Configuring IBE encryption
The Encryption > IBE > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.
This section contains the following topics:
IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate, key pre-enrollment, or specialized software to access the email.
About FortiMail IBE
The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.
When an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Sample secure message notification shows a sample notification.
The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.
If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.
If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.
When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically.
Due to more confining security restrictions imposed by the iOS system, email attachments included in IBE PUSH (for details about IBE PUSH and PULL methods, see Configuring encryption profiles) notification messages can no longer be opened properly on iOS devices running version 10 and up. Therefore, users cannot view the encrypted email messages on these iOS devices. Users should download and open the attachments on their PCs as a workaround. |
How FortiMail works with IBE
Sample secure message notification
External IBE users can only access their secure messages via the link in the IBE notification email, while internal users (protected domain users) can also access their secure messages via webmail login. |
See also
FortiMail IBE configuration workflow
FortiMail IBE configuration workflow
Follow the general steps below to use the FortiMail IBE function:
- Configure and enable the IBE service. See Configuring IBE services.
- Manage IBE users. See Configuring IBE users.
- Configure an IBE encryption profile. See Configuring encryption profiles.
If you want to encrypt email based on the email contents:
- Add the IBE encryption profile to the content action profile. See Configuring content action profiles.
- Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See Configuring content profiles.
- Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See Controlling email based on sender and recipient addresses, and Controlling email based on IP addresses.
- configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see Configuring dictionary profiles)
- added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
- included the content profile to IP and recipient policies
- Configure IBE email storage.
- Configure log settings for IBE encryption. See Configuring logging.
- View logs of IBE encryption. See Viewing log messages.
For example, on the FortiMail unit, you have:
You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.
For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in Microsoft Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.
If you want to encrypt email using message delivery rules:
- Configure message delivery rules using encryption profiles to determine email that need to be encrypted with IBE. See Configuring delivery rules.
- Configure IBE email storage.
- Configure log settings for IBE encryption. See Configuring logging.
- View logs of IBE encryption. See Viewing log messages.
For full configuration and procedural details, depending on your environment's requirements, see the Cookbook recipes Encrypting confidential emails in FortiMail and How to encrypt emails sent from a designated source in FortiMail.
See also
Configuring IBE services
You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see FortiMail IBE configuration workflow.
To configure IBE service
- Go to Encryption > IBE > IBE Encryption.
- Configure the following:
GUI item |
Description |
Enable IBE service |
Select to enable the IBE service you configured. |
IBE service name |
Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail. |
Activation is required for account registration |
When enabled, IBE users receive a validation email that contains an activation link to complete the account registration. When disabled, IBE users are redirected to the IBE account after registration. Note that if the IBE user registered by clicking the registration link inside the reset notification email, they will not be redirected, and will need to login to their account. |
Account registration expiry time (days) |
Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient. |
Account inactivity expiry time (days) |
Enter the number of days the secure mail recipient can access the FortiMail unit without registration. For example, if you set the value to 30 days and if the mail recipient did not access the FortiMail unit for 30 days after the user registers on the unit, the recipient will need to register again if another secure mail is sent to the user. If the recipient accessed the FortiMail unit on the 15th days, the 30-day limit will be recalculated from the 15th day onwards. |
Account password reset expiry time (hours) |
Enter the password reset expiry time in hours. This is for the recipients who have forgotten their login passwords and request for new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit. |
Encrypted email retention period (days) |
Enter the number of days that the secured mail will be saved on the FortiMail unit. |
Allow secure replying |
Select to allow the secure mail recipient to reply the email with encryption. |
Allow secure forwarding |
Select to allow the secure mail recipient to forward the email with encryption. |
Allow secure composing |
Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted. For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered. |
IBE base URL |
Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail. |
"Help" content URL |
You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file. If you leave this field empty, a default help file link will be added to the secure mail notification. |
"About" content URL |
You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file. If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification. |
Allow custom user control |
If your corporation has its own user authentication tools, enable this option and enter the URL. “Custom user control” URL: This is the URL where you can check for user existence. “Custom forgot password” URL: This is the URL where users get authenticated. |
Authentication Setting |
FortiMail supports the customization of IBE authentication settings, supporting two-factor authentication through the use of one-time password (OTP) tokens and passwords. Users may authenticate themselves through either SMS or email. Additionally, authenticated sessions may be time limited, to ensure historical emails are not accessed from the encrypted mailbox. Use this section to define the authentication mode, email and SMS secure token delivery options, and secure token and maximum attempt timeouts and limits. See the User registration process with two-factor authentication for more information on the user workflow. |
Notification Setting |
Under Account Status Notification, enable the types of account notifications you wish to be sent to users. For Expiration, also define when the expiration notification should be sent. Under Email Status Notification, you can choose to send a notification to the sender or recipient when the secure email is read or remains unread for a specified period of time. Click the Edit link to modify the email template. For details, see Customizing email templates. Depending on the IBE email access method (either PUSH or PULL) you defined in Configuring encryption profiles, the notification settings behave differently.
|