Administration Guide

Managing the quarantines

You can quarantine email messages based on the message content, such as whether the email is spam or contains a prohibited word or phrase. FortiMail units have three types of quarantine:

Personal quarantine

Quarantines email messages into separate folders for each recipient address in each protected domain. The FortiMail unit periodically sends quarantine reports to notify recipients, their designated group owner, and/or another email address of the email messages that were added to the quarantine folder for that recipient. See Managing the personal quarantines.

System quarantine

Quarantines email messages into a system-wide quarantine. Unlike the per-recipient quarantine, the FortiMail unit does not send a quarantine report. The FortiMail administrator should review the quarantined email messages to decide if they should be released or deleted. See Managing the system quarantine.

Domain quarantine
Note

Domain quarantines are only available to FortiMail units with a valid purchased advanced management license.

Quarantines email messages into separate folders for each protected domain, in the case of a multi-tenant environment. Unlike the per-recipient quarantine, the FortiMail unit does not send a quarantine report. The FortiMail administrator, assigned to their respective domain, should review the quarantined email messages to decide if they should be released or deleted. See Managing the domain quarantines.

To quarantine spam and/or email with prohibited content, you must select a quarantine action in an antispam, antivirus, content, or DLP profile. For details, see:

Sample Submission

You may also submit samples of spam email to a specified email account so it may either be reviewed by an administrator or sent directly to FortiGuard. See Managing the spam sample submissions.

All FortiMail models can be configured to remotely store their quarantined email messages in a centralized quarantine hosted on a high-end FortiMail model (FortiMail VM02, FortiMail 400E series and above).

Managing the personal quarantines

The Personal Quarantine tab displays a list of personal quarantines, also called per-recipient quarantines.

In advanced mode, when incoming email matches a policy that directs quarantined email to the personal quarantine, the FortiMail unit will save the email to its hard drive and not deliver it to the recipient. Instead, the FortiMail unit will periodically send a quarantine report to email users, their designated group owner, or another recipient (if you have configured one using the advanced mode of the web UI).

In basic mode, incoming quarantined email is also kept on the FortiMail unit’s hard drive.

The quarantine report, by default sent once a day at 9 AM, lists all email messages that were withheld since the previous quarantine report. Using the quarantine report, email users can review email message details and release any email messages that are false positives by clicking the link associated with them. The email message will then be released from quarantine and delivered to the email user’s inbox. Using the web UI, FortiMail administrators can also manually release or delete quarantined email. For more information on deleting email that has been quarantined to the per-recipient quarantine, see Managing the personal quarantines. For information on configuring the schedule and recipients of the quarantine report, see Configuring global quarantine report settings.

You can configure the FortiMail unit to send email to the per-recipient quarantine by selecting Quarantine in action profiles, content profiles and antispam profiles. For more information, see Configuring antispam action profiles and Configuring content profiles.

Unlike the system-wide quarantine, the per-recipient quarantine can be accessed remotely by email users so that they can manage their own quarantined email. For information on configuring remote per-recipient quarantine access, see How to enable, configure, and use personal quarantines.

To view the list of per-recipient quarantine folders for a protected domain
  1. Go to Monitor > Quarantine > Personal Quarantine.
  2. Select the name of a protected domain from Domain.

You can view, delete, and release email that has been quarantined to each personal quarantine mailbox.

Note

To reduce disk usage, regularly delete the quarantined email. Releasing quarantined email does not reduce disk usage.

Note

Email users can also manage their own per-recipient quarantines through quarantine reports. For more information, see Releasing and deleting email via quarantine reports.

To view email messages inside a personal quarantine mailbox
  1. Go to Monitor > Quarantine > Personal Quarantine.
  2. Double-click the row corresponding to that mailbox.
  3. To view an email in the mailbox, double-click it.

How to enable, configure, and use personal quarantines

In general, to use personal quarantines, you should complete the following:

  1. Configure the host name and mail queue of the FortiMail unit.
  2. If you want to specify an alternate FQDN that will be used only by web release/delete URLs in HTML-formatted quarantine reports, see Web release host name/IP. This FQDN should be globally resolvable.

  3. Select the recipients, delivery schedule, and release methods of the quarantine report. For details, see Configuring protected domains for quarantine report settings that are domain-specific, or Configuring global quarantine report settings for quarantine report settings that are system-wide.
  4. If email users will release/delete email from their quarantine by sending email, configure the user name portion (also known as the local-part) for the quarantine control email addresses (the domain-part will be the local domain name of the FortiMail unit). For details, see Configuring the quarantine control options.
  5. For gateway mode or transparent mode, configure authentication profiles that will allow email users to authenticate when accessing their per-recipient quarantine. Alternatively, if email users require only HTTP/HTTPS access, you may configure PKI user accounts.
  6. For server mode, configure the email user accounts. Email users can authenticate using this account to access their per-recipient quarantine.

    For details, see Workflow to enable and configure authentication of email users.

  7. Enable quarantine reports in each email user’s preferences. Both FortiMail administrators and email users can do this. For details, see Configuring user preferences, or the online help for FortiMail webmail and per-recipient quarantines.
  8. If the FortiMail unit is operating in server mode and you want to enable web release/delete, configure resource profiles in which Webmail access is enabled.
  9. Enable the Personal quarantine and Send quarantine report option in incoming antispam and/or content profiles. If you want to allow email users to release and/or delete email from their quarantine by email or web release/delete, also enable Email release and Web release.

    For details, see Configuring antispam action profiles and/or Configuring content action profiles.

  10. Select the antispam and/or content profiles in incoming recipient-based policies. If you configured a resource profile for web release/delete in server mode (the earlier step on resource profiles in which Webmail access is enabled), also select the resource profile.
  11. If the FortiMail unit is operating in gateway or transparent mode and you want to enable web release/delete, enable Allow quarantined email access through webmail in each incoming recipient-based policy.

    For details, see Controlling email based on sender and recipient addresses.

  12. Either email users or FortiMail administrators can manage email in the per-recipient quarantines. For details, see Managing the personal quarantines and Releasing and deleting email via quarantine reports.

Searching email in the personal quarantine

You can search the personal quarantine for email messages based on their contents, senders, recipients, and time frames, across any or all protected domains.

The search action involves the following steps:

  • Create a search task, where you can specify search criteria.
  • Execute and view the search results.

See below for detailed instructions.

To search the personal quarantine
  1. Go to Monitor > Quarantine > Personal Quarantine.
  2. Click Search. The Personal Quarantine Search tab appears, displaying all search tasks, if there are any.
  3. Click New to add a search task. A dialog appears.
  4. Configure the search criteria, including Time Range to define the date(s) and time of the search, various Search Filter criteria, and whether the search should be conducted across all or multiple domains.

    Email messages must match all criteria that you configure to be included in the search results. For example, if you configure From and Subject, only email messages matching both From and Subject will be included in the search results. Select from the list of available header options under Field:

    • From
    • To
    • Cc
    • To or Cc
    • From, To or Cc
    • Subject
    • Text
    • Attachment
    • Message-ID
    • Client IP
    • Endpoint ID
    • Policy ID
    • Custom Header

    Wildcard header search support is also available.

  5. Click Search to execute and save the task. The task name is the time when the task is created. The Personal Quarantine Search tab displays the search tasks and their search status as follows:
    • Done: The FortiMail unit has finished the search. You can click the View Search Result button to view the search results.
    • Pending: The search task is in the waiting list.
    • Running: The search task is still running. You can choose to stop the task by clicking the Stop button.
    • Stopped: The search task is stopped. You can choose to resume the task by clicking the Resume button.

Managing the system quarantine

The System Quarantine tab displays the system quarantine.

Unlike the per-recipient quarantine, the system quarantine cannot be accessed remotely by email users. Also, they do not receive quarantine reports for email held in the system quarantine and cannot manage the system quarantine themselves. A FortiMail administrator should periodically review the contents of the system quarantine. Alternatively, you can configure a special-purpose system quarantine administrator for this task. For more information, see Configuring the system quarantine setting.

Note

To reduce disk usage, regularly delete the quarantined email. Releasing quarantined email does not reduce disk usage.

By default, the system quarantine is not used until you configure the FortiMail unit to send per-recipient quarantine to system quarantine by selecting System quarantine in antivirus action profiles, content action profiles, and antispam action profiles. For more information, see Configuring antivirus action profiles, Configuring antispam action profiles and Configuring content action profiles.

To view and manage system quarantine folders
  1. Go to Monitor > Quarantine > System Quarantine.
  2. From the Folder dropdown list, select which type of quarantined email you want to view:

    GUI item: Description

    • View (button): Select an item in the table and click View to open the item.
    • Delete (button): Click to delete the selected item.
    • Compact (button): Select the check boxes of each email user whose quarantine folder you want to compact and click Compact.

      For performance reasons, when you delete an email, it is marked for deletion but not actually removed from the hard disk at that time, and so still consumes some disk space. Compaction reclaims this hard disk space.

      Note: FortiMail updates folder sizes once an hour. The reduction in folder size is not immediately reflected after compacting.
    • Search (button): Click to search the mail data.
    • Release (button): Starting from the 6.2.0 release, you can select a folder and batch release the email in the folder according to the criteria you specify:
      • Start date
      • End date
      • Message type: Either Unreleased Only or All Messages.
      • Release to: Original recipient(s) or other recipient(s) you specify.
    • Folder (dropdown list): From the dropdown list, select a folder to view.
    • Folder: Lists the current folder. Older system quarantine mailboxes, also called rotated folders, are named according to their creation date and the rename date. For information on configuring rotation of the system quarantine mailbox, see Configuring the system quarantine setting.

      To view email messages quarantined in that mailbox, double-click its row. For more information, see Managing the system quarantine.
    • Size: Lists the size of the quarantine folder in kilobytes (KB).

      Note: Mailbox sizes are updated once an hour.
    • Message Count: Lists the total number of quarantined messages in the mailbox.

    Note

    You can also configure a system quarantine administrator account whose exclusive purpose is to manage the system quarantine. For more information, see Configuring the system quarantine setting.

  3. Double-click a system quarantine mailbox. You can view, delete, release, and forward email in the system quarantine.

    GUI item: Description

    • View (button): To view a message, either double-click it, or mark its check box and click View.
    • Delete (button): Click to delete the selected item.
    • Release (button): To release all email messages in the current view, mark the top check box and click Release.

      To release individual email messages, mark their check boxes and click Release.

      In the pop-up window, you can select to release email to the original recipient and/or to other recipients. If you want to release email to other recipients, enter the email addresses. You can add up to five email addresses.
    • Back (button): Click to return to viewing the list of system quarantine folders.
    • Filter: Use the filter to display the released or unreleased email only.

      By default, FortiMail only displays the unreleased email.
    • Search (button): Click to search the system quarantine folder that you are currently viewing. For details, see Searching email in the system quarantine.
    • Subject: Lists the subject line of the email. Click to display the email message.
    • From: Lists the display name of the sender as it appears in the message header, such as "User 1".
    • To: Lists the display name of the recipient as it appears in the message header, such as "User 2".
    • Rcpt To: Lists the user name portion (also known as the local-part) of the recipient email address (RCPT TO:) as it appears in the message envelope, such as user2 where the full recipient email address is user2@example.com.
    • Session ID: Lists the session ID of each email.
    • Received: Lists the time that the email was received.
    • Size: Lists the size of the email message in kilobytes (KB).

  4. Double-click an email message to open it. The email message appears, including basic message headers such as the subject and date.
  5. Select the action that you want to perform on the quarantined email.
    • To view additional message headers, click the + button, then click Detailed Header.
    • To release the email message to its recipient, click Release.
    • To download the email message from the quarantine, click Download.

Searching email in the system quarantine

You can search a system quarantine folder (content, virus or bulk) for email messages based on their message body content and message headers.

The search process is similar to the personal quarantine search. For details, see Searching email in the personal quarantine.

Managing the domain quarantines

The Domain Quarantine tab displays a list of quarantines for each domain on the FortiMail unit. Note that this is only available with a valid purchased advanced management license.

In multi-tenant environments with multiple domains, administrators are given per-domain permissions to view and perform actions on quarantined messages within their domain. Domain administrators are provided their privileges from the Domain Quarantine access control permission within their assigned admin profile. See Configuring admin profiles for more information. Note that domain/domain-group administrators cannot access system quarantined messages.

Similarly to the system quarantine, domain quarantine administrators do not receive quarantine reports for email held in the domain quarantine and cannot manage the domain quarantine themselves. Domain administrators should periodically review the contents of the domain quarantine.

Options for viewing and managing the domain quarantine folders are similar to the options available for system quarantine. See To view and manage system quarantine folders for more information.

Searching email in the domain quarantine

With a valid advanced management license, you can search the domain quarantine for email messages based on their contents, senders, recipients, and time frames, across any or all protected domains.

The search action involves the following steps:

  • Create a search task, where you can specify search criteria.
  • Execute and view the search results.

See below for detailed instructions.

To search the domain quarantine
  1. Go to Monitor > Quarantine > Domain Quarantine.
  2. Click Search. The Domain Quarantine Search tab appears, displaying all search tasks, if there are any.
  3. Click New to add a search task. A dialog appears.
  4. Configure the search criteria, including Time Range to define the date(s) and time of the search, various Search Filter criteria, the particular domain to search, and whether the search should be conducted across all or multiple folders or mailboxes.

    Email messages must match all criteria that you configure to be included in the search results. For example, if you configure From and Subject, only email messages matching both From and Subject will be included in the search results. Select from the list of available header options under Field:

    • From
    • To
    • Cc
    • To or Cc
    • From, To or Cc
    • Subject
    • Text
    • Attachment
    • Message-ID
    • Client IP
    • Endpoint ID
    • Policy ID
    • Custom Header

    Wildcard header search support is also available.

  5. Click Search to execute and save the task. The task name is the time when the task is created. The Domain Quarantine Search tab displays the search tasks and their search status as follows:
    • Done: The FortiMail unit has finished the search. You can click the View Search Result button to view the search results.
    • Pending: The search task is in the waiting list.
    • Running: The search task is still running. You can choose to stop the task by clicking the Stop button.
    • Stopped: The search task is stopped. You can choose to resume the task by clicking the Resume button.

Managing the spam sample submissions

Once the sample submission service is enabled and email addresses are set to receive sample submissions of spam or non-spam, you can search for email messages based on whether they have been submitted as spam, non-spam (or ham), or if they have been detected to contain spam by FortiGuard.

Depending on the email addresses defined to receive these submissions, emails are placed into the Spam or Ham (non-spam) folders. Any emails that FortiGuard detected as spam are placed into the Spam_detected folder.

Note

The All folder is limited to displaying only the current day's messages.

To view all historically submitted messages, you must select the appropriate folder (either Spam, Ham, or Spam_detected).

To submit and view sample submissions, the service must first be enabled. See Configuring spam sample submission service for more information.

To view and manage sample submission folders
  1. Go to Monitor > Quarantine > Sample Submission.
  2. From the Folder dropdown list, select which type of spam sample submission email you want to view:

    GUI item: Description

    • View (button): Select an item in the table and click View to open the item.
    • Delete (button): Click to delete the selected item.
    • Compact (button): Select the check boxes of each email user whose quarantine folder you want to compact and click Compact.

      For performance reasons, when you delete an email, it is marked for deletion but not actually removed from the hard disk at that time, and so still consumes some disk space. Compaction reclaims this hard disk space.

      Note: FortiMail updates folder sizes once an hour. The reduction in folder size is not immediately reflected after compacting.
    • Search (button): Click to search the mail data.
    • Submit (button): Select a folder and batch submit the email in the folder according to the criteria you specify:
      • Start date
      • End date
      • Message type: Either Not Submitted Only or All Messages.
      • Submit to: Either FortiGuard or Other recipient(s) you specify.
    • Folder (dropdown list): From the dropdown list, select a folder to view.
    • Folder: Lists the current folder. Older system quarantine mailboxes, also called rotated folders, are named according to their creation date and the rename date. For information on configuring rotation of the system quarantine mailbox, see Configuring the system quarantine setting.
    • Size: Lists the size of the quarantine folder in kilobytes (KB).

      Note: Mailbox sizes are updated once an hour.
    • Message Count: Lists the total number of quarantined messages in the mailbox.

  3. Double-click a spam sample submission folder. You can view, delete, submit, and filter sample submissions.

    GUI item: Description

    • Filter: Use the filter to display the submitted or unsubmitted email only.

      By default, FortiMail only displays the unsubmitted email.
    • Subject: Lists the subject line of the email. Click to display the email message.
    • From: Lists the display name of the sender as it appears in the message header, such as "User 1".
    • To: Lists the display name of the recipient as it appears in the message header, such as "User 2".
    • Rcpt To: Lists the user name portion (also known as the local-part) of the recipient email address (RCPT TO:) as it appears in the message envelope, such as user2 where the full recipient email address is user2@example.com.
    • Session ID: Lists the session ID of each sample submission.
    • Received: Lists the time that the email was received.
    • Size: Lists the size of the email message in kilobytes (KB).

  4. Double-click an email message to open it. The email message appears, including basic message headers such as the subject and date.

    Managing the quarantines

    You can quarantine email messages based on the message content, such as whether the email is spam or contains a prohibited word or phrase. FortiMail units have three types of quarantine:

    Personal quarantine

    Quarantines email messages into separate folders for each recipient address in each protected domain. The FortiMail unit periodically sends quarantine reports to notify recipients, their designated group owner, and/or another email address of the email messages that were added to the quarantine folder for that recipient. See Managing the personal quarantines.

    System quarantine

    Quarantines email messages into a system-wide quarantine. Unlike the per-recipient quarantine, the FortiMail unit does not send a quarantine report. The FortiMail administrator should review the quarantined email messages to decide if they should be released or deleted. See Managing the system quarantine.

    Domain quarantine
    Note

    Domain quarantines are only available to FortiMail units with a valid purchased advanced management license.

    Quarantines email messages into separate folders for each protected domain, in the case of a multi-tenant environment. Unlike the per-recipient quarantine, the FortiMail unit does not send a quarantine report. The FortiMail administrator, assigned to their respective domain, should review the quarantined email messages to decide if they should be released or deleted. See Managing the domain quarantines.

    To quarantine spam and/or email with prohibited content, you must select a quarantine action in an antispam, antivirus, content, or DLP profile. For details, see:

    Sample Submission

    You may also submit samples of spam email to a specified email account so it may either be reviewed by an administrator or sent directly to FortiGuard. See Managing the spam sample submissions.

    All FortiMail models can be configured to remotely store their quarantined email messages in a centralized quarantine hosted on a high end FortiMail model (FortiMail VM02, FortiMail 400E series and above).

    Managing the personal quarantines

    The Personal Quarantine tab displays a list of personal quarantines, also called per-recipient quarantines.

    In advanced mode, when incoming email matches a policy that directs quarantined email to the personal quarantine, the FortiMail unit will save the email to its hard drive and not deliver it to the recipient. Instead, the FortiMail unit will periodically send a quarantine report to email users, their designated group owner, or another recipient (if you have configured one using the advanced mode of the web UI).

    In basic mode, incoming quarantined email also is kept on the FortiMail unit’s hard drive.

    The quarantine report, by default sent once a day at 9 AM, lists all email messages that were withheld since the previous quarantine report. Using the quarantine report, email users can review email message details and release any email messages that are false positives by clicking the link associated with them. The email message will then be released from quarantine and delivered to the email user’s inbox. Using the web UI, FortiMail administrators can also manually release or delete quarantined email. For more information on deleting email that has been quarantined to the per-recipient quarantine, see Managing the personal quarantines. For information on configuring the schedule and recipients of the quarantine report, see Configuring global quarantine report settings.

    You can configure the FortiMail unit to send email to the per-recipient quarantine by selecting Quarantine in action profiles, content profiles and antispam profiles. For more information, see Configuring antispam action profiles and Configuring content profiles.

    Unlike the system-wide quarantine, the per-recipient quarantine can be accessed remotely by email users so that they can manage their own quarantined email. For information on configuring remote per-recipient quarantine access, see How to enable, configure, and use personal quarantines.

    To view the list of per-recipient quarantine folders for a protected domain
    1. Go to Monitor > Quarantine > Personal Quarantine.
    2. Select the name of a protected domain from Domain.

    You can view, delete, and release email that has been quarantined to each personal quarantine mailbox.

    Note

    To reduce disk usage, regularly delete the quarantined email. Releasing quarantined email does not reduce disk usage.

    Note

    Email users can also manage their own per-recipient quarantines through quarantine reports. For more information, see Releasing and deleting email via quarantine reports.

    To view email messages inside a personal quarantine mailbox
    1. Go to Monitor > Quarantine > Personal Quarantine.
    2. Double-click the row corresponding to that mailbox.
    3. To view an email in the mailbox, double-click it.

    How to enable, configure, and use personal quarantines

    In general, to use personal quarantines, you should complete the following:

    1. Configure the host name and mail queue of the FortiMail unit.
    2. If you want to specify an alternate FQDN that will be used only by web release/delete URLs in HTML-formatted quarantine reports, see Web release host name/IP. This FQDN should be globally resolvable.

    3. Select the recipients, delivery schedule, and release methods of the quarantine report. For details, see Configuring protected domains for quarantine report settings that are domain-specific, or Configuring global quarantine report settings for quarantine report settings that are system-wide.
    4. If email users will release/delete email from their quarantine by sending email, configure the user name portion (also known as the local-part) for the quarantine control email addresses (the domain-part will be the local domain name of the FortiMail unit). For details, see Configuring the quarantine control options.
    5. For gateway mode or transparent mode, configure authentication profiles that will allow email users to authenticate when accessing their per-recipient quarantine. Alternatively, if email users require only HTTP/HTTPS access, you may configure PKI user accounts.
    6. For server mode, configure the email user accounts. Email users can authenticate using this account to access their per-recipient quarantine.

      For details, see Workflow to enable and configure authentication of email users.

    7. Enable quarantine reports in each email user’s preferences. Both FortiMail administrators and email users can do this. For details, see Configuring user preferences, or the online help for FortiMail webmail and per-recipient quarantines.
    8. If the FortiMail unit is operating in server mode and you want to enable web release/delete, configure resource profiles in which Webmail access is enabled.
    9. Enable the Personal quarantine and Send quarantine report option in incoming antispam and/or content profiles. If you want to allow email users to release and/or delete email from their quarantine by email or web release/delete, also enable Email release and Web release.
    10. For details, see Configuring antispam action profiles and/or Configuring content action profiles.

    11. Select the antispam and/or content profiles in incoming recipient-based policies. If you configured a resource profile in step If the FortiMail unit is operating in server mode and you want to enable web release/delete, configure resource profiles in which Webmail access is enabled.6, also select the resource profile.
    12. If the FortiMail unit is operating in gateway or transparent mode and you want to enable web release/delete, enable Allow quarantined email access through webmail in each incoming recipient-based policy.

      For details, see Controlling email based on sender and recipient addresses.

    13. Either email users or FortiMail administrators can manage email in the per-recipient quarantines. For details, see Managing the personal quarantines and Releasing and deleting email via quarantine reports.

    Searching email in the personal quarantine

    You can search the personal quarantine for email messages based on their contents, senders, recipients, and time frames, across any or all protected domains.

    The search action involves the following steps:

    • Create a search task, where you can specify search criteria.
    • Execute and view the search results.

    See below for detailed instructions.

    To search the personal quarantine
    1. Go to Monitor > Quarantine > Personal Quarantine.
    2. Click Search. The Personal Quarantine Search tab appears, displaying all search tasks, if there are any.
    3. Click New to add a search task. A dialog appears.
    4. Configure the search criteria, including Time Range to define the date(s) and time of the search and the various Search Filter criteria, and determine whether the search should be conducted across all or multiple domains.

      Email messages must match all criteria that you configure to be included in the search results. For example, if you configure From and Subject, only email messages matching both From and Subject will be included in the search results. Select from the list of available header options under Field:

      • From
      • To
      • Cc
      • To or Cc
      • From, To or Cc
      • Subject
      • Text
      • Attachment
      • Message-ID
      • Client IP
      • Endpoint ID
      • Policy ID
      • Custom Header

      Wildcard header search support is also available.

    5. Click Search to execute and save the task. The task name is the time when the task is created. The Personal Quarantine Search tab displays the search tasks and their search status as follows:
      • Done: The FortiMail unit has finished the search. You can click the View Search Result button to view the search results.
      • Pending: The search task is in the waiting list.
      • Running: The search task is still running. You can choose to stop the task by clicking the Stop button.
      • Stopped: The search task is stopped. You can choose to resume the task by clicking the Resume button.

    Managing the system quarantine

    The System Quarantine tab displays the system quarantine.

    Unlike the per-recipient quarantine, the system quarantine cannot be accessed remotely by email users. Also, they do not receive quarantine reports for email held in the system quarantine and cannot manage the system quarantine themselves. A FortiMail administrator should periodically review the contents of the system quarantine. Alternatively, you can configure a special-purpose system quarantine administrator for this task. For more information, see Configuring the system quarantine setting.

    Note

    To reduce disk usage, regularly delete the quarantined email. Releasing quarantined email does not reduce disk usage.

    By default, the system quarantine is not used until you configure the FortiMail unit to send per-recipient quarantine to system quarantine by selecting System quarantine in antivirus action profiles, content action profiles, and antispam action profiles. For more information, see Configuring antivirus action profiles, Configuring antispam action profiles and Configuring content action profiles.

    To view and manage system quarantine folders
    1. Go to Monitor > Quarantine > System Quarantine.
    2. From the Folder dropdown list, select which type of quarantined email you want to view:

      GUI item: Description

      • View (button): Select an item in the table and click View to open the item.
      • Delete (button): Click to delete the selected item.
      • Compact (button): Select the check boxes of each email user whose quarantine folder you want to compact and click Compact. For performance reasons, when you delete an email, it is marked for deletion but not actually removed from the hard disk at that time, and so still consumes some disk space. Compaction reclaims this hard disk space. Note: FortiMail updates folder sizes once an hour. The reduction in folder size is not immediately reflected after compacting.
      • Search (button): Click to search the mail data.
      • Release (button): Starting from the 6.2.0 release, you can select a folder and batch release the email in the folder according to the criteria you specify:
        • Start date
        • End date
        • Message type: Either Unreleased Only or All Messages.
        • Release to: Original recipient(s) or other recipient(s) you specify.
      • Folder (dropdown list): From the dropdown list, select a folder to view.
      • Folder: Lists the current folder. Older system quarantine mailboxes, also called rotated folders, are named according to their creation date and the rename date. For information on configuring rotation of the system quarantine mailbox, see Configuring the system quarantine setting. To view email messages quarantined in that mailbox, double-click its row. For more information, see Managing the system quarantine.
      • Size: Lists the size of the quarantine folder in kilobytes (KB). Note: Mailbox sizes are updated once an hour.
      • Message Count: Lists the total number of quarantined messages in the mailbox.

      Note

      You can also configure a system quarantine administrator account whose exclusive purpose is to manage the system quarantine. For more information, see Configuring the system quarantine setting.

    3. Double-click a system quarantine mailbox. You can view, delete, release, and forward email in the system quarantine.

      GUI item: Description

      • View (button): To view a message, either double-click it, or mark its check box and click View.
      • Delete (button): Click to delete the selected item.
      • Release (button): To release all email messages in the current view, mark the top check box and click Release. To release individual email messages, mark their check boxes and click Release. In the pop-up window, you can select to release email to the original recipient and/or to other recipients. If you want to release email to other recipients, enter the email addresses. You can add up to five email addresses.
      • Back (button): Click to return to viewing the list of system quarantine folders.
      • Filter: Use the filter to display the released or unreleased email only. By default, FortiMail only displays the unreleased email.
      • Search (button): Click to search the system quarantine folder that you are currently viewing. For details, see Searching email in the system quarantine.
      • Subject: Lists the subject line of the email. Click to display the email message.
      • From: Lists the display name of the sender as it appears in the message header, such as "User 1".
      • To: Lists the display name of the recipient as it appears in the message header, such as "User 2".
      • Rcpt To: Lists the user name portion (also known as the local-part) of the recipient email address (RCPT TO:) as it appears in the message envelope, such as user2 where the full recipient email address is user2@example.com.
      • Session ID: Lists the session ID of each email.
      • Received: Lists the time that the email was received.
      • Size: Lists the size of the email message in kilobytes (KB).

    4. Double-click an email message to open it. The email message appears, including basic message headers such as the subject and date.
    5. Select the action that you want to perform on the quarantined email.
    • To view additional message headers, click the + button, then click Detailed Header.
    • To release the email message to its recipient, click Release.
    • To download the email message from the quarantine, click Download.

    Searching email in the system quarantine

    You can search a system quarantine folder (content, virus or bulk) for email messages based on their message body content and message headers.

    The search process is similar to the personal quarantine search. For details, see Searching email in the personal quarantine.

    Managing the domain quarantines

    The Domain Quarantine tab displays a list of quarantines for each domain on the FortiMail unit. Note that this is only available with a valid purchased advanced management license.

    In multi-tenant environments with multiple domains, administrators are given per-domain permissions to view and perform actions on quarantined messages within their domain. Domain administrators are provided their privileges from the Domain Quarantine access control permission within their assigned admin profile. See Configuring admin profiles for more information. Note that domain/domain-group administrators cannot access system quarantined messages.

    Similarly to the system quarantine, domain quarantine administrators do not receive quarantine reports for email held in the domain quarantine and cannot manage the domain quarantine themselves. Domain administrators should periodically review the contents of the domain quarantine.

    Options for viewing and managing the domain quarantine folders are similar to the options available for system quarantine. See To view and manage system quarantine folders for more information.

    Searching email in the domain quarantine

    With a valid advanced management license, you can search the domain quarantine for email messages based on their contents, senders, recipients, and time frames, across any or all protected domains.

    The search action involves the following steps:

    • Create a search task, where you can specify search criteria.
    • Execute and view the search results.

    See below for detailed instructions.

    To search the domain quarantine
    1. Go to Monitor > Quarantine > Domain Quarantine.
    2. Click Search. The Domain Quarantine Search tab appears, displaying all search tasks, if there are any.
    3. Click New to add a search task. A dialog appears.
    4. Configure the search criteria, including Time Range to define the date(s) and time of the search, the various Search Filter criteria, and the particular domain to search, and determine whether the search should be conducted across all or multiple folders, or mailboxes.

      Email messages must match all criteria that you configure to be included in the search results. For example, if you configure From and Subject, only email messages matching both From and Subject will be included in the search results. Select from the list of available header options under Field:

      • From
      • To
      • Cc
      • To or Cc
      • From, To or Cc
      • Subject
      • Text
      • Attachment
      • Message-ID
      • Client IP
      • Endpoint ID
      • Policy ID
      • Custom Header

      Wildcard header search support is also available.

    5. Click Search to execute and save the task. The task name is the time when the task is created. The Domain Quarantine Search tab displays the search tasks and their search status as follows:
      • Done: The FortiMail unit has finished the search. You can click the View Search Result button to view the search results.
      • Pending: The search task is in the waiting list.
      • Running: The search task is still running. You can choose to stop the task by clicking the Stop button.
      • Stopped: The search task is stopped. You can choose to resume the task by clicking the Resume button.
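
    The match-all rule used by both the personal and the domain quarantine search, sketched offline as an added example (this is not FortiMail code). It can help explain why a multi-criteria search returns fewer messages than expected. The sample messages are constructed, and the matching details (case-insensitive comparison, `*` and `?` wildcards, whole-value match) are assumptions of this sketch, not documented FortiMail behavior.

```python
from email import message_from_string
from fnmatch import fnmatchcase

# Field names from the search dialog, mapped to the headers each one covers.
# A composite field matches when ANY of its headers matches (OR within a field).
FIELD_HEADERS = {
    "From": ["From"], "To": ["To"], "Cc": ["Cc"],
    "To or Cc": ["To", "Cc"],
    "From, To or Cc": ["From", "To", "Cc"],
    "Subject": ["Subject"], "Message-ID": ["Message-ID"],
}

# Constructed sample messages, not real quarantine data.
RAW = [
    "From: Billing <billing@vendor.example>\nTo: user1@example.com\n"
    "Subject: Invoice 1042 overdue\n\nPlease pay the attached invoice.\n",
    "From: Billing <billing@vendor.example>\nTo: user2@example.com\n"
    "Cc: user1@example.com\nSubject: Monthly newsletter\n\nUnsubscribe here.\n",
    "From: promo@other.example\nTo: user1@example.com\n"
    "Subject: Invoice attached\nX-Campaign: q3-blast\n\nSee attachment.\n",
]
MESSAGES = [message_from_string(raw) for raw in RAW]

def field_values(msg, field):
    """Collect the strings that a criterion on `field` is compared against."""
    if field == "Text":  # message body; this sketch handles single-part mail only
        return [msg.get_payload()]
    # Any name outside the table is treated as a custom header name.
    headers = FIELD_HEADERS.get(field, [field])
    return [value for h in headers for value in msg.get_all(h, [])]

def field_matches(msg, field, pattern):
    """Assumed matching: case-insensitive, * and ? wildcards, whole-value match."""
    pat = pattern.lower()
    return any(fnmatchcase(v.lower(), pat) for v in field_values(msg, field))

def search(messages, criteria):
    """Return the messages that satisfy ALL (field, pattern) criteria."""
    return [m for m in messages
            if all(field_matches(m, f, p) for f, p in criteria)]

def subjects(messages):
    """Subject lines of the given messages, for display."""
    return [m["Subject"] for m in messages]

if __name__ == "__main__":
    print(subjects(search(MESSAGES, [("From", "*vendor.example*"),
                                     ("Subject", "*invoice*")])))
    print(subjects(search(MESSAGES, [("To or Cc", "*user1@example.com*")])))
```

    Adding a criterion can only narrow the result set, while choosing a composite field such as To or Cc widens what a single criterion can match.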

    Managing the spam sample submissions

    Once the sample submission service is enabled and email addresses are set to receive sample submissions of spam or non-spam, you can search for email messages based on whether they have been submitted as spam, non-spam (or ham), or if they have been detected to contain spam by FortiGuard.

    Depending on the email addresses defined to receive these submissions, emails are placed into the Spam or Ham (non-spam) folders. Any emails that FortiGuard detected as spam are placed into the Spam_detected folder.

    Note

    The All folder is limited to displaying only the current day's messages.

    To view all historically submitted messages, you must select the appropriate folder (either Spam, Ham, or Spam_detected).

    To submit and view sample submissions, the service must first be enabled. See Configuring spam sample submission service for more information.

    To view and manage sample submission folders
    1. Go to Monitor > Quarantine > Sample Submission.
    2. From the Folder dropdown list, select which type of spam sample submission email you want to view:

      GUI item: Description

      • View (button): Select an item in the table and click View to open the item.
      • Delete (button): Click to delete the selected item.
      • Compact (button): Select the check boxes of each email user whose quarantine folder you want to compact and click Compact. For performance reasons, when you delete an email, it is marked for deletion but not actually removed from the hard disk at that time, and so still consumes some disk space. Compaction reclaims this hard disk space. Note: FortiMail updates folder sizes once an hour. The reduction in folder size is not immediately reflected after compacting.
      • Search (button): Click to search the mail data.
      • Submit (button): Select a folder and batch submit the email in the folder according to the criteria you specify:
        • Start date
        • End date
        • Message type: Either Not Submitted Only or All Messages.
        • Submit to: Either FortiGuard or Other recipient(s) you specify.
      • Folder (dropdown list): From the dropdown list, select a folder to view.
      • Folder: Lists the current folder. Older system quarantine mailboxes, also called rotated folders, are named according to their creation date and the rename date. For information on configuring rotation of the system quarantine mailbox, see Configuring the system quarantine setting.
      • Size: Lists the size of the quarantine folder in kilobytes (KB). Note: Mailbox sizes are updated once an hour.
      • Message Count: Lists the total number of quarantined messages in the mailbox.

    3. Double-click a spam sample submission folder. You can view, delete, submit, and filter sample submissions.

      GUI item: Description

      • Filter: Use the filter to display the submitted or unsubmitted email only. By default, FortiMail only displays the unsubmitted email.
      • Subject: Lists the subject line of the email. Click to display the email message.
      • From: Lists the display name of the sender as it appears in the message header, such as "User 1".
      • To: Lists the display name of the recipient as it appears in the message header, such as "User 2".
      • Rcpt To: Lists the user name portion (also known as the local-part) of the recipient email address (RCPT TO:) as it appears in the message envelope, such as user2 where the full recipient email address is user2@example.com.
      • Session ID: Lists the session ID of each sample submission.
      • Received: Lists the time that the email was received.
      • Size: Lists the size of the email message in kilobytes (KB).

    4. Double-click an email message to open it. The email message appears, including basic message headers such as the subject and date.