Managing users
The User menu enables you to configure email user-related settings, such as user preferences and PKI authentication. If the FortiMail unit is operating in server mode, the User menu also enables you to add email user accounts.
This section includes:
- Configuring local user accounts (server mode only)
- Configuring user preferences
- Configuring PKI authentication
- Managing imported users
- Configuring user import profiles
Configuring local user accounts (server mode only)
When operating in server mode, the FortiMail unit is a standalone email server. The FortiMail unit receives email messages, scans for viruses and spam, and then delivers email to its email users’ mailboxes. External MTAs connect to the FortiMail unit, which itself is also the protected email server.
When the FortiMail unit operates in server mode and the GUI operates in advanced mode, the User tab is available. It lets you configure email user accounts whose mailboxes are hosted on the FortiMail unit. Email users can then access their email hosted on the FortiMail unit using webmail, POP3 and/or IMAP. For information on webmail and other features used directly by email users, see Setup for email users.
To view email user accounts, go to Domain & User > User > User.
| GUI item | Description |
|---|---|
| Maintenance (button) | Select a user and click this button to manage that user's mailboxes, such as Inbox, Drafts and Sent. You can check the size of each mailbox, and empty or delete mailboxes as required. The SecureMail mailbox contains the secured email for the user. The Bulk mailbox contains spam quarantined by the FortiMail unit. Click Back to return to the Users tab. |
| Export .CSV (button) | Click to download a backup of the email users list in comma-separated value (CSV) file format. The user passwords are encoded for security. Caution: Most of the email user account data, such as mailboxes and preferences, is not included in the .csv file. For information on performing a complete backup, see Backup and restore. |
| Import .CSV (button) | In the field to the right of Import .CSV, enter the location of a CSV-formatted email user backup file, then click Import .CSV to upload the file to your FortiMail unit. The import feature provides a simple way to add a list of new users in one operation. See Importing a list of users. Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see Configuring protected domains. You may also want to back up the existing email user accounts. For details, see Backup and restore. |
| Password (button) | Select a user and click this button to change the user's password. A dialog appears. Choose whether to change the user password or to switch to LDAP authentication. You can create a new LDAP profile or edit an existing one. For details, see Configuring LDAP profiles. |
| Domain | Select the protected domain to display its email users, or select the protected domain to which you want to add an email user account before clicking New. You can see only the domains that are permitted by your administrator profile. |
| Search user | Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users is redisplayed with just those users that meet the search criteria. To return to the complete user list, clear the search field and press Enter. |
| User name | Displays the user name of an email user. |
| Type | Displays the type of user: local, LDAP, or RADIUS. |
| Display name | Displays the display name of an email user. |
| Disk Usage (KB) | Displays the disk space used by the email user's mailboxes, in kilobytes (KB). |
Configuring users in server mode
You can create users one at a time or import a list of users. Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see Configuring protected domains.
To configure an email user account
- Go to Domain & User > User > User.
- From Domain, select the name of the protected domain to which you want to add an email user. You can also set the domain in the user dialog.
- Either click New to add an email user or double-click an email user to modify it. A dialog appears.
- In User name, enter the name of the account in the selected domain whose email will be locally deliverable on the FortiMail unit. An email user may have numerous aliases, mail routing entries, and other email addresses on other systems in your network, such as accounting@example.com. The user name you enter in the New User dialog, however, is the account that the email user will use to log in to this FortiMail unit at the selected domain: for example, jsmith if the email address is jsmith@example.com.
- If necessary, change the user's domain: in the dropdown menu to the right of the @ symbol, select the name of the protected domain to which the email user belongs.
- For Authentication type, select one of the following:
  - Local, then enter the password for this email account.
  - LDAP, then select the name of an existing LDAP profile in the dropdown list.
  - RADIUS, then select the name of an existing RADIUS profile in the dropdown list.
  If no profile exists, click New to create one. If a profile exists but needs modification, select it and click Edit.
  Note: The LDAP option requires that you first create an LDAP profile in which you have enabled and configured user authentication options. See Configuring user authentication options.
- In Display name, enter the name that appears in the From: field of the message header for email sent by this user. For example, an email user whose email address is user1@example.com may prefer that their Display Name be "J Zang".
- Click Create or OK. For a new user, the FortiMail unit creates the account. Authentication is not yet enabled and a policy may not exist that allows the account to send and receive email. Complete the next two steps as applicable.
Note: If you rename an existing user account to a new user account name using the CLI command, all of the user's preferences and mail data are ported to the new user. However, because the account name has changed, the new user will not be able to decrypt and read encrypted email that was sent to the old user name.
Importing a list of users
The import feature provides a simple way to add a list of new local users in one operation. You can create a CSV file in any spreadsheet application and import the data, as long as the columns match the FortiMail format.
To create and import user records
- Go to Domain & User > User > User.
- Create at least one local (not LDAP) user.
- Select that user and click Export .CSV.
- Save the file on your local computer.
- Open the CSV file in a spreadsheet editor, such as Microsoft Excel.
- Enter user records in the pre-existing columns so that the new users exactly match the exported format, and delete the original exported user record.
Sample CSV format:
- Use the Save As feature to save the file in plain CSV format.
- On the User tab, click Import. A dialog appears.
- Click Browse to locate the CSV file to import and click Open.
- Click OK. A field appears showing the percentage of import completion, and then a dialog appears showing the number of imported records.
The import feature does not overwrite existing records.
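Because the import silently skips records that already exist and the spreadsheet step is where most mistakes happen (a full address typed into the user name column, a domain that is not yet a protected domain, a duplicate of an account already on the unit), it is worth validating the file before uploading it. The script below is an added example, not FortiMail's own tooling: it takes the header row from an Export .CSV file as the template, appends new users, and rejects rows that break the rules stated in this section. The column names in the constructed export (user_name, domain, display_name, password) are placeholders, since the real export header is not shown on this page; the code reads the header from the input rather than hard-coding it, so use your own export as the template.

```python
"""Build a user import CSV from an exported template (added example, not
FortiMail code). Column names in EXPORTED_CSV are placeholders: take the
header from your own Export .CSV file."""
import csv
import io

# Constructed stand-in for a one-user Export .CSV file (password is the
# encoded value the unit writes; the exact encoding is not documented here).
EXPORTED_CSV = (
    "user_name,domain,display_name,password\n"
    "jsmith,example.com,J Smith,ENCODED-PLACEHOLDER\n"
)

# Protected domains already configured on the unit (assumption for the demo).
PROTECTED_DOMAINS = {"example.com", "example.net"}


def build_import_csv(exported_text, new_users, protected_domains):
    """Return (csv_text, problems).

    Keeps the exported header verbatim and drops the exported template record,
    as the procedure instructs. Each new user is checked against the rules
    from this section before it is written:
      - the user name is the local part only (no '@') and is not empty
      - the domain is a configured protected domain
      - the user does not already exist (the import would not overwrite it,
        so the row would be silently ignored)
      - the row uses only columns present in the exported header
    """
    reader = csv.DictReader(io.StringIO(exported_text))
    header = reader.fieldnames
    existing = {(r["user_name"].lower(), r["domain"].lower()) for r in reader}
    problems, rows, seen = [], [], set()
    for u in new_users:
        key = (u.get("user_name", "").lower(), u.get("domain", "").lower())
        if not key[0] or "@" in key[0]:
            problems.append(f"{u}: user name must be the local part only")
            continue
        if key[1] not in protected_domains:
            problems.append(f"{u}: {key[1]!r} is not a protected domain")
            continue
        if key in existing or key in seen:
            problems.append(f"{u}: already exists; import would not overwrite it")
            continue
        extra = set(u) - set(header)
        if extra:
            problems.append(f"{u}: columns {sorted(extra)} not in exported header")
            continue
        seen.add(key)
        rows.append({h: u.get(h, "") for h in header})
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), problems
```

Run the check, fix every reported problem, and only then upload the resulting text through Import .CSV; a row the unit skips leaves no trace other than a lower record count in the final dialog.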
To change the password of multiple email user accounts
Caution: This procedure sets the same password for one or more email user accounts, which reduces the security of those accounts. To reduce risk, set a strong password and notify each email user whose password has been reset to configure a unique, strong password as soon as possible.
- Go to Domain & User > User > User.
- From Domain, select the name of the protected domain in which you want to change email user account passwords.
- Select the accounts:
  - To change the passwords of all email user accounts for the protected domain, mark the check box located in the check box column heading.
  - To change the passwords of individual email user accounts, in the check box column, mark the check box of each email user account whose password you want to change.
- Click Password.
- Select either:
  - Password, then enter the password for these email accounts, or
  - LDAP, then select the name of an LDAP profile in which you have enabled and configured the User Auth Options query, which enables the FortiMail unit to query the LDAP server to authenticate the email user.
Note: You can create LDAP profiles using the advanced mode of the GUI. For more information, see Configuring LDAP profiles.
See also
Managing the disk usage of email users mailboxes
Configuring PKI authentication
Managing the disk usage of email users mailboxes
If your email users often send or receive large attachments, email users’ mailboxes may rapidly consume the hard disk space of the FortiMail unit. You can manage the disk usage of email users’ mailboxes by monitoring the size of the folders, and optionally deleting their contents.
For example, if each email user has a mailbox folder named “Spam” that receives tagged spam, you might want to periodically empty the contents of these folders to reclaim hard disk space.
Alternatively, you can assign email users’ disk space quota in their resource profile. For details, see Configuring resource profiles.
To empty a mailbox folder
- Go to Domain & User > User > User.
- Select the check box for the user.
- Click Maintenance. A list of mailbox folder names with their hard disk usage appears.
- Select the mailbox folder that you want to empty, such as Trash, then click Empty. A confirmation dialog appears.
- Click OK.
See also
Configuring local user accounts (server mode only)
Configuring user preferences
The User Preferences tab lets you configure preferences for each email user, such as per-user safe lists and the preferred webmail and quarantine language.
Preferences apply to email user accounts in all operation modes but vary slightly in implementation. For example:
- Out-of-office status messages and mail forwarding can only be configured when the FortiMail unit is operating in server mode.
- In server mode, user accounts are stored on the FortiMail unit.
- In gateway or transparent mode, user accounts are hosted on your protected SMTP server.
Although you may have created a local user account, the user's preferences may not yet exist. You can either wait for an event that requires them to be automatically initialized with the default values, or you can manually create and modify them.
Administrators can modify preferences for each email user through the GUI. Email users can modify their own preferences by logging in to FortiMail webmail or the email quarantine.
To view and manage existing user preferences
- Go to Domain & User > User > User Preference.
- Either click New or double-click the user's preferences to modify them. A dialog appears that varies depending on the operation mode.
- Configure the user preferences as required.
| GUI item | Description |
|---|---|
| Delete User Data (button) | Select the user and then click this button to delete the user preference settings and mail data. |
| (dropdown button) | Click to reveal a dropdown menu with preference management options: Clear Safe List; Clear Block List; Enable Safelisting Outgoing Recipient; Disable Safelisting Outgoing Recipient; Enable Adding Recipient of Sent Email to Personal Address Book; Disable Adding Recipient of Sent Email to Personal Address Book; Global Edit (user preferences of) Selected User(s)/All Domain Users; Reset (resets preferences to their defaults). |
| Domain | Select the protected domain to display its email users, or select the protected domain to which you want to add an email user account before clicking New. You can see only the domains that are permitted by your administrator profile. |
| Search user | Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users is redisplayed with just those users that meet the search criteria. To return to the complete user list, clear the search field and press Enter. |
| User name | Displays the user name of an email user. |
| Display name (server mode only) | Displays the display name of the email user. |
| Language | Displays the language in which this email user prefers to display their quarantine and, if the FortiMail unit is operating in server mode, webmail. By default, this language preference is the same as the system-wide default webmail language preference. For more information, see Customizing the GUI appearance. |
| Safe List | The icon in this column indicates whether or not a personal safe list currently exists for this email user. Hover the mouse pointer over the list icon to determine its status: New means a personal safe list does not exist for this email user; Edit means one already exists. Click the icon to open a dialog where you can configure, back up, or restore the personal safe list. Safe lists include sender IP addresses, domain names, and email addresses that the email user wants to permit. Note: System-level lists take precedence over domain-level lists, and domain-level lists take precedence over personal-level lists. For more information on safe lists and block lists, see Managing the personal block lists and safe lists. |
| Block List | The icon in this column indicates whether or not a personal block list currently exists for this email user. Hover the mouse pointer over the list icon to determine its status: New means a personal block list does not exist for this email user; Edit means one already exists. Click the icon to open a dialog where you can configure, back up, or restore the personal block list. Block lists include sender IP addresses, domain names, and email addresses that the email user wants to block. Note: System-level lists take precedence over domain-level lists, and domain-level lists take precedence over personal-level lists. For more information on safe lists and block lists, see Managing the personal block lists and safe lists. |
| Secondary Accounts | The icon in this column indicates whether or not this email user also handles quarantined email messages for other email addresses. Hover the mouse pointer over the list icon to determine its status: New means a secondary accounts list does not exist for this email user; Edit means one already exists. Secondary accounts are email accounts in sub-domains that are linked to a user on the parent domain. For example, user1@example.com can have the following secondary accounts linked to it: user1@one.example.com and user1@two.example.com. Click the icon to open a dialog where you can add or remove secondary accounts. An account must already exist in one of the FortiMail domains before it can be added to this list. |
| Outgoing Recipient Safelisting (icon) | A green check mark icon indicates that automatic per-user safelisting is enabled; a red X icon indicates that it is disabled. When enabled, the FortiMail unit automatically adds recipient addresses in outgoing email sent by this email user to their per-user safe list, if this is allowed in the antispam profile. Email users can change this setting in their webmail preferences. For more information, log in to FortiMail webmail, then click Help. This setting can be initialized manually or automatically. FortiMail administrators can manually create and configure this setting when configuring email user preferences. If the setting has not yet been created when an email user logs in to FortiMail webmail, an email user sends outgoing email through the FortiMail unit, or a FortiMail administrator configures the email user's personal block or safe list (see Managing the personal block lists and safe lists), then the FortiMail unit automatically initializes this setting as disabled. |
| Preference | A green check mark indicates that the user preference has been configured and its settings will be used. A red check mark indicates that the user preference has not been configured and the default settings will be used. |
| Disk Usage | Displays how much disk space each user mailbox is using. |
See also
Configuring local user accounts (server mode only)
Configuring PKI authentication
Configuring PKI authentication
Go to Domain & User > User > PKI User to configure public key infrastructure (PKI) user authentication.
PKI users authenticate by presenting a valid client certificate, rather than by entering a user name and password.
A PKI user can be either an email user or a FortiMail administrator.
When a PKI user connects to the FortiMail unit with a web browser, the browser presents the PKI user's certificate to the FortiMail unit. If the certificate is valid, the FortiMail unit then authenticates the PKI user. To be valid, a client certificate must:
- not be expired
- not be revoked, according to either a certificate revocation list (CRL) or, if enabled, the Online Certificate Status Protocol (OCSP)
- be signed by a certificate authority (CA) whose certificate you have imported into the FortiMail unit
- contain a CA field whose value matches the CA certificate selected for the PKI user
- contain an Issuer field whose value matches the Subject field in the CA certificate
- contain a Subject field whose value contains the subject string configured for the PKI user; if that string is empty, the subject is not checked
- if LDAP Query is enabled, contain a Common Name (CN) or Subject Alternative field whose value matches the email address of a user object retrieved using the User Query Options of the LDAP profile
Note: Web browsers may have their own certificate validation requirements in addition to FortiMail requirements. For example, personal certificates may be required to contain the PKI user's email address in the
If the client certificate is not valid, then, depending on whether you have configured the FortiMail unit to require valid certificates, authentication either fails absolutely or falls back to user name and password authentication.
If the certificate is valid and authentication succeeds, the PKI user's web browser is redirected to either the GUI (for PKI users that are FortiMail administrators), or FortiMail webmail or the personal quarantine (for PKI users that are email users).
For details and examples about how to use PKI authentication for FortiMail email users and administrators, see Appendix F: PKI Authentication.
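The checks above combine into one decision, and the order matters when you troubleshoot a rejected login: a certificate can pass the CA chain and still be rejected by the Subject string or the LDAP email match, and an OCSP outage is either fatal or ignored depending on the PKI user's Unavailable action. The code below is an added example that models that decision; it is not FortiMail code and does not reproduce the unit's exact implementation. It uses the third-party `cryptography` package (pip install cryptography) to build a throwaway CA and client certificate in memory, so it runs offline. The LDAP result set, the revoked-serial set and the `revocation_available` flag are constructed stand-ins for the LDAP profile's User Query Options, the CRL/OCSP responder and the OCSP server being unreachable. The "require valid certificates" fallback to password authentication is out of scope here.

```python
"""Model of FortiMail's client-certificate validity rules (added example,
not FortiMail code). Requires the third-party `cryptography` package."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)


def _make_cert(subject, issuer, key, signer_key, email=None, ca=False, days=365):
    """Build a certificate; `email` goes into a Subject Alternative Name."""
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - dt.timedelta(days=1))
         .not_valid_after(NOW + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if email:
        b = b.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return b.sign(signer_key, hashes.SHA256())


def _not_after(cert):
    try:  # cryptography >= 42 exposes timezone-aware dates
        return cert.not_valid_after_utc
    except AttributeError:
        return cert.not_valid_after.replace(tzinfo=dt.timezone.utc)


def cert_email(cert, query_field):
    """Email address taken from the field selected by the PKI user's Query field."""
    if query_field == "Subject Alternative":
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        vals = ext.value.get_values_for_type(x509.RFC822Name)
        return vals[0] if vals else None
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)  # query_field == "CN"
    return cn[0].value if cn else None


def validate_client_cert(cert, ca_cert, subject_filter="", ldap_mail=None,
                         query_field="Subject Alternative", revoked=frozenset(),
                         revocation_available=True, unavailable_action="revoke"):
    """Return (ok, reason), applying the rules in the order listed above.
    ldap_mail=None means LDAP query is disabled for this PKI user."""
    if NOW > _not_after(cert):
        return False, "expired"
    if cert.issuer != ca_cert.subject:
        return False, "issuer does not match CA subject"
    try:  # the CA's signature over the client certificate
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False, "signature not from the configured CA"
    if subject_filter and subject_filter not in cert.subject.rfc4514_string():
        return False, "subject does not contain configured string"
    if not revocation_available:
        if unavailable_action == "revoke":  # Unavailable action = Revoke
            return False, "revocation status unavailable; treated as revoked"
    elif cert.serial_number in revoked:
        return False, "revoked"
    if ldap_mail is not None:
        mail = cert_email(cert, query_field)
        if mail is None or mail.lower() not in ldap_mail:
            return False, "no LDAP user with matching email"
    return True, "ok"


def demo():
    """Exercise the checks against a constructed CA, user and rogue CA."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
                         x509.NameAttribute(NameOID.COMMON_NAME, "Example Corp CA")])
    ca = _make_cert(ca_name, ca_name, ca_key, ca_key, ca=True, days=3650)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
                           x509.NameAttribute(NameOID.COMMON_NAME, "jsmith")])
    user = _make_cert(user_name, ca_name, user_key, ca_key, email="jsmith@example.com")
    # Same CA name, different key: passes the Issuer check, fails the signature check.
    rogue_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rogue_ca = _make_cert(ca_name, ca_name, rogue_key, rogue_key, ca=True)
    directory = {"jsmith@example.com"}  # constructed LDAP User Query result set
    return {
        "valid": validate_client_cert(user, ca, "O=Example Corp", directory),
        "wrong_subject": validate_client_cert(user, ca, "O=Other", directory),
        "not_in_ldap": validate_client_cert(user, ca, "", {"other@example.com"}),
        "revoked": validate_client_cert(user, ca, "", directory, revoked={user.serial_number}),
        "ocsp_down_revoke": validate_client_cert(user, ca, "", directory, revocation_available=False),
        "ocsp_down_ignore": validate_client_cert(user, ca, "", directory,
                                                 revocation_available=False, unavailable_action="ignore"),
        "rogue_ca": validate_client_cert(user, rogue_ca, "", directory),
    }
```

The rogue_ca case is the one to keep in mind when choosing a Subject string: name matching alone proves nothing, and only the signature check over the certificate body ties the client certificate to the CA you imported. The two ocsp_down cases show what the Unavailable action setting buys you; Ignore keeps users logging in during a responder outage at the cost of accepting a certificate you could not confirm is unrevoked.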
To view and configure PKI users
- Go to Domain & User > User > PKI User.
- Click New to add PKI authentication for an email user or administrator account, or double-click an account to modify it.
- Configure the following:
| GUI item | Description |
|---|---|
| Name | Displays the user name of the PKI user. |
| Domain | Displays the protected domain to which the PKI user is assigned. If Domain is empty, the PKI user is an administrator. |
| CA | Displays the name of the CA certificate used when validating the CA's signature of the client certificate. For more information, see Managing certificate authority certificates. |
| Subject | Displays a string used to match part of the value in the Subject field of the client certificate. If empty, matching values are not considered when validating the client certificate presented by the PKI user's web browser. |
| LDAP | If LDAP query is enabled, the LDAP configuration of this PKI user is shown in three parts: whether the LDAP query setting is enabled (indicated by E) or disabled (indicated by "-"); the name of the LDAP profile used for the query (see Configuring LDAP profiles); and the name of the field in the client certificate (either Subject Alternative or CN) whose value must match the email address of a user object in the LDAP directory. |
| OCSP | If OCSP is enabled, the OCSP configuration of this PKI user is shown in three parts: whether OCSP is enabled (indicated by E) or disabled (indicated by "-"); the URL of the OCSP server; and the action to take if the OCSP server is unavailable. If set to ignore, the FortiMail unit allows the user to authenticate. If set to revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails. |
| GUI item | Description |
|---|---|
| User name | For a new user, enter the name of the PKI user. There is no requirement to use the same name as the administrator or email user's account name, although you may find it helpful to do so. For example, you might have an administrator account named |
| Domain | Select either the protected domain to which the PKI user is assigned or, if the PKI user is a FortiMail administrator, System. You can see only the domains that are permitted by your administrator profile. |
| CA | Select either None or the name of the CA certificate to use when validating the CA's signature of the client certificate. For more information, see Managing certificate authority certificates. If you select None, you must configure Subject. |
| Subject | Enter the value that must match the Subject field of the client certificate. The FortiMail unit will use a CA certificate to authenticate a PKI user only if the subject string you enter here also appears in the CA certificate subject. If no subject is entered here, the subject is not considered when the FortiMail unit selects the certificate to use. |
| LDAP query | Enable to query an LDAP directory, such as Microsoft Active Directory, to determine the existence of the PKI user who is attempting to authenticate, then also configure LDAP profile and Query field. Note: If this option is enabled, no local user configuration is necessary. Instead, the FortiMail unit creates the personal quarantine folder and other necessary items when PKI authentication queries the LDAP server. |
| LDAP profile | From the dropdown list, select the LDAP profile to use when querying the LDAP server. If no profile exists, click New to create one. If a profile exists but needs modification, select it and click Edit. In both cases, the Edit LDAP Profile dialog appears. For more information, see Configuring LDAP profiles. This option is available only if LDAP query is enabled. |
| Query field | Select the name of the field in the client certificate (either CN or Subject Alternative) that contains the email address of the PKI user. This email address is compared with the value of the email address attribute of each user object queried from the LDAP directory, to determine whether the PKI user exists in the LDAP directory. This option is available only if LDAP query is enabled. |
| OCSP | Enable to use an Online Certificate Status Protocol (OCSP) server to query whether the client certificate has been revoked, then also configure URL, Remote certificate, and Unavailable action. |
| URL | Enter the URL of the OCSP server. See also Appendix C: Port Numbers. This option is available only if OCSP is enabled. |
| Remote certificate | Select the remote certificate that is used to verify the identity of the OCSP server. For more information, see Managing OCSP server certificates. This option is available only if OCSP is enabled. |
| Unavailable action | Select the action to take if the OCSP server is unavailable. If set to Ignore, the FortiMail unit allows the user to authenticate. If set to Revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails. This option is available only if OCSP is enabled. |
You need to take additional steps to activate and complete a PKI user's configuration.
To complete PKI user configuration
- To enable PKI authentication on your FortiMail unit for all PKI users, open the CLI and enter the following command:
    config system global
    set pki-mode enable
    end
- For each PKI user, import the client certificate into the user's web browser on each computer the PKI user will use to access the FortiMail unit. For details on installing certificates, see the documentation for your web browser. Client certificates must be valid. For information on how FortiMail units validate the client certificates of PKI users, see Configuring PKI authentication.
- In the GUI, import the CA certificate into the FortiMail unit. For more information, see Managing certificate authority certificates.
- For PKI users that are FortiMail administrators, select the PKI authentication type and select the PKI user to which the administrator account corresponds. For more information, see Configuring administrator accounts and access profiles.
- For PKI users that are email users, enable PKI user authentication in the incoming recipient-based policies that match those email users. For more information, see Controlling email based on sender and recipient addresses.
Caution: Control access to each PKI user's computer. Certificate-based PKI authentication controls access to the FortiMail unit based on PKI certificates, and their private keys, installed on each email user's or administrator's computer. Anyone who can access a computer where a PKI certificate is installed can gain access to the FortiMail unit, which can compromise its security.
See also
Configuring local user accounts (server mode only)
Configuring PKI authentication
Managing imported users
Go to Domain & User > User > Imported User to manually create users and/or groups, and to import and export users and/or groups via .CSV file.
Currently, you can periodically synchronize users from an LDAP server (such as Azure AD) or Microsoft 365 cloud server in order to verify mailbox count information. This feature is particularly beneficial for automatically maintaining up-to-date remote server information, as remote user/group records change over time.
All user email addresses (primary and secondary if applicable) can be synchronized, including distribution lists and alias addresses. Profiles are created and assigned to remote users/groups to configure synchronization schedules.
Note that if the delivered email address is a secondary address of the synced account, it will not be counted as a new mailbox.
Note that this advanced management feature is only available when User management is enabled under System > FortiGuard > Licensed Feature. For more information, see Configuring advanced management features.
To view and manage imported users
| GUI item | Description |
|---|---|
| Import (button) | Select to import users/groups by uploading a .CSV file. |
| Export (button) | Select to export the selected imported users/groups to .CSV format, allowing you to review the information elsewhere. |
| Type | Select whether to view individual imported users or groups. |
| Domain | Select the protected domain to display its imported email users/groups, or select the protected domain to which you want to add an email user/group before clicking New. You can see only the domains that are permitted by your administrator profile. |
| Status | A green check mark icon indicates that the imported user/group is enabled. |
| Display Name | Display name of the imported email user/group. This name appears in the |
| Email address | Displays the email address of the imported email user/group. |
| Type | Displays the entity type: User or Group. |
| Profile | Displays the user import profile the recipient belongs to. See Configuring user import profiles for more information. |
Configuring user import profiles
You can map remote users/groups to maintain a synchronization schedule with LDAP or Microsoft 365 servers.
To configure user import profiles
- Purchase the feature license and enable the feature. See User management.
- Go to Domain & User > User > User Import Profile.
| GUI item | Description |
|---|---|
| Clone (button) | Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. Enter a name and apply a domain for the new profile, and click OK. |
| Sync Now (button) | Click to prompt a synchronization between the FortiMail unit and the LDAP and/or Microsoft 365 servers to retrieve up-to-date user data. |
| Domain | Select the protected domain to display its user import profiles, or select the protected domain to which you want to add a user import profile before clicking New. You can see only the domains that are permitted by your administrator profile. |
| Name | Displays the user import profile name. |
| Domain | Displays the protected domain the user import profile is assigned to. |
| Type | Displays whether the user import profile is for LDAP or Microsoft 365. |
| Description | Displays the description of the user import profile. |
| Schedule | Displays the time intervals at which the user import profile conducts user import synchronizations. |
| Sync Status | Displays the current synchronization status. |
| Last Sync | Displays the last time a successful user import synchronization occurred. |
- Click New to add a profile or double-click a profile to modify it.
- Configure the following general settings:
| GUI item | Description |
|---|---|
| Profile name | For a new profile, enter its name. |
| Domain | Select the name of a protected domain to apply to the user import profile. You can see only the domains that are permitted by your administrator profile. |
| Search timeout | Define the synchronization query timeout period in seconds. Set a value between 60 and 600. |
| Type | Define the remote server type, either LDAP or Microsoft 365. |
| Tenant ID | For Microsoft 365 profiles, enter the Microsoft 365 tenant ID. |
| Application ID | For Microsoft 365 profiles, enter the Microsoft 365 application ID. |
| Application secret | For Microsoft 365 profiles, enter the Microsoft 365 application secret. |
| Server name/IP | For LDAP profiles, enter the fully qualified domain name (FQDN) or IP address of the LDAP server. |
| Port | Enter the port number on which the LDAP server listens. The default port number varies with Secure LDAP connection. See also Appendix C: Port Numbers. |
| Secure LDAP connection | Enable to connect to the LDAP server using an encrypted connection. |
| Protocol version | Select the LDAP server protocol version. |
| Scope | Define the search scope of the LDAP search, either Base, One Level, or Subtree. |
| Description | Optionally enter a description for the profile. |
| Default Bind Option | Click to expand and configure the settings listed under Default Bind Option below. |
| User Query Option | Click to expand and configure the settings listed under User Query Option below. |
| Group Query Option | Click to expand and configure the settings listed under Group Query Option below. |
| Schedule | Click to expand and configure the settings listed under Schedule below. |
- Configure the expandable sections:
Default Bind Option
  - Base DN: Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as ou=People,dc=example,dc=com. User objects should be child nodes of this location.
  - Bind DN: Enter the bind DN, such as cn=fortimail,dc=example,dc=com, of an LDAP user account with permission to query the Base DN.
  - Bind password: Enter the password of the Bind DN.
  - Browse: Click to browse the LDAP directory starting from the location that you specified in Base DN or, if you have not yet entered a Base DN, from the root of the LDAP directory tree. Browsing the LDAP tree can be useful if you need to locate your Base DN or look up attribute names. Before browsing, first configure Server name/IP, Secure LDAP connection, Bind DN, Bind password, and Protocol version, then click Create or OK. These fields provide the minimum information required to establish the directory browsing connection.
User Query Option
  - User query: Enter the LDAP query string that returns all users, for example (mail=*) if using OpenLDAP.
  - Display name attribute: Enter the LDAP display name attribute, such as cn.
  - Primary address attribute: Enter the LDAP attribute that holds the user's primary email address, such as mail.
  - Secondary address attribute: Enter the LDAP attribute that holds the user's secondary email addresses.
Group Query Option
  - Group query: Enter the LDAP query string that returns all groups.
  - Display name attribute: Enter the LDAP group/mailing list display name attribute.
  - Primary address attribute: Enter the LDAP attribute that holds the group's primary email address.
  - Secondary address attribute: Enter the LDAP attribute that holds the group's secondary email addresses.
Schedule
  - Schedule: Define a synchronization schedule of Daily, Weekly, or Monthly (or none). If setting a weekly or monthly schedule, set the days of the week or days of the month on which synchronizations should occur.
  - At hour: Define the hour of the day at which synchronization will occur.
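Base DN, Scope, the query filter and the address attributes interact, and the result decides which remote addresses become mailboxes on the unit. The script below is an added example, not FortiMail code and not a real LDAP client: it evaluates those profile settings against a small constructed in-memory directory so you can see, offline, what a given combination would select, and it applies the rule stated earlier in this section that a delivery to a secondary address of a synced account does not count as a new mailbox. The directory entries, attribute names (mail, mailAlternateAddress) and filter strings are assumptions chosen for the demonstration; the filter parser handles only the simple presence, equality and &/|/! forms used here, and DN parsing does not handle escaped commas.

```python
"""Offline model of what a user import profile's LDAP settings select
(added example, not FortiMail code). Directory contents are constructed."""
import fnmatch

# Constructed directory: DN -> attributes (each value is a list, as in LDAP).
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=People,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=Groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=J Smith,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["J Smith"],
        "mail": ["jsmith@example.com"], "mailAlternateAddress": ["john.smith@example.com"]},
    "cn=A Lee,ou=Contractors,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["A Lee"], "mail": ["alee@example.com"]},
    "cn=No Mail,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["No Mail"]},
    "cn=sales,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["sales"], "mail": ["sales@example.com"]},
}

# Mirrors the profile fields on this page; values are assumptions for the demo.
PROFILE = {
    "base_dn": "ou=People,dc=example,dc=com",
    "scope": "Subtree",  # Base | One Level | Subtree
    "user_query": "(&(objectClass=inetOrgPerson)(mail=*))",
    "user_primary": "mail",
    "user_secondary": "mailAlternateAddress",
}


def _parse(f, i=0):
    """Parse a subset of RFC 4515 filters: (&...), (|...), (!...), (a=v), (a=*)."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        assert f[i] == ")"
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, _, val = f[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _match(node, attrs):
    op = node[0]
    if op == "&":
        return all(_match(k, attrs) for k in node[1])
    if op == "|":
        return any(_match(k, attrs) for k in node[1])
    if op == "!":
        return not _match(node[1][0], attrs)
    _, attr, val = node
    values = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
    if val == "*":  # presence filter, e.g. (mail=*)
        return bool(values)
    return any(fnmatch.fnmatchcase(v.lower(), val.lower()) for v in values)


def _dn_parts(dn):
    return [p.strip().lower() for p in dn.split(",")]  # no escaped commas here


def in_scope(dn, base_dn, scope):
    """Base: the Base DN entry only; One Level: its children; Subtree: all below."""
    d, b = _dn_parts(dn), _dn_parts(base_dn)
    if d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"Base": depth == 0, "One Level": depth == 1, "Subtree": True}[scope]


def ldap_search(directory, base_dn, scope, filter_str):
    node, _ = _parse(filter_str)
    return {dn: a for dn, a in directory.items()
            if in_scope(dn, base_dn, scope) and _match(node, a)}


def sync_entries(directory, base_dn, scope, query, primary_attr, secondary_attr=None):
    """Return {primary address: [secondary addresses]} for matching entries."""
    out = {}
    for attrs in ldap_search(directory, base_dn, scope, query).values():
        primary = (attrs.get(primary_attr) or [None])[0]
        if not primary:
            continue  # no primary address, so nothing to map a mailbox to
        out[primary.lower()] = [a.lower() for a in attrs.get(secondary_attr or "", [])]
    return out


def sync_users(directory, profile):
    return sync_entries(directory, profile["base_dn"], profile["scope"],
                        profile["user_query"], profile["user_primary"], profile["user_secondary"])


def mailbox_for(address, users):
    """Mailbox a delivered address counts against: a secondary address maps to
    its primary (not a new mailbox); an unknown address maps to None."""
    address = address.lower()
    if address in users:
        return address
    for primary, secondaries in users.items():
        if address in secondaries:
            return primary
    return None
```

Two things the run makes visible: One Level from ou=People misses the contractor under a nested OU, which Subtree picks up; and a bare (mail=*) query with the Base DN set at the domain root pulls the sales group in as if it were a user, which is why the user query here restricts objectClass and groups get their own query.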