Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiMail 7.4.2 CLI Reference
    7.4.2
    7.6.1
    7.6.0
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.0
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    profile authentication

    profile authentication

    Use this command to configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users.

    FortiMail units support the following authentication methods:

    • IMAP
    • POP3
    • RADIUS
    • SMTP

    When the FortiMail unit is operating in server mode, only local and RADIUS authentication are available.

    In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when authenticating with another SMTP server to deliver email.

    Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through inbound recipient-based policies, IP-based policies, and email user accounts.

    For more information, see the FortiMail Administration Guide.

    Syntax

    config profile authentication imap

    edit <profile_name>

    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

    set option {ssl secure tls senddomain}

    set port <port_int>

    set server {<fqdn_str> | <host_ipv4>}

    config profile authentication pop3

    edit <profile_name>

    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

    set option {ssl secure tls senddomain}

    set port <port_int>

    set server {<fqdn_str> | <host_ipv4>}

    config profile authentication radius

    edit <profile_name>

    set access-override {enable | disable}

    set access-override-attribute <integer>

    set access-override-vendor <integer>

    set auth-prot {auto | chap | mschap | mschap2 | pap}

    set domain-override {enable | disable}

    set domain-override-attribute <integer>

    set domain-override-vendor <integer>

    set nas-ip <ip_addr>

    set port <port_int>

    set secret <password_str>

    set send-domain {enable | disable}

    set server {<fqdn_str> | <host_ipv4>}

    config profile authentication smtp

    edit <profile_name>

    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

    set option {ssl secure tls senddomain}

    set server {<fqdn_str> | <host_ipv4>}

    set port <port_int>

    set try-ldap-mailhost {enable | disable}

    end

    Variable

    Description

    Default

    <profile_name>

    Enter the name of the profile.

    To view a list of existing entries, enter a question mark ( ? ).

    auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

    Enter an authentication type.

    auto

    access-override {enable | disable}

    Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile.

    disable

    access-override-attribute <integer>

    Enter the attribute ID of a vender for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.

    6

    access-override-vendor <integer>

    Enter the vender’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.

    12356

    option {ssl secure tls senddomain}

    Enter one or more of the following in a space-delimited list:

    • senddomain: Enable if the IMAP server requires both the user name and the domain when authenticating.
    • ssl: Enables secure socket layers (SSL) to secure message transmission.
    • secure: Enables secure authentication.
    • tls: Enables transport layer security (TLS) to ensure privacy between communicating application.

    port <port_int>

    Enter the TCP port number of the IMAP server.

    The standard port number for SSL-secured IMAP is 993.

    143

    server {<fqdn_str> | <host_ipv4>}

    Enter the IP address or fully qualified domain name (FQDN) of the IMAP server.

    option {ssl secure tls senddomain}

    If you want to enable any of the following options, enter them in a space-delimited list:

    • domain: Enable if the POP3 server requires both the user name and the domain when authenticating.
    • ssl: Enables secure socket layers (SSL) to secure message transmission.
    • secure: Enables secure authentication.
    • tls: Enables transport layer security (TLS) to ensure privacy between communicating application.

    port <port_int>

    Enter the TCP port number of the POP3 server.

    The standard port number for SSL-secured POP3 is 995.

    110

    server {<fqdn_str> | <host_ipv4>}

    Enter the IP address or fully qualified domain name (FQDN) of the POP3 server.

    auth-prot {auto | chap | mschap | mschap2 | pap}

    Enter the authentication method for the RADIUS server.

    mschap2

    domain-override {enable | disable}

    Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain.

    disable

    domain-override-attribute <integer>

    Enter the attribute ID of a vender for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.

    3

    domain-override-vendor <integer>

    Enter the vender’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.

    12356

    nas-ip <ip_addr>

    Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.

    0.0.0.0

    port <port_int>

    If the RADIUS server listens on a nonstandard port number, enter the port number of the RADIUS server.

    1812

    secret <password_str>

    Enter the password for the RADIUS server.

    send-domain {enable | disable}

    Enable if the RADIUS server requires both the user name and the domain when authenticating.

    disable

    server {<fqdn_str> | <host_ipv4>}

    Enter the IP address or fully qualified domain name (FQDN) of the RADIUS server.

    option {ssl secure tls senddomain}

    If you want to enable any of the following options, enter them in a space-delimited list:

    • senddomain: Enable if the SMTP server requires both the user name and the domain when authenticating.
    • ssl: Enables secure socket layers (SSL) to secure message transmission.
    • secure: Enables secure authentication.
    • tls: Enables transport layer security (TLS) to ensure privacy between communicating application

    server {<fqdn_str> | <host_ipv4>}

    Enter the IP address or fully qualified domain name (FQDN) of the SMTP server.

    port <port_int>

    Enter the TCP port number of the SMTP server.

    The standard port number for SSL-secured SMTP is 465.

    25

    try-ldap-mailhost {enable | disable}

    Enable if your LDAP server has a mail host entry for the generic user.

    If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the server field.

    enable

    Related topics

    profile certificate-binding

    profile encryption

    Previous
    Next

    profile authentication

    profile authentication

    Use this command to configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users.

    FortiMail units support the following authentication methods:

    • IMAP
    • POP3
    • RADIUS
    • SMTP

    When the FortiMail unit is operating in server mode, only local and RADIUS authentication are available.

    In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when authenticating with another SMTP server to deliver email.

    Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through inbound recipient-based policies, IP-based policies, and email user accounts.

    For more information, see the FortiMail Administration Guide.

    Syntax

    config profile authentication imap

    edit <profile_name>

    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

    set option {ssl secure tls senddomain}

    set port <port_int>

    set server {<fqdn_str> | <host_ipv4>}

    config profile authentication pop3

    edit <profile_name>

    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

    set option {ssl secure tls senddomain}

    set port <port_int>

    set server {<fqdn_str> | <host_ipv4>}

    config profile authentication radius

    edit <profile_name>

    set access-override {enable | disable}

    set access-override-attribute <integer>

    set access-override-vendor <integer>

    set auth-prot {auto | chap | mschap | mschap2 | pap}

    set domain-override {enable | disable}

    set domain-override-attribute <integer>

    set domain-override-vendor <integer>

    set nas-ip <ip_addr>

    set port <port_int>

    set secret <password_str>

    set send-domain {enable | disable}

    set server {<fqdn_str> | <host_ipv4>}

    config profile authentication smtp

    edit <profile_name>

    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

    set option {ssl secure tls senddomain}

    set server {<fqdn_str> | <host_ipv4>}

    set port <port_int>

    set try-ldap-mailhost {enable | disable}

    end

    Variable

    Description

    Default

    <profile_name>

    Enter the name of the profile.

    To view a list of existing entries, enter a question mark ( ? ).

    auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

    Enter an authentication type.

    auto

    access-override {enable | disable}

    Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile.

    disable

    access-override-attribute <integer>

    Enter the attribute ID of a vender for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.

    6

    access-override-vendor <integer>

    Enter the vender’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.

    12356

    option {ssl secure tls senddomain}

    Enter one or more of the following in a space-delimited list:

    • senddomain: Enable if the IMAP server requires both the user name and the domain when authenticating.
    • ssl: Enables secure socket layers (SSL) to secure message transmission.
    • secure: Enables secure authentication.
    • tls: Enables transport layer security (TLS) to ensure privacy between communicating application.

    port <port_int>

    Enter the TCP port number of the IMAP server.

    The standard port number for SSL-secured IMAP is 993.

    143

    server {<fqdn_str> | <host_ipv4>}

    Enter the IP address or fully qualified domain name (FQDN) of the IMAP server.

    option {ssl secure tls senddomain}

    If you want to enable any of the following options, enter them in a space-delimited list:

    • domain: Enable if the POP3 server requires both the user name and the domain when authenticating.
    • ssl: Enables secure socket layers (SSL) to secure message transmission.
    • secure: Enables secure authentication.
    • tls: Enables transport layer security (TLS) to ensure privacy between communicating application.

    port <port_int>

    Enter the TCP port number of the POP3 server.

    The standard port number for SSL-secured POP3 is 995.

    110

    server {<fqdn_str> | <host_ipv4>}

    Enter the IP address or fully qualified domain name (FQDN) of the POP3 server.

    auth-prot {auto | chap | mschap | mschap2 | pap}

    Enter the authentication method for the RADIUS server.

    mschap2

    domain-override {enable | disable}

    Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain.

    disable

    domain-override-attribute <integer>

    Enter the attribute ID of a vender for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.

    3

    domain-override-vendor <integer>

    Enter the vender’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.

    12356

    nas-ip <ip_addr>

    Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.

    0.0.0.0

    port <port_int>

    If the RADIUS server listens on a nonstandard port number, enter the port number of the RADIUS server.

    1812

    secret <password_str>

    Enter the password for the RADIUS server.

    send-domain {enable | disable}

    Enable if the RADIUS server requires both the user name and the domain when authenticating.

    disable

    server {<fqdn_str> | <host_ipv4>}

    Enter the IP address or fully qualified domain name (FQDN) of the RADIUS server.

    option {ssl secure tls senddomain}

    If you want to enable any of the following options, enter them in a space-delimited list:

    • senddomain: Enable if the SMTP server requires both the user name and the domain when authenticating.
    • ssl: Enables secure socket layers (SSL) to secure message transmission.
    • secure: Enables secure authentication.
    • tls: Enables transport layer security (TLS) to ensure privacy between communicating application

    server {<fqdn_str> | <host_ipv4>}

    Enter the IP address or fully qualified domain name (FQDN) of the SMTP server.

    port <port_int>

    Enter the TCP port number of the SMTP server.

    The standard port number for SSL-secured SMTP is 465.

    25

    try-ldap-mailhost {enable | disable}

    Enable if your LDAP server has a mail host entry for the generic user.

    If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the server field.

    enable

    Related topics

    profile certificate-binding

    profile encryption

    Previous
    Next