profile authentication
Use this command to configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users.
FortiMail units support the following authentication methods:
When the FortiMail unit is operating in server mode, only local and RADIUS authentication are available.
In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when authenticating with another SMTP server to deliver email.
Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through inbound recipient-based policies, IP-based policies, and email user accounts.
For more information, see the FortiMail Administration Guide.
Syntax
config profile authentication imap
edit <profile_name>
set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}
set option {ssl secure tls senddomain}
set port <port_int>
set server {<fqdn_str> | <host_ipv4>}
config profile authentication pop3
edit <profile_name>
set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}
set option {ssl secure tls senddomain}
set port <port_int>
set server {<fqdn_str> | <host_ipv4>}
config profile authentication radius
edit <profile_name>
set access-override {enable | disable}
set access-override-attribute <integer>
set access-override-vendor <integer>
set auth-prot {auto | chap | mschap | mschap2 | pap}
set domain-override {enable | disable}
set domain-override-attribute <integer>
set domain-override-vendor <integer>
set nas-ip <ip_addr>
set port <port_int>
set secret <password_str>
set send-domain {enable | disable}
set server {<fqdn_str> | <host_ipv4>}
config profile authentication smtp
edit <profile_name>
set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}
set option {ssl secure tls senddomain}
set server {<fqdn_str> | <host_ipv4>}
set port <port_int>
set try-ldap-mailhost {enable | disable}
end
<profile_name>
Enter the name of the profile.
To view a list of existing entries, enter a question mark ( ? ).

auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}
Enter an authentication type.
Default: auto

access-override {enable | disable}
Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile.
Default: disable

access-override-attribute <integer>
Enter the attribute ID of a vendor for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.
Default: 6

access-override-vendor <integer>
Enter the vendor's registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.
Default: 12356

option {ssl secure tls senddomain}
Enter one or more of the following in a space-delimited list:
- senddomain: Enable if the IMAP server requires both the user name and the domain when authenticating.
- ssl: Enables secure socket layers (SSL) to secure message transmission.
- secure: Enables secure authentication.
- tls: Enables transport layer security (TLS) to ensure privacy between communicating applications.

port <port_int>
Enter the TCP port number of the IMAP server.
The standard port number for SSL-secured IMAP is 993.
Default: 143

server {<fqdn_str> | <host_ipv4>}
Enter the IP address or fully qualified domain name (FQDN) of the IMAP server.

option {ssl secure tls senddomain}
If you want to enable any of the following options, enter them in a space-delimited list:
- senddomain: Enable if the POP3 server requires both the user name and the domain when authenticating.
- ssl: Enables secure socket layers (SSL) to secure message transmission.
- secure: Enables secure authentication.
- tls: Enables transport layer security (TLS) to ensure privacy between communicating applications.

port <port_int>
Enter the TCP port number of the POP3 server.
The standard port number for SSL-secured POP3 is 995.
Default: 110

server {<fqdn_str> | <host_ipv4>}
Enter the IP address or fully qualified domain name (FQDN) of the POP3 server.

auth-prot {auto | chap | mschap | mschap2 | pap}
Enter the authentication method for the RADIUS server.
Default: mschap2

domain-override {enable | disable}
Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain.
Default: disable

domain-override-attribute <integer>
Enter the attribute ID of a vendor for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.
Default: 3

domain-override-vendor <integer>
Enter the vendor's registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.
Default: 12356

nas-ip <ip_addr>
Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.
Default: 0.0.0.0

port <port_int>
If the RADIUS server listens on a nonstandard port number, enter the port number of the RADIUS server.
Default: 1812

secret <password_str>
Enter the password for the RADIUS server.

send-domain {enable | disable}
Enable if the RADIUS server requires both the user name and the domain when authenticating.
Default: disable

server {<fqdn_str> | <host_ipv4>}
Enter the IP address or fully qualified domain name (FQDN) of the RADIUS server.

option {ssl secure tls senddomain}
If you want to enable any of the following options, enter them in a space-delimited list:
- senddomain: Enable if the SMTP server requires both the user name and the domain when authenticating.
- ssl: Enables secure socket layers (SSL) to secure message transmission.
- secure: Enables secure authentication.
- tls: Enables transport layer security (TLS) to ensure privacy between communicating applications.

server {<fqdn_str> | <host_ipv4>}
Enter the IP address or fully qualified domain name (FQDN) of the SMTP server.

port <port_int>
Enter the TCP port number of the SMTP server.
The standard port number for SSL-secured SMTP is 465.
Default: 25

try-ldap-mailhost {enable | disable}
Enable if your LDAP server has a mail host entry for the generic user.
If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the server field.
Default: enable

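The option, auth-type and auth-prot settings above decide how credentials are protected on the way to the back-end server. The following added example (not part of the original reference and not Fortinet code) parses authentication profiles from configuration text and lists IMAP, POP3 and SMTP profiles with neither ssl nor tls in option, and RADIUS profiles set to pap, where the password is protected only by the shared secret. The sample configuration, the profile names and the edit/next/end layout of the backup text are assumptions made for the example.

```python
import shlex

# Constructed sample; the edit/next/end layout of a config backup is an assumption.
SAMPLE_CONFIG = """\
config profile authentication imap
  edit "imap-legacy"
    set auth-type plain
    set server 192.0.2.10
  next
  edit "imap-ssl"
    set option ssl senddomain
    set port 993
  next
end
config profile authentication radius
  edit "radius-pap"
    set auth-prot pap
  next
end
"""

def parse_profiles(text):
    """Return {(type, name): {keyword: [values]}} for every authentication profile."""
    profiles, kind, current = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["config", "profile", "authentication"] and len(tok) == 4:
            kind = tok[3]
        elif tok[:1] == ["edit"] and kind and len(tok) == 2:
            current = profiles.setdefault((kind, tok[1]), {})
        elif tok[:1] == ["set"] and current is not None and len(tok) >= 3:
            current[tok[1]] = tok[2:]
        elif tok[:1] == ["end"]:
            kind = current = None
    return profiles

def audit(text):
    """List (type, name, issue) where the profile leaves credentials weakly protected."""
    findings = []
    for (kind, name), cfg in sorted(parse_profiles(text).items()):
        if kind == "radius":
            if cfg.get("auth-prot", ["mschap2"])[0] == "pap":  # page default: mschap2
                findings.append((kind, name, "auth-prot pap"))
        elif not {"ssl", "tls"} & set(cfg.get("option", [])):
            mech = cfg.get("auth-type", ["auto"])[0]  # page default: auto
            findings.append((kind, name, f"no ssl/tls option, auth-type {mech}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
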
Related topics
profile certificate-binding
profile encryption