Configuring Mail Settings

Configuring mail queue setting

Use these sections to configure mail queues and the use of Extended Simple Mail Transfer Protocol (ESMTP).

For more information on the FortiMail mail queue, see “Managing the deferred mail queue” on page 179 and “Managing undeliverable mail” on page 181.

GUI item: Description

Mail Queue section

Maximum time for email in queue: Select the maximum number of hours that deferred email messages can remain in the deferred or quarantined email queue, during which the FortiMail unit periodically retries to send the message.

After it reaches the maximum time, the FortiMail unit sends a final delivery status notification (DSN) email message to notify the sender that the email message was undeliverable.

Maximum time for DSN email in queue: Select the maximum number of hours a delivery status notification (DSN) message can remain in the mail queues. After it reaches the maximum, the FortiMail unit moves the DSN email to the dead mail folder.

If set to zero (0), the FortiMail unit attempts to deliver the DSN only once.

Time before delay warning: Select the number of hours after an initial failure to deliver an email message before the FortiMail unit sends the first delivery status notification (DSN) message to notify the sender that the email message was deferred.

After sending this initial DSN, the FortiMail unit continues trying to send the email until reaching the limit configured in Maximum time for email in queue.

Time interval for retry: Select the number of minutes between delivery retries for email messages in the deferred and spam mail queues.

Dead mail retention period: Enter the number of days that undeliverable email and its associated DSN will be kept in the dead mail folder. After this time, the dead email and its DSN are automatically deleted.

Configuring outgoing email options

For outgoing email, you can use an SMTP relay, instead of the FortiMail built-in MTA, to deliver email.

Under some circumstances, connections from certain relays may be blocked by other parties. If you have other backup relays, you can use them instead.

For information about adding SMTP relays, see “Configuring SMTP relay hosts” on page 373.

GUI item: Description

Deliver to relay host: Select a relay that you configured in “Configuring SMTP relay hosts” on page 373.

Disable ESMTP: Mark the check box to disable ESMTP for outgoing email.

By default, FortiMail units can use ESMTP commands. ESMTP supports email messages with graphics, sound, video, and text in various languages. For more information on ESMTP, see RFC 1869.

Delivery Failure Handling: When email delivery fails, you can choose to use the mail queue settings (“Configuring mail queue setting” on page 370) to handle the temporary or permanent failures. You can also try another relay that you know might work.

Normal: Select this option if you want to queue the email and use the mail queue settings.

Deliver to relay host: Select another relay (backup relay) that you want to use for failed deliveries. Then specify how long the undelivered email should wait in the normal queue before trying the backup relay.

You can also specify which types of failed connections the backup relay should take over and retry:

  • DNS failure: failed DNS lookups
  • Network failure — connection
  • Network failure — other
  • Temporary failure from remote MTA (4XX reply code)
  • Permanent failure from remote MTA (5XX reply code)
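The Disable ESMTP and Delivery Failure Handling options above both depend on what the remote relay says in its SMTP replies. This added example (not FortiMail code) parses a reply, lists the ESMTP extensions that are offered only in an EHLO response and so go unused when a session opens with plain HELO, and places 4XX/5XX replies in the failure types listed above. It assumes that disabling ESMTP means HELO is sent instead of EHLO; the sample replies, the host relay.example.test and the REVIEW watch list are constructed for illustration.

```python
import re

# Assumption: ESMTP disabled = HELO instead of EHLO; REVIEW is an illustrative list.
REVIEW = {"STARTTLS": "RFC 3207", "AUTH": "RFC 4954", "DSN": "RFC 3461",
          "SIZE": "RFC 1870", "8BITMIME": "RFC 6152", "SMTPUTF8": "RFC 6531"}

def parse_reply(raw):
    """Parse one (possibly multi-line) SMTP reply into (code, [text, ...])."""
    code, texts = None, []
    for line in raw.splitlines():
        m = re.fullmatch(r"(\d{3})(?:([ -])(.*))?", line)
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed reply line: {line!r}")
        code = m.group(1)
        texts.append(m.group(3) or "")
        if m.group(2) != "-":      # "NNN text" or bare "NNN" ends the reply
            return int(code), texts
    raise ValueError("reply has no final line")

def ehlo_extensions(raw):
    """Map each keyword advertised in an EHLO reply to its parameters."""
    code, texts = parse_reply(raw)
    if code != 250:                # EHLO refused: nothing is on offer
        return {}
    lines = [t.split() for t in texts[1:]]   # first line is the server's greeting
    return {p[0].upper(): p[1:] for p in lines if p}

def lost_without_esmtp(raw):
    """Advertised extensions from REVIEW that a HELO-only session gives up."""
    return sorted(k for k in ehlo_extensions(raw) if k in REVIEW)

def failure_type(raw):
    """Place a remote MTA reply in the 4XX/5XX failure types listed above."""
    code, _ = parse_reply(raw)
    if 400 <= code <= 499:
        return "Temporary failure from remote MTA (4XX reply code)"
    if 500 <= code <= 599:
        return "Permanent failure from remote MTA (5XX reply code)"
    return None                    # not a failure reply

# Constructed sample replies; relay.example.test is a placeholder host.
SAMPLE_EHLO = ("250-relay.example.test Hello\n250-SIZE 52428800\n250-8BITMIME\n"
               "250-STARTTLS\n250-DSN\n250 PIPELINING")
SAMPLE_REJECT = "550-5.7.1 Relaying denied\n550 5.7.1 for this recipient"

if __name__ == "__main__":
    print(lost_without_esmtp(SAMPLE_EHLO), failure_type(SAMPLE_REJECT))
```

If STARTTLS appears in the result for a relay, a HELO-only session to that relay cannot negotiate TLS, so mail on that hop travels in cleartext.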

Configuring deferred message delivery

You can choose to defer delivery of two types of email to conserve bandwidth and improve performance of the mail server:

  • large email messages
  • lower priority email from certain senders, for example, marketing campaign email and mass mailing

Oversized message delivery can be resource-intensive. For improved FortiMail performance, schedule delivery during times when email traffic volume is low, such as nights and weekends.

To set a deferral period, configure both of the following:

  • In Start delivering messages at, select the hour and minute of the day at which to begin delivering oversize email messages.
  • In Stop delivering messages at, select the hour and minute of the day at which to stop delivering oversize email messages.

To configure the size limit or senders of deferred email, see “Configuring content profiles” on page 527.

Configuring domain check options

Use this section for LDAP compatibility.

If the domain lookup option is also enabled in the LDAP profile (see “Configuring domain lookup options” on page 565), the parent domain from the domain lookup query is used to hold domain association.

GUI item: Description

Perform LDAP domain verification for unknown domains: Enable to verify the existence of domains that are not configured as protected domains. Also configure LDAP profile for domain check.

To verify the existence of unknown domains, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, and:

  • If Automatically create domain association for verified domain is enabled, the FortiMail unit automatically adds the unknown domain as a domain association of the protected domain selected in Internal domain to hold association.
  • If Automatically create domain association for verified domain is disabled, and the DNS lookup of the unknown domain name is successful, the FortiMail unit routes the email to the IP address resolved for the domain name during the DNS lookup. Because the domain is not formally defined as a protected domain, the email is considered to be outgoing, and outgoing recipient-based policies are used to scan the email. For more information, see “Controlling email based on recipient addresses” on page 468.

LDAP profile for domain check: Select the LDAP profile to use when verifying existence of unknown domains. The LDAP query is configured under User Query Options in an LDAP profile. If you also enable the domain lookup option in the LDAP profile, the option must be enabled for the domain.

This option is available only if Perform LDAP domain verification for unknown domains is enabled.

Automatically create domain association for verified domain: Enable to automatically add unknown domains as domain associations if they are successfully verified by the LDAP query. See “Configuring domain lookup options” on page 565.

For more information about domain association, see “Domain Association” on page 393.

This option is available only if Perform LDAP domain verification for unknown domains is enabled.

Internal domain to hold domain association: Select the name of a protected domain with which to associate unknown domains, if they pass domain verification. However, if the domain lookup query (see “Configuring domain lookup options” on page 565) returned its own parent domain, that parent domain is used.

This option is available only if Automatically create domain association for verified domain is enabled.



6 thoughts on “Configuring Mail Settings”

  1. Viorel

    Hi,
    Do you think I could use FortiMail in server mode integrated with Office 365?
    Can I use this setup to be able to create email accounts in Office 365 and some emails in FortiMail?
    In my case I have like 140 permanent users and 30-40 users, let's say “temporary users” (3-4 months/year). For them I want to create email accounts in FortiMail.
    Ex: someone@testdomain.com is an Office 365 account, and someone2@testdomain.com is to be a FortiMail account.
    When an email is received, I want it to be redirected to where it belongs. If an email account was created in Office 365, it should be redirected there; if it was created in FortiMail, it should be redirected to FortiMail.

    Is this setup possible?
    Thank you

    Reply
    1. Mike Post author

      I have only ever deployed a FortiMail for Office 365 utilizing Gateway mode. I’m not sure, offhand, how one would make it work in server mode.

      Reply
  2. Danny

    I have several associated domains in FortiMail, mainly for ease of administration. We currently have DKIM and SPF set up for O365 outbound mail, but I’d like to start using FortiMail for outbound filtering. Will FortiMail just transparently relay the mail, leaving the DKIM signature and SPF IP address unaltered and valid? Or will it strip them, requiring me to use FortiMail for DKIM and its IP address in our SPF record? DKIM is so easy to set up in O365, so I would hate to have to redo it and split all our associated domains into dedicated domains.

    Reply
  3. Murat

    Hi, we have created a user in migrated user and started to migrate the mailbox from Exchange; after a couple of minutes it gives a connection error. We sniffed on the CLI and got an error code 500.5.3.3. Can you find what the problem is? Thanks.

    Reply
  4. Conver Zafra

    I have configured the LDAP in my Outlook 2010. Is there a way to automatically sync the LDAP contacts to my local Outlook contact list, so I can search contacts even when I am offline?

    Reply
