CLI Reference

profile authentication

Use this command to configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users.

FortiMail units support the following authentication methods:

  • IMAP
  • POP3
  • RADIUS
  • SMTP

When the FortiMail unit is operating in server mode, only local and RADIUS authentication are available.

In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when authenticating with another SMTP server to deliver email.

Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through inbound recipient-based policies, IP-based policies, and email user accounts.

For more information, see the FortiMail Administration Guide.

Syntax

config profile authentication imap

edit <profile_name>

set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

set option {ssl secure tls senddomain}

set port <port_int>

set server {<fqdn_str> | <host_ipv4>}

config profile authentication pop3

edit <profile_name>

set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

set option {ssl secure tls senddomain}

set port <port_int>

set server {<fqdn_str> | <host_ipv4>}

config profile authentication radius

edit <profile_name>

set access-override {enable | disable}

set access-override-attribute <integer>

set access-override-vendor <integer>

set auth-prot {auto | chap | mschap | mschap2 | pap}

set domain-override {enable | disable}

set domain-override-attribute <integer>

set domain-override-vendor <integer>

set nas-ip <ip_addr>

set port <port_int>

set secret <password_str>

set send-domain {enable | disable}

set server {<fqdn_str> | <host_ipv4>}

config profile authentication smtp

edit <profile_name>

set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

set option {ssl secure tls senddomain}

set server {<fqdn_str> | <host_ipv4>}

set port <port_int>

set try-ldap-mailhost {enable | disable}

end
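
An added example (not Fortinet code): a small Python audit of `config profile authentication` blocks that flags IMAP, POP3 and SMTP profiles whose `option` list contains neither `ssl` nor `tls`. The sample configuration, profile names and addresses are constructed, and the script assumes an exported configuration uses the same config/edit/set/end syntax shown above.

```python
# Constructed sample in the syntax shown above; names and addresses are made up.
SAMPLE = """\
config profile authentication imap
edit legacy-imap
set server 192.0.2.10
set auth-type plain
end
config profile authentication pop3
edit pop-ssl
set server pop.example.com
set option ssl senddomain
set auth-type login
end
config profile authentication smtp
edit relay-auth
set server smtp.example.com
end
"""

MAIL_KINDS = {"imap", "pop3", "smtp"}   # profile types that take an option list
PASSWORD_ON_WIRE = {"plain", "login"}   # mechanisms that transmit the password itself

def parse_profiles(text):
    """Return {(kind, name): {setting: value}} from config/edit/set blocks."""
    profiles, kind, cur = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config profile authentication "):
            kind, cur = line.split()[-1], None
        elif line == "end":
            kind = cur = None
        elif kind and line.startswith("edit "):
            cur = profiles.setdefault((kind, line[5:].strip().strip('"')), {})
        elif cur is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            cur[key] = value.strip().strip('"')
    return profiles

def audit(text):
    """List (kind, name, issue) for mail profiles with neither ssl nor tls set."""
    findings = []
    for (kind, name), cfg in sorted(parse_profiles(text).items()):
        encrypted = {"ssl", "tls"} & set(cfg.get("option", "").split())
        if kind not in MAIL_KINDS or encrypted:
            continue  # RADIUS profiles have no ssl/tls option in this reference
        auth = cfg.get("auth-type", "auto")  # "auto" is the documented default
        issue = "cleartext-password" if auth in PASSWORD_ON_WIRE else "no-transport-encryption"
        findings.append((kind, name, issue))
    return findings
```

The `secure` option is deliberately not treated as transport encryption here, because this reference describes it only as secure authentication.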

Variable / Description / Default

<profile_name>

Enter the name of the profile.

To view a list of existing entries, enter a question mark ( ? ).

auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

Enter an authentication type.

Default: auto

access-override {enable | disable}

Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile.

Default: disable

access-override-attribute <integer>

Enter the attribute ID of a vendor for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.

Default: 6

access-override-vendor <integer>

Enter the vendor’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.

Default: 12356

option {ssl secure tls senddomain}

Enter one or more of the following in a space-delimited list:

  • senddomain: Enable if the IMAP server requires both the user name and the domain when authenticating.
  • ssl: Enables Secure Sockets Layer (SSL) to secure message transmission.
  • secure: Enables secure authentication.
  • tls: Enables Transport Layer Security (TLS) to ensure privacy between communicating applications.

port <port_int>

Enter the TCP port number of the IMAP server.

The standard port number for SSL-secured IMAP is 993.

Default: 143

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the IMAP server.

option {ssl secure tls senddomain}

If you want to enable any of the following options, enter them in a space-delimited list:

  • senddomain: Enable if the POP3 server requires both the user name and the domain when authenticating.
  • ssl: Enables Secure Sockets Layer (SSL) to secure message transmission.
  • secure: Enables secure authentication.
  • tls: Enables Transport Layer Security (TLS) to ensure privacy between communicating applications.

port <port_int>

Enter the TCP port number of the POP3 server.

The standard port number for SSL-secured POP3 is 995.

Default: 110

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the POP3 server.

auth-prot {auto | chap | mschap | mschap2 | pap}

Enter the authentication method for the RADIUS server.

Default: mschap2

domain-override {enable | disable}

Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain.

Default: disable

domain-override-attribute <integer>

Enter the attribute ID of a vendor for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.

Default: 3

domain-override-vendor <integer>

Enter the vendor’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.

Default: 12356

nas-ip <ip_addr>

Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.

Default: 0.0.0.0

port <port_int>

If the RADIUS server listens on a nonstandard port number, enter the port number of the RADIUS server.

Default: 1812

secret <password_str>

Enter the password for the RADIUS server.

send-domain {enable | disable}

Enable if the RADIUS server requires both the user name and the domain when authenticating.

Default: disable

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the RADIUS server.

option {ssl secure tls senddomain}

If you want to enable any of the following options, enter them in a space-delimited list:

  • senddomain: Enable if the SMTP server requires both the user name and the domain when authenticating.
  • ssl: Enables Secure Sockets Layer (SSL) to secure message transmission.
  • secure: Enables secure authentication.
  • tls: Enables Transport Layer Security (TLS) to ensure privacy between communicating applications.

server {<fqdn_str> | <host_ipv4>}

Enter the IP address or fully qualified domain name (FQDN) of the SMTP server.

port <port_int>

Enter the TCP port number of the SMTP server.

The standard port number for SSL-secured SMTP is 465.

Default: 25

try-ldap-mailhost {enable | disable}

Enable if your LDAP server has a mail host entry for the generic user.

If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the server field.

Default: enable

Related topics

profile certificate-binding

profile encryption
