DOCUMENT LIBRARY

Administration Guide

Email concepts and process workflow
- Email protocols
- Client-server connections in SMTP
- DNS role in email delivery
- How FortiMail processes email
- FortiMail operation modes
- FortiMail high availability modes
- FortiMail management methods
Setting up FortiMail system
- Connecting to the web UI or CLI
- Choosing the operation mode
- Running the Quick Start Wizard
- Connecting to FortiGuard services
- Gateway mode deployment
- Transparent mode deployment
- Server mode deployment
- Testing the installation
- Backing up the configuration
Using the dashboard
- Viewing the dashboard
- Using the CLI Console
Using FortiView
- Viewing mail statistics
- View threat statistics
- Viewing top user statistics
- Viewing current IP sessions
Monitoring the system
- Viewing log messages
- Managing the quarantines
- Managing the mail queue
- Viewing the greylist statuses
- Viewing sender, authentication and endpoint reputation
- Managing archived email
- Viewing generated reports
Centrally monitoring the HA cluster
- Viewing the cluster status
- Viewing HA cluster mail statistics
- Viewing HA cluster threat statistics
- Searching the HA cluster logs
Configuring system settings
- Configuring network settings
- Configuring administrator accounts and access profiles
- Configuring system time, options, and other system options
- Configuring mail settings
- Customizing GUI, replacement messages, email templates, SSO, and Security Fabric
- Configuring RAID
- Using high availability (HA)
- Managing certificates
- Using FortiSandbox antivirus inspection
- Configuring FortiGuard services
- System maintenance
Configuring domains and users
- Configuring protected domains
- Managing users
- Configuring user aliases
- Configuring address mappings
- Configuring IBE users
- Managing the address book (server mode only)
- Sharing calendars and address books (server mode only)
- Migrating email from other mail servers (server mode only)
Configuring policies
- What is a policy?
- How to use policies
- Controlling SMTP access and delivery
- Controlling email based on IP addresses
- Controlling email based on sender and recipient addresses
Configuring profiles
- Configuring session profiles
- Configuring antispam profiles and antispam action profiles
- Configuring antivirus profiles and antivirus action profiles
- Configuring content profiles and content action profiles
- Configuring resource profiles
- Workflow to enable and configure authentication of email users
- Configuring authentication profiles
- Configuring LDAP profiles
- Configuring dictionary profiles
- Configuring security profiles
- Configuring IP pools
- Configuring email, IP and GeoIP groups
- Configuring notification profiles
Configuring security settings
- Configuring the FortiGuard URL filter
- Configuring authentication reputation
- Configuring email quarantines and quarantine reports
- Configuring the block lists and safe lists
- Configuring greylisting
- Configuring bounce verification and tagging
- Configuring endpoint reputation
- Training and maintaining the Bayesian databases
- Adding file signatures
- Configuring action profile preferences
- Configuring adult image analysis
Configuring encryption settings
- Configuring IBE encryption
- Configuring certificate bindings
Configuring data loss prevention
- DLP configuration workflow
- Defining the sensitive data
- Configuring DLP rules
- Configuring DLP profiles
Archiving email
- Email archiving workflow
- Configuring email archiving accounts
- Configuring email archiving policies
- Configuring email archiving exemptions
Logs, reports and alerts
- About FortiMail logging
- Configuring logging
- Configuring report profiles and generating mail statistic reports
- Configuring alert email
Microsoft 365 threat remediation
- Microsoft 365 protection workflow
- Configuring Microsoft 365 accounts
- Configuring profiles
- Configuring scanning policies
- Monitoring log messages
Installing firmware
- Testing firmware before installing it
- Installing firmware
- Clean installing firmware
- Upgrading firmware on HA units
Best practices and fine tuning
- General security tuning
- System security tuning
- Network topology tuning
- High availability (HA) tuning
- SMTP connectivity tuning
- Antispam tuning
- Policy tuning
- System maintenance tips
- Performance tuning
Troubleshooting
- Establish a system baseline
- Define the problem
- Search for a known solution
- Create a troubleshooting plan
- Gather system information
- Troubleshoot hardware issues
- Troubleshoot GUI and CLI connection issues
- Troubleshoot FortiGuard connection issues
- Troubleshoot MTA issues
- Troubleshoot antispam issues
- Troubleshoot HA issues
- Troubleshoot resource issues
- Troubleshoot bootup issues
- Troubleshoot installation issues
- Contact Fortinet customer support for assistance
Setup for email users
- Training Bayesian databases
- Managing tagged spam
- Accessing the personal quarantine and webmail
- Sending email from an email client (gateway and transparent mode)
Appendix A: Supported RFCs
Appendix B: Maximum Values
Appendix C: Port Numbers
Appendix D: Wildcards and regular expressions
- Special characters with regular expressions and wildcards
- Case sensitivity
- Modifiers
- Word boundary
- Syntax
- Examples
Appendix E: Working with TLS/SSL
- About TLS/SSL
- How TLS/SSL works
- FortiMail support of TLS/SSL
- Troubleshooting FortiMail TLS issues
Appendix F: PKI Authentication
- Introduction to PKI authentication
- FortiMail PKI architecture
- Configuring PKI authentication on FortiMail
Change Log

Home FortiMail 6.4.6 Administration Guide

6.4.6

Configuring authentication profiles

FortiMail units support the following authentication methods:

SMTP
IMAP
POP3
RADIUS
LDAP

LDAP profiles can configure many features other than authentication, and are not located in the Authentication menu. For information on LDAP profiles, see Configuring LDAP profiles.

In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when authenticating with another SMTP server to deliver email.

Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through incoming recipient-based policies, IP-based policies, and email user accounts. For more information, see Controlling email based on sender and recipient addresses, Controlling email based on IP addresses, and Configuring local user accounts (server mode only).

For the general procedure of how to enable and configure authentication, see Workflow to enable and configure authentication of email users.

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To configure an SMTP, IMAP, or POP3 authentication profile

Go to Profile > Authentication > SMTP, IMAP, or POP3.
Either click New to add a profile or double-click a profile to modify it.
Configure the following:

GUI item	Description
Domain	For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.
Profile name	For a new profile, enter the name of the profile. The profile name is editable later.
Server name/IP	Enter the fully qualified domain name (FQDN) or IP address of a server that will be queried to authenticate email users if they authenticate to send email, or when they are accessing their personal quarantine.
Server port	Enter the port number on which the authentication server listens. The default value varies by the protocol. You must change this value if the server is configured to listen on a different port number, including if the server requires use of SSL. For example, the standard port number for SMTP is 25. However, for SMTP with SSL, the default port number is 465. Similarly, IMAP is 143, while IMAP with SSL is 993; POP3 is 110, while POP3 with SSL is 995; and RADIUS is 1812.
Use generic LDAP mail host if available (SMTP authentication only)	Use generic LDAP mail host if available: For gateway and transparent mode, select this option if your LDAP server has a mail host entry for the generic user. for more information, see Domain Lookup Query. If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the Server name/IP field.
Authentication mechanism	Select an authentication mechanism. For more information, consult the relevant RFCs.
Authentication options
SSL/TLS	Enable if you want to use transport layer security (TLS) to authenticate and encrypt communications between the FortiMail unit and this server, and if the server supports it.
STARTTLS	Enable if you want to upgrade the existing insecure connection to the secure connection using SSL/TLS.
Secure authentication	Enable if you want to use secure authentication to encrypt the passwords of email users when communicating with the server, and if the server supports it.
Server requires domain	Enable if the authentication server requires that email users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).

To configure a RADIUS authentication profile

Go to Profile > Authentication > RADIUS.
Either click New to add a profile or double-click a profile to modify it.

GUI item	Description
Domain	For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.
Profile name	For a new profile, enter the name of the profile.
Server name/IP	Enter the fully qualified domain name (FQDN) or IP address of a server that will be queried to authenticate email users if they authenticate to send email, or when they are accessing their personal quarantine.
Server port	Enter the port number on which the authentication server listens. The default value varies by the protocol. You must change this value if the server is configured to listen on a different port number, including if the server requires use of SSL. For example, the standard port number for SMTP is 25. However, for SMTP with SSL, the default port number is 465. Similarly, IMAP is 143, while IMAP with SSL is 993; POP3 is 110, while POP3 with SSL is 995; and RADIUS is 1812.
Protocol	Select the authentication scheme for the RADIUS server.
NAS IP/Called station ID	Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.
Server secret	Enter the secret required by the RADIUS server. It must be identical to the secret that is configured on the RADIUS server.
Server requires domain	Enable if the authentication server requires that email users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).
Advanced Setting	When you add a FortiMail administrator (see Configuring administrator accounts), you must specify an access profile (the access privileges) for the administrator. You must also specify a domain (either system or a protected domain) that the administrator is entitled to access. If you are adding a RADIUS account, you can override the access profile and domain setting with the values of the remote attributes returned from the RADIUS server. Enable remote access override: Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used. Vender ID: Enter the vender’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet. Attribute ID: Enter the attribute ID of the above vender for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile. Enable remote domain override: Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. If there is no match, the specified domain will still be used. Vender ID: Enter the vender’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet. Attribute ID: Enter the attribute ID of the above vender for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.

To apply the authentication profile, you must select it in a policy. You may also need to configure access control rules, user accounts, and certificates. For details, see Workflow to enable and configure authentication of email users.