Configuring Profiles

Configuring resource profiles (server mode only)

If your FortiMail unit operates in server mode, the Resource tab lets you create resource profiles, which configure miscellaneous aspects of local email user accounts, such as disk space quota.

For more information on settings that can be applied to email user accounts, see “Configuring local user accounts (server mode only)” on page 424 and “Configuring user preferences” on page 428.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.

To view and configure resource profiles

  1. Go to Profile > Resource > Resource.

Figure 220:Viewing the list of resource profiles

GUI item Description
Clone

(button)

Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.
Domain

(drop-down list)

Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.
Profile Name Displays the name of the profile.
Domain Name

(column)

Displays either System or a domain name.
(Green dot in column heading) Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.
  1. Either click New to add a profile or double-click a profile to modify it.

A dialog appears.

Figure 221:Resource Profile dialog

  1. Configure the following:
GUI item Description
Domain For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.
Profile name For a new profile, enter the name of the profile.
Disk quota (MB) Enter the maximum amount of FortiMail webmail disk space that you will allow to be consumed, or enter 0 to allow unlimited use.
User account status Select the check box to enable email user accounts using this resource profile.
Webmail access Select the check box to enable email users’ access to FortiMail webmail.
Mobile device access Select the check box to allow mobile users to access their email via webmail.
 User access Select if you want the webmail users to access the domain-level address book or global address book.
Email Retention:

Regular folders

(days)

Enter the number of days after which the FortiMail unit will automatically delete regular email that is locally hosted. 0 means not to delete email.
Email Retention:

Sent folder (days)

Enter the number of days after which the FortiMail unit will automatically delete the sent email. 0 means not to delete email.

Email Retention:    Enter the number of days after which the FortiMail unit will

Trash folder (days) automatically empty the trash folder. 0 means not to delete email. The default number is 14 days.

  1. Click Create.

To apply the resource profile, you must select it in a policy. For details, see “Controlling email based on recipient addresses” on page 468 and “Controlling email based on IP addresses” on page 475.

Workflow to enable and configure authentication of email users

In general, to enable and configure email user authentication, you should complete the following:

  1. If you want to require authentication for SMTP connections received by the FortiMail unit, examine the access control rules whose sender patterns match your email users to ensure that authentication is required (Authenticated) rather than optional (Any).

Additionally, verify that no access control rule exists that allows unauthenticated connections. For details, see “Configuring access control rules” on page 456.

  1. For secure (SSL or TLS) authentication:
    • Upload a local certificate. For details, see “Managing local certificates” on page 347.
    • Enable SMTP over SSL/TLS. For details, see “Configuring mail server settings” on page 366.
    • If you want to configure TLS, create a TLS profile, and select it in the access control rules. For details, see “Configuring TLS security profiles” on page 591 and “Configuring access control rules” on page 456.
    • If the email user will use a personal certificate to log in to webmail or their per-recipient quarantine, define the certificate authority (CA) and the valid certificate for that user. If OCSP is enabled, you must also configure a remote certificate revocation authority. For details, see “Configuring PKI authentication” on page 435, “Managing certificate authority certificates” on page 354, and “Managing OCSP server certificates” on page 356.
  2. If authentication will occur by querying an external authentication server rather than email user accounts locally defined on the FortiMail unit, configure the appropriate profile type, either:
    • SMTP, IMAP, or POP3 (gateway mode or transparent mode only; see “Configuring authentication profiles” on page 542)
    • LDAP (see “Configuring LDAP profiles” on page 548)
    • RADIUS (see “Configuring authentication profiles” on page 542)
  3. For server mode, configure the email users and type their password, or select an LDAP profile. Also enable webmail access in a resource profile. For details, see “Configuring local user accounts (server mode only)” on page 424 and “Configuring resource profiles (server mode only)” on page 539.
  4. For gateway mode or transparent mode, select the authentication profile in the IP-based policy or in the incoming recipient-based that matches that email user and enable Use for SMTP authentication. If the user will use PKI authentication, in the incoming recipient-based policy, also enable Enable PKI authentication for web mail spam access. For details, see “Controlling email based on recipient addresses” on page 468 and “Controlling email based on IP addresses” on page 475.

For server mode, select the resource profile in the incoming recipient-based policy, and if users authenticate using an LDAP profile, select the LDAP profile. For details, see “Controlling email based on recipient addresses” on page 468.

6 thoughts on “Configuring Profiles

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.”

    Where can i get the book to view page 620??

    Reply
  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statisticaly on dozen of emails, all the values are always within range 95,03- 95,09. What is really checked in headers ? In our organization (government – 5000 users) we have lots of SPAM catched but also lots of false positive catched by this feature…

    Reply
    1. Mike Post author

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

      Reply
  3. Dormond

    Hello,
    Do we have some addtional info regarding heuristic filter ? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.

    Reply
  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.