admin-idle-timeout <timeout_int>

Enter the amount of time in minutes after which an idle administrative session will be automatically logged out.

The maximum idle time out is 480 minutes (8 hours). To improve security, do not increase the idle timeout.

admin-lockout-duration <timeout_int>

Enter the lockout duration in minutes after the failed login threshold is reached.

admin-lockout-threshold <attempts_int>

Enter the number of failed login attempts before an administrator account is locked out.

admin-maintainer {enable | disable}

Enable or disable the maintainer administrator login.

The maintainer account can be used to log in from the console after a hard reboot. The password is \'bcpb\' followed by the FortiMail system serial number. There is a limited time to complete this login.

Do not disable this setting if you do not have a backup plan for recovery, such as a complete configuration and data backup restoration after you make a firmware clean install. If you disable admin-maintainer, a message appears warning that the password recovery mechanism will be lost.

default-certificate <cert_name>

Enter the name of a local certificate to use it as the “default" (that is, currently chosen for use) certificate.

FortiMail systems require a local certificate that it can present to identify itself when clients request secure connections.

dh-params <bits_int>

Enter the minimum size of the Diffie-Hellman prime number for secure connections such as SSH, SMTPS, and HTTPS. Larger bit sizes are slower to generate, but generally more secure.

Alternatively, you can set the Diffie-Hellman bit size for individual protocols. See system security crypto.

disk-monitor {enable | disable}

Enable to monitor the hard disk status of the FortiMail system. If a problem is found, FortiMail sends an alert email to the administrator.

email-migration-status {enable | disable}

Enable to start the email migration service and to show the mail migration features in the GUI and CLI. Then also configure:

• config system remote-mail-server

• config email-migration-domain-replacement

• for each protected domain, email-migration-status {enable | disable}

before you run the migration.

Email migration is used to move email user accounts and data from an external mail server to this FortiMail system. See the email migration workflow.

This setting is available only in server mode.

fortiidentity-cloud-push-status {enable | disable}

Enable to accept push responses from FortiIdentity Cloud during MFA.

This setting is used only if fortiidentity-cloud-status {enable | disable} is enable.

fortiidentity-cloud-region <region_name>

Enter the deployment region that FortiMail will connect to for FortiIdentity Cloud. To get a list of currently available deployment regions, see region-info.

This setting is used only if fortiidentity-cloud-status {enable | disable} is enable.

fortiidentity-cloud-status {enable | disable}

Enable to make multi-factor authentication (MFA) settings available. Then also:

1. Activate the trial license(see trial) or purchase a service license and register it to the owner in FortiIdentity Cloud (see show service).

   Currently, only FortiIdentity Cloud is supported. MFA with FortiIdentity Cloud requires a valid paid or trial service license. For paid licenses, the license owner must be the same as the FortiMail system. Unauthorized devices cannot use the service. For details, see the FortiIdentity Cloud documentation.

2. Configure the MFA service provider region (fortiidentity-cloud-region <region_name>).

3. For each administrator account that will use MFA, configure tfa-status {enable | disable} etc.

hostname <host_str>

Enter the host name of the FortiMail system. Together with local-domain-name <local-domain_str>, this forms the FQDN, and is used by many features, such as the IBE URL, webmail URL, and more.

hsts-max-age <days_int>

Enter the expiry age for HTTP Strict Transport Security (HSTS) header in HTTPS connections to the GUI. To disable expiry, enter 0.

iscsi-initiator-name <name_str>

Enter the FortiMail iSCSI client name used to communicate with the iSCSI server for centralized quarantine storage.

This is used to change the name generated by the FortiMail system automatically.

lcd-pin <pin_int>

Enter the 6-digit personal identification number (PIN) that administrators must enter to access the FortiMail LCD panel.

The PIN is used only when lcd-protection {enable | disable} is enable.

lcd-protection {enable | disable}

Enable to require that administrators enter a PIN to use the buttons on the front LCD panel. Also configure lcd-pin <pin_int>.

ldap-server-sys-status {enable | disable}

Enable or disable the LDAP server for serving organizational information.

ldap-sess-cache-state {enable | disable}

Enable to keep the continuity of the connection sessions to the LDAP server. Repeated session connections waste network resources.

local-domain-name <name_str>

Enter the local domain name of the FortiMail system.

mailstat-service {enable | disable}

Enable the mail statistics service.

After you enable this service, a new tab appears on the GUI: FortiView > Top User Statistics. The mail service is also required if you use dynamic impersonation analysis (impersonation-analysis {manual dynamic}).

max-admin-per-domain <administrators_int>

Enter the maximum number of administrators per protected domain. Valid range is 1 to 10.

mta-adv-ctrl-status {enable | disable}

Enable to use advanced MTA settings, statistics, and reports (see profile session and system advanced-management) and to override the global settings configured elsewhere.

Advanced MTA control features are license based. If you do not purchase the advanced management license, or downgrade the license or let it expire, then this feature is not available. To inspect your configuration for invalid settings after the license is downgraded or expires, see diag system value-condition.

operation-mode {gateway | server | transparent}

Select the operation mode:

• gateway: The FortiMail system acts as an SMTP gateway or MTA, but does not host email accounts.

• server: The FortiMail system acts as a standalone email server that hosts email accounts and acts as an MTA.

• transparent: The FortiMail system acts as an SMTP proxy.

Only administrators with super_admin privileges may change the FortiMail system's operation mode.

pki-certificate-req {yes | no}

If the administrator’s web browser does not provide a valid personal certificate for PKI authentication, the FortiMail system will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter yes. To allow password-style fallback, enter no.

pki-mode {enable | disable}

Enable to allow PKI authentication for FortiMail administrators. See also user pki and system admin.

Also configure pki-certificate-req {yes | no}.

Before you disable PKI authentication, enable another mode of authentication for FortiMail administrators and email users that are currently using PKI authentication. If you don't, they will not be able to log in.

port-http <port_int>

Enter the HTTP port number for administrative access on all interfaces.

port-https <port_int>

Enter the HTTPS port number for administrative access on all interfaces.

port-ssh <port_int>

Enter the SSH port number for administrative access on all interfaces.

port-telnet <port_int>

Enter the Telnet port number for administrative access on all interfaces.

post-login-banner {admin ibe webmail}

Select which login pages will display the legal disclaimer:

• admin: Select to display the disclaimer message after the administrator logs into the FortiMail administrative GUI.

• webmail: Select to display the disclaimer message after the user logs into FortiMail webmail.

• ibe: Select to display the disclaimer message after the user logs into the FortiMail system to view IBE encrypted email.

Disclaimers can be system-wide or domain-specific. See system disclaimer and system disclaimer-message.

pre-login-banner {admin}

Enable or disable the legal disclaimer before the administrator logs into the FortiMail GUI.

remote-auth-timeout <timeout-factor_int>

Enter the timeout factor for responses to RADIUS remote authentication requests such as Access-Request, Access-Challenge, Access-Accept, or Access-Reject.

To get the total timeout in seconds, multiply this setting by 3 and then add 1. For example, enter 10 to make a 31 second timeout.

Valid range is 1 to 300 (15 minutes 1 second).

ssl-versions {ssl3 tls1_0 tls1_1 tls1_2 tls1_3}

Select which SSL/TLS version(s) FortiMail will accept in secure connections:

• from clients (HTTPS web browsers and SMTPS mail clients)

• to servers (protected mail servers and Syslog with TCP over TLS)

Separate multiple versions with a space.

Alternatively, for some protocols, you can individually specify which SSL/TLS versions FortiMail accepts. See system security crypto. For FIPS-CC compliance, use status {disable | fips-ciphers} instead.

Authentication profiles with secure RADIUS use TLS 1.2; this is not currently configurable.

The ssl3 option is not available if strong-crypto {enable | disable} is enabled.

Some old versions of web browsers, email clients (for example, Microsoft Outlook 2007 and older), and MTAs may only support TLS 1.0. Therefore they cannot connect to FortiMail if you enable strong-crypto {enable | disable} and/or disable TLS 1.0.

strong-crypto {enable | disable}

By default, this option is enabled to use strong encryption and only allow strong ciphers (AES-128 or better) and digest (SHA-256 or better) for HTTPS, SSH, and Syslog with TCP over TLS. Old SSL/TLS versions with known vulnerabilities such as SSL 3.0 are also disabled, so this setting may partially override ssl-versions {ssl3 tls1_0 tls1_1 tls1_2 tls1_3}.

Alternatively, for some protocols, you can individually specify which cipher suites FortiMail accepts for each protocol. See system security crypto.

Old mail clients and old browser versions such as Microsoft Internet Explorer 6.0 do not support strong encryption.