system global
Use this command to configure many FortiMail system-wide configurations.
Syntax
config system global
set admin-idle-timeout <timeout_int>
set admin-lockout-duration <timeout_int>
set admin-lockout-threshold <attempts_int>
set admin-maintainer {enable | disable}
set default-certificate <name_str>
set disclaimer-per-domain {enable | disable}
set disk-monitor {enable | disable}
set email-migration-status {enable | disable}
set iscsi-initiator-name <name_str>
set lcd-protection {enable | disable}
set ldap-server-sys-status {enable | disable}
set ldap-sess-cache-state {enable | disable}
set local-domain-name <name_str>
set mailbox-service {enable | disable}
set mailstat-service {enable | disable}
set max-admin-per-domain <administrators_int>
set mta-adv-ctrl-status {enable | disable}
set operation-mode {gateway | server | transparent}
set pki-certificate-req {yes | no}
set pki-mode {enable | disable}
set post-login-banner {admin ibe webmail}
set ssl-versions {ssl3 tls1_0 tls1_1 tls1_2 tls1_3}
set strong-crypto {enable | disable}
end
|
Variable |
Description |
Default |
|
Enter the amount of time in minutes after which an idle administrative session will be automatically logged out. The maximum idle time out is 480 minutes (eight hours). To improve security, do not increase the idle timeout. |
5 |
|
|
Enter the lockout duration in minutes after the failed login threshold is reached. |
3 |
|
|
Enter the number of failed login attempts before being locked out. |
4 |
|
|
Enable or disable the maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is Caution: There is a limited time to complete this login. If you attempt to disable |
enable |
|
|
Enter the name of a local certificate to use it as the “default" (that is, currently chosen for use) certificate. FortiMail units require a local certificate that it can present to identify itself when clients request secure connections. |
factory |
|
|
Enter the minimum size of the Diffie-Hellman prime number for secure connections such as SSH and HTTPS. |
1024 |
|
|
Enable to allow individualized disclaimers to be configured for each protected domain. |
|
|
|
Enable to monitor the hard disk status of the FortiMail unit. If a problem is found, FortiMail sends an alert email to the administrator. |
disable |
|
|
Enable the email migration from external server. |
|
|
|
Enter the host name of the FortiMail unit. |
Varies by model. |
|
|
Enter the expiry age for HTTP Strict Transport Security (HSTS) header in HTTPS connections to the GUI. Enter |
365 |
|
|
Enter the FortiMail iSCSI client name used to communicate with the iSCSI server for centralized quarantine storage. This is only used to change the name generated by the FortiMail unit automatically. |
|
|
|
Enter the 6-digit personal identification number (PIN) that administrators must enter in order to access the FortiMail LCD panel. The PIN is used only when |
Encoded value varies. |
|
|
Enable to require that administrators enter a PIN in order to use the buttons on the front LCD panel. Also configure lcdpin. |
disable |
|
|
Enable or disable the LDAP server for serving organizational information. |
enable |
|
|
Enable to keep the continuity of the connection sessions to the LDAP server. Repeated session connections waste network resources. |
enable |
|
|
Enter the local domain name of the FortiMail unit. |
|
|
|
Note: The mailbox service feature is license based. If you do not purchase the advanced management license, this feature is not available. Enable the mailbox service. After you enable this service, see report mailbox for information on configuring the mailbox service. New options also appear in the GUI under FortiView > Mail Statistics > Active Mailbox. |
|
|
|
Enable the mail statistic service. After you enable this service, a new tab called Top User Statistics will appear under FortiView on the GUI. |
disable |
|
|
Set the maximum number of administrators per domain. The valid range is 1 to 10. |
3 |
|
|
Enable to configure advanced session-specific MTA settings (see profile session) and overwrite the global settings configured elsewhere. Note: The MTA advanced control feature is license based. If you do not purchase the advanced management license, this feature is not available. |
enable |
|
|
Select the operation mode:
Note: Only administrators with super admin privileges may change the FortiMail unit's operation mode. |
gateway |
|
|
If the administrator’s web browser does not provide a valid personal certificate for PKI authentication, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter |
no |
|
|
Enable to allow PKI authentication for FortiMail administrators. See also user pki and system admin. Also configure pki-certificate-req {yes | no}. Caution:: Before disabling PKI authentication, select another mode of authentication for FortiMail administrators and email users that are currently using PKI authentication. Failure to first select another authentication method before disabling PKI authentication will prevent them from being able to log in. |
disable |
|
|
Enter the HTTP port number for administrative access on all interfaces. |
80 |
|
|
Enter the HTTPS port number for administrative access on all interfaces. |
443 |
|
|
Enter the SSH port number for administrative access on all interfaces. |
22 |
|
|
Enter the TELNET port number for administrative access on all interfaces. |
23 |
|
|
Select which login pages will display the legal disclaimer:
|
admin |
|
|
Enable or disable the legal disclaimer before the administrator logs into the FortiMail GUI. |
admin |
|
|
Select which SSL/TLS versions you want to support for the HTTPS and SMTP access to FortiMail. Currently, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are supported. Tip: Because some old versions of email clients (for example, Microsoft Outlook 2007 and older) and MTAs only support TLS 1.0, they may have issues connecting to FortiMail if you enable |
ssl3 |
|
|
Enable to use strong encryption and only allow strong ciphers (AES) and digest (SHA1) for HTTPS/SSH access. |
enable |
|
|
Enable to allow use of TFTP in FIPS mode. |
enable |