Managing the deferred mail queue

The FortiMail unit prioritizes the mail queue into two types:

• Regular mail queue

When the initial attempt to deliver an email fails, the FortiMail unit moves the email to the regular mail queue.

• Slow mail queue

After another two failed delivery attempts, the FortiMail unit moves the email to the slow mail queue. This allows the FortiMail unit to resend valid email quickly, instead of keep resending invalid email (for example, email destined to an invalid MTA).

After the undelivered email remains in the deferred queue for five minutes, the mail appears under Monitor > Mail Queue > Mail Queue. This also means that email staying in the deferred queue for less than five minutes does not appear on the Mail Queue tab.

Delivery failure can be caused by temporary reasons such as interruptions to network connectivity. FortiMail units will periodically retry delivery. (Administrators can also manually initiate a retry.) If the email is subsequently sent successfully, the FortiMail unit simply removes the email from the queue. It does not notify the sender. But if delivery continues to be deferred, the FortiMail unit eventually sends an initial delivery status notification (DSN) email message to notify the sender that delivery has not yet succeeded. Finally, if the FortiMail unit cannot send the email message by the end of the time limit for delivery retries, the FortiMail unit sends a final DSN to notify the sender about the delivery failure and deletes the email message from the deferred queue. If the sender cannot receive this notification, such as if the sender’s SMTP server is unreachable or if the sender address is invalid or empty, the FortiMail unit will save a copy of the email in the dead mail folder. For more information, see “Managing undeliverable mail” on page 181.

For information on configuring the delivery retry interval, maximum amount of time that an email message can spend in a queue, and DSN timing, see “Configuring mail server settings” on page 366.

When you delete a deferred email, the FortiMail unit sends an email message, with the deleted email attached to it, to notify the sender.

To access this part of the web UI, your administrator account’s:

• Domain must be System
• access profile must have Read-Write permission to the Policy category

For details, see “About administrator account permissions and domains” on page 290.

To view, delete, or resend an email in the deferred mail queue, go to Monitor > Mail Queue > Mail Queue.

Table 14:Managing the deferred mail queue

GUI item           Description

View (button)    Select a message and click View to see its contents.

Delete (button) Click to deleted the selected item.

Resend          Mark the check boxes of the rows corresponding to the email messages that you want to immediately retry to send, then click Resend. (button)

To determine if these retries succeeded, click Refresh. If a retry succeeds, the email will no longer appear in either the deferred mail queue or the dead mail folder. Otherwise, the retry has failed.

Table 14:Managing the deferred mail queue

Managing undeliverable mail

The Dead Mail tab displays the list of email messages in the dead mail folder.

Unlike the deferred mail queue, the dead mail folder contains copies of delivery status notification (DSN) email messages, also called non-delivery reports (NDR).

DSN messages are sent from the FortiMail unit (“postmaster”) to an email’s sender when the email is considered to be more permanently undeliverable because all previous retry attempts of the deferred email message have failed. These email messages from “postmaster” include a copy of the original email message for which the DSN was generated.

If an email cannot be sent nor a DSN returned to the sender, it is usually because both the recipient and sender addresses are invalid. Such email messages are often sent by spammers who know the domain name of an SMTP server but not the names of its email users, and are attempting to send spam by guessing at valid recipient email addresses.

The FortiMail unit can automatically delete old dead mail. For details, see “Configuring mail queue setting” on page 370.

Alternatively, you can:

• To prevent dead mail to invalid recipients, enable recipient address verification to reject email with invalid recipients. Rejecting email with invalid recipients also prevents quarantine mailboxes for invalid recipients from consuming hard disk space. For details, see “Configuring recipient address verification” on page 387.

To access this part of the web UI, your administrator account’s:

• Domain must be System
• access profile must have Read-Write permission to the Policy category

For details, see “About administrator account permissions and domains” on page 290.

To view or delete undeliverable email, go to Monitor > Mail Queue > Dead Mail.

Monitoring the system

The Monitor menu displays system usage, mail queues, log messages, reports, and other status-indicating items.

It also allows you to manage the contents of the mail queue and quarantines, and the sender reputation and endpoint reputation scores.

This section includes:

• Viewing overall system statuses
• Managing the deferred mail queue
• Managing the quarantines
• Viewing the greylist statuses
• Viewing the sender reputation statuses
• Viewing the endpoint reputation statuses
• Managing archived email
• Viewing log messages
• Viewing generated reports

Viewing overall system statuses

Monitor > System Status displays system statuses, most of which pertain to the entire system, such as CPU usage and current IP sessions. It also displays items that span multiple features, such as email statistics.

This section includes:

• Viewing the dashboard
• Viewing the email statistics
• Viewing the list of current IP sessions

Viewing the dashboard

Monitor > System Status > Status displays first after you log in to the web UI. It contains a dashboard with widgets that each indicate performance level or other statistics.

By default, widgets display the serial number and current system status of the FortiMail unit, including uptime, system resource usage, alert messages, host name, firmware version, system time, and email throughput.

To access this part of the web UI, your administrator account’s:

• Domain must be System
• access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the dashboard, go to Monitor > System Status > Status.

Page 173

Hiding, showing and moving widgets

The dashboard is customizable. You can select which widgets to display, where they are located on the tab, and whether they are minimized or maximized.

To move a widget, position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To show or hide a widget, in the upper left-hand corner, click Add Content, then mark the check boxes of widgets that you want to show.

Options vary slightly from widget to widget, but always include options to close or minimize/maximize the widget.

System Information widget

The System Information widget displays the serial number and basic system statuses such as the firmware version, system time, and up time and high availability (HA) status.

In addition to displaying basic system information, the System Information widget lets you configure the operation mode and to change the firmware.

To view the widget, go to Monitor > System Status > Status. If the widget is not currently shown, click Add Content, and mark the check box for the widget.

Figure 65:System Information widget

Table 12:System Information widget features

Table 12:System Information widget features

License Information widget

The License Information widget displays the last queried license statuses for FortiGuard Antispam and FortiGuard Antivirus.

If you do not want to allow the FortiMail unit to automatically download antivirus definition updates from the FortiGuard Distribution Network (FDN), you can also use the

License Information widget to manually upload an antivirus definitions update file. To upload the file, first download the antivirus definition file to your management computer from the Fortinet Technical Support web site, https://support.fortinet.com, then click Update.

If your update is a downgrade to a lower antivirus definition, you need to enable this function in the CLI. For more information, see the diag debug autoupdate command in the FortiMail CLI Reference.

Updating FortiGuard Antivirus definitions can cause a short disruption in the traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize disruptions, update when traffic is light, such as during the night.

To view the widget, go to Monitor > System Status > Status. If the widget is not currently shown, click Add Content, and mark the check box for the widget.

Backing up the configuration

Once you have tested your basic installation and verified that it functions correctly, create a backup. This “clean” backup can be used to:

• troubleshoot a non-functional configuration by comparing it with this functional baseline
• rapidly restore your installation to a simple yet working point

The following procedures only produce a backup of the configuration file. If you have also configured other settings such as black/white lists, dictionaries, and the Bayesian databases, you should back them up as well. For information on how to back up other configuration settings and databases, see “Backup and restore” on page 218.

To back up the configuration file via the web UI

1. Log in to the web UI as the admin

Other administrator accounts do not have the required permissions.

2. Go to Maintenance > System > Configuraton in the advanced mode.
3. In the Backup Configuration area, select Local PC.
4. Select System Configuration (and User Configuration if you have already configured user preferences).
5. Click Backup.

If your browser prompts you, navigate to the folder where you want to save the configuration file. Click Save.

Your browser downloads the configuration file. Time required varies by the size of the configuration and the specifications of the appliance’s hardware as well as the speed of your network connection.

To back up the configuration file via the CLI

1. Log in to the CLI as the admin administrator using either the local serial console, the CLI Console widget in the web UI, or an SSH or Telnet connection.

Other administrator accounts do not have the required permissions.

2. Enter the following command:

execute backup full-config tftp <file-name_str> <server_ipv4> [<backup-password_str>]

where the variables and options are as follows:

Variable                        Description

<file-name_str>     Type the file name of the backup.

<server_ipv4>      Type the IP address or domain name of the server.

[<backup-password_s Optional. Type the password that will be used to encrypt the tr>]  backup file.

Caution: Do not lose this password. You will need to enter this same password when restoring the backup file in order for the appliance to successfully decrypt the file. If you cannot remember the password, the backup cannot be used.

For example, the following command backs up a FortiMail-3000C’s configuration file to a file named FortiMail-3000C.conf in the current directory on the TFTP server 172.16.1.10, encrypting the backup file using the password P@ssw0rd1:

FortiMail-3000C # execute backup full-config tftp

FortiMail-3000c.conf 172.16.1.10 P@ssw0rd1

Time required varies by the size of the database and the specifications of the appliance’s hardware, but could take several minutes.

Testing the installation

After completing the installation, test it by sending email between legitimate SMTP clients and servers at various points within your network topology.

If the FortiMail unit is operating in gateway mode or transparent mode, you may also wish to test access of email users to their per-recipient quarantined email.

If the FortiMail unit is operating in server mode, you may also wish to test access to FortiMail webmail, POP3, and/or IMAP.

Figure 59:Connection test paths (gateway mode)

Private                                                                                                       Public DNS Server

Gateway Mode

DNS Server

Figure 60:Connection test paths (transparent mode)

Figure 61:Connection test paths (server mode)

To verify all SMTP connections to and from your FortiMail unit, consider both internal and external recipient email addresses, as well as all possible internal and external SMTP clients and servers that will interact with your FortiMail unit, and send email messages that test the connections both to and from each of those clients and servers. For example:

1. Using an SMTP client on the local network whose MTA is the FortiMail unit or protected email server, send an email from an internal sender to an internal
2. Using an SMTP client on the local network whose MTA is the FortiMail unit or protected email server, send an email from an internal sender to an external
3. Send an email from an external sender to an internal
4. If you have remote SMTP clients such as mobile users or branch office SMTP servers, using an SMTP client on the remote network whose MTA is the FortiMail unit or protected email server, send an email from an internal sender to an internal
5. If you have remote SMTP clients such as mobile users or branch office SMTP servers, using an SMTP client on the remote network whose MTA is the FortiMail unit or protected email server, send an email from an internal sender to an external

If you cannot connect, receive error messages while establishing the connection, or the recipient does not receive the email message, verify your configuration, especially:

• routing and policy configuration of intermediary NAT devices such as firewalls or routers
• connectivity of the FortiMail unit with the Fortinet Distribution Network (FDN)
• external email servers’ connectivity with and the configuration of the public DNS server that hosts the MX records, A records, and reverse DNS records for your domain names
• the FortiMail unit’s connectivity with and the configuration of the local private DNS server (if any) that caches records for external domain names and, if the Use MX record option is enabled, hosts private MX records that refer to your protected email servers
• access control rules on your FortiMail unit
• configuration of MUAs, including the IP address/domain name of the SMTP and POP3/IMAP server, authentication, and encryption (such as SSL or TLS)

For information on tools that you can use to troubleshoot, see “Troubleshooting tools” on page 161.