Configuring Mail Settings

Configuring advanced settings

Use this section to configure LDAP compatibility, quarantine reports and schedules, and other advanced options.

  1. Go to Mail Settings > Domains > Domains.
  2. Either click New to create a new protected domain, or click an row to modify it.

A multisection dialog appears. Its options vary with the operation mode.

  1. Click the arrow to expand the section.
  2. Configure the following:

 

GUI item Description
LDAP user alias /

address mapping profile

(transparent and gateway mode only)

Select the name of an LDAP profile in which you have enabled and configured, enabling you to expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members and/or address mappings. For more information, see “Configuring LDAP profiles” on page 549.
Mail routing LDAP profile Enable to perform mail routing, then click the arrow to expand the options and select the name of an LDAP profile in which you have enabled and configured. For more information, see “Configuring LDAP profiles” on page 549
Remove received header of outgoing email Enable to remove the Received: message headers from email whose:

•      sender email address belongs to this protected domain

•      recipient email address is outgoing (that is, does not belong to this protected domain); if there are multiple recipients, only the first recipient’s email address is used to determine whether an email is outgoing

You can alternatively remove this header from any matching email using session profiles. For details, see “Remove received header” on page 499.

Webmail language Select either Use system settings, or the language that the FortiMail unit will to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same language as the web UI. For more information, see “Customizing the GUI appearance” on page 276.
Maximum message size(KB) Enable then type the limit in kilobytes (KB) of the message size. Email messages over the threshold size are rejected.

Note: When you configure session profile settings under Profile > Session, you can also set the message size limit. Here is how the two settings work together:

•      For outgoing email (for information about email directions, see “Incoming versus outgoing email messages” on page 454), only the size limit in the session profile will be matched. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be used.

•      For incoming email, the size limits in both the session profile and domain settings will be checked. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be compared with the size limit in the domain settings. The smaller size will be used.

 

GUI item Description
IP pool You can use a pool of IP addresses as the source IP address when sending email from this domain, or as the destination IP address when receiving email destined to this domain, or as both the source and destination IP addresses.

•      If you want to use the IP pool as the source IP address for this protected domain, according to the sender’s email address in the envelope (MAIL FROM:), select the IP pool to use and select Delivering as the Direction.

•      If you want to use the IP pool as the destination IP address (virtual host) for this protected domain, according to the recipient’s email address in the envelope (RCPT TO:), select the IP pool to use and select Receiving as the Direction. You must also configure the MX record to direct email to the IP pool addresses as well.

This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different host and logging for each host can be separated as well.

•      If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select Both as the Direction

Note: IP pools are skipped for email delivery between protected domains.

Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

If the FortiMail unit is operating in transparent mode, and you have enabled Hide the transparent box or Use client-specified SMTP server to send email, you cannot use IP pools.

For more information on IP pools, see “Configuring IP pools” on page 598.

Quarantine Report Setting Click the arrow to expand the quarantine report section. For more information, see “Quarantine Report Setting” on page 394. For information on system-wide quarantine report settings, see

“Configuring global quarantine report settings” on page 602.

Schedule Click the arrow to expand the report scheduling options. See “Quarantine Report Setting” on page 394.
DKIM

Setting

Click the arrow to expand the DKIM setting section. For more information, see “DKIM Setting” on page 397.

This option appears only when you open an existing protected domain for editing. To configure DKIM signing, create the protected domain, save it, then double-click it to modify the protected domain.

GUI item Description
Disclaimer Click the arrow to expand the disclaimer section. For more information, see “Disclaimer for a domain” on page 398.

Note: This option configures a per-domain disclaimer and is only available after you enable Allow per-domain settings when you configure system-wide disclaimer settings. For more information, see “Allow per-domain settings” on page 375.

SMTP greeting (EHLO/HELO) Select how the FortiMail unit will identify itself during the HELO or EHLO greeting of outgoing SMTP connections that it initiates.

•      Use this domain name: The FortiMail unit will identify itself using the domain name for this protected domain.

If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.

•      Use system host name: The FortiMail unit will identify itself using its own host name.

By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select Use system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.

Domain Association

The Domain Association section that appears when configuring a protected domain lets you configure associated domains. An associated domain uses the settings of the protected domain or subdomain with which it is associated.

Domain associations can be useful for saving time when you have multiple domains, and you would otherwise need to configure multiple protected domains with identical settings. For example, if you have one SMTP server handling email for ten domains, you could:

  • Create ten separate protected domains and configure each with identical settings.
  • Create one protected domain and list the nine other domains as domain associations.

The advantage of using the second method is that you do not have to repeatedly configure the same things when creating or modifying the protected domains. This saves time and reduces chances for error. Changes to one protected domain automatically apply to all of its associated domains.

Associated domains do not re-use DKIM keys and signing settings. Domain keys are by nature tied to the exact protected domain only, and cannot be used for any other protected domain, including associated domains.

The maximum number of domain associations that you can create is separate from the maximum number of protected domains.

To configure domain associations

  1. Go to Mail Settings > Domains > Domains.
  2. Click New to create a protected domain or double-click a domain to modify it.
  3. Click the arrow to expand Domain Association.

Figure 159: Domain Association

  1. To create a domain association, in the small text box enter the fully qualified domain name

(FQDN) of a mail domain that will use the same settings as the same protected domain

  1. Click Create.

The name of the associated domain appears in the Members area.

  1. Repeat the previous steps for all domains that you want to associate with this protected domain.
  2. When done, click Create or OK.

Quarantine Report Setting

The Quarantine Report Setting section that appears when configuring a protected domain lets you configure quarantine report settings. You can choose either to use the system-wide quarantine report settings or to configure domain-wide settings.

Starting from FortiMail 4.1, domain-wide quarantine report settings are independent from the system-wide quarantine report settings.

However, in older releases, domain-wide quarantine report settings are a subset of the system-wide quarantine report settings. For example, if the system settings for schedule include only Monday and Thursday, when you are setting the schedule for the quarantine reports of the protected domain, you can select either Monday or Thursday.

For information on system-wide quarantine report settings and quarantine reports in general, see “Configuring global quarantine report settings” on page 602 and “Customizing GUI, replacement messages and email templates” on page 276.

To configure per-domain quarantine report settings

  1. Go to Mail Settings > Domains > Domains.
  2. Either click New to create a protected domain or double-click a domain to modify it.
  3. Click the arrow to expand Advanced Settings.
  4. Click the arrow to expand Quarantine Report Setting and the click the arrow to expand Schedule.
  5. Configure the following:

Figure 160:Quarantine report settings

GUI item Description
Send to  
Original recipient Enable to send the quarantine report to all recipients. For more information, see “Managing the personal quarantines” on page 182.
Other recipient Select to send the quarantine report to a recipient other than the individual recipients or group owner. For example, you might delegate quarantine reports by sending them to an administrator whose email address is not locally deliverable to the protected domain, such as admin@lab.example.com.
LDAP group Enable to send the quarantine report to a group owner, rather than owner based individual recipients, then select the name of an LDAP profile in
on LDAP

profile

which you have enabled and configured the group query options (see “Configuring group query options” on page 555.

Also configure the following two options for more granular control:

•      Only when original recipient is group

•      When group owner is found, do not send to original recipient

Schedule Click the arrow to expand the options.
Setting Select the schedule to use when sending quarantine reports.
  • Use system settings: Use the system-wide quarantine report schedule. For more information, see “Configuring global quarantine report settings” on page 602.
  • Use domain settings: Use a quarantine report schedule that is specific to this protected domain. Also configure These Hours and These Days.
These Hours Select which hours to send the quarantine report for this protected domain.

This option is available only when Setting is Use domain settings.

These Days Select which days to send the quarantine report for this protected domain.

This option is available only when Setting is Use domain settings.

Template Select an email template to use.

If you choose to use the system settings, you can view the template but cannot edit from this page. But you can edit the system-wide template by going to System > Customization > Custom Email Template.

If you choose to use the domain settings, you can click Edit to modify the template.

Replacement messages often include variables, such as the MIME type of the file that was overwritten by the replacement message.

Typically, you will customize text, but should not remove variables from the replacement message. Removing variables may result in an error message and reduced functionality. For example, removing %%SPAM_DELETE_URL%% would make users incapable of using the quarantine report to delete email individually from their personal quarantines.

  1. Click Create or OK.

DKIM Setting

The DKIM Setting section appears when configuring an existing protected domain; that is, it does not appear when configuring a new domain. It lets you create domain keys for this protected domain.

The FortiMail unit will sign outgoing email messages using the domain key for this protected domain if you have selected it when configuring sender validation in the session profile. For more information, see “Configuring session profiles” on page 482.

Because domain keys are tied to the domain name for which they are generated, FortiMail units will not use the domain key of a protected domain to sign email of an associated domain. If you require DKIM signing for an associated domain, convert it to a standard protected domain and then generate its own, separate domain key.

DKIM signing requires a public-private key pair. The private key is kept on and used by the FortiMail unit to generate the DKIM signatures for the email messages; the public key is stored on the DNS server in the DNS record for the domain name, and used by receiving parties to verify the signature.

After you generate the key pair by creating a domain key selector, you can export the DNS record that contains the public key. The following is a sample of the exported DNS record:

example_com._domainkey IN TXT “t=y; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPuR5xC+y DvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHHPFBBnChMMHkW gHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3asfZ85V6WJDHSI9JV0 504uwDeOOh/aewIDAQAB”

Then you can publish the public key by adding it to the DNS zone file as a text record for the domain name on the DNS server. The recipient SMTP server, if enabled to use DKIM verification, will use the public key to decrypt the signature and compare the hash values of the email message in order to verify that the hash values match.

To configure a domain key pair

  1. Go to Mail Settings > Domains > Domains.
  2. Double-click to modify an existing protected domain.
  3. Click the arrow to expand DKIM Setting.

Figure 161: DKIM Setting

  1. In the text box to the left of Create, enter a selector to use for the DKIM key, such as example_com2.
  2. Click Create.

The selector name for the key pair appears in the list of domain key selectors. The key pair is generated and public key can be exported for publication on a DNS server.

Only one key pair can be active at a time. If a new selector is generated, the FortiMail unit always signs email messages with the most recently generated key pair. To use an older domain key pair, you must delete all domain key pairs that have been more recently generated.

  1. Click to select the domain key, then click Download.

Your web browser downloads the plain text file which contains the exported DNS record

(.dkim) file.

  1. Publish the public key by inserting the exported DNS record into the DNS zone file of the DNS server that resolves this domain name. For details, see the documentation for your DNS server.
  2. Click OK.

Disclaimer for a domain

The Disclaimer section that appears when configuring a protected domain lets you configure disclaimer messages specific to this protected domain.

A disclaimer message is text that is generally attached to email to warn the recipient that the email contents may be confidential. For disclaimers added to outgoing messages, you need to configure an IP-based policy or an outgoing recipient-based policy.

Disclaimer messages can be appended for either or both incoming or outgoing email messages. For information on determining the directionality of an email message, see “Incoming versus outgoing email messages” on page 454.

If the FortiMail unit is operating in transparent mode, to use disclaimers, you must enable clients to send email using their specified SMTP server. For more information, see “Use client-specified SMTP server to send email” on page 422.

To configure a per-domain disclaimer messages

  1. Go to Mail Settings > Domains > Domains.
  2. Either click New to create a protected domain or double-click a domain to modify it.
  3. Click the arrow to expand Advanced Settings.
  4. Click the arrow to expand Disclaimer.

Figure 162:Disclaimer section of domain advanced settings

You cannot configure the domain disclaimer unless the Allow per-domain settings option is enabled on the Mail Settings > Settings > Disclaimer tab.

5. Configure the following:  
GUI item Description
Disclaimer  
Setting Select which type of disclaimer message to append.

•      Disable: Do not append disclaimer messages.

•      Use system settings: Append the system-wide disclaimer messages. For more information, see “Configuring global disclaimers” on page 374.

•      Use domain settings: Append the disclaimer messages configured specifically for this protected domain. Also configure the per-domain disclaimer messages in For Incoming Messages and For Outgoing Messages.

This option is available only if you have enabled per-domain disclaimer messages. For more information, see “Allow per-domain settings” on page 375.

Disclaimer in Enable to use append a disclaimer message to the message incoming message header of incoming messages that is specific to this protected header         domain, then enter the disclaimer message. The maximum

length is 256 characters.

This option is available only if Setting is Use domain settings.

GUI item                            Description

Disclaimer in incoming message body Enable to use append a disclaimer message to the message body of incoming messages that is specific to this protected domain, then enter the disclaimer message. The maximum length is 1024 characters.

This option is available only if Setting is Use domain settings.

Disclaimer in outgoing message header Enable to use append a disclaimer message to the message header of outgoing messages that is specific to this protected domain, then enter the disclaimer message. The maximum length is 256 characters.

This option is available only if Setting is Use domain settings.

Disclaimer in outgoing message body Enable to use append a disclaimer message to the message body of outgoing messages that is specific to this protected domain, then enter the disclaimer message. The maximum length is 1024 characters.

This option is available only if Setting is Use domain settings.

6 thoughts on “Configuring Mail Settings

  1. Viorel

    Hi,
    Do you think I could use fortimail in server mode integrated with office 365?
    Can i use this setup to be able to create email accounts in office 365 and some emails in fortimail?
    In my case I have like 140 permanent users and 30-40 users let say “temporar users”(3-4 months/year). For them I want to create emails accounts in fortimail.
    Ex: someone@testdomain.com is an office365 account, and someone2@testdomain.com to be an fortimail account.
    When an email is received I want to be able to be redirected where it belongs. If an email created in office 365 to be redirected there, if was created in fortimail should be redirected to fortimail.

    Is possible this setup?
    Thank you

    Reply
    1. Mike Post author

      I have only ever deployed a FortiMail for Office 365 utilizing Gateway mode. I’m not sure, off hand, how one would make it work in server mode.

      Reply
  2. Danny

    I have several associated domains in Fortimail, mainly for ease of administration. We currently have DKIM and SPF set up for O365 outbound mail but I’d like to start using Fortimail for outbound filtering. Will Fortimail just transparently relay the mail leaving the DKIM signature and SPF IP address unaltered and valid? Or will it strip them requiring me to use Fortimail for DKIM and its IP address in our SPF record? DKIM is so easy to set up in O365 so I would hate to have to redo it and split all our associated domains into dedicated domains.

    Reply
  3. Murat

    Hi we Have created a user in migrated user and start to migrate mailbox from exchange after couple of minutes give connection error. We sniff on cli and get an error code 500.5.3.3 can you find whats problem thanks

    Reply
  4. Conver Zafra

    I have configured the LDAP in my Outlook 2010. Is there a way to automatically sync the LDAP contacts to my local Outlook contact list, so i can search contacts even when i am offline?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.