Fortinet white logo
Fortinet white logo

Administration Guide

Configuring LDAP profiles

Configuring LDAP profiles

The LDAP submenu lets you configure LDAP profiles which can query LDAP servers such as FortiAuthenticator, Microsoft Active Directory, Red Hat Directory Server, or Google Cloud Identity for authentication, email address mappings, and more.

Caution

Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended mail processing behaviors can result, including bypassing antivirus scans. For details on preparing an LDAP directory for use with FortiMail LDAP profiles, see Preparing your LDAP schema for FortiMail LDAP profiles.

LDAP profiles each contain one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server. The LDAP profile list indicates which queries you have enabled in each LDAP profile.

To view the list of LDAP profiles, go to Profile > LDAP > LDAP.

GUI item

Description

Clone

(button)

Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

Comment

Displays the comment in the profile.

Name

Displays the name of the profile.

Server

Displays the domain name or IP address of the LDAP server.

Port

Displays the listening port of the LDAP server.

Group

Indicates whether Group Query Options is enabled.

Auth

Indicates whether User Authentication Options is enabled.

Alias

Indicates whether User Alias Options is enabled.

Routing

Indicates whether Mail Routing Options is enabled.

Address Map

Indicates whether Address Mapping Options is enabled.

Cache

Indicates whether query result caching is enabled.

Ref.

Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

You can add an LDAP profile to define a set of queries that the FortiMail unit can use with an LDAP server. You might create more than one LDAP profile if, for example, you have more than one LDAP server, or you want to configure multiple, separate query sets for the same LDAP server.

After you have created an LDAP profile, LDAP profile options will appear in other areas of the FortiMail unit’s configuration. These options let you to select the LDAP profile where you might otherwise create a reference to a configuration item stored locally on the FortiMail unit itself. These other configuration areas will only allow you to select applicable LDAP profiles — that is, those LDAP profiles in which you have enabled the query required by that feature. For example, if a feature requires a definition of user groups, you can select only from those LDAP profiles where Group Query Options are enabled.

To configure an LDAP profile

  1. Go to Profile > LDAP > LDAP.

  2. Click New to add a profile or double-click a profile to modify it.

    A dialog appears.

  3. Configure the following settings:

    GUI item

    Description

    Name

    For a new profile, enter a unique name.

    Comment

    Optional. Enter a descriptive comment.

    Server name/IP

    Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

    Port: Enter the port number where the LDAP server listens.

    The default port number varies by your selection in Use secure connection. See also Appendix C: Port Numbers.

    Fallback server name/IP

    Optional. Enter the fully qualified domain name (FQDN) or IP address of an alternate LDAP server that the FortiMail unit can query if the primary LDAP server is unreachable.

    Port: Enter the port number where the fallback LDAP server listens.

    The default port number varies by your selection in Use secure connection. See also Appendix C: Port Numbers.

    Use secure connection

    Select whether or not to connect to the LDAP servers using an encrypted connection.

    • none: Use a non-secure connection.
    • SSL: Use an SSL/TLS-secured (LDAPS) connection.

      If the LDAP server requires that clients such as the FortiMail unit present a client certificate to identify themselves during secure connections, then select the certificate from the Client certificate dropdown. Optionally,to authenticate using the selected certificate, enable Use client certificate for TLS authentication.This can be used instead of, or in addition to, a bind DN and password. See also Managing local certificates.

    Click Test LDAP Query to test the connection. A pop-up window appears. For details, see To verify user query options.

    Note: If your FortiMail unit is deployed in server mode, and you want to enable Enable webmail password change using an LDAP server that uses a Microsoft Active Directory-style schema, then you must select SSL. Active Directory servers require a secure connection for queries that change user passwords.

    Note: The certificate that FortiMail uses for client authentication must:

    • not be expired
    • not be revoked
    • be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit and that the server trusts (directly or indirectly, proven via a signing chain)

    Otherwise the secure connection will fail.

    Servers may have their own certificate validation requirements in addition to FortiMail requirements. For example, client certificates may require that Key Usage field allow client authentication. See your LDAP server's documentation.

    Default Bind Options

    Base DN

    Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for user objects, such as:

    ou=People,dc=example,dc=com

    User objects should be child nodes of this location.

    Bind DN

    Enter the bind DN of an LDAP user account with permissions to query the Base DN, such as:

    cn=fortimail,dc=example,dc=com

    Bind password

    Enter the password of the Bind DN.

    Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree.

    Browsing the LDAP tree can be useful if you need to locate your Base DN, or need to look up attribute names. For example, if the Base DN is unknown, browsing can help you to locate it.

    Note: Before you click Browse, you must configure Server name/IP, Use secure connection, Bind DN, Bind password, and Protocol version, then click Create or OK. These fields provide minimum information required to establish the directory browsing connection.

  4. Configure the following sections:

Configuring user query options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand User Query Options section.

  4. Configure the query to retrieve the distinguished names (DN) of user objects by their email addresses:

    GUI item

    Description

    Schema

    Click Schema to select a schema style. Then you can edit the schema or select User Defined and write your own schema.

    User query

    Enter an LDAP query filter that selects a set of user objects from the LDAP directory.

    The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects. For details, see Example: LDAP user query.

    For details on query syntax, refer to any standard LDAP query filter reference manual.

    Warning: To avoid user query confusion, this field cannot be empty.

    Scope

    Select which level of depth to query, starting from Base DN.

    • One level: Query only the one level directly below the base DN in the LDAP directory tree.
    • Subtree: Query recursively all levels below the base DN in the LDAP directory tree.

    Derefer

    Select the method to use, if any, when dereferencing attributes whose values are references.

    • Never: Do not dereference.
    • Always: Always dereference.
    • Search: Dereference only when searching.
    • Find: Dereference only when finding the base search object.

    Retrieve display name for webmail

    If enabled, when a webmail user (authenticated using LDAP) composes email, the display name of the From header will be automatically set to the value defined in LDAP, instead of the user preference.

    Display name attribute

    Specify the LDAP attribute of the display name to query. The default value is "cn".

Example: LDAP user query

For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

(& (objectClass=inetOrgPerson) (mail=$m))

where $m is the FortiMail variable for a user's email address.

If the email address ($m) as it appears in the message header is different from the user’s email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the user by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam from the end of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=inetOrgPerson) (mail=$m$
{-spam}))

where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam- from the beginning of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=inetOrgPerson) (mail=$m$
{^spam-}))

where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.

For some schemas, such as Microsoft Active Directory-style schemas, this query will retrieve both the user’s primary email address and the user’s alias email addresses. If your schema style is different, you may want to also configure User Alias Options to resolve aliases. For details, see Configuring user alias options.

Configuring group query options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand Group Query Options section.

    For more information on determining user group membership by LDAP query, see Controlling email based on sender and recipient addresses or Controlling email based on IP addresses.

  4. Configure the following:

    GUI item

    Description

    Use LDAP tree node as group

    Enable to use objects within the Base DN of User Query Options as if they were members of a user group object.

    For example, your LDAP directory might not contain user group objects. In that sense, groups do not really exist in the LDAP directory. However, you could mimic a group’s presence by enabling this option to treat all users that are child objects of the Base DN in User Query Options as if they were members of such a group.

    Group membership attribute

    Enter the name of the attribute, such as memberOf or gidNumber, whose value is the group number or DN of a group to which the user belongs.

    This attribute must be present in user objects.

    Whether the value must use common name, group number, or DN syntax varies by your LDAP server schema. For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000.

    Use group name with base DN as group DN

    Enable to specify the base distinguished name (DN) portion of the group’s full DN in the LDAP profile. By specifying the group’s base DN and the name of its group name attribute in the LDAP profile, you will only need to supply the group name value when configuring each feature that uses this query.

    For example, you might find it more convenient in each recipient-based policy to type only the group name, admins, rather than typing the full DN, cn=admins,ou=Groups,dc=example,dc=com. In this case, you could enable this option, then configure Group base DN (ou=Groups,dc=example,dc=com) and Group name attribute (cn). When performing the query, the FortiMail unit would assemble the full DN by inserting the common name that you configured in the recipient-based policy between the Group name attribute and the Group base DN configured in the LDAP profile.

    Note: Enabling this option is appropriate only if your LDAP server’s schema specifies that the group membership attribute’s value must use DN syntax. It is not appropriate if this value uses another type of syntax, such as a number or common name.

    For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000. Because a group ID number does not use DN syntax, you would not enable this option.

    Group base DN

    Enter the base DN portion of the group’s full DN, such as:

    ou=Groups,dc=example,dc=com

    This option is available only if Use group name with base DN as group DN is enabled.

    Group name attribute

    Enter the name of the attribute, such as cn, whose value is the group name of a group to which the user belongs.

    This option is available only if Use group name with base DN as group DN is enabled.

    Max group expansion level

    Enter how many levels of nested groups will be expanded for lookup. Valid range is 1-6. Default value is 1.

    Lookup group owner

    Enable to query the group object by its distinguished name (DN) to retrieve the DN of the group owner, which is a user that will receive that group’s quarantine reports. Using that user’s DN, the FortiMail unit will then perform a second query to retrieve that user’s email address, where the quarantine report will be sent.

    For more information on sending quarantine reports to the group owner, see Quarantine Report Setting and Managing the personal quarantines.

    Group owner attribute

    Enter the name of the attribute, such as groupOwner, whose value is the distinguished name of a user object. You can configure the FortiMail unit to allow that user to be responsible for handling the group’s quarantine report.

    If Lookup group owner is enabled, this attribute must be present in group objects.

    Group owner address attribute

    Enter the name of the attribute, such as mail, whose value is the group owner’s email address.

    If Lookup group owner is enabled, this attribute must be present in user objects.

Configuring user authentication options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the User Authentication Options section.

    For more information on authenticating users by LDAP query, see Controlling email based on sender and recipient addresses.

  4. Configure the following:

    GUI item

    Description

    Try UPN or mail address as bind DN

    Select to form the user’s bind DN by prepending the user name portion of the email address ($u) to the User Principle Name (UPN, such as example.com).

    By default, the FortiMail unit will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in the field named Alternative UPN suffix. This can be useful if users authenticate with a domain other than the mail server’s principal domain name.

    Try common name with base DN as bind DN

    Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute, such as cn or uid into the field.

    This option is preconfigured and read-only if, in User Query Options, you have selected from Schema any schema style other than User Defined.

    Search user and try bind DN

    Select to form the user’s bind DN by using the DN retrieved for that user by User Query Options.

Configuring user alias options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the User Alias Options section.

    Resolving aliases to real email addresses enables the FortiMail unit to send a single quarantine report and maintain a single quarantine mailbox at each user’s primary email account, rather than sending separate quarantine reports and maintaining separate quarantine mailboxes for each alias email address. For FortiMail units operating in server mode, this means that users need only log in to their primary account in order to manage their spam quarantine, rather than logging in to each alias account individually.

  4. Configure the following:

    GUI item

    Description

    Schema

    (dropdown list)

    Click Schema to select a schema style. Then you can edit the schema or select User Defined and write your own schema.

    Alias member attribute

    Enter the name of the attribute, such as mail or rfc822MailMember, whose value is an email address to which the email alias resolves, such as user@example.com.

    This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly. For more information, see Base DN.

    This option is preconfigured and read-only if, in User Alias Options, you have selected from Schema any schema style other than User Defined.

    Alias member query

    Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in Alias member attribute, from the LDAP directory.

    This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

    The query string filters the result set, and should be based upon any attributes that are common to all user/alias objects but also exclude objects that are not user/alias objects. For details, see Example: Alias member query.

    For more information on required object types and their attributes, see Preparing your LDAP schema for FortiMail LDAP profiles.

    For details on query syntax, refer to any standard LDAP query filter reference manual.

    User group expansion In advance

    Enable if your LDAP schema resolves email aliases indirectly. For more information on direct versus indirect resolution, see Base DN.

    When this option is disabled, alias resolution occurs using one query. The FortiMail unit queries the LDAP directory using the Base DN and the Alias member query, and then uses the value of each Alias member attribute to resolve the alias.

    When this option is enabled, alias resolution occurs using two queries:

    The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references in the form of distinguished names of member user objects, rather than directly containing email addresses to which the alias resolves. In this case, the FortiMail unit must first “expand” the alias object into its constituent user objects before it can resolve the alias email address.

    This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

    Group member attribute

    Enter the name of the attribute, such as member, whose value is the DN of a user object.

    This attribute must be present in alias objects only if they do not contain an email address attribute specified in Alias member attribute.

    This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.

    Group member query

    Enter an LDAP query filter that selects a set of alias objects, represented as a group of member objects in the LDAP directory.

    The query string filters the result set, and should be based upon any attributes that are common to all alias objects but also exclude non-alias objects.

    For example, if alias objects in your directory have two distinguishing characteristics, their objectClass and proxyAddresses attributes, the query filter might be:

    (&(objectClass=group) (proxyAddresses=smtp:$m))

    where $m is the FortiMail variable for a recipient email address. ($s is a sender email address.)

    This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.

    For details on query syntax, refer to any standard LDAP query filter reference manual.

    Max alias expansion level

    Specify the maximum number of alias nesting levels that will be expanded for lookup. Valid range is 1-12 and the default value is 1.

    Scope

    Select which level of depth to query, starting from Base DN.

    • One level: Query only the one level directly below the base DN in the LDAP directory tree.
    • Subtree: Query recursively all levels below the base DN in the LDAP directory tree.

    Derefer

    Select the method to use, if any, when dereferencing attributes whose values are references.

    • Never: Do not dereference.
    • Always: Always dereference.
    • Search: Dereference only when searching.
    • Find: Dereference only when finding the base search object.

    Use separate bind (configure the following if Default Bind Options is not what you want)

    Base DN

    Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for either alias or user objects.

    User or alias objects should be child nodes of this location.

    Whether you should specify the base DN of either user objects or alias objects varies by your LDAP schema style. Schema may resolve alias email addresses directly or indirectly (using references).

    • With a direct resolution, alias objects directly contain one or more email address attributes, such as mail or rfc822MailMember, whose values are user email addresses such as user@example.com, and that resolves the alias. The Base DN, such as ou=Aliases,dc=example,dc=com, should contain alias objects.
    • With an indirect resolution, alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are “members” of the alias “group.” User objects’ email address attribute values, such as user@example.com, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member” attributes whose value is the DN of a user object, such as uid=user,ou=People,dc=example,dc=com. The FortiMail unit performs a first query to retrieve the distinguished names of “member” user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such as ou=People,dc=example,dc=com, should contain user objects.

    Bind DN

    Enter the bind DN of an LDAP user account with permissions to query the Base DN, such as:

    cn=FortiMailA,dc=example,dc=com

    Bind password

    Enter the password of the Bind DN.

Example: Alias member query

For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

(& (objectClass=alias) (mail=$m))

where $m is the FortiMail variable for a user's email address.

If the email address ($m) as it appears in the message header is different from the alias email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the alias by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam from the end of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=alias) (mail=$m${-spam}))

where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam- from the beginning of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=alias) (mail=$m${^spam-}))

where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.

Whether you should configure this query filter to retrieve user or alias objects depends on whether your schema resolves email addresses directly or indirectly (using references). For more information on direct versus indirect alias resolution, see Base DN.

If alias objects in your schema provide direct resolution, configure this query string to retrieve alias objects. Depending on your schema style, you can do this either using the user name portion of the alias email address ($u), or the entire email address ($m). For example, for the email aliases finance@example.com and admin@example.com, if your LDAP directory contains alias objects distinguished by cn: finance and cn: admin, respectively, this query string could be cn=$u.

If alias objects in your schema provide indirect resolution, configure this query string to retrieve user objects by their distinguished name, such as distinguishedName=$b or dn=$b. Also enable User group expansion In advance, then configure Group member query to retrieve email address alias objects, and configure Group Member Attribute to be the name of the alias object attribute, such as member, whose value is the distinguished name of a user object.

Configuring mail routing

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the Mail Routing Options section.

    Note

    The Mail Routing Options section query occurs after recipient tagging processing. If you have enabled recipient tagging, the Mail Routing Options section query will then be based on the tagged recipient address. If the tagged email address does not exist for the user in the LDAP directory, you may prefer to transform the recipient address by using the User Alias Options.

  4. Configure the following:

    GUI item

    Description

    Mail host attribute

    Enter the name of the attribute, such as mailHost, whose value is the fully qualified domain name (FQDN) or IP address of the email server that stores email for the user’s email account.

    This attribute must be present in user objects.

    Mail routing address attribute

    Enter the name of the attribute, such as mailRoutingAddress, whose value is the email address of a deliverable user on the email server, also known as the mail host.

    For example, a user may have many aliases and external email addresses that are not necessarily known to the email server. These addresses would all map to a real email account (mail routing address) on the email server (mail host) where the user’s email is actually stored.

    A user’s recipient email address located in the envelope or header portion of each email will be rewritten to this address.

    This attribute must be present in user objects.

Configuring address mapping options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the Address Mapping Options section.

    Mappings usually should not translate an email address into one that belongs to an unprotected domain. However, unlike locally defined address mappings, this restriction is not enforced for mappings defined on an LDAP server.

    After configuring a profile with this query, you must select it in order for the FortiMail unit to use it.

    Alternatively, you can configure email address mappings on the FortiMail unit itself.

  4. Configure the following:

    GUI item

    Description

    Internal address attribute

    Enter the name of the LDAP attribute, such as internalAddress, whose value is an email address in the same or another protected domain.

    This email address will be rewritten to the value of the external address attribute according to the match conditions and effects.

    The name of this attribute may vary by the schema of your LDAP directory.

    External address attribute

    Enter the name of the attribute, such as externalAddress, whose value is an email address in the same or another protected domain.

    This email address will be rewritten to the value of the internal address attribute according to the match conditions and effects.

    The name of this attribute may vary by the schema of your LDAP directory.

    Display name attribute

    Enter the name of the attribute, such as displayName, whose value is the display name of the user.

    This display name will be inserted into the sender message header before the external email address, such as:

    From: Display Name<externalAddress@example.com>

    The name of this attribute may vary by the schema of your LDAP directory.

Configuring scan override options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the Scan Override Options section.

    Note

    If the Scan Override Options query fails, then the FortiMail unit will instead use the antispam, antivirus, and content processing settings defined in the profile for that policy.

  4. Configure the following:

    GUI item

    Description

    AntiSpam attribute

    Enter the name of the attribute, such as antispam, whose value indicates whether or not to perform antispam processing for that user, and which antispam profile to use. Multiple syntax values are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.

    If enabled, this attribute setting takes precedence over the generic antispam attribute setting in the domain lookup options (see Configuring domain lookup options).

    If you enable this option but leave the attribute field blank, the antispam profile in the matched recipient-based policy will be used.

    AntiVirus attribute

    Enter the name of the attribute, such as antivirus, whose value indicates whether or not to perform antivirus processing for that user and which antivirus profile to use. Multiple value syntaxes are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.

    If enabled, this attribute setting takes precedence over the generic antivirus attribute setting in the domain lookup options (see Configuring domain lookup options).

    If you enable this option but leave the attribute field blank, the antivirus profile in the matched recipient-based policy will be used.

    Content attribute

    Enter the name of the attribute, such as content, whose value indicates whether or not to perform content processing for that user and which content profile to use. Multiple value syntaxes are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.

    If enabled, this attribute setting takes precedence over the generic content attribute setting in the domain lookup options (see Configuring domain lookup options).

    If you enable this option but leave the attribute field blank, the content profile in the matched recipient-based policy will be used.

Configuring domain lookup options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

When configuring domain settings in gateway and transparent mode, if you set the Relay Type to LDAP Domain Mail Host, FortiMail will query the LDAP server to look up the domain and apply the antispam, antivirus, and content profiles assigned to this domain. If you set the Relay Type to other methods, the following settings will not apply.

If the LDAP server does not find a user matching the domain, the user is considered as unknown, and the mail will be rejected unless it has a specific access list entry.

For this option to work, your LDAP directory should contain a single generic user for each domain such as generic@example.com because the FortiMail unit will only look at the domain portion of the generic user’s mail address, such as example.com.

When an SMTP session is processed, the FortiMail unit will query the LDAP server for the domain portion retrieved from the recipient email address. If the LDAP server finds a user entry, it will reply with the domain objects defined in the LDAP directory, including parent domain attribute, generic mail host attribute, generic antispam attribute, and generic antivirus attribute. The FortiMail unit will remember the mapping domain, mail routing, and antispam and antivirus profiles information to avoid querying the LDAP server again for the same domain portion retrieved from a recipient email address in the future.

If there are no antispam and antivirus profiles for the user, the FortiMail unit will use the antispam and antivirus profiles from the matching IP policy.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the Domain Lookup Options section.

  4. Configure the following:

    GUI item

    Description

    Domain Lookup Query

    Enter an LDAP query filter that selects a set of domain objects, whichever object class contains the attribute you configured for this option, from the LDAP directory.

    Since each domain needs a generic user in the LDAP directory, you can specify the query filter as the following:

    mail=generic@$d

    Where the value of $d is the domain name.

    Parent domain attribute

    Enter the name of the attribute, such as parentDomain, whose value is the name of the parent domain from which a domain inherits the specific RCPT TO: check settings and quarantine report settings.

    The name of this attribute may vary by the schema of your LDAP directory.

    Mail host attribute

    Enter the name of the attribute, such as mailHost, whose value is the IP address of the backend mail server hosting the mailboxes of the domain.

    The name of this attribute may vary by the schema of your LDAP directory.

    AntiSpam attribute

    Enter the name of the attribute, such as genericAntispam, whose value is the name of the antispam profile assigned to the domain.

    The name of this attribute may vary by the schema of your LDAP directory.

    If you do not specify this attribute (that is, leave this field blank), the antispam profile in the matched recipient-based policy will be used.

    AntiVirus attribute

    Enter the name of the attribute, such as genericAntivirus, whose value is the name of the antivirus profile assigned to the domain.

    The name of this attribute may vary by the schema of your LDAP directory.

    If you do not specify this attribute (that is, leave this field blank), the antivirus profile in the matched recipient-based policy will be used.

    Content attribute

    Enter the name of the attribute, such as genericContent, whose value is the name of the content profile assigned to the domain.

    The name of this attribute may vary by the schema of your LDAP directory.

    If you do not specify this attribute (that is, leave this field blank), the content profile in the matched recipient-based policy will be used.

Configuring remote access override options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

When you add a FortiMail administrator (see Configuring administrator accounts), you must specify an access profile (the access privileges) for the administrator. You must also specify a domain (either system or a protected domain) that the administrator is allowed to access.

If you are adding an LDAP account, you can override the access profile and domain setting with the values of the remote attributes returned from the LDAP server.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the Remote Access Override Options section.

  4. Configure the following:

    GUI item

    Description

    Enable remote access override

    Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the LDAP server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used.

    Also specify the access profile attribute.

    Enable remote domain override

    Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the LDAP server, if the returned value matches an existing protected domain. If there is no match, the specified domain will still be used.

    Also specify the domain name attribute.

Configuring LDAP chain query

If you use different attributes for similar or same values on different LDAP servers, you may want to query all of the LDAP servers one by one (a chain query).

You can do this by grouping several LDAP profiles into one LDAP profile. The order of the profiles determines the sequential order of the queries.

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the LDAP Profile Chain.

  4. From the LDAP profile list, select the profile you want to add to the chain and click the plus sign.

  5. Repeat the above step to add more profiles.

Configuring advanced options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

  1. Go to Profile > LDAP > LDAP.

  2. Click New to create a new profile or double click on an existing profile to edit it.

  3. Click the arrow to expand the Advanced Options section.

  4. Configure the following:

    GUI item

    Description

    Timeout

    Enter the maximum amount of time in seconds that the FortiMail unit will wait for query responses from the LDAP server.

    Protocol version

    Select the LDAP protocol version used by the LDAP server.

    Referrals chase

    Enable to use the LDAP server’s function of referral chasing, that is, instead of returning a result, it will return a referal to another LDAP server, which may contain further information.

    Enable cache

    Enable to cache LDAP query results.

    Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiMail unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.

    If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

    Clear Cache

    Select to empty the FortiMail unit’s LDAP query cache.

    This can be useful if you have updated the LDAP directory, and want the FortiMail unit to refresh its LDAP query cache with the new information.

    TTL

    Enter the amount of time, in minutes, that the FortiMail unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiMail unit to query the LDAP server, refreshing the cache.

    The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching.

    This option is applicable only if Enable cache is enabled.

    Enable webmail password change

    Enable if you want to allow FortiMail webmail users to change their password.

    This option does not appear for FortiMail units operating in gateway or transparent mode. Active Directory appears only if Use secure connection is SSL.

    Password schema

    Select your LDAP server’s user schema style, either Openldap or Active Directory.

    Bypass user verification if server is unavailable

    If you have selected using LDAP server to verify recipient or sender address and your LDAP server is not accessible, then you can enable this option to bypass the address verification process.

    Note: This option only takes effect in gateway and transparent mode.

    For more information about recipient address verification, see Configuring recipient address verification.

Preparing your LDAP schema for FortiMail LDAP profiles

FortiMail units can be configured to consult an LDAP server for many things that you might otherwise normally have to configure on the FortiMail unit itself, such as user authentication, group membership, mail routing, and other features. Especially if you have a large amount of users and groups already defined on an LDAP directory, you may find it more convenient to query those existing definitions than to recreate the definition of those same users locally on the FortiMail unit. To accomplish this, you would configure an LDAP profile, then select that LDAP profile in other areas of the configuration that should use its LDAP queries.

LDAP profiles require compatible LDAP server directory schema and contents. Your LDAP server configuration may already be compatible. However, if your LDAP server configuration does not contain required information in a schema acceptable to LDAP profile queries, you may be required to modify either or both your LDAP profile and LDAP directory schema.

Note

Verify your LDAP server’s configuration for each query type that you enable and configure. For example, if you enable mail routing queries, verify connectivity and that each user object in the LDAP directory includes the attributes and values required by mail routing. Failure to verify enabled queries can result in unexpected mail processing behavior.

Using common schema styles

Your LDAP server schema may require no modification if:

  • your LDAP server already contains all information required by the LDAP profile queries you want to enable
  • your LDAP server uses a common schema style, and a matching predefined LDAP query configuration exists for that schema style

If both of those conditions are true, your LDAP profile configuration may also be very minimal. Some queries in LDAP profiles contain schema options that automatically configure the query to match common schema styles such as IBM Lotus Domino, Microsoft ActiveDirectory (AD), and OpenLDAP. If you will only enable those queries that have schema options, it may be sufficient to select your schema style for each query.

For example, your LDAP server might use an OpenLDAP-style schema, where two types of user object classes exist, but both already have mail and userPassword attributes. Your FortiMail unit is in gateway mode, and you want to use LDAP queries to use users’ email addresses to query for authentication. In this scenario, it may be sufficient to:

  1. In the LDAP profile, enter the domain name or IP address of the LDAP server.
  2. Configure the LDAP profile queries:
  • In User Query Options, select from Schema which OpenLDAP schema your user objects follow: either InetOrgPerson or InetLocalMailRecipient. Also enter the Base DN, Base DN, and Bind password to authenticate queries by the FortiMail unit and to specify which part of the directory tree to search.
  • In User Authentication Options, enable the query with the option to Search user and try bind DN.
  • Configure mail domains and policies to use the LDAP profile to authenticate users and perform recipient verification.
  • Using other schema styles

    If your LDAP server’s schema is not one of the predefined common schema styles, or if you want to enable queries that require information that does not currently exist in your directory, you may need to adapt either or both your LDAP server and LDAP profile query configuration.

    Note

    Before modifying your LDAP directory, verify that changes will be compatible with other applications using the directory. You may prefer to modify the LDAP profile query and/or add new attributes than to modify existing structures that are used by other applications, in order to reduce the likelihood of disruption to other applications. For instructions on modifying schema or setting attribute values, consult the documentation for your specific LDAP server.

    The primary goal when modifying your LDAP directory is to provide, in some way that can be retrieved by LDAP profile queries, the information required by FortiMail features which can use LDAP profiles. Depending on the LDAP profile queries that you enable, you may need to add to your LDAP directory:

    • user objects
    • user group objects
    • email alias objects

    Keep in mind that for some schema styles, such as that of Microsoft ActiveDirectory, user group objects may also play a double role as both user group objects and email alias objects. For the purpose of FortiMail LDAP queries, email alias objects can be any object that can be used to expand email aliases into deliverable email addresses, which are sometimes called distribution lists.

    For each of those object types, you may also need to add required attributes in a syntax compatible with the FortiMail features that uses those attributes.

    At a minimum, your LDAP directory must have user objects that each contain an email address attribute, and the value of that email address attribute must use full email address syntax (for example, mail: user@example.com). This attribute is required by User Query Options, a query which is required in every LDAP profile.

    Many other aspects of LDAP profiles are flexible enough to query for the required information in more than one way. It may be sufficient to modify the query strings and other fields in the LDAP profile to match your individual LDAP directory.

    For example, the purpose of the User Query Options is to find the distinguished name (DN) of user objects by their email addresses, represented by the FortiMail variable $m. Often user objects can be distinguished by the fact that they are the only records that contain the attribute-value pair objectClass: User. If the class of user name objects in your LDAP directory is not objectClass: User but instead objectClass: inetOrgPerson, you could either modify:

    • the LDAP profile’s user query to request user objects as they are denoted on your particular server, using objectClass=inetOrgPerson; for example, you might modify the user query from:

    (&(objectClass=User)(mail=$m))

    to be:

    (&(objectClass=inetOrgPerson)(mail=$m))

    • the LDAP server’s schema to match the queries’ expected structure, where user objects are defined by objectClass=User

    Alternatively, perhaps there are too many user objects, and you prefer to instead retrieve only those user objects belonging to a specific group number. In this case, you might modify the query string from:

    (&(objectClass=User)(mail=$m))

    to be:

    (&(objectClass=User)(gidNumber=102)(mail=$m))

    You can use any attribute-value pairs to filter the query result set, as long as they are unique and common to all objects in your intended result set.

    For example, most directories do not contain an antivirus processing switch attribute for each user. However, FortiMail units can perform antivirus processing, which can be switched off or on depending on the results from an LDAP query. The FortiMail unit expects the query to return a value that may use Boolean syntax (TRUE or FALSE) that reflects whether or not, respectively, to perform antivirus processing. In this case, you would add to user objects in your LDAP directory an antivirus attribute whose value is a Boolean value.

    The following table indicates expected object types, attribute names, and value syntax, as well as query results, for each LDAP profile query. Attributes listed should be present, but their names may vary by schema. Attributes that do not have a default name require that you configure them in both your LDAP profile and your LDAP directory’s schema.

    LDAP directory requirements for each FortiMail LDAP profile query

    Object type

    Attribute

    Value

    Query result

    User Query Options

    User object classes such as inetOrgPerson, inetLocalMailRecipient, User, dominoPerson.

    mail

    A user’s email address.

    Query compares the email address to the value of this attribute to find the matching user, and retrieve that user’s distinguished name (DN), which is the basis for most other LDAP profile queries.

    Group Query Options

    (Objects from User Query Options.)

    gidNumber or memberOf

    Varies by schema. Typically is either a group number or the distinguished name (DN) of the group.

    Query retrieves the group name for any user defined by User Query Options.

    (Objects from User Query Options.)

    mail

    A user’s email address.

    Query uses the DN retrieved from groupOwner to retrieve the email address of the user specified by that DN.

    User group object classes such as group or groupOfNames.

    groupOwner

    A user object’s DN.

    Query retrieves the DN of a user object from the group defined in gidNumber or memberOf.

    User Authentication Options

    (Objects from User Query Options.)

    userPassword

    Any.

    Query verifies user identity by binding with the user password for any user defined by User Query Options.

    User Alias Options

    Email alias object classes such as nisMailAlias, or user objects from User Query Options, depending on whether your schema resolves email aliases directly or indirectly, respectively. For details, see Base DN.

    rfc822MailMember (for alias objects) or mail (for user objects)

    Either the user name portion of an email address (e.g. user; for alias objects), or the entire email address (e.g. user@example.com; for user objects).

    Query expands an alias to one or more user email addresses.

    If the alias is resolved directly, this query retrieves the email addresses from the alias object itself. If the alias is resolved indirectly, this query first queries the alias object for member attributes, then uses the DN of each member in a second query to retrieve the email addresses of those user objects. For details, see Base DN.

    User group object classes such as group or groupOfNames.

    User groups are not inherently associated with email aliases, but for some schemas, such as Microsoft Active Directory, group objects play the role of email alias objects, and are used to indirectly resolve email aliases. For details, see Base DN.

    member

    A user object’s DN, or the DN of another alias object.

    Query retrieves the DN of a user object that is a member of the group.

    This attribute is required only if aliases resolve to user email addresses indirectly. For details, see Base DN.

    Mail Routing Options

    (Objects from User Query Options.)

    mailHost

    A fully qualified domain name (FQDN) or IP address.

    Query retrieves the fully qualified domain name (FQDN) or IP address of the mail server — sometimes also called the mail host — that stores email for any user defined by User Query Options.

    mailRoutingAddress

    A user’s email address for a user account whose email is physically stored on mailHost.

    Query retrieves the email address for a real account physically stored on mailHost for any user defined by User Query Options.

    Scan Override Options

    (Objects from User Query Options.)

    No default attribute name.

    Varies by schema. May be:

    • TRUE, YES, 1, ENABLE or ENABLED (on)
    • FALSE, NO, 0, DISABLE, or DISABLED, or any other value not associated with “on” (off)
    • the name of an antivirus profile

    Query retrieves whether or not to perform antivirus processing, or which profile to use, for any user defined by User Query Options.

    No default attribute name.

    Varies by schema. May be:

    • TRUE, YES, 1, ENABLE or ENABLED (on)
    • FALSE, NO, 0, DISABLE, or DISABLED, or any other value not associated with “on” (off)
    • the name of an antivirus profile

    Query retrieves whether or not to perform antispam processing, or which profile to use, for any user defined by User Query Options.

    Address Mapping Options

    (Objects from User Query Options.)

    No default attribute name.

    A user’s internal email address.

    Query retrieves the user’s internal email address

    No default attribute name.

    A user’s external email address.

    Query retrieves the user’s external email address.

    Enable webmail password change

    (Objects from User Query Options.)

    userPassword

    Any.

    Query, upon successful bind using the existing password, changes the password for any user defined by User Query Options.

    Each LDAP profile query filter string may indicate expected value syntax by the FortiMail variables used in the query filter string.

    • $b: the query filter expects the attribute’s value to be a bind DN
    • $d: the query filter expects the attribute’s value to be a domain name
    • $f: the query filter expects the attribute’s value to be a sender domain name
    • $m: the query filter expects the attribute’s value to be a recipient email address
    • $s: the query filter expects the attribute’s value to be a sender email address
    • $u: the query filter expects the attribute’s value to be a user name

    The following example illustrates a matching LDAP directory and LDAP profile. Labels indicate the part of the LDAP profile that is configured to match the directory schema.

    Example: Compatible LDAP directory and LDAP profile

    Testing LDAP profile queries

    After you have created an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiMail unit can connect to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.

    When testing a query in an LDAP profile, you may encounter error messages that indicate failure of the query and how to fix the problem.

    LDAP Query Failure Message

    Meaning and Solution

    Empty input

    The query cannot be performed until you provide the information required by the query.

    Connection Failed

    The FortiMail unit could not connect to the LDAP server. The LDAP server may be unreachable, or the LDAP profile may be configured with an incorrect IP address, port number, or secure connection setting.

    Failed to bind with bind DN and password

    The FortiMail unit successfully connected to the LDAP server, but could not authenticate in order to perform the query. If the server permits anonymous queries, the Bind DN and Bind password you specified in User Query Options section should be blank. Otherwise, you must enter a valid bind DN and its password.

    Unable to found user DN that matches mail address

    The FortiMail unit successfully connected to the LDAP server, and, if configured, bound, but could not find a user whose email address attribute matched that value. The user may not exist on the LDAP server in the Base DN and using the query filter you specified in User Query Options, or the value of the user’s email address attribute does not match the value that you supplied in Mail address.

    Unable to find LDAP group for user

    The FortiMail unit successfully located a user with that email address, but their group membership attribute did not match your supplied value. The group membership attribute you specified in Group Query Options may not exist, or the value of the group membership attribute may not match the value that you supplied in Group base DN. If the value does not match, verify that you have supplied the Group base DN according to the syntax expected by both your LDAP server and your configuration of Group Query Options.

    Group owner query failure

    The FortiMail unit successfully connected to the LDAP server, but could not find a group whose distinguished name matched that value. The group may not exist on the LDAP server, or the value of the group’s distinguished name attribute does not match the value that you entered in Group base DN.

    Authentication failure

    Failed to bind

    The FortiMail unit successfully located a user with that email address, but the user’s bind failed and the FortiMail unit was unable to authenticate the user. Binding may fail if the value of the user’s password attribute does not match the value that you supplied in Old password. If this error message appears when testing Enable webmail password change, it also implies that the query failed to change the password.

    Unable to find mail alias

    The FortiMail unit was unable to find the email alias. The email address alias may not exist on the LDAP server in the Base DN and using the query filter you specified in User Alias Options, or the value of the alias’ email address attribute does not match the value that you supplied in Mail address.

    Error for LDAP user profile ID

    The FortiMail unit failed to change the email user’s password. Verify that you have entered the correct existing password in Old password.

    To verify user query options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose User Query Options section query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select User.

    5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record.

    To verify group query options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Group Query Options section query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query. Fields displayed in the window vary by whether or not Use group name with base DN as group DN is enabled in Group Query Options section.

    4. From Select query type, select Group.

    5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Either the Group DN or Group Name field appears. If Group DN appears, enter the value of the user’s group membership attribute. If Group Name appears, enter only the group name portion of the value of the user’s group membership attribute.

      For example, a Group DN entry with valid syntax could be either:

      • 10000
      • admins
      • cn=admins,ou=People,dc=example,dc=com

      but a Group Name entry with valid syntax would be admins.

      Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.

    7. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the group to which the user belongs.

    To verify group query options group owner

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Group Query Options group owner query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query. Fields displayed in the window vary by whether or not Use group name with base DN as group DN is enabled in Group Query Options.

    4. From Select query type, select Group Owner.

    5. Either the Group DN or Group Name field appears. If Group DN appears, enter the distinguished name of the group object. If Group Name appears, enter only the group name portion of the distinguished name of the group object.

      For example, a Group DN entry with valid syntax would be cn=admins,ou=People,dc=example,dc=com, but a Group Name entry with valid syntax would be admins.

      Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the group record and find the group owner and their email address.

    To verify user authentication options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Authentication.

    5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. In Password, enter the current password for that user.

    7. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, or binding to authenticate the user.

    To verify user query options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose user query options you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Alias.

    5. In Email address, enter the email address alias of a user on the LDAP server, such as test-alias@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the alias record, or binding to authenticate the user.

    To verify mail routing options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Mail Routing Options query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Mail Routing.

    5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the mail host and mail routing address for that user.

    To verify scan override options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Scan Override Options (antispam, antivirus, and content profile preference) query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Scan Override.

    5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the antispam and antivirus processing preferences for that user.

    To verify address mapping options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Address Mapping Options query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Address Mapping.

    5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the internal and external email addresses for that user.

    To verify the webmail password change query

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose webmail password change query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Change Password.

    5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.

      Caution

      Only use an email account whose password it is acceptable to change, and make note of the new password. Verifying the Webmail Password Options query configuration performs a real password change, and does not restore the previous password after the query has been verified.

    6. In Password, enter the current password for that user.

    7. In New Password, enter the new password for that user.

    8. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, binding to authenticate the password change, and the password change operation itself.

    Clearing the LDAP profile cache

    You can clear the FortiMail unit’s cache of query results for any LDAP profile.

    This may be useful after, for example, you have updated parts of your LDAP directory that are used by that LDAP profile, and you want the FortiMail unit to discard outdated cached query results and reflect changes to the LDAP directory. After the cache is emptied, any subsequent request for information from that LDAP profile causes the FortiMail unit to query the updated LDAP server, refreshing the cache.

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose query cache you want to clear.

    3. Click Test LDAP Query.

    4. From Select query type, select Clear Cache.

      A warning appears at the bottom of the window, notifying you that the cache for this LDAP profile will be cleared if you proceed. All queries will therefore be new again, resulting in decreased performance until the query results are again cached.

    5. Click OK.

      The FortiMail unit empties cached LDAP query responses associated with that LDAP profile.

    Configuring LDAP profiles

    Configuring LDAP profiles

    The LDAP submenu lets you configure LDAP profiles which can query LDAP servers such as FortiAuthenticator, Microsoft Active Directory, Red Hat Directory Server, or Google Cloud Identity for authentication, email address mappings, and more.

    Caution

    Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended mail processing behaviors can result, including bypassing antivirus scans. For details on preparing an LDAP directory for use with FortiMail LDAP profiles, see Preparing your LDAP schema for FortiMail LDAP profiles.

    LDAP profiles each contain one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server. The LDAP profile list indicates which queries you have enabled in each LDAP profile.

    To view the list of LDAP profiles, go to Profile > LDAP > LDAP.

    GUI item

    Description

    Clone

    (button)

    Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

    Comment

    Displays the comment in the profile.

    Name

    Displays the name of the profile.

    Server

    Displays the domain name or IP address of the LDAP server.

    Port

    Displays the listening port of the LDAP server.

    Group

    Indicates whether Group Query Options is enabled.

    Auth

    Indicates whether User Authentication Options is enabled.

    Alias

    Indicates whether User Alias Options is enabled.

    Routing

    Indicates whether Mail Routing Options is enabled.

    Address Map

    Indicates whether Address Mapping Options is enabled.

    Cache

    Indicates whether query result caching is enabled.

    Ref.

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

    You can add an LDAP profile to define a set of queries that the FortiMail unit can use with an LDAP server. You might create more than one LDAP profile if, for example, you have more than one LDAP server, or you want to configure multiple, separate query sets for the same LDAP server.

    After you have created an LDAP profile, LDAP profile options will appear in other areas of the FortiMail unit’s configuration. These options let you to select the LDAP profile where you might otherwise create a reference to a configuration item stored locally on the FortiMail unit itself. These other configuration areas will only allow you to select applicable LDAP profiles — that is, those LDAP profiles in which you have enabled the query required by that feature. For example, if a feature requires a definition of user groups, you can select only from those LDAP profiles where Group Query Options are enabled.

    To configure an LDAP profile

    1. Go to Profile > LDAP > LDAP.

    2. Click New to add a profile or double-click a profile to modify it.

      A dialog appears.

    3. Configure the following settings:

      GUI item

      Description

      Name

      For a new profile, enter a unique name.

      Comment

      Optional. Enter a descriptive comment.

      Server name/IP

      Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

      Port: Enter the port number where the LDAP server listens.

      The default port number varies by your selection in Use secure connection. See also Appendix C: Port Numbers.

      Fallback server name/IP

      Optional. Enter the fully qualified domain name (FQDN) or IP address of an alternate LDAP server that the FortiMail unit can query if the primary LDAP server is unreachable.

      Port: Enter the port number where the fallback LDAP server listens.

      The default port number varies by your selection in Use secure connection. See also Appendix C: Port Numbers.

      Use secure connection

      Select whether or not to connect to the LDAP servers using an encrypted connection.

      • none: Use a non-secure connection.
      • SSL: Use an SSL/TLS-secured (LDAPS) connection.

        If the LDAP server requires that clients such as the FortiMail unit present a client certificate to identify themselves during secure connections, then select the certificate from the Client certificate dropdown. Optionally,to authenticate using the selected certificate, enable Use client certificate for TLS authentication.This can be used instead of, or in addition to, a bind DN and password. See also Managing local certificates.

      Click Test LDAP Query to test the connection. A pop-up window appears. For details, see To verify user query options.

      Note: If your FortiMail unit is deployed in server mode, and you want to enable Enable webmail password change using an LDAP server that uses a Microsoft Active Directory-style schema, then you must select SSL. Active Directory servers require a secure connection for queries that change user passwords.

      Note: The certificate that FortiMail uses for client authentication must:

      • not be expired
      • not be revoked
      • be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit and that the server trusts (directly or indirectly, proven via a signing chain)

      Otherwise the secure connection will fail.

      Servers may have their own certificate validation requirements in addition to FortiMail requirements. For example, client certificates may require that Key Usage field allow client authentication. See your LDAP server's documentation.

      Default Bind Options

      Base DN

      Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for user objects, such as:

      ou=People,dc=example,dc=com

      User objects should be child nodes of this location.

      Bind DN

      Enter the bind DN of an LDAP user account with permissions to query the Base DN, such as:

      cn=fortimail,dc=example,dc=com

      Bind password

      Enter the password of the Bind DN.

      Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree.

      Browsing the LDAP tree can be useful if you need to locate your Base DN, or need to look up attribute names. For example, if the Base DN is unknown, browsing can help you to locate it.

      Note: Before you click Browse, you must configure Server name/IP, Use secure connection, Bind DN, Bind password, and Protocol version, then click Create or OK. These fields provide minimum information required to establish the directory browsing connection.

    4. Configure the following sections:

    Configuring user query options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand User Query Options section.

    4. Configure the query to retrieve the distinguished names (DN) of user objects by their email addresses:

      GUI item

      Description

      Schema

      Click Schema to select a schema style. Then you can edit the schema or select User Defined and write your own schema.

      User query

      Enter an LDAP query filter that selects a set of user objects from the LDAP directory.

      The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects. For details, see Example: LDAP user query.

      For details on query syntax, refer to any standard LDAP query filter reference manual.

      Warning: To avoid user query confusion, this field cannot be empty.

      Scope

      Select which level of depth to query, starting from Base DN.

      • One level: Query only the one level directly below the base DN in the LDAP directory tree.
      • Subtree: Query recursively all levels below the base DN in the LDAP directory tree.

      Derefer

      Select the method to use, if any, when dereferencing attributes whose values are references.

      • Never: Do not dereference.
      • Always: Always dereference.
      • Search: Dereference only when searching.
      • Find: Dereference only when finding the base search object.

      Retrieve display name for webmail

      If enabled, when a webmail user (authenticated using LDAP) composes email, the display name of the From header will be automatically set to the value defined in LDAP, instead of the user preference.

      Display name attribute

      Specify the LDAP attribute of the display name to query. The default value is "cn".

    Example: LDAP user query

    For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

    (& (objectClass=inetOrgPerson) (mail=$m))

    where $m is the FortiMail variable for a user's email address.

    If the email address ($m) as it appears in the message header is different from the user’s email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the user by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam from the end of the user name portion of the recipient email address, you could use the query filter:

    (& (objectClass=inetOrgPerson) (mail=$m$
    {-spam}))

    where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam- from the beginning of the user name portion of the recipient email address, you could use the query filter:

    (& (objectClass=inetOrgPerson) (mail=$m$
    {^spam-}))

    where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.

    For some schemas, such as Microsoft Active Directory-style schemas, this query will retrieve both the user’s primary email address and the user’s alias email addresses. If your schema style is different, you may want to also configure User Alias Options to resolve aliases. For details, see Configuring user alias options.

    Configuring group query options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand Group Query Options section.

      For more information on determining user group membership by LDAP query, see Controlling email based on sender and recipient addresses or Controlling email based on IP addresses.

    4. Configure the following:

      GUI item

      Description

      Use LDAP tree node as group

      Enable to use objects within the Base DN of User Query Options as if they were members of a user group object.

      For example, your LDAP directory might not contain user group objects. In that sense, groups do not really exist in the LDAP directory. However, you could mimic a group’s presence by enabling this option to treat all users that are child objects of the Base DN in User Query Options as if they were members of such a group.

      Group membership attribute

      Enter the name of the attribute, such as memberOf or gidNumber, whose value is the group number or DN of a group to which the user belongs.

      This attribute must be present in user objects.

      Whether the value must use common name, group number, or DN syntax varies by your LDAP server schema. For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000.

      Use group name with base DN as group DN

      Enable to specify the base distinguished name (DN) portion of the group’s full DN in the LDAP profile. By specifying the group’s base DN and the name of its group name attribute in the LDAP profile, you will only need to supply the group name value when configuring each feature that uses this query.

      For example, you might find it more convenient in each recipient-based policy to type only the group name, admins, rather than typing the full DN, cn=admins,ou=Groups,dc=example,dc=com. In this case, you could enable this option, then configure Group base DN (ou=Groups,dc=example,dc=com) and Group name attribute (cn). When performing the query, the FortiMail unit would assemble the full DN by inserting the common name that you configured in the recipient-based policy between the Group name attribute and the Group base DN configured in the LDAP profile.

      Note: Enabling this option is appropriate only if your LDAP server’s schema specifies that the group membership attribute’s value must use DN syntax. It is not appropriate if this value uses another type of syntax, such as a number or common name.

      For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000. Because a group ID number does not use DN syntax, you would not enable this option.

      Group base DN

      Enter the base DN portion of the group’s full DN, such as:

      ou=Groups,dc=example,dc=com

      This option is available only if Use group name with base DN as group DN is enabled.

      Group name attribute

      Enter the name of the attribute, such as cn, whose value is the group name of a group to which the user belongs.

      This option is available only if Use group name with base DN as group DN is enabled.

      Max group expansion level

      Enter how many levels of nested groups will be expanded for lookup. Valid range is 1-6. Default value is 1.

      Lookup group owner

      Enable to query the group object by its distinguished name (DN) to retrieve the DN of the group owner, which is a user that will receive that group’s quarantine reports. Using that user’s DN, the FortiMail unit will then perform a second query to retrieve that user’s email address, where the quarantine report will be sent.

      For more information on sending quarantine reports to the group owner, see Quarantine Report Setting and Managing the personal quarantines.

      Group owner attribute

      Enter the name of the attribute, such as groupOwner, whose value is the distinguished name of a user object. You can configure the FortiMail unit to allow that user to be responsible for handling the group’s quarantine report.

      If Lookup group owner is enabled, this attribute must be present in group objects.

      Group owner address attribute

      Enter the name of the attribute, such as mail, whose value is the group owner’s email address.

      If Lookup group owner is enabled, this attribute must be present in user objects.

    Configuring user authentication options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the User Authentication Options section.

      For more information on authenticating users by LDAP query, see Controlling email based on sender and recipient addresses.

    4. Configure the following:

      GUI item

      Description

      Try UPN or mail address as bind DN

      Select to form the user’s bind DN by prepending the user name portion of the email address ($u) to the User Principle Name (UPN, such as example.com).

      By default, the FortiMail unit will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in the field named Alternative UPN suffix. This can be useful if users authenticate with a domain other than the mail server’s principal domain name.

      Try common name with base DN as bind DN

      Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute, such as cn or uid into the field.

      This option is preconfigured and read-only if, in User Query Options, you have selected from Schema any schema style other than User Defined.

      Search user and try bind DN

      Select to form the user’s bind DN by using the DN retrieved for that user by User Query Options.

    Configuring user alias options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the User Alias Options section.

      Resolving aliases to real email addresses enables the FortiMail unit to send a single quarantine report and maintain a single quarantine mailbox at each user’s primary email account, rather than sending separate quarantine reports and maintaining separate quarantine mailboxes for each alias email address. For FortiMail units operating in server mode, this means that users need only log in to their primary account in order to manage their spam quarantine, rather than logging in to each alias account individually.

    4. Configure the following:

      GUI item

      Description

      Schema

      (dropdown list)

      Click Schema to select a schema style. Then you can edit the schema or select User Defined and write your own schema.

      Alias member attribute

      Enter the name of the attribute, such as mail or rfc822MailMember, whose value is an email address to which the email alias resolves, such as user@example.com.

      This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly. For more information, see Base DN.

      This option is preconfigured and read-only if, in User Alias Options, you have selected from Schema any schema style other than User Defined.

      Alias member query

      Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in Alias member attribute, from the LDAP directory.

      This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

      The query string filters the result set, and should be based upon any attributes that are common to all user/alias objects but also exclude objects that are not user/alias objects. For details, see Example: Alias member query.

      For more information on required object types and their attributes, see Preparing your LDAP schema for FortiMail LDAP profiles.

      For details on query syntax, refer to any standard LDAP query filter reference manual.

      User group expansion In advance

      Enable if your LDAP schema resolves email aliases indirectly. For more information on direct versus indirect resolution, see Base DN.

      When this option is disabled, alias resolution occurs using one query. The FortiMail unit queries the LDAP directory using the Base DN and the Alias member query, and then uses the value of each Alias member attribute to resolve the alias.

      When this option is enabled, alias resolution occurs using two queries:

      The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references in the form of distinguished names of member user objects, rather than directly containing email addresses to which the alias resolves. In this case, the FortiMail unit must first “expand” the alias object into its constituent user objects before it can resolve the alias email address.

      This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

      Group member attribute

      Enter the name of the attribute, such as member, whose value is the DN of a user object.

      This attribute must be present in alias objects only if they do not contain an email address attribute specified in Alias member attribute.

      This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.

      Group member query

      Enter an LDAP query filter that selects a set of alias objects, represented as a group of member objects in the LDAP directory.

      The query string filters the result set, and should be based upon any attributes that are common to all alias objects but also exclude non-alias objects.

      For example, if alias objects in your directory have two distinguishing characteristics, their objectClass and proxyAddresses attributes, the query filter might be:

      (&(objectClass=group) (proxyAddresses=smtp:$m))

      where $m is the FortiMail variable for a recipient email address. ($s is a sender email address.)

      This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.

      For details on query syntax, refer to any standard LDAP query filter reference manual.

      Max alias expansion level

      Specify the maximum number of alias nesting levels that will be expanded for lookup. Valid range is 1-12 and the default value is 1.

      Scope

      Select which level of depth to query, starting from Base DN.

      • One level: Query only the one level directly below the base DN in the LDAP directory tree.
      • Subtree: Query recursively all levels below the base DN in the LDAP directory tree.

      Derefer

      Select the method to use, if any, when dereferencing attributes whose values are references.

      • Never: Do not dereference.
      • Always: Always dereference.
      • Search: Dereference only when searching.
      • Find: Dereference only when finding the base search object.

      Use separate bind (configure the following if Default Bind Options is not what you want)

      Base DN

      Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for either alias or user objects.

      User or alias objects should be child nodes of this location.

      Whether you should specify the base DN of either user objects or alias objects varies by your LDAP schema style. Schema may resolve alias email addresses directly or indirectly (using references).

      • With a direct resolution, alias objects directly contain one or more email address attributes, such as mail or rfc822MailMember, whose values are user email addresses such as user@example.com, and that resolves the alias. The Base DN, such as ou=Aliases,dc=example,dc=com, should contain alias objects.
      • With an indirect resolution, alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are “members” of the alias “group.” User objects’ email address attribute values, such as user@example.com, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member” attributes whose value is the DN of a user object, such as uid=user,ou=People,dc=example,dc=com. The FortiMail unit performs a first query to retrieve the distinguished names of “member” user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such as ou=People,dc=example,dc=com, should contain user objects.

      Bind DN

      Enter the bind DN of an LDAP user account with permissions to query the Base DN, such as:

      cn=FortiMailA,dc=example,dc=com

      Bind password

      Enter the password of the Bind DN.

    Example: Alias member query

    For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

    (& (objectClass=alias) (mail=$m))

    where $m is the FortiMail variable for a user's email address.

    If the email address ($m) as it appears in the message header is different from the alias email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the alias by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam from the end of the user name portion of the recipient email address, you could use the query filter:

    (& (objectClass=alias) (mail=$m${-spam}))

    where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam- from the beginning of the user name portion of the recipient email address, you could use the query filter:

    (& (objectClass=alias) (mail=$m${^spam-}))

    where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.

    Whether you should configure this query filter to retrieve user or alias objects depends on whether your schema resolves email addresses directly or indirectly (using references). For more information on direct versus indirect alias resolution, see Base DN.

    If alias objects in your schema provide direct resolution, configure this query string to retrieve alias objects. Depending on your schema style, you can do this either using the user name portion of the alias email address ($u), or the entire email address ($m). For example, for the email aliases finance@example.com and admin@example.com, if your LDAP directory contains alias objects distinguished by cn: finance and cn: admin, respectively, this query string could be cn=$u.

    If alias objects in your schema provide indirect resolution, configure this query string to retrieve user objects by their distinguished name, such as distinguishedName=$b or dn=$b. Also enable User group expansion In advance, then configure Group member query to retrieve email address alias objects, and configure Group Member Attribute to be the name of the alias object attribute, such as member, whose value is the distinguished name of a user object.

    Configuring mail routing

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the Mail Routing Options section.

      Note

      The Mail Routing Options section query occurs after recipient tagging processing. If you have enabled recipient tagging, the Mail Routing Options section query will then be based on the tagged recipient address. If the tagged email address does not exist for the user in the LDAP directory, you may prefer to transform the recipient address by using the User Alias Options.

    4. Configure the following:

      GUI item

      Description

      Mail host attribute

      Enter the name of the attribute, such as mailHost, whose value is the fully qualified domain name (FQDN) or IP address of the email server that stores email for the user’s email account.

      This attribute must be present in user objects.

      Mail routing address attribute

      Enter the name of the attribute, such as mailRoutingAddress, whose value is the email address of a deliverable user on the email server, also known as the mail host.

      For example, a user may have many aliases and external email addresses that are not necessarily known to the email server. These addresses would all map to a real email account (mail routing address) on the email server (mail host) where the user’s email is actually stored.

      A user’s recipient email address located in the envelope or header portion of each email will be rewritten to this address.

      This attribute must be present in user objects.

    Configuring address mapping options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the Address Mapping Options section.

      Mappings usually should not translate an email address into one that belongs to an unprotected domain. However, unlike locally defined address mappings, this restriction is not enforced for mappings defined on an LDAP server.

      After configuring a profile with this query, you must select it in order for the FortiMail unit to use it.

      Alternatively, you can configure email address mappings on the FortiMail unit itself.

    4. Configure the following:

      GUI item

      Description

      Internal address attribute

      Enter the name of the LDAP attribute, such as internalAddress, whose value is an email address in the same or another protected domain.

      This email address will be rewritten to the value of the external address attribute according to the match conditions and effects.

      The name of this attribute may vary by the schema of your LDAP directory.

      External address attribute

      Enter the name of the attribute, such as externalAddress, whose value is an email address in the same or another protected domain.

      This email address will be rewritten to the value of the internal address attribute according to the match conditions and effects.

      The name of this attribute may vary by the schema of your LDAP directory.

      Display name attribute

      Enter the name of the attribute, such as displayName, whose value is the display name of the user.

      This display name will be inserted into the sender message header before the external email address, such as:

      From: Display Name<externalAddress@example.com>

      The name of this attribute may vary by the schema of your LDAP directory.

    Configuring scan override options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the Scan Override Options section.

      Note

      If the Scan Override Options query fails, then the FortiMail unit will instead use the antispam, antivirus, and content processing settings defined in the profile for that policy.

    4. Configure the following:

      GUI item

      Description

      AntiSpam attribute

      Enter the name of the attribute, such as antispam, whose value indicates whether or not to perform antispam processing for that user, and which antispam profile to use. Multiple syntax values are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.

      If enabled, this attribute setting takes precedence over the generic antispam attribute setting in the domain lookup options (see Configuring domain lookup options).

      If you enable this option but leave the attribute field blank, the antispam profile in the matched recipient-based policy will be used.

      AntiVirus attribute

      Enter the name of the attribute, such as antivirus, whose value indicates whether or not to perform antivirus processing for that user and which antivirus profile to use. Multiple value syntaxes are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.

      If enabled, this attribute setting takes precedence over the generic antivirus attribute setting in the domain lookup options (see Configuring domain lookup options).

      If you enable this option but leave the attribute field blank, the antivirus profile in the matched recipient-based policy will be used.

      Content attribute

      Enter the name of the attribute, such as content, whose value indicates whether or not to perform content processing for that user and which content profile to use. Multiple value syntaxes are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.

      If enabled, this attribute setting takes precedence over the generic content attribute setting in the domain lookup options (see Configuring domain lookup options).

      If you enable this option but leave the attribute field blank, the content profile in the matched recipient-based policy will be used.

    Configuring domain lookup options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    When configuring domain settings in gateway and transparent mode, if you set the Relay Type to LDAP Domain Mail Host, FortiMail will query the LDAP server to look up the domain and apply the antispam, antivirus, and content profiles assigned to this domain. If you set the Relay Type to other methods, the following settings will not apply.

    If the LDAP server does not find a user matching the domain, the user is considered as unknown, and the mail will be rejected unless it has a specific access list entry.

    For this option to work, your LDAP directory should contain a single generic user for each domain such as generic@example.com because the FortiMail unit will only look at the domain portion of the generic user’s mail address, such as example.com.

    When an SMTP session is processed, the FortiMail unit will query the LDAP server for the domain portion retrieved from the recipient email address. If the LDAP server finds a user entry, it will reply with the domain objects defined in the LDAP directory, including parent domain attribute, generic mail host attribute, generic antispam attribute, and generic antivirus attribute. The FortiMail unit will remember the mapping domain, mail routing, and antispam and antivirus profiles information to avoid querying the LDAP server again for the same domain portion retrieved from a recipient email address in the future.

    If there are no antispam and antivirus profiles for the user, the FortiMail unit will use the antispam and antivirus profiles from the matching IP policy.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the Domain Lookup Options section.

    4. Configure the following:

      GUI item

      Description

      Domain Lookup Query

      Enter an LDAP query filter that selects a set of domain objects, whichever object class contains the attribute you configured for this option, from the LDAP directory.

      Since each domain needs a generic user in the LDAP directory, you can specify the query filter as the following:

      mail=generic@$d

      Where the value of $d is the domain name.

      Parent domain attribute

      Enter the name of the attribute, such as parentDomain, whose value is the name of the parent domain from which a domain inherits the specific RCPT TO: check settings and quarantine report settings.

      The name of this attribute may vary by the schema of your LDAP directory.

      Mail host attribute

      Enter the name of the attribute, such as mailHost, whose value is the IP address of the backend mail server hosting the mailboxes of the domain.

      The name of this attribute may vary by the schema of your LDAP directory.

      AntiSpam attribute

      Enter the name of the attribute, such as genericAntispam, whose value is the name of the antispam profile assigned to the domain.

      The name of this attribute may vary by the schema of your LDAP directory.

      If you do not specify this attribute (that is, leave this field blank), the antispam profile in the matched recipient-based policy will be used.

      AntiVirus attribute

      Enter the name of the attribute, such as genericAntivirus, whose value is the name of the antivirus profile assigned to the domain.

      The name of this attribute may vary by the schema of your LDAP directory.

      If you do not specify this attribute (that is, leave this field blank), the antivirus profile in the matched recipient-based policy will be used.

      Content attribute

      Enter the name of the attribute, such as genericContent, whose value is the name of the content profile assigned to the domain.

      The name of this attribute may vary by the schema of your LDAP directory.

      If you do not specify this attribute (that is, leave this field blank), the content profile in the matched recipient-based policy will be used.

    Configuring remote access override options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    When you add a FortiMail administrator (see Configuring administrator accounts), you must specify an access profile (the access privileges) for the administrator. You must also specify a domain (either system or a protected domain) that the administrator is allowed to access.

    If you are adding an LDAP account, you can override the access profile and domain setting with the values of the remote attributes returned from the LDAP server.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the Remote Access Override Options section.

    4. Configure the following:

      GUI item

      Description

      Enable remote access override

      Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the LDAP server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used.

      Also specify the access profile attribute.

      Enable remote domain override

      Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the LDAP server, if the returned value matches an existing protected domain. If there is no match, the specified domain will still be used.

      Also specify the domain name attribute.

    Configuring LDAP chain query

    If you use different attributes for similar or same values on different LDAP servers, you may want to query all of the LDAP servers one by one (a chain query).

    You can do this by grouping several LDAP profiles into one LDAP profile. The order of the profiles determines the sequential order of the queries.

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the LDAP Profile Chain.

    4. From the LDAP profile list, select the profile you want to add to the chain and click the plus sign.

    5. Repeat the above step to add more profiles.

    Configuring advanced options

    The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.

    1. Go to Profile > LDAP > LDAP.

    2. Click New to create a new profile or double click on an existing profile to edit it.

    3. Click the arrow to expand the Advanced Options section.

    4. Configure the following:

      GUI item

      Description

      Timeout

      Enter the maximum amount of time in seconds that the FortiMail unit will wait for query responses from the LDAP server.

      Protocol version

      Select the LDAP protocol version used by the LDAP server.

      Referrals chase

      Enable to use the LDAP server’s function of referral chasing, that is, instead of returning a result, it will return a referal to another LDAP server, which may contain further information.

      Enable cache

      Enable to cache LDAP query results.

      Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiMail unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.

      If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

      Clear Cache

      Select to empty the FortiMail unit’s LDAP query cache.

      This can be useful if you have updated the LDAP directory, and want the FortiMail unit to refresh its LDAP query cache with the new information.

      TTL

      Enter the amount of time, in minutes, that the FortiMail unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiMail unit to query the LDAP server, refreshing the cache.

      The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching.

      This option is applicable only if Enable cache is enabled.

      Enable webmail password change

      Enable if you want to allow FortiMail webmail users to change their password.

      This option does not appear for FortiMail units operating in gateway or transparent mode. Active Directory appears only if Use secure connection is SSL.

      Password schema

      Select your LDAP server’s user schema style, either Openldap or Active Directory.

      Bypass user verification if server is unavailable

      If you have selected using LDAP server to verify recipient or sender address and your LDAP server is not accessible, then you can enable this option to bypass the address verification process.

      Note: This option only takes effect in gateway and transparent mode.

      For more information about recipient address verification, see Configuring recipient address verification.

    Preparing your LDAP schema for FortiMail LDAP profiles

    FortiMail units can be configured to consult an LDAP server for many things that you might otherwise normally have to configure on the FortiMail unit itself, such as user authentication, group membership, mail routing, and other features. Especially if you have a large amount of users and groups already defined on an LDAP directory, you may find it more convenient to query those existing definitions than to recreate the definition of those same users locally on the FortiMail unit. To accomplish this, you would configure an LDAP profile, then select that LDAP profile in other areas of the configuration that should use its LDAP queries.

    LDAP profiles require compatible LDAP server directory schema and contents. Your LDAP server configuration may already be compatible. However, if your LDAP server configuration does not contain required information in a schema acceptable to LDAP profile queries, you may be required to modify either or both your LDAP profile and LDAP directory schema.

    Note

    Verify your LDAP server’s configuration for each query type that you enable and configure. For example, if you enable mail routing queries, verify connectivity and that each user object in the LDAP directory includes the attributes and values required by mail routing. Failure to verify enabled queries can result in unexpected mail processing behavior.

    Using common schema styles

    Your LDAP server schema may require no modification if:

    • your LDAP server already contains all information required by the LDAP profile queries you want to enable
    • your LDAP server uses a common schema style, and a matching predefined LDAP query configuration exists for that schema style

    If both of those conditions are true, your LDAP profile configuration may also be very minimal. Some queries in LDAP profiles contain schema options that automatically configure the query to match common schema styles such as IBM Lotus Domino, Microsoft ActiveDirectory (AD), and OpenLDAP. If you will only enable those queries that have schema options, it may be sufficient to select your schema style for each query.

    For example, your LDAP server might use an OpenLDAP-style schema, where two types of user object classes exist, but both already have mail and userPassword attributes. Your FortiMail unit is in gateway mode, and you want to use LDAP queries to use users’ email addresses to query for authentication. In this scenario, it may be sufficient to:

    1. In the LDAP profile, enter the domain name or IP address of the LDAP server.
    2. Configure the LDAP profile queries:
    • In User Query Options, select from Schema which OpenLDAP schema your user objects follow: either InetOrgPerson or InetLocalMailRecipient. Also enter the Base DN, Base DN, and Bind password to authenticate queries by the FortiMail unit and to specify which part of the directory tree to search.
    • In User Authentication Options, enable the query with the option to Search user and try bind DN.
  • Configure mail domains and policies to use the LDAP profile to authenticate users and perform recipient verification.
  • Using other schema styles

    If your LDAP server’s schema is not one of the predefined common schema styles, or if you want to enable queries that require information that does not currently exist in your directory, you may need to adapt either or both your LDAP server and LDAP profile query configuration.

    Note

    Before modifying your LDAP directory, verify that changes will be compatible with other applications using the directory. You may prefer to modify the LDAP profile query and/or add new attributes than to modify existing structures that are used by other applications, in order to reduce the likelihood of disruption to other applications. For instructions on modifying schema or setting attribute values, consult the documentation for your specific LDAP server.

    The primary goal when modifying your LDAP directory is to provide, in some way that can be retrieved by LDAP profile queries, the information required by FortiMail features which can use LDAP profiles. Depending on the LDAP profile queries that you enable, you may need to add to your LDAP directory:

    • user objects
    • user group objects
    • email alias objects

    Keep in mind that for some schema styles, such as that of Microsoft ActiveDirectory, user group objects may also play a double role as both user group objects and email alias objects. For the purpose of FortiMail LDAP queries, email alias objects can be any object that can be used to expand email aliases into deliverable email addresses, which are sometimes called distribution lists.

    For each of those object types, you may also need to add required attributes in a syntax compatible with the FortiMail features that uses those attributes.

    At a minimum, your LDAP directory must have user objects that each contain an email address attribute, and the value of that email address attribute must use full email address syntax (for example, mail: user@example.com). This attribute is required by User Query Options, a query which is required in every LDAP profile.

    Many other aspects of LDAP profiles are flexible enough to query for the required information in more than one way. It may be sufficient to modify the query strings and other fields in the LDAP profile to match your individual LDAP directory.

    For example, the purpose of the User Query Options is to find the distinguished name (DN) of user objects by their email addresses, represented by the FortiMail variable $m. Often user objects can be distinguished by the fact that they are the only records that contain the attribute-value pair objectClass: User. If the class of user name objects in your LDAP directory is not objectClass: User but instead objectClass: inetOrgPerson, you could either modify:

    • the LDAP profile’s user query to request user objects as they are denoted on your particular server, using objectClass=inetOrgPerson; for example, you might modify the user query from:

    (&(objectClass=User)(mail=$m))

    to be:

    (&(objectClass=inetOrgPerson)(mail=$m))

    • the LDAP server’s schema to match the queries’ expected structure, where user objects are defined by objectClass=User

    Alternatively, perhaps there are too many user objects, and you prefer to instead retrieve only those user objects belonging to a specific group number. In this case, you might modify the query string from:

    (&(objectClass=User)(mail=$m))

    to be:

    (&(objectClass=User)(gidNumber=102)(mail=$m))

    You can use any attribute-value pairs to filter the query result set, as long as they are unique and common to all objects in your intended result set.

    For example, most directories do not contain an antivirus processing switch attribute for each user. However, FortiMail units can perform antivirus processing, which can be switched off or on depending on the results from an LDAP query. The FortiMail unit expects the query to return a value that may use Boolean syntax (TRUE or FALSE) that reflects whether or not, respectively, to perform antivirus processing. In this case, you would add to user objects in your LDAP directory an antivirus attribute whose value is a Boolean value.

    The following table indicates expected object types, attribute names, and value syntax, as well as query results, for each LDAP profile query. Attributes listed should be present, but their names may vary by schema. Attributes that do not have a default name require that you configure them in both your LDAP profile and your LDAP directory’s schema.

    LDAP directory requirements for each FortiMail LDAP profile query

    Object type

    Attribute

    Value

    Query result

    User Query Options

    User object classes such as inetOrgPerson, inetLocalMailRecipient, User, dominoPerson.

    mail

    A user’s email address.

    Query compares the email address to the value of this attribute to find the matching user, and retrieve that user’s distinguished name (DN), which is the basis for most other LDAP profile queries.

    Group Query Options

    (Objects from User Query Options.)

    gidNumber or memberOf

    Varies by schema. Typically is either a group number or the distinguished name (DN) of the group.

    Query retrieves the group name for any user defined by User Query Options.

    (Objects from User Query Options.)

    mail

    A user’s email address.

    Query uses the DN retrieved from groupOwner to retrieve the email address of the user specified by that DN.

    User group object classes such as group or groupOfNames.

    groupOwner

    A user object’s DN.

    Query retrieves the DN of a user object from the group defined in gidNumber or memberOf.

    User Authentication Options

    (Objects from User Query Options.)

    userPassword

    Any.

    Query verifies user identity by binding with the user password for any user defined by User Query Options.

    User Alias Options

    Email alias object classes such as nisMailAlias, or user objects from User Query Options, depending on whether your schema resolves email aliases directly or indirectly, respectively. For details, see Base DN.

    rfc822MailMember (for alias objects) or mail (for user objects)

    Either the user name portion of an email address (e.g. user; for alias objects), or the entire email address (e.g. user@example.com; for user objects).

    Query expands an alias to one or more user email addresses.

    If the alias is resolved directly, this query retrieves the email addresses from the alias object itself. If the alias is resolved indirectly, this query first queries the alias object for member attributes, then uses the DN of each member in a second query to retrieve the email addresses of those user objects. For details, see Base DN.

    User group object classes such as group or groupOfNames.

    User groups are not inherently associated with email aliases, but for some schemas, such as Microsoft Active Directory, group objects play the role of email alias objects, and are used to indirectly resolve email aliases. For details, see Base DN.

    member

    A user object’s DN, or the DN of another alias object.

    Query retrieves the DN of a user object that is a member of the group.

    This attribute is required only if aliases resolve to user email addresses indirectly. For details, see Base DN.

    Mail Routing Options

    (Objects from User Query Options.)

    mailHost

    A fully qualified domain name (FQDN) or IP address.

    Query retrieves the fully qualified domain name (FQDN) or IP address of the mail server — sometimes also called the mail host — that stores email for any user defined by User Query Options.

    mailRoutingAddress

    A user’s email address for a user account whose email is physically stored on mailHost.

    Query retrieves the email address for a real account physically stored on mailHost for any user defined by User Query Options.

    Scan Override Options

    (Objects from User Query Options.)

    No default attribute name.

    Varies by schema. May be:

    • TRUE, YES, 1, ENABLE or ENABLED (on)
    • FALSE, NO, 0, DISABLE, or DISABLED, or any other value not associated with “on” (off)
    • the name of an antivirus profile

    Query retrieves whether or not to perform antivirus processing, or which profile to use, for any user defined by User Query Options.

    No default attribute name.

    Varies by schema. May be:

    • TRUE, YES, 1, ENABLE or ENABLED (on)
    • FALSE, NO, 0, DISABLE, or DISABLED, or any other value not associated with “on” (off)
    • the name of an antivirus profile

    Query retrieves whether or not to perform antispam processing, or which profile to use, for any user defined by User Query Options.

    Address Mapping Options

    (Objects from User Query Options.)

    No default attribute name.

    A user’s internal email address.

    Query retrieves the user’s internal email address

    No default attribute name.

    A user’s external email address.

    Query retrieves the user’s external email address.

    Enable webmail password change

    (Objects from User Query Options.)

    userPassword

    Any.

    Query, upon successful bind using the existing password, changes the password for any user defined by User Query Options.

    Each LDAP profile query filter string may indicate expected value syntax by the FortiMail variables used in the query filter string.

    • $b: the query filter expects the attribute’s value to be a bind DN
    • $d: the query filter expects the attribute’s value to be a domain name
    • $f: the query filter expects the attribute’s value to be a sender domain name
    • $m: the query filter expects the attribute’s value to be a recipient email address
    • $s: the query filter expects the attribute’s value to be a sender email address
    • $u: the query filter expects the attribute’s value to be a user name

    The following example illustrates a matching LDAP directory and LDAP profile. Labels indicate the part of the LDAP profile that is configured to match the directory schema.

    Example: Compatible LDAP directory and LDAP profile

    Testing LDAP profile queries

    After you have created an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiMail unit can connect to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.

    When testing a query in an LDAP profile, you may encounter error messages that indicate failure of the query and how to fix the problem.

    LDAP Query Failure Message

    Meaning and Solution

    Empty input

    The query cannot be performed until you provide the information required by the query.

    Connection Failed

    The FortiMail unit could not connect to the LDAP server. The LDAP server may be unreachable, or the LDAP profile may be configured with an incorrect IP address, port number, or secure connection setting.

    Failed to bind with bind DN and password

    The FortiMail unit successfully connected to the LDAP server, but could not authenticate in order to perform the query. If the server permits anonymous queries, the Bind DN and Bind password you specified in User Query Options section should be blank. Otherwise, you must enter a valid bind DN and its password.

    Unable to found user DN that matches mail address

    The FortiMail unit successfully connected to the LDAP server, and, if configured, bound, but could not find a user whose email address attribute matched that value. The user may not exist on the LDAP server in the Base DN and using the query filter you specified in User Query Options, or the value of the user’s email address attribute does not match the value that you supplied in Mail address.

    Unable to find LDAP group for user

    The FortiMail unit successfully located a user with that email address, but their group membership attribute did not match your supplied value. The group membership attribute you specified in Group Query Options may not exist, or the value of the group membership attribute may not match the value that you supplied in Group base DN. If the value does not match, verify that you have supplied the Group base DN according to the syntax expected by both your LDAP server and your configuration of Group Query Options.

    Group owner query failure

    The FortiMail unit successfully connected to the LDAP server, but could not find a group whose distinguished name matched that value. The group may not exist on the LDAP server, or the value of the group’s distinguished name attribute does not match the value that you entered in Group base DN.

    Authentication failure

    Failed to bind

    The FortiMail unit successfully located a user with that email address, but the user’s bind failed and the FortiMail unit was unable to authenticate the user. Binding may fail if the value of the user’s password attribute does not match the value that you supplied in Old password. If this error message appears when testing Enable webmail password change, it also implies that the query failed to change the password.

    Unable to find mail alias

    The FortiMail unit was unable to find the email alias. The email address alias may not exist on the LDAP server in the Base DN and using the query filter you specified in User Alias Options, or the value of the alias’ email address attribute does not match the value that you supplied in Mail address.

    Error for LDAP user profile ID

    The FortiMail unit failed to change the email user’s password. Verify that you have entered the correct existing password in Old password.

    To verify user query options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose User Query Options section query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select User.

    5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record.

    To verify group query options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Group Query Options section query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query. Fields displayed in the window vary by whether or not Use group name with base DN as group DN is enabled in Group Query Options section.

    4. From Select query type, select Group.

    5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Either the Group DN or Group Name field appears. If Group DN appears, enter the value of the user’s group membership attribute. If Group Name appears, enter only the group name portion of the value of the user’s group membership attribute.

      For example, a Group DN entry with valid syntax could be either:

      • 10000
      • admins
      • cn=admins,ou=People,dc=example,dc=com

      but a Group Name entry with valid syntax would be admins.

      Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.

    7. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the group to which the user belongs.

    To verify group query options group owner

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Group Query Options group owner query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query. Fields displayed in the window vary by whether or not Use group name with base DN as group DN is enabled in Group Query Options.

    4. From Select query type, select Group Owner.

    5. Either the Group DN or Group Name field appears. If Group DN appears, enter the distinguished name of the group object. If Group Name appears, enter only the group name portion of the distinguished name of the group object.

      For example, a Group DN entry with valid syntax would be cn=admins,ou=People,dc=example,dc=com, but a Group Name entry with valid syntax would be admins.

      Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the group record and find the group owner and their email address.

    To verify user authentication options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Authentication.

    5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. In Password, enter the current password for that user.

    7. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, or binding to authenticate the user.

    To verify user query options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose user query options you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Alias.

    5. In Email address, enter the email address alias of a user on the LDAP server, such as test-alias@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the alias record, or binding to authenticate the user.

    To verify mail routing options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Mail Routing Options query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Mail Routing.

    5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the mail host and mail routing address for that user.

    To verify scan override options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Scan Override Options (antispam, antivirus, and content profile preference) query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Scan Override.

    5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the antispam and antivirus processing preferences for that user.

    To verify address mapping options

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose Address Mapping Options query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Address Mapping.

    5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.

    6. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the internal and external email addresses for that user.

    To verify the webmail password change query

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose webmail password change query you want to test.

    3. Click Test LDAP Query.

      A pop-up window appears allowing you to test the query.

    4. From Select query type, select Change Password.

    5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.

      Caution

      Only use an email account whose password it is acceptable to change, and make note of the new password. Verifying the Webmail Password Options query configuration performs a real password change, and does not restore the previous password after the query has been verified.

    6. In Password, enter the current password for that user.

    7. In New Password, enter the new password for that user.

    8. Click Test.

      The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, binding to authenticate the password change, and the password change operation itself.

    Clearing the LDAP profile cache

    You can clear the FortiMail unit’s cache of query results for any LDAP profile.

    This may be useful after, for example, you have updated parts of your LDAP directory that are used by that LDAP profile, and you want the FortiMail unit to discard outdated cached query results and reflect changes to the LDAP directory. After the cache is emptied, any subsequent request for information from that LDAP profile causes the FortiMail unit to query the updated LDAP server, refreshing the cache.

    1. Go to Profile > LDAP > LDAP.

    2. Double-click the LDAP profile whose query cache you want to clear.

    3. Click Test LDAP Query.

    4. From Select query type, select Clear Cache.

      A warning appears at the bottom of the window, notifying you that the cache for this LDAP profile will be cleared if you proceed. All queries will therefore be new again, resulting in decreased performance until the query results are again cached.

    5. Click OK.

      The FortiMail unit empties cached LDAP query responses associated with that LDAP profile.