Configuring IBE users
You can send secured email with Identity Based Encryption (IBE) through the FortiMail unit. The IBE User option lets you manage IBE mail users and IBE domains. For details about how to use the IBE service, see FortiMail IBE configuration workflow.
This section contains the following topics:
- Configuring active users
- Configuring expired users
- Configuring IBE authentication
- Viewing and managing IBE domains
Configuring active users
The Active User tab lets you enable, delete, maintain, and reset the following secured mail recipients:
- recipients who have received secured mail notifications from the FortiMail unit
- recipients who have registered or authenticated on the FortiMail unit
To view and manage active users, go to Domain & User > IBE User > Active User.
GUI item | Description |
Delete (button) | Select to remove a selected user in the list. A deleted user cannot access the FortiMail unit. |
Maintenance (button) | Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of a mailbox and empty a mailbox as required. The SecureMail mailbox contains the secured email for the user. Encrypted email is placed in this mailbox if Pull is selected to retrieve IBE mail. The Bulk mailbox contains spam quarantined by the FortiMail unit. |
(button) | Click to reset a mail user and require new login information to access the FortiMail unit. Resetting a user sends the user a new notification, and the user needs to re-register on the FortiMail unit. |
IBE domain | Select the name of an IBE domain to view its active users. For more information about IBE domains, see Configuring IBE authentication. |
Search | Enter the name of a user, or a partial user name with wildcards, and press Enter. The list redisplays with only the users that meet the search criteria. To return to the complete user list, clear the search field and press Enter. |
Enabled | Select the check box to activate a mail user. A disabled user cannot access the FortiMail unit. |
| Displays the email address of mail users. |
First Name, Last Name | Displays the first and last name of a mail user. This information appears when a mail user registers on the FortiMail unit. |
Recovery Email | Displays the recovery email address of the mail users. |
Status | The mail user has four status possibilities: |
Creation Time | Displays when the IBE user was registered and created. |
Last Access | Displays the time stamp when: |
See also
Configuring IBE authentication
Configuring expired users
Depending on the configuration of User registration expiry time and User inactivity expiry time in the IBE service, if email recipients fail to register or authenticate on the FortiMail unit, or fail to access the FortiMail unit after registration for a certain period of time, they become expired users. For more information about IBE service configuration, see Configuring IBE encryption.
The Expired User tab displays the same information as the Active User tab except that the users in this list have expired. To become active again, these users must re-register on the FortiMail unit when a new notification arrives.
GUI item | Description |
Delete (button) | Select to remove a selected user in the list. A deleted user cannot access the FortiMail unit. |
Maintenance (button) | Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of a mailbox and empty a mailbox as required. The SecureMail mailbox contains the secured email for the user. Encrypted email is placed in this mailbox if Pull is selected to retrieve IBE mail. The Bulk mailbox contains spam quarantined by the FortiMail unit. |
Re-activate | Select the expired IBE user record(s) you wish to re-activate and select Re-activate. Any re-activated IBE users will move to the Active User tab. |
Export | Select Export All or Export Selected from the dropdown menu to export expired IBE users in comma-separated value (CSV) file format. Note that Export All will export all records on the current page. If you wish to export a larger number of records, set Records per page to a higher value (maximum of 500). |
Records per page | Define the maximum number of expired IBE user records that appear on the current page. |
IBE domain | Select the name of an IBE domain to view its expired users. For more information about IBE domains, see Configuring IBE authentication. |
Search | Enter the name of a user, or a partial user name with wildcards, and press Enter. The list redisplays with only the users that meet the search criteria. To return to the complete user list, clear the search field and press Enter. |
| Displays the email address of mail users. |
First Name | Displays the first name of a mail user. This information appears when a mail user registers on the FortiMail unit. |
Last Name | Displays the last name of a mail user. This information appears when a mail user registers on the FortiMail unit. |
Status | The mail user has four status possibilities: |
Expiry Time | Displays when the user’s registration expired. |
Last Access | Displays the time stamp when the user was last active. |
See also
Configuring IBE authentication
Configuring IBE authentication
When mail recipients of the IBE domains access the FortiMail unit after receiving a secure mail notification:
- recipients of the IBE domains without LDAP authentication profiles need to register to view the email
- recipients of the IBE domains with LDAP authentication profiles just need to authenticate because the FortiMail unit can query the LDAP servers for authentication information based on the LDAP profile
In both cases, the FortiMail unit will record the domain names of the recipients who register or authenticate on it under the IBE Domain tab. For details, see Viewing and managing IBE domains.
Go to Domain & User > IBE User > IBE Authentication to bind domains to LDAP authentication profiles, which the FortiMail unit uses to query the LDAP servers for authentication, email address mappings, and more. For more information about LDAP profiles, see Configuring LDAP profiles.
To configure IBE authentication rules
- Go to Domain & User > IBE User > IBE Authentication.
- Click New and configure the following:
GUI item | Description |
Status | Select to enable this rule. |
Domain pattern | Enter a domain name that you want to bind to an LDAP authentication profile. To require all IBE users to authenticate through an LDAP profile and prevent non-LDAP-authenticated users from registering on FortiMail, use the wildcard * as the domain name and bind it to an LDAP profile. For more information about LDAP profiles, see Configuring LDAP profiles. |
LDAP profile | Select the LDAP profile you want to use to authenticate the domain users. |
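The following added example (not FortiMail code or configuration syntax) models how a set of IBE authentication rules decides whether a recipient authenticates through LDAP or is allowed to self-register, so you can review which domains fall through to registration. It assumes glob matching on the recipient's domain and that the first enabled matching rule applies; the rule field names, profile names and addresses are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule set; keys mirror the GUI columns Status, Domain pattern, LDAP profile.
RULES = [
    {"enabled": True,  "domain_pattern": "example.com", "ldap_profile": "corp-ldap"},
    {"enabled": False, "domain_pattern": "*",           "ldap_profile": "partner-ldap"},
]

# Constructed recipient addresses.
SAMPLE_RECIPIENTS = ["alice@example.com", "bob@partner.test"]


def access_path(recipient, rules):
    """Return ('ldap', profile) or ('register', None) for one recipient address."""
    if "@" not in recipient:
        raise ValueError(f"not an email address: {recipient!r}")
    domain = recipient.rsplit("@", 1)[1].lower()
    for rule in rules:
        if not rule["enabled"]:
            continue  # a rule whose Status is cleared binds nothing
        # Assumption: first enabled rule whose pattern matches the domain wins.
        if fnmatchcase(domain, rule["domain_pattern"].lower()):
            return ("ldap", rule["ldap_profile"])
    return ("register", None)


def self_registering(recipients, rules):
    """Recipients that no enabled rule binds to LDAP, i.e. who may self-register."""
    return sorted(r for r in recipients if access_path(r, rules)[0] == "register")


if __name__ == "__main__":
    for addr in SAMPLE_RECIPIENTS:
        print(addr, access_path(addr, RULES))
    print("may self-register:", self_registering(SAMPLE_RECIPIENTS, RULES))
```

With the wildcard rule disabled, as in the sample, recipients outside example.com still fall through to self-registration; enabling it leaves no recipient on the registration path.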
User registration process with two-factor authentication
As of FortiMail 6.4.0, the enforcement of security questions has been removed and replaced with two-factor authentication, via email and/or SMS text message.
See Configuring IBE services for more information on configuring two-factor authentication settings.
The user verification process for receiving and reading a secure message varies depending on which method is chosen.
IBE user registration and check email process via email:
- When a secure message is sent to a user, the user receives a notification directing them to their inbox.
- The user opens the registration email and clicks the registration link.
- The user registers, providing their Language, Time zone, First name, and Last name.
- When the user clicks Next, they must confirm their Verification email address, then click OK.
- The user then receives a one-time password or token via email.
- Upon entering the token correctly, the user receives a successful registration notification email.
- The user clicks the secure message link and then clicks Request Token. The token is sent via email to the user.
- The user enters the token and clicks Verify Token.
- After the token is verified, the user is granted access to the secure message.
Now that registration is complete, the user may only open the secure message once they have requested a token.
IBE user registration and check email process via SMS:
- When a secure message is sent to a user, the user receives a notification. The user clicks Register.
- The user opens the registration email and clicks the registration link.
- The user registers, providing their Language, Time zone, First name, and Last name.
- When the user clicks Next, they must confirm their Verification phone number, then click OK.
- The user then receives a one-time password or token via SMS.
- Upon entering the token correctly, the user receives a successful registration notification email.
- The user clicks the secure message link and then clicks Request Token. The token is sent via email to the user.
- The user enters the token and clicks Verify Token.
- After the token is verified, the user is granted access to the secure message.
A registration email is sent to the user.
Now that registration is complete, the user may only open the secure message once they have requested a token.
IBE user registration and check email process via email and SMS:
- When a secure message is sent to a user, the user receives a notification. The user clicks Register.
- The user opens the registration email and clicks the registration link.
- The user registers, providing their Language, Time zone, First name, and Last name.
- When the user clicks Next, they must confirm their Verification email address, then click OK.
- The user must then confirm their Verification phone number and request a token.
- The user then receives a one-time password or token via SMS.
- Upon entering the token correctly, the user receives a successful registration notification email.
- The user clicks the secure message link. Before the user clicks Request Token, they must select a Token method option: either SMS or Email. The token is sent via the selected option to the user.
- The user enters the token and clicks Verify Token.
- After the token is verified, the user is granted access to the secure message.
A registration email is sent to the user.
Since the user has selected both email and SMS as token delivery methods, they must verify their email address and Mobile Station International Subscriber Directory Number (MSISDN). Note that a token is not required for the registration of the user's own email address.
Now that registration is complete, the user may only open the secure message once they have requested a token.
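The Request Token and Verify Token steps above can be modelled as a small server-side gate; this is an added example, not FortiMail's implementation. The six-digit token, five-minute lifetime, three-attempt limit and all class and method names are assumptions made for the sketch.

```python
import hmac
import secrets
import time

TOKEN_TTL = 300     # assumed token lifetime in seconds (not stated on the page)
MAX_ATTEMPTS = 3    # assumed number of wrong guesses tolerated per token


class TokenGate:
    """Hypothetical model of the per-message token check."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.verified = {}   # user -> token methods verified at registration
        self.pending = {}    # user -> [token, expires_at, attempts_left]

    def register(self, user, methods):
        # Record the methods ("email", "sms") the user verified at registration.
        self.verified[user] = set(methods)

    def request_token(self, user, method):
        # A token is only sent over a method the user has already verified.
        if method not in self.verified.get(user, ()):
            raise PermissionError("token method not verified for this user")
        token = f"{secrets.randbelow(10**6):06d}"
        # A new request replaces any outstanding token for this user.
        self.pending[user] = [token, self.clock() + TOKEN_TTL, MAX_ATTEMPTS]
        return token  # delivered out of band in practice; returned here for the demo

    def verify_token(self, user, supplied):
        entry = self.pending.get(user)
        if entry is None:
            return False
        token, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[user]       # expired or locked out: request a new token
            return False
        if hmac.compare_digest(token.encode(), supplied.encode()):
            del self.pending[user]       # single use: a verified token cannot be replayed
            return True
        entry[2] -= 1                    # count the wrong guess
        return False


if __name__ == "__main__":
    gate = TokenGate()
    gate.register("user@example.com", ["email", "sms"])   # constructed user
    t = gate.request_token("user@example.com", "sms")
    print("first use:", gate.verify_token("user@example.com", t))
    print("replay:", gate.verify_token("user@example.com", t))
```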
See also
Viewing and managing IBE domains
The FortiMail unit records the domain names of the recipients who register or authenticate on FortiMail.
To view those domains, go to Domain & User > IBE User > IBE Domain.
GUI item | Description |
Delete (button) | Select to remove a selected domain. Deleting a domain also disables all its users. These users cannot access the FortiMail unit until they receive new secure mail notifications from the FortiMail unit. |
Remove All Users (button) | Select to delete all mail users in a selected domain. These users cannot access the FortiMail unit until they receive new secure mail notifications from the FortiMail unit. |
Search (button) | Select to search IBE domains. A search dialog appears. |
Active User Count | Displays the number of active mail users in a domain. For more information about active users, see Configuring active users. |
Expired User Count | Displays the number of expired mail users in a domain. For more information about expired users, see Configuring expired users. |