
Administration Guide

Configuring protected domains


The Domain tab displays the list of protected domains and domain groups.

Protected domains define connections and email messages for which the FortiMail unit can perform protective email processing by describing both:

  • the IP address of an SMTP server
  • the domain name portion (the portion which follows the @ symbol) of recipient email addresses in the SMTP envelope (RCPT TO:)

The FortiMail unit uses both parts to compare to connections and email messages when looking for traffic that involves the protected domain.

Note

For FortiMail units operating in server mode, protected domains list only the domain name, not the IP address: the IP address of the SMTP server is the IP address of the FortiMail unit itself.

For example, if you wanted to scan email from email addresses such as user.one@example.com hosted on the SMTP server 10.10.10.10, you would configure a protected domain of example.com whose SMTP server is 10.10.10.10.

Aside from defining the domain, protected domains contain settings that apply specifically to all email destined for that domain, such as mail routing and disclaimer messages.

With an advanced management license, domain groups can be created and used to associate to domain-level administrators, allowing administrators to potentially manage multiple domains and all log entries associated with their domains. Domain-level administrators may search history logs, with the results filtered based on the user's domain.

Many FortiMail features require that you configure a protected domain. For example, when applying recipient-based policies for email messages incoming to the protected domain, the FortiMail unit compares the domain name of the protected domain to the domain name portion of the recipient email addresses.

When FortiMail units operating in transparent mode are proxying email connections for a protected domain, the FortiMail unit will pass, drop or intercept connections destined for the IP address of an SMTP server associated with the protected domain, and can use the domain name of the protected domain during the SMTP greeting.

Usually, you have already configured at least one protected domain during installation of your FortiMail unit; however, some configurations may not require any protected domains. You can add more domains or modify the settings of existing ones if necessary.

Note

If you have many mail domains that will use identical settings, instead of creating many protected domains, you may want to create one protected domain, and then configure the others as associated domains. For details, see Domain Association.

If the FortiMail unit is operating in gateway mode, you must change the MX entries for the DNS records for your email domain, referring email to the FortiMail unit rather than to your email servers. If you create additional protected domains, you must modify the MX records for each additional email domain. Similarly, MX records must also refer to the FortiMail unit if it is operating in server mode.

Before you begin, if the protected domain will use an IP pool profile, first configure the IP pool profile. For details, see Configuring IP pools.

To configure a protected domain

  1. Go to Domain & User > Domain > Domain.

    The tab varies with the operation mode.

    GUI item

    Description

    Delete

    (button)

    Click Delete to remove the protected domain.

    Caution: This also deletes all associated email user accounts and preferences.

    Domain FQDN

    Displays the fully qualified domain name (FQDN) of the protected domain.

    If the protected domain is a subdomain or domain association, click the + next to a domain entry to expand the list of subdomains and domain associations. To collapse the entry, click the -.

    Relay Type

    (transparent and gateway mode only)

    Indicates how the SMTP server will receive email from the FortiMail unit for the protected domain:

    • Host
    • MX Record (this domain)
    • MX Record (alternative domain)
    • IP Group
    • LDAP Domain Mail Host

    SMTP server

    (transparent and gateway mode only)

    Displays the host name or IP address and port number of the mail exchanger (MX) for this protected domain.

    If Relay type is MX Record (this domain) or MX Record (alternative domain), this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty.

    Recipient Verification (transparent and gateway mode only)

    Displays the SMTP server or LDAP server used for recipient address verification if it is enabled.

    Sub

    (transparent and gateway mode only)

    The number indicates how many subdomains this domain has.

    Association

    (transparent and gateway mode only)

    The number indicates how many domain associations this domain has. For more information on domain associations, see Domain Association.

    MTA Status

    (transparent and gateway mode only)

    Displays the recipient SMTP server status.

    Disk Usage (%)

    (transparent and gateway mode only)

    Displays the disk space used by quarantine reports in kilobytes (KB).

  2. Either click New to create a new protected domain, or click a row to modify it.

    A dialog appears. Its options vary with the operation mode.

  3. Configure the settings that apply to the operation mode and your choice for relay type:

    GUI item

    Description

    Domain name

    Enter the fully qualified domain name (FQDN) of the protected domain.

    For example, if you want to protect email addresses such as user1@example.com, you would enter the protected domain name example.com.

    Generally, your protected domain will use a valid, globally-resolvable top-level domain (TLD) such as .com. Exceptions could include testing scenarios, where you have created a .lab mail domain on your private network to prevent accidental conflicts with live mail systems legitimately using their globally-resolvable FQDN.

    Is subdomain

    Mark this check box to indicate the protected domain you are creating is a subdomain of an existing protected domain, then also configure Main domain.

    Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will appear as grouped under the parent protected domain when viewing the list of protected domains.

    This option is available only when another protected domain exists to select as the parent domain.

    Main domain

    Select the protected domain that is the parent of this subdomain. For example, lab.example.com might be a subdomain of example.com.

    This option is available only when Is subdomain is enabled.

    Relay type

    (transparent and gateway mode only)

    Select from one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain:

    • Host: Configure the connection to one protected SMTP server or, if any, one fallback. Also configure SMTP server and Fallback SMTP server.
    • MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
    • MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also configure Alternative domain name.
    • IP Group: Configure the connection to rotate among one or many protected SMTP servers for load balancing. Also configure IP group.
    • LDAP Domain Mail Host: Query the LDAP server for the FQDN or IP address of the SMTP server. Also configure LDAP profile (see Configuring LDAP profiles).

    Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit.

    • In gateway mode, a private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server, configure the protected SMTP server’s A record with its private IP address, while on the public DNS server, configure the FortiMail unit’s A record with its public IP address.
    • In transparent mode, a private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server’s A record with its private IP address. On the public DNS server, configure the protected SMTP server’s A record with its public IP address. Do not modify the MX record.
    • For performance reasons, DNS lookups are skipped in gateway and server mode unless the sending domain is blank.

    SMTP server

    (transparent and gateway mode only)

    Enter the fully qualified domain name (FQDN) or IP address of the primary SMTP server for this protected domain, then also configure Port and Use SMTPS.

    If you have an internal mail relay that is located on a physically separate server from your internal mail server, this could be your internal mail relay, instead of your internal mail server. Consider your network topology, directionality of the mail flow, and the operation mode of the FortiMail unit. For more information, see Inbound versus outbound email and Avoiding scanning email multiple times.

    This field appears only if Relay type is Host.

    Fallback SMTP server

    (transparent and gateway mode only)

    Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain, then also configure Port and Use SMTPS.

    This SMTP server will be used if the primary SMTP server is unreachable.

    This field appears only if Relay type is Host.

    IP group

    (transparent and gateway mode only)

    Select the name of the IP group that is the range of IP addresses. Also configure Port and Use SMTPS.

    This field appears only if Relay type is IP Group.

    LDAP profile

    (transparent mode and gateway mode only)

    Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query. Also configure Port and Use SMTPS.

    This field appears only if Relay type is LDAP Domain Mail Host.

    Port

    Enter the port number on which the SMTP server listens.

    If you enable Use SMTPS, Port automatically changes to the default port number for SMTPS, but can still be customized.

    This field appears only if Relay type is Host, IP Group or LDAP Domain Mail Host.

    See also Appendix C: Port Numbers.

    Alternative domain name

    (transparent and gateway mode only)

    Enter the domain name to use when querying the DNS server for MX records.

    This option appears only if Relay type is MX Record (alternative domain).

    LDAP User Profile

    (server mode only)

    Select the name of an LDAP profile that you have configured (see Configuring LDAP profiles). The profile enables you to authenticate email users, and to expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members.

    Use SMTPS

    Enable to use SMTPS for connections originating from or destined for this protected server.

    This field appears only if Relay type is Host, IP Group or LDAP Domain Mail Host.

    Relay Authentication

    To test relay authentication, enable it and enter an email user name and password pair that exists on the mail server. Also specify the authentication type.

    Test

    (button)

    After you have entered the relay server information, you can click the Test button to test if the relay server is accessible.

    To further test mail delivery, click Advanced Group, and enter the SMTP HELO/EHLO, sender (MAIL FROM:), and recipient (RCPT TO:) information.

    Click Test. The test results will be displayed.

    Note: STARTTLS is not supported for relay host testing.

To configure domain groups

  1. Purchase the feature license and enable the feature. See Domain group support.

  2. Go to Domain & User > Domain > Domain Group.

  3. Click New, or select a row and click Edit to edit an existing group.

  4. Enter a Group Name.

  5. Click the domains that you want to add to the domain group from the Available text area, and click the right-arrow to bring them to the Members text area.

  6. Click Create.

  7. Configure the following sections:

Configuring recipient address verification

This section does not apply to server mode.

Select a method of confirming that the recipient email address in the message envelope (RCPT TO:) corresponds to an email user account that actually exists on the protected email server. If the recipient address is invalid, the FortiMail unit will reject the email. This prevents quarantine email messages for non-existent accounts, thereby conserving quarantine hard disk space.

Note

This feature can impact performance, and the impact can be noticeable during peak traffic times. To reduce it, you can instead periodically and automatically remove quarantined email messages for invalid email user accounts, rather than actively preventing them during each email message.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A dialog appears. Its options vary with the operation mode.

  3. Expand the recipient address verification section.

  4. Configure the following:

    GUI item

    Description

    Disable

    Do not verify that the recipient address is an email user account that actually exists.

    SMTP Server

    Query the SMTP server using either the SMTP VRFY command or RCPT command to verify that the recipient address is an email user account that actually exists. RCPT is the default command.
    If you want to query an SMTP server other than the one you have defined as the protected SMTP server, also enable Use alternative server, then enter the IP address or FQDN of the server in the field next to it. Also configure Port with the port number on which the SMTP server listens, and enable Use SMTPS if you want to use SMTPS for recipient address verification connections with the server. See also Appendix C: Port Numbers.

    If you want to use different sender email addresses in the SMTP envelope (MAIL FROM:) for different domains, set Mail from address to Use domain setting and specify the address to use. If you select Use system setting (the default), FortiMail will use an empty sender email address unless you specify a global one with the following CLI commands:

    config mailsetting smtp-rcpt-verification

    set mail-from-addr <sender_email>

    end

    Note: Microsoft 365 does not accept an empty MAIL FROM for SMTP recipient verification. You must specify an envelope from address if FortiMail is protecting Microsoft 365 domains.

    Additionally, set Action on invalid recipient to either reject any unknown users, or discard unknown users (initially accept and silently discard).

    LDAP Server

    Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server. For more information on configuring LDAP profiles, see Configuring LDAP profiles.

    Additionally, set Action on invalid recipient to either reject any unknown users, or discard unknown users (initially accept and silently discard).

    Imported User

    Query an LDAP or Microsoft 365 server to verify that the imported users actually exist. For more information, see Managing imported users.

    Additionally, set Action on invalid recipient to either reject any unknown users, or discard unknown users (initially accept and silently discard).
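The SMTP Server verification method above, worked through as an added example (this is illustrative code, not FortiMail's implementation): it probes the protected server with RCPT TO or VRFY, shows why an empty MAIL FROM matters for Microsoft 365, and maps the result to the reject/discard choice. fake_server() is a constructed stand-in so the probe runs offline.

```python
"""Recipient address verification as described above: probe the protected
SMTP server with RCPT TO (the default) or VRFY, then apply the
'Action on invalid recipient' choice (reject or discard).

Added example, not FortiMail code. fake_server() is a constructed stand-in
for the protected mail server so the probe can run offline; a real probe
would send the same commands over an smtplib connection."""
import re
from typing import Callable, Set, Tuple

Reply = Tuple[int, str]           # (SMTP reply code, text)
SendCmd = Callable[[str], Reply]  # sends one SMTP command, returns the reply


def probe_recipient(send: SendCmd, rcpt: str, mail_from: str = "",
                    use_vrfy: bool = False) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one envelope recipient.

    mail_from="" reproduces the 'Use system setting' default, i.e. an empty
    envelope sender (MAIL FROM:<>). Pass a real address for servers such as
    Microsoft 365 that refuse an empty MAIL FROM during verification."""
    code, _ = send("EHLO verifier.example.invalid")  # assumed probe hostname
    if code != 250:
        return "unknown"
    if use_vrfy:
        code, _ = send(f"VRFY {rcpt}")
        send("QUIT")
        # 250/251: mailbox exists; 252: server will not confirm; 5xx: no user
        if code in (250, 251):
            return "valid"
        return "invalid" if 500 <= code < 600 else "unknown"
    code, _ = send(f"MAIL FROM:<{mail_from}>")
    if code != 250:
        send("QUIT")
        return "unknown"           # sender refused: recipient was never tested
    code, _ = send(f"RCPT TO:<{rcpt}>")
    send("RSET")                   # never DATA: this was only a probe
    send("QUIT")
    if code in (250, 251):
        return "valid"
    if 500 <= code < 600:
        return "invalid"
    return "unknown"               # 4xx (greylisting, tempfail) is not 'invalid'


def action_for(result: str, on_invalid: str = "reject") -> str:
    """Map a probe result to the gateway's handling of the inbound RCPT TO.

    on_invalid is 'reject' (refuse with a 5xx) or 'discard' (accept, then
    silently drop). An 'unknown' result is accepted: a temporary failure on
    the backend must not turn into a rejection of legitimate mail."""
    if result == "invalid":
        return "discard" if on_invalid == "discard" else "reject"
    return "accept"


def fake_server(known_users: Set[str], reject_empty_sender: bool = False) -> SendCmd:
    """Constructed scripted SMTP server holding the given mailboxes.

    reject_empty_sender=True mimics a backend that, like Microsoft 365,
    will not accept MAIL FROM:<> for verification probes."""
    def send(cmd: str) -> Reply:
        verb, _, rest = cmd.partition(" ")
        addr = re.search(r"<([^>]*)>", rest)
        if verb == "EHLO":
            return 250, "hello"
        if verb == "MAIL":
            if reject_empty_sender and addr and addr.group(1) == "":
                return 501, "empty sender not accepted"
            return 250, "sender ok"
        if verb in ("RCPT", "VRFY"):
            target = addr.group(1) if addr else rest
            if target.lower() in known_users:
                return 250, "recipient ok"
            return 550, "no such user here"
        return 250, "ok"           # RSET, QUIT
    return send
```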

Configuring transparent mode options

This section appears only when the FortiMail unit operates in transparent mode.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the transparent mode settings section.

  4. Configure the following:

    GUI item

    Description

    This server is on

    Select the network interface (a port) to which the protected SMTP server is connected.

    Note: Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface.

    Hide the transparent box

    Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in:

    • the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
    • the IP addresses in the IP header

    This masks the existence of the FortiMail unit to the protected SMTP server.

    Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.

    For example, an external SMTP client might have the IP address 172.168.1.1, and the FortiMail unit might have the domain name fortimail.example.com. If the option is enabled, the message headers would contain the following (the EHLO argument and the by field are what differ between the two cases):

    Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800

    Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT

    But if the option is disabled, the message headers would contain:

    Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800

    Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT

    Note: If the protected SMTP server applies rate limiting according to IP addresses, enabling this option can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail unit.

    Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, this option supersedes the Hide this box from the mail server option in the session profile, and may prevent it from applying to incoming email messages.

    Use this domain’s SMTP server to deliver the mail

    Enable to use the protected SMTP server, instead of the FortiMail built-in MTA, to deliver outgoing email messages from the SMTP clients whose sending MTA is the protected SMTP server.

    For example, if the protected domain example.com has the SMTP server 192.168.1.1, and an SMTP client for user1@example.com connects to it to send email to user2@external.example.net, enabling this option would cause the FortiMail unit to pass the mail message via its built-in MTA to the protected SMTP server, which will deliver the message.

    Disable to relay email using the built-in MTA to either the SMTP relay defined in Configuring SMTP relay hosts, if any, or directly to the MTA that is the mail exchanger (MX) for the recipient email address’s (RCPT TO:) domain. The email may not actually travel through the protected SMTP server, even though it was the relay originally specified by the SMTP client.

    This option does not affect incoming connections containing incoming email messages, which will always be handled by the built-in MTA. For details, see When FortiMail uses the proxies instead of the built-in MTA.

    Note: This option will be ignored for email that matches an antispam or content action profile.

Configuring removal of invalid quarantine accounts

This section does not apply to server mode.

Select a method by which to periodically remove quarantined spam for which an email user account does not actually exist on the protected email server.

If you select either SMTP or LDAP server, the FortiMail unit queries the server daily (at 4:00 AM unless configured for another time in the CLI; see the FortiMail CLI Reference) to verify the existence of email user accounts. If an email user account no longer exists, the FortiMail unit removes all spam quarantined for that email user account.

In some instances, recipient verification via SMTP or LDAP is not feasible. Select Purge Inactive to remove inactive accounts instead.

Note

If you have also enabled Recipient Address Verification (see Configuring recipient address verification), the FortiMail unit does not form quarantine accounts for email user accounts that do not exist on the protected email server. In that case, invalid quarantine accounts are never formed, and this option may not be necessary, except when you delete email user accounts on the protected email server. If this is the case, you can improve the performance of the FortiMail unit by disabling this option.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the Automatic Removal of Invalid Quarantine Accounts section.

  4. Configure the following:

    GUI item

    Description

    Disable

    Do not verify that the recipient address is an email user account that actually exists.

    SMTP Server

    Query the SMTP server to verify that the recipient address is an email user account that actually exists.

    LDAP Server

    Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server. For more information on configuring LDAP profiles, see Configuring LDAP profiles.

    Purge Inactive

    Checks how many days an email user account has been inactive. If the account has been inactive for more than the designated Retention period, the account is purged.

LDAP Option section

Use this section to configure how the protected domain uses LDAP services.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the LDAP Option section.

  4. Configure the following:

    GUI item

    Description

    User alias / address mapping profile

    (transparent and gateway mode only)

    Select the name of an LDAP profile in which you have enabled and configured alias and address-mapping queries, enabling you to expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members and/or address mappings.

    To use this option, make sure that the email aliases and/or address mappings exist on the LDAP server. If the alias cannot be retrieved or the LDAP server is not accessible, the email will be temporarily failed (SMTP 451 error).

    For more information, see Configuring LDAP profiles.

    Mail routing LDAP profile

    Enable to perform mail routing, then click the arrow to expand the options and select the name of an LDAP profile in which you have enabled and configured mail routing queries. For more information, see Configuring LDAP profiles.

    Scan override profile

    Enable to query an LDAP server for an email user’s preferences to enable or disable antispam, antivirus, and/or content processing for email messages destined for them, then select the name of an LDAP profile in which you have enabled and configured the scan override query. For more information, see Configuring LDAP profiles.

Advanced Setting section

Go to Domain & User > Domain > Domain and expand the Advanced Setting section to configure the following domain settings:

Quarantine Report Setting

The Quarantine Report Setting section that appears when configuring a protected domain lets you configure quarantine report settings. You can choose either to use the system-wide quarantine report settings or to configure domain-wide settings.

For information on system-wide quarantine report settings and quarantine reports in general, see Configuring global quarantine report settings and Customizing GUI, custom messages, email templates, and Security Fabric.

To configure per-domain quarantine report settings

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a protected domain or double-click a domain to modify it.

  3. Expand the Advanced Setting section.

  4. Click Quarantine Report Setting.

    A new dialog appears.

  5. Configure the following:

    GUI item

    Description

    Report destination

    Original recipient

    Enable to send the quarantine report to all recipients. For more information, see Managing the personal quarantines.

    Other recipient

    Select to send the quarantine report to a recipient other than the individual recipients or group owner. For example, you might delegate quarantine reports by sending them to an administrator whose email address is not locally deliverable to the protected domain, such as admin@lab.example.com.

    LDAP group owner based on LDAP profile

    Enable to send the quarantine report to a group owner, rather than individual recipients, then select the name of an LDAP profile in which you have enabled and configured the group query options (see Configuring group query options).

    Also configure the following two options for more granular control:

    • Only when original recipient is group
    • When group owner is found, do not send to original recipient

    Report schedule

    Click the arrow to expand the options.

    Schedule

    Select the schedule to use when sending quarantine reports.

    These Hours

    Select which hours to send the quarantine report for this protected domain.

    This option is available only when Schedule is Use domain settings.

    These Days

    Select which days to send the quarantine report for this protected domain.

    This option is available only when Schedule is Use domain settings.

    Report template

    Select an email template to use.

    If you choose to use the system settings, you can view the template but cannot edit it from this page. You can, however, edit the system-wide template by going to System > Customization > Custom Email Template.

    If you choose to use the domain settings, you can click Edit to modify the template.

    Replacement messages often include variables, such as the MIME type of the file that was overwritten by the replacement message.

    Note

    Typically, you will customize text, but should not remove variables from the replacement message. Removing variables may result in an error message and reduced functionality. For example, removing %%SPAM_DELETE_URL%% would make users incapable of using the quarantine report to delete email individually from their personal quarantines.

  6. Click Create or OK.

Domain Association

When configuring a protected domain, you can configure associated domains. An associated domain uses the settings of the protected domain or subdomain with which it is associated.

Domain associations can be useful for saving time when you have multiple domains, and you would otherwise need to configure multiple protected domains with identical settings.

For example, if you have one SMTP server handling email for ten domains, you could:

  • Create ten separate protected domains and configure each with identical settings.
  • Create one protected domain and list the nine other domains as domain associations.

The advantage of using the second method is that you do not have to repeatedly configure the same things when creating or modifying the protected domains. This saves time and reduces chances for error. Changes to one protected domain automatically apply to all of its associated domains.

The maximum number of domain associations that you can create is separate from the maximum number of protected domains.

Domain associations do not appear if FortiMail is operating in server mode.

To configure domain associations

  1. Go to Domain & User > Domain > Domain.

  2. Click New to create a protected domain or double-click a domain to modify it.

  3. Under Advanced Setting, click Domain Association.

  4. If the relay type of this protected domain uses MX record (this domain) or MX record (alternative domain), for the MX record lookup option of the domain associations, you can choose to use the domain association’s (self) MX record, or this protected domain’s (parent) MX record.

    To create a domain association, click New and enter the fully qualified domain name (FQDN) of a mail domain that will use the same settings as this protected domain. You can use a wildcard, such as *.example.com.

  5. Click Create.

    The name of the associated domain appears in the Members area.

  6. Repeat the previous steps for all domains that you want to associate with this protected domain.

  7. Click Create or OK.
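How the domain-name part of a protected domain is matched, covering both the basic rule from the start of this page (the portion after @ in RCPT TO) and the subdomain and associated-domain cases just described, as an added example. It is illustrative code, not FortiMail's matching logic; the ProtectedDomain class and helper names are this example's own.

```python
"""Which protected domain does an inbound RCPT TO belong to? This follows the
rules on this page: match the domain part after '@' against protected domains
(a subdomain configured as its own entry keeps its own settings), and treat
associated domains, including *.example.com wildcards, as aliases that inherit
the parent protected domain's settings.

Added example to illustrate the text, not FortiMail's matching code; the
ProtectedDomain class and the helper names are this example's own."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class ProtectedDomain:
    name: str                                   # FQDN, e.g. example.com
    smtp_server: str                            # host or IP mail is relayed to
    main_domain: Optional[str] = None           # set when 'Is subdomain' is enabled
    associations: List[str] = field(default_factory=list)  # FQDNs or wildcards


def domain_of(address: str) -> Optional[str]:
    """Envelope recipient -> lowercase domain part, or None if malformed."""
    addr = address.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def match_protected_domain(rcpt: str, domains: Dict[str, ProtectedDomain]
                           ) -> Tuple[Optional[ProtectedDomain], str]:
    """Return (protected domain or None, how it matched).

    An exact protected-domain or subdomain entry wins. Otherwise the longest
    matching association pattern wins, so a literal mail.example.com
    association beats the wildcard *.example.com. Note that '*' in fnmatch
    also crosses dots, so *.example.com matches a.b.example.com as well."""
    domain = domain_of(rcpt)
    if domain is None:
        return None, "malformed"
    if domain in domains:
        return domains[domain], "exact"
    best: Optional[Tuple[int, ProtectedDomain]] = None
    for pd in domains.values():
        for pattern in pd.associations:
            if fnmatchcase(domain, pattern.lower()):
                if best is None or len(pattern) > best[0]:
                    best = (len(pattern), pd)
    if best is None:
        return None, "none"
    return best[1], "association"


def relay_target(rcpt: str, domains: Dict[str, ProtectedDomain]) -> Optional[str]:
    """SMTP server the message is relayed to, or None when no protected domain
    claims the recipient (the gateway would then not treat it as inbound)."""
    pd, _ = match_protected_domain(rcpt, domains)
    return pd.smtp_server if pd else None
```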

DKIM and ARC Setting

The FortiMail unit will sign outgoing email messages using the domain key for this protected domain if you have selected it when configuring sender validation in the session profile. For more information, see Configuring session profiles.

FortiMail also supports Authenticated Received Chain (ARC) validation and sealing.

DKIM signing requires a public-private key pair. The private key is kept on and used by the FortiMail unit to generate the DKIM signatures for the email messages; the public key is stored on the DNS server in the DNS record for the domain name, and used by receiving parties to verify the signature.

You can generate the key pair by creating a domain key selector; you can also manually import an existing key pair in PEM format.

After you generate or import the key pair, you can export the DNS record that contains the public key. The following is a sample of the exported DNS record:

example_com._domainkey IN TXT "t=y; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPuR5xC+yDvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHHPFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"

This DNS record can be generated either in multiple string or single string format.

Then you can publish the public key by adding it to the DNS zone file as a TXT record for the domain name on the DNS server. The recipient SMTP server, if enabled to use DKIM verification, will use the public key to verify the signature and confirm that the hash value it carries matches the hash of the received email message.

FortiMail performs DKIM signing for an associated domain with its parent domain DKIM key. You must publish the DKIM public key for the associated domain in order for the receiving MTA to validate the DKIM signature.
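The exported DNS record above, parsed and re-rendered in the single-string and multi-string formats the text mentions, as an added example (illustrative code, not FortiMail's exporter). SAMPLE_RECORD is the record shown above; the function names are this example's own.

```python
"""Handle the DKIM public-key record exported for a selector: parse the
'name IN TXT "..."' line, check the tags a receiving MTA depends on, and
render it in single-string or multi-string form (each string in a DNS TXT
record is limited to 255 bytes, so longer keys are published as several
strings that resolvers concatenate).

Added example, not FortiMail's exporter. SAMPLE_RECORD is the record shown
above; the function names are this example's own."""
import base64
import binascii
import re
from typing import Dict, Optional

SAMPLE_RECORD = (
    'example_com._domainkey IN TXT "t=y; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPuR5xC+yDvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHHPFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"'
)


def parse_exported_record(line: str) -> Dict[str, str]:
    """Split a zone-file TXT line into its owner name plus DKIM tag=value pairs.

    Multiple quoted strings are joined before parsing, as a resolver does."""
    m = re.match(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.+)$', line.strip())
    if not m:
        raise ValueError("not a TXT record line")
    owner, rdata = m.groups()
    text = "".join(re.findall(r'"([^"]*)"', rdata))
    tags: Dict[str, str] = {"_owner": owner}
    for item in text.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_key(tags: Dict[str, str]) -> dict:
    """Check the record against the RFC 6376 key-record rules a verifier applies."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is handled by this example")
    der: Optional[bytes]
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        der = None
        problems.append("p= is not valid base64")
    if der == b"":
        problems.append("p= is empty: an empty key means the selector is revoked")
    elif der and der[0] != 0x30:
        problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
    # t=y flags a selector in testing mode; verifiers treat failures leniently
    testing = "y" in tags.get("t", "").split(":")
    return {"ok": not problems, "problems": problems,
            "der_len": len(der or b""), "testing_mode": testing}


def to_zone_record(tags: Dict[str, str], multi_string: bool = True,
                   max_len: int = 255) -> str:
    """Render tags as a zone-file line, in single- or multi-string format."""
    owner = tags["_owner"]
    text = "; ".join(f"{k}={v}" for k, v in tags.items() if not k.startswith("_"))
    if not multi_string:
        return f'{owner} IN TXT "{text}"'
    chunks = [text[i:i + max_len] for i in range(0, len(text), max_len)]
    return f"{owner} IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"
```

With the 1024-bit sample key the record is 230 characters, so the multi-string form only splits when max_len is lowered; a 2048-bit key exceeds 255 characters and must be split for publication.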

To configure DKIM and ARC settings

  1. Go to Domain & User > Domain > Domain.

  2. Double-click to modify an existing protected domain.

    Note

    You can only configure the DKIM and ARC setting for existing domains.

  3. Click to expand Advanced Setting.

  4. Click DKIM and ARC Setting.

  5. Configure both the DKIM signing option and ARC sealing option:

    • Disable: Disable DKIM signing/ARC sealing.
    • Incoming: Perform DKIM signing/ARC sealing for email sent from a protected domain to the same domain.
    • Outgoing: Perform DKIM signing/ARC sealing for email sent from a protected domain to other domains, including other protected domains and all external domains.
    • All: Perform DKIM signing/ARC sealing for both incoming and outgoing email.
  6. Under Key Selectors, click New to configure the key pair required for DKIM signing.

  7. If you want to generate a key pair, enter a new selector to use for the DKIM key, such as example_com2, then select Auto Generation and click OK.

  8. If you want to import an existing key pair, enter a selector name, then select Manual Import, and upload the public key and private key. Optionally enter a password for the private key. Note that the key files must be in PEM format.

  9. Click Create.

    The selector name for the key pair appears in the list of domain key selectors. The key pair is generated, and the public key can be exported for publication on a DNS server.

    Note

    When a new key is created or imported, it is not active by default. This allows you to publish the public key on the DNS server before you activate the key. Also note that only one key pair can be active at a time.

  10. Click to select the domain key, then click Download.

    Optionally, specify whether you want to download the domain key in either multi-string or single-string format.

    Your web browser downloads a plain text file (with a .dkim extension) that contains the exported DNS record.

  11. Publish the public key by inserting the exported DNS record into the DNS zone file of the DNS server that resolves this domain name. For details, see the documentation for your DNS server.

  12. Activate the key by selecting the key and then clicking Activate.

DMARC Report Setting

You can configure DMARC report settings that are system-wide (see DMARC Report Generation), or specific to this protected domain.

To configure per-domain DMARC report and statistics

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a protected domain or double-click a domain to modify it.

  3. Click to expand Advanced Setting.

  4. Click DMARC Report Setting.

  5. Configure the following:

    GUI item

    Description

    Report Generation

    Status

    Select whether or not to send DMARC reports, and which settings to use:

    • Enable — Collect DMARC check data. Each day, for each sender domain that matched a policy where DMARC checks are enabled, send a report to that domain's authorized DMARC report recipient.

      Also configure From address local part.

      Note: If a sender does not have a valid DMARC RUA/RUF configured in the domain's DNS TXT record, then even if you enable DMARC reports, FortiMail cannot send them to that domain because there is no report recipient email address.

      Tip: If you have the DMARC report analysis feature license, then you can instead use charts with statistics about DMARC reports. You can also generate DMARC reports on demand, and send them to other recipients. See Viewing DMARC report statistics, and the Status setting for analysis.

    • Disable — Do not collect DMARC check data. Do not generate a report.

    • Monitor Only — Collect DMARC check data, but do not generate a report.

    • Use System Setting — Use the system-wide setting.

    From address local part

    Enter the local part (username) that the FortiMail unit will use as its sender email address (From:) when it sends DMARC report email.

    Default is noreply. Change it if, for example, an administrator wants replies about DMARC reports.

    Also configure Status for report generation.

    Report Analysis

    Status

    Select whether or not to include data from this protected domain in charts with current DMARC statistics that FortiMail administrators can use when they log in (see Viewing DMARC report statistics), either:

    • Enable — Include data from this protected domain.

    • Disable — Do not include data from this protected domain.

    • Use System Setting — Use the system-wide setting.
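The note above about report recipients can be made concrete. The following Python, an added example rather than FortiMail's implementation, reads a domain's DMARC record from a constructed stub of DNS data, extracts the rua= addresses, and applies the external destination verification check from RFC 7489 section 7.1 before treating an address as an authorized report recipient. The domain names and records in STUB_TXT are made up for the example.

```python
"""Decide where a DMARC aggregate report may be sent (added example; not FortiMail code)."""
import re

# Constructed stub DNS data; a real report generator queries these names over DNS.
STUB_TXT = {
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
    "_dmarc.sender.example": [
        "v=DMARC1; p=quarantine; ",
        "rua=mailto:agg@reports.thirdparty.example!10m, mailto:agg@unauthorized.example",
    ],
    # External destination verification record: the third party consents to
    # receive reports about sender.example. unauthorized.example has none.
    "sender.example._report._dmarc.reports.thirdparty.example": ["v=DMARC1"],
    "_dmarc.norua.example": ["v=DMARC1; p=none"],
}

SIZE_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}


def lookup_txt(name):
    """Return the concatenated TXT strings for a name, or None when it does not exist."""
    strings = STUB_TXT.get(name.lower())
    return "".join(strings) if strings is not None else None


def parse_tags(rdata):
    """Split 'tag=value; tag=value' into a dict (tag names are case-insensitive)."""
    tags = {}
    for field in rdata.split(";"):
        name, sep, value = field.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def parse_mailto(uri):
    """'mailto:addr!10m' -> (addr, max_report_size_bytes or None); other schemes -> None."""
    m = re.fullmatch(r"mailto:([^!\s]+)(?:!(\d+)([kmgt])?)?", uri.strip(), re.IGNORECASE)
    if not m:
        return None
    addr, size, unit = m.groups()
    limit = None
    if size:
        limit = int(size) * (SIZE_UNITS[unit.lower()] if unit else 1)
    return addr, limit


def authorized_report_recipients(policy_domain, lookup=lookup_txt):
    """(address, size limit) pairs a generator may send reports for policy_domain to.

    Returns [] when the domain has no DMARC record or no rua= tag, which is the
    case the note above describes: nothing can be sent because there is no recipient.
    """
    rdata = lookup(f"_dmarc.{policy_domain}")
    if rdata is None:
        return []
    tags = parse_tags(rdata)
    if tags.get("v", "").upper() != "DMARC1" or "rua" not in tags:
        return []
    recipients = []
    for uri in tags["rua"].split(","):
        parsed = parse_mailto(uri)
        if parsed is None:
            continue
        addr, limit = parsed
        mailbox_domain = addr.rpartition("@")[2].lower()
        if mailbox_domain != policy_domain.lower():
            # Report would go to another domain: that domain must publish
            # <policy_domain>._report._dmarc.<mailbox_domain> with v=DMARC1.
            auth = lookup(f"{policy_domain}._report._dmarc.{mailbox_domain}")
            if auth is None or parse_tags(auth).get("v", "").upper() != "DMARC1":
                continue
        recipients.append((addr, limit))
    return recipients
```

The `!10m` suffix is the report size cap the receiver declares; a generator that ignores it sends reports that the receiver may discard, so it is returned alongside the address.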

Disclaimer

You can configure disclaimer messages that are system-wide (see Configuring global disclaimers), or specific to each protected domain.

A disclaimer message is text that is generally attached to email to warn the recipient that the email contents may be confidential. For disclaimers added to outgoing messages, you must configure an IP-based policy or an outgoing recipient-based policy.

Disclaimer messages can be appended for either or both incoming or outgoing email messages.

To configure per-domain disclaimer messages

  1. Go to System > Mail Setting > Disclaimer.
  2. Enable Allow per-domain settings.
  3. If FortiMail is operating in transparent mode, also enable clients to send email using their specified SMTP server. For more information, see Use client-specified SMTP server to send email.
  4. Go to Domain & User > Domain > Domain.

  5. Either click New to create a protected domain or double-click a domain to modify it.

  6. Expand the Advanced Setting section.

  7. Click Disclaimer.

    A new dialog appears.

  8. Configure the following:

    GUI item

    Description

    Setting

    Select which type of disclaimer message to append.

    • Disable: Do not append disclaimer messages.
    • Use system setting: Append the system-wide disclaimer message.
    • Use domain setting: Append the disclaimer messages configured specifically for this protected domain. For information about how to configure disclaimer messages, see Configuring global disclaimers.

    This option is available only if you have enabled per-domain disclaimer messages. See Configuring global disclaimers.

Sender Address Rate Control

For each protected domain, you can limit how much email each user may send within a 30 minute interval.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a protected domain or double-click a domain to modify it.

  3. Expand the Advanced Setting section.

  4. Click Sender Address Rate Control.

    A new dialog appears.

  5. Configure the following:

    GUI item

    Description

    Status

    Enable or disable the following rate limits.

    Action

    Select which action to apply when a user exceeds any of the following rate limits. For details about actions, see Action.

    Exempt List

    Click to define which SMTP clients are exceptions, and the rate limits in this protected domain do not apply to them.

    Maximum number of messages per half hour

    Enter the maximum number of emails per user in each 30 minute time interval.

    Maximum number of recipients per half hour

    Enter the maximum number of unique email recipient addresses per user in each 30 minute time interval.

    Maximum data size per half hour (MB)

    Enter the maximum size, in megabytes (MB), per user in each 30 minute time interval.

    Maximum number of spam messages per half hour

    Enter the maximum number of spam email messages per user in each 30 minute time interval. If a sender's email is frequently detected as spam, it is likely that they are sending unwanted email intentionally rather than by accident.

    Send notification upon rate control violation

    If the user directly connects to FortiMail to send email, then Action will indicate to the user that their email was not accepted. Otherwise (or if you want to provide a detailed explanation), configure this option to send an explanation email to the user. See Configuring notification profiles.
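An added example of how the four half-hour counters and the exempt list interact. It is illustrative Python, not FortiMail's implementation; the window alignment, the point at which a message counts as a violation, and the exempt list holding client IP addresses are assumptions stated in the code.

```python
"""Per-sender half-hour rate limits (added example; not FortiMail code).

Assumptions not stated on the page: counters use fixed 30-minute windows aligned
to the clock, the message that pushes any counter past its limit is the one that
violates, and the exempt list holds client IP addresses that bypass every counter.
"""

WINDOW_SECONDS = 30 * 60


class SenderRateControl:
    def __init__(self, max_messages=None, max_recipients=None, max_data_mb=None,
                 max_spam=None, exempt_clients=(), action="reject"):
        self.limits = {
            "messages": max_messages,
            "recipients": max_recipients,
            "data_bytes": None if max_data_mb is None else max_data_mb * 1024 * 1024,
            "spam": max_spam,
        }
        self.exempt = set(exempt_clients)
        self.action = action
        self.windows = {}  # sender -> (window_start, counters)

    def _counters(self, sender, now):
        """Counters for the sender's current half hour; a new window starts from zero."""
        window_start = now - (now % WINDOW_SECONDS)
        start, counters = self.windows.get(sender, (None, None))
        if start != window_start:
            counters = {"messages": 0, "recipients": set(), "data_bytes": 0, "spam": 0}
            self.windows[sender] = (window_start, counters)
        return counters

    def submit(self, sender, client_ip, recipients, size_bytes, is_spam, now):
        """Account one message; return ("accept", None) or (action, violated_limit)."""
        if client_ip in self.exempt:
            return "accept", None
        c = self._counters(sender.lower(), now)
        c["messages"] += 1
        c["recipients"].update(r.lower() for r in recipients)  # unique addresses only
        c["data_bytes"] += size_bytes
        c["spam"] += 1 if is_spam else 0
        current = {"messages": c["messages"], "recipients": len(c["recipients"]),
                   "data_bytes": c["data_bytes"], "spam": c["spam"]}
        for name, limit in self.limits.items():
            if limit is not None and current[name] > limit:
                return self.action, name
        return "accept", None
```

The recipient counter is a set, so re-sending to the same addresses does not consume the limit; the spam counter is what catches a compromised account that stays under the message count while sending junk.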

See also

Use client-specified SMTP server to send email

Configuring global disclaimers

Incoming versus outgoing email

Configuring protected domains

Other

This section contains miscellaneous settings for the protected domain.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the Advanced Setting section.

  4. Click Other.

    A new dialog appears.

  5. Configure the following:

    GUI item

    Description

    Webmail theme

    Either use the system setting or choose a color to override the system setting.

    Webmail language

    Select either to use the default system language or a different language that the FortiMail unit will use to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same language as the GUI. For more information, see Customizing the GUI appearance.

    Disk quota (GB)

    Enter the disk quota in gigabytes (GB). If the maximum disk quota of this domain is exceeded, users of this domain will no longer receive any new email.

    If the disk quota reaches 90% threshold, a warning email is sent to the domain customer email.

    If the resource profile disk quota is set to 0, the domain quota is enforced. If the resource profile quota is higher than the domain quota, the domain quota applies; if it is lower, the resource profile quota applies. In effect, the lower non-zero quota takes effect.

    Note: This option is only available in server mode.

    Webmail single sign on

    For webmail SSO, enable the service and select an SSO profile from the dropdown menu.

    For more information, see Configuring single sign-on (SSO).

    Maximum message size (KB)

    Enter the limit in kilobytes (KB) of the message size. Email messages over the threshold size are rejected.

    Note: If the same email message is sent to recipients in multiple protected domains whose maximum message size limits differ, the smallest limit takes effect, and an email over that limit is not delivered to any of the recipients. In this case, you can use the maximum message size setting in the content profile instead (under Profile > Content > Content). However, the reject action there can only be applied per SMTP session: it cannot reject the message for some recipients of one session and accept it for the others.

    Note: When you configure session profile settings under Profile > Session > Session, you can also set the message size limit. Here is how the two settings work together:

    • For outgoing email, only the size limit in the session profile will be matched. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be used.
    • For incoming email, the size limits in both the session profile and domain settings will be checked. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be compared with the size limit in the domain settings. The smaller size will be used.

    SMTP greeting
    (EHLO/HELO) Name (As Client)

    Select how the FortiMail unit will identify itself during the HELO or EHLO greeting when delivering mail to the protected SMTP server as a client.

    • Use this domain name: The FortiMail unit will identify itself using the domain name for this protected domain.
      If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.
    • Use system host name: The FortiMail unit will identify itself using its own host name. This is the default setting.
    • Use other name: Specify a greeting name if you want to use a customized host name. For example, if you choose to use an IP group for this domain, you can specify a greeting name for this IP pool to use.

    This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.

    IP pool

    You can use a pool of IP addresses as the source IP address when sending email from this domain, or as the destination IP address when receiving email destined to this domain, or as both the source and destination IP addresses.

    • If you want to use the IP pool as the source IP address for this protected domain, according to the sender’s email address in the envelope (MAIL FROM:), select the IP pool to use and select Delivering as the Direction.
    • If you want to use the IP pool as the destination IP address (virtual host) for this protected domain, according to the recipient’s email address in the envelope (RCPT TO:), select the IP pool to use and select Receiving as the Direction. You must also configure the MX record to direct email to the IP pool addresses as well.
      This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different host and logging for each host can be separated as well.
    • If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select Both as the Direction.

    Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

    If the FortiMail unit is operating in transparent mode, and you have enabled Hide the transparent box or Use client-specified SMTP server to send email, you cannot use IP pools.

    For more information on IP pools, see Configuring IP pools.

    Remove received header of outgoing email

    Enable to remove the Received: message headers from email whose:

    • sender email address belongs to this protected domain
    • recipient email address is outgoing (that is, does not belong to this protected domain); if there are multiple recipients, only the first recipient’s email address is used to determine whether an email is outgoing

    Alternatively, you can remove this header from any matching email using session profiles. See Received:.
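The first-recipient rule above is easy to get wrong, so the following Python (an added example using only the standard library, not FortiMail code) applies the rule exactly as the option describes it and shows the case where a later external recipient does not make the message outgoing. The sample message is constructed for the example.

```python
"""Strip Received: headers from outgoing mail as the option above describes
(added example; not FortiMail code)."""
from email import message_from_bytes, policy


def address_domain(addr):
    """Domain part of an envelope address, tolerating angle brackets and case."""
    return addr.rpartition("@")[2].strip("<> ").lower()


def is_outgoing(envelope_from, envelope_rcpts, protected_domain):
    """Sender in the protected domain and the FIRST recipient outside it.

    Only the first recipient decides, as the option states, so a message whose
    first recipient is internal keeps its Received: headers even when later
    recipients are external.
    """
    protected_domain = protected_domain.lower()
    if not envelope_rcpts or address_domain(envelope_from) != protected_domain:
        return False
    return address_domain(envelope_rcpts[0]) != protected_domain


def strip_received_headers(raw, envelope_from, envelope_rcpts, protected_domain):
    """Return (message bytes, number of Received: headers removed)."""
    msg = message_from_bytes(raw, policy=policy.SMTP)  # SMTP policy keeps CRLF line endings
    if not is_outgoing(envelope_from, envelope_rcpts, protected_domain):
        return raw, 0
    removed = len(msg.get_all("Received", []))
    del msg["Received"]  # deletes every Received: header, not only the first
    return msg.as_bytes(), removed


# Constructed sample message: two internal hops that reveal host names and addresses.
SAMPLE = (
    b"Received: from mail-int.example.com (10.10.10.10) by relay.example.com;"
    b" Mon, 1 Jan 2024 10:00:00 +0000\r\n"
    b"Received: from workstation42.corp.example.com (10.10.20.42) by mail-int.example.com;"
    b" Mon, 1 Jan 2024 09:59:58 +0000\r\n"
    b"From: user.one@example.com\r\n"
    b"To: partner@other.example\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"hello\r\n"
)
```

If you rely on this option to hide internal topology, order the recipients so that an external address is first, or use the session profile setting instead, which matches on the session rather than on the first recipient.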

    Use global Bayesian database

    Enable to use the global Bayesian database instead of the Bayesian database for this protected domain.

    If you do not need the Bayesian database to be specific to the protected domain, you may want to use the global Bayesian database instead in order to simplify database maintenance and training.

    Disable to use the per-domain Bayesian database.

    Note: Train the global or per-domain Bayesian database before using it. If you do not train it first, Bayesian scan results may be unreliable. For more information on Bayesian database types and how to train them, see Types of Bayesian databases and Training the Bayesian databases.

    Bypass bounce verification

    Mark this check box to disable bounce verification for this protected domain.

    This option appears only if bounce verification is enabled. For more information, see Configuring bounce verification and tagging.

Service Settings section

If you are a managed security service provider (MSSP) that hosts multiple domains for multiple customers, the super admin may want to limit each protected domain's usage of FortiMail resources for billing purposes. Domain administrators are not allowed to modify these settings.

These features are available only if FortiMail is operating in server mode.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

  3. Expand the Advanced Setting section.

  4. Click Other.

    A new dialog appears.

  5. Expand the Service Setting section.

  6. Configure the following:

    GUI item

    Description

    Enable domain level service settings

    Select to enable the domain-level server controls.

    Email account limit

    Specify the maximum number of email accounts allowed on this domain.

    Max user quota (MB)

    Specify the maximum disk quota for each user.

    Mail access

    Specify the allowed mail access protocol for the users: POP3, IMAP, or Webmail.

    Webmail service type

    For webmail access, if you select Limited Service, the users will be only able to change their passwords and configure mail forwarding. All other features will not be available.

Customer Information section

In each protected domain, you can make notes about the associated customer account.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the Customer Information section.

  4. Configure the following:

    GUI item

    Description

    Name Enter the customer name.
    Email Enter the customer email address.
    Account limit Enter the user account limit.
    Description Optional. Enter a description or comment.

Mail Migration Settings section

If FortiMail is operating in server mode, and you enable the mail migration feature, this section will appear. For details, see Migrating email from other mail servers (server mode only).


Usually, you have already configured at least one protected domain during installation of your FortiMail unit; however, some configurations may not require any protected domains. You can add more domains or modify the settings of existing ones if necessary.

Note

If you have many mail domains that will use identical settings, instead of creating many protected domains, you may want to create one protected domain, and then configure the others as associated domains. For details, see Domain Association.

If the FortiMail unit is operating in gateway mode, you must change the MX entries for the DNS records for your email domain, referring email to the FortiMail unit rather than to your email servers. If you create additional protected domains, you must modify the MX records for each additional email domain. Similarly, MX records must also refer to the FortiMail unit if it is operating in server mode.

Before you begin, if the protected domain will use an IP pool profile, first configure the IP pool profile. For details, see Configuring IP pools.

To configure a protected domain

  1. Go to Domain & User > Domain > Domain.

    The tab varies with the operation mode.

    GUI item

    Description

    Delete

    (button)

    Click Delete to remove the protected domain.

    Caution: This also deletes all associated email user accounts and preferences.

    Domain FQDN

    Displays the fully qualified domain name (FQDN) of the protected domain.

    If the protected domain is a subdomain or domain association, click the + next to a domain entry to expand the list of subdomains and domain associations. To collapse the entry, click the -.

    Relay Type

    (transparent and gateway mode only)

    Indicates how the SMTP server will receive email from the FortiMail unit for the protected domain:

    • Host
    • MX Record (this domain)
    • MX Record (alternative domain)
    • IP Group
    • LDAP Domain Mail Host

    SMTP server

    (transparent and gateway mode only)

    Displays the host name or IP address and port number of the mail exchanger (MX) for this protected domain.

    If Relay type is MX Record (this domain) or MX Record (alternative domain), this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty.

    Recipient Verification (transparent and gateway mode only)

    Displays the SMTP server or LDAP server used for recipient address verification if it is enabled.

    Sub

    (transparent and gateway mode only)

    The number indicates how many subdomains this domain has.

    Association

    (transparent and gateway mode only)

    The number indicates how many domain associations this domain has. For more information on domain associations, see Domain Association.

    MTA Status

    (transparent and gateway mode only)

    Displays the recipient SMTP server status.

    Disk Usage (%)

    (transparent and gateway mode only)

    Displays the disk space used by quarantine reports in kilobytes (KB).

  2. Either click New to create a new protected domain, or click a row to modify it.

    A dialog appears. Its options vary with the operation mode.

  3. Configure the settings that apply to the operation mode and your choice for relay type:

    GUI item

    Description

    Domain name

    Enter the fully qualified domain name (FQDN) of the protected domain.

    For example, if you want to protect email addresses such as user1@example.com, you would enter the protected domain name example.com.

    Generally, your protected domain will use a valid, globally-resolvable top-level domain (TLD) such as .com. Exceptions could include testing scenarios, where you have created a .lab mail domain on your private network to prevent accidental conflicts with live mail systems legitimately using their globally-resolvable FQDN.

    Is subdomain

    Mark this check box to indicate the protected domain you are creating is a subdomain of an existing protected domain, then also configure Main domain.

    Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will appear as grouped under the parent protected domain when viewing the list of protected domains.

    This option is available only when another protected domain exists to select as the parent domain.

    Main domain

    Select the protected domain that is the parent of this subdomain. For example, lab.example.com might be a subdomain of example.com.

    This option is available only when Is subdomain is enabled.

    Relay type

    (transparent and gateway mode only)

    Select from one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain:

    • Host: Configure the connection to one protected SMTP server or, if any, one fallback. Also configure SMTP server and Fallback SMTP server.
    • MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
    • MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also configure Alternative domain name.
    • IP Group: Configure the connection to rotate among one or many protected SMTP servers for load balancing. Also configure IP group.
    • LDAP Domain Mail Host: Query the LDAP server for the FQDN or IP address of the SMTP server. Also configure LDAP profile (see Configuring LDAP profiles).

    Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit.

    • In gateway mode, a private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server, configure the protected SMTP server’s A record with its private IP address, while on the public DNS server, configure the FortiMail unit’s A record with its public IP address.
    • In transparent mode, a private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server’s A record with its private IP address. On the public DNS server, configure the protected SMTP server’s A record with its public IP address. Do not modify the MX record.
    • For performance reasons, DNS lookups are skipped in gateway and server mode unless the sending domain is blank.

    SMTP server

    (transparent and gateway mode only)

    Enter the fully qualified domain name (FQDN) or IP address of the primary SMTP server for this protected domain, then also configure Port and Use SMTPS.

    If you have an internal mail relay that is located on a physically separate server from your internal mail server, this could be your internal mail relay, instead of your internal mail server. Consider your network topology, directionality of the mail flow, and the operation mode of the FortiMail unit. For more information, see Inbound versus outbound email and Avoiding scanning email multiple times.

    This field appears only if Relay type is Host.

    Fallback SMTP server

    (transparent and gateway mode only)

    Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain, then also configure Port and Use SMTPS.

    This SMTP server will be used if the primary SMTP server is unreachable.

    This field appears only if Relay type is Host.

    IP group

    (transparent and gateway mode only)

    Select the name of the IP group that is the range of IP addresses. Also configure Port and Use SMTPS.

    This field appears only if Relay type is IP Group.

    LDAP profile

    (transparent mode and gateway mode only)

    Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query. Also configure Port and Use SMTPS.

    This field appears only if Relay type is LDAP Domain Mail Host.

    Port

    Enter the port number on which the SMTP server listens.

    If you enable Use SMTPS, Port automatically changes to the default port number for SMTPS, but can still be customized.

    This field appears only if Relay type is Host, IP Group or LDAP Domain Mail Host.

    See also Appendix C: Port Numbers.

    Alternative domain name

    (transparent and gateway mode only)

    Enter the domain name to use when querying the DNS server for MX records.

    This option appears only if Relay type is MX Record (alternative domain name).

    LDAP User Profile

    (server mode only)

    Select the name of an LDAP profile (see Configuring LDAP profiles) that you have configured to authenticate email users and to expand alias email addresses, or to replace one email address with another, by using an LDAP query to retrieve alias members.

    Use SMTPS

    Enable to use SMTPS for connections originating from or destined for this protected server.

    This field appears only if Relay type is Host, IP Group or LDAP Domain Mail Host.

    Relay Authentication

    To test relay authentication, enable it and enter an email user name and password pair that exists on the mail server. Also specify the authentication type.

    Test

    (button)

    After you have entered the relay server information, you can click the Test button to test if the relay server is accessible.

    To further test mail delivery, click Advanced Group, and enter the SMTP HELO/EHLO, sender (MAIL FROM:), and recipient (RCPT TO:) information.

    Click Test. The test results will be displayed.

    Note: STARTTLS is not supported for relay host testing.

To configure domain groups

  1. Purchase the feature license and enable the feature. See Domain group support.

  2. Go to Domain & User > Domain > Domain Group.

  3. Click New, or select a row and click Edit to edit an existing group.

  4. Enter a Group Name.

  5. Click the domains that you want to add to the domain group from the Available text area, and click the right-arrow to bring them to the Members text area.

  6. Click Create.

  7. Configure the following sections:

Configuring recipient address verification

This section does not apply to server mode.

Select a method of confirming that the recipient email address in the message envelope (RCPT TO:) corresponds to an email user account that actually exists on the protected email server. If the recipient address is invalid, the FortiMail unit will reject the email. This prevents quarantine email messages for non-existent accounts, thereby conserving quarantine hard disk space.

Note

This feature can impact performance, which may be noticeable during peak traffic times. For a smaller performance impact, you can instead periodically and automatically remove quarantined email messages for invalid email user accounts, rather than actively rejecting them during each SMTP session.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A dialog appears. Its options vary with the operation mode.

  3. Expand the Recipient Address Verification section.

  4. Configure the following:

    GUI item

    Description

    Disable

    Do not verify that the recipient address is an email user account that actually exists.

    SMTP Server

    Query the SMTP server using either the SMTP VRFY command or RCPT command to verify that the recipient address is an email user account that actually exists. RCPT is the default command.
    If you want to query an SMTP server other than the one you have defined as the protected SMTP server, also enable Use alternative server, then enter the IP address or FQDN of the server in the field next to it. Also configure Port with the port number on which the SMTP server listens, and enable Use SMTPS if you want to use SMTPS for recipient address verification connections with the server. See also Appendix C: Port Numbers.

    In case you want to use different sender email addresses in the SMTP envelope (MAIL FROM:) for different domains, set Mail from address to Use domain setting and specify the address to use. If you select Use system setting (the default setting), FortiMail will use an empty sender email address unless you specify a global one with the following CLI commands:

    config mailsetting smtp-rcpt-verification

    set mail-from-addr <sender_email>

    end

    Note: Microsoft 365 does not accept an empty MAIL FROM for SMTP recipient verification. You must specify an envelope from address if FortiMail is protecting Microsoft 365 domains.

    Additionally, set Action on invalid recipient to either reject any unknown users, or discard unknown users (initially accept and silently discard).

    LDAP Server

    Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server. For more information on configuring LDAP profiles, see Configuring LDAP profiles.

    Additionally, set Action on invalid recipient to either reject any unknown users, or discard unknown users (initially accept and silently discard).

    Imported User

    Query an LDAP or Microsoft 365 server to verify that the imported users actually exist. For more information, see Managing imported users.

    Additionally, set Action on invalid recipient to either reject any unknown users, or discard unknown users (initially accept and silently discard).
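The RCPT-based check described above, written out as an added example that is not FortiMail code: a verifier runs EHLO, MAIL FROM, RCPT TO and RSET against a scripted stand-in for the protected server (constructed here; the host names, addresses and the gateway_decision mapping are this example's assumptions), and shows why a server that refuses an empty MAIL FROM needs a configured sender address.

```python
import re

# Outcomes of one recipient check, mirroring the reply-code classes of RFC 5321.
VALID, INVALID, TEMPFAIL = "valid", "invalid", "tempfail"


class FakeSMTPServer:
    """Scripted stand-in for the protected SMTP server (constructed for this example).

    It knows a fixed set of mailboxes, can refuse an empty MAIL FROM (as the
    guide notes Microsoft 365 does) and can simulate a temporary RCPT failure.
    Anything with a cmd(line) -> (code, text) method can take its place.
    """

    def __init__(self, mailboxes, reject_empty_mail_from=False, tempfail=False):
        self.mailboxes = {m.lower() for m in mailboxes}
        self.reject_empty_mail_from = reject_empty_mail_from
        self.tempfail = tempfail
        self.log = []                      # every command line the probe sent

    def cmd(self, line):
        self.log.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return 250, "mail.example.com Hello"
        if verb == "MAIL":
            if self.reject_empty_mail_from and arg.upper() == "FROM:<>":
                return 501, "Sender address rejected: empty"
            return 250, "Sender OK"
        if verb == "RCPT":
            if self.tempfail:
                return 451, "Temporary directory lookup failure"
            match = re.search(r"<([^>]*)>", arg)
            addr = match.group(1).lower() if match else ""
            if addr in self.mailboxes:
                return 250, "Recipient OK"
            return 550, "No such user here"
        if verb == "RSET":
            return 250, "Reset"
        if verb == "QUIT":
            return 221, "Bye"
        return 502, "Command not implemented"


def verify_recipient(server, recipient, helo_name="fortimail.example.com", mail_from=""):
    """Probe one RCPT TO: address the way the 'SMTP Server' verification method does.

    EHLO, MAIL FROM (empty unless a sender address is configured), RCPT TO,
    then RSET and QUIT so the probe never turns into a delivered message.
    2xx on RCPT means the mailbox exists, 5xx means it does not; any 4xx, or a
    refused MAIL FROM, says nothing about the recipient and is a TEMPFAIL.
    """
    code, _ = server.cmd(f"EHLO {helo_name}")
    if code // 100 != 2:
        return TEMPFAIL
    code, _ = server.cmd(f"MAIL FROM:<{mail_from}>")
    if code // 100 != 2:
        server.cmd("QUIT")
        return TEMPFAIL
    code, _ = server.cmd(f"RCPT TO:<{recipient}>")
    server.cmd("RSET")
    server.cmd("QUIT")
    if code // 100 == 2:
        return VALID
    if code // 100 == 5:
        return INVALID
    return TEMPFAIL


def gateway_decision(result, action_on_invalid="reject"):
    """Turn the probe result into what the gateway does with the incoming message.

    action_on_invalid is "reject" (refuse at RCPT time) or "discard" (accept and
    silently drop), the two 'Action on invalid recipient' choices. Deferring on
    TEMPFAIL is this example's choice: the sender retries instead of being told
    the user is unknown when the back-end lookup merely failed.
    """
    if result == VALID:
        return "accept"
    if result == TEMPFAIL:
        return "defer"
    if action_on_invalid not in ("reject", "discard"):
        raise ValueError("action_on_invalid must be 'reject' or 'discard'")
    return action_on_invalid


if __name__ == "__main__":
    server = FakeSMTPServer(["user.one@example.com"], reject_empty_mail_from=True)
    for sender in ("", "verify@example.com"):
        result = verify_recipient(server, "user.one@example.com", mail_from=sender)
        print(f"MAIL FROM:<{sender}> -> {result} -> {gateway_decision(result)}")
```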

Configuring transparent mode options

This section appears only when the FortiMail unit operates in transparent mode.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the transparent mode settings section.

  4. Configure the following:

    GUI item

    Description

    This server is on

    Select the network interface (a port) to which the protected SMTP server is connected.

    Note: Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface.

    Hide the transparent box

    Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in:

    • the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
    • the IP addresses in the IP header

    This masks the existence of the FortiMail unit to the protected SMTP server.

    Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.

    For example, an external SMTP client might have the IP address 172.168.1.1, and the FortiMail unit might have the domain name fortimail.example.com. If the option is enabled, the message headers would contain the following (the parts that differ are the EHLO name and the receiving host name):

    Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800

    Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT

    But if the option is disabled, the message headers would contain:

    Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800

    Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT

    Note: If the protected SMTP server applies rate limiting according to IP addresses, enabling this option can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail unit.

    Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, this option supersedes the Hide this box from the mail server option in the session profile, and may prevent it from applying to incoming email messages.

    Use this domain’s SMTP server to deliver the mail

    Enable to use the protected SMTP server, instead of the FortiMail built-in MTA, to deliver outgoing email messages from the SMTP clients whose sending MTA is the protected SMTP server.

    For example, if the protected domain example.com has the SMTP server 192.168.1.1, and an SMTP client for user1@example.com connects to it to send email to user2@external.example.net, enabling this option would cause the FortiMail unit to pass the mail message via its built-in MTA to the protected SMTP server, which will deliver the message.

    Disable to relay email using the built-in MTA to either the SMTP relay defined in Configuring SMTP relay hosts, if any, or directly to the MTA that is the mail exchanger (MX) for the recipient email address’s (RCPT TO:) domain. The email may not actually travel through the protected SMTP server, even though it was the relay originally specified by the SMTP client.

    This option does not affect incoming connections containing incoming email messages, which will always be handled by the built-in MTA. For details, see When FortiMail uses the proxies instead of the built-in MTA.

    Note: This option will be ignored for email that matches an antispam or content action profile.

Configuring removal of invalid quarantine accounts

This section does not apply to server mode.

Select a method by which to periodically remove quarantined spam for which an email user account does not actually exist on the protected email server.

If you select either SMTP or LDAP server, the FortiMail unit queries the server daily (at 4:00 AM unless configured for another time in the CLI; see the FortiMail CLI Reference) to verify the existence of email user accounts. If an email user account does not currently exist, the FortiMail unit removes all spam quarantined for that email user account.

In some instances, recipient verification is not feasible via SMTP or LDAP. Select Purge Inactive to remove any inactive accounts instead.

Note

If you have also enabled Recipient Address Verification (see Configuring recipient address verification), the FortiMail unit does not form quarantine accounts for email user accounts that do not exist on the protected email server. In that case, invalid quarantine accounts are never formed, and this option may not be necessary, except when you delete email user accounts on the protected email server. If this is the case, you can improve the performance of the FortiMail unit by disabling this option.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the Automatic Removal of Invalid Quarantine Accounts section.

  4. Configure the following:

    GUI item

    Description

    Disable

    Do not verify that the recipient address is an email user account that actually exists.

    SMTP Server

    Query the SMTP server to verify that the recipient address is an email user account that actually exists.

    LDAP Server

    Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server. For more information on configuring LDAP profiles, see Configuring LDAP profiles.

    Purge Inactive

    Checks how many days an email user account has been inactive. If the account has been inactive for more than the designated Retention period, the account is purged.

LDAP Option section

Use this section to configure the LDAP service usages.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multisection dialog appears. Its options vary with the operation mode.

  3. Expand the LDAP Option section.

  4. Configure the following:

    GUI item

    Description

    User alias / address mapping profile

    (transparent and gateway mode only)

    Select the name of an LDAP profile in which you have enabled and configured alias and address mapping queries, enabling you to expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members and/or address mappings.

    To use this option, make sure that the email aliases and/or address mappings exist on the LDAP server. If the alias cannot be retrieved or the LDAP server is not accessible, the email is temporarily failed (451 error).

    For more information, see Configuring LDAP profiles.

    Mail routing LDAP profile

    Enable to perform mail routing, then click the arrow to expand the options and select the name of an LDAP profile in which you have enabled and configured mail routing. For more information, see Configuring LDAP profiles.

    Scan override profile

    Enable to query an LDAP server for an email user’s preferences to enable or disable antispam, antivirus, and/or content processing for email messages destined for them, then select the name of an LDAP profile in which you have enabled and configured the scan override options. For more information, see Configuring LDAP profiles.

Advanced Setting section

Go to Domain & User > Domain > Domain and expand the Advanced Setting section to configure the following domain settings:

Quarantine Report Setting

The Quarantine Report Setting section that appears when configuring a protected domain lets you configure quarantine report settings. You can choose either to use the system-wide quarantine report settings or to configure domain-wide settings.

For information on system-wide quarantine report settings and quarantine reports in general, see Configuring global quarantine report settings and Customizing GUI, custom messages, email templates, and Security Fabric.

To configure per-domain quarantine report settings

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a protected domain or double-click a domain to modify it.

  3. Expand the Advanced Setting section.

  4. Click Quarantine Report Setting.

    A new dialog appears.

  5. Configure the following:

    GUI item

    Description

    Report destination

    Original recipient

    Enable to send the quarantine report to all recipients. For more information, see Managing the personal quarantines.

    Other recipient

    Select to send the quarantine report to a recipient other than the individual recipients or group owner. For example, you might delegate quarantine reports by sending them to an administrator whose email address is not locally deliverable to the protected domain, such as admin@lab.example.com.

    LDAP group owner based on LDAP profile

    Enable to send the quarantine report to a group owner, rather than individual recipients, then select the name of an LDAP profile in which you have enabled and configured the group query options (see Configuring group query options).

    Also configure the following two options for more granular control:

    • Only when original recipient is group
    • When group owner is found, do not send to original recipient

    Report schedule

    Click the arrow to expand the options.

    Schedule

    Select the schedule to use when sending quarantine reports.

    These Hours

    Select which hours to send the quarantine report for this protected domain.

    This option is available only when Schedule is Use domain settings.

    These Days

    Select which days to send the quarantine report for this protected domain.

    This option is available only when Schedule is Use domain settings.

    Report template

    Select an email template to use.

    If you choose to use the system settings, you can view the template but cannot edit it from this page. You can edit the system-wide template by going to System > Customization > Custom Email Template.

    If you choose to use the domain settings, you can click Edit to modify the template.

    Replacement messages often include variables, such as the MIME type of the file that was overwritten by the replacement message.

    Note

    Typically, you will customize text, but should not remove variables from the replacement message. Removing variables may result in an error message and reduced functionality. For example, removing %%SPAM_DELETE_URL%% would make users incapable of using the quarantine report to delete email individually from their personal quarantines.

  6. Click Create or OK.

Domain Association

When configuring a protected domain, you can configure associated domains. An associated domain uses the settings of the protected domain or subdomain with which it is associated.

Domain associations can be useful for saving time when you have multiple domains, and you would otherwise need to configure multiple protected domains with identical settings.

For example, if you have one SMTP server handling email for ten domains, you could:

  • Create ten separate protected domains and configure each with identical settings.
  • Create one protected domain and list the nine other domains as domain associations.

The advantage of using the second method is that you do not have to repeatedly configure the same things when creating or modifying the protected domains. This saves time and reduces chances for error. Changes to one protected domain automatically apply to all of its associated domains.

The maximum number of domain associations that you can create is separate from the maximum number of protected domains.

Domain associations do not appear if FortiMail is operating in server mode.

To configure domain associations

  1. Go to Domain & User > Domain > Domain.

  2. Click New to create a protected domain or double-click a domain to modify it.

  3. Under Advanced Setting, click Domain Association.

  4. If the relay type of this protected domain uses MX record (this domain) or MX record (alternative domain), for the MX record lookup option of the domain associations, you can choose to use the domain association’s (self) MX record, or this protected domain’s (parent) MX record.

    To create a domain association, click New and enter the fully qualified domain name (FQDN) of a mail domain that will use the same settings as this protected domain. You can use a wildcard, such as *.example.com.

  5. Click Create.

    The name of the associated domain appears in the Members area.

  6. Repeat the previous steps for all domains that you want to associate with this protected domain.

  7. Click Create or OK.

DKIM and ARC Setting

The FortiMail unit will sign outgoing email messages using the domain key for this protected domain if you have selected it when configuring sender validation in the session profile. For more information, see Configuring session profiles.

FortiMail also supports Authenticated Received Chain (ARC) validation and sealing.

DKIM signing requires a public-private key pair. The private key is kept on and used by the FortiMail unit to generate the DKIM signatures for the email messages; the public key is stored on the DNS server in the DNS record for the domain name, and used by receiving parties to verify the signature.

You can generate the key pair by creating a domain key selector; you can also manually import an existing key pair in PEM format.

After you generate or import the key pair, you can export the DNS record that contains the public key. The following is a sample of the exported DNS record:

example_com._domainkey IN TXT "t=y; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPuR5xC+yDvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHHPFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"

This DNS record can be generated either in multiple string or single string format.

Then you can publish the public key by adding it to the DNS zone file as a text record for the domain name on the DNS server. The recipient SMTP server, if enabled to use DKIM verification, will use the public key to decrypt the signature and compare the hash values of the email message in order to verify that the hash values match.

FortiMail performs DKIM signing for an associated domain with its parent domain DKIM key. You must publish the DKIM public key for the associated domain in order for the receiving MTA to validate the DKIM signature.

To configure DKIM and ARC settings

  1. Go to Domain & User > Domain > Domain.

  2. Double-click to modify an existing protected domain.

    Note

    You can only configure the DKIM and ARC setting for existing domains.

  3. Click to expand Advanced Setting.

  4. Click DKIM and ARC Setting.

  5. Configure both the DKIM signing option and ARC sealing option:

    • Disable: Disable DKIM signing/ARC sealing.
    • Incoming: Perform DKIM signing/ARC sealing for email sent from one protected domain to the same domain.
    • Outgoing: Perform DKIM signing/ARC sealing for email sent from one protected domain to other domains, including other protected domains and all external domains.
    • All: Perform DKIM signing/ARC sealing for both the incoming and outgoing email.
  6. Under Key Selectors, click New to configure the key pair required for DKIM signing.

  7. If you want to generate a key pair, enter a new selector to use for the DKIM key, such as example_com2, then select Auto Generation and click OK.

  8. If you want to import an existing key pair, enter a selector name, then select Manual Import, and upload the public key and private key. Optionally enter a password for the private key. Note that the key files must be in PEM format.

  9. Click Create.

    The selector name for the key pair appears in the list of domain key selectors. The key pair is generated, and the public key can be exported for publication on a DNS server.

    Note

    When a new key is created or imported, it is not active by default. This allows you to publish the public key on the DNS server before you activate the key. Also note that only one key pair can be active at a time.

  10. Click to select the domain key, then click Download.

    Optionally, specify whether you want to download the domain key in either multi-string or single-string format.

    Your web browser downloads a plain text (.dkim) file containing the exported DNS record.

  11. Publish the public key by inserting the exported DNS record into the DNS zone file of the DNS server that resolves this domain name. For details, see the documentation for your DNS server.

  12. Activate the key by selecting the key and then clicking Activate.
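An added example (not FortiMail's own code) covering both the exported record shown earlier and the single-string versus multi-string download in step 10: it renders the TXT rdata either way, joins the strings back, parses the tag list and reads the RSA modulus size out of the p= payload, using the guide's sample record as input. The function names, the 255-character split and the warnings are this example's own.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1
TXT_MAX = 255                                    # longest single string in a TXT record

# The exported record shown in the guide (a 1024-bit key), used here as sample input.
SAMPLE_RECORD = (
    'example_com._domainkey IN TXT "t=y; k=rsa; p='
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPuR5xC+yDvGbfndyHZuVQdSH"
    "hwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHHPFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+N"
    'tfS6LF29Te+6vSS+D3asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"'
)


def format_txt_rdata(value, multi_string=False):
    """Render TXT rdata as one quoted string, or split into 255-character strings
    (multi-string format) for keys too long to fit in a single string."""
    if not multi_string:
        return f'"{value}"'
    chunks = [value[i:i + TXT_MAX] for i in range(0, len(value), TXT_MAX)]
    return " ".join(f'"{c}"' for c in chunks)


def build_zone_line(owner_name, rdata):
    return f"{owner_name} IN TXT {rdata}"


def parse_zone_line(line):
    """Split 'name IN TXT "..." "..."' into the owner name and the joined value.
    Consecutive strings are concatenated without separators (RFC 6376, 3.6.2.2)."""
    name, rest = line.split(None, 1)
    if not re.match(r"IN\s+TXT\s", rest, re.I):
        raise ValueError("not a TXT record")
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', rest)
    if not strings:
        raise ValueError("no quoted strings in rdata")
    return name, "".join(strings)


def parse_tags(value):
    """Parse the ';'-separated tag=value list; whitespace inside values is ignored."""
    tags = {}
    for field in value.split(";"):
        if field.strip():
            key, _, val = field.partition("=")
            tags[key.strip()] = "".join(val.split())
    return tags


def _der(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_key_bits(spki):
    """Walk a SubjectPublicKeyInfo (the decoded p= payload) down to the RSA modulus."""
    tag, pos, _ = _der(spki, 0)                        # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, alg_end = _der(spki, pos)                  # AlgorithmIdentifier
    tag, oid, oid_end = _der(spki, alg)
    if tag != 0x06 or spki[oid:oid_end] != RSA_OID:
        raise ValueError("public key is not rsaEncryption")
    tag, bits, _ = _der(spki, alg_end)                 # BIT STRING, leading unused-bits byte
    if tag != 0x03 or spki[bits] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa, _ = _der(spki, bits + 1)                   # RSAPublicKey SEQUENCE
    tag, n, n_end = _der(spki, rsa)                    # INTEGER modulus
    if tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(spki[n:n_end], "big").bit_length()


def inspect_dkim_record(line):
    """Parse an exported DKIM record and report what a verifying MTA will see."""
    name, value = parse_zone_line(line)
    tags = parse_tags(value)
    warnings = []
    if "._domainkey" not in name:
        warnings.append("owner name is not <selector>._domainkey")
    if tags.get("v", "DKIM1") != "DKIM1":
        warnings.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        warnings.append(f"key type {tags.get('k')!r} is not rsa")
    if "y" in tags.get("t", "").split(":"):
        warnings.append("t=y: domain is in DKIM testing mode")
    key_der = base64.b64decode(tags["p"]) if tags.get("p") else b""
    bits = rsa_key_bits(key_der) if key_der else 0
    if not key_der:
        warnings.append("empty p= (key revoked); signatures will not verify")
    elif bits < 2048:
        warnings.append(f"{bits}-bit key; RFC 8301 recommends at least 2048 bits")
    return {"name": name, "selector": name.split("._domainkey")[0], "tags": tags,
            "key_bits": bits, "key_der_bytes": len(key_der), "warnings": warnings}
```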

DMARC Report Setting

You can configure DMARC report settings that are system-wide (see DMARC Report Generation), or specific to this protected domain.

To configure per-domain DMARC report and statistics

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a protected domain or double-click a domain to modify it.

  3. Click to expand Advanced Setting.

  4. Click DMARC Report Setting.

  5. Configure the following:

    GUI item

    Description

    Report Generation

    Status

    Select whether or not to send DMARC reports, and which settings to use:

    • Enable — Collect DMARC check data. Each day, for each sender domain that matched a policy where DMARC checks are enabled, send a report to that domain's authorized DMARC report recipient.

      Also configure From address local part.

      Note: If a sender does not have a valid DMARC RUA/RUF configured in the domain's DNS TXT record, then even if you enable DMARC reports, FortiMail cannot send them to that domain because there is no report recipient email address.

      Tip: If you have the DMARC report analysis feature license, then you can instead use charts with statistics about DMARC reports. You can also generate DMARC reports on demand, and send them to other recipients. See Viewing DMARC report statistics, and the Status setting for analysis.

    • Disable — Do not collect DMARC check data. Do not generate a report.

    • Monitor Only — Collect DMARC check data, but do not generate a report.

    • Use System Setting — Use the system-wide setting.

    From address local part

    Enter the local part (username) that the FortiMail unit will use as its sender email address (From:) when it sends DMARC report email.

    Default is noreply. Change it if, for example, an administrator wants replies about DMARC reports.

    Also configure Status for report generation.

    Report Analysis

    Status

    Select whether or not to include data from this protected domain in charts with current DMARC statistics that FortiMail administrators can use when they log in (see Viewing DMARC report statistics), either:

    • Enable — Include data from this protected domain.

    • Disable — Do not include data from this protected domain.

    • Use System Setting — Use the system-wide setting.

Disclaimer

You can configure disclaimer messages that are system-wide (see Configuring global disclaimers), or specific to each protected domain.

A disclaimer message is text that is generally attached to email to warn the recipient that the email contents may be confidential. For disclaimers added to outgoing messages, you must configure an IP-based policy or an outgoing recipient-based policy.

Disclaimer messages can be appended for either or both incoming or outgoing email messages.

To configure per-domain disclaimer messages

  1. Go to System > Mail Setting > Disclaimer.
  2. Enable Allow per-domain settings.
  3. If FortiMail is operating in transparent mode, also enable clients to send email using their specified SMTP server. For more information, see Use client-specified SMTP server to send email.
  4. Go to Domain & User > Domain > Domain.

  5. Either click New to create a protected domain or double-click a domain to modify it.

  6. Expand the Advanced Setting section.

  7. Click Disclaimer.

    A new dialog appears.

  8. Configure the following:

    GUI item

    Description

    Setting

    Select which type of disclaimer message to append.

    • Disable: Do not append disclaimer messages.
    • Use system setting: Append the system-wide disclaimer message.
    • Use domain setting: Append the disclaimer messages configured specifically for this protected domain. For information about how to configure disclaimer messages, see Configuring global disclaimers.

    This option is available only if you have enabled per-domain disclaimer messages. See Configuring global disclaimers.

Sender Address Rate Control

For users in each protected domain, you can rate control how much email each user can send.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a protected domain or double-click a domain to modify it.

  3. Expand the Advanced Setting section.

  4. Click Sender Address Rate Control.

    A new dialog appears.

  5. Configure the following:

    GUI item

    Description

    Status

    Enable or disable the following rate limits.

    Action

    Select which action to apply when a user exceeds any of the following rate limits. For details about actions, see Action.

    Exempt List

    Click to define which SMTP clients are exempt; the rate limits in this protected domain do not apply to them.

    Maximum number of messages per half hour

    Enter the maximum number of emails per user in each 30 minute time interval.

    Maximum number of recipients per half hour

    Enter the maximum number of unique email recipient addresses per user in each 30 minute time interval.

    Maximum data size per half hour (MB)

    Enter the maximum size, in megabytes (MB), per user in each 30 minute time interval.

    Maximum number of spam messages per half hour

    Enter the maximum number of spam email per user in each 30 minute time interval. If a sender's email is often detected as spam, it is probable that they are intentionally sending unwanted email rather than doing so by accident.

    Send notification upon rate control violation

    If the user directly connects to FortiMail to send email, then Action will indicate to the user that their email was not accepted. Otherwise (or if you want to provide a detailed explanation), configure this option to send an explanation email to the user. See Configuring notification profiles.

See also

Use client-specified SMTP server to send email

Configuring global disclaimers

Incoming versus outgoing email

Configuring protected domains

Other

This section contains miscellaneous settings for the protected domain.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the Advanced Setting section.

  4. Click Other.

    A new dialog appears.

  5. Configure the following:

    GUI item

    Description

    Webmail theme

    Either use the system setting or choose a color to overwrite the system setting.

    Webmail language

    Select either to use the default system language or a different language that the FortiMail unit will use to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same language as the GUI. For more information, see Customizing the GUI appearance.

    Disk quota (GB)

    Enter the disk quota in gigabytes (GB). If the maximum disk quota of this domain is exceeded, users of this domain will no longer receive any new email.

    If the disk quota reaches the 90% threshold, a warning email is sent to the domain customer email address.

    For instances where a resource profile disk quota is set to 0, the domain quota is enforced. Setting any value on resource profile higher than the domain quota value results in the domain quota value being imposed. Resource profile quota values are imposed instead when they are lower than the domain quota.

    Note: This option is only available in server mode.

    Webmail single sign on

    For webmail SSO, enable the service and select an SSO profile from the dropdown menu.

    For more information, see Configuring single sign-on (SSO).

    Maximum message size (KB)

    Enter the limit in kilobytes (KB) of the message size. Email messages over the threshold size are rejected.

    Note: If the same email message is sent to recipients in multiple protected domains and the maximum message size limits in the domain settings are different, the smallest size setting will take effect and thus the email won't be delivered to any recipients. In this case, you can use the maximum message size setting in the content profile instead (under Profile > Content > Content). However, you can use the reject action only for separate SMTP sessions, not within one and the same session.

    Note: When you configure session profile settings under Profile > Session > Session, you can also set the message size limit. Here is how the two settings work together:

    • For outgoing email, only the size limit in the session profile will be matched. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be used.
    • For incoming email, the size limits in both the session profile and domain settings will be checked. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be compared with the size limit in the domain settings. The smaller size will be used.

    SMTP greeting (EHLO/HELO) Name (As Client)

    Select how the FortiMail unit will identify itself during the HELO or EHLO greeting when delivering mail to the protected SMTP server as a client.

    • Use this domain name: The FortiMail unit will identify itself using the domain name for this protected domain.
      If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.
    • Use system host name: The FortiMail unit will identify itself using its own host name. This is the default setting.
    • Use other name: Specify a greeting name if you want to use a customized host name. For example, if you choose to use an IP group for this domain, you can specify a greeting name for this IP pool to use.

    This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.

    IP pool

    You can use a pool of IP addresses as the source IP address when sending email from this domain, or as the destination IP address when receiving email destined to this domain, or as both the source and destination IP addresses.

    • If you want to use the IP pool as the source IP address for this protected domain, according to the sender’s email address in the envelope (MAIL FROM:), select the IP pool to use and select Delivering as the Direction.
    • If you want to use the IP pool as the destination IP address (virtual host) for this protected domain, according to the recipient’s email address in the envelope (RCPT TO:), select the IP pool to use and select Receiving as the Direction. You must also configure the MX record to direct email to the IP pool addresses as well.
      This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different hosts and logging for each host can be separated as well.
    • If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select Both as the Direction.

    Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

    If the FortiMail unit is operating in transparent mode, and you have enabled Hide the transparent box or Use client-specified SMTP server to send email, you cannot use IP pools.

    For more information on IP pools, see Configuring IP pools.

    Remove received header of outgoing email

    Enable to remove the Received: message headers from email whose:

    • sender email address belongs to this protected domain
    • recipient email address is outgoing (that is, does not belong to this protected domain); if there are multiple recipients, only the first recipient’s email address is used to determine whether an email is outgoing

    Alternatively, you can remove this header from any matching email using session profiles. See Received:.

    Use global Bayesian database

    Enable to use the global Bayesian database instead of the Bayesian database for this protected domain.

    If you do not need the Bayesian database to be specific to the protected domain, you may want to use the global Bayesian database instead in order to simplify database maintenance and training.

    Disable to use the per-domain Bayesian database.

    Note: Train the global or per-domain Bayesian database before using it. If you do not train it first, Bayesian scan results may be unreliable. For more information on Bayesian database types and how to train them, see Types of Bayesian databases and Training the Bayesian databases.

    Bypass bounce verification

    Mark this check box to disable bounce verification for this protected domain.

    This option appears only if bounce verification is enabled. For more information, see Configuring bounce verification and tagging.

Service Settings section

If you are a managed security service provider (MSSP) that hosts multiple domains for multiple customers, the super admin may want to limit each protected domain's usage of FortiMail resources for billing purposes. Domain administrators are not allowed to modify these settings.

These features are available only if FortiMail is operating in server mode.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

  3. Expand the Advanced Setting section.

  4. Click Other.

    A new dialog appears.

  5. Expand the Service Setting section.

  6. Configure the following:

    GUI item

    Description

    Enable domain level service settings

    Select to enable the domain-level server controls.

    Email account limit

    Specify the maximum number of email accounts allowed on this domain.

    Max user quota (MB)

    Specify the maximum disk quota for each user.

    Mail access

    Specify the allowed mail access protocol for the users: POP3, IMAP, or Webmail.

    Webmail service type

    For webmail access, if you select Limited Service, users will only be able to change their passwords and configure mail forwarding. All other features will not be available.

Customer Information section

In each protected domain, you can make notes about the associated customer account.

  1. Go to Domain & User > Domain > Domain.

  2. Either click New to create a new protected domain, or click a row to modify it.

    A multi-section dialog appears. Its options vary with the operation mode.

  3. Expand the Customer Information section.

  4. Configure the following:

    GUI item

    Description

    Name

    Enter the customer name.

    Email

    Enter the customer email address.

    Account limit

    Enter the user account limit.

    Description

    Optional. Enter a description or comment.

Mail Migration Settings section

If FortiMail is operating in server mode, and you enable the mail migration feature, this section will appear. For details, see Migrating email from other mail servers (server mode only).
