Administration Guide

Configuring authentication profiles

FortiMail units support the following authentication methods:

  • SMTP
  • IMAP
  • POP3
  • RADIUS
  • LDAP

Note

LDAP profiles can configure many features other than authentication, and are not located in the Authentication menu. For information on LDAP profiles, see Configuring LDAP profiles.

In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when authenticating with another SMTP server to deliver email.

Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through incoming recipient-based policies, IP-based policies, and email user accounts. For more information, see Controlling email based on sender and recipient addresses, Controlling email based on IP addresses, and Configuring local user accounts (server mode only).

For the general procedure of how to enable and configure authentication, see Workflow to enable and configure authentication of email users.

To configure an SMTP, IMAP, or POP3 authentication profile
  1. Go to Profile > Authentication > SMTP, IMAP or POP3.
  2. Either click New to add a profile or double-click a profile to modify it.
  3. Configure the following:

GUI item

Description

Domain

For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.

Profile name

For a new profile, enter the name of the profile. The profile name is editable later.

Server name/IP

Enter the fully qualified domain name (FQDN) or IP address of a server that will be queried to authenticate email users if they authenticate to send email, or when they are accessing their personal quarantine.

Server port

Enter the port number on which the authentication server listens.

The default value varies by the protocol. You must change this value if the server is configured to listen on a different port number, including if the server requires use of SSL.

For example, the standard port number for SMTP is 25. However, for SMTP with SSL, the default port number is 465. Similarly, IMAP is 143, while IMAP with SSL is 993; POP3 is 110, while POP3 with SSL is 995; and RADIUS is 1812.

Use generic LDAP mail host if available

(SMTP authentication only)

For gateway and transparent mode, select this option if your LDAP server has a mail host entry for the generic user. For more information, see Domain Lookup Query.

If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the Server name/IP field.

Authentication mechanism

Select an authentication mechanism. For more information, consult the relevant RFCs.

Authentication options

SSL/TLS

Enable if you want to use transport layer security (TLS) to authenticate and encrypt communications between the FortiMail unit and this server, and if the server supports it.

STARTTLS

Enable to start with a plaintext connection on the standard port and upgrade it in-band to an SSL/TLS-protected connection using STARTTLS, if the server supports it.

Secure authentication

Enable if you want to use secure authentication to encrypt the passwords of email users when communicating with the server, and if the server supports it.

Server requires domain

Enable if the authentication server requires that email users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).
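The port and transport options above describe two different ways of getting TLS between the FortiMail unit and the authentication server: a dedicated SSL-wrapped port (465/993/995) or an in-band STARTTLS upgrade on the plain port. The following Python is an added illustration, not FortiMail code: it encodes the default ports quoted in the guide, parses a constructed SMTP EHLO reply, and decides whether a reusable password may be presented on the current connection. Treating the "Secure authentication" option as a challenge-response mechanism such as CRAM-MD5 is this example's own assumption, and the `probe_smtp` helper (standard-library `smtplib`) is only for running against a real server you administer.

```python
"""Implicit TLS versus STARTTLS for a mail authentication server, plus a
capability check that refuses to send a password in the clear.

Added example; not FortiMail code. Port numbers are the ones quoted in the
guide; the EHLO reply below is constructed, not captured from a real host.
"""
import smtplib
import ssl
import sys

# (plain port, SSL-wrapped "implicit TLS" port) as listed in the guide.
DEFAULT_PORTS = {"smtp": (25, 465), "imap": (143, 993), "pop3": (110, 995)}

# Constructed EHLO reply: server offers STARTTLS and three SASL mechanisms.
# PLAIN and LOGIN transmit the password itself; CRAM-MD5 does not.
SAMPLE_EHLO = (b"250-mail.example.com Hello client\r\n"
               b"250-SIZE 10240000\r\n"
               b"250-STARTTLS\r\n"
               b"250 AUTH PLAIN LOGIN CRAM-MD5\r\n")


def default_port(protocol, ssl_tls):
    """Default port for the protocol; SSL/TLS in the profile means the
    dedicated wrapped port rather than the plain one."""
    plain, wrapped = DEFAULT_PORTS[protocol.lower()]
    return wrapped if ssl_tls else plain


def parse_ehlo(reply):
    """Split an EHLO reply into advertised keywords and AUTH mechanisms.
    Only 250 lines count, and the first one is the greeting, not a capability."""
    lines = [l for l in reply.decode("ascii", "replace").splitlines()
             if l.startswith("250")]
    keywords, mechanisms = set(), set()
    for line in lines[1:]:
        parts = line[4:].split()          # drop the "250-" / "250 " prefix
        if not parts:
            continue
        keywords.add(parts[0].upper())
        if parts[0].upper() == "AUTH":
            mechanisms.update(p.upper() for p in parts[1:])
    return keywords, mechanisms


def credential_path(keywords, mechanisms, tls_active, secure_auth):
    """Decide how credentials may be presented on this connection.

    tls_active  -- session is already inside SSL/TLS (wrapped port or a
                   completed STARTTLS upgrade).
    secure_auth -- caller requires a mechanism that never transmits the
                   password itself (assumed here to mean CRAM-MD5).
    """
    if tls_active:
        return "authenticate"            # transport protects any mechanism
    if "STARTTLS" in keywords:
        return "starttls-first"          # upgrade, re-EHLO, then authenticate
    if secure_auth and "CRAM-MD5" in mechanisms:
        return "challenge-response"      # no TLS, but no password on the wire
    return "refuse"                      # PLAIN/LOGIN in clear would leak it


def probe_smtp(host, port, implicit_tls, secure_auth=False):
    """Run the same decision against a live server (network required)."""
    ctx = ssl.create_default_context()   # verifies the server certificate
    if implicit_tls:
        conn = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx)
    else:
        conn = smtplib.SMTP(host, port, timeout=10)
    try:
        conn.ehlo()
        keywords = {k.upper() for k in conn.esmtp_features}
        mechanisms = set(conn.esmtp_features.get("auth", "").upper().split())
        decision = credential_path(keywords, mechanisms, implicit_tls, secure_auth)
        if decision == "starttls-first":
            conn.starttls(context=ctx)
            conn.ehlo()                  # capabilities may differ after TLS
            decision = "authenticate"
        return decision
    finally:
        conn.quit()


if __name__ == "__main__":
    if len(sys.argv) == 3:               # python this.py host port
        port = int(sys.argv[2])
        print(probe_smtp(sys.argv[1], port, implicit_tls=(port == 465)))
    else:
        kw, mech = parse_ehlo(SAMPLE_EHLO)
        print(kw, mech, credential_path(kw, mech, False, False))
```

The decision order matters: an already-encrypted session makes the mechanism choice secondary, a STARTTLS offer should be taken before any AUTH command, and only when neither is available does a challenge-response mechanism buy anything. A server that offers only PLAIN or LOGIN without TLS is the case the profile's SSL/TLS and STARTTLS options exist to avoid.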

To configure a RADIUS authentication profile
  1. Go to Profile > Authentication > RADIUS.
  2. Either click New to add a profile or double-click a profile to modify it.
  3. Configure the following:

GUI item

Description

Domain

For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.

Profile name

For a new profile, enter the name of the profile.

Server name/IP

Enter the fully qualified domain name (FQDN) or IP address of a server that will be queried to authenticate email users if they authenticate to send email, or when they are accessing their personal quarantine.

Server port

Enter the port number on which the authentication server listens.

The default value varies by the protocol. You must change this value if the server is configured to listen on a different port number, including if the server requires use of SSL.

For example, the standard port number for SMTP is 25. However, for SMTP with SSL, the default port number is 465. Similarly, IMAP is 143, while IMAP with SSL is 993; POP3 is 110, while POP3 with SSL is 995; and RADIUS is 1812.

Protocol

Select the authentication scheme for the RADIUS server.

NAS IP/Called station ID

Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.

Server secret

Enter the secret required by the RADIUS server. It must be identical to the secret that is configured on the RADIUS server.

Server requires domain

Enable if the authentication server requires that email users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).

Advanced Settings

When you add a FortiMail administrator (see Configuring administrator accounts), you must specify an access profile (the access privileges) for the administrator. You must also specify a domain (either system or a protected domain) that the administrator is entitled to access.

If you are adding a RADIUS account, you can override the access profile and domain setting with the values of the remote attributes returned from the RADIUS server.

  • Enable remote access override: Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used.
  • Vendor ID: Enter the vendor's registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.
  • Attribute ID: Enter the attribute ID of the above vendor for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.
  • Enable remote domain override: Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. If there is no match, the specified domain will still be used.
  • Vendor ID: Enter the vendor's registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.
  • Attribute ID: Enter the attribute ID of the above vendor for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.
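To make the override rule concrete, the following Python is an added example, not FortiMail's implementation. It encodes the Vendor-Specific attribute layout from RFC 2865 (attribute 26, four-byte Vendor-Id, then vendor type/length/value sub-attributes), extracts the two Fortinet sub-attributes using the IDs given above (vendor 12356, attribute 6 for the access profile, attribute 3 for the domain), and applies the documented fallback: a returned value is used only when it names an existing access profile or protected domain, otherwise the configured value stands. The Access-Accept bytes, profile names and domain names are constructed; the unrelated vendor ID 99999 is made up to show that other vendors' attributes are ignored.

```python
"""Apply RADIUS access-profile and domain overrides from an Access-Accept
the way the guide describes.

Added example; not FortiMail code. Vendor ID 12356 and attribute IDs 6
(Fortinet-Access-Profile) and 3 (Fortinet-Vdom-Name) come from the guide;
the packet bytes, profile names and domain names are constructed.
"""
import struct

ATTR_REPLY_MESSAGE = 18          # RFC 2865 Reply-Message
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 section 5.26
FORTINET_VENDOR_ID = 12356
FORTINET_ACCESS_PROFILE = 6
FORTINET_VDOM_NAME = 3


def build_attr(attr_type, value):
    """Encode one standard attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attributes(data):
    """Walk the attribute section of a RADIUS packet; raise on bad lengths
    rather than read past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((attr_type, bytes(data[pos + 2:pos + length])))
        pos += length
    return attrs


def vendor_attributes(attrs, vendor_id):
    """Collect {vendor_type: value} for VSAs from one vendor, ignoring others."""
    found = {}
    for attr_type, value in attrs:
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue                      # some other vendor's attribute
        pos = 4
        while pos < len(value):
            if len(value) - pos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length %d" % vlen)
            found[vtype] = value[pos + 2:pos + vlen]
            pos += vlen
    return found


def resolve_admin_access(accept_attrs, configured_profile, configured_domain,
                         known_profiles, known_domains,
                         access_override=True, domain_override=True):
    """Return (access_profile, domain) for the administrator.

    A returned value replaces the configured one only if the override is
    enabled and the value names an existing profile or protected domain.
    """
    vsas = vendor_attributes(parse_attributes(accept_attrs), FORTINET_VENDOR_ID)
    profile, domain = configured_profile, configured_domain
    if access_override:
        wanted = vsas.get(FORTINET_ACCESS_PROFILE, b"").decode("utf-8", "replace")
        if wanted in known_profiles:
            profile = wanted
    if domain_override:
        wanted = vsas.get(FORTINET_VDOM_NAME, b"").decode("utf-8", "replace")
        if wanted in known_domains:
            domain = wanted
    return profile, domain


# Constructed Access-Accept attribute section: a Reply-Message, a VSA from a
# made-up unrelated vendor, and the two Fortinet attributes.
SAMPLE_ACCEPT = (build_attr(ATTR_REPLY_MESSAGE, b"Welcome")
                 + build_vsa(99999, 1, b"ignored")
                 + build_vsa(FORTINET_VENDOR_ID, FORTINET_ACCESS_PROFILE, b"readonly_admin")
                 + build_vsa(FORTINET_VENDOR_ID, FORTINET_VDOM_NAME, b"example.com"))

KNOWN_PROFILES = {"super_admin", "readonly_admin"}   # constructed names
KNOWN_DOMAINS = {"system", "example.com"}


if __name__ == "__main__":
    print(resolve_admin_access(SAMPLE_ACCEPT, "super_admin", "system",
                               KNOWN_PROFILES, KNOWN_DOMAINS))
```

Two properties of the documented rule are worth noting when reviewing a deployment: the RADIUS server can only select among profiles and domains that already exist on the FortiMail unit, never create new privilege, and a non-matching value silently falls back to the locally configured setting, so a typo in the RADIUS dictionary or user entry shows up as an administrator landing in the default profile rather than as an error.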

To apply the authentication profile, you must select it in a policy. You may also need to configure access control rules, user accounts, and certificates. For details, see Workflow to enable and configure authentication of email users.
