CLI Reference

system encryption ibe

Use this command to configure, enable or disable Identity-Based Encryption (IBE) services, which control how secured mail recipients use the mail IBE function.

Syntax

config system encryption ibe
    set account-notification {activation deletion expiration registration-confirmation reset-confirmation}
    set auth-mode {password | token | two-factor}
    set custom-user-control-status {enable | disable}
    set expire-alert <days_int>
    set expire-emails <days_int>
    set expire-inactivity <days_int>
    set expire-passwd-reset <hours_int>
    set expire-registration <days_int>
    set read-notification {enable | disable}
    set secure-compose {enable | disable}
    set secure-reply {enable | disable}
    set secure-forward {enable | disable}
    set secure-token-ttl <minutes>
    set service-name <name_str>
    set sms-account-id <id>
    set sms-auth-key <key>
    set sms-from-number <number>
    set sms-provider <provider>
    set status {enable | disable}
    set two-factor-auth-max-attempt <attempts_int>
    set two-factor-auth-method {email | sms}
    set unread-days
    set unread-notif-rcpt
    set unread-notif-sender
    set unread-notification {enable | disable}
    set url-about <url_str>
    set url-base <url_str>
    set url-custom-user-control <url_str>
    set url-forgot-pwd <psw_str>
    set url-help <url_str>
end

Variables

Each entry below gives the variable, its description, and its default where one is listed.

account-notification {activation deletion expiration registration-confirmation reset-confirmation}

Enter the types of account notifications you wish to be sent to users.

Optionally, for multiple account notifications, separate each entry with a space.

Default: activation expiration

auth-mode {password | token | two-factor}

Select the IBE user authentication mode.

Default: password

custom-user-control-status {enable | disable}

If your corporation has its own user authentication tools, enable this option and enter the URL.

Also configure url-custom-user-control and url-forgot-pwd.

Default: disable

expire-alert <days_int>

Enter the number of days before the user account's expiry date to send an alert email notification to the user. The valid range is 0 to 7, where 0 means the account is expired.

Optionally, for multiple alert email intervals, separate each entry with a space. For example, the default value (1 7) will send an alert email seven days and one day before the expiry date.

Default: 1 7

expire-emails <days_int>

Enter the number of days that the secured mail will be saved on the FortiMail unit.

Default: 180

expire-inactivity <days_int>

Enter the number of days the secured mail recipient can access the FortiMail unit without registration.

For example, if you set the value to 30 days and the mail recipient does not access the FortiMail unit for 30 days after they register on the unit, the recipient will need to register again if another secured mail is sent to them. If the recipient accesses the FortiMail unit on the 15th day, the 30-day limit will be recalculated from the 15th day onwards.

Default: 90

expire-passwd-reset <hours_int>

Enter the password reset expiry time in hours.

This is for recipients who have forgotten their login passwords and request new ones. The secured mail recipient must reset their password within this time limit to access the FortiMail unit.

Default: 24

expire-registration <days_int>

Enter the number of days that the secured mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.

Default: 30

read-notification {enable | disable}

Enable to send the read notification the first time the mail is read.

Default: disable

secure-compose {enable | disable}

Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.

Default: disable

secure-reply {enable | disable}

Allow the secured mail recipient to reply to the email with encryption.

Default: disable

secure-forward {enable | disable}

Allow the secured mail recipient to forward the email with encryption.

Default: disable

secure-token-ttl <minutes>

Enter the secure token timeout value in minutes. Set the value between 1 and 1440.

Default: 30

service-name <name_str>

Enter the name for the IBE service. This is the name the secured mail recipients will see once they access the FortiMail unit to view the mail.

sms-account-id <id>

Enter the account or service plan ID provided by your SMS provider.

sms-auth-key <key>

The authentication token, or API key, provided by your SMS provider.

sms-from-number <number>

Enter the phone number from which to send SMS messages.

sms-provider <provider>

SMS provider for two-factor authentication.

Default: twilio

status {enable | disable}

Enable the IBE service you have configured.

Default: disable

two-factor-auth-max-attempt <attempts_int>

Enter the maximum number of attempts a user is allowed for a two-factor authenticated session.

Default: 3

two-factor-auth-method {email | sms}

Note: This option is only available when auth-mode is set to either token or two-factor.

Enter the verification method for two-factor authentication: email or SMS.

Default: email

unread-days

Note: This option is only available when unread-notification is set to enable.

Enter the unread notification days.

Default: 14

unread-notif-rcpt

Note: This option is only available when unread-notification is set to enable.

Enable to send the unread notification to the recipient.

Default: disable

unread-notif-sender

Note: This option is only available when unread-notification is set to enable.

Enable to send the unread notification to the sender.

Default: disable

unread-notification {enable | disable}

Enable to send the unread notification if the message remains unread (for 14 days by default).

Default: disable

url-about <url_str>

You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file.

If you leave this option empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

url-base <url_str>

Enter the FortiMail unit URL, for example, https://192.168.100.20, where a mail recipient can register or authenticate to access the secured mail.

url-custom-user-control <url_str>

Enter the URL where you can check for user existence. This command appears after you enable custom-user-control-status.

url-forgot-pwd <psw_str>

Enter the URL where users get authenticated. This command appears after you enable custom-user-control-status.

url-help <url_str>

You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file.

If you leave this option empty, a default help file link will be added to the secure mail notification.
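The ranges and option dependencies described above can be checked offline against a saved configuration before it is applied. The following is an added example, not Fortinet code: the function names `parse_ibe` and `audit`, the constructed `SAMPLE` block, and the rule that flags a non-HTTPS `url-base` are assumptions made for illustration.

```python
import re

# Ranges and dependencies below are the ones stated in the option descriptions.
RANGES = {"secure-token-ttl": (1, 1440), "expire-alert": (0, 7)}
# option -> (controlling option, its default, values that make the option available)
REQUIRES = {
    "two-factor-auth-method": ("auth-mode", "password", {"token", "two-factor"}),
    "unread-days": ("unread-notification", "disable", {"enable"}),
    "unread-notif-rcpt": ("unread-notification", "disable", {"enable"}),
    "unread-notif-sender": ("unread-notification", "disable", {"enable"}),
    "url-custom-user-control": ("custom-user-control-status", "disable", {"enable"}),
    "url-forgot-pwd": ("custom-user-control-status", "disable", {"enable"}),
}

def parse_ibe(text):
    """Return {option: [values]} from the 'config system encryption ibe' block."""
    opts, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "config system encryption ibe":
            inside = True
        elif inside and line == "end":
            break
        elif inside and (m := re.match(r"set (\S+)\s+(.*)", line)):
            opts[m.group(1)] = m.group(2).replace('"', "").split()
    return opts

def audit(text):
    opts, findings = parse_ibe(text), []
    for name, (lo, hi) in RANGES.items():
        for v in opts.get(name, []):  # expire-alert may carry several values
            if not v.isdigit() or not lo <= int(v) <= hi:
                findings.append(f"{name}: {v} outside {lo}-{hi}")
    for name, (ctrl, default, allowed) in REQUIRES.items():
        current = (opts.get(ctrl) or [default])[0]
        if name in opts and current not in allowed:
            findings.append(f"{name}: needs {ctrl} in {sorted(allowed)}")
    url = "".join(opts.get("url-base", []))
    if url and not url.startswith("https://"):  # assumed review policy, not a CLI rule
        findings.append("url-base: not https")
    return findings

# Constructed sample, not taken from a real unit.
SAMPLE = """config system encryption ibe
set auth-mode password
set two-factor-auth-method sms
set secure-token-ttl 2000
set expire-alert 1 7
set url-base http://192.168.100.20
end"""
```

Calling `audit(SAMPLE)` returns three findings: the out-of-range token TTL, the two-factor method set while `auth-mode` is `password`, and the plain-HTTP base URL.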

Related topics

system encryption ibe-auth
