Configuring address mapping options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.
- Go to Profile > LDAP.
- Click New to create a new profile or double click on an existing profile to edit it.
- Click the arrow to expand the Address Mapping Options
Mappings usually should not translate an email address into one that belongs to an unprotected domain. However, unlike locally defined address mappings, this restriction is not enforced for mappings defined on an LDAP server.
After configuring a profile with this query, you must select it in order for the FortiMail unit to use it. For details, see “LDAP user alias / address mapping profile” on page 391.
Alternatively, you can configure email address mappings on the FortiMail unit itself. For details, see “Configuring address mappings” on page 444.
- Configure the following:
Figure 233:Address Mapping Options section
GUI item | Description |
Internal address attribute | Enter the name of the LDAP attribute, such as
internalAddress, whose value is an email address in the same or another protected domain. This email address will be rewritten into the value of the external address attribute according to the match conditions and effects described in Table 51 on page 445. The name of this attribute may vary by the schema of your LDAP directory. |
External address attribute Enter the name of the attribute, such as externalAddress, whose value is an email address in the same or another protected domain.
This email address will be rewritten into the value of the internal address attribute according to the match conditions and effects described in Table 51 on page 445.
The name of this attribute may vary by the schema of your LDAP directory.
Configuring domain lookup options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.
- Go to Profile > LDAP.
- Click New to create a new profile or double click on an existing profile to edit it.
- Click the arrow to expand the AS/AV On/Off Options
Organizations with multiple domains may maintain a list of domains on the LDAP server. The FortiMail unit can query the LDAP server to verify the domain portion of a recipient’s email address.
For this option to work, your LDAP directory should contain a single generic user for each domain such as generic@dom1.com because the FortiMail unit will only look at the domain portion of the generic user’s mail address, such as dom1.com.
When an SMTP session is processed, the FortiMail unit will query the LDAP server for the domain portion retrieved from the recipient email address. If the LDAP server finds a user entry, it will reply with the domain objects defined in the LDAP directory, including parent domain attribute, generic mail host attribute, generic antispam attribute, and generic antivirus attribute. The FortiMail unit will remember the mapping domain, mail routing, and antispam and antivirus profiles information to avoid querying the LDAP server again for the same domain portion retrieved from a recipient email address in the future.
If there are no antispam and antivirus profiles for the user, the FortiMail unit will use the antispam and antivirus profiles from the matching IP policy.
If the LDAP server does not find a user matching the domain, the user is considered as unknown, and the mail will be rejected unless it has a specific access list entry.
- Configure the following:
Figure 234:Domain Lookup Options section
GUI item | Description | |||
Domain Lookup Query | Enter an LDAP query filter that selects a set of domain objects, whichever object class contains the attribute you configured for this option, from the LDAP directory.
For details on query syntax, refer to any standard LDAP query filter reference manual. For this option to work, your LDAP directory should contain a single generic user for each domain. The user entry should be configured with attributes to represent the following: • parent domain from which a domain inherits the specific RCPT check settings and quarantine report settings. For example, parentDomain=parent.com For information on parent domain, see “Configuring protected domains” on page 380. • IP address of the backend mail server hosting the mailboxes of the domain. For example, mailHost=192.168.1.105 • antispam profile assigned to the domain. For example, genericAntispam=parentAntispam • antivirus profile assigned to the domain. For example, genericAntivirus=parentAntivirus |
|||
Parent domain attribute | Enter the name of the attribute, such as parentDomain, whose value is the name of the parent domain from which a domain inherits the specific RCPT check settings and quarantine report settings.
The name of this attribute may vary by the schema of your LDAP directory. |
|||
Generic mail host attribute | Enter the name of the attribute, such as mailHost, whose value is the IP address of the backend mail server hosting the mailboxes of the domain.
The name of this attribute may vary by the schema of your LDAP directory. |
|||
Generic AntiSpam attribute | Enter the name of the attribute, such as genericAntispam, whose value is the name of the antispam profile assigned to the domain.
The name of this attribute may vary by the schema of your LDAP directory. If you do not specify this attribute at all (that is, leave this field blank), the antispam profile in the matched recipient-based policy will be used. |
|||
Generic AntiVirus attribute | Enter the name of the attribute, such as genericAntivirus, whose value is the name of the antivirus profile assigned to the domain.
The name of this attribute may vary by the schema of your LDAP directory. If you do not specify this attribute at all (that is, leave this field blank), the antivirus profile in the matched recipient-based policy will be used. |
|||
Configuring advanced options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles” on page 548.
- Go to Profile > LDAP.
- Click New to create a new profile or double click on an existing profile to edit it.
- Click the arrow to expand the AS/AV On/Off Options
- Configure the following:
Figure 235:Advanced Options section
GUI item | Description | |||
Timeout | Enter the maximum amount of time in seconds that the FortiMail unit will wait for query responses from the LDAP server. | |||
Protocol version | Select the LDAP protocol version used by the LDAP server. | |||
Allow unauthenticated bind | Enable to perform queries in this profile without supplying a bind DN and password for the directory search.
Many LDAP servers require LDAP queries to be authenticated using a bind DN and password. However, if your LDAP server does not require the FortiMail unit to authenticate before performing queries, you may enable this option. |
|||
Enable cache | Enable to cache LDAP query results.
Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiMail unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently. If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching. |
|||
TTL | Enter the amount of time, in minutes, that the FortiMail unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiMail unit to query the LDAP server, refreshing the cache.
The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching. This option is applicable only if Enable cache is enabled. |
|||
Enable webmail password change | Enable if you want to allow FortiMail webmail users to change their password. | |||
Password schema | Select your LDAP server’s user schema style, either Openldap or Active Directory. | |||
Bypass recipient verification if server unavailable | If you have selected using LDAP server to verify recipient address in Mail Settings > Domains and your LDAP server is down, selecting this option abandons recipient address verification and the FortiMail unit will continue relaying email.
For more information about recipient address verification, see “Configuring recipient address verification” on page 387. |
|||
The LDAP profile appears in the LDAP profile list. To apply it, select the profile in features that support LDAP queries, such as protected domains and policies.
Before using the LDAP profile in other areas of the configuration, verify the configuration of each query that you have enabled in the LDAP profile. Incorrect query configuration can result in unexpected mail processing behavior. For information on testing queries, see “Testing LDAP profile queries” on page 576.
Hi, on these instructions it states “personal black lists and white lists” on page 620.”
Where can i get the book to view page 620??
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statisticaly on dozen of emails, all the values are always within range 95,03- 95,09. What is really checked in headers ? In our organization (government – 5000 users) we have lots of SPAM catched but also lots of false positive catched by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some addtional info regarding heuristic filter ? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.
Hello,
Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.