Using S/MIME encryption

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. The FortiMail unit supports S/MIME encryption.

You can encrypt email messages with S/MIME between two FortiMail units. For example, if you want to encrypt and send an email from FortiMail unit A to FortiMail unit B, you need to do the following:

1. On FortiMail unit A:
   • import the CA certificate. For details, see “Managing certificates” on page 346.
   • create an external certificate binding to obtain FortiMail unit B’s public key in the certificate to encrypt the email. For details, see “Configuring certificate bindings” on page 362.
   • create an S/MIME encryption profile. For details, see “Configuring encryption profiles” on page 594.
   • apply the S/MIME encryption profile in a policy to trigger the S/MIME encryption by either creating a message delivery rule to use the S/MIME encryption profile (see “Configuring delivery rules” on page 464), or creating a policy to include a content profile containing a content action profile with an S/MIME encryption profile (see “Controlling email based on recipient addresses” on page 468, “Controlling email based on IP addresses” on page 475, “Configuring content action profiles” on page 535, and “Configuring content profiles” on page 526).

2. On FortiMail unit B:

• import the CA certificate. For details, see “Managing certificates” on page 346.
• create an internal certificate binding and import both FortiMail unit B’s private key and certificate to decrypt the email encrypted by FortiMail unit A using FortiMail unit B’s private key.

Configuring IP pools

The Profile > IP Pool tab displays the list of IP pool profiles.

IP pools define a range of IP addresses, and can be used in multiple ways:

• To define destination IP addresses of multiple protected SMTP servers if you want to load balance incoming email between them (see “Relay type” on page 384)
• To define source IP addresses used by the FortiMail unit if you want outgoing email to originate from a range of IP addresses (see “IP pool” on page 392)
• To define destination addresses used by the FortiMail unit if you want incoming email to destine to the virtual host on a range of IP addresses (see “IP pool” on page 392)

Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

• An IP pool in an IP policy will be used to deliver incoming emails from FortiMail to the protected server. It will also be used to deliver outgoing emails if the sender domain doesn’t have a delivery IP pool or, although it has a delivery IP pool, Take precedence over recipient based policy match is enabled in the IP-based policy.
• An IP pool (either in an IP policy or domain settings) will NOT be used to deliver emails to the protected domain servers if the mail flow is from internal to internal domains.
• When an email message’s MAIL FROM is empty “<>”, normally the email is a NDR or DSN bounced message. FortiMail will check the IP address of the sender device against the IP list of the protected domains. If the sender IP is found in the protected domain IP list, the email flow is considered as from internal to internal and the above rule is applied (the IP pool will be skipped). FortiMail will also skip the DNS query if servers of the protected domains are configured as host names and MX record.

To access this part of the web UI, your administrator account’s:

• Domain must be System
• access profile must have Read or Read-Write permission to the Policy

For details, see “About administrator account permissions and domains” on page 290.

To manage IP pool profiles

1. Go to Profile > IP Pool > IP Pool.
2. Either click New to add a profile or double-click a profile to modify it.
3. For a new profile, enter a name in Pool name.

The name must contain only alphanumeric characters, hyphens ( – ) and underscores ( _ ). Spaces are not allowed.

4. Under IP Ranges, click New.

Fields appear beneath Start IP and Range.

5. In Start IP, enter the IP address that begins the range of IP addresses that will be used for this IP pool.
6. In Range, enter the total number of IP addresses in the contiguous range of the IP pool, including that of the Start IP.

For example, if Start IP is 10.0.0.3 and Range is 5, the IP pool will contain the IP addresses 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6, and 10.0.0.7.

7. To include additional ranges of IP addresses in this IP pool, repeat the previous steps. To remove a range of IP addresses from this IP pool, select the range and click Delete.
8. Click Create or OK.

To apply the IP pool, select it in a protected domain or IP-based policy. For details, see “Relay type” on page 384, “IP pool” on page 392, and/or “IP Pool” on page 478.

Configuring email and IP groups

The Profile > Group tab displays the list of email and IP group profiles.

To access this part of the web UI, your administrator account’s:

• Domain must be System
• access profile must have Read or Read-Write permission to the Policy

For details, see “About administrator account permissions and domains” on page 290.

Configuring email groups

Email groups include groups of email addresses that can be used when configuring access control rules. For information about access control rules, see “Configuring access control rules” on page 456.

To configure email groups

1. Go to Profile > Group > Email Group.
2. Either click New to add a profile or double-click a profile to modify it.

A dialog appears.

3. For a new group, enter a name for this email group.

The name must contain only alphanumeric characters. Spaces are not allowed.

4. In New member, enter the email address of a group member and click -> to move the address to the Current members

You can also use wildcards to enter partial patterns that can match multiple email addresses. The asterisk represents one or more characters and the question mark (?) represents any single character.

For example, the pattern ??@*.com will match any email user with a two letter email user name from any “.com” domain name.

Configuring IP groups

IP groups include groups of IP addresses that can be used when configuring access control rules. For information about access control rules, see “Configuring access control rules” on page 456.

To configure an IP group

1. Go to Profile > Group > IP Group.
2. Either click New to add a profile or double-click profile to modify it.
   • dialog appears.
3. For a new group, enter a name in Group name.

The name must contain only alphanumeric characters. Spaces are not allowed.

4. Under IP Groups, click New.
   • field appears under IP/Netmask.
5. Enter the IP address and netmask of the group. Use the netmask, the portion after the slash (/), to specify the matching subnet.

For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

To match any address, enter 0.0.0.0/0.

6. Click Create.

Configuring notification profiles

When FortiMail takes actions against email messages, you may wan to inform email senders, recipients, or any other users of the actions, that is, what happened to the email.

To achieve this purpose, you need to create such kind of notification profiles and then use them in antispam, antivirus, and content action profiles. For details, see “Configuring antispam action profiles” on page 516, “Configuring antivirus action profiles” on page 522, and “Configuring content action profiles” on page 535.

Figure 261:Creating a notification profile

To create a notification profile

1. Go to Profile > Notification. If you have created some notification profiles, you can view, clone, edit, or delete them there.
2. Click New to create a profile.
3. For Name, enter a profile name.
4. Choose whom you want to send notification to: sender, recipient, or other users. If you choose Others, you click manage the email list by using the Add and Remove
5. Select an email template to use. You can also click New to create a new template or click Edit to modify an existing template. For details about email templates, see “Customizing email templates” on page 288.
6. Optionally select Include original message as attachment.
7. Click OK.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!