
CLI Reference

profile authentication

Use these commands to configure FortiMail to connect to a remote authentication server. These commands configure all remote authentication methods except LDAP and SSO. For those methods, instead see profile ldap and profile sso.

You can define administrator and user accounts locally (on FortiMail), but organizations often already have accounts defined on a directory server or mail server. To avoid maintaining separate accounts on multiple systems, you may want to reuse the accounts on that server. FortiMail supports authentication with remote servers via:

  • SMTP

  • IMAP

  • POP3

  • RADIUS

  • LDAP

  • SSO

When FortiMail is operating in server mode, SMTP, IMAP, and POP3 authentication are not available.

Note

LDAP profiles can configure many more features than just authentication. For details, see profile ldap.

SMTP profiles can be used to authenticate SMTP connections, but they can also authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine, and when FortiMail authenticates with another SMTP server to deliver email.

For the general procedure of how to configure authentication for email users, see the FortiMail Administration Guide.

Syntax

config profile authentication smtp
  edit <profile_name>
    [set comment "<comment_str>"]
    set server {<fqdn_str> | <host_ipv4>}
    set port <port_int>
    set option {ssl secure tls senddomain}
    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}
    set try-ldap-mailhost {enable | disable}

config profile authentication imap
  edit <profile_name>
    [set comment "<comment_str>"]
    set server {<fqdn_str> | <host_ipv4>}
    set port <port_int>
    set option {ssl secure tls senddomain}
    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

config profile authentication pop3
  edit <profile_name>
    [set comment "<comment_str>"]
    set server {<fqdn_str> | <host_ipv4>}
    set port <port_int>
    set option {ssl secure tls senddomain}
    set auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

config profile authentication radius
  edit <profile_name>
    [set comment "<comment_str>"]
    set server {<fqdn_str> | <host_ipv4>}
    set transport-protocol {tls | tcp | udp}
    set ca-cert <ca_name>
    set port <port_int>
    set secret <password_str>
    set auth-prot {auto | chap | mschap | mschap2 | pap}
    set send-domain {enable | disable}
    [set nas-ip <FortiMail_ipv4>]
    set access-override {enable | disable}
    set access-override-attribute <attribute_int>
    set access-override-vendor <vendor_int>
    set domain-override {enable | disable}
    set domain-override-attribute <attribute_int>
    set domain-override-vendor <vendor_int>
end
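As an added example that is not part of this reference and not Fortinet code, the following Python script parses a configuration snippet written in the syntax above and flags the settings the variable descriptions caution against: SMTP, IMAP, or POP3 profiles whose option includes neither ssl nor tls, an auth-type that is ignored because secure is not in option, and RADIUS profiles that use udp or tcp transport, or tls without a ca-cert. The sample configuration and the profile names in it are constructed.

```python
# Audit a FortiMail 'config profile authentication' snippet (constructed example, not Fortinet code).
import re

# Constructed sample in FortiMail CLI syntax; profile names are hypothetical.
SAMPLE_CONFIG = """
config profile authentication smtp
  edit "smtp-legacy"
    set server mail.example.com
    set option senddomain
    set auth-type cram-md5
  next
end
config profile authentication radius
  edit "radius-plain"
    set server 192.0.2.10
  next
  edit "radsec"
    set server radius.example.com
    set transport-protocol tls
    set ca-cert "RADIUS_CA"
  next
end
"""

def parse_profiles(text):
    # Returns (type, name, {key: [values]}) for each 'edit' entry.
    profiles, ptype = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'config profile authentication (\w+)$', line):
            ptype = m.group(1)
        elif m := re.match(r'edit "?([^"]+)"?$', line):
            profiles.append((ptype, m.group(1), {}))
        elif m := re.match(r'set (\S+)\s*(.*)', line):
            profiles[-1][2][m.group(1)] = m.group(2).split()
    return profiles

def audit(text):
    # Maps 'type:name' to the list of findings for that profile.
    findings = {}
    for ptype, name, s in parse_profiles(text):
        issues, opts = [], set(s.get('option', []))
        if ptype in ('smtp', 'imap', 'pop3'):
            if not opts & {'ssl', 'tls'}:
                issues.append('no ssl/tls: server unauthenticated, query in clear')
            if 'auth-type' in s and 'secure' not in opts:
                issues.append('auth-type ignored because option lacks secure')
        elif ptype == 'radius':
            transport = s.get('transport-protocol', ['udp'])[0]  # udp is the default
            if transport != 'tls':
                issues.append(f'transport {transport}: no encryption or server auth')
            elif 'ca-cert' not in s:
                issues.append('tls without ca-cert: server certificate not validated')
        findings[f'{ptype}:{name}'] = issues
    return findings
```

Run it on a full exported configuration and any profile with a non-empty list is one to revisit against the cautions in this reference.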

Variable / Description / Default

<profile_name>
  Enter the name of the profile.
  To view a list of existing entries, enter a question mark ( ? ).

access-override-attribute <attribute_int>
  Enter the attribute ID of a vendor for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.
  Default: 6

access-override-vendor <vendor_int>
  Enter the vendor’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.
  Default: 12356

access-override {enable | disable}
  Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile.
  Default: disable

auth-prot {auto | chap | mschap | mschap2 | pap}
  Select an authentication method that the RADIUS server supports, either:
    • auto: Negotiate automatically by preferring password authentication, Microsoft challenge handshake V2, and then challenge handshake, in that order.
    • pap: Password authentication.
    • chap: Challenge handshake authentication.
    • mschap: Microsoft Challenge Handshake Authentication.
    • mschap2: Microsoft Challenge Handshake Authentication V2.
  Default: mschap2

auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}
  Select an authentication mechanism. For details, see the relevant RFCs.
  This setting is ignored if option {ssl secure tls senddomain} does not include secure.
  Default: auto

ca-cert <ca_name>
  Select the name of the certificate authority (CA) certificate that will be used to validate the signature on the RADIUS server's certificate. For details, see system certificate ca.
  This setting is only available if transport-protocol {tls | tcp | udp} is tls.

domain-override-attribute <attribute_int>
  Enter the attribute ID of a vendor for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.
  Default: 3

comment "<comment_str>"
  Enter a description or comment.

domain-override-vendor <vendor_int>
  Enter the vendor’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.
  Default: 12356

domain-override {enable | disable}
  Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain.
  Default: disable

nas-ip <FortiMail_ipv4>
  Enter the NAS IP address, also known as Called-Station-ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes).
  If you do not enter an IP address, FortiMail uses the IP address of the interface that communicates with the RADIUS server.
  Default: 0.0.0.0

option {ssl secure tls senddomain}
  If you want to enable any of the following options, enter them in a space-delimited list:
    • senddomain: Enable if the authentication server requires that users log in with both the user name and the domain (for example, user1@example.com, not only user1).
    • secure: Enable if the authentication server supports or requires encrypted passwords. Then select the algorithm in auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}.
      Caution: Only the password is encrypted by this setting. It does not authenticate the server's identity nor encrypt the entire connection, and therefore does not provide privacy and tamper-proofing of the results. Other data in the query may still be clear text (unencrypted). If the query occurs over untrusted networks such as the Internet, you should also use ssl and/or tls.
    • ssl: Enable if the authentication server supports secure sockets layer (SSL) and/or transport layer security (TLS) for a secure connection.
      To establish a secure connection, FortiMail must be able to validate the CA signature on the authentication server's certificate. For details, see system certificate ca.
    • tls: Enable if the authentication server supports STARTTLS to try to convert an unsecured connection to a secure connection.
  For ssl and tls, see also STARTTLS vs. SSL/TLS differences on FortiMail.

port <port_int>
  Enter the port number on which the authentication server listens.
  FortiMail uses IANA standard port numbers by default. See the default port numbers in the FortiMail Administration Guide.
  Default: Varies by type of authentication server.

secret <password_str>
  Enter the shared secret (password) for the RADIUS server.

send-domain {enable | disable}
  Enable if the RADIUS server requires both the user name and the domain when authenticating.
  Default: disable

server {<fqdn_str> | <host_ipv4>}
  Enter the IP address or fully qualified domain name (FQDN) of an authentication server.

transport-protocol {tls | tcp | udp}
  Select the protocol that the authentication server uses, either:
    • tls: TCP connection over TLS 1.2 for secure RADIUS (also called RadSec).
      To establish a secure connection, FortiMail must be able to validate the CA signature on the authentication server's certificate. For details, see system certificate ca.
      Currently mutual authentication is not supported: FortiMail validates the RADIUS server's certificate, but does not send its own local certificate. Therefore the RADIUS server must not require client certificate validation.
    • tcp: Reliable transport of queries via a TCP connection.
    • udp: Queries sent via a UDP session.
  Caution: Do not select UDP or TCP if queries occur over untrusted networks such as the Internet. They are not secure connections, and provide neither encryption nor authentication of the server's identity. Attackers could use this to gain unauthorized access.
  Default: udp

try-ldap-mailhost {enable | disable}
  Enable if your LDAP server has a mail host entry for the generic user.
  If you enable this option, FortiMail will query the generic LDAP server first to authenticate email users. If no results are returned, then FortiMail will query the server in server {<fqdn_str> | <host_ipv4>}.
  Default: enable
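As an added example that is not part of this reference and not Fortinet code, the following Python decodes the Vendor-Specific attributes (RFC 2865 type 26) that an Access-Accept would carry for access-override and domain-override with the defaults described above (vendor 12356, attribute 6 holding the access profile name, attribute 3 holding the domain name), and applies the rule that a returned value is used only when it matches an access profile or protected domain that already exists on FortiMail. The attribute payload, names, and the non-Fortinet vendor ID 99999 are constructed.

```python
# Decode the Vendor-Specific attributes (RFC 2865 type 26) an Access-Accept would
# carry for FortiMail's access-override / domain-override, using the page's
# defaults. Constructed example, not Fortinet code.
import struct

VENDOR_FORTINET = 12356  # access-override-vendor / domain-override-vendor default
ATTR_VSA = 26            # RADIUS Vendor-Specific attribute type

def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute carrying a string sub-attribute."""
    body = struct.pack('!IBB', vendor_id, vendor_type, 2 + len(value)) + value
    return struct.pack('!BB', ATTR_VSA, 2 + len(body)) + body

def parse_attributes(data):
    """Yield (type, value) for each top-level RADIUS attribute in data."""
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError('malformed attribute length')
        yield data[0], data[2:data[1]]
        data = data[data[1]:]

def parse_vsa(value):
    """Yield (vendor_id, vendor_type, value) for each sub-attribute of a VSA."""
    if len(value) < 4:
        raise ValueError('VSA shorter than vendor id')
    vendor_id, rest = struct.unpack('!I', value[:4])[0], value[4:]
    while rest:
        if len(rest) < 2 or not 2 <= rest[1] <= len(rest):
            raise ValueError('malformed vendor attribute length')
        yield vendor_id, rest[0], rest[2:rest[1]]
        rest = rest[rest[1]:]

def resolve_overrides(attrs, existing_profiles, existing_domains,
                      vendor=VENDOR_FORTINET, access_attr=6, domain_attr=3):
    """Use a returned value only if it names an access profile / domain that exists."""
    result = {'access_profile': None, 'domain': None}
    for atype, value in parse_attributes(attrs):
        if atype != ATTR_VSA:
            continue
        for vid, vtype, val in parse_vsa(value):
            if vid != vendor:
                continue
            name = val.decode('utf-8', 'replace')
            if vtype == access_attr and name in existing_profiles:
                result['access_profile'] = name
            elif vtype == domain_attr and name in existing_domains:
                result['domain'] = name
    return result

# Constructed Access-Accept attribute payload; the third VSA is from a made-up vendor.
SAMPLE_ATTRS = (build_vsa(VENDOR_FORTINET, 6, b'super_admin') +
                build_vsa(VENDOR_FORTINET, 3, b'example.com') +
                build_vsa(99999, 1, b'ignored'))
```

A None in the result means the value configured when the administrator was added stays in force, which is the behaviour the access-override and domain-override descriptions specify for a non-matching value.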

Related topics

profile tls

profile certificate-binding

profile encryption

system certificate ca

system global
