Fortinet white logo
Fortinet white logo

Administration Guide

Configuring IBE encryption

Configuring IBE encryption

The Encryption > IBE > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate, key pre-enrollment, or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

When an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Sample secure message notification shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically.

Note

Due to more confining security restrictions imposed by the iOS system, email attachments included in IBE PUSH (for details about IBE PUSH and PULL methods, see Configuring encryption profiles) notification messages can no longer be opened properly on iOS 10 and later. Therefore, users cannot view the encrypted email messages on these iOS devices. Users should download and open the attachments on their PCs as a workaround.

How FortiMail works with IBE

Sample secure message notification

Note

External IBE users can only access their secure messages via the link in the IBE notification email, while internal users (protected domain users) can also access their secure messages via webmail login.

See also

About FortiMail IBE

FortiMail IBE configuration workflow

Configuring IBE services

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

If you want to encrypt email based on the email contents:

  • Add the IBE encryption profile to the content action profile. See Configuring content action profiles.
  • Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See Configuring content profiles.
  • Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See Controlling email based on sender and recipient addresses, and Controlling email based on IP addresses.
  • For example, on the FortiMail unit, you have:

  • configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see Configuring dictionary profiles)
  • added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
  • included the content profile to IP and recipient policies
  • You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.

    For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in Microsoft Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.

  • Configure IBE email storage.
  • Configure log settings for IBE encryption. See Configuring logging.
  • View logs of IBE encryption. See Viewing log messages.

If you want to encrypt email using message delivery rules:

For full configuration and procedural details, depending on your environment's requirements, see Encrypting confidential emails in FortiMail and How to encrypt emails sent from a designated source in FortiMail.

See also

About FortiMail IBE

Configuring IBE services

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see FortiMail IBE configuration workflow.

To configure IBE service
  1. Go to Encryption > IBE > IBE Encryption.
  2. Configure the following:

GUI item

Description

Enable IBE service

Select to enable the IBE service you configured.

IBE service name

Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail.

Activation is required for account registration

When enabled, IBE users receive a validation email that contains an activation link to complete the account registration.

When disabled, IBE users are redirected to the IBE account after registration.

Note that if the IBE user registered by clicking the registration link inside the reset notification email, they will not be redirected, and will need to login to their account.

Account registration expiry time (days)

Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.

Account inactivity expiry time (days)

Enter the number of days the secure mail recipient can access the FortiMail unit without registration.

For example, if you set the value to 30 days and if the mail recipient did not access the FortiMail unit for 30 days after the user registers on the unit, the recipient will need to register again if another secure mail is sent to the user. If the recipient accessed the FortiMail unit on the 15th days, the 30-day limit will be recalculated from the 15th day onwards.

Account password reset expiry time (hours)

Enter the password reset expiry time in hours.

This is for the recipients who have forgotten their login passwords and request for new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

Encrypted email retention period (days)

Enter the number of days that the secured mail will be saved on the FortiMail unit.

Allow secure replying

Select to allow the secure mail recipient to reply the email with encryption.

Allow secure forwarding

Select to allow the secure mail recipient to forward the email with encryption.

Allow secure composing

Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.

IBE base URL

Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail.

"Help" content URL

You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file.

If you leave this field empty, a default help file link will be added to the secure mail notification.

"About" content URL

You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file.

If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

Allow custom user control

If your corporation has its own user authentication tools, enable this option and enter the URL.

“Custom user control” URL: This is the URL where you can check for user existence.

“Custom forgot password” URL: This is the URL where users get authenticated.

Authentication Setting

FortiMail supports the customization of IBE authentication settings, supporting two-factor authentication through the use of one-time password (OTP) tokens and passwords.

Users may authenticate themselves through either SMS or email. Additionally, authenticated sessions may be time limited, to ensure historical emails are not accessed from the encrypted mailbox.

Use this section to define the authentication mode, email and SMS secure token delivery options, and secure token and maximum attempt timeouts and limits.

See the User registration process with two-factor authentication for more information on the user workflow.

Notification Setting

Under Account Status Notification, enable the types of account notifications you wish to be sent to users. For Expiration, also define when the expiration notification should be sent.

Under Email Status Notification, you can choose to send a notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

Click the Edit link to modify the email template. For details, see Customizing email templates.

Depending on the IBE email access method (either PUSH or PULL) you defined in Configuring encryption profiles, the notification settings behave differently.

  • If the IBE message is stored on FortiMail (PULL access method), the “read” notification will only be sent the first time the message is read.
  • If the IBE message is not stored on FortiMail (PUSH access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.
  • There is no “unread” notification for IBE PUSH messages.

Configuring IBE encryption

Configuring IBE encryption

The Encryption > IBE > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate, key pre-enrollment, or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

When an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Sample secure message notification shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically.

Note

Due to more confining security restrictions imposed by the iOS system, email attachments included in IBE PUSH (for details about IBE PUSH and PULL methods, see Configuring encryption profiles) notification messages can no longer be opened properly on iOS 10 and later. Therefore, users cannot view the encrypted email messages on these iOS devices. Users should download and open the attachments on their PCs as a workaround.

How FortiMail works with IBE

Sample secure message notification

Note

External IBE users can only access their secure messages via the link in the IBE notification email, while internal users (protected domain users) can also access their secure messages via webmail login.

See also

About FortiMail IBE

FortiMail IBE configuration workflow

Configuring IBE services

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

If you want to encrypt email based on the email contents:

  • Add the IBE encryption profile to the content action profile. See Configuring content action profiles.
  • Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See Configuring content profiles.
  • Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See Controlling email based on sender and recipient addresses, and Controlling email based on IP addresses.
  • For example, on the FortiMail unit, you have:

  • configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see Configuring dictionary profiles)
  • added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
  • included the content profile to IP and recipient policies
  • You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.

    For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in Microsoft Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.

  • Configure IBE email storage.
  • Configure log settings for IBE encryption. See Configuring logging.
  • View logs of IBE encryption. See Viewing log messages.

If you want to encrypt email using message delivery rules:

For full configuration and procedural details, depending on your environment's requirements, see Encrypting confidential emails in FortiMail and How to encrypt emails sent from a designated source in FortiMail.

See also

About FortiMail IBE

Configuring IBE services

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see FortiMail IBE configuration workflow.

To configure IBE service
  1. Go to Encryption > IBE > IBE Encryption.
  2. Configure the following:

GUI item

Description

Enable IBE service

Select to enable the IBE service you configured.

IBE service name

Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail.

Activation is required for account registration

When enabled, IBE users receive a validation email that contains an activation link to complete the account registration.

When disabled, IBE users are redirected to the IBE account after registration.

Note that if the IBE user registered by clicking the registration link inside the reset notification email, they will not be redirected, and will need to login to their account.

Account registration expiry time (days)

Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.

Account inactivity expiry time (days)

Enter the number of days the secure mail recipient can access the FortiMail unit without registration.

For example, if you set the value to 30 days and if the mail recipient did not access the FortiMail unit for 30 days after the user registers on the unit, the recipient will need to register again if another secure mail is sent to the user. If the recipient accessed the FortiMail unit on the 15th days, the 30-day limit will be recalculated from the 15th day onwards.

Account password reset expiry time (hours)

Enter the password reset expiry time in hours.

This is for the recipients who have forgotten their login passwords and request for new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

Encrypted email retention period (days)

Enter the number of days that the secured mail will be saved on the FortiMail unit.

Allow secure replying

Select to allow the secure mail recipient to reply the email with encryption.

Allow secure forwarding

Select to allow the secure mail recipient to forward the email with encryption.

Allow secure composing

Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.

IBE base URL

Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail.

"Help" content URL

You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file.

If you leave this field empty, a default help file link will be added to the secure mail notification.

"About" content URL

You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file.

If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

Allow custom user control

If your corporation has its own user authentication tools, enable this option and enter the URL.

“Custom user control” URL: This is the URL where you can check for user existence.

“Custom forgot password” URL: This is the URL where users get authenticated.

Authentication Setting

FortiMail supports the customization of IBE authentication settings, supporting two-factor authentication through the use of one-time password (OTP) tokens and passwords.

Users may authenticate themselves through either SMS or email. Additionally, authenticated sessions may be time limited, to ensure historical emails are not accessed from the encrypted mailbox.

Use this section to define the authentication mode, email and SMS secure token delivery options, and secure token and maximum attempt timeouts and limits.

See the User registration process with two-factor authentication for more information on the user workflow.

Notification Setting

Under Account Status Notification, enable the types of account notifications you wish to be sent to users. For Expiration, also define when the expiration notification should be sent.

Under Email Status Notification, you can choose to send a notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

Click the Edit link to modify the email template. For details, see Customizing email templates.

Depending on the IBE email access method (either PUSH or PULL) you defined in Configuring encryption profiles, the notification settings behave differently.

  • If the IBE message is stored on FortiMail (PULL access method), the “read” notification will only be sent the first time the message is read.
  • If the IBE message is not stored on FortiMail (PUSH access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.
  • There is no “unread” notification for IBE PUSH messages.