Configuring Profiles

Configuring user authentication options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.

  1. Go to Profile > LDAP.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the User Authentication Options section.

For more information on authenticating users by LDAP query, see “Controlling email based on recipient addresses” on page 468.

  4. Configure the following:

Figure 229: User Authentication Options section

GUI item                                Description

Try UPN or mail address as bind DN Select to form the user’s bind DN by prepending the user name portion of the email address ($u) to the User Principal Name (UPN, such as example.com).

By default, the FortiMail unit uses the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in the field named Alternative UPN suffix. This can be useful if users authenticate with a domain other than the mail server’s principal domain name.

Try common name with base DN as bind DN Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute, such as cn or uid into the field.

This option is preconfigured and read-only if, in User Query Options, you have selected from Schema any schema style other than User Defined.

Search user and try bind DN Select to form the user’s bind DN by using the DN retrieved for that user by User Query Options.

Configuring user alias options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.

  1. Go to Profile > LDAP.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the User Alias Options section.

Resolving aliases to real email addresses enables the FortiMail unit to send a single quarantine report and maintain a single quarantine mailbox at each user’s primary email account, rather than sending separate quarantine reports and maintaining separate quarantine mailboxes for each alias email address. For FortiMail units operating in server mode, this means that users need only log in to their primary account in order to manage their spam quarantine, rather than logging in to each alias account individually.

For more information on resolving email aliases by LDAP query, see “LDAP user alias / address mapping profile” on page 391.

  4. Configure the following:

Figure 230: User Alias Options

GUI item Description
Schema If your LDAP directory’s user alias objects use a common schema style:

•      NisMailAlias

•      MS Active Directory

•      Lotus Domino

select the schema style. This automatically configures the query string to match that schema style.

If your LDAP server uses any other schema style, select User Defined, then manually configure the query string.

Base DN Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for either alias or user objects.

User or alias objects should be child nodes of this location.

Whether you should specify the base DN of either user objects or alias objects varies by your LDAP schema style. Schema may resolve alias email addresses directly or indirectly (using references).

•      With a direct resolution, alias objects directly contain one or more email address attributes, such as mail or rfc822MailMember, whose values are user email addresses such as user@example.com, and that resolves the alias. The Base DN, such as ou=Aliases,dc=example,dc=com, should contain alias objects.

•      With an indirect resolution, alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are “members” of the alias “group.” User objects’ email address attribute values, such as user@example.com, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member” attributes whose value is the DN of a user object, such as uid=user,ou=People,dc=example,dc=com. The FortiMail unit performs a first query to retrieve the distinguished names of “member” user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such as ou=People,dc=example,dc=com, should contain user objects.

Bind DN Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN.

This field may be optional if your LDAP server does not require the FortiMail unit to authenticate when performing queries, and if you have enabled Allow unauthenticated bind. For details, see “Allow unauthenticated bind” on page 567.

Bind password Enter the password of the Bind DN.

Alias member attribute Enter the name of the attribute, such as mail or rfc822MailMember, whose value is an email address to which the email alias resolves, such as user@example.com.

This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly. For more information, see “Base DN” on page 558.

This option is preconfigured and read-only if, in User Alias Options, you have selected from Schema any schema style other than User Defined.

Alias member query Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in Alias member attribute, from the LDAP directory.

This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

The query string filters the result set, and should be based upon any attributes that are common to all user/alias objects but also exclude non-user/alias objects. For details, see “Alias member query example” on page 560.

For more information on required object types and their attributes, see “Preparing your LDAP schema for FortiMail LDAP profiles” on page 568.

For details on query syntax, refer to any standard LDAP query filter reference manual.

User group expansion In advance Enable if your LDAP schema resolves email aliases indirectly. For more information on direct versus indirect resolution, see “Base DN” on page 558.

When this option is disabled, alias resolution occurs using one query. The FortiMail unit queries the LDAP directory using the Base DN and the Alias member query, and then uses the value of each Alias Member Attribute to resolve the alias.

When this option is enabled, alias resolution occurs using two queries:

•      The FortiMail unit first performs a preliminary query using the Base DN and Group member query, and uses the value of each Group member attribute as the base DN for the second query.

•      The FortiMail unit performs a second query using the distinguished names from the preliminary query (instead of the Base DN) and the Alias member query, and then uses the value of each Alias member attribute to resolve the alias.

The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references in the form of distinguished names of member user objects, rather than directly containing email addresses to which the alias resolves. In this case, the FortiMail unit must first “expand” the alias object into its constituent user objects before it can resolve the alias email address.

This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

Group member attribute Enter the name of the attribute, such as member, whose value is the DN of a user object.

This attribute must be present in alias objects only if they do not contain an email address attribute specified in Alias member attribute.

This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.

Group member query Enter an LDAP query filter that selects a set of alias objects, represented as a group of member objects in the LDAP directory.

The query string filters the result set, and should be based upon any attributes that are common to all alias objects but also exclude non-alias objects.

For example, if alias objects in your directory have two distinguishing characteristics, their objectClass and proxyAddresses attributes, the query filter might be:

(&(objectClass=group)(proxyAddresses=smtp:$m))

where $m is the FortiMail variable for an email address.

This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.

For details on query syntax, refer to any standard LDAP query filter reference manual.

Scope Select which level of depth to query, starting from Base DN.

•      One level: Query only the one level directly below the Base DN in the LDAP directory tree.

•      Subtree: Query recursively all levels below the Base DN in the LDAP directory tree.

Derefer Select the method to use, if any, when dereferencing attributes whose values are references.

•      Never: Do not dereference.

•      Always: Always dereference.

•      Search: Dereference only when searching.

•      Find: Dereference only when finding the base search object.

Max alias expansion level Enter the maximum number of alias nesting levels that the FortiMail unit will expand.
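The direct and indirect resolution paths described under Base DN and User group expansion In advance, modelled as an added example (not FortiMail code) over a constructed in-memory directory. Query filters are modelled as AND-ed attribute/value pairs carrying the $m placeholder rather than parsed LDAP filter strings, nisMailAlias entries are assumed to be keyed by the alias local part in cn, and the indirect path applies the Max alias expansion level and a cycle guard:

```python
Entry = dict[str, list[str]]
Filter = dict[str, str]  # AND-ed attribute=value pairs; "$m" stands for the email address
# Constructed sample directory (DN -> attributes), not real data.
DIRECTORY: dict[str, Entry] = {
    "cn=sales,ou=Aliases,dc=example,dc=com": {  # direct: the alias object carries the addresses
        "objectClass": ["nisMailAlias"], "cn": ["sales"], "rfc822MailMember": ["alice@example.com"]},
    "cn=staff,ou=Groups,dc=example,dc=com": {  # indirect: the alias holds member DNs
        "objectClass": ["group"], "proxyAddresses": ["smtp:staff@example.com"],
        "member": ["uid=alice,ou=People,dc=example,dc=com", "cn=managers,ou=Groups,dc=example,dc=com"]},
    "cn=managers,ou=Groups,dc=example,dc=com": {  # nested alias that refers back to staff (a cycle)
        "objectClass": ["group"], "proxyAddresses": ["smtp:managers@example.com"],
        "member": ["uid=carol,ou=People,dc=example,dc=com", "cn=staff,ou=Groups,dc=example,dc=com"]},
    "uid=alice,ou=People,dc=example,dc=com": {"objectClass": ["person"], "mail": ["alice@example.com"]},
    "uid=carol,ou=People,dc=example,dc=com": {"objectClass": ["person"], "mail": ["carol@example.com"]},
}

def search(base_dn: str, flt: Filter, address: str, scope: str) -> list[tuple[str, Entry]]:
    """Entries within scope ('base', 'onelevel' or 'subtree') of base_dn that match every filter pair."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        rel = dn[:-len(base_dn) - 1] if dn.endswith("," + base_dn) else None  # RDNs below base_dn
        in_scope = {"base": dn == base_dn, "onelevel": rel is not None and "," not in rel,
                    "subtree": rel is not None or dn == base_dn}[scope]
        if in_scope and all(v.replace("$m", address) in attrs.get(a, []) for a, v in flt.items()):
            hits.append((dn, attrs))
    return hits

def resolve_direct(base_dn: str, address: str, alias_query: Filter, alias_attr: str) -> list[str]:
    """One query: the matching alias object itself holds the member addresses."""
    return [m for _, e in search(base_dn, alias_query, address, "subtree") for m in e.get(alias_attr, [])]

def resolve_indirect(base_dn: str, address: str, group_query: Filter, group_attr: str,
                     alias_query: Filter, alias_attr: str, max_level: int = 1) -> list[str]:
    """Two queries: match the group-like alias, then read alias_attr from each member DN; a member
    that itself carries group_attr is a nested alias and is expanded only up to max_level."""
    found: list[str] = []
    groups = search(base_dn, group_query, address, "subtree")
    seen: set[str] = {dn for dn, _ in groups}  # stops cycles such as staff -> managers -> staff
    def expand(member_dns: list[str], level: int) -> None:
        for dn in member_dns:
            if dn in seen:
                continue
            seen.add(dn)
            entry = DIRECTORY.get(dn, {})
            if group_attr not in entry:  # a user object: second query with the member DN as base
                for _, e in search(dn, alias_query, address, "base"):
                    found.extend(e.get(alias_attr, []))
            elif level < max_level:  # a nested alias, expanded only within the allowed depth
                expand(entry[group_attr], level + 1)
    expand([dn for _, g in groups for dn in g.get(group_attr, [])], 1)
    return found
```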

6 thoughts on “Configuring Profiles”

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.

    Where can I get the book to view page 620?
  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically on dozens of emails, all the values are always within the range 95.03 to 95.09. What is really checked in the headers? In our organization (government, 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…
    1. Mike (post author)

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

  3. Dormond

    Hello,
    Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000). Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750’000… still no false positives.
  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FWs between the SMTP Gateway and the LDAP servers, we do not want to clear the whole cache.