Configuring address mapping options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.

1. Go to Profile > LDAP.
2. Click New to create a new profile or double click on an existing profile to edit it.
3. Click the arrow to expand the Address Mapping Options

Mappings usually should not translate an email address into one that belongs to an unprotected domain. However, unlike locally defined address mappings, this restriction is not enforced for mappings defined on an LDAP server.

After configuring a profile with this query, you must select it in order for the FortiMail unit to use it. For details, see “LDAP user alias / address mapping profile” on page 391.

Alternatively, you can configure email address mappings on the FortiMail unit itself. For details, see “Configuring address mappings” on page 444.

4. Configure the following:

Figure 233:Address Mapping Options section

GUI item	Description
Internal address attribute	Enter the name of the LDAP attribute, such as internalAddress, whose value is an email address in the same or another protected domain. This email address will be rewritten into the value of the external address attribute according to the match conditions and effects described in Table 51 on page 445. The name of this attribute may vary by the schema of your LDAP directory.

External address attribute Enter the name of the attribute, such as externalAddress, whose value is an email address in the same or another protected domain.

This email address will be rewritten into the value of the internal address attribute according to the match conditions and effects described in Table 51 on page 445.

The name of this attribute may vary by the schema of your LDAP directory.

Configuring domain lookup options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.

1. Go to Profile > LDAP.
2. Click New to create a new profile or double click on an existing profile to edit it.
3. Click the arrow to expand the AS/AV On/Off Options

Organizations with multiple domains may maintain a list of domains on the LDAP server. The FortiMail unit can query the LDAP server to verify the domain portion of a recipient’s email address.

For this option to work, your LDAP directory should contain a single generic user for each domain such as generic@dom1.com because the FortiMail unit will only look at the domain portion of the generic user’s mail address, such as dom1.com.

When an SMTP session is processed, the FortiMail unit will query the LDAP server for the domain portion retrieved from the recipient email address. If the LDAP server finds a user entry, it will reply with the domain objects defined in the LDAP directory, including parent domain attribute, generic mail host attribute, generic antispam attribute, and generic antivirus attribute. The FortiMail unit will remember the mapping domain, mail routing, and antispam and antivirus profiles information to avoid querying the LDAP server again for the same domain portion retrieved from a recipient email address in the future.

If there are no antispam and antivirus profiles for the user, the FortiMail unit will use the antispam and antivirus profiles from the matching IP policy.

If the LDAP server does not find a user matching the domain, the user is considered as unknown, and the mail will be rejected unless it has a specific access list entry.

4. Configure the following:

Figure 234:Domain Lookup Options section

GUI item		Description
Domain Lookup Query		Enter an LDAP query filter that selects a set of domain objects, whichever object class contains the attribute you configured for this option, from the LDAP directory. For details on query syntax, refer to any standard LDAP query filter reference manual. For this option to work, your LDAP directory should contain a single generic user for each domain. The user entry should be configured with attributes to represent the following: •      parent domain from which a domain inherits the specific RCPT check settings and quarantine report settings. For example, parentDomain=parent.com For information on parent domain, see “Configuring protected domains” on page 380. •      IP address of the backend mail server hosting the mailboxes of the domain. For example, mailHost=192.168.1.105 • antispam profile assigned to the domain. For example, genericAntispam=parentAntispam •            antivirus profile assigned to the domain. For example, genericAntivirus=parentAntivirus
Parent domain attribute		Enter the name of the attribute, such as parentDomain, whose value is the name of the parent domain from which a domain inherits the specific RCPT check settings and quarantine report settings. The name of this attribute may vary by the schema of your LDAP directory.
	Generic mail host attribute		Enter the name of the attribute, such as mailHost, whose value is the IP address of the backend mail server hosting the mailboxes of the domain. The name of this attribute may vary by the schema of your LDAP directory.
	Generic AntiSpam attribute		Enter the name of the attribute, such as genericAntispam, whose value is the name of the antispam profile assigned to the domain. The name of this attribute may vary by the schema of your LDAP directory. If you do not specify this attribute at all (that is, leave this field blank), the antispam profile in the matched recipient-based policy will be used.
	Generic AntiVirus attribute		Enter the name of the attribute, such as genericAntivirus, whose value is the name of the antivirus profile assigned to the domain. The name of this attribute may vary by the schema of your LDAP directory. If you do not specify this attribute at all (that is, leave this field blank), the antivirus profile in the matched recipient-based policy will be used.

Configuring advanced options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.

1. Go to Profile > LDAP.
2. Click New to create a new profile or double click on an existing profile to edit it.
3. Click the arrow to expand the AS/AV On/Off Options
4. Configure the following:

Figure 235:Advanced Options section

	GUI item		Description
	Timeout		Enter the maximum amount of time in seconds that the FortiMail unit will wait for query responses from the LDAP server.
Protocol version		Select the LDAP protocol version used by the LDAP server.
Allow unauthenticated bind		Enable to perform queries in this profile without supplying a bind DN and password for the directory search. Many LDAP servers require LDAP queries to be authenticated using a bind DN and password. However, if your LDAP server does not require the FortiMail unit to authenticate before performing queries, you may enable this option.
Enable cache		Enable to cache LDAP query results. Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiMail unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently. If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.
TTL		Enter the amount of time, in minutes, that the FortiMail unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiMail unit to query the LDAP server, refreshing the cache. The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching. This option is applicable only if Enable cache is enabled.
Enable webmail password change		Enable if you want to allow FortiMail webmail users to change their password.
Password schema		Select your LDAP server’s user schema style, either Openldap or Active Directory.
Bypass recipient verification if server unavailable		If you have selected using LDAP server to verify recipient address in Mail Settings > Domains and your LDAP server is down, selecting this option abandons recipient address verification and the FortiMail unit will continue relaying email. For more information about recipient address verification, see “Configuring recipient address verification” on page 387.

The LDAP profile appears in the LDAP profile list. To apply it, select the profile in features that support LDAP queries, such as protected domains and policies.

Before using the LDAP profile in other areas of the configuration, verify the configuration of each query that you have enabled in the LDAP profile. Incorrect query configuration can result in unexpected mail processing behavior. For information on testing queries, see “Testing LDAP profile queries” on page 576.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!