Administration Guide

Email concepts and process workflow
- Email protocols
- Client-server connections in SMTP
- DNS role in email delivery
- How FortiMail processes email
- FortiMail operation modes
- FortiMail high availability modes
- FortiMail management methods
Setting up FortiMail system
- Connecting to the web UI or CLI
- Choosing the operation mode
- Running the Quick Start Wizard
- Connecting to FortiGuard services
- Gateway mode deployment
- Transparent mode deployment
- Server mode deployment
- Testing the installation
- Backing up the configuration
Using the dashboard
- Viewing the dashboard
- Using the CLI Console
Using FortiView
- Viewing mail statistics
- View threat statistics
- View outbreak statistics
- Viewing top user statistics
- Viewing current IP sessions
Monitoring the system
- Viewing log messages
- Managing the quarantines
- Managing the mail queue
- Viewing the greylist statuses
- Viewing sender, authentication and endpoint reputation
- Managing archived email
- Viewing generated reports
Centrally monitoring the HA cluster
- Viewing the cluster status
- Viewing HA cluster mail statistics
- Viewing HA cluster threat statistics
- Searching the HA cluster logs
Configuring system settings
- Configuring network settings
- Configuring administrator accounts and access profiles
- Configuring system time, options, and other system options
- Configuring mail settings
- Customizing GUI, custom messages, email templates, SSO, and Security Fabric
- Configuring RAID
- Using high availability (HA)
- Managing certificates
- Using FortiNDR malware inspection
- Using FortiSandbox antivirus inspection
- Configuring FortiGuard services
- System maintenance
- System utility
Configuring domains and users
- Configuring protected domains
- Managing users
- Configuring user aliases
- Configuring address mappings
- Configuring IBE users
- Managing the address book (server mode only)
- Sharing calendars and address books (server mode only)
- Migrating email from other mail servers (server mode only)
Configuring policies
- What is a policy?
- How to use policies
- Controlling SMTP access and delivery
- Controlling email based on IP addresses
- Controlling email based on sender and recipient addresses
Configuring profiles
- Configuring session profiles
- Configuring antispam profiles and antispam action profiles
- Configuring antivirus profiles, file signatures, and antivirus action profiles
- Configuring content profiles and content action profiles
- Configuring replacement message profiles and variables
- Configuring resource profiles
- Workflow to enable and configure authentication of email users
- Configuring authentication profiles
- Configuring LDAP profiles
- Configuring dictionary profiles
- Configuring security profiles
- Configuring IP pools
- Configuring email, IP and GeoIP groups
- Configuring notification profiles
Configuring security settings
- Configuring the FortiGuard URL filter
- Configuring content disarm and reconstruction
- Configuring authentication reputation
- Configuring email quarantines and quarantine reports
- Configuring the block lists and safe lists
- Configuring greylisting
- Configuring bounce verification and tagging
- Configuring sender rewriting scheme
- Configuring endpoint reputation
- Training and maintaining the Bayesian databases
Configuring encryption settings
- Configuring IBE encryption
- Configuring certificate bindings
Configuring data loss prevention
- DLP configuration workflow
- Defining the sensitive data
- Configuring DLP rules
- Configuring DLP profiles
Archiving email
- Email archiving workflow
- Configuring email archiving accounts
- Configuring email archiving policies
- Configuring email archiving exemptions
Logs, reports and alerts
- About FortiMail logging
- Configuring logging
- Configuring report profiles and generating mail statistic reports
- Configuring alert email
Microsoft 365 threat remediation
- Microsoft 365 protection workflow
- Configuring Microsoft 365 accounts
- Configuring profiles
- Configuring scanning policies
- Monitoring log messages
Managing firmware and configuration
- Testing firmware before installing it
- Installing firmware
- Clean installing firmware
- Upgrading firmware on HA units
Best practices and fine tuning
- General security tuning
- System security tuning
- Network topology tuning
- High availability (HA) tuning
- SMTP connectivity tuning
- Antispam tuning
- Policy tuning
- System maintenance tips
- Performance tuning
Troubleshooting
- Establish a system baseline
- Define the problem
- Search for a known solution
- Create a troubleshooting plan
- Gather system information
- Troubleshoot hardware issues
- Troubleshoot GUI and CLI connection issues
- Troubleshoot FortiGuard connection issues
- Troubleshoot MTA issues
- Troubleshoot antispam issues
- Troubleshoot HA issues
- Troubleshoot resource issues
- Troubleshoot bootup issues
- Troubleshoot installation issues
- Contact Fortinet customer support for assistance
Setup for email users
- Training Bayesian databases
- Managing tagged spam
- Accessing the personal quarantine and webmail
- Sending email from an email client (gateway and transparent mode)
Appendix A: Supported RFCs
Appendix B: Maximum Values
Appendix C: Port Numbers
Appendix D: Wildcards and regular expressions
- Special characters with regular expressions and wildcards
- Case sensitivity
- Modifiers
- Word boundary
- Syntax
- Examples
Appendix E: Working with TLS/SSL
- About TLS/SSL
- How TLS/SSL works
- FortiMail support of TLS/SSL
- Troubleshooting FortiMail TLS issues
Appendix F: PKI Authentication
- Introduction to PKI authentication
- FortiMail PKI architecture
- Configuring PKI authentication on FortiMail
Change Log

Home FortiMail 7.2.3 Administration Guide

7.2.3

Configuring content disarm and reconstruction

Content disarm and reconstruction (CDR) allows the FortiMail unit to decide what action to take on emails with attachments that contain any active content in them, such as hyperlinks, embedded media, JavaScript, and macros from the files, without affecting the integrity of its textual content.

Configuring CDR attachment settings

Go to Security > Disarm & Reconstruction > Attachment.
Configuring the following:

GUI item	Description
Attachment handling for deferred email	Configure the following: Send notification: Enable for recipient to receive a notification for any time an email attachment is subjected to deferred scanning. Disarm: Send notification with the disarmed Office/PDF attachments and remove all other non-CDR supported attachments. Remove: Send the notification with all the attachments removed. Verdict threshold to disarm on delivery: The defined level and higher verdict at which attachments will be disarmed. For example, if set to Medium, the attachments with Medium, High, and Malicious will all be disarmed.
Attachment scan by FortiSandbox	If your FortiMail unit is running 7.0 or newer releases, the FortiSandbox scan on successful content disarm is bypassed by default. Enable Continue FortiSandbox scan on successful content disarm if you want to allow FortiSandbox to scan the attachment upon successful CDR. If your FortiMail unit is running 6.4 or older firmware, even on successful CDR, FortiSandbox scanning for the attachment will not be bypassed.

GUI item

Description

Attachment handling for deferred email

Configure the following:

Send notification: Enable for recipient to receive a notification for any time an email attachment is subjected to deferred scanning.
- Disarm: Send notification with the disarmed Office/PDF attachments and remove all other non-CDR supported attachments.
- Remove: Send the notification with all the attachments removed.
Verdict threshold to disarm on delivery: The defined level and higher verdict at which attachments will be disarmed. For example, if set to Medium, the attachments with Medium, High, and Malicious will all be disarmed.

Attachment scan by FortiSandbox

If your FortiMail unit is running 7.0 or newer releases, the FortiSandbox scan on successful content disarm is bypassed by default. Enable Continue FortiSandbox scan on successful content disarm if you want to allow FortiSandbox to scan the attachment upon successful CDR.

If your FortiMail unit is running 6.4 or older firmware, even on successful CDR, FortiSandbox scanning for the attachment will not be bypassed.

Configuring URL click protection and removal options

When configuring the content profiles (see Configuring content disarm and reconstruction (CDR)), you can choose what to do with the URLs contained in the email messages: either remove them or leave them.

However, if the URLs are not removed, there is a chance that email users may click and follow them. To protect users from harmful or spam URLs, such as phishing or advertising web sites, FortiMail uses FortiGuard URL filter service (see Configuring heuristic options) and FortiSandbox to scan the URLs after the users click the URLs. Depending on the inspection results from FortiGuard and FortiSandbox, you can decide if you would allow the users to access the URLs or block them.

Starting from 6.2 release, you can also choose to use FortiIsolator to isolate threats. FortiIsolator is a browser isolation solution, which protects users against zero day malware and phishing threats that are delivered over the web and email. These threats may result in data loss, compromise, or ransomware. This protection is achieved by creating a visual air gap between users' browsers and websites, which prevents content from breaching the gap. With FortiIsolator, web content is executed in a remote disposable container and displayed to users visually.

To configure URL click protection options

Go to Security > Disarm & Reconstruction > URL and configure the following:

GUI item			Description
URL Click Protection Option			Configure the following URL click protection options.
	URL Rewrite		FortiMail must rewrite URLs to ensure that the URLs will be directed to FortiMail first when users click the URLs.
		Category	Specify what URL categories will be rewritten.
		Base URL	Enter prefix “https://” and the FortiMail FQDN or IP address. Note that without the prefix, the URL will not work. The rewritten URL will be in this format: `https://company.com/fmlurlsvc/?fewReq/baseValue&url=originalUrlEscaped` Using the originalUrlEscaped part, you can get the original URL with the help of a URL decoding web site, such as https://www.urldecoder.org.
	URL Click Handling		When users click the URLs in the email messages, you can choose to block or allow their access.
		Category	Choose the URL category for the below action. For information about URL categories, see Configuring heuristic options.
		Action	Specify either to Block or Allow with Confirmation for the above URL category.
		FortiSandbox Scan	For all other URL categories not specified above, you can choose to send them to FortiSandbox (see Using FortiSandbox antivirus inspection) for further scanning. Enable: Toggle to enable or disable FortiSandbox scan. Action: Allow with Confirmation means to allow access with warning; Block means to block access; and Submit only means to allow access while sending the URLs for scanning. Timeout action: When the URLs are sent to FortiSandbox for scanning, it may take a while to get the results back. You should specify how long you want to wait for the results before you take Block, Allow, or Allow with Confirmation actions. Timeout: Specify how long (in seconds) you want to wait for FortiSandbox scan results before you take Block, Allow, or Allow with Confirmation actions.
	FortiIsolator Integration
		Category	Specify what URL categories will be going through FortiIsolator. For information about URL categories, see Configuring heuristic options.
		Base URL	Enter prefix “https://” and the FortiIsolator FQDN or IP address. Note that without the prefix, the URL will not work.
URL Removal			You can also choose to remove the URLs in the specified category.
	Category		Specify the URL category to remove the URLs. For information about URL categories, see Configuring heuristic options.