admin-idle-timeout <timeout_int>

Enter the amount of time in minutes after which an idle administrative session will be automatically logged out.

The maximum idle time out is 480 minutes (eight hours). To improve security, do not increase the idle timeout.

admin-lockout-duration <timeout_int>

Enter the lockout duration in minutes after the failed login threshold is reached.

admin-lockout-threshold <attempts_int>

Enter the number of failed login attempts before being locked out.

admin-maintainer {enable | disable}

Enable or disable the maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is \'bcpb\' followed by the unit serial number.

Caution: There is a limited time to complete this login.

If you try to disable admin-maintainer, a message appears warning that the password recovery mechanism will be lost. Do not disable this option if you do not have a backup plan for recovery.

default-certificate <name_str>

Enter the name of a local certificate to use it as the “default" (that is, currently chosen for use) certificate.

FortiMail units require a local certificate that it can present to identify itself when clients request secure connections.

dh-params <bits_int>

Enter the minimum size of the Diffie-Hellman prime number for secure connections such as SSH, SMTPS, and HTTPS. Larger bit sizes are slower to generate, but generally more secure.

Alternatively, you can set the Diffie-Hellman bit size for individual protocols. See system security crypto.

disclaimer-per-domain {enable | disable}

Enable to allow individualized disclaimer messages to be configured for each protected domain. Also configure disclaimer-status {disabled | use-domain-setting | use-system-setting}.

disk-monitor {enable | disable}

Enable to monitor the hard disk status of the FortiMail unit. If a problem is found, FortiMail sends an alert email to the administrator.

email-migration-status {enable | disable}

Enable the email migration from external server.

hostname <host_str>

Enter the host name of the FortiMail unit.

hsts-max-age <days_int>

Enter the expiry age for HTTP Strict Transport Security (HSTS) header in HTTPS connections to the GUI. Enter 0 to disable expiry.

iscsi-initiator-name <name_str>

Enter the FortiMail iSCSI client name used to communicate with the iSCSI server for centralized quarantine storage.

This is only used to change the name generated by the FortiMail unit automatically.

lcd-pin <pin_int>

Enter the 6-digit personal identification number (PIN) that administrators must enter in order to access the FortiMail LCD panel.

The PIN is used only when lcdprotection is enable.

lcd-protection {enable | disable}

Enable to require that administrators enter a PIN in order to use the buttons on the front LCD panel. Also configure lcdpin.

ldap-server-sys-status {enable | disable}

Enable or disable the LDAP server for serving organizational information.

ldap-sess-cache-state {enable | disable}

Enable to keep the continuity of the connection sessions to the LDAP server. Repeated session connections waste network resources.

local-domain-name <name_str>

Enter the local domain name of the FortiMail unit.

mailstat-service {enable | disable}

Enable the mail statistic service.

After you enable this service, a new tab called Top User Statistics will appear under FortiView on the GUI.

max-admin-per-domain <administrators_int>

Enter the maximum number of administrators per domain. The valid range is 1 to 10.

mta-adv-ctrl-status {enable | disable}

Enable to configure advanced session-specific MTA settings (see profile session) and overwrite the global settings configured elsewhere.

Note: The MTA advanced control feature is license based. If you do not purchase the advanced management license, this feature is not available.

operation-mode {gateway | server | transparent}

Select the operation mode:

• gateway: The FortiMail unit acts as an SMTP gateway or MTA, but does not host email accounts.

• server: The FortiMail unit acts as a standalone email server that hosts email accounts and acts as an MTA.

• transparent: The FortiMail unit acts as an SMTP proxy.

Note: Only administrators with super_admin privileges may change the FortiMail unit's operation mode.

pki-certificate-req {yes | no}

If the administrator’s web browser does not provide a valid personal certificate for PKI authentication, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter yes. To allow password-style fallback, enter no.

pki-mode {enable | disable}

Enable to allow PKI authentication for FortiMail administrators. See also user pki and system admin.

Also configure pki-certificate-req {yes | no}.

Caution:: Before you disable PKI authentication, enable another mode of authentication for FortiMail administrators and email users that are currently using PKI authentication. If you don't, they will not be able to log in.

port-http <port_int>

Enter the HTTP port number for administrative access on all interfaces.

port-https <port_int>

Enter the HTTPS port number for administrative access on all interfaces.

port-ssh <port_int>

Enter the SSH port number for administrative access on all interfaces.

port-telnet <port_int>

Enter the Telnet port number for administrative access on all interfaces.

post-login-banner {admin ibe webmail}

Select which login pages will display the legal disclaimer:

• admin: Select to display the disclaimer message after the administrator logs into the FortiMail administrative GUI.
• webmail: Select to display the disclaimer message after the user logs into FortiMail webmail.
• ibe: Select to display the disclaimer message after the user logs into the FortiMail unit to view IBE encrypted email.

pre-login-banner {admin}

Enable or disable the legal disclaimer before the administrator logs into the FortiMail GUI.

ssl-versions {ssl3 tls1_0 tls1_1 tls1_2 tls1_3}

Select which SSL/TLS version(s) FortiMail will accept in secure connections:

• from clients (HTTPS web browsers and SMTPS mail clients)
• to servers (protected mail servers and Syslog with TCP over TLS)

Separate multiple versions with a space.

Alternatively, for some protocols, you can individually specify which SSL/TLS versions FortiMail accepts. See system security crypto.

Note: The ssl3 option is not available if strong-crypto {enable | disable} is enabled.

Note: Some old versions of web browsers, email clients (for example, Microsoft Outlook 2007 and older), and MTAs may only support TLS 1.0. Therefore they cannot connect to FortiMail if you enable strong-crypto {enable | disable} and/or disable TLS 1.0.

strong-crypto {enable | disable}

Enable to use strong encryption and only allow strong ciphers (AES-128 or better) and digest (SHA-256 or better) for HTTPS, SSH, and Syslog with TCP over TLS. Old SSL/TLS versions with known vulnerabilities such as SSL 3.0 are also disabled, so this setting may partially override ssl-versions {ssl3 tls1_0 tls1_1 tls1_2 tls1_3}.

Alternatively, for some protocols, you can individually specify which cipher suites FortiMail accepts for each protocol. See system security crypto.

Note: Old mail clients and old browser versions such as Microsoft Internet Explorer 6.0 do not support strong encryption.