admin-idle-timeout <timeout_int>

Enter the amount of time in minutes after which an idle administrative session will be automatically logged out.

The maximum idle time out is 480 minutes (eight hours). To improve security, do not increase the idle timeout.

admin-lockout-duration

Enter the lockout duration in minutes after the failed login threshold is reached.

admin-lockout-threshold

Enter the number of failed login attempts before being locked out.

admin-maintainer {enable | disable}

Enable or disable the maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is \'bcpb\' followed by the unit serial number.

Note that there is a limited time to complete this login.

If you attempt to disable admin-maintainer, a message appears warning that the password recovery mechanism will be lost. Do not disable this option if you do not have a backup plan for recovery.

default-certificate <name_str>

Enter the name of a local certificate to use it as the “default" (that is, currently chosen for use) certificate.

FortiMail units require a local server certificate that it can present when clients request secure connections.

dh-params <params_int>

Enter the minimum size of Diffie-Hellman prime for SSH/HTTPS.

disclaimer-per-domain {enable | disable}

Enable to allow individualized disclaimers to be configured for each protected domain.

disk-monitor {enable | disable}

Enable to monitor the hard disk status of the FortiMail unit. If a problem is found, an alert email is sent to the administrator.

email-migration-status {enable | disable}

Enable the email migration from external server.

hostname <host_str>

Enter the host name of the FortiMail unit.

hsts-max-age <days>

Set the HTTP Strict Transport Security (HSTS) max-age. 0 means to disable.

iscsi-initiator-name <name_str>

Enter the FortiMail ISCSI client name used to communicate with the ISCSI server for centralized quarantine storage.

This is only used to change the name generated by the FortiMail unit automatically.

lcd-pin <pin_int>

Enter the 6-digit personal identification number (PIN) that administrators must enter in order to access the FortiMail LCD panel.

The PIN is used only when lcdprotection is enable.

lcd-protection {enable | disable}

Enable to require that administrators enter a PIN in order to use the buttons on the front LCD panel. Also configure lcdpin.

ldap-server-sys-status {enable | disable}

Enable or disable the LDAP server for serving organizational information.

ldap-sess-cache-state {enable | disable}

Enable to keep the continuity of the connection sessions to the LDAP server. Repeated session connections waste network resources.

local-domain-name <name_str>

Enter the local domain name of the FortiMail unit.

mailbox-service {enable | disable}

Note: The mailbox service feature is license based. If you do not purchase the advanced management license, this feature is not available.

Enable the mailbox service.

After you enable this service, see report mailbox for information on configuring the mailbox service.

New options also appear in the GUI under FortiView > Mail Statistics > Active Mailbox.

mailstat-service {enable | disable}

Enable the mail statistic service.

After you enable this service, a new tab called Top User Statistics will appear under FortiView on the GUI.

mta-adv-ctrl-status {enable | disable}

Enable to configure session-specific MTA settings and overwrite the global settings configured elsewhere.

operation-mode {gateway | server | transparent}

Note: Only administrators with super admin privileges may change the FortiMail unit's operation mode.

Enter one of the following operation modes:

• gateway: The FortiMail unit acts as an email gateway or MTA, but does not host email accounts.

• server: The FortiMail unit acts as a standalone email server that hosts email accounts and acts as an MTA.

• transparent: The FortiMail unit acts as an email proxy.

pki-certificate-req {yes | no}

If the administrator’s web browser does not provide a valid personal certificate for PKI authentication, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter yes. To allow password-style fallback, enter no.

pki-mode {enable | disable}

Enable to allow PKI authentication for FortiMail administrators. For more information, see user pki and system admin.

Also configure pki-certificate-req {yes | no}.

Caution: Before disabling PKI authentication, select another mode of authentication for FortiMail administrators and email users that are currently using PKI authentication. Failure to first select another authentication method before disabling PKI authentication will prevent them from being able to log in.

port-http <port_int>

Enter the HTTP port number for administrative access on all interfaces.

port-https <port_int>

Enter the HTTPS port number for administrative access on all interfaces.

port-ssh <port_int>

Enter the SSH port number for administrative access on all interfaces.

port-telnet <port_int>

Enter the TELNET port number for administrative access on all interfaces.

post-login-banner {admin | ibe | webmail}

Enable or disable the legal disclaimer.

admin: Select to display the disclaimer message after the administrator logs into the FortiMail web UI.

webmail: Select to display the disclaimer message after the user logs into the FortiMail webmail.

ibe: Select to display the disclaimer message after the user logs into the FortiMail unit to view IBE encrypted email.

pre-login-banner admin

Enable or disable the legal disclaimer before the administrator logs into the FortiMail web UI.

rest-api {enable | disable}

Enable or disable REST API support.

ssl-versions {ssl3 tls1_0 | tls1_1 | tls1_2 | tls1_3}

Specify which SSL/TLS versions you want to support for the HTTPS and SMTP access to FortiMail. Currently, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are supported.

In 6.0.0 release, strong-crypto is enabled and TLS 1.0 is disabled by default. Because some old versions of email clients (for example, MS Outlook 2007 and older) and MTAs only support TLS 1.0, they may have issues connecting to FortiMail. To fix the issue, disable strong-crypto and add TLS 1.0 support.

Starting from 6.0.1 release, both strong-crypto and TLS 1.0 are enabled by default.

Starting from 6.2.0, when strong-crypto is enabled, TLS 1.0 is disabled.

When strong-crypto is enabled, SSL 3.0 is only supported in 5.4 releases, not in 6.0 and 6.2 releases.

strong-crypto {enable | disable}

Enable to use strong encryption and only allow strong ciphers (AES) and digest (SHA1) for HTTPS/SSH admin access.

When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta) and higher.

Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.