Configuring domain associations
This section does not apply to server mode.
Associated domains use the settings of the protected domain with which they are associated, and do not have separate protected domain settings of their own. Exceptions include DKIM keys, which will not be used for associated domains. For more information, see “Domain Association” on page 393.
- Go to Mail Settings > Domains > Domains.
- Either click New to create a new protected domain, or click an row to modify it.
A multisection dialog appears. Its options vary with the operation mode.
- Click the arrow to expand the domain associations section.
- To add a domain name, enter a name in the lower text box and click Create. The domain appears in the Members You can use wildcard, such as *.example.com.
- To remove a domain name, in the Members area and click Delete.
Configuring recipient address verification
This section does not apply to server mode.
Select a method of confirming that the recipient email address in the message envelope (RCPT TO:) corresponds to an email user account that actually exists on the protected email server. If the recipient address is invalid, the FortiMail unit will reject the email. This prevents quarantine email messages for non-existent accounts, thereby conserving quarantine hard disk space.
This feature can impact performance and be noticeable during peak traffic times. For a lesser performance impact, you can alternatively periodically automatically remove quarantined email messages for invalid email user accounts, rather than actively preventing them during each email message.
- Go to Mail Settings > Domains > Domains.
- Either click New to create a new protected domain, or click an row to modify it.
A multisection dialog appears. Its options vary with the operation mode.
- Click the arrow to expand the recipient address verification section.
- Configure the following:
GUI item Description
Disable Do not verify that the recipient address is an email user account that actually exists.
GUI item | Description |
Use SMTP server | Query the SMTP server using either the SMTP VRFY command or RCPT command to verify that the recipient address is an email user account that actually exists. RCPT is the default command.
If you want to query an SMTP server other than the one you have defined as the protected SMTP server, also enable Use alternative server, then enter the IP address or FQDN of the server in the field next to it. Also configure Port with the TCP port number on which the SMTP server listens, and enable Use SMTPS if you want to use SMTPS for recipient address verification connections with the server. |
Use LDAP server | Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server. For more information on configuring LDAP profiles, see “Configuring LDAP profiles” on page 549. |
Configuring transparent mode options
This section appears only when the FortiMail unit operates in transparent mode.
- Go to Mail Settings > Domains > Domains.
- Either click New to create a new protected domain, or click an row to modify it.
A multisection dialog appears. Its options vary with the operation mode.
- Click the arrow to expand the transparent mode settings section.
- Configure the following:
GUI item | Description |
This server is
on |
Select the network interface (a port) to which the protected SMTP server is connected.
Note: Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface. |
Hide the Enable to preserve the IP address or domain name of the SMTP client for transparent incoming email messages in: box
- the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
- the IP addresses in the IP header
This masks the existence of the FortiMail unit to the protected SMTP server.
Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.
For example, an external SMTP client might have the IP address 172.168.1.1, and the FortiMail unit might have the domain name fortimail.example.com. If the option is enabled, the message header would contain (difference highlighted in bold):
GUI item | Description |
Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with
SMTP; Fri, 24 Jul 2008 07:12:40 -0800 Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT But if the option is disabled, the message headers would contain: Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800 Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT For more information on transparency, see “Transparency of the proxies and built-in MTA” on page 418. Note: If the protected SMTP server applies rate limiting according to IP addresses, enabling this option can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail unit. Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, this option supsersedes the Hide this box from the mail server option in the session profile, and may prevent it from applying to incoming email messages. |
|
Use this domain’s SMTP server
to deliver the mail |
Enable to use the protected SMTP server, instead of the FortiMail built-in MTA, to deliver outgoing email messages from the SMTP clients whose sending MTA is the protected SMTP server.
For example, if the protected domain example.com has the SMTP server 192.168.1.1, and an SMTP client for user1@example.com connects to it to send email to user2@external.example.net, enabling this option would cause the FortiMail unit to pass the mail message via its built-in MTA to the protected SMTP server, which will deliver the message. Disable to relay email using the built-in MTA to either the SMTP relay defined in “Configuring SMTP relay hosts” on page 373, if any, or directly to the MTA that is the mail exchanger (MX) for the recipient email address’s (RCPT TO:) domain. The email may not actually travel through the protected SMTP server, even though it was the relay originally specified by the SMTP client. This option does not affect incoming connections containing incoming email messages, which will always be handled by the built-in MTA. For details, see “When FortiMail uses the proxies instead of the built-in MTA” on page 415. Note: This option will be ignored for email that matches an antispam or content action profile. |
Configuring removal of invalid accounts
This section does not apply to server mode.
Select a method by which to periodically remove quarantined spam for which an email user account does not actually exist on the protected email server.
If you select either Use SMTP server or Use LDAP server, the FortiMail unit queries the server daily (at 4:00 AM daily unless configured for another time in the CLI; see the FortiMail CLI Reference) to verify the existence of email user accounts. If an email user account does not currently exist, the FortiMail unit removes all spam quarantined for that email user account.
If you have also enabled Recipient Address Verification (see “Configuring recipient address verification” on page 387), the FortiMail unit does not form quarantine accounts for email user accounts that do not exist on the protected email server. In that case, invalid quarantine accounts are never formed, and this option may not be necessary, except when you delete email user accounts on the protected email server. If this is the case, you can improve the performance of the FortiMail unit by disabling this option.
- Go to Mail Settings > Domains > Domains.
- Either click New to create a new protected domain, or click an row to modify it.
A multisection dialog appears. Its options vary with the operation mode.
- Click the arrow to expand the section.
- Configure the following:
GUI item | Description |
Disable | Do not verify that the recipient address is an email user account that actually exists. |
Use SMTP server | Query the SMTP server to verify that the recipient address is an email user account that actually exists. |
Use LDAP server: | Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server. For more information on configuring LDAP profiles, see “Configuring LDAP profiles” on page 549. |
Hi,
Do you think I could use fortimail in server mode integrated with office 365?
Can i use this setup to be able to create email accounts in office 365 and some emails in fortimail?
In my case I have like 140 permanent users and 30-40 users let say “temporar users”(3-4 months/year). For them I want to create emails accounts in fortimail.
Ex: someone@testdomain.com is an office365 account, and someone2@testdomain.com to be an fortimail account.
When an email is received I want to be able to be redirected where it belongs. If an email created in office 365 to be redirected there, if was created in fortimail should be redirected to fortimail.
Is possible this setup?
Thank you
I have only ever deployed a FortiMail for Office 365 utilizing Gateway mode. I’m not sure, off hand, how one would make it work in server mode.
This is possible. Your O 365 server should relay to Fortimail if user not found on O 365
I have several associated domains in Fortimail, mainly for ease of administration. We currently have DKIM and SPF set up for O365 outbound mail but I’d like to start using Fortimail for outbound filtering. Will Fortimail just transparently relay the mail leaving the DKIM signature and SPF IP address unaltered and valid? Or will it strip them requiring me to use Fortimail for DKIM and its IP address in our SPF record? DKIM is so easy to set up in O365 so I would hate to have to redo it and split all our associated domains into dedicated domains.
Hi we Have created a user in migrated user and start to migrate mailbox from exchange after couple of minutes give connection error. We sniff on cli and get an error code 500.5.3.3 can you find whats problem thanks
I have configured the LDAP in my Outlook 2010. Is there a way to automatically sync the LDAP contacts to my local Outlook contact list, so i can search contacts even when i am offline?