CLI Reference

system encryption ibe

Use this command to configure Identity-Based Encryption (IBE) services for encrypted email messages.

Syntax

config system encryption ibe
    set status {enable | disable}
    set service-name "<name_str>"
    set auth-mode {password | token | two-factor}
    set auth-max-attempt <attempts_int>
    set two-factor-auth-method {email | sms}
    set sms-provider {etisalat | twilio}
    set sms-account-id <account-id_str>
    set sms-auth-key <key_str>
    set sms-from-number <number>
    set secure-token-ttl <minutes_int>
    set etisalat-username <username_str>
    set etisalat-password <password_str>
    set etisalat-sender <sender_email>
    set account-notification {activation deletion expiration registration-confirmation reset-confirmation}
    set expire-registration <days_int>
    set expire-inactivity <days_int>
    set expire-passwd-reset <hours_int>
    set expire-emails <days_int>
    set expire-alert {<days_int> ...}
    set read-notification {enable | disable}
    set unread-notification {enable | disable}
    set unread-days <days_int>
    set unread-notif-sender <from_email>
    set unread-notif-rcpt <to_email>
    set secure-reply {enable | disable}
    set secure-forward {enable | disable}
    set secure-compose {enable | disable}
    set url-base-type {domain | system}
    set url-base "<base_url>"
    set url-help <help_url>
    set url-about <about_url>
    set custom-user-control-status {enable | disable}
    set url-custom-user-control <user-check_url>
    set url-forgot-pwd <forgot-password_url>
end

Variable / Description / Default

account-notification {activation deletion expiration registration-confirmation reset-confirmation}
Select which types of account notifications to send to users.
Default: activation expiration

auth-max-attempt <attempts_int>
Enter the maximum number of authentication attempts a user is allowed.
Default: 3

auth-mode {password | token | two-factor}
Select the IBE user authentication method: password, token, or two-factor.
Default: password

custom-user-control-status {enable | disable}
If your organization has its own user authentication tools, enable this setting. Then configure url-custom-user-control <user-check_url> and url-forgot-pwd <forgot-password_url>.
Default: disable

etisalat-password <password_str>
Enter the password for the Etisalat username.
This setting is available if sms-provider {etisalat | twilio} is etisalat.

etisalat-sender <sender_email>
Enter the Etisalat sender name.
This setting is available if sms-provider {etisalat | twilio} is etisalat.

etisalat-username <username_str>
Enter the Etisalat username.
This setting is available if sms-provider {etisalat | twilio} is etisalat.

expire-alert {<days_int> ...}
Enter the number of days before the user account's expiry date to send an alert email notification to the user. Valid range is 0 to 7, where 0 means the account expires with no notification.
Optionally, for multiple alert email intervals, separate each entry with a space. For example, the default value (1 7) will send an alert email seven days and one day before the expiry date.
Default: 0 7

expire-emails <days_int>
Enter the number of days that the secured mail will be kept on the FortiMail unit.
Default: 180

expire-inactivity <days_int>
Enter the number of days the secured mail recipient can access the FortiMail unit without registering again.
For example, if you set the value to 30 days and the mail recipient does not access the FortiMail unit for 30 days after registering on the unit, the recipient will need to register again if another secured mail is sent to them. If the recipient accesses the FortiMail unit on the 15th day, the 30-day limit is recalculated from the 15th day onwards.
Default: 90

expire-passwd-reset <hours_int>
Enter the password reset expiry time in hours.
This applies to recipients who have forgotten their login passwords and request new ones. The secured mail recipient must reset their password within this time limit to access the FortiMail unit.
Default: 24

expire-registration <days_int>
Enter the number of days that the secured mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.
Default: 30

read-notification {enable | disable}
Enable to send the read notification the first time the mail is read.
Default: disable

secure-compose {enable | disable}
Enable to allow the secure mail recipient to compose an email. The FortiMail unit uses policies and mail delivery rules to determine whether this mail needs to be encrypted.
For encrypted email, the domain of the composed mail's recipient must be a protected domain; otherwise an error message appears and the mail is not delivered.
Default: disable

secure-reply {enable | disable}
Enable to allow the secured mail recipient to reply to the email with IBE encryption.
Default: enable

secure-forward {enable | disable}
Enable to allow the secured mail recipient to forward the email with IBE encryption.
Default: disable

secure-token-ttl <minutes_int>
Enter the secure token timeout value in minutes. Valid range is 1-1440.
Default: 30

service-name "<name_str>"
Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the secure mail.
Default: Identity Based Encryption

sms-account-id <account-id_str>
Enter the account or service plan ID provided by your SMS provider.

sms-auth-key <key_str>
Enter the authentication token or API key provided by your SMS provider.

sms-from-number <number>
Enter the phone number from which to send SMS messages.

sms-provider {etisalat | twilio}
Select the SMS provider for two-factor authentication. Then configure the related settings, such as etisalat-username <username_str>.
Default: twilio

status {enable | disable}
Enable or disable the IBE secure mail service.
Default: disable

two-factor-auth-method {email | sms}
Select the verification method for two-factor authentication: email or SMS.
This setting is not available when auth-mode {password | token | two-factor} is password.
Default: email

unread-days <days_int>
Enter the time threshold in days for notification about unread email.
This setting is only available when unread-notification {enable | disable} is enable.
Default: 14

unread-notif-rcpt <to_email>
Enable to send the unread notification to the recipient.
This setting is only available when unread-notification {enable | disable} is enable.
Default: disable

unread-notif-sender <from_email>
Enable to send the unread notification to the sender.
This setting is only available when unread-notification {enable | disable} is enable.
Default: disable

unread-notification {enable | disable}
Enable to send the unread notification if the message remains unread after the period of time that you configure in unread-days <days_int>.
Default: disable

url-about <about_url>
If you want to create a custom file about IBE secure mail, enter the URL for the file. The mail recipient can click the "About" link in the secure mail notification to view your file.
If you leave this setting empty, a link to the default file about FortiMail IBE secure mail is added to the secure mail notification.

url-base "<base_url>"
Enter the base URL where mail recipients can register and authenticate to access IBE secured mail and IBE notifications. If this setting is empty, the default base URL is used.
This setting is available if url-base-type {domain | system} is system.

url-base-type {domain | system}
Select the type of base URL where mail recipients register and access IBE secured mail and IBE notifications, either:

  • domain: A FQDN that combines the FortiMail hostname (hostname <host_str>) and the sender's protected domain (config domain). Public DNS servers for each protected domain must have an A/AAAA record that resolves this FQDN to a public IP address used to reach FortiMail. This base URL is useful if you have multiple protected domains (such as an MSSP deployment) and each one needs a separate IBE portal. If the sender is not in a protected domain, then the system-wide URL is used instead.

    Note: If the protected domain is deleted, then the secure mail may not be accessible.

  • system: A FQDN that combines the FortiMail hostname (hostname <host_str>) and the local domain name (local-domain-name <local-domain_str>). If you want to override this, configure url-base "<base_url>".

Default: system

url-custom-user-control <user-check_url>
Enter the URL where you can determine if an IBE user exists.
This setting is available if custom-user-control-status {enable | disable} is enable.

url-forgot-pwd <forgot-password_url>
Enter the URL where IBE users authenticate.
This setting is available if custom-user-control-status {enable | disable} is enable.

url-help <help_url>
If you want to create a custom help file on how to access the IBE secure email, enter the URL for your file. The mail recipient can click the "Help" link in the secure mail notification to view your file.
If you leave this setting empty, a link to the default help file is added to the secure mail notification.
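Several of the settings above only take effect under conditions the table states (two-factor-auth-method needs a non-password auth-mode, the etisalat-* fields need sms-provider etisalat, url-base needs url-base-type system, and secure-token-ttl and expire-alert have fixed ranges). The following is an added example, not Fortinet code, that parses a pasted `config system encryption ibe` block and reports any of those violations before the configuration is applied; the sample block and the DEFAULTS table (taken from the Default column above) are the only assumptions.

```python
import re

# Defaults stated in this reference, used when a setting is not set explicitly.
DEFAULTS = {"auth-mode": "password", "two-factor-auth-method": "email", "sms-provider": "twilio",
            "url-base-type": "system", "custom-user-control-status": "disable"}
ETISALAT_KEYS = ("etisalat-username", "etisalat-password", "etisalat-sender")

# Constructed sample (not a real deployment) that breaks several stated ranges and dependencies.
SAMPLE = """config system encryption ibe
    set service-name "Secure Mail"
    set auth-mode two-factor
    set two-factor-auth-method sms
    set sms-provider etisalat
    set secure-token-ttl 2000
    set expire-alert 1 9
    set url-base-type domain
    set url-base "https://ibe.example.com"
end"""

def parse_ibe_block(text):
    """Return {setting: [values]} for each `set` line between config ... end."""
    settings, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system encryption ibe":
            in_block = True
        elif line == "end":
            in_block = False
        elif in_block and line.startswith("set "):
            name, _, rest = line[4:].partition(" ")
            # keep a quoted value with spaces as one value, then drop the quotes
            settings[name] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
    return settings

def lint_ibe(settings):
    """Return a list of findings; an empty list means nothing to report."""
    get = lambda k: settings.get(k, [DEFAULTS.get(k)])[0]
    findings = []
    ttl = get("secure-token-ttl")
    if ttl is not None and not 1 <= int(ttl) <= 1440:
        findings.append("secure-token-ttl must be 1-1440 minutes")
    for days in settings.get("expire-alert", []):
        if not 0 <= int(days) <= 7:
            findings.append(f"expire-alert value {days} is outside 0-7 days")
    if get("auth-mode") == "password" and "two-factor-auth-method" in settings:
        findings.append("two-factor-auth-method is ignored when auth-mode is password")
    if get("sms-provider") == "etisalat" and get("two-factor-auth-method") == "sms":
        findings += [f"{k} is required for sms-provider etisalat"
                     for k in ETISALAT_KEYS if k not in settings]
    if "url-base" in settings and get("url-base-type") != "system":
        findings.append("url-base is only used when url-base-type is system")
    if get("custom-user-control-status") == "enable":
        findings += [f"{k} is required when custom-user-control-status is enable"
                     for k in ("url-custom-user-control", "url-forgot-pwd") if k not in settings]
    return findings
```

Run `lint_ibe(parse_ibe_block(SAMPLE))` to see the six findings for the sample; the same call on a block that keeps the defaults and a valid secure-token-ttl returns an empty list.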

Related topics

system encryption ibe-auth
