Using S/MIME encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. The FortiMail unit supports S/MIME encryption.
You can encrypt email messages with S/MIME between two FortiMail units. For example, if you want to encrypt and send an email from FortiMail unit A to FortiMail unit B, you need to do the following:
- On FortiMail unit A:
  - import the CA certificate. For details, see “Managing certificates” on page 346.
  - create an external certificate binding that holds FortiMail unit B’s certificate; the public key in that certificate is used to encrypt the email. For details, see “Configuring certificate bindings” on page 362.
  - create an S/MIME encryption profile. For details, see “Configuring encryption profiles” on page 594.
  - apply the S/MIME encryption profile in a policy to trigger S/MIME encryption, either by creating a message delivery rule that uses the S/MIME encryption profile (see “Configuring delivery rules” on page 464), or by creating a policy that includes a content profile containing a content action profile with an S/MIME encryption profile (see “Controlling email based on recipient addresses” on page 468, “Controlling email based on IP addresses” on page 475, “Configuring content action profiles” on page 535, and “Configuring content profiles” on page 526).
- On FortiMail unit B:
  - import the CA certificate. For details, see “Managing certificates” on page 346.
  - create an internal certificate binding and import both FortiMail unit B’s private key and certificate, so that email encrypted by FortiMail unit A can be decrypted with FortiMail unit B’s private key.
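The two-unit flow above, as an added example that is not part of this guide or of FortiMail itself: Python drives the openssl command-line tool so the roles are visible in one place. The CA, the host name mail-b.example.com and the message body are made up; unit B is the only party holding b.key, and unit A holds only the CA certificate and B's certificate.

```python
import subprocess
import tempfile
from pathlib import Path


def openssl(*args, cwd):
    # Run one openssl command in the working directory; a non-zero exit raises CalledProcessError.
    return subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def smime_roundtrip(body: bytes) -> tuple[bytes, bytes]:
    """Return (S/MIME envelope, decrypted body) for the sender/recipient flow described above."""
    with tempfile.TemporaryDirectory() as d:
        # The CA certificate that both units import (hypothetical CA, created here for the demo).
        openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                "-subj", "/CN=Example Mail CA", "-keyout", "ca.key", "-out", "ca.crt", cwd=d)
        # Unit B: its own key pair plus a certificate issued by that CA (internal binding).
        openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                "-subj", "/CN=mail-b.example.com", "-keyout", "b.key", "-out", "b.csr", cwd=d)
        openssl("x509", "-req", "-days", "1", "-in", "b.csr", "-CA", "ca.crt",
                "-CAkey", "ca.key", "-CAcreateserial", "-out", "b.crt", cwd=d)
        # Unit A holds only ca.crt and b.crt (external binding). It checks that B's
        # certificate chains to the imported CA before trusting the public key inside it.
        openssl("verify", "-CAfile", "ca.crt", "b.crt", cwd=d)
        Path(d, "msg.txt").write_bytes(body)
        # Unit A: encrypt to B's public key. -binary keeps the body byte-for-byte.
        openssl("smime", "-encrypt", "-binary", "-aes256", "-in", "msg.txt",
                "-out", "msg.p7m", "b.crt", cwd=d)
        # Unit B: only its private key can unwrap the content-encryption key.
        openssl("smime", "-decrypt", "-binary", "-in", "msg.p7m", "-inkey", "b.key",
                "-recip", "b.crt", "-out", "plain.txt", cwd=d)
        return Path(d, "msg.p7m").read_bytes(), Path(d, "plain.txt").read_bytes()


if __name__ == "__main__":
    envelope, plain = smime_roundtrip(b"Subject: quarterly figures\n\nconfidential body\n")
    print(envelope.decode().splitlines()[0])   # first MIME header of the encrypted envelope
    print(plain.decode())
```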
Configuring IP pools
The Profile > IP Pool tab displays the list of IP pool profiles.
IP pools define a range of IP addresses, and can be used in multiple ways:
- To define destination IP addresses of multiple protected SMTP servers if you want to load balance incoming email between them (see “Relay type” on page 384)
- To define source IP addresses used by the FortiMail unit if you want outgoing email to originate from a range of IP addresses (see “IP pool” on page 392)
- To define destination addresses used by the FortiMail unit if you want incoming email to be delivered to the virtual host on a range of IP addresses (see “IP pool” on page 392)
Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.
- An IP pool in an IP policy will be used to deliver incoming email from FortiMail to the protected server. It will also be used to deliver outgoing email if the sender domain does not have a delivery IP pool, or if it has one but Take precedence over recipient based policy match is enabled in the IP-based policy.
- An IP pool (either in an IP policy or in domain settings) will NOT be used to deliver email to the protected domain servers if the mail flow is from internal to internal domains.
- When an email message’s MAIL FROM is empty (“<>”), the email is normally an NDR or DSN bounce message. FortiMail checks the IP address of the sending device against the IP list of the protected domains. If the sender IP is found in that list, the mail flow is treated as internal to internal and the rule above applies (the IP pool is skipped). FortiMail also skips the DNS query if the servers of the protected domains are configured as host names and MX records.
To access this part of the web UI, your administrator account’s:
- Domain must be System
- access profile must have Read or Read-Write permission to the Policy
For details, see “About administrator account permissions and domains” on page 290.
To manage IP pool profiles
- Go to Profile > IP Pool > IP Pool.
- Either click New to add a profile or double-click a profile to modify it.
- For a new profile, enter a name in Pool name.
The name must contain only alphanumeric characters, hyphens ( - ) and underscores ( _ ). Spaces are not allowed.
- Under IP Ranges, click New.
Fields appear beneath Start IP and Range.
- In Start IP, enter the IP address that begins the range of IP addresses that will be used for this IP pool.
- In Range, enter the total number of IP addresses in the contiguous range of the IP pool, including that of the Start IP.
For example, if Start IP is 10.0.0.3 and Range is 5, the IP pool will contain the IP addresses 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6, and 10.0.0.7.
- To include additional ranges of IP addresses in this IP pool, repeat the previous steps. To remove a range of IP addresses from this IP pool, select the range and click Delete.
- Click Create or OK.
To apply the IP pool, select it in a protected domain or IP-based policy. For details, see “Relay type” on page 384, “IP pool” on page 392, and/or “IP Pool” on page 478.
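The Start IP / Range arithmetic and the round-robin behaviour described above, as an added example that is not part of this guide or of FortiMail: the pool name rule, expansion of each (Start IP, Range) entry into addresses, and wrap-around to the first address after the last one. Pool names and the second range are made up; the 10.0.0.3 / 5 case is the one from the text.

```python
import ipaddress
import re

# Pool names follow the rule in the text: alphanumerics, hyphens and underscores only.
POOL_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def expand_range(start_ip: str, count: int) -> list[str]:
    """Return the `count` contiguous addresses beginning at `start_ip`, start included."""
    if count < 1:
        raise ValueError("Range must be at least 1")
    first = ipaddress.ip_address(start_ip)
    # Integer arithmetic on the address carries across octet boundaries (e.g. .255 -> next .0).
    return [str(first + offset) for offset in range(count)]


class IPPool:
    """An IP pool built from one or more (Start IP, Range) entries, handed out round-robin."""

    def __init__(self, name: str, ranges: list[tuple[str, int]]):
        if not POOL_NAME.match(name):
            raise ValueError(f"invalid pool name: {name!r}")
        self.name = name
        self.addresses = [ip for start, count in ranges for ip in expand_range(start, count)]
        self._next = 0  # index of the address the next email will use

    def next_address(self) -> str:
        """Return the next address; after the last one the pool wraps to the first."""
        ip = self.addresses[self._next]
        self._next = (self._next + 1) % len(self.addresses)
        return ip


if __name__ == "__main__":
    pool = IPPool("outbound-pool_1", [("10.0.0.3", 5)])   # the example from the text
    print([pool.next_address() for _ in range(7)])         # wraps back to 10.0.0.3
```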
Configuring email and IP groups
The Profile > Group tab displays the list of email and IP group profiles.
To access this part of the web UI, your administrator account’s:
- Domain must be System
- access profile must have Read or Read-Write permission to the Policy
For details, see “About administrator account permissions and domains” on page 290.
Configuring email groups
Email groups include groups of email addresses that can be used when configuring access control rules. For information about access control rules, see “Configuring access control rules” on page 456.
To configure email groups
- Go to Profile > Group > Email Group.
- Either click New to add a profile or double-click a profile to modify it.
A dialog appears.
- For a new group, enter a name for this email group.
The name must contain only alphanumeric characters. Spaces are not allowed.
- In New member, enter the email address of a group member and click -> to move the address to the Current members list.
You can also use wildcards to enter partial patterns that match multiple email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.
For example, the pattern ??@*.com will match any email user with a two letter email user name from any “.com” domain name.
Configuring IP groups
IP groups include groups of IP addresses that can be used when configuring access control rules. For information about access control rules, see “Configuring access control rules” on page 456.
To configure an IP group
- Go to Profile > Group > IP Group.
- Either click New to add a profile or double-click a profile to modify it.
A dialog appears.
- For a new group, enter a name in Group name.
The name must contain only alphanumeric characters. Spaces are not allowed.
- Under IP Groups, click New.
A field appears under IP/Netmask.
- Enter the IP address and netmask of the group. Use the netmask, the portion after the slash (/), to specify the matching subnet.
For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.
Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.
To match any address, enter 0.0.0.0/0.
- Click Create.
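The two membership rules from the group sections above (email group wildcards, where * means one or more characters and ? exactly one, and IP group entries, where the netmask selects the subnet and the table shows the zeroed form), as an added example that is not part of this guide or of FortiMail. Case-insensitive email matching is an assumption made here; the addresses and entries are constructed.

```python
import ipaddress
import re


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile an email group pattern: '*' = one or more characters, '?' = one character."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".+")      # one or more, as the text defines it (not zero)
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))  # '.' and other characters stay literal
    # Case-insensitive matching is an assumption; the text does not state it.
    return re.compile("".join(pieces), re.IGNORECASE)


def email_in_group(address: str, members: list[str]) -> bool:
    """True if the address matches any member entry (literal or wildcard pattern)."""
    return any(wildcard_to_regex(m).fullmatch(address) for m in members)


def normalize_ip_entry(entry: str) -> str:
    """Show an IP/netmask entry as the rule table does: host bits zeroed, e.g. 10.10.10.0/24."""
    return str(ipaddress.ip_network(entry, strict=False))


def ip_in_group(ip: str, entries: list[str]) -> bool:
    """True if the address falls inside any IP/netmask entry of the group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


if __name__ == "__main__":
    print(email_in_group("jo@example.com", ["??@*.com"]))      # True
    print(normalize_ip_entry("10.10.10.10/24"))                # 10.10.10.0/24
    print(ip_in_group("10.10.10.200", ["10.10.10.10/24"]))     # True
```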
Configuring notification profiles
When FortiMail takes action against email messages, you may want to inform the email senders, recipients, or other users of the action taken, that is, what happened to the email.
To do this, you create notification profiles and then use them in antispam, antivirus, and content action profiles. For details, see “Configuring antispam action profiles” on page 516, “Configuring antivirus action profiles” on page 522, and “Configuring content action profiles” on page 535.
Figure 261: Creating a notification profile
To create a notification profile
- Go to Profile > Notification. If you have created some notification profiles, you can view, clone, edit, or delete them there.
- Click New to create a profile.
- For Name, enter a profile name.
- Choose whom you want to send the notification to: sender, recipient, or other users. If you choose Others, you can manage the email list by using the Add and Remove buttons.
- Select an email template to use. You can also click New to create a new template or click Edit to modify an existing template. For details about email templates, see “Customizing email templates” on page 288.
- Optionally select Include original message as attachment.
- Click OK.
Hi, on these instructions it states “personal black lists and white lists” on page 620.
Where can I get the book to view page 620?
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95.03 - 95.09. What is really checked in headers? In our organization (government, 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000)… Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750’000… still no false positives.
Hello,
Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FW between the SMTP Gateway and the LDAP servers, we do not want to clear the whole cache.