Fortinet black logo

Administration Guide

Configuring IBE users

Configuring IBE users

You can send secured email with Identity Based Encryption (IBE) through the FortiMail unit. The IBE User option lets you manage the IBE mail users and IBE domains. For details about how to use IBE service, see FortiMail IBE configuration workflow.

This section contains the following topics:

Configuring active users

The Active User tab lets you enable, delete, maintain, and reset the following secured mail recipients:

  • recipients who have received secured mail notifications from the FortiMail unit
  • recipients who have registered or authenticated on the FortiMail unit

To view and manage active users, go to Domain & User > IBE User > Active User.

GUI item

Description

Delete

(button)

Select to remove a selected user in the list.

A deleted user cannot access the FortiMail unit.

Maintenance

(button)

Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of a mailbox and empty a mailbox as required.

The SecureMail mailbox contains the secured email for the user. The encrypted email are put into this mailbox if Pull is selected to retrieve IBE mail.

The Bulk mailbox contains spam that are quarantined by the FortiMail unit.

Reset User

(button)

Click to reset a mail user and require new login information to access the FortiMail unit.

Resetting a user sends the user a new notification and the user needs to re-register on the FortiMail unit.

IBE domain

Select the name of an IBE domain to view its active users.

For more information about IBE domain, see Configuring IBE authentication.

Search

Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

To return to the complete user list, clear the search field and press Enter.

Enabled

Select the check box to activate a mail user. A disabled user cannot access the FortiMail unit.

Email

Displays the email address of mail users.

First Name, Last Name

Displays the first and last name of a mail user. This information appears when a mail user registers on the FortiMail unit.

Recovery Email

Displays the recovery email address of the mail users.

Status

The mail user has four status possibilities:

  • Pre-registered: The FortiMail unit encrypts an email and sends a notification to the recipient.
  • Activated: The mail recipient registers on the FortiMail unit.
  • Password reset: When a mail recipient who is provided with new password to access the FortiMail unit has actually changed the password, this status appears.
  • LDAP: When a mail recipient. who belongs to an IBE domain bound with an LDAP profile authenticates on the FortiMail unit, this status appears. For more information about IBE domain, see Configuring IBE authentication.

Creation Time

Displays when IBE user was registered and created.

Last Access

Displays the time stamp when:

  • the FortiMail unit sends a notification (Pre-registered status)
  • the mail recipient registers on the FortiMail unit (Activated status)
  • a mail user changes the password (Password reset status)
  • a mail recipient, who belongs to an IBE domain, authenticates on the FortiMail unit (LDAP status)

See also

Configuring expired users

Configuring IBE authentication

Configuring expired users

Depending on the configuration of User registration expiry time and User inactivity expiry time in the IBE service, if email recipients fail to register or authenticate on the FortiMail unit, or fail to access the FortiMail unit after registration for a certain period of time, they become expired users. For more information about IBE service configuration, see Configuring IBE encryption.

The Expired User tab displays the same information as the Active User tab except that the users in this list have expired. These users need to re-register on the FortiMail unit when a new notification arrives to become active.

GUI item

Description

Delete

(button)

Select to remove a selected user in the list.

A deleted user cannot access the FortiMail unit.

Maintenance

(button)

Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of a mailbox and empty a mailbox as required.

The SecureMail mailbox contains the secured email for the user. The encrypted email are put into this mailbox if Pull is selected to retrieve IBE mail.

The Bulk mailbox contains spam that are quarantined by the FortiMail unit.

IBE domain

Select the name of an IBE domain to view its active users.

For more information about IBE domain, see Configuring IBE authentication.

Search

Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

To return to the complete user list, clear the search field and press Enter.

Email

Displays the email address of mail users.

First Name, Last Name

Displays the first name of a mail user. This information appears when a mail user registers on the FortiMail unit.

Last Name

Displays the last name of a mail user. This information appears when a mail user registers on the FortiMail unit.

Status

The mail user has four status possibilities:

  • Pre-registered: The FortiMail unit encrypts an email and sends a notification to the recipient.
  • Activated: The mail recipient registers on the FortiMail unit.
  • Password reset: When a mail recipient who is provided with new password to access the FortiMail unit has actually changed the password, this status appears.
  • LDAP: When a mail recipient. who belongs to an IBE domain bound with an LDAP profile authenticates on the FortiMail unit, this status appears. For more information about IBE domain, see Configuring IBE authentication.

Expiry Time

Displays when the user’s registration expired.

Last Access

Displays the time stamp when the user was last active.

See also

Configuring active users

Configuring IBE authentication

Configuring IBE authentication

When mail recipients of the IBE domains access the FortiMail unit after receiving a secure mail notification:

  • recipients of the IBE domains without LDAP authentication profiles need to register to view the email
  • recipients of the IBE domains with LDAP authentication profiles just need to authenticate because the FortiMail unit can query the LDAP servers for authentication information based on the LDAP profile

In both cases, the FortiMail unit will record the domain names of the recipients who register or authenticate on it under the IBE Domain tab. For details, see Viewing and managing IBE domains.

Go to Domain & User > IBE User > IBE Authentication to bind domains with LDAP authentication profiles with which the FortiMail unit can query the LDAP servers for authentication, email address mappings, and more. For more information about LDAP profiles, see Configuring LDAP profiles.

To configure IBE authentication rules
  1. Go to Domain & User > IBE User > IBE Authentication.
  2. Click New and configure the following:

GUI item

Description

Status

Select to enable this rule.

Domain pattern

Enter a domain name that you want to bind to an LDAP authentication profile.

If you want all IBE users to authenticate through an LDAP profile and do not want other non-LDAP-authenticated users to get registered on FortiMail, you can use wildcard * for the domain name and then bind it to an LDAP profile.

For more information about LDAP profiles, see Configuring LDAP profiles.

LDAP profile

Select the LDAP profile you want to use to authenticate the domain users.

User registration process with two-factor authentication

As of FortiMail 6.4.0, the enforcement of security questions has been removed and replaced with two-factor authentication, via email and/or SMS text message.

See Configuring IBE services for more information on configuring two-factor authentication settings.

The user verification process for receiving and reading a secure message varies depending on which method is chosen.

IBE user registration and check email process via email:
  1. When a secure message is sent to a user, the user receives a notification directing them to their inbox.
  2. The user opens the registration email and clicks the registration link.
  3. The user registers, providing their Language, Time zone, First name, and Last name.
  4. When the user clicks Next, they must confirm their Verification email address, then click OK.
  5. The user then receives a one-time password or token via email.
  6. Upon entering the token correctly, the user receives a successful registration notification email.
  7. Now that registration is complete, the user may only open the secure message once they have requested a token.

  8. The user clicks the secure message link and then clicks Request Token. The token is sent via email to the user.
  9. The user enters the token and clicks Verify Token.
  10. After the token is verified, the user is granted access to the secure message.
IBE user registration and check email process via SMS:
  1. When a secure message is sent to a user, the user receives a notification. The user clicks Register.
  2. A registration email is sent to the user.

  3. The user opens the registration email and clicks the registration link.
  4. The user registers, providing their Language, Time zone, First name, and Last name.
  5. When the user clicks Next, they must confirm their Verification phone number, then click OK.
  6. The user then receives a one-time password or token via SMS.
  7. Upon entering the token correctly, the user receives a successful registration notification email.
  8. Now that registration is complete, the user may only open the secure message once they have requested a token.

  9. The user clicks the secure message link and then clicks Request Token. The token is sent via email to the user.
  10. The user enters the token and clicks Verify Token.
  11. After the token is verified, the user is granted access to the secure message.
IBE user registration and check email process via email and SMS:
  1. When a secure message is sent to a user, the user receives a notification. The user clicks Register.
  2. A registration email is sent to the user.

  3. The user opens the registration email and clicks the registration link.
  4. The user registers, providing their Language, Time zone, First name, and Last name.
  5. Since the user has selected both email and SMS as token delivery methods, they must verify their email address and Mobile Station International Subscriber Directory Number (MSISDN). Note that a token is not required for the registration of the user's own email address.

  6. When the user clicks Next, they must confirm their Verification email address, then click OK.
  7. The user must then confirm their Verification phone number and request a token.
  8. The user then receives a one-time password or token via SMS.
  9. Upon entering the token correctly, the user receives a successful registration notification email.
  10. Now that registration is complete, the user may only open the secure message once they have requested a token.

  11. The user clicks the secure message link. Before the user clicks Request Token, they must select a Token method option: either SMS or Email. The token is sent via the selected option to the user.
  12. The user enters the token and clicks Verify Token.
  13. After the token is verified, the user is granted access to the secure message.

See also

Configuring active users

Viewing and managing IBE domains

The FortiMail unit records the domain names of the recipients who register or authenticate on FortiMail.

To view those domains, go to Domain & User > IBE User > IBE Domain.

GUI item

Description

Delete

(button)

Select to remove a selected domain.

Deleting a domain also disables all its users. These users cannot access the FortiMail unit until they receive new secure mail notifications from the FortiMail unit.

Remove All Users

(button)

Select to delete all mail users in a selected domain. These users cannot access the FortiMail unit until they receive new secure mail notifications from the FortiMail unit.

Search

(button)

Select to search IBE domains. A search dialog appears.

Active User Count

Displays the active mail users in a domain. For more information about active users, see Configuring active users.

Expired User Count

Displays the expired mail users in a domain. For more information about active users, see Configuring expired users.

Configuring IBE users

You can send secured email with Identity Based Encryption (IBE) through the FortiMail unit. The IBE User option lets you manage the IBE mail users and IBE domains. For details about how to use IBE service, see FortiMail IBE configuration workflow.

This section contains the following topics:

Configuring active users

The Active User tab lets you enable, delete, maintain, and reset the following secured mail recipients:

  • recipients who have received secured mail notifications from the FortiMail unit
  • recipients who have registered or authenticated on the FortiMail unit

To view and manage active users, go to Domain & User > IBE User > Active User.

GUI item

Description

Delete

(button)

Select to remove a selected user in the list.

A deleted user cannot access the FortiMail unit.

Maintenance

(button)

Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of a mailbox and empty a mailbox as required.

The SecureMail mailbox contains the secured email for the user. The encrypted email are put into this mailbox if Pull is selected to retrieve IBE mail.

The Bulk mailbox contains spam that are quarantined by the FortiMail unit.

Reset User

(button)

Click to reset a mail user and require new login information to access the FortiMail unit.

Resetting a user sends the user a new notification and the user needs to re-register on the FortiMail unit.

IBE domain

Select the name of an IBE domain to view its active users.

For more information about IBE domain, see Configuring IBE authentication.

Search

Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

To return to the complete user list, clear the search field and press Enter.

Enabled

Select the check box to activate a mail user. A disabled user cannot access the FortiMail unit.

Email

Displays the email address of mail users.

First Name, Last Name

Displays the first and last name of a mail user. This information appears when a mail user registers on the FortiMail unit.

Recovery Email

Displays the recovery email address of the mail users.

Status

The mail user has four status possibilities:

  • Pre-registered: The FortiMail unit encrypts an email and sends a notification to the recipient.
  • Activated: The mail recipient registers on the FortiMail unit.
  • Password reset: When a mail recipient who is provided with new password to access the FortiMail unit has actually changed the password, this status appears.
  • LDAP: When a mail recipient. who belongs to an IBE domain bound with an LDAP profile authenticates on the FortiMail unit, this status appears. For more information about IBE domain, see Configuring IBE authentication.

Creation Time

Displays when IBE user was registered and created.

Last Access

Displays the time stamp when:

  • the FortiMail unit sends a notification (Pre-registered status)
  • the mail recipient registers on the FortiMail unit (Activated status)
  • a mail user changes the password (Password reset status)
  • a mail recipient, who belongs to an IBE domain, authenticates on the FortiMail unit (LDAP status)

See also

Configuring expired users

Configuring IBE authentication

Configuring expired users

Depending on the configuration of User registration expiry time and User inactivity expiry time in the IBE service, if email recipients fail to register or authenticate on the FortiMail unit, or fail to access the FortiMail unit after registration for a certain period of time, they become expired users. For more information about IBE service configuration, see Configuring IBE encryption.

The Expired User tab displays the same information as the Active User tab except that the users in this list have expired. These users need to re-register on the FortiMail unit when a new notification arrives to become active.

GUI item

Description

Delete

(button)

Select to remove a selected user in the list.

A deleted user cannot access the FortiMail unit.

Maintenance

(button)

Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of a mailbox and empty a mailbox as required.

The SecureMail mailbox contains the secured email for the user. The encrypted email are put into this mailbox if Pull is selected to retrieve IBE mail.

The Bulk mailbox contains spam that are quarantined by the FortiMail unit.

IBE domain

Select the name of an IBE domain to view its active users.

For more information about IBE domain, see Configuring IBE authentication.

Search

Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

To return to the complete user list, clear the search field and press Enter.

Email

Displays the email address of mail users.

First Name, Last Name

Displays the first name of a mail user. This information appears when a mail user registers on the FortiMail unit.

Last Name

Displays the last name of a mail user. This information appears when a mail user registers on the FortiMail unit.

Status

The mail user has four status possibilities:

  • Pre-registered: The FortiMail unit encrypts an email and sends a notification to the recipient.
  • Activated: The mail recipient registers on the FortiMail unit.
  • Password reset: When a mail recipient who is provided with new password to access the FortiMail unit has actually changed the password, this status appears.
  • LDAP: When a mail recipient. who belongs to an IBE domain bound with an LDAP profile authenticates on the FortiMail unit, this status appears. For more information about IBE domain, see Configuring IBE authentication.

Expiry Time

Displays when the user’s registration expired.

Last Access

Displays the time stamp when the user was last active.

See also

Configuring active users

Configuring IBE authentication

Configuring IBE authentication

When mail recipients of the IBE domains access the FortiMail unit after receiving a secure mail notification:

  • recipients of the IBE domains without LDAP authentication profiles need to register to view the email
  • recipients of the IBE domains with LDAP authentication profiles just need to authenticate because the FortiMail unit can query the LDAP servers for authentication information based on the LDAP profile

In both cases, the FortiMail unit will record the domain names of the recipients who register or authenticate on it under the IBE Domain tab. For details, see Viewing and managing IBE domains.

Go to Domain & User > IBE User > IBE Authentication to bind domains with LDAP authentication profiles with which the FortiMail unit can query the LDAP servers for authentication, email address mappings, and more. For more information about LDAP profiles, see Configuring LDAP profiles.

To configure IBE authentication rules
  1. Go to Domain & User > IBE User > IBE Authentication.
  2. Click New and configure the following:

GUI item

Description

Status

Select to enable this rule.

Domain pattern

Enter a domain name that you want to bind to an LDAP authentication profile.

If you want all IBE users to authenticate through an LDAP profile and do not want other non-LDAP-authenticated users to get registered on FortiMail, you can use wildcard * for the domain name and then bind it to an LDAP profile.

For more information about LDAP profiles, see Configuring LDAP profiles.

LDAP profile

Select the LDAP profile you want to use to authenticate the domain users.

User registration process with two-factor authentication

As of FortiMail 6.4.0, the enforcement of security questions has been removed and replaced with two-factor authentication, via email and/or SMS text message.

See Configuring IBE services for more information on configuring two-factor authentication settings.

The user verification process for receiving and reading a secure message varies depending on which method is chosen.

IBE user registration and check email process via email:
  1. When a secure message is sent to a user, the user receives a notification directing them to their inbox.
  2. The user opens the registration email and clicks the registration link.
  3. The user registers, providing their Language, Time zone, First name, and Last name.
  4. When the user clicks Next, they must confirm their Verification email address, then click OK.
  5. The user then receives a one-time password or token via email.
  6. Upon entering the token correctly, the user receives a successful registration notification email.
  7. Now that registration is complete, the user may only open the secure message once they have requested a token.

  8. The user clicks the secure message link and then clicks Request Token. The token is sent via email to the user.
  9. The user enters the token and clicks Verify Token.
  10. After the token is verified, the user is granted access to the secure message.
IBE user registration and check email process via SMS:
  1. When a secure message is sent to a user, the user receives a notification. The user clicks Register.
  2. A registration email is sent to the user.

  3. The user opens the registration email and clicks the registration link.
  4. The user registers, providing their Language, Time zone, First name, and Last name.
  5. When the user clicks Next, they must confirm their Verification phone number, then click OK.
  6. The user then receives a one-time password or token via SMS.
  7. Upon entering the token correctly, the user receives a successful registration notification email.
  8. Now that registration is complete, the user may only open the secure message once they have requested a token.

  9. The user clicks the secure message link and then clicks Request Token. The token is sent via email to the user.
  10. The user enters the token and clicks Verify Token.
  11. After the token is verified, the user is granted access to the secure message.
IBE user registration and check email process via email and SMS:
  1. When a secure message is sent to a user, the user receives a notification. The user clicks Register.
  2. A registration email is sent to the user.

  3. The user opens the registration email and clicks the registration link.
  4. The user registers, providing their Language, Time zone, First name, and Last name.
  5. Since the user has selected both email and SMS as token delivery methods, they must verify their email address and Mobile Station International Subscriber Directory Number (MSISDN). Note that a token is not required for the registration of the user's own email address.

  6. When the user clicks Next, they must confirm their Verification email address, then click OK.
  7. The user must then confirm their Verification phone number and request a token.
  8. The user then receives a one-time password or token via SMS.
  9. Upon entering the token correctly, the user receives a successful registration notification email.
  10. Now that registration is complete, the user may only open the secure message once they have requested a token.

  11. The user clicks the secure message link. Before the user clicks Request Token, they must select a Token method option: either SMS or Email. The token is sent via the selected option to the user.
  12. The user enters the token and clicks Verify Token.
  13. After the token is verified, the user is granted access to the secure message.

See also

Configuring active users

Viewing and managing IBE domains

The FortiMail unit records the domain names of the recipients who register or authenticate on FortiMail.

To view those domains, go to Domain & User > IBE User > IBE Domain.

GUI item

Description

Delete

(button)

Select to remove a selected domain.

Deleting a domain also disables all its users. These users cannot access the FortiMail unit until they receive new secure mail notifications from the FortiMail unit.

Remove All Users

(button)

Select to delete all mail users in a selected domain. These users cannot access the FortiMail unit until they receive new secure mail notifications from the FortiMail unit.

Search

(button)

Select to search IBE domains. A search dialog appears.

Active User Count

Displays the active mail users in a domain. For more information about active users, see Configuring active users.

Expired User Count

Displays the expired mail users in a domain. For more information about active users, see Configuring expired users.