Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

profile authentication

Use this command to configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users.

FortiMail units support the following authentication methods:

  • SMTP
  • IMAP
  • POP3
  • RADIUS

When the FortiMail unit is operating in server mode, only local and RADIUS authentication are available.

In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when authenticating with another SMTP server to deliver email.

Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through inbound recipient-based policies, IP-based policies, and email user accounts.

For more information, see the FortiMail Administration Guide.

Syntax

config profile authentication imap

edit <profile_name>

set option {ssl secure tls senddomain}

set port <port_int>

set server {<fqdn_str> | <host_ipv4>}

config profile authentication pop3

edit <profile_name>

set option {ssl secure tls senddomain}

set port <port_int>

set server {<fqdn_str> | <host_ipv4>}

config profile authentication radius

edit <profile_name>

set access-override {enable | disable}

set access-override-attribute <integer>

set access-override-vendor <integer>

set auth-prot {auto | chap | mschap | mschap2 | pap}

set domain-override {enable | disable}

set domain-override-attribute <integer>

set domain-override-vendor <integer>

set nas-ip <ip_addr>

set port <port_int>

set secret <password_str>

set send-domain {enable | disable}

set server {<fqdn_str> | <host_ipv4>}

config profile authentication smtp

edit <profile_name>

set option {ssl secure tls senddomain}

set server {<fqdn_str> | <host_ipv4>}

set port <port_int>

set try-ldap-mailhost {enable | disable}

end

Variable

Description

Default

<profile_name>

Enter the name of the profile.

To view a list of existing entries, enter a question mark ( ? ).

 

access-override {enable | disable}

Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile.

disable

access-override-attribute <integer>

Enter the attribute ID of a vender for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.

6

access-override-vendor <integer>

Enter the vender’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.

12356

option {ssl secure tls senddomain}

Enter one or more of the following in a space-delimited list:

senddomain: Enable if the IMAP server requires both the user name and the domain when authenticating.

ssl: Enables secure socket layers (SSL) to secure message transmission.

secure: Enables secure authentication.

tls: Enables transport layer security (TLS) to ensure privacy between communicating application

 

port <port_int>

Enter the TCP port number of the IMAP server.

The standard port number for IMAP is 143; for SSL-secured IMAP, it is 993.

 

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the IMAP server.

 

option {ssl secure tls senddomain}

If you want to enable any of the following options, enter them in a space-delimited list:

domain: Enable if the POP3 server requires both the user name and the domain when authenticating.

ssl: Enables secure socket layers (SSL) to secure message transmission.

secure: Enables secure authentication.

tls: Enables transport layer security (TLS) to ensure privacy between communicating application

 

port <port_int>

Enter the TCP port number of the POP3 server.

The standard port number for POP3 is 110; for SSL-secured POP3, it is 995.

 

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the POP3 server.

 

auth-prot {auto | chap | mschap | mschap2 | pap}

Enter the authentication method for the RADIUS server.

 

auto

domain-override {enable | disable}

Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain.

disable

domain-override-attribute <integer>

Enter the attribute ID of a vender for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.

3

domain-override-vendor <integer>

Enter the vender’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.

12356

nas-ip <ip_addr>

Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.

0.0.0.0

port <port_int>

If the RADIUS server listens on a nonstandard port number, enter the port number of the RADIUS server.

The standard port number for RADIUS is 1812.

1812

secret <password_str>

Enter the password for the RADIUS server.

 

send-domain {enable | disable}

Enable if the RADIUS server requires both the user name and the domain when authenticating.

 

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the RADIUS server.

 

option {ssl secure tls senddomain}

If you want to enable any of the following options, enter them in a space-delimited list:

senddomain: Enable if the SMTP server requires both the user name and the domain when authenticating.

ssl: Enables secure socket layers (SSL) to secure message transmission.

secure: Enables secure authentication.

tls: Enables transport layer security (TLS) to ensure privacy between communicating application

 

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the SMTP server.

 

port <port_int>

Enter the TCP port number of the SMTP server.

The standard port number for SMTP is 25; for SSL-secured SMTP, it is 465.

 

try-ldap-mailhost {enable | disable}

Enable if your LDAP server has a mail host entry for the generic user

If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the server field.

disable

Related topics

profile certificate-binding

profile encryption

profile authentication

Use this command to configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users.

FortiMail units support the following authentication methods:

  • SMTP
  • IMAP
  • POP3
  • RADIUS

When the FortiMail unit is operating in server mode, only local and RADIUS authentication are available.

In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when authenticating with another SMTP server to deliver email.

Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through inbound recipient-based policies, IP-based policies, and email user accounts.

For more information, see the FortiMail Administration Guide.

Syntax

config profile authentication imap

edit <profile_name>

set option {ssl secure tls senddomain}

set port <port_int>

set server {<fqdn_str> | <host_ipv4>}

config profile authentication pop3

edit <profile_name>

set option {ssl secure tls senddomain}

set port <port_int>

set server {<fqdn_str> | <host_ipv4>}

config profile authentication radius

edit <profile_name>

set access-override {enable | disable}

set access-override-attribute <integer>

set access-override-vendor <integer>

set auth-prot {auto | chap | mschap | mschap2 | pap}

set domain-override {enable | disable}

set domain-override-attribute <integer>

set domain-override-vendor <integer>

set nas-ip <ip_addr>

set port <port_int>

set secret <password_str>

set send-domain {enable | disable}

set server {<fqdn_str> | <host_ipv4>}

config profile authentication smtp

edit <profile_name>

set option {ssl secure tls senddomain}

set server {<fqdn_str> | <host_ipv4>}

set port <port_int>

set try-ldap-mailhost {enable | disable}

end

Variable

Description

Default

<profile_name>

Enter the name of the profile.

To view a list of existing entries, enter a question mark ( ? ).

 

access-override {enable | disable}

Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile.

disable

access-override-attribute <integer>

Enter the attribute ID of a vender for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.

6

access-override-vendor <integer>

Enter the vender’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.

12356

option {ssl secure tls senddomain}

Enter one or more of the following in a space-delimited list:

senddomain: Enable if the IMAP server requires both the user name and the domain when authenticating.

ssl: Enables secure socket layers (SSL) to secure message transmission.

secure: Enables secure authentication.

tls: Enables transport layer security (TLS) to ensure privacy between communicating application

 

port <port_int>

Enter the TCP port number of the IMAP server.

The standard port number for IMAP is 143; for SSL-secured IMAP, it is 993.

 

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the IMAP server.

 

option {ssl secure tls senddomain}

If you want to enable any of the following options, enter them in a space-delimited list:

domain: Enable if the POP3 server requires both the user name and the domain when authenticating.

ssl: Enables secure socket layers (SSL) to secure message transmission.

secure: Enables secure authentication.

tls: Enables transport layer security (TLS) to ensure privacy between communicating application

 

port <port_int>

Enter the TCP port number of the POP3 server.

The standard port number for POP3 is 110; for SSL-secured POP3, it is 995.

 

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the POP3 server.

 

auth-prot {auto | chap | mschap | mschap2 | pap}

Enter the authentication method for the RADIUS server.

 

auto

domain-override {enable | disable}

Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain.

disable

domain-override-attribute <integer>

Enter the attribute ID of a vender for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.

3

domain-override-vendor <integer>

Enter the vender’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.

12356

nas-ip <ip_addr>

Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.

0.0.0.0

port <port_int>

If the RADIUS server listens on a nonstandard port number, enter the port number of the RADIUS server.

The standard port number for RADIUS is 1812.

1812

secret <password_str>

Enter the password for the RADIUS server.

 

send-domain {enable | disable}

Enable if the RADIUS server requires both the user name and the domain when authenticating.

 

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the RADIUS server.

 

option {ssl secure tls senddomain}

If you want to enable any of the following options, enter them in a space-delimited list:

senddomain: Enable if the SMTP server requires both the user name and the domain when authenticating.

ssl: Enables secure socket layers (SSL) to secure message transmission.

secure: Enables secure authentication.

tls: Enables transport layer security (TLS) to ensure privacy between communicating application

 

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the SMTP server.

 

port <port_int>

Enter the TCP port number of the SMTP server.

The standard port number for SMTP is 25; for SSL-secured SMTP, it is 465.

 

try-ldap-mailhost {enable | disable}

Enable if your LDAP server has a mail host entry for the generic user

If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the server field.

disable

Related topics

profile certificate-binding

profile encryption