Configuring Profiles

Alias member query example

For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:

(& (objectClass=alias) (mail=$m))

where $m is the FortiMail variable for a user’s email address.

If the email address ($m) as it appears in the message header is different from the alias email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the alias by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam from the end of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=alias) (mail=$m${-spam}))

where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam- from the beginning of the user name portion of the recipient email address, you could use the query filter:

(& (objectClass=alias) (mail=$m${^spam-}))

where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.

Whether you should configure this query filter to retrieve user or alias objects depends on whether your schema resolves email addresses directly or indirectly (using references). For more information on direct versus indirect alias resolution, see “Base DN” on page 558.

If alias objects in your schema provide direct resolution, configure this query string to retrieve alias objects. Depending on your schema style, you can do this either using the user name portion of the alias email address ($u), or the entire email address ($m). For example, for the email aliases finance@example.com and admin@example.com, if your LDAP directory contains alias objects distinguished by cn: finance and cn: admin, respectively, this query string could be cn=$u.

If alias objects in your schema provide indirect resolution, configure this query string to retrieve user objects by their distinguished name, such as distinguishedName=$b or dn=$b. Also enable User group expansion in advance, then configure Group member query to retrieve email address alias objects, and configure Group Member Attribute to be the name of the alias object attribute, such as member, whose value is the distinguished name of a user object.

Configuring mail routing

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.

  1. Go to Profile > LDAP.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the Mail Routing Options.

The Mail Routing Options section query occurs after recipient tagging processing. If you have enabled recipient tagging, the Mail Routing Options section query will then be based on the tagged recipient address. If the tagged email address does not exist for the user in the LDAP directory, you may prefer to transform the recipient address by using the User Alias Options.

For more information on routing email by LDAP query, see “Mail routing LDAP profile” on page 391.

  4. Configure the following:

Figure 231: Mail Routing Options section

Mail host attribute
    Enter the name of the attribute, such as mailHost, whose value is the fully qualified domain name (FQDN) or IP address of the email server that stores email for the user’s email account.

    This attribute must be present in user objects.

Mail routing address attribute
    Enter the name of the attribute, such as mailRoutingAddress, whose value is the email address of a deliverable user on the email server, also known as the mail host.

    For example, a user may have many aliases and external email addresses that are not necessarily known to the email server. These addresses would all map to a real email account (mail routing address) on the email server (mail host) where the user’s email is actually stored.

    A user’s recipient email address located in the envelope or header portion of each email will be rewritten to this address.

    This attribute must be present in user objects.

Configuring antispam and antivirus options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.

  1. Go to Profile > LDAP.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the AS/AV On/Off Options.

Figure 232: AS/AV On/Off Options section

AntiSpam on/off attribute
    Enter the name of the attribute, such as antispam, whose value indicates whether or not to perform antispam processing for that user, and which antispam profile to use. Multiple value syntaxes are permissible. For details, see “LDAP directory requirements for each FortiMail LDAP profile query” on page 571.

    If enabled, this attribute setting takes precedence over the generic antispam attribute setting in the domain lookup options (see “Configuring domain lookup options” on page 564).

    If you enable this option but leave the attribute field blank, the antispam profile in the matched recipient-based policy will be used.

AntiVirus on/off attribute
    Enter the name of the attribute, such as antivirus, whose value indicates whether or not to perform antivirus processing for that user, and which antivirus profile to use. Multiple value syntaxes are permissible. For details, see “LDAP directory requirements for each FortiMail LDAP profile query” on page 571.

    If enabled, this attribute setting takes precedence over the generic antivirus attribute setting in the domain lookup options (see “Configuring domain lookup options” on page 564).

    If you enable this option but leave the attribute field blank, the antivirus profile in the matched recipient-based policy will be used.


6 thoughts on “Configuring Profiles”

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.

    Where can I get the book to view page 620??

  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95.03-95.09. What is really checked in headers? In our organization (government – 5000 users) we have lots of spam caught but also lots of false positives caught by this feature…

    1. Mike (Post author)

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

  3. Dormond

    Hello,
    Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000…). Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750’000… still no false positives.

  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FWs between the SMTP gateway and the LDAP servers, we do not want to clear the whole cache.
