Configuring Profiles

Configuring encryption profiles

The Encryption tab lets you create encryption profiles, which contain encryption settings for secure MIME (S/MIME) and identity-based encryption (IBE).

Encryption profiles are applied through either message delivery rules or content action profiles used in content profiles which are included in policies. For more information, see “Configuring delivery rules” on page 464 and “Configuring content action profiles” on page 535.

Before S/MIME encryption will work, you must also create at least one internal address certificate binding. For details, see “Configuring certificate bindings” on page 362.

For more information about using S/MIME encryption, see “Using S/MIME encryption” on page 596.

For more information about using IBE, see “Configuring IBE encryption” on page 357.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.

To view or configure encryption profiles

  1. Go to Profile > Security > Encryption.

Figure 259: Encryption tab

GUI item: Description

Clone (button): Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

Profile Name: Displays the name of the profile.

Protocol: Displays the protocol used for this profile, S/MIME or IBE.

Encryption Algorithm: Displays the encryption algorithm that will be used to encrypt the email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES).

Action On Failure: Indicates the action the FortiMail unit takes when S/MIME or IBE cannot be used:
    • Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
    • Send plain message: Deliver the email without encryption.
    • Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level. For more information, see “Configuring delivery rules” on page 464 and “Configuring TLS security profiles” on page 591.

IBE Action: Displays the action used by the mail recipients to retrieve IBE messages.
    • Push: A notification and a secure mail are delivered to the recipient, who needs to go to the FortiMail unit to open the message. The FortiMail unit does not store the message.
    • Pull: A notification is delivered to the recipient, who needs to go to the FortiMail unit to open the message. The FortiMail unit stores the message.

Max Push Size (KB): Displays the maximum message size (KB) of the secure mail delivered (pushed) to the recipient. If the message exceeds the size limit, it will be delivered with the Pull method.

(Green dot in column heading): Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  2. Either click New to add a profile or double-click a profile to modify it.

A dialog appears.

Figure 260: Encryption Profile dialog

  3. For a new profile, enter the name of the profile in Profile name.
  4. In Protocol, select S/MIME or IBE.

The availability of the following options varies by your selection in Protocol.

  5. If you selected IBE as the protocol:
    • Select the Action method (Push or Pull) for the mail recipients.
    • For Push, specify the maximum message size (KB) for the Push method (messages exceeding the size limit will be delivered with the Pull method).
  6. From Encryption algorithm, select the encryption algorithm that will be used to encrypt email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES).
  7. From Action on failure, select the action the FortiMail unit takes when encryption cannot be used:
    • Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
    • Send plain message: Deliver the email without encryption.
    • Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level.
  8. Click Create or OK.
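The two decisions the procedure above configures (Push versus Pull by message size, and what happens when encryption cannot be used, including the Enforce TLS precedence over the delivery rule's TLS level) are modelled below as an added illustration. This is not FortiMail code; the class, function and return strings are assumptions that simply mirror the GUI labels on this page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Added illustration of the encryption-profile semantics described on this page.
# Not FortiMail's implementation; names are assumptions that mirror the GUI labels.


class TlsLevel(Enum):
    """TLS level of the TLS profile attached to a message delivery rule."""
    NONE = "None"
    PREFERRED = "Preferred"
    ENCRYPT = "Encrypt"
    SECURE = "Secure"


@dataclass
class EncryptionProfile:
    protocol: str              # "S/MIME" or "IBE"
    algorithm: str             # AES 128, AES 192, AES 256, CAST5 128, Triple DES
    action_on_failure: str     # "Drop and send DSN", "Send plain message", "Enforce TLS"
    ibe_action: str = "Pull"   # "Push" or "Pull" (IBE profiles only)
    max_push_size_kb: int = 0  # Push falls back to Pull above this size


def ibe_delivery_method(profile: EncryptionProfile, message_size_kb: int) -> str:
    """Push is used only for IBE messages within Max Push Size; otherwise Pull."""
    if profile.protocol != "IBE":
        raise ValueError("IBE action applies only to IBE profiles")
    if profile.ibe_action == "Push" and message_size_kb <= profile.max_push_size_kb:
        return "Push"
    return "Pull"


def on_encryption_failure(profile: EncryptionProfile,
                          rule_tls_level: Optional[TlsLevel]) -> str:
    """Outcome when S/MIME or IBE cannot be used for a message.

    rule_tls_level is the level of the delivery rule's TLS profile, or None when
    the rule has no TLS profile.
    """
    if profile.action_on_failure == "Drop and send DSN":
        return "drop, DSN to sender"
    if profile.action_on_failure == "Send plain message":
        return "deliver in plain text"
    if profile.action_on_failure == "Enforce TLS":
        # Encrypt or Secure already requires TLS: the rule is left as it is.
        if rule_tls_level in (TlsLevel.ENCRYPT, TlsLevel.SECURE):
            return f"deliver with existing TLS level {rule_tls_level.value}"
        # No TLS profile, or level None/Preferred: raised to Encrypt.
        return "deliver with TLS level Encrypt (enforced)"
    raise ValueError(f"unknown action on failure: {profile.action_on_failure}")
```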


6 thoughts on “Configuring Profiles”

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.

    Where can I get the book to view page 620?

  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95.03-95.09. What is really checked in headers? In our organization (government – 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…

    1. Mike (Post author)

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

  3. Dormond

    Hello,
    Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000)… Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750’000 … still no false positives.

  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FWs between the SMTP gateway and the LDAP servers, we do not want to clear the whole cache.
