Configuring authentication profiles
The Authentication submenu lets you configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users.
FortiMail units support the following authentication methods:
- SMTP
- IMAP
- POP3
- RADIUS
In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine.
Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through incoming recipient-based policies, IP-based policies, and email user accounts. For more information, see “Controlling email based on recipient addresses” on page 468, “Controlling email based on IP addresses” on page 475, and “Configuring local user accounts (server mode only)” on page 424.
For the general procedure of how to enable and configure authentication, see “Workflow to enable and configure authentication of email users” on page 541.
To access this part of the web UI, your administrator account’s:
- Domain must be System
- access profile must have Read or Read-Write permission to the Policy category
For details, see “About administrator account permissions and domains” on page 290.
To view and manage the list of authentication profiles
- Go to Profile > Authentication.
The name of the tab varies: it is Authentication in gateway and transparent mode, and RADIUS in server mode.
Figure 222: Viewing the list of authentication profiles
GUI item | Description |
Clone (button) | Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
Domain (drop-down list) | Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
Auth type (drop-down list) | To filter the list of authentication profiles, either select which protocol to display, or select ALL to display all authentication profiles, regardless of their protocol. Not available in server mode. |
Profile Name | Displays the name of the profile. |
Auth Type (column) | Displays the protocol used to connect to the authentication server: SMTP, POP3, IMAP, or RADIUS. Not present in server mode, which can only use RADIUS authentication profiles. |
Server or Server Name/IP | Displays the fully qualified domain name (FQDN) or IP address of a server that will be queried to authenticate email users if they authenticate to send email, or when they are accessing their personal quarantine. |
Server Port | Displays the port number in server mode. |
Domain Name (column) | Displays either System or a domain name. |
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
- Either click New to add a profile or double-click a profile to modify it.
A dialog appears that varies depending on the operation mode.
Figure 223: Configuring an authentication profile (SMTP authentication)
Figure 224: Configuring an authentication profile (RADIUS authentication)
- Configure the following:
GUI item | Description |
Domain | For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile. |
Authentication type (not in server mode) | Select the protocol used to connect to the authentication server: SMTP, POP3, IMAP, or RADIUS.
This drop-down list does not appear if the FortiMail unit is operating in server mode, which can only use RADIUS authentication profiles. |
Profile name | For a new profile, enter the name of the profile. |
Server name/IP | Enter the fully qualified domain name (FQDN) or IP address of a server that will be queried to authenticate email users if they authenticate to send email, or when they are accessing their personal quarantine.
Use generic LDAP mail host if available: For gateway and transparent mode, select this option if your LDAP server has a mail host entry for the generic user. For more information, see “Domain Lookup Query” on page 565 and “Generic mail host attribute” on page 566. If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the Server name/IP field. |
Server port | Enter the port number on which the authentication server listens.
The default value varies by protocol. You must change this value if the server is configured to listen on a different port number, including if the server requires SSL. For example, the standard port number for SMTP is 25, but for SMTP with SSL the default port number is 465. Similarly, IMAP is 143, while IMAP with SSL is 993; POP3 is 110, while POP3 with SSL is 995; and RADIUS is 1812. |
Protocol (for RADIUS server) | Select the authentication method for the RADIUS server. |
NAS IP/Called station ID (for RADIUS server) | Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548, Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.
This field appears only for RADIUS authentication profiles. |
Server secret (for RADIUS server) | Enter the secret required by the RADIUS server. It must be identical to the secret that is configured on the RADIUS server.
This field appears only for RADIUS authentication profiles. |
Server requires domain | Enable if the authentication server requires that email users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1). |
Advanced Settings (for RADIUS server) | When you add a FortiMail administrator (see “Configuring administrator accounts” on page 294), you must specify an access profile (the access privileges) for the administrator. You must also specify a domain (either System or a protected domain) that the administrator is entitled to access.
If you are adding a RADIUS account, you can override the access profile and domain setting with the values of the remote attributes returned from the RADIUS server.
- Enable remote access override: Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used.
- Vendor ID: Enter the vendor’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.
- Attribute ID: Enter the attribute ID of the above vendor for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.
- Enable remote domain override: Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. If there is no match, the specified domain will still be used.
- Vendor ID: Enter the vendor’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.
- Attribute ID: Enter the attribute ID of the above vendor for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name. |
Secure authentication | Enable if you want to use secure authentication to encrypt the passwords of email users when communicating with the server, and if the server supports it.
This option is not available for RADIUS authentication profiles. |
SSL | Enable if you want to use Secure Sockets Layer (SSL) to encrypt communications between the FortiMail unit and this server, and if the server supports it.
This option is not available for RADIUS authentication profiles. |
TLS | Enable if you want to use Transport Layer Security (TLS) to authenticate and encrypt communications between the FortiMail unit and this server, and if the server supports it.
This option is not available for RADIUS authentication profiles. |
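The remote access and domain overrides above depend on Fortinet vendor-specific attributes (vendor ID 12356, attribute 6 and attribute 3) in the RADIUS reply, and fall back to the configured value when the returned name does not exist on the unit. As an added example, not code from FortiMail, the following Python parses RFC 2865 Vendor-Specific attributes from a constructed Access-Accept attribute list and applies that rule; the profile and domain names (super_admin, helpdesk_ro, example.com) are assumed.

```python
import struct

# From the page: Fortinet's registered RADIUS vendor ID and the attribute IDs
# that can override an administrator's access profile and domain.
FORTINET_VENDOR_ID = 12356
ATTR_ACCESS_PROFILE = 6   # Fortinet-Access-Profile
ATTR_VDOM_NAME = 3        # Fortinet-Vdom-Name
RADIUS_VSA_TYPE = 26      # Vendor-Specific attribute (RFC 2865)

def encode_vsa(vendor_id, vtype, value):
    # One Vendor-Specific attribute: type 26, length, vendor id, vendor-type, vendor-length, value.
    inner = bytes([vtype, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + inner
    return bytes([RADIUS_VSA_TYPE, len(body) + 2]) + body

def parse_vsas(attrs, vendor_id):
    # Walk the attribute list; return {vendor-type: value} for the given vendor.
    # A malformed length stops parsing rather than reading past the buffer.
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            break
        value = attrs[i + 2:i + alen]
        if atype == RADIUS_VSA_TYPE and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == vendor_id:
            j = 4
            while j + 2 <= len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    break
                found[vtype] = value[j + 2:j + vlen].decode("utf-8", "replace")
                j += vlen
        i += alen
    return found

def resolve_override(returned, configured, existing):
    # Page rule: use the returned value only if it names an existing object; else keep the configured one.
    return returned if returned in existing else configured

# Constructed sample Access-Accept attribute list (not a capture from a real server).
SAMPLE_ATTRS = (encode_vsa(FORTINET_VENDOR_ID, ATTR_ACCESS_PROFILE, b"helpdesk_ro")
                + encode_vsa(FORTINET_VENDOR_ID, ATTR_VDOM_NAME, b"nosuch.example")
                + encode_vsa(9, 1, b"shell:priv-lvl=15"))  # another vendor's VSA: ignored

def apply_overrides(attrs=SAMPLE_ATTRS, existing_profiles=("super_admin", "helpdesk_ro"),
                    existing_domains=("system", "example.com")):
    vsa = parse_vsas(attrs, FORTINET_VENDOR_ID)
    return (resolve_override(vsa.get(ATTR_ACCESS_PROFILE), "super_admin", existing_profiles),
            resolve_override(vsa.get(ATTR_VDOM_NAME), "system", existing_domains))
```

With the sample reply, the access profile is overridden to helpdesk_ro, while the unknown domain name is ignored and the configured domain (system) is kept.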
To apply the authentication profile, you must select it in a policy. You may also need to configure access control rules, user accounts, and certificates. For details, see “Workflow to enable and configure authentication of email users” on page 541.
Configuring LDAP profiles
The LDAP submenu lets you configure LDAP profiles, which can query LDAP servers for authentication, email address mappings, and more.
Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match the server’s schema and/or contents, unintended mail processing behaviors can result, including bypassing antivirus scans. For details on preparing an LDAP directory for use with FortiMail LDAP profiles, see “Preparing your LDAP schema for FortiMail LDAP profiles” on page 568.
LDAP profiles each contain one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server. The LDAP profile list indicates which queries you have enabled in each LDAP profile.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.
To view the list of LDAP profiles, go to Profile > LDAP > LDAP.
Figure 225: Viewing the list of LDAP profiles
GUI item | Description |
Clone (button) | Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
Profile Name | Displays the name of the profile. |
Server | Displays the domain name or IP address of the LDAP server. |
Port | Displays the listening port of the LDAP server. |
Group | Indicates whether Group Query Options is enabled. |
Auth | Indicates whether User Authentication Options is enabled. |
Alias | Indicates whether User Alias Options is enabled. |
Routing | Indicates whether Mail Routing Options is enabled. |
AS/AV | Indicates whether AS/AV On/Off Options is enabled. |
Address Map | Indicates whether Address Mapping Options is enabled. |
Domain Lookup | Indicates whether Domain Lookup Options is enabled. |
Webmail | Indicates whether Enable webmail password change is enabled in this profile. |
Cache | Indicates whether query result caching is enabled. |
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
You can add an LDAP profile to define a set of queries that the FortiMail unit can use with an LDAP server. You might create more than one LDAP profile if, for example, you have more than one LDAP server, or you want to configure multiple, separate query sets for the same LDAP server.
After you have created an LDAP profile, LDAP profile options will appear in other areas of the FortiMail unit’s configuration. These options let you select the LDAP profile where you might otherwise create a reference to a configuration item stored locally on the FortiMail unit itself. These other configuration areas will only allow you to select applicable LDAP profiles, that is, those LDAP profiles in which you have enabled the query required by that feature. For example, if a feature requires a definition of user groups, you can select only from those LDAP profiles where Group Query Options are enabled.
To configure an LDAP profile
- Go to Profile > LDAP > LDAP.
- Click New to add a profile or double-click a profile to modify it.
A multisection dialog appears.
Figure 226: Configuring an LDAP profile
- Configure the following general settings:
GUI item | Description |
Profile name | For a new profile, enter its name. |
Server name/IP | Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.
Port: Enter the port number on which the LDAP server listens. The default port number varies by your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections. |
Fallback server name/IP | Optional. Enter the fully qualified domain name (FQDN) or IP address of an alternate LDAP server that the FortiMail unit can query if the primary LDAP server is unreachable.
Port: Enter the port number on which the fallback LDAP server listens. The default port number varies by your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections. |
Use secure connection | Select whether or not to connect to the LDAP servers using an encrypted connection.
- none: Use a non-secure connection.
- SSL: Use an SSL-secured (LDAPS) connection.
Click Test LDAP Query to test the connection. A pop-up window appears. For details, see “To verify user query options” on page 582.
Note: If your FortiMail unit is deployed in server mode, and you want to enable Enable webmail password change using an LDAP server that uses a Microsoft Active Directory-style schema, you must select SSL. Active Directory servers require a secure connection for queries that change user passwords. |
- Configure the following sections:
- “Configuring user query options” on page 551
- “Configuring group query options” on page 554
- “Configuring user authentication options” on page 556
- “Configuring user alias options” on page 557
- “Configuring mail routing” on page 561
- “Configuring antispam and antivirus options” on page 562
- “Configuring address mapping options” on page 563
- “Configuring domain lookup options” on page 564
- “Configuring advanced options” on page 566
Hi, in these instructions it states “personal black lists and white lists” on page 620.
Where can I get the book to view page 620?
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95.03 to 95.09. What is really checked in the headers? In our organization (government – 5000 users) we have lots of SPAM caught, but also lots of false positives caught by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, the default settings just catch anything (around 10 emails out of 150’000)… Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750’000… still no false positives.
Hello,
Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FWs between the SMTP gateway and the LDAP servers, we do not want to clear the whole cache.