Category Archives: Administration Guides

Configuring Mail Settings

Configuring mail settings

The Mail Settings menu lets you configure the basic email settings of the FortiMail unit (such as the port number of the FortiMail SMTP relay/proxy/server), plus how to handle connections and how to manage the mail queues.

This section includes:

Configuring the built-in MTA and mail server
Configuring protected domains
Managing the address book (server mode only)
Sharing calendars and address books (server mode only)
Migrating email from other mail servers (server mode only)
Configuring proxies (transparent mode only)

Configuring the built-in MTA and mail server

Go to Mail Settings > Settings to configure assorted settings that apply to the SMTP server and webmail server that are built into the FortiMail unit.

This section includes:

Configuring mail server settings
Configuring global disclaimers
Configuring disclaimer exclusion list
Selecting the mail data storage location

Configuring mail server settings

Use the mail server settings to configure SMTP server/relay settings of the System domain, which is located on the local host (that is, your FortiMail unit).

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure local SMTP server settings

Go to Mail Settings > Settings > Mail Server Settings.

A multisection page appears.

Page 366

Figure 153:Mail Server Settings tab

Configure the following sections as needed:

“Configuring local host settings” on page 368
“Configuring SMTP relay hosts” on page 373
“Configuring deferred message delivery” on page 371
“Configuring DSN options” on page 369
“Configuring mail queue setting” on page 370
“Configuring domain check options” on page 372

Configuring local host settings

Provide the name and SMTP information for the mail server.

GUI item	Description
Host name	Enter the host name of the FortiMail unit. Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format: <host-name>.<local-domain-name> such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name. Note: The FQDN of the FortiMail unit should be different from that of protected SMTP servers. If the FortiMail unit uses the same FQDN as your mail server, it may become difficult to distinguish the two devices during troubleshooting. Note: You should use a different host name for each FortiMail unit, especially when you are managing multiple FortiMail units of the same model, or when configuring a high availability (HA) cluster. This will let you to distinguish between different members of the cluster. If the FortiMail unit is in HA mode, the FortiMail unit will add the host name to the subject line of alert email messages. For details, see “Configuring alert email” on page 682.
Local domain name	Enter the local domain name to which the FortiMail unit belongs. The local domain name is used in many features such as email quarantine, Bayesian database training, quarantine report, and delivery status notification (DSN) email messages. Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format: <host-name>.<local-domain-name> such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name. Note: The IP address should be globally resolvable into the FQDN of the FortiMail unit if it will relay outgoing email. If it is not globally resolvable, reverse DNS lookups of the FortiMail unit’s domain name by external SMTP servers will fail. For quarantine reports, if the FortiMail unit is operating in server mode or gateway mode, DNS records for the local domain name may need to be globally resolvable to the IP address of the FortiMail unit. If it is not globally resolvable, web and email release/delete for the per-recipient quarantines may fail. For more information on configuring required DNS records, see “Setting up the system” on page 25. Note: The Local domain name is not required to be different from or identical to any protected domain. It can be a subdomain or different, external domain. For example, a FortiMail unit whose FQDN is fortimail.example.com could be configured with the protected domains example.com and accounting.example.net.
SMTP server port number	Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.
GUI item	Description
SMTP over SSL/TLS	Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS. When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted. Note: This option must be enabled to receive SMTPS connections. However, it does not require them. To enforce client use of SMTPS, see “Configuring access control rules” on page 456.
SMTPS server port number	Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections. The default port number is 465. This option is unavailable if SMTP over SSL/TLS is disabled.
SMTP MSA service	Enable let your email clients use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs. For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476 .
SMTP MSA port number	Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery. The default port number is 587.
POP3 server port number	Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110. This option is available only if the FortiMail unit is operating in server mode.
Default domain for authentication	If you set one domain as the default domain, users on the default domain only need to enter their user names without the domain part for webmail/SMTP/IMAP/POP3 authentication, such as user1. Users on the non-default domains must enter both the user name part and domain part to authentication, such as user2@example.com.

Webmail access Enable to redirect HTTP webmail access to HTTPS.

Configuring DSN options

Use this section to configure mail server delivery status notifications.

For information on failed deliveries, see “Managing the deferred mail queue” on page 179 and “Managing undeliverable mail” on page 181.

For more information on DSN, see “Managing the deferred mail queue” on page 179.

GUI item	Description
DSN (NDR) email generation	Enable to allow the FortiMail unit to send DSN messages to notify email users of delivery delays and/or failure.
GUI item	Description
Sender displayname	Displays the name of the sender, such as FortiMail administrator, as it should appear in DSN email. If this field is empty, the FortiMail unit uses the default name of postmaster.

Sender address Displays the sender email address in DSN.

If this field is empty, the FortiMail unit uses the default sender email address of postmaster@<domain_str>, where <domain_str> is the domain name of the FortiMail unit, such as example.com.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5 6 7 8 9 10 11

Configuring IBE Encryption

2 Replies

Configuring IBE encryption

The System > Encryption > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

About IBE
About FortiMail IBE
FortiMail IBE configuration workflow
Configuring IBE services

About IBE

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate or key pre-enrollment or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

What happens is that when an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Figure 148 shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically. Figure shows how FortiMail IBE works:

Figure 147:How FortiMail works with IBE

The FortiMail unit applies its IBE-related IP-based policies ,

Figure 148:Sample secure message notification

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

Configure and enable the IBE service. See “Configuring IBE services” on page 359.
Manage IBE users. See “Configuring IBE users” on page 447.
Configure an IBE encryption profile. See “Configuring encryption profiles” on page 594.

If you want to encrypt email based on the email contents:

Add the IBE encryption profile to the content action profile. See “Configuring content action profiles” on page 535.
Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See “Configuring content profiles” on page 526.
Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See “Controlling email based on recipient addresses” on page 468, and “Controlling email based on IP addresses” on page 475.

For example, on the FortiMail unit, you have:

configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see “Configuring dictionary profiles” on page 586)
added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
included the content profile to IP and recipient policies

You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.

For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in MS Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.

Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
Configure log settings for IBE encryption. See “Configuring logging” on page 671.
View logs of IBE encryption. See “Viewing log messages” on page 206.

If you want to encrypt email using message delivery rules:

Configure message delivery rules using encryption profiles to determine email that need to be encrypted with IBE. See “Configuring delivery rules” on page 464.
Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
Configure log settings for IBE encryption. See “Configuring logging” on page 671.
View logs of IBE encryption. See “Viewing log messages” on page 206.

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see “FortiMail IBE configuration workflow” on page 358.

To configure IBE service

Go to System > Encryption > IBE Encryption.

Figure 149:IBE encryption tab

Configure the following:

GUI item Description

Enable IBE service Select to enable the IBE service you configured.

IBE service name

Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail.

User registration expiry time (days)

Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.

User inactivity expiry time (days)

Enter the number of days the secure mail recipient can access the FortiMail unit without registration.

For example, if you set the value to 30 days and if the mail recipient did not access the FortiMail unit for 30 days after the user registers on the unit, the recipient will need to register again if another secure mail is sent to the user. If the recipient accessed the FortiMail unit on the 15th days, the 30-day limit will be recalculated from the 15th day onwards.

Encrypted email Enter the number of days that the secured mail will be saved on the storage expiry time FortiMail unit. (days)

Password reset Enter the password reset expiry time in hours. expiry time (hours)

This is for the recipients who have forgotten their login passwords and request for new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

GUI item	Description
Allow secure replying	Select to allow the secure mail recipient to reply the email with encryption.
Allow secure forwarding	Select to allow the secure mail recipient to forward the email with encryption.
Allow secure composing	Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted. For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.
IBE base URL	Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail.
“Help” content URL	You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file. If you leave this field empty, a default help file link will be added to the secure mail notification.
“About” content URL	You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file. If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

GUI item Description

Allow custom user control

If your corporation has its own user authentication tools, enable this option and enter the URL.

“Custom user control” URL: This is the URL where you can check for user existence.

“Custom forgot password” URL: This is the URL where users get authenticated.

Notification Settings

You can choose to send notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

Click the Edit link to modify the email template. For details, see “Customizing email templates” on page 288.

Depending on the IBE email access method (either PUSH or PULL) you defined in “Configuring encryption profiles” on page 594, the notification settings behave differently.

• If the IBE message is stored on FortiMail PULL access method), the “read” notification will only be sent the first time the message is read.

• If the IBE message is not stored on FortiMail (PUSH access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.

• There is no “unread” notification for IBE PUSH messages.

Pages: 1 2

Managing Certificates

Leave a reply

Managing certificates

This section explains how to manage X.509 security certificates using the FortiMail web UI. Using the Certificate submenu, you can generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys.

FortiMail uses certificates for PKI authentication in secure connections. PKI authentication is the process of determining if a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate by obtaining a certificate from a certification authority (CA).

You can manage the following types of certificates on FortiMail:

Table 44:Certificate types

Certificate type	Usage
CA certificates	FortiMail uses CA certificates to authenticate the PKI users, including administrators and web mail users. For details, see “Configuring PKI authentication” on page 435 and “Managing certificate authority certificates” on page 354.
Server certificates	FortiMail must present its local server certificate for the following secure connections: • the web UI (HTTPS connections only) • webmail (HTTPS connections only) • secure email, such as SMTPS, IMAPS, and POP3S For details, see “Managing local certificates” on page 347.
Personal certificates	Mail users’ personal certificates are used for S/MIME encryption. For details, see “Configuring certificate bindings” on page 362.

This section contains the following topics:

Managing local certificates
Managing certificate authority certificates
Managing the certificate revocation list
Managing OCSP server certificates

Managing local certificates

System > Certificate > Local Certificate displays both the signed server certificates and unsigned certificate requests.

On this tab, you can also generate certificate signing requests and import signed certificates in order to install them for local use by the FortiMail unit.

FortiMail units require a local server certificate that it can present when clients request secure connections, including:

the web UI (HTTPS connections only)
webmail (HTTPS connections only)
secure email, such as SMTPS, IMAPS, and POP3S

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view local certificates

Go to System > Certificate > Local Certificate.

Figure 139:Local Certificate tab

GUI item	Description
Delete (button)	Removes the selected certificate.
View (button)	Select a certificate and click View to display its issuer, subject, and range of dates within which the certificate is valid.
Generate (button)	Click to generate a local certificate request. For more information, see “Generating a certificate signing request” on page 348.
Download (button)	Click the row of a certificate file or certificate request file in order to select it, then click this button and select either: • Download: Download a certificate (.cer) or certificate request (.csr) file. You can send the request to your certificate authority (CA) to obtain a signed certificate for the FortiMail unit. For more information, see “Downloading a certificate signing request” on page 351. • Download PKCS12 File: Download a PKCS #12 (.p12) file. For details, see “Downloading a PKCS #12 certificate” on page 354.
GUI item	Description
Set status	Click the row of a certificate in order to select it, then click this button to use it as the “default” (that is, currently chosen for use) certificate. The Status column changes to indicate that the certificate is the current (Default) certificate. This button is not available if the selected certificate is already the “default.”
Import (button)	Click to import a signed certificate for local use. For more information, see “Importing a certificate” on page 352.
Name	Displays the name of the certificate file or certificate request file.
Subject	Displays the Distinguished Name (DN) located in the Subject field of the certificate. If the certificate has not yet been signed, this field is empty.
Status	Displays the status of the local certificates or certificate signing request. • Default: Indicates that the certificate was successfully imported, and is currently selected for use by the FortiMail unit. • OK: Indicates that the certificate was successfully imported, but is not selected as the certificate currently in use. To use the certificate, click the row of the certificate in order to select it, then click Set status. • Pending: Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a local certificate. For details, see “Obtaining and installing a local certificate” on page 348.

Obtaining and installing a local certificate

There are two methods to obtain and install a local certificate:

If you already have a signed server certificate (a backup certificate, a certificate exported from other devices, and so on), you can import the certificate into FortiMail. For details, see “Importing a certificate” on page 352.
Generate a certificate signing request on the FortiMail unit, get the request signed by a CA ,and import the signed certificate into FortiMail.

For the second method, follow these steps:

Generating a certificate signing request
Downloading a certificate signing request
Submitting a certificate request to your CA for signing
Importing a certificate

Generating a certificate signing request

You can generate a certificate request file, based on the information you enter to identify the FortiMail unit. Certificate request files can then be submitted for verification and signing by a certificate authority (CA).

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To generate a certificate request

Go to System > Certificate > Local Certificate.
Click Generate.

A dialog appears.

Configure the following:

Figure 140:Generate Certificate Signing Request dialog

GUI item	Description
Certification name	Enter a unique name for the certificate request, such as fmlocal.
Subject Information	Information that the certificate is required to contain in order to uniquely identify the FortiMail unit.

GUI item	Description
ID type	Select which type of identifier will be used in the certificate to identify the FortiMail unit: • Host IP • Domain name • E-mail Which type you should select varies by whether or not your FortiMail unit has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate. For example, if your FortiMail unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiMail unit, you might prefer to generate a certificate based on the domain name of the FortiMail unit, rather than its IP address. • Host IP requires that the FortiMail unit have a static, public IP address. It may be preferable if clients will be accessing the FortiMail unit primarily by its IP address. • Domain name requires that the FortiMail unit have a fully-qualified domain name (FQDN). It may be preferable if clients will be accessing the FortiMail unit primarily by its domain name. • E-mail does not require either a static IP address or a domain name. It may be preferable if the FortiMail unit does not have a domain name or public IP address.
IP	Enter the static IP address of the FortiMail unit. This option appears only if ID Type is Host IP.
Domain name	Type the fully-qualified domain name (FQDN) of the FortiMail unit. The domain name may resolve to either a static or, if the FortiMail unit is configured to use a dynamic DNS service, a dynamic IP address. For more information, see “Configuring the network interfaces” on page 247 and “Configuring dynamic DNS” on page 259. If a domain name is not available and the FortiMail unit subscribes to a dynamic DNS service, an unable to verify certificate message may appear in the user’s browser whenever the public IP address of the FortiMail unit changes. This option appears only if ID Type is Domain name.
E-mail	Type the email address of the owner of the FortiMail unit. This option appears only if ID type is E-mail.
Optional Information	Information that you may include in the certificate, but which is not required.
GUI item	Description
Organization unit	Type the name of your organizational unit, such as the name of your department. (Optional.) To enter more than one organizational unit name, click the + icon, and enter each organizational unit separately in each field.
Organization	Type the legal name of your organization. (Optional.)
Locality(City)	Type the name of the city or town where the FortiMail unit is located. (Optional.)
State/Province	Type the name of the state or province where the FortiMail unit is located. (Optional.)
Country	Select the name of the country where the FortiMail unit is located. (Optional.)
E-mail	Type an email address that may be used for contact purposes. (Optional.)
Key type	Displays the type of algorithm used to generate the key. This option cannot be changed, but appears in order to indicate that only RSA is currently supported.
Key size	Select a security key size of 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security.

Click OK.

The certificate is generated, and can be downloaded to your management computer for submission to a certificate authority (CA) for signing. For more information, see “Downloading a certificate signing request” on page 351.

Downloading a certificate signing request

After you have generated a certificate request, you can download the request file to your management computer in order to submit the request file to a certificate authority (CA) for signing.

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To download a certificate request

Go to System > Certificate > Local Certificate.
Click the row that corresponds to the certificate request in order to select it.
Click Download, then select Download from the pop-up menu.

Your web browser downloads the certificate request (.csr) file.

Submitting a certificate request to your CA for signing

After you have download the certificate request file, you can submit the request to you CA for signing.

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To submit a certificate request

Using the web browser on the management computer, browse to the web site for your CA.
Follow your CA’s instructions to place a Base64-encoded PKCS #12 certificate request, uploading your certificate request.
Follow your CA’s instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client.
When you receive the signed certificate from the CA, install the certificate on the FortiMail unit. For more information, see “Importing a certificate” on page 352.

Importing a certificate

You can upload Base64-encoded certificates in either privacy-enhanced email (PEM) or public key cryptography standard #12 (PKCS #12) format from your management computer to the FortiMail unit.

restoring a certificate backup
installing a certificate that has been generated on another system
installing a certificate, after the certificate request has been generated on the FortiMail unit and signed by a certificate authority (CA)

If you generated the certificate request using the FortiMail unit, after you submit the certificate request to CA, the CA will verify the information and register the contact information in a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate and return it to you for installation on the FortiMail unit. To install the certificate, you must import it. For other related steps, see “Obtaining and installing a local certificate” on page 348.

If the FortiMail unit’s local certificate is signed by an intermediate CA rather than a root CA, before clients will trust the FortiMail unit’s local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the FortiMail unit’s certificate is genuine. You can demonstrate this chain of trust either by:

installing each intermediate CA’s certificate in the client’s list of trusted CAs
including a signing chain in the FortiMail unit’s local certificate

To include a signing chain, before importing the local certificate to the FortiMail unit, first open the FortiMail unit’s local certificate file in a plain text editor, append the certificate of each intermediate CA in order from the intermediate CA who signed the FortiMail unit’s certificate to the intermediate CA whose certificate was signed directly by a trusted root CA, then save the certificate. For example, a local certificate which includes a signing chain might use the following structure:

—–BEGIN CERTIFICATE—-<FortiMail unit’s local server certificate>

—–END CERTIFICATE—–

—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–

—–BEGIN CERTIFICATE—–

<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted

root CA>

—–END CERTIFICATE—–

To import a local certificate

Go to System > Certificate > Local Certificate.
Click Import.
From Type, select the type of the import file or files:
- Local Certificate: Select this option if you are importing a signed certificate issued by your CA. For other related steps, see “Obtaining and installing a local certificate” on page 348.
- PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.
- Certificate: Select this option if you are importing an existing certificate whose certificate file (.cert) and key file (.key) are stored separately. The private key is password-encrypted.

The remaining fields vary by your selection in Type.

Figure 141:Uploading a local certificate

Figure 142:Uploading a PKCS12 certificate)

Figure 143:Uploading a certificate

Configure the following:

GUI item	Description
Certificate file	Enter the location of the previously .cert or .pem exported certificate (or, for PKCS #12 certificates, the .p12 certificate-and-key file), or click Browse to locate the file.
Key file	Enter the location of the previously exported key file, or click Browse to locate the file. This option appears only when Type is Certificate.
Password	Enter the password that was used to encrypt the file, enabling the FortiMail unit to decrypt and install the certificate. This option appears only when Type is PKCS12 certificate or Certificate.

Downloading a PKCS #12 certificate

You can export certificates from the FortiMail unit to a PKCS #12 file for secure download and import to another platform, or for backup purposes.

To download a PKCS #12 file

Go to System > Certificate > Local Certificate.
Click the row that corresponds to the certificate in order to select it.
Click Download, then select Download PKCS12 File on the pop-up menu.

A dialog appears.

In Password and Confirm password, enter the password that will be used to encrypt the exported certificate file. The password must be at least four characters long.
Click Download.
If your browser prompts you for a location to save the file, select a location.

Your web browser downloads the PKCS #12 (.p12) file. For information on importing a PKCS #12 file, see “Importing a certificate” on page 352.

Managing certificate authority certificates

Go to System > Certificates > CA Certificate to view and import certificates for certificate authorities (CA).

Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates may be trusted to be authentic.

CA certificates are required by connections that use transport layer security (TLS), and by S/MIME encryption. For more information, see “Configuring TLS security profiles” on page 591 and “Configuring certificate bindings” on page 362. Depending on the configuration of each PKI user, CA certificates may also be required to authenticate PKI users. For more information, see “Configuring PKI authentication” on page 435.

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Others category For details, see “About administrator account permissions and domains” on page 290.

To view a the list of CA certificates, go to System > Certificate > CA Certificate.

Figure 144:CA Certificate tab

Table 45:Managing CA certificates

GUI item	Description
Delete (button)	Removes the selected certificate.
View (button)	Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.
Download (button)	Click the row of a certificate in order to select it, then click Download to download a copy of the CA certificate (.cer).
Import (button)	Click to import a CA certificate.
Name	Displays the name of the CA certificate.
Subject	Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Managing the certificate revocation list

The Certificate Revocation List tab lets you view and import certificate revocation lists.

To ensure that your FortiMail unit validates only valid (not revoked) certificates, you should periodically upload a current certificate revocation list, which may be provided by certificate authorities (CA). Alternatively, you can use online certificate status protocol (OCSP) to query for certificate statuses. For more information, see “Managing OCSP server certificates” on page 356.

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view remote certificates, go to System > Certificate > Certificate Revocation List.

Figure 145:Certificate Revocation List tab

Table 46:Managing certificate revocation lists

GUI item	Description
Delete (button)	Removes the selected list.
View (button)	Select a certificate revocation list and click View to display details.
Download (button)	Select a certificate revocation list and click Download to download a copy of the CRL file (.cer).
Import (button)	Click to import a certificate revocation list.
Name	Displays the name of the certificate revocation list.
Subject	Displays the Distinguished Name (DN) located in the Subject field of the certificate revocation list.

Managing OCSP server certificates

Go to System > Certificate > Remote to view and import the certificates of the online certificate status protocol (OCSP) servers of your certificate authority (CA).

OCSP lets you revoke or validate certificates by query, rather than by importing certificate revocation lists (CRL). For information about importing CRLs, see “Managing the certificate revocation list” on page 355.

Remote certificates are required if you enable OCSP for PKI users. For more information, see “Configuring PKI authentication” on page 435.

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Others category For details, see “About administrator account permissions and domains” on page 290.

To view a the list of remote certificates, go to System > Certificate > Remote.

Figure 146:Remote tab

Table 47:Managing OCSP server certificates

GUI item

Description

Delete

(button)

Removes the selected certificate.

View

(button)

Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Table 47:Managing OCSP server certificates

Download (button)	Click the row of a certificate in order to select it, then click Download to download a copy of the OCSP server certificate (.cer).
Import (button)	Click to import an OCSP server certificate.
Name	Displays the name of the OCSP server certificate.
Subject	Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Using High Availability

Leave a reply

Using high availability (HA)

Go to System > High Availability to configure the FortiMail unit to act as a member of a high availability (HA) cluster in order to increase processing capacity or availability.

For the general procedure of how to enable and configure HA, see “How to use HA” on page 312.

This section contains the following topics:

About high availability
About the heartbeat and synchronization
About logging, alert email and SNMP in HA
How to use HA
Monitoring the HA status
Configuring the HA mode and group
Configuring service-based failover
Example: Failover scenarios
Example: Active-passive HA group in gateway mode

About high availability

FortiMail units can operate in one of two HA modes, active-passive or config-only.

Table 31:Comparison of HA modes

Active-passive HA	Config-only HA
2 FortiMail units in the HA group	2-25 FortiMail units in the HA group
Typically deployed behind a switch	Typically deployed behind a load balancer
Both configuration* and data synchronized	Only configuration* synchronized
Only primary unit processes email	All units process email

Table 31:Comparison of HA modes

No data loss when hardware fails	Data loss when hardware fails
Failover protection, but no increased processing capacity	Increased processing capacity, but no failover protection

* For exceptions to synchronized configuration items, see “Configuration settings that are not synchronized” on page 309.

Figure 126:Active-passive HA group operating in gateway mode

Figure 127:Config-only HA group operating in gateway mode

If the config-only HA group is installed behind a load balancer, the load balancer stops sending email to failed FortiMail units. All sessions being processed by the failed FortiMail unit must be restarted and will be re-directed by the load balancer to other FortiMail units in the config-only HA group.

You can mix different FortiMail models in the same HA group. However, all units in the HA group must have the same firmware version.

Communications between HA cluster members occur through the heartbeat and synchronization connection. For details, see “About the heartbeat and synchronization” on page 307.

To configure FortiMail units operating in HA mode, you usually connect only to the primary unit (master). The primary unit’s configuration is almost entirely synchronized to secondary units (slave), so that changes made to the primary unit are propagated to the secondary units.

Exceptions to this rule include connecting to a secondary unit in order to view log messages recorded about the secondary unit itself on its own hard disk, and connecting to a secondary unit to configure settings that are not synchronized. For details, see “Configuration settings that are not synchronized” on page 309.

To use FortiGuard Antivirus or FortiGuard Antispam with HA, license all FortiMail units in the cluster. If you license only the primary unit in an active-passive HA group, after a failover, the secondary unit cannot connect to the FortiGuard Antispam service. For FortiMail units in a config-only HA group, only the licensed unit can use the subscription services.

For instructions of how to enable and configure HA, see “How to use HA” on page 312.

Pages: 1 2 3 4 5 6 7 8

Configuring RAID

Leave a reply

Configuring RAID

Go to System > RAID to configure a redundant array of independent disks (RAID) for the FortiMail hard disks that are used to store logs and email.

Most FortiMail models can be configured to use RAID with their hard disks. The default RAID level should give good results, but you can modify the configuration to suit your individual requirements for enhanced performance and reliability. For more information, see “Configuring RAID for FortiMail 400B/400C/5002B models” on page 299 or “Configuring RAID on FortiMail 1000D/2000A/2000B/3000C/3000D/4000A models” on page 301.

You can configure the RAID levels for the local disk partitions used for storing email files or log files (in the case of FortiMail-400/400B/400C), depending on your requirements for performance, resiliency, and cost.

RAID events can be logged and reported with alert email. These events include disk full and disk failure notices. For more information, see “About FortiMail logging” on page 665, and “Configuring alert email” on page 682.

About RAID levels

Supported RAID levels vary by FortiMail model.

FortiMail 400B, 400C, and 5002B models use software RAID controllers which support RAID levels 0 or 1. You can configure the log disk with a RAID level that is different from the email disk.

FortiMail 1000D, 2000A, 2000B, 3000C, 3000D and 4000A models use hardware RAID controllers that require that the log disk and mail disk use the same RAID level.

FortiMail 100C, 200D, and 5001A models do not support RAID.

The available RAID levels depend on the number of hard drives installed in the FortiMail unit and different FortiMail models come with different number of factory-installed hard drives. You can added more hard drives if required. For details, see “Replacing a RAID disk” on page 304.

The following tables describe RAID levels supported by each FortiMail model.

Table 30:FortiMail supported RAID levels

Number of Installed Hard Drives	Available RAID Levels	Default RAID Level
1	0	0
2	0, 1	1
3	0, 1 + hot spare, 5	5
4	5 + hot spare, 10	10
5	5 + hot spare, 10 + hot spares	10 + hot spares
6	10, 50	10
7 or more	10, 10 + hot spares, 50, 50 + hot spares	50 + hot spares

Hot spares

FortiMail models with a hardware RAID controller have a hot spare RAID option. This feature consists of one or more disks that are pre-installed with the other disks in the unit. The hot spare disk is idle until an active hard disk in the RAID fails. Then the RAID immediately puts the hot spare disk into service and starts to rebuild the data from the failed disk onto it. This rebuilding may take up to several hours depending on system load and amount of data stored on the RAID, but the RAID continues without interruption during the process.

The hot spare feature has one or more extra hard disks installed with the RAID. A RAID 10 configuration requires two disks per RAID 1, and has only one hot spare disk. A RAID 50 configuration requires three disks per RAID 5, and can have up to two hot spare disks.

Configuring RAID for FortiMail 400B/400C/5002B models

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view and configure RAID levels

Go to System > RAID > RAID System.

Figure 124:RAID System tab (FortiMail-400)

GUI item	Description
Device	Displays the name of the RAID unit. This indicates whether it is used for log message data or for mailboxes, mail queues, and other email-related data. This is hard-coded and not configurable.
Unit	Displays the internal mount point of the RAID unit. This is hard-coded and not configurable.
Level	Displays the RAID level that indicates whether it is configured for optimal speed, failure tolerance, or both. For more information on RAID levels, see “About RAID levels” on page 298.
Resync Action	Displays the status of the RAID device. • idle: The RAID is idle, with no data being written to or read from the RAID disks. • dirty: Data is currently buffered, waiting to be written to disk. • clean: No data is currently buffered, waiting to be written to the RAID unit. • errors: Errors were detected on the RAID unit. • no-errors: No errors were detected on the RAID unit. • dirty no-errors: Data is currently buffered, waiting to be written to the RAID unit, and there are currently no detected RAID errors. For a FortiMail unit in active use, this is the expected setting. • clean no-errors: No data is currently buffered, waiting to be written to the RAID unit, and there are currently no RAID errors. For a FortiMail unit with an unmounted array that is not in active use, this is the expected setting.
Resync Status	If the RAID unit is not synchronized and you have clicked Click here to check array to cause it to rebuild itself, such as after a hard disk is replaced in the RAID unit, a progress bar indicates rebuild progress. The progress bar appears only when Click here to check array has been clicked and the status of the RAID is not clean no-errors.
Speed	Displays the average speed in kilobytes (KB) per second of the data transfer for the resynchronization. This is affected by the disk being in use during the resynchronization.
GUI item	Description
Apply (button)	Click to save changes.
Refresh (button)	Click to manually initiate the tab’s display to refresh itself with current information.
ID/Port	Indicates the identifier of each hard disk visible to the RAID controller.
Part of Unit	Indicates the RAID unit to which the hard disk belongs, if any. To be usable by the FortiMail unit, you must add the hard disk to a RAID unit.
Status	Indicates the hardware viability of the hard disk.
Size	Indicates the capacity of the hard disk, in gigabytes (GB).
Delete (button)	Click to unmount a hard disk before swapping it. After replacing the disk, add it to a RAID unit, then click Re-scan.

Back up data on the disk before beginning this procedure. Changing the device’s RAID level temporarily suspends all mail processing and erases all data on the hard disk. For more information on creating a backup, see “Backup and restore” on page 218.

In the Level column, click the row corresponding to the RAID device whose RAID level you want to change.

The Level field changes to a drop-down menu.

Select RAID level 0 or 1.
Click Apply.

A warning message appears.

Click Yes to confirm the change.

Configuring RAID on FortiMail 1000D/2000A/2000B/3000C/3000D/4000A models

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure RAID

Go to System > RAID > RAID System.

Figure 125:RAID System tab (FortiMail-2000A/2000B/3000C/4000A)

GUI item	Description
Model	Displays the model of the hardware RAID controller.
Driver	Displays the version of the RAID controller’s driver software.
Firmware	Displays the version of the RAID controller’s firmware.
Set RAID level	Select the RAID level, then click Change. For more information about RAID levels, see “About RAID levels” on page 298.
Change (button)	From Set RAID level, select the RAID style, then click this button to apply the RAID level.
Re-scan (button)	Click to rebuild the RAID unit with disks that are currently a member of it, or detect newly added hard disks, and start a diagnostic check.

List of RAID units in the array

Unit	Indicates the identifier of the RAID unit, such as u0.
Type	Indicates the RAID level currently in use. For more information, see “About RAID levels” on page 298. To change the RAID level, use Set RAID level.
GUI item	Description
Status	Indicates the status of the RAID unit. • OK: The RAID unit is operating normally. • Warning: The RAID controller is currently performing a background task (rebuilding, migrating, or initializing the RAID unit). Caution: Do not remove hard disks while this status is displayed. Removing active hard disks can cause hardware damage. • Error: The RAID unit is degraded or inoperable. Causes vary, such as when too many hard disks in the unit fail and the RAID unit no longer has the minimum number of disks required to operate in your selected RAID level. To correct such a situation, replace the failed hard disks. • No Units: No RAID units are available. Note: If both Error and Warning conditions exist, the status appears as Error.
Size	Indicates the total disk space, in gigabytes (GB), available for the RAID unit. Available space varies by your RAID level selection. Due to some space being consumed to store data required by RAID, available storage space will not equal the sum of the capacities of hard disks in the unit.
Ignore ECC	Click turn on to ignore the Error Correcting Code (ECC). This option is off by default. Ignoring the ECC can speed up building the RAID, but the RAID will not be as fault-tolerant. This option is not available on FortiMail-2000B/3000C models.

List of hard disks in the array

ID/Port	Indicates the identifier of each hard disk visible to the RAID controller.
Part of Unit	Indicates the RAID unit to which the hard disk belongs, if any. To be usable by the FortiMail unit, you must add the hard disk to a RAID unit.
Status	Indicates the hardware viability of the hard disk. • OK: The hard disk is operating normally. • UNKNOWN: The viability of the hard disk is not known. Causes vary, such as the hard disk not being a member of a RAID unit. In such a case, the RAID controller does not monitor its current status.
Size	Indicates the capacity of the hard disk, in gigabytes (GB).
Delete (button)	Click to unmount a hard disk before swapping it. After replacing the disk, add it to a RAID unit, then click Re-scan.

To change RAID levels

Go to System > RAID > RAID System.
From Set RAID level, select a RAID level.
Click Change.

The FortiMail unit changes the RAID level and reboots.

Replacing a RAID disk

When replacing a disk in the RAID array, the new disk must have the same or greater storage capacity than the existing disks in the array. If the new disk has a larger capacity than the other disks in the array, only the amount equal to the smallest hard disk will be used. For example, if the RAID has 400 GB disks, and you replace one with a 500 GB disk, to be consistent with the other disks, only 400 GB of the new disk will be used.

FortiMail units support hot swap; shutting down the FortiMail unit during hard disk replacement is not required.

To replace a disk in the array

Go to System > RAID > RAID System.
In the row corresponding to the hard disk that you want to replace (for example, p4), select the hard disk and click Delete.

The RAID controller removes the hard disk from the list.

Protect the FortiMail unit from static electricity by using measures such as applying an antistatic wrist strap.
Physically remove the hard disk that corresponds to the one you removed in the web UI from its drive bay on the FortiMail unit.

On a FortiMail-2000A or FortiMail-4000A, press in the tab, then pull the drive handle to remove the dive. On a FortiMail-2000B or FortiMail-3000C, press the button to eject the drive.

To locate the correct hard disk to remove on a FortiMail-2000A, refer to the following diagram.

Drive 1 (p0)	Drive 4 (p3)
Drive 2 (p1)	Drive 5 (p4)
Drive 3 (p2)	Drive 6 (p5)

To locate the correct hard disk to remove on a FortiMail-2000B or 3000C, refer to the following diagram.

Drive 1 (p0)	Drive 3 (p2)	Drive 5 (p4)
Drive 2 (p1)	Drive 4 (p3)	Drive 6 (p5)

To locate the correct hard disk to remove on a FortiMail-4000A, look for the failed disk. (Disk drive locations vary by the RAID controller model.)

Replace the hard disk with a new hard disk, inserting it into its drive bay on the FortiMail unit.
Click Re-scan.

The RAID controller will scan for available hard disks and should locate the new hard disk. Depending on the RAID level, the FortiMail unit may either automatically add the new hard disk to the RAID unit or allocate it as a spare that will be automatically added to the array if one of the hard disks in the array fails.

The FortiMail unit rebuilds the RAID array with the new hard disk. Time required varies by the size of the array.

Configuring Administrator Accounts and Access Profiles

Leave a reply

Configuring administrator accounts and access profiles

The Administrator submenu configures administrator accounts and access profiles.

This topic includes:

About administrator account permissions and domains
Configuring administrator accounts
Configuring access profiles

About administrator account permissions and domains

Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.

The domain to which an administrator is assigned is one of:

System

The administrator can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. Every administrator’s permissions are restricted only by their access profile.

a protected domain

The administrator can only access areas that are specifically assigned to that protected domain. With a few exceptions, the administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by the administrator’s access profile. The administrator cannot access the CLI, nor the basic mode of the web UI. (For more information on the display modes of the GUI, see “Basic mode versus advanced mode” on page 24.)

There are exceptions. Domain administrators can configure IP-based policies, the global black list, the global white list, the blacklist action, and the global Bayesian database. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.

Table 28:Areas of the GUI that domain administrators cannot access

Maintenance

Monitor except for the Personal quarantine tab

System except for the Administrator tab

Mail Settings except for the domain, its subdomains, and associated domains

User > User > PKI User

Policy > Access Control > Receive

Policy > Access Control > Delivery

Profile > Authentication

AntiSpam except for AntiSpam > Bayesian > User and AntiSpam > Black/White List

Email Archiving

Log and Report

Access profiles assign either read, read/write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an administrator access profile, see “Configuring access profiles” on page 297.

Table 29:Areas of control in access profiles

Access control area name		Grants access to (For each config command, there is an equivalent get/show command, unless otherwise noted. config access requires write permission. get/show access requires read permission.)
In the web UI	In the CLI
Black/White List	black-whit e-lis t	Monitor > Endpoint Reputation > Auto Blacklist Maintenance > AntiSpam > Black/White List Maintenance AntiSpam > Black/White List …
		N/A
Quarantine	quarantine	Monitor > Quarantine … AntiSpam > Quarantine > Quarantine Report AntiSpam > Quarantine > System Quarantine Setting AntiSpam > Quarantine > Control Account
		config antispam quarantine-report config mailsetting systemquarantine
Policy	policy	Monitor > Mail Queue … Monitor > Greylist … Monitor > Sender Reputation > Display Mail Settings > Domains > Domains Mail Settings > Proxies > Proxies User > User … Policy … Profile … AntiSpam > Greylist … AntiSpam > Bounce Verification > Settings AntiSpam > Endpoint Reputation … AntiSpam > Bayesian …
		config antispam greylist exempt config antispam bounce-verification key config antispam settings config domain config mailsetting proxy-smtp config policy … config profile … config user …

Table 29:Areas of control in access profiles

Archive	archive	Email Archiving Monitor > Archive
		config archive
Greylist	greylist	Monitor > Greylist … AntiSpam > Greylist …
		config antispam greylist… get antispam greylist …
Others	others	Monitor > System Status … Monitor > Archive > Email Archives Monitor > Log … Monitor > Report … Maintenance … except the Black/White List Maintenance tab System … Mail Settings > Settings … Mail Settings > Address Book > Address Book User > User Alias > User Alias User > Address Map > Address Map Email Archiving … Log and Report …
		config archive … config log … config mailsetting relayserver config mailsetting storage config report config system … config user alias config user map diagnose … execute … get system status

About the “admin” account

Unlike other administrator accounts whose access profile is super_admin_prof and domain is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. Its name, permissions, and assignment to the System domain cannot be changed.

The admin administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without having to enter the existing password. As such, it is the only account that can reset another administrator’s password if the existing password is unknown or forgotten. (Other administrators can change an administrator’s password if they know the current password.

About the “remote_wildcard” account

In previous FortiMail releases (older than v5.1), when you add remote RADIUS or LDAP accounts to FortiMail for account authentication purpose, you must add them one by one on FortiMail. Starting from FortiMail v5.1, you can use the wildcard to add RADIUS accounts (LDAP accounts will be supported in future releases) all at once.

To achieve this, you can enable the preconfigured “remote_wildcard” account and specify which RADIUS profile to use. Then every account on the RADIUS server will be able to log on to FortiMail.

To add all accounts on a RADIUS server to FortiMail

Go to System > Administrator > Administrator.
Double click the built-in “remote_wildcard” account.
Configure the following and click OK.

GUI item	Description
Enable	Select it to enable the wildcard account.
Administrator	The default name is remote_wildcard and it is not editable.
Domain	Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned. For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290. Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI. Note: If you enable domain override in the RADIUS profile, this setting will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. For details, see “Configuring authentication profiles” on page 542.
Access profile	Select the name of an access profile that determines which functional areas the administrator account may view or affect. Click New to create a new profile or Edit to modify the selected profile. For details, see “Configuring access profiles” on page 297. Note: If you enable remote access override in the RADIUS profile, this access profile will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. For details, see “Configuring authentication profiles” on page 542.
Authentication type	For the v5.1 release, only RADIUS is supported. For details, see “Configuring authentication profiles” on page 542.
GUI item	Description
Trusted hosts	Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts. If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0. Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0. Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network. Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248.
Language	Select this administrator account’s preference for the display language of the web UI.
Theme	Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect. The administrator may switch the theme at any time during a session by clicking Next Theme.

Configuring administrator accounts

The Administrator tab displays a list of the FortiMail unit’s administrator accounts and the trusted host IP addresses administrators use to log in (if configured).

By default, FortiMail units have a single administrator account, admin. For more granular control over administrative access, you can create additional administrator accounts that are restricted to a specific protected domain and with restricted permissions. For more information, see “About administrator account permissions and domains” on page 290.

Depending on the permission and assigned domain of your account, this list may not display all administrator accounts. For more information, see “About administrator account permissions and domains” on page 290.

If you configured a system quarantine administrator account, this account does not appear in the list of standard FortiMail administrator accounts. For more information on the system quarantine administrator account, see “Configuring the system quarantine administrator account and disk quota” on page 611.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Others category.

For details, see “About administrator account permissions and domains” on page 290.

To configure administrator accounts

Go to System > Administrator > Administrator.
Either click New to add an account or double-click an account to modify it.

A dialog appears.

Figure 121:New Administrator dialog

Configure the following and then click Create:

GUI item	Description
Enable	Select it to enable the new account. If disabled, the account will not be able to access FortiMail.
Administrator	Enter the name for this administrator account. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), hyphens ( – ), and underscores ( _ ). Other special characters and spaces are not allowed.
Domain	Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned. For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290. Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.
Access profile	Select the name of an access profile that determines which functional areas the administrator account may view or affect. Click New to create a new profile or Edit to modify the selected profile. For details, see “Configuring access profiles” on page 297.

GUI item	Description
Authentication type	Select the local or remote type of authentication that the administrator will use: • Local • RADIUS • PKI • LDAP Note: RADIUS, LDAP and PKI authentication require that you first configure a RADIUS authentication profile, LDAP authentication profile, or PKI user. For more information, see “Configuring authentication profiles” on page 542 and “Configuring PKI authentication” on page 435.
Password	If you select Local as the authentication type, enter a secure password for this administrator account. The password can contain any character except spaces. This field does not appear if Authentication type is not Local or RADIUS+Local.
Confirm password	Enter this account’s password again to confirm it. This field does not appear if Authentication type is not Local or RADIUS+Local.
LDAP profile	If you choose to use LDAP authentication, select an LDAP profile you want to use.
RADIUS profile	If you choose to use RADIUS or RADIUS + Local authentication, select a RADIUS profile you want to use.
PKI profile	If you choose to use PKI authentication, select a PKI profile you want to use.
Trusted hosts	Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts. If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0. Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0. Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network. Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248.
GUI item	Description
Language	Select this administrator account’s preference for the display language of the web UI.
Theme	Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect. The administrator may switch the theme at any time during a session by clicking Next Theme.

Pages: 1 2

Configuring System Settings

Leave a reply

Configuring system settings

The System menu lets you administrator accounts, and configure network settings, system time, SNMP, RAID, high availability (HA), certificates, and more.

This section includes:

Configuring network settings
Configuring system time, configuration options, SNMP, and FortiSandbox
Customizing GUI, replacement messages and email templates
Configuring administrator accounts and access profiles
Configuring RAID
Using high availability (HA)
Managing certificates
Configuring IBE encryption
Configuring certificate bindings

Pages: 1 2 3 4 5 6 7 8 9 10 11

Configuring FortiGuard Updates and AntiSPAM Queries

Leave a reply

Configuring FortiGuard updates and antispam queries

The Maintenance > FortiGuard > Update tab displays the most recent updates to

FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions

(antispam heuristic rules). You can also configure how the FortiMail unit will retrieve updates.

FortiGuard AntiSpam packages for FortiMail units are not the same as those provided to FortiGate units. To support FortiMail’s more full-featured antispam scans, FortiGuard AntiSpam packages for FortiMail contain platform-specific additional updates.

For example, FortiGuard AntiSpam packages for FortiMail contain heuristic antispam rules used by the a heuristic scan. Updates add to, remove from, and re-order the list of heuristic rules so that the current most common methods spammers use are ranked highest in the list. As a result, even if you configure a lower percentage of heuristic rules to be used by that scan, with regular updates, the heuristic scan automatically adjusts to use whichever heuristic rules are currently most effective. This helps to achieve an effective spam catch rate, while both reducing administrative overhead and improving performance by using the least necessary amount of FortiMail system resources.

FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
push updates, by which the FDN notifies FortiMail units when updates become available

For information on configuring scheduled updates, see “Configuring scheduled updates” on page 240. For information on configuring push updates, see “Configuring push updates” on page 241.

You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file. For more information on uploading updates, see “License Information widget” on page 176.

For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see “Troubleshoot FortiGuard connection issues” on page 707.

To access this part of the web UI, your administrator account’s:

Domain must be System
access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view or change the currently installed FortiGuard status

Go to Maintenance > FortiGuard > Update.

Figure 95:Update tab

Configure the following:

GUI item	Description
FortiGuard Service Status
Name	The name of the updatable item, such as Anti Virus Definition.
Version	The version number of the item currently installed on the FortiMail unit.
Expiry Date	The expiry date of the license for the item.
Last Update Attempt	The date and time when the FortiMail unit last attempted to download an update.
Last Update Status	The result of the last update attempt. • No updates: Indicates the last update attempt was successful but no new updates are available. • Installed updates: Indicates the last update attempt was successful and new updates were installed. • Other messages, such as Network Error, indicate that the FortiMail unit could not connect to the FDN, or other error conditions. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.
Included signatures	Displays the total number of the virus and spam signatures.
FortiGuard distribution network	The result of the previous scheduled update (TCP 443) connection attempt to the FortiGuard Distribution Network (FDN) or, if enabled and configured, the override server. • Available: Indicates that the FortiMail unit successfully connected to the FDN. • Unavailable: Indicates that the FortiMail unit could not connect to the FDN. For more information, see “Verifying connectivity with FortiGuard services” on page 237. • Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN. To test the connection, click Refresh.
Push update	The result of the previous push update (UDP 9443) connection attempt from the FDN. • Available: Indicates that the FDN successfully connected to the FortiMail unit to send push updates. For more information, see “Configuring push updates” on page 241. • Unavailable: Indicates that the FDN could not connect to the FortiMail unit. For more information, see “Troubleshoot FortiGuard connection issues” on page 707. • Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN. To test the connection, click Refresh.
GUI item	Description
Refresh (button)	Click to test the scheduled (TCP 443) and push (UDP 9443) update connection of the FortiMail unit to the FDN or, if enabled, the IP address configured in Use override server address. When the test completes, the tab refreshes and results beside FortiGuard distribution network. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect. Note: This does not test the connection for FortiGuard Antispam rating queries, which occurs over a different connection and must be tested separately. For details, see “Configuring FortiGuard updates and antispam queries” on page 233.
Use override server address	Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiMail unit connects for updates, then enter the IP address of the override public or private FDS. For more information, see “Verifying connectivity with FortiGuard services” on page 237.
Allow push update	Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP. For details, see “Configuring push updates” on page 241. Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit then initiates a separate TCP 443 connection, similar to scheduled updates, in order to the FDN to download the update.

Use override push Enable to override the IP address and default port number to which

IP the FDN sends push notifications.

When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.

For more information, see “Configuring push updates” on page 241.

This option is available only if Allow push update is enabled.

GUI item	Description
Scheduled update	Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status. • Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request. • Daily: Select to request to update once a day, then select the hour of the day to check for updates. • Weekly: Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates. If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.
Apply (button)	Click to save configuration changes on this tab and, if you have enabled Allow push update, notify the FDN of the destination IP address and port number for push notifications to this FortiMail unit.
Update Now (button)	Click to manually initiate a FortiGuard Antivirus and FortiGuard Antispam engine and definition update request. Results will appear in Last Update Status. Time required varies by the availability of updates, size of the updates, and speed of the FortiMail unit’s network connection.

Pages: 1 2 3 4