system global
Use this command to configure many FortiMail system-wide configurations.
Syntax
config system global
set admin-idle-timeout <timeout_int>
set admin-maintainer {enable | disable}
set default-certificate <name_str>
set disclaimer-per-domain {enable | disable}
set disk-monitor {enable | disable}
set email-migration-status {enable | disable}
set iscsi-initiator-name <name_str>
set lcd-protection {enable | disable}
set ldap-server-sys-status {enable | disable}
set ldap-sess-cache-state {enable | disable}
set local-domain-name <name_str>
set mailbox-service {enable | disable}
set mailstat-service {enable | disable}
set mta-adv-ctrl-status {enable | disable}
set operation mode {gateway | server | transparent}
set pki-certificate-req {yes | no}
set pki-mode {enable | disable}
set post-login-banner {admin | ibe | webmail}
set rest-api {enable | disable}
set ssl-versions {ssl3 tls1_0 | tls1_1 | tls1_2 | tls1_3}
set strong-crypto {enable | disable}
end
Variable |
Description |
Default |
Enter the amount of time in minutes after which an idle administrative session will be automatically logged out. The maximum idle time out is 480 minutes (eight hours). To improve security, do not increase the idle timeout. |
5 |
|
Enter the lockout duration in minutes after the failed login threshold is reached. |
3 |
|
Enter the number of failed login attempts before being locked out. |
4 |
|
Enable or disable the maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is Note that there is a limited time to complete this login. If you attempt to disable |
enable |
|
Enter the name of a local certificate to use it as the “default" (that is, currently chosen for use) certificate. FortiMail units require a local server certificate that it can present when clients request secure connections. |
factory |
|
Enter the minimum size of Diffie-Hellman prime for SSH/HTTPS. |
1024 |
|
Enable to allow individualized disclaimers to be configured for each protected domain. |
|
|
Enable to monitor the hard disk status of the FortiMail unit. If a problem is found, an alert email is sent to the administrator. |
disable |
|
Enable the email migration from external server. |
|
|
Enter the host name of the FortiMail unit. |
Varies by model. |
|
hsts-max-age <days> |
Set the HTTP Strict Transport Security (HSTS) max-age. 0 means to disable. |
365 |
Enter the FortiMail ISCSI client name used to communicate with the ISCSI server for centralized quarantine storage. This is only used to change the name generated by the FortiMail unit automatically. |
|
|
Enter the 6-digit personal identification number (PIN) that administrators must enter in order to access the FortiMail LCD panel. The PIN is used only when |
Encoded value varies. |
|
Enable to require that administrators enter a PIN in order to use the buttons on the front LCD panel. Also configure lcdpin. |
disable |
|
Enable or disable the LDAP server for serving organizational information. |
enable |
|
Enable to keep the continuity of the connection sessions to the LDAP server. Repeated session connections waste network resources. |
enable |
|
Enter the local domain name of the FortiMail unit. |
|
|
Note: The mailbox service feature is license based. If you do not purchase the MSSP license, this feature is not available. Enable the mailbox service. After you enable this service, see report mailbox for information on configuring the mailbox service. New options also appear in the GUI under FortiView > Mail Statistics > Active Mailbox. |
|
|
Enable the mail statistic service. After you enable this service, a new tab called Top User Statistics will appear under FortiView on the GUI. |
disable |
|
Enable to configure session-specific MTA settings and overwrite the global settings configured elsewhere. |
enable |
|
Enter one of the following operation modes:
|
gateway |
|
If the administrator’s web browser does not provide a valid personal certificate for PKI authentication, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter |
no |
|
Enable to allow PKI authentication for FortiMail administrators. For more information, see user pki and system admin. Also configure pki-certificate-req {yes | no}. Caution: Before disabling PKI authentication, select another mode of authentication for FortiMail administrators and email users that are currently using PKI authentication. Failure to first select another authentication method before disabling PKI authentication will prevent them from being able to log in. |
disable |
|
Enter the HTTP port number for administrative access on all interfaces. |
80 |
|
Enter the HTTPS port number for administrative access on all interfaces. |
443 |
|
Enter the SSH port number for administrative access on all interfaces. |
22 |
|
Enter the TELNET port number for administrative access on all interfaces. |
23 |
|
Enable or disable the legal disclaimer.
|
admin
|
|
Enable or disable the legal disclaimer before the administrator logs into the FortiMail web UI. |
admin |
|
Enable or disable REST API support. |
disable |
|
Specify which SSL/TLS versions you want to support for the HTTPS and SMTP access to FortiMail. Currently, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are supported. In 6.0.0 release, Starting from 6.0.1 release, both Starting from 6.2.0, when strong-crypto is enabled, TLS 1.0 is disabled. When |
ssl3 |
|
Enable to use strong encryption and only allow strong ciphers (AES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta) and higher. Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption. |
enable |
|
Enable to allow use of TFTP in FIPS mode. |
enable |