Administration Guide

Email concepts and process workflow
- Email protocols
- Client-server connections in SMTP
- DNS role in email delivery
- How FortiMail processes email
- FortiMail operation modes
- FortiMail high availability
- FortiMail management methods
Setting up the FortiMail system
- Connecting to the GUI or CLI
- Choosing the operation mode
- Running the Quick Start Wizard
- Connecting to FortiGuard services
- Gateway mode deployment
- Transparent mode deployment
- Server mode deployment
- Testing the installation
- Backing up the configuration
Using the dashboard
- Viewing the dashboard
- Using the CLI Console
Using FortiView
- Viewing mail statistics
- View threat statistics
- View outbreak statistics
- Viewing top user statistics
- Viewing current IP sessions
Monitoring the system
- Viewing log messages
- Managing the quarantines
- Managing the mail queue
- Viewing DMARC report statistics
  - Viewing the DMARC and SPF report summary
  - Viewing details about DMARC and SPF report statistics
- Viewing the greylist statuses
- Viewing sender, authentication and endpoint reputation
- Managing archived email
- Viewing reports
Centrally monitoring the HA cluster
- Viewing the cluster status
- Viewing HA cluster mail statistics
- Viewing HA cluster threat statistics
- Searching the HA cluster logs
Configuring system settings
- Configuring network settings
- Configuring administrator accounts and access profiles
- Configuring system time, options, and other system options
- Configuring mail settings
- Customizing GUI, custom messages, email templates, and Security Fabric
- Configuring single sign-on (SSO)
- Configuring RAID
- Using high availability (HA)
- Managing certificates
- Using FortiNDR malware inspection
- Using FortiSandbox antivirus inspection
- Configuring FortiGuard services and licensed features
  - Configuring licensed features
    - Configuring image analysis
- System maintenance
- System utility
Configuring domains and users
- Configuring protected domains
- Managing users
- Configuring user aliases
- Configuring address mappings
- Configuring IBE users
- Configuring the address book
- Sharing calendars and address books (server mode only)
- Migrating email from other mail servers (server mode only)
Configuring policies
- What is a policy?
- How to use policies
- Controlling SMTP access and delivery
- Controlling email based on IP addresses
- Controlling email based on sender and recipient addresses
Configuring profiles
- Configuring session profiles
- Configuring antispam profiles and actions
- Configuring antivirus profiles, file signatures, and actions
- Configuring content profiles and content action profiles
- Configuring replacement message profiles and variables
- Configuring resource profiles
- Workflow to enable and configure authentication of email users
- Configuring authentication profiles
- Configuring LDAP profiles
- Configuring dictionary profiles
- Configuring security profiles
- Configuring IP pools
- Configuring email, IP and GeoIP groups
- Configuring notification profiles
Configuring security settings
- Configuring URL filter profiles
- Configuring a threat feed
  - Types and file formats of threat feeds
- Configuring content disarming and reconstruction
- Configuring authentication reputation
- Configuring email quarantines and quarantine reports
- Configuring the block lists and safe lists
- Configuring greylisting
- Configuring bounce verification and tagging
- Configuring sender rewriting scheme
- Configuring endpoint reputation
- Configuring preferences
- Training and maintaining the Bayesian databases
Configuring encryption settings
- Configuring IBE encryption
- Configuring certificate bindings
Configuring data loss prevention
- DLP configuration workflow
- Defining the sensitive data
- Configuring DLP rules
- Configuring DLP profiles
Archiving email
- Email archiving workflow
- Configuring email archiving accounts
- Configuring email archiving policies
- Configuring email archiving exemptions
Logs, reports, and alerts
- About FortiMail logging
- Configuring logging
- Configuring report profiles and generating reports
- Configuring alert email
Microsoft 365, Exchange and Google Workspace threat remediation
- Microsoft 365, Exchange, and Google Workspace protection workflow
- To create a Microsoft Exchange account
- Configuring scanning policies
- Configuring profiles
- Monitoring log messages
Managing firmware and configuration
- Testing firmware before installing it
- Installing firmware
- Clean installing firmware
- Upgrading firmware on HA units
Best practices and fine tuning
- General security tuning
- System security tuning
- Network topology tuning
- High availability (HA) tuning
- SMTP connectivity tuning
- Antispam tuning
- Policy tuning
- System maintenance tips
- Performance tuning
Troubleshooting
- Establish a system baseline
- Define the problem
- Search for a known solution
- Create a troubleshooting plan
- Gather system information
- Troubleshoot hardware issues
- Troubleshoot GUI and CLI connection issues
- Troubleshoot FortiGuard connection issues
- Troubleshoot MTA issues
- Troubleshoot antispam issues
- Troubleshoot HA issues
- Troubleshoot resource issues
- Troubleshoot bootup issues
- Troubleshoot installation issues
- Contact Fortinet customer support for assistance
Setup for email users
- Training Bayesian databases
- Managing tagged spam
- Accessing the personal quarantine and webmail
- Sending email from an email client (gateway and transparent mode)
Appendix A: Supported RFCs
Appendix B: Maximum Values
Appendix C: Port Numbers
Appendix D: Wildcards and regular expressions
- Special characters with regular expressions and wildcards
- Case sensitivity
- Modifiers
- Word boundary
- Syntax
- Example regular expressions
Appendix E: Working with TLS/SSL
- About TLS/SSL
- How TLS/SSL works
- FortiMail support of TLS/SSL
- Troubleshooting FortiMail TLS issues
Appendix F: PKI Authentication
- Introduction to PKI authentication
- FortiMail PKI architecture
- Configuring PKI authentication on FortiMail
Change log

Home FortiMail 7.6.1 Administration Guide

7.6.1

Configuring impersonation profiles

Email impersonation is a type of email spoofing attack. It forges the email header to deceive the recipient because the message appears to be from a different source than the actual address.

To use this feature, you must have a license for the Fortinet Enterprise Advanced Threat Protection (ATP) bundle.

To fight against email impersonation, you can map high valued target display names with correct email addresses and FortiMail can check for the mapping. For example, an external spammer wants to impersonate the CEO of your company(ceo@company.com). The spammer will put From: CEO ABC <ceo@external.com> in the email header, and send such email to a user(victim@company.com). If FortiMail has been configured with a manual entry "CEO ABC"/"ceo@company.com" in an impersonation analysis profile to indicate the correct display name/email pair, or it has learned display name/email pair through the dynamic process, then such email will be detected by impersonation analysis, because the spammer uses an external email address and an internal user's display name.

Impersonation analysis inspects both the From: and Reply-To: message headers.

Entries can be mapped either:

Manually: You enter mappings between display names and email addresses.
Dynamically: The FortiMail mail statistics service automatically learns the mappings.

To create an impersonation analysis profile

Go to Profile > AntiSpam > Impersonation.
Either click New or Clone to add a profile, or double-click a profile to modify it.

Alternatively, see Batch editing antispam profiles.

Configure the following:

GUI item		Description
Domain		Select which protected domain this profile belongs to, or System (all protected domains can use this profile). You can only see the domains that are permitted by your administrator profile. See About administrator account permissions and domains.
Name		Enter a unique name.
Comment		Enter a comment or description.

In the Impersonation section, select either Match Rule or Exempt Rule.

To avoid false positives, impersonation analysis also follows some other exemptions.

Click New and then configure the following:

GUI item	Description
Display name pattern	Enter the display name to be mapped to the email address. You can use a wildcard or regular expression.
Pattern type	Select either: Wildcard Regular expression See Appendix D: Wildcards and regular expressions.
Email address	Enter the email address to be mapped to the display name. The email address can be from protected/internal domains or unprotected/external domains. If the email address is from an external domain, such as gmail.com or hotmail.com, the display name matching the external email address will be passed. Otherwise, it will be caught by impersonation analysis.

Click Create.
Repeat the previous step until all rules have been created.
Click Create or OK.
To apply impersonation profile, select it in an antispam profile. For details, see Business email compromise section.