Fortinet white logo
Fortinet white logo

CLI Reference

profile ldap

profile ldap

Use this command to configure LDAP profiles which can query LDAP servers for authentication, email address mappings, and more.

Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended mail processing behaviors can result, including bypassing antivirus scans. For details on how to use an LDAP directory with FortiMail LDAP profiles, see the FortiMail Administration Guide.

LDAP profiles each contain one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server.

Syntax

config profile ldap

edit <profile_name>

set access-override {enable | disable}

set access-override-attribute <attribute_str>

set address-map-state {enable | disable}

set alias-base-dn <dn_str>

set alias-bind-dn <bind_dn_str>

set alias-bind-password <bindpw_str>

set alias-dereferencing {never | always | search | find}

set alias-expansion-level <limit_int>

set alias-group-expansion-state {enable | disable}

set alias-group-member-attribute <attribute_str>

set alias-group-query <query_str>

set alias-member-mail-attribute <attribute_str>

set alias-member-query <query_str>

set alias-schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}

set alias-scope {base one | sub}

set alias-state {enable | disable}

set antispam <attribute_str>

set antivirus <attribute_str>

set asav-state {enable | disable}

set auth-bind-dn {cnid | none | searchuser | upn}

set authstate {enable | disable}

set base-dn <basedn_str>

set bind-dn <binddn_str>

set bind-password <bindpw_str>

set cache-state {enable | disable}

set cache-ttl <ttl_int>

set chain <ldap-profile_name>

set chain-status {enable | disable}

set client-cert-auth {enable | disable}

set client-cert <certificate_name>

set cnid-name <cnid_str>

set content <content-profile_name>

set dereferencing {never | always | search | find}

set display-name

set domain-antispam-attr <attribute_str>

set domain-antivirus-attr <attribute_str>

set domain-content-attr

set domain-override {enable | disable}

set domain-override-attribute

set domain-parent-attr <attribute_str>

set domain-query <query_str>

set domain-routing-mail-host-attr <attribute_str>

set domain-state {enable | disable}

set external-address <attribute_str>

set fallback-port <port_int>

set fallback-server {<fqdn_str> | <server_ipv4>}

set group-base-dn <basedn_str>

set group-expansion-level

set group-membership-attribute <attribute_str>

set group-name-attribute <attribute_str>

set group-owner {enable | disable}

set group-owner-address-attribute <attribute_str>

set group-owner-attribute <attribute_str>

set group-relative-name {enable | disable}

set server-name <name_str>

set groupstate {enable | disable}

set internal-address <attribute_str>

set port <port_int>

set query <query_str>

set rcpt-vrfy-bypass {enable | disable}

set referrals-chase {enable | disable}

set routing-mail-host <attribute_str>

set routing-mail-addr <attribute_str>

set routing-state {enable | disable}

set schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}

set scope {base | one | sub}

set secure {none | ssl}

set server {<ldap_fqdn> | <ldap_ipv4> | <ldap_ipv6>

set timeout <timeout_int>

set unauth-bind {enable | disable}

set upn-suffix <upns_str>

set version {ver2 | ver3}

set webmail-password-change {enable | disable}

set webmail-password-schema {openldap | activedirectory}

end

Variable

Description

Default

<profile_name>

Enter the name of the LDAP profile.

access-override {enable | disable}

Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the LDAP server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used.

Also specify the access profile attribute.

disable

access-override-attribute <attribute_str>

Specify the access profile attribtue.

address-map-state {enable | disable}

Enable to query the LDAP server defined in the LDAP profile for user objects’ mappings between email addresses.

disable

alias-base-dn <dn_str>

Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for either alias or user objects.

User or alias objects should be child nodes of this location.

Whether you should specify the base DN of either user objects or alias objects varies by your LDAP schema style. Schema may resolve alias email addresses directly or indirectly (using references).

Direct resolution: Alias objects directly contain one or more email address attributes, such as mail or rfc822MailMember, whose values are user email addresses such as user@example.com, and that resolves the alias. The Base DN, such as ou=Aliases,dc=example,dc=com, should contain alias objects.

Indirect resolution: Alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are “members” of the alias “group.” User objects’ email address attribute values, such as user@example.com, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member" attributes whose value is the DN of a user object, such as uid=user,ou=People,dc=example,dc=com. The FortiMail unit performs a first query to retrieve the distinguished names of “member" user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such as ou=People,dc=example,dc=com, should contain user objects.

alias-bind-dn <bind_dn_str>

Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the basedn.

This command may be optional if your LDAP server does not require the FortiMail unit to authenticate when performing queries, and if you have enabled unauth-bind {enable | disable}.

alias-bind-password <bindpw_str>

Enter the password of alias-bind-dn <bind_dn_str>.

alias-dereferencing {never | always | search | find}

Select the method to use, if any, when dereferencing attributes whose values are references:

  • never: Do not dereference.
  • always: Always dereference.
  • search: Dereference only when searching.
  • find: Dereference only when finding the base search object.

never

alias-expansion-level <limit_int>

Enter the maximum number of alias nesting levels that aliases the FortiMail unit will expand.

0

alias-group-expansion-state {enable | disable}

Enable if your LDAP schema resolves email aliases indirectly. For more information on direct vs. indirect resolution, see alias-base-dn <dn_str>.

When this option is disabled, alias resolution occurs using one query. The FortiMail unit queries the LDAP directory using the basedn and the alias-member-query, and then uses the value of each alias-member-mail-attribute to resolve the alias.

When this option is enabled, alias resolution occurs using two queries:

The FortiMail unit first performs a preliminary query using the basedn and alias-group-query, and uses the value of each alias-group-member-attribute as the base DN for the second query.

The FortiMail unit performs a second query using the distinguished names from the preliminary query (instead of the basedn) and the alias-member-query, and then uses the value of each alias-member-mail-attribute to resolve the alias.

The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references in the form of distinguished names of member user objects, rather than directly containing email addresses to which the alias resolves. In this case, the FortiMail unit must first “expand" the alias object into its constituent user objects before it can resolve the alias email address.

disable

alias-group-member-attribute <attribute_str>

Enter the name of the attribute for the group member, such as member, whose value is the DN of a user object.

This attribute must be present in alias objects only if they do not contain an email address attribute specified in alias-member-mail-attribute <attribute_str>.

alias-group-query <query_str>

Enter an LDAP query filter that selects a set of alias objects, represented as a group of member objects in the LDAP directory.

The query filter string filters the result set, and should be based upon any attributes that are common to all alias objects but also exclude non-alias objects.

For example, if alias objects in your directory have two distinguishing characteristics, their objectClass and proxyAddresses attributes, the query filter might be:

(&(objectClass=group) (proxyAddresses=smtp:$m))

where $m is the FortiMail variable for an email address.

alias-member-mail-attribute <attribute_str>

Enter the name of the attribute for the alias member’s mail address, such as mail or rfc822MailMember, whose value is an email address to which the email alias resolves, such as user@example.com.

This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly.

alias-member-query <query_str>

Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in alias-member-mail-attribute <attribute_str>, from the LDAP directory.

The query filter string filters the result set, and should be based upon any attributes that are common to all user/alias objects but also exclude non-user/alias objects.

For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

(& (objectClass=alias) (mail=$m))

where $m is the FortiMail variable for a user's email address.

alias-schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}

Enter either the name of the LDAP directory’s schema, or enter userdefined to indicate a custom schema.

inetorgperson

alias-scope {base one | sub}

Enter which level of depth to query:

  • base: Query the basedn level.
  • one: Query only the one level directly below the basedn in the LDAP directory tree.
  • sub: Query recursively all levels below the basedn in the LDAP directory tree.

sub

alias-state {enable | disable}

Enable to query user objects for email address aliases.

disable

antispam <attribute_str>

Enter the name of the attribute, such as antispam, whose value indicates whether or not to perform antispam processing for that user.

antivirus <attribute_str>

Enter the name of the attribute, such as antivirus, whose value indicates whether or not to perform antivirus processing for that user.

asav-state {enable | disable}

Enable to query user objects for mappings between internal and external email addresses.

disable

auth-bind-dn {cnid | none | searchuser | upn}

Enter either none to not define a user authentication query, or one of the following to define a user authentication query:

cnid: Enter the name of the user objects’ common name attribute, such as cn or uid.

searchuser: Enter to form the user’s bind DN by using the DN retrieved for that user

This command applies only if schema is userdefined in “set ldap_profile profile user" on page 2407.

upn: Enter to form the user’s bind DN by prepending the user name portion of the email address ($u) to the User Principle Name (UPN, such as example.com).
By default, the FortiMail unit will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, also configure upn-suffix <upns_str>.

searchuser

authstate {enable | disable}

Enable to perform user authentication queries.

disable

base-dn <basedn_str>

Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as ou=People,dc=example,dc=com.

User objects should be child nodes of this location.

bind-dn <binddn_str>

Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the basedn.

This command may be optional if your LDAP server does not require the FortiMail unit to authenticate when performing queries, and if you have enabled unauth-bind {enable | disable}.

bind-password <bindpw_str>

Enter the password of bind-dn <binddn_str>.

cache-state {enable | disable}

Enable to cache LDAP query results.

Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiMail unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.

If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

disable

cache-ttl <ttl_int>

Enter the amount of time, in minutes, that the FortiMail unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiMail unit to query the LDAP server, refreshing the cache.

The default TTL value is 1,440 minutes (one day). The maximum value is 10,080 minutes (one week). Entering a value of 0 effectively disables caching.

1440

chain <ldap-profile_name>

Enter the LDAP profile that you want to add to the group of other LDAP profiles to create a chain query.

chain-status {enable | disable}

Enable the chain query.

disable

client-cert-auth {enable | disable}

Enable if the LDAP server requires that clients such as the FortiMail unit present a client certificate to authenticate themselves during secure connections. Also configure client-cert <certificate_name>.

This setting is only available when secure {none | ssl} is ssl.

disable

client-cert <certificate_name>

Enter the name of a local certificate if the LDAP server requires that clients such as the FortiMail unit present a client certificate to identify themselvers during secure connections.FortiMail unit will use as its client certificate. This can be used instead of, or in addition to, a bind DN and password.

Also configure client-cert-auth {enable | disable}. This setting is only available when secure {none | ssl} is ssl.

Note: The certificate that FortiMail uses for client authentication must:

  • not be expired
  • not be revoked
  • be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit and that the server trusts (directly or indirectly, proven via a signing chain)

Otherwise the secure connection will fail.

Servers may have their own certificate validation requirements in addition to FortiMail requirements. For example, client certificates may require that Key Usage field allow client authentication. See yourLDAP server's documentation.

cnid-name <cnid_str>

Enter the name of the user objects’ common name attribute, such as cn or uid.

content <content-profile_name>

Enter the name of the attribute, such as genericContent, whose value is the name of the content profile assigned to the domain.

The name of this attribute may vary by the schema of your LDAP directory.

If you do not specify this attribute (that is, leave this field blank), then the content profile in the matched recipient-based policy will be used.

dereferencing {never | always | search | find}

Select the method to use, if any, when dereferencing attributes whose values are references.

  • never: Do not dereference.
  • always: Always dereference.
  • search: Dereference only when searching.
  • find: Dereference only when finding the base search object.

never

display-name

Enter the LDAP address mapping display name attribute.

domain-antispam-attr <attribute_str>

Enter the name of the antispam profile attribute, such as businessCategory, whose value is the name of the antispam profile assigned to the domain.

The name of this attribute may vary by the schema of your LDAP directory.

domain-antivirus-attr <attribute_str>

Enter the name of the antivirus profile attribute, such as preferredLanguage, whose value is the name of the antivirus profile assigned to the domain.

The name of this attribute may vary by the schema of your LDAP directory.

domain-content-attr

Enter the content attribute name.

domain-override {enable | disable}

Enable or disable system admin domain override.

domain-override-attribute

Enter the system admin domain ovveride attribute.

domain-parent-attr <attribute_str>

Enter the name of the parent domain attribute, such as description, whose value is the name of the parent domain from which a domain inheritate the specific RCPT check settings and quarantine report settings.

The name of this attribute may vary by the schema of your LDAP directory.

domain-query <query_str>

Enter an LDAP query filter that selects a set of domain objects, whichever object class contains the attribute you configured for this option, from the LDAP directory.

For details on query syntax, refer to any standard LDAP query filter reference manual.

For this option to work, your LDAP directory should contain a single generic user for each domain. Wildcard users (e.g. *@$d) are also supported for domain query, in cases where there is no generic domain user.

The user entry should be configured with attributes to represent the following:

  • parent domain from which a domain inherits the specific RCPT check settings and quarantine report settings.
    For example, description=parent.com

  • IP address of the backend mail server hosting the mailboxes of the domain.
    For example, mailHost=192.168.1.105

  • antispam profile assigned to the domain.
    For example, businessCategory=parentAntispam

  • antivirus profile assigned to the domain.
    For example, preferredLanguage=parentAntivirus

domain-routing-mail-host-attr <attribute_str>

Enter the name of the mail host attribute, such as mailHost, whose value is the name of the IP address of the backend mail server hosting the mailboxes of the domain.

The name of this attribute may vary by the schema of your LDAP directory.

domain-state {enable | disable}

Enable or disable the domain lookup option.

For more information about domain lookup, see domain-query <query_str>.

disable

external-address <attribute_str>

Enter the name of the attribute, such as externalAddress, whose value is an email address in the same or another protected domain.

This email address will be rewritten into the value of internal-address <attribute_str> according to the match conditions and effects described in Match evaluation and rewrite behavior for email address mappings:.

The name of this attribute may vary by the schema of your LDAP directory.

extAddress

fallback-port <port_int>

If you have configured a backup LDAP server that listens on a nonstandard port number, enter the TCP port number.

The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.

The FortiMail unit will use SSL-secured LDAP to connect to the server if secure is ssl.

389

fallback-server {<fqdn_str> | <server_ipv4>}

Enter either the fully qualified domain name (FQDN) or IP address of the backup LDAP server.

If there is no fallback server, enter an empty string ( '' ).

group-base-dn <basedn_str>

Enter the base DN portion of the group’s full DN, such as ou=Groups,dc=example,dc=com.

This command applies only if group-relative-name is enable.

group-expansion-level

Enter how many levels of nested groups will be expanded for lookup. Valid range is 1-6.

1

group-membership-attribute <attribute_str>

Enter the name of the attribute, such as memberOf or gidNumber, whose value is the group number or DN of a group to which the user belongs.

This attribute must be present in user objects.

Whether the value must use common name, group number, or DN syntax varies by your LDAP server schema. For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000.

group-name-attribute <attribute_str>

Enter the name of the attribute, such as cn, whose value is the group name of a group to which the user belongs.

This command applies only if group-relative-name is enable.

group-owner {enable | disable}

Enable to query the group object by its distinguished name (DN) to retrieve the DN of the group owner, which is a user that will receive that group’s spam reports. Using that user’s DN, the FortiMail unit will then perform a second query to retrieve that user’s email address, where the spam report will be sent.For more information on sending spam reports to the group owner, see domain-setting.

disable

group-owner-address-attribute <attribute_str>

Enter the name of the attribute, such as mail, whose value is the group owner’s email address.

If group-owner is enable, this attribute must be present in user objects.

group-owner-attribute <attribute_str>

Enter the name of the attribute, such as groupOwner, whose value is the distinguished name of a user object. You can configure the FortiMail unit to allow that user to be responsible for handling the group’s spam report.

If group-owner is enable, this attribute must be present in group objects.

group-relative-name {enable | disable}

Enable to specify the base distinguished name (DN) portion of the group’s full distinguished name (DN) in the LDAP profile. By specifying the group’s base DN and the name of its group name attribute in the LDAP profile, you will only need to supply the group name value when configuring each feature that uses this query.

For example, you might find it more convenient in each recipient-based policy to type only the group name, admins, rather than typing the full DN, cn=admins,ou=Groups,dc=example,dc=com. In this case, you could enable this option, then basedn (ou=Groups,dc=example,dc=com) and groupnameattribute (cn). When performing the query, the FortiMail unit would assemble the full DN by inserting the common name that you configured in the recipient-based policy between the groupnameattribute and the basedn configured in the LDAP profile.

Note: Enabling this option is appropriate only if your LDAP server’s schema specifies that the group membership attribute’s value must use DN syntax. It is not appropriate if this value uses another type of syntax, such as a number or common name.

For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000. Because a group ID number does not use DN syntax, you would not enable this option.

disable

group-virtual {enable | disable}

Enable to use objects within the base DN of base-dn <basedn_str> as if they were members of a user group object.

For example, your LDAP directory might not contain user group objects. In that sense, groups do not really exist in the LDAP directory. However, you could mimic a group’s presence by enabling this option to treat all users that are child objects of the base DN in the user object query as if they were members of such a group.

disable

groupstate {enable | disable}

Enable to perform LDAP group queries.

disable

internal-address <attribute_str>

Enter the name of the LDAP attribute, such as internalAddress, whose value is an email address in the same or another protected domain.

This email address will be rewritten into the value of external-address <attribute_str> according to the match conditions and effects described in Match evaluation and rewrite behavior for email address mappings:.

The name of this attribute may vary by the schema of your LDAP directory.

intAddress

port <port_int>

If you have configured a backup LDAP server that listens on a nonstandard port number, enter the TCP port number.

The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.

389

query <query_str>

Enter an LDAP query filter, enclosed in single quotes ( ' ), that selects a set of user objects from the LDAP directory.

The query filter string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.

For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

(& (objectClass=inetOrgPerson) (mail=$m))

where $m is the FortiMail variable for a user's email address.

If the email address ($m) as it appears in the message header is different from the user’s email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the user by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract “-spam" from the end of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=inetOrgPerson) (mail=$m$
{-spam}))

where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract “spam-" from the beginning of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=inetOrgPerson) (mail=$m$
{^spam-}))

where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.

For some schemas, such as Microsoft Active Directory-style schemas, this query will retrieve both the user’s primary email address and the user’s alias email addresses. If your schema style is different, you may want to also configure an alias query to resolve aliases.

For details on query syntax, refer to any standard LDAP query filter reference manual.

This command applies only if schema is userdefined.

(& (objectClass=inetOrgPerson) (mail=$m))

rcpt-vrfy-bypass {enable | disable}

If you have selected using LDAP server to verify recipient address and your LDAP server is down, enabling this option abandons recipient address verification and the FortiMail unit will continue relaying email.

disable

referrals-chase {enable | disable}

Enable chase referrals.

disable

routing-mail-host <attribute_str>

Enter the name of the LDAP attribute, such as mailHost, whose value is the fully qualified domain name (FQDN) or IP address of the email server that stores email for the user’s email account.

mailHost

routing-mail-addr <attribute_str>

Enter the name of the LDAP attribute, such as mailRoutingAddress, whose value is the email address of a deliverable user on the email server, also known as the mail host.

For example, a user may have many aliases and external email addresses that are not necessarily known to the email server. These addresses would all map to a real email account (mail routing address) on the email server (mail host) where the user’s email is actually stored.

A user’s recipient email address located in the envelope or header portion of each email will be rewritten to this address.

mailRoutingAddress

routing-state {enable | disable}

Enable to perform LDAP queries for mail routing.

disable

schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}

Enter either the name of the LDAP directory’s schema, or enter userdefined to indicate a custom schema.

If you enter userdefined, you must configure query.

inetorgperson

scope {base | one | sub}

Enter which level of depth to query:

base: Query the basedn level.

one: Query only the one level directly below the basedn in the LDAP directory tree.

sub: Query recursively all levels below the basedn in the LDAP directory tree.

sub

secure {none | ssl}

Select whether or not to connect to the LDAP server(s) using an encrypted connection.

  • none: Use a non-secure connection.
  • ssl: Use an SSL/TLS-secured (LDAPS) connection.

Note: If your FortiMail unit is deployed in server mode, and you want to enable webmail-password-change {enable | disable} using an LDAP server that uses a Microsoft ActiveDirectory-style schema, then you must select ssl. ActiveDirectory servers require a secure connection for queries that change user passwords.

none

server {<ldap_fqdn> | <ldap_ipv4> | <ldap_ipv6>

Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

timeout <timeout_int>

Enter the maximum amount of time in seconds that the FortiMail unit will wait for query responses from the LDAP server.

10

unauth-bind {enable | disable}

An unauthenticated bind is a bind where the user supplies a user name with no password. Some LDAP servers (such as Active Directory) allow unauthenticated bind by default. For better security, FortiMail does not accept empty password when doing LDAP authentication even if the backend LDAP server allows it.

In some cases, such as allowing all members of a distribution list to access their quarantined email in gateway and transparent mode, this option needs to be enabled in the LDAP profile, so that FortiMail can accept LDAP authentication requests with empty password (user name must not be empty), and forward such requests to the backend LDAP server. If unauthenticated bind is permitted by the LDAP server, AND if the user exists on the server, FortiMail will consider authentication successful and grant access to the user.

It is highly recommended that a dedicated LDAP profile (with this option enabled) is used for the above case. All other users should use separate LDAP profiles with this option disabled (this is the default setting) to maintain maximum security.

Note: This option is available in CLI only. And it only takes effect for webmail access in gateway and transparent mode.

disable

upn-suffix <upns_str>

If you want to use a UPN other than the mail domain, enter that UPN. This can be useful if users authenticate with a domain other than the mail server’s principal domain name.

version {ver2 | ver3}

Enter the version of the protocol used to communicate with the LDAP server.

ver3

webmail-password-change {enable | disable}

Enable to perform password change queries for FortiMail webmail users.

disable

webmail-password-schema {openldap | activedirectory}

Enter one of the following to indicate the schema of your LDAP directory:

openldap: The LDAP directory uses an OpenLDAP-style schema.

activedirectory: The LDAP directory uses a Microsoft Active Directory-style schema.
Note: Microsoft Active Directory requires that password changes occur over an SSL-secured connection.

openldap

Email address mapping

Address mappings are bidirectional, one-to-one or many-to-many mappings. They can be useful when:

  • you want to hide a protected domain’s true email addresses from recipients
  • a mail domain’s domain name is not globally DNS-resolvable, and you want to replace the domain name with one that is
  • you want to rewrite email addresses

Like aliases, address mappings translate email addresses. They do not translate many email addresses into a single email address. However, unlike aliases:

  • Mappings cannot translate one email address into many.
  • Mappings cannot translate an email address into one that belongs to an unprotected domain (this restriction applies to locally defined address mappings only; it is not enforced for mappings defined on an LDAP server).
  • Mappings are applied bidirectionally, when an email is outgoing as well as when it is incoming to the protected domain.
  • Mappings may affect both sender and recipient email addresses, and may affect those email addresses in both the message envelope and the message header, depending on the match condition.

The following table illustrates the sequence in which parts of each email are compared with address mappings for a match, and which locations’ email addresses are translated if a match is found.

Both RCPT TO: and MAIL FROM: email addresses are always evaluated for a match with an address mapping. If both RCPT TO: and MAIL FROM: contain email addresses that match the mapping, both mapping translations will be performed.

Match evaluation and rewrite behavior for email address mappings:

Order of evaluation

Match condition

If yes...

Rewrite to...

1

Does RCPT TO: match an external email address?

Replace RCPT TO:.

Internal email address

2

Does MAIL FROM: match an internal email address?

For each of the following, if it matches an internal email address, replace it:

MAIL FROM:

RCPT TO:

From:

To:

Return-Path:

Cc:

Reply-To:

Return-Receipt-To:

Resent-From:

Resent-Sender:

Delivery-Receipt-To:

Disposition-Notification-To:

External email address

For example, you could create an address mapping between the internal email address user1@marketing.example.net and the external email address sales@example.com. The following effects would be observable on the simplest case of an outgoing email and an incoming reply:

For email from user1@marketing.example.net to others: user1@marketing.example.net in both the message envelope (MAIL FROM:) and many message headers (From:, etc.) would then be replaced with sales@example.com. Recipients would only be aware of the email address sales@example.com.

For email to sales@example.com from others: The recipient address in the message envelope (RCPT TO:), but not the message header (To:), would be replaced with user1@marketing.example.net. user1@marketing.example.net would be aware that the sender had originally sent the email to the mapped address, sales@example.com.

Alternatively, you can configure an LDAP profile to query for email address mappings.

Related topics

profile authentication

profile ldap

profile ldap

Use this command to configure LDAP profiles which can query LDAP servers for authentication, email address mappings, and more.

Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended mail processing behaviors can result, including bypassing antivirus scans. For details on how to use an LDAP directory with FortiMail LDAP profiles, see the FortiMail Administration Guide.

LDAP profiles each contain one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server.

Syntax

config profile ldap

edit <profile_name>

set access-override {enable | disable}

set access-override-attribute <attribute_str>

set address-map-state {enable | disable}

set alias-base-dn <dn_str>

set alias-bind-dn <bind_dn_str>

set alias-bind-password <bindpw_str>

set alias-dereferencing {never | always | search | find}

set alias-expansion-level <limit_int>

set alias-group-expansion-state {enable | disable}

set alias-group-member-attribute <attribute_str>

set alias-group-query <query_str>

set alias-member-mail-attribute <attribute_str>

set alias-member-query <query_str>

set alias-schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}

set alias-scope {base one | sub}

set alias-state {enable | disable}

set antispam <attribute_str>

set antivirus <attribute_str>

set asav-state {enable | disable}

set auth-bind-dn {cnid | none | searchuser | upn}

set authstate {enable | disable}

set base-dn <basedn_str>

set bind-dn <binddn_str>

set bind-password <bindpw_str>

set cache-state {enable | disable}

set cache-ttl <ttl_int>

set chain <ldap-profile_name>

set chain-status {enable | disable}

set client-cert-auth {enable | disable}

set client-cert <certificate_name>

set cnid-name <cnid_str>

set content <content-profile_name>

set dereferencing {never | always | search | find}

set display-name

set domain-antispam-attr <attribute_str>

set domain-antivirus-attr <attribute_str>

set domain-content-attr

set domain-override {enable | disable}

set domain-override-attribute

set domain-parent-attr <attribute_str>

set domain-query <query_str>

set domain-routing-mail-host-attr <attribute_str>

set domain-state {enable | disable}

set external-address <attribute_str>

set fallback-port <port_int>

set fallback-server {<fqdn_str> | <server_ipv4>}

set group-base-dn <basedn_str>

set group-expansion-level

set group-membership-attribute <attribute_str>

set group-name-attribute <attribute_str>

set group-owner {enable | disable}

set group-owner-address-attribute <attribute_str>

set group-owner-attribute <attribute_str>

set group-relative-name {enable | disable}

set server-name <name_str>

set groupstate {enable | disable}

set internal-address <attribute_str>

set port <port_int>

set query <query_str>

set rcpt-vrfy-bypass {enable | disable}

set referrals-chase {enable | disable}

set routing-mail-host <attribute_str>

set routing-mail-addr <attribute_str>

set routing-state {enable | disable}

set schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}

set scope {base | one | sub}

set secure {none | ssl}

set server {<ldap_fqdn> | <ldap_ipv4> | <ldap_ipv6>

set timeout <timeout_int>

set unauth-bind {enable | disable}

set upn-suffix <upns_str>

set version {ver2 | ver3}

set webmail-password-change {enable | disable}

set webmail-password-schema {openldap | activedirectory}

end

Variable

Description

Default

<profile_name>

Enter the name of the LDAP profile.

access-override {enable | disable}

Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the LDAP server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used.

Also specify the access profile attribute.

disable

access-override-attribute <attribute_str>

Specify the access profile attribtue.

address-map-state {enable | disable}

Enable to query the LDAP server defined in the LDAP profile for user objects’ mappings between email addresses.

disable

alias-base-dn <dn_str>

Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for either alias or user objects.

User or alias objects should be child nodes of this location.

Whether you should specify the base DN of either user objects or alias objects varies by your LDAP schema style. Schema may resolve alias email addresses directly or indirectly (using references).

Direct resolution: Alias objects directly contain one or more email address attributes, such as mail or rfc822MailMember, whose values are user email addresses such as user@example.com, and that resolves the alias. The Base DN, such as ou=Aliases,dc=example,dc=com, should contain alias objects.

Indirect resolution: Alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are “members” of the alias “group.” User objects’ email address attribute values, such as user@example.com, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member" attributes whose value is the DN of a user object, such as uid=user,ou=People,dc=example,dc=com. The FortiMail unit performs a first query to retrieve the distinguished names of “member" user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such as ou=People,dc=example,dc=com, should contain user objects.

alias-bind-dn <bind_dn_str>

Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the basedn.

This command may be optional if your LDAP server does not require the FortiMail unit to authenticate when performing queries, and if you have enabled unauth-bind {enable | disable}.

alias-bind-password <bindpw_str>

Enter the password of alias-bind-dn <bind_dn_str>.

alias-dereferencing {never | always | search | find}

Select the method to use, if any, when dereferencing attributes whose values are references:

  • never: Do not dereference.
  • always: Always dereference.
  • search: Dereference only when searching.
  • find: Dereference only when finding the base search object.

never

alias-expansion-level <limit_int>

Enter the maximum number of alias nesting levels that aliases the FortiMail unit will expand.

0

alias-group-expansion-state {enable | disable}

Enable if your LDAP schema resolves email aliases indirectly. For more information on direct vs. indirect resolution, see alias-base-dn <dn_str>.

When this option is disabled, alias resolution occurs using one query. The FortiMail unit queries the LDAP directory using the basedn and the alias-member-query, and then uses the value of each alias-member-mail-attribute to resolve the alias.

When this option is enabled, alias resolution occurs using two queries:

The FortiMail unit first performs a preliminary query using the basedn and alias-group-query, and uses the value of each alias-group-member-attribute as the base DN for the second query.

The FortiMail unit performs a second query using the distinguished names from the preliminary query (instead of the basedn) and the alias-member-query, and then uses the value of each alias-member-mail-attribute to resolve the alias.

The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references in the form of distinguished names of member user objects, rather than directly containing email addresses to which the alias resolves. In this case, the FortiMail unit must first “expand" the alias object into its constituent user objects before it can resolve the alias email address.

disable

alias-group-member-attribute <attribute_str>

Enter the name of the attribute for the group member, such as member, whose value is the DN of a user object.

This attribute must be present in alias objects only if they do not contain an email address attribute specified in alias-member-mail-attribute <attribute_str>.

alias-group-query <query_str>

Enter an LDAP query filter that selects a set of alias objects, represented as a group of member objects in the LDAP directory.

The query filter string filters the result set, and should be based upon any attributes that are common to all alias objects but also exclude non-alias objects.

For example, if alias objects in your directory have two distinguishing characteristics, their objectClass and proxyAddresses attributes, the query filter might be:

(&(objectClass=group) (proxyAddresses=smtp:$m))

where $m is the FortiMail variable for an email address.

alias-member-mail-attribute <attribute_str>

Enter the name of the attribute for the alias member’s mail address, such as mail or rfc822MailMember, whose value is an email address to which the email alias resolves, such as user@example.com.

This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly.

alias-member-query <query_str>

Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in alias-member-mail-attribute <attribute_str>, from the LDAP directory.

The query filter string filters the result set, and should be based upon any attributes that are common to all user/alias objects but also exclude non-user/alias objects.

For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

(& (objectClass=alias) (mail=$m))

where $m is the FortiMail variable for a user's email address.

alias-schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}

Enter either the name of the LDAP directory’s schema, or enter userdefined to indicate a custom schema.

inetorgperson

alias-scope {base one | sub}

Enter which level of depth to query:

  • base: Query the basedn level.
  • one: Query only the one level directly below the basedn in the LDAP directory tree.
  • sub: Query recursively all levels below the basedn in the LDAP directory tree.

sub

alias-state {enable | disable}

Enable to query user objects for email address aliases.

disable

antispam <attribute_str>

Enter the name of the attribute, such as antispam, whose value indicates whether or not to perform antispam processing for that user.

antivirus <attribute_str>

Enter the name of the attribute, such as antivirus, whose value indicates whether or not to perform antivirus processing for that user.

asav-state {enable | disable}

Enable to query user objects for mappings between internal and external email addresses.

disable

auth-bind-dn {cnid | none | searchuser | upn}

Enter either none to not define a user authentication query, or one of the following to define a user authentication query:

cnid: Enter the name of the user objects’ common name attribute, such as cn or uid.

searchuser: Enter to form the user’s bind DN by using the DN retrieved for that user

This command applies only if schema is userdefined in “set ldap_profile profile user" on page 2407.

upn: Enter to form the user’s bind DN by prepending the user name portion of the email address ($u) to the User Principle Name (UPN, such as example.com).
By default, the FortiMail unit will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, also configure upn-suffix <upns_str>.

searchuser

authstate {enable | disable}

Enable to perform user authentication queries.

disable

base-dn <basedn_str>

Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as ou=People,dc=example,dc=com.

User objects should be child nodes of this location.

bind-dn <binddn_str>

Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the basedn.

This command may be optional if your LDAP server does not require the FortiMail unit to authenticate when performing queries, and if you have enabled unauth-bind {enable | disable}.

bind-password <bindpw_str>

Enter the password of bind-dn <binddn_str>.

cache-state {enable | disable}

Enable to cache LDAP query results.

Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiMail unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.

If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

disable

cache-ttl <ttl_int>

Enter the amount of time, in minutes, that the FortiMail unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiMail unit to query the LDAP server, refreshing the cache.

The default TTL value is 1,440 minutes (one day). The maximum value is 10,080 minutes (one week). Entering a value of 0 effectively disables caching.

1440

chain <ldap-profile_name>

Enter the LDAP profile that you want to add to the group of other LDAP profiles to create a chain query.

chain-status {enable | disable}

Enable the chain query.

disable

client-cert-auth {enable | disable}

Enable if the LDAP server requires that clients such as the FortiMail unit present a client certificate to authenticate themselves during secure connections. Also configure client-cert <certificate_name>.

This setting is only available when secure {none | ssl} is ssl.

disable

client-cert <certificate_name>

Enter the name of a local certificate if the LDAP server requires that clients such as the FortiMail unit present a client certificate to identify themselvers during secure connections.FortiMail unit will use as its client certificate. This can be used instead of, or in addition to, a bind DN and password.

Also configure client-cert-auth {enable | disable}. This setting is only available when secure {none | ssl} is ssl.

Note: The certificate that FortiMail uses for client authentication must:

  • not be expired
  • not be revoked
  • be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit and that the server trusts (directly or indirectly, proven via a signing chain)

Otherwise the secure connection will fail.

Servers may have their own certificate validation requirements in addition to FortiMail requirements. For example, client certificates may require that Key Usage field allow client authentication. See yourLDAP server's documentation.

cnid-name <cnid_str>

Enter the name of the user objects’ common name attribute, such as cn or uid.

content <content-profile_name>

Enter the name of the attribute, such as genericContent, whose value is the name of the content profile assigned to the domain.

The name of this attribute may vary by the schema of your LDAP directory.

If you do not specify this attribute (that is, leave this field blank), then the content profile in the matched recipient-based policy will be used.

dereferencing {never | always | search | find}

Select the method to use, if any, when dereferencing attributes whose values are references.

  • never: Do not dereference.
  • always: Always dereference.
  • search: Dereference only when searching.
  • find: Dereference only when finding the base search object.

never

display-name

Enter the LDAP address mapping display name attribute.

domain-antispam-attr <attribute_str>

Enter the name of the antispam profile attribute, such as businessCategory, whose value is the name of the antispam profile assigned to the domain.

The name of this attribute may vary by the schema of your LDAP directory.

domain-antivirus-attr <attribute_str>

Enter the name of the antivirus profile attribute, such as preferredLanguage, whose value is the name of the antivirus profile assigned to the domain.

The name of this attribute may vary by the schema of your LDAP directory.

domain-content-attr

Enter the content attribute name.

domain-override {enable | disable}

Enable or disable system admin domain override.

domain-override-attribute

Enter the system admin domain ovveride attribute.

domain-parent-attr <attribute_str>

Enter the name of the parent domain attribute, such as description, whose value is the name of the parent domain from which a domain inheritate the specific RCPT check settings and quarantine report settings.

The name of this attribute may vary by the schema of your LDAP directory.

domain-query <query_str>

Enter an LDAP query filter that selects a set of domain objects, whichever object class contains the attribute you configured for this option, from the LDAP directory.

For details on query syntax, refer to any standard LDAP query filter reference manual.

For this option to work, your LDAP directory should contain a single generic user for each domain. Wildcard users (e.g. *@$d) are also supported for domain query, in cases where there is no generic domain user.

The user entry should be configured with attributes to represent the following:

  • parent domain from which a domain inherits the specific RCPT check settings and quarantine report settings.
    For example, description=parent.com

  • IP address of the backend mail server hosting the mailboxes of the domain.
    For example, mailHost=192.168.1.105

  • antispam profile assigned to the domain.
    For example, businessCategory=parentAntispam

  • antivirus profile assigned to the domain.
    For example, preferredLanguage=parentAntivirus

domain-routing-mail-host-attr <attribute_str>

Enter the name of the mail host attribute, such as mailHost, whose value is the name of the IP address of the backend mail server hosting the mailboxes of the domain.

The name of this attribute may vary by the schema of your LDAP directory.

domain-state {enable | disable}

Enable or disable the domain lookup option.

For more information about domain lookup, see domain-query <query_str>.

disable

external-address <attribute_str>

Enter the name of the attribute, such as externalAddress, whose value is an email address in the same or another protected domain.

This email address will be rewritten into the value of internal-address <attribute_str> according to the match conditions and effects described in Match evaluation and rewrite behavior for email address mappings:.

The name of this attribute may vary by the schema of your LDAP directory.

extAddress

fallback-port <port_int>

If you have configured a backup LDAP server that listens on a nonstandard port number, enter the TCP port number.

The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.

The FortiMail unit will use SSL-secured LDAP to connect to the server if secure is ssl.

389

fallback-server {<fqdn_str> | <server_ipv4>}

Enter either the fully qualified domain name (FQDN) or IP address of the backup LDAP server.

If there is no fallback server, enter an empty string ( '' ).

group-base-dn <basedn_str>

Enter the base DN portion of the group’s full DN, such as ou=Groups,dc=example,dc=com.

This command applies only if group-relative-name is enable.

group-expansion-level

Enter how many levels of nested groups will be expanded for lookup. Valid range is 1-6.

1

group-membership-attribute <attribute_str>

Enter the name of the attribute, such as memberOf or gidNumber, whose value is the group number or DN of a group to which the user belongs.

This attribute must be present in user objects.

Whether the value must use common name, group number, or DN syntax varies by your LDAP server schema. For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000.

group-name-attribute <attribute_str>

Enter the name of the attribute, such as cn, whose value is the group name of a group to which the user belongs.

This command applies only if group-relative-name is enable.

group-owner {enable | disable}

Enable to query the group object by its distinguished name (DN) to retrieve the DN of the group owner, which is a user that will receive that group’s spam reports. Using that user’s DN, the FortiMail unit will then perform a second query to retrieve that user’s email address, where the spam report will be sent.For more information on sending spam reports to the group owner, see domain-setting.

disable

group-owner-address-attribute <attribute_str>

Enter the name of the attribute, such as mail, whose value is the group owner’s email address.

If group-owner is enable, this attribute must be present in user objects.

group-owner-attribute <attribute_str>

Enter the name of the attribute, such as groupOwner, whose value is the distinguished name of a user object. You can configure the FortiMail unit to allow that user to be responsible for handling the group’s spam report.

If group-owner is enable, this attribute must be present in group objects.

group-relative-name {enable | disable}

Enable to specify the base distinguished name (DN) portion of the group’s full distinguished name (DN) in the LDAP profile. By specifying the group’s base DN and the name of its group name attribute in the LDAP profile, you will only need to supply the group name value when configuring each feature that uses this query.

For example, you might find it more convenient in each recipient-based policy to type only the group name, admins, rather than typing the full DN, cn=admins,ou=Groups,dc=example,dc=com. In this case, you could enable this option, then basedn (ou=Groups,dc=example,dc=com) and groupnameattribute (cn). When performing the query, the FortiMail unit would assemble the full DN by inserting the common name that you configured in the recipient-based policy between the groupnameattribute and the basedn configured in the LDAP profile.

Note: Enabling this option is appropriate only if your LDAP server’s schema specifies that the group membership attribute’s value must use DN syntax. It is not appropriate if this value uses another type of syntax, such as a number or common name.

For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000. Because a group ID number does not use DN syntax, you would not enable this option.

disable

group-virtual {enable | disable}

Enable to use objects within the base DN of base-dn <basedn_str> as if they were members of a user group object.

For example, your LDAP directory might not contain user group objects. In that sense, groups do not really exist in the LDAP directory. However, you could mimic a group’s presence by enabling this option to treat all users that are child objects of the base DN in the user object query as if they were members of such a group.

disable

groupstate {enable | disable}

Enable to perform LDAP group queries.

disable

internal-address <attribute_str>

Enter the name of the LDAP attribute, such as internalAddress, whose value is an email address in the same or another protected domain.

This email address will be rewritten into the value of external-address <attribute_str> according to the match conditions and effects described in Match evaluation and rewrite behavior for email address mappings:.

The name of this attribute may vary by the schema of your LDAP directory.

intAddress

port <port_int>

If you have configured a backup LDAP server that listens on a nonstandard port number, enter the TCP port number.

The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.

389

query <query_str>

Enter an LDAP query filter, enclosed in single quotes ( ' ), that selects a set of user objects from the LDAP directory.

The query filter string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.

For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

(& (objectClass=inetOrgPerson) (mail=$m))

where $m is the FortiMail variable for a user's email address.

If the email address ($m) as it appears in the message header is different from the user’s email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the user by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract “-spam" from the end of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=inetOrgPerson) (mail=$m$
{-spam}))

where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract “spam-" from the beginning of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=inetOrgPerson) (mail=$m$
{^spam-}))

where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.

For some schemas, such as Microsoft Active Directory-style schemas, this query will retrieve both the user’s primary email address and the user’s alias email addresses. If your schema style is different, you may want to also configure an alias query to resolve aliases.

For details on query syntax, refer to any standard LDAP query filter reference manual.

This command applies only if schema is userdefined.

(& (objectClass=inetOrgPerson) (mail=$m))

rcpt-vrfy-bypass {enable | disable}

If you have selected using LDAP server to verify recipient address and your LDAP server is down, enabling this option abandons recipient address verification and the FortiMail unit will continue relaying email.

disable

referrals-chase {enable | disable}

Enable chase referrals.

disable

routing-mail-host <attribute_str>

Enter the name of the LDAP attribute, such as mailHost, whose value is the fully qualified domain name (FQDN) or IP address of the email server that stores email for the user’s email account.

mailHost

routing-mail-addr <attribute_str>

Enter the name of the LDAP attribute, such as mailRoutingAddress, whose value is the email address of a deliverable user on the email server, also known as the mail host.

For example, a user may have many aliases and external email addresses that are not necessarily known to the email server. These addresses would all map to a real email account (mail routing address) on the email server (mail host) where the user’s email is actually stored.

A user’s recipient email address located in the envelope or header portion of each email will be rewritten to this address.

mailRoutingAddress

routing-state {enable | disable}

Enable to perform LDAP queries for mail routing.

disable

schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}

Enter either the name of the LDAP directory’s schema, or enter userdefined to indicate a custom schema.

If you enter userdefined, you must configure query.

inetorgperson

scope {base | one | sub}

Enter which level of depth to query:

base: Query the basedn level.

one: Query only the one level directly below the basedn in the LDAP directory tree.

sub: Query recursively all levels below the basedn in the LDAP directory tree.

sub

secure {none | ssl}

Select whether or not to connect to the LDAP server(s) using an encrypted connection.

  • none: Use a non-secure connection.
  • ssl: Use an SSL/TLS-secured (LDAPS) connection.

Note: If your FortiMail unit is deployed in server mode, and you want to enable webmail-password-change {enable | disable} using an LDAP server that uses a Microsoft ActiveDirectory-style schema, then you must select ssl. ActiveDirectory servers require a secure connection for queries that change user passwords.

none

server {<ldap_fqdn> | <ldap_ipv4> | <ldap_ipv6>

Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

timeout <timeout_int>

Enter the maximum amount of time in seconds that the FortiMail unit will wait for query responses from the LDAP server.

10

unauth-bind {enable | disable}

An unauthenticated bind is a bind where the user supplies a user name with no password. Some LDAP servers (such as Active Directory) allow unauthenticated bind by default. For better security, FortiMail does not accept empty password when doing LDAP authentication even if the backend LDAP server allows it.

In some cases, such as allowing all members of a distribution list to access their quarantined email in gateway and transparent mode, this option needs to be enabled in the LDAP profile, so that FortiMail can accept LDAP authentication requests with empty password (user name must not be empty), and forward such requests to the backend LDAP server. If unauthenticated bind is permitted by the LDAP server, AND if the user exists on the server, FortiMail will consider authentication successful and grant access to the user.

It is highly recommended that a dedicated LDAP profile (with this option enabled) is used for the above case. All other users should use separate LDAP profiles with this option disabled (this is the default setting) to maintain maximum security.

Note: This option is available in CLI only. And it only takes effect for webmail access in gateway and transparent mode.

disable

upn-suffix <upns_str>

If you want to use a UPN other than the mail domain, enter that UPN. This can be useful if users authenticate with a domain other than the mail server’s principal domain name.

version {ver2 | ver3}

Enter the version of the protocol used to communicate with the LDAP server.

ver3

webmail-password-change {enable | disable}

Enable to perform password change queries for FortiMail webmail users.

disable

webmail-password-schema {openldap | activedirectory}

Enter one of the following to indicate the schema of your LDAP directory:

openldap: The LDAP directory uses an OpenLDAP-style schema.

activedirectory: The LDAP directory uses a Microsoft Active Directory-style schema.
Note: Microsoft Active Directory requires that password changes occur over an SSL-secured connection.

openldap

Email address mapping

Address mappings are bidirectional, one-to-one or many-to-many mappings. They can be useful when:

  • you want to hide a protected domain’s true email addresses from recipients
  • a mail domain’s domain name is not globally DNS-resolvable, and you want to replace the domain name with one that is
  • you want to rewrite email addresses

Like aliases, address mappings translate email addresses. They do not translate many email addresses into a single email address. However, unlike aliases:

  • Mappings cannot translate one email address into many.
  • Mappings cannot translate an email address into one that belongs to an unprotected domain (this restriction applies to locally defined address mappings only; it is not enforced for mappings defined on an LDAP server).
  • Mappings are applied bidirectionally, when an email is outgoing as well as when it is incoming to the protected domain.
  • Mappings may affect both sender and recipient email addresses, and may affect those email addresses in both the message envelope and the message header, depending on the match condition.

The following table illustrates the sequence in which parts of each email are compared with address mappings for a match, and which locations’ email addresses are translated if a match is found.

Both RCPT TO: and MAIL FROM: email addresses are always evaluated for a match with an address mapping. If both RCPT TO: and MAIL FROM: contain email addresses that match the mapping, both mapping translations will be performed.

Match evaluation and rewrite behavior for email address mappings:

Order of evaluation

Match condition

If yes...

Rewrite to...

1

Does RCPT TO: match an external email address?

Replace RCPT TO:.

Internal email address

2

Does MAIL FROM: match an internal email address?

For each of the following, if it matches an internal email address, replace it:

MAIL FROM:

RCPT TO:

From:

To:

Return-Path:

Cc:

Reply-To:

Return-Receipt-To:

Resent-From:

Resent-Sender:

Delivery-Receipt-To:

Disposition-Notification-To:

External email address

For example, you could create an address mapping between the internal email address user1@marketing.example.net and the external email address sales@example.com. The following effects would be observable on the simplest case of an outgoing email and an incoming reply:

For email from user1@marketing.example.net to others: user1@marketing.example.net in both the message envelope (MAIL FROM:) and many message headers (From:, etc.) would then be replaced with sales@example.com. Recipients would only be aware of the email address sales@example.com.

For email to sales@example.com from others: The recipient address in the message envelope (RCPT TO:), but not the message header (To:), would be replaced with user1@marketing.example.net. user1@marketing.example.net would be aware that the sender had originally sent the email to the mapped address, sales@example.com.

Alternatively, you can configure an LDAP profile to query for email address mappings.

Related topics

profile authentication