because the invalid bounce message is
from a valid mail server, it can be very difficult to detect as invalid.
You can combat this problem with bounce verification. The FortiMail unit performs
bounce verification by adding a tag to the beginning of the envelope sender email
address of all sent messages. The envelope sender email address will look
something like this:
prvs=1234567890user1@example.com
The sender email address is user1@example.com and everything before it is the
bounce message tag. The tag will be different for every email message, uniquely
identifying the message to the FortiMail unit.
If the email message cannot be delivered, the bounce message will be addressed
to the same tagged email address. The FortiMail unit will validate the tag and
allow the bounce message through. Should a bounce message arrive without a
tag or with a tag that does not validate, it will be subject to the action that has been
configured for invalid bounce messages.
Note: Bounce verification applies a tag to every outgoing email message, but only the
envelope Mail From: address is tagged. The sender address in the email header is not
affected so neither the email sender nor the email recipient will see the address tag.
Settings
The Settings tab enables you to create and activate bounce verification keys.
The active key in the list is used to generate tags for all outgoing messages. You
can create multiple keys but only one can be marked active at any time. Incoming
messages are checked against all listed keys. The keys can be in any order.
If you delete a key, any bounce messages with a tag generated when that key was
active will fail verification. After activating a new key, keep the previously
active key until any message tags generated with the old key have expired.
To view the bounce verification key list and configure bounce verification, go to
AntiSpam > Bounce Verification > Settings.
Key: The key string. This can be any arbitrary string of text.
Status: The active key is designated with a green icon and the inactive keys show
a red icon.
Last Used: The date and time indicates when the key was last used to verify an
incoming bounce message.
Modify: Select the activate icon to make the selected key the active key. Select
the delete icon to delete the key. Only inactive keys can be modified.
Enable Bounce Verification: Select to enable bounce verification. This is a
system-wide setting, though bounce verification can be bypassed for each domain
and within each session profile.
For more information about bypassing bounce verification at the domain level,
see “Domains” on page 180. For more information about bypassing bounce
verification at the session level, see “Session Configuration” on page 287.
Bounce Verification Tag will expire after: The specified number of days after
creation, bounce message tags will expire and fail validation.
Keys will be automatically removed: Inactive keys will be removed after being
unused for the selected time period. The active key will not be automatically
removed.
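An added illustration of the tagging and key handling described above; the page does not document FortiMail's actual tag algorithm, so this uses a simplified HMAC-based scheme of its own (expiry day modulo 1000 followed by a truncated MAC, giving the ten-digit prvs= shape shown in the example address). The active key generates tags, every listed key is tried on verification, and expired or untagged bounces fail. Key names, the tag lifetime and the addresses are constructed, and unlike the page's description this simplified tag varies by address and expiry day rather than per message.

```python
import hashlib
import hmac
from datetime import date
from typing import List, NamedTuple, Optional

TAG_PREFIX = "prvs="
DAY_DIGITS = 3                       # expiry day modulo 1000, so the counter may wrap
MAC_DIGITS = 7                       # truncated HMAC rendered as decimal digits
TAG_LEN = DAY_DIGITS + MAC_DIGITS    # ten digits, matching prvs=1234567890user1@example.com


class Key(NamedTuple):
    value: str     # any arbitrary string of text
    active: bool   # exactly one key is active; all keys are used for verification


def _mac(key: str, expiry_day: int, address: str) -> str:
    """MAC over expiry day and address under one key, truncated to decimal digits."""
    msg = f"{expiry_day:0{DAY_DIGITS}d}|{address.lower()}".encode()
    digest = hmac.new(key.encode(), msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**MAC_DIGITS:0{MAC_DIGITS}d}"


def tag_sender(address: str, keys: List[Key], tag_days: int, today: date) -> str:
    """Rewrite the envelope Mail From address using the single active key."""
    active = [k for k in keys if k.active]
    if len(active) != 1:
        raise ValueError("exactly one key must be active")
    expiry_day = (today.toordinal() + tag_days) % 10**DAY_DIGITS
    mac = _mac(active[0].value, expiry_day, address)
    return f"{TAG_PREFIX}{expiry_day:0{DAY_DIGITS}d}{mac}{address}"


def verify_bounce_recipient(rcpt: str, keys: List[Key], tag_days: int,
                            today: date) -> Optional[str]:
    """Return the original address if the bounce recipient carries a valid tag, else None."""
    if not rcpt.startswith(TAG_PREFIX) or len(rcpt) < len(TAG_PREFIX) + TAG_LEN + 1:
        return None                                   # untagged bounce
    tag = rcpt[len(TAG_PREFIX):len(TAG_PREFIX) + TAG_LEN]
    address = rcpt[len(TAG_PREFIX) + TAG_LEN:]
    if not tag.isdigit():
        return None
    expiry_day = int(tag[:DAY_DIGITS])
    # Days left until expiry, modulo 1000; a value beyond the configured lifetime
    # means the tag expired already (or never came from us).
    remaining = (expiry_day - today.toordinal()) % 10**DAY_DIGITS
    if remaining > tag_days:
        return None
    for key in keys:   # inactive keys still verify tags issued while they were active
        if hmac.compare_digest(_mac(key.value, expiry_day, address), tag[DAY_DIGITS:]):
            return address
    return None
```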
Action
The Action tab enables you to configure the action that the FortiMail unit will
perform on an incoming bounce message that fails verification and may be spam.
To set the action that the FortiMail unit will take when an email message fails
bounce verification, go to AntiSpam > Bounce Verification > Settings.
For more information on enabling the PDF option and a description of the settings
in the antispam profile, see “PDF” on page 257.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary.
For example, the regular expression “test” not only matches the word “test” but
also any word that contains “test” such as “attest”, “mytest”, “testimony”, “atestb”.
The notation “\b” specifies the word boundary. To match exactly the word “test”,
the expression should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web and antispam
filters. To make a word or phrase case insensitive, use the regular expression /i.
For example, /bad language/i will block all instances of “bad language”,
regardless of case.
Expression and what it matches:
abc
    “abc” (the exact character sequence, but anywhere in the string)
^abc
    “abc” at the beginning of the string
abc$
    “abc” at the end of the string
a|b
    Either of “a” and “b”
^abc|abc$
    The string “abc” at the beginning or at the end of the string
ab{2,4}c
    “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c
    “a” followed by at least two “b”s followed by a “c”
ab*c
    “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c
    “a” followed by one or more “b”s followed by a “c”
ab?c
    “a” followed by an optional “b” followed by a “c”; that is, either “abc” or “ac”
a.c
    “a” followed by any single character (not newline) followed by a “c”
a\.c
    “a.c” exactly
[abc]
    Any one of “a”, “b” and “c”
[Aa]bc
    Either of “Abc” and “abc”
[abc]+
    Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”)
[^abc]+
    Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”)
\d\d
    Any two decimal digits, such as 42; same as \d{2}
/i
    Makes the pattern case insensitive. For example, /bad language/i blocks any
    instance of bad language regardless of case.
\w+
    A “word”: a nonempty sequence of alphanumeric characters and low lines
    (underscores), such as foo and 12bar8 and foo_1
100\s*mk
    The strings “100” and “mk” optionally separated by any amount of white space
    (spaces, tabs, newlines)
abc\b
    “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)
perl\B
    “perl” when not followed by a word boundary (for example, in “perlert” but not in
    “perl stuff”)
\x
    Tells the regular expression parser to ignore white space that is neither preceded
    by a backslash character nor within a character class. Use this to break up a
    regular expression into (slightly) more readable parts.
/x
    Used to add regular expressions within other text. If the first character in a
    pattern is a forward slash (/), the “/” is treated as the delimiter. The pattern
    must contain a second “/”. The pattern between the “/” characters will be taken
    as a regular expression, and anything after the second “/” will be parsed as a
    list of regular expression options (“i”, “x”, etc). An error occurs if the second
    “/” is missing. In regular expressions, leading and trailing space is treated as
    part of the regular expression.
Email Archiving
The Email Archiving menu enables you to enable email archiving, and to manage
and search archived email messages.
The Email Archiving menu includes:
• Settings
• Archiving Policy
• Exempt Policy
Settings
The Settings menu enables you to configure an email archive-specific
administrator account, hard disk quota, and other assorted global settings for
email archiving.
The Settings menu includes the following tab:
• Settings
Settings
The Settings tab enables you to configure the FortiMail unit to archive email on
its local hard disk or to a remote storage server.
Before you can archive email, you need to set up and enable the email archiving
account, as described below. The archived emails will be stored under the
archiving account.
When email is archived, you can view and manage the archived email messages.
For more information, see “Managing archived email” on page 430.
6 Select one of the Archiving options when disk quota is full, either Overwrite, or Do
not archive.
7 Specify an archiving destination, either on the FortiMail local hard drive, or to a
remote storage server.
8 To archive email to the local disk, select Archive to local disk and set the disk
quota.
9 To archive email to a remote server, select Archive to remote host and configure
the following:
Protocol: Select the protocol of the remote host. The FortiMail unit supports SFTP
and FTP protocols.
IP address: Enter the IP address of the remote host.
User name: Enter the user name for logging in to the remote host.
Password: Enter the password for logging in to the remote host.
Remote directory: Enter the directory on the remote host for archiving email.
Local cache quota: Set the FortiMail unit cache quota. Email messages archived
on a remote host are also cached by the FortiMail unit. This speeds up viewing
and searching cached email.
Remote disk quota: Set the disk quota for the remote host to archive email.
10 Select Apply.
Note: You can search archived email in the current mailbox and the rotated mailboxes
whether email is archived on the local disk or remote host. You can view only the archived
email in the current mailbox on the local disk.
5 Select Mark. A red check mark appears in the status column for all the previously
selected messages. If a message is mistakenly marked, select the check box and
select Unmark.
6 Continue to subsequent pages of search results and mark all messages to export.
When complete, select Export.
7 A new window opens. To start a new search without exporting, select New Search.
To initiate the download, select Click to download the exported mbx file. You can
choose the mbx filename and location.
Archiving Policy
The Archiving Policy enables you to configure criteria by which email will be
archived.
The Archiving Policy menu includes the following tab:
• Archiving Policy
Archiving Policy
The Archiving Policy tab enables you to specify the types of email to archive. The
criteria you specify are called policies.
To view the archiving policy list, go to Email Archiving > Archiving Policy >
Archiving Policy.
Note: The Pattern field can contain an asterisk (*) as a wildcard if the policy type is Sender
address, Recipient address, or Attachment file name.
5 Select Enabled.
6 Select OK.
Exempt Policy
The Exempt Policy menu enables you to exempt email messages from email
archiving.
The Exempt Policy includes the following tab:
• Exempt Policy
Exempt Policy
After setting up email archiving policies, you can define further criteria to prevent
the FortiMail unit from archiving certain email.
To view the archiving exempt list, go to Email Archiving > Exempt Policy >
Exempt Policy.
Note: The Pattern field can contain an asterisk (*) as a wildcard if the policy type is Sender
address or Recipient address. If the policy type is Spam email, the Pattern field will be
ignored.
5 Select Enabled.
6 Select OK.
Log types
The FortiMail unit logs the following types of information:
Event log activities: Log all management activity and events, such as
administration and HA activity.
When configuration has changed: Log all management events, such as
configuration changes.
Admin login/logout event: Log all administrative events, such as logins, resets,
and configuration updates.
Levels and their description:
0 - Emergency: The system has become unusable.
1 - Alert: Immediate action is required.
2 - Critical: Functionality is affected.
3 - Error: An error condition exists and functionality could be affected.
4 - Warning: Functionality could be affected.
5 - Notification: Information about normal events.
6 - Information: General information about system operations.
Log Setting
The Log Setting menu enables you to configure the types of log messages and
storage location of log messages that the FortiMail unit will record.
The FortiMail unit can store logs in various locations, depending on your office
environment and configuration. You can configure the FortiMail unit to log to its
hard disk, a FortiAnalyzer unit, or a Syslog server, or to a combination of these
locations. For example, you can send information logs to a Syslog server and
store error log messages on the hard disk.
You can also configure the FortiMail unit to log to multiple FortiAnalyzer units and
Syslog servers, ensuring that logs are available at all times.
The Log Setting menu includes the following tab:
• Log Setting
Log Setting
The Log Setting tab enables you to configure the types of log messages to record,
and the location where the FortiMail unit will store them. These log types include
email traffic information, spam detection events, and system activity events.
For more information, see “Logging to the hard disk” on page 439, “Logging to a
Syslog server” on page 440, “Logging to a FortiAnalyzer unit” on page 440, and
“Logging to multiple logging devices” on page 441.
Overwrite Select to delete the oldest log entry and continue logging
when the maximum log disk space is reached.
Do not log Select to stop log messages going to the FortiMail hard disk
or other logging devices when the maximum log disk space is
reached.
9 Select Apply.
7 Select from the log types and select OK. For information about log types, see “Log
types” on page 437.
8 Select a Facility level that easily identifies each log entry.
9 Select Apply.
Caution: Do not enable CSV format, because the FortiAnalyzer unit does not support log
messages in comma delimited text format.
After configuring the log settings on the FortiMail unit, you or the FortiAnalyzer
administrator must configure the FortiAnalyzer unit to receive logs sent from the
FortiMail unit. If you need to configure a FortiAnalyzer unit to receive logs, but are
not a FortiAnalyzer administrator, follow the next procedure.
6 Expand the Device Privileges settings and verify that Allow FortiMail to send logs
is enabled.
7 Expand the Group Membership settings.
8 Select the group or groups in which you want to include the FortiMail unit, and
select the right arrow button to add the FortiMail unit to the group.
9 Select OK.
You can configure redundancy by logging the same log types to different devices,
for example, by logging events to the local disk, remote host 1, and remote
host 2. You can also share the logging load between devices by sending different
log types to different devices. For example, you can log events to remote host 1
and antispam to remote host 2.
You can also configure the FortiMail unit to handle redundancy and traffic sharing
simultaneously, if required. For example, you can configure the unit so that the
local disk logs event, antivirus, antispam, and history while remote host 1 logs
event, and remote host 2 logs antivirus, antispam and history logs.
The two devices can be of the same type, such as two FortiAnalyzer units, or of
different types, for example, one FortiAnalyzer unit and one Syslog server.
For information on configuring a logging device, see “Logging to a Syslog server”
on page 440 and repeat the steps for a secondary device.
You need to configure both FortiAnalyzer units to receive logs. See “To configure a
FortiAnalyzer unit to receive logs from the FortiMail unit” on page 441 for
configuring the FortiAnalyzer units to receive log files.
Logging
The Logging menu enables you to view the lists of log files and the log messages
stored in each log file.
Note: You can also view history log messages from System > Status > Status.
By default, the FortiMail unit stores all log files on a local hard disk. To ensure that
the local hard disk has sufficient disk space to store new log messages, you
should regularly download copies of older log files to your management computer
or other storage, and then delete them from the FortiMail unit. For more
information on downloading, deleting, and emptying log files, see “Downloading
log files” on page 450, “Emptying the current log file” on page 451, and “Deleting
rolled log files” on page 451.
The lists of log files for each log type display both the current log file and rolled log
files. When the current log file reaches either the configured maximum log file size
or the maximum age, the FortiMail unit renames the current log file to create a
rolled log file, and then begins a new current log file.
The lists of log files are sorted by the time range of the log messages contained in
the log file, with the most recent log files appearing near the top of the list. For
example, the current log file would appear at the top of the list, above a rolled log
file whose time ranges from “2008-05-08 11:59:36 Thu” to “2008-05-29 10:44:02
Thu”.
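The rolling and disk-quota behaviour described above (roll on maximum size or age; Overwrite versus Do not log when the quota is reached; the current file listed first, then rolled files newest first) is modelled in the following added Python example. It is not FortiMail code and not from this guide; the byte sizes, timestamps and the in-memory file list are constructed for illustration.

```python
"""Model of local-disk logging with rolling and a disk quota policy.

Added example, not FortiMail code. The quota, file size and age limits
are illustrative values, not the unit's defaults.
"""
from collections import deque


class LogStore:
    """Local-disk log storage with rolling and a disk quota policy."""

    def __init__(self, quota_bytes, max_file_bytes, max_file_age, policy):
        if policy not in ("overwrite", "do_not_log"):
            raise ValueError("policy must be 'overwrite' or 'do_not_log'")
        self.quota = quota_bytes
        self.max_bytes = max_file_bytes
        self.max_age = max_file_age
        self.policy = policy
        self.rolled = deque()       # oldest first: (start_time, end_time, size)
        self.current = []           # (timestamp, message) in the current file
        self.current_size = 0
        self.current_start = None
        self.dropped = 0            # messages that were never recorded anywhere

    def _used(self):
        return self.current_size + sum(size for _, _, size in self.rolled)

    def _roll(self):
        """Turn the current file into a rolled file and start a new one."""
        if self.current:
            self.rolled.append((self.current_start, self.current[-1][0], self.current_size))
        self.current, self.current_size, self.current_start = [], 0, None

    def write(self, now, message):
        """Record one message; returns False if the policy refused it."""
        size = len(message.encode())
        # Roll when the current file would exceed its size or has reached its age.
        if self.current and (self.current_size + size > self.max_bytes
                             or now - self.current_start >= self.max_age):
            self._roll()
        # Enforce the disk quota according to the configured policy.
        while self._used() + size > self.quota:
            if self.policy == "do_not_log" or not self.rolled:
                self.dropped += 1       # the event is lost on this device
                return False
            self.rolled.popleft()       # Overwrite: discard the oldest rolled file
        if not self.current:
            self.current_start = now
        self.current.append((now, message))
        self.current_size += size
        return True

    def files(self):
        """Current file first, then rolled files newest first, as the
        Logging tab lists them."""
        out = []
        if self.current:
            out.append(("current", self.current_start, self.current[-1][0]))
        for start, end, _ in reversed(self.rolled):
            out.append(("rolled", start, end))
        return out


def simulate(policy, n=12):
    """Write n ten-byte messages one second apart into a 40-byte quota with
    20-byte files; returns (written, dropped, files)."""
    store = LogStore(quota_bytes=40, max_file_bytes=20, max_file_age=60, policy=policy)
    written = sum(store.write(t, "msg%07d" % t) for t in range(n))
    return written, store.dropped, store.files()
```

Running `simulate("overwrite")` records all twelve messages but keeps only the two newest files, while `simulate("do_not_log")` keeps the two oldest files and silently loses the remaining eight events. Either way something is lost once the quota is hit, which is why the guide recommends logging to a FortiAnalyzer unit or Syslog server in addition to the local disk.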
You can view log messages contained in a specific log file by selecting either Start
time or End time, or by selecting the View icon. For more information, see
“Viewing log messages” on page 444.
Go to previous page      Select to view the previous page of the list of log files.
Go to next page          Select to view the next page of the list of log files.
Search                   Select to search the log files. For more information, see “Searching log messages” on page 448.
View n lines each page   Select the number of rows to display per page of the list of log files.
Total lines              The total number of rows in the list of log files.
Go to line               To display the log file list page that contains a specific index number (#), enter the number and then select Go.
Delete Selected Items    Select the log files by marking each checkbox in the rows corresponding to the log files that you want to delete, then select Delete Selected Items to remove those items from the hard disk.
#                        The index number for the row in the list of log files.
Start time               The beginning of the log file’s time range.
End time                 The end of the log file’s time range.
Note: You can also view history log messages on the Status tab. For more information,
see “Status” on page 111.
Note: The web-based manager of the FortiMail unit can only display log messages stored
locally, on the FortiMail unit’s hard disk. For information on viewing FortiMail log messages
stored remotely on either a FortiAnalyzer unit or a Syslog server, see the documentation for
that product.
Go to previous page      Select to view the previous page of the list of log files.
Go to next page          Select to view the next page of the list of log files.
Search                   Select to search the log files. For more information, see “Searching log messages” on page 448.
Level                    Select the severity level. The FortiMail unit will display only log messages of the selected severity level and greater.
Subtype                  Select the subtype. The FortiMail unit will display only the log messages of that subtype. This option appears only when viewing event log messages.
View n lines each page   Select the number of rows to display per page of the list of log files.
Total lines              The total number of rows in the list of log files.
Go to line               To display the log file list page that contains a specific index number (#), enter the number and then select Go.
Choose Columns           Select to add or remove log information columns to display. For more information see “Downloading log files” on page 450.
Using the Level and Subtype drop-down menus, you can constrain the display to
only event log messages with matching severity levels and subtype log fields. The
following tables describe each option of the Level and Subtype drop-down menus.
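The Facility chosen in Log Setting and the Level filter used here both map onto the syslog PRI field. The following added Python example (not FortiMail code or part of this guide) decodes PRI into facility and severity per RFC 3164 and applies a “selected level and greater” filter, where “greater” means more severe and therefore a lower or equal syslog severity code. The sample messages are constructed, and the choice of facility local4 for the FortiMail unit is an assumption.

```python
"""Decode syslog PRI and filter by minimum severity.

Added example, not FortiMail code. PRI = facility * 8 + severity.
"""
import re

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Index is the numeric severity: 0 is the most severe, 7 the least.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line):
    """Split '<PRI>rest' into (facility_name, severity_name, rest)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return (FACILITIES.get(facility, "facility%d" % facility),
            SEVERITIES[severity], m.group(2))


def filter_by_level(lines, facility, min_level):
    """Keep messages from one facility at min_level or more severe.

    Mirrors the Level drop-down: 'warning' keeps warning, error, critical,
    alert and emergency, and drops notice, information and debug.
    """
    threshold = SEVERITIES.index(min_level)
    kept = []
    for line in lines:
        fac, sev, rest = parse_pri(line)
        if fac == facility and SEVERITIES.index(sev) <= threshold:
            kept.append((sev, rest))
    return kept


# Constructed sample messages (not captured from a real unit). The FortiMail
# unit is assumed to be configured with Facility local4 (20); the third line
# comes from another host logging to the same collector.
SAMPLE = [
    "<166>Jun 16 14:45:15 fortimail event: HA heartbeat OK",       # local4.information
    "<164>Jun 16 14:46:02 fortimail event: HA failover detected",  # local4.warning
    "<30>Jun 16 14:46:03 otherhost sshd: session opened",          # daemon.information
    "<163>Jun 16 14:47:10 fortimail event: sync failed",           # local4.error
]
```

Selecting a facility that no other host on the collector uses is what lets the Syslog server file FortiMail messages separately; without it the `facility == "local4"` test above would pull in unrelated messages.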
6 Select Move Up or Move Down to move the column in the ordered list.
Placing a column name towards the top of the Displayed Columns list will move
the column to the left side of the log message display.
7 Select Apply.
Note: Some email processing such as mail routing and subject line tagging modifies the
recipient email address, the sender email address, and/or the subject line of an email
message. If you are searching for log messages by these attributes, enter your search
criteria using text exactly as it appears in the log messages, not in the email message. For
example, you might send an email message from sender@example.com; however, if you
have configured mail routing on the FortiMail unit or other network devices, this address, at
the time it was logged by the FortiMail unit, may have been sender-1@example.com. In
that case, you would search for sender-1@example.com instead of sender@example.com.
Keyword Enter any word or words to search for within the log messages.
For example, you might enter “starting daemon” to locate all log
messages containing that exact phrase in any log field.
Message Enter all or part of the message log field.
Subject Enter all or part of the subject line of the email message as it appears
in the log message.
This option appears only for the History log type.
From Enter all or part of the sender’s email address as it appears in the log
message.
This option does not appear for the Event log type.
6 Select Apply.
The FortiMail unit searches your currently selected log file for log messages that
match your search criteria, and displays any matching log messages. For
example, if you are currently viewing a rolled history log file, the search locates all
matching log messages located in that specific rolled history log file.
Normal format       Downloads the log file in plain (ASCII) text format with a file extension of .log. You can view this format in a plain text editor such as Microsoft Notepad.
CSV format          Downloads the log file in comma-separated value (CSV) format with a file extension of .csv. You can view this format in a spreadsheet application such as Microsoft Excel.
Compressed format   Downloads a compressed file with a file extension of .gz. This compressed file contains the log file in plain text format, with no file extension. If your management computer is running Microsoft Windows or another operating system that requires file extensions, rename the extracted log file to add a .log or .txt file extension so that your operating system can open it.
If your web browser prompts you for the location to save the file, browse to select
or enter the name of the folder.
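The search behaviour described above (an exact phrase anywhere in the message, and addresses matched as they appear in the log rather than as they were sent) and the download formats (a plain .log file, or a .gz whose inner file has no extension) are exercised together in the following added Python example. It is not FortiMail code and not from this guide; it detects gzip by its magic bytes rather than trusting the file name, and the key=value line layout and field names in the sample are constructed for illustration, so check a real download for the actual fields.

```python
"""Open a downloaded log file by content type and search it.

Added example, not FortiMail code. SAMPLE_LOG is constructed; its
key=value layout and field names are assumptions.
"""
import gzip
import os
import shlex
import tempfile

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample log content (not captured from a real unit).
SAMPLE_LOG = """\
date=2008-06-16 time=14:45:15 type=history from=sender-1@example.com to=user@example.net subject="[SPAM] Quarterly report" msg="Tagged as spam"
date=2008-06-16 time=14:46:02 type=history from=sender-1@example.com to=user@example.net subject="Quarterly report" msg="Delivered"
date=2008-06-16 time=14:47:10 type=event msg="starting daemon smtpd"
"""


def open_log(path):
    """Return the text of a plain or gzip-compressed log file, detected by
    content rather than by file extension."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] == GZIP_MAGIC:
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")


def parse_line(line):
    """Split a key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def search(text, keyword=None, sender=None, subject=None):
    """Return parsed records matching every given criterion.

    keyword: exact phrase that must appear somewhere in the log line
    sender:  substring of the From field as it appears in the log
    subject: substring of the Subject field as it appears in the log
    """
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if keyword and keyword not in raw:
            continue
        rec = parse_line(raw)
        if sender and sender not in rec.get("from", ""):
            continue
        if subject and subject not in rec.get("subject", ""):
            continue
        hits.append(rec)
    return hits


def write_samples(directory):
    """Write SAMPLE_LOG as a plain .log file and as a .gz whose inner file
    has no extension, mirroring the Normal and Compressed downloads."""
    plain = os.path.join(directory, "history.log")
    with open(plain, "wb") as f:
        f.write(SAMPLE_LOG.encode())
    compressed = os.path.join(directory, "history.gz")
    with gzip.open(compressed, "wb") as f:
        f.write(SAMPLE_LOG.encode())
    return plain, compressed


def demo():
    """Round-trip both download formats and run the searches discussed in
    the text; returns hit counts keyed by search."""
    with tempfile.TemporaryDirectory() as d:
        plain, compressed = write_samples(d)
        text_plain = open_log(plain)
        text_gz = open_log(compressed)
    if text_plain != text_gz:
        raise RuntimeError("decompressed content differs from plain download")
    return {
        "from_as_sent": len(search(text_gz, sender="sender@example.com")),
        "from_as_logged": len(search(text_gz, sender="sender-1@example.com")),
        "phrase": len(search(text_gz, keyword="starting daemon")),
        "subject_as_logged": len(search(text_gz, subject="[SPAM] Quarterly")),
    }
```

In `demo()`, searching for the address the user actually sent from returns nothing, because mail routing rewrote it before it was logged; the search only succeeds with the rewritten address, which is the point the note above makes.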
Note: Only the current log file can be emptied. Rolled log files cannot be emptied, but may
be deleted instead. For more information, see “Deleting rolled log files” on page 451.
Caution: Back up the current log file before emptying it. When you empty the log file, its log
messages are permanently removed and cannot be recovered. For instructions on how to
download a backup copy of the current log file, see “Downloading log files” on page 450.
Note: Only rolled log files can be deleted. Current log files cannot be deleted, but may be
emptied instead. For more information, see “Emptying the current log file” on page 451.
Caution: Back up a rolled log file before deleting it. When you delete a log file, its log
messages are permanently removed and cannot be recovered. For instructions on how to
download a backup copy of a log file, see “Downloading log files” on page 450.
3 In the Action column, in the row corresponding to the log file that you want to
delete, select Delete.
A confirmation dialog appears, such as:
Are you sure you want to delete: 2008-06-16-14:45:15_2007-10-16-22:52:20.alog?
4 Select OK.
Alert Email
The Alert Email menu enables you to configure the FortiMail unit to notify you by
email message when specific types of events occur and are logged. For example,
if you require notification about virus detections, you can configure the FortiMail
unit to send an alert email message whenever the FortiMail unit detects a virus.
To configure alerts, you must configure both the alert email recipients (see
“Configuration” on page 452) and which events will trigger the FortiMail unit to
send an alert email message (see “Categories” on page 453).
Alert email messages also require that you configure the FortiMail unit with the IP
address of at least one DNS server. The FortiMail unit uses the domain name of
the SMTP server to send alert email messages; to resolve this domain name into
an IP address, the FortiMail unit must be able to query a DNS server. For
information on configuring DNS, see “DNS” on page 133.
The Alert Email menu includes the following tabs:
• Configuration
• Categories
Configuration
The Configuration tab enables you to configure the recipient email addresses for
the alert email message.
Before the FortiMail unit can send alert email messages, you must configure one
or more recipients.
You must also configure which categories of events will cause the FortiMail unit to
send alert email message. For more information, see “Categories” on page 453.
Categories
The Categories tab enables you to configure which events will cause the FortiMail
unit to send an alert email message.
Before the FortiMail unit can send an alert email message, you must select the
event or events that will cause the FortiMail unit to send an alert email message.
You must also configure alert email message recipients. For more information,
see “Configuration” on page 452.
system quarantine quota is full                       Select to send an alert email message when the system quarantine reaches its quota of hard disk space. For more information on the system quarantine, see “The System quarantine tab displays the system quarantine.” on page 371.
deferred emails # over n, interval time n minutes     Select to send an alert email message if the deferred email queue contains more than this number of email messages. Enter a number between 1 and 10000 to define the alert threshold, then enter the interval of time between each alert email message that the FortiMail unit will send while the number of email messages in the deferred email queue remains over this limit.
3 Select Apply.
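The deferred-queue category above combines a threshold with a repeat interval. The following added Python example (not FortiMail code or part of this guide) implements that rule: alert as soon as the queue exceeds the threshold, repeat at most once per interval while it stays above it, and reset once it drops back under so the next breach alerts immediately. The queue samples and timestamps are constructed; the accepted threshold range is the 1 to 10000 stated above.

```python
"""Threshold-plus-interval alerting for the deferred mail queue.

Added example, not FortiMail code. Timestamps are seconds since an
arbitrary epoch; SAMPLES is constructed.
"""


class DeferredQueueAlert:
    def __init__(self, threshold, interval_minutes):
        if not 1 <= threshold <= 10000:
            raise ValueError("threshold must be between 1 and 10000")
        self.threshold = threshold
        self.interval = interval_minutes * 60
        self.last_sent = None       # time of the last alert in the current episode

    def check(self, now, queue_len):
        """Return True if an alert email should be sent at this sample."""
        if queue_len <= self.threshold:
            self.last_sent = None   # episode over; the next breach alerts at once
            return False
        if self.last_sent is None or now - self.last_sent >= self.interval:
            self.last_sent = now
            return True
        return False                # still over the limit, inside the interval


def run(samples, threshold=100, interval_minutes=15):
    """samples: list of (seconds, deferred_queue_length). Returns the
    timestamps at which an alert email would be sent."""
    monitor = DeferredQueueAlert(threshold, interval_minutes)
    return [t for t, q in samples if monitor.check(t, q)]


# Constructed sampling of the deferred queue every 5 minutes.
SAMPLES = [
    (0,    40),   # normal
    (300,  150),  # breach: alert
    (600,  180),  # still over, 5 min since the alert: suppressed
    (900,  175),  # 10 min: suppressed
    (1200, 160),  # 15 min: alert again
    (1500, 90),   # back under the threshold: episode reset
    (1800, 120),  # new breach: alert immediately
]
```

A rising deferred queue is often the first visible sign of an upstream outage or of the unit being used to relay unwanted mail, so the interval matters: too short and the alert mailbox floods during a long incident, too long and a short spike is reported once and forgotten.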
Reports
The Reports menu enables you to configure and view reports.
FortiMail units can collate information collected from their log files and present the
information in tabular and graphical reports.
FortiMail units require log files and a report profile to be able to generate a report.
A report profile is a group of settings that contains the report name, file format,
subject matter, and other aspects that the FortiMail unit considers when
generating the report. For information on configuring a report profile, see
“Configuring a report profile” on page 458.
Note: In addition to viewing full reports, you can also view summary email statistics. For
more information, see “Mail Statistics” on page 120.
Browse reports
The Browse tab displays a list of reports that have been generated from the report
profiles. You can delete, view, and/or download generated reports.
FortiMail units can generate reports automatically, according to the schedule that
you configure in the report profile, or manually, when you select Run Report in the
report profile list. For more information, see “Config” on page 457.
To view the list of generated reports, go to Log & Report > Reports > Browse.
For HTML file format report output, each Query Selection in the report profile,
such as Spam by Recipient, becomes a separate HTML file, such as
“Spam_Recipient.html”. You can view the report either as individual HTML files, or
as a frame that contains all of the individual HTML files, where each section
corresponds to one of the Query Selections that you enabled.
To download a report
1 Go to Log & Report > Reports > Browse.
2 In the Action column, in the row corresponding to the report that you want to
download, select the file format to download.
Download HTML Select to download a compressed (.tgz) archive containing the report
in HTML file format to your management computer.
Download PDF Select to download the report in PDF file format to your management
computer.
Config
The Config tab displays a list of report profiles, which are used to generate
reports, and define what information will appear in the generated report.
You may want to create one report profile for each type of report that you will
generate on demand or periodically, by schedule. For more information, see
“Configuring a report profile” on page 458.
If you used the Quick Start Wizard in the basic mode of the web-based manager
to perform initial setup of your FortiMail unit, the Quick Start Wizard automatically
created two report profiles:
• predefined_report_yesterday
• predefined_report_last_week
Otherwise, no report profiles exist by default.
To view the list of report profiles, go to Log & Report > Reports > Config.
Time Period Select the time span of log messages from which to generate the
report. For more information, see “Configuring the time period of a
report profile” on page 458.
Query Selection Select one or more subject matters to include in the report. For
more information, see “Configuring the query selection of a report
profile” on page 459.
Schedule Select to generate reports from this report profile either manually
only or automatically, according to a schedule. For more
information, see “Configuring the schedule of a report profile” on
page 460.
Domain Select the protected domains to include in the report. For more
information, see “Configuring the protected domain of a report
profile” on page 461.
Incoming Outgoing Select whether to report upon incoming email, outgoing email, or
both. For more information, see “Configuring incoming and
outgoing of a report profile” on page 461.
Output Select to email reports generated using this report profile by
adding recipients to the Email Notification list and selecting either
“html report” or “pdf report” file format for the attached report. This
field is optional. For more information, see “Configuring the output
of a report profile” on page 461.
5 Select OK.
Time Period                                  Select the time span of the report, such as This Month or Last N Days. Alternatively, select and configure From Date and To Date.
Last N Hours / Last N Days / Last N Weeks    Enter the number N of the unit of time. This option appears only when you have selected Last N Hours, Last N Days, or Last N Weeks from Time Period, and therefore must define “N”.
From Date                                    Select and configure the beginning of the time span. For example, you may want the report to include log messages starting from May 5, 2006 at 6 PM. You must also configure To Date.
To Date                                      Select to configure the end of the time span. For example, you may want the report to include log messages up to May 6, at 12 AM. You must also select and configure From Date.
Figure 333: Schedule
Schedules
Not Scheduled Select if you do not want the FortiMail unit to
generate the report automatically according to a
schedule.
If you select this option, the report will only be
generated on demand, when you manually select
Run Report from the report profile list. For more
information, see “Config” on page 457.
Daily Select to generate the report each day.
These Days Select to generate the report on specific days of each
week, then select those days.
These Dates Select to generate the report on specific dates of each
month, then enter those date numbers. Separate
date numbers by a comma.
For example, to generate a report on the first and
30th day of every month, enter 1,30.
At Hour Select the time of the day when the report will be generated.
This option does not apply if you have selected Not Scheduled.
Figure 334: Domain
Domain The list of protected domains whose log messages will be used when
generating the report.
Remove Selected Select one or more protected domains in the Domain area, then select
Remove Selected to remove them from that list.
Add Select All Domains or a protected domain from the drop-down menu,
then select Add to add that protected domain to the Domain area.
Figure 336: Output
html report Select to attach a copy of the generated report in HTML format.
pdf report Select to attach a copy of the generated report in PDF file format.
Email Notification The list of recipients to which the FortiMail unit will send a copy of
reports generated using this report profile.
Remove Selected    From Email Notification, select one or more recipients that you want to
remove, then select Remove Selected.
Add Enter the email address of a recipient, then select Add to add the email
address to the Email Notification area.
FortiMail active-passive HA
FortiMail supports active-passive high availability (HA) with full FortiMail
configuration and mail data synchronization between two FortiMail units. Mail data
consists of the FortiMail system mail directory, user home directories, and Mail
Transfer Agent (MTA) spool directories.
A FortiMail active-passive HA group consists of two FortiMail units, one
functioning as a primary unit (also called the master) and the other as a backup
unit (also called the slave). The FortiMail units in the HA group do not have to be
the same FortiMail model but must be running the same firmware build. The
primary and backup units are configured separately and then joined together to
form the FortiMail HA group.
Both FortiMail units in the group have the same configuration except for the
FortiMail unit host name, SNMP system information, and some HA settings. For
details about how configuration synchronization works and about what is
synchronized and what is not, see “Synchronizing the FortiMail configuration” on
page 468.
You can include different FortiMail models in an active-passive HA group. For
details, see “Mixing FortiMail models in a FortiMail HA group” on page 466.
The primary unit performs all email processing, including special FortiMail
services such as sending spam reports to email users. Email users connect to the
primary unit to download email, manage quarantined email, and to use FortiMail
webmail. To configure and manage the FortiMail HA group, administrators
connect to the primary unit web-based manager or CLI.
Administrators can also manage the backup FortiMail unit. The backup unit
monitors the primary unit to make sure that the primary unit is operating correctly.
If the backup unit determines that the primary unit has failed, the backup unit
becomes the primary unit without interrupting mail processing.
FortiMail gateway, transparent and server modes all support HA. The HA
configuration and operating procedures are similar in all three FortiMail operating
modes.
FortiMail config-only HA
Using FortiMail config-only HA, you can set up a group of 2 to 25 FortiMail units.
The FortiMail units in the config-only HA group operate independently: processing
email and providing FortiMail services such as antispam and antivirus scanning,
and special FortiMail services such as sending spam reports to email users.
All FortiMail units in the group have the same configuration except for the
following:
• network settings including interface IP addresses and default routes
• the FortiMail unit host name and SNMP system information
• other system names such as the local domain name and the spam report host
name
• some HA settings.
For details about how configuration synchronization works and about what is
synchronized and what is not, see “Synchronizing the FortiMail configuration” on
page 468.
You can include different FortiMail models in a config-only HA group. For details,
see “Mixing FortiMail models in a FortiMail HA group” on page 466.
Email users connect to any FortiMail unit to download email, manage quarantined
email, and to use FortiMail webmail. For most HA group configuration and
management operations, administrators connect to the primary unit web-based
manager or CLI. However, administrators must connect to each FortiMail unit in
the HA group to configure interface IP addresses and some HA settings for that
FortiMail unit.
A config-only HA group can function as a mail server farm for a large organization.
You can also install a FortiMail config-only HA group behind a load balancer. The
load balancer can distribute the mail processing load to all of the FortiMail units in
the config-only HA group, improving mail processing capacity.
To set up a FortiMail config-only HA group you configure one of the FortiMail units
as the config primary (or config master) and the other FortiMail units (up to 24) as
config backup units (also called config slaves or peer systems). Every
configuration change made to the config master is synchronized to all of the
config backup units.
FortiMail config-only HA does not synchronize mail data between the FortiMail
units in the config-only HA group. As well, FortiMail config-only HA does not
provide failover protection. If a FortiMail unit in a config-only HA group fails, mail
data on the unit is lost (unless the unit can be restarted) and the functioning of the
failed FortiMail unit will not be resumed by the other FortiMail units in the HA
group.
FortiMail units in a config-only HA group operate only in their configured operating
mode. The effective operating mode does not apply to config-only HA. The config
primary unit operates only in config master mode and the config backup units
operate only in config slave mode.
If the primary unit fails, the backup units will continue to operate normally.
However, with no primary unit, changes to the configuration are no longer
synchronized. You can manually switch one of the backup units to operate as the
primary unit. Then, when you make configuration changes to this new primary
unit, the changes synchronize to the remaining backup units.
You cannot configure service monitoring for a config-only HA group.
Note: If the config-only HA group is installed behind a load balancer, the load balancer
stops sending email to the failed FortiMail unit. All sessions being processed by the failed
FortiMail unit must be restarted and will be re-directed by the load balancer to other
FortiMail units in the config-only HA group.
According to the FortiMail 3.0 Maximum Values Matrix on the Fortinet Knowledge
Center you can add 50 domains to a FortiMail-100 unit and 500 domains to a
FortiMail-400 unit. So in an HA group consisting of a FortiMail-400 and a
FortiMail-100 you should add only 50 domains. For a complete list of configuration
limitations for all FortiMail models, see the FortiMail v3.0 Maximum Values Matrix.
Note: If you restart the primary unit (by going to System > Status and selecting Restart or
from the CLI by entering execute reboot) or if you enter the execute reload
command from the primary unit CLI, the backup unit may stop receiving HA heartbeat
packets from the primary unit for enough time to determine that the primary unit has failed.
To prevent this type of false failover, the primary unit signals to the backup unit to wait for
the primary unit to complete the restart or reload.
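The false-failover protection described in the note above is modelled, from the backup unit's point of view, in the following added Python example. It is not FortiMail code and not from this guide: the dead interval, the grace period and the form of the “restart pending” signal are assumptions made only to show the logic. The backup declares the primary failed only after no heartbeat has arrived for the dead interval, and an announced restart suspends that judgement until either a heartbeat returns or a longer grace period runs out, so that a primary that never comes back is still failed over.

```python
"""Backup-unit heartbeat monitor with a restart hold.

Added example, not FortiMail code. Interval values and the restart
signal are assumptions; timestamps are seconds since an arbitrary epoch.
"""


class HeartbeatMonitor:
    def __init__(self, dead_interval=10.0, restart_grace=120.0):
        self.dead_interval = dead_interval      # silence before declaring failure
        self.restart_grace = restart_grace      # how long an announced restart may take
        self.last_heartbeat = None
        self.restart_announced_at = None

    def heartbeat(self, now):
        self.last_heartbeat = now
        self.restart_announced_at = None        # primary is back; clear the hold

    def restart_announced(self, now):
        """Primary told us it is about to reboot or reload."""
        self.restart_announced_at = now

    def state(self, now):
        """'ok', 'holding' (primary restarting) or 'failed' (take over)."""
        if self.restart_announced_at is not None:
            if now - self.restart_announced_at < self.restart_grace:
                return "holding"
            return "failed"                     # grace exhausted: a real failure
        if self.last_heartbeat is None or now - self.last_heartbeat >= self.dead_interval:
            return "failed"
        return "ok"


def scenario(events, probe_times):
    """events: list of (time, 'hb' | 'restart'); returns the backup's state
    at each probe time after applying all events up to that time."""
    monitor = HeartbeatMonitor()
    events = sorted(events)
    states, i = [], 0
    for t in probe_times:
        while i < len(events) and events[i][0] <= t:
            when, kind = events[i]
            if kind == "hb":
                monitor.heartbeat(when)
            else:
                monitor.restart_announced(when)
            i += 1
        states.append(monitor.state(t))
    return states


# Constructed timelines. Heartbeats every 2 s until t=10.
# 1. The primary announces a reboot at t=10 and is silent until t=70:
#    the backup holds instead of failing over.
ANNOUNCED_RESTART = [(t, "hb") for t in range(0, 11, 2)] + [(10, "restart"), (70, "hb")]
# 2. The same silence with no announcement: a genuine failure.
SILENT_FAILURE = [(t, "hb") for t in range(0, 11, 2)]
```

The hold is only as trustworthy as the heartbeat link carrying it, which is one more reason for the isolation caution that follows: a restart signal or heartbeat injected from a user network could keep the backup waiting on a primary that is actually down.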
Caution: Using the same FortiMail network interface for user data and HA synchronization
is not supported.
Note: Isolate heartbeat interfaces from your user networks. Heartbeat and synchronization
packets contain sensitive configuration information and can consume considerable network
bandwidth. For an active-passive or a config-only HA group consisting of only two FortiMail
units, directly connect the heartbeat interfaces using a crossover cable. For a config-only
HA group consisting of more than two FortiMail units, connect the heartbeat interfaces to a
switch and do not connect this switch to your user networks.
You can also manually synchronize configuration changes if you are concerned
about losing changes that you have just made. See “Forcing the HA group to
synchronize configuration and mail data” on page 487.
Note: You should disable mail data synchronization if the HA group stores mail data on a
remote NAS server. See “HA and storing FortiMail mail data on a NAS Server” on
page 482.
System mail directory Contains quarantined and archived email messages stored on the
FortiMail unit hard drives. The system mail directory may contain a
relatively large amount of data. However, this data does not
usually change rapidly so synchronizing the system mail directory
does not usually require a large amount of bandwidth or
processing time. You should synchronize the system mail
directory because it could be difficult to recover from a failed
FortiMail unit.
User home directories    In server mode, the user home directories contain user email messages stored on the FortiMail unit hard drives. The user home directories may also contain a relatively large amount of data. However, this data also does not usually change rapidly, so synchronizing the user home directories does not usually require a large amount of bandwidth or processing time. You should synchronize the user home directories because it could be difficult to recover this data from a failed FortiMail unit.
MTA spool directories Contain the FortiMail mail queue types including the outgoing
mail, deferred, spam, failed, and dead mail queues. For more
information on the mail queues, see “Mail Queue” on page 207.
The MTA spool directories may contain a large amount of data
that changes rapidly. Synchronizing large amounts of data that
changes rapidly may take considerable bandwidth and processing
time, both of which may affect the performance of the FortiMail
unit. Also, if the primary unit fails, when it is restarted, it becomes
a backup unit and synchronizes all MTA spool directories to the
new primary unit (see “FortiMail MTA spool directory
synchronization after a failover” on page 471 for more
information). Because of this synchronization, the data in the MTA
spool directories is usually recovered after failover.
If the primary unit experiences a hardware failure and you cannot
restart it, you might not be able to recover mail in the MTA spool
directories. Synchronizing the MTA spool directories prevents the
loss of this email if the primary unit experiences a hardware
failure.
See “HA daemon configuration options” on page 495 to configure how often the
HA group synchronizes mail data, to change the TCP port used for synchronizing
data across the heartbeat link, and to select the types of mail data to synchronize.
You can also manually synchronize mail data. See “Forcing the HA group to
synchronize configuration and mail data” on page 487.
When a failover occurs, the network connections between the sender and the
primary unit are cut off. From the sender’s point of view, the email send attempt
fails, and the sender attempts to re-send the email message.
Usually you should configure HA to synchronize the system mail directory and the
user home directory to prevent loss of any email messages in these directories
when a failover occurs. Then when a failover occurs, email being sent is stopped,
but the stored messages remain in a primary unit MTA mail directory.
The FortiMail HA group always synchronizes MTA spool directories after a
failover. This means that even if you choose not to configure the HA group to
synchronize MTA spool directories during normal operation, the email in the MTA
directories on the failed primary unit can still be delivered after a failover as long
as the failed primary unit can restart.
Even if the HA group synchronizes MTA spool directories there is a chance that,
because the synchronization is periodic, some of the email in these directories will
not be synchronized when a failover occurs. This is especially true for the
outgoing mail queue because the content of this queue changes very rapidly.
FortiMail HA uses the following mechanism to prevent loss of email messages in
the failed primary unit MTA spool directories after a failover.
Note: If the failed primary unit effective operating mode is FAILED, a sequence similar to
the following occurs automatically when the problem that caused the failure is corrected.
1 After a failover the former backup unit operates as the new primary unit.
2 The primary unit that failed starts up again, detects the presence of the new
primary unit, and becomes a backup unit.
Note: You may have to manually restart the failed primary unit.
3 The new backup unit synchronizes its MTA spool directories with the new primary
unit MTA spool directories.
This synchronization takes place over the heartbeat link between the primary and
backup FortiMail units. Synchronizing the MTA spool directories prevents
duplicate email messages from getting into the primary unit MTA spool directories.
4 The new primary unit continues to deliver the email messages in its MTA spool
directories, including the email messages synchronized from the new backup unit.
For the new primary unit to continue to process mail sessions after a failover, the
new primary unit must have the same IP addresses as the original primary unit. In
most HA configurations you use FortiMail HA virtual IP address to make this
happen. When a FortiMail HA group is operating, network interfaces that send
and receive email or that users connect to for webmail access are configured with
HA virtual IP addresses. All email transactions and webmail connections use
these virtual IP addresses.
As well, the virtual IP addresses are associated with primary unit network
interfaces. Because of this association, the primary unit processes all email. After
a failover, the virtual IP addresses are associated with the new primary unit
interfaces. As a result, after a failover, the new primary unit (originally the backup
unit) now processes all email.
Note: Because of this virtual IP address configuration, port1 of the primary unit can receive
packets sent to IP address 172.16.5.10 and 172.16.5.2. All packets sent from the primary
unit port1 interface will have a source IP address of 172.16.5.2 (the virtual IP address).
After a failover, all packets sent from the backup unit port1 interface will have a source IP
address of 172.16.5.2.
[Figure: HA group showing the heartbeat link between the primary unit and the backup unit, a switch for the port1 interfaces, the internal network and the Internet]
Recording HA log messages on the primary and backup unit hard disks
Use the following steps to configure the units in an HA group to record HA log
messages on their hard disks. This configuration is synchronized to all units in the
HA group. A unit in the HA group records a log message when that unit detects an
HA event.
To record HA log messages on the primary and backup unit hard disks
1 Log into the primary unit web-based manager.
2 Go to Log & Report > Log Setting.
3 Select Log to Local Disk.
4 Set Level to Information to generate all HA messages.
You can also set Level to Warning if you just want to generate HA log messages
when a problem occurs. A problem could be a failover or a synchronization
problem.
5 Select Config Policy.
6 Select Event Log and under Event log select HA activity event.
7 Select OK and Apply.
Table 23: New HA FortiMail MIB and FortiMail trap MIB fields
Configured Operating Mode: The HA operating mode that you have configured the
unit to operate in. The configured operating mode can be MASTER (primary unit)
or SLAVE (backup unit).
Effective Operating Mode: The HA operating mode that the unit is currently
operating in. The effective operating mode matches the configured operating
mode unless a failure has occurred.
Note: If the effective operating mode of a FortiMail unit is SLAVE (backup) the FortiMail
web-based manager displays “SLAVE MODE”.
During normal operation the configured and effective operating modes of each
FortiMail unit in the active-passive HA group match. If a failover occurs, the
configured and effective operating modes may not match. For example, after a
failover, the backup unit becomes the primary unit. The effective operating mode
of the new primary unit changes to MASTER (primary), but the configured
operating mode is SLAVE (backup).
Depending on the On Failure setting, the failed primary unit effective operating
mode could be OFF or FAILED. If the effective operating mode is FAILED, the
effective operating mode could change to BACKUP or MASTER depending on the
On Failure setting, after the problem that caused the failure is corrected. See “HA
main configuration options” on page 492 for more information about setting On
Failure.
If the failed primary unit restarts, it finds the new primary unit and switches to
operating as the new backup unit. So, after a failure, the effective operating mode
of a restarted primary unit becomes SLAVE (backup) while the configured
operating mode of this unit becomes MASTER (primary). See Table 24 for more
examples of configured and effective operating modes.
Monitor: The time at which the backup unit HA daemon will check to make sure
that the primary unit is operating correctly. This checking takes place across
the heartbeat link between the primary and backup units. If the heartbeat link
becomes disconnected, the next time the backup unit checks for the primary
unit, the primary unit will not respond, so the backup unit operates as though
the primary unit has failed and becomes the primary unit. Change monitor timing
using the HA Daemon Heartbeat setting. See “HA daemon configuration options”
on page 495.
Configuration: The time at which the backup unit HA daemon will synchronize
the FortiMail configuration from the primary unit to the backup unit. Change
configuration synchronization timing using the HA Daemon Configuration setting.
See “HA daemon configuration options” on page 495. The message “slave unit is
currently synchronizing” displays when the HA daemon is synchronizing the
configuration.
Data: The time at which the backup unit HA daemon will synchronize mail data
from the primary unit to the backup unit. Change data synchronization timing
using the HA Daemon Data setting. See “HA daemon configuration options” on
page 495. The message “slave unit is currently synchronizing” displays when
the HA daemon is synchronizing data.
Configuring HA options
You set HA configuration options by going to System > HA > Configuration. To
configure a FortiMail HA group, you must set the HA configuration separately on
the primary and backup units. The configuration of both types of units is very
similar.
Config-only HA options are similar to active-passive HA configuration options.
This section describes both active-passive HA options and config-only HA
options.
Figure 349 shows a typical HA configuration for a FortiMail-400 unit operating as a
primary unit in gateway mode.
Mode of Operation
Set the HA configured operating mode of the FortiMail unit. The FortiMail unit
switches to operating in the HA configured operating mode immediately after you
enter this command. The configured operating mode can be one of the following:
• off if the FortiMail unit is not operating in HA mode
• master if the FortiMail unit is the primary unit in the HA group
• slave if the FortiMail unit is a backup unit in the HA group
• config master if the FortiMail unit is the primary unit in a config-only HA group
• config slave if the FortiMail unit is a backup unit in a config-only HA group.
Primary Heartbeat
Select the network interface to be used as the primary heartbeat interface. This is
the primary heartbeat link between the units in the HA group. The primary
heartbeat link is used for the HA heartbeat and synchronization. The default
primary heartbeat interface is the network interface with the highest number. In
most cases you would not have to select a different network interface.
Note: The primary heartbeat interface configuration in master mode is set to “do nothing”
and this setting cannot be changed.
For information about the heartbeat interface and about HA heartbeat and
synchronization, see “Configuring the HA heartbeat and synchronization interface”
on page 468.
Caution: Using the same FortiMail network interface for user data and HA synchronization
is not supported.
Note: Isolate heartbeat interfaces from your user networks. Heartbeat and synchronization
packets contain sensitive configuration information and can consume considerable network
bandwidth. For an active-passive or a config-only HA group consisting of only two FortiMail
units, directly connect the heartbeat interfaces using a crossover cable. For a config-only
HA group consisting of more than two FortiMail units, connect the heartbeat interfaces to a
switch and do not connect this switch to your user networks.
The local IP is the primary heartbeat IP address for this FortiMail unit. When the
FortiMail unit is operating in HA mode, the primary heartbeat local IP appears on
the System > Network > Interface list for the heartbeat interface.
For the primary heartbeat you must configure the local IP and peer IP as follows:
• The local IP of the primary unit must match the peer IP of the backup unit.
Normally you would set the local IP of the primary unit to 10.0.0.1.
• The local IP of the backup unit must match the peer IP of the primary unit. In
an active-passive HA group you would normally set the local IP on the backup
unit to 10.0.0.2.
• For an active-passive HA group the peer IP is the local IP of the other FortiMail
unit in the HA group. This is the IP address that the FortiMail unit expects to
connect to by using the primary heartbeat to find the other FortiMail unit in the
HA group.
• The peer IP of the primary unit must match the local IP of the backup unit.
Normally you would set the peer IP of the primary unit to 10.0.0.2.
• The peer IP of the backup unit must match the local IP of the primary unit.
Normally you would set the peer IP address of the backup unit to 10.0.0.1.
Note: The secondary heartbeat interface configuration in master mode is set to “do
nothing” and this setting cannot be changed.
Select “disabled” if you are not going to use the secondary heartbeat.
You can also select “any port” if you do not want to use a specific interface as the
backup heartbeat interface. Selecting “any port” means that any interface with its
HA interface configuration in master mode set to the “do nothing” option can be
used as the secondary heartbeat interface.
Configure the secondary heartbeat local IP and peer IP in the same manner as
the primary heartbeat. The secondary heartbeat IPs cannot be on the same
subnet as the primary heartbeat IPs.
Shared Password: Enter a password for the HA group. The password must be the
same on the primary and backup unit.
Heartbeat (active-passive HA): Set options used by the HA daemon for sending
HA heartbeat packets. Set the following options:
• The TCP port used for HA heartbeat communications. The default
TCP port is 20000.
• The time between which the FortiMail units in the HA group send
HA heartbeat packets. The default test interval between HA
heartbeat packets is 5 seconds. The test interval range is 2 to 60
seconds. Heartbeat packets are sent at regular intervals so that
each FortiMail unit in an active-passive HA group can confirm that
the other unit in the group is functioning. If the primary unit detects
that the backup unit has failed the primary unit continues to
operate normally. If the backup unit detects that the primary unit
has failed, the HA effective operating mode of the backup unit
changes to MASTER and the back up unit becomes the primary
unit.
• The number of consecutive times the HA heartbeat check must fail
before a FortiMail unit in an active-passive HA group decides that
the primary unit has failed. The range for the number of times the
check fails is 1 to a very high number. Set the number of times the
check fails to 0 to disable interface monitoring or hard drive
monitoring.
In most cases you do not have to change heartbeat settings. The
default settings mean that if the primary unit fails, the backup unit
switches to being the primary unit after 3 x 5 or about 15 seconds;
resulting in a failure detection time of 15 seconds.
If the failure detection time is too long the primary unit could fail and a
delay in detecting the failure could mean that email is delayed or lost.
Decrease the failure detection time if email is delayed or lost because
of an HA failover.
If the failure detection time is too short, the backup unit may detect a
failure when none has occurred. For example, if the primary unit is
very busy processing email it may not respond to HA heartbeat
packets in time. In this situation, the backup unit may operate as
though the primary unit has failed when the primary unit is actually just
busy. Increase the failure detection time to prevent the backup unit
from detecting a failure when none has occurred.
Configuration: Set the TCP port and time interval for synchronizing the
configuration. Set the following:
• The TCP port used for synchronizing the configuration of the
primary unit to the backup unit. The default TCP port is 20001.
• How often HA synchronizes the configuration. The default
configuration synchronization time is 60 minutes. The
configuration synchronization time range is 15 to 999 minutes.
Set the configuration synchronization time to 0 to disable
configuration synchronization.
In most cases you do not have to change the default settings.
However if you are making a lot of configuration changes, you may
want to reduce the time between synchronizations so that changes
are not lost if a failover occurs. During normal operation,
synchronizing the configuration every 60 minutes is usually sufficient.
You can also synchronize the configuration manually. See “Forcing
the HA group to synchronize configuration and mail data” on
page 487.
For more information about how FortiMail HA synchronizes the
configuration and about what is synchronized and what is not
synchronized, see “Synchronizing the FortiMail configuration” on
page 468.
Data (active-passive HA): Set the TCP port and time interval for synchronizing
mail data. Set the following:
• The TCP port used for synchronizing mail data. The default TCP
port is 20002.
• How often the synchronization occurs. The default data
synchronization time is every 30 minutes. The data
synchronization range is 15 to 999 minutes. Set the data
synchronization time to 0 to disable data synchronization.
• The type of mail data to synchronize. You can synchronize the
system mail directory, the user home directories, and the MTA
spool directories. See “Synchronizing FortiMail mail data” on
page 470 for more information about what to consider before
configuring mail data synchronization. Synchronization of all three
types of mail data is disabled by default.
In most cases you do not have to change the default settings except
to select the data to synchronize. You might also want to reduce the
synchronization time if you find you are losing mail data during a
failover. Also, synchronizing large amounts of mail data may cause
processing delays. Reducing how often mail data is synchronized may
alleviate this problem. During normal operation, synchronizing data
once every 30 minutes is usually sufficient.
You can also synchronize mail data manually. See “Forcing the HA
group to synchronize configuration and mail data” on page 487.
You should disable mail data synchronization if the HA group stores
mail data on a remote NAS server. See “HA and storing FortiMail mail
data on a NAS Server” on page 482.
Note: The primary and secondary heartbeat interface configuration is set to “do nothing”
and this setting cannot be changed.
do nothing: The default setting for all network interfaces. Select this
option if you do not want to apply special functionality to a network
interface when operating in HA mode.
See “Removing an interface from an HA group” on page 476 for more
information about this option. See “Gateway mode active-passive HA
configuration example” on page 503 for a FortiMail configuration
example that uses this option.
set interface IP/netmask: Set an IP address and netmask for a network
interface. Select this option and add an IP address and netmask. When
operating in HA mode, this option changes the IP address of the selected
network interface of the primary unit to the specified IP address. When a
failover occurs this IP address is assigned to the corresponding network
interface of the new primary unit.
See “Changing the IP address of an HA group interface” on page 476
for more information about the set interface IP/netmask option. See
“Gateway mode active-passive HA configuration example” on
page 503 for a FortiMail configuration example that uses this option.
Changing the IP address of an HA group interface using this option
replaces the actual IP address of the interface with the set IP address.
The interface has only one IP address. (This is different from the
virtual IP address configuration, which results in the interface having
two IP addresses.)
add virtual IP/netmask: Assign a virtual IP address to a network interface.
Select this option and add an IP address and netmask. When operating in HA
mode, this option adds the specified IP address to the selected interface of
the primary unit. Email processing, FortiMail users, and FortiMail
administrators can all connect to this virtual IP address to connect to the
primary unit. If a failover occurs, the virtual IP address is transferred to
the new primary unit. Email processing, FortiMail users, and FortiMail
administrators can now connect to the same IP address to connect to the new
primary unit.
In most cases you would select this option for all FortiMail network
interfaces that will be processing email when the FortiMail HA group is
operating in gateway or server mode. See “Adding an IP address to
an HA group interface using HA virtual IP addresses” on page 473 for
more information about HA virtual IP addresses. See “Gateway mode
active-passive HA configuration example” on page 503 for a FortiMail
configuration example that uses HA virtual IP addresses.
Configuring virtual IP addresses for FortiMail active-passive HA
configuration may produce unexpected results. Adding a virtual IP
address to a FortiMail interface gives the interface two IP addresses:
the virtual IP address and the actual IP address.
Normally you would configure your network (MX records, firewall
policies, routing and so on) so that clients and mail services use the
virtual IP address. All replies to sessions with the virtual IP address
include the virtual IP address as the source address.
However, all outgoing sessions that originate from this interface use
the actual IP address of the interface and not the virtual IP address.
This means that all outbound mail or relayed mail packets sent from a
FortiMail primary unit interface, configured with a virtual IP address,
will have the actual IP address of the primary unit interface as the
source IP address.
add to bridge: For a FortiMail HA group operating in transparent mode, select
this option for all network interfaces to be added to the FortiMail
transparent mode bridge.
When you select add to bridge for an interface that is not physically
connected, the interface name is displayed with red text.
For the primary unit, “add to bridge” has the same effect as “do
nothing”. In both cases the interface is added to the bridge.
For the backup unit, add to bridge means that the interface is
disconnected and cannot process traffic when the effective operating
mode of the unit is SLAVE. The interface is disconnected to prevent
layer 2 loops. If the effective operating mode of the unit changes to
MASTER the interface becomes connected again and as part of the
bridge can process traffic. For this reason, selecting add to bridge is
the recommended configuration.
The add to bridge option is only available for FortiMail interfaces that
are already added to the bridge. If you have added an IP address to
an interface you cannot select add to bridge for the interface.
When you select add to bridge, on System > Network > Interface the
interface status shows bridged (isolated) indicating that the interface
is not connected to the network.
If the effective operating mode changes to FAILED, on System >
Network > Interface the interface status shows bridging (waiting for
recovery).
Known Peers: The list of backup unit IP addresses that have been added to the
primary unit HA configuration. The primary unit synchronizes only with
backup units that have IP addresses in the known peers list. You can
select the Delete icon for any IP address in the Known Peers list to
remove the IP address of this backup unit from the primary unit HA
configuration.
New Peer: Add the IP address of a backup unit and select Add to add the backup
unit IP address to the known peers list. You can add up to 24 backup units or
peers.
IP address: The heartbeat interface IP address of the primary unit in the
config-only HA group. The backup unit uses the master configuration IP
address to communicate with the primary unit. The master
configuration IP address must be the same as the local IP address
added to the primary unit HA configuration.
The master configuration IP address is equivalent to the Peer IP
address that you add to the backup unit in an active-passive HA
group.
Configuring the backup unit to monitor remote services on the primary unit
For an active-passive HA group, you can connect to the backup unit, go to
System > HA > Services and configure remote service monitoring so that the
backup unit monitors the primary unit to verify that the primary unit can accept
SMTP service, POP service (POP3), and Web service (HTTP) connections.
For each service you can enter the IP address and TCP port number to check.
You can enter the same IP address or a different one for each service.
Remote service monitoring is an effective way to make sure that both FortiMail
units in the HA group are connected to your network. If the primary unit becomes
disconnected from the network, the HA group can no longer process email. If you
have configured remote service monitoring, the backup unit detects that the
primary unit network connection has failed.
Normally you set remote monitoring to monitor the IP address of the primary unit
interface that processes email. For example, if the primary unit uses port1 for
email traffic, set the remote service monitoring IP address to the port1 IP address
of the primary unit.
If you set the remote service monitoring IP address to the IP address of the
primary heartbeat interface or the secondary heartbeat interface of the primary
unit, checking takes place over the heartbeat link.
For each protocol, you must specify an IP address and port number, and
configure all settings for each protocol. You must also specify the check time
interval in minutes to wait between checks and the response wait time in seconds
to wait for a response. You must also specify how many times the check fails
before a failover occurs.
The check time interval range is 1 to 60 minutes. Set the time interval to 0 to
disable remote service monitoring. The response wait time range for service
checks is 1 to a high number of seconds. Set the response wait time to 0 to
disable remote service monitoring.
The range for the number of times the check fails is 1 to a high number. Set
the number of times the check fails to 0 to disable interface monitoring or
hard drive monitoring.
If the backup unit detects a remote service failure, the backup unit HA effective
operating mode changes to MASTER. The backup unit becomes the new primary
unit. The primary unit effective operating mode changes to OFF or FAILED
depending on the On Failure setting. See “HA main configuration options” on
page 492 for information about setting On Failure.
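The heartbeat settings (interval, consecutive failure count, and the "0 disables the check" rule) and the remote service monitoring settings above follow the same failure-detection logic. The following Python model is an added example written for this section, not FortiMail code; it assumes the detection rule is "N consecutive failed checks, any success resets the count", which is how the guide describes both mechanisms. The `run_heartbeat`, `FailureDetector`, `tcp_service_up` and `check_services` names are the example's own, and the service addresses in the demo are constructed to match the guide's port5 example.

```python
"""Failure-detection model for FortiMail active-passive HA (added example).

Illustrative code written for this section, not FortiMail's own code. It models
the two checks the backup unit runs against the primary unit:
  * HA heartbeat: one probe every `interval` seconds; after `fails` consecutive
    misses the backup assumes the MASTER role (defaults 5 s and 3 -> 15 s);
  * remote service monitoring: a TCP connect to each monitored service
    (SMTP, POP3, HTTP) every `interval` minutes, waiting `wait` seconds for a
    response; `fails` consecutive failures cause a failover.
Setting the interval, the response wait time or the failure count to 0
disables the check, as the guide states for each of these settings.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class CheckSettings:
    interval: int   # seconds for the heartbeat, minutes for remote services
    fails: int      # consecutive failures before the backup declares failure
    wait: int = 1   # response wait time in seconds (remote services only)

    @property
    def enabled(self) -> bool:
        return self.interval > 0 and self.fails > 0 and self.wait > 0

    def detection_time(self) -> int:
        """Worst-case time (in the interval's unit) before failover is declared."""
        return self.interval * self.fails if self.enabled else 0


HEARTBEAT_DEFAULTS = CheckSettings(interval=5, fails=3)  # guide: 3 x 5 s = 15 s


class FailureDetector:
    """Counts consecutive failed checks and flips the effective mode to MASTER."""

    def __init__(self, settings: CheckSettings) -> None:
        self.settings = settings
        self.consecutive_failures = 0
        self.effective_mode = "SLAVE"

    def observe(self, ok: bool) -> str:
        if not self.settings.enabled:
            return self.effective_mode          # monitoring disabled: never fail over
        if ok:
            self.consecutive_failures = 0       # any success resets the count
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.settings.fails:
                self.effective_mode = "MASTER"
        return self.effective_mode


def run_heartbeat(settings: CheckSettings, responses: Iterable[bool]) -> str:
    """Feed a sequence of heartbeat results to a detector; return the final mode."""
    detector = FailureDetector(settings)
    for ok in responses:
        detector.observe(ok)
    return detector.effective_mode


def tcp_service_up(host: str, port: int, wait: int) -> bool:
    """Remote-service style probe: does a TCP connect complete within `wait` s?"""
    try:
        with socket.create_connection((host, port), timeout=wait):
            return True
    except OSError:
        return False


def check_services(services: Dict[str, Tuple[str, int]], settings: CheckSettings,
                   probe: Callable[[str, int, int], bool] = tcp_service_up) -> Dict[str, bool]:
    """Probe each configured service once; `probe` is injectable for offline use."""
    if not settings.enabled:
        return {}
    return {name: probe(host, port, settings.wait) for name, (host, port) in services.items()}


if __name__ == "__main__":
    # Constructed input: a busy primary misses two heartbeats, then recovers.
    busy_primary = [True, False, False, True, True]
    print(run_heartbeat(HEARTBEAT_DEFAULTS, busy_primary))                  # SLAVE
    print(run_heartbeat(CheckSettings(interval=2, fails=1), busy_primary))  # MASTER
    # Constructed addresses matching the guide's example (port5 of the primary).
    services = {"SMTP": ("172.16.5.2", 25), "POP3": ("172.16.5.2", 110),
                "HTTP": ("172.16.5.2", 80)}
    print(check_services(services, CheckSettings(interval=1, fails=3, wait=2),
                         probe=lambda h, p, w: True))
```

The two `run_heartbeat` calls in the demo show the trade-off the guide describes: with the default three-miss rule a primary that is briefly too busy to answer stays primary, while a one-miss rule turns the same sequence into a spurious failover and, if the old primary is still up, two units in MASTER mode.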
[Figure: FortiMail-400 HA group; port5 IP 172.16.5.2 (mail processing), port1 IP 172.20.2.10 (administrators)]
When operating as an HA group, DNS and MX records should target the port5
interface of the primary FortiMail-400 unit. As well, administrators should be able
to administer the HA group by connecting to port1 of the primary unit.
If a failover occurs, port5 of the backup unit should become the DNS and MX
record target. As well, administrators should be able to connect to port1 of the
backup unit using the same administration IP address.
Additionally, all connections to port5 should use only the 172.16.5.2 IP address,
and, during normal HA group operation, users should not be able to connect to
port5 of the backup unit. Administrators should be able to connect to port1 of the
backup unit at any time.
The network configuration shown in Table 26 supports these requirements for the
primary unit.
Table 26: Example primary unit HA network interface configuration
(Columns: FortiMail interface; IP address setting; HA network interface
configuration in master mode, as setting and IP address; description.)
port1: IP address 172.20.2.20; master mode setting: add virtual IP/netmask
    172.20.2.10. Enable HTTPS, SSH, and ping access. Administrative access to
    this interface uses IP address 172.20.2.20 or 172.20.2.10.
port2 to port4: Default IP; master mode setting: do nothing.
port5: Default IP; master mode setting: set interface IP/netmask 172.16.5.2.
    The target of your email DNS and MX records, this interface is used for
    all mail processing and email user connections. No administrative access
    to this interface.
port6: Default IP; master mode setting: do nothing, IP address 10.0.0.1.
    Primary heartbeat interface. The default IP address of this interface is
    10.0.0.1.
Backup unit (corresponding configuration, same columns):
port1: IP address 172.20.2.30; master mode setting: N/A. Enable HTTPS, SSH,
    and ping access. Administrative access to this interface uses IP address
    172.20.2.30.
port2 to port5: Default IP; master mode setting: N/A.
port6: Default IP; master mode setting: N/A, IP address 10.0.0.2. Primary
    heartbeat interface. The default IP address of this interface is
    10.0.0.2.
[Figure: Gateway mode active-passive HA group. Mail server and DNS server on the internal network; DNS record example.com=172.16.5.2 and MX record gw.example.com=172.16.5.2 point at the primary unit; port6 is the primary heartbeat interface between the primary unit and the backup unit; administrators connect to the primary unit; network switch; Internet]
IP/Netmask 172.20.2.20/255.255.255.0
Access Enable HTTPS, SSH, and PING.
6 Select OK.
7 Connect to the port1 interface using https://172.20.2.20.
8 Go to System > HA > Configuration and change the following settings:
Main Configuration
Mode of Operation master
On Failure wait for recovery then assume slave role
Primary Heartbeat
Use Keep the default setting.
Local IP 10.0.0.1
Peer IP 10.0.0.2
Secondary Heartbeat
Use disabled
Treat Remote Services as a heartbeat Keep the default setting.
Daemon Configuration
Shared Password PassW0rd
Heartbeat Keep the default setting.
Configuration Keep the default setting.
Data Keep the default setting.
Backup system mail directory Keep the default setting.
Backup user home directories Keep the default setting.
Backup MTA spool directories Keep the default setting.
Interface Configuration in Master Mode
port1 add virtual IP/netmask
172.20.2.10/255.255.255.0
port5 set interface/netmask 172.16.5.2/255.255.255.0
port2 to 4 and port6 Keep the default setting.
Note: The backup unit HA daemon configuration settings control how the HA daemon
operates. For the initial configuration of the primary unit there is no need to change these
settings. However, after the HA group is operating you might want to change the primary
unit HA daemon configuration settings to control how the primary unit operates when it
becomes the new backup unit after a failover.
IP/Netmask 172.20.2.30/255.255.255.0
Access Enable HTTPS, SSH, and PING.
6 Select OK.
7 Connect to the port1 interface using https://172.20.2.30.
8 Go to System > HA > Configuration and change the following settings:
Main Configuration
Mode of Operation slave
Primary Heartbeat
Use Keep the default setting.
Local IP 10.0.0.2
Peer IP 10.0.0.1
Secondary Heartbeat
Use disabled
Treat Remote Services as a heartbeat Keep the default setting.
Daemon Configuration
Shared Password PassW0rd (enter the same password as the primary unit).
Heartbeat Keep the default setting.
Configuration Keep the default setting.
Data Keep the default setting.
Backup system mail directory Select
3 Connect the port6 primary heartbeat interface of the primary and backup FortiMail
units together using a crossover Ethernet cable.
You can also use two regular Ethernet cables and a switch.
4 Turn on the FortiMail units.
The FortiMail units startup and automatically form an HA group.
HA failover scenarios
This section describes some basic FortiMail active-passive HA failover scenarios.
For each scenario you can refer to the HA group shown in Figure 361. To simplify
the descriptions of these scenarios:
• P1 identifies the FortiMail unit configured to be the primary unit (also called the
master) in the HA group.
• B2 identifies the FortiMail unit configured to be the backup unit (also called the
slave) in the HA group.
6 B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
Two primary units connected to the same network may cause address conflicts on
your network because matching interfaces will have the same IP addresses. As
well, because the heartbeat link is interrupted, the units in the HA group cannot
synchronize configuration changes or mail data changes.
Even after reconnecting the heartbeat link, both units will continue operating as
primary units. To return the HA group to normal operation you must connect to the
B2 web-based manager to restore B2 to operating as the backup unit.
1 The FortiMail HA group is operating normally.
2 The heartbeat link Ethernet cable is accidentally disconnected.
3 The B2 HA heartbeat test detects that the primary unit has failed.
How soon this happens depends on the HA daemon configuration of B2.
4 The effective operating mode of B2 changes to MASTER.
5 B2 sends an alert email similar to the following, indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
Date sent: Wed, 30 Jan 2005 16:27:18 GMT
From: example@example.com
Subject: Remote HA Event
To: example@example.net
6 B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
7 B2 sends an alert email similar to the following, indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
Date sent: Wed, 30 Jan 2005 16:27:18 GMT
From: example@example.com
Subject: Remote HA Event
To: example@example.net
8 B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
9 P1 sends an alert email similar to the following, indicating that P1 has stopped
operating in HA mode.
Date sent: Wed, 30 Jan 2005 17:10:18 GMT
From: example@example.com
Subject: HA Event
To: example@example.net
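The failover walkthrough above ends with the backup unit logging a heartbeat loss (pri=notice) and then each daemon entering MASTER mode. A log collector should pick those lines out and alert on them, because a heartbeat loss can be a broken HA link rather than a dead primary, and the sign of that is two units both claiming MASTER. The script below is an added example, not part of the FortiMail guide: it parses the key=value event log format shown in the steps above and returns the HA role-change events. The sample lines are constructed to match the guide's format; the daemon names and message wording come from the logged messages, everything else about the parser is an assumption.

```python
"""Extract HA role changes from FortiMail event logs.

Added example; not from the FortiMail guide. Parses the key=value event log
format shown in the failover walkthrough (type=event subtype=ha, quoted msg)
and returns the lines in which a unit announces a new HA role.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# key=value tokens; a value is a double-quoted string (may contain spaces)
# or a bare run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# "assuming MASTER role" / "entering MASTER mode" (and the SLAVE forms).
_ROLE_RE = re.compile(r"\b(?:assuming|entering)\s+(MASTER|SLAVE)\s+(?:role|mode)\b", re.I)

# Constructed sample, modelled on the guide's lines; the last line is a
# deliberately non-HA event to show that the subtype filter applies.
SAMPLE_LOG = """\
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha pri=notice user=ha ui=ha action=unknown status=success msg="monitord: peer stop responding (heartbeat), assuming MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha pri=information user=ha ui=ha action=unknown status=success msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha pri=information user=ha ui=ha action=unknown status=success msg="backupd: main loop starting, entering MASTER mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha pri=information user=ha ui=ha action=unknown status=success msg="monitord: main loop starting, entering MASTER mode"
2005-01-30 16:30:00 log_id=0107000000 type=event subtype=smtp pri=information user=ha ui=ha action=unknown status=success msg="constructed non-HA line, entering MASTER mode"
"""


@dataclass
class HaRoleChange:
    timestamp: str
    pri: str
    daemon: str           # text before ':' in msg, e.g. monitord
    new_role: str         # MASTER or SLAVE
    heartbeat_loss: bool  # True when the peer was declared dead on heartbeat
    msg: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a FortiMail log line into its fields; None if not a log line."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3 or "=" not in parts[2]:
        return None
    fields = {"timestamp": f"{parts[0]} {parts[1]}"}
    for key, val in _KV_RE.findall(parts[2]):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def ha_role_changes(log_text: str) -> List[HaRoleChange]:
    """All HA events announcing a new role, in log order."""
    out: List[HaRoleChange] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("type") != "event" or f.get("subtype") != "ha":
            continue
        msg = f.get("msg", "")
        m = _ROLE_RE.search(msg)
        if not m:
            continue
        daemon = msg.split(":", 1)[0].strip() if ":" in msg else ""
        out.append(HaRoleChange(
            timestamp=f["timestamp"], pri=f.get("pri", ""), daemon=daemon,
            new_role=m.group(1).upper(),
            heartbeat_loss="heartbeat" in msg.lower(), msg=msg))
    return out


def failover_alerts(log_text: str) -> List[HaRoleChange]:
    """Events worth paging on: a unit assumed MASTER because its peer stopped
    answering heartbeats (logged at pri=notice in the guide's sample)."""
    return [e for e in ha_role_changes(log_text)
            if e.new_role == "MASTER" and e.heartbeat_loss]


if __name__ == "__main__":
    for e in failover_alerts(SAMPLE_LOG):
        print(f"{e.timestamp} {e.daemon}: {e.msg}")
```

Run it over the collector's copy of the event log from both cluster members; if the primary's log shows no "main loop stopping" while the backup reports assuming MASTER, treat it as a possible split-brain rather than a clean failover.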
Upgrading firmware
This section describes the general procedures and caveats for upgrading
FortiMail firmware, covers upgrade issues that apply to all FortiMail firmware
versions, and explains how to revert to a previous firmware version. For
information about upgrading to a specific release, see the Release Notes for
that release.
In addition to major releases and maintenance releases, Fortinet releases patch
releases. A patch release is a firmware image that resolves specific issues
without adding new features or changing existing ones. It is recommended to
download and install a patch release as soon as it is released. When you install
a patch release, use the same procedures as when upgrading to a current firmware
image, including backing up your current configuration first.
This section includes the following topics:
• FortiMail v3.0 upgrade information
• Backing up your configuration
• Upgrading your FortiMail unit
• Reverting to a previous firmware version
Configuration limits
The following configuration limits carry forward to FortiMail v3.0 MR1 and higher
unless otherwise stated. For the most recent FortiMail maximum value matrix, see
http://kc.forticare.com.
You will need to create appropriate recipient-based policies after upgrading if you
enabled only IP-based policies for POP3 and Webmail in FortiMail v3.0 MR1 or
lower. FortiMail v3.0 MR2 and higher releases require recipient-based policies
because IP-based policies no longer check POP3 and Webmail access.
Resetting to factory defaults in FortiMail v3.0 MR2 and newer releases
In FortiMail v3.0 MR2 and newer releases, there are two modes: basic
management mode and advanced management mode. When the FortiMail unit is
reset to factory default settings, the default mode is basic management mode. In
this mode you can easily re-configure basic settings such as IP addresses, as well
as switch back to advanced management mode.
Note: Session profile black/white lists are not included in the configuration backup file or
the black/white list maintenance backup file. Session profile black/white lists are not
affected when you back up, restore or reset.
5 Enter the following to copy the firmware image from the TFTP server to the
FortiMail unit:
execute restore image <name_str> <tftp_ipv4>
where <name_str> is the name of the firmware image file and <tftp_ipv4> is
the IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.68, enter:
execute restore image image.out 192.168.1.68
6 The FortiMail unit responds with a message similar to the following:
This operation will downgrade the current firmware version!
Do you want to continue?(y/n)
7 Enter y.
The FortiMail unit uploads the firmware image file, downgrades to the new
firmware version, and reboots. This process may take a few minutes.
8 Log back in to the CLI.
9 Enter the following to confirm that the firmware image was successfully installed:
get system status
Reconnect to the FortiMail unit by following the next procedure.
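The restore step above fetches the image over TFTP, which authenticates neither the server nor the file, so the practical safeguard sits on the TFTP host: confirm the image's SHA-256 against the checksum published for that release and only then place it in the TFTP root. The script below is an added example, not from the FortiMail guide or Fortinet's tooling. The expected hash a caller passes in is whatever the vendor publishes for the image; the file contents, hash and directories used in demo() are constructed placeholders, and the read-only mode on the staged copy is this example's own choice.

```python
"""Verify a firmware image before serving it over TFTP.

Added example; not from the FortiMail guide. Compares the image's SHA-256
with the expected (vendor-published) value and only then copies it into the
TFTP root under its bare filename, the name 'execute restore image' asks for.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so a large image is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def stage_image(src: str, expected_sha256: str, tftp_root: str) -> str:
    """Copy src into tftp_root if its hash matches; return the staged path.

    Raises ValueError on a mismatch so a wrong or modified image is never
    made downloadable.
    """
    actual = sha256_of(src)
    if actual != expected_sha256.lower():
        raise ValueError(f"{src}: SHA-256 {actual} does not match expected {expected_sha256}")
    os.makedirs(tftp_root, exist_ok=True)
    dst = os.path.join(tftp_root, os.path.basename(src))  # TFTP clients request by name
    shutil.copyfile(src, dst)
    os.chmod(dst, 0o444)  # read-only: the TFTP daemon should serve it, never write it
    return dst


def demo() -> dict:
    """Constructed end-to-end run in a temp dir: one good hash, one bad hash."""
    work = tempfile.mkdtemp(prefix="fml-")
    src = os.path.join(work, "image.out")  # placeholder bytes, not a real image
    with open(src, "wb") as f:
        f.write(b"constructed firmware image bytes\n")
    good = sha256_of(src)
    staged = stage_image(src, good, os.path.join(work, "tftproot"))
    try:
        stage_image(src, "0" * 64, os.path.join(work, "tftproot"))
        rejected = False
    except ValueError:
        rejected = True
    result = {"staged": os.path.basename(staged),
              "staged_hash_ok": sha256_of(staged) == good,
              "bad_hash_rejected": rejected}
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

Stage the image this way on the TFTP server, restrict that server to the management network for the duration of the procedure, and keep the configuration backup taken beforehand alongside the verified image so the downgrade can be reverted.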
There are multiple ways for email users to access the quarantined spam, which
vary by the operation mode of the FortiMail unit:
• Using FortiMail webmail (gateway and transparent mode)
• Using FortiMail webmail (server mode)
• Using daily spam summary reports
• Using POP3 access (gateway and transparent mode)
• Using POP3 access (server mode)
To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [3 message(s) quarantined from Wed, 11 Jul 2007 11:00:01 to Wed, 11 Jul 2007 12:00:01]
Date: Wed, 11 Jul 2007 12:00:01 -0400
Actions:
o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".
o) Delete a message:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".
Index

A
access
  discard 20
access control
  authentication 199
  default action 205
  TLS 199, 206
Access Control List (ACL) 164
access control rules 287
action 257, 263
  automatically update white list 84, 258
  configuring 257
  discard 84, 87, 258, 263
  quarantine 84, 258
  quarantine for review 263
  reject 83, 87, 258, 263
  rewrite recipient email address 259, 264
  tag email in header 83, 87, 258, 263
  tag email in subject 83, 86, 257, 263
active-passive
  HA 463
add to bridge
  HA interface option 499
add virtual IP/netmask
  HA interface option 499
address book
  adding an 211
address book, global 211
address map 214, 234
  creating 235
address verification 20
admin 58, 139
administrative access 62, 130
administrator account
  adding and editing 57
  system quarantine 384
advanced mode 109
advanced protection settings
  description 20
advanced settings
  configuring 169
  description 20
alert email 105, 452
  configuring 105, 452
  example message 489
  HA 479
  selecting event categories 106, 453
  sending for HA events 481
alert email, logging 105, 452
alias 214
alias object 314
antispam
  banned word scan 25
  Bayesian scan 23
  black/white list 24
  DNSBL 23
  forged IP 23
  FortiGuard Antispam 21
  greylist 23
  heuristic scan 24
  PDF scan 425
  profile 241
  sender reputation 25
  SHASH 21
  spam quarantine 49, 366
  SURBL 23
  system quarantine 54, 371
  whitelist word scan 25
antispam profile 241
antivirus
  profile 264
antivirus definitions
  HA 469
  manually initiating updates 125
  update 125
  update from a file 42, 125
appearance, web-based manager 176
archive 429
  exempting spam from 434
  policies 432
archived email
  exporting 431
  HA synchronization 471
  using for Bayesian training 432
ASCII 304
associated domains 70, 71, 186, 191
AUTH 198
authentication
  IMAP 269
  LDAP 320
  PKI 235
  POP3 271
  profile 268
  Radius 272
  SMTP 268
autoexempt list
  search 415

B
back up
  Bayesian databases
    all databases 396
    global or group 392
    user 393
  black/white lists
    domain 403
    personal 404
    system 402
  dictionaries 310
  mail queues 48, 211
  system settings 41, 118
backing up
  using the CLI 524
  using web-based manager 523
backing up configuration 523
backup unit 463
banned word scan 25
Base64 158
basic 33
basic mode 33
Bayesian accounts
  configuring 394
Bayesian database
  global 191
  per protected domain 191
Bayesian database training 72, 167
Bayesian databases
  back up
    all databases 396
    global or group 392
    user 393
  repairing 396
  reset
    all databases 396
    global or group 392
    user 394
  restore
    all users 396
    global or group 392
    user 393
  train
    from archived email 432
    global or group 391
    user 393
  training example 396
  types 387
Bayesian scan 23
bind DN 323, 327, 334
black/white list 24
  action 405
  backing up
    domain 403
    personal 404
    system 402
  hierarchy 400
  restoring
    domain 403
    personal 405
    system 402
blacklist action 405
Boolean 315
bounce verification
  bypass 291
  disable 191
bridge
  add to bridge HA interface option 499
browsing reports 98, 454

C
category
  logging 106, 453
certificate 154
  backup 160
  local 155
  options 156
  server 155
certificate authority (CA) 156, 158, 159, 161, 162, 163, 236
certificate request
  downloading and submitting 158
certificate revocation list (CRL) 162, 163, 236
clear
  Bayesian databases
    all databases 396
    global or group 392
    user 394
CLI
  backing up 524
column view
  logs 92, 446
comma-separated value (CSV) 212
config master
  HA mode 493
config only HA
  see config-only HA 463
config slave
  HA mode 493
config-only
  HA 463, 464
configuration 472
  HA Daemon status 487
  HA synchronization 468
configuration example
  HA 503
configuration limits, 3.0 521
configured HA operating mode
  using SNMP 482
configured operating mode
  HA 484, 485
content
  profile 276, 281
content monitor
  profile 279, 284
  quarantine 54, 371
controller card 153
CPU Usage History 36, 113
CSV (comma-separated value) 75, 220
custom messages 173
customer service 13
customizing column views 92, 450

D
daemon
  HA 470, 495
  HA daemon status 487
daily
  update schedule 126
data

T
technical support 13
time and date
  setting 136
time zone 56, 137
TLS 73, 169
  access control 199, 206
  profile 350
to IP
  system status 121
to port
  system status 121
top level domain (TLD) 202
train
  Bayesian databases
    global or group 391
    user 393
transparent mode 64, 131, 132, 135, 214, 237
transport layer security (TLS) 161, 269, 271, 272, 349
traps
  SNMP 146
treat remote services as heartbeat
  HA 495
trusted host 61, 142

U
unknown servers
  configuring SMTP options for 216, 294
update
  antivirus definitions 125
  antivirus definitions, from a file 42, 125
  enabling push updates 127
  enabling push updates through a NAT device 127
  hourly 126
  logging 126
  manual virus definition update 125
  weekly 126
upgrade
  firmware 115
upgrade information, 3.0 521
  configuration limits 521
  loading default profiles 521
upgrading
  FortiMail unit 526
upgrading firmware
  on an HA cluster 483
upgrading to current firmware version 526
uptime 112
user alias
  creating 231
user groups
  creating 230
user guide
  gateway and transparent modes 531
user home directories
  synchronizing 471, 497
user name 75, 221, 225
user object 314
User Principle Name (UPN) 327
UTF-8 304

V
verification of recipient addresses 20
verifying the upgrade 527
viewing 92, 450
viewing reports 99, 455
virtual IP
  DNS settings 474
  example HA virtual IP configuration 474
  firewall settings 474
  HA 473
  outgoing traffic 474
virus definition
  manual update 125
virus status
  view 121

W
wait for recovery then assume slave role
  on HA failure 493
wait for recovery then restore original role
  on HA failure 493
web service
  monitoring for HA 500
web-based manager
  backing up 523
  customizing appearance 176
  downgrading 528
  language 137
webmail
  language 190
weekly
  update 126
Whitelist word scan 25