
ADMINISTRATION GUIDE

FortiMail™ Secure Messaging Platform


Version 3.0 MR4

www.fortinet.com
FortiMail™ Secure Messaging Platform Administration Guide
Version 3.0 MR4
September 4, 2008
06-30004-0154-20080904

© Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web,
FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse,
FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other
countries. The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Regulatory compliance
FCC Class A Part 15 CSA/CUS

CAUTION: Risk of explosion if the battery is replaced by an incorrect type.
Dispose of used batteries according to the instructions.
Contents
Introduction ...................................................................................... 11
About FortiMail units....................................................................................... 11
About this document....................................................................................... 11
Document conventions................................................................................ 12
Typographic conventions ............................................................................ 12
FortiMail documentation ................................................................................. 12
Comments on FortiMail technical documentation ....................................... 13
Customer service and technical support ...................................................... 13
Register your Fortinet product....................................................................... 14

What’s new in 3.0 MR4..................................................................... 15


Basic concepts and workflow......................................................... 17
Management methods..................................................................................... 17
Configuration workflow................................................................................... 17
Modes of operation.......................................................................................... 18
How FortiMail units process email................................................................. 19
Email domains............................................................................................. 19
Access control rules .................................................................................... 19
Recipient address verification ..................................................................... 20
Customizing messages and appearance .................................................... 20
Advanced delivery features......................................................................... 20
Antispam techniques................................................................................... 21
Order of execution....................................................................................... 25

About the web-based manager....................................................... 31


Basic mode vs. advanced mode .................................................................... 31
Status bar ......................................................................................................... 31

Basic mode ....................................................................................... 33


Management..................................................................................................... 33
Status .......................................................................................................... 34
Mail Queue .................................................................................................. 44
Quarantine .................................................................................................. 48
Settings............................................................................................................. 55
Config.......................................................................................................... 56
Network ....................................................................................................... 61
Domains ...................................................................................................... 66
User (server mode) ..................................................................................... 74
AntiSpam..................................................................................................... 81

FortiMail™ Secure Messaging Platform Version 3.0 MR4 Administration Guide


06-30004-0154-20080904 3

Log & Report.................................................................................................... 87


Logging ....................................................................................................... 87
Reports ....................................................................................................... 97
Alert Email................................................................................................. 105
Quick Start ..................................................................................................... 107

Advanced mode ............................................................................. 109


System ............................................................................................ 111
Status.............................................................................................................. 111
Status........................................................................................................ 111
Mail Statistics ............................................................................................ 120
Session ..................................................................................................... 121
Update ............................................................................................................ 122
Update ...................................................................................................... 122
Network .......................................................................................................... 129
Interface .................................................................................................... 129
DNS .......................................................................................................... 133
DDNS........................................................................................................ 133
Routing...................................................................................................... 134
Management IP......................................................................................... 135
Config ............................................................................................................. 136
Time .......................................................................................................... 136
Options...................................................................................................... 137
Admin........................................................................................................ 138
SNMP v1/v2c ............................................................................................ 142
FortiMail MIBs ........................................................................................... 146
RAID................................................................................................................ 148
RAID levels ............................................................................................... 149
Configuring RAID for FortiMail-400 models .............................................. 151
Configuring RAID on FortiMail-2000/A or FortiMail-4000A models .......... 152
HA ................................................................................................................... 154
Certificate ....................................................................................................... 154
Local Certificate ........................................................................................ 155
CA Certificate ............................................................................................ 161
Certificate Revocation List ........................................................................ 162
Remote ..................................................................................................... 163
Maintenance................................................................................................... 163
Central Management ................................................................................ 164
Backup & Restore ..................................................................................... 164


Mail Settings ................................................................................... 167


Settings........................................................................................................... 167
Local Host ................................................................................................. 167
Advanced (mail server settings) ................................................................ 169
Disclaimer ................................................................................................. 172
Custom Messages .................................................................................... 173
Appearance ............................................................................................... 176
Storage...................................................................................................... 178
Domains.......................................................................................................... 180
Domains .................................................................................................... 180
Access ............................................................................................................ 198
Receive rules ............................................................................................ 198
Determining the default action .................................................................. 205
Delivery rules ............................................................................................ 205
Mail Queue...................................................................................................... 207
Deferred Queue ........................................................................................ 207
Spam Queue ............................................................................................. 208
Dead Mail .................................................................................................. 210
Queue Maintenance .................................................................................. 211
Address Book ................................................................................................ 211
Address Book............................................................................................ 211
Proxies............................................................................................................ 214
Incoming vs. outgoing SMTP connections ................................................ 214
FortiMail SMTP relay vs. unprotected SMTP servers ............................... 215
SMTP ........................................................................................................ 216

User ................................................................................................. 219


User................................................................................................................. 219
User........................................................................................................... 219
User Preferences ...................................................................................... 224
User Group ..................................................................................................... 230
User Group................................................................................................ 230
User Alias ....................................................................................................... 231
User Alias.................................................................................................. 231
Address Map .................................................................................................. 234
Address Map ............................................................................................. 234
PKI User.......................................................................................................... 235
PKI User.................................................................................................... 236

Profile .............................................................................................. 241


AntiSpam ........................................................................................................ 241
Incoming.................................................................................................... 242
Outgoing.................................................................................................... 259


AntiVirus......................................................................................................... 264
AntiVirus.................................................................................................... 264
Virus List ................................................................................................... 267
Authentication ............................................................................................... 267
SMTP ........................................................................................................ 268
IMAP ......................................................................................................... 269
POP3 ........................................................................................................ 271
Radius....................................................................................................... 272
Misc (server mode)........................................................................................ 273
Misc........................................................................................................... 273
Content ........................................................................................................... 275
Incoming ................................................................................................... 276
Outgoing ................................................................................................... 281
Session........................................................................................................... 287
Session Configuration ............................................................................... 287
Preventing clients from using open relays (transparent mode)................. 298
Dictionary ....................................................................................................... 298
How to create dictionary profiles ............................................................... 298
Profiles ...................................................................................................... 299
Dictionaries ............................................................................................... 301
Categories................................................................................................. 304
Languages ................................................................................................ 305
Groups ...................................................................................................... 306
Maintenance ............................................................................................. 310
LDAP............................................................................................................... 311
Preparing your LDAP schema for FortiMail LDAP profiles ....................... 311
LDAP Profile ............................................................................................. 320
IP Pool ............................................................................................................ 348
IP Pool Lists .............................................................................................. 348
TLS.................................................................................................................. 349
TLS Profile ................................................................................................ 350

Policy .............................................................................................. 355


What is a policy? ........................................................................................... 355
How to use policies ....................................................................................... 356
Recipient based policies............................................................................... 357
Incoming policies ...................................................................................... 357
Outgoing policies ...................................................................................... 358
IP based policies ........................................................................................... 359
Creating IP-based policies (gateway mode) ............................................. 360
Creating IP-based policies (server mode)................................................. 361
Creating IP-based policies (transparent mode) ........................................ 363


AntiSpam ........................................................................................ 365


Quarantine...................................................................................................... 365
Recipients ................................................................................................. 366
System quarantine .................................................................................... 371
Control Account......................................................................................... 375
Spam Report ............................................................................................. 376
System quarantine setting......................................................................... 384
FortiGuard-AntiSpam .................................................................................... 385
FortiGuard-Antispam ................................................................................. 385
Bayesian ......................................................................................................... 386
Training Bayesian databases.................................................................... 387
Bayesian database types .......................................................................... 387
Initial training of the Bayesian databases.................................................. 388
User........................................................................................................... 389
Control Account......................................................................................... 394
DB Maintenance........................................................................................ 396
Example: FortiMail Bayesian training ........................................................ 396
Black/White List ............................................................................................. 399
Black and white list hierarchy .................................................................... 400
Black and white list address formats ......................................................... 401
Order of execution of black and white lists in a session profile ................. 402
System black/white list .............................................................................. 402
Domain black/white list.............................................................................. 403
Personal black/white list ............................................................................ 404
Blacklist Action .......................................................................................... 405
Black/White List Maintenance ................................................................... 405
Greylist ........................................................................................................... 406
Understanding greylisting.......................................................................... 407
Display ...................................................................................................... 410
Exempt ...................................................................................................... 411
AutoExempt............................................................................................... 414
Settings ..................................................................................................... 415
Sender Reputation......................................................................................... 416
Display ...................................................................................................... 417
MSISDN Reputation ....................................................................................... 418
Auto Blacklist............................................................................................. 419
Blacklist ..................................................................................................... 420
Exempt ...................................................................................................... 421
Settings ..................................................................................................... 422
Bounce Verification ....................................................................................... 423
Settings ..................................................................................................... 424
Action ........................................................................................................ 425
Configuring PDF scanning ........................................................................... 425


Using Perl regular expressions.................................................................... 426


Regular expression versus wildcard match pattern .................................. 426
Word boundary ......................................................................................... 426
Case sensitivity ......................................................................................... 426
Regular expression syntax........................................................................ 426
Example regular expressions.................................................................... 427

Email Archiving.............................................................................. 429


Settings .......................................................................................................... 429
Settings ..................................................................................................... 429
Archiving Policy ............................................................................................ 432
Archiving Policy......................................................................................... 432
Exempt Policy ................................................................................................ 434
Exempt Policy ........................................................................................... 434

Log & Report .................................................................................. 437


About FortiMail logging ................................................................................ 437
Log types .................................................................................................. 437
Log message severity levels ..................................................................... 438
Log Setting..................................................................................................... 438
Log Setting................................................................................................ 439
Logging .......................................................................................................... 442
Viewing log messages .............................................................................. 444
Displaying and arranging log columns ...................................................... 446
Searching log messages........................................................................... 448
Downloading log files ................................................................................ 450
Emptying the current log file ..................................................................... 451
Deleting rolled log files.............................................................................. 451
Alert Email...................................................................................................... 452
Configuration............................................................................................. 452
Categories................................................................................................. 453
Reports ........................................................................................................... 454
Browse reports.......................................................................................... 454
Config........................................................................................................ 457

Configuring and operating FortiMail HA...................................... 463


FortiMail active-passive HA.......................................................................... 463
FortiMail config-only HA ............................................................................... 464
Mixing FortiMail models in a FortiMail HA group ....................................... 466


HA heartbeat and synchronization .............................................................. 467


Configuring the HA heartbeat and synchronization interface .................... 468
Synchronizing the FortiMail configuration ................................................. 468
Synchronizing FortiMail mail data ............................................................. 470
FortiMail MTA spool directory synchronization after a failover.................. 471
HA network interface configuration in master mode ................................. 472
Adding an IP address to an HA group interface using HA virtual IP addresses .... 473
Changing the IP address of an HA group interface................................... 476
Removing an interface from an HA group ................................................. 476
Example config-only HA network interface configuration .......................... 477
HA log messages, alert email, and SNMP ................................................... 479
Recording HA log messages on the primary and backup unit hard disks . 480
Sending HA log messages to a remote syslog server .............................. 480
Sending alert email for HA events............................................................. 481
Sending SNMP traps for HA events .......................................................... 481
Getting the HA information using SNMP ................................................... 482
HA and storing FortiMail mail data on a NAS Server ................................. 482
Active-passive HA and storing mail data on a NAS server ....................... 483
Config-only HA and storing mail data on a NAS server ............................ 483
Changing the FortiMail firmware for an operating HA group .................... 483
Viewing and changing HA status ................................................................. 484
About HA configured and effective operating modes ................................ 484
Viewing HA daemon status ....................................................................... 487
Forcing the HA group to synchronize configuration and mail data............ 487
Resetting a FortiMail unit to its configured HA operating mode ................ 488
Restarting the HA processes on a stopped primary unit ........................... 489
Configuring HA options ................................................................................ 490
HA main configuration options .................................................................. 492
HA daemon configuration options ............................................................. 495
HA interface configuration in master mode options (active-passive HA) .. 497
HA peer systems options (config-only HA primary unit)............................ 499
HA master configuration options (config-only HA backup units) ............... 500
Configuring active-passive HA service monitoring ................................... 500
Configuring the backup unit to monitor remote services on the primary unit ...... 501
Configuring HA primary unit local services monitoring to monitor network interfaces and hard drives ......................................... 502
Gateway mode active-passive HA configuration example ........................ 503
Deciding on the HA network interface configuration in master mode settings ...... 503
Configuring the primary unit for HA operation........................................... 505
Configuring the backup unit for HA operation ........................................... 507
Connecting the gateway mode HA group to your network........................ 508
Configuring and administering the HA group ............................................ 509
HA failover scenarios.................................................................................... 509
Failover scenario: Temporary failure of the primary unit........................... 510
Failover scenario: primary heartbeat link fails........................................... 512
Failover scenario: Network connection between primary and backup units fails (remote service monitoring detects a failure) ............................................ 516

Upgrading firmware ....................................................................... 521


FortiMail v3.0 upgrade information.............................................................. 521
Backing up your configuration .................................................................... 523
Backing up your configuration using the web-based manager ................. 523
Backing up your configuration using the CLI ............................................ 524
Testing firmware before upgrading ............................................................. 524
Upgrading your FortiMail unit ...................................................................... 526
Upgrading to a current firmware version ................................................... 526
Verifying the upgrade................................................................................ 527
Reverting to a previous firmware version................................................... 528
Downgrading to a previous firmware version ............................................ 528
Reconnecting to the FortiMail unit ............................................................ 529
Restoring the previous configuration ........................................................ 530

Instructions for email users.......................................................... 531


Training Bayesian databases ....................................................................... 531
Managing tagged spam................................................................................. 532
Accessing quarantined email....................................................................... 532
Using FortiMail webmail (gateway and transparent mode) ....................... 533
Using FortiMail webmail (server mode) .................................................... 533
Using daily spam summary reports........................................................... 533
Using POP3 access (gateway and transparent mode) ............................. 535
Using POP3 access (server mode)........................................................... 536
Sending email remotely (gateway and transparent mode)........................ 536

Index................................................................................................ 537

Introduction
This section introduces you to the FortiMail™ Secure Messaging Platform
(FortiMail unit) and the following topics:
• About FortiMail units
• About this document
• FortiMail documentation
• Customer service and technical support
• Register your Fortinet product

About FortiMail units


The FortiMail unit is an integrated hardware and software solution that provides
powerful and flexible logging and reporting, antispam, antivirus, and email
archiving capabilities to incoming and outgoing email traffic. The FortiMail unit has
reliable and high performance features for detecting and blocking spam
messages and malicious attachments. Built on Fortinet’s FortiOS™, the FortiMail
antivirus technology extends full content inspection capabilities to detect the most
advanced email threats.

About this document


This document explains how to use the FortiMail unit once you have successfully
installed the FortiMail unit by following the instructions in the FortiMail Installation
Guide. At this stage:
• The FortiMail unit is integrated into your network.
• In transparent or gateway modes, the network is configured so incoming and
outgoing email passes through the FortiMail unit for examination.
• In server mode, the FortiMail unit is the email server. The network is
configured to allow the FortiMail unit access to and from other email servers,
typically including those out on the Internet, and from users with POP3 or
webmail access.
• The advanced features of the FortiMail unit are not enabled. These features
include antispam, antivirus, email archiving, logging, and reporting.
Optionally, you can continue configuring other system-related items, such as date
and time, administrator accounts, and RAID levels. For more information, see
“System” on page 111. At this time you might also want to update the firmware
(see “Changing the firmware of your FortiMail unit” on page 114) and configure
the unit for antivirus updates (see “Update” on page 122), but you can leave these
tasks for later.

Once your FortiMail unit is running and you have configured the optional system-
related items, you can start to configure the advanced features as described in
this guide. You have the flexibility to choose which features to enable and select
the options you want within each feature.

Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP
addresses.
• To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are
fictional and follow the documentation guidelines specific to Fortinet. The
addresses used are from the private IP address ranges defined in RFC 1918:
Address Allocation for Private Internets, available at
http://ietf.org/rfc/rfc1918.txt?number=1918.
• Notes and cautions are used to provide important information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.

Typographic conventions
FortiMail documentation uses the following typographical conventions:

Convention           Example
Keyboard input       To navigate the list of sessions, select the Page Up icon or
                     the Page Down icon.
CLI command syntax   execute restore config <filename_str>
Document names       FortiMail Administration Guide
Menu commands        Go to System > Network > Interface to view the interface
                     information.
Program output       Welcome!
Variables            <address_ipv4>

FortiMail documentation
You can find FortiMail documentation from the following resources:

Online Help
• FortiMail online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.

• FortiMail Webmail online help
Describes how to use the FortiMail web-based email client, including: how to
send and receive email; how to add, import, and export addresses; how to
configure message display preferences; and how to manage quarantined
email. You can access online help when using the webmail.

Fortinet Documentation CD
All Fortinet documentation is available on the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. The CD contains the following documents:
• FortiMail QuickStart Guides
Provides basic information about connecting and installing a FortiMail unit. A
separate guide is available for each FortiMail model.
• FortiMail Installation Guide
Describes how to set up the FortiMail unit in transparent, gateway, or server
mode.
• FortiMail Administration Guide
This document. Introduces the product and describes how to configure and
manage a FortiMail unit, including how to create profiles and policies,
configure antispam and antivirus filters, create user accounts, configure email
archiving, and set up logging and reporting.
• FortiMail CLI Reference
Describes how to use the FortiMail CLI and contains a reference of all
FortiMail CLI commands.

Fortinet Documentation Web Site


Go to http://docs.forticare.com to get the up-to-date FortiMail documentation.

Fortinet Knowledge Center


Go to http://kc.forticare.com to find more FortiMail related documents:
• FortiMail Log Message Reference
Describes the structure of FortiMail log messages and provides information
about the log messages that are generated by FortiMail units.
• Other troubleshooting and how-to articles, FAQs, technical notes, and more.

Comments on FortiMail technical documentation


Please send information about any errors or omissions in this document to
techdoc_fortimail@fortinet.com.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure your Fortinet
systems install quickly, configure easily, and operate reliably as part of your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services Fortinet provides.

You can dramatically improve the time that it takes to resolve your technical
support ticket by providing your configuration file, a network diagram, and other
specific information. For a list of required information, see the Fortinet Knowledge
Center article What does Fortinet Technical Support require in order to best assist
the customer?

Register your Fortinet product


Register your Fortinet product to receive Fortinet customer services such as
product updates and technical support. You must also register your product for
FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention
updates and for FortiGuard Web Filtering and AntiSpam.
Register your product by visiting http://support.fortinet.com and selecting Product
Registration.
To register, enter your contact information and the serial numbers of the Fortinet
products that you or your organization have purchased. You can register multiple
Fortinet products in a single session without re-entering your contact information.

What’s new in 3.0 MR4


This section lists and describes some of the new features and changes in
FortiMail 3.0 MR4. For upgrade information, see “Upgrading firmware” on
page 521.
If you want to know exactly what has changed in the CLI, and/or what new
commands have been added, it is recommended to review the What’s New
section in the FortiMail CLI Reference.
The following descriptions include only menus containing new features, changes
to features, or both.

System
• System Load – A System Load monitor on the status page displays a
measurement of resource use. This composite statistic takes into account disk,
CPU, memory and SMTP session load. See “Status” on page 111.
• Log/mail disk space allocation – A new CLI command,
execute partitionlogdisk, allows you to vary the ratio of disk space
used for log and mail data from the default 25%/75%. See the FortiMail CLI
Reference.
• Trusted hosts – A security enhancement allowing you to restrict access to the
web-based manager. Attempts to log in to the web-based manager will only
succeed if made from IP addresses configured as trusted hosts. See “Admin”
on page 138.
• Administrator RADIUS authentication – You can configure the FortiMail unit
to authenticate administrator access with a RADIUS server. See “Admin” on
page 138.
• HA slave mode indicator – When part of an HA cluster, the backup unit web-
based manager displays “SLAVE MODE” as a reminder that you should not
make configuration changes to the backup unit. See “Synchronizing the
FortiMail configuration” on page 468.
• FortiManager Support – Local-mode support for remote management by a
FortiManager unit allows configuration backup and restore, and firmware
update. See “Central Management” on page 164.

Mail Settings
• Enhanced spam report customization – Customize the report title, column
titles, and many other parts of the spam report summary. See, “Custom
Messages” on page 173.
• Authentication support in access control rules – Access control rules are
now authentication aware. You can configure access control rules to apply to
all clients, or only authenticated clients. See “Access” on page 198.
• TLS enforcement – Access control rules can be configured to require TLS
connections. You can configure the connection requirement in TLS profiles
and select them in each access control rule. For more information about TLS
profiles, see “TLS” on page 349. For more information about access control rules,
see “Access” on page 198.

• Domain Association – A domain association is a domain name that uses all
the settings configured for the domain it is associated with. Domain
associations are defined within domains or subdomains you have created. See
“Domain Associations” on page 191.

User
• PKI Authentication support – You can configure the FortiMail unit to allow
administrator and email user log in using certificates. See “PKI User” on
page 236.
• Webmail multipart email display selection – Email users have the option to
display the HTML or text portion of an email.

Profile
• Spam action rewrites recipient email address – When the FortiMail unit
detects a spam message, it can add to, or replace, both the local and domain
parts of the recipient email address. See “Actions options” on page 257.
• Header Manipulation – You can configure session profiles to remove any
email message header. See “Session Configuration” on page 287.
• Mail rate limiting by email message quantity – Currently, you can restrict
clients to a maximum number of connections in a specified time. If you prefer,
you can instead restrict clients to a maximum number of email messages in a
specified time. Use the new CLI command set
ip_profile_setting rate_control message to make this change.
This is a system-wide setting. See the FortiMail CLI Reference.

AntiSpam
• Greylist AutoExempt – The FortiMail unit will automatically exempt certain
domains from greylisting for a period. This delays fewer messages and
reduces the number of greylist entries. See “Greylist automatic exemptions” on
page 408.
• MSISDN Reputation – You can configure the FortiMail unit to temporarily
block all MSISDN messages from repeated spam senders. Blacklist and
whitelist support is also included. See “MSISDN Reputation” on page 418.
• Bounce Verification – The FortiMail unit can detect and block invalid bounce
messages using bounce verification. See “Bounce Verification” on page 423.

Log & Report


• Log file compression – Log files can be downloaded in a compressed state,
saving download time. See “Downloading log files” on page 450.

Basic concepts and workflow


This section describes the tools that you can use to configure your FortiMail unit,
and describes how the features of FortiMail units work together.
This section contains the following topics:
• Management methods
• Configuration workflow
• Modes of operation
• How FortiMail units process email

Management methods
After you install the FortiMail unit, you can configure and manage it with either or
both of:
• the web-based manager
• the command line interface (CLI)
The web-based manager has two management modes:
• basic mode: this is the default mode after you log on to the system. In the basic
mode, there is also a quick start wizard to help you quickly set up the basic
network settings.
• advanced mode: this mode allows you to configure the detailed settings.
You can switch between the two modes. For more information, see “About the
web-based manager” on page 31.
If you have completed physical installation and initial configuration of your
FortiMail unit, you have already connected to one of these management methods.
For information about installing your FortiMail unit and connecting to the web-
based manager and/or the CLI, see the FortiMail Installation Guide or the
FortiMail QuickStart Guide.

Note: This Administration Guide describes the web-based manager. For equivalent
documentation of the CLI, see the FortiMail CLI Reference.

Configuration workflow
The web-based manager presents a large number of configuration options. Some
options require prior configuration of other options, or will not function correctly or
cannot be tested until other required components are functional.
Depending on the operation mode you use, the general configuration workflow
may vary.

In general, you may find it helpful to use the following order:


1 In the basic mode of the web-based manager, use the Quick Start Wizard to
configure the most basic of system settings, including network interfaces and DNS
settings. For details, see “Quick Start” on page 107.
This step may already be complete if you have already completed physical
installation and initial configuration of your FortiMail unit.
All the following procedures can be performed in the advanced management
mode. Some of them can be done in the basic mode. For information about the
basic mode and advanced mode, see “About the web-based manager” on
page 31.
2 Connect to the FortiGuard Distribution Network (FDN) to update features that use
or require FortiGuard Antispam or FortiGuard Antivirus service. For details, see
“Update” on page 122.
3 Configure protected email domains. For details, see “Domains” on page 66 and
“Domains” on page 180.
4 Configure email user accounts/preferences. For details, see “User” on page 219.
5 Configure access control rules and message delivery rules. For details, see
“Access” on page 198.
6 Configure antispam settings. For details, see “AntiSpam” on page 365.
7 Configure antispam profiles that will be used in antispam policies. For details, see
“Profile” on page 241.
8 Configure policies. For details, see “Policy” on page 355.
9 Configure logging and reports. For details, see “Log & Report” on page 437.

Modes of operation
You can install the FortiMail unit to operate in either:
• gateway mode
• transparent mode
• server mode
Which mode of operation you choose will vary by its appropriateness to your
network topology and other requirements.
If you have completed physical installation and initial configuration of your
FortiMail unit, you have already selected a mode of operation. For information
about appropriate network topologies for each mode of operation, see the
FortiMail Installation Guide.

Note: All modes can scan for viruses and spam, but each mode of operation has
some features that are specific to it. This Administration Guide notes features of the
web-based manager that do not appear in all modes of operation.

In most cases, you will select the mode of operation once, and will not change it:
changing the mode of operation could require you to adjust your network topology,
configuration of the MX entry of DNS records for your protected domains, and
other setup considerations that are specific to the nature of each mode of
operation. Should you want to change the mode of operation, for information on
configuring the mode of operation, see “Changing the operation mode” on
page 117.

How FortiMail units process email


FortiMail units receive email for defined email domains and control relay of email
to other domains. Email passing through the FortiMail unit can be scanned for
viruses and spam. Policies and profiles govern how the FortiMail unit scans email
and what it does with email messages containing viruses or spam. For information
about policies, see the “Policy” on page 355. For information about profiles, see
“Profile” on page 241.
In addition to policies and profiles, other configured items, such as email domains,
may affect how your FortiMail unit processes email.

Email domains
An email domain is a set of email accounts that reside on a particular email server.
The email domain name is the portion of the user’s email address following the
“@” symbol.
FortiMail units can be configured to protect email domains (referred to as
“protected domains” in this Administration Guide) by defining policies and profiles
to scan and relay email that is incoming to or outbound from protected domains.
If the FortiMail unit is operating in gateway mode or transparent mode, there is
one local email domain that represents the FortiMail unit itself. If the FortiMail unit
is operating in server mode, protected domains reside locally on the FortiMail
unit’s built-in email server.
For information about creating protected domains, see “Creating a protected
domain” on page 182.
In transparent mode, each network interface includes a proxy that receives and
relays email. By default, the proxy responds to SMTP greetings (HELO/EHLO)
using the host name of the SMTP server of the protected domain. For information
about configuring the proxies, see “Proxies” on page 214. For information on
configuring the SMTP greeting, see “Creating a protected domain” on page 182.

Access control rules


The access control rules allow you to control how email messages move to, from,
and through the FortiMail unit. Using access control rules the FortiMail unit can
analyze email messages and take action based on the result. Messages can be
examined according to the sender email address, recipient email address, and the
IP address or host name of the system delivering the email message.
Each access control rule specifies an action to be taken against matching
messages. The actions are as follows:

ACCEPT    The FortiMail unit will deliver the message and bypass all message
          processing. That is, no antispam, antivirus, or similar scans will be
          performed on the message.
RELAY     The FortiMail unit will deliver the message and process it normally, with
          all configured scanning.
REJECT    The FortiMail unit does not accept delivery of the message. The
          FortiMail unit sends a reject response to the system attempting delivery
          of the email message.
DISCARD   The FortiMail unit accepts the message and immediately deletes it
          without delivery. The FortiMail unit does not inform the client.

For information about configuring access control, see “Access” on page 198.
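The following added example (not FortiMail code) shows how a rule set of the kind described above can be evaluated for one SMTP transaction. It assumes rules are checked from the top and the first match wins, that the delivering system can be matched either by a CIDR block or by a host-name pattern, and that a transaction no rule matches is rejected; all rules, addresses and host names in it are constructed.

```python
"""Access control rule evaluation (added example; not FortiMail code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ipaddress

ACTIONS = ("ACCEPT", "RELAY", "REJECT", "DISCARD")


def _source_matches(pattern, src_ip, src_host):
    """Match the delivering system by CIDR block, or by a glob on its host name."""
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatchcase(src_host.lower(), pattern.lower())
    return ipaddress.ip_address(src_ip) in network


@dataclass
class Rule:
    sender: str      # glob on the envelope sender, e.g. "*@example.com"
    recipient: str   # glob on the envelope recipient
    source: str      # CIDR ("192.168.1.0/24") or host-name glob ("*.example.net")
    action: str

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError("unknown action: %s" % self.action)

    def matches(self, mail_from, rcpt_to, src_ip, src_host):
        return (fnmatchcase(mail_from.lower(), self.sender.lower())
                and fnmatchcase(rcpt_to.lower(), self.recipient.lower())
                and _source_matches(self.source, src_ip, src_host))


def evaluate(rules, mail_from, rcpt_to, src_ip, src_host, default="REJECT"):
    """First matching rule wins (assumed ordering); no match falls to `default`.
    Defaulting to REJECT keeps the unit from acting as an open relay."""
    for rule in rules:
        if rule.matches(mail_from, rcpt_to, src_ip, src_host):
            return rule.action
    return default


# Constructed rule set for a protected domain called example.com.
SAMPLE_RULES = [
    Rule("*@spammer.example", "*", "*", "DISCARD"),          # silently drop a known abuser
    Rule("*@example.com", "*", "192.168.1.0/24", "RELAY"),   # LAN clients may send outbound, scanned
    Rule("*", "*@example.com", "*", "RELAY"),                # anyone may deliver to the protected domain, scanned
]


def sample_decisions():
    """Run four constructed transactions through SAMPLE_RULES."""
    cases = [
        ("alice@example.com", "bob@other.example", "192.168.1.25", "pc25.example.com"),    # outbound from LAN
        ("bob@other.example", "alice@example.com", "203.0.113.7", "mx.other.example"),    # inbound to protected domain
        ("bob@other.example", "carol@third.example", "203.0.113.7", "mx.other.example"),  # relay attempt
        ("x@spammer.example", "alice@example.com", "203.0.113.9", "h9.spammer.example"),  # blocked sender
    ]
    return [evaluate(SAMPLE_RULES, *case) for case in cases]


if __name__ == "__main__":
    print(sample_decisions())
```

Rule order is what makes the DISCARD rule effective: placed below the rule that relays everything addressed to the protected domain, it would never be reached.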

Recipient address verification


Recipient address verification ensures that the FortiMail unit rejects email with
invalid recipients and does not scan or send them to the backend email server.
This verification can reduce the load on the FortiMail unit when a spammer tries to
send messages to every possible recipient name on the email server.
If you want to use recipient address verification, you need to verify email recipient
addresses by using either the email server or an LDAP server.
Usually you can use the email server to perform address verification. This works
with most email servers that provide a “user unknown” response to invalid
addresses.
You configure recipient address verification as part of the domain settings. See
“Creating a protected domain” on page 182.

Customizing messages and appearance


You can customize both the disclaimer and replacement messages, as well as the
appearance of the FortiMail unit interface.
The disclaimer message is attached to all email, generally warning the recipient
the contents may be confidential. See “Disclaimer” on page 172.
Replacement messages are messages recipients receive instead of their email.
These can include warnings about messages sent and incoming messages that
are spam or infected with a virus. See “Custom Messages” on page 173 and
“Editing a custom replacement message” on page 174.
You can customize the appearance of the FortiMail unit web pages visible to mail
administrators to better match a company look and feel. See “Appearance” on
page 176.

Advanced delivery features


Processing email takes time, which can cause delays that result in client and
server timeouts. To reduce this problem, you can enable two advanced settings to:
• defer delivery to process oversize email at a time when traffic is expected to be
light
• send delivery status notifications (DSN)
For detailed information, see “Advanced (mail server settings)” on page 169.

Antispam techniques
Spam detection is a key feature of the FortiMail unit. The feature is based on two
tiers of spam defense: Fortinet’s FortiGuard Antispam service and FortiMail
antispam techniques. Each tier plays an important role in separating spam from
legitimate email. FortiGuard Antispam delivers a highly-tuned managed service
for the classification of spam while the FortiMail unit offers superior antispam
detection and control technologies.
In addition to scanning incoming email messages, FortiMail units can also inspect
the content of outgoing email messages. This can help eliminate the possibility
that an employee or a compromised computer could send spam, resulting in the
blacklisting of your organization’s email servers.
For more information on antispam techniques, see “Profile” on page 241 and
“AntiSpam” on page 365.

FortiGuard Antispam service


The FortiGuard Antispam service is a Fortinet-managed service that provides a
three-element approach to screening email messages. The first element is a DNS
Block List (DNSBL) which is a “living” list of known spam origins. The second
element is an in-depth email screening based on a Uniform Resource Identifier
(URI) contained in the message body – commonly known as Spam URI Realtime
Blackhole Lists (SURBLs). The third element is the FortiGuard Antispam Spam
Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a
hash of an email to the FortiGuard Antispam server which compares the hash to
hashes of known spam messages stored in the FortiGuard Antispam database. If
the hash results match, the email is flagged as spam.
For information on configuring the FortiGuard Antispam service, see “FortiGuard-
AntiSpam” on page 385.
FortiGuard Antispam DNSBL
To achieve up-to-date real-time identification, the FortiGuard Antispam service
uses globally distributed spam probes that receive over one million spam
messages per day. The FortiGuard Antispam service uses multiple layers of
identification processes to produce an up-to-date list of spam origins. To further
enhance the service and streamline performance, the FortiGuard Antispam
service continuously retests each of the “known” identities in the list to determine
the state of the origin (active or inactive). If a known spam origin has been
decommissioned, the FortiGuard Antispam service removes the origin from the
list, thus providing customers with both accuracy and performance.
The FortiMail FortiGuard Antispam DNSBL scanning process works this way:
1 Incoming email (SMTP) connections are directed to the FortiMail unit.
2 Upon receiving the inbound SMTP connection request, the FortiMail unit extracts
the source information (sending server’s domain name and IP address).
3 The FortiMail unit transmits the extracted source information to Fortinet’s
FortiGuard Antispam service using a secure communication method.
4 The FortiGuard Antispam service checks the sender’s source information against
its DNSBL database of known spam sources and sends the results back to the
FortiMail unit.

5 The results are cached on the FortiMail unit.
• If the results identify the source as a known spam source, the FortiMail unit
acts according to its configured policy.
• The cache on the FortiMail unit is checked for additional connection attempts
from the same source. The FortiMail unit does not need to contact the
FortiGuard Antispam service if the results of a previous connection attempt are
cached.
• Additional connection requests from the same source do not need to be
submitted to the FortiGuard Antispam service again because the classification
is stored in the system cache.
Once the incoming connection has passed the first pass scan (DNSBL), and has
not been classified as spam, it will then go through a second pass scan (SURBL)
if the administrator has configured the service.
FortiGuard Antispam SURBL
To detect spam based on the message body URIs (usually web sites), Fortinet
uses FortiGuard Antispam SURBL technology. Complementing the DNSBL
component, which blocks messages based on spam origin, SURBL technology
blocks messages that have spam hosts mentioned in message bodies. By
scanning the message body, SURBL is able to determine if the message is a
known spam message regardless of origin. This augments the DNSBL technology
by detecting spam messages from a spam source that may be dynamic, or a spam
source that is not yet known to the DNSBL service. The combination of both
technologies provides a superior managed service with higher detection rates
than traditional DNSBLs or SURBLs alone.
The FortiMail FortiGuard Antispam SURBL scanning process works this way:
1 After accepting an incoming SMTP connection (passed first pass scan), the email
message is received.
2 After an incoming SMTP connection has passed the DNSBL scan, the FortiMail
unit accepts delivery of email messages.
3 The FortiMail unit generates a signature (URI) based on the contents of the
received email message.
4 The FortiMail unit transmits the signature to the FortiGuard Antispam service.
5 The FortiGuard Antispam service checks the email signature against its SURBL
database of known signatures and sends the results back to the FortiMail unit.
6 The results are cached on the FortiMail unit.
• If the results identify the signature as known spam email content, the FortiMail
unit acts according to its configured policy.
• Additional connection requests with the same email signature do not need to
be re-classified by the FortiGuard Antispam service, and can be checked
against the classification in the system cache.
• Additional messages with the same signature do not need to be submitted to
the FortiGuard Antispam service again because the signature classification is
stored in the system cache.
Once the message has passed both elements (DNSBL and SURBL), it goes to the
next layer of defense – the FortiMail unit that includes additional spam
classification technologies.

Forged IP scanning
When the FortiMail unit receives an email message, it converts the sender's IP
address to a canonical host name. The FortiMail unit then compares all of the
officially listed IP addresses for that host name with the sender's IP address. If the
sender's IP address is not found, the FortiMail unit considers the IP address and
host name to be forged and treats the email as spam. For more information, see
“Forged IP scan” on page 243.
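The check described above is a forward-confirmed reverse DNS lookup. The following added example (not FortiMail code) performs it with the system resolver, and also accepts injected lookup functions so it can be run against constructed DNS data offline. The page does not say how a source with no reverse record is treated; this example reports it as forged, which is an assumption.

```python
"""Forward-confirmed reverse DNS check (added example; not FortiMail code)."""
import socket


def _system_ptr(ip):
    """Reverse (PTR) lookup via the system resolver; None when no name exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror is a subclass of OSError
        return None


def _system_addresses(host):
    """All addresses the forward (A/AAAA) records list for the host name."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:          # socket.gaierror is a subclass of OSError
        return set()


def forged_ip_check(src_ip, ptr_lookup=_system_ptr, addr_lookup=_system_addresses):
    """Return (forged, host). The host name comes from the PTR record of the
    connecting address; its forward records are then compared with that
    address. A missing PTR cannot be confirmed and is reported as forged too
    (an assumption of this example)."""
    host = ptr_lookup(src_ip)
    if host is None:
        return True, None
    return src_ip not in addr_lookup(host), host


# Constructed DNS data so the example runs offline (all names are fictional).
FAKE_PTR = {"203.0.113.10": "mx1.other.example",
            "198.51.100.7": "mail.legit.example"}
FAKE_FWD = {"mx1.other.example": {"203.0.113.10", "203.0.113.11"},
            "mail.legit.example": {"192.0.2.44"}}


def sample_results():
    """Three cases: confirmed, PTR that does not point back, and no PTR."""
    results = {}
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.99"):
        results[ip] = forged_ip_check(ip, FAKE_PTR.get,
                                      lambda h: FAKE_FWD.get(h, set()))
    return results


if __name__ == "__main__":
    for ip, (forged, host) in sample_results().items():
        print(ip, host, "FORGED" if forged else "confirmed")
```

The second case is the one the scan is designed for: the reverse record claims mail.legit.example, but that name's forward records do not include the connecting address, so the claimed identity is not confirmed.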

Greylist scanning
Greylist scanning blocks spam based on the behavior of the sending server,
rather than the content of the messages. When receiving an email from an
unknown server, the FortiMail unit will temporarily reject the message. If the mail
is legitimate, the originating server will try to send it again later, at which time the
FortiMail unit will accept it. Spam senders rarely attempt a retry. For more
information, see “Greylist” on page 406.

DNSBL scanning
In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the
FortiMail unit supports administrator-defined public Realtime Block List servers.
You can enable DNSBL filtering as part of the antispam profile, and define multiple
DNSBL servers for each antispam profile. For more information, see “DNSBL
scan” on page 243 and “DNSBL scan options” on page 246.

Deep header scanning
Deep header scanning involves two separate checks. Black IP checking
examines the “Received” fields of the email header. The FortiMail unit then
extracts any URIs or IPs from the header and passes them to the FortiGuard
Antispam service, DNSBL, or SURBL servers for spam checking. Header analysis
examines the entire message header for spam characteristics. For more
information, see “Deep header scan” on page 243.

SURBL scanning
In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the
FortiMail unit supports administrator-defined public Spam URI Realtime Block
Lists servers. You can specify which public SURBL servers to use as part of an
antispam profile. For more information, see “SURBL scan” on page 243 and
“SURBL scan options” on page 248.

Bayesian scanning
Bayesian scanning uses databases to determine if an email is spam. For
Bayesian scanning to be effective, the databases must be trained with known-
spam and known-good email messages so the scanner can learn the differences
between the two types of email. To maintain its effectiveness, false positives and
false negatives must be sent to the FortiMail unit so the Bayesian scanner can
learn from its mistakes. Without this ongoing training, Bayesian scanning will
become significantly less effective over time.


The FortiMail Bayesian scanner uses three types of databases: personal, group,
and global. Personal databases are associated with individual users, the group
database applies to all users in a domain, and the global database applies to all
users hosted on domains defined on the FortiMail unit. For more information, see
“Training Bayesian databases” on page 387.

Heuristic scanning
The FortiMail unit includes the rules that the heuristic filter uses. Each rule has an
individual score used to calculate the total score for an email. An upper and a lower
threshold for the heuristic filter are set for each antispam profile. To determine if
an email is spam, the heuristic filter examines the email message and adds the
score for each rule that applies to get a total score for that email. If the total is
greater than or equal to the upper threshold, the filter classifies the email as spam
and processes it accordingly. If the total is less than or equal to the lower
threshold, the email is not spam. If the total is between the two thresholds, the
heuristic filter cannot determine whether the email is spam or not spam. For more
information, see “Heuristic scan” on page 243.

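The rule scoring and two-threshold decision described above, as an added Python example that is not FortiMail's code. The rules, their scores and the thresholds are constructed stand-ins; FortiMail's built-in rule set and scores are not shown on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    """One heuristic rule: a pattern to look for and the score it contributes."""
    name: str
    pattern: re.Pattern
    score: float


# Constructed rule set. The real FortiMail rules and scores are not on the page;
# these regular expressions only stand in for them. A negative score models a
# rule that makes a message look less like spam.
RULES: Sequence[Rule] = (
    Rule("subject_all_caps", re.compile(r"^Subject: [A-Z0-9 !$]{12,}$", re.MULTILINE), 2.5),
    Rule("urgent_money", re.compile(r"\b(wire transfer|urgent payment)\b", re.IGNORECASE), 3.0),
    Rule("shortened_url", re.compile(r"https?://(bit\.ly|tinyurl\.com)/", re.IGNORECASE), 1.5),
    Rule("unsubscribe_footer", re.compile(r"\bunsubscribe\b", re.IGNORECASE), -1.0),
)


def score_message(message: str, rules: Sequence[Rule] = RULES) -> Tuple[float, List[str]]:
    """Add up the score of every rule that applies and report which ones matched."""
    total = 0.0
    matched: List[str] = []
    for rule in rules:
        if rule.pattern.search(message):
            total += rule.score
            matched.append(rule.name)
    return total, matched


def classify(total: float, lower: float, upper: float) -> str:
    """Three-way decision from the lower and upper thresholds of the antispam profile."""
    if lower > upper:
        raise ValueError("lower threshold must not exceed upper threshold")
    if total >= upper:
        return "spam"
    if total <= lower:
        return "not spam"
    return "undetermined"   # the heuristic filter makes no decision; later checks still run


def heuristic_scan(message: str, lower: float = 2.0, upper: float = 5.0) -> str:
    """Score a message and classify it; the default thresholds are assumptions."""
    total, _ = score_message(message)
    return classify(total, lower, upper)


# Constructed sample messages.
SPAM_SAMPLE = (
    "Subject: URGENT PAYMENT REQUIRED NOW!\n"
    "\n"
    "Complete the wire transfer today: http://bit.ly/constructed-link\n"
)
HAM_SAMPLE = (
    "Subject: Weekly newsletter\n"
    "\n"
    "This week's articles are attached. To unsubscribe, reply to this message.\n"
)
GREY_SAMPLE = (
    "Subject: Invoice 4471\n"
    "\n"
    "Please arrange the wire transfer by Friday as agreed.\n"
)

if __name__ == "__main__":
    for name, text in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("grey", GREY_SAMPLE)):
        total, matched = score_message(text)
        print(f"{name}: score={total} matched={matched} -> {heuristic_scan(text)}")
```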
Image spam scanning
Spammers attempt to get their email messages past spam safeguards by
replacing the message body with an image file. This image file displays a graphic
of the desired text. Since the message body contains no real text, scanners
designed to examine the message body find nothing to work with. However, the
FortiMail unit’s image spam scan is equipped to examine and identify GIF, JPEG,
and PNG graphics used in image spam. For more information, see “Image spam
scan” on page 244.

PDF scanning
Spammers may attach a PDF file to an otherwise empty message, to get their
email messages past spam safeguards. The PDF file contains the spam
information. Since the message body contains no text, antispam scanners cannot
determine if the message is spam. However, the FortiMail unit’s PDF scanning
option directs the heuristic, banned word, and image spam scanners to examine
the contents of PDF attachments. For more information, see “PDF” on page 257.

Locally-administered black/white lists
The FortiMail unit supports four levels of black/white lists: system, domain,
session, and personal. Addresses added to blacklists usually consist of those
known to be used for sending spam. Whitelisted addresses include any non-spam
producing address that may have been improperly marked as a spam sender in
the past, or addresses that you do not want marked as spam in the future. By
using the FortiMail black/white lists, you can add sources that may be unclassified
or misclassified from the managed DNSBL services by specifying email
addresses, domains, and IP addresses. For more information on global
black/white lists, see “System black/white list” on page 402. For more information
on session black/white lists, see “Select the blue arrow to expand Lists.” on
page 297. For more information on personal black/white lists, see “Personal
black/white list” on page 404.


Banned word scanning
You can specify a list of banned words as part of an antispam profile. If the
FortiMail unit detects any of the banned words in the email body or header, it flags
the email as spam. For more information, see “Banned word scan options” on
page 253.

Whitelist word scanning
You can specify a white list of words as part of an antispam profile. If the FortiMail
unit detects a whitelist word, it treats the message as non-spam and cancels
further antispam scanning. For more information, see “Whitelist word scan
options” on page 254.

Sender reputation
The FortiMail unit tracks SMTP client behavior, limiting deliveries of those clients
sending excessive spam messages, infected email, or messages to invalid
recipients. Should clients continue delivering these types of messages, their
connection attempts will be rejected entirely. Sender reputation is managed by the
FortiMail unit and requires no administration. For more information, see “Display”
on page 417.

Order of execution
FortiMail units perform each of the antispam scanning and other actions in the
following order:

Table 1: Execution sequence of antispam techniques

For each check, the entry lists what the check involves, the action if the check is
positive, and the action if the check is negative.

Client initiates communication with the FortiMail unit

Sender/MSISDN Reputation
Check involves: Client IP address for sender reputation. Client MSISDN for MSISDN
reputation.
Action if positive: If the client IP/MSISDN address is in the sender reputation
database, check the score and enable any appropriate restrictions, if any.
Action if negative: Add the address to the sender reputation database and keep a
sender reputation score based on the messages received. Proceed to the next check.

Sender Rate Control
Check involves: Client IP address.
Action if positive: Apply any connection limitations specified in the session
profile. Proceed to the next check.
Action if negative: If there are no connection limitations, or if no session profile
applies, proceed to the next check.

Access DB
Check involves: Client IP address, envelope From, recipient To, header From, and
header To.
Action if positive:
DISCARD: With DISCARD permission, matching messages are accepted, but immediately
deleted upon receipt. The sender and the receiver are not notified of the deletion.
OK: If the client IP or the domain/email address of the sender or receiver appears
in the Access list with OK permission and a message to or from a user of a domain
defined on the FortiMail unit is delivered, the message is accepted and the next
antispam check is initiated. If the client IP address appears in the Access list,
mail is accepted if permission is set to 'OK' and mail is rejected if set to
'Reject.'
REJECT: If the client IP or the domain/email address of the sender or receiver
appears in the Access list with REJECT permission, any mail the client delivers is
rejected.
RELAY: If the client IP or the domain/email address of the sender or receiver
appears in the Access list with RELAY permission and a message to or from a user of
a domain not defined on the FortiMail unit is delivered, accept delivery and relay
it.
Action if negative: If the client IP or the domain/email address of the sender or
receiver does not appear in the Access list, mail to or from users of domains
defined on the FortiMail unit is accepted. If mail to another domain is delivered
to the FortiMail unit, indicating an attempt to relay mail, the messages are
rejected.

HELO/EHLO received from client

HELO check
Check involves: Check the domain in the HELO command received from the client for
invalid characters.
Action if positive: Reject the EHLO/HELO command if invalid characters appear in
the domain. The session will not continue until a proper EHLO/HELO command is
received.
Action if negative: If no invalid characters appear in the domain, proceed to the
next check.

MAIL FROM and RCPT TO commands received from client

System white list
Check involves: Client IP address and Mail From email address/domain.
Action if positive: If the client IP address or Mail From email address/domain
appears in the system white list, deliver the message and cancel remaining
antispam checks.
Action if negative: Proceed to the next check.

System black list
Check involves: Client IP address and Mail From email address/domain.
Action if positive: If the client IP address or Mail From email address/domain
appears in the system black list, invoke the black list action for the message.
Action if negative: Proceed to the next check.

Domain white list
Check involves: Client IP address and Mail From email address/domain.
Action if positive: If the client IP address or Mail From email address/domain
appears in the domain white list, deliver the message and cancel remaining
antispam checks.
Action if negative: Proceed to the next check.

Domain black list
Check involves: Client IP address and Mail From email address/domain.
Action if positive: If the client IP address or Mail From email address/domain
appears in the domain black list, invoke the black list action for the message.
Action if negative: Proceed to the next check.

Session recipient white list
Check involves: Envelope recipient.
Action if positive: If the Envelope Recipient appears in the session recipient
white list, deliver the message and cancel remaining antispam checks.
Action if negative: Proceed to the next check.

Session recipient black list
Check involves: Envelope recipient.
Action if positive: If the Envelope Recipient appears in the session recipient
black list, reject the message.
Action if negative: Proceed to the next check.

Greylist
Check involves: Envelope From, Envelope Recipient, and client IP subnet address.
Action if positive: If the sender information is in the greylist database or if
the client IP subnet appears in the greylist exempt list, the message is passed to
the next check.
Action if negative: If the sender is not in the greylist database, a temp fail is
returned to the sending system.

Domain checks
Check involves: Domain in Envelope From.
Action if positive: If any of the domain checks (the four checks listed in 'For
Unauthenticated Sessions' in the session profile) fail, an error is returned to
the client. The error depends on which particular check failed.
Action if negative: Proceed to the next check.

DATA command received from client

System white list
Check involves: Header From address.
Action if positive: If the message header From email address/domain appears in
the system white list, deliver the message and cancel remaining antispam checks.
Action if negative: Proceed to the next check.

System black list
Check involves: Header From address.
Action if positive: If the message header From email address/domain appears in
the system black list, invoke the black list action for the message.
Action if negative: Proceed to the next check.

Session sender white list
Check involves: Envelope From and message header From field.
Action if positive: If the envelope From or header From email address/domain
appears in the session sender white list, deliver the message and cancel
remaining antispam checks.
Action if negative: Proceed to the next check.

Session sender black list
Check involves: Envelope From and message header From field.
Action if positive: If the envelope From or header From email address/domain
appears in the session sender black list, the black list action is invoked.
Action if negative: Proceed to the next check.

Personal white list
Check involves: Envelope From and message header From field.
Action if positive: If the envelope From or header From email address/domain
appears in the personal white list, deliver the message and cancel remaining
antispam checks.
Action if negative: Proceed to the next check.

Personal black list
Check involves: Envelope From and message header From field.
Action if positive: If the envelope From or header From email address/domain
appears in the personal black list, the message is discarded.
Action if negative: Proceed to the next check.

End of message (EOM) command received from client

AV scan
Check involves: Message and attachments.
Action if positive: If an infected message is detected, and the antispam profile
is configured to treat viruses as spam, the default spam action will be invoked on
the infected message.
Action if negative: Proceed to the next check.

FortiGuard Antispam
Check involves: Every URI in the message body. If Black IP scan is enabled, all IP
addresses in the message header are also checked.
Action if positive: If the FortiGuard-Antispam scanner determines the message is
spam, the configured individual action is invoked. If the individual action is set
to default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

Forged IP
Check involves: Last hop IP address. If Black IP scan is enabled, all IP addresses
in the message header are also checked. If Header analysis is enabled, the entire
header is examined for characteristics of spam.
Action if positive: If the Forged IP scanner determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

DNSBL
Check involves: Client IP address.
Action if positive: If the DNSBL scanner determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

SURBL
Check involves: Every URI in the message body.
Action if positive: If the SURBL scanner determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

Heuristic
Check involves: The message body.
Action if positive: If the Heuristic scanner determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

Bayesian
Check involves: The message body.
Action if positive: If the Bayesian scanner determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

Whitelist Word
Check involves: The message subject and/or body.
Action if positive: If the Whitelist Word scanner determines the message is not
spam, deliver the message and cancel remaining antispam checks.
Action if negative: Proceed to the next check.

Banned Word
Check involves: The message subject and/or body.
Action if positive: If the Banned Word scanner determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

Dictionary
Check involves: The message body.
Action if positive: If the Dictionary scanner determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

Image Spam
Check involves: Embedded image files. If Aggressive scan is enabled, attached
images are also examined.
Action if positive: If the Image Spam scanner determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

Deep Header
Check involves: The message header.
Action if positive: If the Deep Header scan determines the message is spam, the
configured individual action is invoked. If the individual action is set to
default, then the antispam profile default action is used.
Action if negative: Proceed to the next check.

Content
Check involves: Attached files for content scan and message body for content
monitor scan.
Action if positive: If the Content scanner determines the message is spam, the
action configured in the content profile individual action is invoked. If the
individual action is set to default, then the antispam profile default action is
used.
Action if negative: Proceed to the next check.

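A minimal greylist, added here as an example (not FortiMail's implementation) of the behaviour described in the Greylist scanning section and in the Greylist entry of Table 1: the database key is the envelope From, envelope recipient and client IP subnet, an exempt list bypasses the check, and an unknown triplet receives a temporary failure until the sender retries. The /24 and /64 subnet sizes, the 300-second minimum delay and the reply texts are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Triplet = Tuple[str, str, str]


@dataclass
class Greylist:
    """Greylist keyed on envelope From, envelope recipient and client IP subnet.

    Hypothetical parameters: min_delay is how long (seconds) a first-seen triplet
    must wait before a retry is accepted; v4_prefix/v6_prefix define the client
    subnet that forms part of the key.
    """
    min_delay: int = 300
    v4_prefix: int = 24
    v6_prefix: int = 64
    exempt_subnets: List[IPNetwork] = field(default_factory=list)
    first_seen: Dict[Triplet, int] = field(default_factory=dict)

    def key(self, envelope_from: str, envelope_rcpt: str, client_ip: str) -> Triplet:
        ip = ipaddress.ip_address(client_ip)
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (envelope_from.lower(), envelope_rcpt.lower(), str(subnet))

    def check(self, envelope_from: str, envelope_rcpt: str,
              client_ip: str, now: int) -> Tuple[int, str]:
        """Return the SMTP reply: 451 (temp fail) or 250 (pass to the next check)."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.exempt_subnets):
            return 250, "client subnet is on the greylist exempt list"
        triplet = self.key(envelope_from, envelope_rcpt, client_ip)
        seen = self.first_seen.get(triplet)
        if seen is None:
            # First contact: record the triplet and ask the sender to retry.
            self.first_seen[triplet] = now
            return 451, "4.7.1 Greylisted, please retry later"
        if now - seen < self.min_delay:
            # Retried too soon; a legitimate MTA will try again after its own backoff.
            return 451, "4.7.1 Greylisted, please retry later"
        return 250, "sender known to the greylist database"


def simulate() -> List[int]:
    """Run constructed delivery attempts and return the reply codes in order."""
    gl = Greylist(exempt_subnets=[ipaddress.ip_network("198.51.100.0/24")])
    attempts = [
        # (seconds, envelope From, envelope recipient, client IP)
        (0,   "alice@example.net", "bob@example.com", "192.0.2.10"),     # first contact
        (60,  "alice@example.net", "bob@example.com", "192.0.2.10"),     # retried too soon
        (400, "alice@example.net", "bob@example.com", "192.0.2.11"),     # retry from same /24
        (0,   "news@example.org", "bob@example.com", "198.51.100.7"),    # exempt partner
        (0,   "x9q2@mailer.example", "bob@example.com", "203.0.113.9"),  # spam sender, never retries
    ]
    return [gl.check(f, r, ip, t)[0] for t, f, r, ip in attempts]


if __name__ == "__main__":
    print(simulate())
```

The last attempt shows why the technique works: a sender that never retries is never accepted, while the retry from a second host in the same subnet is, because the subnet rather than the exact address forms the key.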

About the web-based manager
This chapter describes aspects that are general to use of the web-based
manager, and includes the following topics:
• Basic mode vs. advanced mode
• Status bar

Basic mode vs. advanced mode
The web-based manager enables you to configure the FortiMail unit by
connecting to the FortiMail unit through a web browser. The web-based manager
has two modes: basic mode and advanced mode.
• Basic mode: Provides easy navigation using a simplified set of menu options
that allow for many typical FortiMail unit configurations, and includes the Quick
Start Wizard.
• Advanced mode: Provides the full set of menu options which allows you to
achieve more complex configurations, but does not include the Quick Start
Wizard.
You can switch between the basic mode and advanced mode of the web-based
manager at any time with no configuration loss. If, for example, you prefer basic
mode but need to configure an item that is displayed only in advanced mode, you
could switch to advanced mode, configure the item, then switch back to basic
mode. To switch between the two modes, go to either Basic >> or Advanced >>.
Basic mode is explained in “Basic mode” on page 33. Advanced mode is
explained in the chapters that follow the basic mode chapters.

Status bar
While you are logged in to the web-based manager, a status bar appears near the
bottom of the browser window. The left side of the status bar displays the
FortiMail unit uptime and the user name of the FortiMail administrator account
that you are currently using.

Figure 1: Status bar

If the FortiMail unit is running in high-availability (HA) mode, the status bar also
displays the host name, enabling you to differentiate members within the HA
cluster.

Figure 2: Status bar (HA mode)


For information on using the advanced mode of the web-based manager to
configure FortiMail administrator accounts, see “Admin” on page 138. For
information on using the advanced mode of the web-based manager to configure
the host name, see “Local Host” on page 167.


Basic mode
The basic mode of the web-based manager provides easy navigation using a set
of menu options that is simpler than the advanced mode's.
By default, the web-based manager initially appears in basic mode when you log
in. You can configure a preference for either the basic mode or the advanced
mode of the web-based manager for each administrator account, causing the
web-based manager to start in that mode when the administrator logs in. For
more information, see “Admin” on page 57.
To manually switch from the advanced mode to the basic mode of the web-based
manager, go to Basic >>.

Note: The basic mode of the web-based manager includes the Quick Start Wizard. If you
have not yet performed the first-time setup of your FortiMail unit, you can use the Quick
Start Wizard to lead you through the required steps, then use the remaining basic mode or
advanced mode menu options if, for example, you later need to change or add to some part
of the configuration. For more information, see “Quick Start” on page 107.

This chapter describes the menu options that appear in the basic mode of the
web-based manager, and includes the following topics:
• Management
• Settings
• Log & Report
• Quick Start

Management
The Management menu enables you to view basic FortiMail unit information and
statuses, including:
• the FortiMail unit’s serial number
• current firmware version
• current virus definition version
• email statistics
• mail queues
• quarantines
You can also configure updates from the Fortinet Distribution Network (FDN),
such as FortiGuard Antivirus, change the firmware, back up and restore the
configuration, and shut down or restart the FortiMail unit.
The Management menu includes:
• Status
• Mail Queue
• Quarantine


Status
The Status menu enables you to view the statuses and other information on
various FortiMail unit aspects, such as serial numbers and email statistics.
The Status menu includes the following tabs:
• Status
• Mail Statistics

Status
The Status tab displays various system statuses, such as log disk usage, version
numbers and the history log. It also enables you to view and change firmware and
antivirus versions, configuration files, and to shut down or restart the FortiMail
unit.
To view status information, go to Management > Status > Status.

Figure 3: Status

Automatic Refresh Interval Select how often the web-based manager updates the
Status tab display.
Go Select to set the selected automatic refresh interval.
Refresh Select to manually update the Status tab display.
System Information
Serial Number The serial number of the FortiMail unit. The serial number
is unique to the FortiMail unit and does not change with
firmware upgrades.
UP Time The time in days, hours, and minutes since the FortiMail
unit was started or rebooted.
System Time The current time according to the FortiMail unit internal
clock.
Firmware Version The version of the firmware installed on the FortiMail unit.
Select Update to change the firmware. For more
information, see “Changing the firmware of your FortiMail
unit” on page 37.
Operation Mode The operation mode of the FortiMail unit. Select Change to
switch modes. For more information, see “Changing the
operation mode” on page 39.


Log Disk The capacity of the hard disk that the FortiMail unit uses to
store log messages. For more information on logging, see
“About FortiMail logging” on page 437.
For information on using the advanced mode of the web-
based manager to configure the RAID level of the log disk,
see “RAID” on page 148.
Mailbox Disk The capacity of the hard disk that the FortiMail unit uses to
store archived email and quarantined spam.
For information on using the advanced mode of the web-
based manager to configure the RAID level of the mailbox
disk, see “RAID” on page 148.
License Information
Antivirus The version of the FortiMail Antivirus Engine.
Antivirus Definitions The current installed version of the FortiMail Antivirus
Definitions.
Select Update to manually update the definitions. For more
information, see “Updating antivirus definitions from a file”
on page 42.
You can schedule the frequency at which the FortiMail unit
retrieves updates from the Fortinet Distribution Network
(FDN) using the advanced mode of the web-based
manager. For more information, see “Scheduling updates”
on page 126.
Antispam The version of FortiMail Antispam Engine.
Antispam Definitions The version of FortiMail Antispam Definitions.
System Settings
Settings Select Backup to download a configuration backup file.
Select Restore to upload a configuration backup file.
Select Restore Factory Defaults to revert the configuration
to the defaults of the firmware version.
For more information, see “Backing up the configuration”
on page 41, “Restoring the configuration” on page 41, and
“Reverting the configuration to firmware defaults” on
page 42.
System Resources
CPU Usage The current CPU activity. The web-based manager
displays CPU usage for core processes only. CPU usage
for management processes, such as HTTPS connections
to the web-based manager, is excluded.
Memory Usage The current memory (RAM) usage. The web-based
manager displays memory usage for core processes only.
Memory usage for management processes, such as
HTTPS connections to the web-based manager, is
excluded.
Log Disk Usage The current log disk usage indicates how much of the
allocated disk space is consumed. For information on log
settings, see “Logging to the hard disk” on page 439.
Mailbox Disk Usage The current mailbox disk usage indicates how much of the
allocated disk space is consumed.
You can use the advanced mode of the web-based
manager to configure an SNMP trigger to alert you when
the mailbox disk is very full. By default, it is set to trigger at
90% full. For more information, see “SNMP v1/v2c” on
page 142.
System Load A composite resource usage figure taking into account
CPU, memory, disk, and other FortiMail unit resources.
Active Sessions Shows the number of administrators and email users
logged in to the FortiMail unit.


History Select History to view a graphical representation of the last
minute of CPU, memory, sessions, and network usage. For
more information, see “Viewing the system resources
history” on page 36. Graphs include:
• CPU Usage History: CPU usage for the previous
minute.
• Memory Usage History: Memory usage for the
previous minute.
• Session History: Session history for the previous
minute.
• Network Utilization History: Network utilization for the
previous minute.
System Command Select to restart or shut down the FortiMail unit. For more
information, see “Restarting and shutting down the
FortiMail unit” on page 39.
History Log Select History Log >> to view history log messages. For
more information on viewing log messages, see “Viewing
log messages” on page 89.

Viewing the system resources history
You can view current and recent usage of each of the FortiMail unit’s system
resources through graphs that automatically refresh every three (3) seconds to
display current data.
The system resources history contains four (4) graphs. Each graph displays
readings of one of the system resources: CPU, memory, sessions, and network
bandwidth usage. Each graph is divided by a grid.
• Horizontal axis: Indicates time, with each grid square representing
approximately three (3) seconds. The most recent time is towards the right
side of the graph.
• Vertical axis: Indicates the usage level, with each grid square representing one
fifth (20%) of either the:
• maximum possible usage (CPU Usage History and Memory Usage
History), or
• number of units currently in the upper left corner of the graph; this number
of units is not constant, but instead scales to more clearly show trends at
higher or lower levels of usage, such as scaling from 100 Kbps to 1 Mbps
(Session History and Network Utilization History)
Greater usage levels are towards the top of the graph.
• Yellow line: Indicates the usage level of that resource over the previous 60
seconds.
If you do not initially see the yellow line in a graph, look at the bottom edge of the
graph. If the system resource usage is very low, such as when the CPU is idle, the
yellow line may coincide with the bottom edge of the graph.
To view the system resources history, go to Management > Status > Status,
then, in the System Resources area, select History >>.


Figure 4: Viewing the system resources history

CPU Usage The amount of workload of the CPU, relative to its maximum.
History
Memory Usage The amount of memory (RAM) in use, relative to its maximum.
History
Session History The amount of TCP sessions, relative to the number of units
displayed in the upper left corner of the graph.
You can view the connections to and from the FortiMail unit using the
advanced mode of the web-based manager. For more information,
see “Session” on page 121.
Network Utilization The amount of network bandwidth usage, relative to the number of
History units displayed in the upper left corner of the graph.

Changing the firmware of your FortiMail unit
Administrators whose Domain is “system” can change the FortiMail firmware.
Firmware changes are either:
• an upgrade to a newer version
• a reversion to an earlier version
The firmware version number is used to determine if you are upgrading or
reverting your firmware image. For example, if your current firmware version is
“FortiMail-400 3.00,build288,080327”, changing to “FortiMail-400
3.00,build266,071209”, an earlier build number and date, indicates you are
reverting.
For more information, see:
• Upgrading the firmware of your FortiMail unit
• Reverting the firmware of your FortiMail unit

Upgrading the firmware of your FortiMail unit
You can upgrade the firmware of your FortiMail unit to ensure that it has the most
recent antivirus engine, antispam engine, bug fixes, and new features.

Note: Installing firmware replaces the current antivirus definitions with those included with
the firmware release that you are installing. After you install the new firmware, verify that
your antivirus definitions are up-to-date using the advanced mode of the web-based
manager. For more information, see “Manually initiating antivirus definitions updates” on
page 125.


Caution: Back up the configuration before beginning this procedure. This procedure may
reset changes that you have made to the FortiMail unit’s configuration file. For more
information on creating a backup, see “Backing up the configuration” on page 41.

To upgrade the firmware
1 Download the firmware image file to your management computer from the Fortinet
Technical Support web site, https://support.fortinet.com.
2 Log in to the web-based manager as an administrator whose Domain is “system”,
such as the administrator named “admin”.
3 Go to Management > Status > Status.
4 In the System Information area, next to Firmware Version, select Update.
5 In Upload File, type the path and filename of the firmware image file, or select
Browse and locate the file.
6 Select OK.
The FortiMail unit installs the uploaded firmware file and restarts. Time required
varies by the speed of the connection of your management computer to your
FortiMail unit. When complete, refreshing your browser will display the login page
of the web-based manager.
7 Log in again to the web-based manager.
8 Go to Management > Status > Status.
9 Confirm that the firmware upgrade has been successfully installed by verifying the
version number located next to Firmware Version in the System Information area.

Reverting the firmware of your FortiMail unit
You can revert your FortiMail unit to a previous firmware version.

Note: Installing firmware replaces the current antivirus definitions with those included with
the firmware release that you are installing. After you install the new firmware, verify that
your antivirus definitions are up-to-date using the advanced mode of the web-based
manager. For more information, see “Manually initiating antivirus definitions updates” on
page 125.

Caution: Back up the configuration before beginning this procedure. This procedure may
reset changes that you have made to the FortiMail unit’s configuration file. For more
information on creating a backup, see “Backing up the configuration” on page 41.

To revert to a previous firmware version


The following procedure reverts the FortiMail unit to its factory default
configuration and deletes all configuration on the unit.
1 Download the firmware image file to your management computer from the Fortinet
Technical Support web site, https://support.fortinet.com.
2 Log in to the web-based manager as an administrator whose Domain is “system”,
such as the administrator named “admin”.
3 Go to Management > Status > Status.
4 In the System Information area, next to Firmware Version, select Update.


5 In Upload File, type the path and filename of the firmware image file, or select
Browse and locate the file.
6 Select OK.
The FortiMail unit installs the uploaded firmware file and restarts. Time required
varies by the speed of the connection of your management computer to your
FortiMail unit. When complete, refreshing your browser will display the login page
of the web-based manager.
7 Log in again to the web-based manager.
8 Go to Management > Status > Status.
9 Confirm that the firmware upgrade has been successfully installed by verifying the
version number located next to Firmware Version in the System Information area.
10 Restore your configuration.
For information about restoring your configuration, see “Restoring the
configuration” on page 41.

Restarting and shutting down the FortiMail unit


Administrators whose Domain is “system” can restart and shut down the FortiMail
unit.

Caution: Before performing any of these procedures, notify your email users.

To restart the FortiMail unit


1 Go to Management > Status > Status.
2 Select Restart.
The FortiMail unit restarts. If you want to continue configuring the FortiMail unit,
refresh your browser and log in again.

To shut down the FortiMail unit


1 Go to Management > Status > Status.
2 Select Shut Down.
The FortiMail unit shuts down. For FortiMail-400 models, you can now turn off the
power using the power button on the back of the FortiMail unit. For FortiMail-100,
FortiMail-2000, or FortiMail-4000 models, you can now turn off the power by
unplugging the FortiMail unit.

Changing the operation mode


Administrators whose Domain is “admin” can change the FortiMail unit from one
operation mode to another.
Operation modes reflect the nature of the network topology in which you deploy
the FortiMail unit, and other considerations. For information on the differences
between each operation mode, see “Determining the best operation mode” on
page 40.


Caution: Back up the configuration before beginning this procedure. This procedure may
reset many of the configuration file changes that you have made to the FortiMail unit,
including settings that do not apply to the new operation mode. For more information on
creating a backup, see “Backing up the configuration” on page 41.

To change the operation mode


1 Go to Management > Status > Status.
2 In the System Information area, in the Operation Mode row, select Change.
3 From Operating Mode, select one of the following:
• Gateway
• Server
• Transparent

Note: If the FortiMail unit is operating in gateway mode, you must configure the MX record
on the DNS server for each protected domain to direct all email to this FortiMail unit instead
of the protected SMTP servers.

4 Select OK.

Determining the best operation mode


You can configure your FortiMail unit to operate in any one of three possible
operation modes. Each operation mode best suits a specific situation.
• Gateway: Use when you do not want your email server to be visible to email
users. You will need to modify the email clients of your email users and your
mail routing policy to route email through the FortiMail unit for it to be scanned.
• Transparent: Use when a network is complex and you do not want to change
the IP address scheme.
• Server: Use if you need a secure SMTP server with integrated advanced
antispam and antivirus capabilities.
For more information about the different operation modes, see “Modes of
operation” on page 18.

Important configuration tips for transparent mode


The transparent mode of operation is often your best choice when a network is
complex and does not allow for changes in the IP addressing scheme. If you
choose to operate your FortiMail unit in transparent mode, consider the following
tips.
• Deploy the FortiMail unit in front of your mail server so incoming email is forced
to go to the FortiMail unit and be scanned.
• Enter the management IP address and all the IP addresses connecting to your
FortiMail unit’s bridged (default) network interfaces on the same IP subnet.
• Do not connect two ports to the same VLAN on a switch or the same hub.
Some Layer 2 switches become unstable when they detect the same media
access control (MAC) address originating on more than one network interface
on the switch, or from more than one VLAN.


• If the client is configured for authentication and the “Use original server to
deliver mail” option under “For unknown Servers” of SMTP proxies is not
selected, configure and apply an authentication profile for the FortiMail unit,
and explicitly configure the back end mail server to allow relay. Without the
profile, the authentication will fail.
• For additional advanced options when configuring protected domains in
transparent mode, see “Creating a protected domain” on page 182.

Backing up the configuration


You can back up the FortiMail unit’s configuration by downloading a configuration
backup file to the management computer.

Caution: A FortiMail configuration backup file is not a full backup of all data on the
FortiMail unit. Backing up the FortiMail unit’s configuration does not include mail queues,
dictionaries, or the Bayesian database, which must be backed up separately. For more
information, see “Queue Maintenance” on page 48, “Maintenance” on page 310 or “User”
on page 389.

To back up the configuration


1 Go to Management > Status > Status.
2 In the System Settings area, select Backup.
3 Select Backup system settings.
4 If your browser prompts you for a location to save the file, select a folder.
The file is downloaded to your management computer.

Restoring the configuration


You can restore the configuration of the FortiMail unit by uploading a previously
downloaded configuration backup file.

Note: This procedure restores the configuration backup file only. For instructions on
restoring other FortiMail unit data, see “Queue Maintenance” on page 48, “Maintenance” on
page 310, and “User” on page 389.

To restore system settings


1 Go to Management > Status > Status.
2 In the System Settings area, select Restore.
3 Enter the path and filename of the configuration backup file, or select Browse to
locate the file.
4 Select OK.
The FortiMail unit restores the system configuration using the uploaded
configuration backup file, and restarts.
5 After the FortiMail unit restarts, refresh your browser.
The FortiMail Administrator Login page is displayed.
6 Log in to the web-based manager to review your configuration to confirm that the
uploaded system settings have taken effect.


Reverting the configuration to firmware defaults


You can use the following procedure to revert the FortiMail configuration to the
values that are defaults for the currently installed firmware version. This procedure
does not change the firmware version or the antivirus definitions.

Caution: Back up the configuration before beginning this procedure. This procedure resets
all changes that you have made to the FortiMail unit’s configuration file and reverts the
system to the default values for the firmware version, including factory default settings for
the IP addresses of network interfaces. For more information on creating a backup, see
“Backing up the configuration” on page 41.

To revert system settings to factory defaults


1 Go to Management > Status > Status.
2 In the System Settings area, select Restore Factory Defaults.
A confirmation dialog appears.
3 Select OK.
The FortiMail unit resets its configuration to the defaults for that firmware version,
and restarts. To configure the FortiMail unit, you must connect to the FortiMail unit
using the default IP addresses for its network interfaces. For more information on
connecting to a FortiMail unit with the default configuration, see the FortiMail
Install Guide. For information on restoring the configuration, see “Restoring the
configuration” on page 41.

Downloading the debug log and trace file


You can download a debug log file and/or trace file. These files may sometimes be
requested by Fortinet Technical Support for systems analysis purposes. The trace
log file is in a binary format, and contains information that is supplementary to the
debug log file.

To download the debug log and trace file


1 Go to Management > Status > Status.
2 In the System Settings area, select Backup.
3 Select Download debug log, then select Download trace log.
4 If your browser prompts you for a location to save the files, select a folder.
The files are downloaded to your management computer.

Updating antivirus definitions from a file


If you do not want to allow the FortiMail unit to automatically download antivirus
definition updates from the Fortinet Distribution Network (FDN), you can manually
upload an antivirus definitions update file.

To upload an antivirus definitions file


1 Download the antivirus definition file to your management computer from the
Fortinet Technical Support web site, https://support.fortinet.com.
2 Go to System > Status > Status.
3 In the License Information area, next to AntiVirus Definitions, select Update.


4 In Update File, type the path and filename of the antivirus definitions file, or select
Browse and locate the file.
5 Select OK.
The FortiMail unit installs the antivirus definitions file. This takes about 1 minute.
6 Go to System > Status > Status.
7 Confirm that the antivirus definitions file has been successfully installed by
verifying the version number located next to AntiVirus Definitions in the License
Information area.

Mail Statistics
The Mail Statistics tab contains summaries of the numbers of email messages in
each time period that the FortiMail unit detected as containing viruses, spam, or
neither.
For email messages classified as spam, mail statistics include which FortiMail
feature classified the email as spam, such as Bayesian antispam databases,
access control, system wide black list (System List), or the email user-configured
black list (User List).
To use the Mail Statistics tab, you must first configure your FortiMail unit to detect
spam and/or viruses. For more information, see “AntiSpam” on page 81.
To view mail statistics, go to Management > Status > Mail Statistics.

Figure 5: Mail Statistics

Automatic Refresh Interval: Select the interval, such as 30 seconds, between automatic refreshes of the page. Refreshing the page displays current email statistics.
Refresh: Select to manually refresh the page, displaying current email statistics.
Statistics data extracted from log also available here: Select to display the statistics in graph format. To return to displaying the email statistics in table format, select Realtime statistics data also available here.
Summary: Select to display a summary of the hourly, daily, monthly, yearly, and total email statistics. The summary table includes both the total count of spam and viral email messages and counts for each method that caused email to be classified as spam or viral email.
Hourly History: Select to display graphs of the hourly email statistics.
Daily History: Select to display graphs of the daily email statistics.
Monthly History: Select to display graphs of the monthly email statistics.
Yearly History: Select to display graphs of the yearly email statistics.

Mail Queue
The Mail Queue menu enables you to view and manage the FortiMail unit’s email
queues: the deferred queue, the spam queue, and the dead email folder.
FortiMail units queue an email message when it is temporarily undeliverable, and
move email messages to the dead mail folder when all retries have failed. You can
configure aspects of queueing behavior, such as the interval at which the FortiMail
unit retries sending the email messages, using the advanced mode of the web-based
manager. For more information, see “Advanced (mail server settings)” on page 169.
The Mail Queue menu includes the following tabs:
• Deferred Queue
• Spam Queue
• Dead Mail
• Queue Maintenance

Deferred Queue
The Deferred Queue tab displays a list of email messages that are currently in the
deferred queue. Unlike the spam queue, the deferred queue contains only email
messages that are not tagged spam.
FortiMail units move an email message to the deferred queue upon initial failure to
send the email message, which can be caused by various temporary reasons
such as interruptions to network connectivity. When an email message is deferred,
the FortiMail unit periodically retries to send the deferred email message.
Administrators can also manually initiate an attempt to send the email message. If
the email is subsequently sent successfully, the FortiMail unit removes the email
from the queue and does not notify the sender. But if the email message continues
to be deferred, the FortiMail unit eventually sends an initial delivery status
notification (DSN) email message to notify the sender that delivery has not yet
succeeded. Finally, if the FortiMail unit cannot send the email message by the end
of the time limit for delivery retries, the FortiMail unit sends a final DSN to notify
the sender about the delivery failure and deletes the email message from the
deferred queue. If the sender cannot receive this notification, such as if the
sender’s SMTP server is unreachable or if the sender address is invalid or empty,
the FortiMail unit will save a copy of the email in the dead mail folder. For more
information, see “Dead Mail” on page 47.
For information on configuring the delivery retry interval, maximum amount of time
that an email message can spend in a queue, and DSN timing using the advanced
mode of the web-based manager, see “Advanced (mail server settings)” on
page 169.
To view, delete, or attempt to resend an email message in the deferred queue, go
to Management > Mail Queue > Deferred Queue.


Figure 6: Deferred Queue

Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
View n lines each page: Select the number of lines to display on each page.
Total lines: The total number of lines in the queue.
Goto Line: Enter the line number of the queue, then select Go to display the page containing that line number.
#: The line numbers on the page.
Select: In the row corresponding to an email message, mark the checkbox to select one or more email messages.
Sender: The sender of the email.
Recipient: The recipient of the email.
Reason: The reasons why the email has been deferred, such as DNS lookup failure or refused connections.
First Processed: The date and time that the FortiMail unit first tried to send the email.
Last Processed: The date and time that the FortiMail unit last tried to send the email.
Tries: The number of times that the FortiMail unit has tried to send the email.
Check All: Select to mark all checkboxes in the Select column for all email messages in the queue.
Uncheck All: Select to unmark all checkboxes in the Select column for all email messages in the queue.
Delete: In the Select column, mark the checkboxes in the rows corresponding to email messages that you want to delete, then select Delete. When you delete a deferred email, the FortiMail unit will send an email message, with the deleted email attached to it, to notify the sender.
Resend: In the Select column, mark the checkboxes in the rows corresponding to email messages that you want to attempt to send, then select Resend.
Refresh: Select to refresh the list of deferred email messages. This can be useful to determine how many email messages are remaining in the queue after selecting Resend.

Spam Queue
The Spam Queue tab displays a list of email messages that are currently in the spam
queue. Unlike the deferred queue, the spam queue contains only those deferred
email messages that are tagged spam.

Note: For information on tagging spam using the advanced mode of the web-
based manager, see “Actions options” on page 257.


FortiMail units move tagged spam to the spam queue upon initial failure to send
the email message, which can be caused by various temporary reasons such as
interruptions to network connectivity. When an email message is deferred, the
FortiMail unit periodically retries to send the deferred email message.
Administrators can also manually initiate an attempt to send the email message. If
the email is subsequently sent successfully, the FortiMail unit removes the email
from the queue and does not notify the sender. But if the email message continues
to be deferred, the FortiMail unit eventually sends an initial delivery status
notification (DSN) email message to notify the sender that delivery has not yet
succeeded. Finally, if the FortiMail unit cannot send the email message by the end
of the time limit for delivery retries, the FortiMail unit sends a final DSN to notify
the sender about the delivery failure and deletes the email message from the
deferred queue. If the sender cannot receive this notification, such as if the
sender’s SMTP server is unreachable or if the sender address is invalid or empty,
the FortiMail unit will save a copy of the email in the dead mail folder. For more
information, see “Dead Mail” on page 47.
For information on configuring the delivery retry interval, maximum amount of time
that an email message can spend in a queue, and DSN timing using the advanced
mode of the web-based manager, see “Advanced (mail server settings)” on
page 169.
To view or delete email messages in the spam queue, go to Management > Mail
Queue > Spam Queue.
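The queue lifecycle that the Deferred Queue and Spam Queue sections above describe (defer on a failed attempt, periodic retries, an initial "delivery delayed" DSN, a final DSN at the retry time limit, and a copy in the dead mail folder when the sender cannot be notified) is modelled here as an added Python example; it is not code from the guide or from FortiMail itself. The retry interval, DSN timing, queue time limit, addresses and delivery outcomes are constructed values, and the handling of an undeliverable initial DSN is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class QueuedMessage:
    """One row of the Deferred Queue or Spam Queue tab."""
    sender: str            # envelope sender; "" stands for an empty (null) reverse path
    recipient: str
    first_processed: int   # minute of the first delivery attempt
    last_processed: int    # minute of the most recent attempt
    tries: int = 0
    reason: str = ""       # e.g. "DNS lookup failure" or "connection refused"
    initial_dsn_sent: bool = False

@dataclass
class QueueSettings:
    """Constructed values; on a real unit these are the advanced mail server settings."""
    retry_interval: int = 30       # minutes between delivery retries
    initial_dsn_after: int = 240   # minutes in the queue before the "delivery delayed" DSN
    max_queue_time: int = 1440     # minutes before the final DSN and removal from the queue

class MailQueue:
    def __init__(self, settings, deliver, sender_reachable):
        self.settings = settings
        self.deliver = deliver                  # None on success, else the deferral reason
        self.sender_reachable = sender_reachable
        self.deferred: List[QueuedMessage] = []
        self.dsns: List[Dict] = []              # DSNs that reached the sender
        self.dead_mail: List[Dict] = []         # DSNs that could not be returned to the sender

    def submit(self, sender: str, recipient: str, now: int) -> bool:
        msg = QueuedMessage(sender, recipient, first_processed=now, last_processed=now)
        return self._attempt(msg, now)

    def _attempt(self, msg: QueuedMessage, now: int) -> bool:
        msg.tries += 1
        msg.last_processed = now
        reason = self.deliver(msg)
        if reason is None:
            # Delivered: silently dropped from the queue; the sender is not notified.
            if msg in self.deferred:
                self.deferred.remove(msg)
            return True
        msg.reason = reason
        if msg not in self.deferred:
            self.deferred.append(msg)
        return False

    def _notify_sender(self, msg: QueuedMessage, final: bool, note: str) -> None:
        dsn = {"to": msg.sender or "<>", "final": final, "note": note, "original": msg}
        if msg.sender and self.sender_reachable(msg.sender):
            self.dsns.append(dsn)
        elif final:
            # Sender address empty or invalid, or its server unreachable: the final DSN,
            # which carries the original message, goes to the dead mail folder instead.
            self.dead_mail.append(dsn)
        # Assumption: an undeliverable "delivery delayed" DSN is simply dropped.

    def tick(self, now: int) -> None:
        """One pass of the retry scheduler at minute `now`."""
        for msg in list(self.deferred):
            age = now - msg.first_processed
            if age >= self.settings.max_queue_time:
                self.deferred.remove(msg)
                self._notify_sender(msg, True, "delivery failed")
                continue
            if now - msg.last_processed >= self.settings.retry_interval:
                if self._attempt(msg, now):
                    continue
            if not msg.initial_dsn_sent and age >= self.settings.initial_dsn_after:
                msg.initial_dsn_sent = True
                self._notify_sender(msg, False, "delivery delayed")

    def delete(self, msg: QueuedMessage) -> None:
        """Administrator's Delete button: the sender is notified, deleted email attached."""
        self.deferred.remove(msg)
        self._notify_sender(msg, True, "deleted by administrator")

def demo_deliver(msg: QueuedMessage) -> Optional[str]:
    """Constructed outcomes: carol's server recovers on the third try, bob's never accepts."""
    if msg.recipient == "carol@example.net" and msg.tries >= 3:
        return None
    return "connection refused"

def demo_sender_reachable(sender: str) -> bool:
    return sender.endswith("@example.com")   # constructed: only example.com accepts DSNs

def run_demo() -> MailQueue:
    """Queue three constructed messages and run a day of scheduler passes."""
    q = MailQueue(QueueSettings(), demo_deliver, demo_sender_reachable)
    q.submit("alice@example.com", "bob@example.net", now=0)
    q.submit("", "bob@example.net", now=0)                 # empty reverse path, e.g. a bounce
    q.submit("alice@example.com", "carol@example.net", now=0)
    for now in range(30, 1441, 30):
        q.tick(now)
    return q
```

After `run_demo()` the message to carol has been delivered silently, alice has received a delayed and then a final DSN for bob, and the null-sender message ends up as one entry in the dead mail folder.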

Figure 7: Spam Queue

Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
View n lines each page: Select the number of lines to display on each page.
Total lines: The total number of lines in the queue.
Goto Line: Enter the line number of the queue, then select Go to display the page containing that line number.
#: The line numbers on the page.
Select: In the row corresponding to an email message, mark the checkbox to select one or more email messages.
Sender: The sender of the email.
Recipient: The recipient of the email.
Reason: The reasons why the email has been deferred, such as DNS lookup failure or refused connections.
First Processed: The date and time that the FortiMail unit first tried to send the email.
Last Processed: The date and time that the FortiMail unit last tried to send the email.
Tries: The number of times that the FortiMail unit has tried to send the email.
Check All: Select to mark all checkboxes in the Select column for all email messages in the queue.
Uncheck All: Select to unmark all checkboxes in the Select column for all email messages in the queue.
Delete: In the Select column, mark the checkboxes in the rows corresponding to email messages that you want to delete, then select Delete. When you delete a deferred email, the FortiMail unit will send an email message, with the deleted email attached to it, to notify the sender.
Resend: In the Select column, mark the checkboxes in the rows corresponding to email messages that you want to attempt to send, then select Resend.
Refresh: Select to refresh the list of deferred email messages. This can be useful to determine how many email messages are remaining in the queue after selecting Resend.

Dead Mail
The Dead Mail tab displays the list of email messages that are in the dead mail
folder.
Unlike the spam and deferred queues, the dead mail folder contains copies of
delivery status notification (DSN) email messages from the FortiMail unit
(“postmaster”) to senders of email that is considered to be more permanently
undeliverable, because all previous retry attempts of the deferred email message
have failed. These email messages from “postmaster” include the original email
message for which the DSN was generated.
If an email message can be neither sent nor returned to the sender, it is usually
because both the recipient and sender addresses are invalid. Such email
messages are often sent by spammers who know the domain name of an SMTP
server but not the names of its email users, and are attempting to send spam by
guessing at valid recipient email addresses.
You can configure the FortiMail unit to automatically delete old email messages in
the dead mail folder. Alternatively, if the FortiMail unit is operating in server mode,
you can create a local email account named “postmaster” to receive these email
messages, or create an alias named “postmaster” to an existing email account,
instead of using the dead mail folder.
To view or delete email messages in the dead mail folder, go to Management >
Mail Queue > Dead Mail.

Figure 8: Dead email list

Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
View n lines each page: Select the number of lines to display on each page.
Total lines: The total number of lines in the queue.
Sort By: Select the name of the column by which to sort the list.
Delete dead mails n days old (1-365): Enter the number of days after which to automatically delete the email from the dead mail folder.
#: The line number.
Select All: To select all email messages in the queue, select the checkbox in the column heading. To select individual email messages in the queue, select the checkbox in each row corresponding to the email messages that you want to select.
From: The sender of the email.
To: The recipient of the email.
Subject: The subject line of the email.
Date: Date and time of the email.
Delete: In the Select All column, mark the checkboxes in the rows corresponding to the email messages that you want to delete, then select Delete.

To delete dead email messages


1 Go to Management > Mail Queue > Dead Mail.
2 To delete an individual dead email message, select the check box in the row
corresponding to a dead email message, then select Delete.
To delete all dead email messages, select the Select All check box on the column
heading, then select Delete.

Queue Maintenance
The Queue Maintenance tab enables you to back up and restore the mail queues.
This can be useful if you need to change or reformat the mailbox hard disk.
To back up or restore email message queues, go to Management > Mail
Queue > Queue Maintenance.

Figure 9: Queue Maintenance

Backup Queue: Select to download a queue backup file to the management computer.
Restore Queue: Select to restore a queue backup file from the management computer, then either enter the path and filename of the backup file or select Browse to locate the file, and select OK.

Quarantine
The Quarantine menu enables you to view and delete email messages that have
been quarantined to a FortiMail unit’s hard drive.


You can quarantine email messages based upon the content of the email
messages, such as whether the email is spam or contains a prohibited word or
phrase. FortiMail units have two types of quarantine:
• Per-recipient quarantine: Quarantines email messages into separate folders
for each recipient address in each protected domain. The FortiMail unit
periodically sends spam reports to notify recipients, their designated group
owner, and/or another email address of the email messages that have been
added to the quarantine folder for that recipient.
• System quarantine: Quarantines email messages into a system-wide
quarantine. Unlike the per-recipient quarantine, the FortiMail unit does not
send a spam report and a FortiMail administrator should review the
quarantined email messages to decide if they should be released or deleted.
The Quarantine menu includes the following tabs:
• Recipients
• System quarantine

Recipients
The Recipients tab displays a list of per-recipient quarantine folders.
When incoming email matches a policy in whose antispam settings you have
configured the FortiMail unit to quarantine the email to the per-recipient spam
quarantine, the FortiMail unit will save the email to its hard drive and not deliver it
to the recipient. Instead, the FortiMail unit will periodically send a spam report to
email users, their designated group owner, or another recipient (if you have
configured one in the advanced mode of the web-based manager). The spam
report, by default sent once a day at 9 AM, lists all email messages that were
withheld since the previous spam report. Using the spam report, email users can
review email message details and release any email messages that are false
positives by clicking the link associated with them. The email message will then
be released from the quarantine and delivered to the email user’s inbox. Using the
web-based manager, FortiMail administrators can also manually release or delete
quarantined email. For more information on deleting email that has been
quarantined to the per-recipient quarantine, see “Managing email in per-recipient
quarantines” on page 51. For information on using the advanced mode of the
web-based manager to configure the schedule and recipients of the spam report,
see “Spam Report” on page 376.
You can configure the FortiMail unit to send email to the per-recipient quarantine
by selecting the Quarantine option for antispam settings in the basic mode of the
web-based manager, or selecting it as the action in content profiles and antispam
profiles. For more information, see “Actions options” on page 257 and “Incoming”
on page 276.
To view the recipient quarantine list, go to Management > Quarantine >
Recipients.


Figure 10: Recipients

Select a domain: Select the name of a protected domain to view per-recipient quarantines for recipients in that protected domain. For more information on protected domains, see “Domains” on page 66.
Search: Select to search email in the per-recipient quarantine. For details, see “Searching email in the per-recipient quarantine” on page 52.
Previous Page icon: Select to view the previous page.
Next Page icon: Select to view the next page.
View n lines each page: Select the number of lines to display per page.
Search icon: To display the per-recipient quarantine for an email user, from Select a domain, select the name of a protected domain, then enter the user name portion of a recipient address in the field to the left of the Search icon, and select the Search icon.
Compact: In the Check column, mark the checkboxes in the rows corresponding to the quarantine folders that you want to compress, then select Compact. Note: Folder sizes are updated once an hour. The reduction in folder size will not be immediately reflected after you compress a folder.
Delete selected recipients folder: In the Check column, mark the checkboxes in the rows corresponding to the quarantine folders that you want to delete, then select Delete selected recipients folder. Caution: Per-recipient quarantine folders contain both the email user’s recipient quarantine and other data such as the email user’s preferences and personal white lists and black lists. Deleting a quarantine folder will delete contained spam, but will also delete that other personal data. To avoid this, delete email in the quarantine folder, but not the quarantine folder itself. For more information, see “Managing email in per-recipient quarantines” on page 51.
Send spam report to <All or Selected> users for the past n hours: Enter the number of previous hours’ worth of spam to include in the spam report, then either:
• select All to send a spam report to all email users for which spam was quarantined to the per-recipient quarantine
• in the Check column, mark the checkboxes of each email user for which you want to send a spam report if the FortiMail unit quarantined spam for that email user, then select Selected
You can configure a spam report schedule to automatically send spam reports using the advanced mode of the web-based manager. For more information, see “Spam Report” on page 376 and “Spam Report Setting” on page 192.
#: The index number of the entry in the list.
Check: To select all quarantine folders, select the checkbox in the Check column heading. To select individual quarantine folders, in the Check column, mark the checkboxes in the rows of quarantine folders that you want to select.
Recipient: The email address of a recipient for which the FortiMail unit has quarantined email. Select to view email messages quarantined for that recipient. For more information, see “Managing email in per-recipient quarantines” on page 51.
Size(KBytes): The size of the quarantine folder. Note: Folder sizes are updated once an hour.

Managing email in per-recipient quarantines


You can view, delete, or release email that has been quarantined to per-recipient
quarantines.

Note: Email users can also manage their own per-recipient quarantines through spam
reports. For more information, see “Releasing and deleting email from the per-recipient
quarantine using spam reports” on page 382.

To view email messages quarantined for an individual recipient, go to
Management > Quarantine > Recipients, then select the email address of the
recipient.

Figure 11: Viewing email messages in a per-recipient quarantine

Previous Page
Next Page

Previous Page icon Select to view the previous page.


Next Page icon Select to view the next page.
View n lines each Select the number of lines to display on each page.
page
# The index number of the email message.
Select to view the email message.
Delete To delete all email messages in the quarantine for this recipient,
mark the checkbox in the Delete column heading, then select OK.
To delete individual email messages in the quarantine for this
recipient, mark checkboxes in the rows of email messages that
you want to delete, then select OK.
Release To release all email messages in the quarantine for this recipient,
mark the checkbox in the Release column heading, then select
OK.
To release individual email messages in the quarantine for this
recipient, mark checkboxes in the rows of email messages that
you want to release, then select OK.
From The name of the sender, such as “User 1”.


Subject The subject line of the email.


Date The time of the email.
Received The time that the email was quarantined.
EnvelopeFrom The email address of the sender as it appears in the SMTP
envelope, such as user1@example.com.

To view a quarantined email message


1 Go to Management > Quarantine > Recipients.
2 In the Recipient column, select the email address of the recipient whose
quarantine you want to view.
A list appears which contains email messages quarantined for that recipient.
3 In the “#” column, in the row corresponding to the email message that you want to
view, select the index number.
A pop-up window appears which displays the email message.

To delete quarantined email for a recipient


1 Go to Management > Quarantine > Recipients.
2 In the Recipient column, select the email address of the recipient whose
quarantine you want to view.
3 In the Delete column, mark the checkboxes of the email messages that you want
to delete, or select the checkbox in the Delete column heading to mark the
checkboxes for all email messages in the per-recipient quarantine.
4 Select OK.
A confirmation dialog appears.
5 Select OK.
The selected email messages are deleted.

To release quarantined email for a recipient


1 Go to Management > Quarantine > Recipients.
2 In the Recipient column, select the email address of the recipient whose
quarantine you want to view.
3 In the Release column, mark the checkboxes of the email messages that you
want to release, or select the checkbox in the Release column heading to mark
the checkboxes for all email messages in the per-recipient quarantine.
4 Select OK.
A confirmation dialog appears.
5 Select OK.
The selected email messages are sent to the recipient.

Searching email in the per-recipient quarantine


You can search the per-recipient quarantine for email messages based on their
content and message recipient, across any or all protected domains.


Figure 12: Quarantine Search

Search Result
Refresh Select to refresh the page. This can be useful to
display the current Status of a search task.
# The index number of a search task.
Select to display the search results.
Status The completion status of the search task, such
as Done or Pending.
Name The date and time on which the search task was
executed.
Select to display the search results.
Action Select View Result to display the search results.
Select Copy to New to create a new search task
by duplicating the settings of this search task.
Select “stop” to pause the search task. The icon
changes to a green “resume” arrow. Select
“resume” to resume the search task.
Select Delete to remove the search results.

To search the per-recipient quarantine


1 Go to Management > Quarantine > Recipients.
2 Select the Search button located next to Select a domain.


3 Select the blue arrow to expand New Search Task.


4 Configure one or more of the following search criteria.
Email messages must match all criteria that you configure in New Search Task in
order to be included in the search results. For example, if you configure From and
Subject, only email messages matching both From and Subject will be included in
the search results.

From Enter the email address of the sender.


To Enter the email address of the recipient.
Cc Enter the carbon copy email addresses.
Subject Enter the subject line.
Text Enter text that appears in the message body.
Time Select the range of time of email messages that you want to
include in the search results.
User Enter the user name portion of recipient email addresses
whose quarantine folders you want to search.
Domain To select which protected domains’ per-recipient quarantines
will be searched, in the text area on the left, select the names
of one or more protected domains, then select the right arrow
to move them into the text area on the right.
You must select at least one protected domain to search.

5 Select OK.
The FortiMail unit executes the search, which appears in the Search Result
section.

System quarantine
The System quarantine tab displays the system quarantine.
Unlike the per-recipient quarantine, the system quarantine cannot be accessed
remotely by email users; they will not receive spam reports for email held in the
system quarantine, and cannot manage the system quarantine themselves. A
FortiMail administrator should therefore periodically review the contents of the
system quarantine. Alternatively, using the advanced mode of the web-based
manager, you can configure a special-purpose system quarantine administrator
for this task. For more information, see “System quarantine setting” on page 384.
By default, the system quarantine is not used. You can quarantine email to the
system quarantine by selecting “Quarantine to Review” in outgoing content
profiles and “Quarantine to review” in outgoing antispam profiles in the advanced
mode of the web-based manager. For more information, see “Actions options” on
page 263 and “Outgoing” on page 281.
To view the system quarantine, go to Management > Quarantine > System
Quarantine.


Figure 13: System quarantine


Previous Page Select to display the previous page.


Next Page Select to display the next page.
View n Folders Select the number of lines to display per page.
Compact In the Check column, mark the checkboxes of each email user
whose quarantine folder you want to compress, then select
Compact.
Note: Folder sizes are updated once an hour. The reduction in
folder size will not be immediately reflected after a compress is
executed.
Delete In the Check column, mark the checkboxes in the rows
corresponding to the folders that you want to delete, then select
Delete.
# The folder number. The folders are always numbered in sequential
order.
Check To select every quarantine folder in the list, mark the checkbox in
the column heading.
To select individual quarantine folders, in each row corresponding
to a quarantine folder that you want to select, mark the checkbox.
Folder The system quarantine folders are listed with the newest sorted to
the top row of the column.
The current folder is named “Inbox.” When “Inbox” reaches its
configured Mailbox Rotation Size, the FortiMail unit renames the
“Inbox” according to its creation date and the rename date, and
creates a new “Inbox” folder. These older, renamed folders are
sometimes also called rotated folders. For information on
configuring the Mailbox Rotation Size using the advanced mode of
the web-based manager, see “System quarantine setting” on
page 384.
Select to view email messages quarantined in that folder.
Size(KBytes) The size of all email messages and attachments in the folder.

Settings
The Settings menu enables you to configure the system and email settings of the
FortiMail unit.
The Settings menu includes:
• Config
• Network
• Domains
• User (server mode)


• AntiSpam

Config
The Config menu provides options to configure the system time and administrator
accounts.
The Config menu includes the following tabs:
• Time
• Admin

Time
The Time tab enables you to configure the system time of the FortiMail unit.
For correct scheduling and logging, the FortiMail system time must be accurate.
You can either manually set the FortiMail system time or configure the FortiMail
unit to automatically keep its system time correct by synchronizing with a Network
Time Protocol (NTP) server.

Note: FortiMail units support daylight savings time (DST), including recent changes in the
USA, Canada and Western Australia.

To configure the system time, go to Settings > Config > Time.

Figure 14: Time Settings

System Time The current FortiMail system date and time.


Refresh Select Refresh to update the display of the current FortiMail
system date and time.
Time Zone Select the appropriate time zone for your region.
Automatically adjust clock for daylight saving changes: Select to adjust the
FortiMail system clock automatically when your time zone changes to daylight
saving time and back to standard time.
Set Time: Select to manually set the FortiMail system date and time.
Synchronize with NTP Server: Select to use a network time protocol (NTP) server
to automatically set the system date and time, then configure Server and
Syn Interval.
Server: Enter the IP address or domain name of an NTP server. To find an NTP
server that you can use, see http://www.ntp.org.
Syn Interval: Specify how often the FortiMail unit will synchronize its time with
the NTP server. A typical Syn Interval would be 1440 minutes for the FortiMail
unit to synchronize its time once a day.


Admin
The Admin tab displays a list of the FortiMail unit’s administrator accounts.
Depending on the permission and assigned domain of your account, this list may
not display all other administrator accounts. For more information, see
“Administrator account permissions and domains” on page 58.
By default, FortiMail units have a single administrator account, “admin”. For more
granular administrative access, you can create additional administrator accounts
that are restricted to being able to configure a specific protected domain and/or
with restricted permissions. For more information, see “Administrator account
permissions and domains” on page 58 and “Creating an administrator account” on
page 59.

Note: If you have configured a system quarantine administrator account using the
advanced mode of the web-based manager, this account does not appear in the list of
standard FortiMail administrator accounts. For more information on the system quarantine
administrator account, see “System quarantine setting” on page 384.

To view the list of administrator accounts, go to Settings > Config > Admin.

Figure 15: Admin


Name The name of the administrator account.


Domain The entire FortiMail unit (“system”) or name of a protected domain to
which an administrator account is assigned.
For more information on protected domain assignments, see
“Administrator account permissions and domains” on page 58.
Trusted Hosts The IP address and netmask from which the administrator can log in.
Permission The permissions of the administrator account:
• all (also known as Administrator)
• Read & Write
• Read Only
For more information on permissions, see “Administrator account
permissions and domains” on page 58.
Auth Type The local or remote type of authentication that the administrator can use:
• Local
• RADIUS
• RADIUS + Local
• PKI


Modify Select Delete to remove an administrator account. This option does not
appear for your own administrator account.
Select Edit to change an administrator account.
Select Change Password to change the password of an administrator
account.
Create New Select to create a new administrator account. For more information, see
“Creating an administrator account” on page 59.

Administrator account permissions and domains


There are three possible permission types for an administrator account:
• Administrator (also known as “all”)
• Read & Write
• Read Only
The permissions of an administrator account, combined with whether the
administrator account is assigned to a specific protected domain such as
example.com or is assigned to the entire system, determine the parts of the
configuration that the administrator is permitted to modify and/or view.

Table 2: Administrator account permissions by domain assignment

Permission: Administrator

Domain: system
• Can create, view and change all other administrator accounts except the
“admin” administrator account
• Can view and change all parts of the FortiMail unit’s configuration,
including uploading configuration backup files and restoring firmware
default settings
• Can release and delete quarantined email messages for all protected domains
• Can back up and restore databases
• Can manually update firmware and antivirus definitions
• Can restart and shut down the FortiMail unit

Domain: example.com
• Can create, view and change other administrator accounts with Read & Write
and Read Only permissions in its own protected domain
• Can only view and change settings, including profiles and policies, in its
own protected domain
• Can only view profiles and policies created by an administrator whose
Domain is “system”
• Can be only one per protected domain

Permission: Read & Write

Domain: system
• Can only view and change its own administrator account
• Can view and change parts of the FortiMail unit’s configuration at the
system and protected domain levels
• Can release and delete quarantined email messages for all protected domains
• Can back up and restore databases

Domain: example.com
• Can only view and change its own administrator account
• Can only view and change parts of the FortiMail unit’s configuration in its
own protected domain
• Can only view profiles and policies created by an administrator whose
Domain is “system”
• Can release and delete quarantined email messages in its own protected
domain

Permission: Read Only

Domain: system
• Can only view and change its own administrator account
• Can view the FortiMail unit configuration at the system and protected
domain levels
• Can release and delete quarantined email messages for all protected domains
• Can back up databases

Domain: example.com
• Can only view and change its own administrator account
• Can only view settings in its own protected domain
• Can only view profiles and policies created by an administrator whose
Domain is “system”

There can be up to five (5) administrator accounts per protected domain. The
maximum total number of administrators with Administrator access that are
assigned to protected domains is 25 for FortiMail-400 models and 50 for
FortiMail-2000 models.
Unlike other administrator accounts whose permission is Administrator and
domain is “system,” the “admin” administrator account exists by default and
cannot be deleted. The “admin” administrator account is similar to a root
administrator account. This administrator account always has full permission to
view and change all FortiMail configuration options, including viewing and
changing all other administrator accounts. Its name, permissions, and assignment
to the “system” domain cannot be changed.

Caution: Set a strong password for the “admin” administrator account, and change the
password regularly. By default, this administrator account has no password. Failure to
maintain the password of the “admin” administrator account could compromise the security
of your FortiMail unit.

Creating an administrator account


For more granular administrative access, the “admin” administrator account can
create additional administrator accounts that are restricted to being able to
configure a specific protected domain and/or with restricted permissions. For
more information, see “Administrator account permissions and domains” on
page 58.


Caution: Set a strong password for each administrator account, and change the
passwords regularly. If possible, configure each Trusted Host to restrict administrative
access to the FortiMail unit from within your trusted private network. Failure to restrict
administrative access could compromise the security of your FortiMail unit.

Figure 16: New Administrator

Administrator Enter the name for this administrator account.


Domain Select the entire FortiMail unit (“system”) or name of a protected domain
such as example.com to which this administrator account is assigned.
For more information on protected domain assignments, see
“Administrator account permissions and domains” on page 58.
Password Enter this account’s password.
Confirm password Enter this account’s password again to confirm it.
Trusted Host Enter the IP address from which this administrator can log in.
Netmask Enter the netmask for the Trusted Host.
Permission Select the permissions of this administrator account:
• all (also known as Administrator)
• Read & Write
• Read Only
For more information on permissions, see “Administrator account
permissions and domains” on page 58.
Management mode Select which mode of the web-based manager, Basic or Advanced,
will be displayed when this administrator logs in.
The administrator can switch the mode of the web-based manager at any
time during their administrative session. This option only indicates which
mode will be displayed initially.
Auth Type The local or remote type of authentication that the administrator can use:
• Local
• RADIUS
• RADIUS + Local
• PKI

To add an administrator account


1 Go to Settings > Config > Admin.
2 Select Create New.


3 In Administrator, type a login name for the administrator account.
The login name can contain numbers (0-9), uppercase and lowercase letters
(A-Z, a-z), hyphens (-), and underscores ( _ ). Other special characters and
spaces are not allowed.
4 From Domain, either select a protected domain to which you want to assign the
administrator account, or select “system” to allow the administrator account to
view all protected domains and settings pertaining to the FortiMail unit itself.
5 In Password and Confirm password, type and confirm a password for the
administrator account.
The password can contain any characters except spaces.
6 If you want to restrict the network locations from which this administrator account
can log in, in Trusted Host #1, Trusted Host #2, and Trusted Host #3, type the IP
address and netmask of each permitted location.
If you want the administrator to be able to access the FortiMail unit from any IP
address, type 0.0.0.0/0.0.0.0.
To limit the administrator’s access to the FortiMail unit from a specific network or
IP address, enter that IP address and netmask in dotted decimal format. For
example, you might permit the administrator to log in to the FortiMail unit only from
your private network by typing 192.168.1.0/255.255.255.0.
7 From Permission, select the permissions of the administrator account.
For more information on permissions, see “Administrator account permissions
and domains” on page 58.
8 From Management mode, select either Basic or Advanced to indicate the initial
mode of the web-based manager when the administrator logs in.
9 From Auth Type, select the local or remote authentication style for the
administrator account:
• Local
• RADIUS
• RADIUS + Local
• PKI

Note: RADIUS and PKI authentication require that you first configure a RADIUS
authentication profile or PKI user in the advanced mode of the web-based manager. For
more information, see “Radius” on page 272 and “PKI User” on page 236.

10 Select OK.
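The rules in the procedure above (login-name character set, no spaces in the password, trusted hosts in dotted-decimal address/netmask form, and 0.0.0.0/0.0.0.0 meaning any address) can be checked before an account is created. The following is an added example written for this guide, not FortiMail code or a FortiMail API; it assumes the FortiMail unit matches a login’s source address against each Trusted Host the same way a plain IPv4 network containment test does, and it treats an empty password as invalid, which is an assumption beyond the stated rule. The sample inputs at the bottom are constructed.

```python
import ipaddress
import re

# Login-name rule stated in the guide: digits, letters, hyphens and underscores only.
LOGIN_NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")


def valid_login_name(name: str) -> bool:
    """True if the login name uses only the characters the guide permits."""
    return bool(LOGIN_NAME_RE.match(name))


def valid_password(password: str) -> bool:
    """The guide allows any character except spaces. Rejecting an empty
    password is an added assumption: the guide warns that "admin" ships
    without one, so a blank value should never pass a creation check."""
    return password != "" and " " not in password


def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Parse 'address/netmask' in dotted-decimal form, as typed into the
    Trusted Host and Netmask fields, into a network. strict=False keeps
    any host bits the administrator typed (e.g. 192.168.1.25/255.255.255.0).
    A malformed address or a non-contiguous netmask raises ValueError."""
    address, netmask = entry.split("/")
    return ipaddress.IPv4Network((address, netmask), strict=False)


def is_unrestricted(network: ipaddress.IPv4Network) -> bool:
    """0.0.0.0/0.0.0.0 matches every source address (any-IP access)."""
    return network.prefixlen == 0


def login_allowed(source_ip: str, trusted_hosts) -> bool:
    """True if the source address falls inside at least one trusted host
    (assumed to mirror how the unit applies Trusted Host #1..#3)."""
    address = ipaddress.IPv4Address(source_ip)
    return any(address in parse_trusted_host(entry) for entry in trusted_hosts)


def review_account(name: str, password: str, trusted_hosts) -> list:
    """Return a list of findings for a proposed account; an empty list means it
    passes the guide's rules and every trusted host is limited to a real network."""
    findings = []
    if not valid_login_name(name):
        findings.append("login name: only 0-9, A-Z, a-z, '-' and '_' are allowed")
    if not valid_password(password):
        findings.append("password: must be non-empty and contain no spaces")
    for entry in trusted_hosts:
        try:
            network = parse_trusted_host(entry)
        except ValueError:
            findings.append(f"trusted host {entry!r}: not a valid address/netmask pair")
            continue
        if is_unrestricted(network):
            findings.append(f"trusted host {entry!r}: permits logins from any IP address")
    return findings


if __name__ == "__main__":
    # Constructed sample input, not taken from the guide.
    print(review_account("mail-admin_2", "c0rrect-h0rse", ["192.168.1.0/255.255.255.0"]))
    print(review_account("mail admin", "has space", ["0.0.0.0/0.0.0.0"]))
    print(login_allowed("192.168.1.25", ["192.168.1.0/255.255.255.0"]))
```

The review deliberately reports an any-address trusted host as a finding rather than an error, since the guide permits 0.0.0.0/0.0.0.0; the point is that it should be a conscious choice, in line with the caution about restricting administrative access to your private network.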

Network
The Network menu provides options to configure network connectivity and
administrative access to the web-based manager or CLI of the FortiMail unit
through each network interface.
The Network menu includes the following tabs:
• Interface
• DNS
• Routing


Interface
The Interface tab displays a list of the FortiMail unit’s network interfaces.
You must configure at least one of the FortiMail unit’s network interfaces to enable
it to connect to your network. Depending on your network topology and other
considerations, you may choose to connect the FortiMail unit to your network
using two or more of the FortiMail unit’s network interfaces. You can configure
each network interface separately. For more information, see “Editing network
interfaces” on page 62.
To view the network interface list, go to Settings > Network > Interface.

Figure 17: Interface


Name The name of the network interface, such as port1.


IP The IP address of the network interface.
If the FortiMail unit is in transparent mode, IP and Netmask may alternatively
display “bridging”. This means that Do not associate with management IP
has been disabled, and the network interface is acting as a Layer 2 bridge.
Netmask The netmask of the network interface.
If the FortiMail unit is in transparent mode, IP and Netmask may alternatively
display “bridging”. This means that Do not associate with management IP
has been disabled, and the network interface is acting as a Layer 2 bridge.
Access The administrative access and webmail access services that are enabled on
the network interface, such as HTTPS for the web-based manager.
Status Indicates the “up” (available) or “down” (unavailable) port status for the
network interface.
• Green up arrow: The network interface is up and can accept traffic.
• Red down arrow: The network interface is down and cannot accept
traffic.
To bring up a network interface, select Bring Up.
To bring down a network interface, use the command line interface (CLI) and
enter the following command:
set system interface <intf_str> config status down
where <intf_str> is the name of the network interface.
Modify Select Modify to edit a network interface configuration. For more information,
see “Editing network interfaces” on page 62.

Editing network interfaces


You can edit a network interface to change its IP address, netmask, administrative
access protocols, and other settings.

Caution: Enable administrative access only on network interfaces connected to trusted
private networks or directly to your management computer. If possible, enable only secure
administrative access protocols such as HTTPS or SSH. Failure to restrict administrative
access could compromise the security of your FortiMail unit.


To edit a network interface


1 Go to Settings > Network > Interface.
2 In the row corresponding to the network interface that you want to edit, select Edit.
The Edit Interface page appears. Appearance varies by:
• the operational mode of the FortiMail unit (gateway, transparent, or server)
• if the FortiMail unit is operating in transparent mode, by whether the network
interface is port1, which is required to be configured as a Layer 2 bridge and
therefore cannot be configured with an IP and Netmask
3 Configure the following:

Figure 18: Edit Interface (gateway mode)

Figure 19: Edit Interface (transparent mode, non-bridging)

Figure 20: Edit Interface (transparent mode, port1)

Interface Name The name (such as port2) and media access control (MAC)
address for this network interface.
Addressing mode


Do not associate with management IP: Enable to configure an IP address and
netmask for this network interface, separate from the management IP, then
configure IP/Netmask.
This option appears only if the FortiMail unit is operating in
transparent mode and if the network interface is not port1,
which must always be bridging. For more information, see
“Routing” on page 66.
Manual Select to enter a static IP address, then enter the IP address
and netmask for the network interface in the IP/Netmask field.
This option appears only if the FortiMail unit is operating in
gateway mode or server mode, and the network interface is not
port1.
IP/Netmask Enter the IP address and netmask for the network interface.
If the FortiMail unit is operating in gateway mode or server
mode, this option is available only if Manual is selected.
If the FortiMail unit is operating in transparent mode, this option
is available only if Do not associate with management IP is
enabled.
DHCP Select to retrieve a dynamic IP address using DHCP.
This option appears only if the FortiMail unit is operating in
gateway mode or server mode.
Retrieve default Select to retrieve both the default gateway and DNS addresses
gateway and from the DHCP server, replacing any manually configured
DNS from server values.
Connect to Select for the FortiMail unit to attempt to obtain DNS
Server addressing information from the DHCP server. Disable this
option if you are configuring the network interface offline, and
do not want the unit to attempt to obtain addressing information
at this time.
Status Select to refresh the page and display the current DHCP status
message.
The text following this link displays the current DHCP status
message at the time that this page was last refreshed. DHCP
status messages can indicate progress as the FortiMail unit
connects to the DHCP server and retrieves addressing
information.
Access
HTTPS Enable to allow secure HTTPS connections to the web-based
manager, webmail, and per-recipient quarantine through this
network interface.
PING Enable to allow ICMP ping responses from this network
interface.
HTTP Enable to allow HTTP connections to the web-based manager,
webmail, and per-recipient quarantine through this network
interface.
For information on using the advanced mode of the web-based
manager to redirect HTTP requests for webmail and per-
recipient quarantines to HTTPS, see “Spam Report” on
page 376.
Caution: HTTP connections are not secure, and can be
intercepted by a third party. If possible, enable this option only
for network interfaces connected to a trusted private network,
or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise
the security of your FortiMail unit.
SSH Enable to allow SSH connections to the CLI through this
network interface.
SNMP Enable to allow SNMP connections to this network interface.


TELNET Enable to allow Telnet connections to the CLI through this
network interface.
Caution: Telnet connections are not secure, and can be
intercepted by a third party. If possible, enable this option only
for network interfaces connected to a trusted private network,
or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise
the security of your FortiMail unit.
MTU
Override default MTU value (1500): Select to change the maximum transmission
unit (MTU) value, then enter the maximum packet or Ethernet frame size in
bytes.
If network devices between the FortiMail unit and its traffic
destinations require smaller or larger units of traffic, packets
may require additional processing at each node in the network
to fragment or defragment the units, resulting in reduced
network performance. Adjusting the MTU to match your
network can improve network performance.
The default value is 1500 bytes. The MTU size must be
between 576 and 1500 bytes.

4 Select OK.

DNS
The DNS tab enables you to configure the DNS servers that the FortiMail unit will
query to resolve domain names into IP addresses.
FortiMail units require DNS servers for features such as reverse DNS lookups and
other aspects of email processing. Your ISP may supply IP addresses of DNS
servers, or you may want to use the IP addresses of your own DNS servers.

Note: For improved FortiMail unit performance, use DNS servers on your local network.

Caution: If the FortiMail unit is operating in gateway mode, you must configure the MX
record of the DNS server for each protected domain to direct all email to this FortiMail unit
instead of the protected SMTP servers. Failure to update the records of your DNS server
may enable email to circumvent the FortiMail unit.

To configure the primary and secondary DNS servers, go to Settings >
Network > DNS.

Figure 21: Network Setting (DNS)

Primary DNS Server Enter the IP address of the primary DNS server.
Secondary DNS Server Enter the IP address of the secondary DNS server.
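The caution above on MX records is easy to get only half right: the preferred MX may point at the FortiMail unit while a backup MX still names the protected SMTP server, and email sent to that backup exchanger circumvents the unit. The following is an added example, not FortiMail code, that classifies each protected domain’s MX set. The MX answers and the FortiMail host names are constructed sample data; in practice you would substitute the records returned by your DNS server, and you could compare on IP address rather than host name if that suits your environment.

```python
# Constructed sample MX answers, as a DNS query might return them (not real data).
# Each entry is (preference, exchange host); lower preference is tried first.
SAMPLE_MX = {
    "example.com": [(10, "fortimail.example.com."), (20, "fortimail2.example.com.")],
    "example.net": [(10, "mail.example.net.")],
    "example.org": [(10, "fortimail.example.com."), (20, "mail.example.org.")],
    "example.edu": [],
}

# Host names of the FortiMail units that should front every protected domain
# (constructed for this example).
FORTIMAIL_HOSTS = {"fortimail.example.com", "fortimail2.example.com"}


def normalize(host: str) -> str:
    """DNS names are case-insensitive and are usually returned with a trailing dot."""
    return host.rstrip(".").lower()


def audit_mx(mx_records, fortimail_hosts) -> str:
    """Classify one protected domain's MX set.

    ok               every exchanger is a FortiMail unit
    no-mx            no MX record at all (nothing routes inbound email, or the
                     query failed), which needs investigating
    not-protected    the preferred exchanger is the protected SMTP server itself
    bypass-possible  the preferred MX is a FortiMail unit, but a lower-priority
                     MX is not; a sender may try the backup exchanger, so email
                     can still reach the server without passing the unit
    """
    exchangers = [normalize(host) for _, host in sorted(mx_records)]
    if not exchangers:
        return "no-mx"
    fronted = [host in fortimail_hosts for host in exchangers]
    if all(fronted):
        return "ok"
    if fronted[0]:
        return "bypass-possible"
    return "not-protected"


def audit_all(mx_by_domain, fortimail_hosts) -> dict:
    """Run audit_mx over every protected domain; anything but 'ok' needs attention."""
    return {domain: audit_mx(records, fortimail_hosts)
            for domain, records in mx_by_domain.items()}


if __name__ == "__main__":
    for domain, verdict in audit_all(SAMPLE_MX, FORTIMAIL_HOSTS).items():
        print(f"{domain:12s} {verdict}")
```

Treating a non-FortiMail backup MX as a finding in its own right is the point of the check: the guide's requirement is that all email for the protected domain be directed to the unit, not only the email that happens to use the preferred exchanger.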


Routing
The Routing tab displays a list of routes and enables you to configure static routes
and gateways used by the FortiMail unit.
To configure routes, go to Settings > Network > Routing.

Figure 22: Routing


Destination IP The destination network IP address of traffic that will be routed. 0.0.0.0
indicates any IP address.
Mask The netmask for the route.
Gateway The IP address of the route’s gateway.
Modify Select Delete to remove the route.
Select Edit to modify the route.
Create New Select to create a new static route.

To create a new route


1 Go to Settings > Network > Routing.
2 Select Create New.
3 Configure the following:

Figure 23: Edit Routing Entry

Destination IP Enter the destination IP address for this route.


To create a default route, set the Destination IP to 0.0.0.0.
Mask Enter the netmask for this route.
To create a default route, set the mask to 0.0.0.0.
Gateway Enter the IP address of the next hop router to which this route directs
traffic. For an Internet connection, the next hop routing gateway routes
traffic to the Internet.

4 Select OK.

Domains
The Domains menu enables you to create protected domains to define the SMTP
servers that the FortiMail unit protects. Usually, you will configure at least one
protected domain during installation, but you may also add more protected
domains or modify the settings of existing protected domains.
The Domains menu includes the following tabs:


• Domains
• Local Host

Domains
The Domains tab displays the list of protected domains.
Protected domains define the connections and email messages for which the
FortiMail unit can perform protective email processing by describing both:
• the IP address of an SMTP server
• the domain name portion (the portion which follows the “@” symbol) of
recipient email addresses in the envelope
both of which the FortiMail unit compares to connections and email messages
when looking for traffic that involves the protected domain.

Note: For FortiMail units operating in server mode, protected domains list only the domain
name, not the IP address: the IP address of the SMTP server is the IP address of the
FortiMail unit itself.

Aside from defining the domain, protected domains also contain some settings
that apply specifically to all email destined for that domain, such as mail routing
and disclaimer messages.
Many FortiMail features require that you configure a protected domain. For
example, when applying recipient-based policies for email messages incoming to
the protected domain, the FortiMail unit will compare the domain name of the
protected domain to the domain name portion of the recipient email addresses.
When FortiMail units operating in transparent mode are proxying email
connections for a protected domain, the FortiMail unit will pass, drop or intercept
connections destined for the IP address of an SMTP server associated with the
protected domain, and can use the domain name of the protected domain during
the SMTP greeting.

Note: For more information on how the domain name and mail exchanger (MX) IP address
of protected domains are used, see “Incoming vs. outgoing SMTP connections” on
page 214 and “Incoming vs. outgoing recipient-based policies” on page 355.

Usually, you have already configured at least one protected domain during
installation of your FortiMail unit. However, you can add more domains or modify
the settings of existing ones if necessary. For more information, see “Creating a
protected domain” on page 68.
To view the list of protected domains, go to Settings > Domains > Domains.

Figure 24: Domain list (transparent mode and gateway mode)


Figure 25: Domain list (server mode)


Domain
    The fully qualified domain name (FQDN) of the protected domain.
    If the protected domain is a subdomain or domain association, select the
    “+” next to a domain entry to expand the list of subdomains and domain
    associations. To collapse the entry, select “-”.
Use MX (transparent mode and gateway mode only)
    Indicates whether the IP address and the port number of the protected
    email server is manually defined in the FortiMail unit’s configuration
    file, or if you have enabled the FortiMail unit to query the DNS server’s
    MX record to ascertain that information for this domain name.
    • Green check mark: Indicates that Use MX Record is enabled.
    • Red X icon: Indicates that Use MX Record is disabled.
    For more information, see “Use MX Record” on page 70.
SMTP Server (transparent mode and gateway mode only)
    The host name or IP address and port number of the mail exchanger (MX)
    for this protected domain.
    If Use MX contains a green check mark, this information is determined
    dynamically by querying the MX record of the DNS server, and this field
    will be empty.
Sub (transparent mode and gateway mode only)
    A green check indicates that the entry is a subdomain of a protected
    domain.
Association (transparent mode and gateway mode only)
    A green check indicates that the entry is a domain association. For more
    information on domain associations, see “Configuring Domain Associations”
    on page 70.
Modify
    Delete icon: Select to remove the protected domain and all associated
    email user accounts and preferences.
    Edit icon: Select to modify the protected domain. For more information,
    see “Creating a protected domain” on page 68. This option is not available
    for domain associations, as they use the settings of the protected domain
    with which they are associated.
Create New
    Select to create a new protected domain, subdomain, or domain association.
    For more information, see “Creating a protected domain” on page 68.

Creating a protected domain

You can configure the FortiMail unit to protect multiple SMTP servers by creating
additional protected domains.


Available options vary slightly by whether you are creating or modifying an
existing protected domain. For example, when editing an existing protected
domain, you cannot change the domain name, but you can configure the DKIM
selector feature for sender validation, which is not available when initially creating
the protected domain. If you want to configure an option that is not available when
initially creating a protected domain, create the protected domain, save it, and
then edit the protected domain.
Available options also vary slightly by whether the FortiMail unit is operating in
gateway mode, transparent mode, or server mode.
If the FortiMail unit is operating in gateway mode, you must change the MX entries
for the DNS records for your email domain, referring email to the FortiMail unit
rather than your email servers. For more information, see the FortiMail Installation
Guide. If you create additional protected domains, you must modify the MX
records for each additional email domain.

To configure a protected domain

1 Go to Mail Settings > Domains > Domains.
2 Select either Create New to create a new protected domain, or, in the row
corresponding to a protected domain that you want to modify, select Edit.
3 Configure the following:

Figure 26: Creating a protected domain (gateway mode and transparent mode)

Figure 27: Creating a protected domain (server mode)

Domain FQDN
    Enter the fully qualified domain name (FQDN) of the protected domain.
    For example, if you want to protect email user accounts such as
    user1@example.com, you would enter the protected domain name
    example.com.


Use MX Record (transparent mode and gateway mode only)
    Select to enable the FortiMail unit to query the DNS server’s MX record
    for the FQDN or IP address of the SMTP server for this domain name,
    instead of manually defining the SMTP server in the fields SMTP Server
    and Fallback MX Host.
    Note: If the FortiMail unit is operating in gateway mode and you enable
    this option, you usually should also configure the FortiMail unit to use
    a private DNS server. On the private DNS server, configure the MX record
    with the FQDN of the SMTP server that you are protecting for this domain,
    causing the FortiMail unit to route email to the protected SMTP server.
    This is different from how a public DNS server should be configured for
    that domain name, where the MX record usually should contain the FQDN of
    the FortiMail unit itself, causing external SMTP servers to route email
    through the FortiMail unit.
    If the FortiMail unit is operating in transparent mode and you enable
    this option, a private DNS server is not required.
SMTP Server (transparent mode and gateway mode only)
    Enter the host name or IP address of the primary SMTP server for this
    protected domain, then also configure Use smtps and Port.
Port (transparent mode and gateway mode only)
    Enter the port number on which the SMTP server listens.
    If you enable Use smtps, Port automatically changes to the default port
    number for SMTPS, but can still be customized.
    The default SMTP port number is 25; the default SMTPS port number is 465.
Use smtps (transparent mode and gateway mode only)
    Select to enable SMTPS for connections originating from or destined for
    this protected domain.
Fallback MX Host (transparent mode and gateway mode only)
    Enter the host name or IP address of the secondary SMTP server for this
    protected domain, then also configure Use smtps and Port. This SMTP
    server will be used if the primary SMTP server is unreachable.
Port (transparent mode and gateway mode only)
    Enter the port number on which the failover SMTP server listens.
    If you enable Use smtps, Port automatically changes to the default port
    number for SMTPS, but can still be customized.
    The default SMTP port number is 25; the default SMTPS port number is 465.
Use smtps (transparent mode and gateway mode only)
    Select to enable SMTPS for connections originating from or destined for
    this protected domain.
Domain Associations (transparent mode and gateway mode only)
    Select to expand and configure domain associations.
    Associated domains use the settings of the protected domain with which
    they are associated, and do not have separate protected domain settings
    of their own. For more information, see “Domain Associations” on
    page 191.

4 Select OK.

Configuring Domain Associations

The Domain Associations section that appears when configuring a protected
domain enables you to configure associated domains. Associated domains use
the settings of the protected domains or subdomains with which they are
associated.


Domain associations can be useful for saving time when you have multiple
domains for which you would otherwise need to configure protected domains with
identical settings.
For example, if you have one SMTP server handling email for ten domains, you
could create ten separate protected domains, and configure each with identical
settings. Alternatively, you could create one protected domain, listing the nine
remaining domains as domain associations. The advantage of using the second
method is that you do not have to repeatedly configure the same things when
creating or modifying the protected domains, saving time and reducing chances
for error. Changes to one protected domain automatically apply to all of its
associated domains.
The maximum number of domain associations that you can create is separate
from the maximum number of protected domains. For more information, see the
Fortinet Knowledge Center article FortiMail v3.0 MR4 Maximum Values Matrix.

To configure domain associations

1 Go to Settings > Domains > Domains.
2 Select either Create New to create a new protected domain, or Edit to modify an
existing protected domain.
3 Select the blue arrow to expand Domain Associations.

Note: Domain Associations options do not appear if the FortiMail unit is operating in server
mode.

4 Configure the following:

Figure 28: Domain Associations

Members
    The list of domain names that are associated with this protected domain.
    Associated domains use the settings of the protected domain with which
    they are associated (with the sole exception of their domain name), and
    do not have protected domain settings of their own.
Remove Selected
    Select one or more domain names, then select Remove Selected to remove
    them from the Members area.
Add
    Enter a fully qualified domain name (FQDN) that you want to use the same
    settings as this protected domain, then select Add to add the domain
    name to the Members area.

5 Select OK.

Local Host
The Local Host tab enables you to configure the SMTP server settings of the
“system” domain, which is located on the local host (that is, your FortiMail unit).


You usually should configure the FortiMail unit with a local domain name that is
different from that of protected domains, such as mail.example.com for the
FortiMail unit and server.mail.example.com for the protected mail server. The local
domain name of the FortiMail unit will be used in many FortiMail features such as
email quarantine, Bayesian database training, spam report, and delivery status
notification (DSN) email messages, and if the FortiMail unit uses the same domain
name as your mail server, it may become difficult to distinguish email messages
that originate from the FortiMail unit.
To configure local SMTP server settings, go to Settings > Domains > Local Host.

Figure 29: Local Host Setting (transparent mode and gateway mode)

Figure 30: Local Host Setting (server mode)


Local Host
Host Name
    Enter the host name of the FortiMail unit.
    You should use a different host name for each FortiMail unit, especially
    when you are managing multiple FortiMail units of the same model, or when
    configuring a FortiMail high availability (HA) cluster. This will enable
    you to distinguish between different members of the cluster. If the
    FortiMail unit is in HA mode:
    • When you connect to the web-based manager, your web browser will
    display the host name of that cluster member in its status bar.
    • The FortiMail unit will add the host name to the subject line of alert
    email messages.
Local Domain Name
    Enter the local domain name of the FortiMail unit itself. The FortiMail
    unit’s fully qualified domain name (FQDN) is in the format
    <Host Name>.<Local Domain Name>.
    Note: The Local Domain Name can be a subdomain of an internal domain if
    the MX record for the domain on the DNS server can direct the mail
    destined for this subdomain to the intended FortiMail unit.
SMTP Server Port Number
    Enter the port number on which the FortiMail unit’s SMTP server will
    listen for SMTP connections. The default port number is 25.
SMTP over SSL/TLS
    Enable to allow SSL- and TLS-secured connections from servers and clients
    requesting SSL/TLS.
    When disabled, SMTP connections with the FortiMail unit’s SMTP server
    will occur as clear text, unencrypted.
    This option must be enabled to use SMTPS.
SMTPS Server Port Number
    Enter the port number on which the FortiMail unit’s SMTP server listens
    for secure SMTP connections. The default port number is 465.
    This option is unavailable if SMTP over SSL/TLS is disabled.
POP3 Server Port Number
    Enter the port number on which the FortiMail unit’s POP3 server will
    listen for POP3 connections. The default port number is 110.
    This option is available only if the FortiMail unit is operating in
    server mode.
Relay Server
Relay Server Name
    Enter the domain name of an SMTP relay server, if any. This is typically
    provided by your ISP.
Relay Server Port
    Enter the port number on which the SMTP relay server listens. This is
    typically provided by your ISP.
Authentication Required
    If the relay server requires authentication, enable this option, then
    select the blue arrow to expand and configure User Name, Password, and
    Auth Type. Available authentication types include:
    • AUTO
    • PLAIN
    • LOGIN
    • DIGEST-MD5
    • CRAM-MD5


User (server mode)

The User menu enables you to configure email user accounts and email address
aliases for the protected domains that are hosted on the FortiMail unit.

Note: This menu option appears only when the FortiMail unit is operating in server mode.

The User menu includes the following tabs:

• User
• User Alias

User
The User tab enables you to configure email user accounts for the protected
domains that are hosted on the FortiMail unit.

Note: This option appears only if the FortiMail unit is operating in server mode.

Email users can check their email using webmail or through an email client such
as Microsoft Outlook, using POP3 or IMAP. For information on webmail and other
features used directly by email users, see “Instructions for email users” on
page 531.
Some antispam behaviors can be configured specifically for each email user
account using the advanced mode of the web-based manager. For example, each
email user can train their own per-user Bayesian database and create white lists
and black lists specific to their email user account. For information on configuring
per-user white lists and black lists, see “User Preferences” on page 224. For
information on per-user Bayesian databases, see “User” on page 389.
To view the list of email user accounts, go to Settings > User > User.

Figure 31: User


Show Users of Domain
    Select the protected domain to display its email users, or to select the
    protected domain to which you want to add an email user account before
    selecting Create New.
Export .CSV
    Select to download a backup of the email users list in comma-separated
    value (CSV) file format. For more information, see “To export the email
    user list” on page 76.
Import .CSV
    In the field to the right side of Import .CSV, enter the location of a
    CSV-formatted email user backup file, then select Import .CSV to upload
    the file to your FortiMail unit. For more information, see “To import an
    email user list” on page 76.
Browse
    Select to locate an email user list backup file before selecting
    Import .CSV.
ALL, 0-9, A ... Z
    Select a letter or number to display email users whose user names begin
    with that character. Alternatively, select ALL to display a list
    containing all email users.
View n lines each page
    Select the number of lines to display per page.
Go to line
    Enter the index number of the line you want to display, then select Go.
Delete Selected Users
    To delete all email user accounts, in the checkbox column, mark the
    checkbox in the column heading to select all email users, then select
    Delete Selected Users.
    To delete individual email user accounts, in the checkbox column, mark
    checkboxes in the rows of email users that you want to delete, then
    select Delete Selected Users.
Reassign a new password to the selected users
    To change the password of all email user accounts, in the checkbox
    column, mark the checkbox in the column heading to select all email
    users, then select Reassign a new password to the selected users.
    To change the password of individual email user accounts, in the
    checkbox column, mark checkboxes in the rows of email users for which
    you want to change the password, then select Reassign a new password to
    the selected users.
#
    The index number of each email user in the list.
Check box
    Select the checkbox in the column heading to mark the checkboxes of all
    email users.
    Select the checkboxes in the rows of individual email users to select
    only those email users.
User Name
    The user name of an email user, such as “user1”. This is also the user
    name portion of the email user’s primary email address.
    To alphabetically sort the list of email users by user name, select the
    arrow icon in the column heading for this column.
Display Name
    The display name of an email user, such as “J Smith”. This name appears
    in the “From:” field in the message headers of email messages sent from
    this email user.
Disk Usage (M)
    The disk space used by mailboxes for the email user, in megabytes.
Modify
    Select Delete to remove the email user account.
    Select Edit to modify the email user account.
    Select Maintenance to view or delete the list of mailboxes for that email
    user. For more information, see “Managing the disk usage of email users’
    mailboxes” on page 78.
Create New
    Select to create a new email user account. For more information, see
    “Creating an email user account” on page 77.


To export the email user list

1 Go to Settings > User > User.
2 Select Export .CSV.
3 If your browser prompts you for a location to save the file, select a folder.
A backup file containing all protected domains’ list of email user accounts in
comma-separated value (CSV) file format is downloaded to your management
computer.

To import an email user list

Note: Before importing a user list or adding an email user, you must first configure one or
more protected domains to which the email users will belong. For more information, see
“Domains” on page 66.

1 Go to Settings > User > User.
2 Select Browse to locate the email user list backup file that you want to import.
The file must be in comma-separated value (CSV) file format, and contain fields
required by email user accounts. For reference, export an email user list and
compare the file that you want to import with the structure of the exported file.
3 Select Import .CSV.
The FortiMail unit imports the file.

To delete multiple email user accounts

Caution: Before beginning this procedure, back up the list of email user accounts. This
procedure permanently deletes one or more email user accounts, which cannot be undone.
For more information on backing up email user account data, see “To export the email user
list” on page 76.

1 Go to Settings > User > User.
2 From Show Users Of Domain, select the name of the protected domain from
which you want to remove email user accounts.
3 To delete all email user accounts for the protected domain, mark the checkbox
located in the checkbox column heading.
To delete individual email user accounts, in the checkbox column, mark the
checkboxes of each email user account that you want to remove.
4 Select Delete Selected Users.
A confirmation dialog appears.
5 Select OK.

To change the password of multiple email user accounts

Caution: This procedure sets the same password for one or more email user accounts,
which can result in reduced security of the email users’ accounts. To reduce risk, set a
strong password and notify each email user whose password has been reset to configure a
unique, strong password as soon as possible.

1 Go to Settings > User > User.


2 From Show Users Of Domain, select the name of the protected domain in which
you want to change email user account passwords.
3 To change the passwords of all email user accounts for the protected domain,
mark the checkbox located in the checkbox column heading.
To change the passwords of individual email user accounts, in the checkbox
column, mark the checkboxes of each email user account whose password you
want to change.
4 Select Reassign a new password to the selected users.
5 Select either:
• Password, then enter the password for this email account, or
• LDAP, then select the name of an LDAP profile in which you have enabled and
configured the User Auth Options query, which enables the FortiMail unit to
query the LDAP server to authenticate the email user.

Note: You can create LDAP profiles using the advanced mode of the web-based manager.
For more information, see “Creating LDAP profiles” on page 321.

6 Select OK.

Creating an email user account

You can create email user accounts for each protected domain on the FortiMail
unit.

Note: Before importing a user list or adding an email user, you must first configure one or
more protected domains to which the email users will belong. For more information, see
“Domains” on page 66.

To add an email user

1 Go to Settings > User > User.
2 From Show Users Of Domain, select the name of the protected domain to which
you want to add an email user.
3 Select Create New.
A dialog appears.

Figure 32: New User

4 In User Name, enter the user name portion of the email address that will be locally
deliverable on the FortiMail unit.
For example, an email user may have numerous aliases, mail routing, and other
email addresses on other systems in your network, such as
accounting@example.com; this user name, however, reflects the email user’s
account on this FortiMail unit, such as jsmith.


5 Select either:
• Password, then enter the password for this email account, or
• LDAP, then select the name of an LDAP profile in which you have enabled and
configured the User Auth Options query, which enables the FortiMail unit to
query the LDAP server to authenticate the email user.

Note: The LDAP option requires that you first create an LDAP profile in which you have
enabled and configured User Auth Options using the advanced mode of the web-based
manager. For more information, see “Creating LDAP profiles” on page 321.

6 In Display Name, enter the name of the user as it should appear in the message
envelope.
For example, an email user whose email address is user1@example.com may
prefer that their Display Name be “J Smith”.
7 Select OK.

Managing the disk usage of email users’ mailboxes

Especially if your email users often send or receive large attachments, email
users’ mailboxes may rapidly consume the hard disk space of the FortiMail unit.
You can manage the disk usage of email users’ mailboxes by monitoring the size
of the folders, and optionally deleting their contents.
For example, if each email user has a mailbox folder named “Spam” that receives
tagged spam, you might want to periodically empty the contents of these folders to
reclaim hard disk space.

Figure 33: Viewing an email user’s mailbox folder disk usage


Folder Name
    The name of the email user’s mailbox folder, such as Sent.
Disk Usage (Byte)
    The amount of hard disk space used by the mailbox folder.
Folder Action
    Select Clear Folder to empty the contents of the email folder.

To empty a mailbox folder

1 Go to Settings > User > User.
2 In the Modify column for the email user whose mailbox folders you want to
manage, select Maintenance.
A list of mailbox folder names with their hard disk usages appears.
3 In the row corresponding to the mailbox folder that you want to empty, such as
Trash, select Clear Folder.
A confirmation dialog appears.
4 Select OK.


User Alias
The User Alias tab enables you to configure email address aliases for the
protected domains that are hosted on the FortiMail unit when the FortiMail unit is
operating in server mode.
Aliases are sometimes also called distribution lists, and may translate one email
address to the email addresses of several recipients, also called members, or
may be simply a literal alias — that is, an alternative email address that resolves
to the real email address of a single email user.
For example, groupa@example.com might be an alias that the FortiMail unit will
expand to user1@example.com and user2@example.com, having the effect of
distributing an email message to all email addresses that are members of that
alias, while john.smith@example.com might be an alias that the FortiMail unit
translates to j.smith@example.com. In both cases, the FortiMail unit converts the
alias in the recipient fields of incoming email messages into the member email
addresses of the alias, each of which are the email address of an email user that
is locally deliverable on the SMTP server or FortiMail unit.

Note: Members of an alias can include the email address of the alias itself.

To view the user alias list, go to Settings > User Alias > User Alias.

Figure 34: User Alias


Select a domain
    Select the name of a protected domain to view email address aliases for
    that protected domain.
Alias Name
    The email address of the alias, such as groupa@example.com.
Members
    The email addresses to which the alias will translate, which may be the
    email addresses of one or more local or non-local email users. Multiple
    email addresses are comma-delimited.
Modify
    Select Delete to remove the alias.
    Select Edit to modify the alias.
Create New
    Select to add an alias. For more information, see “Creating an email
    address alias” on page 79.

Creating an email address alias

You can add email address aliases for each protected domain.
Aliases can contain local email addresses, non-local email addresses, or
both as members of the alias. For example, if the local protected domain is
mail.example.com, you could create an email address alias whose members are:
• user1@mail.example.com, which is locally deliverable to the protected domain


• user1@smtp.example.com, which is not locally deliverable to the protected
domain

To add an email address alias

1 Go to Settings > User > User Alias.
2 From Select a domain, select the name of the protected domain for which you
want to create an email address alias.
3 Select Create New.
A dialog appears.

Figure 35: New User Alias

4 From Show Users of Domain, select the name of a protected domain to display
the email addresses of users from a specific protected domain, or select “all” to
display the email addresses of all email users in all protected domains.
The email addresses of email users from the selected protected domain appear in
the Available Local Users area.
5 In Alias Name, enter the user name portion of the email address alias.
For example, for the alias group1@example.com, you would enter group1.
6 Select the members of the alias.
• To add local email addresses as members to the alias, in the Available Local
Users area, select one or more email addresses, then select the right arrow.
The email addresses are removed from the Available Local Users area, and
appear in the Members area.
• To add non-local email addresses as members to the alias, in the External
Email Address field, enter the email address, then select the right arrow next to
the field. The email address appears in the Members area.
• To remove members from the alias, in the Members area, select one or more
email addresses, then select the left arrow. The email addresses are removed
from the Members area; local email addresses return to the Available Local
Users area.
7 Select OK.


AntiSpam
After you have integrated the FortiMail unit into your network by configuring the
network interfaces and protected domains, you can configure the antispam and
antivirus features of the FortiMail unit to protect your SMTP servers and email
users. The AntiSpam menu enables you to customize these features.
Antispam and antivirus settings can be configured separately for incoming and
outgoing email messages. For definitions of incoming and outgoing, see
“Incoming vs. outgoing email” on page 81.

Note: The Antispam menu of the basic mode of the web-based manager presents
simplified controls for typical antispam and antivirus configurations. If you need to achieve a
more sophisticated configuration, additional settings are available in profiles and recipient-
based and IP-based policies in the advanced mode of the web-based manager. For more
information, see “Profile” on page 241 and “Policy” on page 355.

The AntiSpam menu contains the following tabs:

• Incoming
• Incoming Action
• Outgoing
• Outgoing Action

Incoming vs. outgoing email

Incoming email messages consist of messages sent to the SMTP servers that are
protected domains of the FortiMail unit. For example, if the FortiMail unit is
configured to protect the SMTP server whose domain name is example.com, the
FortiMail unit treats all email messages sent to example.com as incoming email.
For information about configuring protected domains, see “Domains” on page 66.
Outgoing email messages consist of messages sent to recipients on domains that
the FortiMail unit has not been configured to protect. For example, if the FortiMail
unit is not configured to protect the domain example.com, all email messages sent
to recipients at example.com will be treated as outgoing email, regardless of their
origin.
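The following Python sketch is an added illustration, not FortiMail code. It models the two definitions above, plus the alias expansion described under “User Alias”, on constructed sample data: a recipient is incoming only when the domain portion of its envelope address matches a protected domain or one of that domain’s associations, and aliases are expanded only for incoming mail. How a self-referencing alias member is resolved is an assumption of the model, not something the guide specifies.

```python
"""Added example (not FortiMail code): models how this guide describes the
incoming/outgoing classification of envelope recipients and the expansion of
server-mode email address aliases.  All domains, addresses and alias tables
below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class ProtectedDomain:
    """A protected domain plus the domain associations that share its settings."""
    name: str
    associations: set = field(default_factory=set)


def domain_part(address: str) -> str:
    """Return the part of an email address after '@', lower-cased."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def find_protected(domains, address):
    """Return the ProtectedDomain whose name or association matches the
    recipient's domain portion, or None when the recipient is not protected."""
    wanted = domain_part(address)
    for pd in domains:
        if wanted == pd.name.lower() or wanted in {a.lower() for a in pd.associations}:
            return pd
    return None


def classify(domains, rcpt):
    """'incoming' when the envelope recipient is at a protected domain (directly
    or through a domain association), otherwise 'outgoing'.  The sender plays
    no part, exactly as the guide defines the two terms."""
    return "incoming" if find_protected(domains, rcpt) else "outgoing"


def expand_alias(aliases, address, _seen=None):
    """Expand an address through the alias table (keys in lower case) into the
    set of final recipient addresses.  The guide notes that an alias may list
    itself as a member; here (assumption) such a self-reference, or any longer
    loop, yields the alias address itself as a literal mailbox instead of
    recursing without end."""
    key = address.lower()
    seen = _seen if _seen is not None else set()
    if key not in aliases:
        return {key}            # ordinary address: deliver as-is
    if key in seen:
        return {key}            # self-reference or loop: treat as a mailbox
    seen.add(key)
    recipients = set()
    for member in aliases[key]:
        recipients |= expand_alias(aliases, member, seen)
    return recipients


def deliver(domains, aliases, rcpt):
    """Route one envelope recipient the way the guide describes: aliases are
    expanded only for incoming mail, and each resulting member is classified
    again, so non-local members leave the unit as outgoing mail."""
    if classify(domains, rcpt) == "outgoing":
        return {rcpt.lower(): "outgoing"}
    return {m: classify(domains, m) for m in expand_alias(aliases, rcpt)}


# Constructed sample configuration in the spirit of the guide's examples.
PROTECTED = [
    ProtectedDomain("example.com", associations={"example.net"}),
    ProtectedDomain("mail.example.com"),
]
ALIASES = {  # alias address (lower case) -> member addresses
    "groupa@example.com": ["user1@example.com", "user2@example.com",
                           "partner@external.test"],
    "john.smith@example.com": ["j.smith@example.com"],
    "staff@example.com": ["staff@example.com", "groupa@example.com"],
}

if __name__ == "__main__":
    for rcpt in ("user1@example.com", "sales@example.net", "bob@elsewhere.test"):
        print(f"{rcpt:24} -> {classify(PROTECTED, rcpt)}")
    for rcpt in ("groupa@example.com", "staff@example.com", "groupa@elsewhere.test"):
        print(f"{rcpt:24} -> {deliver(PROTECTED, ALIASES, rcpt)}")
```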

Incoming
The Incoming tab displays the antispam and antivirus settings for each protected
domain, and enables you to customize these default settings.
To view the incoming antispam and antivirus settings, go to Settings >
AntiSpam > Incoming.

Figure 36: Incoming AntiSpam and AntiVirus Settings


#
    The index number of the row.
Domain
    The name of the protected domain.


AntiSpam
    The current antispam settings level, such as Medium.
    This setting will be “Advanced” if:
    • you have created the protected domain, but have not yet selected an
    antispam level, and the FortiMail unit is currently using default
    antispam settings, or
    • you have used the advanced mode of the web-based manager to configure
    the FortiMail unit to use profiles other than those such as
    antispam_basic_predefined_high, which correspond to the antispam levels
    in the basic mode of the web-based manager.
AntiVirus
    The current antivirus settings level.
    • Green checkmark icon: Indicates that antivirus processing is enabled.
    • Red X icon: Indicates that antivirus processing is disabled.
    This setting will be “Advanced” if:
    • you have created the protected domain, but have not yet selected to
    enable or disable antivirus processing, and the FortiMail unit is
    currently using default antivirus settings, or
    • you have used the advanced mode of the web-based manager to configure
    the FortiMail unit to use profiles other than those such as
    antivirus_basic_predefined_enable, which correspond to the antivirus
    setting in the basic mode of the web-based manager.
(No column heading.)
    Select Edit to modify the antispam and antivirus settings for incoming
    email messages.

To edit incoming antispam and antivirus settings


1 Go to Settings > AntiSpam > Incoming.
2 In the row corresponding to the protected domain whose antispam and antivirus
settings you want to modify, select Edit.
3 Configure the following:

Figure 37: Editing Incoming AntiSpam and AntiVirus Settings

AntiSpam Level  Select one of the following:
• Off: No antispam scanning.
• Low: Good spam detection rate.
• Medium: Better spam detection rate with a small impact on system
performance.
• High: Best spam detection rate with an additional impact on system
performance.
AntiVirus Status  Select whether to enable or disable antivirus scanning.

4 Select OK.


Incoming Action
The Incoming Action tab enables you to select which action the FortiMail unit will
take against spam and virus-infected incoming email.

To configure the actions


1 Go to Settings > AntiSpam > Incoming Action.
2 Configure the following:

Figure 38: Incoming AntiSpam and AntiVirus Actions

AntiSpam Action

Tag Email in subject line  Enable and enter the text that will appear in the
subject line of the email, such as “[SPAM]”. The FortiMail unit will add this
text to the subject line of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes,
including a spam mailbox, based on text appearing in various parts of email
messages, including the subject line. For details, see the documentation for
your email client.
Tag Email with Header  Enable and enter the message header text. The FortiMail
unit will add this text to the message header of spam before forwarding it to
the recipient.
Many email clients can sort incoming email messages into separate mailboxes,
including a spam mailbox, based on text appearing in various parts of email
messages, including the message header. For details, see the documentation for
your email client.
Message header lines are composed of two parts: a key and a value, which are
separated by a colon. For example, you might enter:
X-Custom-Header: Detected as spam by profile 22.
If you enter a header line that does not include a colon, the FortiMail unit
will automatically append a colon, causing the entire text that you enter to
be the key.
Note: Do not enter spaces in the key portion of the header line, as these are
forbidden by RFC 2822.
Reject  Enable to reject spam and send reject responses to the sender.

FortiMail™ Secure Messaging Platform Version 3.0 MR4 Administration Guide


06-30004-0154-20080904 83
Settings Basic mode

Discard  Enable to discard spam without sending reject responses to the
sender.
Quarantine  Enable to redirect spam to the per-recipient quarantine. For more
information, see “Recipients” on page 49.
• Delete Messages: Enter the number of days you want to keep the quarantined
email. Enter a small enough value that will prevent the size of the
quarantine from exceeding the available disk space. If you enter 0 to
prevent automatic deletion of quarantined files, you must periodically
manually remove old files.
Allow users to automatically update personal White list from sent emails
Enable to add the recipient email addresses from an email user’s outgoing
email to their personal white list.
This option applies only if it is also enabled in the email user’s
preferences, which can be configured from both the Preferences tab of
FortiMail webmail and from the advanced mode of the web-based manager. For
more information, see “User Preferences” on page 224.
This setting can be initialized manually or automatically. FortiMail
administrators can manually create and configure this setting when
configuring email user preferences using the advanced mode of the web-based
manager. If the setting has not yet been created when either:
• an email user logs in to FortiMail webmail
• an email user sends outgoing email through the FortiMail unit
• a FortiMail administrator configures the email user’s personal black or
white list using the advanced mode of the web-based manager (see “Personal
black/white list” on page 404)
then the FortiMail unit will automatically initialize this setting.
The value that the FortiMail unit assigns to this setting when automatically
initializing it is either:
• if there is a policy corresponding to this email user, the value
duplicated from the equivalent setting located in the profile selected
within that policy
• if there is no policy corresponding to this email user, disabled

AntiVirus Action

Replace Virus Body  Enable to exchange infected attachments for a replacement
message that explains that the attachment was infected with a virus, and was
therefore removed. This replacement message can be customized using the
advanced mode of the web-based manager. For more information, see “Custom
Messages” on page 173.
This option is always enabled.
Reject  Enable to reject infected email and send reject responses to the
sender.
Discard  Enable to discard infected email and send reject responses to the
sender.

3 Select Apply.

Outgoing
After you have created a protected domain, the FortiMail unit will apply default
outgoing antispam and antivirus settings to the protected domain. The Outgoing
tab enables you to customize these default settings.


To view the outgoing antispam and antivirus settings, go to Settings >
AntiSpam > Outgoing.

Figure 39: Outgoing AntiSpam and AntiVirus Settings

AntiSpam  The current antispam settings level, such as Medium.
This setting will be “Advanced” if:
• you have created the protected domain, but have not yet selected an
antispam level, and the FortiMail unit is currently using default
antispam settings, or
• you have used the advanced mode of the web-based manager to configure
the FortiMail unit to use profiles other than those such as
antispam_out_basic_predefined_medium, which correspond to the antispam
levels in the basic mode of the web-based manager
AntiVirus  The current antivirus settings level.
• Green checkmark icon: Indicates that antivirus processing is enabled.
• Red X icon: Indicates that antivirus processing is disabled.
This setting will be “Advanced” if:
• you have created the protected domain, but have not yet selected to
enable or disable antivirus processing, and the FortiMail unit is
currently using default antivirus settings, or
• you have used the advanced mode of the web-based manager to configure
the FortiMail unit to use profiles other than those such as
antivirus_basic_predefined_enable, which correspond to the antivirus
setting in the basic mode of the web-based manager
(No column heading.)  Select Edit to modify the antispam and antivirus
settings for outgoing email messages.

To edit outgoing antispam and antivirus settings


1 Go to Settings > AntiSpam > Outgoing.
2 In the row corresponding to the protected domain whose antispam and antivirus
settings you want to modify, select Edit.
3 Configure the following:

Figure 40: Editing Outgoing AntiSpam and AntiVirus Settings


AntiSpam Level  Select one of the following:
• Off: No antispam scanning.
• Low: Good spam detection rate.
• Medium: Better spam detection rate with a small impact on system
performance.
• High: Best spam detection rate with an additional impact on system
performance.
AntiVirus Status  Select whether to enable or disable antivirus scanning.
Access Control  Select “Click here to config access control for outgoing
mail” to configure the FortiMail unit to allow, discard, reject, or relay
email based on the sender, recipient, IP address, or a reverse DNS lookup of
the domain name of the connecting SMTP server. For details, see “Creating
access control rules” on page 200.

4 Select OK.

Outgoing Action
The Outgoing Action tab enables you to select which action the FortiMail unit will
take against spam and virus-infected outgoing email.

To configure the actions


1 Go to Settings > AntiSpam > Outgoing Action.
2 Configure the following:

Figure 41: Outgoing AntiSpam and AntiVirus Actions

AntiSpam Action

Tag Email in subject line  Enable and enter the text that will appear in the
subject line of the email, such as “[SPAM]”. The FortiMail unit will add this
text to the subject line of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes,
including a spam mailbox, based on text appearing in various parts of email
messages, including the subject line. For details, see the documentation for
your email client.


Tag Email with Header  Enable and enter the message header text. The FortiMail
unit will add this text to the message header of spam before forwarding it to
the recipient.
Many email clients can sort incoming email messages into separate mailboxes,
including a spam mailbox, based on text appearing in various parts of email
messages, including the message header. For details, see the documentation for
your email client.
Message header lines are composed of two parts: a key and a value, which are
separated by a colon. For example, you might enter:
X-Custom-Header: Detected as spam by profile 22.
If you enter a header line that does not include a colon, the FortiMail unit
will automatically append a colon, causing the entire text that you enter to
be the key.
Note: Do not enter spaces in the key portion of the header line, as these are
forbidden by RFC 2822.
Reject  Enable to reject spam and send reject responses to the sender.
Discard  Enable to discard spam without sending reject responses to the
sender.
AntiVirus Action

Replace Virus Body  Enable to exchange infected attachments for a replacement
message that explains that the attachment was infected with a virus, and was
therefore removed. This replacement message can be customized using the
advanced mode of the web-based manager. For more information, see “Custom
Messages” on page 173.
This option is always enabled.
Reject  Enable to reject infected email and send reject responses to the
sender.
Discard  Enable to discard infected email and send reject responses to the
sender.
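
The Incoming Action and Outgoing Action tabs describe the same rules for the Tag Email with Header field: a missing colon is appended so the whole entry becomes the key, and the key may contain no spaces (RFC 2822). The following Python is an added example, not FortiMail code: it reproduces those rules for an administrator-entered header line, adds the subject tag and header to a message the way the unit does before forwarding spam, and shows how a client-side sorting rule would file the result. The sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 2822 section 2.2: a header field name is one or more printable US-ASCII
# characters (33-126) excluding the colon, so a space anywhere in the key is
# forbidden. (Assumed reading of the RFC; not taken from the FortiMail guide.)
FIELD_NAME_RE = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


def is_valid_field_name(key: str) -> bool:
    """True when 'key' may be used as the key part of a header line."""
    return bool(FIELD_NAME_RE.match(key))


def normalize_header_line(text: str) -> str:
    """Apply the rule the guide gives for 'Tag Email with Header'.

    If the entered text has no colon, a colon is appended and the entire text
    becomes the key. The key is then checked against RFC 2822, so an entry
    such as "X Custom Header" is rejected instead of producing a header that
    downstream mail software may drop or misparse (and therefore fail to sort).
    """
    text = text.strip()
    if ":" not in text:
        text += ":"                       # the whole text becomes the key
    key, value = text.split(":", 1)
    if not is_valid_field_name(key):
        raise ValueError(f"header key {key!r} violates RFC 2822 (no spaces allowed)")
    return f"{key}: {value.strip()}".rstrip()


def tag_spam(raw_message: str, subject_tag: str, header_line: str) -> str:
    """Return the message with the subject tag and the custom header added,
    as the gateway would before forwarding spam to the recipient."""
    msg = message_from_string(raw_message)
    key, value = normalize_header_line(header_line).split(":", 1)
    msg[key] = value.strip()
    subject = msg.get("Subject", "")
    if subject_tag and not subject.startswith(subject_tag):
        del msg["Subject"]                # avoid a duplicate Subject field
        msg["Subject"] = f"{subject_tag} {subject}".strip()
    return msg.as_string()


def get_header(raw_message: str, key: str):
    """Return the value of 'key' in the message, or None if absent."""
    return message_from_string(raw_message).get(key)


def client_folder(raw_message: str, subject_tag: str, header_key: str) -> str:
    """Mimic a mail client rule: file into 'Spam' when either the subject tag
    or the custom header (matched case-insensitively) is present."""
    msg = message_from_string(raw_message)
    if header_key in msg or msg.get("Subject", "").startswith(subject_tag):
        return "Spam"
    return "Inbox"


# Constructed sample message; not a capture from a real FortiMail unit.
SAMPLE_MESSAGE = (
    "From: sender@example.com\r\n"
    "To: user@example.com\r\n"
    "Subject: Hello\r\n"
    "\r\n"
    "Body text.\r\n"
)

if __name__ == "__main__":
    tagged = tag_spam(SAMPLE_MESSAGE, "[SPAM]",
                      "X-Custom-Header: Detected as spam by profile 22.")
    print(tagged)
    print(client_folder(tagged, "[SPAM]", "X-Custom-Header"))
```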

Log & Report


The Log & Report menu enables you to configure and view log messages and
reports.
The FortiMail unit provides extensive logging capabilities for virus incidents, spam
incidents and system event functions. Detailed log information and reports provide
historical as well as current analysis of network activity to help you identify
security issues and reduce network misuse and abuse.
The Log & Report menu includes:
• Logging
• Reports
• Alert Email

Logging
The Logging menu enables you to view log files and the log messages that they
contain.


The Logging menu includes the following tabs:


• History
• Event
• AntiSpam
• AntiVirus
Each of those tabs corresponds to a type of log message that the FortiMail unit
records. On each of those tabs, you can perform similar actions, which include:
• Viewing the log file list
• Viewing log messages
• Displaying and arranging log columns
• Searching log messages
• Downloading log files
• Emptying the current log file
• Deleting rolled log files

Viewing the log file list


The Logging menu enables you to view the lists of log files for that log type, such
as History.
For example, by selecting the Event tab, you can view all log files that contain log
messages that were recorded due to system events and activities.

Note: You can view history log messages from either the Status tab or Log & Report >
Logging.

By default, the FortiMail unit stores all log files on a local hard disk. To ensure that
the local hard disk has sufficient disk space to store new log messages, you
should regularly download copies of older log files to your management computer
or other storage, and then delete them from the FortiMail unit. For more
information on downloading, deleting, and emptying log files, see “Downloading
log files” on page 95, “Emptying the current log file” on page 96, and “Deleting
rolled log files” on page 96.
The lists of log files for each log type display both the current log file and rolled log
files. When the current log file reaches either the configured maximum log file size
or the maximum age, the FortiMail unit renames the current log file to create a
rolled log file, and then begins a new current log file.
The lists of log files are sorted by the time range of the log messages contained in
the log file, with the most recent log files appearing near the top of the list. For
example, the current log file would appear at the top of the list, above a rolled log
file whose time ranges from “2008-05-08 11:59:36 Thu” to “2008-05-29 10:44:02
Thu”.
You can view log messages contained in a specific log file by selecting either Start
time or End time, or by selecting the View icon. For more information, see
“Viewing log messages” on page 89.
To view the list of log files, go to Log & Report > Logging, then select a log type
tab, such as History.


Figure 42: Viewing the log file list (Event tab)

Go to previous page  Select to view the previous page of the list of log files.
Go to next page  Select to view the next page of the list of log files.
Search  Select to search the log files. For more information, see “Searching
log messages” on page 93.
View n lines each page  Select the number of rows to display per page of the
list of log files.
Total lines  The total number of rows in the list of log files.
Go to line  To display the log file list page that contains a specific index
number (#), enter the number and then select Go.
Delete Selected Items  Select the log files by marking each checkbox in the
rows corresponding to the log files that you want to delete, then select
Delete Selected Items to remove those items from the hard disk.
#  The index number for the row in the list of log files.
Start time  The beginning of the log file’s time range.
End time  The end of the log file’s time range.
Size  The size of the log file in bytes.
Action  Select Empty Log to clear the current log file of all log messages.
This option appears only for the current log file. For more information, see
“Emptying the current log file” on page 96.
Select View to display the log messages in the log file. For more
information, see “Viewing log messages” on page 89.
Select Download to download the log file to your management computer. For
more information, see “Downloading log files” on page 95.
Select Delete to remove the selected log file from the hard disk. For more
information, see “Deleting rolled log files” on page 96.

Viewing log messages


You can view the log messages contained in any log file, such as the Event log
file, in both a columnar and raw format.


Log messages are always displayed in columnar format, with one log field per
column. However, when viewing this columnar display, you can also view the log
message in raw format by hovering your mouse over the index number of the log
message, in the “#” column, as shown in Figure 43 on page 90.
You can select which columns to display or hide. For details, see “Displaying and
arranging log columns” on page 92.
When hovering your mouse cursor over a log message, that row is temporarily
highlighted; however, this temporary highlight automatically follows the cursor,
and will move to a different row if you move your mouse. To create a row highlight
that does not move when you move your mouse, click anywhere in the row of the
log message.
For information on individual log messages, see the FortiMail Log Message
Reference in the Fortinet Knowledge Center at http://kc.fortinet.com/.

Note: You can also view history log messages on the Status tab. For more information,
see “Status” on page 34.

Figure 43: Viewing log messages

Go to previous page  Select to view the previous page of the list of log files.
Go to next page  Select to view the next page of the list of log files.
Search  Select to search the log files. For more information, see “Searching
log messages” on page 93.
Level  Select the severity level. The FortiMail unit will display only log
messages of the selected severity level and greater.
Subtype  Select the subtype. The FortiMail unit will display only the log
messages of that subtype.
This option appears only when viewing event log messages.
View n lines each page  Select the number of rows to display per page of the
list of log files.


Total lines The total number of rows in the list of log files.
Go to line To display the log file list page that contains a specific index number
(#), enter the number and then select Go.
Choose Columns Select to add or remove log information columns to display. For more
information see “Displaying and arranging log columns” on page 92.
Using the Level and Subtype drop-down menus, you can constrain the display to
only event log messages with matching severity levels and subtype log fields. The
following tables describe each option of the Level and Subtype drop-down menus.

Table 3: Level drop-down list options

Emergency  Displays only log messages at the Emergency severity level.
Alert  Displays only log messages at the Alert severity level.
Critical  Displays only log messages at the Critical severity level.
Error  Displays only log messages at the Error severity level.
Warning  Displays only log messages at the Warning severity level.
Notification  Displays only log messages at the Notification severity level.
Information  Displays only log messages at the Information severity level.

Table 4: Subtype drop-down list options

ALL  Displays all log messages, without filtering by subtype.
Configuration  Displays only log messages containing “configuration” in the
subtype log field.
Admin User  Displays only log messages containing “admin user” in the subtype
log field.
Web Mail  Displays only log messages containing “webmail” in the subtype log
field.
System  Displays only log messages containing “system” in the subtype log
field.
HA  Displays only log messages containing “HA” in the subtype log field.
Update Failure  Displays only log messages containing “Update Failure” in the
subtype log field.
Update Success  Displays only log messages containing “Update Success” in the
subtype log field.
POP3  Displays only log messages containing “POP3” in the subtype log field.
IMAP  Displays only log messages containing “IMAP” in the subtype log field.
SMTP  Displays only log messages containing “SMTP” in the subtype log field.
OTHERS  Displays all lines that have a value other than all of the above
subtypes, from Configuration to SMTP.
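
The Level and Subtype drop-downs combine as described above: Level keeps records at the chosen severity or any more severe one, while Subtype is a “containing” match with ALL and OTHERS as special cases. The following Python is an added example, not FortiMail code: it applies the Table 3 and Table 4 semantics to a few event records so an administrator can reproduce the same view over a downloaded log. The key=value record layout and the sample records are constructed for illustration and are not the FortiMail log format.

```python
import re

# Severity levels from Table 3, most severe first. "Level and greater" means
# the chosen level plus every level more severe than it.
SEVERITY_LEVELS = ["emergency", "alert", "critical", "error",
                   "warning", "notification", "information"]
RANK = {name: i for i, name in enumerate(SEVERITY_LEVELS)}

# Named subtypes from Table 4; OTHERS matches any subtype not in this list.
KNOWN_SUBTYPES = ["configuration", "admin user", "webmail", "system", "ha",
                  "update failure", "update success", "pop3", "imap", "smtp"]

# key=value pairs; quoted values may contain spaces (constructed layout).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Split one record into a dict of log fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def record_matches(record: dict, level: str, subtype: str) -> bool:
    """Return True when the record survives both drop-down filters."""
    rec_level = record.get("level", "").lower()
    if rec_level not in RANK or RANK[rec_level] > RANK[level.lower()]:
        return False                      # less severe than the selected level
    rec_sub = record.get("subtype", "").lower()
    wanted = subtype.lower()
    if wanted == "all":
        return True
    if wanted == "others":
        return rec_sub not in KNOWN_SUBTYPES
    return wanted in rec_sub              # "containing" match, as in Table 4


def filter_event_log(lines, level="Information", subtype="ALL"):
    """Return the records that the Level/Subtype selection would display."""
    if level.lower() not in RANK:
        raise ValueError(f"unknown severity level: {level!r}")
    records = (parse_record(line) for line in lines)
    return [r for r in records if r and record_matches(r, level, subtype)]


# Constructed sample event records (not real FortiMail output).
SAMPLE_EVENT_LOG = [
    'date=2008-06-16 time=14:45:15 level=information subtype="admin user" '
    'msg="User admin logged in from 192.0.2.10"',
    'date=2008-06-16 time=14:46:02 level=warning subtype="admin user" '
    'msg="Login failed for user admin from 192.0.2.77"',
    'date=2008-06-16 time=14:50:30 level=notification subtype=configuration '
    'msg="Access control rule 3 changed"',
    'date=2008-06-16 time=15:01:11 level=error subtype="update failure" '
    'msg="FortiGuard AntiVirus update failed"',
    'date=2008-06-16 time=15:05:00 level=critical subtype=ha '
    'msg="HA heartbeat lost"',
    'date=2008-06-16 time=15:07:45 level=information subtype=scheduler '
    'msg="Report job started"',
]

if __name__ == "__main__":
    # Level = Warning, Subtype = Admin User: only the failed login remains.
    for rec in filter_event_log(SAMPLE_EVENT_LOG, "Warning", "Admin User"):
        print(rec["time"], rec["level"], rec["msg"])
```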

To view log messages


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.


3 In the Action column, in the row corresponding to a log file whose log messages
you want to view, select View.
Alternatively, in the row corresponding to a log file whose messages you want to
view, select either Start time or End time.
Log messages contained in that log file appear.

Displaying and arranging log columns


When viewing logs in Formatted view, you can display, hide and re-order columns
to display only relevant categories of information in your preferred order.
Available columns vary by log type.

Figure 44: Displaying and arranging log columns

To display or hide columns


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to a log file whose log messages
you want to view, select View.
Alternatively, in the row corresponding to a log file whose messages you want to
view, select either Start time or End time.
4 Select Choose Columns.
Lists of available and displayed columns for the log type appear.
5 Select which columns to hide or display.
• In the Hidden Columns area, select the names of individual columns you want
to display, then select Add-> to move them to the Displayed Columns area.
• In the Displayed Fields area, select the names of individual columns you want
to hide, then select <-Remove to move them to the Hidden Columns area.
6 Select Apply.

To change the order of the columns


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.


3 In the Action column, in the row corresponding to a log file whose log messages
you want to view, select View.
Alternatively, in the row corresponding to a log file whose messages you want to
view, select either Start time or End time.
4 Select Choose Columns.
Lists of available and displayed columns for the log type appear.
5 In the Displayed Columns area, select a column name whose order of
appearance you want to change.
6 Select Move Up or Move Down to move the column in the ordered list.
Placing a column name towards the top of the Displayed Columns list will move
the column to the left side of the log message display.
7 Select Apply.

Searching log messages


You can search the log messages to quickly find specific log messages in a log
file, rather than browsing the entire contents of the log file.
Search appearance, like log fields, varies by log type.

Note: Some email processing such as mail routing and subject line tagging modifies the
recipient email address, the sender email address, and/or the subject line of an email
message. If you are searching for log messages by these attributes, enter your search
criteria using text exactly as it appears in the log messages, not in the email message. For
example, you might send an email message from sender@example.com; however, if you
have configured mail routing on the FortiMail unit or other network devices, this address, at
the time it was logged by the FortiMail unit, may have been sender-1@example.com. In
that case, you would search for sender-1@example.com instead of sender@example.com.

Figure 45: Searching the log messages (History log)


Figure 46: Searching the log messages (Event log)

Figure 47: Searching the log messages (AntiVirus log)

Figure 48: Searching the log messages (AntiSpam log)

To search log messages


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to the log file, select View to
display the contents of the log file.


4 Select Search.
5 Enter your search criteria by configuring one or more of the following:

Keyword Enter any word or words to search for within the log messages.
For example, you might enter “starting daemon” to locate all log
messages containing that exact phrase in any log field.
Message Enter all or part of the message log field.
Subject Enter all or part of the subject line of the email message as it appears
in the log message.
This option appears only for the History log type.
From Enter all or part of the sender’s email address as it appears in the log
message.
This option does not appear for the Event log type.
To Enter all or part of the recipient’s email address as it appears in the
log message.
This option does not appear for the Event log type.
Session Id Enter all or part of the session ID in the log message.
Log Id Enter all or part of the log ID in the log message.
Client Name Enter all or part of the domain name or IP address of the SMTP
client. For email users connecting to send email, this is usually an IP
address rather than a domain name. For SMTP servers connecting
to deliver mail, this may often be a domain name.
This option appears only for the History log type.
Time Select the time span of log messages to include in the search results.
For example, you might want to search only log messages that were
recorded during the two weeks and 8 hours previous to the current
date. In that case, you would specify the current date, and also
specify the size of the span of time (two weeks and 8 hours) before
that date.

6 Select Apply.
The FortiMail unit searches your currently selected log file for log messages that
match your search criteria, and displays any matching log messages. For
example, if you are currently viewing a rolled history log file, the search locates all
matching log messages located in that specific rolled history log file.

Downloading log files


You can download log files to your management computer. Downloading log files
can be useful if you want to view log messages on your management computer, or
if you want to download a backup copy of log files to another location before
deleting them from the FortiMail unit’s hard disk.

To download a log file


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to the log file that you want to
download, select Download.


4 Select one of the following:

Normal format  Downloads the log file in plain (ASCII) text format with a file
extension of .log. You can view this format in a plain text editor such as
Microsoft Notepad.
CSV format  Downloads the log file in comma-separated value (CSV) format with
a file extension of .csv. You can view this format in a spreadsheet
application such as Microsoft Excel.
Compressed format  Downloads a compressed file with a file extension of .gz.
This compressed file contains the log file in plain text format, with no file
extension.
If your management computer is running Microsoft Windows or another operating
system that requires file extensions, to enable your operating system to open
the file, you can rename the log file to add a .log or .txt file extension.

If your web browser prompts you for the location to save the file, browse to select
or enter the name of the folder.

Emptying the current log file


You can empty the current log file to remove all of the log messages contained in
that file, without deleting the log file itself. This can be useful in cases such as
when you want to delete all old log messages from the FortiMail unit’s hard disk,
because rolled log files can be deleted but the current log file cannot.

Note: Only the current log file can be emptied. Rolled log files cannot be emptied, but may
be deleted instead. For more information, see “Deleting rolled log files” on page 96.

Caution: Back up the current log file before emptying the current log file. When emptying
the log file, log messages are permanently removed, and cannot be recovered. For
instructions on how to download a backup copy of the current log file, see “Downloading log
files” on page 95.

To empty the current log file


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to the current log file, select Empty
Log.
A confirmation dialog appears, such as:
Are you sure you want to delete: alog?
4 Select OK.

Deleting rolled log files


You can delete rolled log files. This can be useful if you want to free disk space
used by old log files to make disk space available for newer log files.

Note: Only rolled log files can be deleted. Current log files cannot be deleted, but may be
emptied instead. For more information, see “Emptying the current log file” on page 96.


Caution: Back up the current log file before deleting a log file. When deleting a log file, log
messages are permanently removed, and cannot be recovered. For instructions on how to
download a backup copy of a log file, see “Downloading log files” on page 95.

To delete a rolled log file


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to the log file that you want to
delete, select Delete.
A confirmation dialog appears, such as:
Are you sure you want to delete: 2008-06-16-14:45:15_2007-10-16-22:52:20.alog?
4 Select OK.

To delete multiple rolled log files


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 If you want to delete selected log files, mark the checkbox in each row
corresponding to a log file that you want to delete.
If you want to delete all rolled log files, mark the checkbox in the column heading
for the column that contains checkboxes. This automatically marks all other
checkboxes.
4 Select Delete Selected Items.
A confirmation dialog appears:
Are you sure you want to delete: selected log files?
5 Select OK.

Reports
The Reports menu enables you to configure report profiles, generate reports, and
to view generated reports.
FortiMail units can collate information collected from their log files and present the
information in tabular and graphical reports.
FortiMail units require log files and a report profile to be able to generate a report.
A report profile is a group of settings that contains the report name, file format,
subject matter, and other aspects that the FortiMail unit considers when
generating the report. For information on configuring a report profile, see
“Creating a report profile” on page 101.

Note: In addition to viewing full reports, you can also view summary email statistics. For
more information, see “Mail Statistics” on page 43.

Note: Generating reports can be resource intensive. To avoid email processing
performance impacts, you may want to generate reports during times with low email traffic
volume, such as at night. For more information on scheduling the generation of reports, see
“Configuring the schedule of a report profile” on page 103.


The Reports menu includes the following tabs:


• Logging
• Reports
• Alert Email

Browse
The Browse tab displays a list of reports that have been generated from the report
profiles. You can delete, view, and/or download generated reports.
FortiMail units can generate reports automatically, according to the schedule that
you configure in the report profile, or manually, when you select Run Report in the
report profile list. For more information, see “Config” on page 100.
To view the list of generated reports, go to Log & Report > Reports > Browse.

Figure 49: Browsing generated reports

Go to previous page
Go to next page Delete Selected Items

Delete
Download HTML
Download PDF

Go to previous page View the previous page.
Go to next page View the next page.
View n lines each page Select the number of reports displayed on each page.
Total lines The total number of rows in the list of generated reports.
Go to line Type the line number you want to display, then select Go.
Delete Selected Items In the column containing checkboxes, in each row corresponding
to a report that you want to delete, mark the checkbox, then
select Delete Selected Items.
Line # The index number of the row in the list of generated reports.
Report Files The name of the generated report, and the date and time at which
it was generated.
For example, “Report 1-2008-03-31-2112” is a report named
“Report 1”, generated on March 31, 2008 at 9:12 PM.
To view the report in HTML format, select the name of the report.
To view only an individual section of the report in HTML format,
select “+” next to the report name to expand the list of HTML files
that comprise the report, then select one of the file names.


Last Access Time The date and time when the FortiMail unit completed the
generated report.
Size (bytes) The file size of the report in HTML format.
Action Select Delete to remove the report.
Select Download HTML to download a compressed (.tgz) archive
containing the report in HTML file format to your management
computer.
Select Download PDF to download the report in PDF file format to
your computer.

Viewing a generated report


After you have generated a report from a report profile, you can view it in any of its
configured file format outputs.
For HTML file format report output, each Query Selection in the report profile,
such as Spam by Recipient, becomes a separate HTML file, such as
“Spam_Recipient.html”. You can view the report either as individual HTML files, or
as a frame that contains all of the individual HTML files, where each section
corresponds to one of the Query Selections that you enabled.

Figure 50: Viewing a generated report (HTML file format, all sections)

To view a generated report


1 Go to Log & Report > Reports > Browse.
2 If you want to view the report in PDF file format, in the Action column, in the row
corresponding to the report that you want to view, select Download PDF.


3 If you want to view the report in HTML file format, you can view all sections of the
report together, or you can view a section individually.
• To view all report sections together, in the row corresponding to the report that
you want to view, select the name of the report, such as
“treportprofile-2008-06-27-1039”.
• To view one of the report sections, in the row corresponding to the report that
you want to view, select “+” next to the report name to expand the list of
sections, then select the file name of the section that you want to view, such as
“Spam_Recipient.html”.
The report appears in a new browser window.

Downloading a generated report


You can download generated reports to your management computer. This can be
useful for purposes such as archival and offline viewing.

To download a report
1 Go to Log & Report > Reports > Browse.
2 In the Action column, in the row corresponding to the report that you want to
download, select which file format to download.

Download HTML Select to download a compressed (.tgz) archive containing the report
in HTML file format to your management computer.
Download PDF Select to download the report in PDF file format to your management
computer.

Config
The Config tab displays a list of report profiles, which are used to generate
reports, and define what information will appear in the generated report.
You may want to create one report profile for each type of report that you will
generate, either on demand or periodically by schedule. For more information, see
“Creating a report profile” on page 101.
If you used the Quick Start Wizard to perform initial setup of your FortiMail unit, the
Quick Start Wizard automatically created two report profiles:
• predefined_report_yesterday
• predefined_report_last_week
Otherwise, no report profiles exist by default.
To view the list of report profiles, go to Log & Report > Reports > Config.

Figure 51: Viewing report profiles


Config Name The name of the report profile.
Domain The name of the protected domain that is the subject matter of this
report.
Schedule The scheduled frequency at which the FortiMail unit generates the report.
If this report is not scheduled to be generated periodically according to
the schedule configured in the report profile, but instead will be
generated only on demand, when you manually select Run Report,
“none” appears in this column.
Modify Select Delete to remove the report profile.
Select Edit to modify the report profile. For more information, see
“Creating a report profile” on page 101.
Select Run Report to immediately generate a report using this report
profile. This option can be used with both scheduled and on demand
report profiles, and occurs independently of any automatic report
generation schedules you may have configured. For more information,
see “Configuring the schedule of a report profile” on page 103.
Create New Select to add a new report profile.

Creating a report profile


You can create report profiles to define what information will appear in generated
reports.

To configure a report profile


1 Go to Log & Report > Reports > Config.
2 Select Create New.
3 In Report Name, enter a report name.
Report names must not include spaces.
4 Select the blue arrow next to each option, and configure the following:

Time Period Select the time span of log messages from which to generate the
report. For more information, see “Configuring the time period of a
report profile” on page 102.
Query Selection Select one or more subject matters to include in the report. For
more information, see “Configuring the query selection of a report
profile” on page 102.
Schedule Select to generate reports from this report profile either manually
only or automatically, according to a schedule. For more
information, see “Configuring the schedule of a report profile” on
page 103.
Domain Select the protected domains to include in the report. For more
information, see “Configuring the protected domains of a report
profile” on page 104.
Incoming Outgoing Select whether to report upon incoming email, outgoing email, or
both. For more information, see “Configuring incoming and
outgoing of a report profile” on page 104.
Output Select to email reports generated using this report profile by
adding recipients to the Email Notification list and selecting either
“html report” or “pdf report” file format for the attached report. This
field is optional. For more information, see “Configuring the output
of a report profile” on page 104.

5 Select OK.


Configuring the time period of a report profile


When configuring a report profile, you can select the time span of log messages
from which to generate the report.

Figure 52: Time Period

Time Period Select the time span of the report, such as This Month or
Last N Days.
Alternatively, select and configure From Date and To Date.
Last N Hours, Enter the number N of the unit of time. This option appears
Last N Days, only when you have selected Last N Hours, Last N Days, or
Last N Weeks Last N Weeks from Time Period, and therefore must define “N”.
From Date Select and configure the beginning of the time span. For
example, you may want the report to include log messages
starting from May 5, 2006 at 6 PM. You must also configure
To Date.
To Date Select to configure the end of the time span. For example, you
may want the report to include log messages up to May 6, at
12 AM. You must also select and configure From Date.

Configuring the query selection of a report profile


When configuring a report profile, you can select one or more queries or query
groups that define the subject matter of the report.
Each query group contains multiple individual queries, each of which corresponds
to a chart that will appear in the generated report. You can select all queries within
the group by marking the checkbox of the query group, or you can expand the
query group and then individually select each query that you want to include.
For example:
• If you want the report to include charts about spam, you might select both of
the query groups Spam by Sender and Spam by Recipient.
• If you want the report to specifically include only a chart about top virus
senders by date, you might expand the query group Virus by Sender, then
select only the individual query Top Virus Sender By Date.


Figure 53: Query Selection

Mail Statistics Select to include information on email message statistics, such as
Mail Stat Messages By Day.
Total Summary Select to include summary information, such as Total Sent And
Received.
High Level Breakdown Select if you want to include all top level and summary information
for all queries, such as Top Client IP By Date.
Mail by Sender Select to include information on email messages by each sender,
such as Top Sender By Date.
Mail by Recipient Select to include information on email messages by each recipient,
such as Top Recipient By Date.
Spam by Sender Select to include information on spam by each sender, such as Top
Spam Sender By Date.
Spam by Recipient Select to include information on spam by each recipient, such as
Top Spam Recipient By Date.
Virus by Sender Select to include information on infected email messages by each
sender, such as Top Virus Sender By Date.
Virus by Recipient Select to include information on infected email messages by each
recipient, such as Top Virus Recipient By Date.

Configuring the schedule of a report profile


When configuring a report profile, you can select whether the FortiMail unit will
generate the report on demand or according to the schedule that you configure.

Figure 54: Schedule

Schedules
Not Scheduled Select if you do not want the FortiMail unit to
generate the report automatically according to a
schedule.
If you select this option, the report will only be
generated on demand, when you manually select
Run Report from the report profile list. For more
information, see “Config” on page 100.


Daily Select to generate the report each day.
These Days Select to generate the report on specific days of each
week, then select those days.
These Dates Select to generate the report on specific dates of each
month, then enter those date numbers. Separate
date numbers by a comma.
For example, to generate a report on the first and
30th day of every month, enter 1,30.
At Hour Select the time of the day when the report will be generated.
This option does not apply if you have selected Not Scheduled.

Configuring the protected domains of a report profile


When configuring a report profile, you can select one or more protected domains
whose log messages will be used when generating the report.

Figure 55: Domain

Domain The list of protected domains whose log messages will be used when
generating the report.
Remove Selected Select one or more protected domains in the Domain area, then select
Remove Selected to remove them from that list.
Add Select All Domains or a protected domain from the drop-down menu,
then select Add to add that protected domain to the Domain area.

Configuring incoming and outgoing of a report profile


When configuring a report profile, you can select to report only on email
messages matching the directionality that you select: incoming, outgoing, or both.

Figure 56: Incoming Outgoing

Incoming Outgoing Select the directionality, relative to the protected domain, of email
messages that you want to report on.
• Incoming
• Outgoing
• Incoming and Outgoing

Configuring the output of a report profile


When configuring a report profile, you can configure the FortiMail unit to email a
copy of the report, in either HTML or PDF file format, to your designated
recipients.


Figure 57: Output

html report Select to attach a copy of the generated report in HTML format.
pdf report Select to attach a copy of the generated report in PDF file format.
Email Notification The list of recipients to which the FortiMail unit will send a copy of
reports generated using this report profile.
Remove Selected From Email Notification, select one or more recipients that you want to
remove, then select Remove Selected.
Add Enter the email address of a recipient, then select Add to add the email
address to the Email Notification area.

Alert Email
The Alert Email menu enables you to configure the FortiMail unit to notify you by
email message when specific types of events occur and are logged. For example,
if you require notification about virus detections, you can configure the FortiMail
unit to send an alert email message whenever the FortiMail unit detects a virus.
To configure alerts, you must configure both the recipients and which events will
trigger the FortiMail unit to send an alert email message. Alert email messages also
require that you configure the FortiMail unit with the IP address of at least one DNS server.
The FortiMail unit uses the domain name of the SMTP server to send alert email
messages; to resolve this domain name into an IP address, the FortiMail unit must be able
to query a DNS server. For information on using the advanced mode of the web-based
manager to configure DNS, see “DNS” on page 133.
The Alert Email menu includes the following tabs:
• Configuration
• Categories

Configuration
The Configuration tab enables you to configure recipient email addresses for alert
email messages.
Before the FortiMail unit can send alert email messages, you must configure one
or more recipients. You must also configure which categories of events will cause
the FortiMail unit to send alert email message. For more information, see
“Categories” on page 106.

To configure recipients of alert email messages


1 Go to Log & Report > Alert Email > Configuration.
2 In Email To, enter one or more recipient email addresses.
Enter only one email address per field.


3 Select Apply.
A Test button appears below the Email To fields.
4 To verify that alert email is configured correctly by sending a sample alert email to
all configured recipients, select Test.

Categories
The Categories tab enables you to configure which events will cause the FortiMail
unit to send an alert.
Before the FortiMail unit can send an alert email message, you must select the
event or events that will cause the FortiMail unit to send an alert email message.
You must also configure alert email message recipients. For more information,
see “Configuration” on page 105.

To select events that will trigger an alert email message


1 Go to Log & Report > Alert Email > Categories.
2 Select one or more of the following event categories:

virus incidents Select to send an alert email message when the
FortiMail unit detects a virus.
critical events Select to send an alert email message when the
FortiMail unit detects a system error that may affect its
operation.
disk is full Select to send an alert email message when the hard
disk of the FortiMail unit is full.
remote archiving failures Select to send an alert email message when the remote
archiving feature encounters one or more failures.
HA events Select to send an alert email message when any high
availability (HA) event occurs.
When a FortiMail unit is operating in HA mode, the
subject line of the alert email includes the host name of
the cluster member. If you have configured a different
host name for each member of the cluster, this enables
you to identify which FortiMail unit in the HA cluster sent
the alert email message. For more information, see “HA
log messages, alert email, and SNMP” on page 479.
disk quota of an account Select to send an alert email message when an email
is exceeded user’s account exceeds its quota of hard disk space.
This option is available only if the FortiMail unit is in
server mode.
dictionary is corrupted Select to send an alert email message when a
dictionary is corrupt.
system quarantine quota Select to send an alert email message when the system
is full quarantine reaches its quota of hard disk space. For
more information on the system quarantine, see “The
System quarantine tab displays the system quarantine.”
on page 371.
deferred emails # over n, Select to send an alert email message if the deferred
interval time n minutes email queue contains greater than this number of email
messages. Enter a number between 1 and 10000 to
define the alert threshold, then enter the interval of time
between each alert email message that the FortiMail
unit will send while the number of email messages in the
deferred email queue remains over this limit.

3 Select Apply.
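The threshold and interval semantics of the "deferred emails # over n, interval time n minutes" category, modelled as a small function so the alert cadence can be checked against sample queue readings. This is an added example, not FortiMail code: the queue readings are constructed and the function name is an assumption.

```python
"""Model of the deferred-queue alert category: alert when the queue exceeds the
threshold, then repeat no more often than every `interval_minutes` while the
queue stays over the limit. Added example, not FortiMail code."""
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple


def deferred_queue_alerts(
    samples: Iterable[Tuple[datetime, int]],
    threshold: int,
    interval_minutes: int,
) -> List[datetime]:
    """Return the times at which an alert email would be sent.

    samples: (time, queue_size) pairs in chronological order.
    threshold: alert when queue_size > threshold (the guide allows 1-10000).
    interval_minutes: minimum gap between repeated alerts while over the limit.
    """
    if not 1 <= threshold <= 10000:
        raise ValueError("threshold must be between 1 and 10000")
    if interval_minutes < 1:
        raise ValueError("interval must be at least one minute")
    interval = timedelta(minutes=interval_minutes)
    alerts: List[datetime] = []
    last_alert: Optional[datetime] = None  # None: queue currently under the limit
    for when, size in samples:
        if size > threshold:
            # First breach alerts immediately; later ones wait for the interval
            if last_alert is None or when - last_alert >= interval:
                alerts.append(when)
                last_alert = when
        else:
            # Queue dropped back under the limit: the next breach alerts at once
            last_alert = None
    return alerts


# Constructed sample queue readings (hypothetical), one every 10 minutes
SAMPLES = [
    (datetime(2008, 3, 31, 21, 0) + timedelta(minutes=10 * i), size)
    for i, size in enumerate([120, 600, 900, 950, 700, 200, 800, 300])
]

if __name__ == "__main__":
    # With threshold 500 and a 30-minute interval: 21:10, 21:40, 22:00
    for t in deferred_queue_alerts(SAMPLES, threshold=500, interval_minutes=30):
        print(t.strftime("%H:%M"))
```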


Quick Start
If you are configuring your FortiMail unit for the first time, you may want to use the
Quick Start Wizard. The Quick Start Wizard leads you through required
configuration steps, helping you to quickly set up your FortiMail unit.
All settings configured by the Quick Start Wizard can also be configured through
the basic and advanced modes of the web-based manager. However, the Quick
Start Wizard presents each setting in the necessary order, and contains
descriptions to assist you in configuring each setting. These descriptions are not
available in either the basic mode or advanced mode of the web-based manager.
Completing the Quick Start Wizard will:
• change the admin password
• configure system settings such as IP address, netmask, DNS, and gateway
• configure local host settings such as host name
• configure one or more protected domains
• set the level of incoming and outgoing antispam controls
• turn incoming and outgoing antivirus scanning on or off

Caution: Before running the Quick Start Wizard, select the operation mode of the FortiMail
unit, such as gateway mode, transparent mode, or server mode. Failure to select the
operation mode before running the Quick Start Wizard may require you to run the Quick
Start Wizard again after changing the operation mode, as changing the operation mode
may reset or change part of the configuration performed by the Quick Start Wizard. For
more information on selecting the operation mode, see “Changing the operation mode” on
page 39.

To begin the Quick Start Wizard, go to Quick Start >>.

Note: The Quick Start Wizard appears only in the basic mode of the web-based manager.
If the web-based manager is currently in advanced mode and you want to use the Quick
Start Wizard, first switch to basic mode by going to Basic >>.

For more information on setting up your FortiMail unit, see the FortiMail
Installation Guide.


Advanced mode
The advanced mode of the web-based manager provides the full set of menu
options, allowing you to achieve more complex configurations than the basic
mode of the web-based manager.
By default, the web-based manager initially appears in basic mode when you log
in. You can configure a preference for either the basic mode or the advanced
mode of the web-based manager for each administrator account, causing the
web-based manager to start in that mode when the administrator logs in. For
more information, see “Creating an administrator account” on page 140.
To manually switch from the basic mode to the advanced mode of the web-based
manager, go to Advanced >>.

Note: The basic mode of the web-based manager includes the Quick Start Wizard. If you
have not yet performed the first-time setup of your FortiMail unit, you can use the Quick
Start Wizard to lead you through the required steps, then use the remaining basic mode or
advanced mode menu options if, for example, you later need to change or add to some part
of the configuration. For more information, see “Quick Start” on page 107.

The following chapters describe the menu options that appear in the advanced
mode of the web-based manager, and includes the following topics:
• System
• Mail Settings
• User
• Profile
• Policy
• AntiSpam
• Email Archiving
• Log & Report
• Configuring and operating FortiMail HA


System
The System menu enables you to view basic FortiMail unit information and
statuses, including:
• the FortiMail unit’s serial number
• current firmware version
• current virus definition version
• email statistics
• IP sessions
• mail queues
• quarantines
You can also configure updates from the Fortinet Distribution Network (FDN),
such as FortiGuard Antivirus, change the firmware, back up and restore the
configuration, shut down or restart the FortiMail unit, and configure RAID,
high availability (HA), and network settings.
The System menu includes:
• Status
• Update
• Network
• Config
• RAID
• HA
• Certificate
• Maintenance

Status
The Status menu enables you to view the statuses and other information on
various FortiMail unit aspects, such as serial numbers and email statistics.
The Status menu includes the following tabs:
• Status
• Mail Statistics
• Session

Status
The Status tab displays various system statuses, such as log disk usage, version
numbers and the history log. It also enables you to view and change firmware and
antivirus versions, configuration files, and to shut down or restart the FortiMail
unit.
To view status information, go to System > Status > Status.


Figure 58: Status

Automatic Refresh Interval Select how often the web-based manager updates the Status
tab display.
Go Select to set the selected automatic refresh interval.
Refresh Select to manually update the Status tab display.
System Information
Serial Number The serial number of the FortiMail unit. The serial number is
unique to the FortiMail unit and does not change with
firmware upgrades.
UP Time The time in days, hours, and minutes since the FortiMail unit
was started or rebooted.
System Time The current time according to the FortiMail unit internal
clock.
Firmware Version The version of the firmware installed on the FortiMail unit.
Select Update to change the firmware. For more information,
see “Changing the firmware of your FortiMail unit” on
page 114.
Operation Mode The operation mode of the FortiMail unit. Select Change to
switch modes. For more information, see “Changing the
operation mode” on page 117.
Log Disk The capacity of the hard disk that the FortiMail unit uses to
store log messages. For more information on logging, see
“About FortiMail logging” on page 437.
Mailbox Disk The capacity of the hard disk that the FortiMail unit uses to
store archived email and quarantined spam. For more
information on quarantining and email archiving, see
“Actions options” on page 257 and “Archiving Policy” on
page 432.
License Information
Antivirus The version of the FortiMail Antivirus Engine.
Antivirus Definitions The current installed version of the FortiMail Antivirus
Definitions.
Select Update to manually update the definitions. For more
information, see “Updating antivirus definitions from a file” on
page 125.
You can schedule the frequency at which the FortiMail unit
retrieves updates from the Fortinet Distribution Network
(FDN). For more information, see “Update” on page 122.
Antispam The version of FortiMail Antispam Engine.
Antispam Definitions The version of FortiMail Antispam Definitions.


System Settings
Settings Select Backup to download a configuration backup file.
Select Restore to upload a configuration backup file.
Select Restore Factory Defaults to revert the configuration to
the defaults of the firmware version.
For more information, see “Backing up the configuration” on
page 118, “Restoring the configuration” on page 119, and
“Reverting the configuration to firmware defaults” on
page 119.
System Resources
CPU Usage The current CPU activity. The web-based manager displays
CPU usage for core processes only. CPU usage for
management processes such as HTTPS connections to the
web-based manager is excluded.
Memory Usage The current memory (RAM) usage. The web-based manager
displays memory usage for core processes only. Memory
usage for management processes such as HTTPS
connections to the web-based manager is excluded.
Log Disk Usage The current log disk usage indicates how much of the
allocated disk space is consumed. For information on log
settings, see “Logging to the hard disk” on page 439.
Mailbox Disk Usage The current mailbox disk usage indicates how much of the
allocated disk space is consumed.
You can configure an SNMP trigger to alert you when the
mailbox disk is very full. By default, it is set to trigger at 90%
full. For more information, see “SNMP v1/v2c” on page 142.
System Load A composite resource usage figure taking into account CPU,
memory, disk, and other FortiMail unit resources.
Active Sessions Shows the number of administrators and email users logged
in to the FortiMail unit.
History Select History to view a graphical representation of the last
minute of CPU, memory, sessions, and network usage. For
more information, see “Viewing the system resources
history” on page 113.
• CPU Usage History: CPU usage for the previous minute.
• Memory Usage History: Memory usage for the previous
minute.
• Session History: Session history for the previous minute.
• Network Utilization History: Network utilization for the
previous minute.
System Command Select to restart or shut down the FortiMail unit. For more
information, see “Restarting and shutting down the FortiMail
unit” on page 116.
History Log Select History Log >> to view history log messages. For
more information on viewing log messages, see “Viewing log
messages” on page 444.

Viewing the system resources history


You can view current and recent usage of each of the FortiMail unit’s system
resources through graphs that automatically refresh every three (3) seconds to
display current data.
The system resources history contains four (4) graphs. Each graph displays
readings of one of the system resources: CPU, memory, sessions, and network
bandwidth usage. Each graph is divided by a grid.


• Horizontal axis: Indicates time, with each grid square representing
approximately three (3) seconds. The most recent time is towards the right
side of the graph.
• Vertical axis: Indicates the usage level, with each grid square representing one
fifth (20%) of either the:
• maximum possible usage (CPU Usage History and Memory Usage
History), or
• number of units currently in the upper left corner of the graph; this number
of units is not constant, but instead scales to more clearly show trends at
higher or lower levels of usage, such as scaling from 100 Kbps to 1 Mbps
(Session History and Network Utilization History)
Greater usage levels are towards the top of the graph.
• Yellow line: Indicates the usage level of that resource over the previous 60
seconds.
If you do not initially see the yellow line in a graph, look at the bottom edge of the
graph. If the system resource usage is very low, such as when the CPU is idle, the
yellow line may coincide with the bottom edge of the graph.
To view the system resources history, go to System > Status > Status, then, in
the System Resources area, select History >>.

Figure 59: Viewing the system resources history

CPU Usage History The amount of workload of the CPU, relative to its maximum.
Memory Usage History The amount of memory (RAM) in use, relative to its maximum.
Session History The number of TCP sessions, relative to the number of units
displayed in the upper left corner of the graph.
You can view the connections to and from the FortiMail unit. For more
information, see “Session” on page 121.
Network Utilization History The amount of network bandwidth usage, relative to the number of
units displayed in the upper left corner of the graph.

Changing the firmware of your FortiMail unit


Administrators whose Domain is “system” can change the FortiMail firmware.
Firmware changes are either:
• an upgrade to a newer version
• a reversion to an earlier version


The firmware version number is used to determine if you are upgrading or
reverting your firmware image. For example, if your current firmware version is
“FortiMail-400 3.00,build288,080327”, changing to “FortiMail-400
3.00,build266,071209”, an earlier build number and date, indicates you are
reverting.
For more information, see:
• Upgrading the firmware of your FortiMail unit
• Reverting the firmware of your FortiMail unit
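A parser for the firmware version string quoted above, with the upgrade-or-revert decision the text describes carried out on the build number and cross-checked against the build date. This is an added example, not Fortinet code; the class and function names are assumptions, and the string layout is taken from the example in the guide.

```python
"""Parse FortiMail firmware version strings such as
"FortiMail-400 3.00,build288,080327" and classify a change as an upgrade or a
reversion. Added example, not Fortinet code; names are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Tuple

# model, major.minor version, build number, build date as YYMMDD
_PATTERN = re.compile(
    r"^(?P<model>\S+)\s+(?P<version>\d+\.\d+),build(?P<build>\d+),(?P<date>\d{6})$"
)


@dataclass(frozen=True)
class FirmwareVersion:
    model: str
    version: Tuple[int, int]  # e.g. (3, 0) for "3.00"
    build: int                # e.g. 288
    date: datetime            # e.g. 2008-03-27 for "080327"

    @classmethod
    def parse(cls, text: str) -> "FirmwareVersion":
        m = _PATTERN.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised firmware version string: {text!r}")
        major, minor = m.group("version").split(".")
        return cls(
            model=m.group("model"),
            version=(int(major), int(minor)),
            build=int(m.group("build")),
            date=datetime.strptime(m.group("date"), "%y%m%d"),
        )

    def key(self) -> Tuple[int, int, int]:
        # Version first, then build number, as the guide compares builds
        return (*self.version, self.build)


def classify_change(current: str, target: str) -> str:
    """Return "upgrade", "revert" or "same" for a change from current to target."""
    cur = FirmwareVersion.parse(current)
    new = FirmwareVersion.parse(target)
    if cur.model != new.model:
        # An image built for another model must never be installed
        raise ValueError(f"model mismatch: {cur.model} vs {new.model}")
    if new.key() == cur.key():
        return "same"
    newer = new.key() > cur.key()
    # Build number and build date should move in the same direction;
    # a disagreement suggests a mislabelled or tampered image
    if newer != (new.date > cur.date):
        raise ValueError("build number and build date disagree; check the image")
    return "upgrade" if newer else "revert"


if __name__ == "__main__":
    # The guide's own example: build 288 to build 266 is a reversion
    print(classify_change("FortiMail-400 3.00,build288,080327",
                          "FortiMail-400 3.00,build266,071209"))
```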

Upgrading the firmware of your FortiMail unit


You can upgrade the firmware of your FortiMail unit to ensure that it has the most
recent antivirus engine, antispam engine, bug fixes, and new features.

Note: Installing firmware replaces the current antivirus definitions with those included with
the firmware release that you are installing. After you install the new firmware, make sure
that your antivirus definitions are up-to-date. For more information, see “Manually initiating
antivirus definitions updates” on page 125.

Caution: Back up the configuration before beginning this procedure. This procedure may
reset changes that you have made to the FortiMail unit’s configuration file. For more
information on creating a backup, see “Backing up the configuration” on page 118.

To upgrade the firmware


1 Download the firmware image to your management computer from the Fortinet
Technical Support web site, https://support.fortinet.com.
2 Log in to the web-based manager as an administrator whose Domain is “system”,
such as the administrator named “admin”.
3 Go to System > Status > Status.
4 In the System Information area, next to Firmware Version, select Update.
5 In Upload File, type the path and filename of the firmware image file, or select
Browse and locate the file.
6 Select OK.
The FortiMail unit installs the uploaded firmware file and restarts. Time required
varies by the speed of the connection of your management computer to your
FortiMail unit. When complete, refreshing your browser will display the login page
of the web-based manager.
7 Log in again to the web-based manager.
8 Go to System > Status > Status.
9 Confirm that the firmware upgrade has been successfully installed by verifying the
version number located next to Firmware Version in the System Information area.

Reverting the firmware of your FortiMail unit


You can revert your FortiMail unit to a previous firmware version.

FortiMail™ Secure Messaging Platform Version 3.0 MR4 Administration Guide


06-30004-0154-20080904 115
Status System

Note: Installing firmware replaces the current antivirus definitions with those included with
the firmware release that you are installing. After you install the new firmware, make sure
that your antivirus definitions are up-to-date. For more information, see “Manually initiating
antivirus definitions updates” on page 125.

Caution: Back up the configuration before beginning this procedure. This procedure may
reset changes that you have made to the FortiMail unit’s configuration file. For more
information on creating a backup, see “Backing up the configuration” on page 118.

To revert to a previous firmware version


The following procedure reverts the FortiMail unit to its factory default
configuration and deletes all configuration on the unit.
1 Download the firmware image to your management computer from the Fortinet
Technical Support web site, https://support.fortinet.com.
2 Log in to the web-based manager as an administrator whose Domain is “system”,
such as the administrator named “admin”.
3 Go to System > Status > Status.
4 In the System Information area, next to Firmware Version, select Update.
5 In Upload File, type the path and filename of the firmware image file, or select
Browse and locate the file.
6 Select OK.
The FortiMail unit installs the uploaded firmware file and restarts. Time required
varies by the speed of the connection of your management computer to your
FortiMail unit. When complete, refreshing your browser will display the login page
of the web-based manager.
7 Log in again to the web-based manager.
8 Go to System > Status > Status.
9 Confirm that the firmware upgrade has been successfully installed by verifying the
version number located next to Firmware Version in the System Information area.
10 Restore your configuration.
For information about restoring your configuration, see “Restoring the
configuration” on page 119.

Restarting and shutting down the FortiMail unit


Administrators whose Domain is “system” can restart and shut down the FortiMail
unit.

Caution: Before performing any of these procedures, notify your email users.


To restart the FortiMail unit


1 Go to System > Status > Status.
2 Select Restart.
The FortiMail unit restarts. If you want to continue configuring the FortiMail unit,
refresh your browser and log in again.

To shut down the FortiMail unit


1 Go to System > Status > Status.
2 Select Shut Down.
The FortiMail unit shuts down. For FortiMail-400 models, you can now turn off the
power using the power button on the back of the FortiMail unit. For FortiMail-100,
FortiMail-2000, or FortiMail-4000 models, you can now turn off the power by
unplugging the FortiMail unit.

Changing the operation mode


Administrators whose Domain is “admin” can change the FortiMail unit from one
operation mode to another.
Operation modes reflect the nature of the network topology in which you deploy
the FortiMail unit, and other considerations. For information on the differences
between each operation mode, see “Determining the best operation mode” on
page 117.

Caution: Back up the configuration before beginning this procedure. This procedure may
reset many of the configuration file changes that you have made to the FortiMail unit,
including settings that do not apply to the new operation mode. For more information on
creating a backup, see “Backing up the configuration” on page 118.

To change the operation mode


1 Go to System > Status > Status.
2 In the System Information area, in the Operation Mode row, select Change.
3 From Operating Mode, select one of the following:
• Gateway
• Server
• Transparent

Note: If the FortiMail unit is operating in gateway mode, you must configure the MX record
of the DNS server for each protected domain to direct all email to this FortiMail unit instead
of the protected SMTP servers.

4 Select OK.

Determining the best operation mode


You can configure your FortiMail unit to operate in any one of three possible
operation modes. Each operation mode best suits a specific situation.
• Gateway: Use when you do not want your email server to be visible to email
users. You will need to modify the email clients of your email users and your
mail routing policy to route email through the FortiMail unit for it to be scanned.


• Transparent: Use when a network is complex and you do not want to change
the IP address scheme.
• Server: Use if you need a secure SMTP server with integrated advanced
antispam and antivirus capabilities.
For more information about the different operation modes, see “Modes of
operation” on page 18.

Important configuration tips for transparent mode


The transparent mode of operation is often your best choice when a network is
complex and does not allow for changes in the IP addressing scheme. If you
choose to operate your FortiMail unit in transparent mode, consider the following
tips.
• Deploy the FortiMail unit in front of your mail server so incoming email is forced
to go to the FortiMail unit and be scanned.
• Enter the management IP address and all the IP addresses connecting to your
FortiMail unit’s bridged (default) network interfaces on the same IP subnet.
• Do not connect two ports to the same VLAN on a switch or the same hub.
Some Layer 2 switches become unstable when they detect the same media
access control (MAC) address originating on more than one network interface
on the switch, or from more than one VLAN.
• If the client is configured for authentication and the “Use original server to
deliver mail” option under “For unknown Servers” of SMTP proxies is not
selected, configure and apply an authentication profile for the FortiMail unit,
and explicitly configure the back end mail server to allow relay. Without the
profile, the authentication will fail.
• For additional advanced options when configuring protected domains in
transparent mode, see “Creating a protected domain” on page 182.

Backing up the configuration


You can back up the FortiMail unit’s configuration by downloading a configuration
backup file to the management computer.

Caution: A FortiMail configuration backup file is not a full backup of all data on the
FortiMail unit. Backing up the FortiMail unit’s configuration does not include mail queues,
dictionaries, or the Bayesian database, which must be backed up separately. For more
information, see “Queue Maintenance” on page 211, “Maintenance” on page 310 or “User”
on page 389.

To back up the configuration


1 Go to System > Status > Status.
2 In the System Settings area, select Backup.
3 Select Backup system settings.
4 If your browser prompts you for a location to save the file, select a folder.
The file is downloaded to your management computer.


Restoring the configuration


You can restore the configuration of the FortiMail unit by uploading a previously
downloaded configuration backup file.

Note: This procedure restores the configuration backup file only. For instructions on
restoring other FortiMail unit data, see “Queue Maintenance” on page 211, “Maintenance”
on page 310, and “User” on page 389.

To restore system settings


1 Go to System > Status > Status.
2 In the System Settings area, select Restore.
3 Enter the path and filename of the configuration backup file, or select Browse to
locate the file.
4 Select OK.
The FortiMail unit restores the system configuration using the uploaded
configuration backup file, and restarts.
5 After the FortiMail unit restarts, refresh your browser.
The FortiMail Administrator Login page is displayed.
6 Log in to the web-based manager to review your configuration to confirm that the
uploaded system settings have taken effect.

Reverting the configuration to firmware defaults


You can use the following procedure to revert the FortiMail configuration to the
values that are defaults for the currently installed firmware version. This procedure
does not change the firmware version or the antivirus definitions.

Caution: Back up the configuration before beginning this procedure. This procedure resets
all changes that you have made to the FortiMail unit’s configuration file and reverts the
system to the default values for the firmware version, including factory default settings for
the IP addresses of network interfaces. For more information on creating a backup, see
“Backing up the configuration” on page 118.

To revert system settings to factory defaults


1 Go to System > Status > Status.
2 In the System Settings area, select Restore Factory Defaults.
A confirmation dialog appears.
3 Select OK.
The FortiMail unit resets its configuration to the defaults for that firmware version,
and restarts. To configure the FortiMail unit, you must connect to the FortiMail unit
using the default IP addresses for its network interfaces. For more information on
connecting to a FortiMail unit with the default configuration, see the FortiMail
Install Guide. For information on restoring the configuration, see “Restoring the
configuration” on page 119.


Downloading the debug log and trace file


You can download a debug log file and/or trace file. These files may sometimes be
requested by Fortinet Technical Support for systems analysis purposes. The trace
log file is in a binary format, and contains information that is supplementary to the
debug log file.

To download the debug log and trace file


1 Go to System > Status > Status.
2 In the System Settings area, select Backup.
3 Select Download debug log, then select Download trace log.
4 If your browser prompts you for a location to save the files, select a folder.
The files are downloaded to your management computer.

Mail Statistics
The Mail Statistics tab contains summaries of the numbers of email messages in
each time period that the FortiMail unit detected as containing viruses, spam, or
neither.
For email messages classified as spam, mail statistics include which FortiMail
feature classified the email as spam, such as Bayesian antispam databases,
access control, the system-wide black list (System List), or the email user-configured
black list (User List).
To use the Mail Statistics tab, you must first configure your FortiMail unit to detect
spam and/or viruses. For more information, see “Profile” on page 241 and “Policy”
on page 355.
To view mail statistics, go to System > Status > Mail Statistics.

Figure 60: Mail Statistics

Automatic Refresh Interval Select the interval, such as 30 seconds, between automatic
    refreshes of the page. Refreshing the page displays current email statistics.
Refresh Select to manually refresh the page, displaying current email statistics.
Statistics data extracted from log also available here Select to display the statistics
    in graph format. To return to displaying the email statistics in table format,
    select Realtime statistics data also available here.


Summary Select to display a summary of the hourly, daily, monthly, yearly, and
total email statistics.
The summary table includes both the total count of spam and viral
email messages and counts for each method that caused email to be
classified as spam or viral email.
Hourly History Select to display graphs of the hourly email statistics.
Daily History Select to display graphs of the daily email statistics.
Monthly History Select to display graphs of the monthly email statistics.
Yearly History Select to display graphs of the yearly email statistics.

Session
The Session tab displays information about the connections to and from the
FortiMail unit.
To view the session list, go to System > Status > Session.

Figure 61: Session

Total Number of Sessions Total number of sessions currently passing through the
    FortiMail unit.
Page The number of pages of sessions.
Refresh icon Select to update the session list.
Page up icon Select to view the previous page in the session list.
Page down icon Select to view the next page in the session list.
View n lines each page Select the number of lines to display per page.
Protocol The service protocol of the connection, such as ICMP, UDP, or TCP.
From IP The source IP address of the connection.
From Port The source port of the connection.
To IP The destination IP address of the connection.
To Port The destination port of the connection.
Expire(secs) The time, in seconds, before the connection expires.


Update
The Update menu enables you to configure updates that the FortiMail unit can
receive from the Fortinet Distribution Network (FDN).
The Update menu includes the following tab:
• Update

Update
The Update tab displays the current versions and the dates of the most recent
updates to antivirus and antispam definitions and the antivirus engine. It also
allows you to manually initiate a request from the FortiMail unit to the FDN for
available updates, and/or to configure how the FortiMail unit will automatically
retrieve updates.
FortiMail units can receive updates from the FortiGuard Distribution Network
(FDN). The FDN is a world-wide network of FortiGuard Distribution Servers (FDS).
FortiMail units connect to the FDN by connecting to the FDS nearest to the
FortiMail unit by its configured time zone.
FortiMail units support two kinds of automatic update mechanisms:
• scheduled updates, by which the FortiMail unit periodically polls the FDN to
determine if there are any available updates
• push updates, by which the FDN actively notifies FortiMail units when updates
become available
For information on configuring scheduled updates, see “Scheduling updates” on
page 126. For information on configuring push updates, see “Enabling push
updates” on page 127.
You may want to configure both scheduled and push updates. In this way, if the
network experiences temporary problems such as connectivity issues that
interfere with either method, the other method may still be able to provide your
FortiMail unit with updated protection. You can alternatively manually update the
FortiMail unit by uploading an update file. For more information on uploading
updates, see “Updating antivirus definitions from a file” on page 125.
To receive scheduled and push updates, you must first register your FortiMail unit.
To register your FortiMail unit, go to the Fortinet Technical Support web site,
https://support.fortinet.com/. The FortiMail unit must also be able to connect to the
FDN. If you want to enable push updates, the FDN must also be able to connect to
your FortiMail unit to be able to send it notifications of available updates. For
additional requirements, see “Troubleshooting FDN connectivity” on page 124.
To view the currently installed engine or definition versions, or to configure
scheduled or push updates from the FDN, go to System > Update > Update.


Figure 62: Update

FortiGuard Distribution Network The status of the connection to the FortiGuard
    Distribution Network (FDN) or, if enabled and configured, the override server.
    • Available: Indicates that the FortiMail unit can connect to the FDN.
    • Unknown: Indicates that the FortiMail unit cannot connect to the FDN. For more
      information, see “Troubleshooting FDN connectivity” on page 124.
Push Update The status of the connection from the FDN.
    • Available: Indicates that the FDN can connect to the FortiMail unit to send push
      updates. For more information, see “Enabling push updates” on page 127.
    • Not Available: Indicates that the FDN cannot connect to the FortiMail unit to
      send push updates.
    • Unknown: Indicates that the FDN cannot connect to the FortiMail unit to send
      push updates. For more information, see “Troubleshooting FDN connectivity” on
      page 124.
Refresh Select to test the connection of the FortiMail unit to the FDN. Results are
    displayed at the top of the page.
Use override server address Select Use override server address and enter the IP
    address of a public or private FortiGuard Distribution Server (FDS). For more
    information, see “To add an override server” on page 126.
    If you cannot connect to the FDN or if your organization provides updates using
    their own FortiGuard server, you can configure an override server.
    If, after applying the override server address, the FortiGuard Distribution
    Network setting changes to Available, the FortiMail unit has successfully
    connected to the override server. If the FortiGuard Distribution Network setting
    displays Unknown, the FortiMail unit cannot connect to the override server. For
    more information, see “Troubleshooting FDN connectivity” on page 124.
Update The name of the updatable item, such as Anti Virus Definition.
Version The version number of the item currently installed on the FortiMail unit.
Expiry date The expiry date of the license for the item.
Last update attempt The date and time when the FortiMail unit last attempted to
    download an update.


Last update status The result of the last update attempt.
    • No updates: Indicates the last update attempt was successful but no new
      updates are available.
    • Installed updates: Indicates the last update attempt was successful and new
      updates were installed.
    • Other messages, such as Network Error, indicate that the FortiMail unit was not
      able to connect to the FDN, or other error conditions. For more information, see
      “Troubleshooting FDN connectivity” on page 124.
Allow Push Update Select this check box to allow push updates of the FortiMail unit.
Use override push IP Select, then enter the override IP address and port number.
    Override push IP addresses and ports are used when there is a NAT device between
    the FortiMail unit and the FDN.
    The FortiMail unit sends the override push IP address and port to the FDN. The
    FDN will now use this IP address and port for push updates to the FortiMail unit
    on the internal network. If the External IP Address or External Service Port
    changes, add the changes to the Use override push configuration and select Apply
    to update the push information on the FDN. For more information, see “To enable
    push updates through a NAT device” on page 127.
    This option is available only if Allow Push Update is enabled.
Scheduled Update Select this check box to enable scheduled updates, then select the
    frequency of update attempts.
Every Select to attempt to update once every 1 to 23 hours, then select the number of
    hours between each update request.
    This option is available only if Scheduled Update is enabled.
Daily Select to attempt to update once a day, then select the hour of the day to check
    for updates.
    If you select “00” minutes, the update attempt occurs at a randomly determined
    time within the selected hour.
    This option is available only if Scheduled Update is enabled.
Weekly Select to attempt to update once a week, then select the day of the week, the
    hour, and the minute of the day to check for updates.
    If you select “00” minutes, the update attempt occurs at a randomly determined
    time within the selected hour.
    This option is available only if Scheduled Update is enabled.

Troubleshooting FDN connectivity


If your FortiMail unit is unable to connect to the FortiGuard Distribution Network
(FDN), verify the following:
• You must register your FortiMail unit with the Fortinet Technical Support web
site, https://support.fortinet.com/.
• Your FortiMail unit must be configured to connect with a DNS server. For more
information, see “DNS” on page 133.
• You must add routes to the FortiMail unit’s routing table so that the FortiMail unit
can connect to the Internet. See “Routing” on page 134.
• You must set the system time of the FortiMail unit, including its time zone. For
more information, see “Status” on page 111.
• Your network, including any intermediary firewall devices, must allow the
FortiMail unit to use HTTPS on TCP port 9443 to connect to the FDN.


• You might need to override the default FortiGuard server to receive updates.
For more information, see “To add an override server” on page 126.
If you have enabled push updates, in addition to the above, verify the following:
• If there is a NAT device installed between the FortiMail unit and the FDN, you
must configure it to forward push traffic to the FortiMail unit. For more
information, see “To enable push updates through a NAT device” on page 127.
• If your FortiMail unit connects to the Internet using a proxy, use the CLI
command set system autoupdate tunneling to enable the FortiMail
unit to connect to the FDN through the proxy. For more information, see the
FortiMail CLI Reference.
• You may need to add routes or configure your network to allow the FortiMail
unit to use HTTPS on TCP port 8890 to connect to the FDN.

Manually initiating antivirus definitions updates


You can manually trigger the FortiMail unit to request available updates,
independently from the configured update schedule.

To update antivirus definitions


1 Go to System > Update.
2 Select Update Now.
If the connection to the FDN or override server is successful, the web-based
manager displays a message similar to the following:
Your update request has been sent. Your database will be
updated in a few minutes. Please check your update page for
the status of the update.
After a few minutes, if an update is available, the System Update page lists new
version information for antivirus definitions, or the antivirus engine. The System
Status page also displays new dates and version numbers for antivirus definitions.
Messages are recorded to the event log indicating whether the update was
successful or not.
See “Troubleshooting FDN connectivity” on page 124 if your FortiMail unit cannot
connect to the FDN.

Updating antivirus definitions from a file


If you do not want to allow the FortiMail unit to automatically download antivirus
definition updates from the Fortinet Distribution Network (FDN), you can manually
upload an antivirus definitions update file.

To upload an antivirus definitions file


1 Download the antivirus definition file to your management computer from the
Fortinet Technical Support web site, https://support.fortinet.com.
2 Go to System > Status > Status.
3 In the License Information area, next to AntiVirus Definitions, select Update.
4 In Update File, type the path and filename of the antivirus definitions file, or
select Browse and locate the file.


5 Select OK.
The FortiMail unit installs the antivirus definitions file. This takes about 1 minute.
6 Go to System > Status > Status.
7 Confirm that the antivirus definitions file has been successfully installed by
verifying the version number located next to AntiVirus Definitions in the License
Information area.

Scheduling updates
FortiMail units can be configured to poll for and download updated definitions
hourly, daily, or weekly, according to a schedule that you specify.

To enable scheduled updates


1 Go to System > Update.
2 Select Scheduled Update.
3 Select one of the following to check for and download updates.

Hourly Once every 1 to 23 hours. Select the number of hours and minutes between
each update request.
Daily Once a day. You can specify the time of day to check for updates.
Weekly Once a week. You can specify the day of the week and the time of day to
check for updates.

4 Select Apply.
The FortiMail unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiMail unit runs a scheduled update, the event is recorded in the
FortiMail event log. See “Log & Report” on page 437.

To add an override server


If you cannot connect to the FDN, or if your organization provides antivirus
updates using their own FortiResponse server, you can use the following
procedure to add the IP address of an override FortiResponse server.
1 Go to System > Update.
2 Select Use override server address.
3 Type the IP address of a FortiResponse server.
4 Select Apply.
The FortiMail unit tests the connection to the override server.
If the FortiGuard Distribution Network setting changes to available, the FortiMail
unit has successfully connected to the override server.
If the FortiGuard Distribution Network stays set to not available, the FortiMail unit
cannot connect to the override server. Check the FortiMail network configuration
for settings that would prevent the FortiMail unit connecting to the override
FortiResponse server.


Enabling push updates


The FDN can push updates to FortiMail units to provide the fastest possible
response to critical situations. You must register the FortiMail unit before it can
receive push updates. Go to Product Registration and follow the instructions.
You must configure the FortiMail unit in order to allow push updates. FDN
provides push updates to the FortiMail unit by using HTTPS on UDP port 9443. To
receive push updates, you must configure the FortiMail unit so that the FDN can
route packets to it using this port.
When you configure a FortiMail unit to enable push updates, the FortiMail unit
sends a SETUP message to the FDN. The next time a new antivirus engine or
new antivirus definitions are released, the FDN notifies all FortiMail units that are
configured for push updates that a new update is available. Within 60 seconds of
receiving a push notification, the FortiMail unit requests an update from the FDN.
When the network configuration permits, Fortinet recommends configuring push
updates in addition to scheduled updates. The FortiMail unit usually receives new
updates sooner through push updates. When the FortiMail unit receives a push
notification, it makes only one attempt to connect to the FDN and download
updates which may or may not be successful. Configuring scheduled updates
ensures that the FortiMail unit receives the latest updates.

To enable push updates


1 Go to System > Update > Update.
2 Select Allow Push Update.
3 Select Apply.
To ensure that your FortiMail unit can connect to the FDN, see “Troubleshooting
FDN connectivity” on page 124.

To enable push updates when FortiMail IP addresses change


The SETUP message that the FortiMail unit sends when you enable push updates
includes the IP address of the FortiMail port 1 interface. The FDN must be able to
connect to this IP address for your FortiMail unit to receive push update
messages. If your FortiMail unit is behind a NAT device, see “To enable push
updates through a NAT device” on page 127.
Whenever the port 1 interface IP address changes, the FortiMail unit sends a new
SETUP message to notify the FDN of the address change. As long as the
FortiMail unit sends this SETUP message and the FDN receives it, the FDN can
maintain the most up-to-date port 1 interface IP address for the FortiMail unit.
The FortiMail unit sends the SETUP message if you change the port 1 interface IP
address manually or if you have set the port 1 interface addressing mode to
DHCP and your DHCP server changes the IP address.

To enable push updates through a NAT device


If the FDN can connect to the FortiMail unit only through a NAT device, you must
configure port forwarding on the NAT device and add the port forwarding
information to the push update configuration. Using port forwarding, the FDN
connects to the FortiMail unit using either port 9443 or an override push port that
you specify.


Note: You cannot receive push updates through a NAT device if the external IP address of
the NAT device is dynamic (for example, set using DHCP).

The following example describes how to configure a FortiGate unit running in NAT
mode to forward push updates to a FortiMail unit installed on its internal network.
Before the FortiMail unit on the internal network can receive push updates, you
must configure the FortiGate unit with a port forwarding virtual IP. This virtual IP
maps the IP address of the external interface of the FortiGate unit and a custom
port to the IP address of the FortiMail unit on the internal network.

Note: This example describes the configuration for a FortiGate NAT device. However, you
can use any NAT device with a static external IP address that can be configured for port
forwarding.

Use the following steps to configure the FortiGate NAT device and the FortiMail
unit on the internal network so that the FortiMail unit on the internal network can
receive push updates:
1 Add a port forwarding virtual IP to the FortiGate NAT device.
For more information, see the FortiGate Administration Guide.
2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding
virtual IP.
For more information, see the FortiGate Administration Guide.
3 Configure the FortiMail unit on the internal network with an override push IP and
port.

Note: Before completing the following procedure, you should register the internal network
FortiMail unit so that it can receive push updates. To register your FortiMail unit, go to
Product Registration and follow the instructions.

To configure the FortiMail unit with an override push IP and port


1 Go to System > Update.
2 Select Allow Push Update.
3 Select Use override push.
4 Set IP to the external IP address added to the virtual IP.
5 Set Port to the external service port added to the virtual IP.
6 Select Apply.
The FortiMail unit sends the override push IP address and port to the FDN. The
FDN now uses this IP address and port for push updates to the FortiMail unit on
the internal network.
If the external IP address or external service port changes, add the changes to the
Use override push configuration and select Apply to update the push information
on the FDN.
7 Select Refresh to make sure that push updates work.
The Push Update status changes to Available.


Network
The Network menu provides options to configure network connectivity and
administrative access to the web-based manager or CLI of the FortiMail unit
through each network interface.
The Network menu includes the following tabs:
• Interface
• DNS
• DDNS
• Routing
• Management IP

Interface
The Interface tab displays a list of the FortiMail unit’s network interfaces.
If your FortiMail unit is not properly deployed and configured for the topology of
your network, email may be able to bypass the FortiMail unit. For example,
spammers can easily determine the lowest priority mail server (the highest
preference number in the MX record) and deliver spam to it in an attempt to avoid
spam defences on the FortiMail unit. To ensure maximum protection against
spam, you should:
• configure your router or firewall to forward all SMTP traffic to the FortiMail unit
for scanning
• modify the DNS records of domain names associated with protected domains
to keep a single MX record entry that resolves to the FortiMail unit
• configure policies and profiles for each of the protected domains
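
As an added illustration of the MX-record point above (example code, not part of the guide or of the FortiMail product), the following Python audits a protected domain's MX layout offline. The zone data, host names and addresses are constructed, and `audit_mx` is a hypothetical helper; in practice you would fill the two dictionaries from DNS answers for each protected domain and list the public address at which SMTP actually reaches the FortiMail unit.

```python
# Added example (not FortiMail code): an offline audit of the MX layout the
# guide describes. All zone data below is constructed for the example.

# Constructed MX records for a protected domain: (preference, mail exchanger).
SAMPLE_MX_RECORDS = {
    "example.com": [
        (10, "fortimail.example.com"),
        (20, "mail-backup.example.com"),   # leftover fallback MX from before deployment
    ],
}

# Constructed A records for the mail exchangers above.
SAMPLE_A_RECORDS = {
    "fortimail.example.com": "203.0.113.10",
    "mail-backup.example.com": "203.0.113.25",
}

# Public address(es) at which SMTP reaches the FortiMail unit (constructed).
FORTIMAIL_ADDRESSES = {"203.0.113.10"}


def audit_mx(domain, mx_records, a_records, fortimail_addrs):
    """Return findings for MX entries that would let mail bypass the FortiMail unit.

    Mail exchangers are tried in ascending preference order, so the entry with the
    highest preference number is the lowest-priority server the guide mentions.
    """
    findings = []
    ordered = sorted(mx_records.get(domain, []))
    if not ordered:
        # With no MX record, senders deliver to the domain's own A record instead.
        return [f"{domain}: no MX record; senders fall back to the domain's A record"]
    for pref, host in ordered:
        addr = a_records.get(host)
        if addr is None:
            findings.append(f"{domain}: MX {pref} {host} does not resolve")
        elif addr not in fortimail_addrs:
            findings.append(
                f"{domain}: MX {pref} {host} ({addr}) does not resolve to the FortiMail unit"
            )
    if len(ordered) > 1:
        findings.append(
            f"{domain}: {len(ordered)} MX records; keep a single MX entry that "
            "resolves to the FortiMail unit"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_mx("example.com", SAMPLE_MX_RECORDS,
                            SAMPLE_A_RECORDS, FORTIMAIL_ADDRESSES):
        print(finding)
```

Run against the constructed zone, the audit reports the MX 20 host as a path around the FortiMail unit and flags the second MX entry; a zone with a single MX that resolves to the FortiMail address produces no findings.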
The FortiMail unit also provides IP addresses for administrator access to the web-
based manager and for user access to webmail. In transparent mode, you specify
a management IP address. In gateway and server modes, the IP address of the
interface serves this purpose. If the interface is configured to enable
administrative access, you can also use this IP address to access the web-based
manager. The administrative and user access URLs are as follows:

Gateway or server mode
User access https://<interface IP address>
Administrative access https://<interface IP address>/admin

Transparent mode
User access https://<management IP address>
Administrative access https://<management IP address>/admin

To view the list of network interfaces, go to System > Network > Interface.

Figure 63: Interface

Name The name of the network interface, such as port1.
IP The IP address of the network interface.
If the FortiMail unit is in transparent mode, IP and Netmask may alternatively
display “bridging”. This means that Do not associate with management IP
has been disabled, and the network interface is acting as a Layer 2 bridge.
Netmask The netmask of the network interface.
If the FortiMail unit is in transparent mode, IP and Netmask may alternatively
display “bridging”. This means that Do not associate with management IP
has been disabled, and the network interface is acting as a Layer 2 bridge.
Access The administrative access and webmail access services that are enabled on
the network interface, such as HTTPS for the web-based manager.
Status Indicates the “up” (available) or “down” (unavailable) port status for the
network interface.
• Green up arrow: The network interface is up and can accept traffic.
• Red down arrow: The network interface is down and cannot accept
traffic.
To bring up a network interface, select Bring Up.
To bring down a network interface, use the command line interface (CLI) and
enter the following command:
set system interface <intf_str> config status down
where <intf_str> is the name of the network interface.
Modify Select Modify to edit a network interface configuration. For more information,
see “Editing network interfaces” on page 130.

Editing network interfaces

You can edit a network interface to change its IP address, netmask, administrative
access protocols, and other settings.

Caution: Enable administrative access only on network interfaces connected to trusted
private networks or directly to your management computer. If possible, enable only secure
administrative access protocols such as HTTPS or SSH. Failure to restrict administrative
access could compromise the security of your FortiMail unit.

To edit a network interface

1 Go to System > Network > Interface.
2 In the row corresponding to the network interface that you want to edit, select Edit.
The Edit Interface page appears. Appearance varies by:
• the operational mode of the FortiMail unit (gateway, transparent, or server)
• if the FortiMail unit is operating in transparent mode, by whether the network
interface is port1, which is required to be configured as a Layer 2 bridge and
therefore cannot be configured with an IP and Netmask
3 Configure the following:

Figure 64: Edit Interface (gateway mode)

Figure 65: Edit Interface (transparent mode, non-bridging)

Figure 66: Edit Interface (transparent mode, port1)

Interface Name The name (such as port2) and media access control (MAC)
address for this network interface.
Addressing mode
Do not associate with management IP Enable to configure an IP address and
netmask for this network interface, separate from the management IP, then
configure IP/Netmask.
This option appears only if the FortiMail unit is operating in transparent mode
and if the network interface is not port1, which must always be bridging. For
more information, see “Management IP” on page 135.
Manual Select to enter a static IP address, then enter the IP address and
netmask for the network interface in the IP/Netmask field.
This option appears only if the FortiMail unit is operating in gateway mode or
server mode, and the network interface is not port1.

IP/Netmask Enter the IP address and netmask for the network interface.
If the FortiMail unit is operating in gateway mode or server
mode, this option is available only if Manual is selected.
If the FortiMail unit is operating in transparent mode, this option
is available only if Do not associate with management IP is
enabled.
DHCP Select to retrieve a dynamic IP address using DHCP.
This option appears only if the FortiMail unit is operating in
gateway mode or server mode.
Retrieve default gateway and DNS from server Select to retrieve both the default
gateway and DNS addresses from the DHCP server, replacing any manually
configured values.
Connect to Server Select for the FortiMail unit to attempt to obtain DNS
addressing information from the DHCP server. Disable this option if you are
configuring the network interface offline, and do not want the unit to attempt to
obtain addressing information at this time.
Status Select to refresh the page and display the current DHCP status
message.
The text following this link displays the current DHCP status
message at the time that this page was last refreshed. DHCP
status messages can indicate progress as the FortiMail unit
connects to the DHCP server and retrieves addressing
information.
Access
HTTPS Enable to allow secure HTTPS connections to the web-based
manager, webmail, and per-recipient quarantine through this
network interface.
PING Enable to allow ICMP ping responses from this network
interface.
HTTP Enable to allow HTTP connections to the web-based manager,
webmail, and per-recipient quarantine through this network
interface.
For information on redirecting HTTP requests for webmail and
per-recipient quarantines to HTTPS, see “Spam Report” on
page 376.
Caution: HTTP connections are not secure, and can be
intercepted by a third party. If possible, enable this option only
for network interfaces connected to a trusted private network,
or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise
the security of your FortiMail unit.
SSH Enable to allow SSH connections to the CLI through this
network interface.
SNMP Enable to allow SNMP connections to this network interface.
TELNET Enable to allow Telnet connections to the CLI through this
network interface.
Caution: Telnet connections are not secure, and can be
intercepted by a third party. If possible, enable this option only
for network interfaces connected to a trusted private network,
or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise
the security of your FortiMail unit.

MTU
Override default MTU value (1500). Select to change the maximum transmission
unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiMail unit and its traffic
destinations require smaller or larger units of traffic, packets
may require additional processing at each node in the network
to fragment or defragment the units, resulting in reduced
network performance. Adjusting the MTU to match your
network can improve network performance.
The default value is 1500 bytes. The MTU size must be
between 576 and 1500 bytes.

4 Select OK.

DNS
The DNS tab enables you to configure the DNS servers that the FortiMail unit will
query to resolve domain names into IP addresses.
FortiMail units require DNS servers for features such as reverse DNS lookups and
other aspects of email processing. Your ISP may supply IP addresses of DNS
servers, or you may want to use the IP addresses of your own DNS servers.

Note: For improved FortiMail unit performance, use DNS servers on your local network.

Caution: If the FortiMail unit is operating in gateway mode, you must configure the MX
record of the DNS server for each protected domain to direct all email to this FortiMail unit
instead of the protected SMTP servers. Failure to update the records of your DNS server
may enable email to circumvent the FortiMail unit.

To configure the primary and secondary DNS servers, go to Settings >
Network > DNS.

Figure 67: Network Setting (DNS)

Primary DNS Server Enter the IP address of the primary DNS server.
Secondary DNS Server Enter the IP address of the secondary DNS server.

DDNS
The DDNS tab enables you to configure the FortiMail unit to use a dynamic DNS
(DDNS) service.
If the FortiMail unit has a static domain name and a dynamic public IP address,
you can use DDNS to update DNS servers on the Internet when the public IP
address for the domain name changes.
To configure DDNS, go to System > Network > DDNS.

Figure 68: DDNS settings

Server Select the name of your DDNS service provider.
Username Enter your user name for the DDNS service provider.
Password Enter your password for the DDNS user name.
Update Time Enter the interval in hours between your FortiMail unit
contacting the DDNS server to update its DNS records
with the FortiMail unit’s current IP address.

Routing
The Routing tab displays a list of routes and enables you to configure static routes
and gateways used by the FortiMail unit.
To configure routes, go to System > Network > Routing.

Figure 69: Routing

Destination IP The destination network IP address of traffic that will be routed.
0.0.0.0 indicates any IP address.
Mask The netmask for the route.
Gateway The IP address for the route gateway.
Modify Select Delete to remove the route.
Select Edit to modify the route.
Create New Select to create a new static route.

To create a new route

1 Go to System > Network > Routing.
2 Select Create New.
3 Configure the following:

Figure 70: Edit Routing Entry

Destination IP Enter the destination IP address for this route.
To create a default route, set the Destination IP to 0.0.0.0.
Mask Enter the netmask for this route.
To create a default route, set the mask to 0.0.0.0.
Gateway Enter the IP address of the next hop router to which this route directs
traffic. For an Internet connection, the next hop routing gateway routes
traffic to the Internet.

4 Select OK.

Management IP
The Management IP tab enables you to configure the management IP address of
the FortiMail unit.

Note: This menu option appears only when the FortiMail unit is operating in transparent
mode.

When a FortiMail unit is operating in transparent mode, one or more of its network
interfaces may be configured to act as a Layer 2 bridge, without IP addresses of
their own. However, for administrators to be able to configure the FortiMail unit
through a network connection rather than a local console, the FortiMail unit must
have an IP address. The management IP address enables administrators to
connect to the FortiMail unit through port1 or other network ports, even when they
are currently bridging.
By default, the management IP address is indirectly bound to port1, through the
bridge. If other network interfaces are also included in the bridge with port1, the
FortiMail unit can be configured to respond to connections to the management IP
address that arrive on those other network interfaces. For more information, see
“Do not associate with management IP” on page 131.
Unless you have configured an override server IP address, FortiMail units will use
this IP address for connections with the FortiGuard Distribution Network (FDN).
Depending on your network topology, the management IP may be a private
network address, and therefore not routable from the FDN, making it unsuitable
for use as the destination IP address of push update connections from the FDN. In
this case, for push updates to function correctly, you must configure an override
server. For more information, see “Enabling push updates” on page 127.

To configure the management IP address

1 Go to System > Network > Management IP.
2 Configure the following:

Figure 71: Management IP

IP The IP address of the FortiMail unit that administrators will connect to when
using the web-based manager.
Netmask The netmask for the IP address.

3 Select Apply.

Config
The Config menu enables you to configure an assortment of settings such as the
system time, administrator accounts, the idle timeout of the web-based manager,
and SNMP access.
The Config menu includes the following tabs:
• Time
• Options
• Admin
• SNMP v1/v2c

Time
The Time tab enables you to configure the system time of the FortiMail unit.
For correct scheduling and logging, the FortiMail system time must be accurate.
You can either manually set the FortiMail system time or configure the FortiMail
unit to automatically keep its system time correct by synchronizing with a Network
Time Protocol (NTP) server.

Note: FortiMail units support daylight saving time (DST), including recent changes in the
USA, Canada and Western Australia.

To configure the system time, go to System > Config > Time.

Figure 72: Time Settings

System Time The current FortiMail system date and time.
Refresh Select Refresh to update the display of the current FortiMail
system date and time.
Time Zone Select the appropriate time zone for your region.
Automatically adjust clock for daylight saving changes Select to adjust the
FortiMail system clock automatically when your time zone changes to daylight
saving time and back to standard time.
Set Time Select to manually set the FortiMail system date and time.
Synchronize with NTP Server Select to use a network time protocol (NTP)
server to automatically set the system date and time, then configure Server
and Syn Interval.
Server Enter the IP address or domain name of an NTP server. To find
an NTP server that you can use, see http://www.ntp.org.
Syn Interval Specify how often the FortiMail unit will synchronize its time with
the NTP server. A typical Syn Interval would be 1440 minutes for
the FortiMail unit to synchronize its time once a day.

Options
The Options tab enables you to set the idle timeout and language of the web-
based manager, and to restrict access to the control buttons and LCD by requiring
a PIN (Personal Identification Number).
To view the web-based manager and LCD panel options, go to System >
Config > Options.

Figure 73: Configuration Options

Idle Timeout Enter the amount of time that an administrator may be
inactive before the FortiMail unit automatically logs out the
administrator.
For better security, use a low idle timeout value.
Web Administration
Language Select the language for the display of the web-based
manager.
LCD Panel
PIN Protection Select to require administrators to first enter the PIN before
using the LCD display panel and control buttons on the
FortiMail unit, then enter the 6-digit PIN number.
This option appears only on FortiMail models whose
hardware includes an LCD panel.

Admin
The Admin tab displays a list of the FortiMail unit’s administrator accounts.
Depending on the permission and assigned domain of your account, this list may
not display all other administrator accounts. For more information, see
“Administrator account permissions and domains” on page 139.
By default, FortiMail units have a single administrator account, “admin”. For more
granular control over administrative access, you can create additional
administrator accounts that are restricted to being able to configure a specific
protected domain and/or with restricted permissions. For more information, see
“Administrator account permissions and domains” on page 139 and “Creating an
administrator account” on page 140.

Note: If you have configured a system quarantine administrator account, this account does
not appear in the list of standard FortiMail administrator accounts. For more information on
the system quarantine administrator account, see “System quarantine setting” on
page 384.

To view the list of administrator accounts, go to System > Config > Admin.

Figure 74: Admin

Name The name of the administrator account.
Domain The entire FortiMail unit (“system”) or name of a protected domain to
which an administrator account is assigned.
For more information on protected domain assignments, see
“Administrator account permissions and domains” on page 139.
Trusted Hosts The IP address and netmask from which the administrator can log in.
Permission The permissions of the administrator account:
• all (also known as Administrator)
• Read & Write
• Read Only
For more information on permissions, see “Administrator account
permissions and domains” on page 139.
Auth Type The local or remote type of authentication that the administrator can use:
• Local
• RADIUS
• RADIUS + Local
• PKI

Modify Select Delete to remove an administrator account. This option does not
appear for your own administrator account.
Select Edit to change an administrator account.
Select Change Password to change the password of an administrator
account.
Create New Select to create a new administrator account. For more information, see
“Creating an administrator account” on page 140.

Administrator account permissions and domains

There are three possible permission types for an administrator account:
• Administrator (also known as “all”)
• Read & Write
• Read Only
The permissions of an administrator account, combined with whether the
administrator account is assigned to a specific protected domain such as
example.com or is assigned to the entire system, determine the parts of the
configuration that the administrator is permitted to modify and/or view.

Table 5: Administrator account permissions by domain assignment

Permission: Administrator
Domain: system
• Can create, view and change all other administrator accounts except the
“admin” administrator account
• Can view and change all parts of the FortiMail unit’s configuration, including
uploading configuration backup files and restoring firmware default settings
• Can release and delete quarantined email messages for all protected domains
• Can back up and restore databases
• Can manually update firmware and antivirus definitions
• Can restart and shut down the FortiMail unit
Domain: example.com
• Can create, view and change other administrator accounts with Read & Write
and Read Only permissions in its own protected domain
• Can only view and change settings, including profiles and policies, in its own
protected domain
• Can only view profiles and policies created by an administrator whose Domain
is “system”
• Can be only one per protected domain.

Permission: Read & Write
Domain: system
• Can only view and change its own administrator account
• Can view and change parts of the FortiMail unit’s configuration at the system
and protected domain levels
• Can release and delete quarantined email messages for all protected domains
• Can back up and restore databases
Domain: example.com
• Can only view and change its own administrator account
• Can only view and change parts of the FortiMail unit’s configuration in its own
protected domain
• Can only view profiles and policies created by an administrator whose Domain
is “system”
• Can release and delete quarantined email messages in its own protected
domain

Permission: Read Only
Domain: system
• Can only view and change its own administrator account
• Can view the FortiMail unit configuration at the system and protected domain
levels
• Can release and delete quarantined email messages for all protected domains
• Can back up databases
Domain: example.com
• Can only view and change its own administrator account
• Can only view settings in its own protected domain
• Can only view profiles and policies created by an administrator whose Domain
is “system”

There can be up to five (5) administrator accounts per protected domain. The
maximum total number of administrators with Administrator access that are
assigned to protected domains is 25 for FortiMail-400 models and 50 for FortiMail-
2000 models.
Unlike other administrator accounts whose permission is Administrator and
domain is “system,” the “admin” administrator account exists by default and
cannot be deleted. The “admin” administrator account is similar to a root
administrator account. This administrator account always has full permission to
view and change all FortiMail configuration options, including viewing and
changing all other administrator accounts. Its name, permissions, and assignment
to the “system” domain cannot be changed.

Caution: Set a strong password for the “admin” administrator account, and change the
password regularly. By default, this administrator account has no password. Failure to
maintain the password of the “admin” administrator account could compromise the security
of your FortiMail unit.

Creating an administrator account

For more granular administrative access, the “admin” administrator account can
create additional administrator accounts that are restricted to being able to
configure a specific protected domain and/or with restricted permissions. For more
information, see “Administrator account permissions and domains” on page 139.

Caution: Set a strong password for each administrator account, and change the
passwords regularly. If possible, configure each Trusted Host to restrict administrative
access to the FortiMail unit from within your trusted private network. Failure to restrict
administrative access could compromise the security of your FortiMail unit.

Figure 75: New Administrator

Administrator Enter the name for this administrator account.
Domain Select the entire FortiMail unit (“system”) or name of a protected domain
such as example.com to which this administrator account is assigned.
For more information on protected domain assignments, see
“Administrator account permissions and domains” on page 139.
Password Enter this account’s password.
Confirm password Enter this account’s password again to confirm it.
Trusted Host Enter the IP address from which this administrator can log in.
Netmask Enter the netmask for the Trusted Host.
Permission Select the permissions of this administrator account:
• all (also known as Administrator)
• Read & Write
• Read Only
For more information on permissions, see “Administrator account
permissions and domains” on page 139.
Management mode Select which mode of the web-based manager, Basic or
Advanced, will be displayed when this administrator logs in.
The administrator can switch the mode of the web-based manager at any
time during their administrative session. This option only indicates which
mode will be displayed initially.
Auth Type The local or remote type of authentication that the administrator can use:
• Local
• RADIUS
• RADIUS + Local
• PKI
For more information on remote authentication, see “Radius” on
page 272.

To add an administrator account

1 Go to System > Config > Admin.
2 Select Create New.
3 In Administrator, type a login name for the administrator account.
The login name can contain numbers (0-9), uppercase and lowercase letters
(A-Z, a-z), hyphens (-), and underscores ( _ ). Other special characters and
spaces are not allowed.

4 From Domain, either select a protected domain to which you want to assign the
administrator account, or select “system” to allow the administrator account to
view all protected domains and settings pertaining to the FortiMail unit itself.
5 In Password and Confirm password, type and confirm a password for the
administrator account.
The password can contain any characters except spaces.
6 If you want to restrict the network locations from which this administrator account
can log in, in Trusted Host #1, Trusted Host #2, and Trusted Host #3, type the IP
address and netmask of each permitted location.
If you want the administrator to be able to access the FortiMail unit from any IP
address, type 0.0.0.0/0.0.0.0.
To limit the administrator’s access to the FortiMail unit from a specific network or
IP address, enter that IP address and netmask in dotted decimal format. For
example, you might permit the administrator to log in to the FortiMail unit only from
your private network by typing 192.168.1.0/255.255.255.0.
7 From Permission, select the permissions of the administrator account.
For more information on permissions, see “Administrator account permissions and
domains” on page 139.
8 From Management mode, select either Basic or Advanced to indicate the initial
mode of the web-based manager when the administrator logs in.
9 From Auth Type, select the local or remote authentication style for the
administrator account:
• Local
• RADIUS
• RADIUS + Local
• PKI

Note: RADIUS and PKI authentication require that you first configure a RADIUS
authentication profile or PKI user in the advanced mode of the web-based manager. For
more information, see “Radius” on page 272 and “PKI User” on page 236.

10 Select OK.
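
The account rules in steps 3, 5 and 6 above, as an added worked example (not FortiMail code and not part of the guide). The login-name and password rules are the ones the procedure states; the Trusted Host matching is an assumption about how a connecting address is compared against the configured IP/netmask entries, and `review_admin_account` is a hypothetical pre-check that flags the 0.0.0.0/0.0.0.0 "any address" setting the Caution advises against.

```python
# Added example (not FortiMail code): checks for a proposed administrator
# account as described in the "To add an administrator account" procedure.
import ipaddress
import re

# Login names: digits, upper/lowercase letters, hyphens and underscores only.
LOGIN_NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")
# The guide's "log in from any IP address" entry.
ANY_HOST = ("0.0.0.0", "0.0.0.0")


def valid_login_name(name):
    return bool(LOGIN_NAME_RE.match(name))


def valid_password(password):
    # The guide allows any characters except spaces; an empty password is the
    # factory-default state the Caution warns about, so reject it too (assumption).
    return len(password) > 0 and " " not in password


def trusted_network(ip, netmask):
    # Trusted Host entries are an IP plus a dotted-decimal netmask. strict=False
    # lets a single host such as 192.168.1.7/255.255.255.255 be given directly.
    return ipaddress.IPv4Network((ip, netmask), strict=False)


def login_allowed(source_ip, trusted_hosts):
    """True if source_ip falls inside any of the Trusted Host #1..#3 entries."""
    src = ipaddress.IPv4Address(source_ip)
    return any(src in trusted_network(ip, mask) for ip, mask in trusted_hosts)


def review_admin_account(name, password, trusted_hosts):
    """Return a list of findings for a proposed administrator account."""
    findings = []
    if not valid_login_name(name):
        findings.append("login name may contain only 0-9, A-Z, a-z, '-' and '_'")
    if not valid_password(password):
        findings.append("password must be non-empty and contain no spaces")
    if any(host == ANY_HOST for host in trusted_hosts):
        findings.append("a Trusted Host of 0.0.0.0/0.0.0.0 allows login from any "
                        "IP address; restrict it to the management network")
    return findings


if __name__ == "__main__":
    # Constructed account: only the private network from the guide's example.
    hosts = [("192.168.1.0", "255.255.255.0")]
    print(review_admin_account("ops-admin_2", "C0rrect-Horse", hosts))   # []
    print(login_allowed("192.168.1.42", hosts))                          # True
    print(login_allowed("10.0.0.5", hosts))                              # False
```

The netmask form matters: `ipaddress.IPv4Network` accepts the `(address, netmask)` tuple exactly as the Trusted Host fields are entered, so the same check can be reused when auditing existing accounts exported from the unit.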

SNMP v1/v2c
The SNMP v1/v2c tab enables you to configure SNMP to monitor a high
availability (HA) cluster for failover messages.
You can also use SNMP to monitor some FortiMail-2000A and FortiMail-4000
models which have monitored power supplies and RAID controllers. When a
monitored power supply or a RAID controller is removed or added, the FortiMail
unit will send configured notification for those events by log messages, alert email
messages, and/or SNMP traps.
Before you can use SNMP queries and/or traps, you must enable SNMP access on
the network interfaces that SNMP clients will use to access the FortiMail unit. For
more information, see “Editing network interfaces” on page 130.

To configure the SNMP agent of the FortiMail unit, go to Config > SNMP v1/v2c.

Note: You can download the SNMP MIB file from the Fortinet Technical Support web site,
https://support.fortinet.com/.

Figure 76: SNMP v1/v2c

SNMP Agent Select to enable the FortiMail SNMP agent. This must be enabled
to accept queries or send traps from the FortiMail unit.
Description Enter a descriptive name for the FortiMail unit.
Location Enter the location of the FortiMail unit.
Contact Enter administrator contact information.
Select the blue triangle to expand the list of traps. In this section you configure the
conditions that trigger the FortiMail unit to send a trap if the trap type is enabled for the
community.
Trap Type The type of trap, such as CPU Usage.
Trigger Either the percent of the resource in use or the number of times
the trigger level must be reached before it is triggered.
For example, using the default value, if the mailbox disk is 90% or
more full, it will trigger.
Threshold The number of triggers that will result in an SNMP trap.
For example, if the CPU level exceeds the set trigger percentage
once before returning to a lower level, and the threshold is set to
more than one, an SNMP trap will not be generated until that
minimum number of triggers occurs during the sample period.
Sample Period(s) The time period in seconds during which the FortiMail unit SNMP
Agent counts the number of triggers that occurred.
The default period is 600 seconds (ten minutes).
This value should not be lower than the Sample Frequency.

Sample Freq(s) The interval in seconds between measurements of the trap
condition. You will not receive traps faster than this rate,
depending on the selected sample period.
The default sample frequency is 30 seconds.
This value should be lower than the Sample Period.
Communities The list of SNMP communities added to the FortiMail
configuration.
Create New Select to add a new SNMP community.
For more information, see “Configuring an SNMP community” on
page 144.
Community Name The name of the SNMP community. The SNMP Manager client
must be configured with this name.
Queries A green checkmark icon indicates that queries are enabled.
Traps A green checkmark icon indicates that traps are enabled.
Enable Select to enable or unselect to disable this SNMP community.
Delete icon Select to remove the SNMP community.
Edit icon Select to edit the SNMP community.
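
The interaction of Trigger, Threshold, Sample Period and Sample Freq described above, as an added model in Python (example code, not FortiMail's implementation). The guide does not state the exact counting rule, so the code assumes that one measurement is taken every Sample Freq seconds, that a measurement at or above the Trigger value counts as one trigger, that the Sample Period is a fixed (non-sliding) window, and that one trap is sent per window in which the trigger count reaches the Threshold. The CPU readings are constructed.

```python
# Added example (not FortiMail code): a model of how the trap thresholds on
# this page combine. Window and counting semantics are assumptions; see lead-in.

def trap_times(samples, trigger, threshold, sample_period=600, sample_freq=30):
    """Return the start times (seconds) of the sample periods that raise a trap.

    samples: measurements in chronological order, one per sample_freq seconds
             (for the CPU Usage trap, a percentage).
    trigger: value at or above which a single measurement counts as a trigger.
    threshold: number of triggers within one sample period needed for a trap.
    """
    if sample_freq <= 0 or sample_period <= 0:
        raise ValueError("sample period and sample frequency must be positive")
    if sample_freq > sample_period:
        # The guide says the frequency should be lower than the period: a period
        # shorter than one measurement interval can never count more than one trigger.
        raise ValueError("sample frequency must not exceed the sample period")
    per_period = sample_period // sample_freq   # measurements per sample period
    traps = []
    for start in range(0, len(samples), per_period):
        window = samples[start:start + per_period]
        triggers = sum(1 for value in window if value >= trigger)
        if triggers >= threshold:
            traps.append(start * sample_freq)
    return traps


# Constructed CPU-usage readings: 40 samples at 30 s = two 600 s sample periods.
SAMPLE_CPU = [45] * 40
SAMPLE_CPU[2], SAMPLE_CPU[7] = 95, 91                         # two spikes in period 1
SAMPLE_CPU[22], SAMPLE_CPU[25], SAMPLE_CPU[31] = 97, 90, 93   # three spikes in period 2

if __name__ == "__main__":
    # Trigger 90, Threshold 3: only the second period (starting at 600 s) traps.
    print(trap_times(SAMPLE_CPU, trigger=90, threshold=3))   # [600]
    # Threshold 1 traps on any single spike, so both periods trap.
    print(trap_times(SAMPLE_CPU, trigger=90, threshold=1))   # [0, 600]
```

The practical point is that Threshold suppresses traps for brief spikes: with the defaults, a threshold of 1 reports every excursion above the trigger, while a higher threshold only reports periods in which the condition recurs.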

Configuring an SNMP community

An SNMP community is a grouping of equipment for network administration
purposes. You can add up to three SNMP communities so that SNMP managers
can connect to the FortiMail unit to view system information and receive SNMP
traps. You can configure each community differently for SNMP traps and to
monitor different events. You can add the IP addresses of up to eight SNMP
managers to each community.

To configure an SNMP community

1 Go to System > Config > SNMP v1/v2c.
2 Select Create New.
3 Configure the following:

Figure 77: New SNMP Community

Community Name Enter a name to identify the SNMP community. If you are editing an
existing community, you cannot change the name.
Hosts The list of SNMP managers that can use the settings in this SNMP
community to monitor the FortiMail unit. Select Add to create a new
entry.
IP Address Enter the IP address of an SNMP manager. By default, the IP
address is 0.0.0.0, so that any SNMP manager can use this SNMP
community.
Interface Select the name of the interface that connects to the network where
this SNMP manager is located. You need to do this if the SNMP
manager is on the Internet or behind a router.
Delete icon Select to remove this SNMP manager.
Add Select to add a new default entry to the Hosts list that you can edit as
needed. You can have up to eight SNMP manager entries for a
single community.
Queries Enter the Port number (161 by default) that the SNMP managers in
this community use for SNMP v1 and SNMP v2c queries to receive
configuration information from the FortiMail unit. Select the Enable
check box to activate queries for each SNMP version.

Traps: Enter the Local and Remote port numbers (162 local, 162 remote by default) that the FortiMail unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Enable traps for each SNMP version that the SNMP managers use.
SNMP Event: Enable each SNMP event for which the FortiMail unit should send traps to the SNMP managers in this community.

FortiMail MIBs
The FortiMail SNMP agent supports Fortinet proprietary MIBs as well as standard
RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of
RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to
FortiMail unit configuration.
The FortiMail MIBs are listed in Table 6. You can obtain these MIB files from
Fortinet technical support. To be able to communicate with the SNMP agent, you
must compile all of these MIBs into your SNMP manager.
Your SNMP manager may already include standard and private MIBs in a
compiled database that is ready to use. You must add the Fortinet proprietary MIB
to this database. If the standard MIBs used by the Fortinet SNMP agent are
already compiled into your SNMP manager you do not have to compile them
again.

Table 6: FortiMail MIBs

MIB file name Description
fortimail.mib: The proprietary Fortinet MIB includes detailed FortiMail system configuration information. Your SNMP manager requires this information to monitor FortiMail configuration settings. For more information, see “FortiMail MIB fields” on page 147.
fortimail.trap.mib: The proprietary Fortinet trap MIB includes FortiMail trap information. Your SNMP manager requires this information to receive traps from the FortiMail SNMP agent. For more information, see “FortiMail traps” on page 146.

FortiMail traps
The FortiMail agent can send traps to SNMP managers that you have added to
SNMP communities. To receive traps, you must load and compile the FortiMail trap
MIB into the SNMP manager.
All traps sent include the trap message as well as the FortiMail unit serial number
and host name.


Table 7: FortiMail traps

Trap Description
fmlTrapCpuHighThreshold: Trap sent if CPU usage becomes too high.
fmlTrapMemLowThreshold: Trap sent if memory usage becomes too high.
fmlTrapLogDiskHighThreshold: Trap sent if log disk usage becomes too high.
fmlTrapMailDiskHighThreshold: Trap sent if mailbox disk usage becomes too high.
fmlTrapMailDeferredQueueHighThreshold: Trap sent if the number of deferred email messages becomes too great.
fmlTrapAvThresholdEvent: Trap sent when the number of detected viruses reaches the threshold.
fmlTrapSpamThresholdEvent: Trap sent when the number of spam email messages reaches the threshold.
fmlTrapSystemEvent: Trap sent when the system shuts down, reboots, upgrades, etc.
fmlTrapRAIDEvent: Trap sent for RAID operations.
fmlTrapHAEvent: Trap sent when an HA event occurs.
fmlTrapArchiveEvent: Trap sent when a remote archive event occurs.
fmlTrapIpChange: Trap sent when the IP address of the specified interface has been changed.

FortiMail MIB fields


The FortiMail MIB contains fields reporting current FortiMail unit status
information. The tables below list the names of the MIB fields and describe the
status information available for each one. You can view more details about the
information available from all Fortinet MIB fields by compiling the FortiMail MIB
file into your SNMP manager and browsing the Fortinet MIB fields.

Table 8: System MIB fields

MIB field Description
fmlSysModel: FortiMail model number, for example, 400 for the FortiMail-400.
fmlSysSerial: FortiMail unit serial number.
fmlSysVersion: The firmware version currently running on the FortiMail unit.
fmlSysVersionAv: The antivirus definition version installed on the FortiMail unit.
fmlSysOpMode: The FortiMail unit operation mode (Gateway, Transparent, or Server).
fmlSysCpuUsage: The current CPU usage (%).
fmlSysMemUsage: The current memory utilization (%).
fmlSysLogDiskUsage: The log disk usage (%).
fmlSysMailDiskUsage: The mail disk usage (%).
fmlSysSesCount: The current IP session count.
fmlSysEventCode: System component events.
fmlRAIDCode: RAID system events.


Table 8: System MIB fields (continued)

fmlRAIDDevName: RAID device name.
fmlHAEventId: HA event type ID.
fmlHAUnitIp: Unit IP address where the event occurs.
fmlHAEventReason: The reason for the HA event.
fmlArchiveServerIp: IP address of the remote archive server.
fmlArchiveFilename: Archive mail file name.

Table 9: System options MIB fields

MIB field Description
fmlSysOptIdleTimeout: Idle period after which the administrator is automatically logged out of the system.
fmlSysOptAuthTimeout: Authentication idle timeout value.
fmlSysOptsLan: Web administration language.
fmlSysOptsLcdProt: Whether LCD control button protection is enabled or disabled.

Table 10: System session MIB fields

MIB field Description
fmlIpSessTable: FortiMail IP sessions table.
fmlIpSessEntry: Information about a particular IP session.
fmlIpSessIndex: An index value that uniquely identifies an IP session.
fmlIpSessProto: The protocol of the connection.
fmlIpSessFromAddr: The session source IP address.
fmlIpSessFromPort: The session source port number.
fmlIpSessToAddr: The session destination IP address.
fmlIpSessToPort: The session destination port number.
fmlIpSessExp: Time (in seconds) until the session expires.

Table 11: Mail options MIB fields

MIB field Description
fmlMailOptionsDeferQueue: The current number of deferred email messages.

RAID
The RAID menu enables you to configure Redundant Array of Independent Disks
(RAID) for the FortiMail hard disk devices that are used to store logs and email.


The hard disks of many FortiMail models can use RAID for enhanced
performance and reliability. The default settings for RAID should give good
results, but you can modify the configuration. For more information, see
“Configuring RAID for FortiMail-400 models” on page 151 or “Configuring RAID on
FortiMail-2000/A or FortiMail-4000A models” on page 152.
You can configure the RAID levels for the FortiMail unit local disk partitions used
for storing email files or log files (in the case of FortiMail-400), depending on your
requirements for performance, resiliency, and cost.
RAID events can be logged and can be reported with alert email. These events
include disk full, or disk failure notices. For more information, see “About FortiMail
logging” on page 437, and “Alert Email” on page 452.
The RAID menu varies by FortiMail model, but may include the following tabs:
• Log Device
• Mail Device
Each of those tabs provides similar options for configuring RAID.

Note: If your FortiMail model does not support RAID, tabs in the RAID menu display the
message, “RAID is not available on this system.”

RAID levels
FortiMail-400 models use software RAID which supports RAID levels 0 or 1. The
log disk and email disk on those models can each use different RAID levels.
FortiMail-2000/A and FortiMail-4000A models use hardware RAID controllers and
therefore the log disk and mail disk on these models cannot be separated.
The following tables describe the RAID levels used by the FortiMail units:
Table 12: FortiMail 400

RAID 0: Has striping but no redundancy of data. It offers the fastest performance but has no fault-tolerance: if any hard disk fails, the whole RAID fails. So adding more disks to a RAID 0 array increases the risk of failure. Also known as a striped array.
RAID 1: Consists of at least two drives that duplicate the storage of data. There is no striping. Read performance is improved since either disk can be read at the same time. Write performance is the same as for single disk storage. This technique provides the best performance and the best fault-tolerance in a multi-user system. In a RAID 1 with two hard disks, one hard disk can fail and the RAID will continue to function. You should replace any failed drive as soon as possible. Until that failed drive is replaced, the RAID is essentially running as a RAID 0. Also known as a mirrored array.


Table 13: FortiMail-2000, FortiMail-2000A, and FortiMail-4000A

RAID 10: A combination of RAID 1 and RAID 0 (see Table 12), also called RAID 1+0. Striped and mirrored arrays are good for fault tolerance and high performance, such as for high-load databases. RAID 10 requires a minimum of four drives. Adding two additional drives to the array will add another RAID 1. Any RAID 1 in the array can have a hard disk failure and continue to function, but if both hard disks in a RAID 1 fail then the whole RAID fails.
RAID 10 + hot spare(s) (4000A model): A RAID 10 configuration that has a backup hard disk installed that takes the place of a failed RAID hard disk. The RAID 10 + hot spares must use at least five drives, one spare in addition to the RAID 10 drives. To add another RAID 1, you would need seven drives total because at least one hot spare drive is required.
RAID 50: A combination of RAID 5 with RAID 0 (see Table 12). RAID 5 provides data striping at the byte level and also stripe error correction information. This results in excellent performance and good fault tolerance. The RAID 50 array type provides fault tolerance and high performance. It requires a minimum of six drives. To add another RAID 5 requires an additional three hard disks.
RAID 50 + hot spare(s) (4000A model): A RAID 50 configuration that has a backup hard disk installed that takes the place of a failed RAID hard disk. The RAID 50 + hot spares must use at least seven drives, one spare in addition to the RAID 50 drives.

Hot spares
FortiMail-4000A models have a hot spare RAID option. This feature consists of
one or more disks that are pre-installed with the other disks in the unit. The hot
spare disk is idle until an active hard disk in the RAID fails. Then the RAID
immediately puts the hot spare disk into service and starts to rebuild the data from
the failed disk onto it. This rebuilding may take up to several hours depending on
system load and amount of data stored on the RAID, but the RAID continues
without interruption during the process.
The hot spare feature has one or more extra hard disks installed with the RAID. A
RAID 10 configuration requires two disks per RAID 1, and can have only one hot
spare disk. A RAID 50 configuration requires three disks per RAID 5, and can
have up to two hot spare disks.


Configuring RAID for FortiMail-400 models


To configure RAID, go to either System > RAID > Log Device or System >
RAID > Mail Device.

Figure 78: Log Device and Mail Device (FortiMail-400)

Device Details
Automatic Refresh Interval: Select how often the web-based manager updates the log/mail device status display and select Go.
Refresh: Select to manually update the log device status display.
Name: Name of the RAID. This is hard-coded and not configurable.
Level: Level of the current RAID configuration.
Change: Select to change the RAID level.
State: Status of the RAID device.
• dirty: On a normal system the array will be in a dirty state, which means that the RAID device has information that needs to be written to disk.
• clean: When the information on the RAID device is written to disk, the array will be marked clean.
• errors: Errors were detected on the array.
• no-errors: No errors were detected on the array.
• dirty no-errors: For normal operation, this is the expected setting.
• clean no-errors: For a system with an unmounted RAID array, this is the expected setting.
Array Details: Enables you to remove or recover disks for the array.
Resynch Status: A progress bar to show how far the RAID configuration has gone in rebuilding the RAID. If the RAID is not synched, then the system is rebuilding itself for some reason. This section is displayed only when [click here to check array] has been selected and the status of the RAID is anything other than clean with no errors.
Percentage: Displays the percentage of the resynch that remains to be done.


Done: Displays the amount of the resynch that has been completed, both as a percentage and as the number of kilobytes completed out of the size of the disk.
Finished in: Displays the time in hours, minutes, and seconds until the currently running resynch is complete.
Speed: Displays the average speed of the data transfer for the resynch. This is affected by the disk being in use during the resynch.
[click here to check array]: Select to start a diagnostic check on this RAID. The progress is displayed in the Resynch Status section. No check will be run if the status of the RAID is clean with no errors.

To change RAID levels (FortiMail-400)

1 Go to System > RAID > Log Device or System > RAID > Mail Device.
2 For Device Details, select Change to change the RAID level to 0 or 1.

Caution: Changing the device’s RAID level temporarily suspends all mail operations and
erases all data on the device.

The new hard disk will appear in the Device Details section.

Configuring RAID on FortiMail-2000/A or FortiMail-4000A models


To configure RAID, go to System > RAID.

Figure 79: Log Device and Mail Device (FortiMail-2000/A, and FortiMail-4000A)

General RAID settings: Settings that apply to all RAID controllers and disks.
Web page Refresh Interval: Select how often the web-based manager updates the log device status display and select Go.


Refresh now: Select to manually update the log device status display.
Controller number: The RAID controller number. The following fields apply to this controller.
Set RAID level to: Select the RAID level desired. RAID levels 10 and 50 are available on the FortiMail-2000, FortiMail-2000A, and FortiMail-4000A. Hot spares are available only on the FortiMail-4000A.
Change: Select to apply the RAID level indicated.
Model: The model of the hardware RAID controller.
Driver: The version of the RAID controller software driver.
Firmware: The version of the RAID controller firmware.
Unit: List of RAID units.
Type: RAID type used. Depending on the FortiMail unit model, valid types include:
• RAID 10
• RAID 10 + hot spare(s)
• RAID 50
• RAID 50 + hot spare(s)
Status: Status of the RAID units.
• OK: The RAID controller is operating normally.
• Warning: A background task is currently being performed (rebuilding, migrating, or initializing). Do not remove the disks while this status is displayed.
• Error: A controller is degraded or inoperable.
• No Units: No RAID controllers are available.
Note that if both Error and Warning conditions exist, the status will appear as Error.
Size (GB): Total disk space available for that RAID array, or individual hard disk.
Ignore ECC: Select to enable Ignore Error Correcting Code (ECC). This option is off by default. Ignoring ECC can speed up building the RAID, but the RAID will not be as fault-tolerant.
Port: List of connections between the RAID controller and hard disks.
Part of Unit: The RAID unit to which the port connection belongs.
Status: Status of the hard disk.
Size: Size of the hard disk.
Remove: Select to swap a hard disk.
Add to u(n): Select to add a hard disk to the specified unit. This button appears only after a disk has been deleted by the system and the hard disk has been removed.
Click to start controller rescan: Select to update unit information after adding or removing a hard disk.

To change RAID levels (FortiMail-2000/A or FortiMail-4000A)

Caution: Back up data on the disk before beginning this procedure. Changing the device’s
RAID level temporarily suspends all mail processing and erases all data on the hard disk.
For more information on creating a backup, see “Backing up the configuration” on
page 118.

1 Go to System > RAID.


2 Select a RAID level in the Set RAID level to field.


3 Select Change.
The system will reboot after the RAID level changes.
When replacing a disk in the RAID array, the new disk must have the same or
greater storage capacity than the existing disks in the array. If the new disk has a
larger capacity than the other disks in the array, only the amount equal to the
smallest hard disk will be used. For example, if the RAID has 400 GB disks and you
replace one with a 500 GB disk, only 400 GB will be used on the new disk, so
that it matches the other disks.

To replace a disk in the RAID array (FortiMail-2000/A or FortiMail-4000A)


1 Go to System > RAID.
2 Select Remove for the disk to be replaced.
3 For non-hot spare configurations, shut down the FortiMail unit. Hot spare
configurations do not require a shut down.
4 Ensure you are protected from static electricity using measures such as an
anti-static wrist strap.
5 Remove the failed hard disk from the FortiMail unit.
6 Install the new hard disk into the FortiMail unit.
7 For non-hot spare configurations, restart the FortiMail unit. Hot spare RAID
configurations do not require a restart.
8 Go to System > RAID.
9 For the disk that you replaced, select Add to.

Note: If you do not see the Add to buttons, select “click to start controller rescan”.

10 Select “click to start controller rescan”.

HA
The HA menu enables you to configure the FortiMail unit to act as a member of a
high availability (HA) cluster.
For information about HA of FortiMail units, see “Configuring and operating
FortiMail HA” on page 463.

Certificate
The Certificate menu enables you to generate, import, revoke, and manage other
aspects of certificates used by or with the FortiMail unit.
The Certificate menu includes the following tabs:
• Local Certificate
• CA Certificate


• Certificate Revocation List
• Remote

Local Certificate
The Local Certificate tab displays certificate requests and installed local
certificates. It also enables you to generate certificate requests, and to import
signed certificates in order to install them for local use by the FortiMail unit.
FortiMail units require a local server certificate that they can present when clients
request secure connections, including:
• the web-based manager (HTTPS connections only)
• webmail (HTTPS connections only)
• secure email, such as SMTPS, IMAPS, and POP3S
To view the list of certificates and certificate requests, go to System >
Certificate > Local Certificate.

Figure 80: Local Certificate
(Figure callouts: Set current Certificate as default, Delete, View Certificate Detail, Download, Download PKCS12 file)

Generate: Select to generate a local certificate request. For more information, see “Generating a certificate signing request” on page 156.
Import: Select to import a signed local certificate. For more information, see “Importing a certificate” on page 158.
Subject: The Distinguished Name (DN) located in the “subject” field of the certificate. If the certificate has not yet been signed, this field is empty.
Status: The status of the local certificate.
• Default: Indicates that the certificate was successfully imported, and is currently selected for use by the FortiMail unit.
• OK: Indicates that the certificate was successfully imported, but is not selected as the certificate currently in use.
• PENDING: Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a local certificate.
View Certificate Detail: Select to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.
Delete: Select to remove the certificate or certificate request.


Set current Certificate as default: Select to use the certificate in the corresponding row as the current certificate, then select OK. A confirmation dialog appears, and the Status column changes to indicate that the certificate is the current (“default”) certificate.
Download: Select to download a copy of the certificate request to your management computer. You can send the request to your certificate authority (CA) to obtain a signed certificate for the FortiMail unit. For more information, see “Downloading a certificate request” on page 158.
Download PKCS12 file: Select to download a PKCS #12 file to your management computer. For more information, see “Downloading a PKCS #12 file” on page 160.

Generating a certificate signing request


You can generate a certificate request file, based on the information you enter to
identify the FortiMail unit. Certificate request files can then be submitted for
verification and signing by a certificate authority (CA).

To generate a certificate request


1 Go to System > Certificate > Local Certificate.
2 Select Generate.
3 Configure the following:

Figure 81: Generate Certificate Signing Request

Certification Information: Enter a unique name for the certificate request, such as fmlocal.
Subject Information: Information that the certificate is required to contain in order to uniquely identify the FortiMail unit.


ID Type: Select which type of identifier will be used in the certificate to identify the FortiMail unit:
• Host IP
• Domain Name
• E-Mail
Which type you should select varies by whether or not your FortiMail unit has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate.
For example, if your FortiMail unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web-based manager by the domain name of the FortiMail unit, you might prefer to generate a certificate based upon the domain name of the FortiMail unit, rather than its IP address.
• Host IP requires that the FortiMail unit have a static, public IP address. It may be preferable if clients will be accessing the FortiMail unit primarily by its IP address.
• Domain Name requires that the FortiMail unit have a fully-qualified domain name (FQDN). It may be preferable if clients will be accessing the FortiMail unit primarily by its domain name.
• E-Mail does not require either a static IP address or a domain name. It may be preferable if the FortiMail unit does not have a domain name or public IP address.
IP: Enter the static IP address of the FortiMail unit. This option appears only if ID Type is Host IP.
Domain Name: Type the fully-qualified domain name (FQDN) of the FortiMail unit. The domain name may resolve to either a static or, if the FortiMail unit is configured to use a dynamic DNS service, a dynamic IP address. For more information, see “Interface” on page 129 and “DDNS” on page 133. If a domain name is not available and the FortiMail unit subscribes to a dynamic DNS service, an “unable to verify certificate” message may be displayed in the user’s browser whenever the public IP address of the FortiMail unit changes. This option appears only if ID Type is Domain Name.
e-mail: Type the email address of the owner of the FortiMail unit. This option appears only if ID Type is E-Mail.
Optional Information: Information that you may include in the certificate, but which is not required.
Organization Unit: Type the name of your organizational unit, such as the name of your department. (Optional.) To enter more than one organizational unit name, select the “+” icon, and enter each organizational unit separately in each field.
Organization: Type the legal name of your organization. (Optional.)


Locality (City): Type the name of the city or town where the FortiMail unit is located. (Optional.)
State/Province: Type the name of the state or province where the FortiMail unit is located. (Optional.)
Country: Select the name of the country where the FortiMail unit is located. (Optional.)
e-mail: Type an email address that may be used for contact purposes. (Optional.)
Key Type: The type of algorithm used to generate the key. This option is unavailable, because only RSA is currently supported.
Key Size: Select a security key size of 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.

4 Select OK.
The certificate is generated, and can be downloaded to your management
computer for submission to a certificate authority (CA) for signing. For more
information, see “Downloading a certificate request” on page 158.

Downloading a certificate request


After you have generated a certificate request, you can download the request file
to your management computer in order to submit the request file to a certificate
authority (CA) for signing.
To download and submit a certificate request
1 Go to System > Certificate > Local Certificate.
2 In the row that corresponds to the certificate request, select Download.
3 If your browser prompts you for a location to save the file, select a location.
The certificate request (.csr) file is downloaded to your management computer.
4 Submit the certificate request to your CA.
• Using the web browser on the management computer, browse to the web site
for your CA.
• Follow your CA’s instructions to submit a Base64-encoded PKCS #10 certificate
request, uploading the certificate request file you downloaded.
• Follow your CA’s instructions to download their root certificate and Certificate
Revocation List (CRL), and then install the root certificate and CRL on each
remote client. For details, see the documentation for each client.
5 When you receive the signed certificate from the CA, install the certificate on the
FortiMail unit. For more information, see “Importing a certificate” on page 158.

Importing a certificate
You can upload Base64-encoded certificates in either privacy-enhanced email
(PEM) or public key cryptography standard #12 (PKCS #12) format from your
management computer to the FortiMail unit.
Importing a certificate may be useful when:
• restoring a certificate backup
• installing a certificate that has been generated on another system


• installing a certificate, after the certificate request has been generated on the
FortiMail unit and signed by a certificate authority (CA)
If you generated the certificate request using the FortiMail unit, after you submit
the certificate request to CA, the CA will verify the information and register the
contact information in a digital certificate that contains a serial number, an
expiration date, and the public key of the CA. The CA will then sign the certificate
and return it to you for installation on the FortiMail unit. To install the certificate,
you must import it. For more information on generating certificate requests, see
“Generating a certificate signing request” on page 156.
If the FortiMail unit’s local certificate is signed by an intermediate CA rather than a
root CA, before clients will trust the FortiMail unit’s local certificate, you must
demonstrate a link with trusted root CAs, thereby proving that the FortiMail unit’s
certificate is genuine. You can demonstrate this chain of trust either by:
• installing each intermediate CA’s certificate in the client’s list of trusted CAs
• including a signing chain in the FortiMail unit’s local certificate
To include a signing chain, before importing the local certificate to the FortiMail
unit, first open the FortiMail unit’s local certificate file in a plain text editor, append
the certificate of each intermediate CA in order from the intermediate CA who
signed the FortiMail unit’s certificate to the intermediate CA whose certificate was
signed directly by a trusted root CA, then save the certificate. For example, a local
certificate which includes a signing chain might use the following structure:
-----BEGIN CERTIFICATE-----
<FortiMail unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the
FortiMail certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the
certificate of intermediate CA 1 and whose certificate
was signed by a trusted root CA>
-----END CERTIFICATE-----
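Before importing a bundle assembled this way, it is worth confirming the order mechanically: each certificate's issuer must equal the subject of the certificate that follows it, and the first block must be the server certificate, not a self-signed CA. The following script is an added example (not part of this guide or of Fortinet's software) that does that check with a minimal standard-library DER walker; the sample certificates it builds are constructed, unsigned stand-ins with the X.509 field layout, and `check_signing_chain()` can be pointed at the text of a real bundle.

```python
"""Check that a PEM bundle is ordered server certificate first, then each
intermediate CA up toward the root (issuer of cert i == subject of cert i+1)."""
import base64
import re

# ---- minimal DER encode/decode helpers (enough to walk X.509 Name fields) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Encode one TLV element."""
    return bytes([tag]) + _der_len(len(body)) + body

def der_name(cn):
    """Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), UTF8String }."""
    attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, attr))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split a constructed element's body into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def name_to_str(name_body):
    parts = []
    for _, rdn in _children(name_body):              # each RelativeDistinguishedName (SET)
        for _, attr in _children(rdn):               # each AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, val) = _children(attr)[:2]
            parts.append(f"{_OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def parse_cert(der_bytes):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, cert, _ = _read_tlv(der_bytes, 0)             # Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {"issuer": fields[2][1], "subject": fields[4][1]}

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    return [base64.b64decode("".join(b.split())) for b in _PEM_RE.findall(text)]

def check_signing_chain(pem_text):
    """Return a list of problems; an empty list means the bundle is in the documented order."""
    certs = [parse_cert(d) for d in pem_certs(pem_text)]
    if not certs:
        return ["no certificates found in bundle"]
    problems = []
    if certs[0]["issuer"] == certs[0]["subject"]:
        problems.append("first certificate is self-signed; expected the FortiMail server certificate")
    for i in range(len(certs) - 1):
        if certs[i]["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"certificate {i} was issued by '{name_to_str(certs[i]['issuer'])}' "
                            f"but certificate {i + 1} is '{name_to_str(certs[i + 1]['subject'])}'")
    return problems

# ---- constructed test data: unsigned stand-ins with a real certificate layout ----
_SHA256_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + b"\x05\x00")

def make_stub_cert(subject_cn, issuer_cn):
    validity = der(0x30, der(0x17, b"080101000000Z") + der(0x17, b"090101000000Z"))
    spki = der(0x30, _RSA + der(0x03, b"\x00\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SHA256_RSA
              + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return der(0x30, tbs + _SHA256_RSA + der(0x03, b"\x00\x00"))   # empty signature: stub only

def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SERVER = to_pem(make_stub_cert("mail.example.com", "Intermediate CA 1"))
INT1 = to_pem(make_stub_cert("Intermediate CA 1", "Intermediate CA 2"))
INT2 = to_pem(make_stub_cert("Intermediate CA 2", "Example Root CA"))
GOOD_BUNDLE = SERVER + INT1 + INT2      # the order shown above
BAD_BUNDLE = SERVER + INT2 + INT1       # intermediates swapped, a common mistake

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, check_signing_chain(bundle) or "chain order OK")
```

Comparing the raw DER of issuer and subject is the same byte-for-byte matching most TLS stacks do when they build a chain, so a bundle this check accepts is one clients can follow up to the root they already trust.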

To import a local certificate


1 Go to System > Certificate > Local Certificate.
2 Select Import.
3 From Type, select the type of the import file or files:
• Local Certificate: The certificate is stored in a file that does not require a
password.
• PKCS12 Certificate: The certificate and private key are stored in a PKCS #12
password-encrypted file.
• Certificate: The certificate and key file are stored separately, and the private
key is password-encrypted.
The remaining fields vary by your selection in Type.


4 Configure the following:

Figure 82: Upload Local Certificate (Local Certificate)

Figure 83: Upload Local Certificate (PKCS12 Certificate)

Figure 84: Upload Local Certificate (Certificate)

Certificate file: Enter the location of the previously exported certificate file, or select Browse to locate the file. This option appears only when Type is Local Certificate or Certificate.
Certificate with key file: Enter the location of the previously exported certificate and key file, or select Browse to locate the file. This option appears only when Type is PKCS12 Certificate.
Key file: Enter the location of the previously exported key file, or select Browse to locate the file. This option appears only when Type is Certificate.
Password: Enter the password that was used to encrypt the file, enabling the FortiMail unit to decrypt and install the certificate. This option appears only when Type is PKCS12 Certificate or Certificate.

5 Select OK.
A confirmation message appears.
6 Select Return.

Downloading a PKCS #12 file


You can export certificates from the FortiMail unit to a PKCS #12 file for secure
download and import to another platform, or for backup purposes.

To download a PKCS #12 file


1 Go to System > Certificate > Local Certificate.
2 In the row corresponding to the certificate whose PKCS12 file you want to
download, select Download.


3 Configure the following:

Figure 85: PKCS12 Certificate Download

Password Enter the password that will be used to encrypt the export file.
Confirm Password Enter the password again to confirm its spelling.

4 Select Download PKCS12 file.


5 If your browser prompts you for a location to save the file, select a location.
The PKCS #12 (.p12) file is downloaded to your management computer. For
information on importing a PKCS #12 file, see “Importing a certificate” on
page 158.

CA Certificate
The CA Certificate tab enables you to view and import certificates for certificate
authorities (CA).
CA certificates are required by connections that use transport layer security
(TLS). For more information, see “TLS Profile” on page 350. Depending on the
configuration of each PKI user, CA certificates may also be required to
authenticate PKI users. For more information, see “PKI User” on page 236.
To view the list of CA certificates, go to System > Certificate > CA Certificate.

Figure 86: CA Certificate
(Figure callouts: Delete, Download, View Certificate Detail)

Import: Select to import a certificate.
Name: The name of the certificate.
Subject: The Distinguished Name (DN) located in the “subject” field of the certificate.
Delete: Select to remove the certificate.
View Certificate Detail: Select to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.
Download: Select to download a copy of the certificate to your management computer.

To import a CA certificate
1 Go to System > Certificate > CA Certificate.
2 Select Import.


3 In Upload File, enter the location of the certificate file on your management
computer, or select Browse to select the location.
4 Select OK.
A confirmation message appears.
5 Select Return.

Certificate Revocation List


The Certificate Revocation List tab enables you to view and import certificate
revocation lists.
To ensure that your FortiMail unit validates only certificates that have not been
revoked, you should periodically upload a current certificate revocation list, which
may be provided by certificate authorities (CA). Alternatively, you can use online
certificate status protocol (OCSP) to query for certificate statuses. For more
information, see “Remote” on page 163.
To view the list of certificate revocation lists, go to System > Certificate > Certificate
Revocation List.

Figure 87: Certificate Revocation List


Import Select to import a certificate revocation list.


Name The name of the certificate revocation list.
Subject The Distinguished Name (DN) located in the “subject” field
of the certificate revocation list.
Delete Select to remove the certificate revocation list.
View Certificate Detail Select to display certificate details including the certificate
name, issuer, and the range of dates within which the
certificate revocation list is current.
Download Select to download a copy of the certificate revocation list to your
management computer.

To import a certificate revocation list


1 Go to System > Certificate > Certificate Revocation List.
2 Select Import.
3 In Upload File, enter the location of the certificate revocation list file on your
management computer, or select Browse to select the location.
4 Select OK.
A confirmation message appears.
5 Select Return.


Remote
The Remote tab enables you to view and import the certificates of the online
certificate status protocol (OCSP) servers of your certificate authority (CA).
OCSP enables you to revoke or validate certificates by query, rather than by
importing certificate revocation lists (CRL). For information about importing CRLs,
see “Certificate Revocation List” on page 162.
Remote certificates are required if you enable OCSP for PKI users. For more
information, see “Creating a PKI user” on page 237.
To view the list of remote certificates, go to System > Certificate > Remote.

Figure 88: Remote


Import Select to import a certificate.


Delete Select to remove the certificate.
Name The name of the certificate.
Subject The Distinguished Name (DN) located in the “subject” field
of the certificate.
View Certificate Detail Select to display certificate details including the certificate
name, issuer, subject, and the range of dates within which
the certificate is valid.
Download Select to download a copy of the certificate to your
management computer.

To import a remote certificate


1 Go to System > Certificate > Remote.
2 Select Import.
3 In Upload File, enter the location of the certificate on your management computer,
or select Browse to select the location.
4 Select OK.
A confirmation message appears.
5 Select Return.

Maintenance
The Maintenance menu enables you to manage your system configuration by
performing configuration backups, restoring these backups, and restoring
firmware.
The Maintenance menu includes the following tabs:


• Central Management
• Backup & Restore

Central Management
The Central Management tab enables you to use a FortiManager unit to manage
your FortiMail configuration and firmware.
You can back up the FortiMail configuration to a FortiManager unit or restore the
configuration from a FortiManager unit. You can also configure your FortiMail unit
to back up configuration settings automatically to a FortiManager unit and allow a
FortiManager unit to update the FortiMail configuration.
To configure central management, go to System > Maintenance > Central
Management.

Figure 89: Central Management Setting

Enable Central Management Select to allow a FortiManager unit to manage your FortiMail unit.
IP Enter the IP address of the FortiManager unit.
Allow automatic backup of configuration on logout If enabled, the FortiMail unit will send a configuration backup to the FortiManager unit every time an administrator logs out of the FortiMail web-based manager. The FortiManager unit saves these configuration backup files.
Allow configuration updates initiated by the management server If enabled, the FortiMail unit accepts configuration updates from the FortiManager unit.

Backup & Restore


The Backup & Restore tab enables you to back up the configuration of the
FortiMail unit to a file, to restore the configuration from that backup file, and to
change the firmware of the FortiMail unit.

Limitations
Backing up the FortiMail unit’s configuration does not include dictionaries and the
Bayesian database, which must be backed up separately. For more information
see “Maintenance” on page 310 and “User” on page 389.
Backing up the FortiMail unit’s configuration does include all black/white lists,
custom messages, the Access Control List (ACL), and user preferences. For more
information see “System black/white list” on page 402, “Appearance” on
page 176, and “User Preferences” on page 224.


Backing up the system configuration


You can back up the system configuration to a file on your management computer
or to the FortiManager unit configured in System > Maintenance > Central
Management.

To back up the system configuration to your management computer


1 Go to System > Maintenance > Backup & Restore.
2 Under Backup configuration to, select Local PC.
3 Select Backup to begin the backup operation.

To back up the system configuration to a FortiManager unit


1 Go to System > Maintenance > Backup & Restore.
2 Under Backup configuration to, select FortiManager.
3 Enter a comment to identify the configuration backup.
This will help you find it should you need to restore the configuration later.
4 Select Backup.
When the backup is complete, a message will confirm that the operation was
successful.
5 Select OK to return to the Backup & Restore window.

Restoring the system configuration


You can restore the system configuration by uploading a system configuration file
from your management computer or from the FortiManager unit configured in
System > Maintenance > Central Management.

To restore the system configuration from your management computer


1 Go to System > Maintenance > Backup & Restore.
2 Under Restore configuration from, select Local PC.
3 Select the Browse button to choose the saved system configuration file.
4 Select Restore.
The FortiMail unit will take several minutes to load the configuration file and
reboot.
5 Connect to the web-based manager again to review your configuration and
confirm that the system configuration has been successfully restored.

To restore the system configuration from a FortiManager unit


1 Go to System > Maintenance > Backup & Restore.
2 Under Restore configuration from, select FortiManager.
3 Select the configuration to be restored from the list.
Each configuration will display the user who created the backup, the date and
time, and a comment.
4 Select Restore.
The FortiMail unit will take several minutes to load the configuration file and
reboot.


5 Connect to the web-based manager again to review your configuration and
confirm that the system configuration has been successfully restored.

Restoring firmware
You can restore firmware, whether to upgrade or downgrade, from your
management computer or from the FortiManager unit configured in System >
Maintenance > Central Management.

Note: Check the release notes for the firmware version you’re upgrading to for information
about upgrade procedures. Firmware downgrades will clear your configuration and reset
the FortiMail to the factory default settings. Save your system configuration before
downgrading.

To restore a firmware file from your management computer


1 Go to System > Maintenance > Backup & Restore.
2 Under Restore firmware from, select Local PC.
3 Select the Browse button to choose the firmware file.
4 Select Restore.
The FortiMail unit will take several minutes to load the firmware file and reboot.
5 Connect to the web-based manager again to confirm that the firmware has been
successfully installed.

To restore firmware from a FortiManager unit


1 Go to System > Maintenance > Backup & Restore.
2 Under Restore firmware from, select FortiManager.
3 Choose the firmware to be restored.
The FortiMail unit will display the version and build number of each available
firmware file.
4 Select Restore.
The FortiMail unit will take several minutes to load the firmware file and reboot.
5 Connect to the web-based manager again to confirm that the firmware has been
successfully installed.


Mail Settings
The Mail Settings menu enables you to configure the basic email settings of the
FortiMail unit, such as the port number of the FortiMail SMTP proxy and how the
proxy handles connections, and enables you to manage the mail queues.
The Mail Settings menu includes:
• Settings
• Domains
• Access
• Mail Queue
• Address Book
• Proxies

Settings
The Settings menu enables you to configure assorted settings that apply to the
SMTP server and webmail server that are built into the FortiMail unit itself.
The Settings menu includes the following tabs:
• Local Host
• Advanced (mail server settings)
• Disclaimer
• Custom Messages
• Appearance
• Storage

Local Host
The Local Host tab enables you to configure the SMTP server settings of the
“system” domain, which is located on the local host (that is, your FortiMail unit).
You should usually configure the FortiMail unit with a local domain name that is
different from that of the protected domains, such as mail.example.com for the
FortiMail unit and server.mail.example.com for the protected mail server. The local
domain name of the FortiMail unit is used by many FortiMail features, such as
email quarantine, Bayesian database training, spam reports, and delivery status
notification (DSN) email messages; if the FortiMail unit uses the same domain
name as your mail server, it may become difficult to distinguish email messages
that originate from the FortiMail unit.
To configure local SMTP server settings, go to Mail Settings > Settings >
Local Host.


Figure 90: Local Host Setting (transparent mode and gateway mode)

Figure 91: Local Host Setting (server mode)

Local Host
Host Name Enter the host name of the FortiMail unit.
You should use a different host name for each FortiMail
unit, especially when you are managing multiple FortiMail
units of the same model, or when configuring a FortiMail
high availability (HA) cluster. This will enable you to
distinguish between different members of the cluster. If
the FortiMail unit is in HA mode:
• When you connect to the web-based manager, your
web browser will display the host name of that cluster
member in its status bar.
• The FortiMail unit will add the host name to the subject
line of alert email messages.


Local Domain Name Enter the local domain name of the FortiMail unit itself. The FortiMail unit’s fully qualified domain name (FQDN) is in the format <Host Name>.<Local Domain Name>.
Note: The Local Domain Name can be a subdomain of an
internal domain if the MX record for the domain on the
DNS server can direct the mail destined for the
subdomain to the intended FortiMail unit.
SMTP Server Port Number Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.
SMTP over SSL/TLS Enable to allow SSL- and TLS-secured connections from servers and clients requesting SSL/TLS.
When disabled, SMTP connections with the FortiMail unit’s SMTP server will occur as clear text, unencrypted.
This option must be enabled to use SMTPS.
SMTPS Server Port Number Enter the port number on which the FortiMail unit’s SMTP server listens for secure SMTP connections. The default port number is 465.
This option is unavailable if SMTP over SSL/TLS is disabled.
POP3 Server Port Number Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.
This option is available only if the FortiMail unit is operating in server mode.
Relay Server
Relay Server Name Enter the domain name of an SMTP relay server, if any.
This is typically provided by your ISP.
Relay Server Port Enter the port number on which the SMTP relay server
listens. This is typically provided by your ISP.
Authentication Required If the relay server requires authentication, enable this option, then select the blue arrow to expand and configure User Name, Password, and Auth Type. Available authentication types include:
• AUTO
• PLAIN
• LOGIN
• DIGEST-MD5
• CRAM-MD5
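The Auth Type choices above differ in what they put on the wire, which is why SMTP over SSL/TLS matters for the relay connection. As an added illustration (not FortiMail code; the credentials and the server challenge are constructed sample values), the following Python shows both sides of the PLAIN, LOGIN and CRAM-MD5 exchanges and a check of when the relay password would be visible to anyone observing an unencrypted session:

```python
"""SMTP AUTH mechanisms offered for the relay server: PLAIN, LOGIN, CRAM-MD5.
Added example, not FortiMail code. Credentials and the server challenge below
are constructed sample values."""
import base64
import hashlib
import hmac

# Constructed sample credentials (not real accounts).
USERNAME = "relay-user"
PASSWORD = "s3cret-sample"
# Constructed server challenge as sent after "AUTH CRAM-MD5" (the wire form is
# base64; this is the decoded value the client signs).
CRAM_CHALLENGE = b"<1896.697170952@relay.example.com>"


def auth_plain(username: str, password: str) -> str:
    """Client side of AUTH PLAIN (RFC 4616): base64 of NUL user NUL password.
    Base64 is an encoding, not encryption: anyone who captures the session can
    recover the password, so this mechanism belongs only on an SSL/TLS-protected
    connection (SMTPS on port 465 or STARTTLS on port 25)."""
    raw = b"\x00" + username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_auth_plain(response: str) -> tuple:
    """Server side of AUTH PLAIN: the response decodes straight back to
    (username, password), which is exactly what a network observer sees."""
    _authzid, authcid, passwd = base64.b64decode(response).split(b"\x00", 2)
    return authcid.decode("utf-8"), passwd.decode("utf-8")


def auth_login(username: str, password: str) -> tuple:
    """Client side of AUTH LOGIN: username and password are sent as two separate
    base64 replies to the server's "Username:" and "Password:" prompts. The
    same clear-text caveat as PLAIN applies."""
    return (base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def auth_cram_md5(username: str, password: str, challenge: bytes) -> str:
    """Client side of AUTH CRAM-MD5 (RFC 2195): base64("user " + hex HMAC-MD5,
    keyed with the password, over the server's one-time challenge). The password
    never crosses the wire and the digest is bound to this challenge, so a
    captured response is not reusable for a later session."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def verify_cram_md5(response: str, challenge: bytes, lookup_password) -> bool:
    """Server side of AUTH CRAM-MD5: recompute the digest from the stored
    password for the named user and compare in constant time."""
    try:
        user, digest = base64.b64decode(response).decode("utf-8").split(" ", 1)
    except ValueError:
        return False
    stored = lookup_password(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def password_exposed_to_observer(mechanism: str, tls: bool) -> bool:
    """Configuration check: does the chosen Auth Type hand the reusable relay
    password to anyone who can observe the connection? True for PLAIN and LOGIN
    without SSL/TLS. CRAM-MD5 and DIGEST-MD5 send only a challenge-bound digest.
    AUTO is treated conservatively (assumption: it may end up negotiating PLAIN
    or LOGIN with the relay)."""
    clear_text_mechanisms = {"PLAIN", "LOGIN", "AUTO"}
    return mechanism.upper() in clear_text_mechanisms and not tls


if __name__ == "__main__":
    print("PLAIN   :", auth_plain(USERNAME, PASSWORD))
    print("LOGIN   :", auth_login(USERNAME, PASSWORD))
    print("CRAM-MD5:", auth_cram_md5(USERNAME, PASSWORD, CRAM_CHALLENGE))
    for mech in ("PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"):
        print(f"{mech:10s} exposed without TLS:", password_exposed_to_observer(mech, False))
```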

Advanced (mail server settings)


The Advanced tab enables you to configure an assortment of advanced features
for the FortiMail unit’s SMTP server, such as disabling ESMTP. Many of these
settings are not commonly used, but are available if necessary.
To configure advanced SMTP settings, go to Mail Settings > Settings >
Advanced.


Figure 92: Mail server advanced settings

Deferred Oversize Message Delivery To defer sending email messages that are larger than the limit, configure both “Start delivering messages at n (hour) n (mins)” and “Stop delivering messages at n (hour) n (mins)”.
For information on the deferred delivery limit, see “Incoming” on page 276.
Start delivering messages at n (hour) n (mins) Select the hour and minute of the day at which to begin delivering oversize email messages.
Stop delivering messages at n (hour) n (mins) Select the hour and minute of the day at which to stop delivering oversize email messages.
DSN
Sender displayname The name of the sender, such as “FortiMail administrator”, as it should appear in delivery status notification (DSN) email messages sent by the FortiMail unit to notify email users of delivery failure.
If this field is empty, the FortiMail unit sends DSN from the default name of “postmaster”.
For more information on DSN, see “Mail Queue” on page 207.
Sender address The sender email address in delivery status notification (DSN)
email messages sent by the FortiMail unit to notify email users of
delivery failure.
If this field is empty, the FortiMail unit sends DSN from the default
sender email address of “postmaster@example.com”, where
“example.com” is the domain name of the FortiMail unit.
For more information on sending of DSN, see “Mail Queue” on
page 207.
Mail Queue


Maximum time for email in queue Select the maximum number of days that deferred email messages can remain in the deferred or spam mail queue, during which the FortiMail unit periodically retries to send the message.
After the maximum time has been reached, the FortiMail unit will send a final delivery status notification (DSN) email message to notify the sender that the email message was undeliverable.
For more information on the FortiMail mail queues, see “Mail Queue” on page 207.
Maximum time for DSN email in queue Select the maximum number of days a delivery status notification (DSN) message can remain in the mail queues. If the maximum time is set to zero (0) days, the FortiMail unit attempts to deliver the DSN only once.
After the maximum time has been reached, the DSN email is moved to the dead mail folder.
Time before delay warning Select the number of hours after an initial failure to deliver an email message before the FortiMail unit sends the first delivery status notification (DSN) email message to notify the sender that the email message has been deferred.
After sending this initial DSN, the FortiMail unit will continue to retry sending the email until reaching the limit configured in “Maximum time for email in queue”.
Time interval for retry Select the number of minutes between delivery retries for email messages in the deferred and spam mail queues.
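To see how the Deferred Oversize Message Delivery window and the Mail Queue retry and DSN settings interact, here is an added Python model (not FortiMail code; how the real unit spaces its retries is an assumption of the model) that evaluates the delivery window, including one that wraps past midnight, and lays out the retry, delay-warning DSN and final DSN timeline for a deferred message:

```python
"""Timing model for the Advanced tab: deferred oversize delivery window and
mail queue retry/DSN parameters. Added example, not FortiMail code; the exact
retry cadence of the real unit is an assumption."""
from collections import Counter
from datetime import datetime, time, timedelta


def _hhmm(value: str) -> time:
    """Parse an "HH:MM" string as chosen in the hour/minute drop-downs."""
    hour, minute = (int(part) for part in value.split(":"))
    return time(hour, minute)


def oversize_delivery_allowed(now: str, start: str, stop: str) -> bool:
    """True if an oversize message may be delivered at wall-clock time `now`
    given the Start/Stop delivering window. The stop time is exclusive, and a
    window whose stop is earlier than its start wraps past midnight
    (e.g. 22:00 to 06:00 for off-peak delivery)."""
    current, begin, end = _hhmm(now), _hhmm(start), _hhmm(stop)
    if begin <= end:
        return begin <= current < end          # same-day window; start == stop is empty
    return current >= begin or current < end   # window crosses midnight


def queue_schedule(first_failure: str, retry_interval_min: int,
                   delay_warning_hours: int, max_days: int) -> list:
    """Model the life of a deferred message after its first delivery failure at
    `first_failure` (ISO "YYYY-MM-DDTHH:MM"):
      - a delivery retry every "Time interval for retry" minutes,
      - one delay-warning DSN to the sender after "Time before delay warning" hours,
      - a final undeliverable DSN when "Maximum time for email in queue" elapses.
    Returns (event, iso_time) tuples in chronological order."""
    if retry_interval_min <= 0 or max_days <= 0:
        raise ValueError("retry interval and maximum queue time must be positive")
    start = datetime.fromisoformat(first_failure)
    expiry = start + timedelta(days=max_days)
    events = []
    attempt = start + timedelta(minutes=retry_interval_min)
    while attempt < expiry:                    # retries stop once the queue time is up
        events.append(("retry", attempt))
        attempt += timedelta(minutes=retry_interval_min)
    warn_at = start + timedelta(hours=delay_warning_hours)
    if warn_at < expiry:                       # no delay warning if the message expires first
        events.append(("delay_dsn", warn_at))
    events.append(("final_dsn", expiry))
    events.sort(key=lambda event: event[1])
    return [(name, when.isoformat(timespec="minutes")) for name, when in events]


def event_counts(schedule: list) -> dict:
    """How many of each event type the schedule contains."""
    return dict(Counter(name for name, _ in schedule))


if __name__ == "__main__":
    print("23:30 in 22:00-06:00 window:", oversize_delivery_allowed("23:30", "22:00", "06:00"))
    timeline = queue_schedule("2008-09-04T00:00", 15, 4, 1)
    print(event_counts(timeline), "first:", timeline[0], "last:", timeline[-1])
```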
Delivery Options
Disable ESMTP for outgoing email Select to disable Extended Simple Mail Transfer Protocol (ESMTP) for outgoing email.
By default, FortiMail units can use ESMTP commands. ESMTP supports email messages with graphics, sound, video, and text in various languages. For more information on ESMTP, see RFC 1869.
Domain Check (gateway mode and transparent mode only)
Perform LDAP domain verification for unknown domains Select to verify the existence of domains that have not been configured as protected domains. Also configure LDAP profile for domain check.
To verify the existence of unknown domains, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, and:
• If “Automatically create domain association for verified domain” is enabled, the FortiMail unit automatically adds the unknown domain as a domain association of the protected domain selected in “Internal domain to hold association”.
• If “Automatically create domain association for verified domain” is disabled, and the DNS lookup of the unknown domain name is successful, the FortiMail unit routes the email to the IP address resolved for the domain name during the DNS lookup. Because the domain is not formally defined as a protected domain, the email is considered to be outgoing, and outgoing recipient-based policies are used to scan the email. For more information, see “Outgoing policies” on page 358.
LDAP profile for domain check Select the LDAP profile to use when verifying the existence of unknown domains.
This option is available only if “Perform LDAP domain verification for unknown domains” is enabled.


Automatically create domain association for verified domain Select to automatically add unknown domains as domain associations if they are successfully verified by the LDAP query. For more information, see “Domain Associations” on page 191.
This option is available only if “Perform LDAP domain verification for unknown domains” is enabled.
Internal domain to hold association Select the name of a protected domain with which to associate unknown domains, if they pass domain verification.
This option is available only if “Automatically create domain association for verified domain” is enabled.

Disclaimer
The Disclaimer tab enables you to configure system-wide disclaimer messages.
A disclaimer message is text that is generally attached to email to warn the
recipient that the email contents may be confidential. For disclaimers added to
outgoing messages, you need to configure an IP-based policy or an outgoing
recipient-based policy.
Disclaimer messages can be appended to incoming email messages, outgoing email
messages, or both. For information on determining the directionality of an email
message, see “Incoming vs. outgoing recipient-based policies” on page 355.

Note: If the FortiMail unit is operating in transparent mode, to use disclaimers, you must
enable clients to send email using their specified SMTP server. For more information, see
“Use client-specified SMTP server to send email” on page 216.

Note: If Allow per domain settings is enabled, you can configure disclaimer messages that
are specific to each protected domain. For more information, see “Disclaimer” on page 197.

To configure disclaimer messages, go to Mail Settings > Settings > Disclaimer.

Figure 93: FortiMail disclaimer


Allow per-domain settings Enable to allow protected domains to select from either the system-wide disclaimer messages, configured below, or their own separate disclaimer messages.
Disable to require that all protected domains use the system-wide disclaimer messages.
For information on configuring disclaimer messages specific to a protected domain, see “Disclaimer” on page 197.
For incoming messages
Disclaimer in message header Enable to append a disclaimer message to the
message header of incoming messages, then
enter the disclaimer message. The maximum
length is 256 characters.
Disclaimer in message body Enable to append a disclaimer message to the
message body of incoming messages, then enter
the disclaimer message. The maximum length is
1024 characters.
For outgoing messages
Disclaimer in message header Enable to append a disclaimer message to the
message header of outgoing messages, then
enter the disclaimer message. The maximum
length is 256 characters.
Disclaimer in message body Enable to append a disclaimer message to the
message body of outgoing messages, then enter
the disclaimer message. The maximum length is
1024 characters.

Custom Messages
The Custom Messages tab enables you to configure replacement messages.
When the FortiMail unit detects a virus in an email attachment, it replaces the
attachment with a replacement message that provides information about the virus
and source of the email. The FortiMail unit may also use replacement messages
when notifying a recipient that it has blocked an email as spam or due to content
filtering, or when sending a spam report.
To customize replacement messages, go to Mail Settings > Settings >
Custom Messages.

Figure 94: Custom messages list


Name There are three categories: Replacement, Reject, and Report. Select the blue arrow to expand the category and view the names of individual replacement messages. The names are one of the following:
Replacement
Virus message Replacement message for an infected attachment.
Suspicious message Replacement message for suspicious email attachments.
Attachment filtering message Replacement message for an email whose attachment is blocked by filtering.
Content filtering message Replacement message for an email blocked by content filtering.
Content filtering subject Replacement message for the subject of an email blocked by content filtering.
Reject
Virus message Reject message for email containing a virus.
Suspicious message Reject message for email containing suspicious contents.
Spam message Reject message for a spam email.
Attachment filtering message Reject message for email containing banned attachments.
Content filtering message Reject message for email containing sensitive contents.
Report
Spam report (HTML) Body of HTML spam report.
Spam report (Text) Body of text spam report.
Spam Report Subject Subject line of spam report email messages.
Description Description indicating when the replacement message is used.
Modify
Edit Icon Select to modify the replacement message. For more information, see “Editing a custom replacement message” on page 174.

Editing a custom replacement message


You can customize replacement messages, including adding HTML formatting, if it
is supported by the location in the email message where the FortiMail unit will
insert the replacement message.

To configure replacement messages


1 Go to Mail Settings > Settings > Custom Messages.
2 In the row corresponding to the replacement message that you want to modify,
select Edit.


3 In the text area, enter the replacement message, or select Reset To Default to
revert the replacement message to its default.
Unless the replacement message must be plain text (as is the case for those that
replace subject lines), it can be either plain text or HTML. To apply HTML
formatting to a replacement message, use HTML tags, such as <b>some bold text</b>.
Acceptable formats and the limit on the number of characters appear in the Allowed
Formats and Size fields.
Replacement messages often include variables, such as the MIME type of the file
that was removed and replaced by the replacement message.

Note: Typically, you will customize text, but should not remove variables from the
replacement message. Removing variables may result in an error message and reduced
functionality.

Figure 95: Editing a custom replacement message

Table 14: Email Virus replacement message variables

Variable Description
%%EMAIL%% The email user's email address.
%%FILE%% The name of the file that was removed from the email.
%%FILE_TYPE%% The MIME type of file that was blocked. (Content
blocking only)
%%MESSAGE_ID_ALL%% Message ID to indicate “all messages” when using
control addresses.
%%SPAM_DELETE_EMAIL%% Spam delete control address, for example
delete-ctr-srv@examplemail.com.
%%SPAM_RELEASE_EMAIL%% Spam release control address, for example
release-ctrl-srv@examplemail.com.
%%VIRUS%% The name of the virus that was detected. %%VIRUS%%
can be used in replacement messages for antivirus
processing.

4 Select OK.
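The note above warns against removing variables, and the Allowed Formats and Size fields bound what a customized message may contain. As an added example (not FortiMail code; the default template text and the size and format limits are constructed assumptions, and only the variable names come from Table 14), this Python checks a customized replacement message before it is saved and fills its variables, escaping message-derived values such as file names when the template is HTML:

```python
"""Checks for a customized replacement message against the Table 14 variables
and the Allowed Formats and Size limits. Added example, not FortiMail code:
the default template text and the limits are constructed assumptions."""
import html
import re

VARIABLE_RE = re.compile(r"%%([A-Z_]+)%%")

# Variable names from Table 14 (the set the FortiMail unit knows how to fill).
KNOWN_VARIABLES = {
    "EMAIL", "FILE", "FILE_TYPE", "MESSAGE_ID_ALL",
    "SPAM_DELETE_EMAIL", "SPAM_RELEASE_EMAIL", "VIRUS",
}

# Constructed stand-in for the default virus replacement message and its
# limits (assumptions for the example, not the unit's real defaults).
DEFAULT_VIRUS_MESSAGE = (
    "The attachment %%FILE%% sent to %%EMAIL%% was removed "
    "because it was infected with %%VIRUS%%."
)
VIRUS_MESSAGE_LIMITS = {"max_size": 1024, "html_allowed": True}


def variables_in(template: str) -> set:
    """Names of the %%...%% variables used by a template."""
    return set(VARIABLE_RE.findall(template))


def check_customization(default: str, custom: str, max_size: int,
                        html_allowed: bool) -> list:
    """Return the problems with a customized template (empty if acceptable):
    a variable the default relies on was removed, an unknown variable was
    introduced, the size limit is exceeded, or HTML was used where only plain
    text is allowed."""
    problems = []
    for name in sorted(variables_in(default) - variables_in(custom)):
        problems.append(f"variable %%{name}%% from the default message was removed")
    for name in sorted(variables_in(custom) - KNOWN_VARIABLES):
        problems.append(f"unknown variable %%{name}%%")
    if len(custom) > max_size:
        problems.append(f"length {len(custom)} exceeds the {max_size}-character limit")
    if not html_allowed and re.search(r"</?[A-Za-z][^>]*>", custom):
        problems.append("HTML tags are not allowed in this message")
    return problems


def render(template: str, values: dict, as_html: bool) -> str:
    """Fill the variables. File names and virus names originate from the
    scanned message, so when the template is HTML they are escaped before
    insertion. This is a general safe-templating practice for the example,
    not a description of how the FortiMail unit renders its messages."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for %%{name}%%")
        return html.escape(values[name]) if as_html else values[name]
    return VARIABLE_RE.sub(substitute, template)


if __name__ == "__main__":
    custom = "<b>Removed:</b> %%FILE%% (%%VIRUS%%) addressed to %%EMAIL%%"
    print(check_customization(DEFAULT_VIRUS_MESSAGE, custom, **VIRUS_MESSAGE_LIMITS))
    sample = {"FILE": "<b>report</b>.exe", "VIRUS": "EICAR-Test-File",
              "EMAIL": "user@example.com"}   # constructed values
    print(render(custom, sample, as_html=True))
```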


Appearance
The Appearance tab enables you to customize the default appearance of the
web-based manager, per-recipient quarantine, and webmail pages with your own
product name, product logo, and corporate logo.
You can customize the language used to display the webmail pages. If your
preferred language is not currently installed, you can create a new language file or
customize an existing language file.
To customize the appearance of the web-based manager and webmail pages, go
to Mail Settings > Settings > Appearance.

Figure 96: Customizing the appearance of the FortiMail web-based manager and
webmail


Administration Interface
Product name Enter the name of the product. This name will precede
“Administrator Login” in the title on the login page of the
web-based manager.
Top logo Select “change” to upload a graphic that will appear at the
top of all pages in the web-based manager.
Note: Uploading a graphic overwrites the current graphic.
The FortiMail unit does not retain previous or default
graphics. If you want to be able to revert to the current
graphic, use your web browser to save the image to your
management computer, enabling you to upload it again at a
later time.


Bottom logo Select “change” to upload a graphic that will appear at the
bottom left edge of all pages in the web-based manager.
This logo is hyperlinked to the URL configured in Bottom
URL.
Note: Uploading a graphic overwrites the current graphic.
The FortiMail unit does not retain previous or default
graphics. If you want to be able to revert to the current
graphic, use your web browser to save the image to your
management computer, enabling you to upload it again at a
later time.
Bottom URL Enter the URL to which the Bottom logo graphic will be
hyperlinked. For example, you might enter the URL of your
organization’s web site.
Webmail Interface
Webmail Language Select the language in which webmail pages will be
displayed. By default, the FortiMail unit will use the same
language as the web-based manager. For web-based
manager language settings, see “Options” on page 137.
Webmail Language Customization Select the blue arrow to expand the list of languages installed on the FortiMail unit, including the language names in English and in their own language. For each language, you can select:
• New Language: Select to add a new language to the list. See “To add a webmail language” on page 178.
• Edit: Select to modify the language name and the individual text strings that are associated with resource IDs and appear in locations such as field labels and alert messages. For more information, see “To edit a webmail language” on page 178.
• Download Webmail Language: Select to download the language resource file for this language to your management computer.
• Upload: Select to update the language resource file for this language from your management computer to the FortiMail unit.
• Delete: Select to remove the language. This option appears only for non-default languages.
Webmail Login Enter the title that will appear on the webmail login page.
Input your email Enter the prompt text that will appear between the user
address name and password fields on the webmail login page.
The default value is “Input your email address”.
Web mail flash logo Select “change” to upload a graphic that will appear at the
top left of webmail login page.
Note: Uploading a graphic overwrites the current graphic.
The FortiMail unit does not retain previous or default
graphics. If you want to be able to revert to the current
graphic, use your web browser to save the image to your
management computer, enabling you to upload it again at a
later time.
Web mail top logo Select “change” to upload a graphic that will appear at the
top of all webmail pages.
Note: Uploading a graphic overwrites the current graphic.
The FortiMail unit does not retain previous or default
graphics. If you want to be able to revert to the current
graphic, use your web browser to save the image to your
management computer, enabling you to upload it again at a
later time.


To add a webmail language


1 Go to Mail Settings > Settings > Appearance.
2 Select the blue arrow to expand Webmail Language Customization.
3 Select New Language at the top of the right column.
4 In Language Name in English, enter the English name for the language.
5 In Language Name, enter the name for the language using its own characters.
Characters must use UTF-8 encoding.
The new language appears at the bottom of the webmail languages list.
6 In the row corresponding to the language you have just added, select the “edit”
icon.
7 In each Resource Value field, enter the word or phrase that should appear in the
location indicated by the Resource ID.
By default, Resource Values contain the words as they appear in English.
8 Select OK.

To edit a webmail language


After you have created a language, or for an existing default language, you
can modify the translation of each term. This is useful for adjusting a
language or localizing terms within it. For example, you might adjust the
English language file to use spellings and terms specific to the United
Kingdom or to the United States of America.
1 Go to Mail Settings > Settings > Appearance.
2 In the row corresponding to the language, select the “edit” icon.
3 In the Section column, find the section of webmail that contains the resource you
want to change.
4 In the Resource ID column, find the resource you want to change.
5 Delete the displayed text in the Resource Value field and enter the new text to
use.
6 At the bottom of the page select OK.

Storage
The Storage tab enables you to configure local or remote storage of normal and
quarantined email messages.
FortiMail units can store email either locally or remotely. Your FortiMail unit
supports NFS storage on a Network Attached Storage (NAS) server, and a
Centralized Quarantine.
A NAS has the benefits of remote storage, which include ease of backing up the
mail data and flexible storage limits. You can also still access the mail data
on the NAS server if your FortiMail unit loses its connection.

Note: If you are using a NAS server with FortiMail units in high availability (HA)
mode, disable mail data synchronization. Otherwise, both FortiMail units will write
the same data to the same location, wasting CPU cycles and network bandwidth.


A centralized quarantine server allows up to 10 client FortiMail units to send all
their quarantined spam email and system quarantined email to one FortiMail-2000
or FortiMail-4000 unit, which acts as a quarantine server. This offloads disk
storage from the clients to the server. Any FortiMail model can be a client.
To configure storage, select Mail Settings > Settings > Storage.

Figure 97: Storage (FortiMail-2000/A and FortiMail-4000 models)

Figure 98: Centralized Quarantine (FortiMail-100 models)

NAS
Local
    Select to store email on the FortiMail unit’s local disk. This is selected
    by default.
NAS Server
    Select to store email on a remote Network Attached Storage (NAS) server.
Test
    Select to verify that the NAS server settings are correct and that the
    FortiMail unit can access that location.
    This control is available only when NAS Server is selected.
Server IP
    Enter the IP address of the NAS server.
Server Dir
    Enter the directory on the NAS server in which to store the FortiMail
    email.
Centralized Quarantine
Disabled
    Select to use local storage for quarantine.


Receive quarantined messages from clients
    Select to enable the FortiMail unit to act as a centralized quarantine
    server. Other FortiMail units acting as clients that send all their
    quarantined messages to this FortiMail unit are listed below this option.
    • Name: The name of the client.
    • IP: The IP address of the client.
    • Delete: Select to remove this client from the list.
    This option is available only on FortiMail-2000 and FortiMail-4000 models.
Add
    Select to add a blank client entry to the client list.
    This option is available only on FortiMail-2000 and FortiMail-4000 series
    models.
Send quarantined messages to remote server
    Select to enable the FortiMail unit to act as a centralized quarantine
    client. All quarantined messages will be saved on the centralized
    quarantine server.
    When selected, enter the following information:
    • Name: A name to identify this client.
    • Host: The IP address of the server.

Domains
The Domains menu enables you to create protected domains to define the SMTP
servers that the FortiMail unit protects. Usually, you will configure at least one
protected domain during installation, but you may also add more protected
domains or modify the settings of existing protected domains.
The Domains menu includes the following tab:
• Domains

Domains
The Domains tab displays the list of protected domains.
Protected domains define the connections and email messages for which the
FortiMail unit can perform protective email processing by describing both:
• the IP address of an SMTP server
• the domain name portion (the portion which follows the “@” symbol) of
recipient email addresses in the envelope
The FortiMail unit compares both of these to connections and email messages
when looking for traffic that involves the protected domain.

Note: For FortiMail units operating in server mode, protected domains list only the domain
name, not the IP address: the IP address of the SMTP server is the IP address of the
FortiMail unit itself.

Aside from defining the domain, protected domains also contain some settings
that apply specifically to all email destined for that domain, such as mail routing
and disclaimer messages.


Many FortiMail features require that you configure a protected domain. For
example, when applying recipient-based policies for email messages incoming to
the protected domain, the FortiMail unit will compare the domain name of the
protected domain to the domain name portion of the recipient email addresses.
When FortiMail units operating in transparent mode are proxying email
connections for a protected domain, the FortiMail unit will pass, drop or intercept
connections destined for the IP address of an SMTP server associated with the
protected domain, and can use the domain name of the protected domain during
the SMTP greeting.

Note: For more information on how the domain name and mail exchanger (MX) IP address
of protected domains are used, see “Incoming vs. outgoing SMTP connections” on
page 214 and “Incoming vs. outgoing recipient-based policies” on page 355.

Usually, you have already configured at least one protected domain during
installation of your FortiMail unit. However, you can add more domains or modify
the settings of existing ones if necessary. For more information, see “Creating a
protected domain” on page 182.
To view the list of protected domains, go to Mail Settings > Domains > Domains.

Figure 99: Domain list (transparent mode and gateway mode)

Figure 100: Domain list (server mode)

Domain
    The fully qualified domain name (FQDN) of the protected domain.
    If the protected domain has subdomains or domain associations, select the
    “+” next to the domain entry to expand the list of subdomains and domain
    associations. To collapse the entry, select “-”.
Use MX (transparent mode and gateway mode only)
    Indicates whether the IP address and the port number of the protected
    email server are manually defined in the FortiMail unit’s configuration
    file, or whether you have enabled the FortiMail unit to query the DNS
    server’s MX record to ascertain that information for this domain name.
    • Green check mark: Indicates that Use MX Record is enabled.
    • Red X icon: Indicates that Use MX Record is disabled.
    For more information, see “Use MX Record” on page 185.


SMTP Server (transparent mode and gateway mode only)
    The host name or IP address and port number of the mail exchanger (MX)
    for this protected domain.
    If Use MX contains a green check mark, this information is determined
    dynamically by querying the MX record of the DNS server, and this field
    will be empty.
Sub (transparent mode and gateway mode only)
    A green check indicates that the entry is a subdomain of a protected
    domain.
Association (transparent mode and gateway mode only)
    A green check indicates that the entry is a domain association. For more
    information on domain associations, see “Domain Associations” on
    page 191.
Modify
    Delete icon: Select to remove the protected domain and all associated
    email user accounts and preferences.
    Edit icon: Select to modify the protected domain. For more information,
    see “Creating a protected domain” on page 182.
    This option is not available for domain associations, as they use the
    settings of the protected domain with which they are associated.
Create New
    Select to create a new protected domain, subdomain, or domain
    association. For more information, see “Creating a protected domain” on
    page 182.

Creating a protected domain


You can configure the FortiMail unit to protect multiple SMTP servers by creating
additional protected domains.
Available options vary slightly depending on whether you are creating a new
protected domain or modifying an existing one. For example, when editing an
existing protected domain, you cannot change the domain name, but you can
configure the DKIM selector feature for sender validation, which is not
available when initially creating the protected domain. If you want to
configure an option that is not available when initially creating a protected
domain, create the protected domain, save it, and then edit the protected
domain.
Available options also vary slightly depending on whether the FortiMail unit
is operating in gateway mode, transparent mode, or server mode.
If the FortiMail unit is operating in gateway mode, you must change the MX entries
for the DNS records for your email domain, referring email to the FortiMail unit
rather than your email servers. For more information, see the FortiMail Installation
Guide. If you create additional protected domains, you must modify the MX
records for each additional email domain.

To configure a protected domain


1 Go to Mail Settings > Domains > Domains.
2 Select either Create New to create a new protected domain, or, in the row
corresponding to a protected domain that you want to modify, select Edit.
3 Configure the following:


Figure 101: Creating a protected domain (gateway mode)


Figure 102: Creating a protected domain (transparent mode)


Figure 103: Creating a protected domain (server mode)

Domain FQDN
    Enter the fully qualified domain name (FQDN) of the protected domain.
    For example, if you want to protect email user accounts such as
    user1@example.com, you would enter the protected domain name example.com.
Use MX Record (transparent mode and gateway mode only)
    Select to enable the FortiMail unit to query the DNS server’s MX record
    for the FQDN or IP address of the SMTP server for this domain name,
    instead of manually defining the SMTP server in the fields SMTP Server and
    Fallback MX Host.
    Note: If the FortiMail unit is operating in gateway mode and you enable
    this option, you usually should also configure the FortiMail unit to use a
    private DNS server. On the private DNS server, configure the MX record
    with the FQDN of the SMTP server that you are protecting for this domain,
    causing the FortiMail unit to route email to the protected SMTP server.
    This is different from how a public DNS server should be configured for
    that domain name, where the MX record usually should contain the FQDN of
    the FortiMail unit itself, causing external SMTP servers to route email
    through the FortiMail unit.
    If the FortiMail unit is operating in transparent mode and you enable this
    option, a private DNS server is not required.
SMTP Server (transparent mode and gateway mode only)
    Enter the host name or IP address of the primary SMTP server for this
    protected domain, then also configure Use smtps and Port.
Port (transparent mode and gateway mode only)
    Enter the port number on which the SMTP server listens.
    If you enable Use smtps, Port automatically changes to the default port
    number for SMTPS, but can still be customized.
    The default SMTP port number is 25; the default SMTPS port number is 465.
Use smtps (transparent mode and gateway mode only)
    Select to enable SMTPS for connections originating from or destined for
    this protected domain.


Fallback MX Host (transparent mode and gateway mode only)
    Enter the host name or IP address of the secondary SMTP server for this
    protected domain, then also configure Use smtps and Port. This SMTP
    server will be used if the primary SMTP server is unreachable.
Port (transparent mode and gateway mode only)
    Enter the port number on which the failover SMTP server listens.
    If you enable Use smtps, Port automatically changes to the default port
    number for SMTPS, but can still be customized.
    The default SMTP port number is 25; the default SMTPS port number is 465.
Use smtps (transparent mode and gateway mode only)
    Select to enable SMTPS for connections originating from or destined for
    this protected domain.
Is Subdomain
    Select to indicate that the protected domain you are creating is a
    subdomain of an existing protected domain, then also configure Main
    Domain.
    Subdomains, like their parent protected domains, can be selected when
    configuring policies specific to that subdomain. Unlike top-level
    protected domains, however, subdomains will be displayed as grouped under
    the parent protected domain when viewing the list of protected domains.
    This option is available only when another protected domain exists to
    select as the parent domain.
Main Domain
    Select the protected domain that is the parent of this subdomain. For
    example, lab.example.com might be a subdomain of example.com.
    This option is available only when Is Subdomain is selected.
Domain Associations (transparent mode and gateway mode only)
    Select to expand and configure domain associations.
    Associated domains use the settings of the protected domain with which
    they are associated, and do not have separate protected domain settings
    of their own. Exceptions include DKIM keys, which will not be used for
    associated domains. For more information, see “Domain Associations” on
    page 191.


Verify Recipient Address
    Select a method of confirming that the recipient “To:” address in the
    message header corresponds to an email user account that actually exists
    on the protected email server. If the recipient address is invalid, the
    FortiMail unit will not quarantine email messages for the non-existent
    account, thereby conserving quarantine hard disk space.
    • Disable: Do not verify that the recipient address is an email user
      account that actually exists.
    • Use SMTP Server: Query the SMTP server to verify that the recipient
      address is an email user account that actually exists.
    • Use LDAP Server: Query an LDAP server to verify that the recipient
      address is an email user account that actually exists. Also select the
      LDAP profile that will be used to query the LDAP server. For more
      information on configuring LDAP profiles, see “LDAP Profile” on
      page 320.
    This option can cause a performance impact that may be noticeable during
    peak traffic times. For a lesser performance impact, you can instead
    periodically and automatically remove quarantined email messages for
    invalid email user accounts, rather than actively preventing them for each
    email message. For more information, see “Automatic Removal of Invalid
    Quarantine Accounts” on page 189.
    Note: Spam often contains invalid recipient addresses. If you have enabled
    spam quarantining, but have not prevented or scheduled the periodic
    removal of quarantined email messages for invalid email accounts, the
    FortiMail hard disk may be rapidly consumed during peak traffic times,
    resulting in refused SMTP connections when the hard disk becomes full. To
    prevent this, enable either this option or the periodic removal of invalid
    quarantine accounts.
    Note: This option does not operate upon the recipient address that appears
    in the envelope of the SMTP session, which is governed by access control
    rules. For more information on access control rules, see “Access” on
    page 198.
Transparent Mode Options
This server is on (transparent mode only)
    Select the network interface (port) to which the protected SMTP server is
    connected.
    Note: Selecting the wrong network interface will result in the FortiMail
    unit sending email traffic to the wrong network interface.


Hide the transparent box (transparent mode only)
    When enabled, the EHLO field of “Received:” message headers of outgoing
    email messages will not contain the domain name of the FortiMail unit;
    instead, it will contain the IP address of the SMTP server that was
    sending the email message, masking the existence of the FortiMail unit.
    Note that when this option is enabled, you cannot use IP pools for this
    protected domain, and you should allow clients to specify an SMTP server
    other than the FortiMail unit for outbound mail. For more information, see
    “Use client-specified SMTP server to send email” on page 216.
    When disabled, the FortiMail unit’s domain name appears in the EHLO field
    of “Received:” message headers.
    For example, the SMTP server associated with a protected domain might have
    the IP address 172.168.1.1, and the FortiMail unit might have the domain
    name fortimail.example.com. If the option is enabled, the message headers
    would contain the following (the fields that differ are the EHLO value in
    the first header and the “by” value in the second):
        Received: from 192.168.1.1 (EHLO 172.168.1.1)
        (192.168.1.1) by smtp.external.example.com with
        SMTP; Fri, 24 Jul 2008 07:12:40 -0800
        Received: from smtpa ([172.168.1.2]) by
        [172.168.1.1] with SMTP id kAOFESEN001901 for
        <user1@external.example.com>; Fri, 24 Jul 2008
        15:14:28 GMT
    But if the option is disabled, the message headers would contain:
        Received: from 192.168.1.1 (EHLO
        fortimail.example.com) (192.168.1.1) by
        smtp.external.example.com with SMTP; Fri, 24 Jul
        2008 07:17:45 -0800
        Received: from smtpa ([172.168.1.2]) by
        fortimail.example.com with SMTP id kAOFJl4j002011
        for <user1@external.example.com>; Fri, 24 Jul
        2008 15:19:47 GMT
Use this domain’s SMTP server to deliver the mail (transparent mode only)
    Select to relay mail to the SMTP server for this protected domain for
    delivery, rather than delivering the email using the FortiMail unit
    itself.


Automatic Removal of Invalid Quarantine Accounts (transparent mode and gateway
mode only)
    Select a method by which to periodically remove quarantined spam for which
    an email user account does not actually exist on the protected email
    server.
    • Disable: Do not verify that the recipient address is an email user
      account that actually exists.
    • Use SMTP Server: Query the SMTP server to verify that the recipient
      address is an email user account that actually exists.
    • Use LDAP Server: Query an LDAP server to verify that the recipient
      address is an email user account that actually exists. Also select the
      LDAP profile that will be used to query the LDAP server. For more
      information on configuring LDAP profiles, see “LDAP Profile” on
      page 320.
    If you select either Use SMTP Server or Use LDAP Server, at 4:00 AM daily
    the FortiMail unit queries the server to verify the existence of email
    user accounts. If an email user account does not currently exist, the
    FortiMail unit removes all spam quarantined for that email user account.
    If you have also enabled “Verify Recipient Address”, the FortiMail unit is
    prevented from forming quarantine accounts for email user accounts that do
    not really exist on the protected email server. In that case, invalid
    quarantine accounts are never formed, and this option may not be
    necessary, except when you delete email user accounts on the protected
    email server. If this is the case, you can improve the performance of the
    FortiMail unit by disabling this option.
    Note: Spam often contains invalid recipient addresses. If you have enabled
    spam quarantining, but have not prevented or scheduled the periodic
    removal of quarantined email messages for invalid email accounts, the
    FortiMail hard disk may be rapidly consumed during peak traffic times,
    resulting in refused SMTP connections when the hard disk becomes full. To
    prevent this, enable either this option or verification of recipient
    addresses. For more information, see “Verify Recipient Address” on
    page 187.
LDAP User Alias / Address Mapping profile (transparent mode and gateway mode
only)
    Select the name of an LDAP profile in which you have enabled and
    configured User Alias Options, enabling you to expand alias email
    addresses or replace one email address with another by using an LDAP
    query to retrieve alias members and/or address mappings. For more
    information, see “LDAP Profile” on page 320.
LDAP User Profile (server mode only)
    Select the name of an LDAP profile in which you have configured User Auth
    Options and User Alias Options, enabling you to authenticate email users
    and expand alias email addresses or replace one email address with another
    by using an LDAP query to retrieve alias members. For more information,
    see “LDAP Profile” on page 320.
Advanced Settings
Mail Routing
    Select to enable mail routing, then select the blue arrow to expand the
    options and select the name of an LDAP profile in which you have enabled
    and configured Mail Routing Options. For more information, see “LDAP
    Profile” on page 320.
Spam Report Setting
    Select the blue arrow to expand the spam report section. For more
    information, see “Spam Report Setting” on page 192. For information on
    system-wide spam report settings, see “Spam Report” on page 376.
DKIM Setting
    Select the blue arrow to expand the DKIM setting section. For more
    information, see “DKIM Setting” on page 195.
    This option appears only when you are modifying a protected domain. To
    configure DKIM signing, create the protected domain, save it, then select
    Edit to modify the protected domain.
Disclaimer
    Select the blue arrow to expand the disclaimer section. For more
    information, see “Disclaimer” on page 197. For information on system-wide
    disclaimer settings, see “Disclaimer” on page 172.


Webmail Language
    Select the language that the FortiMail unit uses to display webmail and
    quarantine folder pages. By default, the FortiMail unit uses the same
    language as the web-based manager. For more information, see “Options” on
    page 137.
IP Pool to use
    Select a pool of IP addresses to use for connections outgoing from this
    protected domain.
    Use IP pool profiles if you want outgoing email to originate from a
    configured range of IP addresses. Each sent email message will use the
    next IP address in the range. When the last IP address in the range is
    used, the next email message will use the first IP address.
    This setting is used only for email that is outgoing from a protected
    domain, which is determined by checking only the envelope “from” address.
    If the envelope “from” address indicates that the email message is from a
    protected domain, the FortiMail unit performs the actions configured in
    this setting for the protected domain.
    If the FortiMail unit is operating in transparent mode, and you have
    enabled “Hide the transparent box”, you cannot use IP pools.
    For more information on IP pools, see “IP Pool Lists” on page 348.
SMTP greeting (ehlo/helo)
    Select how the FortiMail unit will identify itself during the HELO or
    EHLO greeting of outgoing SMTP connections that it initiates.
    • Use this domain name: The FortiMail unit will identify itself using the
      domain name for this protected domain.
      If the FortiMail unit will handle internal email messages (those for
      which both the sender and recipient addresses in the envelope contain
      the domain name of the protected domain), to use this option you must
      also configure your protected SMTP server to use its host name for SMTP
      greetings. Failure to do this will result in dropped SMTP sessions, as
      both the FortiMail unit and the protected SMTP server will be using the
      same domain name when greeting each other. Alternatively, select Use
      system host name instead.
    • Use system host name: The FortiMail unit will identify itself using its
      own host name.
    By default, the FortiMail unit uses the domain name of the protected
    domain. If your FortiMail unit is protecting multiple domains and using IP
    pool addresses, select Use system host name instead. This setting does
    not apply if email is incoming, according to the sender address in the
    envelope, from an unprotected domain.
Advanced AS / AV Settings
Check AS / AV config
    Select to enable or disable antispam and/or antivirus processing for
    email messages destined for an email user of a protected domain based
    upon an LDAP query for the email user’s preferences, then select the blue
    arrow to expand the options and select the name of an LDAP profile in
    which you have enabled and configured AS/AV On/Off Options. For more
    information, see “LDAP Profile” on page 320.


Use Global Bayesian Database
    Enable to use the global Bayesian database instead of the Bayesian
    database for this protected domain.
    If you do not need the Bayesian database to be specific to the protected
    domain, you may want to use the global Bayesian database instead in order
    to simplify database maintenance and training.
    Disable to use the per-domain Bayesian database.
    This option does not apply if you have enabled use of personal Bayesian
    databases in an incoming antispam profile and the personal Bayesian
    database is mature. Instead, the FortiMail unit will use the personal
    Bayesian database. For more information, see “Bayesian scan options” on
    page 249.
    Note: Train the global or per-domain Bayesian database before using it.
    If you do not train it first, Bayesian scan results may be unreliable.
    For more information on Bayesian database types and how to train them,
    see “Bayesian database types” on page 387 and “Initial training of the
    Bayesian databases” on page 388.
Bypass Bounce Verification
    Select to disable bounce verification for this protected domain.
    This option appears only if bounce verification is enabled. For more
    information, see “Bounce Verification” on page 423.

4 Select OK.
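The “Hide the transparent box” description above shows how the EHLO and “by” fields of outgoing “Received:” headers change. As an added example that is not part of this guide or of FortiMail itself, the following Python script parses the guide’s two sample header sets (reproduced here as constructed, folded header text) and reports in which hops a given gateway FQDN is visible, so the effect of the option on outbound mail can be audited from a captured message.

```python
"""Check whether outbound "Received:" headers reveal the mail gateway.

Added example, not part of the FortiMail guide or product: it parses the
guide's two sample header sets (constructed here as folded header text) and
reports in which hops a given gateway FQDN is visible, so the effect of
"Hide the transparent box" on outbound mail can be audited from a message.
"""
import re
from typing import Dict, List, Optional

# Sample headers from the guide, with the option enabled (gateway hidden).
HIDDEN_HEADERS = """\
Received: from 192.168.1.1 (EHLO 172.168.1.1)
    (192.168.1.1) by smtp.external.example.com with
    SMTP; Fri, 24 Jul 2008 07:12:40 -0800
Received: from smtpa ([172.168.1.2]) by
    [172.168.1.1] with SMTP id kAOFESEN001901 for
    <user1@external.example.com>; Fri, 24 Jul 2008
    15:14:28 GMT
"""

# Sample headers from the guide, with the option disabled (gateway visible).
VISIBLE_HEADERS = """\
Received: from 192.168.1.1 (EHLO
    fortimail.example.com) (192.168.1.1) by
    smtp.external.example.com with SMTP; Fri, 24 Jul
    2008 07:17:45 -0800
Received: from smtpa ([172.168.1.2]) by
    fortimail.example.com with SMTP id kAOFJl4j002011
    for <user1@external.example.com>; Fri, 24 Jul
    2008 15:19:47 GMT
"""

# Matches "from <helo> [(EHLO <ehlo>)] [(<addr>)] by <by>" as in the samples.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\(EHLO\s+(?P<ehlo>[^)]+)\))?"
    r"(?:\s+\(\[?(?P<addr>[^\])]+)\]?\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold(headers: str) -> List[str]:
    """Rejoin folded header lines: a continuation line starts with whitespace."""
    lines: List[str] = []
    for line in headers.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(headers: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per Received: header, in the order the headers appear."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        match = RECEIVED_RE.search(line)
        if match is None:
            continue  # unrecognised layout; a real audit would log this line
        hops.append({k: v.strip("[]") if v else None
                     for k, v in match.groupdict().items()})
    return hops


def gateway_exposure(headers: str, gateway_fqdn: str) -> List[str]:
    """List every hop whose EHLO or 'by' field names the gateway FQDN."""
    wanted = gateway_fqdn.lower()
    findings: List[str] = []
    for index, hop in enumerate(parse_received(headers), start=1):
        if hop["ehlo"] and hop["ehlo"].lower() == wanted:
            findings.append(f"hop {index}: EHLO field is {hop['ehlo']}")
        if hop["by"] and hop["by"].lower() == wanted:
            findings.append(f"hop {index}: 'by' field is {hop['by']}")
    return findings


if __name__ == "__main__":
    for label, sample in (("hidden", HIDDEN_HEADERS), ("visible", VISIBLE_HEADERS)):
        print(label, gateway_exposure(sample, "fortimail.example.com") or "not exposed")
```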

Domain Associations
The Domain Associations section that appears when configuring a protected
domain enables you to configure associated domains. Associated domains use
the settings of the protected domains or subdomains with which they are
associated.

Note: In FortiMail version 3.0 MR4 and earlier releases, associated domains do not inherit
the following domain related settings from the main domain. Instead, associated domains
use system level settings.
• Domain level disclaimer
• Domain level spam report format, including subject and body
• Webmail language preference

Domain associations can be useful for saving time when you have multiple
domains for which you would otherwise need to configure protected domains with
identical settings.
For example, if you have one SMTP server handling email for ten domains, you
could create ten separate protected domains, and configure each with identical
settings. Alternatively, you could create one protected domain, listing the nine
remaining domains as domain associations. The advantage of using the second
method is that you do not have to repeatedly configure the same things when
creating or modifying the protected domains, saving time and reducing chances
for error. Changes to one protected domain automatically apply to all of its
associated domains.
Exceptions to settings that associated domains will re-use include DKIM keys and
signing settings. Domain keys are by nature tied to the exact protected domain
only, and cannot be used for any other protected domain, including associated
domains.
The maximum number of domain associations that you can create is separate
from the maximum number of protected domains. For more information, see the
Fortinet Knowledge Center article FortiMail v3.0 MR4 Maximum Values Matrix.


To configure domain associations


1 Go to Mail Settings > Domains > Domains.
2 Select either Create New to create a new protected domain, or Edit to modify an
existing protected domain.
3 Select the blue arrow to expand Domain Associations.
4 Configure the following:

Figure 104: Domain Associations

Members
    The list of domain names that are associated with this protected domain.
    Associated domains use the settings of the protected domain with which
    they are associated (with the sole exception of their domain name), and
    do not have protected domain settings of their own.
Remove Selected
    Select one or more domain names, then select Remove Selected to remove
    them from the Members area.
Add
    Enter a fully qualified domain name (FQDN) that you want to use the same
    settings as this protected domain, then select Add to add the domain name
    to the Members area.

5 Select OK.
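The rules in “Creating a protected domain” and “Domain Associations” (each subdomain is its own explicit entry grouped under its Main Domain; an associated domain uses its protected domain’s settings except DKIM keys and, in 3.0 MR4, the domain-level disclaimer; IP pools apply only when the envelope “from” domain is protected) as an added Python model that is not FortiMail code. The domain names, DKIM selector and pool name are constructed, and the duplicate-name check is this example’s own assumption.

```python
"""Resolve which protected domain's settings apply to an email domain.

Added example, not FortiMail code: it models the rules described in
"Creating a protected domain" and "Domain Associations" so an administrator
can reason about a planned configuration before entering it.
  * Every protected domain and every subdomain is an explicit entry with its
    own settings; a subdomain is only grouped under its Main Domain.
  * An associated domain uses the settings of the protected domain it is
    associated with, except DKIM keys and (3.0 MR4 and earlier) the
    domain-level disclaimer, which falls back to the system-level setting.
  * IP pools apply only when the envelope "from" address is in a protected
    domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProtectedDomain:
    fqdn: str
    main_domain: Optional[str] = None        # set when "Is Subdomain" is selected
    associations: List[str] = field(default_factory=list)
    dkim_selector: Optional[str] = None      # only after DKIM signing is configured
    disclaimer: Optional[str] = None         # domain-level disclaimer, if any
    ip_pool: Optional[str] = None


@dataclass
class Resolution:
    settings_from: str          # FQDN of the entry whose settings apply
    via_association: bool
    dkim_selector: Optional[str]
    disclaimer: Optional[str]
    ip_pool: Optional[str]


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


class DomainTable:
    def __init__(self, domains: List[ProtectedDomain], system_disclaimer: Optional[str]):
        self.system_disclaimer = system_disclaimer
        self._domains: Dict[str, ProtectedDomain] = {_norm(d.fqdn): d for d in domains}
        self._assoc: Dict[str, str] = {}   # associated FQDN -> owning protected FQDN
        for d in domains:
            if d.main_domain and _norm(d.main_domain) not in self._domains:
                raise ValueError(f"{d.fqdn}: Main Domain {d.main_domain} is not protected")
            for a in d.associations:
                # Assumption of this example: one name maps to exactly one entry.
                if _norm(a) in self._domains or _norm(a) in self._assoc:
                    raise ValueError(f"{a} is already a protected or associated domain")
                self._assoc[_norm(a)] = _norm(d.fqdn)

    def resolve(self, domain: str) -> Optional[Resolution]:
        """Exact-match lookup: a subdomain must exist as its own entry."""
        key = _norm(domain)
        if key in self._domains:
            d = self._domains[key]
            return Resolution(d.fqdn, False, d.dkim_selector, d.disclaimer, d.ip_pool)
        if key in self._assoc:
            d = self._domains[self._assoc[key]]
            # DKIM keys are tied to the exact protected domain; the MR4 note
            # says the domain-level disclaimer is not inherited either.
            return Resolution(d.fqdn, True, None, self.system_disclaimer, d.ip_pool)
        return None

    def ip_pool_for(self, envelope_from: str) -> Optional[str]:
        """IP pool for an outgoing message, decided by the envelope "from" domain."""
        _, _, domain = envelope_from.rpartition("@")
        res = self.resolve(domain) if domain else None
        return res.ip_pool if res else None

    def subdomains_of(self, fqdn: str) -> List[str]:
        """Entries grouped under a parent in the domain list (the "+" expander)."""
        key = _norm(fqdn)
        return sorted(d.fqdn for d in self._domains.values()
                      if d.main_domain and _norm(d.main_domain) == key)


# Constructed sample configuration (not from a real deployment).
TABLE = DomainTable(
    [
        ProtectedDomain("example.com", associations=["example.net", "example.org"],
                        dkim_selector="s1", disclaimer="Example Corp notice",
                        ip_pool="pool1"),
        ProtectedDomain("lab.example.com", main_domain="example.com"),
    ],
    system_disclaimer="System-wide notice",
)

if __name__ == "__main__":
    for name in ("example.com", "example.net", "lab.example.com", "mail.example.com"):
        print(name, "->", TABLE.resolve(name))
```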

Spam Report Setting


The Spam Report Setting section that appears when configuring a protected
domain enables you to configure spam report settings that are specific to this
protected domain.
The spam report settings for a protected domain are a subset of the system-wide
spam report settings. For example, if the system settings for schedule include only
Monday and Thursday, when you are setting the schedule for the spam reports of
the protected domain, you will only be able to select either Monday or Thursday.

Note: For information on system-wide spam report settings and spam reports in general,
see “Spam Report” on page 376 and “Custom Messages” on page 173.

To configure per-domain spam report settings


1 Go to Mail Settings > Domains > Domains.
2 Select either Create New to create a new protected domain, or Edit to modify an
existing protected domain.
3 Select the blue arrow to expand Spam Report Setting.
4 Configure the following:


Figure 105: Spam Report Setting


Send to individual recipients
    Select to send the spam report to all recipients. For more information,
    see “Recipients” on page 366.
Send to LDAP group owner based on LDAP profile
    Select to send the spam report to a group owner rather than to individual
    recipients, then select the name of an LDAP profile in which you have
    enabled and configured Group Query Options. For more information, see
    “LDAP Profile” on page 320.
Send to other recipient
    Select to send the spam report to a recipient other than the individual
    recipients or group owner. For example, you might delegate spam reports
    by sending them to an administrator whose email address is not locally
    deliverable to the protected domain, such as admin@lab.example.com.
Schedule
    Select the schedule to use when sending spam reports.
    • Use system settings: Use the system-wide spam report schedule. For more
      information, see “Spam Report” on page 376.
    • Use domain settings: Use a spam report schedule that is specific to this
      protected domain, within the boundaries of time allowed by the
      system-wide spam report schedule. Also configure These Hours and These
      Days.
    Caution: If you change the system-wide spam report schedule, it will
    clear any spam report schedules for this protected domain, requiring you
    to re-configure all per-domain spam report schedules.
These Hours
    Select which hours to send the spam report for this protected domain.
    When the FortiMail unit is reset, not all hours will be available.
    This option is available only when Schedule is Use domain settings.
These Days
    Select which days to send the spam report for this protected domain.
    When the FortiMail unit is reset, not all days will be available.
    This option is available only when Schedule is Use domain settings.
Report
    Select the text that will appear in the spam reports.
    • Use system settings: Use the system-wide spam report text. For more
      information, see “Custom Messages” on page 173.
    • Use domain settings: Use spam report text that is specific to this
      protected domain. Also configure Report Email Body (HTML), Report Email
      Body (Text), and Report Email Subject (Text).
Report Email Body (HTML)
    Enable to use spam report text that is specific to this protected domain,
    then enter the spam report text, which may include HTML tags. For
    examples, see “Editing a custom replacement message” on page 174.
    To set this per-domain spam report text to its default value for the
    firmware version, select Reset to Default.
    For information on the contents of the HTML format spam report, see
    “Understanding the HTML formatted spam report” on page 380.
Report Email Body (Text)
    Enable to use spam report text that is specific to this protected domain,
    then enter the spam report text, which must be in plain text.
    To set this per-domain spam report text to its default value for the
    firmware version, select Reset to Default.
    For information on the contents of the plain text format spam report, see
    “Understanding the plain text formatted spam report” on page 378.

FortiMail™ Secure Messaging Platform Version 3.0 MR4 Administration Guide


194 06-30004-0154-20080904
Mail Settings Domains

Report Email Enable to use a subject line for the spam report that is specific to
Subject (Text) this protected domain, then enter the subject line that will be
used for the spam report. The subject line must be in plain text.
To set the per-domain spam report subject line to its default value
for the firmware version, select Reset to Default.
Replacement messages often include variables, such as the MIME type of the file
that was removed and replaced by the replacement message.

Note: Typically, you will customize text, but should not remove variables from the
replacement message. Removing variables may result in an error message and reduced
functionality.

5 Select OK.

DKIM Setting
The DKIM Setting section that appears when configuring a protected domain
enables you to create domain keys for this protected domain.
The FortiMail unit will sign outgoing email messages using the domain key for this
protected domain if you have selected it when configuring sender validation in the
session profile. For more information, see “Session Configuration” on page 287.

Note: Because domain keys are tied to the domain name for which they are generated,
FortiMail units will not use the domain key of a protected domain to sign email of an
associated domain. If you require DKIM signing for an associated domain, convert it to a
standard protected domain and then generate its own, separate domain key.

DKIM signing requires a public-private key pair. The private key is kept on and
used by the FortiMail unit to generate the DKIM signatures for the email
messages; the public key is stored on the DNS server in the DNS record for the
domain name, and used by receiving parties to verify the signature.
After you generate the key pair by creating a domain key selector, you can export
the DNS record that contains the public key. The following is a sample of the
exported DNS record:
example_com._domainkey IN TXT "t=y; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPu
R5xC+yDvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHH
PFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3
asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"
Then you can publish the public key by adding it to the DNS zone file as a TXT
record for the domain name on the DNS server. A receiving SMTP server that
performs DKIM checking looks up this record, uses the public key to verify the
RSA signature carried in the DKIM-Signature header, and compares the hash values
it computes over the signed headers and body with the values covered by that
signature; if they do not match, verification fails.
Note that the exported record carries the t=y flag, which declares the domain to
be in DKIM testing mode: verifiers treat mail from a testing-mode domain no
differently from unsigned mail, even when the signature fails. Remove t=y from
the published record once you have confirmed that signed messages verify
correctly at receiving sites.

Figure 106:DKIM Setting



To create a domain key pair


1 Go to Mail Settings > Domains > Domains.
2 In the row corresponding to the protected domain whose domain key you want to
generate, select Edit.

Note: Because information from the protected domain is used to generate the key pair, you
cannot create DKIM keys while initially creating the protected domain.

3 Select the blue arrow to expand Advanced Settings.


4 Select the blue arrow to expand DKIM Setting.
5 Select New Selector.
A prompt appears.
6 Enter a name for the selector.
7 Select OK.
The selector name for the key pair appears in the list of domain keys.
8 Select OK.
The key pair is generated and the public key can be exported for publication on
a DNS server. For instructions, see “To export a public domain key” on page 196.

Note: Only one key pair can be active at a time. If a new selector is generated, the FortiMail
unit always signs email messages with the most recently generated key pair. To use an
older domain key pair, you must delete all domain key pairs that have been more recently
generated.

To delete a domain key pair


1 Go to Mail Settings > Domains > Domains.
2 In the row corresponding to the protected domain whose domain key you want to
delete, select Edit.
3 Select the blue arrow to expand Advanced Settings.
4 Select the blue arrow to expand DKIM Setting.
5 In the Modify column, in the row corresponding to the domain key pair that you
want to delete, select Delete.
6 Select OK.

To export a public domain key


1 Go to Mail Settings > Domains > Domains.
2 In the row corresponding to the protected domain whose domain key you want to
export, select Edit.
3 Select the blue arrow to expand Advanced Settings.
4 Select the blue arrow to expand DKIM Setting.
5 Select Export DNS Record.
6 If your web browser prompts you for a location, select a folder in which to save the
plain text file which contains the exported DNS record.
7 Publish the public key by inserting the exported DNS record into the DNS zone file
of the DNS server that resolves this domain name.
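Before inserting the exported record into the zone file, it is worth checking what it actually contains. The following Python script is an added example and not FortiMail code: it parses the tag=value list of the exported record shown in the DKIM Setting section (the DKIM key record format of RFC 6376) and reads the RSA public key in the p= tag, a DER-encoded SubjectPublicKeyInfo, with a small DER reader so that it needs no third-party libraries and runs offline. It reports whether t=y (testing mode) is still set, whether the key is really RSA, and the modulus size. The record text is taken from this guide; the 2048-bit minimum is this example's own threshold, not a FortiMail setting.

```python
"""Inspect an exported FortiMail DKIM DNS record before publishing it.

Added example, not FortiMail code. It parses the tag=value list of a DKIM
key record (RFC 6376) and reads the RSA public key in the p= tag, a DER
SubjectPublicKeyInfo, with a minimal DER reader so that it runs offline
without third-party libraries.
"""
import base64
import re

RSA_OID = "1.2.840.113549.1.1.1"   # rsaEncryption

# The record exported in this guide's DKIM Setting section; the PDF wraps
# the quoted string, but in the zone file it must be one unbroken string.
EXPORTED_RECORD = (
    'example_com._domainkey IN TXT "t=y; k=rsa; '
    'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPu'
    'R5xC+yDvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHH'
    'PFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3'
    'asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"'
)


def parse_txt_tags(record: str) -> dict:
    """Return the tag=value pairs inside the quoted TXT data."""
    m = re.search(r'"(.*)"', record, re.S)
    if not m:
        raise ValueError("no quoted TXT data in record")
    tags = {}
    for item in m.group(1).split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # whitespace in p= is ignored
    return tags


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits give the size of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_rsa_spki(der: bytes) -> dict:
    """Parse SubjectPublicKeyInfo {algorithm, BIT STRING {RSAPublicKey {n, e}}}."""
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    _, alg_id, pos = _tlv(spki, 0)
    _, oid_bytes, _ = _tlv(alg_id, 0)
    tag, bit_string, _ = _tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    _, rsa_key, _ = _tlv(bit_string, 1)           # skip the unused-bits octet
    _, n_bytes, pos = _tlv(rsa_key, 0)
    _, e_bytes, _ = _tlv(rsa_key, pos)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {"oid": _oid(oid_bytes), "modulus_bits": n.bit_length(), "exponent": e}


def check_dkim_record(record: str, min_bits: int = 2048) -> dict:
    """Summarise the record and list findings worth fixing before publication.

    min_bits is this example's own threshold (assumption), not a FortiMail setting.
    """
    tags = parse_txt_tags(record)
    key = inspect_rsa_spki(base64.b64decode(tags["p"]))
    findings = []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, verifiers treat signed mail as unsigned")
    if tags.get("k", "rsa") != "rsa" or key["oid"] != RSA_OID:
        findings.append("key is not an RSA key")
    if key["modulus_bits"] < min_bits:
        findings.append(f"{key['modulus_bits']}-bit modulus is below {min_bits} bits")
    return {"selector": record.split("._domainkey")[0], "tags": tags,
            "key": key, "findings": findings}


if __name__ == "__main__":
    result = check_dkim_record(EXPORTED_RECORD)
    print(result["selector"], result["key"])
    for finding in result["findings"]:
        print("WARNING:", finding)
```

Run against the record from this guide, the script reports selector example_com, a 1024-bit RSA key with exponent 65537, and two findings: the t=y testing flag and the modulus size. Both are things to settle before the record goes live, since the flag silences verification failures at receiving sites and the key size is fixed at generation time.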


Disclaimer
The Disclaimer section that appears when configuring a protected domain
enables you to configure disclaimer messages specific to this protected domain.
A disclaimer message is text that is generally attached to email to warn the
recipient that the email contents may be confidential. For disclaimers added to
outgoing messages, you need to configure an IP-based policy or an outgoing
recipient-based policy.
Disclaimer messages can be appended for either or both incoming or outgoing
email messages. For information on determining the directionality of an email
message, see “Incoming vs. outgoing recipient-based policies” on page 355.

Note: If the FortiMail unit is operating in transparent mode, to use disclaimers, you must
enable clients to send email using their specified SMTP server. For more information, see
“Use client-specified SMTP server to send email” on page 216.

To configure per-domain disclaimer messages

1 Go to Mail Settings > Domains > Domains.
2 Select Create New to create a new protected domain, or select Edit to modify an
existing protected domain.
3 Select the blue arrow to expand Disclaimer.
4 Configure the following:

Figure 107:Disclaimer (transparent mode)

Disclaimer
    Select the type of disclaimer message to append.
    • Disable: Do not append disclaimer messages.
    • Use system settings: Append the system-wide disclaimer messages. For
      more information, see “Disclaimer” on page 172.
    • Use domain settings: Append the disclaimer messages configured
      specifically for this protected domain. Also configure the per-domain
      disclaimer messages in For Incoming Messages and For Outgoing
      Messages.
      This option is available only if you have enabled per-domain
      disclaimer messages. For more information, see “Allow per-domain
      settings” on page 173.
For Incoming Messages
    Disclaimer in message header
        Enable to append a disclaimer message specific to this protected
        domain to the message header of incoming messages, then enter the
        disclaimer message. The maximum length is 256 characters.
        This option is available only if Disclaimer is Use domain settings.
    Disclaimer in message body
        Enable to append a disclaimer message specific to this protected
        domain to the message body of incoming messages, then enter the
        disclaimer message. The maximum length is 1024 characters.
        This option is available only if Disclaimer is Use domain settings.
For Outgoing Messages
    Disclaimer in message header
        Enable to append a disclaimer message specific to this protected
        domain to the message header of outgoing messages, then enter the
        disclaimer message. The maximum length is 256 characters.
        This option is available only if Disclaimer is Use domain settings.
    Disclaimer in message body
        Enable to append a disclaimer message specific to this protected
        domain to the message body of outgoing messages, then enter the
        disclaimer message. The maximum length is 1024 characters.
        This option is available only if Disclaimer is Use domain settings.

5 Select OK.

Access
The Access menu enables you to configure access control rules for SMTP
sessions.
Access control rules are categorized separately based upon whether they affect
either the receipt or delivery of email messages by the FortiMail unit — that is,
whether or not the FortiMail unit initiated the SMTP session, or was the
destination.
The Access menu includes the following tabs:
• Receive rules
• Delivery rules

Receive rules
The Receive tab displays a list of access control rules that apply to SMTP
sessions being received by the FortiMail unit.
When an SMTP server attempts to deliver email through the FortiMail unit, the
FortiMail unit compares each access control rule to the commands used by the
SMTP server during the SMTP session, such as the sender address (MAIL
FROM), recipient address (RCPT TO), authentication (AUTH), and TLS
(STARTTLS). Rules are evaluated for a match in the order of their list sequence,
from top to bottom. If all the attributes of a rule match, the FortiMail unit applies the
action selected in the matching rule to the SMTP session, and no subsequent
access control rules are applied. Only one access control rule is ever applied to
any given SMTP session.


To view the access control rule list, go to Mail Settings > Access > Receive.

Figure 108:Access Control Rules


#
    The order of the rule in the list. FortiMail units evaluate access
    control rules in sequence. Only the first matching access control rule
    will be applied.
Sender Pattern
    The complete or partial sender email address to match.
    If the pattern is listed with an “R/” prefix, it uses regular
    expression syntax. If the pattern is listed with a “-/” prefix, it
    does not use regular expression syntax.
Recipient Pattern
    The complete or partial recipient address to match.
    If the pattern is listed with an “R/” prefix, it uses regular
    expression syntax. If the pattern is listed with a “-/” prefix, it
    does not use regular expression syntax.
Sender IP/Netmask
    The IP address and netmask of the SMTP server attempting to deliver
    the email message. IP address 0.0.0.0/0 matches all IP addresses.
Reverse DNS Pattern
    The pattern to compare to the result of a reverse DNS look-up of the
    IP address of the SMTP server delivering the email message.
    If the pattern is listed with an “R/” prefix, it uses regular
    expression syntax. If the pattern is listed with a “-/” prefix, it
    does not use regular expression syntax.
Authenticated Sender
    Indicates whether this rule applies only to messages delivered by
    clients that have authenticated with the FortiMail unit.
    • any: The rule will apply to all matching messages, whether or not
      the client has authenticated.
    • authenticated: The rule will apply only to messages delivered by a
      client that has authenticated with the FortiMail unit.
TLS
    Select a TLS profile to allow or reject the connection based on whether
    the communication session attributes match the settings in the TLS
    profile. If the attributes match, the access control action is
    executed. If the attributes do not match, the FortiMail unit performs
    the Failure action configured in the TLS profile. For more information
    on TLS profiles, see “TLS Profile” on page 350.
Action
    The action taken when this rule is matched. For more information about
    actions, see “Creating access control rules” on page 200.
Modify
    Select Edit to modify the access control rule.
    Select Delete to remove the access control rule.
    Select Move to change the order of the rule in the list. FortiMail
    units match the rules in sequence, from the top of the list downwards.
Create New
    Select to add an access control rule. For more information, see
    “Creating access control rules” on page 200.


Creating access control rules


You can configure the FortiMail unit to accept, reject, discard, or process and relay
email messages for SMTP sessions initiated by SMTP servers (rather than the
FortiMail unit itself) by configuring access control rules.
When configuring access control rules, do not leave any pattern fields blank.
Instead, to have the FortiMail unit ignore a pattern:
• If Regular expression is disabled for the field, enter an asterisk (*) in the
pattern field.
• If Regular expression is enabled for the field, enter a dot-star (.*) character
sequence in the pattern field.
For example, if you enter an asterisk (*) in the Recipient Pattern field and do not
select Regular expression, the asterisk matches all recipient addresses, and
therefore will not exclude any SMTP sessions from matching the access control
rule.
Similarly, to match any IP address in the Sender IP/Netmask field, enter 0.0.0.0/0.

Caution: If possible, verify configuration of access control rules in a testing
environment before applying them to a FortiMail unit in active use. Failure to
verify correctly configured reject, discard, and accept actions can result in
inability to correctly handle SMTP sessions.

To configure access control rules


1 Go to Mail Settings > Access > Receive.
2 Select Create New to add an access control rule, or, in the row corresponding to
the access control rule that you want to modify, select Edit.
3 Configure the following:


Figure 109:Creating a new access control rule

Sender Pattern
    Enter a complete or partial sender email address to match. The sender
    address examined by the FortiMail unit is the “mail from:” part of the
    message envelope.
    Wildcard characters allow you to enter partial patterns that can match
    multiple sender email addresses. The asterisk (*) represents one or
    more characters and the question mark (?) represents any single
    character.
    For example, the sender pattern ??@*.com will match messages sent by
    any email user with a two-letter email user name from any “.com”
    domain name.
    Regular expression
        Select to use regular expression syntax instead of wildcards to
        specify the sender pattern. For more information, see “Using Perl
        regular expressions” on page 426.
Recipient Pattern
    Enter a complete or partial recipient email address to match. The
    recipient address examined by the FortiMail unit is the “rcpt to:”
    part of the message envelope.
    Wildcard characters allow you to enter partial patterns that can match
    multiple recipient email addresses. The asterisk (*) represents one or
    more characters and the question mark (?) represents any single
    character.
    For example, the recipient pattern *@example.??? will match messages
    sent to any email user at example.com, example.net, example.org, or
    any other “example” domain ending with a three-letter top-level domain
    name.
    Regular expression
        Select to use regular expression syntax instead of wildcards to
        specify the recipient pattern. For more information, see “Using
        Perl regular expressions” on page 426.
Sender IP/Netmask
    Enter the IP address and netmask of the system attempting to deliver
    the email message. Use the netmask, the portion after the slash (/),
    to specify the matching subnet.
    For example, enter 10.10.10.10/24 to match a 24-bit subnet, that is,
    all addresses starting with 10.10.10. This will appear as
    10.10.10.0/24 in the access control rule table, with the 0 indicating
    that any value is matched in that position of the address.
    Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only
    the 10.10.10.10 address. Enter 0.0.0.0/0 to match any address.
Reverse DNS Pattern
    Enter a pattern to compare to the result of a reverse DNS look-up of
    the IP address of the SMTP server delivering the email message.
    Because domain names in the SMTP session are self-reported by the
    connecting SMTP server and easy to fake, the FortiMail unit does not
    trust the domain name that an SMTP server reports. Instead, the
    FortiMail unit does a reverse DNS lookup using the SMTP server’s IP
    address. The resulting domain name is compared to the reverse DNS
    pattern for a match. If the reverse DNS query fails, the access
    control rule match will also fail. If no other access control rule
    matches and the recipient is not in a protected domain, the connection
    will be rejected with SMTP reply code 550 (Relaying denied). For more
    information, see “Determining the default action” on page 205.
    Wildcard characters allow you to enter partial patterns that can match
    multiple reverse DNS lookup results. An asterisk (*) represents one or
    more characters; a question mark (?) represents any single character.
    For example, the reverse DNS pattern mail*.com will match messages
    delivered by an SMTP server whose domain name starts with “mail” and
    ends with “.com”.
    Note: Reverse DNS queries for access control rules require that the
    domain name be a valid top level domain (TLD). For example, “.lab” is
    not a valid top level domain name, and thus the FortiMail unit cannot
    successfully perform a reverse DNS query for it.
    Regular expression
        Select to use regular expression syntax instead of wildcards to
        specify the reverse DNS pattern. For more information, see “Using
        Perl regular expressions” on page 426.
Authentication Status
    Select whether or not to match this access control rule based upon
    client authentication.
    • any: Match this access control rule regardless of whether the client
      has authenticated with the FortiMail unit.
    • authenticated: Match this access control rule only for clients that
      have authenticated with the FortiMail unit.
TLS
    Select a TLS profile to allow or reject the connection based on whether
    the communication session attributes match the settings in the TLS
    profile. If the attributes match, the access control action is
    executed. If the attributes do not match, the FortiMail unit performs
    the Failure action configured in the TLS profile. For more information
    on TLS profiles, see “TLS Profile” on page 350.
Action
    Select the action that the FortiMail unit will perform for SMTP
    sessions matching this access control rule.
    • BYPASS: The FortiMail unit will deliver the email message, but will
      bypass all antispam profile processing. Antivirus, content and other
      scans will still be performed on the email message.
    • RELAY: The FortiMail unit will deliver the email message and process
      it normally, with all configured scanning.
    • REJECT: The FortiMail unit rejects delivery of the email message and
      returns a rejection response to the client attempting delivery of
      the email message.
    • DISCARD: The FortiMail unit accepts the email message but silently
      deletes it without delivery. The FortiMail unit does not inform the
      client.

4 Select OK.

Example access control rules


Example Corporation uses a FortiMail unit that is operating in gateway mode, and
that has been configured with only one protected domain: example.com. The
FortiMail unit has also been configured with the access control rules illustrated in
Figure 110.


Figure 110:A list of sample access control rules

Rule 1
The email account of former employee user932 receives a large amount of spam.
Since this employee is no longer with the company and all of his external contacts
were informed of their new Example Corporation employee contacts, messages
addressed to the former employee’s address must be spam.
Rule 1 uses only the recipient pattern. All the other access control rule attributes
are configured to match any value. This rule rejects all messages sent to the
user932@example.com recipient email address. Rejection at the access control
stage prevents these messages from being scanned for spam and viruses, saving
FortiMail system resources.
This rule is placed first because it is the most specific access control rule in the
list. It applies only to SMTP sessions for that single recipient address. SMTP
sessions sending email to any other recipient do not match it. If a rule that
matched all messages were placed at the top of the list, no rule after the first
would ever be checked for a match, because the first would always match.
SMTP sessions not matching this rule are checked against the next rule.
Rule 2
Much of the spam received by the Example Corporation has no sender specified
in the message envelope. Most valid email messages will have a sender email
address.
Rule 2 uses only the sender pattern. The regular expression “^\s*$” matches a
sender string that is empty or contains nothing but whitespace. If any
non-whitespace character appears in the sender string, this rule does not match.
This rule will reject all messages with no sender, or a sender containing only
spaces.
Not all email messages without a sender are spam, however. Delivery status
notification (DSN) messages often have no specified sender. Bounce notifications
are the most common type of DSN messages. The FortiMail administrators at the
Example Corporation decided that the advantages of this rule outweigh the
disadvantages.
Messages not matching this rule are checked against the next rule.
Rules 3 and 4
Recently, the Example Corporation has been receiving spam that appears to be
sent by example.org. The FortiMail log files revealed that the sender address is
being spoofed and the messages are sent from servers operated by spammers.
Because spam servers often change IP addresses to avoid being blocked, the
FortiMail administrators decided to use two rules to block all mail from
example.org unless delivered from a server with the proper address and host
name.


When legitimate, email messages from example.org are sent from one of multiple
mail servers. All of these servers have IP addresses within the 172.20.120.0/24
subnet and have a domain name of mail.example.org that can be verified using a
reverse DNS query.
Rule 3 uses the recipient pattern, the sender IP, and the reverse DNS pattern. This
rule will relay messages to email users of example.com sent from a client whose
domain name is mail.example.org and IP address is between 172.20.120.1 and
172.20.120.255.
Messages not matching this rule are checked against the next rule.
Rule 4 works in conjunction with rule 3. It uses only the sender pattern. Rule 4
rejects all messages from example.org. But because it is positioned after rule 3 in
the list, rule 4 affects only messages that were not already proven to be legitimate
by rule 3, thereby rejecting only email messages with a fake sender.
Rules 3 and 4 must appear in the order shown. If they were reversed, all mail from
example.org would be rejected. The more specific rule 3 (accept valid mail from
example.org) is placed first, and the more general rule 4 (reject all mail from
example.org) follows.
Messages not matching these rules are checked against the next rule.
Rules 5 and 6
The administrator of example.com has noticed that during peak traffic, a flood of
spam using random user names causes the FortiMail unit to devote a significant
amount of resources to recipient verification. Verification is performed with the aid
of an LDAP server which also expends significant resources servicing these
requests. Example Corporation email addresses start with “user” followed by the
user’s employee number, and end with “@example.com”.
Rule 5 uses only the recipient pattern. The recipient pattern is a regular
expression that will match all email addresses that start with “user”, end with
“@example.com”, and have one or more numbers in between. Email messages
matching this rule are relayed.
Messages not matching this rule are checked against the next rule.
Rule 6, the final rule, works in conjunction with rule 5. Rule 6 rejects all email
messages. But because it is positioned after rule 5 in the list, rule 6 affects only
email messages that do not contain recipient addresses of legitimate email users
according to rule 5. Since the email addresses of the Example Corporation are
formatted the same way, any messages sent to example.com addresses not
formatted in the way configured in rule 5 are not addressed to valid email users.
As with rules 3 and 4, rules 5 and 6 must appear in the order shown. The more
specific rule 5 (relay messages sent to properly formatted example.com email
addresses) is placed first, and the more general rule 6 (reject all messages)
follows.
The way rules 5 and 6 work together to form a simple recipient address format
verification is possible only because all email addresses of the Example
Corporation employees follow the same formatting rules. Even though the
FortiMail unit is configured to verify the recipient addresses, the use of these two
rules at the end of the access control rules list will reduce the amount of traffic
between the FortiMail unit and the LDAP server used for recipient verification.
Only messages with properly formatted recipient email addresses pass scrutiny
by the access control rules. All other messages will be rejected before being
subjected to more resource-intensive scans.


Determining the default action


If no access control rules are configured, or no configured access control rules
match, the FortiMail unit will perform the default action, which varies by whether or
not the recipient is a member of a protected domain.
• For protected domains, the default action is RELAY.
• For unprotected domains, the default action is REJECT.
For information on protected domains, see “Domains” on page 180.
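The matching behaviour described in this section (first match wins; wildcard and regular expression patterns; sender IP/netmask; reverse DNS pattern; authentication status; RELAY as the default for protected domains and REJECT otherwise) is modelled in the following Python script, added here as an example and not FortiMail code. It replays the six rules of the Example Corporation from “Example access control rules”. Because Figure 110 is not reproduced, the exact patterns given to those rules, the reverse DNS data, and the sample sessions are this example's own assumptions; TLS profiles are not modelled.

```python
"""Model of FortiMail receive-side access control rule evaluation.

Added example, not FortiMail code. It implements the matching semantics the
guide describes and replays the six example rules of the Example Corporation.
The exact patterns of those rules, the PTR table and the sample sessions are
assumptions constructed for this example. TLS profiles are left out.
"""
import ipaddress
import re
from dataclasses import dataclass


def compile_pattern(pattern: str):
    """Return a callable that tests a value against a rule pattern.

    "R/..." is a Perl-style regular expression (searched, not anchored, so
    write ^ and $ yourself as the guide's examples do). Anything else is a
    wildcard pattern where * matches a run of characters and ? exactly one.
    Assumption: a lone * also matches an empty value, so the ignore-all
    pattern the guide recommends never excludes a session.
    """
    if pattern.startswith("R/"):
        return re.compile(pattern[2:], re.IGNORECASE).search
    if pattern.startswith("-/"):            # explicit "no regex" prefix from the list view
        pattern = pattern[2:]
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.compile(regex, re.IGNORECASE).fullmatch


@dataclass
class Session:
    sender: str            # MAIL FROM envelope address ("" for a null sender)
    recipient: str         # RCPT TO envelope address
    client_ip: str         # address of the SMTP client delivering the message
    authenticated: bool = False


class Rule:
    def __init__(self, action, sender="*", recipient="*", sender_ip="0.0.0.0/0",
                 reverse_dns="*", auth="any"):
        self.action = action
        self.sender = compile_pattern(sender)
        self.recipient = compile_pattern(recipient)
        # strict=False normalises 10.10.10.10/24 to 10.10.10.0/24, as the
        # rule table displays it.
        self.network = ipaddress.ip_network(sender_ip, strict=False)
        self.uses_reverse_dns = reverse_dns != "*"
        self.reverse_dns = compile_pattern(reverse_dns)
        self.auth = auth

    def matches(self, s: Session, ptr: dict) -> bool:
        if not self.sender(s.sender) or not self.recipient(s.recipient):
            return False
        if ipaddress.ip_address(s.client_ip) not in self.network:
            return False
        if self.auth == "authenticated" and not s.authenticated:
            return False
        if self.uses_reverse_dns:
            name = ptr.get(s.client_ip)     # None models a failed PTR query
            if name is None or not self.reverse_dns(name):
                return False                # a failed lookup fails the rule
        return True


def evaluate(rules, session, protected_domains, ptr):
    """Return (rule number, action); rule number 0 means the default action."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(session, ptr):
            return number, rule.action
    domain = session.recipient.rpartition("@")[2].lower()
    return 0, "RELAY" if domain in protected_domains else "REJECT"


# The six rules of the guide's Example Corporation, with assumed patterns.
EXAMPLE_RULES = [
    Rule("REJECT", recipient="user932@example.com"),                    # 1
    Rule("REJECT", sender=r"R/^\s*$"),                                  # 2: null sender
    Rule("RELAY", recipient="*@example.com", sender_ip="172.20.120.0/24",
         reverse_dns="mail.example.org"),                               # 3
    Rule("REJECT", sender="*@example.org"),                             # 4
    Rule("RELAY", recipient=r"R/^user[0-9]+@example\.com$"),            # 5
    Rule("REJECT"),                                                     # 6: reject the rest
]
PROTECTED = {"example.com"}
PTR = {"172.20.120.25": "mail.example.org",   # constructed reverse DNS data
       "203.0.113.9": "bulk-sender.example.net"}


if __name__ == "__main__":
    for s in (
        Session("ann@example.net", "user932@example.com", "203.0.113.9"),
        Session("", "user100@example.com", "203.0.113.9"),
        Session("bob@example.org", "user100@example.com", "172.20.120.25"),
        Session("bob@example.org", "user100@example.com", "203.0.113.9"),
        Session("bob@example.org", "user100@example.com", "172.20.120.99"),  # no PTR
        Session("ann@example.net", "user100@example.com", "203.0.113.9"),
        Session("ann@example.net", "random@example.com", "203.0.113.9"),
    ):
        print(s.sender or "<>", "->", s.recipient,
              evaluate(EXAMPLE_RULES, s, PROTECTED, PTR))
```

Running the script prints the matching rule number and action for each constructed session. The fifth session shows the reverse DNS caveat from “Creating access control rules”: the client is inside 172.20.120.0/24 but has no PTR record, so rule 3 fails and rule 4 rejects the message, which is exactly the case to test before enabling such a rule on a production unit. Putting rule 4 ahead of rule 3 makes it reject legitimate example.org mail, as the section warns, and with no rules configured the default action depends only on whether the recipient domain is protected.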

Delivery rules
The Delivery tab displays a list of message delivery rules that apply to SMTP
sessions being initiated by the FortiMail unit in order to deliver email.
Message delivery rules enable you to require TLS for the SMTP sessions the
FortiMail unit initiates when sending email to other email servers.
The FortiMail unit compares the domain name portion of the recipient email
address and the IP address of the mail server receiving the email message
against the delivery control rules. The FortiMail unit starts with the first rule and
continues down the list until a match is found. If no match is found, the email
message is delivered. If a match is found, the FortiMail unit compares the TLS
profile settings to the connection attributes and the email message is sent or the
connection is not allowed, depending on the result.
The TLS profile setting allows you to enforce TLS connection settings on sessions
that other servers initiate with the FortiMail unit. If the connection settings do not
match the settings in the TLS profile, the FortiMail unit will not allow the
connection. The TLS profile in the access control list only affects connections to
the FortiMail unit initiated by other servers. To enforce TLS settings when the
FortiMail unit contacts other servers, use email message delivery rules. For
information about TLS profiles, see “TLS” on page 349.
To view the message delivery rule list, go to Mail Settings > Access > Delivery.

Figure 111:Message Delivery Rules

Move
Delete
Edit

#
    The position of the rule in the list.
Domain
    The pattern that describes matching domain names in the recipient
    email address.
Destination IP/Netmask
    The IP address and netmask of the system to which the FortiMail unit
    is sending the email message. IP address 0.0.0.0/0 matches all IP
    addresses.
TLS
    Select a TLS profile to allow or reject the connection based on whether
    the communication session attributes match the settings in the TLS
    profile. If the attributes match, the connection is allowed. If the
    attributes do not match, the Failure action configured in the TLS
    profile is executed.
    For information about TLS profiles, see “TLS” on page 349.
Modify
    Select Edit to modify the rule.
    Select Delete to delete the rule.
    Select Move to change the position of the rule in the list. The
    FortiMail unit matches the rules in sequence, from the top of the list
    down.
Create New
    Create a new delivery control rule. See “Creating delivery control
    rules” on page 206.

Creating delivery control rules


You can configure delivery control rules to enforce use of TLS for connections that
the FortiMail unit initiates to deliver email.
When using wildcards, the asterisk (*) matches all domain names in the
Destination Domain Pattern field. The IP address 0.0.0.0/0 matches all addresses
in the Destination IP/Netmask field.

To configure a delivery control rule


1 Go to Mail Settings > Access > Delivery.
2 Select Create New to add a delivery control rule, or, in the row corresponding to a
delivery control rule that you want to modify, select Edit.
3 Configure the following:

Figure 112:Creating a new message delivery rule

Destination Domain Pattern
    A pattern describing matching domain names in recipient email
    addresses.
    Wildcard characters allow you to enter partial patterns that can match
    multiple domains. The asterisk (*) represents one or more characters
    and the question mark (?) represents any single character.
    For example, the destination domain pattern example.??? will match
    messages sent to any “example” domain name ending with a three-letter
    top-level domain.
Destination IP/Netmask
    The IP address and netmask of the system to which the FortiMail unit
    is sending the email message. Use the netmask, the portion after the
    slash (/), to specify the matching subnet.
    For example, enter 10.10.10.10/24 to match a 24-bit subnet, that is,
    all addresses starting with 10.10.10. This will appear as
    10.10.10.0/24 in the delivery rule table, with the 0 indicating that
    any value is matched in that position of the address.
    Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only
    the 10.10.10.10 address. Enter 0.0.0.0/0 to match any address.
TLS
    Select a TLS profile to allow or reject the connection based on whether
    the communication session attributes match the settings in the TLS
    profile. If the attributes match, the connection is allowed. If the
    attributes do not match, the FortiMail unit performs the Failure
    action configured in the TLS profile. For more information on TLS
    profiles, see “TLS Profile” on page 350.

4 Select OK.
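
The following Python script is an added illustration of how the Destination Domain Pattern and Destination IP/Netmask fields described above select a rule for a delivery attempt; it is not code from this guide or from FortiMail. It implements the wildcard semantics stated in the table (asterisk is one or more characters, question mark is exactly one) and the netmask normalization (10.10.10.10/24 is displayed and matched as 10.10.10.0/24). The rule list, its field names and the top-down first-match order are assumptions of the example; the guide states top-down matching for access control rules, and the example applies the same order to delivery rules.

```python
import ipaddress
import re

# Constructed sample rule table. The field names are this example's own, not the
# FortiMail configuration schema. Rules are evaluated top-down, first match wins
# (assumed to mirror the access control rule ordering described in the guide).
RULES = [
    {"domain_pattern": "example.???", "ip_netmask": "10.10.10.10/24", "tls_profile": "require-tls"},
    {"domain_pattern": "*.partner.example", "ip_netmask": "0.0.0.0/0", "tls_profile": "prefer-tls"},
    {"domain_pattern": "*", "ip_netmask": "0.0.0.0/0", "tls_profile": "none"},
]


def pattern_to_regex(pattern):
    """Translate a Destination Domain Pattern into an anchored regex.

    '*' stands for one or more characters and '?' for exactly one character;
    every other character is literal. Domain names are case-insensitive.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def domain_matches(pattern, domain):
    """True if the recipient domain matches the wildcard pattern in full."""
    return pattern_to_regex(pattern).match(domain) is not None


def normalize_netmask(entry):
    """Render an IP/netmask entry the way the rule table displays it.

    10.10.10.10/24 becomes 10.10.10.0/24 (host bits zeroed); a /32 entry is
    unchanged. ip_network() with strict=False performs that normalization.
    """
    return str(ipaddress.ip_network(entry, strict=False))


def ip_matches(entry, address):
    """True if the destination address falls inside the rule's subnet."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(entry, strict=False)


def select_rule(rules, recipient, next_hop_ip):
    """Return the first rule whose domain pattern and IP/netmask both match, else None."""
    domain = recipient.rsplit("@", 1)[-1]
    for rule in rules:
        if domain_matches(rule["domain_pattern"], domain) and ip_matches(rule["ip_netmask"], next_hop_ip):
            return rule
    return None


def tls_profile_for(recipient, next_hop_ip, rules=RULES):
    """Name of the TLS profile the matching rule applies, or None if no rule matches."""
    rule = select_rule(rules, recipient, next_hop_ip)
    return rule["tls_profile"] if rule else None


if __name__ == "__main__":
    print(normalize_netmask("10.10.10.10/24"))                # 10.10.10.0/24
    print(tls_profile_for("bob@example.com", "10.10.10.77"))  # require-tls
    print(tls_profile_for("bob@example.com", "192.0.2.9"))    # none
```

Because the asterisk requires at least one character, a pattern such as *.partner.example does not match the bare apex .partner.example; put a separate rule for the apex domain if you need one. A catch-all rule with pattern * and address 0.0.0.0/0 at the bottom of the list makes explicit what happens to deliveries no earlier rule covers.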

Mail Queue
The Mail Queue menu enables you to view and manage the FortiMail unit’s email
queues: the deferred queue, the spam queue, and the dead mail folder.
FortiMail units queue email messages when an email message is temporarily
undeliverable, and move email messages to the dead mail folder when all retries
have failed. You can configure aspects of queueing behavior such as the interval
at which the FortiMail unit retries to send the email messages. For more
information, see “Advanced (mail server settings)” on page 169.
The Mail Queue includes the following tabs:
• Deferred Queue
• Spam Queue
• Dead Mail
• Queue Maintenance

Deferred Queue
The Deferred Queue tab displays a list of email messages that are currently in
the deferred queue. Unlike the spam queue, the deferred queue contains only
email messages that are not tagged as spam.

FortiMail units move an email message to the deferred queue upon initial failure
to send the email message, which can be caused by various temporary reasons
such as interruptions to network connectivity. When an email message is
deferred, the FortiMail unit periodically retries to send the deferred email
message. Administrators can also manually initiate an attempt to send the email
message.

If the email is subsequently sent successfully, the FortiMail unit removes the
email from the queue and does not notify the sender. If the email message
continues to be deferred, the FortiMail unit eventually sends an initial
delivery status notification (DSN) email message to notify the sender that
delivery has not yet succeeded. Finally, if the FortiMail unit cannot send the
email message by the end of the time limit for delivery retries, the FortiMail
unit sends a final DSN to notify the sender about the delivery failure and
deletes the email message from the deferred queue. If the sender cannot receive
this notification, such as when the sender’s SMTP server is unreachable or the
sender address is invalid or empty, the FortiMail unit saves a copy of the email
in the dead mail folder. For more information, see “Dead Mail” on page 210.

For information on configuring the delivery retry interval, the maximum amount
of time that an email message can spend in a queue, and DSN timing, see
“Advanced (mail server settings)” on page 169.

To view, delete, or attempt to resend an email message in the deferred queue,
go to Management > Mail Queue > Deferred Queue.

Figure 113: Deferred Queue

Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
View n lines each page: Select the number of lines to display on each page.
Total lines: The total number of lines in the queue.
Goto Line: Enter the line number of the queue, then select Go to display the
    page containing that line number.
#: The line numbers on the page.
Select: In the row corresponding to an email message, mark the checkbox to
    select one or more email messages.
EnvelopeFrom: The sender of the email.
EnvelopeTo: The recipient of the email.
Reason: The reasons why the email has been deferred, such as DNS lookup
    failure or refused connections.
First Processed: The date and time that the FortiMail unit first tried to send
    the email.
Last Processed: The date and time that the FortiMail unit last tried to send
    the email.
Tries: The number of times that the FortiMail unit has tried to send the email.
Check All: Select to mark all checkboxes in the Select column for all email
    messages in the queue.
Uncheck All: Select to unmark all checkboxes in the Select column for all email
    messages in the queue.
Delete: In the Select column, mark the checkboxes in the rows corresponding to
    email messages that you want to delete, then select Delete.
    When you delete a deferred email, the FortiMail unit will send an email
    message, with the deleted email attached to it, to notify the sender.
Resend: In the Select column, mark the checkboxes in the rows corresponding to
    email messages that you want to attempt to send, then select Resend.
Refresh: Select to refresh the list of deferred email messages. This can be
    useful to determine how many email messages are remaining in the queue
    after selecting Resend.

Spam Queue
The Spam Queue tab displays a list of email messages that are currently in the
spam queue. Unlike the deferred queue, the spam queue contains only those
deferred email messages that are tagged as spam.

Note: For information on tagging spam, see “Actions options” on page 257.

FortiMail units move tagged spam to the spam queue upon initial failure to send
the email message, which can be caused by various temporary reasons such as
interruptions to network connectivity. When an email message is deferred, the
FortiMail unit periodically retries to send the deferred email message.
Administrators can also manually initiate an attempt to send the email message.

If the email is subsequently sent successfully, the FortiMail unit removes the
email from the queue and does not notify the sender. If the email message
continues to be deferred, the FortiMail unit eventually sends an initial delivery
status notification (DSN) email message to notify the sender that delivery has
not yet succeeded. Finally, if the FortiMail unit cannot send the email message
by the end of the time limit for delivery retries, the FortiMail unit sends a
final DSN to notify the sender about the delivery failure and deletes the email
message from the queue. If the sender cannot receive this notification, such as
when the sender’s SMTP server is unreachable or the sender address is invalid or
empty, the FortiMail unit saves a copy of the email in the dead mail folder. For
more information, see “Dead Mail” on page 210.

For information on configuring the delivery retry interval, the maximum amount
of time that an email message can spend in a queue, and DSN timing, see
“Advanced (mail server settings)” on page 169.

To view or delete email messages in the spam queue, go to Mail Settings > Mail
Queue > Spam Queue.
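
The retry, DSN and dead-mail sequence described for the deferred queue and the spam queue is the same state machine; the following Python model is an added example of that lifecycle, written for this guide's text rather than taken from FortiMail. The setting names, the minute-based timing and the two delivery outcomes are constructed for the example; the real retry interval, queue time limit and DSN timing are configured under Advanced (mail server settings).

```python
from dataclasses import dataclass


# Constructed queue settings. The field names are this example's own; the real
# values are set under Advanced (mail server settings).
@dataclass
class QueueSettings:
    retry_interval: int      # minutes between delivery attempts
    initial_dsn_after: int   # minutes of deferral before the "not yet delivered" DSN
    max_queue_time: int      # minutes after which delivery is abandoned


@dataclass
class QueuedMessage:
    envelope_from: str
    envelope_to: str
    reason: str = ""          # last deferral reason, as shown in the Reason column
    first_processed: int = 0  # minute of the first attempt
    last_processed: int = 0   # minute of the most recent attempt
    tries: int = 0            # attempts so far, as shown in the Tries column


def run_queue(msg, settings, deliver, sender_reachable=True):
    """Drive one message through the queue until delivery, final DSN or dead mail.

    deliver(attempt_number) returns (ok, reason). sender_reachable says whether
    a DSN to envelope_from can itself be delivered. Returns the ordered list of
    (event, minute) tuples.
    """
    events = []
    now = 0
    initial_dsn_sent = False
    msg.first_processed = now
    while True:
        msg.tries += 1
        msg.last_processed = now
        ok, reason = deliver(msg.tries)
        if ok:
            # Successful delivery: removed from the queue, sender not notified.
            events.append(("delivered", now))
            return events
        msg.reason = reason
        events.append(("deferred", now))
        now += settings.retry_interval
        if now >= settings.max_queue_time:
            # Retry window exhausted: final DSN, message deleted from the queue.
            events.append(("final_dsn", now))
            if not msg.envelope_from or not sender_reachable:
                # Empty or unreachable sender: the DSN, with the original message
                # attached, is saved to the dead mail folder instead.
                events.append(("dead_mail", now))
            return events
        if not initial_dsn_sent and now >= settings.initial_dsn_after:
            # Still deferred after the configured delay: warn the sender once.
            events.append(("initial_dsn", now))
            initial_dsn_sent = True


def always_refused(attempt):
    """Constructed delivery outcome: every attempt is refused."""
    return False, "connection refused"


def succeeds_on_third(attempt):
    """Constructed delivery outcome: two temporary DNS failures, then success."""
    if attempt < 3:
        return False, "DNS lookup failure"
    return True, ""


SETTINGS = QueueSettings(retry_interval=15, initial_dsn_after=60, max_queue_time=120)

if __name__ == "__main__":
    msg = QueuedMessage("alice@example.com", "bob@example.net")
    for event, minute in run_queue(msg, SETTINGS, always_refused):
        print(minute, event)
    print("tries:", msg.tries, "reason:", msg.reason)
```

Two things the model makes visible that the prose only implies: a message whose envelope sender is empty never produces a deliverable DSN, so it goes straight from the final-DSN step into the dead mail folder, and a message that is delivered on a later retry generates no notification at all, so the Tries and Last Processed columns are the only record that it was ever deferred.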

Figure 114: Spam Queue

Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
View n lines each page: Select the number of lines to display on each page.
Total lines: The total number of lines in the queue.
Goto Line: Enter the line number of the queue, then select Go to display the
    page containing that line number.
#: The line numbers on the page.
Select: In the row corresponding to an email message, mark the checkbox to
    select one or more email messages.
EnvelopeFrom: The sender of the email.
EnvelopeTo: The recipient of the email.
Reason: The reasons why the email has been deferred, such as DNS lookup
    failure or refused connections.
First Processed: The date and time that the FortiMail unit first tried to send
    the email.
Last Processed: The date and time that the FortiMail unit last tried to send
    the email.
Tries: The number of times that the FortiMail unit has tried to send the email.

Check All: Select to mark all checkboxes in the Select column for all email
    messages in the queue.
Uncheck All: Select to unmark all checkboxes in the Select column for all email
    messages in the queue.
Delete: In the Select column, mark the checkboxes in the rows corresponding to
    email messages that you want to delete, then select Delete.
    When you delete a deferred email, the FortiMail unit will send an email
    message, with the deleted email attached to it, to notify the sender.
Resend: In the Select column, mark the checkboxes in the rows corresponding to
    email messages that you want to attempt to send, then select Resend.
Refresh: Select to refresh the list of deferred email messages. This can be
    useful to determine how many email messages are remaining in the queue
    after selecting Resend.

Dead Mail
The Dead Mail tab displays the list of email messages that are in the dead mail
folder.

Unlike the spam and deferred queues, the dead mail folder contains copies of
delivery status notification (DSN) email messages from the FortiMail unit
(“postmaster”) to senders of email that is considered to be more permanently
undeliverable, because all previous retry attempts of the deferred email message
have failed. These email messages from “postmaster” include the original email
message for which the DSN was generated.

If an email message can be neither sent nor returned to the sender, it is
usually because both the recipient and sender addresses are invalid. Such email
messages are often sent by spammers who know the domain name of an SMTP server
but not the names of its email users, and are attempting to send spam by
guessing at valid recipient email addresses.

You can configure the FortiMail unit to automatically delete old email messages
in the dead mail folder. Alternatively, if the FortiMail unit is operating in
server mode, you can create a local email account named “postmaster” to receive
these email messages, or create an alias named “postmaster” to an existing email
account, instead of using the dead mail folder.

To view or delete email messages in the dead mail folder, go to Mail Settings >
Mail Queue > Dead Mail.

Figure 115: Dead Mails

Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
View n lines each page: Select the number of lines to display on each page.

Total lines: The total number of lines in the queue.
Sort By: Select the name of the column by which to sort the list.
Delete dead mails n days old (1-365): Enter the number of days after which to
    automatically delete the email from the dead mail folder.
#: The line number.
Select All: To select all email messages in the queue, select the checkbox in
    the column heading. To select individual email messages in the queue,
    select the checkbox in each row corresponding to the email messages that
    you want to select.
From: The sender of the email.
To: The recipient of the email.
Subject: The subject line of the email.
Date: The date and time of the email.
Delete: In the Select All column, mark the checkboxes in the rows corresponding
    to the email messages that you want to delete, then select Delete.

Queue Maintenance
The Queue Maintenance tab enables you to back up and restore the mail queues.
This can be useful if you need to change or reformat the mailbox hard disk.
To back up or restore email message queues, go to Mail Settings > Mail
Queue > Queue Maintenance.

Figure 116: Queue Maintenance

Backup Queue: Select to download a queue backup file to the management
    computer.
Restore Queue: Select to restore a queue backup file from the management
    computer, then either enter the path and filename of the backup file or
    select Browse to locate the file, and select OK.

Address Book
The Address Book menu enables you to configure the address book for local
email users.

Note: This menu option appears only when the FortiMail unit is operating in server mode.

The Address Book menu includes the following tab:
• Address Book

Address Book
The Address Book tab enables you to create and maintain a global address book.

Individual FortiMail webmail users can import the global address book into their
accounts, allowing them to use that information when composing email
messages. For more information, log in to FortiMail webmail and select Help.

To configure the address book, go to Mail Settings > Address Book > Address
Book.

Figure 117: Address Book

New Contact: Select to add a new entry to the address book.
Export .CSV: Select to download a copy of the address book in comma-separated
    value (CSV) file format.
    Exporting the address book can be useful for backup purposes or when
    exporting the address book in order to use a spreadsheet application such
    as Microsoft Excel to make large numbers of changes to the address book.
Import .CSV: Select the Browse button to locate a comma-separated value (CSV)
    file from which to import address book entries, then select Import .CSV to
    upload the file.
    Importing the address book can be useful when restoring a backup of the
    address book, or when importing large numbers of address book entries.
    Note: To replace existing entries, first delete those entries, then import
    the address book file. The FortiMail unit compares the Webmail_ID value of
    each entry in the address book file, and will not overwrite existing
    address book entries.
Delete Checked: In the checkbox column, either select the checkbox in the
    column heading to select all entries, or mark the checkboxes of individual
    entries that you want to delete, then select Delete Checked.
Previous page: Select to display the previous page of entries.
    This option appears when viewing pages of entries other than the first
    page.
Next page: Select to display the next page of entries.
Show n each page: Select the number of entries to display per page.
Total: n
    The total number of entries in the address book.
Sort Last Name: Select to rearrange the list of entries, sorting by the last
    name. Address book entries whose last names are identical are secondarily
    sorted by their first name.
    This option appears only if the list of address book entries is currently
    sorted by first names.

Sort First Name: Select to rearrange the list of entries, sorting by the first
    name.
    This option appears only if the list of address book entries is currently
    sorted by last names.
Name: The first and last name for the selected email address, not including
    the middle name and/or nickname.
Email: The email address for the entry.
Modify: Select Delete to remove the entry. Select Edit to modify the entry.
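
The Import .CSV note above states the merge rule: an entry whose Webmail_ID already exists is left untouched rather than overwritten. The following Python is an added example of that rule applied to a CSV file, written for this guide's text and not taken from FortiMail. Webmail_ID is the only column the guide names; the other column names, the sample entries and the dictionary layout are assumptions of the example, so export a real address book from the unit to see the actual header row before relying on any of them.

```python
import csv
import io

# Assumed column layout. Webmail_ID is named in the guide; the remaining column
# names are this example's own, not the FortiMail export format.
FIELDS = ["Webmail_ID", "First_Name", "Last_Name", "Email"]


def parse_address_book(csv_text):
    """Parse CSV text into a dict keyed by Webmail_ID, validating the header first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [f for f in FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("CSV is missing required columns: %s" % ", ".join(missing))
    entries = {}
    for row in reader:
        wid = row["Webmail_ID"].strip()
        if not wid:
            raise ValueError("row without Webmail_ID: %r" % row)
        entries[wid] = {f: row[f].strip() for f in FIELDS}
    return entries


def import_address_book(existing, csv_text):
    """Merge an import file into the address book without overwriting.

    Mirrors the rule stated in the guide: an entry whose Webmail_ID already
    exists is skipped, so replacing an entry requires deleting it first.
    Returns (merged_book, added_ids, skipped_ids).
    """
    merged = dict(existing)
    added, skipped = [], []
    for wid, entry in parse_address_book(csv_text).items():
        if wid in merged:
            skipped.append(wid)
        else:
            merged[wid] = entry
            added.append(wid)
    return merged, added, skipped


def export_address_book(book):
    """Write the address book back out as CSV with the same header row."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for wid in sorted(book):
        writer.writerow(book[wid])
    return out.getvalue()


# Constructed sample data: the unit's current book, and an import file in which
# the entry for Webmail_ID 1001 carries a changed email address.
EXISTING = {
    "1001": {"Webmail_ID": "1001", "First_Name": "J", "Last_Name": "Smith",
             "Email": "jsmith@example.com"},
}
IMPORT_CSV = """Webmail_ID,First_Name,Last_Name,Email
1001,J,Smith,j.smith@example.com
1002,Pat,Lee,plee@example.com
"""

if __name__ == "__main__":
    book, added, skipped = import_address_book(EXISTING, IMPORT_CSV)
    print("added:", added, "skipped (already present):", skipped)
    print(export_address_book(book))
```

Reporting the skipped Webmail_ID values is the useful part: after a bulk import those are exactly the entries whose changes did not take effect, which is what you need to know before deciding whether to delete and re-import them as the note describes.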

To add a new contact

1 Go to Mail Settings > Address Book > Address Book.
2 Select New Contact.
3 Enter information for the contact.
You must enter a first name, a last name, or an email address. Other fields are
optional.

Figure 118:Creating an address book entry

4 Select Save.

To delete a contact
1 Go to Mail Settings > Address Book > Address Book.
2 Mark the checkboxes of address book entries that you want to delete.
• To delete all address book entries, in the checkbox column heading, select the
checkbox.
• To delete individual address book entries, in the checkbox column, in each row
corresponding to an address book entry that you want to delete, select the
checkbox.
3 Select Delete Checked.
A confirmation message appears.
4 Select Delete.

Proxies
The Proxies menu enables you to configure the transparent proxies of the
FortiMail unit.

Note: This menu option appears only when the FortiMail unit is operating in transparent
mode.

The Proxies menu includes the following tab:
• SMTP

Incoming vs. outgoing SMTP connections

Proxy behaviors are configured separately based upon whether the SMTP
connection is considered to be incoming or outgoing. Because a FortiMail SMTP
proxy considers the network layer rather than the application layer when
deciding whether to intercept a connection, the concept of incoming and outgoing
connections differs slightly from that of incoming and outgoing email messages:
directionality is determined by the IP addresses of the connecting clients and
servers, rather than by the email addresses of recipients.

Note: For information on the concept of incoming vs. outgoing at the application layer, see
“Incoming vs. outgoing recipient-based policies” on page 355.

Incoming connections consist of those destined for the SMTP servers that are
protected domains of the FortiMail unit. For example, if the FortiMail unit is
configured to protect the SMTP server whose IP address is 10.1.1.1, the FortiMail
unit treats all SMTP connections destined for 10.1.1.1 as incoming. For
information about configuring protected domains, see “Domains” on page 180.
Outgoing connections consist of those destined for SMTP servers that the
FortiMail unit has not been configured to protect. For example, if the FortiMail unit
is not configured to protect the SMTP server whose IP address is 192.168.1.1, all
SMTP connections destined for 192.168.1.1 will be treated as outgoing,
regardless of their origin.

For example, in the following sample diagram, an email user configures their mail
user agent (MUA) such as Microsoft Outlook to send email using 10.1.1.1, an
SMTP server that has been configured as a protected domain on the FortiMail
unit. Because 10.1.1.1 is the SMTP server for a protected domain, all SMTP
connections from the MUA to 10.1.1.1 will be considered incoming. However,
when 10.1.1.1 relays the email message to SMTP servers that have not been
configured as protected domains on the FortiMail unit, those SMTP connections
are outgoing.
If the email user configures their MUA to send email using the unprotected SMTP
server 192.168.1.1, the MUA never connects to the IP address associated with a
protected domain, and therefore all the SMTP connections from this email user
will be outgoing.

Figure 119:Incoming vs. outgoing SMTP connections

FortiMail SMTP relay vs. unprotected SMTP servers

When operating in transparent mode, FortiMail units can use their own built-in
SMTP relay to send email.
In the example topology in the previous section, if the email user specifies the
unprotected SMTP server 192.168.1.1 as the outgoing SMTP server, you can
either let email users send email using that specified unprotected SMTP server, or
ignore the client’s specification and insist that the FortiMail unit send the email
message itself.
• If you permit the client to specify an unprotected SMTP server, the FortiMail
unit will allow the email client to connect to it, and will not act as a formal relay.
If the client’s attempt to send the email message using the client-specified mail
server fails, the FortiMail unit will simply drop the connection and will not retry.
• If you insist that the client relay email using the FortiMail unit rather than the
client-specified relay, the FortiMail unit will act as an MTA, queuing email for
temporary delivery failures and sending error messages back to the email
senders for permanent delivery failures.
Enabling the FortiMail unit to allow client-specified unprotected SMTP servers
may be useful if, for example, you are an ISP and allow customers to use the
SMTP servers of their own choice, but do not want to spend resources to maintain
SMTP connections to external SMTP servers.
For information on configuring this feature, see “Use client-specified SMTP server
to send email” on page 216.

SMTP
The SMTP tab enables you to configure the following SMTP proxy settings
separately for incoming and outgoing SMTP connections.

Note: For definitions of incoming and outgoing connections, see “Incoming vs. outgoing
SMTP connections” on page 214.

When operating in transparent mode, the FortiMail unit can use transparent
proxies to inspect SMTP connections. If enabled for connections on that network
interface, transparent proxies scan and process the connection. If proxying is not
enabled, the FortiMail unit can either block or permit the connection to pass
through unmodified.
Exceptions to SMTP connections that can be proxied include SMTP connections
destined for the FortiMail unit itself. For those local connections, such as email
messages from email users requesting deletion or release of their quarantined
email, you can choose to either allow or block the connection.

Note: The FortiMail transparent SMTP proxy only picks up the SMTP traffic. Whether the
email will be scanned or not depends on the policies you specify. For more information
about policies, see “Policy” on page 355.

To configure the SMTP proxies, go to Mail Settings > Proxies > SMTP.

Figure 120: SMTP Proxy Settings

Use client-specified SMTP server to send email: Select to allow the client to
    pass email to the SMTP server that they specify, rather than using the
    FortiMail unit’s own built-in relay. For more information, see “FortiMail
    SMTP relay vs. unprotected SMTP servers” on page 215.
    If disabled, the FortiMail unit itself relays email to its destination.
    Disclaimer messages require that this option be enabled. For more
    information, see “Disclaimer” on page 172.
    For security reasons, this option does not apply if there is no session
    profile selected in the applicable IP-based policy. For more information
    on configuring IP policies, see “IP based policies” on page 359.
Port: The name of a FortiMail network interface.

Incoming SMTP connections: Select how the proxy will handle SMTP connections on
    each network interface that are destined for the IP addresses of email
    servers belonging to a protected domain.
    • are passed through: The FortiMail unit permits but does not proxy SMTP
      connections destined for the IP addresses of SMTP servers for protected
      domains. Because traffic is not proxied, no policies will be applied.
    • are dropped: The FortiMail unit drops SMTP connections destined for the
      IP addresses of SMTP servers for protected domains.
    • are proxied: The FortiMail unit proxies SMTP connections destined for the
      IP addresses of SMTP servers for protected domains. Once proxied,
      incoming policies determine any further scanning or logging actions. For
      more information, see “Policy” on page 355.
Outgoing SMTP connections: Select how the proxy will handle SMTP connections on
    each network interface that are destined for the IP addresses of email
    servers that do not belong to a protected domain.
    • are passed through: The FortiMail unit permits but does not proxy SMTP
      connections destined for the IP addresses of SMTP servers that are not
      associated with protected domains. Because traffic is not proxied, no
      policies will be applied.
    • are dropped: The FortiMail unit drops SMTP connections destined for the
      IP addresses of SMTP servers that are not associated with protected
      domains.
    • are proxied: The FortiMail unit proxies SMTP connections destined for the
      IP addresses of SMTP servers that are not associated with protected
      domains. Once proxied, outgoing policies determine any further scanning
      or logging actions. For more information, see “Policy” on page 355.
Local SMTP connections: Select how the FortiMail unit will handle SMTP
    connections on each network interface that are destined for the FortiMail
    unit itself.
    • are allowed: SMTP connections will be allowed.
    • are not allowed: SMTP connections will be blocked.
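
The direction rule from “Incoming vs. outgoing SMTP connections” and the per-interface actions in the table above are combined in the following Python example, added here to illustrate the guide's text; it is not FortiMail code. It classifies a connection by destination address alone (a connection to an unprotected server is outgoing whatever its origin, one to a protected server is incoming, one to the unit itself is local) and then looks up the configured action. The interface names, the addresses 10.1.1.1 and 192.168.1.1 from the guide's own examples, the unit's address 10.1.1.254 and the dictionary layout are assumptions of the example.

```python
import ipaddress

# Constructed configuration. Interface names, addresses and the dictionary
# layout are this example's assumptions, not the FortiMail configuration schema.
PROTECTED_SERVER_IPS = {"10.1.1.1"}     # SMTP servers of protected domains
FORTIMAIL_IPS = {"10.1.1.254"}          # the unit's own interface addresses

# Per-interface settings as chosen on the SMTP proxy tab.
PROXY_SETTINGS = {
    "port1": {"incoming": "are proxied", "outgoing": "are proxied", "local": "are allowed"},
    "port2": {"incoming": "are dropped", "outgoing": "are passed through", "local": "are not allowed"},
}


def classify_connection(dst_ip):
    """Direction of an SMTP connection, decided by destination IP only.

    The source address is irrelevant: a connection to an unprotected server is
    outgoing regardless of origin, one to a protected server is incoming, and
    one to the unit itself is local.
    """
    ip = str(ipaddress.ip_address(dst_ip))   # normalizes and rejects malformed input
    if ip in FORTIMAIL_IPS:
        return "local"
    if ip in PROTECTED_SERVER_IPS:
        return "incoming"
    return "outgoing"


def proxy_action(interface, dst_ip):
    """(direction, configured action) for a connection arriving on an interface."""
    direction = classify_connection(dst_ip)
    return direction, PROXY_SETTINGS[interface][direction]


def policies_apply(action):
    """Only proxied connections are subject to incoming/outgoing policies;
    passed-through traffic is never scanned and dropped traffic never arrives."""
    return action == "are proxied"


def trace_relay_path(hops):
    """Classify each hop of a message path, e.g. MUA -> 10.1.1.1 -> external MX,
    which is the scenario drawn in Figure 119."""
    return [(dst, classify_connection(dst)) for dst in hops]


if __name__ == "__main__":
    # An MUA submits to the protected server, which then relays outward.
    for dst, direction in trace_relay_path(["10.1.1.1", "203.0.113.25"]):
        print(dst, direction)
    # The same MUA submitting directly to an unprotected server is outgoing only.
    print(proxy_action("port2", "192.168.1.1"))   # ('outgoing', 'are passed through')
```

The practical check this enables: for every interface, ask whether the chosen action for each direction is one to which policies apply. An interface whose outgoing connections "are passed through" will carry unscanned mail from any client that points its MUA at an outside server, which matches the ISP use case the guide describes but is rarely what a corporate deployment intends.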

User
The User menu enables you to configure settings related to email users such as
PKI authentication, per-user white lists and email address aliases.
If the FortiMail unit is operating in server mode, the User menu also enables you
to add email user accounts that can access their email hosted on the FortiMail unit
through webmail, POP3 or IMAP.
The User menu includes:
• User
• User Preferences
• User Alias
• Address Map
• PKI User

User
The User menu enables you to view individual email user preferences and, if the
FortiMail unit is operating in server mode, configure email user accounts.
The User menu includes the following tabs:
• User
• User Preferences

User
The User tab enables you to configure email user accounts for the protected
domains that are hosted on the FortiMail unit.

Note: This option appears only if the FortiMail unit is operating in server mode.

Email users can check their email using webmail or through an email client such
as Microsoft Outlook, using POP3 or IMAP. For information on webmail and other
features used directly by email users, see “Instructions for email users” on
page 531.
Some antispam behaviors can be configured specifically for each email user
account. For example, each email user can train their own per-user Bayesian
database and create white lists and black lists specific to their email user account.
For information on configuring per-user white lists and black lists, see “User
Preferences” on page 224. For information on per-user Bayesian databases, see
“User” on page 389.
To view the list of email user accounts, go to User > User > User.

Figure 121: User

Show Users Of Domain: Select the protected domain to display its email users,
    or to select the protected domain to which you want to add an email user
    account before selecting Create New.
Export .CSV: Select to download a backup of the email users list in
    comma-separated value (CSV) file format. For more information, see “To
    export the email user list” on page 221.
Import .CSV: In the field to the right side of Import .CSV, enter the location
    of a CSV-formatted email user backup file, then select Import .CSV to
    upload the file to your FortiMail unit. For more information, see “To
    import an email user list” on page 221.
Browse: Select to locate an email user list backup file before selecting
    Import .CSV.
ALL, 0-9, A ... Z: Select a letter or number to display email users whose user
    names begin with that character. Alternatively, select ALL to display a
    list containing all email users.
View n lines each page: Select the number of lines to display per page.
Go to line: Enter the index number of the line you want to display, then select
    Go.
Delete Selected Users: To delete all email user accounts, in the checkbox
    column, mark the checkbox in the column heading to select all email users,
    then select Delete Selected Users.
    To delete individual email user accounts, in the checkbox column, mark
    checkboxes in the rows of email users that you want to delete, then select
    Delete Selected Users.
Reassign a new password to the selected users: To change the password of all
    email user accounts, in the checkbox column, mark the checkbox in the
    column heading to select all email users, then select Reassign a new
    password to the selected users.
    To change the password of individual email user accounts, in the checkbox
    column, mark checkboxes in the rows of email users for which you want to
    change the password, then select Reassign a new password to the selected
    users.
#: The index number of each email user in the list.
Check box: Select the checkbox in the column heading to mark the checkboxes of
    all email users.
    Select the checkboxes in the rows of individual email users to select only
    those email users.

User Name: The user name of an email user, such as “user1”. This is also the
    user name portion of the email user’s primary email address.
    To alphabetically sort the list of email users by user name, select the
    arrow icon in the column heading for this column.
Display Name: The display name of an email user, such as “J Smith”. This name
    appears in the “From:” field in the message headers of email messages sent
    from this email user.
Disk Usage (M): The disk space used by mailboxes for the email user, in
    megabytes.
Modify: Select Delete to remove the email user account.
    Select Edit to modify the email user account.
    Select Maintenance to view or delete the list of mailboxes for that email
    user. For more information, see “Managing the disk usage of email users’
    mailboxes” on page 223.
Create New: Select to create a new email user account. For more information,
    see “Creating an email user account” on page 222.

To export the email user list

1 Go to User > User > User.
2 Select Export .CSV.
3 If your browser prompts you for a location to save the file, select a folder.
A backup file containing all protected domains’ list of email user accounts in
comma-separated value (CSV) file format is downloaded to your management
computer.

To import an email user list

Note: Before importing a user list or adding an email user, you must first configure one or
more protected domains to which the email users will belong. For more information, see
“Domains” on page 180.

1 Go to User > User > User.
2 Select Browse to locate the email user list backup file that you want to import.
The file must be in comma-separated value (CSV) file format, and contain fields
required by email user accounts. For reference, export an email user list and
compare the file that you want to import with the structure of the exported file.
3 Select Import .CSV.
The FortiMail unit imports the file.

To delete multiple email user accounts

Caution: Before beginning this procedure, back up the list of email user
accounts. This procedure permanently deletes one or more email user accounts,
which cannot be undone. For more information on backing up email user account
data, see “To export the email user list” on page 221.

1 Go to User > User > User.
2 From Show Users Of Domain, select the name of the protected domain from
which you want to remove email user accounts.

3 To delete all email user accounts for the protected domain, mark the checkbox
located in the checkbox column heading.
To delete individual email user accounts, in the checkbox column, mark the
checkboxes of each email user account that you want to remove.
4 Select Delete Selected Users.
A confirmation dialog appears.
5 Select OK.

To change the password of multiple email user accounts

Caution: This procedure sets the same password for one or more email user
accounts, which can result in reduced security of the email users’ accounts. To
reduce risk, set a strong password and notify each email user whose password
has been reset to configure a unique, strong password as soon as possible.

1 Go to User > User > User.
2 From Show Users Of Domain, select the name of the protected domain in which
you want to change email user account passwords.
3 To change the passwords of all email user accounts for the protected domain,
mark the checkbox located in the checkbox column heading.
To change the passwords of individual email user accounts, in the checkbox
column, mark the checkboxes of each email user account whose password you
want to change.
4 Select Reassign a new password to the selected users.
5 Select either:
• Password, then enter the password for this email account, or
• LDAP, then select the name of an LDAP profile in which you have enabled and
configured the User Auth Options query, which enables the FortiMail unit to
query the LDAP server to authenticate the email user.

Note: You can create LDAP profiles using the advanced mode of the web-based manager.
For more information, see “Creating LDAP profiles” on page 321.

6 Select OK.

Creating an email user account


You can create email user accounts for each protected domain on the FortiMail
unit.

Note: Before importing a user list or adding an email user, you must first configure one or
more protected domains to which the email users will belong. For more information, see
“Domains” on page 180.

To add an email user


1 Go to User > User > User.
2 From Show Users Of Domain, select the name of the protected domain to which
you want to add an email user.


3 Select Create New.


A dialog appears.

Figure 122: New User

4 In User Name, enter the user name portion of the email address that will be locally
deliverable on the FortiMail unit.
For example, an email user may have numerous aliases, mail routing, and other
email addresses on other systems in your network, such as
accounting@example.com; this user name, however, reflects the email user’s
account on this FortiMail unit, such as jsmith.
5 Select either:
• Password, then enter the password for this email account, or
• LDAP, then select the name of an LDAP profile in which you have enabled and
configured the User Auth Options query, which enables the FortiMail unit to
query the LDAP server to authenticate the email user.

Note: The LDAP option requires that you first create an LDAP profile in which you have
enabled and configured User Auth Options. For more information, see “Creating LDAP
profiles” on page 321.

6 In Display Name, enter the name of the user as it should appear in the message
envelope.
For example, an email user whose email address is user1@example.com may
prefer that their Display Name be “J Smith”.
7 Select OK.

Managing the disk usage of email users’ mailboxes


Especially if your email users often send or receive large attachments, email
users’ mailboxes may rapidly consume the hard disk space of the FortiMail unit.
You can manage the disk usage of email users’ mailboxes by monitoring the size
of the folders, and optionally deleting their contents.
For example, if each email user has a mailbox folder named “Spam” that receives
tagged spam, you might want to periodically empty the contents of these folders to
reclaim hard disk space.

Figure 123: Viewing an email user’s mailbox folder disk usage


Folder Name The name of the email user’s mailbox folder, such as Sent.
Disk Usage(Byte) The amount of hard disk space used by the mailbox folder.
Folder Action Select Clear Folder to empty the contents of the email folder.

To empty a mailbox folder


1 Go to User > User > User.
2 In the Modify column for the email user whose mailbox folders you want to
manage, select Maintenance.
A list of mailbox folder names with their hard disk usages appears.
3 In the row corresponding to the mailbox folder that you want to empty, such as
Trash, select Clear Folder.
A confirmation dialog appears.
4 Select OK.

User Preferences
The User Preference tab enables you to configure preferences for each email
user, such as per-user white lists and preferred webmail language.
To view the webmail user preference list, go to User > User > User Preferences.

Figure 124: User Preferences

Show Users Of Domain: Select the protected domain to display its email users, or to select
the protected domain to which you want to add an email user account before selecting
Create New.
ALL, 0-9, A ... Z: Select a letter or number to display the list of preferences of email
users whose user names begin with that character. Alternatively, select ALL to display a
list containing all email users.
Search: Enter the complete user name, then select Search to display the preferences entry
for that email user.
View n lines each page: Select the number of lines to display per page.
Go to line: Enter the index number of the line you want to display, then select Go.


#: The index number of each email user preference entry in the list.
Check box: Select the checkbox in the column heading to mark the checkboxes of all email
user preference entries. Select the checkboxes in the rows of individual email user
preference entries to select only those email users.
User Name: The user name of an email user, such as “user1”. To alphabetically sort the
list of email user preference entries by user name, select the arrow icon in the column
heading for this column.
Language: The language in which this email user prefers to display their quarantine and,
if the FortiMail unit is operating in server mode, webmail. By default, this language
preference is the same as the system-wide language preference for the web-based manager
of the FortiMail unit. For information on the system-wide language preference, see
“Options” on page 137.
White List: Indicates whether or not a personal white list currently exists for this email
user, and enables you to configure, back up, and restore the personal white list. White
lists include sender IP addresses, domain names, and email addresses that the email user
wants to permit.
• New: A personal white list does not currently exist for this email user. Select to
create a per-user white list.
• Edit: A personal white list currently exists for this email user. Select to modify the
personal white list, or to back up or restore the email user’s personal white list.
Note that system-level lists take precedence over domain-level lists, while domain-level
lists take precedence over personal-level lists. For more information on white lists and
black lists, see “Black/White List” on page 399.
Black List: Indicates whether or not a personal black list currently exists for this email
user, and enables you to configure, back up, and restore the personal black list. Black
lists include sender IP addresses, domain names, and email addresses that the email user
wants to block.
• New: A personal black list does not currently exist for this email user. Select to
create a personal black list.
• Edit: A personal black list currently exists for this email user. Select to modify the
personal black list, or to back up or restore the email user’s personal black list.
Note that system-level lists take precedence over domain-level lists, while domain-level
lists take precedence over personal-level lists. For more information on white lists and
black lists, see “Black/White List” on page 399.
Secondary Accounts: Indicates whether or not this email user will also handle quarantined
email messages for other email addresses.
• New: A list of email addresses whose quarantines will be managed by this email user
does not currently exist. Select to add this list of email addresses.
• Edit: A list of email addresses whose quarantines will be managed by this email user
already exists. Select to modify this list of email addresses.


Add Outgoing Email Addresses to WhiteList: Indicates whether or not the FortiMail unit will
automatically add recipient addresses in outgoing email sent by this email user to their
per-user white list, if it is allowed in the antispam profile. For more information, see
“Actions options” on page 257.
• Empty check box: Automatic per-user whitelisting is disabled.
• Marked check box: Automatic per-user whitelisting is enabled.
Email users can change this setting in their webmail preferences. For more information,
log in to the FortiMail webmail, then select Help.
This setting can be initialized manually or automatically. FortiMail administrators can
manually create and configure this setting when configuring email user preferences. If
the setting has not yet been created when either:
• an email user logs in to FortiMail webmail
• an email user sends outgoing email through the FortiMail unit
• a FortiMail administrator configures the email user’s personal black or white list
(see “Personal black/white list” on page 404)
then the FortiMail unit will automatically initialize this setting as disabled.
Modify: Select Delete user to remove email user preferences for that email user.
Select Edit user preference to modify email user preferences for that email user. For more
information, see “Editing email user preferences” on page 226.
Select Reset user preference to default to reset email preferences for that email user.
Create New: Enter an email user name, then select Create New to create email preferences
for that email user. For more information, see “Editing email user preferences” on
page 226.
Go: To clear selected per-user or domain white or black lists, select an option, then
select Go. Options include:
• Clear Whitelist for all selected users
• Clear Blacklist for all selected users
• Clear Whitelist for all domain users
• Clear Blacklist for all domain users

Editing email user preferences


Both FortiMail administrators and email users can modify the email user’s
preferences. Administrators can modify preferences for each email user through
the web-based manager; email users can modify their own preferences by logging
in to the FortiMail webmail or quarantine.
Available preferences for email users vary by whether or not the FortiMail unit is
operating in server mode. For example, out-of-office status messages and mail
forwarding can only be configured for email user accounts when the FortiMail unit
is operating in server mode.

To edit the preferences for an email user


1 Go to User > User > User Preferences.
2 In the row corresponding to the email user whose preferences you want to modify,
select Edit user preference.
3 Configure the following:


Figure 125: User Preference (transparent mode and gateway mode)

Figure 126: User Preference (server mode)


Language: Select the email user’s preferred language in which to display the quarantine
and, if the FortiMail unit is operating in server mode, FortiMail webmail. Languages
available by default include:
• English
• Traditional Chinese
• Simplified Chinese
• Korean
• Japanese
• French
• German
• Italian
• Hebrew
• Spanish
• Polish
• Portuguese
• Turkish
Additional languages may be available if you have installed their language resource
files. For more information, see “Appearance” on page 176.
On Holiday (server mode only): Select whether or not the FortiMail unit automatically
responds to email messages received for this email user, which is typically used for
out-of-office/vacation responses.
• ON: Select to enable automatic response. Also configure Set auto-reply message.
• OFF: Select to disable automatic response.
Set auto-reply message (server mode only): Select to enter the message body that the
FortiMail unit will use to automatically reply when On Holiday is set to ON.
Auto Forward (server mode only): Select whether or not the FortiMail unit will
automatically forward email messages received for this email user to another email
address.
• ON: Select to automatically forward, then enter the email address to which email will
be forwarded.
• OFF: Select to disable automatic forwarding.
Leave a copy in mailbox (server mode only): Select to retain a copy of email messages
received for this user that have been automatically forwarded. This option is available
only if Auto Forward is ON, after you have entered the email address to which email will
be forwarded.


Add outgoing email addresses to "White" list: Select whether or not to automatically add
recipient addresses in outgoing email sent by this email user to their per-user white
list, if it is allowed in the antispam profile. For more information, see “Actions
options” on page 257.
• ON: Automatically whitelist recipient addresses in outgoing email for this email user.
• OFF: Do not automatically whitelist recipient addresses in outgoing email for this
email user.
Email users can change this setting in their webmail preferences. For more information,
log in to the FortiMail webmail, then select Help.
This setting can be initialized manually or automatically. FortiMail administrators can
manually create and configure this setting when configuring email user preferences. If
the setting has not yet been created when either:
• an email user logs in to FortiMail webmail
• an email user sends outgoing email through the FortiMail unit
• a FortiMail administrator configures the email user’s personal black or white list
(see “Personal black/white list” on page 404)
then the FortiMail unit will automatically initialize this setting as disabled.
Black/White Lists: Configure the per-user white and/or black list for this email user.
• Black: Select to view, modify, back up or restore the per-user black list for this
email user.
• White: Select to view, modify, back up or restore the per-user white list for this
email user.
For information on configuring per-user white lists and black lists, see “User
Preferences” on page 224. For information on white lists and black lists in general, see
“Black/White List” on page 399.
Receive Spam Report: Select whether or not the FortiMail unit will automatically and
periodically generate spam reports for this email user.
• ON: Periodically generate spam reports for this email user. Depending on your
configuration, spam reports may be sent to an email address other than the email
address of this email user. For example, you could configure the FortiMail unit to send
spam reports to the email address of a person who is responsible for reviewing spam
reports for multiple users.
FortiMail units will generate a spam report for an email user only if all of the
following conditions are true:
  • In antispam profiles that have been used to process email for this email user, you
  have enabled the options “Quarantine” and “Send Spam Report”. For more information,
  see “Actions options” on page 257.
  • The email user’s “Bulk” folder exists.
  • The email user has received spam since the previous spam report was generated. (If
  no spam has been received, there is nothing to report.)
  • The email user preference “Receive Spam Report” is ON.
• OFF: Do not generate spam reports for this email user.
This option applies only if generation of spam reports has been enabled for the
protected domain. For more information, see “Creating a protected domain” on page 182.
For more information on spam reports, see “Spam Report” on page 376.


Primary Accounts: Select an email address to view the email user preferences of that
primary account. Email addresses listed in this field are email users for which this
email user is a secondary account. This option is not available (“None” appears) if this
email user has not been configured as the secondary account of any other email user. For
information on configuring secondary accounts, see “Secondary Accounts” on page 230.
Secondary Accounts: Select “None” or an email address to define other email addresses
whose quarantine will be managed by this email user. Email addresses listed in this field
are email users for which this email user is a primary account.

4 Select OK.

User Group
The User Group menu enables you to configure groups of email users.
The User Group menu includes the following tab:
• User Group

User Group
The User Group tab enables you to group related email user accounts.
Email user groups can simplify the creation of policies: when creating policies, you
can select the name of an email user group, rather than entering each email user
name individually.
To view the list of user groups, go to User > User Group > User Group.

Figure 127: User Group

Select a domain Select the name of a protected domain to display user groups
that belong to it.
User Group Name The name of the user group.
Members The email users that are members of this user group.
Modify Select Delete to remove an email user group.
Select Edit to modify an email user group. For more information,
see “To add an email user group” on page 230.
Create New Select Create New to add an email user group. For more
information, see “To add an email user group” on page 230.

To add an email user group


1 Go to User > User Group > User Group.
2 From Select a domain, select the name of a protected domain in which you want
to form an email user group.


3 Select Create New.


A dialog appears.

Figure 128: New User Group

Group Name Enter the name for this user group.


Available Users Select the name of one or more email users, then select the right arrow
to move them to the Members area.
Members Select the name of one or more email users, then select the left arrow to
remove them from the Members area, returning them to the Available
Users area.

4 In Group Name, enter the name of the email user group.


5 Select the members of the email user group:
• In the Available Users area, select the names of one or more email users that
you want to add to the email user group, then select the right arrow to move
them to the Members area.
• In the Members area, select the names of one or more email users that you
want to remove from the email user group, then select the left arrow to return
them to the Available Users area.
6 Select OK.

User Alias
The User Alias menu enables you to configure email address aliases.
The User Alias menu includes the following tabs:
• User Alias

User Alias
The User Alias tab enables you to configure email address aliases for protected
domains.
Aliases are sometimes also called distribution lists, and may translate one email
address to the email addresses of several recipients, also called members, or
may be simply a literal alias — that is, an alternative email address that resolves
to the real email address of a single email user.


For example, groupa@example.com might be an alias that the FortiMail unit will
expand to user1@example.com and user2@example.com, having the effect of
distributing an email message to all email addresses that are members of that
alias, while john.smith@example.com might be an alias that the FortiMail unit
translates to j.smith@example.com. In both cases, the FortiMail unit converts the
alias in the recipient fields of incoming email messages into the member email
addresses of the alias, each of which is the email address of an email user that
is locally deliverable on the SMTP server or FortiMail unit.

Note: Members of an alias can include the email address of the alias itself.
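The expansion behaviour described above, written out as an added Python example that is not FortiMail's own code: the alias table, the local domain set and every address in it are constructed for illustration, and the walk handles both a member equal to the alias itself (kept as the alias's own mailbox) and aliases that loop back on each other.

```python
"""Recipient alias expansion modelled on the User Alias behaviour described
above (added example, not FortiMail code). An alias may be a distribution
list (one address to many members) or a literal alias (one address to one),
and an alias may list its own address as a member."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed alias table for the protected domain example.com.
ALIASES: Dict[str, List[str]] = {
    "groupa@example.com": ["user1@example.com", "user2@example.com"],
    "john.smith@example.com": ["j.smith@example.com"],
    # Self-member: the alias address is also a real local mailbox that
    # receives one copy in addition to the other members.
    "team@example.com": [
        "team@example.com",
        "groupa@example.com",
        "partner@smtp.example.com",
    ],
}

# Domains whose addresses are locally deliverable (constructed).
LOCAL_DOMAINS: Set[str] = {"example.com"}


def expand_recipient(address: str,
                     aliases: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return the final delivery addresses for one recipient, in order.

    Aliases are expanded transitively and each address is delivered at most
    once. A member equal to the alias itself is kept as a mailbox rather than
    expanded again; the visited set also stops mutual loops (a -> b -> a).
    """
    table = ALIASES if aliases is None else aliases
    resolved: List[str] = []
    visited: Set[str] = set()

    def walk(addr: str) -> None:
        addr = addr.strip().lower()
        if addr in visited:
            return
        visited.add(addr)
        members = table.get(addr)
        if members is None:
            resolved.append(addr)       # not an alias: deliver as-is
            return
        for member in members:
            member = member.strip().lower()
            if member == addr:
                resolved.append(addr)   # the alias's own mailbox
            else:
                walk(member)

    walk(address)
    return resolved


def split_by_delivery(addresses: List[str],
                      local_domains: Set[str] = LOCAL_DOMAINS
                      ) -> Tuple[List[str], List[str]]:
    """Separate locally deliverable addresses from those relayed elsewhere."""
    local = [a for a in addresses if a.rsplit("@", 1)[-1] in local_domains]
    remote = [a for a in addresses if a.rsplit("@", 1)[-1] not in local_domains]
    return local, remote


if __name__ == "__main__":
    for rcpt in ("groupa@example.com", "john.smith@example.com", "team@example.com"):
        final = expand_recipient(rcpt)
        print(rcpt, "->", final, split_by_delivery(final))
```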

To view the user alias list, go to User > User Alias > User Alias.

Figure 129: User Alias

Select a domain Select the name of a protected domain to view email address aliases for
that protected domain.
Alias Name The email address of the alias, such as groupa@example.com.
Members The email addresses to which the alias will translate, which may be the
email addresses of one or more local or non-local email users. Multiple
email addresses are comma-delimited.
Modify Select Delete to remove the alias.
Select Edit to modify the alias.
Create New Select to add an alias. For more information, see “Creating an email
address alias” on page 232.

Creating an email address alias


You can add email address aliases for each protected domain.
Aliases can contain either or both local and non-local email addresses as
members of the alias. For example, if the local protected domain is
mail.example.com, you could create an email address alias whose members are:
• user1@mail.example.com, which is locally deliverable to the protected domain
• user1@smtp.example.com, which is not locally deliverable to the protected
domain

To add an email address alias


1 Go to User > User Alias > User Alias.
2 From Select a domain, select the name of the protected domain for which you
want to create an email address alias.


3 Select Create New.


A dialog appears. Its appearance varies by whether or not the FortiMail unit is
operating in server mode.

Figure 130: New User Alias (gateway mode and transparent mode)

Figure 131: New User Alias (server mode)

4 If the FortiMail unit is operating in server mode, from Show Users of Domain,
select the name of a protected domain to display the email addresses of users
from a specific protected domain, or select “all” to display the email addresses of
all email users in all protected domains.
The email addresses of email users from the selected protected domain (that is,
local users) appear in the Available Local Users area.
5 In Alias Name, enter the user name portion of the email address alias.
For example, for the alias group1@example.com, you would enter group1.


6 Select the members of the alias.


If the FortiMail unit is operating in gateway mode or transparent mode:
• To add members to the alias, in the field to the left of the Add button, enter the
email address, then select Add. The email address appears in the Members
area.
• To remove members from the alias, in the Members area, select one or more
email addresses, then select Remove Selected.
If the FortiMail unit is operating in server mode:
• To add local email addresses as members to the alias, in the Available Local
Users area, select one or more email addresses, then select the right arrow.
The email addresses are removed from the Available Local Users area, and
appear in the Members area.
• To add non-local email addresses as members to the alias, in the External
Email Address field, enter the email address, then select the right arrow next to
the field. The email address appears in the Members area.
• To remove members from the alias, in the Members area, select one or more
email addresses, then select the left arrow. The email addresses are removed
from the Members area; local email addresses return to the Available Local
Users area.
7 Select OK.

Address Map
The Address Map menu enables you to configure email address mappings.
The Address Map menu includes the following tab:
• Address Map

Address Map
The Address Map tab enables you to configure email address mappings.
Address mappings can be useful when you want to redirect email messages or
hide internal email addresses.
You can alternatively create address mappings by configuring the FortiMail unit to
query an LDAP server that contains address mappings. For more information, see
“LDAP Profile” on page 320.
To view the address map list, go to User > Address Map > Address Map.

Figure 132: Address Map list

Select a domain: Select the name of a protected domain to view the address map for that
protected domain, or to select the protected domain for which you want to make an
address map before selecting Create New.


Internal Email Address: The email address to which the external address will be converted.
This email address will be visible to internal clients, such as email users on your
private network.
External Email Address: The email address to which the internal email address will be
converted. This email address will be visible to external clients, such as SMTP servers
on the Internet.
Modify: Select Delete to remove an address map. Select Edit to modify an address map. For
more information, see “Creating an email address mapping” on page 235.
Create New: Select the name of a protected domain for which you want to create an address
map from Select a domain, then select Create New to add an address map. For more
information, see “Creating an email address mapping” on page 235.

Creating an email address mapping


You can configure email address mappings to convert external email addresses
into related internal email addresses.

To create an address mapping


1 Go to User > Address Map > Address Map.
2 From Select an internal domain, select the name of a protected domain for which
you want to create an address mapping.
3 Select Create New.
A dialog appears.

Figure 133: New Email Address Map

4 In Internal Email Address, enter the user name portion (the portion before the “@”
symbol) of the internal email address.
The internal address is an email address that is hosted on the SMTP server for
this protected domain, but that will not be visible to external networks.
5 In External Email Address, enter the user name portion (the portion before the
“@” symbol) of the external email address.
The external email address is the email address that will be visible to external
networks, and correlates to the internal email address.
6 Select the name of a protected domain that will be used as the domain name
portion (the portion after the “@” symbol) of the external email address.
7 Select OK.

PKI User
The PKI User menu enables you to configure public key infrastructure (PKI)
authentication for email users and FortiMail administrators.
The PKI User menu includes the following tab:


• PKI User

PKI User
The PKI User tab displays a list of public key infrastructure (PKI) users.
PKI users can authenticate by presenting a valid client certificate, rather than by
entering a user name and password. A PKI user can be either an email user or a
FortiMail administrator.
When the PKI user connects to the FortiMail unit with his or her web browser, the
web browser presents the PKI user’s certificate to the FortiMail unit. If the
certificate is valid, the FortiMail unit then authenticates the PKI user. To be valid, a
client certificate must:
• Not be expired
• Not be revoked by either a certificate revocation list (CRL) or, if enabled, the
online certificate status protocol (OCSP)
• Be signed by a certificate authority (CA) whose certificate you have imported
into the FortiMail unit
• Contain a “ca” field whose value matches the CA certificate
• Contain an “issuer” field whose value matches the “subject” field in the CA
certificate
• Contain a “subject” field whose value contains the Subject configured for the PKI
user, unless that Subject is empty
• If LDAP Query is enabled, contain a common name (CN) or Subject Alternative
field whose value matches the email address of a user object retrieved using
the User Query Options of the LDAP profile
If the client certificate is not valid, depending on whether you have configured the
FortiMail unit to require valid certificates, authentication will either fail absolutely,
or fall back to user name and password authentication.
If the certificate is valid and authentication succeeds, the PKI user’s web browser
is redirected to either the web-based manager (for PKI users that are FortiMail
administrators) or the mailbox folder that contains quarantined spam (for PKI
users that are email users).
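The validity conditions listed above, applied in order as a policy check. This is an added Python example, not FortiMail's own code: the certificate and the per-PKI-user settings are plain constructed values, CA signature verification is represented only by the issuer-name comparison, and the CRL, OCSP and LDAP lookups are injected callables so that the Unavailable Action and LDAP Query branches can be exercised offline.

```python
"""Policy model of the PKI client-certificate checks described above
(added example, not FortiMail code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple


@dataclass
class ClientCert:
    """Fields of a presented client certificate (constructed, not parsed X.509)."""
    subject: str                      # e.g. "CN=jsmith,O=Example"
    issuer: str                       # must equal the CA certificate's subject
    not_after: datetime
    serial: str
    cn_email: Optional[str] = None    # email carried in the CN, if any
    san_emails: List[str] = field(default_factory=list)  # rfc822Name SAN entries


@dataclass
class PkiUserConfig:
    """Per-PKI-user settings as named on the New User dialog."""
    ca_subject: Optional[str]         # subject of the imported CA cert; None = "none"
    subject: str = ""                 # value the cert subject must contain; "" = unchecked
    ldap_query: bool = False
    query_field: str = "Subject Alternative"  # or "CN"
    ocsp: bool = False
    unavailable_action: str = "revoke"        # "revoke" or "ignore"

    def __post_init__(self) -> None:
        # The dialog requires CA or Subject; a user with neither cannot be validated.
        if self.ca_subject is None and not self.subject:
            raise ValueError("configure at least one of CA or Subject")


def never_revoked(serial: str) -> bool:          # default CRL lookup
    return False


def ocsp_good(serial: str) -> Optional[str]:     # default OCSP responder
    return "good"


def no_ldap_users(email: str) -> bool:           # default LDAP user query
    return False


def validate_client_cert(
    cert: ClientCert,
    cfg: PkiUserConfig,
    now: datetime,
    crl_revoked: Callable[[str], bool] = never_revoked,
    ocsp_status: Callable[[str], Optional[str]] = ocsp_good,  # "good"|"revoked"|None
    ldap_has_email: Callable[[str], bool] = no_ldap_users,
) -> Tuple[bool, str]:
    """Apply the validity conditions; return (valid, reason for the first failure)."""
    if now > cert.not_after:
        return False, "expired"
    if crl_revoked(cert.serial):
        return False, "revoked by CRL"
    if cfg.ocsp:
        status = ocsp_status(cert.serial)          # None means responder unavailable
        if status == "revoked":
            return False, "revoked by OCSP"
        if status is None and cfg.unavailable_action == "revoke":
            return False, "OCSP unavailable, treated as revoked"
        # "good", or unavailable with Unavailable Action = ignore: keep checking
    if cfg.ca_subject is not None and cert.issuer != cfg.ca_subject:
        return False, "issuer does not match the CA certificate subject"
    if cfg.subject and cfg.subject not in cert.subject:
        return False, "subject does not contain the configured value"
    if cfg.ldap_query:
        if cfg.query_field == "CN":
            candidates = [cert.cn_email] if cert.cn_email else []
        else:
            candidates = cert.san_emails
        if not any(ldap_has_email(e) for e in candidates):
            return False, "no LDAP user object matches the certificate email"
    return True, "ok"


def authenticate(cert: ClientCert, cfg: PkiUserConfig, now: datetime,
                 require_valid_cert: bool, **checkers) -> str:
    """Outcome of a login attempt: fail outright or fall back to password mode."""
    valid, reason = validate_client_cert(cert, cfg, now, **checkers)
    if valid:
        return "authenticated"
    if require_valid_cert:
        return "failed: " + reason
    return "password fallback: " + reason


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    demo = ClientCert("CN=jsmith,O=Example", "CN=Example CA",
                      datetime(2099, 1, 1, tzinfo=timezone.utc), "01",
                      san_emails=["jsmith@example.com"])
    cfg = PkiUserConfig(ca_subject="CN=Example CA", ocsp=True, unavailable_action="revoke")
    print(authenticate(demo, cfg, now, True, ocsp_status=lambda s: None))
```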
To view the list of PKI users, go to User > PKI User.

Figure 134: PKI user list

PKI authentication Select whether to enable or disable PKI authentication.


Caution: Before disabling PKI authentication, select another mode
of authentication for FortiMail administrators and email users that
are currently using PKI authentication. Failure to first select another
authentication method before disabling PKI authentication will
prevent them from being able to log in.
Name The name of the PKI user.


Domain The protected domain to which the PKI user is assigned. If Domain
is System, the PKI user belongs to all domains configured on the
FortiMail unit. For PKI users who are FortiMail administrators,
Domain is System. For more information, see “Domains” on
page 180.
CA The name of the CA certificate used when validating the CA’s
signature of the client certificate. For more information, see “CA
Certificate” on page 161.
Subject The value which must match the “subject” field of the client
certificate. If empty, matching values are not considered when
validating the client certificate presented by the PKI user’s web
browser.

LDAP If LDAP Query is enabled, the LDAP configuration of this PKI user is
shown in three parts:
• Whether the LDAP query setting is enabled (indicated by “E”) or
disabled (indicated by “-”).
• The name of the LDAP profile used for the query. For more
information, see “LDAP Profile” on page 320.
• The name of the field in the client certificate (either Subject
Alternative or CN) whose value must match the email address of
a user object in the LDAP directory.
For example, E/tldap/Subject Alternative indicates that
LDAP query is enabled, and will use the LDAP profile called tldap
to validate the Subject Alternative field of the client certificate.
OCSP If Online Certificate Status Protocol (OCSP) is enabled, the OCSP
configuration of this PKI user is shown in three parts:
• Whether OCSP is enabled (indicated by “E”) or disabled
(indicated by “-”).
• The URL of the OCSP server.
• The action to take if the OCSP server is unavailable. If set to
ignore, the FortiMail unit allows the user to authenticate. If set to
revoke, the FortiMail unit behaves as if the certificate is currently
revoked, and authentication fails.
For example, E/https://www.example.com/Revoke indicates that
OCSP is enabled, using the OCSP server at
https://www.example.com, and that if the OCSP server is unavailable,
the FortiMail unit prevents the user from authenticating.
Modify Delete or edit the PKI user.
Create New Select Create New to create a new PKI user. For more information,
see “Creating a PKI user” on page 237.

Creating a PKI user


You must configure a public key infrastructure (PKI) user for each email user
and/or FortiMail administrator that will authenticate using PKI.

Note: PKI users that are email users can only be configured if the FortiMail unit is operating
in transparent mode or gateway mode.

To create a PKI user


1 Go to User > PKI User.
2 Select Create New.
3 Configure the following:


Figure 135: New User

User Name Enter the name of the PKI user.


Domain Select the protected domain to which the PKI user is assigned. If Domain is
System, the PKI user belongs to all domains configured on the FortiMail
unit. For PKI users who are FortiMail administrators, Domain is System. For
more information, see “Domains” on page 180.
CA Select either “none” or the name of the CA certificate to use when validating
the CA’s signature of the client certificate. For more information, see “CA
Certificate” on page 161.
If you select “none”, you must configure Subject.
Subject Enter the value which must match the “subject” field of the client certificate.
If empty, matching values are not considered when validating the client
certificate presented by the PKI user’s web browser.
If you do not configure Subject, you must configure CA.
LDAP Query Enable to query an LDAP directory, such as Microsoft Active Directory, to
determine the existence of the PKI user who is attempting to authenticate,
then also configure LDAP Profile and Query Field.
LDAP Profile Select the LDAP profile to use when querying the LDAP
server. For more information, see “LDAP Profile” on
page 320.
This option is available only if LDAP Query is enabled.
Query Field Select the name of the field in the client certificate (either
CN or Subject Alternative) which contains the email address
of the PKI user.
This email address will be compared with the value of the
email address attribute for each user object queried from
the LDAP directory to determine if the PKI user exists in the
LDAP directory.
This option is available only if LDAP Query is enabled.
OCSP Enable to use an Online Certificate Status Protocol (OCSP) server to query
whether the client certificate has been revoked, then also configure URL,
Remote Certificate, and Unavailable Action.
URL The URL of the OCSP server.
This option is available only if OCSP is enabled.
Remote Certificate Select the remote certificate that is used to verify the
identity of the OCSP server. For more information, see
“Remote” on page 163.
This option is available only if OCSP is enabled.
Unavailable Action Select the action to take if the OCSP server is unavailable.
If set to ignore, the FortiMail unit allows the user to
authenticate. If set to revoke, the FortiMail unit behaves as
if the certificate is currently revoked, and authentication
fails.
This option is available only if OCSP is enabled.


4 Select OK.
5 Configure the following aspects of the FortiMail unit and the PKI user’s computer:
• Import each PKI user’s client certificate into the web browser of each computer
from which the PKI user will access the FortiMail unit. For details on installing
certificates, see the documentation for your web browser. Client certificates
must be valid. For information on how FortiMail units validate the client
certificates of PKI users, see “PKI User” on page 236.
• Import the CA certificate into the FortiMail unit. For more information, see “CA
Certificate” on page 161.
• For PKI users that are FortiMail administrators, select the PKI authentication
type and select a PKI user to which the administrator account corresponds.
For more information, see “Admin” on page 138.
• For PKI users that are email users, enable PKI user authentication in the
recipient-based policies which match those email users. For more information,
see “Incoming policies” on page 357.

Caution: Control access to each PKI user’s computer. Certificate-based PKI authentication
controls access to the FortiMail unit based upon PKI certificates, which are installed on
each email user’s or administrator’s computer. Anyone who can access a computer where
those PKI certificates are installed can authenticate to the FortiMail unit as that user, which
can compromise the security of your FortiMail unit.
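The checks in the PKI user dialog above (CA, Subject, LDAP Query with its Query Field, OCSP with its Unavailable Action) combine into one accept/reject decision. The following is an added example that models that decision in Python; it is not FortiMail code. The certificate, the LDAP directory and the OCSP responder are constructed stand-ins, and the names ClientCert, PkiUser and authenticate are assumptions made for this example. The parse_ocsp_column helper reads the compact OCSP column format shown in the PKI user list (for example E/https://www.example.com/Revoke, or “-” when OCSP is disabled).

```python
"""Model of the PKI user checks described above (added example, not FortiMail code).

Each check maps to a field in the PKI user dialog: CA, Subject, LDAP Query /
Query Field, OCSP / Unavailable Action. The certificate, directory and OCSP
responder are constructed stand-ins so the logic runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ClientCert:
    """Minimal view of a client certificate (constructed, not parsed from DER)."""
    subject: str                       # full subject, e.g. "CN=alice@example.com,O=Example"
    issuer: str
    san_emails: list = field(default_factory=list)
    serial: int = 0

    @property
    def cn(self) -> str:
        return next((p[3:] for p in self.subject.split(",") if p.startswith("CN=")), "")


@dataclass
class PkiUser:
    """The PKI user settings from the dialog; attribute names follow the dialog labels."""
    ca: Optional[str] = None           # name of a CA certificate, or None for "none"
    subject: Optional[str] = None
    ldap_query: bool = False
    query_field: str = "CN"            # "CN" or "Subject Alternative"
    ocsp: bool = False
    unavailable_action: str = "revoke" # "ignore" or "revoke"


class OcspUnavailable(Exception):
    """Raised by the responder stand-in when the OCSP server cannot be reached."""


def parse_ocsp_column(value: str):
    """Parse the compact OCSP column, e.g. 'E/https://www.example.com/Revoke' or '-'."""
    if value == "-":
        return None
    enabled, rest = value.split("/", 1)
    url, action = rest.rsplit("/", 1)
    return {"enabled": enabled == "E", "url": url, "unavailable_action": action.lower()}


def authenticate(user: PkiUser, cert: ClientCert, trusted_cas: dict,
                 ldap_emails: set, ocsp_status: Callable[[int], str]) -> tuple:
    """Return (allowed, reason) following the rules in the table above."""
    if user.ca is None and not user.subject:
        return False, "configuration error: either CA or Subject must be set"
    # CA: the certificate must have been issued by the selected CA certificate.
    if user.ca is not None and trusted_cas.get(user.ca) != cert.issuer:
        return False, "certificate not issued by selected CA"
    # Subject: exact match against the certificate subject when configured.
    if user.subject and user.subject != cert.subject:
        return False, "subject mismatch"
    # LDAP Query: the email taken from CN or SAN must exist in the directory.
    if user.ldap_query:
        email = cert.cn if user.query_field == "CN" else (cert.san_emails[0] if cert.san_emails else "")
        if email.lower() not in ldap_emails:
            return False, "user not found in LDAP directory"
    # OCSP: ask the responder; the Unavailable Action decides the failure mode.
    if user.ocsp:
        try:
            status = ocsp_status(cert.serial)
        except OcspUnavailable:
            if user.unavailable_action == "ignore":
                return True, "OCSP unavailable, ignored"
            return False, "OCSP unavailable, treated as revoked"
        if status != "good":
            return False, f"certificate status {status}"
    return True, "ok"


# Constructed fixtures for the example
TRUSTED_CAS = {"Example-CA": "CN=Example Root CA"}
LDAP_EMAILS = {"alice@example.com"}
REVOKED_SERIALS = {42}


def responder_ok(serial: int) -> str:
    return "revoked" if serial in REVOKED_SERIALS else "good"


def responder_down(serial: int) -> str:
    raise OcspUnavailable("timeout")


ALICE = ClientCert(subject="CN=alice@example.com,O=Example", issuer="CN=Example Root CA",
                   san_emails=["alice@example.com"], serial=7)
```

The point worth checking before deployment is the last branch: with Unavailable Action set to ignore, an outage of the OCSP responder silently turns revocation checking off, so a revoked certificate authenticates until the responder is reachable again.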


Profile
The Profile menu enables you to configure profiles, which are a collection of
settings for antispam, antivirus, authentication, or other features.
After creating and configuring a profile, you can apply it either directly in a policy,
or indirectly, by inclusion in another profile that is selected in a policy. Policies
apply each selected profile to all email messages and SMTP connections that the
policy governs. For information about policies, see “Policy” on page 355.
Creating multiple profiles for each type of profile enables you to customize your
email service by applying different profiles to policies that govern different SMTP
connections or email users. For instance, if you are an Internet Service Provider
(ISP), you might want to create and apply antivirus profiles only to policies
governing email users who pay you to provide antivirus protection.
Using the Profile menu, you can configure the following profiles:
• AntiSpam
• AntiVirus
• Authentication
• Misc (server mode)
• Content
• Session
• Dictionary
• LDAP
• IP Pool
• TLS

AntiSpam
The AntiSpam menu enables you to configure antispam profiles.
FortiMail units can use various methods to detect spam, such as the
FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic
scanning. Antispam profiles contain settings for these features that you may want
to vary by policy. Depending on the feature, before you configure antispam
policies, you may need to enable the feature or configure its system-wide settings.
For more information, see “AntiSpam” on page 365.
Antispam profiles are created and applied separately based upon the incoming or
outgoing directionality of the SMTP connection or email message. For more
information, see “Incoming vs. outgoing recipient-based policies” on page 355
and “Incoming vs. outgoing SMTP connections” on page 214.
For information on the order in which FortiMail units perform each type of
antispam scan, see “Order of execution” on page 25.
The AntiSpam menu contains the following tabs:
• Incoming
• Outgoing


Incoming
The Incoming tab enables you to configure antispam profiles for incoming email
messages and SMTP connections.

Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.

To view the list of incoming antispam profiles, go to Profile > AntiSpam >
Incoming.

Figure 136: Incoming antispam profile list (callouts: Delete, Edit, Copy)

Profile The name of the profile.


Domain The entire FortiMail unit (“system”) or name of a protected domain to
which the administrator account who created this profile is assigned.
For more information, see “Administrator account permissions and
domains” on page 139.
Modify Select Delete to remove a profile. This option appears only if the
profile is not currently selected in a policy.
Select Edit to modify a profile. For more information, see “To create
an incoming antispam profile” on page 242.
Select Copy to create a new profile by duplicating the settings of an
existing profile. For more information, see “To create a profile by
duplicating an existing profile” on page 244.
Create New Select to add a profile. For more information, see “To create an
incoming antispam profile” on page 242.

To create an incoming antispam profile


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New.
A dialog appears.
3 Configure the following:


Figure 137: Creating an incoming antispam profile

Profile Name Enter the name of the profile.


FortiGuard-Antispam scan See “FortiGuard-Antispam scan options” on page 245.
Forged IP scan Select to have the FortiMail unit look up the canonical host name of the
sending SMTP client’s IP address (reverse DNS), then resolve that host name
and compare the returned IP addresses with the client’s IP address. If the
client’s IP address is not among them, the FortiMail unit treats the email
message as spam.
For more information, see “Forged IP scanning” on page 23.
Greylist scan Select to enable greylisting. For more information, see “Greylist”
on page 406.
DNSBL scan See “DNSBL scan options” on page 246.
Deep header scan See “Deep header scan options” on page 247.
SURBL scan See “SURBL scan options” on page 248.
Bayesian scan See “Bayesian scanning” on page 23 and “Bayesian scan options”
on page 249.
Heuristic scan See “Heuristic scan options” on page 250.
Dictionary scan See “Dictionary scan options” on page 252.
Banned word scan See “Banned word scanning” on page 25 and “Banned word scan
options” on page 253.
Whitelist word scan See “Whitelist word scanning” on page 25 and “Whitelist word scan
options” on page 254.


Image spam scan See “Image spam scan options” on page 255.
Treat messages with viruses as spam Enable to have the FortiMail unit classify email messages with
viruses as spam and treat them accordingly.
Scan Conditions See “Scan Conditions options” on page 256.
Actions See “Actions options” on page 257.

4 Select OK.

To create a profile by duplicating an existing profile


1 Go to Profile > AntiSpam > Incoming.
2 In the row corresponding to the profile whose settings you want to duplicate when
creating the new profile, select Copy.
3 In To, enter a name for the new profile.

Figure 138: Copy AntiSpam Profile

4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.

To apply changes to multiple profiles


1 Go to Profile > AntiSpam > Incoming.
2 In the row corresponding to an existing profile whose settings you want to modify,
select Edit.
The option to apply changes to multiple profiles does not appear when creating a
new profile. You must modify an existing profile.
3 Modify the profile, changing only those settings that you want to apply to multiple
profiles.
4 Select Apply To Profiles.
A dialog appears, summarizing the changes you are about to apply.

Figure 139: Review Anti-spam Profile Change

5 If you want to undo some of the changes or make additional changes, select
Change Profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.


Figure 140: Select profiles

7 Select OK.
A success message appears. To display the list of profiles, select Return.

FortiGuard-Antispam scan options


The FortiGuard-Antispam scan section of antispam profiles enables you to
configure the FortiMail unit to query the FortiGuard Antispam service to determine
if any of the uniform resource identifier (URI) (that is, hyperlinks) in the message
body are associated with spam. If any URI is blacklisted, the FortiMail unit
considers the email to be spam, and you can select the action that the FortiMail
unit will perform.
If you enable the Black IP scan option, in addition to the URI query, the FortiMail
unit will query the FortiGuard Antispam service to determine if the IP address of
the SMTP server is blacklisted. If the Black IP scan option located in the Deep
header scan section is enabled, FortiGuard-Antispam scan will also examine the
IP addresses of all other SMTP servers that appear in the Received: lines of the
message header. For more information, see “Deep header scan options” on
page 247.
FortiGuard Antispam scans do not examine private network addresses, which are
defined in RFC 1918.
Before enabling FortiGuard-Antispam scan, you must enable and configure the
FortiGuard Antispam service. For more information, see “FortiGuard-AntiSpam”
on page 385 and “Update” on page 122.

To configure FortiGuard antispam scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Enable FortiGuard-Antispam scan.

Figure 141: FortiGuard-Antispam scan

4 From Actions, select the action that you want the FortiMail unit to perform if the
FortiGuard Antispam scan determines that the email is spam.
For more information, see “Actions options” on page 257.


5 If you want the FortiMail unit to query the FortiGuard Antispam service to
determine if the IP address of the SMTP server is blacklisted, enable Black IP
scan.
Whether the FortiMail unit queries for the blacklist status of the IP address of only
the most recent SMTP server or of all SMTP servers in the Received: lines of
the message header varies by the configuration of Deep header scan. For more
information, see “Deep header scan options” on page 247.
If this option is disabled, the FortiMail unit will query FortiGuard Antispam for URIs
associated with spam, but will not query for IP addresses.
6 Select OK.

DNSBL scan options


The DNSBL scan section of antispam profiles enables you to configure the
FortiMail unit to query one or more DNS black list (DNSBL) servers to determine if
the IP address of the SMTP server has been blacklisted. If the IP address is
blacklisted, the FortiMail unit considers the email to be spam, and you can select
the action that the FortiMail unit will perform.
DNSBL scans examine the IP address of the SMTP server that is currently
delivering the email message. If the Black IP scan option located in the Deep
header scan section is enabled, DNSBL scan will also examine the IP addresses
of all other SMTP servers that appear in the Received: lines of the message
header. For more information, see “Deep header scan options” on page 247.
DNSBL scans do not examine private network addresses, which are defined in
RFC 1918.

To configure DNSBL scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Enable DNSBL scan.

Figure 142: DNSBL scan

4 From Actions, select the action that you want the FortiMail unit to perform if the
DNSBL scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 Next to DNSBL scan, select Config.
A pop-up window appears, enabling you to enter the domain names of DNSBL
servers that will be used with this profile.
6 Configure the following:


Figure 143: DNSBL server list (callouts: Delete, Edit, Move)

# The index number of the DNSBL server.


Enable DNSBL Filtering The domain name of the DNSBL server.
Modify Select Delete to remove the DNSBL server.
Select Edit to modify the domain name of the DNSBL server.
Select Move to change the order of the DNSBL server in the list.
New Select to add a new DNSBL server by entering its domain
name.
Close Select to close the pop-up window that contains the DNSBL
server list.
Caution: Closing the pop-up window does not save the
antispam profile and its associated DNSBL server list. To save
changes to the DNSBL server list, in the antispam profile, select
OK before navigating away to another part of the web-based
manager.

7 Select Close.
The pop-up window closes.
8 In the profile, select OK.
The FortiMail unit saves the profile and its associated DNSBL server list.

Deep header scan options


The Deep header scan section of antispam profiles enables you to configure the
FortiMail unit for more extensive inspection of message headers. If the message
header inspection indicates that the email message is spam, the FortiMail unit
considers the email to be spam, and you can select the action that the FortiMail
unit will perform.
For more information, see “Deep header scanning” on page 23.

To configure deep header scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Deep header scan.

Figure 144: Deep header scan

4 From Actions, select the action that you want the FortiMail unit to perform if the
deep header scan determines that the email is spam.
For more information, see “Actions options” on page 257.


5 Configure the following:

Black IP scan Select to query for the blacklist status of the IP addresses of all
SMTP servers appearing in the Received: lines of the message header.
If this option is disabled, the FortiMail unit checks only the IP
address of the current SMTP client.
This option applies only if you have also configured either or both
FortiGuard-Antispam scan and DNSBL scan. For more information,
see “FortiGuard-Antispam scan options” on page 245 and “DNSBL
scan options” on page 246.
Headers analysis Select to inspect all message headers for known spam
characteristics.
If FortiGuard-Antispam scan is enabled, this option uses results from
that scan, providing up-to-date header analysis. For more
information, see “FortiGuard-Antispam scan options” on page 245.

6 Enable Deep header scan.
This option becomes available after you have enabled either or both Black IP scan
and Headers analysis.
7 Select OK.

SURBL scan options


The SURBL scan section of antispam profiles enables you to configure the
FortiMail unit to query one or more spam URI realtime black list (SURBL) servers
to determine if any of the uniform resource identifier (URI) (that is, hyperlinks) in
the message body are associated with spam. If any URI is blacklisted, the
FortiMail unit considers the email to be spam, and you can select the action that
the FortiMail unit will perform.

To configure SURBL scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Enable SURBL scan.

Figure 145: SURBL scan

4 From Actions, select the action that you want the FortiMail unit to perform if the
SURBL scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 Next to SURBL scan, select Config.
A pop-up window appears, enabling you to enter the domain names of SURBL
servers that will be used with this profile.
6 Configure the following:


Figure 146: SURBL server list (callouts: Delete, Edit, Move)

# The index number of the SURBL server.


Enable SURBL Filtering The domain name of the SURBL server.
Modify Select Delete to remove the SURBL server.
Select Edit to modify the domain name of the SURBL server.
Select Move to change the order of the SURBL server in the list.
New Select to add a new SURBL server by entering its domain
name.
Close Select to close the pop-up window that contains the SURBL
server list.
Caution: Closing the pop-up window does not save the
antispam profile and its associated SURBL server list. To save
changes to the SURBL server list, in the antispam profile, select
OK before navigating away to another part of the web-based
manager.

7 Select Close.
The pop-up window closes.
8 In the profile, select OK.
The FortiMail unit saves the profile and its associated SURBL server list.
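The DNSBL, Deep header and SURBL sections above describe three lookups that all ride on DNS: a reversed-octet query for the SMTP client’s IP address, the same query repeated for every earlier hop in the Received: lines when Black IP scan is enabled under Deep header scan, and a query for the domain of each URI in the message body. The following added example (not FortiMail code) shows how those query names are formed and which addresses are excluded. DNS is replaced by a constructed lookup table so it runs offline; the zone names dnsbl.example.net and surbl.example.net, the listed entries and the sample message are all made up for illustration, and the two-label domain reduction in registered_domain is a simplification of what real SURBL clients do.

```python
"""Added example (not FortiMail code): how Black IP (DNSBL) and SURBL lookups
are formed, and which addresses the deep header scan adds to the query set.

DNS is replaced by a constructed lookup table so the example runs offline; the
zone names and listed entries are made up for illustration.
"""
import ipaddress
import re
from email import message_from_string

# Constructed DNS answers: name -> A record. Real DNSBL/SURBL zones answer with
# 127.0.0.x for listed entries and NXDOMAIN (here: missing key) otherwise.
FAKE_DNS = {
    "4.3.2.1.dnsbl.example.net": "127.0.0.2",          # 1.2.3.4 is listed
    "spamdomain.test.surbl.example.net": "127.0.0.8",  # spamdomain.test is listed
}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_private(ip: str) -> bool:
    """RFC 1918 (and other non-global) addresses are never queried."""
    return not ipaddress.ip_address(ip).is_global


def received_ips(raw_message: str) -> list:
    """IPs in Received: lines, newest hop first (the current SMTP client is first)."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(RECEIVED_IP.findall(hdr))
    return ips


def black_ip_scan(raw_message: str, zones: list, deep_header: bool,
                  resolve=FAKE_DNS.get) -> list:
    """Return the (ip, zone) pairs that are listed. Without Black IP scan in
    Deep header scan, only the current SMTP client (first hop) is checked."""
    candidates = received_ips(raw_message)
    if not deep_header:
        candidates = candidates[:1]
    hits = []
    for ip in candidates:
        if is_private(ip):
            continue
        for zone in zones:
            if resolve(dnsbl_name(ip, zone)):
                hits.append((ip, zone))
    return hits


def registered_domain(host: str) -> str:
    """Naive two-label reduction (www.spamdomain.test -> spamdomain.test).
    Real SURBL clients use a public-suffix list; this is a simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def surbl_scan(raw_message: str, zones: list, resolve=FAKE_DNS.get) -> list:
    """Return the (domain, zone) pairs whose URI domain is listed."""
    body = message_from_string(raw_message).get_payload()
    hits = []
    for host in {registered_domain(h) for h in URL.findall(body)}:
        for zone in zones:
            if resolve(host + "." + zone):
                hits.append((host, zone))
    return hits


# Constructed sample: last hop from a private relay, earlier hop from a listed IP.
SAMPLE = """\
Received: from relay.internal ([10.0.0.5]) by mail.example.com; Thu, 4 Sep 2008 10:00:00 +0000
Received: from mx.spamdomain.test ([1.2.3.4]) by relay.internal; Thu, 4 Sep 2008 09:59:00 +0000
From: promo@spamdomain.test
To: alice@example.com
Subject: As seen on national TV!

Click http://www.spamdomain.test/offer and https://www.example.com/safe today.
"""
```

The sample shows why the deep header option matters when the FortiMail unit sits behind an internal relay: the current SMTP client is a private address and is skipped, so the listed 1.2.3.4 is only found when the earlier Received: hops are examined.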

Bayesian scan options


The Bayesian scan section of antispam profiles enables you to configure the
FortiMail unit to use Bayesian databases to determine if the email is likely to be
spam. If the Bayesian scan indicates that the email is likely to be spam, the
FortiMail unit considers the email to be spam, and you can select the action that
the FortiMail unit will perform.
FortiMail units can maintain multiple Bayesian databases: a global, per-domain,
and per-user. For incoming email, which database will be used when performing
the Bayesian scan varies by configuration of the incoming antispam profile,
configuration of the protected domain, and the maturity of the personal Bayesian
database. For more information, see “Bayesian database types” on page 387,
“Domains” on page 180, and “Initial training of the Bayesian databases” on
page 388.
Before using Bayesian scans, you must train one or more Bayesian databases in
order to teach the FortiMail unit which words indicate probable spam. If a
Bayesian database is not sufficiently trained, it can increase false positive and/or
false negative rates. You can train the Bayesian databases of your FortiMail unit in
several ways. For more information, see “Initial training of the Bayesian
databases” on page 388.

To configure Bayesian scanning


1 Go to Profile > AntiSpam > Incoming.


2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Bayesian scan.
4 Enable Bayesian scan.
5 From Actions, select the action that you want the FortiMail unit to perform if the
Bayesian scan determines that the email is spam.
For more information, see “Actions options” on page 257.
6 Configure the following:

Figure 147: Bayesian scan

Use personal database Enable to use the per-user Bayesian databases instead of the global or
per-domain Bayesian database, if the personal Bayesian database is
mature. If the email user’s personal Bayesian database is not yet mature,
the FortiMail unit will instead continue to use the global or per-domain
Bayesian database. For more information on determining the maturity of
personal Bayesian databases, see “User” on page 389.
Personal databases can provide better individual results because they
are trained by the email user and therefore contain statistics derived
exclusively from that email user's messages.
Disable to use either the global or per-domain Bayesian database.
Whether the FortiMail unit will use the global or per-domain Bayesian
database varies by your selection in the protected domain. For more
information, see “Domains” on page 180.
Note: Bayesian scan results may be unreliable if the Bayesian database
being used has not been sufficiently trained. For more information, see
“Initial training of the Bayesian databases” on page 388.
Accept training messages from users Enable to accept training messages from email users.
Training messages are email messages that email users forward to the
email addresses of control accounts, such as “is-spam@example.com”,
in order to train or correct Bayesian databases. For information on
Bayesian control account email addresses, see “Control Account” on
page 375. For information on how email users can train Bayesian
databases, see “Training Bayesian databases” on page 531.
FortiMail units apply training messages to either the global or per-domain
Bayesian database depending on your configuration of the protected
domain to which the email user belongs. For more information, see
“Domains” on page 180. If “Use personal database” is enabled, the
FortiMail unit will also apply training messages to the email user’s
personal Bayesian database.
Disable to discard training messages.
Use other techniques for auto training Enable to use scan results from FortiGuard-Antispam scan, SURBL scan,
and per-user and system-wide white lists to train per-user Bayesian
databases until those databases are considered to be mature. For
information on database maturity, see “User” on page 389.

7 Select OK.
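The Bayesian scan section above describes three behaviours that are easy to get wrong in practice: an untrained database gives unreliable results, the personal database is only used once it is mature, and a training message forwarded to a control account updates the domain or global database and, if Use personal database is enabled, the personal one too. The following added example (not FortiMail code) is a small naive Bayes filter that implements those rules in Python. The maturity threshold, the tiny training corpus and the names BayesDB, select_database and apply_training_message are constructed for illustration and are not FortiMail defaults.

```python
"""Added example (not FortiMail code): a naive Bayes spam filter with the
database-selection and training rules described above.

Per-user, per-domain and global databases are plain word-count tables; the
maturity threshold and the training corpus are constructed for illustration and
are not FortiMail defaults.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")
MATURITY_MIN_MESSAGES = 4   # assumed: a database is "mature" after this many messages


def tokens(text: str) -> set:
    return set(TOKEN.findall(text.lower()))


class BayesDB:
    """Word counts for spam and ham, plus the number of messages trained."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    @property
    def mature(self) -> bool:
        return self.n_spam + self.n_ham >= MATURITY_MIN_MESSAGES

    def train(self, text: str, is_spam: bool) -> None:
        bucket = self.spam if is_spam else self.ham
        bucket.update(tokens(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def spam_probability(self, text: str) -> float:
        """Laplace-smoothed log-odds over the message's distinct words."""
        if self.n_spam == 0 or self.n_ham == 0:
            return 0.5   # untrained: no evidence either way
        vocab = len(set(self.spam) | set(self.ham)) or 1
        log_odds = math.log(self.n_spam / self.n_ham)
        for w in tokens(text):
            p_spam = (self.spam[w] + 1) / (sum(self.spam.values()) + vocab)
            p_ham = (self.ham[w] + 1) / (sum(self.ham.values()) + vocab)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))


def select_database(personal: BayesDB, domain_or_global: BayesDB,
                    use_personal: bool) -> BayesDB:
    """'Use personal database' only takes effect once the personal DB is mature."""
    if use_personal and personal.mature:
        return personal
    return domain_or_global


def apply_training_message(text: str, is_spam: bool, personal: BayesDB,
                           domain_or_global: BayesDB, use_personal: bool) -> None:
    """A forward to is-spam@/is-not-spam@ trains the domain/global DB and, when
    'Use personal database' is enabled, the user's personal DB as well."""
    domain_or_global.train(text, is_spam)
    if use_personal:
        personal.train(text, is_spam)


def classify(text: str, db: BayesDB, threshold: float = 0.9) -> bool:
    return db.spam_probability(text) >= threshold


# Constructed training corpus (tiny; a real deployment needs far more messages)
CORPUS = [
    ("Cheap meds, buy now, limited offer, click here", True),
    ("Winner! claim your prize, click now, free money", True),
    ("Buy cheap watches now, free shipping offer", True),
    ("Minutes from the Tuesday project meeting attached", False),
    ("Can you review the patch before the release meeting", False),
    ("Lunch on Tuesday? The project review moved to Thursday", False),
]


def build_domain_db() -> BayesDB:
    db = BayesDB()
    for text, is_spam in CORPUS:
        db.train(text, is_spam)
    return db
```

The untrained case is the one to keep in mind when enabling the scan: an empty database returns 0.5 for everything, which is neither a spam nor a ham verdict, so the scan contributes nothing useful until the initial training described on page 388 has been done.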

Heuristic scan options


The Heuristic scan section of antispam profiles enables you to configure the
FortiMail unit to use score-based rules to determine if the email is likely to be
spam. If the score of the heuristic scan equals or exceeds the upper score
threshold, the FortiMail unit considers the email to be spam, and you can select
the action that the FortiMail unit will perform.


Each heuristic rule has an associated number of points. For example, if the
subject line of an email contains “As seen on national TV!”, it might match a
heuristic rule that increases the heuristic scan score towards the threshold. For
more information on how scores are used in heuristics, see “Heuristic scanning”
on page 24.
A default heuristic rule set is included, and is updated through the FortiGuard
service. New rules are added and rule scores are adjusted for maximum
advantage.
Default threshold values are recommended as only a starting point. You can fine-tune
the threshold values to cause higher or lower scores to be considered spam.
If the false positive ratio is too high, increase the upper level threshold value until
you achieve a satisfactory ratio. If your spam catch rate is too low, reduce the
upper level threshold value until you achieve a satisfactory rate. Lowering the
lower level threshold does not increase the catch rate; it only widens the range of
scores that the FortiMail unit reports as indeterminable.

Note: Heuristic scanning is resource intensive. If spam detection rates are acceptable
without heuristic scanning, consider disabling it or limiting its application to policies for
problematic hosts.

Note: You can also apply this scan to PDF attachments. For more information, see “Scan
Conditions options” on page 256.

To configure heuristic scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Heuristic scan.
4 Enable Heuristic scan.
5 From Actions, select the action that you want the FortiMail unit to perform if the
heuristic scan determines that the email is spam.
For more information, see “Actions options” on page 257.
6 Configure the following:

Figure 148: Heuristic scan

Lower level threshold Enter the score equal to or below which the FortiMail unit
considers an email to not be spam.
Upper level threshold Enter the score equal to or above which the FortiMail unit
considers an email to be spam.


The percentage of rules used Enter the percentage of the total number of heuristic rules that will
be used to calculate the heuristic score for an email message.
The FortiMail unit compares this total score to the upper and
lower level thresholds to determine if an email is:
• spam
• not spam
• indeterminable (score is between the upper and lower level
thresholds)

7 Select OK.
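The heuristic scan is a points system: each matching rule adds its score, and the total is compared with the lower and upper level thresholds. The following added example (not FortiMail code, and not the FortiGuard rule set, which is not reproduced here) implements that decision in Python with a handful of constructed rules and point values, so the effect of moving either threshold can be tried on sample subjects and bodies. How the unit chooses which rules to apply for a given percentage is not stated on the page; the seeded random sample in select_rules is an assumption made for this example.

```python
"""Added example (not FortiMail code): score-based heuristic rules with the
lower/upper threshold decision described above.

The rules, their point values and the thresholds are constructed for
illustration; FortiMail's rule set comes from the FortiGuard service and is not
reproduced here.
"""
import random
import re

# (name, compiled pattern, points). Positive points push towards spam.
RULES = [
    ("subject_tv",       re.compile(r"as seen on (national )?tv", re.I),      3.0),
    ("subject_caps",     re.compile(r"^[A-Z !$]{12,}$"),                      2.0),
    ("body_click_here",  re.compile(r"click here", re.I),                     1.5),
    ("body_free",        re.compile(r"\bfree\b", re.I),                       1.0),
    ("body_unsubscribe", re.compile(r"unsubscribe", re.I),                    0.5),
    ("body_meeting",     re.compile(r"\b(meeting|agenda|minutes)\b", re.I),  -2.0),
]


def select_rules(rules: list, percentage: int, seed: int = 0) -> list:
    """'The percentage of rules used': take that share of the rule set.
    Which rules are chosen is an assumption here (a seeded random sample);
    the page only states that a percentage of the rules is applied."""
    if not 1 <= percentage <= 100:
        raise ValueError("percentage must be between 1 and 100")
    k = max(1, round(len(rules) * percentage / 100))
    return random.Random(seed).sample(rules, k)


def heuristic_score(subject: str, body: str, rules: list) -> tuple:
    """Sum the points of every matching rule; return (score, matched rule names)."""
    score, matched = 0.0, []
    for name, pattern, points in rules:
        target = subject if name.startswith("subject_") else body
        if pattern.search(target):
            score += points
            matched.append(name)
    return score, matched


def verdict(score: float, lower: float, upper: float) -> str:
    """Lower level threshold: score <= lower is not spam.
    Upper level threshold: score >= upper is spam. Anything between is
    indeterminable."""
    if lower >= upper:
        raise ValueError("lower threshold must be below upper threshold")
    if score >= upper:
        return "spam"
    if score <= lower:
        return "not spam"
    return "indeterminable"


def scan(subject: str, body: str, lower: float = 1.0, upper: float = 5.0,
         percentage: int = 100) -> dict:
    """Apply the selected rules and classify against both thresholds."""
    rules = select_rules(RULES, percentage)
    score, matched = heuristic_score(subject, body, rules)
    return {"score": score, "matched": matched,
            "verdict": verdict(score, lower, upper)}
```

Running scan on a borderline message with the default thresholds and again with a lower upper threshold shows the tuning rule from the text in action: only the upper threshold decides what counts as spam, while the lower threshold only moves the boundary between “not spam” and “indeterminable”.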

Dictionary scan options


The Dictionary scan section of antispam profiles enables you to configure the
FortiMail unit to use dictionary profiles to determine if the email is likely to be
spam. If the FortiMail unit considers the email to be spam, you can select the
action that the FortiMail unit will perform.
When dictionary scanning is enabled and an email is found to contain a dictionary
word, FortiMail units add X-FEAS-DICTIONARY: to the message header,
followed by the dictionary word or pattern that was found in the email.
For information on dictionaries, see “Dictionary” on page 298.
Dictionary scans are more resource-intensive than banned word scans. If you
do not require dictionary features such as regular expressions and/or non-ASCII
character encoding such as UTF-8, consider using a banned word scan instead.
For information on banned word scans, see “Banned word scan options” on
page 253.

To configure dictionary scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Dictionary scan.
4 Enable Dictionary scan.

Figure 149: Dictionary scan

5 From Actions, select the action that you want the FortiMail unit to perform if the
dictionary scan determines that the email is spam.
For more information, see “Actions options” on page 257.
6 From Select dictionary profile, select the name of a dictionary profile to use with
the scan.
For information on creating dictionary profiles, see “How to create dictionary
profiles” on page 298.
7 Select OK.


Banned word scan options


The Banned word scan section of antispam profiles enables you to configure the
FortiMail unit to consider email messages whose subject line and/or message
body contain a prohibited word or phrase to be spam. If the email message
contains a banned word, the FortiMail unit considers the email to be spam, and
you can select the action that the FortiMail unit will perform.

Note: A banned word entry does not support regular expressions or non-ASCII character
encoding. If you want to use these features, you must use the dictionary scan. For more
information, see “Dictionary scan options” on page 252.

When banned word scanning is enabled and an email is found to contain a
banned word, the FortiMail unit adds X-FEAS-BANNEDWORD: to the message
header, followed by the banned word that was found in the email.

Note: You can also apply this scan to PDF attachments. For more information, see “Scan
Conditions options” on page 256.

To configure banned word scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Enable Banned word scan.

Figure 150: Banned word scan

4 From Actions, select the action that you want the FortiMail unit to perform if the
banned word scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 Next to Banned word scan, select Config.
A pop-up window appears, enabling you to enter the words or phrases that will be
prohibited with this profile.
6 Configure the following:

Figure 151: Banned word list (callouts: Delete, Edit, Move)

# The index number of the banned word entry.


Enable Banned Word Filtering The banned word.


Subject Indicates whether or not the subject line will be inspected for the banned
word.
• Empty check box: The subject line will not be inspected.
• Check mark: The subject line will be inspected.
Body Indicates whether or not the message body will be inspected for the
banned word.
• Empty check box: The message body will not be inspected.
• Check mark: The message body will be inspected.
Modify Select the Delete icon to remove a banned word.
Select the Edit icon to modify a banned word.
Select the Move icon to change the order of a banned word in the list.
New Select to add a new banned word. Wildcards are not supported.
Save Select to close the pop-up window, save the antispam profile, and return
to the profile list.
Close Select to close the banned word pop-up window.
Caution: Closing the pop-up window does not save the antispam profile
and its associated banned word list. To save changes to the banned word
list, first select Save before navigating away to another part of the web-
based manager.

7 Select Save.

Whitelist word scan options


The Whitelist word scan section of antispam profiles enables you to configure the
FortiMail unit to consider email messages whose subject line and/or message
body contain a whitelisted word or phrase to not be spam. If the email message
contains a whitelisted word, the FortiMail unit does not consider the email to be
spam, and will not perform any antispam scans.
For information on the order in which antispam scans are performed, see “Order
of execution” on page 25.

To configure white list word scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Enable Whitelist word scan.

Figure 152: Whitelist word scan

4 Next to Whitelist word scan, select Config.
A pop-up window appears, enabling you to enter the words or phrases that will be
whitelisted with this profile.
5 Configure the following:


Figure 153: Whitelist word list (callouts: Delete, Edit, Move)

# The index number of the white list word entry.


Enable Whitelist The whitelisted word.
Word Filtering
Subject Indicates whether or not the subject line will be inspected for the
whitelisted word.
• Empty check box: The subject line will not be inspected.
• Check mark: The subject line will be inspected.
Body Indicates whether or not the message body will be inspected for the
whitelisted word.
• Empty check box: The message body will not be inspected.
• Check mark: The message body will be inspected.
Modify Select Delete to remove a whitelist word, Edit to modify a whitelist
word or toggle the subject/body options, or Move to change the
position of a whitelist word in the list.
New Select to add a new whitelist word. Wildcards are not supported.
Save Select to close the whitelist word pop-up window, save the
antispam profile, and return to the profile list.
Close Select to close the banned word pop-up window.
Caution: Closing the pop-up window does not save the antispam
profile and its associated banned word list. To save changes to the
banned word list, first select Save before navigating away to
another part of the web-based manager.

6 Select Save.

Image spam scan options


The Image spam scan section of antispam profiles enables you to configure the
FortiMail unit to analyze the contents of GIF, JPG, and PNG graphics to determine
if the email is spam. If the email message contains a spam image, the FortiMail
unit considers the email to be spam, and will not perform any antispam scans.
Image spam scanning may be useful when, for example, the message body of an
email contains graphics but no text, and text-based antispam scans are therefore
unable to determine whether or not an email is spam.

To configure image spam scanning


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Enable Image spam scan.


Figure 154: Image spam scan

4 From Actions, select the action that you want the FortiMail unit to perform if the
image spam scan determines that the email is spam.
For more information, see “Actions options” on page 257.
5 Configure the following:

Aggressive scan: Enable to inspect image file attachments in addition to
embedded graphics.
Enabling this option increases workload when scanning email messages that
contain image file attachments. If you do not require this feature, consider
disabling this option to improve performance.
Note: This option applies only if you enable PDF scanning. For more
information, see “Scan Conditions options” on page 256.

6 Select OK.

Scan Conditions options


The Scan Conditions section of antispam profiles enables you to configure
conditions that cause the FortiMail unit to omit antispam scans, or to apply some
antispam scans to PDF attachments.

To configure Scan Conditions


1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Scan Conditions, then also select the blue arrow
to expand Attachment Type.
4 Configure the following:

Figure 155: Scan Conditions

Max message size to perform antispam scan: Enter the maximum size of email
messages, in bytes, that the FortiMail unit will scan for spam. Messages larger
than the maximum message size will not be scanned for spam.
Resource requirements for scanning messages increase with the size of the
email message. If the spam you receive tends not to be smaller than a certain
size, consider limiting antispam scanning to messages under this size to
improve performance.
Enter “0” to disable the size limit, causing all messages to be scanned,
regardless of size.
Bypass scan on SMTP authentication: Enable to bypass spam scanning for SMTP
connections that have been authenticated.
If you can trust that authenticating SMTP clients will not relay spam, consider
enabling this option to improve performance.


PDF: Enable to use the heuristic, banned word, and image spam scans to inspect
the first page of PDF attachments.
This option applies only if you have enabled and configured heuristic, banned
word, and/or image spam scans. For information on configuring those scans, see
“Heuristic scan options” on page 250, “Banned word scan options” on page 253,
and “Image spam scan options” on page 255.
For more information, see “Configuring PDF scanning” on page 425.

5 Select OK.

Actions options
The Actions section of antispam profiles enables you to configure one or more
actions that the FortiMail unit can perform on spam detected by this profile.

To configure Actions
1 Go to Profile > AntiSpam > Incoming.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Actions, then also select the blue arrows to
expand Quarantine and Rewrite recipient address.
4 Configure the following:

Figure 156: Actions

Tag Email in subject line: Enable and enter the text that will appear in the
subject line of the email, such as “[SPAM]”, in the With field. The FortiMail
unit will add this text to the subject line of spam before forwarding it to the
recipient.
Many email clients can sort incoming email messages into separate mailboxes,
including a spam mailbox, based on text appearing in various parts of email
messages, including the subject line. For details, see the documentation for
your email client.


Tag Email with Header: Enable and enter the message header line in the With
field. The FortiMail unit will add this text to the message header of spam
before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes,
including a spam mailbox, based on text appearing in various parts of email
messages, including the message header. For details, see the documentation for
your email client.
Message header lines are composed of two parts: a key and a value, which are
separated by a colon. For example, you might enter:
X-Custom-Header: Detected as spam by profile 22.
If you enter a header line that does not include a colon, the FortiMail unit
will automatically append a colon, causing the entire text that you enter to
be the key.
Note: Do not enter spaces in the key portion of the header line, as these are
forbidden by RFC 2822.
Reject: Enable to reject spam and send reject responses to the sender.
Discard: Enable to discard spam without sending reject responses to the sender.
Quarantine: Enable to redirect spam to the per-recipient quarantine. For more
information, see “Recipients” on page 366.
• Delete Messages: Enter the number of days you want to keep the quarantined
email. Enter a small enough value that will prevent the size of the quarantine
from exceeding the available disk space. If you enter 0 to prevent automatic
deletion of quarantined files, you must periodically manually remove old files.
• Send Spam Report: Select to send a spam report. For more information, see
“Spam Report” on page 376.
• Email Release: Select to enable email users to remotely release email from the
quarantine by sending email to quarantine control account email addresses. For
more information, see “Control Account” on page 375.
• Web Release: Select to enable email users to remotely release email from the
quarantine by selecting the Release link in a spam report. For more
information, see “Understanding the HTML formatted spam report” on page 380.
• Add the sender of a released message to personal white list: Select to, when
an email user releases an email from the quarantine, automatically add the
sender email address of the quarantined email to the email user’s personal
white list.
Allow users to automatically update personal White list from sent emails:
Enable to allow the FortiMail unit to add the recipient email addresses from an
email user’s outgoing email to their personal white list, if the option is also
enabled in the email user’s preferences.
Email users’ preferences can be configured from both the Preferences tab of
FortiMail webmail and from the web-based manager. For more information, see
“User Preferences” on page 224.


Rewrite recipient email address: Enable to change the recipient address of any
email message detected as spam.
Configure rewrites separately for the local part (the portion of the email
address before the “@”) and the domain part (the portion of the email address
after the “@”). For each part, select either:
• None: No change.
• Prefix: Prepend the part with text that you have entered in the With field.
• Suffix: Append the part with the text you have entered in the With field.
• Replace: Substitute the part with the text you have entered in the With
field.

5 Select OK.
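The header-tag and recipient-rewrite rules in the Actions table above, as an added Python example (not FortiMail's own code): it builds the header line the way the table describes, rejects keys that RFC 2822 would not accept, and applies the local-part and domain-part rewrite modes to envelope recipients. Assumptions not stated by the guide: the subject tag is prepended to the existing subject, and the rewrite applies to the envelope recipients; the sample message is constructed.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# RFC 2822 field names are printable US-ASCII (33-126) excluding the colon,
# which also rules out the spaces the guide's note warns about.
FIELD_NAME = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


def normalize_tag_header(with_text: str) -> tuple[str, str]:
    """Split the 'With' text of 'Tag Email with Header' into (key, value).

    Mirrors the documented rule: when the text has no colon, one is appended,
    so the whole text becomes the key with an empty value. A key containing
    spaces or other characters RFC 2822 forbids raises ValueError.
    """
    key, _, value = with_text.partition(":")
    key = key.strip()
    if not FIELD_NAME.match(key):
        raise ValueError(f"invalid header field name: {key!r}")
    return key, value.strip()


def rewrite_part(part: str, mode: str, with_text: str) -> str:
    """Apply one 'Rewrite recipient address' mode to a local or domain part."""
    if mode == "None":
        return part
    if mode == "Prefix":
        return with_text + part
    if mode == "Suffix":
        return part + with_text
    if mode == "Replace":
        return with_text
    raise ValueError(f"unknown rewrite mode: {mode!r}")


def rewrite_recipient(address: str, local: tuple[str, str],
                      domain: tuple[str, str]) -> str:
    """Rewrite both parts of one recipient address.

    local and domain are (mode, with_text) pairs, e.g. ("Prefix", "spam-").
    """
    local_part, at, domain_part = address.rpartition("@")
    if not at:
        raise ValueError(f"not an email address: {address!r}")
    return rewrite_part(local_part, *local) + "@" + rewrite_part(domain_part, *domain)


def apply_spam_actions(raw_message: str, recipients: list[str],
                       actions: dict) -> tuple[Message, list[str]]:
    """Apply a profile's tagging and rewrite actions to one message.

    actions keys (all optional):
      "subject_tag": text for 'Tag Email in subject line' (assumed prepended)
      "header_with": text for 'Tag Email with Header'
      "rewrite_local", "rewrite_domain": (mode, with_text) pairs
    Returns the modified message and the rewritten envelope recipients.
    """
    msg = message_from_string(raw_message)
    if "subject_tag" in actions:
        subject = msg.get("Subject", "")
        del msg["Subject"]  # no error if the header is absent
        msg["Subject"] = f"{actions['subject_tag']} {subject}".strip()
    if "header_with" in actions:
        key, value = normalize_tag_header(actions["header_with"])
        msg[key] = value
    local = actions.get("rewrite_local", ("None", ""))
    domain = actions.get("rewrite_domain", ("None", ""))
    return msg, [rewrite_recipient(r, local, domain) for r in recipients]


# Constructed sample message; not taken from the guide.
SAMPLE = """From: sender@example.org
To: user1@example.com
Subject: Limited time offer

Buy now.
"""

if __name__ == "__main__":
    tagged, rcpts = apply_spam_actions(
        SAMPLE,
        ["user1@example.com"],
        {
            "subject_tag": "[SPAM]",
            "header_with": "X-Custom-Header: Detected as spam by profile 22.",
            "rewrite_local": ("Prefix", "spam-"),
            "rewrite_domain": ("Replace", "quarantine.example.com"),
        },
    )
    print(tagged.as_string())
    print("envelope recipients:", rcpts)
```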

Outgoing
The Outgoing tab enables you to configure antispam profiles for outgoing email
messages and SMTP connections.

Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.

To view the list of outgoing antispam profiles, go to Profile > AntiSpam >
Outgoing.

Figure 157: Outgoing antispam profile list (icons: Delete, Edit, Copy)

Profile The name of the profile.


Modify Select Delete to remove a profile. This option appears only if the
profile is not currently selected in a policy.
Select Edit to modify a profile. For more information, see “To create
an outgoing antispam profile” on page 259.
Select Copy to create a new profile by duplicating the settings of an
existing profile. For more information, see “To create a profile by
duplicating an existing profile” on page 261.
Create New Select to add a profile. For more information, see “To create an
outgoing antispam profile” on page 259.

To create an outgoing antispam profile


1 Go to Profile > AntiSpam > Outgoing.
2 Select Create New.
A dialog appears.


3 Configure the following:

Figure 158: Creating an outgoing antispam profile

Profile Name: Enter the name of the profile.
FortiGuard-Antispam scan: Identical to that of incoming antispam profiles.
See “FortiGuard-Antispam scan options” on page 245.
Greylist scan: Select to enable greylisting. For more information, see
“Greylist” on page 406.
DNSBL scan: Identical to that of incoming antispam profiles.
See “DNSBL scan options” on page 246.
Deep header scan: Identical to that of incoming antispam profiles.
See “Deep header scan options” on page 247.
SURBL scan: Identical to that of incoming antispam profiles.
See “SURBL scan options” on page 248.
Bayesian scan: See “Bayesian scanning” on page 23 and “Bayesian scan options”
on page 262.
Heuristic scan: Identical to that of incoming antispam profiles.
See “Heuristic scan options” on page 250.
Dictionary scan: Identical to that of incoming antispam profiles.
See “Dictionary scan options” on page 252.
Banned word scan: Identical to that of incoming antispam profiles.
See “Banned word scanning” on page 25 and “Banned word scan options” on
page 253.


Whitelist word scan: Identical to that of incoming antispam profiles.
See “Whitelist word scanning” on page 25 and “Whitelist word scan options” on
page 254.
Image spam scan: Identical to that of incoming antispam profiles.
See “Image spam scan options” on page 255.
Treat messages with viruses as spam: Enable to have the FortiMail unit classify
email messages with viruses as spam and treat them accordingly.
Scan Conditions: Identical to that of incoming antispam profiles.
See “Scan Conditions options” on page 256.
Actions: See “Actions options” on page 263.

4 Select OK.

To create a profile by duplicating an existing profile


1 Go to Profile > AntiSpam > Outgoing.
2 In the row corresponding to the profile whose settings you want to duplicate when
creating the new profile, select Copy.
3 In To, enter a name for the new profile.

Figure 159: Copy Outgoing AntiSpam Profile

4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.

To apply changes to multiple profiles


1 Go to Profile > AntiSpam > Outgoing.
2 In the row corresponding to an existing profile whose settings you want to modify,
select Edit.
The option to apply changes to multiple profiles does not appear when creating a
new profile. You must modify an existing profile.
3 Modify the profile, changing only those settings that you want to apply to multiple
profiles.
4 Select Apply To Profiles.
A dialog appears, summarizing the changes you are about to apply.

Figure 160: Review Anti-spam Outgoing Profile Change

5 If you want to undo some of the changes or make additional changes, select
Change Profile. Otherwise, proceed by selecting Select Profiles.


6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.

Figure 161: Select profiles

7 Select OK.
A success message appears. To display the list of profiles, select Return.

Bayesian scan options


The Bayesian scan section of antispam profiles enables you to configure the
FortiMail unit to use Bayesian databases to determine if the email is likely to be
spam. If the Bayesian scan indicates that the email is likely to be spam, the
FortiMail unit considers the email to be spam, and you can select the action that
the FortiMail unit will perform.
FortiMail units can maintain multiple Bayesian databases: a global, per-domain,
and per-user. For outgoing email, the FortiMail unit uses only the global Bayesian
database. For more information, see “Bayesian database types” on page 387.
Before using Bayesian scans in outgoing antispam profiles, you must train the
global Bayesian databases in order to teach the FortiMail unit which words
indicate probable spam. If the global Bayesian database is not sufficiently trained,
it can increase false positive and/or false negative rates. You can train the global
Bayesian database in several ways. For more information, see “Initial training of
the Bayesian databases” on page 388.

To configure Bayesian scanning


1 Go to Profile > AntiSpam > Outgoing.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Enable Bayesian scan.

Figure 162: Bayesian scan

4 From Actions, select the action that you want the FortiMail unit to perform if the
Bayesian scan determines that the email is spam.
For more information, see “Actions options” on page 263.
5 Select OK.


Actions options
The Actions section of antispam profiles enables you to configure one or more
actions that the FortiMail unit can perform on spam detected by this profile.

To configure Actions
1 Go to Profile > AntiSpam > Outgoing.
2 Select Create New to add a profile, or, in the row corresponding to an existing
profile that you want to modify, select Edit.
3 Select the blue arrow to expand Actions, then also select the blue arrow to expand
Rewrite recipient address.
4 Configure the following:

Figure 163: Actions

Tag Email in subject line: Enable and enter the text that will appear in the
subject line of the email, such as “[SPAM]”. The FortiMail unit will add this
text to the subject line of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes,
including a spam mailbox, based on text appearing in various parts of email
messages, including the subject line. For details, see the documentation for
your email client.
Tag Email with Header: Enable and enter the message header line. The FortiMail
unit will add this text to the message header of spam before forwarding it to
the recipient.
Many email clients can sort incoming email messages into separate mailboxes,
including a spam mailbox, based on text appearing in various parts of email
messages, including the message header. For details, see the documentation for
your email client.
Message header lines are composed of two parts: a key and a value, which are
separated by a colon. For example, you might enter:
X-Custom-Header: Detected as spam by profile 22.
If you enter a header line that does not include a colon, the FortiMail unit
will automatically append a colon, causing the entire text that you enter to
be the key.
Note: Do not enter spaces in the key portion of the header line, as these are
forbidden by RFC 2822.
Reject: Enable to reject spam and send reject responses to the sender.
Discard: Enable to discard spam without sending reject responses to the sender.
Quarantine for review: Enable to redirect spam to the system quarantine. For
more information, see “System quarantine” on page 371.


Rewrite recipient email address: Enable to change the recipient address of any
email message detected as spam.
Configure rewrites separately for the local part (the portion of the email
address before the “@”) and the domain part (the portion of the email address
after the “@”). For each part, select either:
• None: No change.
• Prefix: Prepend the part with text that you have entered in the With field.
• Suffix: Append the part with the text you have entered in the With field.
• Replace: Substitute the part with the text you have entered in the With
field.

5 Select OK.

AntiVirus
The AntiVirus menu enables you to create antivirus profiles and to view the list of
viruses.
The AntiVirus menu includes the following tabs:
• AntiVirus
• Virus List

AntiVirus
The AntiVirus tab enables you to create antivirus profiles that you can select in a
policy in order to scan email for viruses.
You can view a list of the virus signatures currently being used by antivirus profiles
to detect viruses. For more information, see “Virus List” on page 267.
If the FortiMail unit detects a virus, it replaces the infected file with a replacement
message that notifies the email user the infected file has been removed. You can
customize replacement messages. For more information, see “Custom
Messages” on page 173.
To view the list of antivirus profiles, go to Profile > AntiVirus > AntiVirus.

Figure 164: Antivirus profile list (icons: Delete, Edit, Copy)


Profile The name of the profile.


Domain The entire FortiMail unit (“system”) or name of a protected domain to
which the administrator account who created this profile is assigned.
For more information, see “Administrator account permissions and
domains” on page 139.
Modify Select Delete to remove the profile. The Delete icon does not appear
if the profile is used in a policy.
Select Edit to modify the profile. For more information, see “To
create an antivirus profile” on page 265.
Select Copy to create a new profile by duplicating the settings of an
existing profile. For more information, see “To create a profile by
duplicating an existing profile” on page 266.
Create New Select to add an antivirus profile. For more information, see “To
create an antivirus profile” on page 265.

To create an antivirus profile


1 Go to Profile > AntiVirus > AntiVirus.
2 Select Create New.
3 Select the blue arrows to expand each section, then configure the following:

Figure 165: AntiVirus Profile

Profile: Enter the name of the antivirus profile.
Virus Scanning: Select to enable antivirus scanning.
Heuristic Scanning: Select to enable heuristics-based antivirus scanning.
This option is disabled by default to reduce false positives.
Actions
Replace Suspicious Attachment: Indicates that the FortiMail unit will replace
infected attachments with a replacement message. You can customize replacement
messages. For more information, see “Custom Messages” on page 173.
This option cannot be disabled, but does not apply if you also select Reject or
Discard.
Reject: Select to allow the FortiMail unit to reject the email and send a reject
response to the sender.
Discard: Select to allow the FortiMail unit to discard the email without sending
a reject response to the sender.


Replace Virus Body: Indicates that the FortiMail unit will replace infected
attachments with a replacement message. You can customize replacement
messages. For more information, see “Custom Messages” on page 173.
This option cannot be disabled, but does not apply if you also select Reject or
Discard.
Reject: Select to allow the FortiMail unit to reject the email and send a reject
response to the sender.
Discard: Select to allow the FortiMail unit to discard the email without sending
a reject response to the sender.

4 Select OK.

To create a profile by duplicating an existing profile


1 Go to Profile > AntiVirus > AntiVirus.
2 In the row corresponding to the profile whose settings you want to duplicate when
creating the new profile, select Copy.
3 In To, enter a name for the new profile.

Figure 166: Copy AntiVirus Profile

4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.

To apply changes to multiple profiles


1 Go to Profile > AntiVirus > AntiVirus.
2 In the row corresponding to an existing profile whose settings you want to modify,
select Edit.
The option to apply changes to multiple profiles does not appear when creating a
new profile. You must modify an existing profile.
3 Modify the profile, changing only those settings that you want to apply to multiple
profiles.
4 Select Apply To Profiles.
A dialog appears, summarizing the changes you are about to apply.

Figure 167: Review Anti-virus Profile Change

5 If you want to undo some of the changes or make additional changes, select
Change Profile. Otherwise, proceed by selecting Select Profiles.


6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.

Figure 168: Select profiles

7 Select OK.
A success message appears. To display the list of profiles, select Return.

Virus List
The Virus List tab displays a list of signatures for files that the FortiMail unit treats
as a virus for the purpose of antivirus processing configured in an antivirus profile.
FortiMail units can update their virus signatures online using the Fortinet
Distribution Network (FDN). For more information, see “Update” on page 122.
To view the list of virus files, go to Profile > AntiVirus > Virus List.

Figure 169: Virus List

Drop-down menu (unnamed): Select a number or letter to display a list of
viruses beginning with that character.
Virus number: The number of viruses in the list that begin with the currently
selected letter or number.

Authentication
The Authentication menu enables you to configure authentication profiles.
FortiMail units support the following authentication methods:
• SMTP
• IMAP
• POP3
• RADIUS


• LDAP

Note: When the FortiMail unit is operating in server mode, only RADIUS authentication is
available.

Note: LDAP profiles can configure many features other than authentication, and are not
located in the Authentication menu. For information on LDAP profiles, see “LDAP Profile”
on page 320.

FortiMail units can use authentication profiles when authenticating email users
with FortiMail webmail and POP3, and when authenticating with another SMTP
server to deliver email. Depending on the mode in which your FortiMail unit is
operating, you may be able to apply authentication profiles through incoming
recipient-based policies, IP-based policies, and email user accounts. For more
information, see “Incoming policies” on page 357, “IP based policies” on
page 359, and “User” on page 219.
The Authentication menu includes the following tabs:
• SMTP
• IMAP
• POP3
• Radius

SMTP
The SMTP tab enables you to configure the FortiMail unit to support SMTP server
authentication by creating SMTP server authentication profiles.

Note: This tab does not appear if the FortiMail unit is operating in server mode.

To view the list of SMTP authentication profiles, go to Profile > Authentication >
SMTP.

Figure 170: SMTP authentication profile list (icons: Delete, Edit)
Profile The name of the profile.


Domain The entire FortiMail unit (“system”) or name of a protected domain to
which the administrator account who created this profile is assigned.
For more information, see “Administrator account permissions and
domains” on page 139.
Server The domain name or IP address of the SMTP server.
Modify Select Delete to remove the profile. The Delete icon does not appear
if the profile is used in a policy.
Select Edit to modify the profile. For more information, see “To create
an SMTP authentication profile” on page 269.


Create New Select to add a profile. For more information, see “To create an
SMTP authentication profile” on page 269.

To create an SMTP authentication profile


1 Go to Profile > Authentication > SMTP.
2 Select Create New.

Figure 171: New SMTP Server

3 In Profile Name, enter the name of the profile.


4 In Server Name/IP, enter the domain name or IP address of the SMTP server.
5 In Server Port, enter the port number on which the SMTP server listens.
The default value is 25. You must change this value if the server is configured to
listen on a different port number, such as if the server requires use of SSL, whose
default port number is 465.
6 If the SMTP server requires that email users authenticate using their full email
address (such as user1@example.com) and not just the user name (such as
user1), enable Server Requires Domain.
7 If you want to use secure socket layers (SSL) to encrypt communications between
the FortiMail unit and this server, and the server supports it, enable SSL.
8 If you want to use secure authentication to encrypt the passwords of email users
when communicating with the server, and the server supports it, enable Secure
Authentication.
9 If you want to use transport layer security (TLS) to authenticate and encrypt
communications between the FortiMail unit and this server, and the server
supports it, enable TLS.
10 Select OK.
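Before filling in steps 5 to 9 it helps to see what the backend server actually advertises. The following is an added Python example (not FortiMail code) that opens a session the way the profile would, records the EHLO extensions, and maps them onto the profile options; it assumes that the TLS option corresponds to STARTTLS and that Secure Authentication corresponds to challenge-response SASL mechanisms such as CRAM-MD5 and DIGEST-MD5, neither of which the guide states.

```python
from __future__ import annotations

import smtplib
import ssl
import sys

# Mechanisms that authenticate without sending the password in clear text.
# Assumption: these are what the profile's "Secure Authentication" option
# relies on; the guide does not name the mechanisms.
CHALLENGE_RESPONSE_MECHS = {"CRAM-MD5", "DIGEST-MD5"}


def login_name(user: str, domain: str, server_requires_domain: bool) -> str:
    """Step 6: the name sent to the server, with or without the domain part."""
    return f"{user}@{domain}" if server_requires_domain else user


def probe_smtp(host: str, port: int = 25, use_ssl: bool = False,
               timeout: float = 10.0) -> dict[str, str]:
    """Return the EHLO extensions the server advertises (lower-case keys).

    use_ssl=True wraps the socket in TLS from the start (the SSL option,
    default port 465). Otherwise a plain session is opened and STARTTLS is
    negotiated when offered (assumed to be the TLS option); EHLO is repeated
    afterwards because AUTH mechanisms often change once the link is encrypted.
    """
    ctx = ssl.create_default_context()
    if use_ssl:
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        client = smtplib.SMTP(host, port, timeout=timeout)
    try:
        client.ehlo()
        features = dict(client.esmtp_features)
        if not use_ssl and client.has_extn("starttls"):
            client.starttls(context=ctx)
            client.ehlo()
            features = dict(client.esmtp_features)
            features["starttls"] = ""  # remember that it was offered
        return features
    finally:
        try:
            client.quit()
        except smtplib.SMTPException:
            pass


def recommend_profile_settings(features: dict[str, str], port: int,
                               use_ssl: bool) -> dict[str, object]:
    """Map advertised extensions onto the options named in steps 5 to 9."""
    mechanisms = {m.upper() for m in features.get("auth", "").split()}
    secure = sorted(mechanisms & CHALLENGE_RESPONSE_MECHS)
    encrypted = use_ssl or "starttls" in features
    return {
        "Server Port": port,
        "SSL": use_ssl,
        "TLS": "starttls" in features,
        "Secure Authentication": bool(secure),
        "auth_mechanisms": sorted(mechanisms),
        # True means user passwords would cross the wire in clear text with
        # these settings; enable SSL or TLS (or fix the server) first.
        "password_exposed": bool(mechanisms) and not encrypted and not secure,
    }


if __name__ == "__main__":
    # Usage: python probe.py <host> [port] [ssl]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    use_ssl = len(sys.argv) > 3 and sys.argv[3].lower() == "ssl"
    feats = probe_smtp(host, port, use_ssl)
    for key, value in recommend_profile_settings(feats, port, use_ssl).items():
        print(f"{key}: {value}")
```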

IMAP
The IMAP tab enables you to configure the FortiMail unit to support IMAP server
authentication by creating IMAP server authentication profiles.

Note: This tab does not appear if the FortiMail unit is operating in server mode.

To view the list of IMAP authentication profiles, go to Profile > Authentication >
IMAP.


Figure 172: IMAP authentication profile list (icons: Delete, Edit)

Profile The name of the profile.


Domain The entire FortiMail unit (“system”) or name of a protected domain to
which the administrator account who created this profile is assigned.
For more information, see “Administrator account permissions and
domains” on page 139.
Server The domain name or IP address of the IMAP server.
Modify Select Delete to remove the profile. The Delete icon does not
appear if the profile is used in a policy.
Select Edit to modify the profile. For more information, see “To
create an IMAP authentication profile” on page 270.
Create New Select to add a profile. For more information, see “To create an
IMAP authentication profile” on page 270.

To create an IMAP authentication profile


1 Go to Profile > Authentication > IMAP.
2 Select Create New.

Figure 173: New IMAP Server

3 In Profile Name, enter the name of the profile.


4 In Server Name/IP, enter the domain name or IP address of the IMAP server.
5 In Server Port, enter the port number on which the server listens.
The default value is 143. You must change this value if the server is configured to
listen on a different port number, such as if the server requires use of SSL, whose
default port number is 993.
6 If the server requires that email users authenticate using their full email address
(such as user1@example.com) and not just the user name (such as user1),
enable Server Requires Domain.
7 If you want to use secure socket layers (SSL) to encrypt communications between
the FortiMail unit and this server, and the server supports it, enable SSL.


8 If you want to use secure authentication to encrypt the passwords of email users
when communicating with the server, and the server supports it, enable Secure
Authentication.
9 If you want to use transport layer security (TLS) to authenticate and encrypt
communications between the FortiMail unit and this server, and the server
supports it, enable TLS.
10 Select OK.

POP3
The POP3 tab enables you to configure the FortiMail unit to support POP3 server
authentication by creating POP3 server authentication profiles.

Note: This tab does not appear if the FortiMail unit is operating in server mode.

To view the list of POP3 authentication profiles, go to Profile > Authentication >
POP3.

Figure 174: POP3 authentication profile list (icons: Delete, Edit)

Profile The name of the profile.


Domain The entire FortiMail unit (“system”) or name of a protected domain to
which the administrator account who created this profile is assigned.
For more information, see “Administrator account permissions and
domains” on page 139.
Server The domain name or IP address of the POP3 server.
Modify Select Delete to remove the profile. The Delete icon does not appear
if the profile is used in a policy.
Select Edit to modify the profile. For more information, see “To
create a POP3 authentication profile” on page 271.
Create New Select to add a profile. For more information, see “To create a POP3
authentication profile” on page 271.

To create a POP3 authentication profile


1 Go to Profile > Authentication > POP3.
2 Select Create New.


Figure 175: New POP3 Server

3 In Profile Name, enter the name of the profile.


4 In Server Name/IP, enter the domain name or IP address of the POP3 server.
5 In Server Port, enter the port number on which the POP3 server listens.
The default value is 110. You must change this value if the server is configured to
listen on a different port number, such as if the server requires use of SSL, whose
default port number is 995.
6 If the POP3 server requires that email users authenticate using their full email
address (such as user1@example.com) and not just the user name (such as
user1), enable Server Requires Domain.
7 If you want to use secure socket layers (SSL) to encrypt communications between
the FortiMail unit and this server, and the server supports it, enable SSL.
8 If you want to use secure authentication to encrypt the passwords of email users
when communicating with the server, and the server supports it, enable Secure
Authentication.
9 If you want to use transport layer security (TLS) to authenticate and encrypt
communications between the FortiMail unit and this server, and the server
supports it, enable TLS.
10 Select OK.

Radius
The Radius tab enables you to configure the FortiMail unit to support RADIUS
server authentication by creating RADIUS server authentication profiles.
To view the list of RADIUS authentication profiles, go to Profile >
Authentication > Radius.

Figure 176: Radius authentication profile list

Profile: The name of the profile.
Domain: The entire FortiMail unit (“system”) or name of a protected domain to which the
administrator account who created this profile is assigned. For more information, see
“Administrator account permissions and domains” on page 139.
Server: The domain name or IP address of the RADIUS server.
Modify: Select Delete to remove the profile. The Delete icon does not appear if the profile
is used in a policy. Select Edit to modify the profile. For more information, see “To create
a RADIUS authentication profile” on page 273.
Create New: Select to add a profile. For more information, see “To create a RADIUS
authentication profile” on page 273.

To create a RADIUS authentication profile

1 Go to Profile > Authentication > Radius.
2 Select Create New.

Figure 177: New RADIUS Server

3 In Profile Name, enter the name of the profile.
4 In Server Name/IP, enter the domain name or IP address of the RADIUS server.
5 In Server Secret, enter the preshared secret for the server.
6 In Server Port, enter the port number on which the RADIUS server listens.
The default value is 1812. You must change this value if the server is configured
to listen on a different port number.
7 If the RADIUS server requires that email users authenticate using their full email
address (such as user1@example.com) and not just the user name (such as
user1), enable Server Requires Domain.
8 Select OK.

Misc (server mode)

The Misc menu enables you to configure “misc” profiles.
The Misc menu includes the following tab:
• Misc

Misc
The Misc tab enables you to create “misc” profiles, which configure miscellaneous
aspects of local email user accounts when the FortiMail unit is operating in server
mode, such as disk space quota.


For more information on settings that can be applied to email user accounts, see
“User” on page 219 and “User Preferences” on page 224.
To view the list of “misc” profiles, go to Profile > Misc > Misc.

Figure 178: Misc profile list

Profile: The name of the profile.
Domain: The entire FortiMail unit (“system”) or name of a protected domain to which the
administrator account who created this profile is assigned. For more information, see
“Administrator account permissions and domains” on page 139.
Modify: Select Delete to remove the profile. The Delete icon does not appear if the profile
is used in a policy. Select Edit to modify the profile. For more information, see “To create
a “misc” profile” on page 274.
Create New: Select to add a “misc” profile. For more information, see “To create a “misc”
profile” on page 274.

To create a “misc” profile

1 Go to Profile > Misc > Misc.
2 Select Create New.

Figure 179: Misc Profile

3 In Profile Name, enter the name of the profile.
4 In Disk Quota, enter the maximum amount of FortiMail mail disk space that you
will allow to be consumed, or enter “0” to allow unlimited use.
5 In Auto delete emails after, enter the number of days after which the FortiMail unit
will automatically delete email that is locally hosted.
6 Select User Account Status to enable email user accounts.
7 Select Webmail Access to enable email users’ access to FortiMail webmail.
8 Select OK.


To apply changes to multiple profiles

1 Go to Profile > Misc > Misc.
2 In the row corresponding to an existing profile whose settings you want to modify,
select Edit.
The option to apply changes to multiple profiles does not appear when creating a
new profile. You must modify an existing profile.
3 Modify the profile, changing only those settings that you want to apply to multiple
profiles.
4 Select Apply To Profiles.
A dialog appears, summarizing the changes you are about to apply.

Figure 180: Review Misc Profile Change

5 If you want to undo some of the changes or make additional changes, select
Change profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.

Figure 181: Select profiles

7 Select OK.
A success message appears. To display the list of profiles, select Return.

Content
The Content menu enables you to configure content profiles for incoming and
outgoing content-based scanning. While antispam profiles filter email that contains
spam-like words, images, and other content, content profiles filter non-spam content,
such as words and file attachments, that is not permitted by your network usage
policy.
The Content menu includes the following tabs:
• Incoming
• Outgoing

Incoming
The Incoming tab enables you to create content profiles, which you can use to
filter email subject lines, message bodies, and attachments.

Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.

To view the list of incoming content profiles, go to Profile > Content > Incoming.

Figure 182: Incoming content profile list

Profile: The name of the profile.
Domain: The entire FortiMail unit (“system”) or name of a protected domain to which the
administrator account who created this profile is assigned. For more information, see
“Administrator account permissions and domains” on page 139.
Modify: Select Delete to remove the profile. The Delete icon does not appear if the profile
is selected in a policy. Select Edit to modify the profile. For more information, see “To
create an incoming content profile” on page 276. Select Copy to create a new profile by
duplicating the settings of an existing profile. For more information, see “To create a
profile by duplicating an existing profile” on page 280.
Create New: Select to add a profile. For more information, see “To create an incoming
content profile” on page 276.

To create an incoming content profile

1 Go to Profile > Content > Incoming.
2 Select Create New.

Figure 183: Creating an incoming content profile

3 In Profile Name, enter the name of the profile.
4 Select the blue arrow to expand Attachment Filtering, and configure the following:

Figure 184: Attachment Filtering

New: To add a file name or file name extension that you want to filter, enter a pattern,
then select New.
#: The index number of the attachment filtering pattern.
Enable: Select to filter using the attachment filtering pattern in that row.
Name: The attachment filtering pattern, which describes a file name or file name
extension that can be filtered, such as *.exe for files with the executable file name
extension.
Delete: Select to delete the attachment filtering pattern. This option does not apply
immediately; it occurs when you save the content profile.

5 Select the blue arrow to expand File Type Filtering, and in the Enable column,
mark the checkboxes of the file types that you want to filter, such as
application/executable.
application/other includes all file types not specifically described by the
other options.

Figure 185: File Type Filtering

6 Select the blue arrow to expand Scan Conditions, and configure the following:

Figure 186: Scan Conditions

Bypass scan on SMTP authentication: Select to omit content profile scanning if the
SMTP session is authenticated.
Defer messages over: Enter the file size limit over which the FortiMail unit will defer
processing large email messages. For information on scheduling deferred delivery, see
“Advanced (mail server settings)” on page 169.

7 Select the blue arrow to expand Actions, and configure the following:

Figure 187: Actions

Treat as Spam: Select to perform the Actions selected in the antispam profile of the
policy that matches the email. For more information, see “Actions options” on page 257.
Reject: Select to reject the email, notifying the sender.
Discard: Select to discard the email without notifying the sender.
Replace: Select to substitute the content with a replacement message. For information
on replacement messages, see “Custom Messages” on page 173.
Quarantine: Select to redirect matching email messages to the per-recipient quarantine.
For more information, see “Recipients” on page 366.
Forward to: Select to forward email messages, then enter a recipient email address.

8 Select the blue arrow to expand Content Monitor and filtering, then configure the
following:

Figure 188: Content Monitor and filtering

New profile: Select to add a monitor profile, which selects the dictionary profile that will
be used to determine matching email messages, and the actions that will be performed
if a match is found.
#: The index number of the content monitor profile.
Enable: Enable to use the dictionary profile to inspect email for matching content and
perform the configured action.
Delete: Select to delete the monitor profile. This option does not take effect
immediately; it occurs when you save the content profile.
Dictionary Profile: The name of the dictionary profile and the protected domain to which
it belongs, or “system” for system-wide dictionary profiles.
Actions: The action that the FortiMail unit will perform if the content of the email
message matches words or patterns from the dictionary profile.
Header/Subject Tag: The text that the FortiMail unit will use to tag email messages
matching the dictionary profile. Each tag is prefixed by a letter:
• H: The tag is a message header.
• S: The tag will be prepended to the subject line.
This field is empty if you have enabled neither subject line tagging nor message header
tagging.
Modify: Select Edit to modify the monitor profile.

If you create or edit a monitor profile, configure the following:

Figure 189: Content Monitor Profile

Dictionary Profile: Select the dictionary profile that this monitor profile will use. The
FortiMail unit will compare content in the subject line and message body of the email
message with words and patterns in the dictionary profile. If it locates matching content,
the FortiMail unit will perform the actions configured in this monitor profile. For
information on dictionary profiles, see “Dictionary” on page 298.
Actions:
  Tag Email in subject line: Select to prepend tag text to the subject line of the email,
  then enter the tag text, such as “[FILTERED] ”, in the With field.
  Tag Email with Header: Select to add a header line to the email, then enter the header
  line, such as “X-Content-Filter: Contains banned word.”, in the With field.
  No action: Select to perform no action other than tagging, if enabled, before delivery
  to the recipient.
  Treat As Spam: Select to perform the Actions selected in the antispam profile of the
  policy that matches the email. For more information, see “Actions options” on
  page 257.
  Reject: Select to reject the email, notifying the sender.
  Discard: Select to discard the email without notifying the sender.
  Replace: Select to substitute the part of the content that matches the dictionary profile
  with a replacement message. For information on replacement messages, see “Custom
  Messages” on page 173.
  Quarantine: Select to redirect matching email messages to the per-recipient
  quarantine. For more information, see “Recipients” on page 366.
  Quarantine to Review: Select to redirect matching email messages to the system
  quarantine. For more information, see “System quarantine” on page 371.
  Forward to: Select to forward matching email messages, then enter a recipient email
  address.

9 Select Apply.

Caution: Applied monitor profile changes will not be saved until you have also saved the
associated content profile.

10 Select OK.

To create a profile by duplicating an existing profile

1 Go to Profile > Content > Incoming.
2 In the row corresponding to the profile whose settings you want to duplicate when
creating the new profile, select Copy.
3 In To, enter a name for the new profile.

Figure 190: Copy Content Profile

4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.

To apply changes to multiple profiles

1 Go to Profile > Content > Incoming.
2 In the row corresponding to an existing profile whose settings you want to modify,
select Edit.
The option to apply changes to multiple profiles does not appear when creating a
new profile. You must modify an existing profile.
3 Modify the profile, changing only those settings that you want to apply to multiple
profiles.
4 Select Apply To Profiles.
A dialog appears, summarizing the changes you are about to apply.

Figure 191: Review Content Profile Change

5 If you want to undo some of the changes or make additional changes, select
Change profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.

Figure 192: Select profiles

7 Select OK.
A success message appears. To display the list of profiles, select Return.

Outgoing
The Outgoing tab enables you to create content profiles, which you can use to
filter email subject lines, message bodies, and attachments.

Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.

To view the list of outgoing content profiles, go to Profile > Content > Outgoing.

Figure 193: Outgoing content profile list

Profile: The name of the profile.
Modify: Select Delete to remove the profile. The Delete icon does not appear if the profile
is selected in a policy. Select Edit to modify the profile. For more information, see “To
create an outgoing content profile” on page 282. Select Copy to create a new profile by
duplicating the settings of an existing profile. For more information, see “To create a
profile by duplicating an existing profile” on page 286.
Create New: Select to add a profile. For more information, see “To create an outgoing
content profile” on page 282.

To create an outgoing content profile

1 Go to Profile > Content > Outgoing.
2 Select Create New.

Figure 194: Creating an outgoing content profile

3 In Profile Name, enter the name of the profile.
4 Select the blue arrow to expand Attachment Filtering, and configure the following:

Figure 195: Attachment Filtering

New: To add a file name or file name extension that you want to filter, enter a pattern,
then select New.
#: The index number of the attachment filtering pattern.
Enable: Select to filter using the attachment filtering pattern in that row.
Name: The attachment filtering pattern, which describes a file name or file name
extension that can be filtered, such as *.exe for files with the executable file name
extension.
Delete: Select to delete the attachment filtering pattern. This option does not apply
immediately; it occurs when you save the content profile.

5 Select the blue arrow to expand File Type Filtering, and in the Enable column,
mark the checkboxes of the file types that you want to filter, such as
application/executable.
application/other includes all file types not specifically described by the
other options.

Figure 196: File Type Filtering

6 Select the blue arrow to expand Scan Conditions, and configure the following:

Figure 197: Scan Conditions

Bypass scan on SMTP authentication: Select to omit content profile scanning if the
SMTP session is authenticated.


7 Select the blue arrow to expand Actions, and configure the following:

Figure 198: Actions

Treat as Spam: Select to perform the Actions selected in the antispam profile of the
policy that matches the email. For more information, see “Actions options” on page 263.
Reject: Select to reject the email, notifying the sender.
Discard: Select to discard the email without notifying the sender.
Replace: Select to substitute the content with a replacement message. For information
on replacement messages, see “Custom Messages” on page 173.
Forward to: Select to forward email messages, then enter a recipient email address.

8 Select the blue arrow to expand Content Monitor and filtering, then configure the
following:

Figure 199: Content Monitor and filtering

New profile: Select to add a monitor profile, which selects the dictionary profile that will
be used to determine matching email messages, and the actions that will be performed
if a match is found.
#: The index number of the content monitor profile.
Enable: Enable to use the dictionary profile to inspect email for matching content and
perform the configured action.
Delete: Select to delete the monitor profile. This option does not take effect
immediately; it occurs when you save the content profile.
Dictionary Profile: The name of the dictionary profile and the protected domain to which
it belongs, or “system” for system-wide dictionary profiles.
Actions: The action that the FortiMail unit will perform if the content of the email
message matches words or patterns from the dictionary profile.
Header/Subject Tag: The text that the FortiMail unit will use to tag email messages
matching the dictionary profile. Each tag is prefixed by a letter:
• H: The tag is a message header.
• S: The tag will be prepended to the subject line.
This field is empty if you have enabled neither subject line tagging nor message header
tagging.
Modify: Select Edit to modify the monitor profile.

If you create or edit a monitor profile, configure the following:

Figure 200: Content Monitor Profile

Dictionary Profile: Select the dictionary profile that this monitor profile will use. The
FortiMail unit will compare content in the subject line and message body of the email
message with words and patterns in the dictionary profile. If it locates matching content,
the FortiMail unit will perform the actions configured in this monitor profile. For
information on dictionary profiles, see “Dictionary” on page 298.
Actions:
  Tag Email in subject line: Select to prepend tag text to the subject line of the email,
  then enter the tag text, such as “[FILTERED] ”, in the With field.
  Tag Email with Header: Select to add a header line to the email, then enter the header
  line, such as “X-Content-Filter: Contains banned word.”, in the With field.
  No action: Select to perform no action other than tagging, if enabled, before delivery
  to the recipient.
  Treat As Spam: Select to perform the Actions selected in the antispam profile of the
  policy that matches the email. For more information, see “Actions options” on
  page 263.
  Reject: Select to reject the email, notifying the sender.
  Discard: Select to discard the email without notifying the sender.
  Replace: Select to substitute the part of the content that matches the dictionary profile
  with a replacement message. For information on replacement messages, see “Custom
  Messages” on page 173.
  Quarantine to Review: Select to redirect matching email messages to the system
  quarantine. For more information, see “System quarantine” on page 371.
  Forward to: Select to forward matching email messages, then enter a recipient email
  address.

9 Select Apply.

Caution: Applied monitor profile changes will not be saved until you have also saved the
associated content profile.

10 Select OK.
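The following Python is an added example, not FortiMail code, modelling the order in which the incoming and outgoing content profiles described above process a message: attachment filtering and file type filtering feed the profile's Actions, and the content monitor's dictionary check applies the subject (S) and header (H) tags before its own action. The dictionary words, patterns, MIME types, tag text and sample messages are all constructed.

```python
import email
import fnmatch
import re
from email import policy
from email.message import EmailMessage

# Constructed profile settings (hypothetical values; a real profile is built in the GUI).
DICTIONARY_WORDS = ["confidential", "wire transfer"]       # dictionary profile entries
ATTACHMENT_PATTERNS = ["*.exe", "*.scr"]                    # Attachment Filtering patterns
FILE_TYPES = {"application/x-msdownload"}                   # File Type Filtering selection
SUBJECT_TAG = "[FILTERED] "                                 # Tag Email in subject line, With
HEADER_TAG = ("X-Content-Filter", "Contains banned word.")  # Tag Email with Header, With


def attachment_matches(part):
    """True if an attachment hits a file name pattern or a filtered MIME type."""
    name = (part.get_filename() or "").lower()
    if any(fnmatch.fnmatch(name, pat) for pat in ATTACHMENT_PATTERNS):
        return True
    return part.get_content_type() in FILE_TYPES


def dictionary_hits(msg):
    """Dictionary words found in the subject line or the plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    return [w for w in DICTIONARY_WORDS if re.search(re.escape(w), text, re.IGNORECASE)]


def tag_message(msg):
    """Apply both tagging options: the 'S' subject tag and the 'H' header tag."""
    subject = str(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = SUBJECT_TAG + subject
    msg[HEADER_TAG[0]] = HEADER_TAG[1]


def apply_content_profile(raw, attachment_action="reject", monitor_action="no action"):
    """Return (action, evidence, message). attachment_action is the content profile's
    Actions setting (step 7); monitor_action is the monitor profile's action (step 8)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = [p.get_filename() or p.get_content_type()
               for p in msg.iter_attachments() if attachment_matches(p)]
    if blocked:
        return attachment_action, blocked, msg
    hits = dictionary_hits(msg)
    if not hits:
        return "deliver", [], msg
    tag_message(msg)  # "No action" still tags before delivery when tagging is enabled
    return monitor_action, hits, msg


def build_sample(subject, body, filename, maintype, subtype):
    """Constructed test message: a plain-text body plus one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user1@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"\x00constructed", maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    exe = build_sample("Invoice", "See attached.", "invoice.exe",
                       "application", "octet-stream")
    print(apply_content_profile(exe)[:2])
    txt = build_sample("Q3 numbers", "Please process the wire transfer today.",
                       "report.pdf", "application", "pdf")
    action, hits, msg = apply_content_profile(txt)
    print(action, hits, msg["Subject"], msg["X-Content-Filter"])
```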


To create a profile by duplicating an existing profile

1 Go to Profile > Content > Outgoing.
2 In the row corresponding to the profile whose settings you want to duplicate when
creating the new profile, select Copy.
3 In To, enter a name for the new profile.

Figure 201: Copy Outgoing Content Profile

4 Select OK.
The new profile appears in the list of profiles. Changes to this new profile do not
affect the original profile from which it was created.

To apply changes to multiple profiles

1 Go to Profile > Content > Outgoing.
2 In the row corresponding to an existing profile whose settings you want to modify,
select Edit.
The option to apply changes to multiple profiles does not appear when creating a
new profile. You must modify an existing profile.
3 Modify the profile, changing only those settings that you want to apply to multiple
profiles.
4 Select Apply To Profiles.
A dialog appears, summarizing the changes you are about to apply.

Figure 202: Review Content Profile Change

5 If you want to undo some of the changes or make additional changes, select
Change profile. Otherwise, proceed by selecting Select Profiles.
6 In the Available profiles area, select the names of one or more profiles to which
you want to apply the changes, then select the right arrow to move them into the
Selected profiles area.

Figure 203: Select profiles

7 Select OK.
A success message appears. To display the list of profiles, select Return.

Session
The Session menu enables you to configure session profiles.
Similar to access control rules or message delivery rules, session profiles control
aspects of SMTP connection sessions.
The Session menu includes the following tabs:
• Session Configuration

Session Configuration
The Session Configuration tab enables you to create session profiles. While, like
antispam profiles, session profiles protect against spam, session profiles focus on
the connection and envelope portion of the SMTP session, rather than the
message header, body, or attachments.
To view the list of session profiles, go to Profile > Session >
Session Configuration.

Figure 204: Session profile list

Profile: The name of the profile.
Modify: Select Edit to modify a profile. For more information, see “To create a session
profile” on page 288. Select Delete to remove a profile. This option does not appear if
the profile is currently selected in a policy.
Create New: Select to add a profile. For more information, see “To create a session
profile” on page 288.


To create a session profile

1 Go to Profile > Session > Session Configuration.
2 Select Create New.
3 In Profile Name, type the name of the profile.
4 Select the blue arrow to expand Connection Settings.
Configure the following connection settings options to restrict the number and
duration of connections to the FortiMail unit. When any of these limits are
exceeded, the FortiMail unit blocks further connections. Setting any of these
values to 0 disables the limit.

Figure 205: Connection Settings (gateway mode and server mode)

Figure 206: Connection Settings (transparent mode)

Hide this box from the mail server (transparent mode only): Select to omit information
from message headers that would normally indicate the FortiMail unit has intercepted,
examined, and processed the message.
Restrict the number of connections per client to n per n minutes: Enter a rate limit to
the number of connections per client IP address, then enter the number of minutes that
defines the time interval of the limit.
Restrict the number of messages per client to n per n minute(s): Enter a rate limit to
the number of messages sent per client IP address, then enter the number of minutes
that defines the time interval of the limit.
Each client can only connect n times concurrently: Enter a limit to the number of
simultaneous connections per client.
Limit the total number of connections to n: Enter a limit to the total number of
simultaneous connections from all sources.
Drop connections after n seconds of client inactivity: Enter a limit to the number of
seconds a client may be inactive before the FortiMail unit drops the connection.
Do not let client connect to blacklisted SMTP servers (transparent mode only): Select to
prevent clients from using SMTP servers that have been blacklisted in antispam profiles
or, if enabled, the FortiGuard AntiSpam service.


5 Select the blue arrow to expand Sender Reputation.
Configure the sender reputation settings to restrict the number of email messages
sent from SMTP clients based upon whether they have a reputation of sending an
excessive number of email messages, email with invalid recipients, or email
infected with viruses.
For more information on sender reputations, see “Sender Reputation” on
page 416.

Note: Sender reputation scores can be affected by sender validation results.

Figure 207: Sender Reputation

Enable sender reputation checking: Select to accept or reject email based upon sender
reputation scores.
Throttle client at n: Enter a sender reputation score over which the FortiMail unit will
rate limit the number of email messages that can be sent by this SMTP client. The
enforced rate limit is either “Restrict number of emails per hour to n” or “Restrict email
to n percent of the previous hour”, whichever value is greater. This option applies only if
“Enable sender reputation checking” is enabled.
  Restrict number of emails per hour to n: Enter the maximum number of email
  messages per hour that the FortiMail unit will accept from a throttled sender.
  Restrict email to n percent of the previous hour: Enter the maximum number of email
  messages per hour that the FortiMail unit will accept from a throttled sender, as a
  percentage of the number of email messages that the sender sent during the previous
  hour.
Temporarily fail client at n: Enter a sender reputation score over which the FortiMail
unit will return a temporary fail error when the sender attempts to initiate a connection.
This option applies only if “Enable sender reputation checking” is enabled.
Reject client at n: Enter a sender reputation score over which the FortiMail unit will
return a rejection error when the sender attempts to initiate a connection. This option
applies only if “Enable sender reputation checking” is enabled.

6 Select the blue arrow to expand MSISDN Reputation.
Configure the MSISDN Reputation settings to restrict the ability of an MSISDN to
send MM3 multimedia messaging service (MMS) messages from a mobile phone
based upon its MSISDN reputation score, similarly to a sender reputation score.
For more information on configuring MSISDN reputation-based behavior, see
“MSISDN Reputation” on page 418.

Figure 208: MSISDN Reputation

Enable MSISDN Reputation: Select to accept or reject email based upon MSISDN
reputation scores.
Auto blacklist score trigger value: Enter the MSISDN reputation score over which the
FortiMail unit will add the MSISDN to the automatic blacklist. The trigger score is relative
to the period of time configured as the automatic blacklist window. For more information
on the automatic blacklist window, see “Settings” on page 422.
Auto blacklist duration: Enter the number of minutes that an MSISDN will be prevented
from sending email after it has been automatically blacklisted.

7 Select the blue arrow to expand Sender Validation.
Configure the Sender Validation settings to confirm sender and message
authenticity.
Failure to validate does not guarantee that an email is spam, just as successful
validation does not guarantee that an email is not spam, but it may help to indicate
spam. Validation results are used to adjust the sender reputation scores and deep
header scans.

Figure 209: Sender Validation

Enable DKIM check: Select to, if a DKIM signature is present, query the DNS server that
hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt
and verify the DKIM signature. An invalid signature increases the client sender
reputation score and affects the deep header scan. A valid signature decreases the
client sender reputation score. If the sender domain DNS record does not include DKIM
information or the message is not signed, the FortiMail unit omits the DKIM signature
validation.
Enable DKIM signing for outgoing messages: Select to sign outgoing email with a DKIM
signature. This option requires that you first generate a domain key pair and publish the
public key in the DNS record for the domain name of the protected domain. If you do not
publish the public key, destination SMTP servers will not be able to validate your DKIM
signature. For details on generating domain key pairs and publishing the public key, see
“DKIM Setting” on page 195.
Enable DKIM signing for authenticated senders only: Select to sign outgoing email with
a DKIM signature only if the sender is authenticated. This option is available only if
“Enable DKIM signing for outgoing messages” is enabled.


Enable Domain Key check
  Select to compare the client IP address to the IP addresses of
  authorized senders, if the DNS record for the domain name of the
  sender lists DomainKeys authorized IP addresses.
  An unauthorized client IP address increases the client sender
  reputation score. An authorized client IP address decreases the
  client sender reputation score.
  If the DNS record for the domain name of the sender does not publish
  DomainKeys information, the FortiMail unit omits the DomainKeys
  client IP address validation.
Enable SPF check
  Select to compare the client IP address to the IP addresses of
  authorized senders listed in the DNS record, if the sender domain
  DNS record publishes SPF information.
  An unauthorized client IP address increases the client sender
  reputation score. An authorized client IP address decreases the
  client sender reputation score.
  If the DNS record for the domain name of the sender does not publish
  SPF information, the FortiMail unit omits the SPF client IP address
  validation.
Bypass Bounce Verification check
  Select to omit verification of bounce address tags on incoming
  bounce messages, if bounce verification is enabled.
  This bypass does not omit bounce address tagging of outgoing
  messages.
  For more information, see “Bounce Verification” on page 423.
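The SPF check above compares the connecting client’s IP address with the addresses the sender domain publishes in DNS. The following Python example is added here for illustration; it is not FortiMail code and does not appear in this guide. It evaluates the ip4/ip6 mechanisms and the all qualifier of an SPF record against a client address and then applies the reputation-score rule described above. The DNS lookup is replaced by a constructed table of records, and the +1/-1 score weights are assumptions (the unit’s actual weights are not documented on this page). A full evaluator would also have to handle include, a, mx and redirect and the 10-lookup limit of RFC 4408.

```python
import ipaddress

# Constructed sample records standing in for DNS TXT lookups. These are
# made-up entries, not real DNS data.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.org": "",  # publishes no SPF record at all
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup; returns the SPF record or None."""
    record = SPF_RECORDS.get(domain, "")
    return record if record.startswith("v=spf1") else None


def spf_check(client_ip, sender_domain):
    """Evaluate the sender domain's SPF record for the connecting client.

    Returns "pass", "fail", "softfail", "neutral" or "none" (no record
    published, so the check is omitted). Only ip4/ip6 mechanisms and the
    all term are handled; include/a/mx would need further lookups.
    """
    record = lookup_spf(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # mechanisms default to "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # RFC 4408: a record with no matching term is neutral


# Assumed weights: an authorized client lowers the score, an unauthorized
# one raises it. Neutral and missing records leave the score untouched.
SCORE_ADJUST = {"pass": -1, "fail": 1, "softfail": 1, "neutral": 0, "none": 0}


def adjust_reputation(score, client_ip, sender_domain):
    """Apply the page's rule to a client sender reputation score."""
    result = spf_check(client_ip, sender_domain)
    return score + SCORE_ADJUST[result], result
```

A softfail (~all) is treated here like a fail for scoring purposes; whether a gateway should weight it the same way is a policy decision, since many domains still publish ~all while they migrate mail sources.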

8 Select the blue arrow to expand Session Settings, and configure the following:

Figure 210: Session Settings (gateway mode and server mode)

Figure 211: Session Settings (transparent mode)


Reject EHLO/HELO commands with invalid characters in the domain
  Select to return SMTP reply code 501, rejecting the SMTP greeting,
  if the client or server uses a greeting that contains a domain name
  with invalid characters.
  To avoid disclosure of a real domain name, spammers sometimes spoof
  an SMTP greeting domain name with random characters, rather than
  using a genuine, valid domain name. If this option is enabled, such
  connections are rejected.
  In the following example, the EHLO command is the one rejected:
  220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT
  EHLO ^^&^&^#$
  501 5.0.0 Invalid domain name
  Valid domain characters include:
  • alphanumerics (A to Z and 0 to 9)
  • brackets ( [ and ] )
  • periods ( . )
  • dashes ( - )
  • underscores ( _ )
  • number signs ( # )
  • colons ( : )
Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address
(transparent mode only)
  Select to rewrite the HELO domain to the IP address of the client to
  prevent domain name spoofing.
Rewrite EHLO/HELO domain to (transparent mode only)
  Select to rewrite the HELO domain to the specified value.
Prevent encryption of the session (transparent mode only)
  Select to block TLS/MD5 commands so that email must pass
  unencrypted, enabling the FortiMail unit to scan the email for
  viruses and spam.
  Clear to pass TLS/MD5 commands, allowing encrypted email to pass.
  The FortiMail unit cannot scan encrypted email for viruses and spam.
Allow pipelining for the session (transparent mode only)
  Select to allow SMTP command pipelining, in which the client sends a
  batch of SMTP commands without waiting for the reply to each one,
  improving performance over high-latency connections.
  Deselect to accept only a single command at a time during an SMTP
  session.
Enforce strict RFC compliance (transparent mode only)
  Select this option to limit pipelining support to strict compliance
  with RFC 2920, SMTP Service Extension for Command Pipelining.
  This option is available only if Allow pipelining for the session is
  enabled.


Perform strict syntax checking
  Select to return SMTP reply code 503, rejecting the SMTP command, if
  the client or server uses SMTP commands that are syntactically
  incorrect.
  EHLO or HELO, MAIL FROM, RCPT TO (can be multiple), and DATA
  commands must be in that order. AUTH, STARTTLS, RSET, NOOP commands
  can arrive at any time. Other commands, or commands in an
  unacceptable order, return a syntax error.
  In the following example, the RCPT TO command is rejected because
  no MAIL FROM preceded it:
  220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT
  EHLO example.com
  250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
  RCPT TO:<user1@example.com>
  503 5.0.0 Need MAIL before RCPT
Switch to SPLICE mode after n seconds/kilobytes (transparent mode only)
  Select to enable splice mode, then type a threshold value based on
  time (seconds) or data size (kilobytes).
  Splice mode enables the FortiMail unit to simultaneously scan an
  email and relay it to the SMTP server. This increases throughput and
  reduces the risk of a server timeout.
  If the FortiMail unit detects spam or a virus, it terminates the
  server connection and returns an error message to the sender,
  listing the spam or virus name and infected file name.


ACK EOM before AntiSpam check
  Select to acknowledge the end of message (EOM) signal immediately
  after receiving the carriage return and line feed (CRLF) characters
  that indicate the EOM, rather than waiting for antispam scanning to
  complete.
  If the FortiMail unit has not yet completed antispam scanning by the
  time that four (4) minutes have elapsed, it returns SMTP reply code
  451 (Try again later). This causes no permanent problem, because
  according to RFC 2821 the sending side’s minimum timeout while
  waiting for the reply to the end of data should be 10 minutes.
  However, in rare cases where the server or client’s timeout is
  shorter than 4 minutes, the sending client or server could time out
  while waiting for the FortiMail unit to acknowledge the EOM.
  Enabling this option prevents those rare cases.
  Because the message is then accepted before scanning finishes, spam
  found afterwards can no longer be rejected within the same SMTP
  session.
Send DSN to sender when spam is detected
  Select to send a delivery status notification (DSN) to the sender
  when spam is detected. DSN is described in RFC 1891, RFC 3461, and
  RFC 3463.
  By default, this feature is disabled, because enabling it could
  allow spammers to use the FortiMail unit to spam via DSN
  (backscatter). In this attack, spammers spoof a legitimate sender
  email address, expecting that the FortiMail unit will reject the
  email and then send a DSN, containing the spam, to the spoofed
  sender address, which is the true target of the attack. However,
  there may be reasons why you want to enable this option. For
  example:
  • If you have disabled recipient validation but enabled tagging of
    spam, after the FortiMail unit sends tagged spam to the protected
    email server, the protected email server will return the SMTP
    reply code 550 (user unknown), thereby wasting system resources of
    both the FortiMail unit and the protected email server.
  • According to RFC 2821, the FortiMail unit should send a DSN to
    notify the sender of the delivery failure.

9 Select the blue arrow to expand For Unauthenticated Sessions, and configure the
following:

Figure 212: For Unauthenticated Sessions (gateway mode and server mode)

Figure 213: For Unauthenticated Sessions (transparent mode)


Check HELO/EHLO domain
  Select to return SMTP reply code 501, rejecting the SMTP command, if
  the domain name accompanying the SMTP greeting is not a domain name
  that exists in either MX or A records.
Check sender domain
  Select to return SMTP reply code 421, rejecting the SMTP command, if
  the domain name portion of the sender address is not a domain name
  that exists in either MX or A records.
  In the following example, the MAIL FROM command is the one rejected:
  220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT
  EHLO
  250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
  MAIL FROM:<user1@example.com>
  421 4.3.0 Could not resolve sender domain.
Check recipient domain
  Select to return SMTP reply code 550, rejecting the SMTP command, if
  the domain name portion of the recipient address is not a domain
  name that exists in either MX or A records.
  In the following example, the RCPT TO command is the one rejected:
  220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT
  EHLO example.com
  250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
  MAIL FROM:<user1@fortinet.com>
  250 2.1.0 <user1@fortinet.com>... Sender ok
  RCPT TO:<user2@example.com>
  550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]
Reject empty domains
  Select to return SMTP reply code 553, rejecting the SMTP command, if
  a domain name does not follow the “@” symbol in the sender email
  address.
  Because the sender address is invalid and therefore cannot receive
  delivery status notifications (DSN), you may want to disable this
  feature.
  In the following example, the MAIL FROM command is the one rejected:
  220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2007 14:48:32 GMT
  EHLO example.com
  250-FortiMail-400.localdomain Hello [192.168.171.217], pleased to meet you
  MAIL FROM:<john@>
  553 5.1.3 <john@>... Hostname required
Prevent open relaying (transparent mode only)
  Select to prevent clients from using open relays to send email. If
  your clients are permitted to use open relays to send email, email
  from your domain could be blacklisted by other SMTP servers.
  This feature requires that you allow clients to use their specified
  SMTP server for outgoing mail. For details, see “Use
  client-specified SMTP server to send email” on page 216.


Reject if recipient and helo domain match but sender domain is different
  Select to reject sessions in which spammers use the same domain name
  in the HELO greeting and in the recipient address but a different
  domain name in the sender address, thereby attempting to mask the
  true identity of the sending server.
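The strict syntax check in the Session Settings above and the Reject empty domains check in this table both reject commands at the level of the SMTP dialogue. The following Python example is added here to show both together; it is not FortiMail code. It validates the EHLO/HELO domain against the character set listed under “Reject EHLO/HELO commands with invalid characters in the domain”, enforces the greeting, MAIL FROM, RCPT TO, DATA order with the 503 “Need X before Y” reply, accepts AUTH, STARTTLS, RSET and NOOP at any point, and returns 553 Hostname required for a sender address with nothing after the “@”. The 501, 503 and 553 reply lines follow the page’s examples; every other reply text, and the 500 code for unrecognized commands, is an assumption made for this example.

```python
import re

# Characters the page lists as valid in an EHLO/HELO greeting domain:
# alphanumerics, brackets, periods, dashes, underscores, number signs, colons.
HELO_DOMAIN_RE = re.compile(r"^[A-Za-z0-9\[\].\-_#:]+$")

# State each envelope command requires, and the name used in the 503 reply.
REQUIRED_STATE = {
    "MAIL": ({"HELO"}, "HELO"),
    "RCPT": ({"MAIL", "RCPT"}, "MAIL"),   # RCPT may repeat
    "DATA": ({"RCPT"}, "RCPT"),
}
ANYTIME = {"AUTH", "STARTTLS", "RSET", "NOOP"}


def check_helo_domain(domain):
    """Return None if the greeting domain is acceptable, else the 501 reply."""
    if not domain or not HELO_DOMAIN_RE.match(domain):
        return "501 5.0.0 Invalid domain name"
    return None


def extract_address(arg, keyword):
    """Pull <addr> out of 'FROM:<addr>' or 'TO:<addr>'; None if malformed."""
    m = re.match(rf"^{keyword}:\s*(<[^>]*>)\s*$", arg, re.IGNORECASE)
    return m.group(1) if m else None


class StrictSmtpSession:
    """Command-order and greeting checks for one SMTP session."""

    def __init__(self, reject_empty_domains=True):
        self.state = "CONNECT"
        self.reject_empty_domains = reject_empty_domains

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            err = check_helo_domain(arg.strip())
            if err:
                return err
            self.state = "HELO"
            return "250 Hello, pleased to meet you"
        if verb in ANYTIME:
            if verb == "RSET" and self.state != "CONNECT":
                self.state = "HELO"      # RSET discards the envelope, keeps the greeting
            return "250 2.0.0 OK"
        if verb not in REQUIRED_STATE:
            return "500 5.5.1 Command unrecognized"   # reply text assumed
        allowed, needed = REQUIRED_STATE[verb]
        if self.state not in allowed:
            return f"503 5.0.0 Need {needed} before {verb}"
        if verb == "MAIL":
            addr = extract_address(arg, "FROM")
            if addr is None:
                return "501 5.5.4 Syntax error in parameters"   # assumed
            # "<>" is the null reverse-path used by bounces and stays allowed;
            # "<john@>" has a local part but no domain after the "@".
            if self.reject_empty_domains and addr.endswith("@>"):
                return f"553 5.1.3 {addr}... Hostname required"
            self.state = "MAIL"
            return f"250 2.1.0 {addr}... Sender ok"
        if verb == "RCPT":
            addr = extract_address(arg, "TO")
            if addr is None:
                return "501 5.5.4 Syntax error in parameters"   # assumed
            self.state = "RCPT"
            return f"250 2.1.5 {addr}... Recipient ok"
        self.state = "DATA"   # message body handling is out of scope here
        return '354 Enter mail, end with "." on a line by itself'


def run_session(lines, **kwargs):
    """Feed a constructed client transcript through the checks; return replies."""
    session = StrictSmtpSession(**kwargs)
    return [session.handle(line) for line in lines]
```

Feeding the page’s own transcript, `["EHLO example.com", "RCPT TO:<user1@example.com>"]`, produces the 250 greeting reply followed by “503 5.0.0 Need MAIL before RCPT”; the null sender `MAIL FROM:<>` is deliberately not caught by the empty-domain rule, because rejecting it would also reject legitimate bounces.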

10 Select the blue arrow to expand SMTP Limits, and configure the following:

Figure 214: SMTP Limits

Restrict number of EHLO/HELOs per session to n
  Enter the limit of SMTP greetings that a connecting SMTP server or
  client can perform before the FortiMail unit terminates the
  connection. Restricting the number of SMTP greetings allowed per
  session makes it more difficult for spammers to probe the email
  server for vulnerabilities, as a greater number of attempts results
  in a greater number of terminated connections, which must then be
  re-initiated.
Restrict number of emails per session to n
  Enter the limit of email messages per session to prevent mass
  mailing.
Restrict number of recipients per email to n
  Enter the limit of recipients to prevent mass mailing.
Cap message size at n kilobytes
  Enter the limit of message size. If enabled, messages over the
  threshold size are rejected.
Cap header size at n kilobytes
  Enter the limit of the message header size. If enabled, messages
  with headers over the threshold size are rejected.
Drop connection after n NOOPs
  Enter the limit of NOOP commands that are permitted per SMTP
  session. Some spammers use NOOP commands to keep a long session
  alive. Legitimate sessions usually require few NOOPs.
Drop connection after n RSETs
  Enter the limit of RSET commands that are permitted per SMTP
  session. Some spammers use RSET commands to try again after
  receiving error messages such as unknown recipient. Legitimate
  sessions should require few RSETs.

11 Select the blue arrow to expand Error Handling.


Configure Error Handling to specify how the FortiMail unit should handle
connections from SMTP clients that are error-prone. Errors sometimes indicate
attempts to misuse the server. You can impose delays or drop connections if there
are errors. Setting any of these values to 0 disables the limit.


Figure 215: Error Handling

Client is allowed n “free” errors.
  Enter the number of errors permitted before the FortiMail unit
  imposes a delay. By default, five errors are permitted before the
  FortiMail unit imposes the first delay.
The first non-free error will incur a delay of n seconds
  Enter the delay time for the first error after the number of “free”
  errors is reached.
Subsequent error delays will increment by n seconds
  Enter the number of seconds by which to increase the delay for each
  error after the first delay is imposed.
The connection will drop after n errors
  Enter the total number of errors the FortiMail unit will accept
  before dropping the connection.
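The SMTP Limits and Error Handling settings above are all per-session counters. The following Python example, added here and not FortiMail code, models them so that the effect of each value can be seen: greeting, RSET, NOOP, recipient and message counts that drop the connection when exceeded, and the free-error allowance followed by a first delay that grows by a fixed increment on each later error until the drop threshold is reached. The five free errors match the default stated on the page; every other default in the constructor is an assumption chosen for illustration, and, as the page says, a limit of 0 disables that limit.

```python
def error_delay(error_number, free_errors=5, first_delay=5, delay_increment=5):
    """Seconds to delay the reply to the error_number-th error (1-based) of a
    session. Errors up to free_errors cost nothing; the next one costs
    first_delay; each later one adds delay_increment on top of that."""
    if error_number <= free_errors:
        return 0
    return first_delay + (error_number - free_errors - 1) * delay_increment


class SmtpSessionGuard:
    """Per-session counters for the SMTP Limits and Error Handling settings.
    A limit of 0 disables that limit. Once `dropped` is set, the server
    should close the connection. Defaults other than free_errors=5 are
    assumed values for this example."""

    def __init__(self, max_greetings=3, max_rsets=5, max_noops=5,
                 max_recipients=50, max_messages=10,
                 free_errors=5, first_delay=5, delay_increment=5, drop_after=10):
        self.limits = {"GREETING": max_greetings, "RSET": max_rsets,
                       "NOOP": max_noops, "RCPT": max_recipients,
                       "MESSAGES": max_messages}
        self.counters = {key: 0 for key in self.limits}
        self.free_errors = free_errors
        self.first_delay = first_delay
        self.delay_increment = delay_increment
        self.drop_after = drop_after
        self.errors = 0
        self.dropped = False

    def _bump(self, key):
        self.counters[key] += 1
        limit = self.limits[key]
        if limit and self.counters[key] > limit:
            self.dropped = True
        return not self.dropped

    def on_command(self, verb):
        """Count one client command. Returns False once the connection
        should be dropped."""
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return self._bump("GREETING")
        if verb in ("RSET", "NOOP", "RCPT"):
            return self._bump(verb)
        return not self.dropped

    def on_message_accepted(self):
        """Count one accepted message; the recipient limit is per email,
        so the RCPT counter starts over."""
        self.counters["RCPT"] = 0
        return self._bump("MESSAGES")

    def on_error(self):
        """Record one client error. Returns the delay in seconds to impose
        before replying, or None when the connection should be dropped."""
        self.errors += 1
        if self.drop_after and self.errors >= self.drop_after:
            self.dropped = True
            return None
        return error_delay(self.errors, self.free_errors,
                           self.first_delay, self.delay_increment)
```

With the defaults, errors one to five are answered immediately and errors six, seven and eight are delayed 5, 10 and 15 seconds, so a client hammering the server with bad recipients pays a growing price while a legitimate client that mistypes one address is not punished at all.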

12 Select the blue arrow to expand Header manipulation.


Email processing software and hardware can add extra lines to the message
header of each email message. When multiple lines are added, this can
significantly increase the size of the email message. You can configure Header
manipulation settings to reduce the number of message headers.

Figure 216: Header manipulation

Remove received header
  Select to remove all the Received headers from email messages.
Remove headers
  Select to remove other configured headers from email messages, then
  select Edit to configure which headers should be removed.
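The following Python example, added here and not FortiMail code, shows what the two Header manipulation settings do to a message: it removes every Received header and any other configured header names, and leaves the rest of the message untouched. The message is a constructed sample using the standard library email parser; header names are compared case-insensitively, as RFC 2822 requires.

```python
from email import message_from_string
from email.policy import default

# Constructed sample message (not from the page): two relay hops have each
# added a Received header, and the client added X-Mailer/X-Originating-IP.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.com with ESMTP; Wed, 14 Feb 2008 13:30:20 GMT
Received: from client.example.org ([198.51.100.7])
\tby mx1.example.net with SMTP; Wed, 14 Feb 2008 13:30:10 GMT
X-Mailer: ConstructedMailer/1.0
X-Originating-IP: 198.51.100.7
From: user1@example.org
To: user2@example.com
Subject: Quarterly report
Message-ID: <constructed-1@example.org>

Body text.
"""


def strip_headers(raw_message, remove_received=True, remove_names=()):
    """Return the message with every Received header (if remove_received)
    and every header named in remove_names deleted. Header names match
    case-insensitively; the body and all other headers are unchanged."""
    msg = message_from_string(raw_message, policy=default)
    targets = {name.lower() for name in remove_names}
    if remove_received:
        targets.add("received")
    for name in list(msg.keys()):        # keys() repeats duplicated names
        if name.lower() in targets:
            del msg[name]                 # deletes every occurrence
    return msg.as_string()


def header_names(raw_message):
    """Header field names in order, duplicates included."""
    return list(message_from_string(raw_message, policy=default).keys())
```

Removing Received headers also removes the relay trail that incident responders rely on to trace where a message entered the mail path, so on inbound mail this is usually a bad trade; the setting is most defensible on outbound mail, where the hops being stripped are your own internal hosts.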

13 Select the blue arrow to expand Lists.


Configure the sender and recipient black lists and white lists, if any, that will be
used with the session profile. Black and white lists are separate for each session
profile, and will apply only to traffic controlled by the IP-based policy to which the
session profile is applied.
Email addresses in each black list or white list are listed in alphabetical order. For
more information on how blacklisted email addresses are handled, see “Black and
white list hierarchy” on page 400.

Note: If you require regular expression support for whitelisting and blacklisting sender and
recipient email addresses in the envelope, do not configure white lists and black lists in the
session profile. Instead, configure access control rules and message delivery rules. For
more information, see “Access” on page 198.


Figure 217: Lists

Enable sender white list checking
  Enable to use an envelope sender (MAIL FROM) white list in SMTP
  sessions to which this profile is applied, then select Edit to
  define the whitelisted email addresses.
Enable sender black list checking
  Enable to use an envelope sender (MAIL FROM) black list in SMTP
  sessions to which this profile is applied, then select Edit to
  define the blacklisted email addresses.
Allow recipients on this list
  Enable to use an envelope recipient (RCPT TO) white list in SMTP
  sessions to which this profile is applied, then select Edit to
  define whitelisted email addresses.
Disallow recipients on this list
  Enable to use an envelope recipient (RCPT TO) black list in SMTP
  sessions to which this profile is applied, then select Edit to
  define blacklisted email addresses.

14 Select OK.

Preventing clients from using open relays (transparent mode)


In addition to controlling SMTP connections through session profiles, if the
FortiMail unit is operating in transparent mode, some aspects of SMTP
connections can be configured during configuration of the transparent proxy.
If your clients specify use of an open relay when sending email messages, you
could be blacklisted by other SMTP relays. You can prevent this from happening
by not allowing email users to use open relays. For more information, see
“FortiMail SMTP relay vs. unprotected SMTP servers” on page 215.

Dictionary
The Dictionary menu enables you to configure dictionary profiles and to maintain
the dictionary profile database.
The Dictionary menu includes the following tabs:
• Profiles
• Categories
• Languages
• Groups
• Maintenance

How to create dictionary profiles


Dictionary profiles use several components, which must be created before you
can create and use a dictionary profile. The following is an overview of steps you
must complete in order to create and apply a dictionary profile.


1 Create language and category items, which are required when creating a
dictionary. See “To create a dictionary category” on page 304 and “To create a
dictionary language” on page 306.
2 Create dictionaries, which are required when creating a dictionary group item, or
when directly selecting them for use in a dictionary profile. See “To create a
dictionary” on page 302.
3 Add words and patterns to your new dictionaries. See “To add words and patterns
to a dictionary” on page 303.
4 If you will be creating multiple dictionary profiles that will use similar sets of
dictionaries, create dictionary groups. See “To create a dictionary group” on
page 307.
5 Add dictionary group items to your new dictionary groups. See “To create a
dictionary group item” on page 308.
6 Create dictionary profiles. See “To create a dictionary profile” on page 300.
7 Select dictionaries or dictionary groups in your new dictionary profiles. See “To
add dictionaries and dictionary groups to a dictionary profile” on page 300.
8 Select dictionary profiles in antispam profiles and/or content profiles. For more
information, see “AntiSpam” on page 241 and “Content” on page 275.

Profiles
The Profiles tab enables you to configure dictionary profiles, which can be used
by antispam or content profiles to detect spam or banned content.
Rather than being selected in a policy, dictionary profiles are used indirectly by
selecting them in a content profile or antispam profile, which in turn must be
selected in the policy. For more information on content profiles and antispam
profiles, see “AntiSpam” on page 241 and “Content” on page 275.
Dictionary profiles require the creation of several other components before you
can create the dictionary profile. For an overview of the entire procedure, see
“How to create dictionary profiles” on page 298.
To view the list of dictionary profiles, go to Profile > Dictionary > Profiles.

Figure 218: Dictionary profile list (callouts: Delete, Edit)

Select Domain
  Select the name of a protected domain to display dictionary profiles
  belonging to that protected domain, or select “system” to display
  system-wide dictionary profiles.
Profile Name
  The name of the profile.
  Select the name of the profile to add dictionaries and dictionary
  groups to the dictionary profile. For more information, see “Adding
  dictionaries and dictionary groups to a dictionary profile” on
  page 300.


Domain
  The entire FortiMail unit (“system”) or name of a protected domain to
  which this profile is assigned.
  For more information, see “Administrator account permissions and
  domains” on page 139.
Description
  The description of the profile.
Modify
  Select Delete to remove a profile. This option does not appear if the
  profile is selected in an antispam or content profile.
  Select Edit to modify profile properties other than its selected
  dictionaries and/or dictionary groups. For more information, see “To
  create a dictionary profile” on page 300.
Create New
  Select to add a profile. For more information, see “To create a
  dictionary profile” on page 300.

To create a dictionary profile


1 Go to Profile > Dictionary > Profiles.
2 Select Create New.

Figure 219: New/Edit dictionary profile

3 In Profile Name, enter the name of the profile.
4 In Description, enter a descriptive note.
5 Select OK.
An empty dictionary profile appears in the profile list.
6 To define the words and patterns that will comprise the dictionary profile, add
dictionaries and/or dictionary groups. For details, see “Adding dictionaries and
dictionary groups to a dictionary profile” on page 300.

Adding dictionaries and dictionary groups to a dictionary profile

After you have created a dictionary profile, the profile is initially empty. To include
words and patterns, you must select the dictionaries and/or dictionary groups that
you want to use with the profile.
To add dictionaries and dictionary groups to a dictionary profile
Before you can select dictionaries or dictionary groups that will be used with the
dictionary profile, you must first create dictionaries and dictionary groups. For
more information, see “Dictionaries” on page 301 and “Groups” on page 306.
1 Go to Profile > Dictionary > Profiles.
2 From Select Domain, select the name of the protected domain to which the
dictionary profile is assigned, or select “system” to display system-wide dictionary
profiles.
3 In the Profile Name column, select the name of the profile.
A list of dictionaries and/or dictionary groups used by this profile appears.


Figure 220: Selecting dictionaries for a profile (callouts: New Item, Delete)

4 To select dictionaries or dictionary groups that the profile will include, in the row
corresponding to Groups or Dictionaries, first select New Item, then select the
name of the dictionary or dictionary group, and select OK.

Note: Dictionary groups that you include do not have to be an exact match for the set of
dictionaries that you actually want to use. If the dictionary group is a superset, you can
exclude individual dictionaries or smaller groups from the set by adding those to “Excluding
groups” or “Excluding dictionaries”.

Dictionaries
The Dictionaries tab enables you to create dictionaries, which contain words
and/or regular expressions.
While you can individually select which dictionaries to use with each dictionary
profile, you can also combine dictionaries into groups, then select those dictionary
groups within each profile. If you will be creating multiple dictionary profiles that
each use a similar set of dictionaries, creating dictionary groups can simplify
creation of dictionary profiles. For more information about dictionary groups, see
“Groups” on page 306.
To view the list of dictionaries, go to Profile > Dictionary > Dictionaries.

Figure 221: Dictionary list (callouts: Delete, Edit, Restore, Download)

Select Domain
  Select the name of a protected domain to display dictionaries
  belonging to that protected domain, or select “system” to display
  system-wide dictionaries.


Dictionary Name
  The name of the dictionary.
  Select the dictionary name to add, delete, or modify the words
  and/or patterns that the dictionary contains. For more information,
  see “To add words and patterns to a dictionary” on page 303.
Domain
  The entire FortiMail unit (“system”) or name of a protected domain to
  which the dictionary is assigned.
  Which dictionaries are visible and modifiable by the administrator
  varies by whether a FortiMail administrator account is assigned to a
  specific protected domain. For more information, see “Administrator
  account permissions and domains” on page 139.
Language
  The language assigned to the dictionary. For more information, see
  “Languages” on page 305.
Category
  The category assigned to the dictionary. For more information, see
  “Categories” on page 304.
Description
  The description of the dictionary.
Modify
  Select Delete to remove a dictionary. This option does not appear if
  the dictionary is selected in a dictionary profile or Type 2
  dictionary group item.
  Select Edit to modify the dictionary properties other than its
  contained words and/or patterns. For more information, see “To
  create a dictionary” on page 302.
  Select Download to download a backup file of this dictionary.
  Alternatively, you can download a backup file of all dictionaries,
  languages, categories, and dictionary groups. For more information,
  see “Maintenance” on page 310.
  Select Restore to upload a dictionary backup file and add its
  contents to that dictionary.
Create New
  Select to add a dictionary. For more information, see “To create a
  dictionary” on page 302.

To create a dictionary
Before you can create a dictionary, you must create languages and categories to
which the dictionary will be assigned. For more information, see “Categories” on
page 304 and “Languages” on page 305.
1 Go to Profile > Dictionary > Dictionaries.
2 From Select Domain, select the name of a protected domain to which this
dictionary will be assigned, or select “system” to create a system-wide dictionary.
If you have not yet configured a protected domain, the dictionary will be assigned
to “system” by default. For information on configuring protected domains, see
“Domains” on page 180.
3 Select Create New.

Figure 222: New/Edit dictionary

4 In Dictionary Name, enter a name for the dictionary.
5 In Description, enter a descriptive note.
6 From Language, select a dictionary language to categorize the dictionary.


7 From Category, select a dictionary category to categorize the dictionary.
8 Select OK.
An empty dictionary is created.
9 To define the terms that the dictionary will include, add words and patterns. For
details, see “To add words and patterns to a dictionary” on page 303.

To add words and patterns to a dictionary


1 Go to Profile > Dictionary > Dictionaries.
2 From Select Domain, select the name of the protected domain to which the
dictionary is assigned, or select “system” to display system-wide dictionaries.
3 In the Dictionary Name column, select the name of the dictionary to which you
want to add terms.
The list of words and/or patterns contained by the dictionary appears.

Figure 223: Dictionary pattern list (callouts: Page Up, Page Down, Delete, Insert Pattern before)

x of y domain
  The name of the dictionary and the name of the protected domain to
  which it is assigned, or “system” for system-wide dictionaries.
Pattern
  Enter a term, which may be either a word or a regular expression,
  then select either “create new” or “Insert Pattern before”.
create new
  Select to add the term that you have entered in the Pattern field to
  the end of the list.
Page Up
  Select to view the previous page of the list.
Page Down
  Select to view the next page of the list.
view x lines
  Select the number of entries to display per page.
x cols per page
  Select the number of columns to display.
Total: x/y
  The current page number and the total number of pages of the list.
Pattern
  The word or regular expression.
  Select the term to modify it.
Modify
  Select Delete to remove a pattern.
  Select Insert Pattern before to add a new pattern before the current
  pattern.


4 For each term that you want to add, either:
• To add a term to the end of the list, in Pattern, enter a word or regular
expression, then select “create new”.
• To add a term before another in the list, in the row corresponding to the term
before which you want to add your new term, first select “Insert Pattern before”,
then in Pattern, enter a word or regular expression, and select OK.
Dictionary terms are UTF-8 encoded, and may include characters other than
ASCII characters, such as é or ñ.
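A dictionary mixes plain words with regular expressions and is scanned against UTF-8 text. The following Python example, added here and not FortiMail code, shows one way such a dictionary can be compiled and run over message text: it counts the hits for each entry, so the counts can feed a score or a threshold. The page does not say how the unit tells a word from a regular expression or whether words match whole or as substrings, so this example assumes that an entry written between slashes is a regular expression, that plain words match whole and case-insensitively, and that text is NFC-normalized before matching so that a precomposed é and an e plus a combining accent compare equal.

```python
import re
import unicodedata


def compile_dictionary(terms):
    """Compile dictionary entries into regular expressions.

    Entries written /like this/ are taken as regular expressions (an
    assumed convention for this example); any other entry is a word,
    matched whole and case-insensitively. Entries are NFC-normalized so
    that they line up with the normalized text in scan_text()."""
    compiled = []
    for term in terms:
        norm = unicodedata.normalize("NFC", term)
        if len(norm) > 2 and norm.startswith("/") and norm.endswith("/"):
            pattern = re.compile(norm[1:-1], re.IGNORECASE)
        else:
            # \w is Unicode-aware in Python 3, so é and ñ count as word
            # characters and "résumés" does not match the word "résumé".
            pattern = re.compile(r"(?<!\w)" + re.escape(norm) + r"(?!\w)",
                                 re.IGNORECASE)
        compiled.append((term, pattern))
    return compiled


def scan_text(text, compiled):
    """Return {entry: hit_count} for every dictionary entry found in text."""
    text = unicodedata.normalize("NFC", text)
    hits = {}
    for term, pattern in compiled:
        count = sum(1 for _ in pattern.finditer(text))
        if count:
            hits[term] = count
    return hits
```

Whole-word matching is the choice that keeps a word such as “confidential” from firing on “confidentiality”; the regular-expression form is for structured data such as card numbers, where a word list cannot help.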

Categories
The Categories tab enables you to create dictionary categories.
When creating a dictionary, you must select a category to label the dictionary
according to the type of terms that it contains. When creating dictionary group
items, you can select subsets of your dictionaries based upon their assigned
category.
To view the list of dictionary categories, go to Profile > Dictionary > Categories.

Figure 224: Dictionary category list (callouts: Delete, Edit)

Select Domain
  Select the name of a protected domain to display dictionary
  categories belonging to that protected domain, or select “system” to
  display system-wide dictionary categories.
Category Name
  The name of the category.
Domain
  The entire FortiMail unit (“system”) or name of a protected domain to
  which the dictionary category is assigned.
  Which dictionary categories are visible and modifiable by the
  administrator varies by whether a FortiMail administrator account is
  assigned to a specific protected domain. For more information, see
  “Administrator account permissions and domains” on page 139.
Description
  The description of the category.
Modify
  Select Delete to remove a category. This option does not appear if
  the dictionary category is currently used in a dictionary.
  Select Edit to modify the dictionary category. For more information,
  see “To create a dictionary category” on page 304.
Create New
  Select to add a dictionary category. For more information, see “To
  create a dictionary category” on page 304.

To create a dictionary category


1 Go to Profile > Dictionary > Categories.


2 From Select Domain, select the name of a protected domain to which this
dictionary category will be assigned, or select “system” to create a system-wide
dictionary category.
If you have not yet configured a protected domain, the dictionary category will be
assigned to “system” by default. For information on configuring protected
domains, see “Domains” on page 180.
3 Select Create New.

Figure 225: New/Edit dictionary category

4 In Category Name, enter a name for the category.
5 In Description, enter a descriptive note.
6 Select OK.

Languages
The Languages tab enables you to define dictionary languages.
When creating a dictionary, you must select a language to label the dictionary
according to the type of terms that it contains. When creating dictionary group
items, you can select subsets of your dictionaries based upon their assigned
language.
Dictionary languages are labels only, and are not required to be indicative of any
associated encoding or spelling. Additionally, they are not restricted to the names
of locale-specific human languages. For example, a hospital might create a
dictionary language named “Medical” to identify dictionaries that contain medical
jargon. Similarly, you could create a dictionary language named “French” that will
be assigned to French as well as some English dictionaries, which you then use to
scan German email.
To view the list of dictionary languages, go to Profile > Dictionary > Languages.

Figure 226: Dictionary language list (callouts: Delete, Edit)

Lang Name
  The name of the language.
Description
  The description of the language.
Modify
  Select Delete to remove a language. This option does not appear if
  the language is currently selected in a dictionary.
  Select Edit to modify a language. For more information, see “To
  create a dictionary language” on page 306.


Create New
  Select to add a language. For more information, see “To create a
  dictionary language” on page 306.
To create a dictionary language
1 Go to Profile > Dictionary > Languages.
2 Select Create New.

Figure 227: New/Edit dictionary language

3 In Language Name, enter a name to describe the type of language, such as
“Medical” or “English”.
4 In Description, enter a descriptive note.
5 Select OK.

Groups
The Groups tab enables you to create dictionary groups.
While you can individually select which dictionaries to use with each dictionary
profile, you can also combine dictionaries into groups, then select those dictionary
groups within each profile. If you will be creating multiple dictionary profiles that
each use a similar set of dictionaries, creating dictionary groups can simplify
creation of dictionary profiles. For more information about dictionary profiles, see
“Profiles” on page 299.
Dictionary groups indirectly define the set of included dictionaries: each dictionary
group is comprised of dictionary group items, each of which are comprised of a set
of dictionaries.
To view the list of dictionary groups, go to Profile > Dictionary > Groups.

Figure 228: Dictionary group list (callouts: Edit, Delete, New Item)


Create New Select the name of a protected domain from Select Domain, then
select Create New to add a dictionary for that protected domain.
Note: If you have not yet configured a protected domain, new
dictionary groups will by default be assigned to the “system” domain.
For more information on protected domains, see “Domains” on
page 180.
Select Domain Select the name of a protected domain to display dictionary groups
belonging to that protected domain, or select “system” to display
system-wide dictionary groups.
This option is not available if you have not yet configured a protected
domain. For more information on protected domains, see “Domains”
on page 180.
Group Name The name of the dictionary group or dictionary group item.
Domain The entire FortiMail unit (“system”) or the name of the protected domain
to which the dictionary group is assigned.
Which dictionary groups are visible and modifiable by the
administrator varies by whether a FortiMail administrator account is
assigned to specific protected domain. For more information, see
“Administrator account permissions and domains” on page 139.
Description The description of the dictionary group.
Modify Select Edit to modify the dictionary group or dictionary group item.
For more information, see “To create a dictionary group” on
page 307 or step 6 of “To create a dictionary group item” on
page 308.
Select Delete to remove the dictionary group.
Select New Item to add a dictionary group item to the dictionary
group. For more information, see “To create a dictionary group item”
on page 308.

To create a dictionary group

1 Go to Profile > Dictionary > Groups.
2 From Select Domain, select the name of a protected domain.
3 Select Create New.

Figure 229:New Dictionary Group

4 In Group Name, enter the name of the dictionary group.
5 In Description, enter a descriptive note.
6 Select OK.
An empty dictionary group is created.
7 To define the sets of dictionaries that will be included in the dictionary group, add
dictionary group items to the dictionary group. For details, see “To create a
dictionary group item” on page 308.

To create a dictionary group item

Before creating a dictionary group item, if you want to add a Type 2 dictionary
group item, you must first create one or more dictionaries. For more information,
see “Dictionaries” on page 301.
1 Go to Profile > Dictionary > Groups.
2 In the row of the dictionary group to which you want to add dictionary group items,
select the New Item icon.

Figure 230:New Dictionary Group Item

3 In Name, enter the name of the dictionary group item.
4 From Type, select the method that you want to use to define the dictionaries that
are members of the dictionary group item:
• Type 1: Define group item members by automatically including all dictionaries
whose protected domain, category, and language match the values that
you select. Unlike Type 2, members of Type 1 dictionary group items must all
have identical protected domains, categories, and languages.
• Type 2: Define group item members by manually selecting each dictionary.
Unlike Type 1, members of Type 2 dictionary group items are not required to
have any protected domain, category, or language in common.

Note: If a dictionary will be included in many Type 2 dictionary group items, consider
forming separate Type 1 dictionary group items for that dictionary instead. Because Type 2
dictionary group items manually select each member dictionary, you will not be able to
delete the dictionary until you manually deselect it from all Type 2 dictionary group items.

5 Select OK.
An empty dictionary group item is added to the dictionary group.
6 In the row corresponding to the new dictionary group item, select Edit.
A dialog appears whose appearance varies by your previous selection of Type 1
or Type 2. The dialog enables you to define the set of dictionaries that will
comprise this dictionary group item.
7 If the dictionary item is of Type 1, configure the following:

Figure 231:Edit Dictionary Group Item (Type 1)

Select Domain Select the name of a protected domain or “system” to include
dictionaries whose Domain matches this value, or select All to
include dictionaries regardless of their Domain value.
Select Category Select the name of a category to include dictionaries whose
Category matches this value, or select All to include dictionaries
regardless of their Category value.
Available options vary by your selection in Select Domain: the list of
options includes only those categories whose Domain matches your
selection in Select Domain.
Select Language Select the name of a language to include dictionaries whose
Language matches this value, or select All to include dictionaries
regardless of their Language value.

If the dictionary item is of Type 2, configure the following:

Figure 232:Edit Dictionary Group Item (Type 2)

Show Domain Select the name of a protected domain to display in the Available
Dictionaries area those dictionaries whose Domain matches this
value.
Show Category Select the name of a category to display in the Available Dictionaries
area those dictionaries whose Category matches this value, or
select All to display dictionaries regardless of their Category value.
Show Language Select the name of a language to display in the Available Dictionaries
area those dictionaries whose Language matches this value, or
select All to display dictionaries regardless of their Language value.
Available Dictionaries Displays a list of dictionaries matching the criteria that you
have currently selected in Show Domain, Show Category, and Show
Language.
To include one or more dictionaries as members of the dictionary
group item, select one or more dictionaries from the Available
Dictionaries area, then select the right arrow to move them to the
Members area.
You can include additional dictionaries whose Domain, Category, or
Language values differ by selecting those values in Show Domain,
Show Category, and Show Language, then repeating the above
procedure, until all member dictionaries appear in the Members
area.

Members Displays a list of dictionaries that are currently members of the
dictionary group item. This list is sorted into subsets of dictionaries
whose Domain value matches; the Domain value appears in grey
text above each subset. Unlike Type 1 dictionary group items,
members of Type 2 dictionary group items are not required to have
any Domain, Category or Language attribute in common.
To remove one or more dictionaries from the dictionary group item,
in the Members area, select the name of the dictionary, then select
the left arrow.

8 Select OK.

Maintenance
The Maintenance tab enables you to back up, restore, and repair the dictionary
configuration database.
To view the dictionary database error status or perform database maintenance, go
to Profile > Dictionary > Maintenance.

Figure 233:dictionary database maintenance

Database Status Indicates the error status of the dictionary database. For example,
“database ok” indicates that there are currently no database errors
that require repair.
Recovery Database Select to repair most types of database errors.
Backup Select to download a backup copy of the dictionary configuration
database, which includes all dictionaries, dictionary groups,
categories, and languages.
Restore Dictionary Select Browse to locate a dictionary backup file, then select OK to
upload and restore the file.
Caution: Back up the dictionary configuration database before
selecting Restore Dictionary. Restoring the dictionary database will
overwrite any existing dictionary configuration.

To back up the dictionary configuration

1 Go to Profile > Dictionary > Maintenance.
2 Select Backup.
If your web browser prompts you for a location to save the file, select a folder.
A backup copy of the dictionary configuration is downloaded to your management
computer.

To restore a dictionary configuration

Caution: Back up the dictionary configuration database before beginning this procedure.
! Restoring the dictionary database will overwrite any existing dictionary configuration.

1 Go to Profile > Dictionary > Maintenance.
2 Select Browse to locate the dictionary backup file that you want to restore.

3 Select OK.
The FortiMail unit uploads and restores the dictionary backup file, then displays a
success message.
4 Select Return.

To repair the dictionary database

If the Database Status field reports a database error, you can use this procedure
to attempt to repair the error.
1 Go to Profile > Dictionary > Maintenance.
2 Select Recovery Database.
The FortiMail unit attempts to repair the dictionary database configuration, then
displays a success message.
3 Select Return.

LDAP
The LDAP menu enables you to configure LDAP profiles, which can enable your
FortiMail unit to query an LDAP server for authentication, email address
mappings, and more.
The LDAP menu contains the following tabs:
• LDAP Profile

Preparing your LDAP schema for FortiMail LDAP profiles

FortiMail units can be configured to consult an LDAP server for many things that
you might otherwise have to configure locally on the FortiMail unit, such
as user authentication, group membership, mail routing, and other features.
Especially if you have a large number of users and groups already defined in an
LDAP directory, you may find it more convenient to query those existing
definitions than to recreate those same users locally on the
FortiMail unit. To accomplish this, you would configure an LDAP profile, then
select that LDAP profile in other areas of the configuration that should use its
LDAP queries.
LDAP profiles require compatible LDAP server directory schema and contents.
Your LDAP server configuration may already be compatible. However, if your
LDAP server configuration does not contain required information in a schema
acceptable to LDAP profile queries, you may be required to modify either or both
your LDAP profile and LDAP directory schema.

Caution: Verify your LDAP server’s configuration for each query type that you enable and
! configure. For example, if you enable mail routing queries, verify connectivity and that each
user object in the LDAP directory includes the attributes and values required by mail
routing. Failure to verify enabled queries can result in unexpected mail processing
behavior.

Using common schema styles

Your LDAP server schema may require no modification if:

• your LDAP server already contains all information required by the LDAP profile
queries you want to enable
• your LDAP server uses a common schema style, and a matching predefined
LDAP query configuration exists for that schema style
If both of those conditions are true, your LDAP profile configuration may also be
very minimal. Some queries in LDAP profiles contain schema options that
automatically configure the query to match common schema styles such as IBM
Lotus Domino, Microsoft ActiveDirectory (AD), and OpenLDAP. If you will only
enable those queries that have schema options, it may be sufficient to select your
schema style for each query.
For example, your LDAP server might use an OpenLDAP-style schema, where
two types of user object classes exist, but both already have mail and
userPassword attributes. Your FortiMail unit is in gateway mode, and you want
to use LDAP queries to use users’ email addresses to query for authentication. In
this scenario, it may be sufficient to:
1 In the LDAP profile, enter the domain name or IP address of the LDAP server.
2 Configure the LDAP profile queries:
• In User Query Options, select from Schema which OpenLDAP schema your
user objects follow: either InetOrgPerson or InetLocalMailRecipient. Also enter
the Base DN, Bind DN, and Bind Password to authenticate queries by the
FortiMail unit and to specify which part of the directory tree to search.
• In User Auth Options, enable the query with the option to Search User and Try
Bind DN.

Figure 234:Example LDAP profile configuration for user email address and
authentication queries to an OpenLDAP-style directory

3 Configure mail domains and policies to use the LDAP profile to authenticate users
and perform recipient verification.

Using other schema styles

If your LDAP server’s schema is not one of the predefined common schema
styles, or if you want to enable queries that require information that does not
currently exist in your directory, you may need to adapt either or both your LDAP
server and LDAP profile query configuration.

Note: Before modifying your LDAP directory, verify that changes will be compatible with
other applications using the directory. You may prefer to modify the LDAP profile query
and/or add new attributes than to modify existing structures that are used by other
applications, in order to reduce the likelihood of disruption to other applications. For
instructions on modifying schema or setting attribute values, consult the documentation for
your specific LDAP server.

The primary goal when modifying your LDAP directory is to provide, in some way
that can be retrieved by LDAP profile queries, the information required by
FortiMail features which can use LDAP profiles. Depending on the LDAP profile
queries that you enable, you may need to add to your LDAP directory:
• user objects
• user group objects
• email alias objects
Keep in mind that for some schema styles, such as that of Microsoft
ActiveDirectory, user group objects may also play a double role as both user
group objects and email alias objects. For the purpose of FortiMail LDAP queries,
email alias objects can be any object that can be used to expand email aliases
into deliverable email addresses, which are sometimes called distribution lists.
For each of those object types, you may also need to add required attributes in a
syntax compatible with the FortiMail features that use those attributes.
At a minimum, your LDAP directory must have user objects that each contain an
email address attribute, and the value of that email address attribute must use full
email address syntax (e.g. mail: user@example.com). This attribute is
required by User Query Options, a query which is required in every LDAP profile.
Many other aspects of LDAP profiles are flexible enough to query for the required
information in more than one way. It may be sufficient to modify the query strings
and other fields in the LDAP profile to match your individual LDAP directory.
For example, the purpose of the User Query Options is to find the distinguished
name (DN) of user objects by their email addresses, represented by the FortiMail
variable $m. Often user objects can be distinguished by the fact that they are the
only records that contain the attribute-value pair objectClass: User. If the
class of user name objects in your LDAP directory is not objectClass: User
but instead objectClass: inetOrgPerson, you could either modify:
• the LDAP profile’s user query to request user objects as they are denoted on
your particular server, using objectClass=inetOrgPerson; for example,
you might modify the user query from:
(&(objectClass=User)(mail=$m))
to be:
(&(objectClass=inetOrgPerson)(mail=$m))
• the LDAP server’s schema to match the queries’ expected structure, where
user objects are defined by objectClass=User
Alternatively, perhaps there are too many user objects, and you prefer to instead
retrieve only those user objects belonging to a specific group number. In this case,
you might modify the query string from:
(&(objectClass=User)(mail=$m))
to be:
(&(objectClass=User)(gidNumber=102)(mail=$m))
You can use any attribute-value pairs to filter the query result set, as long as they
are common to all objects in your intended result set and absent from the objects
that you want to exclude.

For example, most directories do not contain an antivirus processing switch
attribute for each user. However, FortiMail units can perform antivirus processing,
which can be switched off or on depending on the results from an LDAP query.
The FortiMail unit expects the query to return a value in Boolean syntax (for
example TRUE or FALSE) that indicates whether or not, respectively, to perform
antivirus processing. In this case, you would add to user objects in your LDAP
directory an antivirus attribute whose value is a Boolean value.
The following table indicates expected object types, attribute names, and value
syntax, as well as query results, for each LDAP profile query. Attributes listed
should be present, but their names may vary by schema. Attributes that do not
have a default name require that you configure them in both your LDAP profile
and your LDAP directory’s schema.

Table 15: LDAP directory requirements for each FortiMail LDAP profile query

User Query Options
  Object type:  User object classes such as inetOrgPerson, inetLocalMailRecipient,
                User, dominoPerson.
  Attribute:    mail
  Value:        A user’s email address.
  Query result: Query compares the email address to the value of this attribute to
                find the matching user, and retrieves that user’s distinguished name
                (DN), which is the basis for most other LDAP profile queries.

Group Query Options
  Object type:  (Objects from User Query Options.)
  Attribute:    gidNumber or memberOf
  Value:        Varies by schema. Typically either a group number or the
                distinguished name (DN) of the group.
  Query result: Query retrieves the group name for any user defined by User Query
                Options.

  Object type:  (Objects from User Query Options.)
  Attribute:    mail
  Value:        A user’s email address.
  Query result: Query uses the DN retrieved from groupOwner to retrieve the email
                address of the user specified by that DN.

  Object type:  User group object classes such as group or groupOfNames.
  Attribute:    groupOwner
  Value:        A user object’s DN.
  Query result: Query retrieves the DN of a user object from the group defined in
                gidNumber or memberOf.

User Auth Options
  Object type:  (Objects from User Query Options.)
  Attribute:    userPassword
  Value:        Any.
  Query result: Query verifies user identity by binding with the user password for
                any user defined by User Query Options.

User Alias Options
  Object type:  Email alias object classes such as nisMailAlias, or user objects
                from User Query Options, depending on whether your schema resolves
                email aliases directly or indirectly, respectively. For details, see
                “Base DN” on page 329.
  Attribute:    rfc822MailMember (for alias objects) or mail (for user objects)
  Value:        Either the user name portion of an email address (e.g. user; for
                alias objects), or the entire email address (e.g. user@example.com;
                for user objects).
  Query result: Query expands an alias to one or more user email addresses.
                If the alias is resolved directly, this query retrieves the email
                addresses from the alias object itself. If the alias is resolved
                indirectly, this query first queries the alias object for member
                attributes, then uses the DN of each member in a second query to
                retrieve the email addresses of those user objects. For details,
                see “Base DN” on page 329.

  Object type:  User group object classes such as group or groupOfNames.
                User groups are not inherently associated with email aliases, but
                for some schemas, such as Microsoft ActiveDirectory, group objects
                play the role of email alias objects, and are used to indirectly
                resolve email aliases. For details, see “Base DN” on page 329.
  Attribute:    member
  Value:        A user object’s DN, or the DN of another alias object.
  Query result: Query retrieves the DN of a user object that is a member of the
                group. This attribute is required only if aliases resolve to user
                email addresses indirectly. For details, see “Base DN” on page 329.

Mail Routing Options
  Object type:  (Objects from User Query Options.)
  Attribute:    mailHost
  Value:        A fully qualified domain name (FQDN) or IP address.
  Query result: Query retrieves the fully qualified domain name (FQDN) or IP
                address of the mail server (sometimes also called the mail host)
                that stores email for any user defined by User Query Options.

  Object type:  (Objects from User Query Options.)
  Attribute:    mailRoutingAddress
  Value:        A user’s email address for a user account whose email is
                physically stored on mailHost.
  Query result: Query retrieves the email address for a real account physically
                stored on mailHost for any user defined by User Query Options.

AS/AV On/Off Options
  Object type:  (Objects from User Query Options.)
  Attribute:    No default attribute name.
  Value:        Varies by schema. May be TRUE (on) or FALSE (off); YES (on) or
                NO (off); or 1 or any non-zero value (on), or 0 (off).
  Query result: Query retrieves whether or not to perform antivirus processing for
                any user defined by User Query Options.

  Object type:  (Objects from User Query Options.)
  Attribute:    No default attribute name.
  Value:        Varies by schema. May be TRUE (on) or FALSE (off); YES (on) or
                NO (off); or 1 or any non-zero value (on), or 0 (off).
  Query result: Query retrieves whether or not to perform antispam processing for
                any user defined by User Query Options.

Address Mapping Options
  Object type:  (Objects from User Query Options.)
  Attribute:    No default attribute name.
  Value:        A user’s internal email address.
  Query result: Query retrieves the user’s internal email address.

  Object type:  (Objects from User Query Options.)
  Attribute:    No default attribute name.
  Value:        A user’s external email address.
  Query result: Query retrieves the user’s external email address.

Webmail Password Options
  Object type:  (Objects from User Query Options.)
  Attribute:    userPassword
  Value:        Any.
  Query result: Query, upon successful bind using the existing password, changes
                the password for any user defined by User Query Options.
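The caution at the start of this section asks you to verify, for each query you enable, that every user object carries the attributes the query needs. The following Python is an added example, not FortiMail code: it encodes the per-query requirements from Table 15 as a check over an LDIF export of the user subtree. The attribute names are the table’s defaults, except fmlAntivirus and fmlAntispam, which are assumed names for the AS/AV switch attributes because the guide defines no default; the LDIF entries are constructed for the example.

```python
"""Check exported user entries for the attributes FortiMail LDAP profile queries need.

Added example, not FortiMail code. The requirements mirror Table 15: the
attribute names are the table's defaults, except fmlAntivirus / fmlAntispam,
which are assumed names for the AS/AV switches (the guide defines no default).
Input is a constructed LDIF fragment; nothing is read from a live directory.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Entry = Dict[str, List[str]]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")            # full address syntax
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$|^\d{1,3}(?:\.\d{1,3}){3}$", re.I)
USER_CLASSES = {"inetorgperson", "inetlocalmailrecipient", "user", "dominoperson"}


def parse_ldif(text: str) -> List[Entry]:
    """Parse minimal LDIF ('attr: value' lines, entries separated by blank lines).

    Attribute names are lower-cased because LDAP treats them case-insensitively.
    Base64 (':: ') values and folded continuation lines are not handled.
    """
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def as_switch(value: str) -> Optional[bool]:
    """Interpret an AS/AV on/off value: TRUE/FALSE, YES/NO, or non-zero/0."""
    v = value.strip().upper()
    if v in ("TRUE", "YES"):
        return True
    if v in ("FALSE", "NO"):
        return False
    if re.fullmatch(r"-?\d+", v):
        return int(v) != 0
    return None                         # not a form the guide lists


# query name -> [(acceptable attribute names, value check)]
REQUIREMENTS: Dict[str, List[Tuple[Tuple[str, ...], Callable[[str], bool]]]] = {
    "user":    [(("mail",), lambda v: bool(EMAIL_RE.match(v)))],
    "auth":    [(("userpassword",), lambda v: v != "")],
    "group":   [(("gidnumber", "memberof"), lambda v: v != "")],
    "routing": [(("mailhost",), lambda v: bool(HOST_RE.match(v))),
                (("mailroutingaddress",), lambda v: bool(EMAIL_RE.match(v)))],
    "asav":    [(("fmlantivirus",), lambda v: as_switch(v) is not None),   # assumed name
                (("fmlantispam",), lambda v: as_switch(v) is not None)],   # assumed name
}


def check_entries(entries: Iterable[Entry], enabled: Iterable[str]) -> List[str]:
    """Return one problem line per user entry and unmet requirement (empty = all good)."""
    problems: List[str] = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes & USER_CLASSES:
            continue                    # not a user object; group checks are out of scope
        dn = entry.get("dn", ["<no dn>"])[0]
        for query in enabled:
            for names, ok in REQUIREMENTS[query]:
                present = [n for n in names if n in entry]
                if not present:
                    problems.append(f"{dn}: {query} query needs {' or '.join(names)}")
                for n in present:
                    problems.extend(f"{dn}: {query} query rejects {n}={v!r}"
                                    for v in entry[n] if not ok(v))
    return problems


# Constructed sample export, not from a real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
mail: alice@example.com
userPassword: {SSHA}placeholder
gidNumber: 102
mailHost: mail1.example.com
mailRoutingAddress: alice@mail1.example.com
fmlAntivirus: TRUE
fmlAntispam: 1

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
mail: bob
userPassword: {SSHA}placeholder
fmlAntivirus: maybe

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=People,dc=example,dc=com
"""

if __name__ == "__main__":
    for problem in check_entries(parse_ldif(SAMPLE_LDIF), REQUIREMENTS):
        print(problem)
```

Run it against an ldapsearch export of your Base DN before enabling a query; each line it prints is a user that the corresponding query would not handle as Table 15 describes (here, bob’s bare user name in mail fails the full-address requirement of User Query Options, and his antivirus switch value is one the unit cannot interpret).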

Each LDAP profile query filter string may indicate expected value syntax by the
FortiMail variables used in the query filter string.
• $m: the query filter expects the attribute’s value to be a full email address
• $u: the query filter expects the attribute’s value to be a user name
• $b: the query filter expects the attribute’s value to be a bind DN
The following example illustrates a matching LDAP directory and LDAP profile.
Labels indicate the part of the LDAP profile that is configured to match the
directory schema.

Figure 235:Example compatible LDAP directory and LDAP profile

LDAP Profile
The LDAP Profile tab displays the list of LDAP profiles.
LDAP profiles each contain one or more queries that retrieve specific
configuration data, such as user groups, from an LDAP server. The LDAP profile
list displays which queries you have enabled in each LDAP profile.
To view the list of LDAP profiles, go to Profile > LDAP > LDAP Profile.

Caution: Before using an LDAP profile, verify each LDAP query and connectivity with your
! LDAP server. When LDAP queries do not match with the server’s schema and/or contents,
unintended mail processing behaviors can result. For details on preparing an LDAP
directory for use with FortiMail LDAP profiles, see “Preparing your LDAP schema for
FortiMail LDAP profiles” on page 311.

Figure 236:LDAP profile list

Profile The name of the profile.
Server Name/IP The domain name or IP address of the LDAP server.
Port The listening port of the LDAP server.
User Indicates that User Query Options is enabled.
User Query Options are required for each LDAP profile, and
therefore cannot be disabled.
Group Indicates whether or not Group Query Options is enabled.
Auth Indicates whether or not User Auth Options is enabled.
Alias Indicates whether or not User Alias Options is enabled.
Routing Indicates whether or not Mail Routing Options is enabled.
AS/AV Indicates whether or not AS/AV On/Off Options is enabled.
Address Map Indicates whether or not Address Mapping Options is enabled.
Webmail Pwd Indicates whether or not Webmail Password Options is enabled in
(server mode only) this profile.

Cache Indicates whether or not query result caching is enabled.
Modify Select the Edit icon to modify the LDAP profile. For more
information, see “Creating LDAP profiles” on page 321.
Select the Delete icon to remove the LDAP profile. The Delete icon
does not appear if the profile is selected in a policy.
Create New Select to add an LDAP profile. For more information, see “Creating
LDAP profiles” on page 321.

Creating LDAP profiles

You can add an LDAP profile to define a set of queries that the FortiMail unit can
use with an LDAP server. You might create more than one LDAP profile if, for
example, you have more than one LDAP server, or you want to configure multiple,
separate query sets for the same LDAP server.
After you have created an LDAP profile, LDAP profile options will appear in other
areas of the FortiMail unit’s configuration. These options enable you to select the
LDAP profile where you might otherwise create a reference to a configuration item
stored locally on the FortiMail unit itself. These other configuration areas will only
allow you to select applicable LDAP profiles — that is, those LDAP profiles in
which you have enabled the query required by that feature. For example, if a
feature requires a definition of user groups, you will only be able to select from
those LDAP profiles where Group Query Options are enabled.

To create an LDAP profile

1 Go to Profile > LDAP > LDAP Profile.
2 Select Create New.

Figure 237:New LDAP Profile

3 Configure the following:

Profile Name Enter the name of the LDAP profile.
This field is read-only if you are editing an existing LDAP
profile.
Server Name/IP Enter the fully qualified domain name (FQDN) or IP
address of the LDAP server.
Port Enter the port number where the LDAP server listens.
The default port number varies by your selection in Use
secure connection: port 389 is typically used for non-
secure connections, and port 636 is typically used for SSL-
secured (LDAPS) connections.
Fallback Server Name/IP Optional. Enter the fully qualified domain name (FQDN) or
IP address of an alternate LDAP server that the FortiMail
unit can query if the primary LDAP server is unreachable.
Port Enter the port number where the fallback LDAP server
listens.
The default port number varies by your selection in Use
secure connection: port 389 is typically used for non-
secure connections, and port 636 is typically used for SSL-
secured (LDAPS) connections.
Use secure connection Select whether or not to connect to the LDAP server(s)
using an encrypted connection.
• none: Use a non-secure connection. The Bind Password,
and the user passwords that User Auth Options and
Webmail Password Options bind with, cross the network
in clear text.
• ssl: Use an SSL-secured (LDAPS) connection.
If your FortiMail unit is deployed in server mode, and you
want to configure Webmail Password Options using an
LDAP server that uses a Microsoft ActiveDirectory-style
schema, you must select “ssl”. ActiveDirectory servers
require a secure connection for queries that change user
passwords.

4 Select the blue arrow to expand User Query Options, and configure the query to
retrieve the distinguished names (DN) of user objects by their email addresses.
For more information on recipient address verification by LDAP query, see “Verify
Recipient Address” on page 187. For more information on automatically removing
quarantine mailboxes for recipients that do not currently exist in the protected
domain, see “Automatic Removal of Invalid Quarantine Accounts” on page 189.

Figure 238:User Query Options

Schema If your LDAP directory’s user objects use a common
schema style:
• InetOrgPerson
• InetLocalMailRecipient
• MS Active Directory
• Lotus Domino
select the schema style. This automatically configures
many other LDAP profile options to match that schema
style.
If your LDAP server uses any other schema style, select
User Defined, then manually configure other query fields.
Base DN Enter the distinguished name (DN) of the part of the LDAP
directory tree within which the FortiMail will search for user
objects, such as ou=People,dc=example,dc=com.
User objects should be child nodes of this location.
Bind DN Enter the bind DN, such as
cn=FortiMailA,dc=example,dc=com, of an LDAP
user account with permissions to query the Base DN. Use
an account whose permissions are limited to reading the
attributes that the enabled queries require.
This field may be optional if your LDAP server does not
require the FortiMail unit to authenticate when performing
queries, and if you have enabled Allow unauthenticated
ldap bind. For details, see “Allow unauthenticated ldap
bind” on page 334.
Bind Password Enter the password of the Bind DN.
Browse Select Browse the LDAP directory from the location that
you specified in Base DN, or, if you have not yet entered a
Base DN, beginning from the root of the LDAP directory
tree.
Browsing the LDAP tree can be useful if you need to locate
your Base DN, or need to look up attribute names. For
example, if the Base DN is unknown, browsing can help
you to locate it.
Before using Browse, first configure Server Name/IP, Port,
Use secure connection, Bind DN, Bind Password, and
Protocol Version, then select Apply or OK. These fields
provide minimum information required to establish the
directory browsing connection.

LDAP Query to Find User Enter an LDAP query filter that selects the set of user objects
in the LDAP directory.
The query filter string filters the result set, and should be
based upon attributes that are common to all user objects
but that also exclude non-user objects.
For example, if user objects in your directory have two
distinguishing characteristics, their objectClass and
mail attributes, the query filter might be:
(&(objectClass=inetOrgPerson)(mail=$m))
where $m is the FortiMail variable for a user’s email
address.
If the email address ($m) as it appears in the message
header is different from the user’s email address as it
appears in the LDAP directory, such as when you have
enabled recipient tagging, a query for the user by the email
address ($m) may fail. In this case, you can modify the
query filter to subtract prepended or appended text from
the user name portion of the email address before
performing the LDAP query. For example, to subtract
“-spam” from the end of the user name portion of the
recipient email address, you could use the query filter:
(&(objectClass=inetOrgPerson)(mail=$m${-spam}))
where ${-spam} is the FortiMail variable for the tag to
remove before performing the query. Similarly, to subtract
“spam-” from the beginning of the user name portion of the
recipient email address, you could use the query filter:
(&(objectClass=inetOrgPerson)(mail=$m${^spam-}))
where ${^spam-} is the FortiMail variable for the tag to
remove before performing the query.
For some schemas, such as Microsoft ActiveDirectory-style
schemas, this query will retrieve both the user’s
primary email address and the user’s alias email
addresses. If your schema style is different, you may want
to also configure User Alias Options to resolve aliases. For
details, see step 7.
This option is preconfigured and read-only if you have
selected from Schema any schema style other than User
Defined.
For details on query syntax, refer to any standard LDAP
query filter reference manual.
Scope: Select which level of depth to query, starting from
Base DN.
• One level: Query only the one level directly below the
Base DN in the LDAP directory tree.
• Subtree: Query recursively all levels below the
Base DN in the LDAP directory tree.
Derefer: Select the method to use, if any, when dereferencing
attributes whose values are references.
• Never: Do not dereference.
• Always: Always dereference.
• Search: Dereference only when searching.
• Find: Dereference only when finding the base search
object.

FortiMail™ Secure Messaging Platform Version 3.0 MR4 Administration Guide


324 06-30004-0154-20080904
Profile LDAP

5 If you want to define a group membership query, enable Group Query Options,
select the blue arrow to expand its options, and configure the query.
For more information on determining user group membership by LDAP query, see
“Incoming policies” on page 357 or “Creating IP-based policies (server mode)” on
page 361.

Figure 239: Group Query Options

Use LDAP Tree Node as Group: Select to use objects within the
Base DN of User Query Options as if they were members of a
user group object.
For example, your LDAP directory might not contain user
group objects. In that sense, groups do not really exist in
the LDAP directory. However, you could mimic a group’s
presence by enabling this option to treat all users that are
child objects of the Base DN in User Query Options as if
they were members of such a group.
Member Of Group Attribute: Enter the name of the attribute,
such as memberOf or gidNumber, whose value is the group
number or DN of a group to which the user belongs.
This attribute must be present in user objects.
Whether the value must use common name, group number, or
DN syntax varies by your LDAP server schema. For example,
if your user objects use both inetOrgPerson and
posixAccount schema, user objects have the attribute
gidNumber, whose value must be an integer that is the
group ID number, such as 10000.
Use Group Name with Base DN as Group DN: Enable to specify
the base distinguished name (DN) portion of the group’s
full distinguished name (DN) in the LDAP profile. By
specifying the group’s base DN and the name of its group
name attribute in the LDAP profile, you will only need to
supply the group name value when configuring each feature
that uses this query.
For example, you might find it more convenient in each
recipient-based policy to type only the group name,
admins, rather than typing the full DN,
cn=admins,ou=Groups,dc=example,dc=com. In this
case, you could enable this option, then configure Group
Base DN (ou=Groups,dc=example,dc=com) and
Group Name Attribute (cn). When performing the query,
the FortiMail unit would assemble the full DN by inserting
the common name that you configured in the
recipient-based policy between the Group Name Attribute
and the Group Base DN configured in the LDAP profile.
Note: Enabling this option is appropriate only if your LDAP
server’s schema specifies that the group membership
attribute’s value must use DN syntax. It is not appropriate
if this value uses another type of syntax, such as a
number or common name.
For example, if your user objects use both
inetOrgPerson and posixAccount schema, user
objects have the attribute gidNumber, whose value must
be an integer that is the group ID number, such as 10000.
Because a group ID number does not use DN syntax, you
would not enable this option.
Group Base DN: Enter the base DN portion of the group’s full
DN, such as ou=Groups,dc=example,dc=com.
This option is available only if Use Group Name with Base
DN as Group DN is enabled.
Group Name Attribute: Enter the name of the attribute, such
as cn, whose value is the group name of a group to which
the user belongs.
This option is available only if Use Group Name with Base
DN as Group DN is enabled.
Look up Group Owner: Enable to query the group object by its
distinguished name (DN) to retrieve the DN of the group
owner, which is a user that will receive that group’s spam
reports. Using that user’s DN, the FortiMail unit will then
perform a second query to retrieve that user’s email
address, where the spam report will be sent.
For more information on sending spam reports to the group
owner, see “Spam Report Setting” on page 192 and
“Recipients” on page 366.
Group Owner Attribute: Enter the name of the attribute, such
as groupOwner, whose value is the distinguished name of a
user object. You can configure the FortiMail unit to allow
that user to be responsible for handling the group’s spam
report.
If Look up Group Owner is enabled, this attribute must be
present in group objects.
Group Owner Address Attribute: Enter the name of the
attribute, such as mail, whose value is the group owner’s
email address.
If Look up Group Owner is enabled, this attribute must be
present in user objects.

6 If you want to define a user authentication query, enable User Auth Options, select
the blue arrow to expand its options, and configure the query.
For more information on authenticating users by LDAP query, see “Incoming
policies” on page 357.

Figure 240: User Auth Options

Try UPN or Mail Address as Bind DN: Select to form the user’s
bind DN by prepending the user name portion of the email
address ($u) to the User Principal Name (UPN, such as
example.com).
By default, the FortiMail unit will use the mail domain as
the UPN. If you want to use a UPN other than the mail
domain, enter that UPN in Alternative UPN Suffix. This can
be useful if users authenticate with a domain other than
the mail server’s principal domain name.
Try Common Name with Base DN as Bind DN: Select to form the
user’s bind DN by prepending a common name to the base DN.
Also enter the name of the user objects’ common name
attribute, such as cn or uid.
This option is preconfigured and read-only if, in User Query
Options, you have selected from Schema any schema style
other than User Defined.
Search User and Try Bind DN: Select to form the user’s bind
DN by using the DN retrieved for that user by User Query
Options.
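The Python below is an added example, not code from this guide or from Fortinet, of three things described above: the DN assembly that Use Group Name with Base DN as Group DN performs (group name inserted between the Group Name Attribute and the Group Base DN), the two-step Look up Group Owner lookup (group object to owner DN, owner object to email address), and the three bind identities that User Auth Options can form. It works against a few constructed entries keyed by DN instead of a directory server; ENTRIES, the function names, and the RFC 4514 escaping of the inserted name are assumptions, and a real directory would answer through a search rather than a dictionary lookup.

```python
from typing import Dict, List, Optional

# Constructed sample entries keyed by DN (a stand-in for the LDAP server, not a real directory).
ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "mail": ["alice@example.com"], "gidNumber": ["10000"],
        "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"]},
    "uid=postmaster,ou=People,dc=example,dc=com": {"mail": ["postmaster@example.com"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "cn": ["admins"], "groupOwner": ["uid=postmaster,ou=People,dc=example,dc=com"]},
}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514), so a name typed in a policy
    or the user-name part of an address cannot add RDNs to the DN being assembled."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in '"+,;<>\\' or (ch == "#" and i == 0) or edge_space:
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def normalize_dn(dn: str) -> str:
    """Case-fold and trim each RDN so two spellings of one DN compare equal
    (escaped commas are not handled; sufficient for the constructed entries above)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def group_dn(group_name: str, name_attr: str = "cn",
             group_base_dn: str = "ou=Groups,dc=example,dc=com") -> str:
    """Assemble the full group DN from the name typed in a policy plus the profile's
    Group Name Attribute and Group Base DN (Use Group Name with Base DN as Group DN)."""
    return f"{name_attr}={escape_dn_value(group_name)},{group_base_dn}"


def is_member(user_dn: str, group_value: str, member_attr: str = "memberOf") -> bool:
    """Compare the policy's group value with the user's Member Of Group Attribute. DN-syntax
    values are compared normalized; other syntaxes (gidNumber, common name) as plain strings."""
    values = ENTRIES.get(user_dn, {}).get(member_attr, [])
    if "=" in group_value:
        return any(normalize_dn(v) == normalize_dn(group_value) for v in values)
    return group_value in values


def group_owner_address(group: str, owner_attr: str = "groupOwner",
                        address_attr: str = "mail") -> Optional[str]:
    """Look up Group Owner: group object -> owner DN (query 1), owner object -> address (query 2)."""
    owner_dns = ENTRIES.get(group, {}).get(owner_attr, [])
    if not owner_dns:
        return None
    addresses = ENTRIES.get(owner_dns[0], {}).get(address_attr, [])
    return addresses[0] if addresses else None


def bind_dn_candidates(address: str, base_dn: str, cn_attr: str = "cn",
                       upn_suffix: Optional[str] = None) -> List[str]:
    """The three bind identities User Auth Options can form, in the order the options appear:
    UPN ($u@suffix), common name with base DN, and the DN found by User Query Options."""
    user, _, domain = address.partition("@")
    found = [dn for dn, attrs in ENTRIES.items() if address in attrs.get("mail", [])]
    return [f"{user}@{upn_suffix or domain}",
            f"{cn_attr}={escape_dn_value(user)},{base_dn}",
            *found]
```

The membership comparison is where the note above about DN syntax matters: a gidNumber value such as 10000 is matched as a plain string and must not be wrapped in a DN, while a memberOf value is compared as a DN so that differences in case and spacing between the directory and the policy do not cause a false mismatch.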

7 If you want to define a user alias query, enable User Alias Options, select the blue
arrow to expand its options, and configure the query.
Resolving aliases to real email addresses enables the FortiMail unit to send a
single spam report and maintain a single quarantine mailbox at each user’s
primary email account, rather than sending separate spam reports and
maintaining separate quarantine mailboxes for each alias email address. For
FortiMail units operating in server mode, this means that users need only log in to
their primary account in order to manage their spam quarantine, rather than
logging in to each alias account individually.
For more information on resolving email aliases by LDAP query, see “LDAP User
Alias / Address Mapping profile” on page 189.

Figure 241: User Alias Options

Schema: If your LDAP directory’s user alias objects use a
common schema style:
• NisMailAlias
• MS Active Directory
• Lotus Domino
select the schema style. This automatically configures
many other LDAP profile options to match that schema
style.
If your LDAP server uses any other schema style, select
User Defined, then manually configure other query fields.
Base DN: Enter the distinguished name (DN) of the part of the
LDAP directory tree within which the FortiMail unit will
search for either alias or user objects.
User or alias objects should be child nodes of this location.
Whether you should specify the base DN of either user
objects or alias objects varies by your LDAP schema style.
Schema may resolve alias email addresses directly or
indirectly (using references).
• Direct resolution: Alias objects directly contain one or
more email address attributes, such as mail or
rfc822MailMember, whose values are user email
addresses such as user@example.com, and that
resolves the alias. The Base DN, such as
ou=Aliases,dc=example,dc=com, should contain
alias objects.
• Indirect resolution: Alias objects do not directly
contain an email address attribute that can resolve the
alias; instead, in the style of LDAP group-like objects,
the alias objects contain only references to user objects
that are “members” of the alias “group.” User objects’
email address attribute values, such as
user@example.com, actually resolve the alias. Alias
objects refer to user objects by possessing one or more
“member” attributes whose value is the DN of a user
object, such as
uid=user,ou=People,dc=example,dc=com. The
FortiMail unit performs a first query to retrieve the
distinguished names of “member” user objects, then
performs a second query using those distinguished
names to retrieve email addresses from each user
object. The Base DN, such as
ou=People,dc=example,dc=com, should contain
user objects.
Bind DN: Enter the bind DN, such as
cn=FortiMailA,dc=example,dc=com, of an LDAP
user account with permissions to query the Base DN.
This field may be optional if your LDAP server does not
require the FortiMail unit to authenticate when performing
queries, and if you have enabled Allow unauthenticated
ldap bind. For details, see “Allow unauthenticated ldap
bind” on page 334.
Bind Password: Enter the password of the Bind DN.
Alias Member Attribute: Enter the name of the attribute, such
as mail or rfc822MailMember, whose value is an email
address to which the email alias resolves, such as
user@example.com.
This attribute must be present in either alias or user
objects, as determined by your schema and whether it
resolves aliases directly or indirectly. For more information,
see “Base DN” on page 329.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined.
Alias Member Query String: Enter an LDAP query filter that
selects a set of either user or email alias objects,
whichever object class contains the attribute you
configured in Alias Member Attribute, from the LDAP
directory.
The query filter string filters the result set, and should be
based upon any attributes that are common to all user/alias
objects but also exclude non-user/alias objects.
For example, if user objects in your directory have two
distinguishing characteristics, their objectClass and
mail attributes, the query filter might be:
(& (objectClass=alias) (mail=$m))
where $m is the FortiMail variable for a user's email
address.
If the email address ($m) as it appears in the message
header is different from the alias email address as it
appears in the LDAP directory, such as when you have
enabled recipient tagging, a query for the alias by the email
address ($m) may fail. In this case, you can modify the
query filter to subtract prepended or appended text from
the user name portion of the email address before
performing the LDAP query. For example, to subtract “-spam”
from the end of the user name portion of the recipient
email address, you could use the query filter:
(& (objectClass=alias) (mail=$m${-spam}))
where ${-spam} is the FortiMail variable for the tag to
remove before performing the query. Similarly, to subtract
“spam-” from the beginning of the user name portion of the
recipient email address, you could use the query filter:
(& (objectClass=alias) (mail=$m${^spam-}))
where ${^spam-} is the FortiMail variable for the tag to
remove before performing the query.
Whether you should configure this query filter to retrieve
user or alias objects depends on whether your schema
resolves email addresses directly or indirectly (using
references). For more information on direct vs. indirect
alias resolution, see “Base DN” on page 329.
If alias objects in your schema provide direct resolution,
configure this query string to retrieve alias objects.
Depending on your schema style, you may be able to do
this either using the user name portion of the alias email
address ($u), or the entire email address ($m). For
example, for the email aliases finance@example.com
and admin@example.com, if your LDAP directory
contains alias objects distinguished by cn: finance and
cn: admin, respectively, this query string could be
cn=$u.
If alias objects in your schema provide indirect resolution,
configure this query string to retrieve user objects by their
distinguished name, such as distinguishedName=$b or
dn=$b. Also enable User Group Expansion In Advance,
then configure Group Member Query String to retrieve
email address alias objects, and configure Group Member
Attribute to be the name of the alias object attribute, such
as member, whose value is the distinguished name of a
user object.
For more information on required object types and their
attributes, see “Preparing your LDAP schema for FortiMail
LDAP profiles” on page 311.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined.
For details on query syntax, refer to any standard LDAP
query filter reference manual.
User Group Expansion In Advance: Enable if your LDAP schema
resolves email aliases indirectly. For more information on
direct vs. indirect resolution, see “Base DN” on page 329.
When this option is disabled, alias resolution occurs using
one query. The FortiMail unit queries the LDAP directory
using the Base DN and the Alias Member Query String,
and then uses the value of each Alias Member Attribute to
resolve the alias.
When this option is enabled, alias resolution occurs using
two queries:
1 The FortiMail unit first performs a preliminary query
using the Base DN and Group Member Query String, and
uses the value of each Group Member Attribute as the
base DN for the second query.
2 The FortiMail unit performs a second query using the
distinguished names from the preliminary query (instead of
the Base DN) and the Alias Member Query String, and then
uses the value of each Alias Member Attribute to resolve
the alias.
The two-query approach is appropriate if, in your schema,
alias objects are structured like group objects and contain
references in the form of distinguished names of member
user objects, rather than directly containing email
addresses to which the alias resolves. In this case, the
FortiMail unit must first “expand” the alias object into its
constituent user objects before it can resolve the alias
email address.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined.
Group Member Attribute: Enter the name of the attribute, such
as member, whose value is the DN of a user object.
This attribute must be present in alias objects only if they
do not contain an email address attribute specified in Alias
Member Attribute.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined. If you have selected User
Defined, this option is available only if User Group
Expansion In Advance is enabled.
Group Member Query String: Enter an LDAP query filter that
selects a set of alias objects, represented as a group of
member objects in the LDAP directory.
The query filter string filters the result set, and should be
based upon any attributes that are common to all alias
objects but also exclude non-alias objects.
For example, if alias objects in your directory have two
distinguishing characteristics, their objectClass and
proxyAddresses attributes, the query filter might be:
(&(objectClass=group)(proxyAddresses=smtp:$m))
where $m is the FortiMail variable for an email address.
This option is preconfigured and read-only if, in User Alias
Options, you have selected from Schema any schema style
other than User Defined. If you have selected User
Defined, this option is available only if User Group
Expansion In Advance is enabled.
For details on query syntax, refer to any standard LDAP
query filter reference manual.
Scope: Select which level of depth to query, starting from
Base DN.
• One level: Query only the one level directly below the
Base DN in the LDAP directory tree.
• Subtree: Query recursively all levels below the
Base DN in the LDAP directory tree.
Derefer: Select the method to use, if any, when dereferencing
attributes whose values are references.
• Never: Do not dereference.
• Always: Always dereference.
• Search: Dereference only when searching.
• Find: Dereference only when finding the base search
object.
Max alias expansion level: Enter the maximum number of
nesting levels of aliases that the FortiMail unit will expand.
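The following Python program is an added example, not code from this guide or from Fortinet, that models two things described in this step and in User Query Options above: how a query filter such as (& (objectClass=alias) (mail=$m${-spam})) is expanded from the recipient address, and how alias resolution proceeds with one query (direct schemas) or with the two queries that User Group Expansion In Advance describes, bounded by Max alias expansion level. It runs against a small constructed in-memory directory rather than an LDAP server; DIRECTORY, the function names, the RFC 4515 escaping of the substituted address, and the exact order in which the $m, $u and $b variables and the ${...} tag directives are processed are assumptions about behaviour the guide does not spell out.

```python
import re
from typing import Dict, List

# Constructed in-memory directory standing in for the LDAP server: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "mail": ["alice@example.com"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "mail": ["bob@example.com"]},
    # Direct resolution: the alias object itself carries the address it resolves to.
    "cn=sales,ou=Aliases,dc=example,dc=com": {
        "objectClass": ["nisMailAlias"], "cn": ["sales"],
        "rfc822MailMember": ["alice@example.com"]},
    # Indirect resolution: group-like alias objects hold only member DNs (one alias is nested).
    "cn=finance,ou=Aliases,dc=example,dc=com": {
        "objectClass": ["group"], "proxyAddresses": ["smtp:finance@example.com"],
        "member": ["uid=alice,ou=People,dc=example,dc=com",
                   "cn=nested,ou=Aliases,dc=example,dc=com"]},
    "cn=nested,ou=Aliases,dc=example,dc=com": {
        "objectClass": ["group"], "proxyAddresses": ["smtp:nested@example.com"],
        "member": ["uid=bob,ou=People,dc=example,dc=com"]},
}

# RFC 4515 escaping (assumed here): an address taken from a message header must not be
# able to change the structure of the filter it is substituted into.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_TAG_RE = re.compile(r"\$\{([^}]*)\}")                         # ${-spam} / ${^spam-} directives
_ASSERTION_RE = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")  # (attr=value) assertions


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_tag(address: str, tag: str) -> str:
    """Remove a recipient tag from the user-name part: '-spam' from its end, '^spam-' from its start."""
    local, sep, domain = address.partition("@")
    if tag.startswith("^"):
        if local.startswith(tag[1:]):
            local = local[len(tag) - 1:]
    elif tag and local.endswith(tag):
        local = local[:-len(tag)]
    return local + sep + domain


def expand_filter(template: str, address: str, base_dn: str = "") -> str:
    """Apply the ${...} tag directives, then substitute $m (address), $u (user-name part), $b (base DN)."""
    for tag in _TAG_RE.findall(template):
        address = strip_tag(address, tag)
    template = _TAG_RE.sub("", template)
    values = {"$m": address, "$u": address.partition("@")[0], "$b": base_dn}
    return re.sub(r"\$[mub]", lambda m: escape_filter_value(values[m.group()]), template)


def search(base_dn: str, filter_str: str, subtree: bool = True) -> List[str]:
    """AND-only equality search over DIRECTORY (a stand-in for the server's search operation).
    The base object itself is included so a DN returned by one query can be the Base DN of the next."""
    def unescape(v: str) -> str:
        return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)
    wanted = [(a, unescape(v).lower()) for a, v in _ASSERTION_RE.findall(filter_str)]
    hits = []
    for dn, attrs in DIRECTORY.items():
        child = dn.endswith("," + base_dn)
        one_level = child and dn.count(",") == base_dn.count(",") + 1
        if not (dn == base_dn or one_level or (subtree and child)):
            continue
        view = {"dn": [dn], "distinguishedName": [dn], **attrs}
        if all(v in (x.lower() for x in view.get(a, [])) for a, v in wanted):
            hits.append(dn)
    return hits


def resolve_alias(address: str, base_dn: str, member_query: str, member_attr: str,
                  expand_in_advance: bool = False, group_query: str = "",
                  group_member_attr: str = "member", max_level: int = 3) -> List[str]:
    """Resolve one alias address the way the User Alias Options describe: one query for a
    direct schema, or (User Group Expansion In Advance) a preliminary query for the alias
    object followed by a second query with each member DN as the Base DN."""
    if not expand_in_advance:
        hits = search(base_dn, expand_filter(member_query, address, base_dn))
        return sorted({m for dn in hits for m in DIRECTORY[dn].get(member_attr, [])})
    resolved = set()
    pending = search(base_dn, expand_filter(group_query, address, base_dn))
    for _ in range(max_level):  # Max alias expansion level bounds how deep nesting is followed
        next_pending = []
        for alias_dn in pending:
            for member_dn in DIRECTORY[alias_dn].get(group_member_attr, []):
                for hit in search(member_dn, expand_filter(member_query, address, member_dn)):
                    if DIRECTORY[hit].get(member_attr):           # user object: resolves the alias
                        resolved.update(DIRECTORY[hit][member_attr])
                    elif DIRECTORY[hit].get(group_member_attr):   # nested alias object: expand it
                        next_pending.append(hit)
        if not next_pending:
            break
        pending = next_pending
    return sorted(resolved)
```

The escaping step is the point to keep in mind when writing a User Defined filter: the recipient address is taken from the message, so if it were substituted verbatim, an address containing filter metacharacters could change which entries the query matches; with escaping, such an address simply matches nothing. The indirect path shows why Max alias expansion level exists: with the constructed directory, finance@example.com resolves to both users at level 2 but only to alice at level 1, because bob is reached through the nested alias.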

8 If you want to define a mail routing query, enable Mail Routing Options, select the
blue arrow to expand its options, and configure the query.

Note: The Mail Routing Options query occurs after recipient tagging processing. If you
have enabled recipient tagging, the Mail Routing Options query will then be based on the
tagged recipient address. If the tagged email address does not exist for the user in the
LDAP directory, you may prefer to transform the recipient address by using the User Alias
Options query.

For more information on routing email by LDAP query, see “Mail Routing” on
page 189.

Figure 242: Mail Routing Options

Mail Host Attribute: Enter the name of the attribute, such as
mailHost, whose value is the fully qualified domain name
(FQDN) or IP address of the email server that stores email
for the user’s email account.
This attribute must be present in user objects.
Mail Routing Address Attribute: Enter the name of the
attribute, such as mailRoutingAddress, whose value is the
email address of a deliverable user on the email server,
also known as the mail host.
For example, a user may have many aliases and external
email addresses that are not necessarily known to the
email server. These addresses would all map to a real
email account (mail routing address) on the email server
(mail host) where the user’s email is actually stored.
A user’s recipient email address located in the envelope or
header portion of each email will be rewritten to this
address.
This attribute must be present in user objects.

9 If you want to define an antispam and antivirus processing option query, enable
AS/AV On/Off Options, select the blue arrow to expand its options, and configure
the query.

Note: If the AS/AV On/Off Options query fails, the FortiMail unit will instead use the
antispam and antivirus processing settings defined in the profile for that policy.

Figure 243: AS/AV On/Off Options

AntiSpam On/Off Attribute: Enter the name of the attribute,
such as antispam, whose value indicates whether or not to
perform antispam processing for that user. Multiple value
syntaxes are permissible. For details, see “LDAP directory
requirements for each FortiMail LDAP profile query” on
page 315.
This attribute must be present in user objects.
AntiVirus On/Off Attribute: Enter the name of the attribute,
such as antivirus, whose value indicates whether or not to
perform antivirus processing for that user. Multiple value
syntaxes are permissible. For details, see “LDAP directory
requirements for each FortiMail LDAP profile query” on
page 315.
This attribute must be present in user objects.

10 Select the blue arrow to expand Address Mapping Options.

For more information on mapping email addresses by LDAP query, see “LDAP
User Alias / Address Mapping profile” on page 189.

Figure 244: Address Mapping Options

Internal Address Attribute: Enter the name of the attribute,
such as internalAddress, whose value is an internal email
address.
This attribute must be present in user objects.
External Address Attribute: Enter the name of the attribute,
such as externalAddress, whose value is an external email
address.
This attribute must be present in user objects.

11 Select the blue arrow to expand Advanced Options.

Figure 245: Advanced Options

Timeout: Enter the maximum amount of time in seconds that the
FortiMail unit will wait for query responses from the LDAP
server.
Protocol Version: Select the LDAP protocol version used by
the LDAP server.
Allow unauthenticated ldap bind: Enable to perform queries in
this profile without supplying a bind DN and password for
the directory search.
Many LDAP servers require LDAP queries to be
authenticated using a bind DN and password. However, if
your LDAP server does not require the FortiMail unit to
authenticate before performing queries, you may enable
this option.
Enable Cache: Enable to cache LDAP query results.
Caching LDAP queries can introduce a delay between
when you update LDAP directory information and when the
FortiMail unit begins using that new information, but also
has the benefit of reducing the amount of LDAP network
traffic associated with frequent queries for information that
does not change frequently.
If this option is enabled but queries are not being cached,
inspect the value of TTL. Entering a TTL value of 0
effectively disables caching.
TTL: Select the blue arrow to expand Enable Cache, then enter
the amount of time, in minutes, that the FortiMail unit will
cache query results. After the TTL has elapsed, cached
results expire, and any subsequent request for that
information causes the FortiMail unit to query the LDAP
server, refreshing the cache.
The default TTL value is 1,440 minutes (one day). The
maximum value is 10,080 minutes (one week). Entering a
value of 0 effectively disables caching.
This option is available only if Enable Cache is enabled.
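An added Python example, not code from this guide or from Fortinet, of the behaviour that Enable Cache and TTL describe: a result is reused until the TTL elapses, a directory change made in the meantime is not seen until then, and a TTL of 0 sends every lookup to the server. The class name, the injectable clock and the simulated query function are assumptions; the 1,440-minute default and the 10,080-minute maximum are the values stated above.

```python
import time
from typing import Any, Callable, Dict, Hashable, Tuple

DEFAULT_TTL_MINUTES = 1_440   # one day, the default stated for the TTL option
MAX_TTL_MINUTES = 10_080      # one week, the maximum the TTL option accepts


class LdapResultCache:
    """Caches query results for ttl_minutes; a TTL of 0 disables caching, so every lookup
    reaches the server. The clock is injectable so expiry can be exercised without waiting."""

    def __init__(self, ttl_minutes: int = DEFAULT_TTL_MINUTES,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if not 0 <= ttl_minutes <= MAX_TTL_MINUTES:
            raise ValueError("TTL must be between 0 and %d minutes" % MAX_TTL_MINUTES)
        self.ttl_seconds = ttl_minutes * 60
        self.clock = clock
        self._store: Dict[Hashable, Tuple[float, Any]] = {}
        self.server_queries = 0  # how often the (simulated) LDAP server was actually asked

    def lookup(self, key: Hashable, query: Callable[[Hashable], Any]) -> Any:
        """Return the cached result for key while it is fresh; otherwise run query(key),
        count the server round trip, and (if caching is on) store the result with its time."""
        now = self.clock()
        cached = self._store.get(key)
        if cached is not None and now - cached[0] < self.ttl_seconds:
            return cached[1]                       # fresh: answered from the cache
        result = query(key)                        # expired or absent: ask the server
        self.server_queries += 1
        if self.ttl_seconds > 0:
            self._store[key] = (now, result)
        return result
```

When troubleshooting the delay described above, the server_queries counter is the thing to watch: if it stops growing while the directory has changed, the stale answer is coming from the cache and will persist until the TTL has elapsed.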

12 If your FortiMail unit is currently operating in server mode, and you want to define
a webmail password change query, enable Webmail Password Options, select the
blue arrow to expand its options, and select your LDAP server’s user schema
style, either “openldap” or “activedirectory”.
This option does not appear for FortiMail units operating in gateway or transparent
mode. “activedirectory” appears only if Use secure connection is “ssl”.
13 Select OK.
The LDAP profile appears in the LDAP profile list. Before using the LDAP profile in
other areas of the configuration, verify the configuration of each query that you
have enabled in the LDAP profile. Incorrect query configuration can result in
unexpected mail processing behavior. For information on testing queries, see
“Testing LDAP profile queries” on page 335.

Testing LDAP profile queries

After you have created an LDAP profile, you should test each enabled query in the
LDAP profile to verify that the FortiMail unit can connect to the LDAP server, that
the LDAP directory contains the required attributes and values, and that the query
configuration is correct.
When testing a query in an LDAP profile, you may encounter error messages that
indicate failure of the query and how to fix the problem. Failure messages include:
• Connection Failed: The FortiMail unit could not connect to the LDAP server.
The LDAP server may be unreachable, or the LDAP profile may be configured
with an incorrect IP address, port number, or secure connection setting.
• Unable to Find User DN that matches Mail Address: The FortiMail unit
successfully connected to the LDAP server, but could not find a user whose
email address attribute matched that value. The user may not exist on the
LDAP server in the Base DN and using the query filter you specified in User
Query Options, or the value of the user’s email address attribute does not
match the value that you supplied in Mail Address.
• Unable to find LDAP group for user: The FortiMail unit successfully located
a user with that email address, but their group membership attribute did not
match that value. The group membership attribute you specified in Group
Query Options may not exist, or the value of the group membership attribute
may not match the value that you supplied in Group DN. If the value does not
match, verify that you have supplied the Group DN according to the syntax
expected by both your LDAP server and your configuration of Group Query
Options.
• Failed to Bind: The FortiMail unit successfully located a user with that email
address, but the bind failed and the FortiMail unit was unable to authenticate
the user. Binding may fail if the value of the user’s password attribute does not
match the value that you supplied in Password. If this error message appears
when testing Webmail Password Options, it also implies that the query failed to
change the password.
• Unable to Find Mail Alias: The FortiMail unit was unable to find the email
alias. The email address alias may not exist on the LDAP server in the Base
DN and using the query filter you specified in User Alias Options, or the value
of the alias’ email address attribute does not match the value that you supplied
in Mail Address.
To verify User Query Options
1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose User Query Options query
you want to test, select Edit.
3 Next to User Query Options, select Test.
A pop-up window appears allowing you to test the query.

Figure 246: Test LDAP User Query

4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record.

Figure 247: Test LDAP User Query: successful query

To verify Group Query Options

1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose Group Query Options query
you want to test, select Edit.
3 Next to Group Query Options, select Test.
A pop-up window appears allowing you to test the query. Fields displayed in the
window vary by whether or not Use Group Name with Base DN as Group DN is
enabled in Group Query Options.

Figure 248: Test LDAP Group Query (Use Group Name with Base DN as Group DN is
disabled)

Figure 249: Test LDAP Group Query (Use Group Name with Base DN as Group DN is
enabled)

4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.

5 Either Group DN or Group Name is displayed. If Group DN appears, enter the
value of the user’s group membership attribute. If Group Name appears, enter
only the group name portion of the value of the user’s group membership attribute.
For example, a Group DN entry with valid syntax could be either:
• 10000
• admins
• cn=admins,ou=People,dc=example,dc=com
but a Group Name entry with valid syntax would be admins.
Valid syntax varies by your LDAP server’s schema and by whether Use Group
Name with Base DN as Group DN is enabled, but is identical to what you should
enter when using this LDAP profile and entering the group name elsewhere in the
FortiMail configuration, such as for a recipient-based policy.
6 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record and find
the group to which the user belongs.

Figure 250: Test LDAP Group Query: successful query

To verify Group Query Options’ Group Owner

1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose Group Query Options query
you want to test, select Edit.
3 Select the blue arrow to expand Group Query Options.
4 Next to Look up Group Owner, select Test.
A pop-up window appears allowing you to test the query. Fields displayed in the
window vary by whether or not Use Group Name with Base DN as Group DN is
enabled in Group Query Options.

Figure 251: Test LDAP Group Owner Query (Use Group Name with Base DN as Group
DN is disabled)

Figure 252: Test LDAP Group Owner Query (Use Group Name with Base DN as Group
DN is enabled)

5 Either Group DN or Group Name is displayed. If Group DN appears, enter the
distinguished name of the group object. If Group Name appears, enter only the
group name portion of the distinguished name of the group object.
For example, a Group DN entry with valid syntax would be
cn=admins,ou=People,dc=example,dc=com, but a Group Name entry with
valid syntax would be admins.
Valid syntax varies by your LDAP server’s schema and by whether Use Group
Name with Base DN as Group DN is enabled, but is identical to what you should
enter when using this LDAP profile and entering the group name elsewhere in the
FortiMail configuration, such as for a recipient-based policy.

6 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the group record and find
the group owner and their email address.

Figure 253: Test LDAP Group Owner Query: successful query

To verify User Auth Options

1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose User Auth Options query you
want to test, select Edit.
3 Next to User Auth Options, select Test.
A pop-up window appears allowing you to test the query.

Figure 254: Test LDAP User Authentication

4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 In Password, enter the current password for that user.
6 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record, or
binding to authenticate the user.

Figure 255: Test LDAP User Authentication: successful query

To verify User Alias Options

1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose User Alias Options query you
want to test, select Edit.
3 Next to User Alias Options, select Test.
A pop-up window appears allowing you to test the query.

Figure 256: Test LDAP User Alias

4 In Mail Address, enter the email address alias of a user on the LDAP server, such
as test-alias@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the alias record, or
binding to authenticate the user.

Figure 257: Test LDAP User Alias: successful query

To verify Mail Routing Options

1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose Mail Routing Options query
you want to test, select Edit.
3 Next to Mail Routing Options, select Test.
A pop-up window appears allowing you to test the query.

Figure 258:Test LDAP Mail Routing Query

4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record and find
the mail host and mail routing address for that user.


Figure 259:Test LDAP Mail Routing Query: successful query

To verify AS/AV On/Off Options


1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose AS/AV On/Off Options query
you want to test, select Edit.
3 Next to AS/AV On/Off Options, select Test.
A pop-up window appears allowing you to test the query.

Figure 260:Test LDAP AS/AV On/Off Config

4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record and find
the antispam and antivirus processing preferences for that user.


Figure 261:Test LDAP AS/AV On/Off Config: successful query

To verify Address Mapping Options


1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose Address Mapping Options
query you want to test, select Edit.
3 Next to Address Mapping Options, select Test.
A pop-up window appears allowing you to test the query.

Figure 262:Test LDAP Address Mapping

4 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.
5 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record and find
the internal and external email addresses for that user.


Figure 263:Test LDAP Address Mapping: successful query

To verify Webmail Password Options


1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose Webmail Password Options
query you want to test, select Edit.
3 Select the blue arrow next to Advanced Options.
4 Next to Webmail Password Options, select Test.
A pop-up window appears allowing you to test the query.

Figure 264:Test LDAP User Pwd Change

5 In Mail Address, enter the email address of a user on the LDAP server, such as
test@example.com.


Caution: Only use an email account whose password it is acceptable to change, and make
note of the new password. Verifying the Webmail Password Options query configuration
performs a real password change, and does not restore the previous password after the
query has been verified.

6 In Password, enter the current password for that user.


7 In New Password, enter the new password for that user.
8 Select Test.
The FortiMail unit performs the query, and displays either success or failure for
each operation in the query, such as the search to locate the user record, binding
to authenticate the password change, and the password change operation itself.

Figure 265:Test LDAP User Pwd Change: successful query

Clearing the LDAP profile cache


You can clear the FortiMail unit’s cache of query results for any LDAP profile.
This may be useful after, for example, you have updated parts of your LDAP
directory that are used by that LDAP profile, and you want the FortiMail unit to
discard outdated cached query results and reflect changes to the LDAP directory.
After the cache is emptied, any subsequent request for information from that
LDAP profile causes the FortiMail unit to query the updated LDAP server,
refreshing the cache.

To clear the LDAP query cache


1 Go to Profile > LDAP > LDAP Profile.
2 In the row corresponding to the LDAP profile whose query cache you want to
clear, select Edit.


3 Select the blue arrow next to Advanced Options.


4 Select Clear Cache.
A warning dialog appears, notifying you that the cache for this LDAP profile will be
cleared if you proceed.
5 Select OK.
The FortiMail unit empties cached LDAP query responses associated with that
LDAP profile.

IP Pool
The IP Pool menu enables you to create IP pool profiles.
The IP Pool menu includes the following tab:
• IP Pool Lists

IP Pool Lists
The IP Pool Lists tab displays the list of IP pool profiles.
You can use IP pool profiles if you want outgoing email to originate from a
configured range of IP addresses. Each email message that the FortiMail unit
sends will use the next IP address in the range. When the last IP address in the
range is used, the next email message will use the first IP address.
You can select which IP pool profile, if any, that the FortiMail unit will use for each
protected domain. For more information, see “Domains” on page 180.
You can also select IP pool profiles in each IP-based policy. The IP pool profile
selected in the protected domain will override the one selected in the IP-based
policy, unless “If this policy matches then don't check for a recipient match” is
enabled in the IP-based policy. For more information, see “IP based policies” on
page 359.
FortiMail units will use IP pool addresses only if the sender email address involves
a protected domain and the recipient email address does not. FortiMail units will
not use IP pool addresses for:
• email sent from unprotected domains
• email sent between protected domains
To view the list of IP pool profiles, go to Profile > IP Pool > IP Pool Lists.

Figure 266:IP pool list



Name The name of the profile.


Action Select Edit to modify the profile. For more information, see
“To create an IP pool” on page 349.
Select Delete to remove the profile. This icon does not
appear if the profile is currently selected in a policy.
Create New Select to add a profile. For more information, see “To create
an IP pool” on page 349.

To create an IP pool
1 Go to Profile > IP Pool > IP Pool Lists.
2 Select Create New.

Figure 267:IP Pool


3 In Pool Name, enter a name for this IP pool.


The name must contain only alphanumeric characters and spaces. Hyphens ( - )
and underscores ( _ ) are not allowed.
4 In Start IP, enter the IP address that begins the range of IP addresses that will be
used for this IP pool.
5 In Range Size, enter the total number of IP addresses in the contiguous range of
the IP pool, including that of the Start IP.
For example, if Start IP is 10.0.0.3 and Range Size is 5, the IP pool will contain the
IP addresses 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6, and 10.0.0.7.
6 If you want to include additional ranges of IP addresses in this IP pool, select
Create New, then repeat steps 4 and 5 for each additional range of addresses you
add.
If you want to remove a range of IP addresses from this IP pool, in the row
corresponding to the range, select Delete.
7 Select OK.
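The following is an added example, not FortiMail code, that models the IP pool behaviour described in this section: a pool built from one or more Start IP / Range Size entries, the round-robin rotation that wraps from the last address back to the first, the pool-name restriction (alphanumerics and spaces only), and the rule that a pool is used only when the sender is in a protected domain and the recipient is not. The class and function names and the sample addresses are assumptions for illustration.

```python
"""Round-robin source-IP selection modelled on FortiMail IP pool profiles.

Added example; not FortiMail code. Names and sample data are assumptions.
"""
import ipaddress
import re
from itertools import cycle
from typing import Iterator, List, Optional, Set, Tuple

# Pool Name may contain only alphanumeric characters and spaces.
POOL_NAME_RE = re.compile(r"^[A-Za-z0-9 ]+$")


def valid_pool_name(name: str) -> bool:
    """True if the name satisfies the Pool Name character restriction."""
    return bool(POOL_NAME_RE.match(name))


def expand_range(start_ip: str, range_size: int) -> List[str]:
    """Expand a Start IP + Range Size entry into its contiguous addresses,
    counting the Start IP itself (10.0.0.3 + 5 -> 10.0.0.3 .. 10.0.0.7)."""
    if range_size < 1:
        raise ValueError("Range Size must be at least 1")
    start = ipaddress.IPv4Address(start_ip)
    return [str(start + i) for i in range(range_size)]


class IPPool:
    """An IP pool profile: one or more ranges, rotated round-robin."""

    def __init__(self, name: str, ranges: List[Tuple[str, int]]):
        if not valid_pool_name(name):
            raise ValueError("pool name may contain only alphanumerics and spaces")
        self.name = name
        self.addresses: List[str] = []
        for start_ip, size in ranges:            # ranges in the order configured
            self.addresses.extend(expand_range(start_ip, size))
        self._rotation: Iterator[str] = cycle(self.addresses)

    def next_address(self) -> str:
        """Return the next address; after the last one, wrap to the first."""
        return next(self._rotation)


def source_address(pool: IPPool, sender: str, recipient: str,
                   protected_domains: Set[str]) -> Optional[str]:
    """Use the pool only for mail from a protected domain to an unprotected
    one. Mail from unprotected domains, or between protected domains,
    returns None (i.e. the unit's normal source address is used)."""
    sender_dom = sender.rsplit("@", 1)[-1].lower()
    rcpt_dom = recipient.rsplit("@", 1)[-1].lower()
    if sender_dom in protected_domains and rcpt_dom not in protected_domains:
        return pool.next_address()
    return None
```

Because a pool advances one address per message, the reverse DNS and SPF records for every address in every range must be correct before the pool is attached to a domain or policy; a single unlisted address in the rotation will intermittently fail remote checks.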

TLS
The TLS menu enables you to create transport layer security (TLS) profiles.
The TLS menu includes the following tab:
• TLS Profile


TLS Profile
The TLS Profile tab enables you to create TLS profiles, which contain settings for
TLS-secured connections.
TLS profiles, unlike other types of profiles, are applied through access control
rules and message delivery rules, not policies. For more information, see “Access”
on page 198.
To view the list of TLS profiles, go to Profile > TLS > TLS Profile.

Figure 268:TLS profile list


Profile The name of the profile.


TLS level The security level of the TLS connection.
• None: Disables TLS. Requests for a TLS connection
will be ignored.
• Preferred: Allows a simple TLS connection, but does not
require it. Encryption is not guaranteed: if the peer does
not negotiate TLS the session continues in cleartext, and
the identity of the server is not validated with a certificate.
• Encrypt: Requires a basic TLS connection. Failure to
negotiate a TLS connection results in the connection
being rejected according to the Action on failure setting.
• Secure: Requires a certificate-authenticated TLS
connection. CA certificates must be installed on the
FortiMail unit before they can be used for secure TLS
connections. For information on installing CA
certificates, see “CA Certificate” on page 161.
Encryption Strength The bit size of the encryption key. Greater key size results
in stronger encryption, but requires more processing
resources.
This option does not apply and will be empty for profiles
whose TLS Level is None or Preferred.


CA Issuer The type of the match, and the text that the CA Issuer field
of the server’s certificate must match.
This text must correlate to a CA certificate that you have
installed on the FortiMail unit. For information on installing
CA certificates, see “CA Certificate” on page 161.
The text is prefixed by a letter that indicates the type of the
match that you have configured in the profile:
• E: The text of the CA Issuer field must equal this value
exactly.
• S: The text of the CA Issuer field must contain this
value.
• W: The text of the CA Issuer field must be similar to this
value in the pattern indicated by wild cards.
This option does not apply and will be empty for profiles
whose TLS Level is not Secure. It may also be empty if you
have not configured the TLS profile to require a specific CA
Issuer.
CN Subject The type of the match, and the text that the CN Subject field
of the server’s certificate must match.
The text is prefixed by a letter that indicates the type of the
match that you have configured in the profile:
• E: The text of the CN Subject field must equal this value
exactly.
• S: The text of the CN Subject field must contain this
value.
• W: The text of the CN Subject field must be similar to this
value in the pattern indicated by wild cards.
This option does not apply and will be empty for profiles
whose TLS Level is not Secure. It may also be empty if you
have not configured the TLS profile to require a specific CN
Subject.
Action Indicates the action the FortiMail unit takes when a TLS
connection cannot be established.
• T: Temporarily fail.
• F: Fail.
This option does not apply and will be empty for profiles
whose TLS Level is Preferred.
Modify Select Edit to modify the profile. For more information, see
“To create a TLS profile” on page 351.
Select Delete to remove the profile. This icon does not
appear if the profile is currently selected in a policy.
Create New Select to add a profile. For more information, see “To create
a TLS profile” on page 351.

To create a TLS profile


1 Go to Profile > TLS > TLS Profile.
2 Select Create New.
3 In Profile Name, enter the name of the profile.


4 From TLS level, select the security level of the TLS profile:
• None: Disables TLS. Requests for a TLS connection will be ignored.
• Preferred: Allows a simple TLS connection, but does not require it. Encryption is
not guaranteed: if the peer does not negotiate TLS the session continues in
cleartext, and the identity of the server is not validated with a certificate.
• Encrypt: Requires a basic TLS connection. Failure to negotiate a TLS
connection results in the connection being rejected according to the Action on
failure setting.
• Secure: Requires a certificate-authenticated TLS connection. CA certificates
must be installed on the FortiMail unit before they can be used for secure TLS
connections.
The availability of other options varies by your selection in TLS level.
5 Configure the following:

Figure 269:New TLS Profile

CA Issuer match Select the type of match required when the FortiMail unit
compares the string in the CA Issuer field and the same
field in the installed CA certificates. For more information on
CA certificates, see “CA Certificate” on page 161.
CA Issuer must be enabled for CA Issuer match to have
any effect.
This option appears only if TLS level is Secure.
CA Issuer Enable and enter a string in the CA Issuer field to select a
CA certificate by the CA Issuer. The FortiMail unit will
compare the string in the CA Issuer field with the same field
in the installed CA certificates.
The CA Issuer drop down lists all of the installed CA
certificates. Selecting a certificate will populate the CA
Issuer field with the certificate’s CA issuer.
This option appears only if TLS level is Secure.
CN subject match Select the type of match required when the FortiMail unit
compares the string in the CN Subject field and the same field in
the installed CA certificates.
CN Subject must be enabled for CN subject match to have
any effect.
This option appears only if TLS level is Secure.
CN Subject Enable and enter a string in the CN Subject field to select a
CA certificate by the CN Subject. The FortiMail unit will
compare the string in the CN Subject field with the same
field in the installed CA certificates.
This option appears only if TLS level is Secure.


Encryption Strength Enter the bit size of the encryption key. Greater key size
results in stronger encryption, but requires more processing
resources.
This option appears only if TLS level is Encrypt or Secure.
Action on failure Select whether to fail or temporarily fail if a TLS connection
with the parameters described in the TLS profile cannot be
established.
This option does not appear if TLS level is Preferred.

6 Select OK.
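The following is an added example, not FortiMail code, showing how the fields of a TLS profile combine into a per-session decision: TLS level (None, Preferred, Encrypt, Secure), Encryption Strength as a minimum key size, the E/S/W match types applied to the CA Issuer and CN Subject of the peer certificate, and Action on failure (T = temporarily fail, F = fail). The session record, the mapping of T/F to SMTP 4xx/5xx replies, and the helper names are assumptions for illustration; the actual reply text the unit sends is not documented on this page.

```python
"""TLS profile evaluation modelled on the FortiMail TLS profile fields.

Added example; not FortiMail code. Reply codes and names are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple


def field_matches(match_type: str, pattern: str, value: str) -> bool:
    """E: exact match, S: substring, W: wildcard pattern (fnmatch style)."""
    if match_type == "E":
        return value == pattern
    if match_type == "S":
        return pattern in value
    if match_type == "W":
        return fnmatchcase(value, pattern)
    raise ValueError(f"unknown match type {match_type!r}")


@dataclass
class TLSProfile:
    level: str                                    # None | Preferred | Encrypt | Secure
    min_key_bits: int = 0                         # Encryption Strength (Encrypt/Secure)
    ca_issuer: Optional[Tuple[str, str]] = None   # (match type, text), Secure only
    cn_subject: Optional[Tuple[str, str]] = None  # (match type, text), Secure only
    action_on_failure: str = "F"                  # T = temporary fail, F = fail


@dataclass
class TLSSession:
    """What was actually negotiated with the peer (constructed sample data)."""
    tls_negotiated: bool
    key_bits: int = 0
    chain_verified: bool = False   # peer cert chains to an installed CA certificate
    issuer: str = ""
    subject_cn: str = ""


def failure_reply(profile: TLSProfile) -> str:
    # Assumed mapping: temporary fail -> 4xx (peer retries later), fail -> 5xx.
    return "454 TLS required" if profile.action_on_failure == "T" else "554 TLS required"


def evaluate(profile: TLSProfile, session: TLSSession) -> str:
    """Return "accept", "accept-cleartext", or the SMTP reply used to reject."""
    if profile.level == "None":
        return "accept-cleartext"                 # STARTTLS requests are ignored
    if profile.level == "Preferred":
        # Opportunistic: nothing is required, so nothing can fail the session.
        return "accept" if session.tls_negotiated else "accept-cleartext"
    # Encrypt and Secure both require a negotiated session of sufficient strength.
    if not session.tls_negotiated or session.key_bits < profile.min_key_bits:
        return failure_reply(profile)
    if profile.level == "Encrypt":
        return "accept"
    # Secure: the certificate must chain to an installed CA and satisfy the
    # CA Issuer / CN Subject constraints, if any were configured.
    if not session.chain_verified:
        return failure_reply(profile)
    if profile.ca_issuer and not field_matches(*profile.ca_issuer, session.issuer):
        return failure_reply(profile)
    if profile.cn_subject and not field_matches(*profile.cn_subject, session.subject_cn):
        return failure_reply(profile)
    return "accept"
```

Note that only Secure ties the session to an identity; Encrypt stops passive eavesdropping but accepts any certificate, and Preferred can silently run in cleartext, so an outbound delivery rule that must not leak mail to an impostor needs Secure with at least a CN Subject constraint.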

Policy What is a policy?

Policy
The Policy menu enables you to create policies that include profiles to filter email
traffic and manage email user accounts.
The Policy menu includes:
• Recipient based policies
• IP based policies

What is a policy?
After creating the antispam, antivirus, content, authentication, or misc profiles
(see “Profile” on page 241), you need to apply them to policies for them to take
effect. A policy defines what traffic will be filtered in which way. A policy can also
determine user account settings, such as authentication type, disk quota, and
access to webmail.
The FortiMail unit supports two types of policies: recipient-based policies and
IP-based policies.
Recipient-based policies vs. IP-based policies
Recipient-based policies are run on messages sent to a user or user group
specified in a policy.
IP-based policies are run when the IP address matches the client address
specified in the policy in gateway and server modes, or when both IP addresses
match the client and server addresses specified in the policy in transparent mode.
Incoming vs. outgoing recipient-based policies
A necessary concept you must understand to properly configure recipient-based
policies is how the FortiMail unit determines whether an email message is
incoming or outgoing. This is important because there are two types of recipient-
based policies, incoming and outgoing, and they are configured separately.
The deciding factor is the domain of the message recipient. If the recipient domain
is a protected domain, configured in Mail Settings > Domains, the FortiMail unit
considers the message as incoming and applies the first matching incoming
policy. If the recipient domain is not a protected domain, the message is
considered outgoing.

Note: IP-based policies are not divided into incoming and outgoing types. Only the client IP
address (in gateway and server modes) or the client and server IP addresses (in
transparent mode) are used to determine whether a match occurs.


How to use policies


Recipient-based policies are run on individual messages based on who the
message is sent to. IP-based policies are run on connections between two
computers: in gateway and server modes the match is made on the client IP
address, and in transparent mode on both the client and server IP addresses.
Depending on your needs, you can create different recipient-based policies for
different email recipients. For example, if your company is an ISP, you can create
and apply antispam and antivirus profiles for only the customers who have paid for
those services.
In all operating modes, you can create incoming and outgoing recipient-based
email policies to protect both the local and remote email recipients.
How policies are executed
The FortiMail unit determines the IP-based policy matching the session as soon
as the connection is made, but does not immediately apply it, because
recipient-based policies take priority. Since any given message can have only one
policy applied to it, the FortiMail unit holds the IP-based policy match in reserve
and checks each message for recipient-based policy matches. If a match is found,
the recipient-based policy is applied. If no recipient-based policies match, the
IP-based policy is applied.

Note: If no recipient-based policy matches the message and no IP-based policy matches
the session, no policies are applied and the mail is delivered.

You cannot include a session profile in a recipient-based policy. If an IP-based
policy matches the connection, its session profile will be applied in addition to
the other profiles specified in a matching recipient-based policy.
Single messages with multiple recipients are treated as multiple messages, each
with a single recipient, when recipient-based policies apply their profiles. This
allows a fine degree of control, but also means some recipients will not receive the
same message another recipient will receive.
However, for an antivirus profile, the FortiMail unit will treat a message with
multiple recipients as a single message. The FortiMail unit will check the recipients
for a recipient-based policy match and when it finds the first match, it will run the
antivirus profile from the matching recipient-based policy on the message. No
further checks are made for recipient matches. If no recipient-based policies
match the message, the antivirus profile from the IP-based policy is applied. If no
recipient-based policies match the message, and no IP-based policy matches the
session, no antivirus profile is applied to the message.
Order of policies
Policy matches are checked from the top of the list, downward.
Arrange policies in the policy list from most specific at the top to more general at
the bottom. For example, a policy created with an asterisk (*) entered for the user
name is the most general policy possible because it will match all users in the
domain. When you create more specific policies, you must add them to the policy
list above the general policy.
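The following is an added example, not FortiMail code, that models the selection rules described in “How to use policies” and “Order of policies”: the IP-based match is found first and held in reserve, each recipient is classed as incoming or outgoing by whether its domain is protected, the relevant recipient-based list is walked from the top and the first match wins, the IP-based policy applies only when no recipient-based policy matches (or when “If this policy matches then don't check for a recipient match” is set), the session profile can only come from the IP-based policy, and one antivirus profile is chosen for the whole message from the first recipient-based match. The policy records, profile names, and addresses are constructed for illustration.

```python
"""Policy selection modelled on the FortiMail recipient-based / IP-based rules.

Added example; not FortiMail code. Records and sample data are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set


@dataclass
class RecipientPolicy:
    pattern: str                      # incoming: "alice" or "*"; outgoing: "*@example.net"
    profiles: Dict[str, str] = field(default_factory=dict)


@dataclass
class IPPolicy:
    client_net: str                   # client address or subnet (gateway/server mode)
    profiles: Dict[str, str] = field(default_factory=dict)
    reject: bool = False              # "Reject connections with this match"
    skip_recipient_match: bool = False  # "don't check for a recipient match"


@dataclass
class PolicyConfig:
    protected_domains: Set[str]
    incoming: Dict[str, List[RecipientPolicy]]   # per protected domain, top-down order
    outgoing: List[RecipientPolicy]              # top-down order
    ip_policies: List[IPPolicy]                  # top-down order


def match_ip_policy(cfg: PolicyConfig, client_ip: str) -> Optional[IPPolicy]:
    """First IP-based policy whose client address/subnet contains the client."""
    ip = ipaddress.ip_address(client_ip)
    for pol in cfg.ip_policies:
        if ip in ipaddress.ip_network(pol.client_net, strict=False):
            return pol
    return None


def match_recipient_policy(cfg: PolicyConfig, rcpt: str) -> Optional[RecipientPolicy]:
    """Incoming list if the recipient domain is protected, else the outgoing
    list; the first match from the top wins, so specific entries go first."""
    user, _, domain = rcpt.lower().rpartition("@")
    if domain in cfg.protected_domains:
        candidates = cfg.incoming.get(domain, [])
        return next((p for p in candidates if fnmatchcase(user, p.pattern.lower())), None)
    return next((p for p in cfg.outgoing if fnmatchcase(rcpt.lower(), p.pattern.lower())), None)


def resolve(cfg: PolicyConfig, client_ip: str, recipients: List[str]) -> Dict[str, object]:
    """Effective profiles per recipient, plus the single antivirus profile
    applied to the message as a whole."""
    ip_pol = match_ip_policy(cfg, client_ip)          # found at connect time
    if ip_pol and ip_pol.reject:
        return {"rejected": True, "recipients": {}, "antivirus": None}
    per_rcpt: Dict[str, Dict[str, str]] = {}
    first_match: Optional[RecipientPolicy] = None
    for rcpt in recipients:                            # one recipient at a time
        chosen: Dict[str, str] = {}
        rp = None if (ip_pol and ip_pol.skip_recipient_match) else match_recipient_policy(cfg, rcpt)
        if rp is not None:
            chosen.update(rp.profiles)
            chosen["source"] = "recipient"
            first_match = first_match or rp
        elif ip_pol is not None:
            chosen.update(ip_pol.profiles)             # held-in-reserve IP policy
            chosen["source"] = "ip"
        else:
            chosen["source"] = "none"                  # no policy: delivered unfiltered
        # A session profile only ever comes from the IP-based policy, and is
        # applied on top of a matching recipient-based policy.
        if ip_pol is not None and "session" in ip_pol.profiles:
            chosen["session"] = ip_pol.profiles["session"]
        per_rcpt[rcpt] = chosen
    # Antivirus is decided once per message: first recipient match, else IP policy.
    if first_match is not None:
        antivirus = first_match.profiles.get("antivirus")
    elif ip_pol is not None:
        antivirus = ip_pol.profiles.get("antivirus")
    else:
        antivirus = None
    return {"rejected": False, "recipients": per_rcpt, "antivirus": antivirus}
```

The ordering consequence worth checking in a real configuration is visible in the antivirus result: with a message to several recipients, the antivirus profile of whichever recipient is listed first in the envelope is the one that scans the message for everyone, so a permissive catch-all (*) entry can decide the scan for a recipient who has a stricter entry higher in the list.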


Recipient based policies


The Recipient Based menu enables you to create recipient-based policies based
on the incoming or outgoing directionality of an email message with respect to the
protected domain.
The Recipient Based menu includes the following tabs:
• Incoming policies
• Outgoing policies

Incoming policies
The Incoming tab enables you to create and apply policies to incoming email to
protect the email recipients on the domains configured on the FortiMail unit. For
definitions of outgoing and incoming email, see “What is a policy?” on page 355.
For information about how recipient-based and IP-based policies are executed
and how the order of polices affects the execution, see “How to use policies” on
page 356.
To view the incoming recipient-based policy list, go to Policy > Recipient
Based > Incoming.

Figure 270:Incoming recipient-based policy list


Select a domain Select a domain to display its recipient-based policy list.


# The order number of the recipient-based policies.
User Name Recipients matching the specified user name will have the policy
settings applied to their email.
AntiSpam The antispam profile selected for the matching recipients.
AntiVirus The antivirus profile selected for the matching recipients.
Content The content profile selected for the matching recipients.
Authentication The authentication profile selected for the matching recipients.
Advanced The PKI user selected for the matching recipients.
Modify Select Edit to modify a policy.
Select Delete to remove a policy.
Select Move to rearrange the order of the policies.
Create New Select to create a policy.

Profiles listed in the policy table appear as linked text. To modify profile settings,
select the required profile.


To create an incoming recipient-based policy


1 Go to Policy > Recipient based > Incoming.
2 Select a domain (mail server) that contains the users to whom you want to apply
policies.
For information on creating domains, see “Domains” on page 180.
3 Select Create New.
4 The user or group the policy applies to can be defined in three ways:
• Select User Name and enter the user’s name. The user name must match the
same user’s name on the email server. Do not include the domain portion. Use
an asterisk (*) to represent all users on a domain.
• Select Local Group Name and enter the name of a group defined in User >
User Group. See “User Group” on page 230.
• Select LDAP Group Name and enter the name of an LDAP group. Select the
LDAP profile configured to connect to the server and retrieve the group
information. For information about LDAP profiles, see “LDAP” on page 311.
5 Select the Antispam profile, Antivirus profile, and Content profile for the user. For
information about profiles, see “Profile” on page 241.
6 For Authentication, select the authentication server type and a profile for the user.
Create and modify Radius, POP3, IMAP, and SMTP authentication profiles in
Profile > Authentication. Create and modify LDAP authentication profiles in
Profile > LDAP. See “LDAP” on page 311.
7 Enable Use for SMTP authentication if required.
This enables user access to the quarantined spam on the FortiMail unit. It also
enables roaming users to send email through the FortiMail unit.
8 Select Allow Different Sender Identity if you allow email with different
authentication identities and “from” addresses to pass through.
This option is available only if you have enabled Use for SMTP authentication in
step 7.
9 For Spam Access Methods, select POP3 or Web Mail to access the quarantined
spam on the FortiMail unit.
10 Select Enable PKI Authentication for Web Mail SPAM access to allow email users
to log in to their spam quarantine with PKI authentication instead of a username
and password. Select the PKI user for the policy. See “PKI User” on page 235.
11 If you enable PKI authentication, select Valid Certificate is Mandatory if users
must have a valid certificate.
12 Select OK.

Outgoing policies
The Outgoing tab enables you to create and apply policies to outgoing email to
protect the email recipients on all domains not configured on the FortiMail unit. For
definitions of outgoing and incoming email, see “What is a policy?” on page 355.
For information about how recipient-based and IP-based policies are executed
and how the order of polices affects the execution, see “How to use policies” on
page 356.
To view the outgoing recipient-based policy list, go to Policy > Recipient Based >
Outgoing.


Figure 271:Outgoing recipient-based policy list


# The order number of user policies.


User Name The name of the email recipient.
AntiSpam The antispam profile selected for the user.
AntiVirus The antivirus profile selected for the user.
Content The content profile selected for the user.
Modify Select Edit to modify a policy.
Select Delete to remove a policy.
Select Move to rearrange the order of the policies.
Create New Select to create a policy.

Profiles listed in the policy table appear as linked text. To modify profile settings,
select the required profile.

To create an outgoing recipient-based policy


1 Go to Policy > Recipient Based > Outgoing.
2 Select Create New.
3 Enter the User Name.
The user name must match the same user’s name on the recipient email server.
The user name should include the domain portion, for example
user1@example.com. You can use an asterisk (*) plus a domain name to
represent all users on that server. For example, *@example.com.
4 Select the Antispam profile, Antivirus profile, and Content profiles for the user.
5 Select OK.

IP based policies
The IP Based menu enables you to create policies by applying profiles to SMTP
connections. In gateway and server modes, you specify an address for the client.
In transparent mode, you specify IP addresses for the client and the server.
Client vs. server
The client is the computer initiating the connection and the server is the computer
receiving the connection. For example, if system A opened a connection to
system B to deliver mail, A is the client and B is the server. If system B later
opened a connection to system A to deliver a response, B is now the client and A
is the server.


The IP Based menu includes the following tab:


• IP Policies
Instructions for this tab are specific to each operation mode:
• Creating IP-based policies (gateway mode)
• Creating IP-based policies (server mode)
• Creating IP-based policies (transparent mode)

Creating IP-based policies (gateway mode)


You can create and apply policies to SMTP traffic to protect both inside and
outside email recipients.
For information about how recipient-based and IP-based policies are executed
and how the order of polices affects the execution, see “How to use policies” on
page 356.
To view the IP-based policy list, go to Policy > IP Based > IP Policies.

Figure 272:Gateway mode IP-based Policy list


# The order number of user policies.


Match The IP address of the client to apply this policy to. The address is
blue when “If this policy matches then don't check for a recipient
match” is selected in the policy’s Misc Settings.
Session The session profile selected for the client.
AntiSpam The antispam profile selected for the client.
AntiVirus The antivirus profile selected for the client.
Content The content profile selected for the client.
IP Pool The IP pool profile selected for the client. The IP pool profile will
be ignored if the ‘If this policy matches then don't check for a
recipient match’ option is not enabled.
Authentication The authentication profile selected for the client.
Modify Select Edit to modify a policy.
Select Delete to remove a policy.
Select Move to rearrange the order of the policies.
Create New Select to create a policy.


Profiles listed in the policy table appear as linked text. To modify profile settings,
select the required profile.

To create an IP-based policy


1 Go to Policy > IP Based.
2 Select Create New.
3 Type the IP address of a client computer or a subnet. The policy will apply to all
connection attempts initiated from the address/subnet specified.
4 If the policy is to simply deny connections from the specified IP address, select
Reject connections with this match.
5 If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, IP pool profile, and Content profile to be applied by the
policy during the session initiated by the client computer. For information about
profiles, see “Profile” on page 241.
6 If required, expand Authentication, select the authentication server type and a
profile for the policy. Radius, POP3, IMAP, and SMTP authentication profiles are
created and modified in Profile > Authentication. LDAP authentication profiles
are created and modified in Profile > LDAP. See “LDAP” on page 311.
7 Select Use for SMTP Authentication to use the authentication type and profile for
SMTP sessions. This enables user access to the quarantined spam on the
FortiMail unit. It also enables roaming users to send email through the FortiMail
unit.
8 Select Allow Different Sender Identity if you allow email messages that have
different authentication identities and “from” addresses to pass through. This
option is available only if Use for SMTP Authentication is selected.
9 Select “If this policy matches then don't check for a recipient match” to disable
checking for recipient-based policy matches while this IP-based policy is in
effect.
The IP-based policy will be applied and recipient-based policies ignored. For
information about how the policies are executed, see “How to use policies” on
page 356.

Creating IP-based policies (server mode)


You can create and apply policies to SMTP traffic to protect both inside and
outside email recipients.
For information about how recipient-based and IP-based policies are executed
and how the order of polices affects the execution, see “How to use policies” on
page 356.
To view the IP-based policy list, go to Policy > IP Based > IP Policies.


Figure 273:Server mode IP-based Policy list


# The order number of user policies.


Match The IP address of the client to apply this policy to. The address is
blue when “If this policy matches then don't check for a recipient
match” is selected in the policy’s Misc Settings.
Session The session profile selected for the client.
AntiSpam The antispam profile selected for the client.
AntiVirus The antivirus profile selected for the client.
Content The content profile selected for the client.
IP Pool The IP pool profile selected for the client. The IP pool profile will be
ignored if the ‘If this policy matches then don't check for a recipient
match’ option is not enabled.
Modify Select Edit to modify a policy.
Select Delete to remove a policy.
Select Move to rearrange the order of the policies.
Create New Select to create a policy.

Profiles listed in the policy table appear as linked text. To modify profile settings,
select the required profile.

To create an IP-based policy


1 Go to Policy > IP Based.
2 Select Create New.
3 Type the IP address of a client computer or a subnet. The policy will apply to all
connection attempts initiated from the address/subnet specified.
4 If the policy is to simply deny connections from the specified IP address, select
Reject connections with this match.
5 If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, Content profile, and IP pool profile to be applied by the
policy during the session initiated by the client computer. For information about
profiles, see “Profile” on page 241.
6 Select “If this policy matches then don't check for a recipient match” to disable
checking for recipient-based policy matches while this IP-based policy is in
effect.
The IP-based policy will be applied and recipient-based policies ignored. For
information about how the policies are executed, see “How to use policies” on
page 356.


Creating IP-based policies (transparent mode)


You can create and apply policies to SMTP traffic to protect both inside and
outside email recipients.
The client’s IP address and the server’s IP address are compared against those
specified in the policy and a match activates the policy. Since both the client and
server addresses are specified, you can even define different policies for
connections between the same two computers depending on which machine
initiates contact.
For information about how recipient-based and IP-based policies are executed
and how the order of policies affects the execution, see “How to use policies” on
page 356.
To view the IP-based policy list, go to Policy > IP Based > Incoming or
Outgoing.

Figure 274: Transparent mode IP-based Policy list

#              The order number of user policies.
Match          The IP address of the client and the server the policy will apply to.
               The client address is displayed first, followed by the server. The
               addresses are blue when “If this policy matches then don't check
               for a recipient match” is selected in the policy’s Misc Settings.
Session        The session profile selected for the policy.
AntiSpam       The antispam profile selected for the policy.
AntiVirus      The antivirus profile selected for the policy.
Content        The content profile selected for the policy.
IP Pool        The IP pool profile selected for the policy. The IP pool profile will
               be ignored if the “If this policy matches then don't check for a
               recipient match” option is not enabled.
Authentication The authorization profile selected for the policy.
Modify         Select Edit to modify a policy.
               Select Delete to remove a policy.
               Select Move to rearrange the order of the policies.
Create New     Select to create a policy.

Profiles listed in the policy table appear as linked text. To modify profile settings,
select the required profile. A window opens with the policy settings.


To create an IP-based policy

1 Go to Policy > IP Based.
2 Select Create New.
3 Type the IP address of the client computer or a subnet. The policy created will
apply to all connection attempts initiated from the client address/subnet to the
server address/subnet.
4 If the policy is to simply deny connections from the client to server, select Reject
connections with this match.
5 If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, Content profile, and IP pool profile to be applied by the
policy during the session initiated by the client computer. For information about
profiles, see “Profile” on page 241.
6 If required, expand Authentication, select the authentication server type and a
profile for the policy. Create or modify Radius, POP3, IMAP, and SMTP
authentication profiles in Profile > Authentication. Create or modify LDAP
authentication profiles in Profile > LDAP. See “LDAP” on page 311.
7 Select Use SMTP Authentication to use the authentication type and profile for
SMTP sessions. This enables user access to the quarantined spam on the
FortiMail unit. It also enables roaming users to send email through the FortiMail
unit.
8 Select Allow Different Sender Identity if you allow email messages that have
different authentication identities and “from” addresses to pass through.
This option is available only if Use for SMTP Authentication is selected.
9 Select “If this policy matches then don't check for a recipient match” to disable
checking for recipient-based policy matches while this IP-based policy is in
effect.
The IP-based policy will be applied and recipient-based policies ignored. For
information about how the policies are executed, see “How to use policies” on
page 356.
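The matching rules described in the two procedures above (client-only matching in server mode, client plus server matching in transparent mode, “Reject connections with this match”, and the effect of “If this policy matches then don't check for a recipient match” on recipient checking and on the IP pool profile) can be worked through in a small model. The following is an added example written for this guide, not FortiMail code; it assumes, as the page does not state here, that policies are evaluated top to bottom in “#” order with the first match winning, and that an unmatched connection falls through to recipient-based policy checking. All addresses and profile names are constructed.

```python
"""Model of FortiMail IP-based policy matching (added example, not Fortinet code).

Assumptions (not stated on this page): policies are evaluated top to bottom in
'#' order and the first match wins; a connection that matches no IP-based
policy falls through to recipient-based policy checking.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class IpPolicy:
    client: str                         # client IP or subnet, e.g. "192.0.2.0/24"
    server: Optional[str] = None        # transparent mode only; None in server mode
    reject: bool = False                # "Reject connections with this match"
    skip_recipient_match: bool = False  # "If this policy matches then don't check
                                        #  for a recipient match"
    profiles: Dict[str, str] = field(default_factory=dict)  # session, antispam, ...


@dataclass
class Decision:
    policy_index: Optional[int]         # '#' of the matching policy, None if none
    action: str                         # "reject", "accept" or "no-match"
    profiles: Dict[str, str]            # profiles that apply to the session
    check_recipient_policies: bool      # whether recipient-based policies still run


def _net(spec: str):
    # A bare host address becomes a /32 (or /128) network.
    return ip_network(spec, strict=False)


def _matches(pol: IpPolicy, client_ip: str, server_ip: Optional[str]) -> bool:
    if ip_address(client_ip) not in _net(pol.client):
        return False
    if pol.server is None:              # server-mode policy: client address only
        return True
    return server_ip is not None and ip_address(server_ip) in _net(pol.server)


def evaluate(policies: List[IpPolicy], client_ip: str,
             server_ip: Optional[str] = None) -> Decision:
    """Return the decision for a connection initiated by client_ip to server_ip."""
    for idx, pol in enumerate(policies, start=1):
        if not _matches(pol, client_ip, server_ip):
            continue
        if pol.reject:
            return Decision(idx, "reject", {}, False)
        profiles = dict(pol.profiles)
        if not pol.skip_recipient_match:
            # The page states the IP pool profile is ignored unless the
            # "don't check for a recipient match" option is enabled.
            profiles.pop("ip_pool", None)
        return Decision(idx, "accept", profiles, not pol.skip_recipient_match)
    return Decision(None, "no-match", {}, True)


def _covers(earlier: IpPolicy, later: IpPolicy) -> bool:
    """True if every connection 'later' could match is already matched by 'earlier'."""
    if not _net(later.client).subnet_of(_net(earlier.client)):
        return False
    if earlier.server is None:          # earlier matches any server address
        return True
    return later.server is not None and \
        _net(later.server).subnet_of(_net(earlier.server))


def find_shadowed(policies: List[IpPolicy]) -> List[int]:
    """'#' numbers of policies that can never match because an earlier policy
    already covers them. Useful as a check after reordering with Move."""
    return [i + 1 for i, later in enumerate(policies)
            if any(_covers(earlier, later) for earlier in policies[:i])]


# Constructed transparent-mode policy list (sample addresses, not real hosts).
POLICIES = [
    IpPolicy("192.0.2.0/24", "198.51.100.10", reject=True),
    IpPolicy("198.51.100.10", "192.0.2.0/24", skip_recipient_match=True,
             profiles={"session": "outbound", "antispam": "relaxed",
                       "ip_pool": "pool-A"}),
    IpPolicy("10.0.0.0/8", profiles={"session": "inbound", "antispam": "strict",
                                      "ip_pool": "pool-B"}),
]

if __name__ == "__main__":
    # The same two hosts get different policies depending on who initiates.
    for c, s in [("192.0.2.25", "198.51.100.10"), ("198.51.100.10", "192.0.2.25"),
                 ("10.1.2.3", "198.51.100.10"), ("203.0.113.7", None)]:
        print(c, "->", s, evaluate(POLICIES, c, s))
    # A broad policy placed first hides the narrower one below it.
    print("shadowed:", find_shadowed([IpPolicy("10.0.0.0/8"),
                                      IpPolicy("10.1.0.0/16", "198.51.100.10")]))
```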


AntiSpam
The AntiSpam menu enables you to configure antispam settings that are system-
wide or otherwise not configured individually for each antispam profile. It also
enables you to monitor and maintain some antispam features, such as sender
reputation and quarantined email.
Several antispam features require that you first configure system-wide, per-
domain, or per-user settings in the AntiSpam menu before you can use the feature
in an antispam profile. For example, before you can enable FortiGuard Antispam
scanning in an antispam profile, you must enable the service and verify
connectivity with the FortiGuard Antispam service using the AntiSpam menu. For
more information on antispam profiles, see “AntiSpam” on page 241.
The AntiSpam menu includes:
• Quarantine
• FortiGuard-AntiSpam
• Bayesian
• Black/White List
• Greylist
• Sender Reputation
• MSISDN Reputation
• Bounce Verification

Quarantine
The Quarantine submenu enables you to view and delete email messages that
have been quarantined to the FortiMail unit’s hard drive, to configure the
quarantines, and to configure system-wide settings for spam reports.
You can quarantine email messages based upon the content of the email
messages, such as whether the email is spam or contains a prohibited word or
phrase. FortiMail units have two types of quarantine:
• Per-recipient quarantine: Quarantines email messages into separate folders
for each recipient address in each protected domain. The FortiMail periodically
sends spam reports to notify recipients, their designated group owner, and/or
another email address of the email messages that have been added to the
quarantine folder for that recipient.
• System quarantine: Quarantines email messages into a system-wide
quarantine. Unlike the per-recipient quarantine, the FortiMail unit does not
send a spam report and a FortiMail administrator should review the
quarantined email messages to decide if they should be released or deleted.
To quarantine spam and/or email with prohibited content, you must first select a
quarantine action in an antispam profile or content profile. Quarantine actions,
such as whether to quarantine to the system quarantine or the per-recipient
quarantine, vary by whether the profile is a content profile or antispam profile, and
whether the email is incoming or outgoing. For more information on quarantine
actions, see “Actions options” on page 257, “Actions options” on page 263,
“Incoming” on page 276, and “Outgoing” on page 281.


Note: For more information on determining directionality, see “Incoming vs. outgoing
recipient-based policies” on page 355 and “Incoming vs. outgoing SMTP connections” on
page 214.

All FortiMail models can be configured to remotely store their quarantined email
messages in a centralized quarantine hosted on a FortiMail-2000 model or
greater. For more information, see “Storage” on page 178.
The Quarantine menu includes the following tabs:
• Recipients
• Control Account
• Spam Report
• System quarantine
• System quarantine setting

Recipients
The Recipients tab displays the per-recipient quarantine.
When incoming email matches a policy in whose profile you have configured the
FortiMail unit to quarantine the email to the per-recipient spam quarantine, the
FortiMail unit will save the email to its hard drive and not deliver it to the recipient.
Instead, the FortiMail unit will periodically send a spam report to email users, their
designated group owner, or another recipient (if you have configured one in the
advanced mode of the web-based manager). The spam report, by default sent
once a day at 9 AM, lists all email messages that were withheld since the previous
spam report. Using the spam report, email users can review email message
details and release any email messages that are false positives by clicking the link
associated with them. The email message will then be released from the
quarantine and delivered to the email user’s inbox. Using the web-based
manager, FortiMail administrators can also manually release or delete
quarantined email. For more information on deleting email that has been
quarantined to the per-recipient quarantine, see “Managing email in per-recipient
quarantines” on page 368. For information on configuring the schedule and
recipients of the spam report, see “Spam Report” on page 376.
You can configure the FortiMail unit to send email to the per-recipient quarantine
by selecting “Quarantine” as the action in content profiles and antispam profiles.
For more information, see “Actions options” on page 257 and “Incoming” on
page 276.
Unlike the system-wide quarantine, the per-recipient quarantine can be accessed
remotely by email users so that they can manage their own quarantined email. For
information on configuring remote per-recipient quarantine access through email,
see “Control Account” on page 375. For information on configuring remote per-
recipient quarantine access through HTTP or HTTPS, see “Spam Report” on
page 376.
To view the list of per-recipient quarantine folders, go to AntiSpam >
Quarantine > Recipients.


Figure 275: Recipients

Select a domain    Select the name of a protected domain to view per-recipient
                   quarantines for recipients in that protected domain.
                   For more information on protected domains, see “Domains” on
                   page 180.
Search             Select to search email in the per-recipient quarantine. For details,
                   see “Searching email in the per-recipient quarantine” on page 369.
Previous Page icon Select to view the previous page.
Next Page icon     Select to view the next page.
View n lines each page
                   Select the number of lines to display per page.
Search icon        To display the per-recipient quarantine for an email user, from
                   Select a domain, select the name of a protected domain, then enter
                   the user name portion of a recipient address in the field to the left
                   of the Search icon, and select the Search icon.
Compact            In the Check column, mark the checkboxes in the rows corresponding
                   to the quarantine folders that you want to compress, then select
                   Compact.
                   Note: Folder sizes are updated once an hour. The reduction in folder
                   size will not be immediately reflected after you compress a folder.
Delete selected recipients folder
                   In the Check column, mark the checkboxes in the rows corresponding
                   to the quarantine folders that you want to delete, then select Delete
                   selected recipients folder.
                   Caution: Per-recipient quarantine folders contain both the email
                   user’s recipient quarantine and other data such as the email user’s
                   preferences and personal white lists and black lists. Deleting a
                   quarantine folder will delete contained spam, but will also delete
                   that other personal data. To avoid this, delete email in the
                   quarantine folder, but not the quarantine folder itself. For more
                   information, see “Managing email in per-recipient quarantines” on
                   page 368.
Send spam report to <All or Selected> users for the past n hours
                   Enter the number of previous hours’ worth of spam to include in the
                   spam report, then either:
                   • select All to send a spam report to all email users for which
                     spam was quarantined to the per-recipient quarantine
                   • in the Check column, mark the checkboxes of each email user for
                     which you want to send a spam report if the FortiMail unit
                     quarantined spam for that email user, then select Selected
                   You can configure a spam report schedule to automatically send spam
                   reports. For more information, see “Spam Report” on page 376 and
                   “Spam Report Setting” on page 192.
#                  The index number of the entry in the list.
Check              To select all quarantine folders, select the checkbox in the Check
                   column heading.
                   To select individual quarantine folders, in the Check column, mark
                   the checkboxes in the rows of quarantine folders that you want to
                   select.
Recipient          The email address of a recipient for which the FortiMail unit has
                   quarantined email.
                   Select to view email messages quarantined for that recipient. For
                   more information, see “Managing email in per-recipient quarantines”
                   on page 368.
Size(KBytes)       The size of the quarantine folder.
                   Note: Folder sizes are updated once an hour.

Managing email in per-recipient quarantines


You can view, delete, and release email that has been quarantined to per-recipient
quarantines.

Note: Email users can also manage their own per-recipient quarantines through spam
reports. For more information, see “Releasing and deleting email from the per-recipient
quarantine using spam reports” on page 382.

To view email messages quarantined for an individual recipient, go to AntiSpam >
Quarantine > Recipients, then select the email address of the recipient.

Figure 276: Viewing email messages in a per-recipient quarantine

Previous Page icon Select to view the previous page.
Next Page icon     Select to view the next page.
View n lines each page
                   Select the number of lines to display on each page.
#                  The index number of the email message.
                   Select to view the email message.
Delete             To delete all email messages in the quarantine for this recipient,
                   mark the checkbox in the Delete column heading, then select OK.
                   To delete individual email messages in the quarantine for this
                   recipient, mark checkboxes in the rows of email messages that
                   you want to delete, then select OK.
Release            To release all email messages in the quarantine for this recipient,
                   mark the checkbox in the Release column heading, then select
                   OK.
                   To release individual email messages in the quarantine for this
                   recipient, mark checkboxes in the rows of email messages that
                   you want to release, then select OK.
From               The name of the sender, such as “User 1”.
Subject            The subject line of the email.
Date               The time of the email.
Received           The time that the email was quarantined.
EnvelopeFrom       The email address of the sender as it appears in the SMTP
                   envelope, such as user1@example.com.

To view a quarantined email message


1 Go to AntiSpam > Quarantine > Recipients.
2 In the Recipient column, select the email address of the recipient whose
quarantine you want to view.
A list appears which contains email messages quarantined for that recipient.
3 In the “#” column, in the row corresponding to the email message that you want to
view, select the index number.
A pop-up window appears which displays the email message. If the message
body and subject line are not sufficient to help you decide whether you want to
release or delete the email, you can select the “Detailed Header” link to view
additional message headers.

To delete quarantined email for a recipient


1 Go to AntiSpam > Quarantine > Recipients.
2 In the Recipient column, select the email address of the recipient whose
quarantine you want to view.
3 In the Delete column, mark the checkboxes of the email messages that you want
to delete, or select the checkbox in the Delete column heading to mark the
checkboxes for all email messages in the per-recipient quarantine.
4 Select OK.
A confirmation dialog appears.
5 Select OK.
The selected email messages are deleted.

To release quarantined email for a recipient


1 Go to AntiSpam > Quarantine > Recipients.
2 In the Recipient column, select the email address of the recipient whose
quarantine you want to view.
3 In the Release column, mark the checkboxes of the email messages that you
want to release, or select the checkbox in the Release column heading to mark
the checkboxes for all email messages in the per-recipient quarantine.
4 Select OK.
A confirmation dialog appears.
5 Select OK.
The selected email messages are sent to the recipient.

Searching email in the per-recipient quarantine


You can search the per-recipient quarantine for email messages based on their
content and message recipient, across any or all protected domains.


Figure 277: Quarantine Search
Search Result
Refresh     Select to refresh the page. This can be useful to display the current
            Status of a search task.
#           The index number of a search task.
            Select to display the search results.
Status      The completion status of the search task, such as Done or Pending.
Name        The date and time on which the search task was executed.
            Select to display the search results.
Action      Select View Result to display the search results.
            Select Copy to New to create a new search task by duplicating the
            settings of this search task.
            Select “stop” to pause the search task. The icon changes to a green
            “resume” arrow. Select “resume” to resume the search task.
            Select Delete to remove the search results.

To search the per-recipient quarantine


1 Go to AntiSpam > Quarantine > Recipients.
2 Select the Search button located next to Select a domain.


3 Select the blue arrow to expand New Search Task.
4 Configure one or more of the following search criteria.
Email messages must match all criteria that you configure in New Search Task in
order to be included in the search results. For example, if you configure From and
Subject, only email messages matching both From and Subject will be included in
the search results.

From        Enter the email address of the sender.
To          Enter the email address of the recipient.
Cc          Enter the carbon copy email addresses.
Subject     Enter the subject line.
Text        Enter text that appears in the message body.
Time        Select the range of time of email messages that you want to include
            in the search results.
User        Enter the user name portion of recipient email addresses whose
            quarantine folders you want to search.
Domain      To select which protected domains’ per-recipient quarantines will be
            searched, in the text area on the left, select the names of one or
            more protected domains, then select the right arrow to move them
            into the text area on the right.
            You must select at least one protected domain to search.

5 Select OK.
The FortiMail unit executes the search, which appears in the Search Result
section.

System quarantine
The System quarantine tab displays the system quarantine.
Unlike the per-recipient quarantine, the system quarantine cannot be accessed
remotely by email users; they will not receive spam reports for email held in the
system quarantine, and cannot manage the system quarantine themselves. A
FortiMail administrator should therefore periodically review the contents of the
system quarantine. Alternatively, you can configure a special-purpose system
quarantine administrator for this task. For more information, see “System
quarantine setting” on page 384.
By default, the system quarantine is not used. You can configure the FortiMail unit
to send email to the system quarantine by selecting “Quarantine to Review” in
content profiles and “Quarantine to review” in outgoing antispam profiles. For
more information, see “Actions options” on page 263 and “Outgoing” on page 281.
To view the list of system quarantine folders, go to AntiSpam > Quarantine >
System quarantine.


Figure 278: System quarantine

Previous Page  Select to display the previous page.
Next Page      Select to display the next page.
View n Folders Select the number of lines to display per page.
Compact        In the Check column, mark the checkboxes of each email user whose
               quarantine folder you want to compress, then select Compact.
               Note: Folder sizes are updated once an hour. The reduction in folder
               size will not be immediately reflected after a compress is executed.
Delete         In the Check column, mark the checkboxes in the rows corresponding
               to the folders that you want to delete, then select Delete.
#              The index number of the entry in the list.
Check          To select every quarantine folder in the list, mark the checkbox in
               the column heading.
               To select individual quarantine folders, in each row corresponding
               to a quarantine folder that you want to select, mark the checkbox.
Folder         The system quarantine folders are listed with the newest sorted to
               the top row of the column.
               The current folder is named “Inbox.” Older system quarantine
               folders, also called rotated folders, are named according to their
               creation date and the rename date. For information on configuring
               rotation of the system quarantine folder, see “System quarantine
               setting” on page 384.
               Select to view email messages quarantined in that folder.
Size(KBytes)   The size of the quarantine folder.
               Note: Folder sizes are updated once an hour.

Managing email in the system quarantine


You can view, delete, release, and forward email that has been quarantined to the
system quarantine.

Note: You can also configure a system quarantine administrator account whose exclusive
purpose is to manage the system quarantine. For more information, see “System
quarantine setting” on page 384.

To view email messages quarantined to the system quarantine, go to AntiSpam >
Quarantine > System quarantine, then select a system quarantine folder.


Figure 279: Viewing email messages in a system quarantine folder

Previous Page   Select to view the previous page.
Next Page       Select to view the next page.
Back            Select to return to viewing the list of system quarantine folders.
Search          Select to search the system quarantine. For details, see
                “Searching email in the system quarantine” on page 374.
View n messages each page
                Select the number of lines to display on each page.
Delete          To delete all email messages in this folder, mark the checkbox in
                the checkbox column heading, then select OK.
                To delete individual email messages in this folder, mark
                checkboxes in the rows of each email message that you want to
                delete, then select OK.
Release         To release all email messages in this folder, mark the checkbox in
                the checkbox column heading, then select OK.
                To release individual email messages in this folder, mark
                checkboxes in the rows of each email message that you want to
                release, then select OK.
(Checkbox without column heading.)
                To select all email messages in the folder, mark the checkbox
                located in the checkbox column heading. This automatically
                marks all other checkboxes.
                To select individual email messages in the folder, mark
                checkboxes in the row of each email message.
(Empty column heading.)
                Indicates whether or not the quarantined email has been viewed.
                • Open envelope: The email message has been previously viewed.
                • Unopened envelope: The email message has not yet been viewed.
                Select the icon to display the email message. For details, see
                “To display, release, delete, or forward an email in the system
                quarantine” on page 374.
Subject         The subject line of the email.
                Select to display the email message. For details, see “To display,
                release, delete, or forward an email in the system quarantine” on
                page 374.
From            The display name of the sender as it appears in the message
                header, such as “User 1”.
To              The display name of the recipient as it appears in the message
                header, such as “User 2”.
Rcpt To         The user name portion of the recipient email address as it
                appears in the message envelope, such as “user2” where the full
                recipient email address is user2@example.com.
Received        The time that the email was quarantined.
Size            The size of the email message.

To display, release, delete, or forward an email in the system quarantine


1 Go to AntiSpam > Quarantine > System quarantine.
2 In the Folder column, select the name of a system quarantine folder.
3 In the Subject column, select the subject line of the email message.
Alternatively, in the envelope icon column, select the envelope icon of the email
message.
The email message appears, including basic message headers such as the
subject and date.

Figure 280:Viewing an email message in the system quarantine

4 Select the action that you want to perform on the quarantined email.
• To view additional message headers, select “detail header”.
• To release the email message to its recipient, select Release.
• To delete the email message from the quarantine, select Delete.
• To forward the email message to another email address, select Forward. To
use an email address from the system quarantine administrator or system-
wide address book, select “To:”, “CC:”, or “BCC:”. For information on adding
email addresses to the system quarantine administrator’s address book, see
“Access Address Book” on page 385.

Searching email in the system quarantine


You can search the system quarantine for email messages based on their
message body content and message headers.

To search the system quarantine

1 Go to AntiSpam > Quarantine > System quarantine.
2 In the Folder column, select the name of a system quarantine folder.
3 Select Search.


4 Configure one or more of the following search criteria.


Email messages must match all criteria that you configure in order to be included
in the search results. For example, if you configure From and Subject, only email
messages matching both From and Subject will be included in the search results.

Figure 281: Content Quarantined Messages Searching

From            Enter either or both the display name and sender email address
                as it appears in the message header, such as:
                User 1 <user1@example.com>
To              Enter either or both the display name and recipient email
                address as it appears in the message header, such as:
                User 2 <user2@example.com>
CC              Enter carbon copy email addresses.
Subject         Enter all or part of the text contained in the subject line.
Text            Enter all or part of the text contained in the message body.
From (date selector)
                Enter the beginning of the range of email message dates to
                include in the search results.
To (date selector)
                Enter the end of the range of email message dates to include in
                the search results.

5 Select Apply.
The FortiMail unit executes the search, and displays a list of email messages in
the system quarantine that match the search criteria.

Control Account
The Control Account tab enables you to configure quarantine control account
email addresses.
Email users can remotely release or delete email messages in their per-recipient
quarantine by sending email to quarantine control account email addresses.
For example, if Release User is release-ctrl and the local domain name of
the FortiMail unit is example.com, an email user could release an email
message from their per-recipient quarantine by sending an email to release-
ctrl@example.com.
For more information, see “Releasing and deleting email from the per-recipient
quarantine using spam reports” on page 382.
To configure the quarantine release and delete email addresses, go to
AntiSpam > Quarantine > Control Account.


Figure 282: Auto Release Accounts

Release User   Enter the user name portion, such as release-ctrl, of the email
               address on the FortiMail unit that will receive quarantine release
               commands.
               Note: If you have more than one FortiMail unit, this must be unique
               on each FortiMail unit.
Delete User    Enter the user name portion, such as delete-ctrl, of the email
               address on the FortiMail unit that will receive quarantine delete
               commands.
               Note: If you have more than one FortiMail unit, this must be unique
               on each FortiMail unit.

Spam Report
The Spam Report tab enables you to configure various system-wide aspects of
the spam report, including the schedule for when the FortiMail unit will send spam
reports.
FortiMail units send spam reports to notify email users when email has been
quarantined to their per-recipient quarantine. If no email messages have been
quarantined to the per-recipient quarantine folder in the period since the previous
spam report, the FortiMail unit will not send a spam report.
In addition to the system-wide spam report settings, you can also configure some
spam report settings individually for each protected domain, including whether the
FortiMail unit will send either or both plain text and HTML format spam reports. For
more information, see “Spam Report Setting” on page 192.
For information on the contents of the plain text and HTML format spam report,
see “Understanding the plain text formatted spam report” on page 378 and
“Understanding the HTML formatted spam report” on page 380.


Figure 283: Spam Report

Schedule
These Hours     Select the hours of the day during which you want the FortiMail
                unit to generate spam reports.
These Days      Select the days of the week during which you want the FortiMail
                unit to generate spam reports.
Webmail Access Setting
Time Limited Access Without Authentication
                Enable to allow email users to access their per-recipient quarantine
                without having to log in when they click a web access link in their
                spam report. Also configure Expiry Period.
                Disable to require that email users enter their user name and
                password.
Expiry Period   Enter the period of time after the spam report is generated during
                which the email user can access the per-recipient quarantine
                without authenticating.
                This option is available only if Time Limited Access Without
                Authentication is enabled.
Using HTTPS     Select to redirect HTTP requests for FortiMail webmail and
                per-recipient quarantines to secure access using HTTPS.
                Note: For this option to function properly, you must also enable
                both HTTP and HTTPS access protocols on the network interface to
                which the email user is connecting. For more information, see
                “Editing network interfaces” on page 130.
Web Release Host Name/IP
                Enter a host name for the FortiMail unit that will be used for web
                release links in spam reports. If this field is left blank:
                • If the FortiMail unit is operating in gateway mode or server
                  mode, web release links in the spam report will use the local
                  domain name of the FortiMail unit. For more information, see
                  “Local Host” on page 167.
                • If the FortiMail unit is operating in transparent mode, web
                  release links in the spam quarantine report will use the FortiMail
                  unit’s management IP address. For more information, see
                  “Management IP” on page 135.
                Configuring an alternate host name for web release links can be
                useful if the local domain name or management IP of the FortiMail
                unit is not resolvable from everywhere that email users will use
                their spam reports. In that case, you can override the web release
                link to use a globally resolvable host name or IP address.
Spam Report Recipient Setting
Domain          The name of a protected domain.
                For more information on protected domains, see “Domains” on
                page 180.
Send to Individual Recipients
                Enable to send spam reports to each recipient address in the
                protected domain.
Send to LDAP Group Owner
                Enable to send spam reports to the email addresses of group
                owners, then select the name of an LDAP profile in which you have
                enabled and configured Group Query Options. For more
                information, see “Creating LDAP profiles” on page 321.
Send to Other Recipient
                Enable to send spam reports to an email address other than the
                recipients or group owners, then enter the email address.

Understanding the plain text formatted spam report


Plain text spam reports:
• notify email users about email messages that have been quarantined to their
per-recipient quarantine
• explain how to delete one or all quarantined email messages
• explain how to release individual email messages
For plain text spam reports, you can only release email from the per-recipient
quarantine by using the email release method. For more information on how to
release email from the per-recipient quarantine, see “Releasing and deleting email
from the per-recipient quarantine using spam reports” on page 382.

Note: The contents of spam reports are customizable. For more information, see “Custom
Messages” on page 173.


Figure 284: Sample plain text spam report


Table 16: Sample plain text spam report

Message header of spam report:
  Subject: Quarantine Summary: [ 3 message(s) quarantined from Thu, 04 Sep 2008 11:00:00 to Thu, 04 Sep 2008 12:00:00 ]
  From: release-ctrl@example.com
  Date: Thu, 04 Sep 2008 12:00:00
  To: user1@example.com

Quarantined email #1:
  Date: Thu, 04 Sep 2008 11:52:51
  Subject: [SPAM] information leak
  From: User 1 <user1@example.com>
  Message-Id: MTIyMDU0MzU3MS43NDJfNTk5ODcuRm9ydGlNYWlsLTQwMCwjRiNTIzYzMyNFLFU4OjIsUw==

Quarantined email #2:
  Date: Thu, 04 Sep 2008 11:51:10
  Subject: [SPAM] curious?
  From: User 1 <user1@example.com>
  Message-Id: MTIyMDU0MzQ3MC43NDFfOTA0MjcxLkZvcnRpTWFpbC00MDAsI0YjUyM2MjUjRSxVNzoyLA==

Quarantined email #3:
  Date: Thu, 04 Sep 2008 11:48:50
  Subject: [SPAM] Buy now!!!! lowest prices
  From: User 1 <user1@example.com>
  Message-Id: MTIyMDU0MzMzMC43NDBfNjkwMTUwLkZvcnRpTWFpbC00MDAsI0YjUyM2NDIjRSxVNToyLA==

Instructions for deleting or releasing quarantined email:
  Actions:

  o) Release a message: Send an email to <release-ctrl@example.com> with subject line set to "user1@example.com:Message-Id".
  o) Delete a message: Send an email to <delete-ctrl@example.com> with subject line set to "user1@example.com:Message-Id".
  o) Delete all messages: Send an email to <delete-ctrl@example.com> with subject line set to "delete_all:user1@example.com:e4d46814:ac146004:05737c7c111d68d0111d68d0111d68d0".

Understanding the HTML formatted spam report


HTML spam reports:
• notify email users about email messages that have been quarantined to their
per-recipient quarantine
• contain links to delete one or all quarantined email messages (see Figure 285
on page 381)
• contain links to release individual email messages (see Figure 285 on
page 381)
From an HTML format spam report, you can release or delete messages by using
either web or email release methods. For more information on how to release
email from the per-recipient quarantine, see “Releasing and deleting email from
the per-recipient quarantine using spam reports” on page 382.


Release links in an HTML formatted spam report may link to either the
management IP address, local domain name, or an alternative host name for the
FortiMail unit. For more information, see “Web Release Host Name/IP” on
page 378.

Note: The contents of spam reports are customizable. For more information, see “Custom
Messages” on page 173.

Figure 285: Sample HTML spam report
(Callouts: web release and web delete links; email release and email delete links)


Table 17: Sample HTML spam report

Message header of spam report:
  Subject: Quarantine Summary: [ 3 message(s) quarantined from Thu, 04 Sep 2008 11:00:00 to Thu, 04 Sep 2008 12:00:00 ]
  From: release-ctrl@example.com
  Date: Thu, 04 Sep 2008 12:00:00
  To: user1@example.com

Quarantined email #1:
  Date: Thu, 04 Sep 2008 11:52:51
  From: User 1 <user1@example.com>
  Subject: [SPAM] information leak
  Web Actions: Release Delete
  Email Actions: Release Delete

Quarantined email #2:
  Date: Thu, 04 Sep 2008 11:51:10
  From: User 1 <user1@example.com>
  Subject: [SPAM] curious?
  Web Actions: Release Delete
  Email Actions: Release Delete

Quarantined email #3:
  Date: Thu, 04 Sep 2008 11:48:50
  From: User 1 <user1@example.com>
  Subject: [SPAM] Buy now!!!! lowest prices
  Web Actions: Release Delete
  Email Actions: Release Delete

Instructions for deleting or releasing quarantined email:
  Web Actions:
  Click on Release link to send a http(s) request to have the message sent to your inbox.
  Click on Delete link to send a http(s) request to delete the message from your quarantine.
  Click Here to send a http(s) request to Delete all messages from your quarantine.

  Email Actions:
  Click on Release link to send an email to have the message sent to your inbox.
  Click on Delete link to send an email to delete the message from your qurantine.
  Click here to send an email to Delete all messages from your quarantine.

  Other:
  To view your entire quarantine inbox or manage your preferences, Click Here

Releasing and deleting email from the per-recipient quarantine using spam reports

Spam reports enable recipients to remotely monitor and delete or release email
messages in the per-recipient quarantine folders.
Depending on whether the spam report is sent and viewed in plain text or HTML
format, a spam report recipient may be able to use either or both web release and
email release methods to release or delete email from a per-recipient quarantine.


• Web release: To release or delete an email from the per-recipient quarantine, the recipient must select the “Release” web action link, which sends an HTTP or HTTPS request to the FortiMail unit. Available for HTML format spam reports only.

Figure 286: Releasing an email from the per-recipient quarantine using web release

• Email release: To release or delete an email from the per-recipient quarantine, the recipient must either:
  • Select the “Release” email action link, which creates a new email message containing all required information, then send it to the quarantine control account of the FortiMail unit. Available for HTML format spam reports only.
  • Manually send an email message to the quarantine control account of the FortiMail unit. The To: address must be the quarantine control account email address, such as release-ctrl@example.com or delete-ctrl@example.com. The subject line must contain both the recipient email address and Message-Id of the quarantined email, separated by a colon (:), such as:
    user1@example.com:MTIyMDU0MDk1Ni43NDRfMTk2ODU0LkZvcnRpTWFpbC00MDAsI0YjUyM2NjUjRQ==
    Available for plain text spam reports.

Figure 287: Releasing an email from the per-recipient quarantine using email release
(Callouts: release quarantine control account; subject line containing email address of original recipient and Message-Id, separated by a colon (:))


The email addresses of quarantine control accounts are configurable. For information, see “Control Account” on page 375.
Web release links may be configured to expire after a period of time, and may or
may not require the recipient to log in to the FortiMail unit. For more information,
see “Spam Report” on page 376.
For more information on the differences between plain text and HTML format
spam reports, see “Understanding the plain text formatted spam report” on
page 378 and “Understanding the HTML formatted spam report” on page 380.
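The control-account exchange described above (the manual email release method, and the plain text report instructions in Table 16) as an added example; this is not FortiMail code. It builds the message a user would send by hand, and shows how a receiving side could validate such a message before acting on it. The two control addresses are the ones in the sample report; the regular expressions for the Message-Id and delete_all token shapes, and the requirement that the From: address name the same quarantine as the subject, are this example's own assumptions, since the guide does not describe how the FortiMail unit checks these messages.

```python
"""Quarantine control-account requests: build one, and validate one on receipt.
Added example, not FortiMail code. Formats follow the guide's sample report:
To: release-ctrl@example.com or delete-ctrl@example.com,
Subject: "<recipient>:<Message-Id>" or "delete_all:<recipient>:<token>"."""
import email
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from typing import Optional

# Control-account addresses as in the guide's sample; the guide notes they are
# configurable, so a real deployment would take these from its configuration.
CONTROL_ACCOUNTS = {"release-ctrl@example.com": "release",
                    "delete-ctrl@example.com": "delete"}
ADDRESS_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")
MESSAGE_ID_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # sample Message-Ids are base64 text (assumption)
TOKEN_RE = re.compile(r"^[0-9a-f:]+$")                 # shape of the sample delete_all token (assumption)


@dataclass(frozen=True)
class ControlRequest:
    action: str                # "release", "delete" or "delete_all"
    recipient: str             # owner of the per-recipient quarantine
    message_id: Optional[str]  # None for delete_all
    token: Optional[str]       # only for delete_all


def build_control_email(sender: str, control_account: str, message_id: str) -> EmailMessage:
    """The message a plain text report asks the user to send by hand: the
    quarantine owner's address and the Message-Id, separated by a colon."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = control_account
    msg["Subject"] = f"{sender}:{message_id}"
    return msg


def _check_owner(sender: str, recipient: str) -> None:
    # Added check: the From: address must name the quarantine being acted on.
    # A header is not authentication, but a mismatch is a clear reason to discard.
    if sender != recipient:
        raise ValueError("sender does not match the quarantine owner in the subject")


def parse_control_request(msg) -> ControlRequest:
    """Validate an inbound control-account message; ValueError means discard it."""
    to_addr = str(msg["To"] or "").strip().lower()
    action = CONTROL_ACCOUNTS.get(to_addr)
    if action is None:
        raise ValueError(f"not a quarantine control account: {to_addr!r}")
    sender = str(msg["From"] or "").strip().lower()
    subject = str(msg["Subject"] or "").strip()

    if subject.lower().startswith("delete_all:"):
        if action != "delete":
            raise ValueError("delete_all is only valid for the delete control account")
        parts = subject.split(":", 2)  # the token keeps its own colons
        if len(parts) != 3:
            raise ValueError("malformed delete_all subject")
        recipient, token = parts[1].lower(), parts[2]
        if not ADDRESS_RE.match(recipient) or not TOKEN_RE.match(token):
            raise ValueError("malformed delete_all subject")
        _check_owner(sender, recipient)
        return ControlRequest("delete_all", recipient, None, token)

    recipient, sep, message_id = subject.partition(":")
    recipient = recipient.lower()
    if not sep or not ADDRESS_RE.match(recipient) or not MESSAGE_ID_RE.match(message_id):
        raise ValueError("subject must be <recipient>:<Message-Id>")
    _check_owner(sender, recipient)
    return ControlRequest(action, recipient, message_id, None)


def parse_raw(raw: str) -> ControlRequest:
    return parse_control_request(email.message_from_string(raw, policy=policy.default))


def is_valid_request(raw: str) -> bool:
    try:
        parse_raw(raw)
        return True
    except ValueError:
        return False


# Constructed inbound messages. The first reuses the delete_all subject from the
# guide's Table 16; the second names a quarantine its sender does not own.
SAMPLE_DELETE_ALL = """\
From: user1@example.com
To: delete-ctrl@example.com
Subject: delete_all:user1@example.com:e4d46814:ac146004:05737c7c111d68d0111d68d0111d68d0

"""
SAMPLE_MISMATCHED = """\
From: user2@example.com
To: release-ctrl@example.com
Subject: user1@example.com:QUJDREVG

"""
```

The owner check is a sanity check rather than authentication, since a sender controls its own headers; the web release path is protected separately by the Expiry Period or by a login, as described under “Spam Report” above.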

System quarantine setting


The System quarantine Setting tab enables you to configure system quarantine
quota and rotation. It also enables you to configure a system quarantine
administrator account exclusively for the purpose of managing the system-wide
quarantine, which cannot be managed by individual email users through their
spam reports.
Like other FortiMail administrators, the system quarantine administrator can log in
to the web-based manager. However, he or she has access only to the system
quarantine. In this way, you can assign the periodic review of the system
quarantine to someone else without allowing that person full administrative access
to all FortiMail unit settings.

Note: The system quarantine administrator can also view the system quarantine using a
POP3 or IMAP email client. To do this, configure the email client with the IP address of the
FortiMail unit as the POP3 or IMAP server, using the system quarantine administrator
account name and password.

To configure the system quarantine administrator or to configure system quarantine quotas, go to AntiSpam > Quarantine > System quarantine Setting.

Figure 288: System Quarantine Settings

Account Name: Enter the user name of the system quarantine administrator account. This is the same user name that this person will use to log in to the web-based manager in order to manage the system quarantine.
Password: Enter the password for the system quarantine administrator account.


Forward To: Enter an email address to which the FortiMail unit will forward a copy of each email that is quarantined to the system quarantine.
Mailbox rotation size: Enter the maximum size of the current system quarantine folder (“Inbox”). When the folder reaches this size, the FortiMail unit renames the current folder based upon its creation date and rename date, and creates a new “Inbox” folder. Alternatively or additionally, configure Mailbox rotation time. For more information, see “Folder” on page 372.
Mailbox rotation time: Enter the maximum amount of time that the current system quarantine folder (“Inbox”) will be used. When the folder reaches this age, the FortiMail unit renames the current folder based upon its creation date and rename date, and creates a new “Inbox” folder. Alternatively or additionally, configure Mailbox rotation size. For more information, see “Folder” on page 372.
Disk Quota: Enter the maximum amount of disk space the system quarantine will be permitted to use, including rotated folders. The maximum configurable disk quota depends on the amount of available disk space.
Quarantine options when disk quota is full: Select the action that the FortiMail unit will take when the system quarantine has consumed its disk quota, either:
• Overwrite: Discard the oldest email messages in the system quarantine in order to use the disk space to quarantine new email messages.
• Do not quarantine: Discard and do not quarantine new email messages.
Access Address Book: Select to add, delete, back up, or restore email addresses in the address book of the system quarantine administrator account. Email addresses in this address book can be convenient when a system quarantine administrator wants to forward quarantined email messages. For more information, see “To display, release, delete, or forward an email in the system quarantine” on page 374.
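The rotation and quota settings in the table above interact in ways that are easier to see on sample input. The following is an added example, not FortiMail's implementation: a small model with a current “Inbox” folder, rotation by size or by age, a disk quota that counts rotated folders, and the two quota-full actions. The folder naming scheme, the 400-byte message sizes, the arrival times and all limits are constructed for the example.

```python
"""Model of system-quarantine folder rotation and disk-quota handling.
Added example, not FortiMail's implementation; it mirrors the settings
Mailbox rotation size, Mailbox rotation time, Disk Quota and the two
"quota full" actions so their interaction can be traced on sample input."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

OVERWRITE = "overwrite"                  # discard oldest quarantined email to make room
DO_NOT_QUARANTINE = "do_not_quarantine"  # discard the new email instead


@dataclass
class Folder:
    name: str
    created: datetime
    messages: List[Tuple[datetime, int]] = field(default_factory=list)  # (received, bytes)

    @property
    def size(self) -> int:
        return sum(size for _, size in self.messages)


class SystemQuarantine:
    def __init__(self, rotation_size: int, rotation_time: timedelta,
                 disk_quota: int, when_full: str, now: datetime):
        self.rotation_size = rotation_size
        self.rotation_time = rotation_time
        self.disk_quota = disk_quota
        self.when_full = when_full
        self.inbox = Folder("Inbox", created=now)
        self.rotated: List[Folder] = []  # oldest first
        self.overwritten = 0             # old messages discarded under OVERWRITE
        self.dropped = 0                 # new messages refused

    def total_size(self) -> int:
        """The quota covers the current Inbox plus all rotated folders."""
        return self.inbox.size + sum(f.size for f in self.rotated)

    def _rotate(self, now: datetime) -> None:
        # Rename the full or aged Inbox after its creation and rename dates
        # (naming scheme is this example's own), then start a new Inbox.
        self.inbox.name = f"{self.inbox.created:%Y%m%d-%H%M%S}_{now:%Y%m%d-%H%M%S}"
        self.rotated.append(self.inbox)
        self.inbox = Folder("Inbox", created=now)

    def _discard_oldest(self) -> bool:
        # Oldest message overall lives in the oldest non-empty folder.
        for folder in self.rotated + [self.inbox]:
            if folder.messages:
                folder.messages.pop(0)
                self.overwritten += 1
                return True
        return False

    def quarantine(self, now: datetime, size: int) -> bool:
        """Store one message; True if kept, False if discarded."""
        if self.inbox.messages and (self.inbox.size >= self.rotation_size
                                    or now - self.inbox.created >= self.rotation_time):
            self._rotate(now)
        while self.total_size() + size > self.disk_quota:
            if self.when_full == DO_NOT_QUARANTINE or not self._discard_oldest():
                self.dropped += 1
                return False
        self.inbox.messages.append((now, size))
        return True


def simulate(when_full: str) -> SystemQuarantine:
    """Constructed arrivals: seven 400-byte messages a minute apart, then one two hours later."""
    t0 = datetime(2008, 9, 4, 11, 0, 0)  # date used in the guide's sample reports
    store = SystemQuarantine(rotation_size=1000, rotation_time=timedelta(hours=1),
                             disk_quota=2500, when_full=when_full, now=t0)
    arrivals = [t0 + timedelta(minutes=m) for m in range(7)] + [t0 + timedelta(hours=2)]
    for when in arrivals:
        store.quarantine(when, 400)
    return store
```

Running simulate() with each action on the same arrival pattern shows the trade-off: Overwrite keeps accepting new quarantined mail at the cost of the oldest stored messages, while Do not quarantine keeps the stored mail intact but refuses the new messages. Mail is lost either way once the quota is reached, so the quota should be sized against the rotation settings and the expected volume.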

FortiGuard-AntiSpam
The FortiGuard-AntiSpam submenu enables you to configure the connection to
the FortiGuard Antispam subscription service.
The FortiGuard-AntiSpam menu includes the following tab:
• FortiGuard-Antispam

FortiGuard-Antispam
The FortiGuard-AntiSpam tab enables the FortiGuard Antispam subscription
service. It also enables you to test its connection to the Fortinet Distribution
Network (FDN), and to configure FortiGuard Antispam query caches.
Before you can use the FortiGuard Antispam service, you must:
• purchase a FortiGuard Antispam service contract through Fortinet Technical
Support, or obtain a trial contract
• be able to connect to FDN (for details, see “Update” on page 122 and
“Troubleshooting FDN connectivity” on page 124)
The FortiGuard Antispam service can be used by antispam profiles to identify
spam. For more information, see “AntiSpam” on page 241.


Figure 289: FortiGuard-Antispam Service and Configuration

To configure the FortiGuard-Antispam service


1 Go to AntiSpam > FortiGuard-Antispam.
2 Select Enable Service to activate the FortiGuard-Antispam service.
3 Select Check status to make sure the FortiMail unit can access the
FortiGuard-Antispam server.
After a moment, the FortiGuard-Antispam status should change from Unknown to
Available. If the FortiGuard-Antispam service status is unavailable, wait and try
again.
4 Enter an IP or URI and select Query FortiGuard to determine the address status in
the FortiGuard system. The result will be displayed on the line below.
5 Enable and set a TTL (Time To Live) for the cache.
This sets the number of seconds to store the results of antispam queries from the
FortiGuard servers. If the cache is enabled, locally cached antispam query
information will be checked before contacting the FortiGuard service, possibly
reducing network bandwidth use.
6 Select Apply.
You can now enable FortiGuard-Antispam service for any antispam profile you
create.
Once you select Apply, the FortiGuard-Antispam license type and expiration date
appear.

Bayesian
The Bayesian submenu enables you to manage the databases used to store
Bayesian statistical information for Bayesian antispam processing, and to
configure the email addresses used for remote control and training of the
Bayesian databases.
The Bayesian menu includes the following tabs:
• User


• Control Account
• DB Maintenance

Training Bayesian databases


Bayesian analysis is used to evaluate the header and content of an email
message to determine the probability that it is spam.
Bayesian filters recognize spam messages by looking at the words (or “tokens”)
they contain. The Bayesian filter starts with two collections of email, one of known
spam and one of known non-spam email. For every word in these email
messages, it calculates the probability of a scanned message being spam based
on the proportion of spam occurrences.
However, spammers are constantly trying to invent new ways to defeat spam
filters. Certain words, commonly identified as characteristic of spam, can be
altered by the insertion of symbols such as periods, or by the use of nonstandard
but readable characters such as Â, Ç, Ë, or Í. Therefore, the Bayesian database
still needs to be trained to include new data to maintain accuracy.

Bayesian database types


The FortiMail unit can maintain three types of Bayesian databases: global, group,
and user. They all work in the same way with the Bayesian scanning engine, but
each is designed for a different application.

Global
The global Bayesian database scans any or all email sent and received by the
FortiMail unit. If separate by-domain Bayesian databases are not required, the
global database is the ideal choice because there is only one database to
maintain.
There is only one global Bayesian database on a FortiMail unit.
You can also use the global database for all Bayesian scans enabled in outgoing
antispam profiles. Since only outgoing antispam profiles are available for selection
in IP-based policies, all Bayesian scanning triggered by IP-based policies uses
only the global Bayesian database.

Group
The group Bayesian databases are maintained on a per-protected-domain basis.
This allows the flexibility of a database tailored to filter the email to each domain.
Email messages sent to all protected domains, and matching recipient-based
policies, use group Bayesian databases by default when Bayesian scanning is
enabled.
Because group databases are domain-based, the FortiMail unit maintains a
separate group database for each protected domain.

User
The user Bayesian databases are maintained on a per-user basis for each
protected domain. This allows the user Bayesian database to be fine-tuned to only
the email traffic the user receives.


Each user on each protected domain has a separate Bayesian database stored
on the FortiMail unit. Therefore, if example.com and example.org are defined as
protected domains, user1@example.com and user1@example.org will have
separate user Bayesian databases even if both accounts belong to the same
person.
User Bayesian databases are unique in that they can work with either the group or
global database, whichever is active for the domain. If a user database is mature,
the Bayesian scan will use it to determine if an incoming message is spam. The
global and group Bayesian databases are not used.
A user Bayesian database is considered mature and able to scan email with an
acceptable level of accuracy when it has been trained with a minimum of 100
spam messages and 200 non-spam messages. Until a user database is mature,
the Bayesian scanner will refer to either the global or group database, whichever
is enabled for the recipient domain, when the user database does not contain the
information required for the scan.
To more quickly train user databases to a mature state, you can enable the Use
other techniques for auto training option in incoming antispam profiles. This option
takes incoming email and uses it to train the user Bayesian database in either of
these two circumstances:
• the message is detected as spam by the FortiGuard or SURBL scans
• the message is exempted from antispam scanning because of a system white
list or user white list match.
However, once the user database matures, the global and group databases are
no longer referenced, and no automatic training occurs.
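How the token scoring described under “Training Bayesian databases” and the database selection described above fit together, as an added example that is not FortiMail's engine: a naive Bayes filter over word tokens, trained from in-memory samples or from .mbox files (the input the training pages in this section accept), with the user database used alone once mature (100 spam and 200 non-spam messages) and the group or global database consulted when an immature user database lacks the information. The tokenizer, the 0.01/0.99 clamping, the 15-token combination, the sample corpora and the database names are this example's own choices.

```python
"""Bayesian spam scoring with the user/group database fallback the guide describes.
Added example, not FortiMail's engine. Token probabilities come from the proportion
of spam vs. non-spam training messages containing each token; a user database is
mature at 100 spam and 200 non-spam messages (the guide's thresholds)."""
import mailbox
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from email.message import Message
from typing import Optional, Tuple

MATURE_SPAM, MATURE_HAM = 100, 200
TOKEN_RE = re.compile(r"[a-z0-9!$]{2,}")  # crude word tokenizer (this example's choice)

def tokenize(text: str) -> set:
    return set(TOKEN_RE.findall(text.lower()))

def message_text(msg: Message) -> str:
    """Subject plus text/plain parts: the header and content the filter examines."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(parts)

@dataclass
class BayesianDB:
    name: str
    spam_count: int = 0
    ham_count: int = 0
    spam_tokens: Counter = field(default_factory=Counter)
    ham_tokens: Counter = field(default_factory=Counter)

    def train(self, text: str, is_spam: bool) -> None:
        tokens = tokenize(text)
        if is_spam:
            self.spam_count += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_count += 1
            self.ham_tokens.update(tokens)

    def train_from_mbox(self, path: str, is_spam: bool) -> int:
        """Train from an .mbox of known spam or known non-spam; returns messages used."""
        count = 0
        for msg in mailbox.mbox(path):
            self.train(message_text(msg), is_spam)
            count += 1
        return count

    def is_mature(self) -> bool:
        return self.spam_count >= MATURE_SPAM and self.ham_count >= MATURE_HAM

    def token_probability(self, token: str) -> Optional[float]:
        """P(spam | token) from spam vs. non-spam occurrence rates; None if never seen."""
        in_spam = self.spam_tokens[token] / max(self.spam_count, 1)
        in_ham = self.ham_tokens[token] / max(self.ham_count, 1)
        if in_spam + in_ham == 0:
            return None
        return min(0.99, max(0.01, in_spam / (in_spam + in_ham)))  # no token is absolute proof

    def spam_probability(self, text: str) -> Optional[float]:
        """Naive-Bayes combination (log domain) of the 15 most decisive known tokens."""
        probs = [p for p in map(self.token_probability, tokenize(text)) if p is not None]
        if not probs:
            return None
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        log_spam = sum(math.log(p) for p in probs[:15])
        log_ham = sum(math.log(1 - p) for p in probs[:15])
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

def classify(text: str, user_db: Optional[BayesianDB],
             domain_db: BayesianDB) -> Tuple[Optional[float], str]:
    """A mature user DB decides alone; an immature one is consulted first and the
    group or global DB answers when it lacks the information. Returns (p, DB name)."""
    if user_db is not None:
        p = user_db.spam_probability(text)
        if user_db.is_mature() or p is not None:
            return p, user_db.name
    return domain_db.spam_probability(text), domain_db.name

# Constructed training corpora; two spam subjects reuse wording from the guide's sample report.
SPAM_SAMPLES = ["Buy now!!!! lowest prices on pills, click here", "curious? lowest prices guaranteed, buy now",
                "limited offer: cheap pills, buy now and save", "winner! claim your prize, click here today"]
HAM_SAMPLES = ["Meeting notes from the quarterly review attached", "Can you review the attached patch before the release?",
               "Lunch on Thursday? The usual place at noon", "Reminder: the quarterly report is due Friday"]

def build_group_db() -> BayesianDB:
    db = BayesianDB("group:example.com")
    for text in SPAM_SAMPLES:
        db.train(text, True)
    for text in HAM_SAMPLES:
        db.train(text, False)
    return db

def mbox_roundtrip() -> int:
    """Write the spam corpus to a temporary .mbox file and train a user DB from it."""
    path = os.path.join(tempfile.mkdtemp(), "spam.mbox")
    box = mailbox.mbox(path)
    for subject in SPAM_SAMPLES:
        msg = Message()
        msg["Subject"] = subject
        msg.set_payload("see subject")
        box.add(msg)
    box.close()
    return BayesianDB("user:user1@example.com").train_from_mbox(path, is_spam=True)
```

classify() returns which database produced the verdict, which is the detail an administrator needs when a user reports a misclassification: an immature user database that knows none of a message's tokens did not make the decision; the group or global database did.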

To change the database type a domain uses


1 Go to Mail Settings > Domains, and select the Edit icon of the domain you want
to configure.
2 Expand the Advanced AS/AV Settings.
3 Enable Using Global Bayesian to have the current domain use the global
Bayesian database. Disable Using Global Bayesian to have the current domain
use its own group Bayesian database.
4 Select OK.

Initial training of the Bayesian databases


The FortiMail unit uses an account system (See “Control Account” on page 394)
to train its Bayesian filters so email scanning is more efficient and accurate. How
the administrator trains the Bayesian databases when initially configuring the
FortiMail unit depends on which databases will be used.
If you are an administrator, you will typically carry out the initial training as follows:
1 Train the global database. This ensures the Bayesian scanner has a database to
use for all Bayesian scans on outgoing email, email handled by IP-based policies,
and for incoming email to domains configured to use the global database.
You can leave the global database untrained if both these conditions are true:
• no outgoing antispam profiles have Bayesian scanning enabled
• no domains are configured to use the global Bayesian database.


2 Train the group database for each protected domain. This ensures the Bayesian
scanner has a database to use for Bayesian scans on email handled by incoming
recipient-based policies to domains not configured to use the global database.
You can leave the group database for a protected domain untrained if either of
these conditions is true:
• the domain is configured to use the global Bayesian database
• no incoming recipient-based policies are used with the domain.
3 If the “Accept training messages from users” option is enabled in any antispam
profile, notify email users about the email training accounts and their use.
If user Bayesian databases are enabled, training messages are applied to the
sender’s database. In addition, training messages are also applied to either the
global or group Bayesian database, whichever is enabled for the sender’s
domain.
If user Bayesian databases are disabled, training messages are applied to either
the global or group Bayesian database, whichever is enabled for the sender’s
domain.
Training messages matching a policy in which the antispam profile has user
training disabled are discarded without notification to the sender.
4 If user databases are enabled, email users train their individual databases by
forwarding both undetected spam and good email incorrectly detected as spam to
the FortiMail unit.
Until users build up a mature database (100 spam and 200 non-spam email
messages) with their own message submissions, the Bayesian scanner will refer
to either the global or group database, whichever is enabled for the recipient
domain.
In addition, you can enable the option “Use other techniques for auto training” in
incoming antispam profiles to help each user’s database reach a mature state
more quickly.
Use the following procedures to configure Bayesian training and accounts.
• Control Account
• DB Maintenance

User
If you set up separate mailbox (.mbox) files containing spam and non-spam email
messages, you can use these files to train global, group, and user Bayesian
databases. This is an especially efficient method of training an empty Bayesian
database.
You can also back up Bayesian databases and the backup file can be restored to
another user, domain, or even another FortiMail unit.
You can view the status of all three types of Bayesian databases by going to
AntiSpam > Bayesian > User.

Global database and group databases


To manage and view the status of the global and group Bayesian databases, go to
AntiSpam > Bayesian > User. In the domain drop-down list, select Global
Bayesian to view statistics for the global database, or select the domain of your
choice.


For both selections, the available options are similar, with a few exceptions:
• If the domain is set to Global Bayesian, the username field is not displayed.
• If the selected domain is configured to use the global Bayesian database, the
training options are not displayed, and the training summary totals are shown
as zero.

Figure 290: User (Global Bayesian selected)

Figure 291: User (per-domain Bayesian selected and user name entered)

Select a domain: Select Global Bayesian to manage the global Bayesian database, or select a domain to manage its group Bayesian database. For information on creating domains, see “Domains” on page 180.
Summary: Displays the status of Bayesian database training on the selected domain. If the Summary values are “0”, the group database for this domain has not been trained. Summary values will also display as “0” for domains configured to use the global Bayesian database.


Operations:
• Select Train global bayesian database with mbox files or Train group bayesian database with mbox files to open the Bayesian training page. For more information, see “To train a global or group Bayesian database” on page 391.
• Select Backup global bayesian database or Backup group bayesian database to open the Backup bayesian group database page. For more information, see “To back up a global or group Bayesian database” on page 392.
• Select Restore global bayesian database or Restore group bayesian database to open the Restore the group DB page. For more information, see “To restore a global or group Bayesian database” on page 392.
• Select Reset group bayesian database to reset the Bayesian group database. For more information, see “To reset a global or group Bayesian database” on page 392.
Username: Enter a user name and select OK to view the status of a user Bayesian database. This option is not available for the global Bayesian database.

Enter an email user ID in the Username field and select OK to see additional user options and information:

User Summary: Displays the status of Bayesian training on a user’s database. If the Summary values are “0”, the specified user’s database on this domain has not been trained. The Alert message shows if the user’s Bayesian database has reached the required threshold (100 spam messages and 200 non-spam messages) to accurately detect spam.
Operations:
• Select Train user bayesian database with mbox files to open the Bayesian user training page. For more information, see “To train the user Bayesian database” on page 393.
• Select Backup user bayesian database to open the Backup bayesian user database page. For more information, see “To back up a user Bayesian database” on page 393.
• Select Restore user bayesian database to open the Restore the user DB page. For more information, see “To restore a user Bayesian database” on page 393.
• Select Reset user bayesian database to reset the Bayesian user database. For more information, see “To reset a user Bayesian database” on page 394.

To train a global or group Bayesian database


1 Go to AntiSpam > Bayesian > User.
2 Depending on the type of database you will train, follow the appropriate step:
• To train the global database, select Global Bayesian for the domain and select
the Train global bayesian database with mbox files link.
• To train a group database, select the domain associated with the group
database and select the Train group bayesian database with mbox files link.
3 A window opens to specify the mbox files containing spam and non-spam
messages.


4 For the Innocent Mailbox, select Browse to find the mbox file containing non-spam
email.
5 For the Spam Mailbox, select Browse to find the mbox file containing spam email.
6 Select OK.
The database training begins. Depending on the size of the mailbox files, this
process may take a few minutes.

To back up a global or group Bayesian database


1 Go to AntiSpam > Bayesian > User.
2 Depending on the type of database you will back up, follow the appropriate step:
• To back up the global database, select Global Bayesian for the domain and
select the Backup global bayesian database link.
• To back up a group database, select the domain associated with the group
database and select the Backup group bayesian database link.
3 Select the location to which the database backup file will be written. Change the
file name if required.
4 Select OK.

To restore a global or group Bayesian database


1 Go to AntiSpam > Bayesian > User.
2 Depending on the type of database you will restore, follow the appropriate step:
• To restore the global database, select Global Bayesian for the domain and
select the Restore global bayesian database link.
• To restore a group database, select the domain associated with the group
database and select the Restore group bayesian database link.
3 In the new window, select browse and find the backup file to be restored.
4 Select OK.
5 The database backup file is restored. Select Browse to find the saved group
Bayesian data file.
6 Select OK.
Depending on the size of the backup file, this process may take a few minutes.

To reset a global or group Bayesian database

Caution: Resetting a group database deletes all the training information stored in the database.

1 Go to AntiSpam > Bayesian > User.
2 Depending on the type of database you will reset, follow the appropriate step:
• To reset the global database, select Global Bayesian for the domain and select
the Reset global bayesian database link.
• To reset a group database, select the domain associated with the group
database and select the Reset group bayesian database link.
3 If you are sure you want to reset the database, select OK.


The database is reset. Depending on the size of the database, this process may
take a few minutes.

To view an email user’s Bayesian database


1 Go to AntiSpam > Bayesian > User.
2 Select the domain the user’s account belongs to.
3 Enter the user ID in the Username field.
4 Select OK.
The user’s database summary and database operation options are displayed.

To train the user Bayesian database


1 Go to AntiSpam > Bayesian > User.
2 Select the domain the user’s account belongs to.
3 Enter the user ID in the Username field.
4 Select OK.
5 Select Train user bayesian database with mbox files.
6 For the Innocent Mailbox field, select Browse to find the mailbox file containing
non-spam email.
7 For the Spam Mailbox field, select Browse to find the mailbox file containing spam
email.
8 Select OK.
The user database training begins. Depending on the size of the mailbox files, this
process may take a few minutes.

To back up a user Bayesian database


1 Go to AntiSpam > Bayesian > User.
2 Select the domain the user’s account belongs to.
3 Enter the user ID in the Username field.
4 Select OK.
5 Select Backup user bayesian database.
6 Select the location to which the database backup file will be written. Change the
file name if required.
7 Select OK.

To restore a user Bayesian database


1 Go to AntiSpam > Bayesian > User.
2 Select the domain the user’s account belongs to.
3 Enter the user ID in the Username field.
4 Select OK.
5 Select Restore user bayesian database.
6 In the new window, select browse and find the backup file to be restored.
7 Select OK.


To reset a user Bayesian database

Caution: Resetting a user database deletes the database.

1 Go to AntiSpam > Bayesian > User.
2 Select the domain the user’s account belongs to.
3 Enter the user ID in the Username field.
4 Select OK.
5 Select Reset user bayesian database.
6 A confirmation window appears. If you are sure you want to reset the database,
select OK.
The database is reset. Depending on the size of the database, this process may
take a few minutes.

Control Account
The Control Account tab enables you to configure the email accounts used for
remote training of the Bayesian databases.
The FortiMail unit has five pre-defined control accounts for Bayesian database
training. Email users send spam information to these accounts to train the
databases used in Bayesian scanning.
For the FortiMail unit to accept training messages, two conditions are necessary:
• The training messages must match a recipient-based policy.
• The matching recipient-based policy must specify an antispam profile in which
the Accept training messages from users option is enabled.
If either of these conditions is not met, the FortiMail unit will silently discard
training messages without using them for training.
If training messages are accepted, two factors determine which database or
databases benefit from Bayesian database training:
• whether the sender’s domain is configured to use the global or group Bayesian
database
• whether user Bayesian databases are enabled in the antispam profile specified
in the policy matching the training message.
When the FortiMail unit receives a training message, it examines it to determine
the sender’s domain. It then checks the domain configuration to see whether the
sender’s domain is configured to use the global or group Bayesian database. It
then uses the message to train the database that the domain is configured to use.
If user Bayesian databases are enabled, the message is also used to train the
user’s Bayesian database. The user is determined by the sender address.
There are four training accounts. Two are used to correct misdiagnosed
messages that have already been processed by the FortiMail unit’s Bayesian
routines. The other two accounts are used to train the Bayesian databases with
new messages not processed by the FortiMail unit’s Bayesian routines.


Figure 292:Bayesian Training Accounts

Is Really Spam account (default name: is-spam)
  Email examined by the FortiMail unit will sometimes contain spam that was not
  detected. Users can inform the FortiMail unit of its mistake by forwarding the
  missed spam message to the Is Really Spam control account.
Is Not Really Spam account (default name: is-not-spam)
  Email examined by the FortiMail unit will sometimes contain non-spam that was
  incorrectly detected as spam. Users can inform the FortiMail unit of its mistake
  by forwarding the non-spam message to the Is Not Really Spam control account.
Training accounts:
Learn Is Spam account (default name: learn-is-spam)
  If users have any email that was not examined by the FortiMail unit, they can
  send known spam to the Learn Is Spam account to train the Bayesian database.
Learn Is Not Spam account (default name: learn-is-not-spam)
  If users have any email that was not examined by the FortiMail unit, they can
  send known non-spam to the Learn Is Not Spam account to train the Bayesian
  database.
Training Group user ID
  The administrator can use this domain-based account name as the “from”
  address to send confirmed spam to the “Learn Is Spam” user account and good
  email to the “Learn Is Not Spam” user account to train the global or group
  database, whichever the domain is configured to use. No user databases are
  trained.
  An administrator can also use his or her own user account to train the global
  or group database, but this procedure also trains that user database if it is
  enabled in the antispam profile. Using the training group user account name
  limits the training to only the global or group database.

To configure Bayesian accounts


1 Go to AntiSpam > Bayesian > Control Account.
2 Enter the Bayesian training account names into the five user name fields.
3 Select OK.
You need to inform the users of these account names and how to use them so
they can send the four types of messages as required.
The account names are only part of the email address to which users will forward
training messages. They must append the FortiMail unit’s local domain name to
the end of the account name. For example, if the FortiMail unit’s local domain
name is “example.com” and the “is really spam” user account name is
“is-spam”, the email address the users will send missed spam to is
is-spam@example.com.


DB Maintenance
The DB Maintenance tab enables you to back up, restore, or clear your Bayesian
databases. These database operations affect the global database, as well as all
group and user databases for the domains defined on the FortiMail unit. For more
selective operations, see “User” on page 389.

Figure 293:Database Maintenance

To maintain the Bayesian databases


1 Go to AntiSpam > Bayesian > DB Maintenance.
2 Select from the following:
• Backup Bayesian database
• Restore Bayesian database
• Repair Bayesian database
• Reset Bayesian database

! Caution: Resetting the Bayesian databases deletes all the databases.

3 When restoring a database, select Browse to locate the saved database file.
4 Select OK.

Example: FortiMail Bayesian training


This section introduces an example FortiMail Bayesian configuration and
describes how it is set up at the system administration level.
This section contains the following topics:
• Example company
• Training user groups
• Setting up Bayesian control accounts

Example company
Company X has set up a FortiMail unit to protect its email server by blocking spam
email. With over 1,000 email users, Company X plans to enable the FortiMail unit
Bayesian scanning capability. You, the system administrator, have been asked to
configure the FortiMail unit Bayesian training for the company.
Company X has divided its email users into two user groups and associated the
groups with two domains:

User Group    Domain
Group1        example.net
Group2        example.org

The local domain name of Company X’s FortiMail unit is example.com.


Training user groups


You need to train the two user groups first to ensure that Bayesian filtering works
for all email users before they start training their own databases.
Because the group database is domain-based, you need to set up the domains for
the email users on the FortiMail unit.

To set up domains in gateway and transparent modes in the Web-based manager


1 Go to Mail Settings > Domains.
2 Select Create New.
3 For each domain, enter the corresponding user group information and select OK.

Field         Group1           Group2
FQDN          example.net      example.org
IP Address    192.168.150.1    192.168.150.2

To set up domains in gateway and transparent modes in the CLI


set policy example.net modify ip 192.168.150.1
set policy example.org modify ip 192.168.150.2

To set up domains in server mode in the Web-based manager


1 Go to Mail Settings > Domains.
2 For each domain, enter the corresponding user group information and select OK.

Field         Group1           Group2
FQDN          example.net      example.org

To set up domains in server mode in the CLI


set policy example.net
set policy example.org

To train user group databases in the Web-based manager


You need to generate two mailbox files (.mbx) with your email client to train the
user group databases. One file is for good email and the other for spam email. For
information on generating mailbox files, see your email client documentation.
User group training cannot be performed with the CLI.
1 Go to AntiSpam > Bayesian > User.
2 Select example.net.
3 Select Train group bayesian database with mbox files.
4 For Innocent Mailbox, select Browse to find the mailbox file that contains good
email.
5 For Spam Mailbox, select Browse to find the mailbox file that contains spam email.


6 Select OK.
The group training starts. Depending on the size of the mailbox files, this process
may take a few minutes.
Repeat these steps for example.org to train the Bayesian databases for both
domains.

To train user group databases by email


You can also use the control accounts (see “To inform the users of the control
account addresses” on page 398) to train the user group databases by sending
email containing confirmed spam to the “Learn Is Spam” account and sending
good email to the “Learn Is Not Spam” account.

Setting up Bayesian control accounts


To allow email users to forward spam messages to the Bayesian accounts, you
need to configure the Bayesian control account names on the FortiMail unit. You
then inform the email users of the control account addresses. Later, when an
email user forwards a spam training message to one of the control accounts using
the address you provide, the FortiMail unit will automatically set up a Bayesian
database for the user based on his or her email address.

To configure Bayesian control account names in the Web-based manager


1 Go to AntiSpam > Bayesian > Control Account.
2 If you accept the default account user names, select OK.
The account user names are configurable.

To configure Bayesian control account names in the CLI


set as control bayesian <account> <account user name>
• <account> is the Bayesian control account type, such as “is really spam”.
• <account user name> is the Bayesian control account name, such as the
default “is-spam”.

To inform the users of the control account addresses


1 The complete control account email address is formed by the control account
name, the (@) ‘at sign,’ and the user’s account domain. For example,
user1@example.org would use these control account addresses if the default
account names were not modified:
• is-spam@example.org
• is-not-spam@example.org
• learn-is-spam@example.org
• learn-is-not-spam@example.org


2 Send the users an email message to notify them of the control account
addresses and their usage, similar to the following:
All employees,
This message describes how to train your FortiMail Bayesian
database.
• If you receive spam that has not been caught and tagged by
the FortiMail unit, forward these missed spam messages to
is-spam@example.org from your company email account. This
will ensure any similar email will be caught by the
FortiMail unit in the future.
• If you receive email that the FortiMail unit has
incorrectly tagged as spam, forward these messages to
is-not-spam@example.org from your company email account.
This will ensure any similar email will not be tagged as
spam by the FortiMail unit in the future.
• If you have collected spam email that has not been
examined by the FortiMail Bayesian scanner and want to
train your personal Bayesian database on the FortiMail
unit, forward them to learn-is-spam@example.org from your
company email account. This ensures that any similar email
will be tagged as spam by the FortiMail unit in the
future.
• If you have collected non-spam email that has not been
examined by the FortiMail Bayesian scanner and want to
train your personal Bayesian database on the FortiMail
unit, forward them to learn-is-not-spam@example.org from
your company email account. This ensures that any similar
email will not be tagged as spam by the FortiMail unit in
the future.
3 To perform group database training without training any user databases at the
same time, send training messages to the same control account addresses, but
configure your email client to use one of these from addresses, depending on the
group database to be trained:
• default-grp@example.net
• default-grp@example.org
Now, you can send confirmed spam to the “Learn Is Spam” account or non-spam
to the “Learn Is Not Spam” account using one of the two addresses. For example,
using default-grp@example.net as the “From” address will train only the
group database for the example.net domain.
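As an added illustration (not code from the guide or from Fortinet), the following Python models how a training message is routed under the rules in the Control Account section and this example: the two acceptance conditions, the global-or-group choice made from the sender’s domain, the optional user database, and the training group user ID that trains only the group database. The function names, the domain_db mapping and the policy/profile flags are assumptions made for the example.

```python
# Control account names as shipped (the guide's defaults), mapped to what a message
# sent there teaches: (label, kind). "correct" fixes a misdiagnosis by the Bayesian
# routines; "learn" trains with mail the FortiMail unit never examined.
DEFAULT_ACCOUNTS = {
    "is-spam": ("spam", "correct"),          # Is Really Spam
    "is-not-spam": ("ham", "correct"),       # Is Not Really Spam
    "learn-is-spam": ("spam", "learn"),      # Learn Is Spam
    "learn-is-not-spam": ("ham", "learn"),   # Learn Is Not Spam
}
TRAINING_GROUP_ID = "default-grp"   # training group user ID from the worked example


def control_addresses(account_domain, accounts=DEFAULT_ACCOUNTS):
    """Control account name + '@' + the domain, as in the example for user1@example.org."""
    return {name: f"{name}@{account_domain}" for name in accounts}


def route_training(mail_from, rcpt_to, domain_db, policy_matched, accept_training,
                   user_db_enabled, accounts=DEFAULT_ACCOUNTS):
    """Decide which Bayesian databases one training message trains.

    domain_db maps each protected domain to "global" or "group" (its domain
    configuration). policy_matched and accept_training are the two acceptance
    conditions; user_db_enabled is the antispam profile option. Returns None when
    the message is not a training message or is silently discarded; otherwise a
    dict with the label, the kind of training and the databases trained.
    """
    rcpt_local, _, _ = rcpt_to.lower().partition("@")
    if rcpt_local not in accounts:
        return None                      # ordinary mail, not sent to a control account
    if not (policy_matched and accept_training):
        return None                      # both acceptance conditions are required
    label, kind = accounts[rcpt_local]
    sender_local, _, sender_dom = mail_from.lower().partition("@")
    db_type = domain_db.get(sender_dom)
    if db_type is None:
        return None                      # assumption: unknown sender domains are not trained
    databases = ["global"] if db_type == "global" else [f"group:{sender_dom}"]
    # The user database is trained too, unless the sender is the training group ID
    # or user databases are disabled in the matching antispam profile.
    if user_db_enabled and sender_local != TRAINING_GROUP_ID:
        databases.append(f"user:{mail_from.lower()}")
    return {"label": label, "kind": kind, "databases": databases}


if __name__ == "__main__":
    # Constructed configuration matching Company X: both domains use group databases.
    cfg = {"example.net": "group", "example.org": "group"}
    print(control_addresses("example.org"))
    print(route_training("user1@example.org", "is-spam@example.org", cfg, True, True, True))
    print(route_training("default-grp@example.net", "learn-is-spam@example.org",
                         cfg, True, True, True))
```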

Black/White List
The Black/White List submenu enables you to block or allow email messages
from the specified email addresses, domains, or IP addresses.
The black and white lists can be system level, domain level, personal level, or
session profile level. There are also several places where you can configure the
different black and white lists.


• Go to AntiSpam > Black/Whitelists to configure system-level, domain-level,
and personal-level black and white lists, to configure the action that the
FortiMail unit will take when an email message matches a black list, and to
back up and restore black lists and white lists.
• Go to User > User Preferences to configure the personal-level black and
white lists. For details, see “User Preferences” on page 224.
• Go to Profile > Session to configure the black and white lists that will be used
in that specific session profile. For details, see “Session Configuration” on
page 287 and “Order of execution of black and white lists in a session profile”
on page 402.
• The email users can also configure their personal black and white lists through
webmail access.
All black and white list entries are listed in alphabetical order.
You can add a maximum of 2048 black or white list entries at each of the system,
domain, and personal levels, and 2048 black or white list entries in each session
profile.

Note: Use black and white lists with caution. They are simple and efficient tools for fighting
spam and enhancing performance, but can also cause false positives and false negatives if
not used carefully. For example, a white list entry of *.edu would allow all email from the
.edu top level domain to bypass the FortiMail unit's antispam scanning.

The Black/White List menu includes the following tabs:


• System black/white list
• Domain black/white list
• Personal black/white list
• Blacklist Action
• Black/White List Maintenance

Black and white list hierarchy


The FortiMail unit performs black and white list checking as one of the first steps
to detect spam.
Firstly, white lists take precedence over black lists. If the same entry appears in
both the white list and black list, the entry will be whitelisted.
Secondly, system-level lists take precedence over domain-level lists while
domain-level lists take precedence over personal-level lists.
Table 18 shows the checking sequence, in order from top to bottom. If a match is
discovered, the FortiMail unit stops further list checking for the matching message
and cancels any remaining antispam checks for it.


Table 18: Black and white list sequence

List                           Check for match of    Action taken if match discovered
System white list              Message sender        Accept message
System black list              Message sender        Invoke black list action
Domain white list              Message sender        Accept message
Domain black list              Message sender        Invoke black list action
Session recipient white list   Message recipient     Accept message for matching recipients
Session recipient black list   Message recipient     Invoke black list action
Session sender white list      Message sender        Accept message for all recipients
Session sender black list      Message sender        Invoke black list action
User white list                Message sender        Accept message for this recipient
User black list                Message sender        Discard message

If the message sender is being examined for a match, email addresses and
domains in the list are compared to the message’s envelope-from. IP addresses are
compared to the address of the client delivering the message, also known as the
last hop address.
If the message recipient is being examined for a match, email addresses and
domains in the list are compared to the message’s recipient address. An IP
address in a recipient white or black list is not a valid entry because no IP
addresses are checked.

Black and white list address formats


A black or white list entry can be an IP address, a domain name, an email
address, or a part of an IP address, email address, or domain name.
The domain part (e.g., spam.com) and local part (e.g., bogus) support wildcards
(? and *).
For example:
• 172.20.110: email from IP address 172.20.110.xxx
• fortimail.com: email from xxx@fortimail.com, or from an IP address with the
domain name of fortimail.com
• bogus@spam.com: email from bogus@spam.com
The following formats are also valid:
• ?ogus@spam.com
• *@spam.com
• bogus@sp?m.com
• bogus@*.com
The following formats are not valid:
• 172.20.110.0
• 172.20.110.0/24
• @spam.com
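As an added example (not code from the guide or from Fortinet), the following Python implements both the entry formats described above and the Table 18 checking sequence from “Black and white list hierarchy”: it validates entries against the valid and invalid formats listed, matches sender entries against the envelope-from and last-hop IP (partial IPs as prefixes, wildcards in local and domain parts) and recipient entries against the recipient address, and walks the lists top to bottom so that the first match wins. The list names, function names and the sample lists are assumptions made for the example.

```python
import re

# Table 18 checking sequence, top to bottom: (list, what is matched, action on match).
LIST_SEQUENCE = [
    ("system_white", "sender", "accept"),
    ("system_black", "sender", "blacklist_action"),
    ("domain_white", "sender", "accept"),
    ("domain_black", "sender", "blacklist_action"),
    ("session_recipient_white", "recipient", "accept"),
    ("session_recipient_black", "recipient", "blacklist_action"),
    ("session_sender_white", "sender", "accept"),
    ("session_sender_black", "sender", "blacklist_action"),
    ("user_white", "sender", "accept"),
    ("user_black", "sender", "discard"),
]

_IP_ENTRY = re.compile(r"\d{1,3}(\.\d{1,3}){0,3}")   # full address or leading octets


def is_ip_entry(entry):
    return _IP_ENTRY.fullmatch(entry) is not None


def is_valid_entry(entry):
    """Accept the formats the guide lists as valid, reject the ones it lists as invalid."""
    if not entry or "/" in entry or entry.startswith("@"):
        return False                     # 172.20.110.0/24 and @spam.com are not valid
    if is_ip_entry(entry):
        # 172.20.110.0 is listed as invalid: the partial form 172.20.110 is used instead
        return not (entry.count(".") == 3 and entry.endswith(".0"))
    return re.fullmatch(r"[A-Za-z0-9.*?_+-]+(@[A-Za-z0-9.*?-]+)?", entry) is not None


def _wildcard(pattern):
    """? matches one character and * any run, in both local part and domain part."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(regex, re.IGNORECASE)


def matches_sender(entry, envelope_from, client_ip, client_hostname=None):
    """Sender lists: addresses/domains against envelope-from, IPs against the last hop."""
    if is_ip_entry(entry):
        return client_ip == entry or client_ip.startswith(entry + ".")
    if "@" in entry:
        return _wildcard(entry).fullmatch(envelope_from) is not None
    if _wildcard(entry).fullmatch(envelope_from.rsplit("@", 1)[-1]):
        return True
    # a domain entry also matches the delivering host's domain name (reverse DNS)
    return client_hostname is not None and _wildcard(entry).fullmatch(client_hostname) is not None


def matches_recipient(entry, recipient):
    """Recipient lists: no IP addresses are checked, so IP entries never match."""
    if is_ip_entry(entry):
        return False
    if "@" in entry:
        return _wildcard(entry).fullmatch(recipient) is not None
    return _wildcard(entry).fullmatch(recipient.rsplit("@", 1)[-1]) is not None


def evaluate(lists, envelope_from, recipient, client_ip,
             blacklist_action="reject", client_hostname=None):
    """Walk Table 18 top to bottom; the first match ends list checking.

    Returns (action, list, entry); action "continue" means nothing matched and the
    remaining antispam checks run. blacklist_action is the Blacklist Action tab
    setting applied to system, domain and session black lists; a user black list
    always discards.
    """
    for name, subject, action in LIST_SEQUENCE:
        for entry in lists.get(name, ()):
            if subject == "sender":
                hit = matches_sender(entry, envelope_from, client_ip, client_hostname)
            else:
                hit = matches_recipient(entry, recipient)
            if hit:
                return (blacklist_action if action == "blacklist_action" else action, name, entry)
    return ("continue", None, None)


# Constructed sample lists: *.edu in the system white list bypasses the system
# black list entry below it, the kind of false negative the note above warns about.
SAMPLE_LISTS = {
    "system_white": ["*.edu"],
    "system_black": ["172.20.110"],
    "domain_black": ["bogus@sp?m.com"],
    "user_black": ["spam.com"],
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_LISTS, "prof@mit.edu", "u@example.net", "172.20.110.5"))
    print(evaluate(SAMPLE_LISTS, "x@other.com", "u@example.net", "172.20.110.5"))
    print(evaluate(SAMPLE_LISTS, "bogus@spam.com", "u@example.net", "10.1.1.1"))
```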


Order of execution of black and white lists in a session profile


When configuring a session profile (see “Session Configuration” on page 287),
you can create black and white lists that will be used with the session profile.
Black and white lists are separate for each session profile, and will apply only to
traffic controlled by the IP-based policy to which the session profile is applied.
Therefore, the session-level black and white lists will not be executed until the
traffic matches an IP-based policy with the session profile.
In contrast, the system, domain, and personal-level black and white lists are
executed before any policy match.

System black/white list


The System tab enables you to configure system-wide black lists and white lists.

Figure 294:System List Settings

To block or allow email


1 Go to AntiSpam > Black/White List > System.
2 Choose one of the following:
• To block email, select Black List.
• To allow email, select White List.
3 Enter the email address, domain, or IP address that you want to block or allow.
For supported and valid formats, see “Black and white list address formats” on
page 401.
4 Select Add to add it to the black or white list.

To delete an email address or domain from the black or white list


1 Go to AntiSpam > Black/White List > System.
2 Select Black List or White List.
3 Select the email address, domain, or IP address you want to delete.
4 Select Remove Selected.

To back up a system black or white list


1 Go to AntiSpam > Black/White List > System.
2 Select Black List or White List.
3 Select Backup.
4 Select a location to save your file.
5 Save the file.

To restore a system black or white list


1 Go to AntiSpam > Black/White List > System.
2 Select Black List or White List.
3 Select Browse to find the black or white list that you want to restore.


4 Select Restore.

Domain black/white list


The Domain tab enables you to configure white lists and black lists that are
specific to a protected domain.

Figure 295:Domain List Settings

To block or allow email


1 Go to AntiSpam > Black/White List > Domain.
2 Do one of the following:
• To block email, select the Black List icon for the required domain.
• To allow email, select the White List icon for the required domain.
3 Enter the email address, domain, or IP address that you want to block or allow.
For supported and valid formats, see “Black and white list address formats” on
page 401.
4 Select Add to add the address to the black or white list.

To delete an address from a domain black or white list


1 Go to AntiSpam > Black/White List > Domain.
2 Select the black or white list icon associated with the domain containing the
address you want to remove.
3 Select the address you want to delete.
4 Select Remove Selected.

To back up a domain black or white list


1 Go to AntiSpam > Black/White List > Domain.
2 Select the black or white list icon associated with the domain you want to back up.
3 Select Backup.
4 Select a location to save your file.
5 Save the file.

To restore a domain black or white list


1 Go to AntiSpam > Black/White List > Domain.
2 Select the black or white list icon associated with the domain you want to restore.
3 Select Browse to find the black or white list backup file you want to restore.
4 Select Restore.


Personal black/white list


The Personal tab enables you to add or modify email users’ black or white lists.
Email users can also use or modify the list you configure when they use FortiMail
webmail.

Figure 296:User

To block or allow email


1 Go to AntiSpam > Black/White List > Personal.
2 Select the domain of the SMTP server that has the user for whom you want to
configure the black or white list.
For information on creating domains, see “Domains” on page 180.
Enter the username and select OK. If the user does not exist, a new user will be
created.
3 Turn on Add outgoing email addresses to White list if you want the FortiMail unit to
treat email sent from these addresses as non-spam email in the future.
4 Do one of the following:
• To discard email, select Black List.
• To allow email, select White List.
5 Enter the email address, domain, or IP address that you want to block or allow.
For supported and valid formats, see “Black and white list address formats” on
page 401.
6 Select Add to add the address or domain to the black or white list.

To delete an email address or domain from a personal black or white list


1 Go to AntiSpam > Black/White List > Personal.
2 Select the domain of the SMTP server that has the user for whom you want to
modify the black or white list.
3 Type the user’s Username and select OK.
4 Select Black List or White List.
5 Select the email address, domain, or IP address you want to delete.
6 Select Remove Selected.

To back up a personal black or white list


1 Go to AntiSpam > Black/White List > Personal.
2 Select the domain of the SMTP server that has the user for whom you want to
back up the black or white list.


3 Type the user’s Username and select OK.


4 Select Black List or White List.
5 Select Backup.
6 Save the file.

To restore a personal black or white list


1 Go to AntiSpam > Black/White List > Personal.
2 Select the domain of the SMTP server that has the user for whom you want to
restore the black or white list.
3 Type the user’s Username and select OK.
4 Select Browse to find the black or white list that you want to restore.
5 Select Restore.

Blacklist Action
The Blacklist Action tab enables you to configure the action to take if an email
message arrives from a blacklisted domain, email address, or IP address. This
setting affects email matching the three levels of black lists: system, domain, and
session.

Note: For the personal level black lists, the only option is to discard. For more information,
see “Personal black/white list” on page 404.

Figure 297:Blacklist Action

To set the blacklist action


1 Go to AntiSpam > Black/White List > Blacklist Action.
2 Choose how a message matching a black list entry should be handled.
• Reject refuses delivery of the message and returns an error to the sending
system.
• Discard accepts the message and immediately discards it without notifying the
sending system.
• The Use AntiSpam Profile Settings option has blacklisted email treated the
same way as spam, according to the setting in the antispam profile for the
message matching the black list entry.

Black/White List Maintenance


The Black/White List Maintenance tab enables you to back up and restore black
and white lists. The FortiMail unit saves all of the user and domain black and white
lists as well as the system black and white lists in a single backup file.


Figure 298:Black/White Maintenance

To back up all black and white lists


1 Go to AntiSpam > Black/White List > Black/White List Maintenance.
2 Select Backup Black/White List.
3 Select Download Black/White list backup file.
4 Save the file.

To restore all black and white lists

! Caution: Restoring the black and white lists in this manner overwrites all of the existing
system, domain, and user black and white list contents.

1 Go to AntiSpam > Black/White List > Black/White List Maintenance.


2 Select Restore Black/White List.
3 Select Browse, select the backup file to be restored, and select Open.
The path and filename of the selected file appears in the Black White list file field.
4 Select OK.

Greylist
The Greylist submenu enables you to configure exemptions and other greylist
settings.
Greylisting is a low-maintenance way to reduce spam by taking advantage of how
spam servers differ from email servers. Greylisting rejects all unknown email
messages and only accepts a message if the server tries to deliver it again. Email
servers will attempt to deliver email again after receiving an error, while spam
servers typically will not.
When the server re-sends the email message, the FortiMail unit accepts it and the
sender email address, recipient email address, and the IP address of the server that
delivered the email message are recorded by the greylist routine. Subsequent
email messages matching these same three attributes are no longer considered
unknown and are accepted immediately.
If a spam server does not resend rejected messages, the FortiMail unit does not
need to use any resources to determine the messages are spam. The FortiMail
unit prevents the messages from being successfully delivered.
The greylisting feature has three compelling attributes:
• Greylisting does not require you to maintain IP address lists, email lists, or
word lists. The FortiMail unit automatically maintains the required information.
• Spam detection scans are not run on email stopped by greylisting. This can
save significant processing and storage resources.


• Even if spammers begin to take greylisting into account and resend their
messages, the greylist delay period can allow time for FortiGuard-Antispam
and DNSBL systems to discover the spam and blacklist the source. This way,
when the spam message is finally delivered, the FortiMail unit is more likely to
recognize it as spam.
For these reasons, the greylist feature is a recommended performance enhancing
option.
The Greylist menu includes the following tabs:
• Display
• Exempt
• AutoExempt
• Settings

Understanding greylisting
The FortiMail unit creates a greylist entry and a log entry when an unknown
message is first rejected. For the message to be accepted, the server must
attempt delivery after the greylisting period and before the 4 hour initial expiry
period elapses.
The greylisting period determines how long after the first delivery attempt a retry
will be accepted. The default value is 20 minutes, therefore delivery attempts after
the first will continue to be rejected for 20 minutes. The greylisting period is
required because some spam servers will try to deliver messages again
immediately. A greylisting period continues to reject these messages and most
are not successfully delivered.
The FortiMail unit stores the attributes of a known message in a greylist entry so
later email messages with the same attributes are delivered immediately. The
greylist entry is discarded if no matching messages are received within the Time
to Live (TTL) period. By default this is 10 days.
For more information about the greylist period, TTL, and initial expiry period, see
“Settings” on page 415.

Greylist address matching


When a system tries to deliver an email message to the FortiMail unit, the greylist
routine checks three message attributes: the envelope from (Mail From:), the
envelope recipient (Rcpt To:), and the IP address of the system delivering the
message.
While the envelope from and envelope recipient values must match exactly, the
FortiMail unit only checks the subnet of the system attempting delivery of the
message. For example, if a server at 192.168.1.99 tries to deliver an email
message, any IP address starting with 192.168.1 is considered a match. The
entry in the greylist for this IP address is 192.168.1.0 with the “0” indicating any
value will match for that portion of the IP address.


An exact IP address match is not required because some large organizations use
many email servers with IP addresses in the same subnet. If the first attempt to
deliver email receives a temp fail response, the second attempt may come from a
server with a different address. If an exact match were required, the greylist
routine would treat the second delivery as a new delivery attempt unrelated to the
first. Depending on the configuration of the email servers, the message might
never be delivered properly. Allowing all addresses in the subnet solves this
problem.

Greylist exemptions
You can configure greylist exempt rules to allow email messages with attributes
you define to bypass the greylisting entirely. An exemption can be useful when
email messages are sent from an email server farm that’s not limited to a single
subnet. If an email message is resent by different email servers, each retry may
be seen as a first attempt. To avoid this problem, an exempt rule can take
advantage of common elements of the server hostnames. For more information,
see “Exempt” on page 411.

Note: Greylist checking is bypassed in two circumstances:


• The client establishes an authenticated session.
• The message matches a rule in the greylist exempt list, located in AntiSpam >
Greylist > Exempt.

Greylist automatic exemptions


The greylist autoexempt list reduces the need for greylist exempt rules and
reduces the number of greylist entries by consolidating similar entries in the
autoexempt list. This allows for more efficient processing and greatly reduces the
possibility of overflowing the maximum number of entries in the greylist. The
autoexempt list works by automatically creating entries including only the sender
domain and IP address of the system delivering the message.
By using only the sender domain and not the entire sender address, all the
senders from a single sender domain use the same autoexempt entry instead of
each sender having their own greylist entry. Similarly, entirely ignoring the
recipient allows every recipient in the protected domains to share the same
greylist entry. This also makes an autoexempt entry less likely to expire than a
greylist entry.
For example, example.com and example.org each have 100 employees. The two
organizations work together and employees of each company exchange email
with many of their counterparts in the other company. If each example.com
employee corresponds with 20 people from example.org, the FortiMail unit used
by example.com will have 2000 greylist entries for the email received from
example.org alone. With the autoexempt list, these 2000 greylist entries are
replaced by a single autoexempt list entry.

Note: Everything after the “@” in the sender email address is recorded as the sender
domain. For example, email from user16@example.com and user11@example.com have
the same sender domain and would both be allowed by a single autoexempt list entry.
Although they might seem to match, user34@example.com and
user23@sales.example.com are considered separate sender domains. These addresses
would each require its own autoexempt list entry to bypass greylisting.


Because the autoexempt list uses fewer message attributes, more messages will
match each entry and be allowed through. To prevent unwanted email from taking
advantage of this, stricter requirements are applied for the creation of an
autoexempt entry.
The FortiMail unit will create an autoexempt list entry for an unknown message if
the message:
• does not match any greylist exempt rules
• passes the greylist routine
• passes all configured antispam scans
• passes all configured virus scans
• passes all configured content scans
• does not appear on any white lists.
If an email message meets these requirements, the sender domain and IP
address of the system that delivered the message are added to the greylist
autoexempt list. Subsequent messages with the same sender domain delivered
by a system in the same subnet match the autoexempt list entry and are delivered
without delay.
If an email message is not greylist exempt but fails to meet the above
requirements, the FortiMail unit creates a greylist entry with the message
attributes.

Note: If an email message matches a greylist exempt rule, it is not subject to greylisting and
the FortiMail unit will not create an entry in the greylist or autoexempt list.

Note: Since the email message responsible for creating a greylist autoexempt table entry
must first pass the greylist routine, a matching greylist entry will also exist for a time.
Incoming messages are checked against the autoexempt list first so matching messages
will reset the expiry date of the autoexempt list entry and be delivered. The expiry date of
the greylist entry will not be reset. Therefore, the greylist entry will eventually expire, leaving
the autoexempt list entry.
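
The routine described above (temporary failure for an unknown message, passthrough once the greylisting period has elapsed, promotion to an autoexempt entry keyed on sender domain and subnet, and the autoexempt list being consulted first so only its TTL is reset) can be stepped through in code. The following is an added example, not FortiMail code: it assumes the recorded subnet is the delivering server's /24, takes the antispam, antivirus and content scan results as booleans from the caller, and takes the clock as a parameter so the timeline is reproducible.

```python
"""Added example (not Fortinet code): a minimal model of the greylist and
autoexempt behaviour described above.  Assumptions not taken from the page:
the "subnet" recorded for a delivering server is its /24, scan results are
passed in as booleans, and the clock is passed in explicitly."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import Dict, Tuple

TEMPFAIL = "TEMPFAIL"   # greylisting period not yet elapsed: temporary failure
PASS = "PASS"           # greylist routine ends; message continues to the other scans


def subnet_of(ip: str) -> str:
    """Assumption: the IP column holds the delivering server's /24 subnet."""
    return str(ip_network(f"{ip}/24", strict=False))


def sender_domain(address: str) -> str:
    """Everything after the '@' is the domain, so sales.example.com differs from example.com."""
    return address.rsplit("@", 1)[1].lower()


@dataclass
class GreylistEntry:
    passthrough_at: datetime   # end of the greylisting period: status becomes PASSTHROUGH
    expires_at: datetime       # initial expiry period at first, TTL once the sender has retried
    last_seen: datetime

    def status(self, now: datetime) -> str:
        return "PASSTHROUGH" if now >= self.passthrough_at else TEMPFAIL


@dataclass
class Greylist:
    ttl: timedelta = timedelta(days=10)                     # Settings > TTL, default 10 days
    greylisting_period: timedelta = timedelta(minutes=20)   # Settings > Greylisting period, default
    initial_expiry: timedelta = timedelta(hours=4)          # CLI greylist initial_expiry_period
    entries: Dict[Tuple[str, str, str], GreylistEntry] = field(default_factory=dict)
    autoexempt: Dict[Tuple[str, str], datetime] = field(default_factory=dict)  # (domain, subnet) -> expiry

    def check(self, now, client_ip, mail_from, rcpt_to, *, authenticated=False, exempt_rule=False,
              spam=False, virus=False, content_blocked=False, whitelisted=False) -> str:
        """Run the greylist routine for one delivery attempt, updating the lists."""
        if authenticated or exempt_rule:
            return PASS                        # routine ends; nothing is recorded
        subnet = subnet_of(client_ip)
        ae_key = (sender_domain(mail_from), subnet)
        ae_expiry = self.autoexempt.get(ae_key)   # the autoexempt list is checked first...
        if ae_expiry is not None:
            if now < ae_expiry:
                self.autoexempt[ae_key] = now + self.ttl   # ...and only its TTL is reset
                return PASS
            del self.autoexempt[ae_key]
        key = (subnet, mail_from.lower(), rcpt_to.lower())
        entry = self.entries.get(key)
        if entry is not None and now >= entry.expires_at:
            del self.entries[key]              # no retry in the initial expiry period, or TTL elapsed
            entry = None
        if entry is None:                      # unknown message: record it, ask the sender to retry
            self.entries[key] = GreylistEntry(now + self.greylisting_period, now + self.initial_expiry, now)
            return TEMPFAIL
        entry.last_seen = now
        if entry.status(now) == TEMPFAIL:
            return TEMPFAIL                    # retried too soon
        entry.expires_at = now + self.ttl      # known sender: the entry now lives for the TTL
        if not (spam or virus or content_blocked or whitelisted):
            self.autoexempt[ae_key] = now + self.ttl   # stricter conditions for the broader entry
        return PASS

    def purge(self, now: datetime) -> None:
        """Drop entries whose Expire time has passed."""
        self.entries = {k: e for k, e in self.entries.items() if now < e.expires_at}
        self.autoexempt = {k: t for k, t in self.autoexempt.items() if now < t}


def demo() -> dict:
    """Constructed timeline between the page's example.org and example.com organisations."""
    gl, t0, out = Greylist(), datetime(2008, 9, 4, 9, 0), {}
    alice = ("172.20.120.7", "alice@example.org", "bob@example.com")
    out["first_attempt"] = gl.check(t0, *alice)                                # TEMPFAIL
    out["retry_too_soon"] = gl.check(t0 + timedelta(minutes=5), *alice)        # TEMPFAIL
    out["retry_after_period"] = gl.check(t0 + timedelta(minutes=25), *alice)   # PASS; autoexempt created
    out["same_domain_other_user"] = gl.check(t0 + timedelta(minutes=26), "172.20.120.9",
                                             "carol@example.org", "bob@example.com")        # PASS
    out["subdomain_is_different"] = gl.check(t0 + timedelta(minutes=27), "172.20.120.9",
                                             "dave@sales.example.org", "bob@example.com")   # TEMPFAIL
    frank = ("203.0.113.5", "frank@example.net", "bob@example.com")
    gl.check(t0 + timedelta(hours=1), *frank)                                  # TEMPFAIL, entry created
    out["retry_after_initial_expiry"] = gl.check(t0 + timedelta(hours=6), *frank)  # TEMPFAIL again
    later = t0 + timedelta(days=10, minutes=25, seconds=30)   # alice's greylist entry has expired...
    out["alice_after_greylist_ttl"] = gl.check(later, *alice)  # ...but carol's visit kept the autoexempt alive
    gl.purge(later)
    out["greylist_entries_left"], out["autoexempt_entries_left"] = len(gl.entries), len(gl.autoexempt)
    return out
```

The last two steps of `demo()` illustrate the note above: carol's message matched the autoexempt entry and reset its TTL, alice's greylist entry was never touched again, so after ten days the greylist entry is gone while the autoexempt entry still lets alice through.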

Figure 299: The greylist process (flowchart; image not reproduced). Decision
nodes: Did the client authenticate? Does the message match a greylist exempt
rule? Does the message match an autoexempt record? Does the message match a
greylist entry? Does the sender retry before the initial expiry period elapses?
Does the sender retry before the greylisting period elapses? Is the message
detected as spam? Does the message contain a virus? Is the sender or recipient
whitelisted? Outcomes: continue processing the message; end greylist routine;
reset TTL of matching greylist entry; remove the greylist record; create a
greylist entry; reject message with a temporary fail; set greylist entry expiry
to TTL.

Display
The Display tab enables you to view the current contents of the greylist.
To view the greylist, go to AntiSpam > Greylist > Display.

Figure 300: Greylist

#                    Greylist entry number.
IP                   The subnet of the email server that delivered the message.
Sender               The email message sender’s email address.
Recipient            The email message recipient’s email address.
Status               The action taken on matching messages. If the greylisting period
                     has not elapsed, the action is TEMPFAIL. If the greylisting period
                     has elapsed, the status is PASSTHROUGH.
Time to passthrough  The time and date the greylisting period will elapse is displayed. If
                     the greylisting period has already elapsed, “N/A” is displayed.
Expire               The expiration shows when the entry in the greylist will expire. It is
                     determined by adding the TTL value to the time the last matching
                     message was received.

Searching greylist entries

Greylist entries are listed in order by IP address. You can search for entries based
on sender, recipient, and IP address.

Figure 301: Greylist Search

To search greylist entries

1 Go to AntiSpam > Greylist > Display.
2 Select the Search icon.
3 Enter the search parameters. Use an asterisk (*) to enter partial patterns. Blank
fields will match any value. Regular expressions are not supported.
4 Select Apply.

Exempt
The Exempt tab enables you to configure rules that define email users and other
patterns to exempt email messages from greylisting.
To view the greylist exempt rules list, go to AntiSpam > Greylist > Exempt.

Figure 302: Greylist exempt rules list

#                    The position of the rule in the list. The rule sequence is not
                     important to the way the greylist exempt list works.
Sender Pattern       The complete or partial sender email address to match.
                     If the pattern is listed with a “R/” prefix, it is set to use regular
                     expression syntax. If the pattern is listed with a “-/” prefix, it does not
                     use regular expression syntax.
Recipient Pattern    The complete or partial recipient address to match.
                     If the pattern is listed with a “R/” prefix, it is set to use regular
                     expression syntax. If the pattern is listed with a “-/” prefix, it does not
                     use regular expression syntax.
Sender IP/Netmask    The IP address and netmask of the system attempting to deliver the
                     message. IP address 0.0.0.0/0 matches all IP addresses.
Reverse DNS Pattern  The pattern to compare to the result of a reverse DNS look-up of the
                     IP address of the system delivering the message.
                     If the pattern is listed with a “R/” prefix, it is set to use regular
                     expression syntax. If the pattern is listed with a “-/” prefix, it does not
                     use regular expression syntax.
Modify               Select Edit to modify the rule.
                     Select Delete to delete the rule.
Create New           Create a new greylist exempt rule. For more information, see
                     “Creating and editing greylist exempt rules” on page 412.

Creating and editing greylist exempt rules

Go to AntiSpam > Greylist > Exempt and select Create New to add a new
greylist exempt rule. To edit an existing rule, select the Edit icon of the rule you
want to modify.
No pattern can be left blank in a greylist exempt rule. To have the FortiMail unit
ignore a pattern, enter an asterisk (*) in the pattern field. For example, if you enter
an asterisk (*) in the Recipient Pattern field and do not select Regular Expression,
the asterisk matches all recipient addresses. This eliminates the recipient pattern
as an item used to determine if the rule matches an email message.
When using wildcards, the asterisk (*) matches all patterns in the Sender Pattern,
Recipient Pattern, and Reverse DNS Pattern. If Regular Expression is enabled,
the dot-star (.*) character sequence matches all patterns in these fields.
The IP address 0.0.0.0/0 matches all addresses in the Sender IP/Netmask field.

Figure 303: Create a new greylist exempt rule

Sender Pattern       A complete or partial sender email address to match. The sender
                     address examined by the FortiMail unit is the “mail from:” part of the
                     message envelope.
                     Wildcard characters allow you to enter partial patterns that can match
                     multiple sender email addresses. The asterisk (*) represents one or
                     more characters and the question mark (?) represents any single
                     character.
                     For example, the sender pattern ??@*.com will match messages
                     sent by any user with a two letter user name from any .com domain.
Regular expression   Select to use regular expression syntax instead of wildcards to
                     specify the sender pattern. For more information, see “Using Perl
                     regular expressions” on page 426.
Recipient Pattern    A complete or partial recipient email address to match. The recipient
                     address examined by the FortiMail unit is the “rcpt to:” part of the
                     message envelope.
                     Wildcard characters allow you to enter partial patterns that can match
                     multiple recipient email addresses. The asterisk (*) represents one or
                     more characters and the question mark (?) represents any single
                     character.
                     For example, the recipient pattern *@example.??? will match
                     messages sent to any user at example.com, example.net,
                     example.org, or any other “example” domain ending with a
                     three-letter top-level domain.
Regular expression   Select to use regular expression syntax instead of wildcards to
                     specify the recipient pattern. For more information, see “Using Perl
                     regular expressions” on page 426.
Sender IP/Netmask    The IP address and netmask of the system attempting to deliver the
                     message. Use the netmask, the portion after the slash (/), to specify
                     the matching subnet.
                     For example, enter 10.10.10.10/24 to match a 24 bit subnet, or all
                     addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in
                     the greylist exempt list, with the 0 indicating that any value is
                     matched in that position of the address.
                     Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match
                     only the 10.10.10.10 address. Enter 0.0.0.0/0 to match any address.
Reverse DNS Pattern  A pattern to compare to the result of a reverse DNS look-up of the
                     IP address of the system delivering the message.
                     Host addresses are easy to spoof, so the FortiMail unit does not trust
                     the host address a client reports. Rather, the FortiMail unit does a DNS
                     lookup of the client’s IP address. The returned host address is
                     compared to the reverse DNS pattern for a match.
                     Wildcard characters allow you to enter partial patterns that can match
                     multiple reverse DNS lookup results. The asterisk (*) represents one
                     or more characters and the question mark (?) represents any single
                     character.
                     For example, the reverse DNS pattern mail*.com will match messages
                     delivered by a client with a hostname starting with “mail” and ending
                     with “.com”.
Regular expression   Select to use regular expression syntax instead of wildcards to
                     specify the reverse DNS pattern. For more information, see “Using
                     Perl regular expressions” on page 426.

Example: Greylisting
The Example Corporation uses greylisting to reduce the quantity of spam they
receive.
The greylist exempt list rules used by the fictional Example Corporation are shown
in Figure 304. Example Corporation uses a FortiMail unit in gateway mode. The
only protected domain, example.com, is configured in Mail Settings > Domains.

Note: This example rule set is designed to illustrate how greylist exempt rules operate. This
is not a list of recommended rules.

Figure 304: A sample greylist exempt list.

Rule 1
Example Corporation has a number of foreign offices. Email from these offices
does not need to be greylisted. The mail server IP addresses vary, though their
hostnames all begin with “mail” and end with “example.com”.
The rule uses the recipient pattern and the reverse DNS pattern. All email sent to
users at example.com delivered by a mail server with a hostname beginning
with “mail” and ending with “example.com” is exempt from the greylist routine.
These email messages are not delayed by greylisting.

Rule 2
The Example Corporation works closely with its subsidiary, example.org. Mail from
any of the example.org mail servers does not need to be greylisted. All of these
servers have IP addresses within the 172.20.120.0/24 subnet and have a
hostname of mail.example.org.
The rule uses the recipient pattern, sender IP/netmask, and reverse DNS pattern.
Messages to example.com users sent from a client with a hostname of
mail.example.org and an IP address between 172.20.120.1 and 172.20.120.255
are exempt from the greylist routine.
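
The field semantics in Figure 303 and the two rules of the Example Corporation above can be checked with a small matcher. The following is an added example, not FortiMail code: the wildcard grammar follows the page (an asterisk is one or more characters, a question mark exactly one), the netmask is normalised the way the list displays it, all four fields must match, rule order is irrelevant, and the reverse DNS result is passed in as a constructed string rather than looked up.

```python
"""Added example (not Fortinet code): a matcher for greylist exempt rules with
the field semantics documented above, tried against the fictional Example
Corporation's Rule 1 and Rule 2.  Reverse DNS results are constructed inputs,
not live lookups."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Documented wildcard syntax: '*' is one or more characters, '?' exactly one."""
    parts = [".+" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class Pattern:
    text: str
    regex: bool = False          # the "Regular expression" check box

    def matches(self, value: str) -> bool:
        if self.regex:           # Perl-style regular expression, unanchored like Perl's match
            return re.search(self.text, value, re.IGNORECASE) is not None
        return wildcard_to_regex(self.text).match(value) is not None

    def display(self) -> str:
        """How the list shows the pattern: R/ for regex, -/ for wildcards."""
        return ("R/" if self.regex else "-/") + self.text


@dataclass(frozen=True)
class ExemptRule:
    sender: Pattern
    recipient: Pattern
    sender_ip: str               # "address/bits"; stored normalised as the list shows it
    reverse_dns: Pattern

    def __post_init__(self):
        # 10.10.10.10/24 is listed as 10.10.10.0/24; 0.0.0.0/0 matches every address
        object.__setattr__(self, "sender_ip", str(ip_network(self.sender_ip, strict=False)))

    def matches(self, mail_from: str, rcpt_to: str, client_ip: str, ptr_name: str) -> bool:
        """All four fields must match.  ptr_name is the reverse DNS result for client_ip,
        not the host name the client announced, which is easy to spoof."""
        return (self.sender.matches(mail_from)
                and self.recipient.matches(rcpt_to)
                and ip_address(client_ip) in ip_network(self.sender_ip)
                and self.reverse_dns.matches(ptr_name))


def is_exempt(rules: Iterable[ExemptRule], mail_from, rcpt_to, client_ip, ptr_name) -> bool:
    """Rule order is irrelevant: any matching rule exempts the message from greylisting."""
    return any(r.matches(mail_from, rcpt_to, client_ip, ptr_name) for r in rules)


# Figure 304's two rules, as the text describes them (patterns as they would be typed).
RULE_1 = ExemptRule(Pattern("*"), Pattern("*@example.com"), "0.0.0.0/0", Pattern("mail*example.com"))
RULE_2 = ExemptRule(Pattern("*"), Pattern("*@example.com"), "172.20.120.0/24", Pattern("mail.example.org"))
EXAMPLE_RULES = (RULE_1, RULE_2)


if __name__ == "__main__":
    # Constructed deliveries to example.com users
    print(is_exempt(EXAMPLE_RULES, "ann@foreign.example.net", "bob@example.com",
                    "198.51.100.4", "mail3.tokyo.example.com"))   # Rule 1: any IP, mail*example.com
    print(is_exempt(EXAMPLE_RULES, "sub@example.org", "bob@example.com",
                    "172.20.120.200", "mail.example.org"))         # Rule 2
    print(is_exempt(EXAMPLE_RULES, "sub@example.org", "bob@example.com",
                    "172.20.121.5", "mail.example.org"))           # outside the /24: not exempt
```

Because the netmask is applied before comparison, a rule typed as 10.10.10.10/24 is stored and displayed as 10.10.10.0/24, exactly as the Sender IP/Netmask description says.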

AutoExempt
The AutoExempt tab displays the list of senders that have been automatically
exempted from greylisting.
To view the list of automatically exempted senders, go to AntiSpam > Greylist >
AutoExempt.

Figure 305: The greylist autoexempt list

#        Autoexempt list entry number.
IP       The subnet of the email server that delivered the message.
Sender   The sender domain.
Expire   The expiration shows when the entry in the autoexempt list will
         expire. It is determined by adding the TTL value to the time the last
         matching message was received.

Searching greylist autoexempt entries

Greylist autoexempt entries are listed in order by the sender domain. You can
search for entries based on sender domain and IP address.

Figure 306: Autoexempt list search

To search autoexempt list entries

1 Go to AntiSpam > Greylist > AutoExempt.
2 Select the Search icon.
3 Enter the search parameters. Use an asterisk (*) to enter partial patterns. Blank
fields will match any value. Regular expressions are not supported.
4 Select Apply.

Settings
The Settings tab enables you to configure time intervals associated with
greylisting.
To configure greylisting intervals, go to AntiSpam > Greylist > Settings.

Figure 307: Greylist settings

TTL                 The TTL (time to live) setting determines how long each entry will
                    be retained in the FortiMail unit’s greylist and autoexempt list.
                    Once recognized by the greylist or autoexempt list, any subsequent
                    messages sent with the same address information will reset the TTL
                    count of the matching entry. For example, if the TTL value is 36
                    days, a sender’s greylist entry will never expire if he or she sends a
                    message every 30 days. Every time the greylist routine recognizes
                    the sender’s address information, the TTL count is reset and starts
                    counting down from 36 days.
                    If the TTL elapses without a matching message being delivered, the
                    greylist or autoexempt list entry expires and is deleted.
                    Select a value between 1 and 60 days. The default value is 10 days.
Greylisting period  Enter the length of time the FortiMail unit will continue to reject
                    unknown messages. After this time expires, any resend attempts
                    will add the known message attributes to the greylist and possibly
                    the autoexempt list, with subsequent messages delivered
                    immediately.
                    Select a value between 1 and 120 minutes. The default value is
                    20 minutes.

Note: You can change the 4 hour initial expiry period for resending an unknown message
by using the CLI. For more information, see the CLI command set as greylist
initial_expiry_period in the FortiMail CLI Reference.

Sender Reputation
The Sender Reputation submenu enables you to view the current reputation score
of senders.
Sender reputation is an antispam measure requiring no maintenance or attention.
If a sender delivers email including spam, viruses, or a large number of invalid
users, the sender reputation feature will automatically take measures against
them.
The sender reputation feature records the IP address of each client delivering
mail. For each client IP address, this feature records:
• the total number of messages delivered
• the number of messages detected as spam
• the number of messages infected with viruses or worms
• the total number of recipients
• the number of invalid recipients.
The FortiMail unit then determines a sender’s reputation score, primarily using two
ratios. First, the FortiMail unit compares the number of good messages to the
number of bad messages (spam or email with viruses or worms). Second, the
FortiMail unit compares the total number of recipients to the number of bad
recipients. The sender reputation score uses email information up to twelve hours
old, and recent email influences the score calculation more than older mail. The
score itself ranges from 0 to 100, with 0 representing a completely acceptable
sender, and 100 being a totally unacceptable sender.
The sender reputation score is compared to three thresholds, as defined in the
active session profile. If the sender is “well behaved,” the score will fall below the
first threshold. The sender can connect and deliver email with no sender
reputation restrictions.
• Throttle is the first threshold. A sender reputation score above this value will
limit the number of messages accepted per hour. The session profile includes
a field where you can enter the maximum number of messages, and a second
field where you can enter the percentage of the messages received in the last
hour. The throttle limit will be the larger of these two.
• Temporary fail is the second threshold. With a sender reputation score above
this value, the FortiMail unit will not allow a connection from the client,
returning a temporary fail error.
• Reject is the final threshold. With a sender reputation score above this value,
the FortiMail unit will not allow a connection from the client, returning a reject
message.
If more than 12 hours pass without an email delivery from a client, the client’s
sender reputation record is deleted. If that client delivers email afterwards, the
FortiMail unit treats the client as a new one.
For more information on enabling sender reputation and a description of the
settings in the antispam profile, see “AntiSpam” on page 241.
The Sender Reputation menu includes the following tab:
• Display
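
The bookkeeping above (per-client counters, two ratios, a twelve-hour window that favours recent mail, a 0 to 100 score compared against three thresholds, and a throttle limit that is the larger of two session-profile fields) is shown below as an added example. It is not FortiMail code: the page gives the inputs but not the scoring formula, so the hourly weights and the averaging of the two ratios are assumptions of this example, as are the threshold values.

```python
"""Added example (not Fortinet code): the per-client counters and the
three-threshold decision described above.  The page states the inputs (two
ratios, a 12-hour window weighted toward recent mail, a 0-100 score) but not
the formula, so the hourly weights and the averaging of the two ratios are
assumptions; the threshold and throttle fields mirror the session profile."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

WINDOW_HOURS = 12


@dataclass
class HourBucket:
    messages: int = 0
    bad_messages: int = 0          # detected as spam, or carrying a virus or worm
    recipients: int = 0
    invalid_recipients: int = 0


@dataclass
class Thresholds:
    """Session profile fields (values here are constructed)."""
    throttle: int = 30
    tempfail: int = 60
    reject: int = 80
    throttle_max_messages: int = 50   # first throttle field: messages per hour
    throttle_percent: int = 10        # second field: percentage of last hour's messages


@dataclass
class SenderRecord:
    buckets: Dict[int, HourBucket] = field(default_factory=dict)   # hour number -> counts
    last_delivery_hour: Optional[int] = None
    state: str = "Score controlled"   # Edit state can force Throttled, Blacklisted or Whitelisted

    def observe(self, hour: int, messages: int, bad: int, recipients: int, invalid: int) -> None:
        b = self.buckets.setdefault(hour, HourBucket())
        b.messages += messages
        b.bad_messages += bad
        b.recipients += recipients
        b.invalid_recipients += invalid
        self.last_delivery_hour = hour
        for old in [h for h in self.buckets if hour - h >= WINDOW_HOURS]:
            del self.buckets[old]

    def expired(self, now_hour: int) -> bool:
        """More than 12 hours without a delivery: the record is deleted, the client starts fresh."""
        return self.last_delivery_hour is None or now_hour - self.last_delivery_hour > WINDOW_HOURS

    def score(self, now_hour: int) -> int:
        """0 = completely acceptable, 100 = totally unacceptable.  Assumed weighting:
        an hour that is `age` hours old counts WINDOW_HOURS - age times."""
        msgs = bad = rcpts = invalid = 0.0
        for hour, b in self.buckets.items():
            age = now_hour - hour
            if 0 <= age < WINDOW_HOURS:
                w = WINDOW_HOURS - age
                msgs += w * b.messages
                bad += w * b.bad_messages
                rcpts += w * b.recipients
                invalid += w * b.invalid_recipients
        bad_ratio = bad / msgs if msgs else 0.0
        invalid_ratio = invalid / rcpts if rcpts else 0.0
        return round(100 * (bad_ratio + invalid_ratio) / 2)


def throttle_limit(t: Thresholds, messages_last_hour: int) -> int:
    """Hourly limit: the larger of the fixed maximum and the percentage of last hour's mail."""
    return max(t.throttle_max_messages, messages_last_hour * t.throttle_percent // 100)


def decide(rec: SenderRecord, now_hour: int, t: Thresholds) -> Tuple[str, Optional[int]]:
    """Return (action, hourly limit or None).  A forced state overrides the score."""
    last_hour = rec.buckets.get(now_hour, HourBucket()).messages
    forced = {"Whitelisted": ("accept", None), "Blacklisted": ("reject", None),
              "Throttled": ("throttle", throttle_limit(t, last_hour))}
    if rec.state in forced:
        return forced[rec.state]
    s = rec.score(now_hour)
    if s > t.reject:
        return "reject", None
    if s > t.tempfail:
        return "tempfail", None
    if s > t.throttle:
        return "throttle", throttle_limit(t, last_hour)
    return "accept", None


def demo() -> dict:
    """Constructed records; hour numbers are arbitrary integers."""
    t, out = Thresholds(), {}
    clean = SenderRecord()
    clean.observe(100, 200, 0, 300, 0)
    out["clean"] = (clean.score(100), decide(clean, 100, t))          # (0, ("accept", None))
    spammer = SenderRecord()
    spammer.observe(100, 100, 100, 100, 100)
    out["spammer"] = (spammer.score(100), decide(spammer, 100, t))    # (100, ("reject", None))
    turned = SenderRecord()                   # clean an hour ago, all bad now: recent hour weighs more
    turned.observe(99, 100, 0, 100, 0)
    turned.observe(100, 100, 100, 100, 100)
    out["turned_bad"] = (turned.score(100), decide(turned, 100, t))   # (52, ("throttle", 50))
    bulk = SenderRecord()                     # 1000 messages this hour, 40% bad: 10% of 1000 beats 50
    bulk.observe(100, 1000, 400, 1000, 400)
    out["bulk"] = decide(bulk, 100, t)                                 # ("throttle", 100)
    spammer.state = "Whitelisted"
    out["forced_whitelist"] = decide(spammer, 100, t)                  # ("accept", None)
    out["expired"] = (spammer.expired(112), spammer.expired(113))      # (False, True)
    return out
```

The `turned_bad` record shows why recency matters: with equal weights its score would be 50, but the newer hour counts for more, so the same counts score 52 and cross the throttle threshold.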

Display
The Display tab displays a list of senders, including the current sender reputation
score for each sender.
To view the list of sender reputations, go to AntiSpam > Sender Reputation.

Figure 308: Display

Page up icon    Select to view the previous page.
Page down icon  Select to view the next page.
Search icon     Select to search for sender reputation records based on IP address,
                sender reputation score, and/or time.
View Lines      Select the number of sender reputation records displayed per page.
Total Lines     The total number of sender reputation records in the list.
Edit state      The default of Disable locks the state of all the sender reputation
                records. Selecting Enable allows the admin to choose any record’s
                state regardless of the client’s sender reputation score.
#               The sender reputation entry number.
IP              The IP address of the client.
Score           The client’s current sender reputation score.
State           If Edit state is enabled, the admin can force a client to be throttled,
                blacklisted, or whitelisted regardless of the client’s current sender
                reputation score. This applies the selected threshold condition until the
                client’s record expires and is deleted from the table.
                The default value, Score controlled, uses the sender’s reputation score
                to determine what action is taken, if any.
                Score Controlled  When the state is set to Score Controlled, the
                                  FortiMail unit will compare the sender reputation
                                  score to the thresholds set in the session profile
                                  to determine how the client will be handled.
                Throttled         The volume of email accepted from the client will
                                  be limited. The session profile includes a field
                                  where the admin can enter the maximum
                                  number of messages, and a second field where
                                  the admin can enter the percentage of the
                                  number of messages received in the last hour.
                                  The throttle limit will be the larger of these two.
                Blacklisted       Connection attempts from this client will be
                                  denied with a reject error. The Last Modified time
                                  will not be updated, therefore the record is
                                  deleted 12 hours after the last successful
                                  connection attempt. Any connection attempt
                                  after the record is deleted will create a new
                                  record with default settings.

                Whitelisted       Mail deliveries from this client will be permitted
                                  without restriction regardless of the sender
                                  reputation score. The Last Modified time will not
                                  be updated, therefore the record is deleted 12
                                  hours after the last successful connection
                                  attempt before being set to Whitelisted. Any
                                  connection attempt after the record is deleted will
                                  create a new record with default settings.
Last Modified   The time and date the sender reputation score was most recently
                modified.

Note: Although client sender reputation records are valid for only 12 hours after last
contact, the record may still appear in the sender reputation table after that time. Visible
entries older than 12 hours are considered invalid until they are removed or replaced.

MSISDN Reputation
The MSISDN Reputation submenu enables you to configure MSISDN blacklisting
and whitelisting.
When used on a mobile phone network, the FortiMail unit can examine text
messages for spam. If a user sends multiple spam messages, all messages from
the user will be blocked for a time. The number of spam messages and the length
of time further messages will be blocked are configurable.
An MSISDN is the number associated with a SIM card on a mobile network. The
MSISDN reputation feature identifies message senders by their MSISDN.
The multimedia messaging service (MMS) protocol transmits graphics,
animations, audio, and video between mobile phones. There are eight interfaces
defined for the MMS standard, referred to as MM1 through MM8. MM3 uses
SMTP to transmit messages to and from mobile phones. Because it can be used
to transmit content, MMS can also be used to send spam.
If you enable MSISDN Reputation checking in the session profile, the FortiMail
unit scans MM3 messages for spam, and automatically blacklists repeat
offenders. If a sender sends more than a defined number of spam messages
within the auto blacklist window, the sender will be blacklisted and further
messages will be blocked for the auto blacklist duration period. The Auto blacklist
score trigger value (the number of spam messages), Auto blacklist Window Size
(the time during which the spam messages are detected), and the Auto blacklist
duration (the length of time the MSISDN is auto blacklisted), are all configurable.
For more information about configuring the auto blacklist duration, see “Settings”
on page 422. For more information about configuring the Auto blacklist score
trigger value and the Auto blacklist duration, see “Auto Blacklist” on page 419.
In addition to the auto blacklist, senders can be manually blacklisted and their
messages will be blocked indefinitely. Senders can also be manually added to the
exempt list to prevent auto blacklisting.
The MSISDN Reputation menu includes the following tabs:
• Auto Blacklist
• Blacklist
• Exempt
• Settings
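
The auto blacklist behaviour described above (a score trigger, a window in which spam messages are counted, and a blacklist duration, plus manual blacklist and exempt entries) can be modelled as a sliding window per MSISDN. The following is an added example, not FortiMail code: the default values are constructed rather than FortiMail defaults, the spam verdict is passed in by the caller, and the clock is an explicit parameter. It also handles the case the Auto Blacklist tab describes, where a duration of zero keeps the MSISDN blocked only while the window still holds more spam than the trigger.

```python
"""Added example (not Fortinet code): a sliding-window model of MSISDN auto
blacklisting with the three settings named above.  Default values here are
constructed, not FortiMail defaults, and the clock is passed in explicitly."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Set

REJECT = "REJECT"      # MM3 message refused because the MSISDN is blacklisted
PASS = "PASS"          # handed on to the antispam scan


class MsisdnReputation:
    def __init__(self, score_trigger: int = 3, window: timedelta = timedelta(minutes=10),
                 duration: timedelta = timedelta(hours=1)) -> None:
        self.score_trigger = score_trigger    # Auto blacklist score trigger value
        self.window = window                  # Auto blacklist Window Size
        self.duration = duration              # Auto blacklist duration; zero means the "N/A" mode
        self.spam_times: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.auto_until: Dict[str, datetime] = {}   # MSISDN -> end of auto blacklist (duration > 0)
        self.blacklist: Set[str] = set()      # manual: blocked indefinitely
        self.exempt: Set[str] = set()         # manual: never auto blacklisted

    def score(self, msisdn: str, now: datetime) -> int:
        """Score column: spam messages from the MSISDN inside the window."""
        times = self.spam_times[msisdn]
        while times and now - times[0] >= self.window:
            times.popleft()
        return len(times)

    def is_blocked(self, msisdn: str, now: datetime) -> bool:
        if msisdn in self.blacklist:
            return True
        if msisdn in self.exempt:
            return False
        if self.duration > timedelta(0):
            until = self.auto_until.get(msisdn)
            if until is not None and now < until:
                return True
            self.auto_until.pop(msisdn, None)   # duration elapsed: leaves the auto blacklist
            return False
        # Duration of zero: blocked exactly while the window holds more spam than the trigger.
        return self.score(msisdn, now) > self.score_trigger

    def expire(self, msisdn: str, now: datetime) -> str:
        """Expire column: time remaining, or N/A when the duration is zero."""
        if self.duration == timedelta(0):
            return "N/A"
        until = self.auto_until.get(msisdn)
        return str(until - now) if until is not None and now < until else "-"

    def handle_mm3(self, msisdn: str, now: datetime, is_spam: bool) -> str:
        """One MM3 message: reject if blacklisted, otherwise count it if the scan called it spam."""
        if self.is_blocked(msisdn, now):
            return REJECT
        if is_spam and msisdn not in self.exempt:
            self.spam_times[msisdn].append(now)
            if self.score(msisdn, now) > self.score_trigger and self.duration > timedelta(0):
                self.auto_until[msisdn] = now + self.duration
        return PASS

    def move_to(self, msisdn: str, target: str) -> None:
        """The Auto Blacklist tab's Move to action: target is 'blacklist' or 'exempt'."""
        self.auto_until.pop(msisdn, None)
        (self.blacklist if target == "blacklist" else self.exempt).add(msisdn)


def demo() -> dict:
    """Constructed MSISDNs and timeline."""
    t0, out = datetime(2008, 9, 4, 9, 0), {}
    rep = MsisdnReputation()                  # trigger 3, window 10 min, duration 1 h
    for i in range(4):                        # four spam messages in four minutes: 4 > 3
        rep.handle_mm3("+15550100", t0 + timedelta(minutes=i), is_spam=True)
    out["score"] = rep.score("+15550100", t0 + timedelta(minutes=4))                     # 4
    out["blocked_in_duration"] = rep.handle_mm3("+15550100", t0 + timedelta(minutes=30), False)  # REJECT
    out["expire"] = rep.expire("+15550100", t0 + timedelta(minutes=30))                  # "0:33:00"
    out["after_duration"] = rep.handle_mm3("+15550100", t0 + timedelta(hours=1, minutes=4), False)  # PASS
    zero = MsisdnReputation(duration=timedelta(0))
    for i in range(4):
        zero.handle_mm3("+15550101", t0 + timedelta(minutes=i), is_spam=True)
    out["zero_blocked"] = zero.handle_mm3("+15550101", t0 + timedelta(minutes=5), False)  # REJECT
    out["zero_expire"] = zero.expire("+15550101", t0 + timedelta(minutes=5))             # "N/A"
    out["zero_released"] = zero.handle_mm3("+15550101", t0 + timedelta(minutes=11), False)  # PASS: 2 left
    rep.exempt.add("+15550102")
    for i in range(10):
        rep.handle_mm3("+15550102", t0 + timedelta(minutes=i), is_spam=True)
    out["exempt_never_blocked"] = rep.handle_mm3("+15550102", t0 + timedelta(minutes=10), False)  # PASS
    rep.move_to("+15550103", "blacklist")
    out["manual_blacklist"] = rep.handle_mm3("+15550103", t0 + timedelta(days=30), False)  # REJECT
    return out
```

While an MSISDN is blacklisted its messages are rejected before any spam scan, so they do not add to the score; once the duration has elapsed the window is what decides whether the next spam message blacklists the sender again.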

Auto Blacklist
The Auto Blacklist tab displays the current list of automatically blacklisted
MSISDNs.
If the FortiMail unit detects that more spam messages than the auto blacklist
score trigger value have been sent from an MSISDN subscriber within the auto
blacklist window duration, the MSISDN is added to the auto blacklist for the auto
blacklist duration. While on the auto blacklist, all MM3 messages from the
MSISDN will be rejected.
To view the automatic MSISDN reputation blacklist, go to AntiSpam > MSISDN
Reputation > Auto Blacklist.

Figure 309: MSISDN auto blacklist

Page Up/Page Down  View the next/previous page.
Search             Search for an MSISDN in the list.
View Lines         The number of lines to display per page.
Total Lines        The total number of lines in the MSISDN auto blacklist.
Delete             Delete all the selected MSISDN entries.
Move to            Move the selected MSISDN entries to the blacklist or exempt list.
#                  MSISDN reputation auto blacklist entry number.
MSISDN             The MSISDN subscriber number.
Score              The number of messages detected as spam from the MSISDN in
                   the auto blacklist window.
Expire             The time remaining in the auto blacklist duration. When this time
                   expires, the MSISDN is removed from the auto blacklist. If the auto
                   blacklist duration is set to zero, the length of time the MSISDN
                   remains blacklisted depends purely on the number of spam messages
                   sent during the auto blacklist window size. In this case, the Expire
                   time will be listed as N/A.

Blacklist
The Blacklist tab enables you to manually blacklist MSISDNs. The users
associated with the MSISDN numbers listed on the blacklist will have their text
messages blocked as long as their MSISDN appears on the blacklist.
To view the MSISDN reputation blacklist, go to AntiSpam > MSISDN
Reputation > Blacklist.

Figure 310: MSISDN reputation blacklist

Page Up/Page Down  View the next/previous page.
Search             Search for an MSISDN in the list.
View Lines         The number of lines to display per page.
Total Lines        The total number of lines in the MSISDN blacklist.
#                  MSISDN reputation blacklist entry number.
MSISDN             The MSISDN subscriber number.
Modify             Select Edit to modify the entry.
                   Select Delete to delete the entry.

Adding an MSISDN to the blacklist

To add an MSISDN to the blacklist, go to AntiSpam > MSISDN Reputation >
Blacklist and select Create New.

Figure 311: Add an MSISDN to the blacklist

MSISDN       Type the MSISDN in this field and select Add to add it to the
             MSISDN List.
MSISDN List  The MSISDN List displays every MSISDN you have added while in
             this window. You can delete any MSISDN in the MSISDN list by
             selecting it and selecting Delete.
OK           Select OK to add every MSISDN in the MSISDN list to the
             blacklist.
Cancel       Select Cancel to discard the MSISDN List and return to the
             blacklist.

Exempt
The Exempt tab enables you to manually exempt MSISDNs from MSISDN
reputation-based blacklisting.
You can exempt a user from MSISDN reputation checking by adding their
MSISDN to the exempt list. The users associated with the MSISDN numbers
listed on the exempt list will never be auto blacklisted.
To view the MSISDN reputation exempt list, go to AntiSpam > MSISDN
Reputation > Exempt.

Figure 312: The MSISDN reputation exempt list

Page Up/Page Down  View the next/previous page.
Search             Search for an MSISDN in the list.
View Lines         The number of lines to display per page.
Total Lines        The total number of lines in the MSISDN exempt list.
#                  MSISDN reputation exempt entry number.
MSISDN             The MSISDN subscriber number.
Modify             Select Edit to modify the entry.
                   Select Delete to delete the entry.
Create New         Select to add an MSISDN to the MSISDN reputation exempt list.

Adding an MSISDN to the exempt list

To add an MSISDN to the exempt list, go to AntiSpam > MSISDN Reputation >
Exempt and select Create New.

Figure 313: Add an MSISDN to the exempt list

MSISDN       Type the MSISDN in this field and select Add to add it to the
             MSISDN List.
MSISDN List  The MSISDN List displays every MSISDN you have added while in
             this window. You can delete any MSISDN in the MSISDN list by
             selecting it and selecting Delete.
OK           Select OK to add every MSISDN in the MSISDN list to the exempt
             list.
Cancel       Select Cancel to discard the MSISDN List and return to the exempt
             list.

Settings
The Settings tab enables you to configure the MSISDN reputation auto blacklist
window size. The MSISDN reputation feature has three settings: the auto
blacklist score trigger value, the auto blacklist window size, and the auto
blacklist duration.
If the number of spam messages given by the auto blacklist trigger value is sent
from an MSISDN within the auto blacklist window duration, the MSISDN is auto
blacklisted and all messages it sends are rejected for the auto blacklist duration.
MSISDN reputation is enabled in the session profile. The auto blacklist score
trigger and the auto blacklist duration are configured in the session profile. For
more information, see “Session” on page 287.
To configure the MSISDN reputation auto blacklist Window Size, go to
AntiSpam > MSISDN Reputation > Settings.

Figure 314: MSISDN reputation settings

Auto blacklist Window Size  MSISDN reputation functions by detecting whether a sender is
                            responsible for more than a certain number of spam messages
                            within the auto blacklist window duration. This duration is set by
                            specifying the Auto blacklist Window Size in minutes.

Bounce Verification
The Bounce Verification submenu enables you to configure bounce message
verification.
Spammers sometimes use the email addresses of others as the from address in
their spam email messages. When the spam cannot be delivered, a delivery
status notification message, or a bounce message, is returned to the sender,
which in this case isn’t the real sender. Because the invalid bounce message is
from a valid mail server, it can be very difficult to detect as invalid.
You can combat this problem with bounce verification. The FortiMail unit performs
bounce verification by adding a tag to the beginning of the envelope sender email
address of all sent messages. The envelope sender email address will look
something like this:
prvs=1234567890user1@example.com
The sender email address is user1@example.com and everything before it is the
bounce message tag. The tag will be different for every email message, uniquely
identifying the message to the FortiMail unit.
If the email message cannot be delivered, the bounce message will be addressed
to the same tagged email address. The FortiMail unit will validate the tag and
allow the bounce message through. Should a bounce message arrive without a
tag or with a tag that does not validate, it will be subject to the action that has been
configured for invalid bounce messages.

Note: Bounce verification applies a tag to every outgoing email message, but only the
envelope Mail From: address is tagged. The sender address in the email header is not
affected so neither the email sender nor the email recipient will see the address tag.

Bounce message verification identifies bounce messages by a missing envelope
Mail From: email address. Email messages sent with email clients or webmail will
always have an envelope Mail From: email address.
Some spam messages do not include an envelope Mail From: email address and
bounce verification will treat them as bounce messages. The spam will not have
the proper tag so it will be subject to the bounce verification action. Since spam
and invalid bounce messages are equally undesirable, this behavior eliminates
some forms of spam.
Incoming messages are subject to bounce verification when they meet all of these
criteria:
• The message has no envelope Mail From: address.
• Bounce verification is enabled.
• Bypass bounce verification is not enabled in the recipient domain
configuration.
• Bypass bounce verification is not enabled in the session profile matching the
TCP/IP session used to deliver the message.
The Bounce Verification menu includes the following tabs:
• Settings
• Action
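
The mechanism described above (a per-message tag prepended to the envelope sender, validated on the way back in, with the four criteria deciding which incoming messages are checked and a configured action for failures) is shown below as an added example. It is not FortiMail code, and its tag layout is an assumption modelled on the page's prvs=1234567890user1@example.com: a ten-character tag consisting of a three-digit expiry day and seven hex characters of an HMAC over the active key, placed directly after "prvs=". The key list, active key, tag lifetime and action mirror the Settings and Action tabs of this submenu.

```python
"""Added example (not Fortinet code): envelope-sender tagging and bounce
verification as described in this submenu.  The tag layout (3-digit expiry day
plus 7 hex characters of an HMAC, 10 characters in all, straight after "prvs="
as in the page's prvs=1234567890user1@example.com) is an assumption modelled
on that example, not FortiMail's format."""
import hashlib
import hmac
from datetime import date
from typing import Dict, Optional, Tuple

TAG_LEN = 10


class BounceVerifier:
    def __init__(self, tag_lifetime_days: int = 7, action: str = "Reject") -> None:
        self.keys: Dict[str, Optional[date]] = {}   # key text -> Last Used
        self.active_key: Optional[str] = None
        self.tag_lifetime = tag_lifetime_days        # "Bounce Verification Tag will expire after"
        self.action = action                         # Reject, Discard or "Use AntiSpam Profile Setting"

    def create_key(self, text: str, active: bool = False) -> None:
        if text in self.keys:
            raise ValueError("no two keys can use the same text")
        self.keys[text] = None
        if active:
            self.active_key = text                   # deactivates the previously active key

    def delete_key(self, text: str) -> None:
        if text == self.active_key:
            raise ValueError("only inactive keys can be deleted")
        del self.keys[text]

    def _sig(self, key: str, expiry_day: int, address: str) -> str:
        msg = f"{expiry_day:03d}|{address.lower()}".encode()
        return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()[:TAG_LEN - 3]

    def tag_sender(self, mail_from: str, today: date) -> str:
        """Tag the envelope Mail From of an outgoing message with the active key.
        The header From: is left alone, so neither party sees the tag."""
        if self.active_key is None:
            raise RuntimeError("bounce verification needs an active key")
        expiry_day = (today.toordinal() + self.tag_lifetime) % 1000   # wraps every 1000 days
        return f"prvs={expiry_day:03d}{self._sig(self.active_key, expiry_day, mail_from)}{mail_from}"

    def verify_tag(self, rcpt_to: str, today: date) -> Tuple[str, str]:
        """Return (VALID | EXPIRED | INVALID, original address).  Every listed key is tried."""
        if not rcpt_to.startswith("prvs=") or len(rcpt_to) <= 5 + TAG_LEN:
            return "INVALID", rcpt_to
        tag, original = rcpt_to[5:5 + TAG_LEN], rcpt_to[5 + TAG_LEN:]
        if not tag[:3].isdigit():
            return "INVALID", original
        expiry_day = int(tag[:3])
        if (expiry_day - today.toordinal()) % 1000 > self.tag_lifetime:
            return "EXPIRED", original               # expiry day already passed (modulo the wrap)
        for key in self.keys:
            if hmac.compare_digest(self._sig(key, expiry_day, original), tag[3:]):
                self.keys[key] = today               # Last Used column
                return "VALID", original
        return "INVALID", original

    def handle_incoming(self, mail_from: str, rcpt_to: str, today: date, *, enabled: bool = True,
                        domain_bypass: bool = False, session_bypass: bool = False) -> str:
        """Apply the four criteria for bounce verification, then the configured action."""
        if mail_from != "" or not enabled or domain_bypass or session_bypass:
            return "NOT_SUBJECT"                     # handled like any other incoming message
        status, _ = self.verify_tag(rcpt_to, today)
        return "DELIVER" if status == "VALID" else self.action


def demo() -> dict:
    """Constructed walk-through: tag, verify, tamper, expire, rotate keys."""
    v = BounceVerifier(tag_lifetime_days=7)
    v.create_key("first-key", active=True)
    d0 = date(2008, 9, 4)
    tagged = v.tag_sender("user1@example.com", d0)
    out = {"tag_shape_ok": tagged.startswith("prvs=") and tagged.endswith("user1@example.com")
           and len(tagged) == 5 + TAG_LEN + len("user1@example.com")}
    out["valid"] = v.verify_tag(tagged, d0)[0]
    out["last_day"] = v.verify_tag(tagged, date.fromordinal(d0.toordinal() + 7))[0]
    out["expired"] = v.verify_tag(tagged, date.fromordinal(d0.toordinal() + 8))[0]
    tampered = tagged[:8] + ("a" if tagged[8] != "a" else "b") + tagged[9:]   # flip one HMAC character
    out["tampered"] = v.verify_tag(tampered, d0)[0]
    out["good_bounce"] = v.handle_incoming("", tagged, d0)
    out["untagged_bounce"] = v.handle_incoming("", "user1@example.com", d0)
    out["normal_mail"] = v.handle_incoming("someone@example.net", "user1@example.com", d0)
    out["domain_bypass"] = v.handle_incoming("", tagged, d0, domain_bypass=True)
    v.create_key("second-key", active=True)          # rotate: the old key stays listed for now
    out["after_rotation"] = v.verify_tag(tagged, d0)[0]
    out["first_key_last_used"] = v.keys["first-key"].isoformat()
    v.delete_key("first-key")
    out["after_old_key_deleted"] = v.verify_tag(tagged, d0)[0]
    return out
```

The rotation steps at the end of `demo()` are the point of the advice under Settings: a tag made with the old key still verifies while that key remains in the list, and fails as soon as the key is deleted, so the old key should be kept until every tag made with it has expired.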

Settings
The Settings tab enables you to create and activate bounce verification keys.
The active key in the list is used to generate tags for all outgoing messages. You
can create multiple keys but only one can be marked active at any time. Incoming
messages are checked against all listed keys. The keys can be in any order.
If you delete a key, any bounce messages with a tag generated when that key was
active will fail verification. After activating a new key, keep the previously
active key until any message tags generated with the old key expire.
To view the bounce verification key list and configure bounce verification, go to
AntiSpam > Bounce Verification > Settings.

Figure 315: Bounce verification settings

Key                         The key string. This can be any arbitrary string of text.
Status                      The active key is designated with a green icon and the
                            inactive keys show a red icon.
Last Used                   The date and time indicates when the key was last used to
                            verify an incoming bounce message.
Modify                      Select the activate icon to make the selected key the active
                            key. Select the delete icon to delete the key. Only inactive
                            keys can be modified.
Enable Bounce Verification  Select to enable bounce verification. This is a system-wide
                            setting, though bounce verification can be bypassed for each
                            domain and within each session profile.
                            For more information about bypassing bounce verification at
                            the domain level, see “Domains” on page 180. For more
                            information about bypassing bounce verification at the
                            session level, see “Session Configuration” on page 287.
Bounce Verification Tag     The specified number of days after creation, bounce
will expire after           message tags will expire and fail validation.
Keys will be automatically  Inactive keys will be removed after being unused for the
removed                     selected time period. The active key will not be automatically
                            removed.

Creating a bounce verification key


For the bounce verification feature to work correctly, an active key must be
created. To create a bounce verification key, go to AntiSpam >
Bounce Verification > Settings and select Create New. Bounce verification keys
are used as a randomizing element when creating the tag for each outgoing
message.

Figure 316:Creating a bounce verification key

Key: Enter a string of text. This is used in the creation of the bounce
verification tag created for each message. No two keys can use the same text.
Status: If set to active, this new key will be set to active upon creation,
deactivating the previously active key. The active key is used to generate tags
for outgoing messages.

Action
The Action tab enables you to configure the action that the FortiMail unit will
perform on an incoming bounce message that fails verification and may be spam.
To set the action that the FortiMail unit will take when an email message fails
bounce verification, go to AntiSpam > Bounce Verification > Settings.

Figure 317:Bounce verification action

Reject: A bounce message failing verification will be rejected. The message will
not be delivered and the system sending the message will be sent an error in
response to the delivery attempt.
Discard: A bounce message failing verification will be accepted and then silently
deleted. The message will not be delivered and the system sending the message
will not be notified.
Use AntiSpam Profile Setting: A bounce message failing verification will be
handled according to the default action set in the applicable antispam profile.
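The key-rotation rules described in this section (one active key generating tags, incoming bounces checked against every listed key, tags expiring after the configured number of days, the previous key kept until its tags have expired) are easier to reason about in code. The following simulation is an added example written for this section, not FortiMail's own code; the guide does not document the FortiMail tag format, so the BATV-style prvs= layout, the HMAC-SHA256 construction, the 12-hex-digit truncation and the 7-day lifetime are assumptions of the example.

```python
"""Bounce verification with rotating keys (added illustration, not FortiMail's implementation)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

DAY = 86400  # seconds in a day; a tag carries the day number on which it was generated


@dataclass
class BounceKey:
    secret: str                         # the arbitrary key string the administrator entered
    active: bool = False                # exactly one listed key is active at a time
    last_used: Optional[float] = None   # when the key last verified an incoming bounce


class BounceVerifier:
    def __init__(self, tag_lifetime_days: int = 7) -> None:
        # tag_lifetime_days plays the role of "Bounce Verification Tag will expire after";
        # the default of 7 days is an assumption of this example.
        self.keys: list[BounceKey] = []
        self.tag_lifetime = tag_lifetime_days * DAY

    def add_key(self, secret: str, active: bool = False) -> None:
        if any(k.secret == secret for k in self.keys):
            raise ValueError("no two keys can use the same text")
        self.keys.append(BounceKey(secret))
        if active:
            self.activate(secret)

    def activate(self, secret: str) -> None:
        # Activating one key deactivates the previously active key; the old key stays listed.
        for k in self.keys:
            k.active = k.secret == secret

    def delete_key(self, secret: str) -> None:
        # Only inactive keys can be deleted. Tags generated with a deleted key stop verifying.
        if any(k.secret == secret and k.active for k in self.keys):
            raise ValueError("the active key cannot be deleted")
        self.keys = [k for k in self.keys if k.secret != secret]

    @staticmethod
    def _mac(secret: str, day: int, address: str) -> str:
        # Keyed hash over the day number and the original sender address (assumed construction).
        data = f"{day}|{address}".encode()
        return hmac.new(secret.encode(), data, hashlib.sha256).hexdigest()[:12]

    def tag_sender(self, address: str, now: float) -> str:
        """Tag the envelope sender of an outgoing message using the active key."""
        active = next(k for k in self.keys if k.active)
        day = int(now // DAY)
        local, domain = address.split("@", 1)
        # BATV-style layout (assumed): prvs=<day><mac>=<original local part>@<domain>
        return f"prvs={day:05d}{self._mac(active.secret, day, address)}={local}@{domain}"

    def verify_bounce(self, rcpt: str, now: float) -> bool:
        """Return True when the bounce's recipient carries a valid, unexpired tag."""
        if not rcpt.startswith("prvs="):
            return False                      # an untagged bounce fails verification
        try:
            _, tag, original = rcpt.split("=", 2)
            day, mac = int(tag[:5]), tag[5:]
        except ValueError:
            return False                      # malformed tag
        if now - day * DAY > self.tag_lifetime:
            return False                      # tag is older than the configured lifetime
        # Incoming bounces are checked against every listed key, whatever its order or status.
        for key in self.keys:
            if hmac.compare_digest(self._mac(key.secret, day, original), mac):
                key.last_used = now
                return True
        return False


if __name__ == "__main__":
    v = BounceVerifier()
    v.add_key("first-key", active=True)
    t0 = 19675 * DAY
    tagged = v.tag_sender("alice@example.com", t0)   # alice@example.com is a constructed address
    print(tagged, v.verify_bounce(tagged, t0 + DAY))
```

Rotating a key in the example means adding the new key as active while leaving the old key listed; verify_bounce keeps accepting the old tags until delete_key removes the key or the tag lifetime passes, which is the grace period the Settings text describes. An untagged, tampered or expired bounce fails verification and would then be handled by the action chosen on the Action tab.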

Configuring PDF scanning


Spammers sometimes disguise their email by entering the message content in a
PDF attachment. Most detection methods do not examine the contents of PDF
files for spam, so they do not recognize the messages containing them as spam.
You can use the FortiMail PDF option in combination with FortiMail antispam
scanners (banned word, heuristic, and image spam) to combat this spam.
Selecting the PDF option makes the first page of each PDF attachment available
for scanning, but the actual scanning will not take place until you also select one
or more of the three antispam scanners in the antispam profile.
If the PDF option is disabled, no PDF scanning will occur. Other antispam
scanners may still detect the message as spam based on the sender, envelope,
or message header, but any PDF attachments will not be examined.


For more information on enabling the PDF option and a description of the settings
in the antispam profile, see “PDF” on page 257.

Using Perl regular expressions


Access control rules and greylist exempt rules can include wildcards or Perl
regular expressions. Dictionary profiles support only regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl
regular expressions.

Regular expression versus wildcard match pattern


A wildcard character is a special character that represents one or more other
characters. The most commonly used wildcard characters are the asterisk (*),
which typically represents zero or more characters, and the question mark (?),
which typically represents any one character.
In Perl regular expressions, the “.” character refers to any single character. It is
similar to the “?” character in a wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom,
fortinetccom, and so on.
To match a special character such as “.” or “*”, use the escape character “\”. For
example:
• To match fortinet.com, the regular expression should be: fortinet\.com
In Perl regular expressions, “*” means match the character before it 0 or more
times, not 0 or more times of any character. For example:
• forti*.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use “.*”, where “.” means any character
and the “*” means 0 or more times. The wildcard match pattern forti*.com should
therefore be written as the regular expression forti.*\.com.

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary.
For example, the regular expression “test” not only matches the word “test” but
also any word that contains “test” such as “attest”, “mytest”, “testimony”, “atestb”.
The notation “\b” specifies the word boundary. To match exactly the word “test”,
the expression should be \btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the web and antispam
filters. To make a word or phrase case insensitive, use the regular expression /i.
For example, /bad language/i will block all instances of “bad language”,
regardless of case.
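The three points above (an unescaped dot matching any character, “*” applying only to the character before it, the missing implicit word boundary, and the /i option) can be checked directly. The following is an added example written for this guide in Python, whose re module accepts the Perl-style constructs shown here; it is not FortiMail code. wildcard_to_regex, whole_word, hits and the sample domain and word lists are constructed for the illustration.

```python
"""Wildcards versus Perl-style regular expressions (added illustration, not FortiMail code)."""
from __future__ import annotations

import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard match pattern into the equivalent regular expression.

    '*' (zero or more characters) becomes '.*', '?' (any one character) becomes '.',
    and every other character, including '.', is escaped so that it matches literally.
    Like the expressions in the guide, the result is not anchored: it matches anywhere
    in the string unless you add '^' and '$' yourself.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def whole_word(word: str) -> str:
    """Regular expression matching `word` only as a complete word (word-boundary anchors)."""
    return rf"\b{re.escape(word)}\b"


def hits(regex: str, candidates: list[str], ignore_case: bool = False) -> list[str]:
    """Return the candidates in which the regex matches somewhere (ignore_case is the /i option)."""
    compiled = re.compile(regex, re.IGNORECASE if ignore_case else 0)
    return [c for c in candidates if compiled.search(c)]


# Constructed sample inputs for the demonstration (not from the guide).
DOMAINS = ["fortinet.com", "fortinetacom", "fortiiii.com", "forti.com", "fortinet.com.example.net"]
WORDS = ["test", "attest", "mytest", "testimony", "atestb", "Test"]


def demo() -> dict[str, list[str]]:
    """Run the guide's examples and report which candidates each pattern matched."""
    return {
        "fortinet.com": hits("fortinet.com", DOMAINS),        # '.' is any character
        r"fortinet\.com": hits(r"fortinet\.com", DOMAINS),    # escaped: a literal dot
        "forti*.com": hits("forti*.com", DOMAINS),            # '*' repeats the 'i'
        "wildcard forti*.com": hits(wildcard_to_regex("forti*.com"), DOMAINS),
        "test": hits("test", WORDS),                          # no implicit word boundary
        r"\btest\b": hits(whole_word("test"), WORDS),
        r"/\btest\b/i": hits(whole_word("test"), WORDS, ignore_case=True),
    }


if __name__ == "__main__":
    for pattern, matched in demo().items():
        print(f"{pattern:22} -> {matched}")
```

Note that even the escaped form fortinet\.com matches fortinet.com.example.net, because the expression is not anchored; where a pattern must match the whole value, add the ^ and $ anchors from Table 19.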

Regular expression syntax


Table 19 lists some example regular expressions and describes the matches for each
expression. Regular expressions on FortiMail units use Perl-style syntax.

Table 19: Regular expression syntax

Expression   Matches
abc          “abc” (the exact character sequence, but anywhere in the string)
^abc         “abc” at the beginning of the string
abc$         “abc” at the end of the string
a|b          Either of “a” and “b”
^abc|abc$    The string “abc” at the beginning or at the end of the string
ab{2,4}c     “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c      “a” followed by at least two “b”s followed by a “c”
ab*c         “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c         “a” followed by one or more “b”s followed by a “c”
ab?c         “a” followed by an optional “b” followed by a “c”; that is, either
             “abc” or “ac”
a.c          “a” followed by any single character (not newline) followed by a “c”
a\.c         “a.c” exactly
[abc]        Any one of “a”, “b” and “c”
[Aa]bc       Either of “Abc” and “abc”
[abc]+       Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”,
             “acbabcacaa”)
[^abc]+      Any (nonempty) string which does not contain any of “a”, “b”, and “c”
             (such as “defg”)
\d\d         Any two decimal digits, such as 42; same as \d{2}
/i           Makes the pattern case insensitive. For example, /bad language/i
             blocks any instance of “bad language” regardless of case.
\w+          A “word”: a nonempty sequence of alphanumeric characters and low
             lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk     The strings “100” and “mk” optionally separated by any amount of
             white space (spaces, tabs, newlines)
abc\b        “abc” when followed by a word boundary (for example, in “abc!” but
             not in “abcd”)
perl\B       “perl” when not followed by a word boundary (for example, in
             “perlert” but not in “perl stuff”)
\x           Tells the regular expression parser to ignore white space that is
             neither preceded by a backslash character nor within a character
             class. Use this to break up a regular expression into (slightly)
             more readable parts.
/x           Used to add regular expressions within other text. If the first
             character in a pattern is a forward slash (/), the “/” is treated as
             the delimiter. The pattern must contain a second “/”. The pattern
             between the two “/” characters will be taken as a regular expression,
             and anything after the second “/” will be parsed as a list of regular
             expression options (“i”, “x”, etc). An error occurs if the second “/”
             is missing. In regular expressions, leading and trailing space is
             treated as part of the regular expression.

Example regular expressions

To block any word in a phrase


/block|any|word/

To block purposely misspelled words


Spammers often insert other characters between the letters of a word to fool spam
blocking software.
/^.*v.*i.*a.*g.*r.*o.*$/i
/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i

To block common spam phrases


The following phrases are some examples of common phrases found in spam
messages.
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i
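The /pattern/options notation used in these examples is the one described in the /x row of Table 19. As an added example (not FortiMail code), the following Python parses that notation, compiles the expressions from this section and runs them over constructed subject lines. compile_slashed, matching_expressions, report and the subject lines are assumptions of the example, and Python's re module stands in for the Perl engine.

```python
"""Parsing /pattern/options expressions and running the guide's examples
(added illustration, not FortiMail code)."""
from __future__ import annotations

import re

OPTIONS = {"i": re.IGNORECASE, "x": re.VERBOSE}   # the two options named in Table 19


def compile_slashed(expr: str) -> re.Pattern:
    """Compile an expression written the way Table 19 describes.

    If the first character is '/', it is the delimiter: the text up to the next '/'
    is the pattern and everything after that '/' is a list of options. A missing
    second '/' is an error. Without a leading '/', the whole text is the pattern,
    leading and trailing spaces included.
    """
    if not expr.startswith("/"):
        return re.compile(expr)
    end = expr.find("/", 1)
    if end == -1:
        raise ValueError(f"second '/' missing in {expr!r}")
    pattern, options = expr[1:end], expr[end + 1:]
    flags = 0
    for opt in options:
        if opt not in OPTIONS:
            raise ValueError(f"unknown option {opt!r} in {expr!r}")
        flags |= OPTIONS[opt]
    return re.compile(pattern, flags)


# The example expressions from this section, re-typed as Python raw strings.
EXAMPLES = [
    r"/block|any|word/",
    r"/^.*v.*i.*a.*g.*r.*o.*$/i",
    r"/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i",
    r"/try it for free/i",
    r"/student loans/i",
    r"/you’re already approved/i",
    r"/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i",
]


def matching_expressions(subject: str, expressions: list[str] = EXAMPLES) -> list[str]:
    """Return every expression that matches somewhere in the subject line."""
    return [e for e in expressions if compile_slashed(e).search(subject)]


# Constructed subject lines (not from the guide) used to exercise the expressions.
SUBJECTS = [
    "Try it for FREE today",            # case-insensitive phrase match
    "Your cre-dit line was raised",     # a separator inserted inside "credit"
    "Special_offer just for you",       # the same trick with an underscore
    "Quarterly budget review",          # legitimate mail: nothing should match
    "Vital aging research overview",    # legitimate mail that the loose ".*" pattern still hits
]


def report() -> dict[str, list[str]]:
    """Map each sample subject to the expressions that matched it."""
    return {subject: matching_expressions(subject) for subject in SUBJECTS}


if __name__ == "__main__":
    for subject, matched in report().items():
        print(f"{subject!r}: {matched}")
```

The last subject line shows the cost of the loose ^.*v.*i.*a.*g.*r.*o.*$ form: it matches any text containing those six letters in that order, so it will also flag legitimate mail. Where a pattern must tolerate inserted characters, a bounded character class between the letters, as in the credit and special offer expressions, keeps the match far narrower.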

Email Archiving
The Email Archiving menu enables you to enable and configure email archiving, and
to manage and search archived email messages.
The Email Archiving menu includes:
• Settings
• Archiving Policy
• Exempt Policy

Settings
The Settings menu enables you to configure an email archive-specific
administrator account, hard disk quota, and other assorted global settings for
email archiving.
The Settings menu includes the following tab:
• Settings

Settings
The Settings tab enables you to configure the FortiMail unit to archive email on
its local hard disk or to a remote storage server.
Before you can archive email, you need to set up and enable the email archiving
account, as described below. The archived emails will be stored under the
archiving account.
When email is archived, you can view and manage the archived email messages.
For more information, see “Managing archived email” on page 430.

To set up and enable the email archiving account


1 Go to Email Archiving > Settings.
2 Enter an email archiving account name and password. The default value for both
fields is “archive”.
3 Enter an email address to receive a copy of any email that the FortiMail unit
archives, if required. When adding a forwarding email, the FortiMail unit will not
forward previously archived email.
4 Select the Email archiving status check box to enable archiving.
5 Specify mailbox rotation size and time.
When the mailbox reaches the rotation size or time specified, whichever comes
first, the mailbox file (mbx file) will be automatically renamed and backed up. The
FortiMail unit will generate a new mailbox file, where it will save the new archived
email. You can still access all the rotated mailboxes when you search the email in
them.

6 Select one of the Archiving options when disk quota is full, either Overwrite, or Do
not archive.
7 Specify an archiving destination, either on the FortiMail local hard drive, or to a
remote storage server.
8 To archive email to the local disk, select Archive to local disk and set the disk
quota.
9 To archive email to a remote server, select Archive to remote host and configure
the following:

Protocol: Select the protocol of the remote host. The FortiMail unit supports the
SFTP and FTP protocols.
IP address: Enter the IP address of the remote host.
User name: Enter the user name for logging in to the remote host.
Password: Enter the password for logging in to the remote host.
Remote directory: Enter the directory on the remote host for archiving email.
Local cache quota: Set the FortiMail unit cache quota. Email messages archived on
a remote host are also cached by the FortiMail unit. This speeds up viewing and
searching cached email.
Remote disk quota: Set the disk quota for the remote host to archive email.

10 Select Apply.

Managing archived email


Once the email messages are archived, you can view and search them. You can
also download them, send them to an email address, and use them to train the
Bayesian databases.
For information on Bayesian databases, see “Training Bayesian databases” on
page 387.
Go to Email Archiving > Settings. Select the Enter link beside View archived
emails, enter the search parameters and select Search. Figure 318 displays a
sample search result.
You can manage the archived emails by accessing the FortiMail unit with the
archiving account via IMAP or POP3. Webmail access with this account is not
available.

Figure 318:Managing archived email


Export: Select to download all the currently selected messages.
Send: Select to send the selected messages to an email address as an mbx file.
Train bayesian database: Select to use the selected messages to train the
Bayesian databases. For more information, see “To train Bayesian databases with
archived mail” on page 432.
New Search: Select to open a new search page.
Previous page/Next page: Select to move through the pages of the archived message
list.
Mark: Select message check boxes and select Mark to mark messages for further
operations. This allows messages across multiple pages to be marked at the same
time.
Unmark: Select a marked message and then Unmark to deselect it.

To search or view archived email


1 Go to Email Archiving > Settings > Settings.
2 Select the Enter link beside View archived emails. A new window opens.
3 To search email, type or select the search parameters to search by content or time
frame, then select Search.

Note: You can search archived email in the current mailbox and the rotated mailboxes
whether email is archived on the local disk or remote host. You can view only the archived
email in the current mailbox on the local disk.

To export archived email


1 Go to Email Archiving > Settings > Settings.
2 Select the Enter link beside View archived emails. A new window opens.
3 Type or select the search parameters to search email by content or time frame,
then select Search.
4 In the search results, select the check boxes of all the messages in the current
window you want exported. If you want all the messages exported, select the
check box above the first message to select all the messages on the current
page.

5 Select Mark. A red check mark appears in the status column for all the previously
selected messages. If a message is mistakenly marked, select the check box and
select Unmark.
6 Continue to subsequent pages of search results and mark all messages to export.
When complete, select Export.
7 A new window opens. To start a new search without exporting, select New Search.
To initiate the download, select Click to download the exported mbx file. You can
choose the mbx filename and location.

To train Bayesian databases with archived mail


1 Go to Email Archiving > Settings > Settings.
2 Select the Enter link beside View archived emails. A new window opens.
3 Type or select the search parameters to search email by content or time frame,
then select Search.
4 In the search results, select the messages you want to use to train the Bayesian
databases. If you are using all the messages for training, select the check box
above the first message to select the check boxes of all the messages on the
current page.
5 Select Mark. A red check mark will appear in the status column for all the
previously selected messages. If a message is mistakenly marked, select the
check box and select Unmark.
6 Select Train bayesian database.
7 Select to use the messages as spam or non-spam email.
8 Select the database you want to train: global, group, or user.
• Global requires no further information.
• For group training, select the domain.
• For user training, select the domain and enter the name of the user.
9 Select OK.

Archiving Policy
The Archiving Policy enables you to configure criteria by which email will be
archived.
The Archiving Policy menu includes the following tab:
• Archiving Policy

Archiving Policy
The Archiving Policy tab enables you to specify the types of email to archive. The
criteria you specify are called policies.
To view the archiving policy list, go to Email Archiving > Archiving Policy >
Archiving Policy.

Figure 319:Archiving policy list

#: The order of archiving policies in the list.
Policy Id: The identification numbers of the policies. IDs are generated by the
FortiMail unit.
Policy Type: The policy type. The five types are pre-defined. See step 3 of “To
set email archiving policies” on page 433.
Pattern: The pattern the FortiMail unit will search for in a location determined
by the chosen policy type.
Email archiving status: The policy status (enabled or disabled).
Modify: Select Delete to remove a policy. Select Edit to change a policy. Select
Move to change the order of the policies in the list.

To set email archiving policies


1 Go to Email Archiving > Archiving Policy > Archiving Policy.
2 Select Create New.
3 Select a Policy Type.
There are five archive policy types:
• Sender address. The FortiMail unit will check the sender email address for the
specified pattern. Use an asterisk (*) as a wildcard when specifying a partial
address.
• Recipient address. The FortiMail unit will check the recipient email address for
the specified pattern. Use an asterisk (*) as a wildcard when specifying a
partial address.
• Keyword in subject. The FortiMail unit will check the message subject for the
specified pattern.
• Keyword in body. The FortiMail unit will check the message body for the
specified pattern.
• Attachment file name. The FortiMail unit will check the filenames of any
message attachments for the specified pattern. Use an asterisk (*) as a
wildcard when specifying a partial filename.
4 Enter a pattern based on the selected policy type.
For example, if you select Sender address as the policy type and enter
*@example.com as the pattern, the FortiMail unit archives all email from the
example.com domain.

Note: The Pattern field can contain an asterisk (*) as a wildcard if the policy type is Sender
address, Recipient address, or Attachment file name.

5 Select Enabled.
6 Select OK.

Exempt Policy
The Exempt Policy menu enables you to exempt email messages from email
archiving.
The Exempt Policy menu includes the following tab:
• Exempt Policy

Exempt Policy
After setting up email archiving policies, you can define further criteria to prevent
the FortiMail unit from archiving certain email.
To view the archiving exempt list, go to Email Archiving > Exempt Policy >
Exempt Policy.

Figure 320:Exempt policy list

#: The order of exempt policies in the list.
Policy Id: The identification numbers of the policies. IDs are generated by the
FortiMail unit.
Policy Type: The policy type. The three types are pre-defined. See step 3 of “To
set exempt policies” on page 434.
Pattern: Specific policy pattern for the chosen policy type.
Email Archiving Status: The policy status (enabled or disabled).
Modify: Select Delete to remove a policy. Select Edit to change a policy. Select
Move to change the order of the policies in the list.

To set exempt policies


1 Go to Email Archiving > Exempt Policy > Exempt Policy.
2 Select Create New.

3 Select a Policy Type.
There are three exempt policy types:
• Sender address. The FortiMail unit will check the sender email address for the
specified pattern. Use an asterisk (*) as a wildcard when specifying a partial
address.
• Recipient address. The FortiMail unit will check the recipient email address for
the specified pattern. Use an asterisk (*) as a wildcard when specifying a
partial address.
• Spam email. The FortiMail unit will not archive any email it determines is spam.
The pattern field is ignored.
4 Enter the policy pattern based on the selected policy type.
For example, select Sender address as the policy type and enter
top20deals@example.com as the pattern. The FortiMail unit will not archive any
email from this address.

Note: The Pattern field can contain an asterisk (*) as a wildcard if the policy type is Sender
address or Recipient address. If the policy type is Spam email, the Pattern field will be
ignored.

5 Select Enabled.
6 Select OK.
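How the archiving policy types and the exempt policy types above interact can be shown in a small evaluator. This is an added example, not FortiMail's implementation: the guide does not state the precedence between the two lists, so the example assumes exempt policies are evaluated first and that address and file-name wildcard matching is case-insensitive. The Message and Policy types, wildcard_match, archive_decision and the sample messages are constructed for the illustration; the patterns themselves are the guide's own examples.

```python
"""Archiving and exempt policy evaluation (added illustration, not FortiMail's implementation)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)   # attachment file names
    is_spam: bool = False                                    # verdict of the antispam scanners


@dataclass
class Policy:
    policy_type: str       # sender, recipient, subject, body, attachment or spam
    pattern: str = ""      # ignored for the "spam" exempt type
    enabled: bool = True


# '*' is a wildcard only for these types; subject and body patterns are plain keywords.
WILDCARD_TYPES = {"sender", "recipient", "attachment"}


def wildcard_match(pattern: str, value: str) -> bool:
    """Whole-value match where '*' stands for any run of characters (case-insensitive, assumed)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def policy_matches(policy: Policy, msg: Message) -> bool:
    """Apply one policy to a message, reading the field that its type selects."""
    if not policy.enabled:
        return False
    if policy.policy_type == "spam":
        return msg.is_spam                      # the Pattern field is ignored
    values = {
        "sender": [msg.sender],
        "recipient": msg.recipients,
        "subject": [msg.subject],
        "body": [msg.body],
        "attachment": msg.attachments,
    }[policy.policy_type]
    if policy.policy_type in WILDCARD_TYPES:
        return any(wildcard_match(policy.pattern, v) for v in values)
    return any(policy.pattern.lower() in v.lower() for v in values)   # keyword search


def archive_decision(msg: Message, archiving: list[Policy], exempt: list[Policy]) -> tuple[bool, str]:
    """Decide whether to archive a message and say which policy decided.

    Exempt policies are evaluated first (assumed precedence), then archiving
    policies in list order; the first match decides.
    """
    for p in exempt:
        if policy_matches(p, msg):
            return False, f"exempt {p.policy_type}: {p.pattern or '(no pattern)'}"
    for p in archiving:
        if policy_matches(p, msg):
            return True, f"archive {p.policy_type}: {p.pattern}"
    return False, "no archiving policy matched"


# The guide's example patterns plus one keyword policy; the messages below are constructed.
ARCHIVING = [Policy("sender", "*@example.com"), Policy("subject", "invoice")]
EXEMPT = [Policy("sender", "top20deals@example.com"), Policy("spam")]

if __name__ == "__main__":
    sample = Message("alice@example.com", ["bob@example.net"], "Hello", "see you at noon")
    print(archive_decision(sample, ARCHIVING, EXEMPT))
```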

Log & Report


The Log & Report menu enables you to configure and view logs and reports.
The FortiMail unit provides extensive logging capabilities for virus incidents, spam
incidents and system events. Detailed log information and reports provide
historical as well as current analysis of network activity to help you identify
security issues and reduce network misuse and abuse.
The Log & Report menu includes:
• Log Setting
• Logging
• Alert Email
• Reports

About FortiMail logging


A FortiMail unit can log many different email activities and traffic including:
• system-related events such as system restarts and HA activity
• antivirus infection and blocking
• spam filtering results
• POP3, SMTP, IMAP and webmail events
For more information about log types, see “Log types” on page 437.
You can customize both the log severity level and the location for storing logs.
There are six severity levels to choose from. For more information, see “Log
message severity levels” on page 438.
The FortiMail unit can save log messages to its hard disk, or to a remote location
such as a Syslog server or FortiAnalyzer™ unit. You can view the log messages
available on the hard disk by using the web-based manager. Customizable filters
enable you to easily locate specific information within the log files.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
details and descriptions of log messages.

Log types
The FortiMail unit logs the following types of information:

Event log: Log all management activity and events, such as administration and HA
activity.
  When configuration has changed: Log all management events, such as
  configuration changes.
  Admin login/logout event: Log all administrative events, such as logins, resets,
  and configuration updates.
  System activity event: Log all system-related events, such as system restart.
  POP3 server event (server mode): Log all POP3 events. This is available when the
  FortiMail unit is in server mode.
  IMAP server event (server mode): Log all IMAP events. This is available when the
  FortiMail unit is in server mode.
  SMTP server event: Log all SMTP server (sendmail) activities.
  Failed update: Log all failed update events.
  Successful update: Log all successful update events.
  HA activity: Log all high availability activity. For more information, see “HA
  log messages, alert email, and SNMP” on page 479.
  Webmail event: Log all webmail events. Webmail acts like a desktop email client,
  such as Microsoft Outlook, but is accessed on the Internet. Hotmail is
  considered a provider of webmail.
Virus Log: Enable logging of all email messages that contain a virus.
  Virus infected: Log all virus infections.
Spam Log: Log all spam.
  Spam detected: Log detected spam.
History: Log the meta-data of the SMTP email messages, including email
successfully or unsuccessfully sent. The history log also enables you to find
all log files.

Log message severity levels


Log messages contain severity levels. A severity level indicates important or
critical events that occur on your network. The FortiMail unit records all log
messages at and above the selected severity level. For example, if you select
Error, the FortiMail unit logs Error, Critical, Alert and Emergency level messages.
Table 20: Log severity levels

Levels Description
0 - Emergency The system has become unusable.
1 - Alert Immediate action is required.
2 - Critical Functionality is affected.
3 - Error An error condition exists and functionality could be affected.
4 - Warning Functionality could be affected.
5 - Notification Information about normal events.
6 - Information General information about system operations.

Log Setting
The Log Setting menu enables you to configure the types of log messages and
storage location of log messages that the FortiMail unit will record.

The FortiMail unit can store logs in various locations, depending on your office
environment and configuration. You can configure the FortiMail unit to log to its
hard disk, a FortiAnalyzer unit, or a Syslog server, or to a combination of these
locations. For example, you can send information logs to a Syslog server and keep
error log messages on the hard disk.
You can also configure the FortiMail unit to log to multiple FortiAnalyzer units and
Syslog servers, ensuring that logs are available at all times.
The Log Setting menu includes the following tab:
• Log Setting

Log Setting
The Log Setting tab enables you to configure the types of log messages to record,
and the location where the FortiMail unit will store them. These log types include
email traffic information, spam detection events, and system activity events.
For more information, see “Logging to the hard disk” on page 439, “Logging to a
Syslog server” on page 440, “Logging to a FortiAnalyzer unit” on page 440, and
“Logging to multiple logging devices” on page 441.

Logging to the hard disk


When configuring logging to the FortiMail hard disk, you need to decide a
maximum log file size and the number of days before the log file rolls (or rotates).
The log file will roll when it reaches either its specified maximum size or time by
starting a new log. A rolled log file has an incremental number, for example, elog1,
elog2, and so on.
The log file size is measured in megabytes and should be 1,000 MB or smaller.
Large log files may affect the performance and search capabilities of the FortiMail
unit.

To configure logging to the hard disk


1 Go to Log & Report > Log Setting.
2 Select Log to Local Disk.
3 Enter a Log file size.
4 Enter the maximum number of days before the current log file rolls, and the new
log file is created.
5 Select a severity level. For information about severity levels, see “Log message
severity levels” on page 438.
6 Select Config Policy.
7 Select from the log types and select OK. For information about log types, see “Log
types” on page 437.
8 Select one of the following:

Overwrite: Select to delete the oldest log entry and continue logging when the
maximum log disk space is reached.
Do not log: Select to stop log messages going to the FortiMail hard disk or other
logging devices when the maximum log disk space is reached.

9 Select Apply.

Logging to a Syslog server


A Syslog server is a remote computer running Syslog software. Syslog is an
industry standard for forwarding log messages in an IP network. Syslog software
is available for Linux, Unix, and Windows systems.
When configuring logging to a Syslog server, you also need to configure the
facility and the format for saving the log messages.
Facility, similar to severity levels, is a user-selectable identifier attached to log
entries from a device. If multiple devices are configured to send logs to a single
Syslog server, setting a different facility on each device makes the source of each
log entry easily identifiable.
You can download log files in one of two formats, Normal and CSV. If you
download a log file in Normal format, the file is saved as a text document,
displaying the log messages in a text-based program such as Notepad. If you
download a log file in CSV format, you can then display the log messages in a
spreadsheet format by using an application such as Microsoft Excel to open it.

To configure FortiMail to send logs to a Syslog server


1 Go to Log & Report > Log Setting.
2 Select the blue arrow to expand Log to Remote Host.
3 Select Remote Host 1 and select the blue arrow to expand the options.
4 Enter the IP address and port number of the remote computer running the syslog
software.
5 Select the severity level. For information about severity levels, see “Log message
severity levels” on page 438.
6 Select Config Policy.
7 Select from the log types and select OK. For information about log types, see “Log
types” on page 437.
8 Select a Facility level that easily identifies each log entry.
9 Enable the CSV format to save log messages in comma delimited text format.
10 Select Apply.

Logging to a FortiAnalyzer unit


You can configure a FortiMail unit to send logs to a FortiAnalyzer unit. Before
proceeding, contact the FortiAnalyzer administrator to make sure the IP address is
correct for connecting to the FortiAnalyzer unit.

To configure a FortiMail unit to send logs to a FortiAnalyzer unit


1 Go to Log & Report > Log Setting.
2 Select the blue arrow to expand the Log to Remote Host options.
3 Select Remote Host 1 and select the blue arrow to expand the options.
4 Enter the IP address and port number of the FortiAnalyzer unit.
5 Select the severity level. For information about severity levels, see “Log message
severity levels” on page 438.
6 Select Config policy.

7 Select from the log types and select OK. For information about log types, see “Log
types” on page 437.
8 Select a Facility level that easily identifies each log entry.
9 Select Apply.

Caution: Do not enable CSV format, because the FortiAnalyzer unit does not support
log messages in comma delimited text format.

After configuring the log settings on the FortiMail unit, you or the FortiAnalyzer
administrator must configure the FortiAnalyzer unit to receive logs sent from the
FortiMail unit. If you need to configure a FortiAnalyzer unit to receive logs, but are
not a FortiAnalyzer administrator, follow the next procedure.

To configure a FortiAnalyzer unit to receive logs from the FortiMail unit


1 Log into the FortiAnalyzer web-based manager.
2 Go to Device > All.
3 Select Add Device.
4 Select FortiMail for the Device Type.
5 Set the following options:

Device Type: Select FortiMail from the device list.
Device Name: Enter a name to represent the FortiMail unit.
Device ID: Enter the serial number of the FortiMail unit. Serial number
information is located in FortiMail by going to System > Status, in the Unit
Information area.
Description: Enter additional information for the FortiMail unit, up to 128
characters long. Description information appears when you hover the mouse over
the name of the FortiMail unit in the devices list.
Allocated Disk Space (MB): Enter the amount of the FortiAnalyzer hard disk that is
allocated to log files.
When Allocated Disk Space is All Used: Select what the FortiAnalyzer unit should
do when the allocated disk space has been reached. Select to overwrite older
files or stop logging.

6 Expand the Device Privileges settings and verify that Allow FortiMail to send logs
is enabled.
7 Expand the Group Membership settings.
8 Select the group or groups where you want to include the Syslog server, and
select the right arrow button to add the Syslog servers to the group.
9 Select OK.

Logging to multiple logging devices


The FortiMail unit can log to multiple Syslog servers or FortiAnalyzer units, as
well as to the local disk. Logging to multiple devices can provide redundancy and
share the log traffic load.
Redundancy keeps logs available if one of the logging devices becomes
unavailable. When multiple log devices share the traffic between themselves,
system performance is better.


You configure redundancy by sending the same log types to different devices, for
example, logging events to the local disk, remote host 1, and remote host 2. You
configure load sharing by sending different log types to different devices, for
example, logging events to remote host 1 and antispam to remote host 2.
You can also configure the FortiMail unit for redundancy and load sharing at the
same time. For example, the local disk can log event, antivirus, antispam, and
history, while remote host 1 logs event and remote host 2 logs antivirus, antispam,
and history. The log types you rely on for incident response, such as the history
and event logs, are the ones to duplicate.
The devices can be of the same kind, such as two FortiAnalyzer units, or of
different kinds, such as one FortiAnalyzer unit and one Syslog server.
For information on configuring a logging device, see “Logging to a Syslog server”
on page 440, and repeat the steps for the secondary device.
If you use FortiAnalyzer units, you must configure each of them to receive logs.
See “To configure a FortiAnalyzer unit to receive logs from the FortiMail unit” on
page 441.

Logging
The Logging menu enables you to view the lists of log files and the log messages
stored in each log file.

Note: You can also view history log messages from System > Status > Status.

By default, the FortiMail unit stores all log files on a local hard disk. To ensure that
the local hard disk has sufficient disk space to store new log messages, you
should regularly download copies of older log files to your management computer
or other storage, and then delete them from the FortiMail unit. For more
information on downloading, deleting, and emptying log files, see “Downloading
log files” on page 450, “Emptying the current log file” on page 451, and “Deleting
rolled log files” on page 451.
The lists of log files for each log type display both the current log file and rolled log
files. When the current log file reaches either the configured maximum log file size
or the maximum age, the FortiMail unit renames the current log file to create a
rolled log file, and then begins a new current log file.
The lists of log files are sorted by the time range of the log messages contained in
the log file, with the most recent log files appearing near the top of the list. For
example, the current log file would appear at the top of the list, above a rolled log
file whose time ranges from “2008-05-08 11:59:36 Thu” to “2008-05-29 10:44:02
Thu”.
You can view log messages contained in a specific log file by selecting either Start
time or End time, or by selecting the View icon. For more information, see
“Viewing log messages” on page 444.


The Logging menu includes the following tabs:


• History
• Event
• AntiSpam
• AntiVirus
Each tab contains a similar display. For example, by selecting the Event tab, you
can view all log files that contain log messages that were recorded due to system
events and activities. For more information about log types, see “Log types” on
page 437.
To view the list of log files, go to Log & Report > Logging, then select a log type
tab, such as History.

Figure 321: Viewing the log file list (Event tab)
(Callouts: Go to next page, Go to previous page, Search, Delete Selected Items, Empty Log, View, Download, Delete)

Go to previous page    Select to view the previous page of the list of log files.
Go to next page    Select to view the next page of the list of log files.
Search    Select to search the log files. For more information, see “Searching log messages” on page 448.
View n lines each page    Select the number of rows to display per page of the list of log files.
Total lines    The total number of rows in the list of log files.
Go to line    To display the log file list page that contains a specific index number (#), enter the number and then select Go.
Delete Selected Items    Mark the checkbox in each row corresponding to a log file that you want to delete, then select Delete Selected Items to remove those log files from the hard disk.
#    The index number of the row in the list of log files.
Start time    The beginning of the log file’s time range.
End time    The end of the log file’s time range.
Size    The size of the log file in bytes.
Action    Select Empty Log to clear the current log file of all log messages. This option appears only for the current log file. For more information, see “Emptying the current log file” on page 451.
Select View to display the log messages in the log file. For more information, see “Viewing log messages” on page 444.
Select Download to download the log file to your management computer. For more information, see “Downloading log files” on page 450.
Select Delete to remove the log file from the hard disk. This option appears only for rolled log files. For more information, see “Deleting rolled log files” on page 451.

Viewing log messages


You can view the log messages contained in any log file, such as the Event log
file, in both a columnar and raw format.
Log messages are always displayed in columnar format, with one log field per
column. However, when viewing this columnar display, you can also view the log
message in raw format by hovering your mouse over the index number of the log
message, in the “#” column, as shown in Figure 322 on page 445.
You can select which columns to display or hide. For details, see “Displaying and
arranging log columns” on page 446.
When hovering your mouse cursor over a log message, that row is temporarily
highlighted; however, this temporary highlight automatically follows the cursor,
and will move to a different row if you move your mouse. To create a row highlight
that does not move when you move your mouse, click anywhere in the row of the
log message.
For information on individual log messages, see the FortiMail Log Message
Reference in the Fortinet Knowledge Center at http://kc.fortinet.com/.

Note: You can also view history log messages on the Status tab. For more information,
see “Status” on page 111.

Note: The web-based manager of the FortiMail unit can only display log messages stored
locally, on the FortiMail unit’s hard disk. For information on viewing FortiMail log messages
stored remotely on either a FortiAnalyzer unit or a Syslog server, see the documentation for
that product.


Figure 322: Viewing log messages
(Callouts: Go to next page, Go to previous page, Search)

Go to previous page    Select to view the previous page of log messages.
Go to next page    Select to view the next page of log messages.
Search    Select to search the log messages. For more information, see “Searching log messages” on page 448.
Level    Select the severity level. The FortiMail unit displays only log messages of the selected severity level or more severe.
Subtype    Select the subtype. The FortiMail unit displays only log messages of that subtype. This option appears only when viewing event log messages.
View n lines each page    Select the number of log messages to display per page.
Total lines    The total number of log messages in the log file.
Go to line    To display the page that contains a specific log message index number (#), enter the number and then select Go.
Choose Columns    Select to add or remove the log field columns that are displayed. For more information, see “Displaying and arranging log columns” on page 446.

Using the Level drop-down menu, you can restrict the display to log messages of a
given severity level or more severe; when viewing event log messages, the Subtype
drop-down menu additionally restricts the display to one value of the subtype log
field. The following tables describe each option of the Level and Subtype
drop-down menus.


Table 21: Level drop-down list options

Emergency    Displays only log messages at the Emergency severity level, the most severe level.
Alert    Displays log messages at the Alert severity level or more severe.
Critical    Displays log messages at the Critical severity level or more severe.
Error    Displays log messages at the Error severity level or more severe.
Warning    Displays log messages at the Warning severity level or more severe.
Notification    Displays log messages at the Notification severity level or more severe.
Information    Displays log messages at the Information severity level or more severe, that is, all log messages.

Table 22: Subtype drop-down list options

ALL    Displays all log messages, without filtering by subtype.
Configuration    Displays only log messages containing “configuration” in the subtype log field.
Admin User    Displays only log messages containing “admin user” in the subtype log field.
Web Mail    Displays only log messages containing “webmail” in the subtype log field.
System    Displays only log messages containing “system” in the subtype log field.
HA    Displays only log messages containing “HA” in the subtype log field.
Update Failure    Displays only log messages containing “Update Failure” in the subtype log field.
Update Success    Displays only log messages containing “Update Success” in the subtype log field.
POP3    Displays only log messages containing “POP3” in the subtype log field.
IMAP    Displays only log messages containing “IMAP” in the subtype log field.
SMTP    Displays only log messages containing “SMTP” in the subtype log field.
OTHERS    Displays only log messages whose subtype log field contains a value other than those listed above, from Configuration to SMTP.

To view log messages


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to a log file whose log messages
you want to view, select View.
Alternatively, in the row corresponding to a log file whose messages you want to
view, select either Start time or End time.
Log messages contained in that log file appear.

Displaying and arranging log columns

When viewing log messages in the columnar display, you can display, hide, and
re-order columns to show only the log fields you need, in your preferred order.
Available columns vary by log type.


Figure 323:Displaying and arranging log columns

To display or hide columns


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to a log file whose log messages
you want to view, select View.
Alternatively, in the row corresponding to a log file whose messages you want to
view, select either Start time or End time.
4 Select Choose Columns.
Lists of available and displayed columns for the log type appear.
5 Select which columns to hide or display.
• In the Hidden Columns area, select the names of the columns you want to
display, then select Add-> to move them to the Displayed Columns area.
• In the Displayed Columns area, select the names of the columns you want to
hide, then select <-Remove to move them to the Hidden Columns area.
6 Select Apply.

To change the order of the columns


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to a log file whose log messages
you want to view, select View.
Alternatively, in the row corresponding to a log file whose messages you want to
view, select either Start time or End time.
4 Select Choose Columns.
Lists of available and displayed columns for the log type appear.
5 In the Displayed Columns area, select a column name whose order of
appearance you want to change.


6 Select Move Up or Move Down to move the column in the ordered list.
Placing a column name towards the top of the Displayed Columns list will move
the column to the left side of the log message display.
7 Select Apply.

Searching log messages


You can search the log messages to quickly find specific log messages in a log
file, rather than browsing the entire contents of the log file.
Search appearance, like log fields, varies by log type.

Note: Some email processing such as mail routing and subject line tagging modifies the
recipient email address, the sender email address, and/or the subject line of an email
message. If you are searching for log messages by these attributes, enter your search
criteria using text exactly as it appears in the log messages, not in the email message. For
example, you might send an email message from sender@example.com; however, if you
have configured mail routing on the FortiMail unit or other network devices, this address, at
the time it was logged by the FortiMail unit, may have been sender-1@example.com. In
that case, you would search for sender-1@example.com instead of sender@example.com.

Figure 324:Searching the log messages (History log)

Figure 325:Searching the log messages (Event log)


Figure 326:Searching the log messages (AntiVirus log)

Figure 327:Searching the log messages (AntiSpam log)

To search log messages


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to the log file, select View to
display the contents of the log file.
4 Select Search.
5 Enter your search criteria by configuring one or more of the following:

Keyword    Enter any word or words to search for within the log messages. For example, you might enter “starting daemon” to locate all log messages containing that exact phrase in any log field.
Message    Enter all or part of the message log field.
Subject    Enter all or part of the subject line of the email message as it appears in the log message. This option appears only for the History log type.
From    Enter all or part of the sender’s email address as it appears in the log message. This option does not appear for the Event log type.
To    Enter all or part of the recipient’s email address as it appears in the log message. This option does not appear for the Event log type.
Session Id    Enter all or part of the session ID in the log message.
Log Id    Enter all or part of the log ID in the log message.
Client Name    Enter all or part of the domain name or IP address of the SMTP client. For email users connecting to send email, this is usually an IP address rather than a domain name. For SMTP servers connecting to deliver mail, this is often a domain name. This option appears only for the History log type.
Time    Select the time span of log messages to include in the search results. For example, to search only log messages recorded during the two weeks and 8 hours before the current date, specify the current date and a span of two weeks and 8 hours before that date.

6 Select Apply.
The FortiMail unit searches your currently selected log file for log messages that
match your search criteria, and displays any matching log messages. For
example, if you are currently viewing a rolled history log file, the search locates all
matching log messages located in that specific rolled history log file.

Downloading log files


You can download log files to your management computer. Downloading log files
can be useful if you want to view log messages on your management computer, or
if you want to download a backup copy of log files to another location before
deleting them from the FortiMail unit’s hard disk.

To download a log file


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to the log file that you want to
download, select Download.
4 Select one of the following:

Normal format    Downloads the log file in plain (ASCII) text format with a file extension of .log. You can view this format in a plain text editor such as Microsoft Notepad.
CSV format    Downloads the log file in comma-separated value (CSV) format with a file extension of .csv. You can view this format in a spreadsheet application such as Microsoft Excel.
Compressed format    Downloads a compressed file with a file extension of .gz. The compressed file contains the log file in plain text format, with no file extension. If your management computer is running Microsoft Windows or another operating system that requires file extensions, rename the extracted log file to add a .log or .txt file extension so that your operating system can open it.

If your web browser prompts you for the location to save the file, browse to select
or enter the name of the folder.
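The Level filter, the search criteria, and the download formats described in the preceding sections can be reproduced offline against a downloaded log file. The following script is an added example written for this edition; it is not code from the FortiMail product or from this guide. It assumes that a downloaded log consists of space-separated key=value pairs with quoted values (the layout of the constructed sample in the block; the real field names may differ), that the .gz download can be recognised by its gzip magic bytes, and that rolled log files are named with a pair of timestamps as in the deletion dialog shown later in this chapter. It keeps messages at the chosen severity level or more severe, computes the Time span as a window before a date, and searches the sender address as it was logged (sender-1@example.com rather than sender@example.com), which is the caveat the search note above makes.

```python
"""Offline filter for a downloaded FortiMail log file (added example, not
FortiMail code). Assumes key=value lines with quoted values and rolled log
file names of the form <timestamp>_<timestamp>.alog."""
import gzip
import shlex
from datetime import datetime, timedelta

# Severity levels in the order of the Level drop-down; a lower index is more severe.
LEVELS = ["emergency", "alert", "critical", "error", "warning",
          "notification", "information"]
RANK = {name: index for index, name in enumerate(LEVELS)}

# Constructed sample log (not a captured FortiMail log). Field names follow the
# search criteria and column names used by the web-based manager.
SAMPLE_LOG = """\
date=2008-06-16 time=14:40:02 log_id=0001000001 type=event subtype=admin pri=information msg="User admin logged in from 192.0.2.10"
date=2008-06-16 time=14:41:17 log_id=0002000003 type=history subtype=smtp pri=information session_id=k5GEfH1a001234 from="sender-1@example.com" to="user@example.net" client_name="203.0.113.7" subject="Quarterly report" msg="Accepted"
date=2008-06-16 time=14:42:30 log_id=0002000004 type=history subtype=smtp pri=warning session_id=k5GEfH2b001235 from="spammer@example.org" to="user@example.net" client_name="mail.example.org" subject="cheap meds" msg="Rejected: spam"
date=2008-06-16 time=14:45:15 log_id=0001000009 type=event subtype=system pri=error msg="starting daemon failed: disk full"
"""
# The same sample as the unit's compressed (.gz) download would deliver it.
SAMPLE_GZ = gzip.compress(SAMPLE_LOG.encode())


def read_lines(data):
    """Decode a downloaded .log/.txt or .gz file (detected by the gzip magic bytes)."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return [line for line in data.decode("utf-8", "replace").splitlines() if line.strip()]


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def load_records(data):
    return [parse_line(line) for line in read_lines(data)]


def record_time(record):
    return datetime.strptime(record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")


def time_span(end, weeks=0, days=0, hours=0):
    """Window ending at `end`, e.g. the 'two weeks and 8 hours before' search example."""
    return end - timedelta(weeks=weeks, days=days, hours=hours), end


def search(records, keyword=None, level=None, subtype=None, since=None, until=None, fields=None):
    """Mimic the Search and Level/Subtype controls: `level` keeps messages of that
    severity or more severe; `keyword` is a phrase matched in any field;
    `fields` maps a field name to a substring, e.g. {"from": "sender-1@"}."""
    hits = []
    for record in records:
        if level and RANK.get(record.get("pri"), len(LEVELS)) > RANK[level]:
            continue
        if subtype and record.get("subtype") != subtype:
            continue
        stamp = record_time(record)
        if (since and stamp < since) or (until and stamp > until):
            continue
        if keyword and not any(keyword in value for value in record.values()):
            continue
        if fields and any(needle not in record.get(name, "") for name, needle in fields.items()):
            continue
        hits.append(record)
    return hits


def rolled_range(filename):
    """Start and end of a rolled log file taken from its name; the two timestamps
    may appear in either order, so sort them."""
    stem = filename.rsplit(".", 1)[0]
    stamps = sorted(datetime.strptime(part, "%Y-%m-%d-%H:%M:%S") for part in stem.split("_"))
    return stamps[0], stamps[-1]


def files_covering(filenames, since, until):
    """Rolled files whose time range overlaps the search window (what to download)."""
    return [name for name in filenames
            if rolled_range(name)[0] <= until and rolled_range(name)[1] >= since]


if __name__ == "__main__":
    records = load_records(SAMPLE_GZ)
    since, until = time_span(record_time(records[-1]), weeks=2, hours=8)
    for hit in search(records, level="warning", since=since, until=until):
        print(hit["date"], hit["time"], hit["pri"], hit["msg"])
    print(search(records, fields={"from": "sender-1@example.com"})[0]["session_id"])
```

Run it against a real download by replacing SAMPLE_GZ with the bytes of the .log or .gz file; files_covering lets you pick, from the Start time and End time shown in the log file list, which rolled files are worth downloading for a given window before deleting them from the unit.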


Emptying the current log file


You can empty the current log file to remove all of the log messages contained in
that file, without deleting the log file itself. This can be useful in cases such as
when you want to delete all old log messages from the FortiMail unit’s hard disk,
because rolled log files can be deleted but the current log file cannot.

Note: Only the current log file can be emptied. Rolled log files cannot be emptied, but may
be deleted instead. For more information, see “Deleting rolled log files” on page 451.

Caution: Back up the current log file before emptying the current log file. When emptying
! the log file, log messages are permanently removed, and cannot be recovered. For
instructions on how to download a backup copy of the current log file, see “Downloading log
files” on page 450.

To empty the current log file


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 In the Action column, in the row corresponding to the current log file, select Empty
Log.
A confirmation dialog appears, such as:
Are you sure you want to delete: alog?
4 Select OK.

Deleting rolled log files


You can delete rolled log files. This can be useful if you want to free disk space
used by old log files to make disk space available for newer log files.

Note: Only rolled log files can be deleted. Current log files cannot be deleted, but may be
emptied instead. For more information, see “Emptying the current log file” on page 451.

Caution: Back up the current log file before deleting a log file. When deleting a log file, log
! messages are permanently removed, and cannot be recovered. For instructions on how to
download a backup copy of a log file, see “Downloading log files” on page 450.

To delete a rolled log file


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.


3 In the Action column, in the row corresponding to the log file that you want to
delete, select Delete.
A confirmation dialog appears, such as:
Are you sure you want to delete: 2008-06-16-14:45:15_2007-10-16-22:52:20.alog?
4 Select OK.

To delete multiple rolled log files


1 Go to Log & Report > Logging.
2 Select a log type tab, such as History.
3 If you want to delete selected log files, mark the checkbox in each row
corresponding to a log file that you want to delete.
If you want to delete all rolled log files, mark the checkbox in the column heading
for the column that contains checkboxes. This automatically marks all other
checkboxes.
4 Select Delete Selected Items.
A confirmation dialog appears:
Are you sure you want to delete: selected log files?
5 Select OK.

Alert Email
The Alert Email menu enables you to configure the FortiMail unit to notify you by
email message when specific types of events occur and are logged. For example,
if you require notification about virus detections, you can configure the FortiMail
unit to send an alert email message whenever the FortiMail unit detects a virus.
To configure alerts, you must configure both the alert email recipients (see
“Configuration” on page 452) and which events will trigger the FortiMail unit to
send an alert email message (see “Categories” on page 453).
Alert email messages also require that you configure the FortiMail unit with the IP
address of at least one DNS server. The FortiMail unit uses the domain name of
the SMTP server to send alert email messages; to resolve this domain name into
an IP address, the FortiMail unit must be able to query a DNS server. For
information on configuring DNS, see “DNS” on page 133.
The Alert Email menu includes the following tabs:
• Configuration
• Categories

Configuration
The Configuration tab enables you to configure the recipient email addresses for
the alert email message.
Before the FortiMail unit can send alert email messages, you must configure one
or more recipients.


You must also configure which categories of events will cause the FortiMail unit to
send alert email message. For more information, see “Categories” on page 453.

To configure recipients of alert email messages


1 Go to Log & Report > Alert Email > Configuration.
2 In Email To, enter one or more recipient email addresses.
Enter only one email address per field.
3 Select Apply.
A Test button appears below the Email To fields.
4 To verify that alert email is configured correctly by sending a sample alert email to
all configured recipients, select Test.

Categories
The Categories tab enables you to configure which events will cause the FortiMail
unit to send an alert email message.
Before the FortiMail unit can send an alert email message, you must select the
event or events that will cause the FortiMail unit to send an alert email message.
You must also configure alert email message recipients. For more information,
see “Configuration” on page 452.

To select events that will trigger an alert email message


1 Go to Log & Report > Alert Email > Categories.
2 Select one or more of the following event categories:

virus incidents    Select to send an alert email message when the FortiMail unit detects a virus.
critical events    Select to send an alert email message when the FortiMail unit detects a system error that may affect its operation.
disk is full    Select to send an alert email message when the hard disk of the FortiMail unit is full.
remote archiving failures    Select to send an alert email message when the remote archiving feature encounters one or more failures.
HA events    Select to send an alert email message when any high availability (HA) event occurs. When a FortiMail unit is operating in HA mode, the subject line of the alert email includes the host name of the cluster member. If you have configured a different host name for each member of the cluster, this enables you to identify which FortiMail unit in the HA cluster sent the alert email message. For more information, see “HA log messages, alert email, and SNMP” on page 479.
disk quota of an account is exceeded    Select to send an alert email message when an email user’s account exceeds its quota of hard disk space. This option is available only if the FortiMail unit is in server mode.
dictionary is corrupted    Select to send an alert email message when a dictionary is corrupt.
system quarantine quota is full    Select to send an alert email message when the system quarantine reaches its quota of hard disk space. For more information on the system quarantine, see the description of the System quarantine tab on page 371.
deferred emails # over n, interval time n minutes    Select to send an alert email message when the deferred email queue contains more than this number of email messages. Enter a number between 1 and 10000 to define the alert threshold, then enter the interval of time, in minutes, between alert email messages that the FortiMail unit sends while the number of email messages in the deferred email queue remains over this limit.

3 Select Apply.
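The behaviour of the last category over time, as an added example that is not FortiMail code: a throttled threshold alert that fires once when the deferred queue first exceeds the limit, repeats no more often than the configured interval while the queue stays over it, and re-arms as soon as the queue drops back under. The per-minute sampling loop, the constructed queue lengths, and the layout of the alert message (with the unit's host name in the subject, as the HA events category describes) are assumptions made for the example.

```python
"""Throttled threshold alert modelled on the 'deferred emails # over n,
interval time n minutes' category (added example, not FortiMail code)."""
from datetime import datetime, timedelta
from email.message import EmailMessage


class DeferredQueueAlert:
    """Send at most one alert per `interval_minutes` while the deferred queue
    stays above `threshold`, and re-arm as soon as it drops back under."""

    def __init__(self, threshold, interval_minutes):
        if not 1 <= threshold <= 10000:          # the range the Categories tab accepts
            raise ValueError("threshold must be between 1 and 10000")
        if interval_minutes < 1:
            raise ValueError("interval must be at least one minute")
        self.threshold = threshold
        self.interval = timedelta(minutes=interval_minutes)
        self.last_sent = None

    def check(self, queue_length, now):
        """Return True when an alert is due for this sample."""
        if queue_length <= self.threshold:
            self.last_sent = None                 # below the limit: the next excursion alerts at once
            return False
        if self.last_sent is None or now - self.last_sent >= self.interval:
            self.last_sent = now
            return True
        return False                              # still over the limit, but inside the interval


def build_alert(host_name, recipients, queue_length, threshold, now):
    """Alert message whose subject carries the sending unit's host name, so that
    cluster members with distinct host names can be told apart (assumed layout)."""
    msg = EmailMessage()
    msg["Subject"] = f"[{host_name}] deferred email queue {queue_length} over {threshold}"
    msg["To"] = ", ".join(recipients)
    msg.set_content(f"At {now:%Y-%m-%d %H:%M:%S} the deferred queue held "
                    f"{queue_length} messages (limit {threshold}).")
    return msg


def alert_times(samples, threshold, interval_minutes):
    """Run the alert over (timestamp, queue_length) samples; return when alerts fire."""
    alert = DeferredQueueAlert(threshold, interval_minutes)
    return [stamp for stamp, length in samples if alert.check(length, stamp)]


# Constructed queue-length samples, one per minute, for a threshold of 500 and a
# 10 minute interval: a 23 minute excursion, a dip under the limit, a second excursion.
START = datetime(2008, 6, 16, 14, 0)
SAMPLE_QUEUE = [(START + timedelta(minutes=m), length) for m, length in enumerate(
    [120, 480, 650, 700, 720, 710, 690, 680, 660, 650, 640, 630, 620, 610, 600,
     590, 580, 570, 560, 550, 540, 530, 520, 510, 505, 400, 300, 800, 900, 250])]

if __name__ == "__main__":
    for stamp in alert_times(SAMPLE_QUEUE, threshold=500, interval_minutes=10):
        print(stamp.strftime("%H:%M"), "alert sent")
    print(build_alert("fortimail-1", ["ops@example.com"], 650, 500, START + timedelta(minutes=2)))
```

With the constructed samples the alert fires at 14:02, 14:12 and 14:22 during the first excursion, not at 14:23 or 14:24 because the interval has not elapsed, and again at 14:27 as soon as the queue climbs back over the limit after the dip.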

Reports
The Reports menu enables you to configure and view reports.
FortiMail units can collate information collected from their log files and present it
in tabular and graphical reports.
FortiMail units require log files and a report profile to be able to generate a report.
A report profile is a group of settings that contains the report name, file format,
subject matter, and other aspects that the FortiMail unit considers when
generating the report. For information on configuring a report profile, see
“Configuring a report profile” on page 458.

Note: In addition to viewing full reports, you can also view summary email statistics. For
more information, see “Mail Statistics” on page 120.

Note: Generating reports can be resource intensive. To avoid email processing
performance impacts, you may want to generate reports during times with low email traffic
volume, such as at night. For more information on scheduling the generation of reports, see
“Configuring the schedule of a report profile” on page 460.

The Reports menu includes the following tabs:

• Browse
• Config

Browse reports
The Browse tab displays a list of reports that have been generated from the report
profiles. You can delete, view, and/or download generated reports.
FortiMail units can generate reports automatically, according to the schedule that
you configure in the report profile, or manually, when you select Run Report in the
report profile list. For more information, see “Config” on page 457.
To view the list of generated reports, go to Log & Report > Reports > Browse.


Figure 328: Browsing generated reports
(Callouts: Go to next page, Go to previous page, Delete Selected Items, Delete, Download HTML, Download PDF)

Go to previous page    Select to view the previous page of the list of generated reports.
Go to next page    Select to view the next page of the list of generated reports.
View n lines each page    Select the number of reports displayed on each page.
Total lines    The total number of rows in the list of generated reports.
Go to line    Type the line number you want to display, then select Go.
Delete Selected Items    In the column containing checkboxes, mark the checkbox in each row corresponding to a report that you want to delete, then select Delete Selected Items.
Line #    The index number of the row in the list of generated reports.
Report Files    The name of the generated report, and the date and time at which it was generated. For example, “Report 1-2008-03-31-2112” is a report named “Report 1”, generated on March 31, 2008 at 9:12 PM. To view the report in HTML format, select the name of the report. To view only an individual section of the report in HTML format, select “+” next to the report name to expand the list of HTML files that comprise the report, then select one of the file names.
Last Access Time    The date and time when the FortiMail unit completed generating the report.
Size (bytes)    The file size of the report in HTML format.
Action    Select Delete to remove the report.
Select Download HTML to download a compressed (.tgz) archive containing the report in HTML file format to your management computer.
Select Download PDF to download the report in PDF file format to your management computer.

Viewing a generated report


After you have generated a report from a report profile, you can view it in any of its
configured file format outputs.


For HTML file format report output, each Query Selection in the report profile,
such as Spam by Recipient, becomes a separate HTML file, such as
“Spam_Recipient.html”. You can view the report either as individual HTML files, or
as a frame that contains all of the individual HTML files, where each section
corresponds to one of the Query Selections that you enabled.

Figure 329: Viewing a generated report (HTML file format, all sections)

To view a generated report


1 Go to Log & Report > Reports > Browse.
2 If you want to view the report in PDF file format, in the Action column, in the row
corresponding to the report that you want to view, select Download PDF.
3 If you want to view the report in HTML file format, you can view all sections of the
report together, or you can view a section individually.
• To view all report sections together, in the row corresponding to the report that
you want to view, select the name of the report, such as “treportprofile-2008-
06-27-1039”.
• To view one of the report sections, in the row corresponding to the report that
you want to view, select “+” next to the report name to expand the list of
sections, then select the file name of the section that you want to view, such as
“Spam_Recipient.html”.
The report appears in a new browser window.


Downloading a generated report


You can download generated reports to your management computer. This can be
useful for purposes such as archival and offline viewing.

To download a report

1 Go to Log & Report > Reports > Browse.
2 In the Action column, in the row corresponding to the report that you want to
download, select the file format to download:

Download HTML    Select to download a compressed (.tgz) archive containing the report in HTML file format to your management computer.
Download PDF    Select to download the report in PDF file format to your management computer.

Config
The Config tab displays the list of report profiles. A report profile defines what
information appears in the reports generated from it.
You may want to create one report profile for each type of report that you will
generate, either on demand or periodically by schedule. For more information, see
“Configuring a report profile” on page 458.
If you used the Quick Start Wizard in the basic mode of the web-based manager
to perform initial setup of your FortiMail unit, the Quick Start Wizard automatically
created two report profiles:
• predefined_report_yesterday
• predefined_report_last_week
Otherwise, no report profiles exist by default.
To view the list of report profiles, go to Log & Report > Report > Config.

Figure 330: Viewing report profiles
(Callouts: Delete, Edit, Run Report)

Config Name    The name of the report profile.
Domain    The name of the protected domain that is the subject matter of this report.
Schedule    The scheduled frequency at which the FortiMail unit generates the report. If the report profile is not scheduled, but instead generates a report only on demand when you manually select Run Report, “none” appears in this column.
Modify    Select Delete to remove the report profile.
Select Edit to modify the report profile. For more information, see “Configuring a report profile” on page 458.
Select Run Report to immediately generate a report using this report profile. This option can be used with both scheduled and on-demand report profiles, and runs independently of any automatic report generation schedule you have configured. For more information, see “Configuring the schedule of a report profile” on page 460.
Create New    Select to add a new report profile.

Configuring a report profile


You can create report profiles to define what information will appear in generated
reports.

To configure a report profile


1 Go to Log & Report > Report > Config.
2 Select Create New.
3 In Report Name, enter a report name.
Report names must not include spaces.
4 Select the blue arrow next to each option, and configure the following:

Time Period: Select the time span of log messages from which to generate the report. For more information, see “Configuring the time period of a report profile” on page 458.
Query Selection: Select one or more subject matters to include in the report. For more information, see “Configuring the query selection of a report profile” on page 459.
Schedule: Select to generate reports from this report profile either manually only or automatically, according to a schedule. For more information, see “Configuring the schedule of a report profile” on page 460.
Domain: Select the protected domains to include in the report. For more information, see “Configuring the protected domain of a report profile” on page 461.
Incoming Outgoing: Select whether to report upon incoming email, outgoing email, or both. For more information, see “Configuring incoming and outgoing of a report profile” on page 461.
Output: Select to email reports generated using this report profile by adding recipients to the Email Notification list and selecting either “html report” or “pdf report” file format for the attached report. This field is optional. For more information, see “Configuring the output of a report profile” on page 461.

5 Select OK.

Configuring the time period of a report profile


When configuring a report profile, you can select the time span of log messages
from which to generate the report.


Figure 331: Time Period

Time Period: Select the time span of the report, such as This Month or Last N Days. Alternatively, select and configure From Date and To Date.
Last N Hours, Last N Days, Last N Weeks: Enter the number N of the unit of time. This option appears only when you have selected Last N Hours, Last N Days, or Last N Weeks from Time Period, and therefore must define “N”.
From Date: Select and configure the beginning of the time span. For example, you may want the report to include log messages starting from May 5, 2006 at 6 PM. You must also configure To Date.
To Date: Select to configure the end of the time span. For example, you may want the report to include log messages up to May 6, at 12 AM. You must also select and configure From Date.

Configuring the query selection of a report profile


When configuring a report profile, you can select one or more queries or query
groups that define the subject matter of the report.
Each query group contains multiple individual queries, each of which corresponds
to a chart that will appear in the generated report. You can select all queries within
the group by marking the checkbox of the query group, or you can expand the
query group and then individually select each query that you want to include.
For example:
• If you want the report to include charts about spam, you might select both of
the query groups Spam by Sender and Spam by Recipient.
• If you want the report to specifically include only a chart about top virus
senders by date, you might expand the query group Virus by Sender, then
select only the individual query Top Virus Sender By Date.

Figure 332: Query Selection


Mail Statistics: Select to include information on email message statistics, such as Mail Stat Messages By Day.
Total Summary: Select to include summary information, such as Total Sent And Received.
High Level Breakdown: Select if you want to include all top level and summary information for all queries, such as Top Client IP By Date.
Mail by Sender: Select to include information on email messages by each sender, such as Top Sender By Date.
Mail by Recipient: Select to include information on email messages by each recipient, such as Top Recipient By Date.
Spam by Sender: Select to include information on spam by each sender, such as Top Spam Sender By Date.
Spam by Recipient: Select to include information on spam by each recipient, such as Top Spam Recipient By Date.
Virus by Sender: Select to include information on infected email messages by each sender, such as Top Virus Sender By Date.
Virus by Recipient: Select to include information on infected email messages by each recipient, such as Top Virus Recipient By Date.

Configuring the schedule of a report profile


When configuring a report profile, you can select whether the FortiMail unit will
generate the report on demand or according to the schedule that you configure.

Figure 333: Schedule

Schedules
Not Scheduled: Select if you do not want the FortiMail unit to generate the report automatically according to a schedule. If you select this option, the report will only be generated on demand, when you manually select Run Report from the report profile list. For more information, see “Config” on page 457.
Daily: Select to generate the report each day.
These Days: Select to generate the report on specific days of each week, then select those days.
These Dates: Select to generate the report on specific dates of each month, then enter those date numbers. Separate date numbers by a comma. For example, to generate a report on the first and 30th day of every month, enter 1,30.
At Hour: Select the time of the day when the report will be generated. This option does not apply if you have selected Not Scheduled.
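The Time Period and Schedule settings above determine two things: which span of log messages a report covers, and whether a scheduled report is due at a given hour. The following Python script is an added illustration of that logic written for this guide; it is not FortiMail code. The option names it uses ("last_n_days", "these_dates", and so on), the helper ts() and the Monday=0 weekday convention are assumptions made for the example, and the timestamps are constructed.

```python
from datetime import datetime, timedelta

# Illustrative model of a report profile's Time Period and Schedule settings.
# Added example, not FortiMail's implementation; option labels are assumed.

LAST_N = {
    "last_n_hours": timedelta(hours=1),
    "last_n_days": timedelta(days=1),
    "last_n_weeks": timedelta(weeks=1),
}


def ts(year, month, day, hour=0):
    """Convenience constructor for the constructed timestamps used below."""
    return datetime(year, month, day, hour)


def time_window(period, now, n=None, from_date=None, to_date=None):
    """Return the (start, end) span of log messages a report covers."""
    if period == "this_month":
        start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
        return start, now
    if period in LAST_N:
        # Last N Hours/Days/Weeks: N must be defined and positive
        if n is None or n < 1:
            raise ValueError("Last N options require N >= 1")
        return now - n * LAST_N[period], now
    if period == "from_to":
        # From Date and To Date must both be configured, and be in order
        if from_date is None or to_date is None:
            raise ValueError("From Date and To Date must both be configured")
        if to_date <= from_date:
            raise ValueError("To Date must be later than From Date")
        return from_date, to_date
    raise ValueError("unknown time period: %r" % period)


def parse_these_dates(text):
    """Parse the comma-separated day numbers of These Dates, e.g. "1,30"."""
    days = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        day = int(token)          # raises ValueError on non-numeric input
        if not 1 <= day <= 31:
            raise ValueError("day of month out of range: %d" % day)
        days.add(day)
    if not days:
        raise ValueError("These Dates needs at least one day number")
    return days


def due_now(schedule, at_hour, now, days_of_week=(), dates=()):
    """True if a scheduled report should be generated at `now`.

    schedule: "not_scheduled", "daily", "these_days" or "these_dates".
    days_of_week uses Python's convention, Monday=0 .. Sunday=6.
    A Not Scheduled profile is never due: it is generated only by Run Report.
    """
    if schedule == "not_scheduled":
        return False
    if now.hour != at_hour:       # At Hour applies to every scheduled option
        return False
    if schedule == "daily":
        return True
    if schedule == "these_days":
        return now.weekday() in set(days_of_week)
    if schedule == "these_dates":
        return now.day in set(dates)
    raise ValueError("unknown schedule: %r" % schedule)


if __name__ == "__main__":
    now = ts(2008, 9, 30, 2)     # constructed: 30 September 2008, 02:00
    print(time_window("last_n_days", now, n=7))
    print(due_now("these_dates", 2, now, dates=parse_these_dates("1,30")))
```

Invalid input (an N below 1, a To Date before the From Date, a day number outside 1 to 31) is rejected with ValueError rather than silently producing an empty report.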


Configuring the protected domain of a report profile


When configuring a report profile, you can select one or more protected domains
whose log messages will be used when generating the report.

Figure 334: Domain

Domain: The list of protected domains whose log messages will be used when generating the report.
Remove Selected: Select one or more protected domains in the Domain area, then select Remove Selected to remove them from that list.
Add: Select All Domains or a protected domain from the drop-down menu, then select Add to add that protected domain to the Domain area.

Configuring incoming and outgoing of a report profile


When configuring a report profile, you can select to report only on email
messages matching the directionality that you select: incoming, outgoing, or both.
For information about incoming and outgoing email, see.

Figure 335: Incoming Outgoing

Incoming Outgoing: Select the directionality, relative to the protected domain, of email messages that you want to report on.
• Incoming
• Outgoing
• Incoming and Outgoing

Configuring the output of a report profile


When configuring a report profile, you can configure the FortiMail unit to email a
copy of the report, in either HTML or PDF file format, to your designated
recipients.

Figure 336: Output


html report: Select to attach a copy of the generated report in HTML format.
pdf report: Select to attach a copy of the generated report in PDF file format.
Email Notification: The list of recipients to which the FortiMail unit will send a copy of reports generated using this report profile.
Remove Selected: From Email Notification, select one or more recipients that you want to remove, then select Remove Selected.
Add: Enter the email address of a recipient, then select Add to add the email address to the Email Notification area.


Configuring and operating FortiMail HA
FortiMail units can operate in one of two high availability (HA) modes:
• Active-passive HA – Two FortiMail units operate as an HA group providing
failover protection. Most of this chapter describes how to configure and
operate an active-passive FortiMail HA group. See “FortiMail active-passive
HA” on page 463 for a definition of active-passive FortiMail HA.
• Config-only HA – Up to 25 FortiMail units share a common configuration, but
operate as separate FortiMail units. See “FortiMail config-only HA” on
page 464 for a definition of config-only FortiMail HA. (Also called config HA
or config only HA.)
The following topics are included in this chapter:
• FortiMail active-passive HA
• FortiMail config-only HA
• Mixing FortiMail models in a FortiMail HA group
• HA heartbeat and synchronization
• HA network interface configuration in master mode
• HA log messages, alert email, and SNMP
• HA and storing FortiMail mail data on a NAS Server
• Changing the FortiMail firmware for an operating HA group
• Viewing and changing HA status
• Configuring HA options
• Configuring active-passive HA service monitoring
• Gateway mode active-passive HA configuration example
• HA failover scenarios

FortiMail active-passive HA
FortiMail supports active-passive high availability (HA) with full FortiMail
configuration and mail data synchronization between two FortiMail units. Mail data
consists of the FortiMail system mail directory, user home directories, and Mail
Transfer Agent (MTA) spool directories.
A FortiMail active-passive HA group consists of two FortiMail units, one
functioning as a primary unit (also called the master) and the other as a backup
unit (also called the slave). The FortiMail units in the HA group do not have to be
the same FortiMail model but must be running the same firmware build. The
primary and backup units are configured separately and then joined together to
form the FortiMail HA group.


Both FortiMail units in the group have the same configuration except for the
FortiMail unit host name, SNMP system information, and some HA settings. For
details about how configuration synchronization works and about what is
synchronized and what is not, see “Synchronizing the FortiMail configuration” on
page 468.
You can include different FortiMail models in an active-passive HA group. For
details, see “Mixing FortiMail models in a FortiMail HA group” on page 466.
The primary unit performs all email processing, including special FortiMail
services such as sending spam reports to email users. Email users connect to the
primary unit to download email, manage quarantined email, and to use FortiMail
webmail. To configure and manage the FortiMail HA group, administrators
connect to the primary unit web-based manager or CLI.

Figure 337: Example FortiMail active-passive HA group operating in gateway mode (the figure shows a mail server on the internal network, the HA group, and a switch connecting to the Internet)

Administrators can also manage the backup FortiMail unit. The backup unit
monitors the primary unit to make sure that the primary unit is operating correctly.
If the backup unit determines that the primary unit has failed, the backup unit
becomes the primary unit without interrupting mail processing.
FortiMail gateway, transparent and server modes all support HA. The HA
configuration and operating procedures are similar in all three FortiMail operating
modes.

FortiMail config-only HA
Using FortiMail config-only HA you can set up a group of 2 to 25 FortiMail units.
The FortiMail units in the config-only HA group operate independently: processing
email and providing FortiMail services such as antispam and antivirus scanning,
and special FortiMail services such as sending spam reports to email users.
All FortiMail units in the group have the same configuration except for the
following:
• network settings including interface IP addresses and default routes
• the FortiMail unit host name and SNMP system information


• other system names such as the local domain name and the spam report host
name
• some HA settings.
For details about how configuration synchronization works and about what is
synchronized and what is not, see “Synchronizing the FortiMail configuration” on
page 468.
You can include different FortiMail models in a config-only HA group. For details,
see “Mixing FortiMail models in a FortiMail HA group” on page 466.
Email users connect to any FortiMail unit to download email, manage quarantined
email, and to use FortiMail webmail. For most HA group configuration and
management operations, administrators connect to the primary unit web-based
manager or CLI. However, administrators must connect to each FortiMail unit in
the HA group to configure interface IP addresses and some HA settings for that
FortiMail unit.
A config-only HA group can function as a mail server farm for a large organization.
You can also install a FortiMail config-only HA group behind a load balancer. The
load balancer can distribute the mail processing load to all of the FortiMail units in
the config-only HA group, improving mail processing capacity.
To set up a FortiMail config-only HA group you configure one of the FortiMail units
as the config primary (or config master) and the other FortiMail units (up to 24) as
config backup units (also called config slaves or peer systems). Every
configuration change made to the config master is synchronized to all of the
config backup units.
FortiMail config-only HA does not synchronize mail data between the FortiMail
units in the config-only HA group. As well, FortiMail config-only HA does not
provide failover protection. If a FortiMail unit in a config-only HA group fails, mail
data on the unit is lost (unless the unit can be restarted) and the functioning of the
failed FortiMail unit will not be resumed by the other FortiMail units in the HA
group.
FortiMail units in a config-only HA group operate only in their configured operating
mode. The effective operating mode does not apply to config-only HA. The config
primary unit operates only in config master mode and the config backup units
operate only in config slave mode.
If the primary unit fails, the backup units will continue to operate normally.
However, with no primary unit, changes to the configuration are no longer
synchronized. You can manually switch one of the backup units to operate as the
primary unit. Then, when you make configuration changes to this new primary
unit, the changes synchronize to the remaining backup units.
You cannot configure service monitoring for a config-only HA group.


Figure 338: Example FortiMail config-only HA group operating in gateway mode (the figure shows a mail server on the internal network, a load balancer, and the config-only HA group connecting to the Internet)

Note: If the config-only HA group is installed behind a load balancer, the load balancer
stops sending email to the failed FortiMail unit. All sessions being processed by the failed
FortiMail unit must be restarted and will be re-directed by the load balancer to other
FortiMail units in the config-only HA group.

Config-only HA uses the same configuration synchronization mechanism as
active-passive HA. The only difference is that a config-only HA group can have up
to 24 peers. Part of configuring HA involves adding the IP addresses of all of the
peers to the config-only primary HA configuration.
You must give each backup unit a peer IP address that matches one of the peer IP
addresses added to the primary unit. The backup unit configuration also includes
the IP address of the primary unit.

Mixing FortiMail models in a FortiMail HA group


You can mix different FortiMail models in the same active-passive or config-only
HA group. However all units in the HA group should be running the same firmware
build.
You can mix FortiMail models in an HA group for a number of reasons. For
example, a FortiMail-100 unit may provide sufficient performance for your email
processing, but you may prefer the higher performance of a FortiMail-400 unit.
You can set up an active-passive HA group consisting of a FortiMail-400 unit
operating as the primary unit and a FortiMail-100 unit operating as the backup
unit. Usually the FortiMail-400 primary unit would be processing all email. If a
failover occurs, the FortiMail-100 backup unit would keep processing email until
you can restart or replace the failed FortiMail-400 unit.
You should make sure that the configuration settings that you add can be
supported on all of the models in the HA group. For example, in the scenario
described above you are limited by the capacity of the FortiMail-100 unit.


According to the FortiMail 3.0 Maximum Values Matrix on the Fortinet Knowledge
Center you can add 50 domains to a FortiMail-100 unit and 500 domains to a
FortiMail-400 unit. So in an HA group consisting of a FortiMail-400 and a
FortiMail-100 you should add only 50 domains. For a complete list of configuration
limitations for all FortiMail models, see the FortiMail v3.0 Maximum Values Matrix.

HA heartbeat and synchronization


For an active-passive HA group, FortiMail HA heartbeat and synchronization has
three primary functions: to monitor the status of the FortiMail units in the HA
group, to synchronize configuration changes from the primary unit to the backup
unit, and to synchronize mail data from the primary unit to the backup unit. Mail
data consists of the FortiMail system mail directory, user home directories, and
MTA spool directories.
For a config-only HA group, FortiMail HA heartbeat and synchronization is used to
synchronize the FortiMail configuration from the config primary unit to the config
backup units. Config-only HA configuration synchronization works the same way as
active-passive HA configuration synchronization, except that the
configuration is synchronized to multiple backup units.
HA heartbeat and synchronization consists of TCP packets transmitted between
the FortiMail units in the HA group over a dedicated heartbeat interface. As part of
the HA configuration you select one or two FortiMail unit interfaces to be used as
the primary and secondary heartbeat interfaces. You can also configure the TCP
ports that the heartbeat interface uses for its functions.
During normal FortiMail HA group operation, the backup unit expects to constantly
receive HA heartbeat packets from the primary unit. If the backup unit stops
receiving HA heartbeat packets, the backup unit determines that the primary unit
has failed. A failover then takes place. The backup unit becomes the primary unit
and continues processing email. During the failover no mail data or configuration
changes are lost. The failover may interrupt some in-progress email transactions.
These interrupted transactions may need to be restarted, but most email clients
and servers can gracefully handle the temporary service interruption that occurs
during a failover.

Note: If you restart the primary unit (by going to System > Status and selecting Restart or
from the CLI by entering execute reboot) or if you enter the execute reload
command from the primary unit CLI, the backup unit may stop receiving HA heartbeat
packets from the primary unit for enough time to determine that the primary unit has failed.
To prevent this type of false failover, the primary unit signals to the backup unit to wait for
the primary unit to complete the restart or reload.
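The failure-detection behaviour described above, including the false-failover case in the note, can be modelled in a few lines. The following Python script is an added illustration written for this chapter, not FortiMail code. The "test every" timer and the "take over after ... failures" count are HA daemon settings named later in this chapter, but the exact semantics used here are assumptions: a test counts as a miss when no heartbeat arrived within one test interval, and the wait signal sent before a restart or reload suppresses miss counting only for a bounded grace period (the assumed restart_grace parameter), so a primary that announces a restart and never returns still triggers a failover. The event timelines are constructed.

```python
# Added example: backup-unit view of HA heartbeat failure detection.
# Not FortiMail's implementation; settings and timings are assumptions.


class BackupHeartbeatMonitor:
    """Decides, on the backup unit, whether the primary unit has failed."""

    def __init__(self, test_every=3, take_over_after=3, restart_grace=60):
        self.test_every = test_every          # seconds between tests
        self.take_over_after = take_over_after  # consecutive misses before failover
        self.restart_grace = restart_grace    # assumed bound on the "wait" signal
        self.last_heartbeat = None
        self.wait_since = None                # time the primary announced a restart
        self.failures = 0
        self.role = "slave"
        self.failover_at = None

    def heartbeat_received(self, t):
        """A heartbeat packet arrived over the heartbeat interface at time t."""
        self.last_heartbeat = t
        self.failures = 0
        self.wait_since = None                # the primary is back; stop waiting

    def primary_restarting(self, t):
        """The primary signalled a reboot/reload (execute reboot / reload)."""
        self.wait_since = t

    def check(self, t):
        """One periodic test at time t; returns the backup's current role."""
        if self.role == "master":
            return self.role                  # already took over
        alive = (self.last_heartbeat is not None
                 and t - self.last_heartbeat < self.test_every)
        if alive:
            self.failures = 0
        elif self.wait_since is not None and t - self.wait_since <= self.restart_grace:
            pass                              # announced restart: do not count misses
        else:
            self.failures += 1
            if self.failures >= self.take_over_after:
                self.role = "master"          # failover: backup becomes primary
                self.failover_at = t
        return self.role


def simulate(events, duration=30, **settings):
    """Replay (time, event) pairs against a monitor; return (role, failover_at)."""
    mon = BackupHeartbeatMonitor(**settings)
    pending = sorted(events)
    t = 0
    while t <= duration:
        while pending and pending[0][0] <= t:   # deliver events up to this test
            at, ev = pending.pop(0)
            if ev == "heartbeat":
                mon.heartbeat_received(at)
            elif ev == "restarting":
                mon.primary_restarting(at)
        mon.check(t)
        t += mon.test_every
    return mon.role, mon.failover_at


def primary_heartbeats(start, stop):
    """Constructed timeline: one heartbeat per second in [start, stop)."""
    return [(t, "heartbeat") for t in range(start, stop)]


def scenario_crash():
    """Primary stops sending heartbeats at t=10 without any warning."""
    return simulate(primary_heartbeats(0, 10))


def scenario_reboot():
    """Primary announces a restart at t=9 and resumes heartbeats at t=20."""
    events = primary_heartbeats(0, 10) + [(9, "restarting")] + primary_heartbeats(20, 31)
    return simulate(events)


def scenario_reboot_never_returns():
    """Primary announces a restart at t=9 but never comes back (grace 6 s)."""
    return simulate(primary_heartbeats(0, 10) + [(9, "restarting")], restart_grace=6)


if __name__ == "__main__":
    print("crash:", scenario_crash())
    print("reboot:", scenario_reboot())
    print("reboot, never returns:", scenario_reboot_never_returns())
```

With the defaults (test every 3 seconds, take over after 3 failures) the silent crash produces a failover at the third missed test, while the announced reboot produces none because the wait signal suppresses the misses until heartbeats resume.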

This section describes the following about HA heartbeat synchronization:
• Configuring the HA heartbeat and synchronization interface
• Synchronizing the FortiMail configuration
• Synchronizing FortiMail mail data
• FortiMail MTA spool directory synchronization after a failover


Configuring the HA heartbeat and synchronization interface


By default, HA uses the network interface with the highest number for HA
heartbeat and synchronization. For example, the FortiMail-400 has 6 network
interfaces numbered port1 to port6. By default a FortiMail-400 HA group would
use port6 as the primary heartbeat interface. If required, you can select a different
primary heartbeat interface. You can also configure a secondary heartbeat
interface. See “HA main configuration options” on page 492 and “HA daemon
configuration options” on page 495 for more information.

Caution: Using the same FortiMail network interface for user data and HA synchronization
is not supported.

For a FortiMail HA group to operate correctly, you must maintain an Ethernet
connection between the heartbeat interfaces of the primary and backup FortiMail
units. You can use a crossover Ethernet cable or two regular Ethernet cables and
a switch to connect the network interfaces.

Note: Isolate heartbeat interfaces from your user networks. Heartbeat and synchronization
packets contain sensitive configuration information and can consume considerable network
bandwidth. For an active-passive or a config-only HA group consisting of only two FortiMail
units, directly connect the heartbeat interfaces using a crossover cable. For a config-only
HA group consisting of more than two FortiMail units, connect the heartbeat interfaces to a
switch and do not connect this switch to your user networks.

If the heartbeat interfaces become disconnected, the operation of the FortiMail HA
group will be interrupted. See “Failover scenario: primary heartbeat link fails” on
page 512 for information about how to detect when the primary heartbeat link fails
and how to solve any problems that occur.
By default, primary and backup unit heartbeat interfaces are configured with
special IP addresses. The default primary unit primary heartbeat interface IP
address is 10.0.0.1 and the default backup unit primary heartbeat interface IP
address is 10.0.0.2. You can change these IP addresses if required. The primary
and backup unit heartbeat interfaces must have different IP addresses.

Synchronizing the FortiMail configuration


Every time you change the configuration of the primary unit, the HA group
immediately synchronizes the configuration change to the backup unit (or peer
units in a config-only HA group). This synchronization uses the primary heartbeat
interface link. You can also configure FortiMail HA to synchronize the primary and
backup unit configurations at scheduled time intervals. The backup unit always
starts synchronization by asking the primary unit to send its configuration to the
backup unit.
Because the configuration of the primary unit is synchronized to the backup unit,
most configuration changes made to the backup unit are lost. You should only
make configuration changes on the primary unit. The backup unit web-based
manager displays “SLAVE MODE” as a reminder that you should not make
configuration changes to the backup unit.
See “HA daemon configuration options” on page 495 to configure how often the
HA group synchronizes the FortiMail configuration and to change the TCP port
used for synchronizing the configuration across the heartbeat link.


You can also manually synchronize configuration changes if you are concerned
about losing changes that you have just made. See “Forcing the HA group to
synchronize configuration and mail data” on page 487.

FortiGuard Antispam and FortiGuard Antivirus


You must license all of the FortiMail units in the HA group for the FortiGuard
Antispam service. If you license only the primary unit in an active-passive HA
group, after a failover the backup unit will not be able to connect to the FortiGuard
Antispam service.
You must also license all of the FortiMail units in the HA group for the FortiGuard
Antivirus service. Antivirus engine and antivirus definition versions are not
synchronized between the primary and backup units. Each unit in the HA group
connects to the FortiGuard Distribution Network to download its own FortiGuard
Antivirus updates.

Configuration settings that are not synchronized


All configuration settings on the primary unit are synchronized to the backup unit
except for the following settings:

FortiMail Operation Mode: In active-passive and config-only HA, the FortiMail operation mode is not synchronized. When configuring an HA group you must set the operation mode of each HA group member before configuring HA. (Go to System > Status. From the CLI enter set system opmode.)
FortiMail unit host name (also called the mail server host name): In active-passive and config-only HA, the mail server host name is not synchronized. (Go to Mail Settings > Settings. From the CLI enter set system hostname.) To identify a FortiMail unit in an HA group, the host name appears at the bottom of the FortiMail web-based manager. A FortiMail unit operating in HA mode also adds the host name to the subject line of all alert email messages.
Interface configuration: In active-passive and config-only HA, each FortiMail unit in the HA group has its own interface configuration. (Go to System > Network > Interface. From the CLI enter set system interface.) Some active-passive HA settings affect the interface configuration. These HA settings are synchronized between both FortiMail units in an active-passive HA group. See “HA interface configuration in master mode options (active-passive HA)” on page 497.
Transparent mode Management IP address: In active-passive and config-only HA, for FortiMail units operating in transparent mode, all of the FortiMail units in the HA group should be configured with different management IP addresses. The management IP address is not synchronized. (On a FortiMail unit operating in transparent mode, go to System > Network > Management IP. From the CLI enter set system managementip.)
SNMP system information: In active-passive and config-only HA, the SNMP system information (including the system Description, Location, and Contact information) is not synchronized. (Go to System > Config > SNMP v1/v2c. From the CLI enter set system snmp sysinfo status.)
Main HA configuration: In active-passive and config-only HA, the main HA configuration, which includes the HA mode of operation of the unit (master or slave), is not synchronized, because this configuration must be different on the primary and backup units.


HA Daemon configuration: In active-passive and config-only HA, the following HA daemon settings are synchronized (some of the settings listed below only apply to active-passive HA):
• Heartbeat use port, test every timer, and take over after failures number
• Configuration use port and synchronize every timer
• Data use port and synchronize every timer
The following HA daemon settings are not synchronized:
• Shared password
• Backup system mail directory
• Backup user home directories
• Backup MTA spool directories
All units in the HA group must use the same shared password to identify the group. Because the password is not synchronized, you need to add it to each unit in the HA group.
The remaining HA daemon options that are synchronized are active-passive HA settings that affect how often the backup unit tests the primary unit and how the backup unit synchronizes configuration and mail data. Because the HA daemon settings on the backup unit control how the HA daemon operates, in a functioning HA group you would change the HA daemon configuration on the backup unit to change how the HA daemon operates. The HA daemon settings on the primary unit do not affect the operation of the HA daemon.
In some active-passive HA groups, you may want to have different HA daemon configurations on the primary and backup units. For example, after a failover, if the failed primary unit restarts and becomes a backup unit, you might not want the new backup unit to synchronize with the new primary unit in the same way as when the HA group is functioning normally.
HA service monitoring configuration: In active-passive HA, the HA service monitoring configuration is not synchronized. The remote service monitoring configuration on the backup unit controls how the backup unit checks the operation of the primary unit. The local services configuration on the primary unit controls how the primary unit tests the operation of the primary unit.
You might want to have a different service monitoring configuration on the primary and backup units. For example, after a failover you may not want service monitoring to operate until you have fixed the problems that caused the failover and have restarted normal operation of the HA group.
Config-only HA network settings and names: In addition to the settings mentioned above, the following settings are not synchronized when operating config-only HA:
• Default routes (Go to System > Network > Routing. From the CLI enter set system route.)
• The mail server local domain name, the relay server local domain name (Go to Mail Settings > Settings > Settings. From the CLI enter set mailserver localdomain.)
• The spam report host name (Go to Anti-Spam > Quarantine > Spam Report. From the CLI enter set as spamreport hostname.)
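The tables above describe which settings a sync copies from the primary unit and which stay local to each unit, and the earlier text warns that local changes on the backup are lost. The following Python script is an added illustration of that merge rule written for this guide; it is not FortiMail's configuration schema or code. The key names (opmode, hostname, ha_main, routes, and so on) are assumed labels for the settings the tables list, and both unit configurations are constructed samples; the heartbeat addresses 10.0.0.1 and 10.0.0.2 are the defaults named in this chapter.

```python
import copy
import hmac

# Added example: which settings an HA sync overwrites on a backup unit.
# Key names are assumed labels for the settings listed in this chapter.

# Never synchronized in active-passive or config-only HA
NOT_SYNCED = {
    "opmode",                 # FortiMail operation mode
    "hostname",               # mail server host name
    "interfaces",             # interface configuration
    "management_ip",          # transparent-mode management IP address
    "snmp_sysinfo",           # SNMP description, location, contact
    "ha_main",                # main HA configuration (master/slave, ...)
    "ha_shared_password",     # HA daemon shared password
    "ha_backup_dirs",         # backup system mail / home / MTA spool flags
    "ha_service_monitoring",  # service monitoring configuration
}
# Additionally kept local in config-only HA
NOT_SYNCED_CONFIG_ONLY = {"routes", "localdomain", "spamreport_hostname"}


def excluded_keys(mode):
    """Settings that a sync leaves untouched on the receiving unit."""
    if mode == "active-passive":
        return set(NOT_SYNCED)
    if mode == "config-only":
        return NOT_SYNCED | NOT_SYNCED_CONFIG_ONLY
    raise ValueError("unknown HA mode: %r" % mode)


def synchronize(primary, backup, mode):
    """Return the backup unit's configuration after one sync from the primary.

    Every setting outside the excluded set takes the primary's value, settings
    the primary no longer has are removed, and excluded settings keep whatever
    the backup unit had locally.
    """
    excluded = excluded_keys(mode)
    synced = {k: copy.deepcopy(v) for k, v in primary.items() if k not in excluded}
    for k in excluded:
        if k in backup:
            synced[k] = copy.deepcopy(backup[k])
    return synced


def overwritten_keys(backup_before, backup_after):
    """Settings edited on the backup unit that the sync discarded."""
    return sorted(k for k in backup_before
                  if backup_after.get(k) != backup_before[k])


def same_ha_group(unit_a, unit_b):
    """Units identify their HA group by the shared password, which has to be
    entered on every unit because it is never synchronized."""
    a = unit_a.get("ha_shared_password", "")
    b = unit_b.get("ha_shared_password", "")
    return bool(a) and hmac.compare_digest(a.encode(), b.encode())


# Constructed sample configurations (not from a real unit)
PRIMARY = {
    "opmode": "gateway",
    "hostname": "fortimail-a",
    "interfaces": {"port1": "192.0.2.10/24", "port6": "10.0.0.1/24"},
    "snmp_sysinfo": {"location": "rack 1"},
    "ha_main": {"mode": "master"},
    "ha_shared_password": "example-shared-secret",
    "routes": [{"dst": "0.0.0.0/0", "gw": "192.0.2.1"}],
    "localdomain": "example.com",
    "domains": ["example.com", "example.net"],
    "antispam_profile": {"greylist": True},
}
BACKUP = {
    "opmode": "gateway",
    "hostname": "fortimail-b",
    "interfaces": {"port1": "192.0.2.11/24", "port6": "10.0.0.2/24"},
    "snmp_sysinfo": {"location": "rack 2"},
    "ha_main": {"mode": "slave"},
    "ha_shared_password": "example-shared-secret",
    "routes": [{"dst": "0.0.0.0/0", "gw": "192.0.2.1"}],
    "localdomain": "example.com",
    "domains": ["example.com"],
    "antispam_profile": {"greylist": False},   # local edit; lost at next sync
}

if __name__ == "__main__":
    after = synchronize(PRIMARY, BACKUP, "active-passive")
    print("kept local:", after["hostname"], after["ha_main"], after["interfaces"]["port6"])
    print("lost backup edits:", overwritten_keys(BACKUP, after))
```

Running the script shows the point of the table: the backup keeps its own host name, HA mode and interface addresses, while any domain or profile change made on the backup is replaced by the primary's copy at the next sync. In config-only mode the same call also leaves routes and the local domain name untouched.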

Synchronizing FortiMail mail data


All FortiMail mail data is synchronized from the primary unit to the backup unit
according to the HA daemon data synchronization schedule.


Note: You should disable mail data synchronization if the HA group stores mail data on a
remote NAS server. See “HA and storing FortiMail mail data on a NAS Server” on
page 482.

Mail data consists of the following:

System mail directory: Contains quarantined and archived email messages stored on the FortiMail unit hard drives. The system mail directory may contain a relatively large amount of data. However, this data does not usually change rapidly so synchronizing the system mail directory does not usually require a large amount of bandwidth or processing time. You should synchronize the system mail directory because it could be difficult to recover from a failed FortiMail unit.
User home directories: In server mode the user home directories contain user email messages stored on the FortiMail unit hard drives. The user home directories may also contain a relatively large amount of data. However, this data also does not usually change rapidly so synchronizing the user home directories does not usually require a large amount of bandwidth or processing time. You should synchronize the user home directories because it could be difficult to recover this data from a failed FortiMail unit.
MTA spool directories: Contain the FortiMail mail queue types including the outgoing mail, deferred, spam, failed, and dead mail queues. For more information on the mail queues, see “Mail Queue” on page 207. The MTA spool directories may contain a large amount of data that changes rapidly. Synchronizing large amounts of data that changes rapidly may take considerable bandwidth and processing time, both of which may affect the performance of the FortiMail unit. Also, if the primary unit fails, when it is restarted, it becomes a backup unit and synchronizes all MTA spool directories to the new primary unit (see “FortiMail MTA spool directory synchronization after a failover” on page 471 for more information). Because of this synchronization, the data in the MTA spool directories is usually recovered after failover. If the primary unit experiences a hardware failure and you cannot restart it, you might not be able to recover mail in the MTA spool directories. Synchronizing the MTA spool directories prevents the loss of this email if the primary unit experiences a hardware failure.

See “HA daemon configuration options” on page 495 to configure how often the
HA group synchronizes mail data, to change the TCP port used for synchronizing
data across the heartbeat link, and to select the types of mail data to synchronize.
You can also manually synchronize mail data. See “Forcing the HA group to
synchronize configuration and mail data” on page 487.

FortiMail MTA spool directory synchronization after a failover


During failover no mail data, configuration changes, or email messages being
queued by the primary unit are lost. The new primary unit, email clients, or email
servers may need to restart in-progress email transactions that the primary unit
was actively sending or receiving at the time of the failure. However, most email
clients and servers can gracefully handle these types of temporary service
interruptions by restarting the interrupted email sessions with the new primary
unit.
During normal operation email messages are in one of two states:
• Being received by the primary unit
• Stored on the primary unit in the system mail directory, the user home
directories, or the MTA spool directories (which include the outgoing mail
directory).


When a failover occurs, the network connections between the sender and the
primary unit are cut off. From the sender’s point of view, the email send attempt
fails, and the sender attempts to re-send the email message.
Usually you should configure HA to synchronize the system mail directory and the
user home directory to prevent loss of any email messages in these directories
when a failover occurs. Then when a failover occurs, email being sent is stopped,
but the stored messages remain in a primary unit MTA mail directory.
The FortiMail HA group always synchronizes MTA spool directories after a
failover. This means that even if you choose not to configure the HA group to
synchronize MTA spool directories during normal operation, the email in the MTA
directories on the failed primary unit can still be delivered after a failover as long
as the failed primary unit can restart.
Even if the HA group synchronizes MTA spool directories there is a chance that,
because the synchronization is periodic, some of the email in these directories will
not be synchronized when a failover occurs. This is especially true for the
outgoing mail queue because the content of this queue changes very rapidly.
FortiMail HA uses the following mechanism to prevent loss of email messages in
the failed primary unit MTA spool directories after a failover.

Note: If the failed primary unit effective operating mode is FAILED, a sequence similar to
the following occurs automatically when the problem that caused the failure is corrected.

1 After a failover the former backup unit operates as the new primary unit.
2 The primary unit that failed starts up again, detects the presence of the new
primary unit, and becomes a backup unit.

Note: You may have to manually restart the failed primary unit.

3 The new backup unit synchronizes its MTA spool directories with the new primary
unit MTA spool directories.
This synchronization takes place over the heartbeat link between the primary and
backup FortiMail units. Synchronizing the MTA spool directories prevents
duplicate email messages from getting into the primary unit MTA spool directories.
4 The new primary unit continues to deliver the email messages in its MTA spool
directories, including the email messages synchronized from the new backup unit.

HA network interface configuration in master mode


Using the FortiMail HA network interface configuration in master mode settings,
you can modify how FortiMail network interfaces function when two FortiMail units
are operating as an active-passive HA group. You can also control how the
network interface configuration changes during a failover. The configuration that
you select depends on the FortiMail mode that the HA group is operating in
(gateway, transparent, or server) and on how the HA group connects to your
network.
To configure the heartbeat interfaces of a config-only HA group, you need to:
• Select the primary heartbeat interface.
• Configure the heartbeat interface IP addresses of the primary and backup
units.
• Configure the IP addresses of the remaining interfaces of each of the FortiMail
units in the HA group according to the requirements of your network.
This section describes:
• Adding an IP address to an HA group interface using HA virtual IP addresses
• Changing the IP address of an HA group interface
• Removing an interface from an HA group
• Example config-only HA network interface configuration

Adding an IP address to an HA group interface using HA virtual IP addresses


Figure 339 shows two FortiMail-400 units operating as an HA group in gateway
mode. The port6 interfaces are connected together with a cross-over cable to
form the primary heartbeat link. The port1 interfaces of each FortiMail unit are
connected to the same switch, and this switch is connected to the network.

Figure 339: Example FortiMail-400 HA network connections (diagram: internal
network with mail server, network switch and Internet; HA group of a primary
unit and a backup unit joined by a heartbeat link, with both port1 interfaces
connected to a switch for port1 interfaces)

For the new primary unit to continue to process mail sessions after a failover, the
new primary unit must have the same IP addresses as the original primary unit. In
most HA configurations you use FortiMail HA virtual IP addresses to make this
happen. When a FortiMail HA group is operating, network interfaces that send
and receive email or that users connect to for webmail access are configured with
HA virtual IP addresses. All email transactions and webmail connections use
these virtual IP addresses.
As well, the virtual IP addresses are associated with primary unit network
interfaces. Because of this association, the primary unit processes all email. After
a failover, the virtual IP addresses are associated with the new primary unit
interfaces. As a result, after a failover, the new primary unit (originally the backup
unit) now processes all email.


Outgoing traffic is sent from the virtual IP address


Adding a virtual IP address to a FortiMail interface gives the interface two IP
addresses: the virtual IP address and the actual IP address. The interface can
receive traffic sent to both of these IP addresses.
Normally you would configure your network (MX records, firewall policies, routing
and so on) so that clients and mail services use the virtual IP address. All replies
to sessions with the virtual IP address include the virtual IP address as the source
address.
All replies to sessions with the actual IP address include the actual IP address as
the source address.
All outgoing sessions that originate from this interface also use the virtual IP
address of the interface, not the actual IP address. This means that all outbound
mail or relayed mail packets that are sent from a FortiMail primary unit interface
configured with a virtual IP address will have the virtual IP address of the primary
unit interface as the source IP address. If you use this interface to send outgoing
email, you should configure your network devices (such as NAT firewalls) to
process traffic from the virtual primary unit interface IP address.

DNS and firewall settings for the HA virtual IP configuration


Incoming email client and SMTP traffic connects to the virtual IP address of the
primary unit. A single MX record that points at the virtual IP address is sufficient
for this traffic.
For outgoing traffic, if the FortiMail HA group is configured with public IP
addresses, and if you are using the virtual IP configuration, you still only require
one public IP address for the virtual IP address. However, you may want two
additional public addresses; one for the actual address of the primary unit
interface and one for the actual address of the backup unit interface. But these
two public IP addresses are not required.
However, if the FortiMail HA group is installed behind a NAT firewall, the virtual IP
address and the two actual IP addresses can all be private IP addresses. You can
then configure the NAT firewall to map outgoing traffic from the virtual IP address
to an external IP address. Only this single external IP address needs to be
resolvable and only packets from this external IP address are sent to external
MTAs.

Example configuration using HA virtual IP addresses


This example shows how you can implement HA virtual IP addresses for a basic
FortiMail-400 gateway configuration. In a typical standalone FortiMail gateway
configuration, you could set the IP address of the port1 network interface of the
FortiMail-400 unit to 172.16.5.2. You can also add a DNS record called
example.com that points to IP address 172.16.5.2 and an MX record for
gw.example.com that also points to IP address 172.16.5.2. Then users and
email servers can use the DNS and MX records to connect to the port1 network
interface of the FortiMail-400 unit.
To replicate the same configuration with a FortiMail HA group, you would set the
actual IP addresses of the port1 interfaces of the primary and backup units to
two different IP addresses. Then in the HA configuration you would add a virtual
IP address to the port1 interface.


To configure FortiMail HA virtual IP addresses


1 Set the IP address of the primary unit port1 network interface to a new IP address
(for example, 172.16.5.10).
2 Set the IP address of the backup unit port1 network interface to another new IP
address (for example, 172.16.5.11).
3 Enable HA on the primary unit and add a virtual IP/netmask to the port1 network
interface. Set the virtual IP address to 172.16.5.2.

Note: Because of this virtual IP address configuration, port1 of the primary unit can receive
packets sent to IP address 172.16.5.10 and 172.16.5.2. All packets sent from the primary
unit port1 interface will have a source IP address of 172.16.5.2 (the virtual IP address).
After a failover, all packets sent from the backup unit port1 interface will have a source IP
address of 172.16.5.2.

4 Enable HA on the backup unit.


FortiMail HA synchronizes the HA network interface configuration from the
primary unit to the backup unit.
When the HA group is operating, the primary unit port1 network interface has a
virtual IP of 172.16.5.2. Users and email servers use DNS and MX records to
connect to the port1 network interface of the primary unit. Administrators can
manage the primary unit by connecting to 172.16.5.2 (the virtual IP address of
port1) or 172.16.5.10 (the actual IP address of port1). Administrators can manage
the backup unit by connecting to 172.16.5.11 (the IP address of port1 of the
backup unit).
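The address plan in the procedure above has to satisfy a few constraints for a failover to be transparent: the two units need distinct actual IP addresses, the virtual IP must be a third address on the same subnet, and the DNS and MX records that clients and external MTAs use must point at the virtual IP, because only it moves to the new primary unit. The following added example (not part of the FortiMail guide or of any Fortinet tool) checks such a plan offline; the `HaInterfacePlan` type and the sample addresses are constructed for this example.

```python
"""Sanity checks for a FortiMail active-passive HA virtual IP address plan.

Added example, not part of the FortiMail guide. The sample values below
are the ones from the guide's example; the data type and checks are
constructed here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HaInterfacePlan:
    """IP plan for one HA group interface (a hypothetical helper type)."""
    primary_ip: str    # actual IP address of the primary unit interface
    backup_ip: str     # actual IP address of the backup unit interface
    virtual_ip: str    # HA virtual IP address added to the interface
    netmask: str
    # host name -> address the record resolves to (A records and MX targets)
    dns_records: Dict[str, str] = field(default_factory=dict)


def check_ha_vip_plan(plan: HaInterfacePlan) -> List[str]:
    """Return a list of problems found; an empty list means the plan is sound."""
    problems: List[str] = []
    net = ipaddress.ip_network(f"{plan.primary_ip}/{plan.netmask}", strict=False)
    addrs = {
        "primary actual": ipaddress.ip_address(plan.primary_ip),
        "backup actual": ipaddress.ip_address(plan.backup_ip),
        "virtual": ipaddress.ip_address(plan.virtual_ip),
    }

    # Every address must be a usable host address on the interface subnet.
    for label, addr in addrs.items():
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} IP {addr} is not a usable host address in {net}")

    # The VIP is added on top of each unit's own actual IP, so all three differ.
    if len(set(addrs.values())) != 3:
        problems.append("primary actual, backup actual and virtual IPs must be distinct")

    # Records used by clients and MTAs must name the VIP: an actual IP address
    # keeps working only until the unit that owns it fails.
    for name, target in plan.dns_records.items():
        if target in (plan.primary_ip, plan.backup_ip):
            problems.append(
                f"record {name} points at a unit's actual IP {target}; use the virtual IP")
        elif target != plan.virtual_ip:
            problems.append(
                f"record {name} points at {target}, which is not the HA virtual IP")
    return problems


def example_plan() -> HaInterfacePlan:
    """The guide's FortiMail-400 example: the old standalone IP becomes the VIP."""
    return HaInterfacePlan(
        primary_ip="172.16.5.10",
        backup_ip="172.16.5.11",
        virtual_ip="172.16.5.2",
        netmask="255.255.255.0",
        dns_records={"example.com": "172.16.5.2", "gw.example.com": "172.16.5.2"},
    )


if __name__ == "__main__":
    for problem in check_ha_vip_plan(example_plan()) or ["plan OK"]:
        print(problem)
```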

Note: The configuration example, “Gateway mode active-passive HA configuration
example” on page 503 uses HA network interface virtual IP addresses as well as other HA
network interface settings.


Figure 340: Example FortiMail-400 HA virtual IP address configuration (diagram:
internal network with mail server and DNS server holding the DNS record
example.com=172.16.5.2 and the MX record gw.example.com=172.16.5.2; network
switch and Internet; HA group with primary unit port1 IP 172.16.5.10 and port1
virtual IP 172.16.5.2, backup unit port1 IP 172.16.5.11, a heartbeat link
between the units, and a switch for the port1 interfaces)

Changing the IP address of an HA group interface


The most common HA network interface in master mode configuration uses HA
virtual IPs. However, you can also use the “set interface IP/netmask” option to
change the IP address of any primary unit interface when the primary unit is
operating in HA mode. If a failover occurs, the IP address of this interface changes
on the new primary unit as well.
If an interface is set to “set interface IP/netmask” then the actual IP address of the
interface is disabled for the primary and backup units. This means that you can
connect only to the primary unit interface using this IP address and that you
cannot connect to the backup unit using this interface.
When you change the IP address of an HA group interface using the “set interface
IP/netmask” option, you replace the actual IP address of the interface with the set
IP address. The interface has only one IP address. (If you use HA virtual IPs, the
interface has two IP addresses.)

Note: The configuration example, “Gateway mode active-passive HA configuration
example” on page 503 uses the “set interface IP/netmask” option as well as other HA
network interface in master mode settings.

Removing an interface from an HA group


If you are not using a FortiMail interface for network traffic, management, or for HA
traffic, you can use the HA network interface configuration in master mode “do
nothing” option to remove the interface from the HA group. Removing the interface
means that a failover will not cause changes to the interface. It also means that
the primary unit will not monitor this interface.


Note: The configuration example, “Gateway mode active-passive HA configuration
example” on page 503 uses the “do nothing” option as well as other HA network interface in
master mode settings.

Example config-only HA network interface configuration


This example config-only HA network interface configuration consists of a config
mode HA group of three FortiMail-400 units. The port6 interfaces of each FortiMail
unit are used for HA communications, so these interfaces are connected together
with a switch.
The port1 interfaces of each FortiMail unit are connected to a load balancer. The
port1 interface of each FortiMail unit has a different IP address so that the load
balancer can send traffic to each FortiMail unit.

Figure 341: Example FortiMail-400 config-only heartbeat interface configuration
(diagram: internal network with mail server and DNS server, network switch and
Internet; a load balancer for the port1 interfaces; config mode HA group with the
primary unit at port1 IP 172.16.5.1 and heartbeat port6 local IP 10.0.0.1,
backup unit 1 at port1 IP 172.16.5.2 and peer 1 IP 10.0.0.2, backup unit 2 at
port1 IP 172.16.5.3 and peer 2 IP 10.0.0.3, with a switch for the heartbeat
link)

To configure the FortiMail config-only HA group


1 Configure the primary unit:
• Go to System > HA > Configuration.
• Set Mode of Operation to config master.
• Set Primary Heartbeat to port6.
• Set Local IP Address to 10.0.0.1.
• Change Config Daemon settings as required.
• Add the IP addresses of both peer systems (10.0.0.2, and 10.0.0.3).
• Go to System > Network > Interface and set the IP address of the port1
interface to 172.16.5.1.


Figure 342:Example config-only HA primary unit HA configuration

2 Configure backup unit 1:
• Go to System > HA > Configuration.
• Set Mode of Operation to config slave.
• Set Primary Heartbeat to port6.
• Set Local IP address to 10.0.0.2.
• Change Config Daemon settings as required.
• Set the Master Configuration IP address to the local IP address of the primary
unit (10.0.0.1).
• Go to System > Network > Interface and set the IP address of the port1
interface to 172.16.5.2.

Figure 343:Example config-only HA backup unit 1 HA configuration


3 Configure backup unit 2:
• Go to System > HA > Configuration.
• Set Mode of Operation to config slave.
• Set Primary Heartbeat to port6.
• Set Local IP address to 10.0.0.3.
• Change Config Daemon settings as required.
• Set the Master Configuration IP address to the local IP address of the primary
unit (10.0.0.1).
• Go to System > Network > Interface and set the IP address of the port1
interface to 172.16.5.3.

HA log messages, alert email, and SNMP


Active-passive and config-only HA groups support logging, alert email, and
SNMP.
You configure logging and alert email on the primary unit. When the configuration
changes are synchronized to the backup unit or units, all of the FortiMail units in
the HA group record separate log messages and send separate alert email
messages.
You configure SNMP separately for each FortiMail unit in an HA group. If you
enable SNMP for all of these units they can all send SNMP traps. As well, you can
use an SNMP server to monitor the primary and backup units for HA settings such
as the HA configured and effective operating modes.
HA does not synchronize log messages between the primary and backup units.
During normal operation the primary unit sends log messages to a remote host or
saves log messages on the primary unit local disks. The backup unit or units send
log messages to a remote host or save log messages on the backup unit local
disks. Log messages are not lost during a failover. After a failover the new primary
unit uses the same Log & Report configuration to send or save log messages as
does the backup unit.
The backup unit can send alert email messages and SNMP traps only if at least
one of its interfaces (or the management interface in transparent mode) has an IP
address and is connected to your network.
You can use logging to a remote host, alert email, and SNMP to monitor a
FortiMail HA group for failover messages and other HA event messages.
Monitoring the HA group in this way may aid in quick discovery and diagnosis of
HA problems. For information about how to configure logging, alert email, and
SNMP to monitor HA events, see:
• “Sending HA log messages to a remote syslog server” on page 480
• “Sending alert email for HA events” on page 481
• “Sending SNMP traps for HA events” on page 481
• “Getting the HA information using SNMP” on page 482.
See “Restarting the HA processes on a stopped primary unit” on page 489 for a
sample HA log message and alert email.


This section describes:


• Recording HA log messages on the primary and backup unit hard disks
• Sending HA log messages to a remote syslog server
• Sending alert email for HA events
• Sending SNMP traps for HA events
• Getting the HA information using SNMP

Recording HA log messages on the primary and backup unit hard disks
Use the following steps to configure the units in an HA group to record HA log
messages on their hard disks. This configuration is synchronized to all units in the
HA group. A unit in the HA group records a log message when that unit detects an
HA event.

To record HA log messages on the primary and backup unit hard disks
1 Log into the primary unit web-based manager.
2 Go to Log & Report > Log Setting.
3 Select Log to Local Disk.
4 Set Level to Information to generate all HA messages.
You can also set Level to Warning if you just want to generate HA log messages
when a problem occurs. A problem could be a failover or a synchronization
problem.
5 Select Config Policy.
6 Select Event Log and under Event log select HA activity event.
7 Select OK and Apply.

Sending HA log messages to a remote syslog server


Use the following steps to configure the units in an HA group to send HA log
messages to a remote syslog server. This configuration is synchronized to all units
in the HA group. A unit in the HA group sends a log message to the remote syslog
server when that unit detects an HA event.

To send HA log messages to a remote syslog server


1 Log into the primary unit web-based manager.
2 Go to Log & Report > Log Setting.
3 Select the blue arrow to expand the Remote Host options.
4 Select Remote Host 1.
5 Enter the IP address of your syslog server.
6 Change the Port if your syslog server receives log messages on a custom TCP
port.
The most commonly used TCP port number for syslog messages is 514.
7 Set Level to Information to generate all HA messages.
You can also set Level to Warning if you just want to generate HA log messages
when a problem occurs. A problem could be a failover or a synchronization
problem.


8 Select Config Policy.
9 Select Event Log and under Event log select HA activity event.
10 Select OK and Apply.

Sending alert email for HA events


Use the following steps to configure the units in an HA group to send alert email
messages when HA events occur. This configuration is synchronized to all units in
the HA group. A unit in the HA group sends an alert email when that unit detects
an HA event.
When a FortiMail unit operating in HA mode sends an alert email, the subject line
of the alert email includes a title, followed by the host name in square brackets of
the FortiMail unit that sent the message. If each FortiMail unit in the HA group has
a different host name, you can identify the FortiMail unit that sent the alert email
according to the host name in the alert email subject line.

To send alert mail messages for HA events


1 Log on to the primary unit web-based manager.
2 Go to Log & Report > Alert Email.
3 Add email addresses of the system administrators who should receive HA alert
email messages.
4 Select Apply.
You can select Test to confirm that the primary unit can successfully send alert
email messages to your addresses. You can also log into the backup unit
web-based manager and select Test to confirm that the backup unit can
successfully send alert email messages to your addresses.
5 Go to Log & Report > Alert Email > Categories.
6 Select HA events.
7 Select Apply.

Sending SNMP traps for HA events


Use the following steps to configure all of the units in a FortiMail HA group to send
SNMP traps when HA events occur. You configure SNMP separately for each
FortiMail unit in an HA group. If you enable SNMP for all of the FortiMail units in
the HA group all of the units can send SNMP traps for HA events.

To send SNMP traps for HA events


1 Log on to the primary unit web-based manager.
2 Go to System > Config > SNMP v1/v2c.
3 Enable the SNMP agent.
4 Add a new community or edit a community that has already been added.
5 Enter a Description, Location and Contact for the SNMP Agent.
6 Configure the community as required.
7 Select HA event.
8 Select OK.
9 Repeat these steps for all the backup units in the HA group.


Getting the HA information using SNMP


You can use an SNMP server to get information about how FortiMail HA is
operating. The FortiMail MIB (fortimail.mib) and the FortiMail trap MIB
(fortimail.trap.mib) include the HA fields listed in Table 23.

Table 23: New HA FortiMail MIB and FortiMail trap MIB fields

fortimail.mib
  fmlHAEventId: The ID of the most recent HA event.
  fmlHAUnitIp: The IP address of the port1 interface of the FortiMail unit on
  which an HA event occurred.
  fmlHAEventReason: A description of the reason for the HA event.
  fmlHAMode: The HA configured operating mode. The HA operating mode that you
  have configured the FortiMail unit to operate in. Configured operating mode
  can be MASTER (primary unit) or SLAVE (backup unit).
  fmlHAEffectiveMode: The effective HA operating mode (applies to active-passive
  HA only). The HA operating mode that the FortiMail unit is currently operating
  in. The effective operating mode matches the configured operating mode unless
  a failure has occurred.

fortimail.trap.mib
  fmlTrapHAEvent: The FortiMail HA trap that is sent when an HA event occurs.
  This trap includes the contents of the fmlSysSerial, fmlHAEventId,
  fmlHAUnitIp, and fmlHAEventReason MIB fields.
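Polling the Table 23 fields lets a monitoring host notice a failover without waiting for a trap: a unit whose fmlHAEffectiveMode differs from its fmlHAMode has failed or taken over, a change in fmlHAEventId marks a new HA event, and an active-passive group should show exactly one unit effectively in MASTER mode. The following added example (not part of the FortiMail guide or of any Fortinet tool) applies those rules to values already fetched from the units; how the fields are fetched (one SNMP GET per field), the `HaSnmpSample` type, and the use of the mode names as plain strings are assumptions of this example, and the sample values are constructed.

```python
"""Evaluate polled FortiMail HA MIB values for failovers and new HA events.

Added example, not part of the FortiMail guide. Field names follow Table 23;
the sample type, the string form of the modes (MASTER, SLAVE, FAILED) and the
sample values are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HaSnmpSample:
    """One poll of a single FortiMail unit (hypothetical helper type)."""
    unit: str                           # host name used for reporting
    fmlHAMode: str                      # configured mode: MASTER or SLAVE
    fmlHAEffectiveMode: Optional[str]   # None for config-only units
    fmlHAEventId: int
    fmlHAEventReason: str
    fmlHAUnitIp: str


def assess_ha(samples: List[HaSnmpSample], last_event_ids: Dict[str, int]) -> List[str]:
    """Return human-readable findings; last_event_ids is updated in place
    so that the next call reports only HA events that are new."""
    findings: List[str] = []
    effective_masters: List[str] = []
    active_passive = False

    for s in samples:
        if s.fmlHAEffectiveMode is not None:
            active_passive = True
            # Effective mode only diverges from the configured mode after a failure.
            if s.fmlHAEffectiveMode != s.fmlHAMode:
                findings.append(
                    f"{s.unit}: configured {s.fmlHAMode} but effective "
                    f"{s.fmlHAEffectiveMode} (failover or failure)")
            if s.fmlHAEffectiveMode == "MASTER":
                effective_masters.append(s.unit)

        # A changed event ID means the unit recorded an HA event since last poll.
        previous = last_event_ids.get(s.unit)
        if previous is not None and s.fmlHAEventId != previous:
            findings.append(
                f"{s.unit} ({s.fmlHAUnitIp}): HA event {s.fmlHAEventId}: "
                f"{s.fmlHAEventReason}")
        last_event_ids[s.unit] = s.fmlHAEventId

    # An active-passive group must have exactly one unit effectively primary.
    if active_passive and len(effective_masters) != 1:
        findings.append(
            f"expected exactly one effective MASTER, found {effective_masters}")
    return findings


# Constructed polls of a two-unit active-passive group, before and after a failover.
NORMAL = [
    HaSnmpSample("fml-a", "MASTER", "MASTER", 7, "ha started", "172.16.5.10"),
    HaSnmpSample("fml-b", "SLAVE", "SLAVE", 7, "ha started", "172.16.5.11"),
]
AFTER_FAILOVER = [
    HaSnmpSample("fml-a", "MASTER", "FAILED", 8, "primary unit failed", "172.16.5.10"),
    HaSnmpSample("fml-b", "SLAVE", "MASTER", 8, "failover, now primary", "172.16.5.11"),
]

if __name__ == "__main__":
    state: Dict[str, int] = {}
    for poll in (NORMAL, AFTER_FAILOVER):
        for line in assess_ha(poll, state) or ["HA group normal"]:
            print(line)
```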

HA and storing FortiMail mail data on a NAS Server


You can go to Mail Settings > Settings > Storage and select the blue arrow to
expand the Network Attached Storage (NAS) options to select the location to store
the FortiMail unit’s mail data. Mail data consists of the FortiMail system mail
directory, user home directories, and MTA spool directories. By default, the
FortiMail unit stores mail data on the FortiMail unit local hard disk. Alternatively
you can select NAS Server to store mail data on a remote NAS server using the
network file system (NFS) protocol. The FortiMail unit uses the NAS server in the
same way as it uses the FortiMail unit local hard disk.
Storing mail data on a NAS server may benefit your organization in several ways.
For example, backing up your NAS server regularly can help prevent loss of mail
data. Also, if your FortiMail unit experiences a temporary failure, you can still
access the mail data on the NAS server. And when the FortiMail unit restarts, the
unit can usually continue to access and use the mail data stored on the NAS
server.
This section describes how storing mail data on a NAS server can affect FortiMail
HA operation and also recommends some HA configuration settings if you are
using a NAS server with FortiMail HA.
This section describes:
• Active-passive HA and storing mail data on a NAS server
• Config-only HA and storing mail data on a NAS server


Active-passive HA and storing mail data on a NAS server


For a FortiMail HA group operating in active-passive HA mode, the primary unit
reads and writes all mail data to and from the NAS server in the same way as a
standalone unit. If a failover occurs, the new primary unit uses the same NAS
server for mail data. The new primary unit can access all of the mail data that the
original primary unit stored on the NAS server. So if you are using a NAS server to
store mail data, after a failover the new primary unit continues operating with no
loss of mail data.
Using a NAS server in this way is an effective replacement for enabling HA mail
data synchronization (see “Synchronizing FortiMail mail data” on page 470). Mail
data synchronization is intended to prevent loss of mail data in the event of a
failover, by providing a backup copy of mail data on the backup unit. As mentioned
above you can achieve the same result by using a NAS server.
In fact, if you are using a NAS server, you should disable mail data
synchronization. Otherwise both the primary and backup units would have the
same NAS server configuration and would therefore store mail data at the same
location on the same NAS server. There is no benefit to storing mail data twice to
the same location. Turning off mail data synchronization saves CPU cycles and
network bandwidth.

Config-only HA and storing mail data on a NAS server


For a FortiMail HA group operating in config-only HA mode, all of the units in the
HA group use the same NAS server for storing mail data. Each FortiMail unit
maintains its own mail data on the NAS server. Mail data is not synchronized
between the units in a config-only HA group.
Also, in a NAS server configuration, only the primary unit sends spam reports to
email users. The primary unit also acts as a proxy between email users and the
NAS server when email users use FortiMail webmail to access quarantined email
and to configure their own Bayesian filters.

Changing the FortiMail firmware for an operating HA group


You can upgrade the FortiMail firmware of an operating HA group without
interrupting the normal operation of the group. The following procedure describes
upgrading the primary unit firmware first. After the primary unit firmware upgrade
is complete and the primary unit is functioning normally, the next step is to
upgrade the backup unit firmware.
Similar to upgrading the firmware of a standalone FortiMail unit, normal email
processing is temporarily interrupted while the primary unit firmware upgrades.
Upgrading the firmware of the backup unit does not affect normal email
processing.
Use the following procedure to upgrade the firmware from the FortiMail
web-based manager. You can use a similar procedure to upgrade the firmware
from the FortiMail CLI.


To upgrade HA group firmware


1 Log into the primary unit web-based manager.
2 Upgrade the primary unit firmware.
See “Changing the firmware of your FortiMail unit” on page 114 for details. During
the upgrade the primary unit temporarily stops processing email.
During a firmware upgrade, the primary unit signals the backup unit that a
firmware upgrade is taking place. The HA daemon operating on the backup unit
stops checking the status of the primary unit for a short time. Once the firmware
upgrade is complete the primary unit signals the backup unit to resume normal
operation. The backup unit waits a few minutes for this signal and if it is not
received the backup unit resumes checking the primary unit. If the primary unit
has failed during the firmware upgrade the backup unit fails over and becomes the
new primary unit.
3 Log into the backup unit web-based manager.
4 Upgrade the backup unit firmware.
See “Changing the firmware of your FortiMail unit” on page 114 for details.
After the backup unit firmware upgrade completes, the backup unit synchronizes
configuration information and mail data with the primary unit.
5 If you are operating a config-only HA group, you can repeat steps 3 and 4 for each
backup unit.

Viewing and changing HA status


You can view the HA status of the primary or backup unit in a FortiMail HA group
by connecting to the web-based manager of the unit and going to System > HA >
Status.
For an active-passive HA group, HA status displays the configured and effective
operating mode of the primary unit and the configured and effective operating
mode and daemon status of the backup unit. For a config-only group, HA status
displays the configured operating mode for the primary unit and the configured
operating mode and daemon status of the backup units.
This section describes:
• About HA configured and effective operating modes
• Viewing HA daemon status
• Forcing the HA group to synchronize configuration and mail data
• Resetting a FortiMail unit to its configured HA operating mode
• Restarting the HA processes on a stopped primary unit

About HA configured and effective operating modes


On the primary or backup unit, you can go to System > HA > Status to view the
configured operating mode of the unit. For an active-passive HA group you can
also view the effective operating mode of the unit.


Configured Operating Mode
    The HA operating mode that you have configured the unit to operate in.
    The configured operating mode can be MASTER (primary unit) or SLAVE
    (backup unit).
Effective Operating Mode
    The HA operating mode that the unit is currently operating in. The
    effective operating mode matches the configured operating mode unless a
    failure has occurred.

Figure 344:Normal primary unit active-passive HA mode status

Figure 345:Normal primary unit config-only HA mode status

Note: If the effective operating mode of a FortiMail unit is SLAVE (backup) the FortiMail
web-based manager displays “SLAVE MODE”.

During normal operation the configured and effective operating modes of each
FortiMail unit in the active-passive HA group match. If a failover occurs, the
configured and effective operating modes may not match. For example, after a
failover, the backup unit becomes the primary unit. The effective operating mode
of the new primary unit changes to MASTER (primary), but the configured
operating mode is SLAVE (backup).
Depending on the On Failure setting, the failed primary unit effective operating
mode could be OFF or FAILED. If the effective operating mode is FAILED, the
effective operating mode could change to BACKUP or MASTER depending on the
On Failure setting, after the problem that caused the failure is corrected. See “HA
main configuration options” on page 492 for more information about setting On
Failure.
If the failed primary unit restarts, it finds the new primary unit and switches to
operating as the new backup unit. So, after a failure, the effective operating mode
of a restarted primary unit becomes SLAVE (backup) while the configured
operating mode of this unit becomes MASTER (primary). See Table 24 for more
examples of configured and effective operating modes.


Table 24: Configured and effective operating modes

Configured MASTER, effective MASTER
    Normal operation for a FortiMail unit configured to be the primary unit
    and operating as the primary unit.
Configured SLAVE, effective SLAVE
    Normal operation for a FortiMail unit configured to be the backup unit
    and operating as the backup unit.
Configured MASTER, effective OFF
    A FortiMail unit configured to be the primary unit has detected a
    failure. The effective operating mode can also display OFF if the
    FortiMail unit is in the process of switching to operating in HA mode.
Configured SLAVE, effective OFF
    A FortiMail unit configured to be the backup unit has experienced a
    failure. The effective operating mode can also display OFF if the
    FortiMail unit is in the process of switching to operating in HA mode.
    In some special cases, after the backup unit starts up and connects
    with the primary unit to form an HA group, the first configuration
    synchronization fails. In this case, the backup unit effective operating
    mode changes to OFF.
    If a subsequent configuration synchronization fails, the backup unit
    operates as though the primary unit has failed and the backup unit
    effective operating mode becomes MASTER.
    If the first configuration synchronization after startup fails,
    switching to OFF prevents both the backup and primary units from
    operating as primary units at the same time.
Configured MASTER, effective FAILED
    A FortiMail unit configured to be the primary unit has switched to
    FAILED mode because remote service monitoring or local network
    interface monitoring detected a failure of the primary unit and On
    Failure is set to wait for recovery then restore original role or wait
    for recovery then assume slave role.
    If the effective operating mode is FAILED, the primary unit uses remote
    service monitoring to attempt to connect to the other FortiMail unit. If
    the problem that caused the failure is corrected, the effective
    operating mode switches from FAILED to SLAVE or to match the configured
    operating mode (depending on the On Failure setting).
    Also, for the backup unit of a FortiMail HA group operating in
    transparent mode, if the effective operating mode changes to FAILED, on
    System > Network > Interface the interface status shows bridging
    (waiting for recovery).
Configured MASTER, effective SLAVE
    A FortiMail unit configured to be the primary unit has experienced a
    failure but then returned to operation. When the failure occurred, the
    unit configured to be the backup unit became the primary unit. Then the
    unit configured to be the primary unit restarted, found the other
    primary unit and so switched to operating as the backup unit.
Configured SLAVE, effective MASTER
    A FortiMail unit configured to be the backup unit has registered that
    the FortiMail unit configured to be the primary unit failed. When the
    failure occurred, the unit configured to be the backup unit became the
    primary unit.
Configured MASTER CONFIG, effective N/A
    Normal operating mode for a FortiMail unit configured as a primary unit
    in a config-only HA group.
Configured SLAVE CONFIG, effective N/A
    Normal operating mode for a FortiMail unit configured as a backup unit
    in a config-only HA group.


Viewing HA daemon status


On the backup unit, go to System > HA > Status to view the HA daemon status of
the HA group. The HA daemon status contains information about the last time the
backup unit checked the status of the primary unit and the last time the FortiMail
configuration and mail data was synchronized from the primary unit to the backup
unit.

Figure 346:Example HA daemon status

Monitor
    The time at which the backup unit HA daemon will check to make sure
    that the primary unit is operating correctly. This checking takes place
    across the heartbeat link between the primary and backup units. If the
    heartbeat link becomes disconnected, the next time the backup unit
    checks for the primary unit, the primary unit will not respond, so the
    backup unit operates as though the primary unit has failed and becomes
    the primary unit.
    Change monitor timing using the HA Daemon Heartbeat setting. See “HA
    daemon configuration options” on page 495.
Configuration
    The time at which the backup unit HA daemon will synchronize the
    FortiMail configuration from the primary unit to the backup unit.
    Change configuration synchronization timing using the HA Daemon
    Configuration setting. See “HA daemon configuration options” on
    page 495.
    The message “slave unit is currently synchronizing” displays when the
    HA daemon is synchronizing the configuration.
Data
    The time at which the backup unit HA daemon will synchronize mail data
    from the primary unit to the backup unit.
    Change data synchronization timing using the HA Daemon Data setting.
    See “HA daemon configuration options” on page 495.
    The message “slave unit is currently synchronizing” displays when the
    HA daemon is synchronizing data.

Forcing the HA group to synchronize configuration and mail data


Use the following procedure to force the backup unit to synchronize its
configuration and mail data with the primary unit. In a functioning HA group you
can run this procedure either from the backup unit or from the primary unit. In both
cases it is the backup unit that requests information and data from the primary
unit. This procedure applies to active-passive and config-only HA groups.


To force an HA group to synchronize the FortiMail configuration and mail
data

1 From either the primary or backup unit web-based manager, go to System > HA >
Status.
2 Select click HERE to start a configuration/data sync.
The synchronization can take a few minutes.

Resetting a FortiMail unit to its configured HA operating mode


If the configured operating mode and effective operating mode of a FortiMail unit
in an active-passive HA group do not match, you can use the following procedure
to reset the unit to its configured operating mode. You can run this procedure from
the primary unit or backup unit when the click HERE to restore configured
operating mode option appears on the HA status page.
This procedure is necessary only if the normal operation of the HA group has
been affected by a failure, and you want to restore the HA group or one of the
units in the HA group to normal operation. Before completing this procedure, you
should resolve any problems that could have caused a failure.
For example, if the heartbeat interfaces of the primary and backup units are
disconnected, the backup unit effective operating mode will change to MASTER
(primary). Before resetting the operating mode of the backup unit you should
reconnect the heartbeat interfaces.
If you do find and resolve the problem that caused the effective operating mode of
one or both FortiMail units in an HA group to change, you can use the following
procedure to successfully reset the operating modes of both FortiMail units and
resume normal operation of the FortiMail HA group.

Figure 347:Restoring the configured operating mode

To restore the effective operating mode of a FortiMail unit


This procedure restores only the operating mode of the current unit. If you want to
restore the operating modes of both units in an HA group you must complete this
procedure separately for each unit.
1 Go to System > HA > Status.
2 Select click HERE to restore configured operating mode.
The effective operating mode of the FortiMail unit becomes the same as the
configured operating mode.


Restarting the HA processes on a stopped primary unit


If you have configured local service monitoring on an active-passive HA group
(see “Configuring HA primary unit local services monitoring to monitor network
interfaces and hard drives” on page 502) and the primary unit detects that an
interface has failed, the primary unit effective operating mode changes to OFF.
The primary unit stops processing email and all HA processes on the primary
unit stop.
You can use the following steps to restart the HA processes on the primary unit.
Before beginning you should find and resolve the problem that caused the failure.
If local service monitoring detects a failure, the primary unit sends alert email and
records log messages with information about the problem.
For example, if local service monitoring detects that port2 failed, the primary unit
records a log message similar to the following.
date=2005-11-18 time=18:20:31 device_id=FE-4002905500194
log_id=0107000000 type=event subtype=ha pri=notice user=ha
ui=ha action=unknown status=success msg="monitord: local
problem detected (port2), shutting down"
The primary unit (with host name primary-host-name) also sends an alert email
with the following content:
Subject: monitord: local problem detected (port2), shutting
down [primary-host-name]
This is the FortiMail HA unit at 10.0.0.1.
A local problem (port2) has been detected, telling remote to
take over and shutting down.
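The monitord shutdown event above is the signal an operator should alert on, since the primary unit has stopped processing email. The following added example (not part of the guide and not Fortinet code) parses FortiMail key=value event log records and flags the HA local-problem shutdown, extracting the failed interface; the first sample record is the one shown above joined onto a single line, the second is a constructed benign HA event with a placeholder log_id.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# FortiMail event log records are space-separated key=value pairs; values that
# contain spaces (such as msg) are double-quoted.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Message text written by the primary unit's local service monitor (monitord)
# when it detects a local problem and shuts the HA processes down.
_LOCAL_PROBLEM_RE = re.compile(
    r"monitord: local problem detected \(([^)]+)\), shutting down"
)


def parse_fortimail_log(line: str) -> Dict[str, str]:
    """Parse one key=value log record into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


@dataclass(frozen=True)
class HaLocalFailure:
    device_id: str   # serial number of the unit that shut itself down
    when: str        # "date time" taken from the record
    interface: str   # interface named in the msg, for example port2


def detect_ha_local_failure(line: str) -> Optional[HaLocalFailure]:
    """Return failure details if the record is an HA monitord shutdown, else None."""
    f = parse_fortimail_log(line)
    # Only HA event records can carry the monitord message.
    if f.get("type") != "event" or f.get("subtype") != "ha":
        return None
    m = _LOCAL_PROBLEM_RE.search(f.get("msg", ""))
    if m is None:
        return None
    return HaLocalFailure(
        device_id=f.get("device_id", "unknown"),
        when=f"{f.get('date', '?')} {f.get('time', '?')}",
        interface=m.group(1),
    )


def scan_log(lines: List[str]) -> List[HaLocalFailure]:
    """Run the detector over many records; one entry per stopped-primary event."""
    hits: List[HaLocalFailure] = []
    for line in lines:
        hit = detect_ha_local_failure(line)
        if hit is not None:
            hits.append(hit)
    return hits


# Sample records (constructed for this example): the first is the record from
# the guide on one line; the second is a benign HA event that must not match,
# with a placeholder log_id.
SAMPLE_LOG = [
    "date=2005-11-18 time=18:20:31 device_id=FE-4002905500194 "
    "log_id=0107000000 type=event subtype=ha pri=notice user=ha "
    'ui=ha action=unknown status=success msg="monitord: local '
    'problem detected (port2), shutting down"',
    "date=2005-11-18 time=18:25:31 device_id=FE-4002905500194 "
    "log_id=0000000000 type=event subtype=ha pri=information user=ha "
    'ui=ha action=unknown status=success msg="configuration synchronized"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.when}: unit {hit.device_id} stopped HA after a local "
              f"failure on {hit.interface}")
```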

Figure 348:Status page after local service monitoring detected a failure

Resolving this problem could be as simple as reconnecting the port2 interface.


Once the problem is resolved, use the following steps to restart the stopped
primary unit:

To restart a stopped primary unit


1 Log into the primary unit web-based manager.
2 Go to System > HA > Status.
3 Select click HERE to restart the HA system.
The primary unit restarts and rejoins the HA group.


Configuring HA options
You set HA configuration options by going to System > HA > Configuration. To
configure a FortiMail HA group, you must set the HA configuration separately on
the primary and backup units. The configuration of both types of units is very
similar.
Config-only HA options are similar to active-passive HA configuration options.
This section describes both active-passive HA options and config-only HA
options.
Figure 349 shows a typical HA configuration for a FortiMail-400 unit operating as a
primary unit in gateway mode.

Figure 349:HA configuration example: primary unit operating in gateway mode


Figure 350 shows a typical HA configuration for a FortiMail-400 unit operating as
a backup unit in transparent mode.

Figure 350:HA configuration example: backup unit operating in gateway mode

Figure 351:Config-only HA example: primary unit with three backup units


Figure 352:Config-only HA example: backup unit

This section describes:
• HA main configuration options
• HA daemon configuration options
• HA interface configuration in master mode options (active-passive HA)
• HA peer systems options (config-only HA primary unit)
• HA master configuration options (config-only HA backup units)

HA main configuration options


Set the main HA configuration options to switch a FortiMail unit into HA mode and
to configure other required HA settings. The HA main configuration options are not
synchronized and must be set separately on the primary and backup units.
This section describes:
• Mode of Operation
• On Failure (active-passive HA)
• Primary Heartbeat
• Secondary Heartbeat (active-passive HA)
• Treat remote services as a heartbeat (active-passive HA)

Figure 353:HA Main Configuration options (active-passive primary unit)


Mode of Operation
Set the HA configured operating mode of the FortiMail unit. The FortiMail unit
switches to operating in the HA configured operating mode immediately after you
enter this command. The configured operating mode can be one of the following:
• off if the FortiMail unit is not operating in HA mode
• master if the FortiMail unit is the primary unit in the HA group
• slave if the FortiMail unit is a backup unit in the HA group
• config master if the FortiMail unit is the primary unit in a config-only HA group
• config slave if the FortiMail unit is a backup unit in a config-only HA group.

On Failure (active-passive HA)


Control the behavior of a FortiMail unit in an active-passive HA group when
remote service monitoring detects a failure. In most cases you should set On
Failure to the “wait for recovery then assume slave role” option.
Depending on your requirements, you can select this On Failure option or one of
the others, as described below:
• Switch OFF. The FortiMail unit effective operating mode changes to OFF. The
FortiMail unit will not process email or join the HA group until you manually
change the FortiMail unit effective operating mode to MASTER (primary) or
SLAVE (backup).
• wait for recovery then restore original role. Similar to the “wait for recovery
then assume slave role” option, the primary unit effective operating mode
changes to FAILED when remote service monitoring detects a failure.
However, on recovery the failed primary unit effective operating mode switches
back to its configured operating mode. This behavior may be useful in some
scenarios but may cause problems in others.
• wait for recovery then assume slave role. The primary unit effective operating
mode changes to FAILED when remote service or local network interface
service monitoring detects a failure. In FAILED mode the failed primary unit
uses remote service monitoring to attempt to connect to the other FortiMail unit
in the HA group (which should now be operating as the new primary unit with
effective operating mode of MASTER). If you fix the problem that caused the
failure, the failed FortiMail unit recovers by changing its effective operating
mode to SLAVE (backup), and then synchronizes the content of its MTA spool
directories to the FortiMail unit now operating as the primary unit. The new
primary unit can then deliver this email.
See Table 24 on page 486 for information about configured and effective
operating modes including OFF and FAILED. See “Configuring active-passive HA
service monitoring” on page 500 for information about local and remote service
monitoring.

Primary Heartbeat
Select the network interface to be used as the primary heartbeat interface. This is
the primary heartbeat link between the units in the HA group. The primary
heartbeat link is used for the HA heartbeat and synchronization. The default
primary heartbeat interface is the network interface with the highest number. In
most cases you would not have to select a different network interface.


Note: The primary heartbeat interface configuration in master mode is set to “do nothing”
and this setting cannot be changed.

For information about the heartbeat interface and about HA heartbeat and
synchronization, see “Configuring the HA heartbeat and synchronization interface”
on page 468.

Caution: Using the same FortiMail network interface for user data and HA synchronization
is not supported.

Note: Isolate heartbeat interfaces from your user networks. Heartbeat and synchronization
packets contain sensitive configuration information and can consume considerable network
bandwidth. For an active-passive or a config-only HA group consisting of only two FortiMail
units, directly connect the heartbeat interfaces using a crossover cable. For a config-only
HA group consisting of more than two FortiMail units, connect the heartbeat interfaces to a
switch and do not connect this switch to your user networks.

The local IP is the primary heartbeat IP address for this FortiMail unit. When the
FortiMail unit is operating in HA mode, the primary heartbeat local IP appears on
the System > Network > Interface list for the heartbeat interface.
For the primary heartbeat you must configure the local IP and peer IP as follows:
• The local IP of the primary unit must match the peer IP of the backup unit.
Normally you would set the local IP of the primary unit to 10.0.0.1.
• The local IP of the backup unit must match the peer IP of the primary unit. In
an active-passive HA group you would normally set the local IP on the backup
unit to 10.0.0.2.
• For an active-passive HA group the peer IP is the local IP of the other FortiMail
unit in the HA group. This is the IP address that the FortiMail unit expects to
connect to by using the primary heartbeat to find the other FortiMail unit in the
HA group.
• The peer IP of the primary unit must match the local IP of the backup unit.
Normally you would set the peer IP of the primary unit to 10.0.0.2.
• The peer IP of the backup unit must match the local IP of the primary unit.
Normally you would set the peer IP address of the backup unit to 10.0.0.1.

Local IP Address (config-only HA)


For config-only HA the local IP Address is the primary heartbeat IP address for
this FortiMail unit. When the FortiMail unit is operating in HA mode, the local IP
address appears on the System > Network > Interface list for the heartbeat
interface.
The local IP address of the primary unit must match the Master Configuration IP
address of the backup units. Normally you would set the local IP address of the
primary unit to 10.0.0.1.
You would normally set 10.0.0.2 as the local IP address of the first backup unit,
10.0.0.3 as the local IP address of the second backup unit, 10.0.0.4 as the local IP
address of the third backup unit, and so on.


Secondary Heartbeat (active-passive HA)


Optionally select the network interface to use as the secondary heartbeat
interface. The secondary heartbeat interface is the backup heartbeat link between
the units in the HA group. If the primary heartbeat link is operating, the secondary
heartbeat link is used for the HA heartbeat. If the primary heartbeat link fails, the
secondary link is used for the HA heartbeat and for HA synchronization.

Note: The secondary heartbeat interface configuration in master mode is set to “do
nothing” and this setting cannot be changed.

Select “disabled” if you are not going to use the secondary heartbeat.
You can also select “any port” if you do not want to use a specific interface as the
backup heartbeat interface. Selecting “any port” means that any interface with its
HA interface configuration in master mode set to the “do nothing” option can be
used as the secondary heartbeat interface.
Configure the secondary heartbeat local IP and peer IP in the same manner as
the primary heartbeat. The secondary heartbeat IPs cannot be on the same
subnet as the primary heartbeat IPs.

Treat remote services as a heartbeat (active-passive HA)


If you enable remote service monitoring, you can select this option so that if both
the primary and secondary heartbeat links fail or become disconnected, remote
service monitoring takes over the role of the HA heartbeat and the FortiMail HA
group can continue to operate.
Using remote services as heartbeat provides HA heartbeat only. Only the primary
or secondary heartbeat can support HA synchronization. To avoid synchronization
problems, you should not use remote service monitoring as a heartbeat for
extended periods. This feature is intended only as a temporary heartbeat solution
that operates until you reestablish a normal primary or secondary heartbeat link.

HA daemon configuration options


Change HA daemon configuration options to change the HA group shared
password and to change default HA heartbeat and synchronization settings.
Usually you do not have to change any of the HA daemon settings. However, you
should change the shared password to uniquely identify the HA group. Also, you
may want to change HA heartbeat and synchronization settings to improve
failover protection or to reduce the processing load that the HA daemon uses to
synchronize configuration and mail data. The HA daemon shared password,
Heartbeat, Configuration, and Data configuration options are not synchronized;
you must set them separately on the primary and backup units. You configure the
type of mail data to back up on the primary unit and these settings are then
synchronized to the backup unit.


Figure 354:HA Daemon Configuration options (active-passive backup unit)

Shared Password
    Enter a password for the HA group. The password must be the same on the
    primary and backup unit.
Heartbeat (active-passive HA)
    Set options used by the HA daemon for sending HA heartbeat packets. Set
    the following options:
    • The TCP port used for HA heartbeat communications. The default TCP
      port is 20000.
    • The time between which the FortiMail units in the HA group send HA
      heartbeat packets. The default test interval between HA heartbeat
      packets is 5 seconds. The test interval range is 2 to 60 seconds.
      Heartbeat packets are sent at regular intervals so that each FortiMail
      unit in an active-passive HA group can confirm that the other unit in
      the group is functioning. If the primary unit detects that the backup
      unit has failed, the primary unit continues to operate normally. If
      the backup unit detects that the primary unit has failed, the HA
      effective operating mode of the backup unit changes to MASTER and the
      backup unit becomes the primary unit.
    • The number of consecutive times the HA heartbeat detects a failure
      before a FortiMail unit in an active-passive HA group decides that the
      primary unit has failed. The number of times the check fails ranges
      from 1 to a very high number. Set the number of times the check fails
      to 0 to disable interface monitoring or hard drive monitoring.
    In most cases you do not have to change heartbeat settings. The default
    settings mean that if the primary unit fails, the backup unit switches
    to being the primary unit after 3 x 5 or about 15 seconds, resulting in
    a failure detection time of 15 seconds.
    If the failure detection time is too long, the primary unit could fail
    and a delay in detecting the failure could mean that email is delayed or
    lost. Decrease the failure detection time if email is delayed or lost
    because of an HA failover.
    If the failure detection time is too short, the backup unit may detect a
    failure when none has occurred. For example, if the primary unit is very
    busy processing email it may not respond to HA heartbeat packets in
    time. In this situation, the backup unit may operate as though the
    primary unit has failed when the primary unit is actually just busy.
    Increase the failure detection time to prevent the backup unit from
    detecting a failure when none has occurred.


Configuration
    Set the TCP port and time interval for synchronizing the configuration.
    Set the following:
    • The TCP port used for synchronizing the configuration of the primary
      unit to the backup unit. The default TCP port is 20001.
    • How often HA synchronizes the configuration. The default configuration
      synchronization time is 60 minutes. The configuration synchronization
      time range is 15 to 999 minutes. Set the configuration synchronization
      time to 0 to disable configuration synchronization.
    In most cases you do not have to change the default settings. However,
    if you are making a lot of configuration changes, you may want to reduce
    the time between synchronizations so that changes are not lost if a
    failover occurs. During normal operation, synchronizing the
    configuration every 60 minutes is usually sufficient.
    You can also synchronize the configuration manually. See “Forcing the HA
    group to synchronize configuration and mail data” on page 487.
    For more information about how FortiMail HA synchronizes the
    configuration and about what is synchronized and what is not
    synchronized, see “Synchronizing the FortiMail configuration” on
    page 468.
Data (active-passive HA)
    Set the TCP port and time interval for synchronizing mail data. Set the
    following:
    • The TCP port used for synchronizing mail data. The default TCP port is
      20002.
    • How often the synchronization occurs. The default data synchronization
      time is every 30 minutes. The data synchronization range is 15 to 999
      minutes. Set the data synchronization time to 0 to disable data
      synchronization.
    • The type of mail data to synchronize. You can synchronize the system
      mail directory, the user home directories, and the MTA spool
      directories. See “Synchronizing FortiMail mail data” on page 470 for
      more information about what to consider before configuring mail data
      synchronization. Synchronization of all three types of mail data is
      disabled by default.
    In most cases you do not have to change the default settings except to
    select the data to synchronize. You might also want to reduce the
    synchronization time if you find you are losing mail data during a
    failover. Also, synchronizing large amounts of mail data may cause
    processing delays. Reducing how often mail data is synchronized may
    alleviate this problem. During normal operation, synchronizing data once
    every 30 minutes is usually sufficient.
    You can also synchronize mail data manually. See “Forcing the HA group
    to synchronize configuration and mail data” on page 487.
    You should disable mail data synchronization if the HA group stores mail
    data on a remote NAS server. See “HA and storing FortiMail mail data on
    a NAS Server” on page 482.
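The Primary Heartbeat, Secondary Heartbeat and HA daemon settings above are set separately on each unit and are not synchronized, so a mismatch between the two units is easy to introduce. The following added example (not part of the guide and not Fortinet code) models the settings of an active-passive pair and checks them against the rules stated in this section: local and peer IPs must cross-match on each heartbeat link, the secondary heartbeat must not share the primary heartbeat subnet, the shared password must match, the heartbeat interval must be 2 to 60 seconds, and sync intervals must be 15 to 999 minutes or 0. The /24 heartbeat netmask, the 10.0.1.0/24 secondary subnet, the rule that the three daemon TCP ports must be distinct and agree across the pair, and the default failure count of 3 (taken from the guide's "3 x 5" example) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Heartbeat:
    local_ip: str                    # this unit's heartbeat IP
    peer_ip: str                     # the other unit's heartbeat IP
    netmask: str = "255.255.255.0"   # assumption: /24 heartbeat subnets


@dataclass
class HaUnit:
    name: str
    mode: str                        # Mode of Operation: "master" or "slave"
    primary: Heartbeat               # Primary Heartbeat local/peer IPs
    secondary: Optional[Heartbeat] = None   # Secondary Heartbeat; None = disabled
    shared_password: str = ""
    hb_port: int = 20000             # HA daemon Heartbeat TCP port (guide default)
    hb_interval_s: int = 5           # test interval, 2 to 60 seconds
    hb_failures: int = 3             # assumed default failed checks before failover
    config_port: int = 20001         # Configuration sync TCP port (guide default)
    config_sync_min: int = 60        # 15 to 999 minutes, 0 disables
    data_port: int = 20002           # Data sync TCP port (guide default)
    data_sync_min: int = 30          # 15 to 999 minutes, 0 disables


def failure_detection_time(unit: HaUnit) -> int:
    """Seconds until the backup declares the primary failed: interval x failures."""
    return unit.hb_interval_s * unit.hb_failures


def _subnet(hb: Heartbeat) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{hb.local_ip}/{hb.netmask}", strict=False)


def _check_link(label: str, a: HaUnit, b: HaUnit,
                ha: Heartbeat, hb: Heartbeat, out: List[str]) -> None:
    # Each unit's local IP must equal the other unit's peer IP, in both directions.
    if ha.local_ip != hb.peer_ip:
        out.append(f"{label}: {a.name} local IP {ha.local_ip} != "
                   f"{b.name} peer IP {hb.peer_ip}")
    if hb.local_ip != ha.peer_ip:
        out.append(f"{label}: {b.name} local IP {hb.local_ip} != "
                   f"{a.name} peer IP {ha.peer_ip}")


def validate_pair(master: HaUnit, slave: HaUnit) -> List[str]:
    """Return configuration problems for an active-passive pair (empty = consistent)."""
    problems: List[str] = []
    if master.mode != "master" or slave.mode != "slave":
        problems.append("one unit must be configured master and the other slave")
    _check_link("primary heartbeat", master, slave, master.primary, slave.primary, problems)
    # Secondary heartbeat: disabled on both, or configured on both with matching IPs,
    # and never on the same subnet as the primary heartbeat IPs.
    if (master.secondary is None) != (slave.secondary is None):
        problems.append("secondary heartbeat enabled on only one unit")
    elif master.secondary is not None and slave.secondary is not None:
        _check_link("secondary heartbeat", master, slave,
                    master.secondary, slave.secondary, problems)
    for u in (master, slave):
        if u.secondary is not None and _subnet(u.secondary) == _subnet(u.primary):
            problems.append(f"{u.name}: secondary heartbeat shares subnet "
                            f"{_subnet(u.primary)} with primary heartbeat")
    # HA daemon settings are not synchronized, so both units are checked.
    if master.shared_password != slave.shared_password:
        problems.append("HA daemon shared password differs between units")
    if not master.shared_password:
        problems.append("HA daemon shared password is empty; set one for the group")
    for u in (master, slave):
        if not 2 <= u.hb_interval_s <= 60:
            problems.append(f"{u.name}: heartbeat interval {u.hb_interval_s}s outside 2-60 s")
        for label, minutes in (("configuration", u.config_sync_min),
                               ("data", u.data_sync_min)):
            if minutes != 0 and not 15 <= minutes <= 999:
                problems.append(f"{u.name}: {label} sync {minutes} min outside "
                                f"15-999 (0 disables)")
        # Assumption: the three daemon ports must be distinct on a unit.
        if len({u.hb_port, u.config_port, u.data_port}) != 3:
            problems.append(f"{u.name}: heartbeat, configuration and data ports must differ")
    # Assumption: each port must agree across the pair so the daemons can connect.
    for label, pm, ps in (("heartbeat", master.hb_port, slave.hb_port),
                          ("configuration", master.config_port, slave.config_port),
                          ("data", master.data_port, slave.data_port)):
        if pm != ps:
            problems.append(f"{label} TCP port differs: {pm} on {master.name}, "
                            f"{ps} on {slave.name}")
    return problems


# Constructed pair using the guide's conventional 10.0.0.1/10.0.0.2 addresses;
# the 10.0.1.0/24 secondary heartbeat subnet and the password are assumptions.
GOOD_MASTER = HaUnit("fml-a", "master", Heartbeat("10.0.0.1", "10.0.0.2"),
                     Heartbeat("10.0.1.1", "10.0.1.2"),
                     shared_password="example-group-secret")
GOOD_SLAVE = HaUnit("fml-b", "slave", Heartbeat("10.0.0.2", "10.0.0.1"),
                    Heartbeat("10.0.1.2", "10.0.1.1"),
                    shared_password="example-group-secret")

if __name__ == "__main__":
    print("problems:", validate_pair(GOOD_MASTER, GOOD_SLAVE))
    print("failure detection time:", failure_detection_time(GOOD_MASTER), "seconds")
```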

HA interface configuration in master mode options (active-passive HA)


Use HA interface configuration in master mode options to control how
active-passive HA changes network interface IP addressing and status for the
primary unit. See “HA network interface configuration in master mode” on
page 472 for more information.

Note: The primary and secondary heartbeat interface configuration is set to “do nothing”
and this setting cannot be changed.


Figure 355: HA Interface Configuration In Master Mode options (active-passive
backup unit operating in gateway mode)

do nothing
    The default setting for all network interfaces. Select this option if
    you do not want to apply special functionality to a network interface
    when operating in HA mode.
    See “Removing an interface from an HA group” on page 476 for more
    information about this option. See “Gateway mode active-passive HA
    configuration example” on page 503 for a FortiMail configuration example
    that uses this option.
set interface IP/netmask
    Set an IP address and netmask for a network interface. Select this
    option and add an IP address and netmask. When operating in HA mode,
    this option changes the IP address of the selected network interface of
    the primary unit to the specified IP address. When a failover occurs,
    this IP address is assigned to the corresponding network interface of
    the new primary unit.
    See “Changing the IP address of an HA group interface” on page 476 for
    more information about the set interface IP/netmask option. See
    “Gateway mode active-passive HA configuration example” on page 503 for a
    FortiMail configuration example that uses this option.
    Changing the IP address of an HA group interface using this option
    replaces the actual IP address of the interface with the set IP address.
    The interface has only one IP address. (This is different from the
    virtual IP address configuration, which results in the interface having
    two IP addresses.)


add virtual IP/netmask
Assign a virtual IP address to a network interface. Select this option and add an IP address and netmask. When operating in HA mode, this option adds the specified IP address to the selected interface of the primary unit. Email processing, FortiMail users, and FortiMail administrators can all connect to this virtual IP address to connect to the primary unit. If a failover occurs, the virtual IP address is transferred to the new primary unit. Email processing, FortiMail users, and FortiMail administrators can now connect to the same IP address to connect to the new primary unit.
In most cases you would select this option for all FortiMail network interfaces that will be processing email when the FortiMail HA group is operating in gateway or server mode. See “Adding an IP address to an HA group interface using HA virtual IP addresses” on page 473 for more information about HA virtual IP addresses. See “Gateway mode active-passive HA configuration example” on page 503 for a FortiMail configuration example that uses HA virtual IP addresses.
Configuring virtual IP addresses for FortiMail active-passive HA configuration may produce unexpected results. Adding a virtual IP address to a FortiMail interface gives the interface two IP addresses: the virtual IP address and the actual IP address.
Normally you would configure your network (MX records, firewall policies, routing and so on) so that clients and mail services use the virtual IP address. All replies to sessions with the virtual IP address include the virtual IP address as the source address.
However, all outgoing sessions that originate from this interface use the actual IP address of the interface and not the virtual IP address. This means that all outbound mail or relayed mail packets sent from a FortiMail primary unit interface, configured with a virtual IP address, will have the actual IP address of the primary unit interface as the source IP address.

add to bridge
For a FortiMail HA group operating in transparent mode, select this option for all network interfaces to be added to the FortiMail transparent mode bridge.
When you select add to bridge for an interface that is not physically connected, the interface name is displayed in red text.
For the primary unit, “add to bridge” has the same effect as “do nothing”. In both cases the interface is added to the bridge.
For the backup unit, add to bridge means that the interface is disconnected and cannot process traffic when the effective operating mode of the unit is SLAVE. The interface is disconnected to prevent layer 2 loops. If the effective operating mode of the unit changes to MASTER the interface becomes connected again and, as part of the bridge, can process traffic. For this reason, selecting add to bridge is the recommended configuration.
The add to bridge option is only available for FortiMail interfaces that are already added to the bridge. If you have added an IP address to an interface you cannot select add to bridge for the interface.
When you select add to bridge, on System > Network > Interface the interface status shows bridged (isolated), indicating that the interface is not connected to the network.
If the effective operating mode changes to FAILED, on System > Network > Interface the interface status shows bridging (waiting for recovery).

HA peer systems options (config-only HA primary unit)


Use HA peer systems options to add the IP addresses of the backup units in the
config-only HA group to the configuration of the primary unit. The primary unit
requires these IP addresses to communicate with the backup units.


Known Peers
The list of backup unit IP addresses that have been added to the primary unit HA configuration. The primary unit synchronizes only with backup units that have IP addresses in the known peers list. You can select the Delete icon for any IP address in the Known Peers list to remove the IP address of this backup unit from the primary unit HA configuration.

New Peer
Add the IP address of a backup unit and select Add to add the backup unit IP address to the known peers list. You can add up to 24 backup units or peers.

HA master configuration options (config-only HA backup units)


Use HA master configuration options to add the IP address of the primary unit to
the configuration of the backup units in a config-only HA group.

IP address
The heartbeat interface IP address of the primary unit in the config-only HA group. The backup unit uses the master configuration IP address to communicate with the primary unit. The master configuration IP address must be the same as the local IP address added to the primary unit HA configuration.
The master configuration IP address is equivalent to the Peer IP address that you add to the backup unit in an active-passive HA group.

Configuring active-passive HA service monitoring


For an active-passive HA group, you can go to System > HA > Services to
configure HA service monitoring. Use HA service monitoring to configure remote
service monitoring, local network interface monitoring, and local hard drive
monitoring.
You can configure remote service monitoring so that the backup unit confirms that
it can connect to the primary unit over the network using SMTP service, POP
service (POP3), and Web service (HTTP) connections.
You can configure local network interface monitoring and local hard drive
monitoring so that the primary unit monitors its own network interfaces and hard
drives.
If remote service monitoring detects a failure, the effective operating mode of the
backup unit switches to MASTER and the backup unit operates as the primary
unit. As well, the effective operating mode of the primary unit switches to OFF or
FAILED (depending on the On Failure setting). When these HA events occur, the
FortiMail units send HA event alert email, write HA event log messages, and send
HA event SNMP traps.
HA service monitoring options are not synchronized and you must set them
separately on the primary and backup units.
See “HA main configuration options” on page 492 for information about the On
Failure setting. See “About HA configured and effective operating modes” on
page 484 for information about FortiMail HA effective operating modes.

Note: HA services monitoring is not supported for config-only HA groups.


Figure 356: HA services monitoring

This section describes:


• Configuring the backup unit to monitor remote services on the primary unit
• Configuring HA primary unit local services monitoring to monitor network
interfaces and hard drives

Configuring the backup unit to monitor remote services on the primary unit
For an active-passive HA group, you can connect to the backup unit, go to
System > HA > Services and configure remote service monitoring so that the
backup unit monitors the primary unit to verify that the primary unit can accept
SMTP service, POP service (POP3), and Web service (HTTP) connections.
For each service you can enter the IP address and TCP port number to check.
You can enter the same IP address or a different one for each service.
Remote service monitoring is an effective way to make sure that both FortiMail
units in the HA group are connected to your network. If the primary unit becomes
disconnected from the network, the HA group can no longer process email. If you
have configured remote service monitoring, the backup unit detects that the
primary unit network connection has failed.
Normally you set remote monitoring to monitor the IP address of the primary unit
interface that processes email. For example, if the primary unit uses port1 for
email traffic, set the remote service monitoring IP address to the port1 IP address
of the primary unit.
If you set the remote service monitoring IP address to the IP address of the
primary heartbeat interface or the secondary heartbeat interface of the primary
unit, checking takes place over the heartbeat link.
For each protocol, you must specify an IP address and port number, and
configure all settings for each protocol. You must also specify the check time
interval in minutes to wait between checks and the response wait time in seconds
to wait for a response. You must also specify how many times the check fails
before a failover occurs.


The check time interval range is 1 to 60 minutes. Set the time interval to 0 to
disable remote service monitoring. The response wait time range for service
checks is 1 to a high number of seconds. Set the response wait time to 0 to
disable remote service monitoring.
The number of times the check fails range is 1 to a high number. Set the number
of times the check fails to 0 to disable interface monitoring or hard drive
monitoring.
If the backup unit detects a remote service failure, the backup unit HA effective
operating mode changes to MASTER. The backup unit becomes the new primary
unit. The primary unit effective operating mode changes to OFF or FAILED
depending on the On Failure setting. See “HA main configuration options” on
page 492 for information about setting On Failure.
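To make the three remote service monitoring settings concrete, the following Python model is an added illustration of the check described above; it is not FortiMail's own implementation. It probes each configured service of the primary unit with a TCP connect bounded by the response wait time, counts failed checks per service, and switches the backup unit's effective operating mode to MASTER once the failure count reaches the configured limit; a value of 0 for any of the three settings disables monitoring, as on the page. Counting consecutive failures (a successful check resets the count), the ScriptedProbe offline stand-in, and the port numbers 25, 110 and 80 are assumptions of this example.

```python
"""Model of FortiMail active-passive HA remote service monitoring.

Added example, not FortiMail's own code.  The backup unit probes the
primary unit's SMTP, POP3 and HTTP services; after `max_failures`
consecutive failed checks of any one service it assumes the MASTER role.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Probe signature: (ip, port, timeout_seconds) -> True if the service answered.
Probe = Callable[[str, int, float], bool]


def tcp_connect_probe(ip: str, port: int, timeout: float) -> bool:
    """Real probe: succeed if a TCP connection to ip:port completes in time."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


class ScriptedProbe:
    """Offline stand-in for tcp_connect_probe (an assumption of this example):
    returns pre-scripted results per (ip, port), then True once exhausted."""

    def __init__(self, results: Dict[Tuple[str, int], List[bool]]):
        self.results = {k: list(v) for k, v in results.items()}

    def __call__(self, ip: str, port: int, timeout: float) -> bool:
        queue = self.results.get((ip, port), [])
        return queue.pop(0) if queue else True


@dataclass
class ServiceCheck:
    name: str   # SMTP, POP3 or HTTP
    ip: str     # primary unit interface to check (normally the mail interface)
    port: int


@dataclass
class RemoteServiceMonitor:
    services: List[ServiceCheck]
    interval_min: int    # minutes between checks, 1..60; 0 disables monitoring
    wait_sec: int        # response wait time in seconds; 0 disables monitoring
    max_failures: int    # failed checks before failover; 0 disables monitoring
    probe: Probe = tcp_connect_probe
    effective_mode: str = "SLAVE"
    failures: Dict[str, int] = field(default_factory=dict)

    @property
    def enabled(self) -> bool:
        return self.interval_min > 0 and self.wait_sec > 0 and self.max_failures > 0

    def run_check(self) -> Optional[str]:
        """One monitoring pass (a scheduler runs it every `interval_min` minutes).
        Returns the name of the service that triggered failover, or None."""
        if not self.enabled or self.effective_mode == "MASTER":
            return None
        for svc in self.services:
            if self.probe(svc.ip, svc.port, float(self.wait_sec)):
                self.failures[svc.name] = 0            # a success resets the count
                continue
            self.failures[svc.name] = self.failures.get(svc.name, 0) + 1
            if self.failures[svc.name] >= self.max_failures:
                self.effective_mode = "MASTER"         # backup unit takes over
                return svc.name
        return None


def demo() -> Tuple[List[Optional[str]], str]:
    """Constructed run: SMTP on the primary's port5 address stops answering
    after the first pass while POP3 and HTTP keep answering; max_failures=3."""
    probe = ScriptedProbe({
        ("172.16.5.2", 25): [True, False, False, False],
        ("172.16.5.2", 110): [True] * 4,
        ("172.16.5.2", 80): [True] * 4,
    })
    monitor = RemoteServiceMonitor(
        services=[ServiceCheck("SMTP", "172.16.5.2", 25),
                  ServiceCheck("POP3", "172.16.5.2", 110),
                  ServiceCheck("HTTP", "172.16.5.2", 80)],
        interval_min=1, wait_sec=5, max_failures=3, probe=probe)
    outcomes = [monitor.run_check() for _ in range(4)]
    return outcomes, monitor.effective_mode


if __name__ == "__main__":
    print(demo())   # ([None, None, None, 'SMTP'], 'MASTER')
```

Replace ScriptedProbe with tcp_connect_probe (the default) to run the same state machine against a live address; the point of the scripted run is that a single recovered check resets the count, so only a sustained outage reaches the failover threshold.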

Configuring HA primary unit local services monitoring to monitor network interfaces and hard drives
You can connect to the primary unit and go to System > HA > Services to
configure an active-passive HA primary unit to monitor its own network interfaces
or hard drives. In the Local Services section, you must configure the check time
interval in seconds to wait between checks of the interfaces or hard drives and
how many consecutive times the check fails before a failover occurs.
The check time interval range is 1 to 60 seconds. Set the check time interval to 0
to disable interface monitoring or hard drive monitoring. The number of times the
check fails range is 1 to a high number. Set the number of times the check fails to
0 to disable interface monitoring or hard drive monitoring.
Network interface monitoring checks all active network interfaces. Network
interface monitoring does not check interfaces set to “do nothing”. For information
about HA network interface configuration, see “HA interface configuration in
master mode options (active-passive HA)” on page 497.
If the primary unit detects an interface failure (for example, if the network cable is
disconnected from a monitored interface) or a hard drive failure the primary unit
effective operating mode changes to OFF or FAILED depending on the On Failure
setting. See “HA main configuration options” on page 492 for information about
setting On Failure.
If the primary unit effective operating mode changes to OFF or FAILED the
primary unit will no longer respond to HA heartbeat packets sent by the backup
unit. The backup unit operates as though the primary unit has failed and becomes
the new primary unit.


Gateway mode active-passive HA configuration example


The following example describes how to configure two new FortiMail-400 units to
operate in gateway mode as an active-passive HA group, and then how to
connect them to your network. This example contains the following steps:
• Deciding on the HA network interface configuration in master mode settings
• Configuring the primary unit for HA operation
• Configuring the backup unit for HA operation
• Connecting the gateway mode HA group to your network
• Configuring and administering the HA group

Deciding on the HA network interface configuration in master mode settings


You can decide on the HA network interface configuration in master mode settings
that meet your requirements if you can understand the required standalone
FortiMail network interface configuration. In this example, you want to configure a
gateway mode HA group consisting of two FortiMail-400 units that have two
connections to your network. First, examine the standalone FortiMail-400 network
interface configuration as shown in Table 25 and Figure 357.

Table 25: Example standalone network interface configuration

FortiMail interface | IP address setting | Used for
port1               | 172.20.2.10        | Administrative connections to the FortiMail unit.
port2 to port4      | Default IP.        | Not connected.
port5               | 172.16.5.2         | The target of your email DNS and MX records, this gigabit Ethernet interface is used for all mail processing and email user connections. There is no administrative access to this interface.
port6               | Default IP.        | Not connected.

Figure 357: Example FortiMail-400 gateway standalone configuration

[Figure: the FortiMail-400 port5 interface (IP 172.16.5.2) connects through a network switch to the internal network (mail server, DNS server) and to the Internet; port1 (IP 172.20.2.10) connects to the administrators. DNS record: example.com=172.16.5.2. MX record: gw.example.com=172.16.5.2.]


When operating as an HA group, DNS and MX records should target the port5
interface of the primary FortiMail-400 unit. As well, administrators should be able
to administer the HA group by connecting to port1 of the primary unit.
If a failover occurs, port5 of the backup unit should become the DNS and MX
record target. As well, administrators should be able to connect to port1 of the
backup unit using the same administration IP address.
Additionally, all connections to port5 should use only the 172.16.5.2 IP address,
and, during normal HA group operation, users should not be able to connect to
port5 of the backup unit. Administrators should be able to connect to port1 of the
backup unit at any time.
The network configuration shown in Table 26 supports these requirements for the
primary unit.
Table 26: Example primary unit HA network interface configuration

FortiMail interface | IP address setting | HA network interface configuration in master mode: Setting | HA network interface configuration in master mode: IP address | Description
port1               | 172.20.2.20        | add virtual IP/netmask   | 172.20.2.10 | Enable HTTPS, SSH, and ping access. Administrative access to this interface uses IP address 172.20.2.20 or 172.20.2.10.
port2 to port4      | Default IP.        | do nothing               |             |
port5               | Default IP.        | set interface IP/netmask | 172.16.5.2  | The target of your email DNS and MX records, this interface is used for all mail processing and email user connections. No administrative access to this interface.
port6               | Default IP.        | do nothing               | 10.0.0.1    | Primary heartbeat interface. The default IP address of this interface is 10.0.0.1.

The HA network interface configuration in master mode is synchronized between the primary and backup units, so you do not need to change the HA network interface configuration in master mode of the backup unit. Table 27 shows the network interface changes required for the backup unit.

Table 27: Example backup unit HA network interface configuration

FortiMail interface | IP address setting | HA network interface configuration in master mode: Setting | HA network interface configuration in master mode: IP address | Description
port1               | 172.20.2.30        | N/A | N/A      | Enable HTTPS, SSH, and ping access. Administrative access to this interface uses IP address 172.20.2.30.
port2 to port5      | Default IP.        | N/A | N/A      |
port6               | Default IP.        | N/A | 10.0.0.2 | Primary heartbeat interface. The default IP address of this interface is 10.0.0.2.
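The following Python model is an added illustration (not FortiMail code) that encodes the behaviour of the four "HA network interface configuration in master mode" settings exactly as the option descriptions above state it, then applies it to the Table 26 and Table 27 configuration. From that it derives which addresses each interface answers on while the primary unit holds the MASTER role and after a failover, and which source address the unit's own outbound sessions use on each interface, which is the caveat the virtual IP description raises. The class and function names are this example's own; the addresses and settings come from the two tables.

```python
"""Model of the HA interface settings in Tables 26 and 27.

Added example, not FortiMail code.  It encodes the documented behaviour of
the four "HA network interface configuration in master mode" settings and
derives, per unit and effective operating mode, the addresses an interface
answers on and the source address its own outbound sessions use.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DO_NOTHING = "do nothing"
SET_IP = "set interface IP/netmask"
ADD_VIRTUAL = "add virtual IP/netmask"
ADD_TO_BRIDGE = "add to bridge"


@dataclass(frozen=True)
class HaInterface:
    name: str
    actual_ip: Optional[str]          # None = "Default IP", not connected
    ha_setting: str = DO_NOTHING      # interface configuration in master mode
    ha_ip: Optional[str] = None       # address for set-interface / virtual-IP

    def __post_init__(self) -> None:
        # Page rule: once an interface has an IP address it cannot be bridged.
        if self.ha_setting == ADD_TO_BRIDGE and self.actual_ip is not None:
            raise ValueError(f"{self.name}: add to bridge not available once an IP address is set")
        if self.ha_setting in (SET_IP, ADD_VIRTUAL) and not self.ha_ip:
            raise ValueError(f"{self.name}: {self.ha_setting} requires an IP address")


def listening_addresses(iface: HaInterface, effective_mode: str) -> Set[str]:
    """Addresses on which the interface accepts connections in this mode."""
    actual = {iface.actual_ip} if iface.actual_ip else set()
    if effective_mode != "MASTER":
        return actual                       # HA addresses live on the primary only
    if iface.ha_setting == SET_IP:
        return {iface.ha_ip}                # replaces the actual address: one IP
    if iface.ha_setting == ADD_VIRTUAL:
        return actual | {iface.ha_ip}       # actual plus virtual: two IPs
    return actual


def outbound_source(iface: HaInterface, effective_mode: str) -> Optional[str]:
    """Source address of sessions the unit itself originates on this interface
    (outbound or relayed mail).  A virtual IP is never used as the source."""
    if effective_mode == "MASTER" and iface.ha_setting == SET_IP:
        return iface.ha_ip
    return iface.actual_ip


def example_group() -> Dict[str, List[HaInterface]]:
    """Tables 26 and 27; the HA settings are synchronized, so both units share them."""
    def unit(port1_ip: str, port6_ip: str) -> List[HaInterface]:
        return [
            HaInterface("port1", port1_ip, ADD_VIRTUAL, "172.20.2.10"),
            HaInterface("port5", None, SET_IP, "172.16.5.2"),
            HaInterface("port6", port6_ip, DO_NOTHING),
        ]
    return {"primary": unit("172.20.2.20", "10.0.0.1"),
            "backup": unit("172.20.2.30", "10.0.0.2")}


def address_map(group: Dict[str, List[HaInterface]], master: str) -> Dict[str, Dict[str, Set[str]]]:
    """Listening addresses per unit and interface when `master` holds the
    MASTER role and the other unit is SLAVE."""
    return {unit: {i.name: listening_addresses(i, "MASTER" if unit == master else "SLAVE")
                   for i in ifaces}
            for unit, ifaces in group.items()}


def outbound_sources(group: Dict[str, List[HaInterface]], iface_name: str) -> Set[str]:
    """Every source IP a downstream firewall rule or SPF record must expect
    from this interface, on either unit in either role."""
    sources: Set[str] = set()
    for ifaces in group.values():
        for i in ifaces:
            if i.name == iface_name:
                for mode in ("MASTER", "SLAVE"):
                    src = outbound_source(i, mode)
                    if src:
                        sources.add(src)
    return sources


if __name__ == "__main__":
    group = example_group()
    print(address_map(group, "primary"))   # normal operation
    print(address_map(group, "backup"))    # after a failover
    print(outbound_sources(group, "port1"), outbound_sources(group, "port5"))
```

Running it shows the two consequences the tables imply but do not spell out: port5 traffic always comes from 172.16.5.2 whichever unit is primary (set interface replaces the address), while sessions originated on port1 come from 172.20.2.20 or 172.20.2.30, never the virtual 172.20.2.10, so firewall rules for the admin interface must allow both actual addresses.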


Figure 358: Example FortiMail-400 gateway HA group configuration

[Figure: HA group of a primary unit and a backup unit. Primary unit port1: IP 172.20.2.20, virtual IP 172.20.2.10; primary unit port5: virtual IP 172.16.5.2; backup unit port1: IP 172.20.2.30. The port6 interfaces are joined as the primary heartbeat link. The port5 interfaces connect through a network switch to the internal network (mail server, DNS server) and to the Internet; the port1 interfaces connect to the administrators. DNS record: example.com=172.16.5.2. MX record: gw.example.com=172.16.5.2.]

Configuring the primary unit for HA operation


The following procedure describes how to prepare a FortiMail unit for HA
operation as the primary unit by setting the operating mode, configuring interface
IP addresses, and configuring HA.
This example includes the primary heartbeat interface only. As well, On Failure is
set to wait for recovery then resume slave role. Since the HA daemon
configuration of the backup unit controls how the HA daemon operates, this
example does not include steps to change the HA daemon settings of the primary
unit.

To configure the primary unit for HA operation


1 Power up the primary unit.
2 Connect to the FortiMail web-based manager.
3 Go to System > Status and change the operating mode to Gateway.
4 Reconnect to the primary unit and go to System > Network > Interface.


5 Configure the port1 interface.

IP/Netmask 172.20.2.20/255.255.255.0
Access Enable HTTPS, SSH, and PING.

6 Select OK.
7 Connect to the port1 interface using https://172.20.2.20.
8 Go to System > HA > Configuration and change the following settings:

Main Configuration
Mode of Operation master
On Failure wait for recovery then assume slave role
Primary Heartbeat
Use Keep the default setting.
Local IP 10.0.0.1
Peer IP 10.0.0.2
Secondary Heartbeat
Use disabled
Treat Remote Services as a heartbeat Keep the default setting.
Daemon Configuration
Shared Password PassW0rd
Heartbeat Keep the default setting.
Configuration Keep the default setting.
Data Keep the default setting.
Backup system mail directory Keep the default setting.
Backup user home directories Keep the default setting.
Backup MTA spool directories Keep the default setting.
Interface Configuration in Master Mode
port1 add virtual IP/netmask 172.20.2.10/255.255.255.0
port5 set interface/netmask 172.16.5.2/255.255.255.0
port2 to 4 and port6 Keep the default setting.

Note: The backup unit HA daemon configuration settings control how the HA daemon
operates. For the initial configuration of the primary unit there is no need to change these
settings. However, after the HA group is operating you might want to change the primary
unit HA daemon configuration settings to control how the primary unit operates when it
becomes the new backup unit after a failover.

9 Select Apply. The primary unit switches to HA mode.


You can connect to port1 of the primary unit using https://172.20.2.10 as well as
https://172.20.2.20.
10 Optionally go to System > HA > Status to confirm that the primary unit configured
and effective operating modes are both set to MASTER. See “Viewing and
changing HA status” on page 484.


Figure 359: Primary unit status

11 Power off the primary unit.

Configuring the backup unit for HA operation


The following procedure describes how to prepare a FortiMail unit for HA
operation as the backup unit by setting the operating mode, configuring interface
IP addresses, and configuring HA. This procedure also changes HA daemon
settings so that the HA daemon synchronizes the system email directory.

To configure the backup unit for HA operation


1 Power up the backup unit.
2 Connect to the FortiMail web-based manager.
3 Go to System > Status and change the operating mode to Gateway.
4 Reconnect to the backup unit and go to System > Network > Interface.
5 Configure the port1 interface.

IP/Netmask 172.20.2.30/255.255.255.0
Access Enable HTTPS, SSH, and PING.

6 Select OK.
7 Connect to the port1 interface using https://172.20.2.30.
8 Go to System > HA > Configuration and change the following settings:

Main Configuration
Mode of Operation slave
Primary Heartbeat
Use Keep the default setting.
Local IP 10.0.0.2
Peer IP 10.0.0.1
Secondary Heartbeat
Use disabled
Treat Remote Services as a heartbeat Keep the default setting.
Daemon Configuration
Shared Password PassW0rd (enter the same password as the primary unit).
Heartbeat Keep the default setting.
Configuration Keep the default setting.
Data Keep the default setting.
Backup system mail directory Select


Backup user home directories Keep the default setting.
Backup MTA spool directories Keep the default setting.
Interface Configuration in Master Mode
port2 to port6 Keep the default setting. (The heartbeat interface configuration is synchronized from the primary unit.)

9 Select Apply. The backup unit switches to HA mode.


The only address that you can use to connect to the backup unit is
https://172.20.2.30.
10 Optionally go to System > HA > Status to confirm that the backup unit configured
operating mode is SLAVE. See “Viewing and changing HA status” on page 484.
Because the heartbeat interfaces are not connected, the backup unit cannot
connect to the primary unit so the backup unit operates as though the primary unit
has failed and switches the effective operating mode to MASTER.

Figure 360: Backup unit status page

11 Power off the backup unit.

Connecting the gateway mode HA group to your network


Use the following procedure to connect the gateway mode HA group to your
network. In this example, because you are connecting the port1 and port5
interfaces to your network, you must connect these interfaces together using a
switch before connecting them to your network. As well, you must connect the
port6 interfaces together because the port6 interfaces are used for the heartbeat
link. Figure 358 on page 505 shows the connections required for this gateway
mode HA group.
Connecting the HA group creates new physical connections that may temporarily
interrupt communications on the network. Also, starting the HA group interrupts
traffic to the FortiMail units until the HA group is operating.
1 Connect the port1 interfaces of the primary and backup FortiMail units to a switch
and connect the switch to the network that administrators would use to connect to
the HA group.
The port1 interface is used for administrator connections to the FortiMail unit.
2 Connect the port5 interfaces of the primary and backup FortiMail units to a switch
and connect the switch to the network that connects the FortiMail unit to the
Internet and to your email users.
The port5 interface is used for mail processing connections to the FortiMail unit.


3 Connect the port6 primary heartbeat interface of the primary and backup FortiMail
units together using a crossover Ethernet cable.
You can also use two regular Ethernet cables and a switch.
4 Turn on the FortiMail units.
The FortiMail units start up and automatically form an HA group.

Configuring and administering the HA group


You connect to the primary unit to configure FortiMail settings. As you make
configuration changes they are synchronized to the backup unit.
HA main configuration changes, daemon configuration changes, and service
monitoring changes are not synchronized to the backup unit. You must make
these configuration changes by connecting to the backup unit.
Connect to the primary unit to view and manage log messages recorded on the
primary unit hard disk. Connect to the backup unit to view and manage log
messages recorded on the backup unit hard disk.
1 Connect to the web-based manager of the primary unit.
You can browse to the actual IP address of the primary unit port1 interface (https://172.20.2.20) or to the virtual IP address of the primary unit port1 interface (https://172.20.2.10).
2 Configure the HA group in the same way as you would configure a standalone
FortiMail unit.
All configuration changes made to the primary unit are synchronized to the
backup unit.
3 Connect to the web-based manager of the backup unit by browsing to the actual
IP address of the backup unit port1 interface (https://172.20.2.30).

HA failover scenarios
This section describes some basic FortiMail active-passive HA failover scenarios.
For each scenario you can refer to the HA group shown in Figure 361. To simplify
the descriptions of these scenarios:
• P1 identifies the FortiMail unit configured to be the primary unit (also called the
master) in the HA group.
• B2 identifies the FortiMail unit configured to be the backup unit (also called the
slave) in the HA group.


Figure 361: Example FortiMail HA group

[Figure: HA group. Primary unit (P1): port1 IP 172.16.5.10, port1 virtual IP 172.16.5.2. Backup unit (B2): port1 IP 172.16.5.11. The port1 interfaces connect through a switch; the two units are joined by the heartbeat link.]

This section describes:


• Failover scenario: Temporary failure of the primary unit
• Failover scenario: primary heartbeat link fails
• Failover scenario: Network connection between primary and backup units fails
(remote service monitoring detects a failure)

Failover scenario: Temporary failure of the primary unit


In this scenario, the primary unit (P1) fails because of a software failure or a
recoverable hardware failure (in this example, the P1 power cable is unplugged).
HA logging and alert email are configured for the HA group.
When the backup unit (B2) detects that P1 has failed, B2 becomes the new
primary unit and continues processing email.
1 The FortiMail HA group is operating normally.
2 The power is accidentally disconnected from P1.
3 The B2 primary heartbeat test detects that P1 has failed.
How soon this happens depends on the HA daemon configuration of B2.
4 The effective operating mode of B2 changes to MASTER.
5 B2 sends an alert email similar to the following, indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
Date sent: Wed, 30 Nov 2009 20:27:18 GMT
From: example@example.com
Subject: Remote HA Event
To: example@example.net

This is the FortiMail HA unit at 10.0.0.2.

A remote problem (heartbeat) has been detected, telling the remote to shutdown and taking over.


6 B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"


Recovering from temporary failure of the primary unit


Use the following steps to return to normal operation of the HA group after the P1
power cable is unplugged.
1 Turn off the P1 power switch, reconnect the power cable and then turn the power
switch back on.
P1 starts up and finds B2 operating as a primary unit. P1 switches its effective
operating mode to SLAVE.
P1 records the following log messages (among others) as this happens.
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: starting pre-amble"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: ** response from peer, setting to SLAVE mode"
The configured operating mode of P1 is MASTER and the effective operating
mode of P1 is SLAVE.
The configured operating mode of B2 is SLAVE and the effective operating mode
of B2 is MASTER.
P1 synchronizes the content of its MTA spool directories to B2. Email in these
directories can now be delivered by B2.
2 Connect to the P1 web-based manager, go to System > HA > Status.
3 Check for synchronization messages.
Do not proceed to the next step until P1 has synchronized with B2.
4 Connect to the B2 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
5 Connect to the P1 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
P1 should return to operating as the primary unit and B2 should return to
operating as the backup unit. You may have to repeat steps 4 and 5 a few times.
6 P1 and B2 synchronize their MTA spool directories again. All of the email in these
directories can now be delivered by P1.

Failover scenario: primary heartbeat link fails


If the primary heartbeat link fails and you have not configured the secondary
heartbeat link, the units in the HA group cannot use the HA heartbeat to verify that
the other is operating. As a result the backup unit (B2) changes to operating as a
primary unit.
The primary unit (P1) continues to operate as a primary unit. In fact P1 is not
aware that HA communication has been disrupted.


Two primary units connected to the same network may cause address conflicts on
your network because matching interfaces will have the same IP addresses. As
well, because the heartbeat link is interrupted, the units in the HA group cannot
synchronize configuration changes or mail data changes.
Even after reconnecting the heartbeat link, both units will continue operating as
primary units. To return the HA group to normal operation you must connect to the
B2 web-based manager to restore B2 to operating as the backup unit.
1 The FortiMail HA group is operating normally.
2 The heartbeat link Ethernet cable is accidentally disconnected.
3 The B2 HA heartbeat test detects that the primary unit has failed.
How soon this happens depends on the HA daemon configuration of B2.
4 The effective operating mode of B2 changes to MASTER.
5 B2 sends an alert email similar to the following, indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
Date sent: Wed, 30 Jan 2005 16:27:18 GMT
From: example@example.com
Subject: Remote HA Event
To: example@example.net

This is the FortiMail HA unit at 10.0.0.2.

A remote problem (heartbeat) has been detected, telling the
remote to shutdown and taking over.


6 B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"

Recovering from a heartbeat link failure


Use the following steps to return to normal operation of the HA group after the
heartbeat link fails.
1 Reconnect the primary heartbeat interface by reconnecting the heartbeat link
Ethernet cable.
Even though the effective operating mode of B2 is MASTER, B2 continues to attempt
to find the other unit over the heartbeat link. When the heartbeat link is
reconnected, B2 finds P1 and determines that P1 is also operating as a primary
unit. B2 then sends an HA heartbeat packet telling P1 to stop operating as a
primary unit, and the effective operating mode of P1 changes to OFF.
2 P1 sends an alert email similar to the following, indicating that P1 has stopped
operating in HA mode.
Date sent: Wed, 30 Jan 2005 17:10:18 GMT
From: example@example.com
Subject: HA Event
To: example@example.net

This is the FortiMail HA unit at 10.0.0.1.

The slave unit detected a problem and has told me to shutdown


3 P1 records the following log messages (among others) indicating that P1 is
switching to OFF mode.
2005-11-30 17:13:06 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: remote detected problem, shutting down"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering off mode"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering off mode"
The configured operating mode of P1 is MASTER and the effective operating
mode of P1 is OFF.
The configured operating mode of B2 is SLAVE and the effective operating mode
of B2 is MASTER.
P1 synchronizes the content of its MTA spool directories to B2. Email in these
directories can now be delivered by B2.
4 Connect to the P1 web-based manager, go to System > HA > Status.
5 Check for synchronization messages.
Do not proceed to the next step until P1 has synchronized with B2.
6 Connect to the B2 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
The HA group should return to normal operation. P1 records the following log
message (among others) indicating that B2 asked P1 to return to operating as the
primary unit.
2005-11-30 18:10:00 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: being asked to assume original role"
7 P1 and B2 synchronize their MTA spool directories. All of the email in these
directories can now be delivered by P1.


Failover scenario: Network connection between primary and backup units
fails (remote service monitoring detects a failure)

Depending on your network configuration, the network connection between the
primary and backup units can fail for a number of reasons. In the network
configuration shown in Figure 361 on page 510, the connection between port1 of
primary unit (P1) and port1 of the backup unit (B2) can fail if a network cable is
disconnected or if the switch between P1 and B2 fails.
A more complex network configuration could include a number of network devices
between the primary and backup unit network interfaces. In any configuration,
remote service monitoring can detect only a simple communication failure.
Remote service monitoring cannot determine where the failure occurred or the
reason for the failure.
In this scenario remote service monitoring has been configured to make sure that
B2 can connect to P1. The HA main configuration On Failure setting is wait for
recovery then assume slave role. See “HA main configuration options” on
page 492 for information about setting On Failure. See “Configuring the backup
unit to monitor remote services on the primary unit” on page 501 for information
about remote service monitoring.
The failure occurs when power to the switch that connects the P1 and B2 port1
interfaces is disconnected. Remote service monitoring detects the failure of the
network connection between the primary and backup units. Because of the On
Failure setting, P1 changes its effective operating mode to FAILED.
When the failure is corrected, P1 detects the correction because while operating
in failed mode P1 has been attempting to connect to B2 using the port1 interface.
When P1 can connect to B2, the effective operating mode of P1 changes to
SLAVE and the mail data on P1 will be synchronized to B2. B2 can now deliver
this mail. The HA group continues to operate in this manner until an administrator
resets the effective operating modes of the FortiMail units.
1 The FortiMail HA group is operating normally.
2 The power cable for the switch between P1 and B2 is accidentally disconnected.
3 B2 remote service monitoring cannot connect to the primary unit.
How soon this happens depends on the remote service monitoring configuration
of B2.
4 Over the HA heartbeat link B2 signals P1 to shut down.
5 The effective operating mode of P1 changes to FAILED.
6 The effective operating mode of B2 changes to MASTER.


7 B2 sends an alert email similar to the following, indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
Date sent: Wed, 30 Jan 2005 16:27:18 GMT
From: example@example.com
Subject: Remote HA Event
To: example@example.net

This is the FortiMail HA unit at 10.0.0.2.

A remote problem (heartbeat) has been detected, telling the
remote to shutdown and taking over.

8 B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"


9 P1 sends an alert email similar to the following, indicating that P1 has stopped
operating in HA mode.
Date sent: Wed, 30 Jan 2005 17:10:18 GMT
From: example@example.com
Subject: HA Event
To: example@example.net

This is the FortiMail HA unit at 10.0.0.1.

The slave unit detected a problem and has told me to shutdown

10 P1 records the following log messages (among others) indicating that P1 is
switching to FAILED mode.
2005-11-30 17:13:06 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: remote detected problem, shutting down"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering off mode"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering failed mode"

Recovering from a network connection failure


Use the following steps to return to normal operation of the HA group after the
network connection between the primary and backup units fails.
1 Reconnect power to the switch.
Because the effective operating mode of P1 is FAILED, P1 is using remote service
monitoring to attempt to connect to B2 through the switch.
2 When the switch resumes operating, P1 successfully connects to B2.
P1 has determined that B2 can connect to the network and process email.


3 The effective operating mode of P1 switches to SLAVE.
P1 records the following log messages (among others) as this happens.
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: starting pre-amble"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: ** response from peer, setting to SLAVE mode"
4 P1 synchronizes the content of its MTA spool directories to B2. B2 can now
deliver all of the email in these directories.
The HA group can continue to operate with B2 as the primary unit and P1 as the
backup unit. However, you can use the following steps to restore each unit to its
configured operating mode.
5 Connect to the P1 web-based manager and go to System > HA > Status.
6 Check for synchronization messages.
Do not proceed to the next step until P1 has synchronized with B2.
7 Connect to the B2 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
8 Connect to the P1 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
P1 should return to operating as the primary unit and B2 should return to
operating as the backup unit. You may have to repeat steps 7 and 8 a few times.
9 P1 and B2 synchronize their MTA spool directories again. P1 can now deliver all
of the email in these directories.
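The HA event log records quoted in this scenario and in the heartbeat-link scenario above are the only evidence an administrator has of which unit believes it is MASTER. The following is an added example, not part of this guide or of the FortiMail product: a Python script that re-joins the wrapped records, parses the key=value fields, extracts the monitord role changes, and reports any takeover by the backup unit that the primary never acknowledged, which is the two-MASTER condition the heartbeat-link scenario warns about. It assumes both units' HA event logs have been collected as text (for example via syslog) and that the units' clocks are synchronized; the daemon names and message texts come from the excerpts in this chapter, while the sample records, the 5-minute grace window and the function names are constructed for the example.

```python
"""Parse FortiMail HA event log records and flag an unacknowledged takeover.

Added example, not from the guide. Assumes both units' HA event logs were
collected as text (for example via syslog) in the key=value format shown in
this chapter, with wrapped lines re-joined here. Daemon name and message texts
come from the guide's excerpts; the grace window and sample records are
constructed for this example.
"""
import re
from datetime import datetime, timedelta

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG = re.compile(r"^(?P<daemon>\w+):\s*(?P<text>.*)$")

# monitord message fragments that mark a role change (from the guide's excerpts)
ROLE_EVENTS = (
    ("assuming MASTER role", "takeover"),
    ("remote detected problem, shutting down", "told_to_shutdown"),
    ("setting to SLAVE mode", "demoted"),
    ("being asked to assume original role", "restored"),
)

def split_records(text):
    """Group wrapped lines into one record per leading timestamp."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:  # continuation of the previous (wrapped) record
            records[-1] += " " + line
    return records

def parse_record(record):
    """Parse one record into a dict; msg is split into daemon and text."""
    fields = {"ts": datetime.strptime(record[:19], "%Y-%m-%d %H:%M:%S")}
    for key, value in TOKEN.findall(record[20:]):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = MSG.match(fields.get("msg", ""))
    fields["daemon"] = m.group("daemon") if m else ""
    fields["text"] = m.group("text") if m else fields.get("msg", "")
    return fields

def role_events(text):
    """Return [(timestamp, event)] for monitord role changes in an HA log."""
    events = []
    for rec in map(parse_record, split_records(text)):
        if rec.get("subtype") != "ha" or rec["daemon"] != "monitord":
            continue
        for needle, name in ROLE_EVENTS:
            if needle in rec["text"]:
                events.append((rec["ts"], name))
    return events

def unacknowledged_takeovers(primary_log, backup_log, grace=timedelta(minutes=5)):
    """Takeover times on the backup with no matching shutdown on the primary.

    An unacknowledged takeover means both units believe they are MASTER, the
    condition the heartbeat-link scenario describes. The window is symmetric
    because the primary may log its shutdown just before the backup logs the
    takeover. Both units' clocks are assumed to be in sync.
    """
    takeovers = [ts for ts, ev in role_events(backup_log) if ev == "takeover"]
    shutdowns = [ts for ts, ev in role_events(primary_log) if ev == "told_to_shutdown"]
    return [t for t in takeovers if not any(abs(s - t) <= grace for s in shutdowns)]

# Constructed sample records in the guide's format, wrapped as the guide prints them.
B2_LOG = """
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
"""
# Heartbeat-link failure: P1 is unaware of the disruption and logs no HA event.
P1_HEARTBEAT_LOG = ""
# Network failure: B2 told P1 over the heartbeat link to shut down first.
P1_NETWORK_LOG = """
2005-01-30 16:27:16 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: remote detected problem, shutting down"
2005-01-30 16:27:26 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering failed mode"
"""

if __name__ == "__main__":
    print("heartbeat-link failure:", unacknowledged_takeovers(P1_HEARTBEAT_LOG, B2_LOG))
    print("network failure:", unacknowledged_takeovers(P1_NETWORK_LOG, B2_LOG))
```

Run it against both units' exported HA event logs after any failover. A non-empty result means the primary never received the shutdown request, so both units are answering for the same addresses, and the heartbeat-link recovery steps above must be completed before the pair is trusted again.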


Upgrading firmware
This section describes the general procedures and some caveats for upgrading
the FortiMail firmware. For information about upgrading to a specific release, see
the Release Notes that come with that release.
This section includes upgrading issues for all FortiMail firmware versions and how
to revert back to a previous firmware version.
In addition to major releases and maintenance releases, Fortinet releases patch
releases. A patch release is a firmware image that resolves specific issues without
containing new features and/or changes to existing features. It is recommended to
download and install a patch release as soon as it is released. When you install a
patch release, you can use the same procedures as when upgrading to a current
firmware image, including backing up your current configuration.
This section includes the following topics:
• FortiMail v3.0 upgrade information
• Backing up your configuration
• Upgrading your FortiMail unit
• Reverting to a previous firmware version

FortiMail v3.0 upgrade information


If you are upgrading from v2.8 to v3.0, it is important to read the following to learn
about any limitations or caveats.
Loading default profiles
FortiMail v3.0 includes default antispam, antivirus and content profiles. After
upgrading to FortiMail v3.0, log in to the CLI and load the default profiles with
the CLI command execute factoryreset.

Caution: Always back up your configuration before upgrading, downgrading, or executing
a factory reset. A factory reset restores all default settings, and all current settings,
including email, are lost. Backing up your configuration ensures that you can restore a
current configuration.

Configuration limits
The following configuration limits carry forward to FortiMail v3.0 MR1 and higher
unless otherwise stated. For the most recent FortiMail maximum value matrix, see
http://kc.forticare.com.


Table 28: FortiMail maximum value matrix

FortiMail-100
• 50 email domains
• 20 recipient-based policies per domain for incoming mail
• 50 recipient-based policies for outgoing email
• 20 IP-based policies
• 60 AS profiles
• 60 AV profiles
• 60 authentication profiles
• 60 content profiles
• 60 session profiles
• 256 email aliases
• 128 SMTP connections
• 5 tiered administration domains

FortiMail-400
• 500 email domains
• 40 recipient-based policies per domain for incoming mail
• 500 recipient-based policies for outgoing email
• 40 IP-based policies
• 175 AS profiles
• 175 AV profiles
• 175 authentication profiles
• 175 content profiles
• 175 session profiles
• 256 email aliases
• 256 SMTP connections
• 25 tiered administration domains

FortiMail-2000, 2000A and 4000A
• 3000 email domains (increased from 1500 in the previous versions)
• 100 recipient-based policies per domain for incoming email
• 1500 recipient-based policies for outgoing email
• 100 IP-based policies
• 550 AS profiles
• 550 AV profiles
• 550 authentication profiles
• 550 content profiles
• 550 session profiles
• 256 email aliases
• 512 SMTP connections
• 50 tiered administration domains

Heuristic default setting changes (v3.0 MR1)


Heuristic settings are now -20.000/3.500. It is recommended to review your
heuristic settings, starting with the default thresholds.
IP-based policy changes (v3.0 MR2 and newer releases)

You will need to create appropriate recipient-based policies after upgrading if you
enabled only IP-based policies for POP3 and Webmail in FortiMail v3.0 MR1 or
lower. FortiMail v3.0 MR2 and higher releases require recipient-based policies
because IP-based policies no longer check POP3 and Webmail access.
Resetting to factory defaults in FortiMail v3.0 MR2 and newer releases
In FortiMail v3.0 MR2 and newer releases, there are two modes: basic
management mode and advanced management mode. When the FortiMail unit is
reset to factory default settings, the default mode is basic management mode. In
this mode you can easily re-configure basic settings such as IP addresses, as well
as switch back to advanced management mode.

Backing up your configuration


Fortinet recommends backing up all configuration settings from your FortiMail
unit(s) before upgrading, so that the settings are not lost if you need to
downgrade and want to restore them.

Backing up your configuration using the web-based manager


The following procedure describes how to back up configuration settings and
separately back up lists. Lists configured for Dictionary, Black/White List, as well
as Bayesian databases, are not included in the backed up configuration file when
you select Backup system settings on the System Setting Backup page.

Note: Session profile black/white lists are not included in the configuration backup file or
the black/white list maintenance backup file. Session profile black/white lists are not
affected when you back up, restore or reset.

To back up configuration settings using the web-based manager


1 In the Advanced configuration mode, go to System > Status > Status.
2 Under System Settings, select Backup.
3 Select Back up system settings.
4 Save the file to the management computer.
5 Select Return to go back to the Status page.

To back up lists and Bayesian databases


1 In the Advanced configuration mode, go to Anti-Spam > Black/White List >
Black/White List Maintenance.
This does not include session black/white lists.
2 Select Backup Black/White List.
3 Select Download Black/White List backup file, and save the file to the
management computer.
4 In the Advanced configuration mode, go to Profile > Dictionary > Maintenance.
5 Select Backup dictionary and save the file to the management computer.
6 In the Advanced configuration mode, go to Anti-Spam > Bayesian > DB
Maintenance.
This backs up all Bayesian databases.


7 Select Backup bayesian database.
8 Select Download bayesian database backup file, and save the file to the
management computer.

Backing up your configuration using the CLI


You need a TFTP server when using the CLI to back up the current configuration.
This procedure backs up only the configuration file; lists are not backed up.
Back up the Bayesian database, dictionary and black/white lists separately using
the procedure “To back up lists and Bayesian databases” on page 523, since there
are no CLI commands for backing up lists.
TFTP transfers the file unencrypted and without authentication, and the
configuration file contains sensitive settings, so run the TFTP server on an
isolated management network and remove the backup file from the TFTP root as
soon as you have copied it to secure storage.

To back up the configuration file using the CLI


Enter the following to back up the configuration:
execute backup config <filename> <tftp_ipv4>
This may take longer than a minute.
After successfully backing up your configuration file(s), either from the CLI or the
web-based manager, proceed with upgrading to the new firmware releases.

Testing firmware before upgrading


You can test a new firmware image by installing the firmware image from a system
reboot and saving it to system memory. After completing this procedure, the
FortiMail unit operates using the new firmware image with the current
configuration. This new firmware image is not permanently installed. The next time
the FortiMail unit restarts, it operates with the originally installed firmware image
using the current configuration. If the new firmware image operates successfully,
you can install it permanently using the procedure “Upgrading your FortiMail unit”
on page 526.
When using the following procedure, you need to connect to the CLI using the
console port and a TFTP server. The TFTP server should be on the same subnet
as the internal interface.

To test the new firmware image


1 Copy the firmware, previously downloaded from the support website, to the root
directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following to ping the computer running the TFTP server:
execute ping <tftp_ipv4>
Pinging the computer running the TFTP server verifies that the FortiMail unit and
TFTP server are successfully connected.


5 Enter the following to restart the FortiMail unit:
execute reboot
As the FortiMail unit starts, a series of system startup messages appears, ending
with the following prompt:
Press any key to display configuration menu…
6 Immediately press any key to interrupt the system startup. You have only 3
seconds to press a key; if you do not press a key soon enough, the FortiMail unit
continues booting and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware set as default
[C]: Configuration and Information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, B, C, Q, or H:
7 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type an IP address of the FortiMail unit to connect to the TFTP server.
The IP address must be on the same network as the TFTP server, but make sure
you do not use the IP address of another device on the network.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiMail unit and the
following appears:
Save the Default firmware/Backup firmware/Run image without
saving: [D/B/R]
11 Type R.
The FortiMail image is installed to system memory and the FortiMail unit starts
running the new firmware image but with its current configuration.
You can test the new firmware image as required. When you are done testing, you
can reboot the FortiMail unit, and the FortiMail unit will resume using the firmware
that was running before you installed the test firmware.
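The image is fetched over TFTP in every procedure in this section (testing, upgrading and downgrading), and TFTP provides neither encryption nor authentication, so the only control over what ends up running on the appliance is what you place in the TFTP root. The following is an added example, not part of this guide or of the FortiMail product: a Python script run on the TFTP server host that verifies the downloaded image against a SHA-256 value you recorded from a trusted source, copies it into the TFTP root as image.out read-only, and lists anything else left in that root. The expected hash, the TFTP root path and the function names are assumptions; the guide itself does not mention checksums.

```python
"""Check a FortiMail firmware image before staging it for TFTP.

Added example, not from the guide. The test, upgrade and downgrade procedures
all have the FortiMail unit pull the image from a TFTP server, and TFTP carries
it in cleartext with no authentication, so the image must be verified before it
is served. The expected SHA-256 is an operator-supplied value recorded from a
trusted source when the image was downloaded (the guide does not mention
checksums); the TFTP root path is an assumption.
"""
import hashlib
import os
import shutil
import stat


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large image is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def image_matches(path, expected_sha256):
    """True if the file hashes to the expected value (hex, case-insensitive)."""
    return sha256_of(path) == expected_sha256.strip().lower()


def stage_firmware(image_path, expected_sha256, tftp_root, name="image.out"):
    """Copy the image into the TFTP root under `name` only if its hash matches.

    Raises ValueError on a mismatch so a corrupted or tampered download never
    reaches the TFTP root. The staged copy is re-hashed and made read-only:
    a TFTP daemon that permits writes would otherwise let any host on the
    subnet overwrite the image before the FortiMail unit fetches it.
    """
    if not image_matches(image_path, expected_sha256):
        raise ValueError(f"{image_path}: SHA-256 does not match the recorded value")
    os.makedirs(tftp_root, exist_ok=True)
    dest = os.path.join(tftp_root, name)
    if os.path.exists(dest):  # an earlier read-only copy cannot be overwritten in place
        os.remove(dest)
    shutil.copyfile(image_path, dest)
    os.chmod(dest, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # 0444
    if not image_matches(dest, expected_sha256):
        os.remove(dest)
        raise ValueError(f"{dest}: staged copy does not match the image")
    return dest


def stale_files(tftp_root, keep=("image.out",)):
    """Names in the TFTP root other than the staged image; the root should hold nothing else."""
    return sorted(n for n in os.listdir(tftp_root) if n not in keep)


if __name__ == "__main__":
    import sys
    image, expected, root = sys.argv[1:4]   # hypothetical CLI: image sha256 tftp_root
    print("staged", stage_firmware(image, expected, root))
    for extra in stale_files(root):
        print("remove from the TFTP root before serving:", extra)
```

Serve the TFTP root read-only and only for the duration of the upgrade window, and delete image.out once get system status confirms the new version; an image left behind in a writable TFTP root is an image someone else can replace before the next upgrade.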


Upgrading your FortiMail unit


After backing up your current configuration, download the current firmware version
from the support website before upgrading. All current, as well as previous,
firmware versions are located at http://support.fortinet.com.
In the event upgrading to a current firmware version is unsuccessful, see
“Reverting to a previous firmware version” on page 528 to downgrade to a
previous firmware version.

Upgrading to a current firmware version


The following procedures explain how to upgrade to any FortiMail v3.0 firmware
version, using either the web-based manager or the CLI. After successfully
upgrading to FortiMail v3.0 or higher releases, the current antivirus definitions are
replaced with definitions included in the new firmware release; you need to update
the antivirus definitions to ensure they are current. For details, see “Update” on
page 122.
After upgrading to FortiMail v3.0 from any older releases, you will need to create
new LDAP profiles because LDAP profiles do not carry forward to FortiMail v3.0.
For details, see “LDAP” on page 311.
You need a TFTP server when using the CLI to upgrade to a current firmware
version.
You can use the following procedures when installing a patch release. A patch
release is a firmware image that resolves specific issues without containing new
features and/or changes to existing features. You can install a patch release
whether you upgraded to the current firmware version or not.

Caution: Always back up your configuration before upgrading, downgrading, or executing
a factory reset. A factory reset restores all default settings, and all current settings,
including email, are lost. Backing up your configuration ensures that you can restore a
current configuration.

To upgrade to a current firmware version using the web-based manager


1 Copy the firmware, previously downloaded from the support website, to the root
directory of the TFTP server.
2 Log in to the web-based manager.
3 In the Advanced configuration mode, go to System > Status > Status.
4 Under System Information, beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and
locate the file.
6 Select OK.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware
version, reboots, and displays the login. This process takes longer than one
minute.
See “Verifying the upgrade” on page 527 to re-connect to the FortiMail unit and
verify that the upgrade was successful.


To upgrade to a current firmware version using the CLI


1 Copy the firmware, previously downloaded from the support website, to the root
directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following to ping the computer running the TFTP server:
execute ping <tftp_ipv4>
Pinging the computer running the TFTP server verifies that the FortiMail unit and
TFTP server are successfully connected.
5 Enter the following to copy the firmware image from the TFTP server to the
FortiMail unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is
the IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.68, enter:
execute restore image image.out 192.168.1.68
6 The FortiMail unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue?(y/n)
7 Enter y.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware
version, and reboots. This process takes a few minutes.
8 Log back in to the CLI.
9 Enter the following to confirm the firmware image successfully installed:
get system status
See “Verifying the upgrade” on page 527 to verify that configuration settings
carried forward.

Verifying the upgrade


You can verify that configuration settings carried forward after successfully
upgrading to the current firmware version. Verifying configuration settings
provides familiarity with the new features and changes in the current firmware
release.

To verify the upgrade


1 Clear your browser’s cache and refresh the page.
2 Log in to the web-based manager using /admin at the end of the URL address.
For example:
http://172.31.100.165/admin
3 Go through each menu to verify that the configuration settings carried forward.
4 Configure settings that did not carry forward, for example, LDAP profiles.


Reverting to a previous firmware version


You may need to revert to a previous firmware version if the upgrade did not install
successfully.

Caution: Always back up your configuration before upgrading, downgrading, or executing
a factory reset. A factory reset restores all default settings, and all current settings,
including email, are lost. Backing up your configuration ensures that you can restore a
current configuration.

Downgrading to a previous firmware version


When downgrading the firmware, all configuration settings are lost. Back up your
current configuration first so that you can restore it if you later decide to
upgrade to the current release again.

To downgrade using the web-based manager


1 Copy the firmware, previously downloaded and saved from the support website, to
the root directory of the TFTP server.
2 Log in to the web-based manager.
3 Go to Management > Status > Status in the Basic configuration mode.
4 Under System Information, beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and
locate the file.
6 Select OK.
The FortiMail unit uploads the firmware image file, reverts to the old firmware
version, resets the configuration, restarts, and displays the login. This process
takes a few minutes.
After downgrading successfully, you will need to re-enter the internal IP address
because it reverts to the default setting, 192.168.1.99. See “Reconnecting to the
FortiMail unit” on page 529 for more information.

To downgrade using the CLI


1 Copy the firmware, previously downloaded and saved from the support website, to
the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following to ping the computer running the TFTP server:
execute ping <tftp_ipv4>
Pinging the computer running the TFTP server verifies that the FortiMail unit and
TFTP server are successfully connected.


5 Enter the following to copy the firmware image from the TFTP server to the
FortiMail unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is
the IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.68, enter:
execute restore image image.out 192.168.1.68
6 The FortiMail unit responds with a message similar to the following:
This operation will downgrade the current firmware version!
Do you want to continue?(y/n)
7 Enter y.
The FortiMail unit uploads the firmware image file, downgrades to the new
firmware version, and reboots. This process may take a few minutes.
8 Log back in to the CLI.
9 Enter the following to confirm the firmware image successfully installed:
get system status
Reconnect to the FortiMail unit by following the next procedure.

Reconnecting to the FortiMail unit


After successfully downgrading to a previous firmware version, the FortiMail unit
reverts to factory default settings. This includes the internal IP address that
connects you to the FortiMail web-based manager.
Use the following procedures whenever the FortiMail unit has been reset to
factory defaults and you need to reconnect to the FortiMail unit.

To reconnect to the FortiMail unit using the LCD interface


1 Press Enter to display the Main Menu.
2 Press Enter to display the interface list.
3 Use the up or down arrows to highlight the internal interface and press Enter.
4 Press Enter for IP Address.
5 Use the up and down arrows to increase or decrease each digit of the IP
address. Press Enter to go to the next digit or press Esc to move back to the
previous digit.
6 After selecting the last IP address digit, press Enter to save the IP address.
7 Repeat steps 4 to 7 to enter the netmask address for the internal interface.
8 After selecting the last netmask address digit, press Enter to save the netmask
address.
9 Press Esc to return to the Main Menu.

To reconnect to the FortiMail unit using the CLI


1 Log in to the CLI.


2 Enter the following to set the internal IP address:
set system interface <interface_name> mode static ip <interface_ipv4> <ipv4_mask>
3 Enter the following to set the allow access settings for the internal IP address:
set system interface <interface_name> config allowaccess ping http https
4 Log in to the web-based manager.
5 Go to Management > Status > Status in the Basic configuration mode to verify
that the firmware downgraded.

Restoring the previous configuration


You can restore your configuration settings that were saved previously, before
upgrading to a new firmware version.
You require a TFTP server if restoring the configuration using the CLI.

To restore configuration settings using the web-based manager


1 Clear your browser’s cache and refresh the browser.
2 Log in to the web-based manager.
3 Go to Management > Status > Status in the Basic configuration mode.
4 Under System Settings, select Restore.
5 Enter the file name or select Browse to locate the file.
6 Select OK.
The FortiMail unit restores the previous configuration settings, and reboots. This
may take longer than a minute.

To restore configuration settings using the CLI


1 Log in to the CLI.
2 Enter the following to restore the previous configuration settings:
execute restore config <file_name> <tftp_ipv4>
The following message appears:
This operation will overwrite the current settings!
(The current admin password will be preserved.)
Do you want to continue? (y/n)
3 Enter y.
The FortiMail unit restores the previous configuration settings, and reboots. This
may take a few minutes.
You can verify that the configuration settings are restored by logging in to the
web-based manager and going through the various menus and tabs.


Instructions for email users


This chapter details information needed by email users on a network serviced by
a FortiMail unit. This email user information is included in the Administration
Guide for a number of reasons:
• Email users are unlikely to even know their network has a FortiMail unit, much
less where to get documentation for it.
• Email users will not know the mode in which the FortiMail unit is operating.
• If administrators have not enabled all the documented features (e.g. Bayesian
scanning, spam quarantine), this can cause confusion when end-users try to
access an unavailable feature.
• Administrators know their end-users and may wish to tailor the information to
their email users’ needs.
• Some information may be too technical for some email users.
For all these reasons, the basic email user information is provided here so the
administrator can deliver what the email users need to know in a form best suited
to their situation.
The following FortiMail features involve email user efforts:
• Training Bayesian databases
• Managing tagged spam
• Accessing quarantined email
• Sending email remotely (gateway and transparent mode)

Training Bayesian databases


Bayesian scanning is one of the key technologies the FortiMail unit uses to filter
email for spam. The FortiMail unit uses an account system to train the Bayesian
databases that are the core of Bayesian scanning. For details about Bayesian
database training, see “Training Bayesian databases” on page 387.
By training the Bayesian databases, email users can help to improve the accuracy
of the database by selectively forwarding messages to the FortiMail unit. A
database is said to be well-trained when it becomes more accurate at catching
spam through this method.
Training the Bayesian databases involves two steps:
• First, email users must forward spam and non-spam messages to the FortiMail
unit (see the first two bulleted items in the box below). This is especially
important when your databases are empty.
• Later, email users can forward spam the FortiMail unit has failed to catch, or
email the FortiMail unit has incorrectly detected as spam, to the FortiMail unit
to fine-tune the databases (see the third and fourth bulleted items in the box
below).


The FortiMail system administrator is responsible for setting up the FortiMail
Bayesian accounts for email users to send spam information to. The administrator
also needs to send email users instructions similar to the following on how to train
the Bayesian databases:

To train the Bayesian databases:


• If you have collected spam email messages and want to train your personal Bayesian
database on the FortiMail unit, forward them to learn-is-spam@example.com from
your company email account. This ensures that similar email will be tagged as spam
by the FortiMail unit in the future.
• If you have collected non-spam email messages and want to train your personal
Bayesian database on the FortiMail unit, forward them to learn-is-not-
spam@example.com from your company email account. This ensures that similar
email will not be tagged as spam by the FortiMail unit in the future.
• If you receive spam email messages that have not been caught and tagged by the
FortiMail unit, forward them to is-spam@example.com from your company email
account to ensure that similar email will be caught by the FortiMail unit in the future.
• If you receive email messages that the FortiMail unit has incorrectly tagged as spam,
forward them to is-not-spam@example.com from your company email account to
ensure that similar email will not be tagged as spam by the FortiMail unit in the future.
• If you belong to an email alias and receive a spam message sent to the alias address,
forward it to the FortiMail "is-spam" Bayesian account to train the database of the alias
address. Remember to enter the alias address, instead of your own, in the "From"
field.

Managing tagged spam


When creating antispam profiles, the administrator can configure the FortiMail unit
to deliver detected spam to recipients with a tag in the subject line or header.
For details, see “Actions options” on page 257.
Email users can set up a rule-based folder in their email clients to automatically
collect the spam based on tags. The administrator needs to provide email users
with the subject line or header tags.
For example, if the spam email are tagged with “SPAM” in the email header, email
users can use the filter rules to collect the tagged email into a spam folder they
create in their email clients.
Consult the documentation provided by the email clients (for example, Microsoft
Outlook or Mozilla Thunderbird) for information on setting up a rule-based folder.

Accessing quarantined email


The FortiMail unit has a spam folder for each email user. The spam messages in
the folder are “quarantined”. If necessary, email users can retrieve the quarantined
spam from the FortiMail unit to ensure the messages are truly spam.


There are multiple ways for email users to access the quarantined spam, which
vary by the operation mode of the FortiMail unit:
• Using FortiMail webmail (gateway and transparent mode)
• Using FortiMail webmail (server mode)
• Using daily spam summary reports
• Using POP3 access (gateway and transparent mode)
• Using POP3 access (server mode)

Using FortiMail webmail (gateway and transparent mode)


When configuring recipient-based policies, the administrator can allow email
users to access the quarantined spam email by webmail. For details, see
“Incoming policies” on page 357.
The administrator also needs to create an authentication profile to allow the email
users to access the FortiMail unit. For details, see “Authentication” on page 267.
Then the administrator needs to inform the email users of the URL or IP address
of the FortiMail unit, so the email users can log on to FortiMail webmail to view the
quarantined messages. Once the email users log on, they can view all the
quarantined spam email. In fact, the spam email are the only email messages
stored in the webmail inbox.
Email users can also consult the FortiMail webmail online help after they log on to
the FortiMail webmail.

Using FortiMail webmail (server mode)


For a FortiMail unit operating in server mode, end users can view spam email in
the Bulk folder after they log on to FortiMail webmail. Regular email is stored in
the Inbox folder.
Email users can also consult the FortiMail webmail online help after they log on to
the FortiMail webmail.

Using daily spam summary reports


If the FortiMail administrator has enabled the FortiMail auto release and auto
delete accounts (see “Control Account” on page 375) and enabled the FortiMail
unit to send you a daily spam summary (see “Spam Report” on page 376), email
users will receive a daily summary from the FortiMail unit, similar to one of the
samples below.
Email users can follow the instructions in the report to release or delete their
quarantined email.


Sample spam report in HTML format


Email users will receive a report like the following, which informs the email user
about how many messages are in quarantine, and explains how to delete one or
all quarantined messages, and how to release an individual message. Email users
can make decisions based on a message’s subject and sender information
contained in the body of the report.


Sample spam report in text format


The following sample report in text format informs email users about how many
messages are in quarantine, and explains how to delete one or all quarantined
messages, and how to release an individual message. Email users can make
decisions based on a message’s subject and sender information contained in the
body of the report.

To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [3 message(s) quarantined from Wed, 11 Jul 2007 11:00:01
to Wed, 11 Jul 2007 12:00:01]
Date: Wed, 11 Jul 2007 12:00:01 -0400

Date: Wed, 11 Jul 2007 11:11:25
Subject: Sign up for FREE offers!!!
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166681.l6BFAj510009380000@fm3.example.com

Date: Wed, 11 Jul 2007 11:14:16
Subject: Buy cheap stuff!
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166854.l6BFDchG0009440000@fm3.example.com

Date: Wed, 11 Jul 2007 11:15:46
Subject: Why pay more?
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166944.l6BFF7HI0009460000@fm3.example.com

Actions:

o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".

o) Delete a message:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".

o) Delete all messages:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0".

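As an added example that is not part of the guide, the following Python code parses a summary in the text format shown above, lists the quarantined messages, and builds the "Release a message" and "Delete a message" subject lines the report asks for, refusing any Message-Id that the report does not list. The sample report is the guide's, shortened to two messages; the function names are our own.

```python
# Added example, not FortiMail code: parse the text-format summary and build the
# control-message subjects it describes. Sample shortened to two messages.
import re
from collections import namedtuple

SAMPLE_REPORT = """\
To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [2 message(s) quarantined from Wed, 11 Jul 2007 11:00:01
to Wed, 11 Jul 2007 12:00:01]
Date: Wed, 11 Jul 2007 12:00:01 -0400

Date: Wed, 11 Jul 2007 11:11:25
Subject: Sign up for FREE offers!!!
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166681.l6BFAj510009380000@fm3.example.com

Date: Wed, 11 Jul 2007 11:14:16
Subject: Buy cheap stuff!
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166854.l6BFDchG0009440000@fm3.example.com

Actions:

o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".

o) Delete a message:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".

o) Delete all messages:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0".
"""

Entry = namedtuple("Entry", "date subject sender message_id")
Report = namedtuple("Report", "user count entries actions")  # actions: name -> (address, template)

_HDR = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
_COUNT = re.compile(r"\[(\d+) message\(s\) quarantined")
_ACTION = re.compile(r"^o\)\s*(.+?):\s*$")
_SEND = re.compile(r'Send an email to <([^>]+)> with subject line set to\s*"([^"]+)"')

def _headers(lines):
    """'Key: value' lines; a non-header line continues the previous value (wrapped Subject)."""
    out, key = {}, None
    for line in lines:
        m = _HDR.match(line)
        if m:
            key = m.group(1)
            out[key] = m.group(2)
        elif key and line.strip():
            out[key] += " " + line.strip()
    return out

def parse_report(text):
    """Report headers, one block per quarantined message, then the 'o) ...:' actions."""
    head, _, rest = text.partition("\n\n")
    hdr = _headers(head.splitlines())
    count = _COUNT.search(hdr.get("Subject", ""))
    body, _, actions_text = rest.partition("Actions:")
    entries = []
    for block in body.strip().split("\n\n"):
        h = _headers(block.splitlines())
        if "Message-Id" in h:
            entries.append(Entry(h.get("Date", ""), h.get("Subject", ""),
                                 h.get("From", ""), h["Message-Id"]))
    actions, name, buf = {}, None, []
    for line in actions_text.splitlines() + ["o) end:"]:  # sentinel flushes the last action
        a = _ACTION.match(line)
        if not a:
            buf.append(line)
            continue
        if name:
            s = _SEND.search("\n".join(buf))
            if not s:
                raise ValueError("unrecognised action text under " + name)
            actions[name] = (s.group(1), s.group(2))
        name, buf = a.group(1), []
    return Report(hdr["To"], int(count.group(1)) if count else 0, entries, actions)

def check(report):
    """Checks worth making before acting on a summary; returns a list of problems."""
    problems = []
    if report.count != len(report.entries):
        problems.append("claims %d message(s) but lists %d" % (report.count, len(report.entries)))
    if len({a.rsplit("@", 1)[1] for a, _ in report.actions.values()}) != 1:
        problems.append("control addresses are not all in one domain")
    problems += ["%s template does not name %s" % (n, report.user)
                 for n, (_, t) in report.actions.items() if report.user not in t]
    return problems

def control_subject(report, action, message_id):
    """(address, subject) for 'Release a message' or 'Delete a message'; only IDs listed in
    this report are accepted. 'Delete all messages' carries a per-report token: use it verbatim."""
    if message_id not in {e.message_id for e in report.entries}:
        raise ValueError("message id not listed in this report")
    address, template = report.actions[action]
    return address, template.replace("Message-Id", message_id)
```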
Using POP3 access (gateway and transparent mode)


When configuring recipient-based policies, the administrator can allow email
users to access the quarantined spam email with their POP3 email clients. For
details, see “Incoming policies” on page 357.
The email user must set up a POP3 account in the email client to retrieve the
quarantined messages from the FortiMail unit.
To set up a POP3 account, the email user needs to:
• Get the FortiMail unit host name or IP address from the administrator and set
the FortiMail unit as the incoming SMTP server.
• Get the FortiMail login user name and password from the administrator.
Usually, the user name and password are the ones the email user uses to log
on to the SMTP server that is protected by the FortiMail unit. For the email
user to be authenticated, the administrator must also create an authentication
profile. For details, see “Authentication” on page 267.
For details about how to set up POP3 accounts, see the documentation of the
email clients.


Using POP3 access (server mode)


If the FortiMail unit is operating in server mode and end users use POP3 to
access their email, all email, both valid messages and spam, is released to the
users. If spam email is tagged (see “Actions options” on page 257), email users
can use filtering rules in their email clients to collect spam email in a separate
folder. For details, see the documentation of the email clients.

Sending email remotely (gateway and transparent mode)


Although FortiMail units operating in transparent mode or gateway mode have no
local email user accounts, they support SMTP authentication to allow roaming
email users to send email through the FortiMail unit.
For the roaming users to be able to send email through the FortiMail unit, the
FortiMail administrator needs to:
• Create an authentication profile to authenticate the users. For details, see
“Authentication” on page 267.
• Enable the SMTP authentication feature in the incoming recipient-based policy.
For details, see “Incoming policies” on page 357.
On the roaming user side, the email user needs to:
• Enable SMTP authentication when configuring an email account in the email
client.
• Use the user and password provided by the administrator as the authentication
credentials. Because the FortiMail unit supports multiple domains, use full
domain names for login account names, for example user1@example.com.

Index
A
access
  discard 20
access control
  authentication 199
  default action 205
  TLS 199, 206
Access Control List (ACL) 164
access control rules 287
action 257, 263
  automatically update white list 84, 258
  configuring 257
  discard 84, 87, 258, 263
  quarantine 84, 258
  quarantine for review 263
  reject 83, 87, 258, 263
  rewrite recipient email address 259, 264
  tag email in header 83, 87, 258, 263
  tag email in subject 83, 86, 257, 263
active-passive
  HA 463
add to bridge
  HA interface option 499
add virtual IP/netmask
  HA interface option 499
address book
  adding an 211
address book, global 211
address map 214, 234
  creating 235
address verification 20
admin 58, 139
administrative access 62, 130
administrator account
  adding and editing 57
  system quarantine 384
advanced mode 109
advanced protection settings
  description 20
advanced settings
  configuring 169
  description 20
alert email 105, 452
  configuring 105, 452
  example message 489
  HA 479
  selecting event categories 106, 453
  sending for HA events 481
alert email, logging 105, 452
alias 214
alias object 314
antispam
  banned word scan 25
  Bayesian scan 23
  black/white list 24
  DNSBL 23
  forged IP 23
  FortiGuard Antispam 21
  greylist 23
  heuristic scan 24
  PDF scan 425
  profile 241
  sender reputation 25
  SHASH 21
  spam quarantine 49, 366
  SURBL 23
  system quarantine 54, 371
  whitelist word scan 25
antispam profile 241
antivirus
  profile 264
antivirus definitions
  HA 469
  manually initiating updates 125
  update 125
  update from a file 42, 125
appearance, web-based manager 176
archive 429
  exempting spam from 434
  policies 432
archived email
  exporting 431
  HA synchronization 471
  using for Bayesian training 432
ASCII 304
associated domains 70, 71, 186, 191
AUTH 198
authentication
  IMAP 269
  LDAP 320
  PKI 235
  POP3 271
  profile 268
  Radius 272
  SMTP 268
autoexempt list
  search 415

B
back up
  Bayesian databases
    all databases 396
    global or group 392
    user 393
  black/white lists
    domain 403
    personal 404
    system 402
  dictionaries 310
  mail queues 48, 211
  system settings 41, 118
backing up
  using the CLI 524
  using web-based manager 523
backing up configuration 523
backup unit 463
banned word scan 25
Base64 158
basic 33
basic mode 33
Bayesian accounts
  configuring 394
Bayesian database
  global 191
  per protected domain 191
  user 394
Bayesian database training 72, 167
Bayesian databases
  back up
    all databases 396
    global or group 392
    user 393
  repairing 396
  reset
    all databases 396
    global or group 392
    user 394
  restore
    all users 396
    global or group 392
    user 393
  train
    from archived email 432
    global or group 391
    user 393
  training example 396
  types 387
Bayesian scan 23
bind DN 323, 327, 334
black/white list 24
  action 405
  backing up
    domain 403
    personal 404
    system 402
  hierarchy 400
  restoring
    domain 403
    personal 405
    system 402
blacklist action 405
Boolean 315
bounce verification
  bypass 291
  disable 191
bridge
  add to bridge HA interface option 499
browsing reports 98, 454

C
category
  logging 106, 453
certificate 154
  backup 160
  local 155
  options 156
  server 155
certificate authority (CA) 156, 158, 159, 161, 162, 163, 236
certificate request
  downloading and submitting 158
certificate revocation list (CRL) 162, 163, 236
clear
  Bayesian databases
    all databases 396
    global or group 392
    user 394
CLI
  backing up 524
column view
  logs 92, 446
comma-separated value (CSV) 212
config master
  HA mode 493
config only HA
  see config-only HA 463
config slave
  HA mode 493
config-only
  HA 463, 464
configuration 472
  HA Daemon status 487
  HA synchronization 468
configuration example
  HA 503
configuration limits, 3.0 521
configured HA operating mode
  using SNMP 482
configured operating mode
  HA 484, 485
content
  profile 276, 281
content monitor
  profile 279, 284
  quarantine 54, 371
controller card 153
CPU Usage History 36, 113
CSV (comma-separated value) 75, 220
custom messages 173
customer service 13
customizing column views 92, 450

D
daemon
  HA 470, 495
  HA daemon status 487
daily
  update schedule 126
data
  HA Daemon status 487
data striping 150
date and time
  setting 136
DDNS 66
dead email list
  managing 47
dead mail queue
  HA 471
deep header scan
  Black IP scan 248
  Header analysis 248
deferred queue
  HA 471
  managing 44
definition
  updating antivirus 125
deleting log files 96
delivery status notification (DSN) 20, 44, 46, 47, 170, 171, 203, 207, 209, 210, 294, 295
DHCP 64, 127, 132
dictionary profile 299
  category 304
  creation steps 298
  dictionary 301
  dictionary group 306
  language 305
  maintenance 310
digital certificate requests 154
discard
  domain access 20
disclaimer 189
disclaimers
  adding 172, 197
disclaimers, adding to email 172
disk space
  syslog server 441
disk space quota 273
display name
  mail user 75, 221
Distinguished Name (DN) 155, 161, 162, 163
distribution list 314
DKIM 189, 291
DNS
  configuring 65
DNS black list (DNSBL) 246
DNSBL 23
do nothing
  HA interface option 498
documentation
  FortiMail 12
domain
  protected 67, 180
domain access
  discard 20
  reject 20
  relay 20, 45, 46, 48, 208, 209, 210
domain associations 70, 71, 186, 191
domain keys 189
domain name 190
  local 73, 169
DomainKeys 291
domains, email
  description 19
Downgrading 528
downgrading
  using web-based manager 528
downgrading to previous firmware 528
download
  logs 95, 450
downloading
  log files 95, 450
  reports 100, 457
DSN notifications 72, 167
dynamic DNS 157
dynamic public IP address 133

E
effective HA operating mode
  using SNMP 482
effective operating mode
  HA 484, 485
EHLO 188, 190
email
  HA alert email 479
  how FortiMail handles 19
email access
  configuring 200
email address map 234
  creating 235
email archiving
  configuring settings 429
  policies 432
  setting exempt policies 434
email domains
  description 19
email settings 17, 167
emptying a log file 96
end of message (EOM) 294
end-user guide
  gateway and transparent modes 531
Error Correcting Code (ECC) 153
event log 89, 443
expire
  system status 121
export
  archived email 431
Extended Simple Mail Transfer Protocol (ESMTP) 169, 171

F
factory defaults 38, 42, 116, 119
failed queue
  HA 471
  managing 47
failover
  email data 471
  HA 467, 509
failover messages 142
false positive 49, 366
FDN 135
  HTTPS 124
  port 443 124
  troubleshooting 124
firmware
  changing the firmware on an operating cluster 483
  upgrading to a new version 115
firmware version 33, 34, 111, 112
  upgrading 37, 115
forged IP 23
formatted view
  logs 92, 446
FortiAnalyzer unit
  logging 440
FortiGuard Antispam 21
  HA 469
FortiGuard Antivirus
  HA 469
FortiGuard Distribution Network (FDN) 122, 124
FortiGuard-Antispam
  configuring 385
FortiMail
  configuration and management 17
FortiMail 400 149
FortiMail firmware 37, 114
  installing 37
FortiMail-2000 59, 140, 149, 152
FortiMail-400 59, 140
FortiMail-4000 149
Fortinet customer service 13
Fortinet Distribution Network (FDN) 33, 35, 42, 111, 122, 267, 385
Fortinet MIB 146, 147
from IP
  system status 121
from port
  system status 121
fully qualified domain name (FQDN) 68, 69, 71, 73, 169, 181, 185, 192
fully-qualified domain name (FQDN) 157

G
gateway mode 64, 131, 132, 237
  MX record 69, 182
global address book 211
greylist 23
  configuring 406
  search 411
group object 314

H
HA 463, 471, 502
  active-passive 463
  active-passive configuration synchronization 464
  adding an IP address to an interface 473
  alert email 479
  alert email for HA events 481
  antivirus definitions 469
  archived email synchronization 470
  backup unit 463
  backup unit configuration 507
  backup unit monitors remote services 501
  changing an interface IP address in HA mode 476
  changing FortiMail firmware 483
  changing status 484
  config only 463
  config-only 463, 464
  config-only configuration synchronization 464
  config-only HA heartbeat and synchronization 467
  config-only HA interface configuration 472, 477
  config-only interface configuration 469
  config-only master configuration options 500
  config-only operating mode 465
  config-only overview 464
  config-only peer systems options 499
  configuration 497
  configuration not synchronized 469
  configuration options 490
  configuration synchronization 468, 497, 509
  configuration synchronization options 497
  configured operating mode 484, 485
  configuring an HA group 509
  connecting an HA group to your network 508
  daemon options 470, 495
  daemon status 487
  data synchronization 470
  dead mail queue 471
  deferred queue 471
  effective operating mode 484, 485
  example 503
  example alert email 489
  example log message 489
  example virtual IP configuration 474
  failed queue 471
  failover 467
  failover email data 471
  failover messages 142
  failover scenario 509
  forcing configuration synchronization 487
  forcing data synchronization 487
  FortiGuard Antispam 469
  FortiGuard Antivirus 469
  gateway mode configuration example 503
  HA activity event 480, 481
  hard disk monitoring 502
  heartbeat 467, 496
  heartbeat interface 468
  heartbeat TCP port 496
  interface 472
  local hard drive monitoring 502
  local IP 494
  local network interface monitoring 502
  local service monitoring 502
  logging 479
  mail data 497
  mail data synchronization 470
  mail data synchronization options 497
  mail data TCP port 497
  mail queue sync after a failover 471
  main configuration 469, 492
  master unit 463
  mode of operation 493
  monitoring 467
  monitoring HTTP 500
  monitoring POP service 500
  monitoring POP3 500
  monitoring SMTP 500
  MTA spool directories 470
  MTA spool directory sync after a failover 471
  NAS server for mail data 482
  network interface configuration in master mode 472
  network interface in master mode options 497
  on failure 493
  on failure switch off 493
  outgoing mail queue 471
  overview 463
  peer IP 494
  primary heartbeat 493
  primary unit 463
  primary unit configuration 505
  quarantined email synchronization 470
  recording HA log messages 480
  recording HA log messages to a remote syslog server 480
  remote service monitoring 501
  removing an interface from an HA group 476
  resetting the configured HA operating mode 488
  restarting HA processes on a stopped primary unit 489
  secondary heartbeat 495
  sending alert email for HA events 481
  service monitoring 500, 501
  services monitoring 470
  shared password 496
  slave unit 463
  SNMP 479
  SNMP to view HA configured operating mode 482
  SNMP to view HA effective operating mode 482
  SNMP trap for HA event 481
  SNMP traps for HA events 481
  spam queue 471
  spam reports 464
  storing mail data on a NAS server 482
  synchronization interface 468
  synchronization TCP port 497
  synchronization timer 497
  synchronizing MTA spool directories 471, 497
  synchronizing the system mail directory 471, 497
  synchronizing user home directories 471, 497
  system mail directory 470
  treat remote services as heartbeat 495
  user home directories 470
  viewing status 484
  virtual IP 473
  virtual IP DNS settings 474
  virtual IP firewall settings 474
  virtual IP outgoing traffic 474
  wait for recovery then assume slave role 493
  wait for recovery then restore original role 493
  web service 500
HA activity event
  event log 480, 481
HA heartbeat
  configuration options 496
HA monitoring 467
  overview 467
  TCP port 496
HA interface
  add to bridge 499
  add virtual IP/netmask 499
  do nothing 498
  set interface IP/netmask 498
halt 39, 116
hard disk
  logging to 439
header rewrite
  antispam action 259, 264
heartbeat
  HA 467, 496
heartbeat interface
  HA 468, 493
HELO 190
heuristic scan 24
high availability 463
high-availability (HA) 31
home directories
  user 471, 497
host name 70, 73, 168, 185, 186, 190
hot spare 150, 153
hourly
  update 126
HTTP
  monitoring for HA 500
HTTPS 155, 157

I
image spam scan 244, 261
IMAP 219
  server authentication 269
IMAPS 155
InetLocalMailRecipient 323
InetOrgPerson 323
interface
  configuring for HA 472
  DHCP 127
  HA heartbeat 468
interface address
  resetting 42, 119
interface configuration
  config only HA mode 477
interface monitoring 502
Invalid Quarantine Accounts 189
IP address 133
IP pool 190
  profile 348
IP-based policy 359
  gateway mode 360
  server mode 361
  transparent mode 363

K
key size
  certification 158
key type
  certificate 158
known peers
  HA config-only option 500
L
language
  web-based manager 137
Layer 2 bridge 63, 130
layer 2 bridge 62, 130
LDAP 187, 189, 190, 204
  attribute 314
  authentication 268
  bind 323
  bind DN 327, 334
  cache 334
  email alias objects 314
  group objects 314
  password 323
  profile 320
  query string 314, 330, 331
  schema 311, 313
  secure connection 322
  syntax 315
  timeout 334
  TTL 334
  user objects 314
loading default profiles, 3.0 521
local certificate
  options 156
local domain name 73, 169
local hard drive monitoring
  HA 502
local IP
  HA 494
local network interface monitoring
  HA 502
log
  message levels 438
  messages 89, 444
log files
  downloading 95, 450
log message
  example 489
log messages
  searching 93, 448
logging
  alert email 105, 452
  alert email, selecting event categories 106, 453
  category 106, 453
  customizing column views 92, 450
  deleting log files 96
  downloading a report 100, 457
  downloading log files 95, 450
  emptying a log file 96
  FortiAnalyzer unit 440
  HA 479
  hard disk 439
  log message severity levels 438
  log to local disk 439
  log to multiple devices 441
  log to syslog server 440
  recording HA log messages 480
  reports 97, 454
  reports on demand 100, 457
  roll up report 100, 457
  searching log messages 93, 448
  severity levels 438
  storing logs 439
  syslog server 440
  viewing logs 88, 442, 444
logs
  column view 92, 446
  download 95, 450
  formatted view 92, 446
  saving to the hard disk 439
Lotus Domino 323

M
mail data
  HA synchronization 470
mail delivery rules
  configuring 206
mail directory
  system 471, 497
mail exchanger (MX) 67, 68, 70, 181, 182, 185
  failover 70, 186
  primary 70, 185
MAIL FROM 198
mail queues
  back up and restore 48, 211
  dead email 47
  deferred 44
  failed 47
  spam 45
mail routing 189, 332
mail settings 17, 167
  configuring 167
mail statistics
  viewing 43, 120
mail user
  adding 77, 222
  display name 75, 221
mail user agent (MUA) 215
maintenance
  Bayesian database back up
    all databases 396
    global or group 392
    user 393
  Bayesian database restore
    all databases 396
    global or group 392
    user 393
  black/white list back up
    domain 403
    personal 404
    system 402
  black/white list restore
    domain 403
    personal 405
    system 402
  dictionary back up and restore 310
  mail queue back up and restore 48, 211
management IP 64, 131, 135
management IP address 135
manual
  virus definition updates 125
master
  HA mode 493
master configuration
  HA config-only 500
master unit 463
maximum transmission unit (MTU) 65, 133
Memory Usage History 36, 113
message delivery rules 287
messages with viruses
  treating as spam 244, 261
messages, log 89, 444
MIB 147
  FortiGate 146
  RFC 1213 146
  RFC 2665 146
Microsoft ActiveDirectory 238
MIME type 175
mirrored array 149
misc profile 273
MM3 290
mode of operation
  HA 493
monitor
  HA 467
  HA Daemon status 487
monitoring services
  for HA 470, 500
MS Active Directory 323
MSISDN reputation score 290
MTA spool directories
  synchronizing 471, 497
multimedia messaging service (MMS) 290
MX record 68, 69, 129, 181, 182
  preference number 129
MX record configuration 40, 65, 117, 133

N
NAS server 179
NAS server for mail data
  HA 482
NAT device 127
Network Attached Storage (NAS) 178
network configuration
  config-only HA mode 477
network interface
  configuring for HA 472
  of proxies 187
  port1 64, 131
Network Time Protocol (NTP) 56, 136
Network Utilization History 36, 113
new peer
  HA config-only option 500
next hop router 66, 135
NFS 178

O
off
  HA mode 493
on failure
  HA 493
on HA failure
  switch off 493
  wait for recovery then assume slave role 493
  wait for recovery then restore original role 493
Online Certificate Status Protocol (OCSP) 237, 238
online certificate status protocol (OCSP) 163, 236
operating mode
  changing 39, 117
  config-only HA mode 465
operation mode 18
  HA 488
outgoing mail queue 471
override server
  add 126

P
password
  shared HA password 496
PDF scan 425
  configuring 257
peer IP
  HA 494
peer systems
  HA config-only 499
Perl regular expressions 426
PIN (Personal Identification Number) 137
pipelining 292
PKCS #10 158
PKCS #12 158, 159, 160, 161
policy
  archive 432
  defined 355
  IP-based 359
  IP-based, gateway mode 360
  IP-based, server mode 361
  IP-based, transparent mode 363
  recipient-based 357
  recipient-based, transparent and gateway modes
    incoming 357
    outgoing 358
POP service
  monitoring for HA 500
POP3 219
  monitoring for HA 500
  server authentication 271
POP3S 155
port 9443 127
primary heartbeat
  HA 493
primary unit 463
privacy-enhanced email (PEM) 158
profile
  antispam 241
  antivirus 264
  authentication 268
  content 276, 281
  content monitor 279, 284
  dictionary 299
  IP pool 348
  LDAP 320
  misc 273


  session 287
  TLS 350
protected domain 67, 180
  subdomain 186
protocol
  system status 121
proxy
  configuring 214
  SMTP 167
public key 159
public key infrastructure (PKI) 235, 236
push update
  enabling 127
  FortiMail IP addresses change 127
  through a NAT device 127
push updates
  enabling 127

Q
quarantine
  language 190
  spam 49, 366
  system 54, 371
quarantine to review. See quarantine, system
quarantined email
  HA synchronization 471
  managing 365
  managing in basic mode 48
query filter 314, 330, 331
query string 314, 330, 331

R
RADIUS 268
Radius
  server authentication 272
RAID 149
  level 149
  mirrored array 149
  striped array 149
RAID 0 149, 150
RAID 1 149
RAID 10 150
RAID 10 + hot spare 150
RAID 5 150
RAID 50 150
RAID 50 + hot spare 150
RAID controller card 153
RCPT TO 198
read & write
  administrator 57, 59, 60, 138, 140, 141
read & write access level
  administrator account 56, 123, 137
read only
  administrator 59, 60, 140, 141
read only access level
  administrator account 56, 137
recipient address verification 20
recipient-based policy 357
  in transparent and gateway modes
    incoming 357
    outgoing 358
reconnecting to the FortiMail unit 529
Redundant Array of Independent Disks (RAID) 148
regular expressions 301, 304, 426
reject
  domain access 20
relay
  domain access 20, 45, 46, 48, 208, 209, 210
remote service monitoring
  HA 501
remote services
  monitored by the HA backup unit 501
repair
  Bayesian databases 396
replacement messages 20, 173
  custom 173
report
  spam
    HTML format 380
    text format 378
reports
  browsing 98, 454
  browsing reports 98, 454
  configuring a report profile, domains 104, 461
  configuring a report profile, incoming & outgoing 104
  configuring a report profile, incoming&outgoing 461
  configuring a report profile, output 104, 461
  configuring a report profile, query selection 102, 459
  configuring a report profile, schedule 103, 460
  configuring a report profile, time period 102, 458
  configuring reports 100, 457
  downloading 100, 457
  on demand 100, 457
  roll up 100, 457
  viewing reports 99, 455
reset
  Bayesian databases
    all databases 396
    global or group 392
    user 394
restart 39, 116
  primary unit 489
restore
  Bayesian databases
    all users 396
    global or group 392
    user 393
  black/white lists
    domain 403
    personal 405
    system 402
  factory defaults 42, 119
  mail queues 48, 211
  system settings 41, 119
restoring previous configuration 530
RFC 1213 146
RFC 1869 171
RFC 2665 146
routing


  static 66, 134

S
scheduled updates
  enable 126
secondary heartbeat
  HA 495
secure SMTP 73, 169
secure socket layers (SSL) 269, 270, 272
send alert email for HA events 481
send SNMP trap for HA event 481
sender policy framework (SPF) 291
sender reputation 417
sender validation
  DKIM 291
  domain keys 291
  SPF 291
serial number 33, 34, 111, 112
server mode 64, 74, 131, 132, 211, 212, 268, 273
  email user 77, 222
service
  monitoring for HA 500
service monitoring
  HA 500
services
  monitored by the HA backup unit 501
  monitoring for HA 470
services monitoring
  HA 470
session
  profile 287
Session History 36, 113
session list 121
  view 121
  viewing 121
set interface IP/netmask
  HA interface option 498
shared password
  HA 496
SHASH 21
shut down 39, 116
slave
  HA mode 493
slave unit 463
SMTP
  greeting 67, 181, 190
  monitoring for HA 500
  proxy settings 167
  reply code 550 202
  server authentication 268
SMTP connection, blocked 217
SMTP connection, dropped 217
SMTPS 70, 73, 155, 169, 185, 186
SNMP
  community, configuring 144
  HA 479
  MIBs 146
  RFC 1213 146
  RFC 2665 146
  traps 146
SNMP community 144
SNMP get
  HA configured operating mode 482
  HA effective operating mode 482
SNMP manager 144, 146
SNMP MIB 143
SNMP traps
  sending for HA events 481
SNMP, MIB 147
spam
  action 257, 263
  exempting from archive 434
  image 244, 261
  also see antispam
spam queue
  HA 471
  managing 45
spam report
  HA 464
  HTML format 380
  text format 378
spam reports 72, 167
spam URI realtime black list (SURBL) 248
SSL 73, 169
STARTTLS 198
static routing 66, 134
status
  HA 484
  viewing and changing HA status 484
status bar 31
storing mail data on a NAS server
  HA 482
striped array 149
subdomain 186
subject information
  certificate 156
support
  customer service and technical 13
SURBL 23
switch off
  on HA failure 493
syn interval 56, 137
synchronization
  HA 470
synchronization interface
  HA 468, 493
syslog server
  disk space 441
  logging to 440
system date and time
  setting 136
system mail directory
  synchronizing 471, 497
system options
  changing 137
system settings
  backing up 41, 118
  restoring 41, 119
  reverting to factory defaults 42, 119
system status 125
system update 125


T
technical support 13
time and date
  setting 136
time zone 56, 137
TLS 73, 169
  access control 199, 206
  profile 350
to IP
  system status 121
to port
  system status 121
top level domain (TLD) 202
train
  Bayesian databases
    global or group 391
    user 393
transparent mode 64, 131, 132, 135, 214, 237
transport layer security (TLS) 161, 269, 271, 272, 349
traps
  SNMP 146
treat remote services as heartbeat
  HA 495
trusted host 61, 142

U
unknown servers
  configuring SMTP options for 216, 294
update
  antivirus definitions 125
  antivirus definitions, from a file 42, 125
  enabling push updates 127
  enabling push updates through a NAT device 127
  hourly 126
  logging 126
  manual virus definition update 125
  weekly 126
upgrade
  firmware 115
upgrade information, 3.0 521
  configuration limits 521
  loading default profiles 521
upgrading
  FortiMail unit 526
upgrading firmware
  on an HA cluster 483
upgrading to current firmware version 526
uptime 112
user alias
  creating 231
user groups
  creating 230
user guide
  gateway and transparent modes 531
user home directories
  synchronizing 471, 497
user name 75, 221, 225
user object 314
User Principle Name (UPN) 327
UTF-8 304

V
verification of recipient addresses 20
verifying the upgrade 527
viewing 92, 450
viewing reports 99, 455
virtual IP
  DNS settings 474
  example HA virtual IP configuration 474
  firewall settings 474
  HA 473
  outgoing traffic 474
virus definition
  manual update 125
virus status
  view 121

W
wait for recovery then assume slave role
  on HA failure 493
wait for recovery then restore original role
  on HA failure 493
web service
  monitoring for HA 500
web-based manager
  backing up 523
  customizing appearance 176
  downgrading 528
  language 137
webmail
  language 190
weekly
  update 126
Whitelist word scan 25

www.fortinet.com