
Administration Guide

Configuring IBE encryption


The Encryption > IBE > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate, key pre-enrollment, or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

When an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Sample secure message notification shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically.

Note

Due to stricter security restrictions on Apple iOS devices, the email attachments included in IBE push notification messages (for details about the IBE push and pull methods, see Configuring encryption profiles) can no longer be opened properly on iOS 10 and later, so users cannot view the encrypted email messages on these iOS devices. As a workaround, users should download and open the attachments on their computers.

How FortiMail works with IBE

Sample secure message notification

Note

External IBE users can only access their secure messages via the link in the IBE notification email, while internal users (protected domain users) can also access their secure messages via webmail login.

See also

About FortiMail IBE

FortiMail IBE configuration workflow

Configuring IBE services

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

If you want to encrypt email based on the email contents:

  • Add the IBE encryption profile to the content action profile. See Configuring content action profiles.
  • Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitoring and filtering including the dictionary and action profiles. See Configuring content profiles.
  • Add the content profile to the IP-based and recipient-based policies to determine which email needs to be encrypted with IBE. See Controlling email based on sender and recipient addresses, and Controlling email based on IP addresses.

    For example, on the FortiMail unit, you have:

      • configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see Configuring dictionary profiles)
      • added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
      • included the content profile in the IP and recipient policies

    You then tell your email users how to mark the email subject line or header when they want to send encrypted email.

    For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” to the email subject line, or set “Confidential” in the header (in Microsoft Outlook, when composing a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit applies the policies you configured by checking the email’s subject line and header. If either matches a pattern defined in the dictionary profile, the email is encrypted.

  • Configure IBE email storage.
  • Configure log settings for IBE encryption. See Configuring logging.
  • View logs of IBE encryption. See Viewing log messages.
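The following is an added example, not FortiMail code, that models the content-based trigger described above: a dictionary profile holding the pattern “Confidential” with Search header enabled, applied to the Subject line and to the other headers of a raw message. The profile structure, the case-insensitive matching, the function names and the three sample messages are all assumptions made for this illustration; the Sensitivity header value is the one Outlook writes when you choose Sensitivity > Confidential.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed model of a FortiMail dictionary profile: a list of literal patterns
# plus the "Search header" switch. Matching is case-insensitive here; the real
# profile has its own case-sensitivity option.
DICTIONARY_PROFILE = {"patterns": ["Confidential"], "search_header": True}


def dictionary_matches(msg: EmailMessage, profile: dict) -> list:
    """Return the names of the header fields that match a dictionary pattern.

    The Subject line is always scanned. Every other header (for example the
    Sensitivity header that Outlook sets) is scanned only when "Search header"
    is enabled, which is what turns Outlook's Confidential sensitivity into an
    encryption trigger in the page's example.
    """
    compiled = [re.compile(re.escape(p), re.IGNORECASE) for p in profile["patterns"]]
    fields = ["Subject"]
    if profile.get("search_header"):
        fields += [k for k in msg.keys() if k.lower() != "subject"]
    hits = []
    for field in fields:
        for value in msg.get_all(field, []):
            if any(pat.search(str(value)) for pat in compiled):
                hits.append(field)
                break
    return hits


def matching_fields(raw: bytes, profile: dict = DICTIONARY_PROFILE) -> list:
    """Parse a raw RFC 5322 message and list the header fields that matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return dictionary_matches(msg, profile)


def ibe_required(raw: bytes, profile: dict = DICTIONARY_PROFILE) -> bool:
    """True when the content policy would hand this message to the IBE encryption profile."""
    return bool(matching_fields(raw, profile))


# Constructed sample messages (not taken from the page).
SUBJECT_TAGGED = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\n"
    b"Subject: Confidential: Q3 forecast\r\n\r\nSee attached.\r\n"
)
# Outlook expresses Options > Sensitivity > Confidential as this header value.
SENSITIVITY_TAGGED = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\n"
    b"Subject: Q3 forecast\r\nSensitivity: Company-Confidential\r\n\r\nSee attached.\r\n"
)
UNTAGGED = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\n"
    b"Subject: Lunch on Friday?\r\n\r\nNoon?\r\n"
)

if __name__ == "__main__":
    for name, raw in [("subject", SUBJECT_TAGGED), ("sensitivity", SENSITIVITY_TAGGED), ("untagged", UNTAGGED)]:
        print(name, "-> encrypt with IBE" if ibe_required(raw) else "-> deliver in clear")
```

Disabling `search_header` in the profile makes the Sensitivity-tagged message pass through unencrypted while the Subject-tagged one is still caught, which is the difference the Search header option makes in the dictionary profile.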

If you want to encrypt email using message delivery rules:

For full configuration and procedural details, depending on your environment's requirements, see Encrypting confidential emails in FortiMail and How to encrypt emails sent from a designated source in FortiMail.

See also

About FortiMail IBE

Configuring IBE services

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see FortiMail IBE configuration workflow.

To configure IBE service
  1. Go to Encryption > IBE > IBE Encryption.

  2. Configure the following:

    GUI item

    Description

    Enable IBE service

    Enable or disable IBE secure mail service.

    IBE service name

    Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the secure mail.

    Activation is required for account registration

    When enabled, IBE users receive a validation email that contains an activation link to complete the account registration.

    When disabled, IBE users are redirected to the IBE account after registration.

    Note: If the IBE user registered by clicking the registration link inside the reset notification email, they will not be redirected and will need to log in to their account.

    Account registration expiry time (days)

    Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.

    Account inactivity expiry time (days)

    Enter the number of days a registered secure mail recipient can go without accessing the FortiMail unit before the registration lapses and the recipient must register again.

    For example, if you set the value to 30 days and the recipient does not access the FortiMail unit for 30 days after registering, the recipient will need to register again when another secure mail is sent to them. If the recipient accesses the FortiMail unit on the 15th day, the 30-day limit is recalculated from the 15th day onwards.
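The following is an added example, not FortiMail code, that works through the two timers described above: the registration window that starts at the first notification, and the inactivity window that restarts on every access. The class and function names, the ISO-date inputs and the status labels are assumptions for this illustration; where the text says the recipient "did not access the FortiMail unit for 30 days", the code treats the registration as lapsed on the day the full period has elapsed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class IbeExpirySettings:
    """Assumed names for the two GUI settings, both in days."""
    registration_expiry_days: int = 30  # Account registration expiry time (days)
    inactivity_expiry_days: int = 30    # Account inactivity expiry time (days)


@dataclass
class IbeRecipientState:
    """What the unit would know about one secure mail recipient (ISO 8601 dates)."""
    first_notified: str                   # day the first secure-mail notification went out
    registered_on: Optional[str] = None   # None until the recipient registers
    last_access: Optional[str] = None     # most recent login after registering


def _day(value) -> date:
    """Accept either a date or an ISO string such as '2024-01-16'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def registration_deadline(state: IbeRecipientState, settings: IbeExpirySettings) -> date:
    """Last day on which the recipient may still register; the clock starts at the first notification."""
    return _day(state.first_notified) + timedelta(days=settings.registration_expiry_days)


def inactivity_deadline(state: IbeRecipientState, settings: IbeExpirySettings) -> date:
    """Day on which an idle registration lapses. Each access restarts the window."""
    start = _day(state.last_access or state.registered_on)
    return start + timedelta(days=settings.inactivity_expiry_days)


def account_status(state: IbeRecipientState, settings: IbeExpirySettings, today) -> str:
    """Classify what the recipient must do when the next secure mail arrives.

    'register'             never registered, registration window still open
    'registration-expired' never registered and the window has closed
    'reregister'           registered, but idle for the full inactivity period
    'ok'                   registered and active; a plain login is enough
    """
    today = _day(today)
    if state.registered_on is None:
        return "register" if today <= registration_deadline(state, settings) else "registration-expired"
    # Our reading of "did not access for 30 days": lapsed on the day the full
    # inactivity period has elapsed since the last access (or registration).
    if today >= inactivity_deadline(state, settings):
        return "reregister"
    return "ok"


if __name__ == "__main__":
    settings = IbeExpirySettings()
    # The page's example: registered on day 0, accessed on the 15th day.
    bob = IbeRecipientState(first_notified="2024-01-01", registered_on="2024-01-01", last_access="2024-01-16")
    print("inactivity lapses on", inactivity_deadline(bob, settings))       # 2024-02-15
    print("status on 2024-02-10:", account_status(bob, settings, "2024-02-10"))  # ok
    print("status on 2024-02-20:", account_status(bob, settings, "2024-02-20"))  # reregister
```

Without the access on the 15th day the same recipient would already be in the "reregister" state on 2024-02-10, which is the recalculation the text describes.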

    Account password reset expiry time (hours)

    Enter the password reset expiry time in hours.

    This is for recipients who have forgotten their login passwords and request new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

    Encrypted email retention period (days)

    Enter the number of days that the secured mail will be saved on the FortiMail unit.

    Allow secure replying

    Select to allow the secure mail recipient to reply to the email with encryption.

    Allow secure forwarding

    Select to allow the secure mail recipient to forward the email with encryption.

    Allow secure composing

    Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

    For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.

    IBE base URL type

    Select the type of base URL where mail recipients register and access IBE secured mail and IBE notifications, either:

    • System: An FQDN that combines the FortiMail hostname and local domain name (see Configuring mail server settings). If you want to override this, configure IBE base URL.

    • Domain: An FQDN that combines the FortiMail hostname (see Configuring mail server settings) and the sender's protected domain (see Configuring protected domains). Public DNS servers for each protected domain must have an A/AAAA record that resolves these FQDNs to a public IP address used to reach FortiMail. This base URL type is useful if you have multiple protected domains (such as an MSSP deployment) and each one needs a separate IBE portal. If the sender is not in a protected domain, the system-wide URL is used instead.

      Note: If the protected domain is deleted, then the secure mail may not be accessible.

    IBE base URL

    If you want to override the base URL (for example, to use an IP address, such as https://10.0.0.5, or another FQDN that resolves to the FortiMail unit), enter the IBE base URL.

    This setting is configurable only if IBE base URL type is System.
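The following is an added example, not FortiMail code, that works through the base URL rules above: the System FQDN (hostname plus local domain, or the IBE base URL override), the per-sender Domain FQDN with its fallback to the system-wide URL, and the list of FQDNs that public DNS has to resolve before the Domain type can work. The settings class, the function names, the https scheme and the sample domains are assumptions for this illustration.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class IbeUrlSettings:
    """Assumed model of the settings the page describes (field names are ours, not FortiMail's)."""
    hostname: str                                   # FortiMail hostname (mail server settings)
    local_domain: str                               # FortiMail local domain name
    protected_domains: List[str] = field(default_factory=list)
    base_url_type: str = "system"                   # "system" or "domain"
    base_url_override: Optional[str] = None         # "IBE base URL"; configurable only for type "system"


def system_base_url(settings: IbeUrlSettings) -> str:
    """System-wide URL: the explicit override if set, otherwise hostname + local domain."""
    if settings.base_url_override:
        return settings.base_url_override.rstrip("/")
    return f"https://{settings.hostname}.{settings.local_domain}"


def ibe_base_url(settings: IbeUrlSettings, sender: str) -> str:
    """URL that the notification for mail from `sender` points at."""
    if settings.base_url_type == "system":
        return system_base_url(settings)
    if settings.base_url_type != "domain":
        raise ValueError(f"unknown IBE base URL type: {settings.base_url_type!r}")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    protected = {d.lower() for d in settings.protected_domains}
    if sender_domain in protected:
        return f"https://{settings.hostname}.{sender_domain}"
    # Sender outside every protected domain: fall back to the system-wide FQDN.
    # No override exists for type "domain", so none is consulted here.
    return f"https://{settings.hostname}.{settings.local_domain}"


def portal_fqdns(settings: IbeUrlSettings) -> List[str]:
    """Every name that public DNS must resolve (A/AAAA) for the chosen URL type."""
    if settings.base_url_type == "system" and settings.base_url_override:
        host = urlsplit(settings.base_url_override).hostname or ""
        try:
            ipaddress.ip_address(host)
            return []                      # IP-literal override: nothing to publish in DNS
        except ValueError:
            return [host]
    names = {f"{settings.hostname}.{settings.local_domain}"}
    if settings.base_url_type == "domain":
        names |= {f"{settings.hostname}.{d.lower()}" for d in settings.protected_domains}
    return sorted(names)


def unresolvable_fqdns(settings: IbeUrlSettings) -> List[str]:
    """Pre-deployment check (needs network access): portal names that do not resolve at all."""
    missing = []
    for name in portal_fqdns(settings):
        try:
            socket.getaddrinfo(name, 443)
        except socket.gaierror:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed MSSP-style layout: two protected domains behind one unit.
    msp = IbeUrlSettings("fortimail", "corp.example", ["corp.example", "client-a.example"], "domain")
    print(ibe_base_url(msp, "alice@client-a.example"))   # https://fortimail.client-a.example
    print(ibe_base_url(msp, "eve@partner.example"))      # https://fortimail.corp.example (fallback)
    print("DNS records needed for:", portal_fqdns(msp))
```

Run `unresolvable_fqdns()` against your real settings before switching the type to Domain: every name it reports is a protected domain whose notification links will not reach the unit, and the note above about deleted protected domains is the same failure appearing later in the lifecycle.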

    "Help" content URL

    If you want to create a custom help file on how to access the IBE secure email, enter the URL for your file. The mail recipient can click the "Help" link from the secure mail notification to view your file.

    If you leave this setting empty, a link to the default help file will be added to the secure mail notification.

    "About" content URL

    If you want to create a custom file about IBE secure mail, enter the URL for the file. The mail recipient can click the "About" link in the secure mail notification to view your file.

    If you leave this setting empty, a link to the default file about FortiMail IBE secure mail will be added to the secure mail notification.

    Allow custom user control

    If your organization has its own user authentication tools, enable this setting. Then configure:

    “Custom user control” URL: URL where you can determine if an IBE user exists.

    “Custom forgot password” URL: URL where IBE users authenticate.

    Authentication Setting

    In Authentication mode, select either two-factor authentication, one-time password (OTP) tokens, or password only. Then also configure Max. number of attempts for the maximum number of tries a user is allowed for authentication.

    Two-factor authentication tokens can be delivered via either SMS or email. To configure OTP or multi-factor authentication, see the FortiMail CLI Reference. See also the User registration process with two-factor authentication.

    Notification Setting

    Under Account Status Notification, select which notifications will be sent to users. For Expiration, also define when the expiration notification should be sent.

    Under Email Status Notification, you can choose to send a notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

    Click the Edit link to modify the email template. For details, see Customizing email templates.

    Depending on the IBE email access method (either push or pull) you defined in Configuring encryption profiles, the notification settings behave differently.

    • If the IBE message is stored on FortiMail (pull access method), the “read” notification will only be sent the first time the message is read.
    • If the IBE message is not stored on FortiMail (push access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.
    • There is no “unread” notification for IBE push messages.
