Category Archives: Administration Guides

Best Practices and Fine Tuning

Best practices and fine tuning

This section is a collection of guidelines to ensure the most secure and reliable operation of FortiMail units.

These same guidelines can be found alongside their related setting throughout this

Administration Guide. To provide a convenient checklist, these guidelines are also listed here.

This section includes:

Network topology tuning
Network topology tuning
System security tuning
High availability (HA) tuning
SMTP connectivity tuning
Antispam tuning
Policy tuning
System maintenance tips
Performance tuning

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5 6 7 8

Installing Firmware

Installing firmware

Fortinet periodically releases FortiMail firmware updates to include enhancements and address issues. After you have registered your FortiMail unit, FortiMail firmware is available for download at http://support.fortinet.com.

Installing new firmware can overwrite antivirus and antispam packages using the versions of the packages that were current at the time that the firmware image was built. To avoid repeat updates, update the firmware before updating your FortiGuard packages.

New firmware can also introduce new features which you must configure for the first time.

For information specific to the firmware release version, see the Release Notes available with that release.

In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues without containing new features and/or changes to existing features. It is recommended to download and install patch releases as soon as they are available.

Before you can download firmware updates for your FortiMail unit, you must first register your FortiMail unit with Fortinet Technical Support. For details, go to http://support.fortinet.com/ or contact Fortinet Technical Support.

This section includes:

Testing firmware before installing it
Installing firmware
Clean installing firmware

Pages: 1 2 3 4 5

Logs, Reports, and Alerts

4 Replies

Logs, reports and alerts

The Log and Report menu lets you configure logging, reports, and alert email.

FortiMail units provide extensive logging capabilities for virus incidents, spam incidents and system events. Detailed log information and reports provide analysis of network activity to help you identify security issues and reduce network misuse and abuse.

Logs are useful when diagnosing problems or when you want to track actions the FortiMail unit performs as it receives and processes traffic.

This section includes:

About FortiMail logging
Configuring logging
Configuring report profiles and generating reports
Configuring alert email
Viewing log messages
Viewing generated reports

About FortiMail logging

FortiMail units can log many different email activities and traffic including:

system-related events, such as system restarts and HA activity
virus detections
spam filtering results
POP3, SMTP, IMAP and webmail events

You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see “Log message severity levels” on page 668.

A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see “Configuring logging” on page 671. It can also use log messages as the basis for reports. For more information, see “Configuring report profiles and generating reports” on page 676.

Accessing FortiMail log messages

There are several ways you can access FortiMail log messages:

On the FortiMail web UI, you can view log messages by going to Monitor > Log. For details, see the FortiMail Administration Guide.
On the FortiMail web UI, under Monitor > Log, you can download log messages to your local PC and view them later.
You can send log messages to a FortiAnalyzer unit by going to Log and Report > Log Settings > Remote Log Settings and view them on FortiAnalyzer.
You can send log messages to any Syslog server by going to Log and Report > Log Settings > Remote Log Settings.

Pages: 1 2 3 4 5 6 7 8

Archiving Email

Archiving email

You can archive email messages according to various criteria and reasons. For example, you may want to archive email sent by certain senders or email contains certain words.

This section contains the following topics:

Email archiving workflow
Configuring email archiving accounts
Configuring email archiving policies
Configuring email archiving exemptions

Email archiving workflow

To use the email archiving feature, you must do the following:

Create email archive accounts to send archived email to. See “Configuring email archiving accounts” on page 656.

Starting from version 4.2, you can create multiple archive accounts and send different categories of email to different accounts. For the maximum number of archive accounts you can create, see “Appendix B: Maximum Values Matrix” on page 726.

Create email archive policies or exemption policies to specify the archiving criteria. See “Configuring email archiving policies” on page 660 and “Configuring email archiving exemptions” on page 662. Or, when creating antispam action profiles and content action profiles, choose to archive email as one of the actions. See “Configuring antispam profiles and antispam action profiles” on page 503 and “Configuring content profiles and content action profiles” on page 526.
Assign the administrator account access privilege to the email archive. See “Configuring administrator accounts and access profiles” on page 289.
You can search or view the archived email as the FortiMail administrator. See “Managing archived email” on page 203. You can also access email archives remotely through IMAP. See “Configuring email archiving accounts” on page 656.

Configuring email archiving accounts

Before you can archive email, you need to set up and enable email archiving accounts, as described below. The archived emails will be stored in the archiving accounts. You can create multiple archive accounts and send different categories of email to different accounts. For the maximum number of archive accounts you can create, see “Appendix B: Maximum Values Matrix” on page 726.

When email is archived, you can view and manage the archived email messages. For more information, see “Managing archived email” on page 203. You can also access the email archive remotely through IMAP.

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

Page 656

To enable and configure an email archive account

Go to Email Archiving > Archive Accounts > Archive Accounts.

Figure 293:Managing email archive accounts

GUI item	Description
Status	Select to enable an email archiving account. Clear the check box to disable it.
Account	Lists email archive accounts.
Index Type	Indicates if archive indexing is in use and how much is indexed. Indexing speeds up content searches. The choices are: • None: email is not indexed. • Header: email headers are indexed. • Full: the entire message is indexed.
Storage	Indicates the type of archive storage: Local or Remote.
(Green dot in column heading)	Indicates whether the archive is currently referred to by an archive policy. If so, a red dot appears in this column and the entry cannot be deleted.

Click New to create an account or double-click an account to modify it.

A multisection dialog appears.

Figure 294:Configuring email archive accounts

Configure the following sections, and click Create.
- “Configuring account settings”
- “Configuring rotation settings”
- “Configuring destination settings”

Pages: 1 2 3

Configuring AntiSPAM Settings

2 Replies

Configuring antispam settings

The AntiSpam menu lets you configure antispam settings that are system-wide or otherwise not configured individually for each antispam profile.

Several antispam features require that you first configure system-wide, per-domain, or per-user settings in the AntiSpam menu before you can use the feature in an antispam profile. For more information on antispam profiles, see “Configuring antispam profiles and antispam action profiles” on page 503.

This section contains the following topics:

Configuring email quarantines and quarantine reports
Configuring the black lists and white lists
Configuring greylisting
Configuring bounce verification and tagging
Configuring endpoint reputation
Training and maintaining the Bayesian databases

Configuring email quarantines and quarantine reports

The Quarantine submenu lets you configure quarantine settings, and to configure system-wide settings for quarantine reports.

Using the email quarantine feature involves the following steps:

First, enable email quarantine when you configure antispam action profiles (see “Configuring antispam action profiles” on page 516) and content action profiles (see “Configuring content action profiles” on page 535).
Configure the system quarantine administrator account who can manage the system quarantine. See “Configuring the system quarantine administrator account and disk quota” on page 611.
Configure the quarantine control accounts, so that email users can send email to the accounts to release or delete email quarantines. See “Configuring the quarantine control accounts” on page 612.
Configure system-wide quarantine report settings, so that the FortiMail unit can send reports to inform email users of the mail quarantines. Then the users can decide if they want to release or delete the quarantined emails. See “Configuring global quarantine report settings” on page 602.
Configure domain-wide quarantine report settings for specific domains. See “Quarantine Report Setting” on page 394.
View and manage personal quarantines and system quarantines. See “Managing the quarantines” on page 182.
As the FortiMail administrator, you may also need to instruct end users about how to access their email quarantines. See “Accessing the personal quarantine and webmail” on page 720.
Configuring global quarantine report settings
Configuring the system quarantine administrator account and disk quota
Configuring the quarantine control accounts

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

Configuring Profiles

6 Replies

Configuring profiles

The Profile menu lets you configure many types of profiles. These are a collection of settings for antispam, antivirus, authentication, or other features.

After creating and configuring a profile, you can apply it either directly in a policy, or indirectly by inclusion in another profile that is selected in a policy. Policies apply each selected profile to all email messages and SMTP connections that the policy governs.

Creating multiple profiles for each type of policy lets you customize your email service by applying different profiles to policies that govern different SMTP connections or email users. For instance, if you are an Internet service provider (ISP), you might want to create and apply antivirus profiles only to policies governing email users who pay you to provide antivirus protection.

This section includes:

Configuring session profiles
Configuring antispam profiles and antispam action profiles
Configuring antivirus profiles and antivirus action profiles
Configuring content profiles and content action profiles
Configuring resource profiles (server mode only)
Configuring authentication profiles
Configuring LDAP profiles
Configuring dictionary profiles
Configuring security profiles
Configuring IP pools
Configuring email and IP groups
Configuring notification profiles

Configuring session profiles

Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.

To configure session profiles

Go to Profile > Session > Session.
Click New to add a profile or double-click a profile to modify it.

A multisection page appears.

Figure 193:Session Profile dialog

For a new session profile, type the name in Profile name.
Configure the following sections as needed:

“Configuring connection settings” on page 483
“Configuring sender reputation options” on page 485
“Configuring endpoint reputation options” on page 487
“Configuring sender validation options” on page 488
“Configuring session settings” on page 490
“Configuring unauthenticated session settings” on page 493
“Configuring SMTP limit options” on page 496
“Configuring error handling options” on page 497
“Configuring header manipulation options” on page 498
“Configuring list options” on page 499
Configuring advanced MTA control settings

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

Configuring Policies

Configuring policies

The Policy menu lets you create policies that use profiles to filter email.

It also lets you control who can send email through the FortiMail unit, and stipulate rules for how it will deliver email that it proxies or relays.

• What is a policy?

How to use policies
Controlling SMTP access and delivery
Controlling email based on recipient addresses
Controlling email based on IP addresses

What is a policy?

A policy defines which way traffic will be filtered. It may also define user account settings, such as authentication type, disk quota, and access to webmail.

After creating the antispam, antivirus, content, authentication, TLS, or resource profiles (see “Configuring profiles” on page 482), you need to apply them to policies for them to take effect.

FortiMail units support three types of policies:

Access control and delivery rules that are typical to SMTP relays and servers (see

“Controlling SMTP access and delivery” on page 456)

Recipient-based policies (see “Controlling email based on recipient addresses” on page 468)
IP-based policies (see “Controlling email based on IP addresses” on page 475)

Recipient-based policies versus IP-based policies

Recipient-based policies

The FortiMail unit applies these based on the recipient’s email address or the recipient’s user group. May also define authenticated webmail or POP3 access by that email user to their per-recipient quarantine. Since version 4.0, the recipient-based policies also check sender patterns.

IP-based policies

The FortiMail unit applies these based on the SMTP client’s IP address (server mode or gateway mode), or the IP addresses of both the SMTP client and SMTP server (transparent mode).

Page 453

Incoming versus outgoing email messages

There are two types of recipient-based policies: incoming and outgoing. The FortiMail unit applies incoming policies to the incoming mail messages and outgoing policies to the outgoing mail messages.

Whether the email is incoming or outgoing is decided by the domain name in the recipient’s email address. If the domain is a protected domain, the FortiMail unit considers the message to be incoming and applies the first matching incoming recipient-based policy. If the recipient domain is not a protected domain, the message is considered to be outgoing, and applies outgoing recipient-based policy.

To be more specific, the FortiMail unit actually matches the recipient domain’s IP address with the IP list of the protected SMTP servers where the protected domains reside. If there is an IP match, the domain is deemed protected and the email destined to this domain is considered to be incoming. If there is no IP match, the domain is deemed unprotected and the email destined to this domain is considered to be outgoing.

For more information on protected domains, see “Configuring protected domains” on page 380.

Pages: 1 2 3 4 5 6 7 8 9

Managing Users

1 Reply

Managing users

The User menu enables you to configure email user-related settings, such as groups, PKI authentication, preferences, address mappings, and email address aliases. If the FortiMail unit is operating in server mode, the User menu also enables you to add email user accounts.

This section includes:

Configuring local user accounts (server mode only)
Configuring user preferences
Configuring PKI authentication
Configuring user groups
Configuring aliases
Configuring address mappings
Configuring IBE users

Configuring local user accounts (server mode only)

When operating in server mode, the FortiMail unit is a standalone email server. The FortiMail unit receives email messages, scans for viruses and spam, and then delivers email to its email users’ mailboxes. External MTAs connect to the FortiMail unit, which itself is also the protected email server.

When the FortiMail unit operates in server mode and the web UI operates in advanced mode, the User tab is available. It lets you configure email user accounts whose mailboxes are hosted on the FortiMail unit. Email users can then access their email hosted on the FortiMail unit using webmail, POP3 and/or IMAP. For information on webmail and other features used directly by email users, see “Setup for email users” on page 719.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

For details, see “About administrator account permissions and domains” on page 290.

To view email user accounts, go to User > User > User.

Figure 170:User tab

Page 424

GUI item	Description
Maintenance (button)	Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of each mailbox, and empty or delete mailboxes as required. The SecureMail mailbox contains the secured email for the user. The Bulk mailbox contains spam quarantined by the FortiMail unit. Click Back to return to the Users tab.
Export .CSV (button)	Click to download a backup of the email users list in comma-separated value (CSV) file format. The user passwords are encoded for security. Caution: Most of the email user accounts data, such as mailboxes and preferences, is not included in the .csv file. For information on performing a complete backup, see “Backup and restore” on page 218.
Import .CSV (button)	In the field to the right of Import .CSV, enter the location of a CSV-formatted email user backup file, then click Import .CSV to upload the file to your FortiMail unit. The import feature provides a simple way to add a list of new users in one operation. See “Importing a list of users” on page 427. Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see “Configuring protected domains” on page 380. You may also want to back up the existing email user accounts. For details, see “Backup and restore” on page 218.
Password (button)	Select a user and click this button to change a user’s password. A dialog appears. Choose whether to change the user password or to switch to LDAP authentication. You can create a new LDAP profile or edit an existing one. For details, see “Configuring LDAP profiles” on page 548.
Domain	Select the protected domain to display its email users, or to select the protected domain to which you want to add an email user account before clicking New. You can see only the domains that are permitted by your administrator profile.
Search user	Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria. To return to the complete user list, clear the search field and press Enter.
User Name	Displays the user name of an email user, such as user1. This is also the local portion of the email user’s primary email address.
Type	Displays the type of user: local, LDAP, or RADIUS.
Display Name	Displays the display name of an email user, such as “J Smith”. This name appears in the From: field in the message headers of email messages sent from this email user.
Disk Usage (KB)	Displays the disk space used by mailboxes for the email user in kilobytes (KB).

Pages: 1 2 3 4 5 6 7 8