Monthly Archives: April 2016

Logs, Reports, and Alerts

4 Replies

Logs, reports and alerts

The Log and Report menu lets you configure logging, reports, and alert email.

FortiMail units provide extensive logging capabilities for virus incidents, spam incidents and system events. Detailed log information and reports provide analysis of network activity to help you identify security issues and reduce network misuse and abuse.

Logs are useful when diagnosing problems or when you want to track actions the FortiMail unit performs as it receives and processes traffic.

This section includes:

  • About FortiMail logging
  • Configuring logging
  • Configuring report profiles and generating reports
  • Configuring alert email
  • Viewing log messages
  • Viewing generated reports

About FortiMail logging

FortiMail units can log many different email activities and traffic including:

  • system-related events, such as system restarts and HA activity
  • virus detections
  • spam filtering results
  • POP3, SMTP, IMAP and webmail events

You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see “Log message severity levels” on page 668.

A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see “Configuring logging” on page 671. It can also use log messages as the basis for reports. For more information, see “Configuring report profiles and generating reports” on page 676.

Accessing FortiMail log messages

There are several ways you can access FortiMail log messages:

  • On the FortiMail web UI, you can view log messages by going to Monitor > Log. For details, see the FortiMail Administration Guide.
  • On the FortiMail web UI, under Monitor > Log, you can download log messages to your local PC and view them later.
  • You can send log messages to a FortiAnalyzer unit by going to Log and Report > Log Settings > Remote Log Settings and view them on FortiAnalyzer.
  • You can send log messages to any Syslog server by going to Log and Report > Log Settings > Remote Log Settings.
Pages: 1 2 3 4 5 6 7 8

Archiving Email

Leave a reply

Archiving email

You can archive email messages according to various criteria and reasons. For example, you may want to archive email sent by certain senders or email contains certain words.

This section contains the following topics:

  • Email archiving workflow
  • Configuring email archiving accounts
  • Configuring email archiving policies
  • Configuring email archiving exemptions

Email archiving workflow

To use the email archiving feature, you must do the following:

  1. Create email archive accounts to send archived email to. See “Configuring email archiving accounts” on page 656.

Starting from version 4.2, you can create multiple archive accounts and send different categories of email to different accounts. For the maximum number of archive accounts you can create, see “Appendix B: Maximum Values Matrix” on page 726.

  1. Create email archive policies or exemption policies to specify the archiving criteria. See “Configuring email archiving policies” on page 660 and “Configuring email archiving exemptions” on page 662. Or, when creating antispam action profiles and content action profiles, choose to archive email as one of the actions. See “Configuring antispam profiles and antispam action profiles” on page 503 and “Configuring content profiles and content action profiles” on page 526.
  2. Assign the administrator account access privilege to the email archive. See “Configuring administrator accounts and access profiles” on page 289.
  3. You can search or view the archived email as the FortiMail administrator. See “Managing archived email” on page 203. You can also access email archives remotely through IMAP. See “Configuring email archiving accounts” on page 656.

Configuring email archiving accounts

Before you can archive email, you need to set up and enable email archiving accounts, as described below. The archived emails will be stored in the archiving accounts. You can create multiple archive accounts and send different categories of email to different accounts. For the maximum number of archive accounts you can create, see “Appendix B: Maximum Values Matrix” on page 726.

When email is archived, you can view and manage the archived email messages. For more information, see “Managing archived email” on page 203. You can also access the email archive remotely through IMAP.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

Page 656

To enable and configure an email archive account

  1. Go to Email Archiving > Archive Accounts > Archive Accounts.

Figure 293:Managing email archive accounts

GUI item Description
Status Select to enable an email archiving account. Clear the check box to disable it.
Account Lists email archive accounts.
Index Type Indicates if archive indexing is in use and how much is indexed. Indexing speeds up content searches. The choices are:

•      None: email is not indexed.

•      Header: email headers are indexed.

•      Full: the entire message is indexed.
Storage Indicates the type of archive storage: Local or Remote.
(Green dot in column heading) Indicates whether the archive is currently referred to by an archive policy. If so, a red dot appears in this column and the entry cannot be deleted.
  1. Click New to create an account or double-click an account to modify it.

A multisection dialog appears.

Figure 294:Configuring email archive accounts

  1. Configure the following sections, and click Create.
    • “Configuring account settings”
    • “Configuring rotation settings”
    • “Configuring destination settings”
Pages: 1 2 3

Configuring AntiSPAM Settings

1 Reply

Configuring antispam settings

The AntiSpam menu lets you configure antispam settings that are system-wide or otherwise not configured individually for each antispam profile.

Several antispam features require that you first configure system-wide, per-domain, or per-user settings in the AntiSpam menu before you can use the feature in an antispam profile. For more information on antispam profiles, see “Configuring antispam profiles and antispam action profiles” on page 503.

This section contains the following topics:

  • Configuring email quarantines and quarantine reports
  • Configuring the black lists and white lists
  • Configuring greylisting
  • Configuring bounce verification and tagging
  • Configuring endpoint reputation
  • Training and maintaining the Bayesian databases

Configuring email quarantines and quarantine reports

The Quarantine submenu lets you configure quarantine settings, and to configure system-wide settings for quarantine reports.

Using the email quarantine feature involves the following steps:

  • First, enable email quarantine when you configure antispam action profiles (see “Configuring antispam action profiles” on page 516) and content action profiles (see “Configuring content action profiles” on page 535).
  • Configure the system quarantine administrator account who can manage the system quarantine. See “Configuring the system quarantine administrator account and disk quota” on page 611.
  • Configure the quarantine control accounts, so that email users can send email to the accounts to release or delete email quarantines. See “Configuring the quarantine control accounts” on page 612.
  • Configure system-wide quarantine report settings, so that the FortiMail unit can send reports to inform email users of the mail quarantines. Then the users can decide if they want to release or delete the quarantined emails. See “Configuring global quarantine report settings” on page 602.
  • Configure domain-wide quarantine report settings for specific domains. See “Quarantine Report Setting” on page 394.
  • View and manage personal quarantines and system quarantines. See “Managing the quarantines” on page 182.
  • As the FortiMail administrator, you may also need to instruct end users about how to access their email quarantines. See “Accessing the personal quarantine and webmail” on page 720.
  • Configuring global quarantine report settings
  • Configuring the system quarantine administrator account and disk quota
  • Configuring the quarantine control accounts
Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

Configuring Profiles

6 Replies

Configuring profiles

The Profile menu lets you configure many types of profiles. These are a collection of settings for antispam, antivirus, authentication, or other features.

After creating and configuring a profile, you can apply it either directly in a policy, or indirectly by inclusion in another profile that is selected in a policy. Policies apply each selected profile to all email messages and SMTP connections that the policy governs.

Creating multiple profiles for each type of policy lets you customize your email service by applying different profiles to policies that govern different SMTP connections or email users. For instance, if you are an Internet service provider (ISP), you might want to create and apply antivirus profiles only to policies governing email users who pay you to provide antivirus protection.

This section includes:

  • Configuring session profiles
  • Configuring antispam profiles and antispam action profiles
  • Configuring antivirus profiles and antivirus action profiles
  • Configuring content profiles and content action profiles
  • Configuring resource profiles (server mode only)
  • Configuring authentication profiles
  • Configuring LDAP profiles
  • Configuring dictionary profiles
  • Configuring security profiles
  • Configuring IP pools
  • Configuring email and IP groups
  • Configuring notification profiles

Configuring session profiles

Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.

To configure session profiles

  1. Go to Profile > Session > Session.
  2. Click New to add a profile or double-click a profile to modify it.

A multisection page appears.

Figure 193:Session Profile dialog

  1. For a new session profile, type the name in Profile name.
  2. Configure the following sections as needed:
  • “Configuring connection settings” on page 483
  • “Configuring sender reputation options” on page 485
  • “Configuring endpoint reputation options” on page 487
  • “Configuring sender validation options” on page 488
  • “Configuring session settings” on page 490
  • “Configuring unauthenticated session settings” on page 493
  • “Configuring SMTP limit options” on page 496
  • “Configuring error handling options” on page 497
  • “Configuring header manipulation options” on page 498
  • “Configuring list options” on page 499
  • Configuring advanced MTA control settings
Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

Configuring Policies

Leave a reply

Configuring policies

The Policy menu lets you create policies that use profiles to filter email.

It also lets you control who can send email through the FortiMail unit, and stipulate rules for how it will deliver email that it proxies or relays.

                                 •    What is a policy?

  • How to use policies
  • Controlling SMTP access and delivery
  • Controlling email based on recipient addresses
  • Controlling email based on IP addresses

What is a policy?

A policy defines which way traffic will be filtered. It may also define user account settings, such as authentication type, disk quota, and access to webmail.

After creating the antispam, antivirus, content, authentication, TLS, or resource profiles (see “Configuring profiles” on page 482), you need to apply them to policies for them to take effect.

FortiMail units support three types of policies:

  • Access control and delivery rules that are typical to SMTP relays and servers (see

“Controlling SMTP access and delivery” on page 456)

  • Recipient-based policies (see “Controlling email based on recipient addresses” on page 468)
  • IP-based policies (see “Controlling email based on IP addresses” on page 475)

Recipient-based policies versus IP-based policies

  • Recipient-based policies

The FortiMail unit applies these based on the recipient’s email address or the recipient’s user group. May also define authenticated webmail or POP3 access by that email user to their per-recipient quarantine. Since version 4.0, the recipient-based policies also check sender patterns.

  • IP-based policies

The FortiMail unit applies these based on the SMTP client’s IP address (server mode or gateway mode), or the IP addresses of both the SMTP client and SMTP server (transparent mode).

Page 453

Incoming versus outgoing email messages

There are two types of recipient-based policies: incoming and outgoing. The FortiMail unit applies incoming policies to the incoming mail messages and outgoing policies to the outgoing mail messages.

Whether the email is incoming or outgoing is decided by the domain name in the recipient’s email address. If the domain is a protected domain, the FortiMail unit considers the message to be incoming and applies the first matching incoming recipient-based policy. If the recipient domain is not a protected domain, the message is considered to be outgoing, and applies outgoing recipient-based policy.

To be more specific, the FortiMail unit actually matches the recipient domain’s IP address with the IP list of the protected SMTP servers where the protected domains reside. If there is an IP match, the domain is deemed protected and the email destined to this domain is considered to be incoming. If there is no IP match, the domain is deemed unprotected and the email destined to this domain is considered to be outgoing.

For more information on protected domains, see “Configuring protected domains” on page 380.

Pages: 1 2 3 4 5 6 7 8 9

Managing Users

1 Reply

Managing users

The User menu enables you to configure email user-related settings, such as groups, PKI authentication, preferences, address mappings, and email address aliases. If the FortiMail unit is operating in server mode, the User menu also enables you to add email user accounts.

This section includes:

  • Configuring local user accounts (server mode only)
  • Configuring user preferences
  • Configuring PKI authentication
  • Configuring user groups
  • Configuring aliases
  • Configuring address mappings
  • Configuring IBE users

Configuring local user accounts (server mode only)

When operating in server mode, the FortiMail unit is a standalone email server. The FortiMail unit receives email messages, scans for viruses and spam, and then delivers email to its email users’ mailboxes. External MTAs connect to the FortiMail unit, which itself is also the protected email server.

When the FortiMail unit operates in server mode and the web UI operates in advanced mode, the User tab is available. It lets you configure email user accounts whose mailboxes are hosted on the FortiMail unit. Email users can then access their email hosted on the FortiMail unit using webmail, POP3 and/or IMAP. For information on webmail and other features used directly by email users, see “Setup for email users” on page 719.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

For details, see “About administrator account permissions and domains” on page 290.

To view email user accounts, go to User > User > User.

Figure 170:User tab

Page 424

 

GUI item Description
Maintenance (button) Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of each mailbox, and empty or delete mailboxes as required.

The SecureMail mailbox contains the secured email for the user.

The Bulk mailbox contains spam quarantined by the FortiMail unit.

Click Back to return to the Users tab.
Export .CSV (button) Click to download a backup of the email users list in comma-separated value (CSV) file format. The user passwords are encoded for security.

Caution: Most of the email user accounts data, such as mailboxes and preferences, is not included in the .csv file. For information on performing a complete backup, see “Backup and restore” on page 218.
Import .CSV (button) In the field to the right of Import .CSV, enter the location of a CSV-formatted email user backup file, then click Import .CSV to upload the file to your FortiMail unit.

The import feature provides a simple way to add a list of new users in one operation. See “Importing a list of users” on page 427.

Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see “Configuring protected domains” on page 380. You may also want to back up the existing email user accounts. For details, see “Backup and restore” on page 218.
Password

(button)

 Select a user and click this button to change a user’s password. A dialog appears. Choose whether to change the user password or to switch to LDAP authentication. You can create a new LDAP profile or edit an existing one. For details, see “Configuring LDAP profiles” on page 548.
Domain Select the protected domain to display its email users, or to select the protected domain to which you want to add an email user account before clicking New.

You can see only the domains that are permitted by your administrator profile.
Search user Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

To return to the complete user list, clear the search field and press Enter.
User Name Displays the user name of an email user, such as user1. This is also the local portion of the email user’s primary email address.
Type Displays the type of user: local, LDAP, or RADIUS.
Display Name Displays the display name of an email user, such as “J Smith”. This name appears in the From: field in the message headers of email messages sent from this email user.
Disk Usage (KB) Displays the disk space used by mailboxes for the email user in kilobytes (KB).
Pages: 1 2 3 4 5 6 7 8

Configuring Mail Settings

6 Replies

Configuring mail settings

The Mail Settings menu lets you configure the basic email settings of the FortiMail unit (such as the port number of the FortiMail SMTP relay/proxy/server), plus how to handle connections and how to manage the mail queues.

This section includes:

  • Configuring the built-in MTA and mail server
  • Configuring protected domains
  • Managing the address book (server mode only)
  • Sharing calendars and address books (server mode only)
  • Migrating email from other mail servers (server mode only)
  • Configuring proxies (transparent mode only)

Configuring the built-in MTA and mail server

Go to Mail Settings > Settings to configure assorted settings that apply to the SMTP server and webmail server that are built into the FortiMail unit.

This section includes:

  • Configuring mail server settings
  • Configuring global disclaimers
  • Configuring disclaimer exclusion list
  • Selecting the mail data storage location

Configuring mail server settings

Use the mail server settings to configure SMTP server/relay settings of the System domain, which is located on the local host (that is, your FortiMail unit).

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure local SMTP server settings

  1. Go to Mail Settings > Settings > Mail Server Settings.

A multisection page appears.

Page 366

Figure 153:Mail Server Settings tab

  1. Configure the following sections as needed:
  • “Configuring local host settings” on page 368
  • “Configuring SMTP relay hosts” on page 373
  • “Configuring deferred message delivery” on page 371
  • “Configuring DSN options” on page 369
  • “Configuring mail queue setting” on page 370
  • “Configuring domain check options” on page 372

Configuring local host settings

Provide the name and SMTP information for the mail server.

GUI item Description
Host name Enter the host name of the FortiMail unit.

Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<host-name>.<local-domain-name>

such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name.

Note: The FQDN of the FortiMail unit should be different from that of protected SMTP servers. If the FortiMail unit uses the same FQDN as your mail server, it may become difficult to distinguish the two devices during troubleshooting.

Note: You should use a different host name for each FortiMail unit, especially when you are managing multiple FortiMail units of the same model, or when configuring a high availability (HA) cluster. This will let you to distinguish between different members of the cluster. If the FortiMail unit is in HA mode, the FortiMail unit will add the host name to the subject line of alert email messages. For details, see “Configuring alert email” on page 682.
Local domain name Enter the local domain name to which the FortiMail unit belongs.

The local domain name is used in many features such as email quarantine, Bayesian database training, quarantine report, and delivery status notification (DSN) email messages.

Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<host-name>.<local-domain-name>

such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name.

Note: The IP address should be globally resolvable into the FQDN of the FortiMail unit if it will relay outgoing email. If it is not globally resolvable, reverse DNS lookups of the FortiMail unit’s domain name by external SMTP servers will fail. For quarantine reports, if the FortiMail unit is operating in server mode or gateway mode, DNS records for the local domain name may need to be globally resolvable to the IP address of the FortiMail unit. If it is not globally resolvable, web and email release/delete for the per-recipient quarantines may fail. For more information on configuring required DNS records, see “Setting up the system” on page 25.

Note: The Local domain name is not required to be different from or identical to any protected domain. It can be a subdomain or different, external domain.

For example, a FortiMail unit whose FQDN is fortimail.example.com could be configured with the protected domains example.com and accounting.example.net.
SMTP server port number Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.
GUI item Description
SMTP over SSL/TLS Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted.

Note: This option must be enabled to receive SMTPS connections. However, it does not require them. To enforce client use of SMTPS, see “Configuring access control rules” on page 456.
SMTPS server port number Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections. The default port number is 465.

This option is unavailable if SMTP over SSL/TLS is disabled.
SMTP MSA

service

 Enable let your email clients use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476.
SMTP MSA port number Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery. The default port number is 587.
POP3 server port number Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.

This option is available only if the FortiMail unit is operating in server mode.
Default domain for

authentication

 If you set one domain as the default domain, users on the default domain only need to enter their user names without the domain part for webmail/SMTP/IMAP/POP3 authentication, such as user1. Users on the non-default domains must enter both the user name part and domain part to authentication, such as user2@example.com.

Webmail access Enable to redirect HTTP webmail access to HTTPS.

Configuring DSN options

Use this section to configure mail server delivery status notifications.

For information on failed deliveries, see “Managing the deferred mail queue” on page 179 and “Managing undeliverable mail” on page 181.

For more information on DSN, see “Managing the deferred mail queue” on page 179.

GUI item Description
DSN (NDR) email generation Enable to allow the FortiMail unit to send DSN messages to notify email users of delivery delays and/or failure.
GUI item Description
Sender displayname Displays the name of the sender, such as FortiMail administrator, as it should appear in DSN email.

If this field is empty, the FortiMail unit uses the default name of postmaster.

Sender address Displays the sender email address in DSN.

If this field is empty, the FortiMail unit uses the default sender email address of postmaster@<domain_str>, where <domain_str> is the domain name of the FortiMail unit, such as example.com.

Pages: 1 2 3 4 5 6 7 8 9 10 11

Configuring IBE Encryption

2 Replies

Configuring IBE encryption

The System > Encryption > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

  • About IBE
  • About FortiMail IBE
  • FortiMail IBE configuration workflow
  • Configuring IBE services

About IBE

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate or key pre-enrollment or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

What happens is that when an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Figure 148 shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically. Figure  shows how FortiMail IBE works:

Figure 147:How FortiMail works with IBE

  1. The FortiMail unit applies its IBE-related IP-based policies ,

Figure 148:Sample secure message notification

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

  • Configure and enable the IBE service. See “Configuring IBE services” on page 359.
  • Manage IBE users. See “Configuring IBE users” on page 447.
  • Configure an IBE encryption profile. See “Configuring encryption profiles” on page 594.

If you want to encrypt email based on the email contents:

  • Add the IBE encryption profile to the content action profile. See “Configuring content action profiles” on page 535.
  • Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See “Configuring content profiles” on page 526.
  • Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See “Controlling email based on recipient addresses” on page 468, and “Controlling email based on IP addresses” on page 475.

For example, on the FortiMail unit, you have:

  • configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see “Configuring dictionary profiles” on page 586)
  • added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
  • included the content profile to IP and recipient policies

You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.

For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in MS Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.

  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

If you want to encrypt email using message delivery rules:

  • Configure message delivery rules using encryption profiles to determine email that need to be encrypted with IBE. See “Configuring delivery rules” on page 464.
  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see “FortiMail IBE configuration workflow” on page 358.

To configure IBE service

  1. Go to System > Encryption > IBE Encryption.

Figure 149:IBE encryption tab

  1. Configure the following:

GUI item                   Description

Enable IBE service Select to enable the IBE service you configured.

IBE service name Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail.
User registration expiry time (days) Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.
User inactivity expiry time (days) Enter the number of days the secure mail recipient can access the FortiMail unit without registration.

For example, if you set the value to 30 days and if the mail recipient did not access the FortiMail unit for 30 days after the user registers on the unit, the recipient will need to register again if another secure mail is sent to the user. If the recipient accessed the FortiMail unit on the 15th days, the 30-day limit will be recalculated from the 15th day onwards.

Encrypted email    Enter the number of days that the secured mail will be saved on the storage expiry time FortiMail unit. (days)

Password reset     Enter the password reset expiry time in hours. expiry time (hours)

This is for the recipients who have forgotten their login passwords and request for new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

 

GUI item Description
Allow secure replying Select to allow the secure mail recipient to reply the email with encryption.
Allow secure forwarding Select to allow the secure mail recipient to forward the email with encryption.
Allow secure composing Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.
IBE base URL Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail.
“Help” content

URL

 You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file.

If you leave this field empty, a default help file link will be added to the secure mail notification.
“About” content

URL

 You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file.

If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

GUI item                   Description

Allow custom user control If your corporation has its own user authentication tools, enable this option and enter the URL.

“Custom user control” URL: This is the URL where you can check for user existence.

“Custom forgot password” URL: This is the URL where users get authenticated.
Notification Settings You can choose to send notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

Click the Edit link to modify the email template. For details, see “Customizing email templates” on page 288.

Depending on the IBE email access method (either PUSH or PULL) you defined in “Configuring encryption profiles” on page 594, the notification settings behave differently.

•      If the IBE message is stored on FortiMail PULL access method), the “read” notification will only be sent the first time the message is read.

•      If the IBE message is not stored on FortiMail (PUSH access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.

•      There is no “unread” notification for IBE PUSH messages.
Pages: 1 2