Configuring security profiles
Go to Profile > Security to create transport layer security (TLS) profiles and encryption profiles.
This section includes:
- Configuring TLS security profiles
- Configuring encryption profiles
Configuring TLS security profiles
The TLS tab lets you create TLS profiles, which contain settings for TLS-secured connections.
TLS profiles, unlike other types of profiles, are applied through access control rules and message delivery rules, not policies. For more information, see “Controlling SMTP access and delivery” on page 456.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.
To view the list of TLS profiles, go to Profile > Security > TLS.
Figure 257: TLS tab
GUI item | Description
--- | ---
Clone (button) | Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.
Profile Name | Displays the name of the profile.
TLS Level | Displays the security level of the TLS connection. • None: Disables TLS. Requests for a TLS connection will be ignored. • Preferred: Allows a simple TLS connection, but does not require it. Data is not encrypted, nor is the identity of the server validated with a certificate. • Encrypt: Requires a basic TLS connection. Failure to negotiate a TLS connection results in the connection being rejected according to the Action on failure setting. • Secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections. For information on installing CA certificates, see “Managing certificate authority certificates” on page 354.
Action On Failure | Indicates the action the FortiMail unit takes when a TLS connection cannot be established, either: • Temporarily Fail: Reply to the SMTP client with a code indicating temporary failure. • Fail: Reject the email and reply to the SMTP client with SMTP reply code 550. This option does not apply and will be empty for profiles whose TLS Level is Preferred.
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.
To configure a TLS profile
- Go to Profile > Security > TLS.
- Either click New to add a profile or double-click a profile to modify it.
A dialog appears.
Figure 258: TLS profile dialog
- For a new profile, enter the name of the profile in Profile name.
- From TLS level, select the security level of the TLS profile:
- None: Disables TLS. Requests for a TLS connection will be ignored.
- Preferred: Allows a simple TLS connection, but does not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.
- Encrypt: Requires a basic TLS connection. Failure to negotiate a TLS connection results in the connection being rejected according to the Action on failure setting.
- Secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections.
The availability of the following options varies by your selection in TLS level.
- Configure the following, as applicable:
GUI item | Description
--- | ---
Action on failure | Select whether to fail or temporarily fail if a TLS connection with the parameters described in the TLS profile cannot be established. This option does not appear if TLS level is Preferred.
Check CA issuer | Enable and enter a string in the CA issuer field. The FortiMail unit will compare the string in the CA issuer field with the field of the same name in the installed CA certificates. This option appears only if TLS level is Secure.
CA issuer | Select the type of match required when the FortiMail unit compares the string in the CA issuer field and the same field in the installed CA certificates. For more information on CA certificates, see “Managing certificate authority certificates” on page 354. Check CA issuer must be enabled for CA issuer to have any effect. This option appears only if TLS level is Secure.
Lookup CA | To populate the CA issuer field with text from a CA certificate’s CA Issuer, select the name of a CA certificate that you have uploaded to the FortiMail unit.
Check certificate subject | Enable and enter a string in the Certificate subject field. The FortiMail unit will compare the string in the Certificate subject field with the field of the same name in the installed CA certificates. This option appears only if TLS level is Secure.
Certificate subject | Select the type of match required when the FortiMail unit compares the string in the Certificate subject field and the same field in the installed CA certificates. Check certificate subject must be enabled for Certificate subject to have any effect. This option appears only if TLS level is Secure.
Check encryption strength | Enable to require a minimum level of encryption strength. Also configure Minimum encryption strength. This option appears only if TLS level is Encrypt or Secure.
Minimum encryption strength | Enter the bit size of the encryption key. A greater key size results in stronger encryption, but requires more processing resources.
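To make the interaction of these settings concrete, here is an added Python model (not FortiMail code) of how a TLS profile's level, Action on failure, CA issuer and certificate subject checks, and minimum encryption strength combine to accept or reject one SMTP connection. The match types (`exact`, `contains`), the attribute names and the 454 reply for Temporarily Fail are assumptions; only the 550 reply for Fail is documented above.

```python
from dataclasses import dataclass

# Assumed reply for Temporarily Fail: 454 (RFC 3207, "TLS not available due to
# temporary reason"). 550 for Fail is the value documented in the table above.
REPLY = {"fail": 550, "temp_fail": 454}

@dataclass
class TLSProfile:
    level: str                        # "none", "preferred", "encrypt" or "secure"
    action_on_failure: str = "fail"   # "fail" or "temp_fail"
    check_ca_issuer: bool = False
    ca_issuer: str = ""
    check_cert_subject: bool = False
    cert_subject: str = ""
    match_type: str = "exact"         # assumed match types: "exact" or "contains"
    check_encryption_strength: bool = False
    min_encryption_strength: int = 0  # key size in bits

@dataclass
class Session:                        # what the SMTP peer negotiated (constructed input)
    tls_negotiated: bool
    cert_verified: bool = False       # chain validated against an installed CA certificate
    ca_issuer: str = ""
    cert_subject: str = ""
    key_bits: int = 0

def _matches(expected: str, actual: str, how: str) -> bool:
    # Assumed semantics of the "type of match" selector: exact or substring.
    return expected == actual if how == "exact" else expected in actual

def evaluate(p: TLSProfile, s: Session):
    """Return (accepted, smtp_reply_code_or_None, reason) for one connection."""
    if p.level in ("none", "preferred"):
        # None ignores TLS requests; Preferred never requires TLS, so no failure action applies.
        return True, None, "tls not required"
    code = REPLY[p.action_on_failure]
    if not s.tls_negotiated:                       # Encrypt and Secure both require TLS
        return False, code, "tls negotiation failed"
    if p.check_encryption_strength and s.key_bits < p.min_encryption_strength:
        return False, code, "key shorter than minimum encryption strength"
    if p.level == "secure":                        # certificate-authenticated TLS
        if not s.cert_verified:
            return False, code, "certificate not authenticated by an installed CA"
        if p.check_ca_issuer and not _matches(p.ca_issuer, s.ca_issuer, p.match_type):
            return False, code, "ca issuer mismatch"
        if p.check_cert_subject and not _matches(p.cert_subject, s.cert_subject, p.match_type):
            return False, code, "certificate subject mismatch"
    return True, None, "accepted"
```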
Hi, on these instructions it states “personal black lists and white lists” on page 620.
Where can I get the book to view page 620?
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95.03 to 95.09. What is really checked in the headers? In our organization (government – 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000)… Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750’000… still no false positives.
Hello,
Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FW between the SMTP Gateway and the LDAP servers, we do not want to clear the whole cache.