Fortinet black logo

Administration Guide

Managing users

Managing users

The User menu enables you to configure email user-related settings, such as user preferences and PKI authentication. If the FortiMail unit is operating in server mode, the User menu also enables you to add email user accounts.

This section includes:

Configuring local user accounts (server mode only)

When operating in server mode, the FortiMail unit is a standalone email server. The FortiMail unit receives email messages, scans for viruses and spam, and then delivers email to its email users’ mailboxes. External MTAs connect to the FortiMail unit, which itself is also the protected email server.

When the FortiMail unit operates in server mode and the web UI operates in advanced mode, the User tab is available. It lets you configure email user accounts whose mailboxes are hosted on the FortiMail unit. Email users can then access their email hosted on the FortiMail unit using webmail, POP3 and/or IMAP. For information on webmail and other features used directly by email users, see Setup for email users.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

For details, see About administrator account permissions and domains.

To view email user accounts, go to Domain & User > User > User.

GUI item

Description

Maintenance

(button)

Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of each mailbox, and empty or delete mailboxes as required.

The SecureMail mailbox contains the secured email for the user.

The Bulk mailbox contains spam quarantined by the FortiMail unit.

Click Back to return to the Users tab.

Export .CSV

(button)

Click to download a backup of the email users list in comma-separated value (CSV) file format. The user passwords are encoded for security.

Caution: Most of the email user accounts data, such as mailboxes and preferences, is not included in the .csv file. For information on performing a complete backup, see Backup and restore.

Import .CSV

(button)

In the field to the right of Import .CSV, enter the location of a CSV-formatted email user backup file, then click Import .CSV to upload the file to your FortiMail unit.

The import feature provides a simple way to add a list of new users in one operation. See Importing a list of users.

Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see Configuring protected domains. You may also want to back up the existing email user accounts. For details, see Backup and restore.

Password

(button)

Select a user and click this button to change a user’s password. A dialog appears. Choose whether to change the user password or to switch to LDAP authentication. You can create a new LDAP profile or edit an existing one. For details, see Configuring LDAP profiles.

Domain

Select the protected domain to display its email users, or to select the protected domain to which you want to add an email user account before clicking New.

You can see only the domains that are permitted by your administrator profile.

Search user

Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users displays again with just those users that meet the search criteria.

To return to the complete user list, clear the search field and press Enter.

User Name

Displays the user name of an email user, such as user1. This is also the local portion of the email user’s primary email address.

Type

Displays the type of user: local, LDAP, or RADIUS.

Display Name

Displays the display name of an email user, such as "J Smith". This name appears in the From: field in the message headers of email messages sent from this email user.

Disk Usage (KB)

Displays the disk space used by mailboxes for the email user in kilobytes (KB).

Configuring users in server mode

You can create users one at a time or import a list of users. Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see Configuring protected domains.

To configure an email user account
  1. Go to Domain & User > User > User.
  2. From Domain, select the name of the protected domain to which you want to add an email user. You can also set the domain on the user dialog.
  3. Either click New to add an email user or double-click an email user to modify it.
  4. A dialog appears.

  5. In User name, enter the name of the account in the selected domain whose email will be locally deliverable on the FortiMail unit.
  6. For example, an email user may have numerous aliases, mail routing, and other email addresses on other systems in your network, such as accounting@example.com. However, the user name you enter in the New User dialog reflects the email user’s account that they will use to log in to this FortiMail unit at the selected domain; such as, jsmith if the email address is jsmith@example.com.

  7. You can change the user’s domain if it necessary. In the drop-down menu to the right of the @ symbol, select the name of the protected domain to which the email user belongs.
  8. For Authentication type, select one of the following:
  • select Local and then enter the password for this email account
  • select LDAP and select the name of an existing LDAP profile in the dropdown list
  • select RADIUS and select the name of an existing RADIUS profile in the dropdown list.

If no profile exists, click New to create one.

If a profile exists but needs modification, select it and click Edit.

Note

The LDAP option requires that you first create an LDAP profile in which you have enabled and configured in Configuring user authentication options.

  • In Display Name, enter the name of the user as it should appear in the From: field in the message header.
  • For example, an email user whose email address is user1@example.com may prefer that their Display Name be "J Zang".

  • Click OK.
  • For a new user, the FortiMail unit creates the account. Authentication is not yet enabled and a policy may not exist that allows the account to send and receive email.

    Complete the next two steps as applicable.

  • To enable the user account, create a recipient-based policy that both matches its email address and uses a resource profile in which User account status is enabled. For details, see Workflow to enable and configure authentication of email users and Configuring resource profiles.
  • To allow the user account to send and receive email, configure an access control rule and either an IP-based policy or an incoming recipient-based policy. For details, see Configuring policies.
  • Caution

    If you rename an existing user account to a new user account name using the CLI command, all the user’s preferences and mail data will be ported to the new user. However, due to the account name change, the new user will not be able to decrypt and read the encrypted email that is sent to the old user name before.

    Importing a list of users

    The import feature provides a simple way to add a list of new local users in one operation. You can create a CSV file in any spreadsheet and import the data as long as the columns match the FortiMail format.

    To create and import user records
    1. Go to Domain & User > User > User.
    2. Create at least one local (non-LDAP) user.
    3. Select that user and click Export .CSV.
    4. Save the file on your local computer.
    5. Open the CSV file in a spreadsheet editor, such as Microsoft Excel.
    6. Enter user records in the pre-existing columns so the new users exactly match the exported format. (Delete the original exported user record.)
    Sample CSV format:

    1. Use the Save As feature to save the file in plain CSV format.
    2. On the User tab, click Import.
    3. A dialog appears.

    4. Click Browse to locate the CSV file to import and click Open.
    5. Click OK.
    6. A field appears showing the percentage of import completion.

      A dialog appears showing the number of imported records.

    The import feature does not overwrite existing records.

    To change the password of multiple email user accounts
    Caution

    This procedure sets the same password for one or more email user accounts, which can result in reduced security of the email users’ accounts. To reduce risk, set a strong password and notify each email user whose password has been reset to configure a unique, strong password as soon as possible.

    1. Go to Domain & User > User > User.
    2. From Domain, select the name of the protected domain in which you want to change email user account passwords.
    3. To change the passwords of all email user accounts for the protected domain, mark the check box located in the check box column heading.
    4. To change the passwords of individual email user accounts, in the check box column, mark the check boxes of each email user account whose password you want to change.

    5. Click Password.
    6. Select either:
    • Password, then enter the password for this email account, or
    • LDAP, then select the name of an LDAP profile in which you have enabled and configured the User Auth Options query, which enables the FortiMail unit to query the LDAP server to authenticate the email user.
    Note

    You can create LDAP profiles using the advanced mode of the web-based manager. For more information, see Configuring LDAP profiles.

  • Click OK.
  • See also

    Managing the disk usage of email users mailboxes

    Configuring user preferences

    Configuring user aliases

    Configuring address mappings

    Configuring PKI authentication

    Configuring LDAP profiles

    Managing the disk usage of email users mailboxes

    If your email users often send or receive large attachments, email users’ mailboxes may rapidly consume the hard disk space of the FortiMail unit. You can manage the disk usage of email users’ mailboxes by monitoring the size of the folders, and optionally deleting their contents.

    For example, if each email user has a mailbox folder named “Spam” that receives tagged spam, you might want to periodically empty the contents of these folders to reclaim hard disk space.

    Alternatively, you can assign email users’ disk space quota in their resource profile. For details, see Configuring resource profiles.

    To empty a mailbox folder
    1. Go to Domain & User > User > User.
    2. Select the check box for the user.
    3. Click Maintenance.
    4. A list of mailbox folder names with their hard disk usages appears.

    5. Select the mailbox folder that you want to empty, such as Trash, then click Empty.
    6. A confirmation dialog appears.

    7. Click OK.
    See also

    Configuring local user accounts (server mode only)

    Configuring resource profiles

    Configuring user preferences

    The User Preferences tab lets you configure preferences for each email user, such as per-user safe lists and preferred webmail quarantine language.

    Preferences apply to email user accounts in all operation modes but vary slightly in implementation. For example:

    • Out-of-office status messages and mail forwarding can only be configured when the FortiMail unit is operating in server mode.
    • In server mode, user accounts are stored on the FortiMail unit.
    • With gateway or transparent mode, user accounts are stored hosted on your protected SMTP server.

    Although you may have created a local user account, the user’s preferences may not be created. You can either wait for an event that requires it to be automatically initialized using the default values, or you can manually create and modify it.

    Administrators can modify preferences for each email user through the web UI. Email users can modify their own preferences by logging in to the FortiMail webmail or email quarantine.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

    For details, see About administrator account permissions and domains.

    To view and manage existing user preferences
    1. Go to Domain & User > User > User Preferences.
    2. GUI item

      Description

      Delete User Data

      (button)

      Select the user and then click this button to delete the user preference settings and mail data.

      Maintenance

      (button)

      Click to reveal a drop-down menu with preference management options.

      • Clear Safe List
      • Clear Block List
      • Enable Outgoing Recipient Safelisting
      • Disable Outgoing Recipient Safelisting
      • Reset (resets preferences to their defaults)

      Domain

      Select the protected domain to display its email users, or to select the protected domain to which you want to add an email user account before clicking New.

      You can see only the domains that are permitted by your administrator profile.

      Search user

      Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

      To return to the complete user list, clear the search field and press Enter.

      User Name

      Displays the user name of an email user, such as user1.

      Display name

      (server mode only)

      Displays the display name of the email user.

      Language

      Displays the language in which this email user prefers to display their quarantine and, if the FortiMail unit is operating in server mode, webmail. By default, this language preference is the same as the system-wide default webmail language preference. For more information, see Customizing the GUI appearance.

      Safe List

      The icon in this column indicates whether or not a personal safe list currently exists for this email user. Hover the mouse pointer over the list icon to determine its status:

      • New: A personal safe list does not exist for this email user.
      • Edit: A personal safe list exists for this email user.

      Click the icon to open a dialog where you can configure, back up, or restore the personal safe list. Safe lists include sender IP addresses, domain names, and email addresses that the email user wants to permit.

      Note: System-level lists take precedence over domain-level lists while domain-level lists take precedence over personal-level lists.

      For more information on safe lists and block lists, see Managing the personal block lists and safe lists.

      Block List

      The icon in this column indicates whether or not a personal block list currently exists for this email user. Hover the mouse pointer over the list icon to determine its status:

      • New: A personal block list does not exist for this email user.
      • Edit: A personal block list exists for this email user.

      Click the icon to open a dialog where you can configure, back up, or restore the personal block list. Block lists include sender IP addresses, domain names, and email addresses that the email user wants to block

      Note: System-level lists take precedence over domain-level lists while domain-level lists take precedence over personal-level lists.

      For more information on safe lists and block lists, see Managing the personal block lists and safe lists.

      Secondary Accounts

      The icon in this column indicates whether or not this email user will also handle quarantined email messages for other email addresses. Hover the mouse pointer over the list icon to determine its status:

      • New: A secondary access list does not exist for this email user.
      • Edit: A secondary access list exists for this email user.

      A list of email accounts in sub-domains that are linked to a user on the parent domain. For example, if user1@example.com can have that email address linked to the following secondary accounts: user1@one.example.com, and user1@two.example.com.

      Select the New or Edit icon to add accounts to the secondary accounts for this user. Note that any accounts must first be created before they can be added to this list.

      Click the icon to open a dialog where you can add or remove secondary accounts. The addresses must exist in one of the existing FortiMail domains to be added.

      Outgoing Recipient Safelisting sic

      (icon)

      The icon indicates whether or not the FortiMail unit will automatically add recipient addresses in outgoing email sent by this email user to their per-user safe list, if it is allowed in the antispam profile.

      • A green check mark icon indicates automatic per-user safelisting is enabled.
      • A red X icon indicates automatic per-user safelisting is disabled.

      Email users can change this setting in their webmail preferences. For more information, log in to the FortiMail webmail, then click Help.

      This setting can be initialized manually or automatically. FortiMail administrators can manually create and configure this setting when configuring email user preferences. If the setting has not yet been created when either:

      • an email user logs in to FortiMail webmail
      • an email user sends outgoing email through the FortiMail unit
      • a FortiMail administrator configures the email user’s personal block or safe list (see Managing the personal block lists and safe lists)

      then the FortiMail unit will automatically initialize this setting as disabled.

      Preference

      The green check mark indicates that the user preference has been configured and the settings will be used.

      The red check mark indicates that the user preference has not be configured and the default settings will be used.

      Disk Usage

      Displays how much disk space each user mailbox is using.

    3. Either click New or double-click the user’s preferences to modify them.
    4. A dialog appears that varies depending on the operation mode.

    5. Configure the user preferences as required.
    See also

    Configuring local user accounts (server mode only)

    Configuring user preferences

    Configuring user aliases

    Configuring address mappings

    Configuring PKI authentication

    Configuring PKI authentication

    Go to Domain & User > User > PKI User to configure public key infrastructure (PKI) user authentication.

    PKI users can authenticate by presenting a valid client certificate, rather than by entering a user name and password.

    A PKI user can be either an email user or a FortiMail administrator.

    When a PKI user connects to the FortiMail unit with a web browser, the browser presents the PKI user’s certificate to the FortiMail unit. If the certificate is valid, the FortiMail unit then authenticates the PKI user. To be valid, a client certificate must:

    • not be expired
    • not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
    • be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit
    • contain a CA field whose value matches the CA certificate
    • contain a Issuer field whose value matches the Subject field in the CA certificate
    • contain a Subject field whose value contains the subject, or is empty
    • contain a Common Name (CN) or Subject Alternative field, if LDAP Query is enabled, whose value matches the email address of a user object retrieved using the User Query Options of the LDAP profile.
    Note

    Web browsers may have their own certificate validation requirements in addition to FortiMail requirements. For example, personal certificates may be required to contain the PKI user’s email address in the Subject Alternative Name field, and that Key Usage field contain Digital Signature, Data Encipherment, Key Encipherment. For browser requirements, see your web browser’s documentation.

    If the client certificate is not valid, depending on whether you have configured the FortiMail unit to require valid certificates, authentication will either fail absolutely, or fail over to user name and password authentication.

    If the certificate is valid and authentication succeeds, the PKI user’s web browser is redirected to either the web UI (for PKI users that are FortiMail administrators), or FortiMail webmail or the personal quarantine (for PKI users that are email users).

    For details and examples about how to use PKI authentication for FortiMail email users and administrators, see Appendix F: PKI Authentication.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read or Read-Write permission to the Policy category

    For details, see About administrator account permissions and domains.

    To view and configure PKI users
    1. Go to Domain & User > User > PKI User.
    2. GUI item

      Description

      Name

      Displays the user name of the PKI user.

      Domain

      Displays the protected domain to which the PKI user is assigned. If Domain is empty, the PKI user is an administrator.

      CA

      Displays the name of the CA certificate used when validating the CA’s signature of the client certificate. For more information, see Managing certificate authority certificates.

      Subject

      Displays a string used to match part of the value in the Subject field of the client certificate. It does not have to match the entire subject.

      If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser.

      LDAP

      If LDAP query is enabled, the LDAP configuration of this PKI user is shown in three parts:

      • Whether the LDAP query setting is enabled (indicated by E) or disabled (indicated by “-”).
      • Displays the name of the LDAP profile used for the query. For more information, see Configuring LDAP profiles.
      • Displays the name of the field in the client certificate (either Subject Alternative or CN) whose value must match the email address of a user object in the LDAP directory.

      For example, E/ldapprof/Subject Alternative indicates that LDAP query is enabled, and will use the LDAP profile named ldapprof to validate the Subject Alternative field of the client certificate.

      OCSP

      If this is enabled, the OCSP configuration of this PKI user is shown in three parts:

      • Whether OSCP is enabled (indicated by E) or disabled (indicated by “-”).
      • Displays the URL of the OCSP server.
      • Displays the action to take if the OCSP server is unavailable. If set to ignore, the FortiMail unit allows the user to authenticate. If set to revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails.

      For example, E/https://www.example.com/Revoke indicates OCSP is enabled, using the OSCP server at https://www.example.com, and if the OSCP server is unavailable, the FortiMail unit prevents the user from authenticating.

    3. Click New to add PKI authentication for an email user or administrator account or double-click an account to modify it.
    4. Configure the following:
    5. GUI item

      Description

      User name

      For a new user, enter the name of the PKI user.

      There is no requirement to use the same name as the administrator or email user’s account name, although you may find it helpful to be so.

      For example, you might have an administrator account named admin1.You might therefore find it most straightforward to also name the PKI user admin1, making it easy to remember which account you intended to use these PKI settings.

      Domain

      Select either the protected domain to which the PKI user is assigned, or, if the PKI user is a FortiMail administrator, select System.

      You can see only the domains that are permitted by your administrator profile.

      CA

      Select either None or the name of the CA certificate to use when validating the CA’s signature of the client certificate. For more information, see Managing certificate authority certificates.

      If you select None, you must configure Subject.

      Subject

      Enter the value which must match the Subject field of the client certificate, or leave this field empty. If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser.

      The FortiMail unit will use a CA certificate to authenticate a PKI user only if the subject string you enter here also appears in the CA certificate subject. If no subject is entered here, the subject not considered when the FortiMail unit selects the certificate to use.

      If you do not configure Subject, you must configure CA.

      LDAP query

      Enable to query an LDAP directory, such as Microsoft Active Directory, to determine the existence of the PKI user who is attempting to authenticate, then also configure LDAP profile and Query field.

      Note: If this option is enabled, no local user configuration is necessary. Instead, the FortiMail unit creates the personal quarantine folder and other necessary items when PKI authentication queries the LDAP server.

      LDAP profile

      From the drop-down list, select the LDAP profile to use when querying the LDAP server.

      • If no profile exists, click New to create one.
      • If a profile exists but needs modification, select it and click Edit.

      In both cases, the Edit LDAP Profile dialog appears. For more information, see Configuring LDAP profiles.

      This option is available only if LDAP query is enabled.

      Query field

      Select the name of the field in the client certificate (either CN or Subject Alternative) which contains the email address of the PKI user.

      This email address will be compared with the value of the email address attribute for each user object queried from the LDAP directory to determine if the PKI user exists in the LDAP directory.

      This option is available only if LDAP query is enabled.

      OCSP

      Enable to use an Online Certificate Status Protocol (OCSP) server to query whether the client certificate has been revoked, then also configure URL, Remote certificate, and Unavailable action.

      URL

      Displays the URL of the OCSP server.

      This option is available only if OCSP is enabled.

      Remote certificate

      Select the remote certificate that is used to verify the identity of the OCSP server. For more information, see Managing OCSP server certificates.

      This option is available only if OCSP is enabled.

      Unavailable action

      Select the action to take if the OCSP server is unavailable. If set to Ignore, the FortiMail unit allows the user to authenticate. If set to Revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails.

      This option is available only if OCSP is enabled.

    You need to take additional steps to activate and complete a PKI user’s configuration.

    To complete PKI user configuration
    1. To enable PKI authentication on your FortiMail unit for all PKI users, open the CLI and enter the following command:
    2. config system global

      set pki-mode enable

      end

    3. For each PKI user, import the client certificate into the user’s web browser on each computer the PKI user will use to access the FortiMail unit. For details on installing certificates, see the documentation for your web browser. Client certificates must be valid. For information on how FortiMail units validate the client certificates of PKI users, see Configuring PKI authentication.
    4. In the web UI, import the CA certificate into the FortiMail unit. For more information, see Managing certificate authority certificates.
    5. For PKI users that are FortiMail administrators, select the PKI authentication type and select a PKI user to which the administrator account corresponds. For more information, see Configuring administrator accounts and access profiles.
    6. For PKI users that are email users, enable PKI user authentication in the incoming recipient-based policies which match those email users. For more information, see Controlling email based on sender and recipient addresses.
    7. Caution

      Control access to each PKI user’s computer. Certificate-based PKI authentication controls access to the FortiMail unit based on PKI certificates, which are installed on each email user or administrator’s computer. If anyone can access the computers where those PKI certificates are installed, they can gain access to the FortiMail unit, which can compromise the security of your FortiMail unit.

    See also

    Configuring local user accounts (server mode only)

    Configuring user preferences

    Configuring user aliases

    Configuring address mappings

    Configuring PKI authentication

    Managing users

    The User menu enables you to configure email user-related settings, such as user preferences and PKI authentication. If the FortiMail unit is operating in server mode, the User menu also enables you to add email user accounts.

    This section includes:

    Configuring local user accounts (server mode only)

    When operating in server mode, the FortiMail unit is a standalone email server. The FortiMail unit receives email messages, scans for viruses and spam, and then delivers email to its email users’ mailboxes. External MTAs connect to the FortiMail unit, which itself is also the protected email server.

    When the FortiMail unit operates in server mode and the web UI operates in advanced mode, the User tab is available. It lets you configure email user accounts whose mailboxes are hosted on the FortiMail unit. Email users can then access their email hosted on the FortiMail unit using webmail, POP3 and/or IMAP. For information on webmail and other features used directly by email users, see Setup for email users.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

    For details, see About administrator account permissions and domains.

    To view email user accounts, go to Domain & User > User > User.

    GUI item

    Description

    Maintenance

    (button)

    Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of each mailbox, and empty or delete mailboxes as required.

    The SecureMail mailbox contains the secured email for the user.

    The Bulk mailbox contains spam quarantined by the FortiMail unit.

    Click Back to return to the Users tab.

    Export .CSV

    (button)

    Click to download a backup of the email users list in comma-separated value (CSV) file format. The user passwords are encoded for security.

    Caution: Most of the email user accounts data, such as mailboxes and preferences, is not included in the .csv file. For information on performing a complete backup, see Backup and restore.

    Import .CSV

    (button)

    In the field to the right of Import .CSV, enter the location of a CSV-formatted email user backup file, then click Import .CSV to upload the file to your FortiMail unit.

    The import feature provides a simple way to add a list of new users in one operation. See Importing a list of users.

    Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see Configuring protected domains. You may also want to back up the existing email user accounts. For details, see Backup and restore.

    Password

    (button)

    Select a user and click this button to change a user’s password. A dialog appears. Choose whether to change the user password or to switch to LDAP authentication. You can create a new LDAP profile or edit an existing one. For details, see Configuring LDAP profiles.

    Domain

    Select the protected domain to display its email users, or to select the protected domain to which you want to add an email user account before clicking New.

    You can see only the domains that are permitted by your administrator profile.

    Search user

    Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users displays again with just those users that meet the search criteria.

    To return to the complete user list, clear the search field and press Enter.

    User Name

    Displays the user name of an email user, such as user1. This is also the local portion of the email user’s primary email address.

    Type

    Displays the type of user: local, LDAP, or RADIUS.

    Display Name

    Displays the display name of an email user, such as "J Smith". This name appears in the From: field in the message headers of email messages sent from this email user.

    Disk Usage (KB)

    Displays the disk space used by mailboxes for the email user in kilobytes (KB).

    Configuring users in server mode

    You can create users one at a time or import a list of users. Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see Configuring protected domains.

    To configure an email user account
    1. Go to Domain & User > User > User.
    2. From Domain, select the name of the protected domain to which you want to add an email user. You can also set the domain on the user dialog.
    3. Either click New to add an email user or double-click an email user to modify it.
    4. A dialog appears.

    5. In User name, enter the name of the account in the selected domain whose email will be locally deliverable on the FortiMail unit.
    6. For example, an email user may have numerous aliases, mail routing, and other email addresses on other systems in your network, such as accounting@example.com. However, the user name you enter in the New User dialog reflects the email user’s account that they will use to log in to this FortiMail unit at the selected domain; such as, jsmith if the email address is jsmith@example.com.

    7. You can change the user’s domain if it necessary. In the drop-down menu to the right of the @ symbol, select the name of the protected domain to which the email user belongs.
    8. For Authentication type, select one of the following:
    • select Local and then enter the password for this email account
    • select LDAP and select the name of an existing LDAP profile in the dropdown list
    • select RADIUS and select the name of an existing RADIUS profile in the dropdown list.

    If no profile exists, click New to create one.

    If a profile exists but needs modification, select it and click Edit.

    Note

    The LDAP option requires that you first create an LDAP profile in which you have enabled and configured in Configuring user authentication options.

  • In Display Name, enter the name of the user as it should appear in the From: field in the message header.
  • For example, an email user whose email address is user1@example.com may prefer that their Display Name be "J Zang".

  • Click OK.
  • For a new user, the FortiMail unit creates the account. Authentication is not yet enabled and a policy may not exist that allows the account to send and receive email.

    Complete the next two steps as applicable.

  • To enable the user account, create a recipient-based policy that both matches its email address and uses a resource profile in which User account status is enabled. For details, see Workflow to enable and configure authentication of email users and Configuring resource profiles.
  • To allow the user account to send and receive email, configure an access control rule and either an IP-based policy or an incoming recipient-based policy. For details, see Configuring policies.
  • Caution

    If you rename an existing user account to a new user account name using the CLI command, all the user’s preferences and mail data will be ported to the new user. However, due to the account name change, the new user will not be able to decrypt and read the encrypted email that is sent to the old user name before.

    Importing a list of users

    The import feature provides a simple way to add a list of new local users in one operation. You can create a CSV file in any spreadsheet and import the data as long as the columns match the FortiMail format.

    To create and import user records
    1. Go to Domain & User > User > User.
    2. Create at least one local (non-LDAP) user.
    3. Select that user and click Export .CSV.
    4. Save the file on your local computer.
    5. Open the CSV file in a spreadsheet editor, such as Microsoft Excel.
    6. Enter user records in the pre-existing columns so the new users exactly match the exported format. (Delete the original exported user record.)
    Sample CSV format:

    1. Use the Save As feature to save the file in plain CSV format.
    2. On the User tab, click Import.
    3. A dialog appears.

    4. Click Browse to locate the CSV file to import and click Open.
    5. Click OK.
    6. A field appears showing the percentage of import completion.

      A dialog appears showing the number of imported records.

    The import feature does not overwrite existing records.

    To change the password of multiple email user accounts
    Caution

    This procedure sets the same password for one or more email user accounts, which can result in reduced security of the email users’ accounts. To reduce risk, set a strong password and notify each email user whose password has been reset to configure a unique, strong password as soon as possible.

    1. Go to Domain & User > User > User.
    2. From Domain, select the name of the protected domain in which you want to change email user account passwords.
    3. To change the passwords of all email user accounts for the protected domain, mark the check box located in the check box column heading.
    4. To change the passwords of individual email user accounts, in the check box column, mark the check boxes of each email user account whose password you want to change.

    5. Click Password.
    6. Select either:
    • Password, then enter the password for this email account, or
    • LDAP, then select the name of an LDAP profile in which you have enabled and configured the User Auth Options query, which enables the FortiMail unit to query the LDAP server to authenticate the email user.
    Note

    You can create LDAP profiles using the advanced mode of the web-based manager. For more information, see Configuring LDAP profiles.

  • Click OK.
  • See also

    Managing the disk usage of email users mailboxes

    Configuring user preferences

    Configuring user aliases

    Configuring address mappings

    Configuring PKI authentication

    Configuring LDAP profiles

    Managing the disk usage of email users mailboxes

    If your email users often send or receive large attachments, email users’ mailboxes may rapidly consume the hard disk space of the FortiMail unit. You can manage the disk usage of email users’ mailboxes by monitoring the size of the folders, and optionally deleting their contents.

    For example, if each email user has a mailbox folder named “Spam” that receives tagged spam, you might want to periodically empty the contents of these folders to reclaim hard disk space.

    Alternatively, you can assign email users’ disk space quota in their resource profile. For details, see Configuring resource profiles.

    To empty a mailbox folder
    1. Go to Domain & User > User > User.
    2. Select the check box for the user.
    3. Click Maintenance.
    4. A list of mailbox folder names with their hard disk usages appears.

    5. Select the mailbox folder that you want to empty, such as Trash, then click Empty.
    6. A confirmation dialog appears.

    7. Click OK.
    See also

    Configuring local user accounts (server mode only)

    Configuring resource profiles

    Configuring user preferences

    The User Preferences tab lets you configure preferences for each email user, such as per-user safe lists and preferred webmail quarantine language.

    Preferences apply to email user accounts in all operation modes but vary slightly in implementation. For example:

    • Out-of-office status messages and mail forwarding can only be configured when the FortiMail unit is operating in server mode.
    • In server mode, user accounts are stored on the FortiMail unit.
    • With gateway or transparent mode, user accounts are stored hosted on your protected SMTP server.

    Although you may have created a local user account, the user’s preferences may not be created. You can either wait for an event that requires it to be automatically initialized using the default values, or you can manually create and modify it.

    Administrators can modify preferences for each email user through the web UI. Email users can modify their own preferences by logging in to the FortiMail webmail or email quarantine.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

    For details, see About administrator account permissions and domains.

    To view and manage existing user preferences
    1. Go to Domain & User > User > User Preferences.
    2. GUI item

      Description

      Delete User Data

      (button)

      Select the user and then click this button to delete the user preference settings and mail data.

      Maintenance

      (button)

      Click to reveal a drop-down menu with preference management options.

      • Clear Safe List
      • Clear Block List
      • Enable Outgoing Recipient Safelisting
      • Disable Outgoing Recipient Safelisting
      • Reset (resets preferences to their defaults)

      Domain

      Select the protected domain to display its email users, or to select the protected domain to which you want to add an email user account before clicking New.

      You can see only the domains that are permitted by your administrator profile.

      Search user

      Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

      To return to the complete user list, clear the search field and press Enter.

      User Name

      Displays the user name of an email user, such as user1.

      Display name

      (server mode only)

      Displays the display name of the email user.

      Language

      Displays the language in which this email user prefers to display their quarantine and, if the FortiMail unit is operating in server mode, webmail. By default, this language preference is the same as the system-wide default webmail language preference. For more information, see Customizing the GUI appearance.

      Safe List

      The icon in this column indicates whether or not a personal safe list currently exists for this email user. Hover the mouse pointer over the list icon to determine its status:

      • New: A personal safe list does not exist for this email user.
      • Edit: A personal safe list exists for this email user.

      Click the icon to open a dialog where you can configure, back up, or restore the personal safe list. Safe lists include sender IP addresses, domain names, and email addresses that the email user wants to permit.

      Note: System-level lists take precedence over domain-level lists while domain-level lists take precedence over personal-level lists.

      For more information on safe lists and block lists, see Managing the personal block lists and safe lists.

      Block List

      The icon in this column indicates whether or not a personal block list currently exists for this email user. Hover the mouse pointer over the list icon to determine its status:

      • New: A personal block list does not exist for this email user.
      • Edit: A personal block list exists for this email user.

      Click the icon to open a dialog where you can configure, back up, or restore the personal block list. Block lists include sender IP addresses, domain names, and email addresses that the email user wants to block

      Note: System-level lists take precedence over domain-level lists while domain-level lists take precedence over personal-level lists.

      For more information on safe lists and block lists, see Managing the personal block lists and safe lists.

      Secondary Accounts

      The icon in this column indicates whether or not this email user will also handle quarantined email messages for other email addresses. Hover the mouse pointer over the list icon to determine its status:

      • New: A secondary access list does not exist for this email user.
      • Edit: A secondary access list exists for this email user.

      A list of email accounts in sub-domains that are linked to a user on the parent domain. For example, if user1@example.com can have that email address linked to the following secondary accounts: user1@one.example.com, and user1@two.example.com.

      Select the New or Edit icon to add accounts to the secondary accounts for this user. Note that any accounts must first be created before they can be added to this list.

      Click the icon to open a dialog where you can add or remove secondary accounts. The addresses must exist in one of the existing FortiMail domains to be added.

      Outgoing Recipient Safelisting sic

      (icon)

      The icon indicates whether or not the FortiMail unit will automatically add recipient addresses in outgoing email sent by this email user to their per-user safe list, if it is allowed in the antispam profile.

      • A green check mark icon indicates automatic per-user safelisting is enabled.
      • A red X icon indicates automatic per-user safelisting is disabled.

      Email users can change this setting in their webmail preferences. For more information, log in to the FortiMail webmail, then click Help.

      This setting can be initialized manually or automatically. FortiMail administrators can manually create and configure this setting when configuring email user preferences. If the setting has not yet been created when either:

      • an email user logs in to FortiMail webmail
      • an email user sends outgoing email through the FortiMail unit
      • a FortiMail administrator configures the email user’s personal block or safe list (see Managing the personal block lists and safe lists)

      then the FortiMail unit will automatically initialize this setting as disabled.

      Preference

      The green check mark indicates that the user preference has been configured and the settings will be used.

      The red check mark indicates that the user preference has not be configured and the default settings will be used.

      Disk Usage

      Displays how much disk space each user mailbox is using.

    3. Either click New or double-click the user’s preferences to modify them.
    4. A dialog appears that varies depending on the operation mode.

    5. Configure the user preferences as required.
    See also

    Configuring local user accounts (server mode only)

    Configuring user preferences

    Configuring user aliases

    Configuring address mappings

    Configuring PKI authentication

    Configuring PKI authentication

    Go to Domain & User > User > PKI User to configure public key infrastructure (PKI) user authentication.

    PKI users can authenticate by presenting a valid client certificate, rather than by entering a user name and password.

    A PKI user can be either an email user or a FortiMail administrator.

    When a PKI user connects to the FortiMail unit with a web browser, the browser presents the PKI user’s certificate to the FortiMail unit. If the certificate is valid, the FortiMail unit then authenticates the PKI user. To be valid, a client certificate must:

    • not be expired
    • not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
    • be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit
    • contain a CA field whose value matches the CA certificate
    • contain a Issuer field whose value matches the Subject field in the CA certificate
    • contain a Subject field whose value contains the subject, or is empty
    • contain a Common Name (CN) or Subject Alternative field, if LDAP Query is enabled, whose value matches the email address of a user object retrieved using the User Query Options of the LDAP profile.
    Note

    Web browsers may have their own certificate validation requirements in addition to FortiMail requirements. For example, personal certificates may be required to contain the PKI user’s email address in the Subject Alternative Name field, and that Key Usage field contain Digital Signature, Data Encipherment, Key Encipherment. For browser requirements, see your web browser’s documentation.

    If the client certificate is not valid, depending on whether you have configured the FortiMail unit to require valid certificates, authentication will either fail absolutely, or fail over to user name and password authentication.

    If the certificate is valid and authentication succeeds, the PKI user’s web browser is redirected to either the web UI (for PKI users that are FortiMail administrators), or FortiMail webmail or the personal quarantine (for PKI users that are email users).

    For details and examples about how to use PKI authentication for FortiMail email users and administrators, see Appendix F: PKI Authentication.

    To access this part of the web UI, your administrator account’s:

    • Domain must be System
    • access profile must have Read or Read-Write permission to the Policy category

    For details, see About administrator account permissions and domains.

    To view and configure PKI users
    1. Go to Domain & User > User > PKI User.
    2. GUI item

      Description

      Name

      Displays the user name of the PKI user.

      Domain

      Displays the protected domain to which the PKI user is assigned. If Domain is empty, the PKI user is an administrator.

      CA

      Displays the name of the CA certificate used when validating the CA’s signature of the client certificate. For more information, see Managing certificate authority certificates.

      Subject

      Displays a string used to match part of the value in the Subject field of the client certificate. It does not have to match the entire subject.

      If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser.

      LDAP

      If LDAP query is enabled, the LDAP configuration of this PKI user is shown in three parts:

      • Whether the LDAP query setting is enabled (indicated by E) or disabled (indicated by “-”).
      • Displays the name of the LDAP profile used for the query. For more information, see Configuring LDAP profiles.
      • Displays the name of the field in the client certificate (either Subject Alternative or CN) whose value must match the email address of a user object in the LDAP directory.

      For example, E/ldapprof/Subject Alternative indicates that LDAP query is enabled, and will use the LDAP profile named ldapprof to validate the Subject Alternative field of the client certificate.

      OCSP

      If this is enabled, the OCSP configuration of this PKI user is shown in three parts:

      • Whether OSCP is enabled (indicated by E) or disabled (indicated by “-”).
      • Displays the URL of the OCSP server.
      • Displays the action to take if the OCSP server is unavailable. If set to ignore, the FortiMail unit allows the user to authenticate. If set to revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails.

      For example, E/https://www.example.com/Revoke indicates OCSP is enabled, using the OSCP server at https://www.example.com, and if the OSCP server is unavailable, the FortiMail unit prevents the user from authenticating.

    3. Click New to add PKI authentication for an email user or administrator account or double-click an account to modify it.
    4. Configure the following:
    5. GUI item

      Description

      User name

      For a new user, enter the name of the PKI user.

      There is no requirement to use the same name as the administrator or email user’s account name, although you may find it helpful to be so.

      For example, you might have an administrator account named admin1.You might therefore find it most straightforward to also name the PKI user admin1, making it easy to remember which account you intended to use these PKI settings.

      Domain

      Select either the protected domain to which the PKI user is assigned, or, if the PKI user is a FortiMail administrator, select System.

      You can see only the domains that are permitted by your administrator profile.

      CA

      Select either None or the name of the CA certificate to use when validating the CA’s signature of the client certificate. For more information, see Managing certificate authority certificates.

      If you select None, you must configure Subject.

      Subject

      Enter the value which must match the Subject field of the client certificate, or leave this field empty. If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser.

      The FortiMail unit will use a CA certificate to authenticate a PKI user only if the subject string you enter here also appears in the CA certificate subject. If no subject is entered here, the subject not considered when the FortiMail unit selects the certificate to use.

      If you do not configure Subject, you must configure CA.

      LDAP query

      Enable to query an LDAP directory, such as Microsoft Active Directory, to determine the existence of the PKI user who is attempting to authenticate, then also configure LDAP profile and Query field.

      Note: If this option is enabled, no local user configuration is necessary. Instead, the FortiMail unit creates the personal quarantine folder and other necessary items when PKI authentication queries the LDAP server.

      LDAP profile

      From the drop-down list, select the LDAP profile to use when querying the LDAP server.

      • If no profile exists, click New to create one.
      • If a profile exists but needs modification, select it and click Edit.

      In both cases, the Edit LDAP Profile dialog appears. For more information, see Configuring LDAP profiles.

      This option is available only if LDAP query is enabled.

      Query field

      Select the name of the field in the client certificate (either CN or Subject Alternative) which contains the email address of the PKI user.

      This email address will be compared with the value of the email address attribute for each user object queried from the LDAP directory to determine if the PKI user exists in the LDAP directory.

      This option is available only if LDAP query is enabled.

      OCSP

      Enable to use an Online Certificate Status Protocol (OCSP) server to query whether the client certificate has been revoked, then also configure URL, Remote certificate, and Unavailable action.

      URL

      Displays the URL of the OCSP server.

      This option is available only if OCSP is enabled.

      Remote certificate

      Select the remote certificate that is used to verify the identity of the OCSP server. For more information, see Managing OCSP server certificates.

      This option is available only if OCSP is enabled.

      Unavailable action

      Select the action to take if the OCSP server is unavailable. If set to Ignore, the FortiMail unit allows the user to authenticate. If set to Revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails.

      This option is available only if OCSP is enabled.

    You need to take additional steps to activate and complete a PKI user’s configuration.

    To complete PKI user configuration
    1. To enable PKI authentication on your FortiMail unit for all PKI users, open the CLI and enter the following command:
    2. config system global

      set pki-mode enable

      end

    3. For each PKI user, import the client certificate into the user’s web browser on each computer the PKI user will use to access the FortiMail unit. For details on installing certificates, see the documentation for your web browser. Client certificates must be valid. For information on how FortiMail units validate the client certificates of PKI users, see Configuring PKI authentication.
    4. In the web UI, import the CA certificate into the FortiMail unit. For more information, see Managing certificate authority certificates.
    5. For PKI users that are FortiMail administrators, select the PKI authentication type and select a PKI user to which the administrator account corresponds. For more information, see Configuring administrator accounts and access profiles.
    6. For PKI users that are email users, enable PKI user authentication in the incoming recipient-based policies which match those email users. For more information, see Controlling email based on sender and recipient addresses.
    7. Caution

      Control access to each PKI user’s computer. Certificate-based PKI authentication controls access to the FortiMail unit based on PKI certificates, which are installed on each email user or administrator’s computer. If anyone can access the computers where those PKI certificates are installed, they can gain access to the FortiMail unit, which can compromise the security of your FortiMail unit.

    See also

    Configuring local user accounts (server mode only)

    Configuring user preferences

    Configuring user aliases

    Configuring address mappings

    Configuring PKI authentication