Tag Archives: administration guide

RADIUS Single Sign On – FortiAuthenticator 4.0

RADIUS Single Sign-On

A FortiGate or FortiMail unit can transparently identify users who have already authenticated on an external RADIUS server by parsing RADIUS accounting records. However, this approach has potential difficulties:

  • The RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.
  • In some cases, the server can send accounting records only to a single endpoint. Some network topologies may require multiple endpoints.

The FortiAuthenticator RADIUS Accounting Proxy overcomes these limitations by proxying the RADIUS accounting records, modifying them, and replicating them to the multiple subscribing endpoints as needed.

RADIUS accounting proxy

The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and then forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On. This differs from the packet use of RADIUS accounting (RADIUS accounting on page 115).

The accounting proxy needs to know:

l Rule sets to define or derive the RADIUS attributes that the FortiGate unit requires, l The source of the RADIUS accounting records: the RADIUS server, l The destination(s) of the accounting records: the FortiGate units using this information for RADIUS SSO authentication.

General settings

General RADIUS accounting proxy settings can be configure by going to Fortinet SSO Methods > Accounting Proxy > General.

The following settings are available:

Log level Select Debug, Info, Warning, or Error as the minimum severity level of event to log from the drop-down list.
Group cache lifetime Enter the amount of time after which user group memberships will expire in the cache, from 1 to 10080 minutes (7 days). The default is 480 minutes.
Number of proxy retries Enter the number of times to retry proxy requests if they timeout, from 0 to 3 retries, where 0 disables retries. The default is 3 retries.
Proxy retry timeout Enter the retry period (timeout) of a proxy request, from 1 to 10 seconds.
Statistics update period Enter the time between statistics updates to the seconds debug log, from 1 to 3600 seconds (1 hour).

Select OK to apply your changes.

accounting proxy                                                                                                                 RADIUS

Rule sets

A rule set can contain multiple rules. Each rule can do one of:

l add an attribute with a fixed value l add an attribute retrieved from a user’s record on an LDAP server l rename an attribute to make it acceptable to the accounting proxy destination.

The FortiAuthenticator unit can store up to 10 rule sets. You can provide both a name and a description to each rule set to help you remember each rule set’s purpose.

Rules access RADIUS attributes of which there are both standard attributes and vendor-specific attributes (VSAs). To select a standard attribute, select the Default vendor. See RADIUS attributes on page 72.

To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.

To add RADIUS accounting proxy rule sets:

  1. From the rule set list, select Create New. The Create New Rule Set window opens.
  2. Enter the following information:
Name Enter a name to use when selecting this rule set for an accounting proxy destination.
Description Optionally, enter a brief description of the rule’s purpose.
Rules Enter one or more rules.

Single Sign-On                                                                                      RADIUS accounting proxy

Action The action for each rule can be either Add or Modify.

Add: add either a static value or a value derived from an LDAP server.

Modify: rename an attribute.

Attribute Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Attribute 2 If the action is set to Modify, a second attribute may be selected. The first attribute will be renamed to the second attribute.
Value Type If the action is set to Add, select a value type from the drop-down list.

Static value: adds the attribute in the Attribute field containing the static value in the Value field.

Group names: adds attribute in the Attribute field containing “Group names” from the group membership of the Username Attribute on the remote LDAP server. l Services: adds attribute in the Attribute field containing “Services” from the group membership of the Username Attribute on the remote LDAP server.

UTM profile groups: adds attribute in the Attribute field containing “UTM profile groups” from the group membership of the Username Attribute on the remote LDAP server.

Value If the action is set to Add and Value Type is set to Static value, enter the static value.
Username

Attribute

If the action is set to Add, and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Remote LDAP If the attribute addition requires an LDAP server, select one from the dropdown list. See LDAP on page 88 for information on remote LDAP servers.
Description A brief description of the rule is provided.
Add another rule Select to add another rule to the rule set.
  1. Select OK to create the new rule set.
Example rule set

The incoming accounting packets contain the following fields:

  • User-Name l NAS-IP-Address l Fortinet-Client-IP-Address

The outgoing accounting packets need to have these fields:

accounting proxy                                                                                                                 RADIUS

  • User-Name l NAS-IP-Address l Fortinet-Client-IP-Address l Session-Timeout: Value is always 3600 l Fortinet-Group-Name: Value is obtained from user’s group membership on remote LDAP l Service-Type: Value is obtained from user’s group membership and SSO Group Mapping

The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and Service-Type. The following image provides an example:

Sources

The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed.

To add a RADIUS accounting proxy source:

  1. From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
  2. Enter the following information:
Name                                         Enter           the           name           of           the

This is used in FortiAuthenticator configurations.

RADIUS server.

Single Sign-On                                                                                      RADIUS accounting proxy

Source name/IP Enter the FQDN or IP address of the server.
Secret Enter the shared secret required to access the server.
Description Optionally, enter a description of the source.
  1. Select OK to add the RADIUS accounting proxy source.

Destinations

The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.

To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations.

To add a RADIUS accounting proxy destinations:

  1. From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
  2. Enter the following information:
Name Enter a name to identify the destination device in your configuration.
Destination name/IP Enter The FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
Secret Enter the preshared key of the destination.
Source Select a RADIUS client defined as a source from the drop-down list. See Sources on page 127.
Rule set Select an appropriate rule set from the drop-down list or select Create New to create a new rule set. See Rule sets on page 125.
  1. Select OK to add the RADIUS accounting proxy destination.

FortiAuthenticator 4.0 Authentication

Authentication

FortiAuthenticator provides an easy to configure authentication server for your users. Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken device management.

FortiAuthenticatorin a multiple FortiGate unit network

This chapter includes the following topics:

l What to configure l User account policies l User management l FortiToken devices and mobile apps l Self-service portal l Remote authentication servers l RADIUS service l LDAP service l FortiAuthenticator Agents

What to configure

You need to decide which elements of FortiAuthenticator configuration you need.

  • Determine the type of authentication you will use: password-based or token-based. Optionally, you can enable both types. This is called two-factor authentication.

What to configure

  • Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these server types.
  • Determine which FortiGate units or third party devices will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit or third party device must be configured on the FortiAuthenticator unit as an authentication client.

Password-based authentication

User accounts can be created on the FortiAuthenticator device in multiple ways:

l Administrator creates a user and specifies their username and password. l Administrator creates a username and a random password is automatically emailed to the user. l Users are created by importing either a CSV file or from an external LDAP server.

Users can self-register for password-based authentication. This reduces the workload for the system administrator. Users can choose their own passwords or have a randomly generated password provided in the browser or sent to them via email or SMS. Self-registration can be instant, or it can require administrator approval. See Self-registration on page 76.

Once created, users are automatically part of the RADIUS Authentication system and can be authenticated remotely.

See User management on page 57 for more information about user accounts.

Two-factor authentication

Two-factor authentication increases security by requiring multiple pieces of information on top of the username and password. There are generally two factors:

  • something the user knows, usually a password, l something the user has, such as a FortiToken device.

Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user.

To enable two-factor authentication, configure both password-based and token-based authentication in the user’s account.

FortiAuthenticator token-based authentication requires the user to enter a numeric token at login. Two types of numerical tokens are supported:

  • Time based: TOTP (RFC 6238)

The token passcode is generated using a combination of the time and a secret key which is known only by the token and the FortiAuthenticator device. The token password changes at regular time intervals, and the FortiAuthenticator unit is able to validate the entered passcode using the time and the secret seed information for that token.

Passcodes can only be used a single time (one time passcodes) to prevent replay attacks. Fortinet has the following time based tokens:

  • FortiToken 200 l FortiToken Mobile, running on a compatible smartphone l Event based: HMAC-based One Time Password (HTOP) (RFC 4226) What to configure

The token passcode is generated using an event trigger and a secret key. Event tokens are supported using a valid email account and a mobile phone number with SMS service.

FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be configured in the user’s account.

Only the administrator can configure token-based authentication. See Configuring token based authentication on page 62.

Authentication servers

The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of remote RADIUS and LDAP (which can include Windows AD servers).

The built-in servers are best used where there is no existing authentication infrastructure, or when a separate set of credentials is required. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street addresses and phone numbers that cannot be stored in a FortiGate unit’s user authentication database. To authenticate, either LDAP or RADIUS can be used. The remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to remote LDAP.

RADIUS

If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as RADIUS authentication clients in Authentication > RADIUS Service > Clients. See RADIUS service on page 91. On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User & Device > Authentication > RADIUS Server.

Built-in LDAP

If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the directory tree on page 96. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User & Device > Authentication > LDAP Server.

Remote LDAP

Remote LDAP is used when an existing LDAP directory exists and should be used for authentication. User information can be selectively synchronised with the FortiAuthenticator unit, but the user credentials (passwords) remain on, and are validated against the LDAP directory.

To utilize remote LDAP, the authentication client (such as a FortiGate device) must connect to the

FortiAuthenticator device using RADIUS to authenticate the user information (see

User & Device > Authentication > RADIUS Server). The password is then proxied to the LDAP server for validation, while any associated token passcode is validated locally.

Machine authentication

Machine, or computer, authentication is a feature of the Windows supplicant that allows a Windows machine to authenticate to a network via 802.1X prior to user authentication.

Machine authentication is performed by the computer itself, which sends its computer object credentials before the Windows logon screen appears. User authentication is performed after the user logs in to Windows.

User account policies

Based on the computer credentials provided during machine authentication, limited access to the network can be granted. For example, access can be granted to just the Active Directory server to enable user authentication.

Following machine authentication, user authentication can take place to authenticate that the user is also valid, and to then grant further access to the network.

Machine authentication commonly occurs on boot up or log out, and not, for example, when a device awakens from hibernation. Because of this, the FortiAuthenticator caches authenticated devices based on their MAC addresses for a configurable period (see General on page 54). For more information on cached users, see Windows device logins on page 131

To configure machine authentication, see Clients on page 92.

FortiAuthenticator 4.0 System

System

The System tab enables you to manage and configure the basic system options for the FortiAuthenticator unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, managing and updating firmware for the device, and managing messaging servers and services.

The System tab provides access to the following menus and sub-menus:

Dashboard Select this menu to monitor, and troubleshoot your FortiAuthenticator device. Dashboard widgets include: l System Information widget l System Resources widget l Authentication Activity widget l User Inventory widget l HA Status l License Information widget l Disk Monitor l Top User Lockouts widget
Network Select this menu to configure your FortiAuthenticator interfaces and network settings. l Interfaces

l   DNS

l   Static routing l Packet capture

Administration Select this menu to configure administrative settings for the FortiAuthenticator device. l GUI access

l   High availability l Firmware l Automatic backup

l   SNMP

l   Licensing l FortiGuard l FTP servers l Administration

Messaging Select this menu to configure messaging servers and services for the FortiAuthenticator device. l SMTP servers l E-mail services l SMS gateways

Dashboard

When you select the System tab, it automatically opens at the System > Dashboard page.

The Dashboard page displays widgets that provide performance and status information and enable you to configure some basic system settings. These widgets appear on a single dashboard.

The following widgets are available:

System Information Displays basic information about the FortiAuthenticator system including host name, DNS domain name, serial number, system time, firmware version, architecture, system configuration, current administrator, and up time.

From this widget you can manually update the FortiAuthenticator firmware to a different release. For more information, see System Information widget on page 25.

System Resources Displays the usage status of the CPU and memory. For more information, see System Resources widget on page 29.
Authentication Activity Displays a customizable graph of the number of logins to the device. For more information, see Authentication Activity widget on page 29.
User Inventory Displays the numbers of users, groups, FortiTokens, FSSO users, and FortiClient users currently used or logged in, as well as the maximum allowed number, the number still available, and the number that are disabled.

For more information, see User Inventory widget on page 29.

HA Status Displays whether or not HA is enabled.
License Information Displays the device’s license information, as well as SMS information. For more information, see License Information widget on page 29.
Disk Monitor Displays if RAID is enabled, and the current disk usage in GB.
Top User Lockouts Displays the top user lockouts. For more information, see Top User Lockouts widget on page 30.

Customizing the dashboard

The FortiAuthenticator system settings dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.

To move a widget

Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To add a widget

In the dashboard toolbar, select Add Widget, then select the name of widget that you want to show. Multiple widgets of the same type can be added. To hide a widget, in its title bar, select the Close icon.

To see the available options for a widget

Position your mouse cursor over the icons in the widget’s title bar. Options include show/hide the widget, edit the widget, refresh the widget content, and close the widget.

The following table lists the widget options.

Show/Hide arrow Display or minimize the widget.
Widget Title The name of the widget.
Edit Select to change settings for the widget.

This option appears only in certain widgets.

Refresh Select to update the displayed information.
Close Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget, select Widget in the toolbar and then select the name of the widget you want to show.
To change the widget title

Widget titles can be customized by selecting the edit button in the title bar and entering a new title in the widget settings dialog box. Some widgets have more options in their respective settings dialog box.

To reset a widget title to its default name, simply leave the Custom widget title field blank.

The widget refresh interval can also be manually adjusted from this dialog box.

System Information widget

The system dashboard includes a System Information widget, which displays the current status of the FortiAuthenticator unit and enables you to configure basic system settings.

The following information is available on this widget:

Host Name The identifying name assigned to this FortiAuthenticator unit. For more information, see Changing the host name on page 26.
DNS Domain Name The DNS domain name. For more information, see Changing the DNS domain name on page 27.
Serial Number The serial number of the FortiAuthenticator unit. The serial number is unique to the FortiAuthenticator unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
System Time The current date, time, and time zone on the FortiAuthenticator internal clock or NTP server. For more information, see Configuring the system time, time zone, and date on page 27.
Firmware Version The version number and build number of the firmware installed on the FortiAuthenticator unit. To update the firmware, you must download the latest version from the Customer Service & Support portal at https://support.fortinet.com. Select Update and select the firmware image to load from your management computer.
Architecture The architecture of the device, such as 32-bit.
System Configuration The date of the last system configuration backup. Select Backup/Restore to backup or restore the system configuration. For more information, see Backing up and restoring the configuration on page 28.
Current Administrator The name of the currently logged on administrator.
Uptime The duration of time the FortiAuthenticator unit has been running since it was last started or restarted.
Shutdown/Reboot Options to shutdown or reboot the device. When rebooting or shutting down the system, you have the option to enter a message that will be added to the event log explaining the reason for the shutdown or reboot.
Changing the host name

The System Information widget will display the full host name.

To change the host name:

  1. Go to System > Dashboard.
  2. In the System Information widget, in the Host Name field, select Change. The Edit Host Name page opens.
  3. In the Host name field, type a new host name.

The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.

  1. Select OK to save the setting.

FortiAuthenticator 4.0 Setup

Setup

For information about installing the FortiAuthenticator unit and accessing the CLI or GUI, refer to the Quick Start Guide provided with your unit.

This chapter provides basic setup information for getting started with your FortiAuthenticator device. For more detailed information about specific system options, see System on page 23.

The following topics are included in this section:

  • Initial setup l Adding a FortiAuthenticator unit to your network l Maintenance l CLI commands
  • Troubleshooting

Initial setup

The following section provides information about setting up the Virtual Machine (VM) version of the product.

FortiAuthenticator VM setup

Before using FortiAuthenticator-VM, you need to install the VMware application to host the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM assume you are familiar with VMware products and terminology.

System requirements

For information on the FortiAuthenticator-VM system requirements, please see the product datasheet available at http://www.fortinet.com/products/fortiauthenticator.

FortiAuthenticator-VM has kernel support for more than 4GB of RAM in VM images. However, this support also depends on the VM player version. For more information, see: http://kb.vmware.com/selfservice/microsites/search.do?language=en_

US&cmd=displayKC&externalId=1014006

The default Hardware Version is 4 to support the widest base of VM players. However you can modify the VM Hardware Version by editing the following line in the FortiAuthenticator-VM.vmx file:

virtualHW.version = “4”

FortiAuthenticator-VM image installation and initial setup

The following procedure describes setup on VMware Fusion.

 

Initial setup

To set up the FortiAuthenticator VM image:

  1. Download the VM image ZIP file to the local computer where VMware is installed.
  2. Extract the files from the zip file into a folder.
  3. In your VMware software, go to File > Open.
  4. Navigate to the expanded VM image folder, select the FortiAuthenticator-VM.vmx file, and select Open. VMware will install and start FortiAuthenticator-VM. This process can take a minute or two to complete.
  5. At the FortiAuthenticator login prompt, enter admin and press Enter.
  6. At the password prompt, press Enter. By default, there is no password.
  7. At the CLI prompt enter the following commands:

set port1-ip 192.168.1.99/24 set default-gw 192.168.1.2

Substitute your own desired FortiAuthenticator IP address and default gateway.

You can now connect to the GUI at the IP address you set for port 1.

Suspending the FortiAuthenticator-VM can have unintended consequences. Fortinet recommends that you do not use the suspend feature of VMware. Instead, shut down the virtual FortiAuthenticator system using the GUI or CLI, and then shut down the virtual machine using the VMware console.

Administrative access

Administrative access is enabled by default on port 1. Using the GUI, you can enable administrative access on other ports if necessary.

To add administrative access to an interface:

  1. Go to System > Network > Interfaces and select the interface you need to add administrative access to. See Interfaces on page 30.
  2. In Admin access, select the types of access to allow.
  3. Select OK.
GUI access

To use the GUI, point your browser to the IP address of port 1 (192.168.1.99 by default). For example, enter the following in the URL box:

https://192.168.1.99

Enter admin as the UserName and leave the Password field blank.

HTTP access is not enabled by default. To enable access, use the set ha-mgmtaccess command in the CLI (see CLI commands on page 19), or enable HTTP access on the interface in the GUI (see Interfaces on page 30).

For security reasons, the host or domain names that the GUI responds to are restricted. The list of trusted hosts is automatically generated from the following:

Adding a FortiAuthenticator unit to your network

l Configured hostname l Configured DNS domain name l Network interface IP addresses that have HTTP or HTTPS enabled l HA management IP addresses

Additional IP addresses and host or domain names that the GUI responded to can be defined in the GUI Access settings. See GUI access on page 34

Telnet

CLI access is available using telnet to the port1 interface IP address (192.168.1.99 by default). Use the telnet -K option so that telnet does not attempt to log on using your user ID. For example:

$ telnet -K 192.168.1.99

At the FortiAuthenticator login prompt, enter admin. When prompted for password press Enter. By default there is no password. When you are finished, use the exit command to end the telnet session.

CLI access using Telnet is not enabled by default. To enable access, use the set ha-mgmt-access command in the CLI (see CLI commands on page 19), or enable Telnet access on the interface in the GUI (see Interfaces on page 30)

SSH

SSH provides secure access to the CLI. Connect to the port1 interface IP address (192.168.1.99 by default). Specify the user name admin or SSH will attempt to log on with your user name. For example:

$ ssh admin@192.168.1.99

At the password prompt press Enter. By default there is no password. When you are finished, use the exit command to end the session.

What’s New in FortiAnalyzer V5.2

What’s New in FortiAnalyzer v5.2

FortiAnalyzer v5.2 includes the following new features and enhancements.

FortiAnalyzer v5.2.0

FortiAnalyzer v5.2.0 includes the following new features and enhancements.

Event Management

  • Event Handler for local FortiAnalyzer event logs
  • FortiOS v4.0 MR3 logs are now supported.
  • Support subject customization of alert email.

FortiView

  • New FortiView module

Logging

  • Updated compact log v3 format from FortiGate • Explicit proxy traffic logging support
  • Improved FortiAnalyzer insert rate performance
  • Log filter improvements
  • FortiSandbox logging support
  • Syslog server logging support

Reports

  • Improvements to report configuration
  • Improvements to the Admin and System Events Report template
  • Improvements to the VPN Report template
  • Improvements to the Wireless PCI Compliance Report template
  • Improvements to the Security Analysis Report template
  • New Intrusion Prevention System (IPS) Report template
  • New Detailed Application Usage and Risk Report template
  • New FortiMail Analysis Report template
  • New pre-defined Application and Websites report templates
  • Macro library support
  • Option to display or upload reports in HTML format
  • FortiCache reporting support

 

Other

Installing Firmware

Installing firmware

Fortinet periodically releases FortiMail firmware updates to include enhancements and address issues. After you have registered your FortiMail unit, FortiMail firmware is available for download at http://support.fortinet.com.

Installing new firmware can overwrite antivirus and antispam packages using the versions of the packages that were current at the time that the firmware image was built. To avoid repeat updates, update the firmware before updating your FortiGuard packages.

New firmware can also introduce new features which you must configure for the first time.

For information specific to the firmware release version, see the Release Notes available with that release.

In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues without containing new features and/or changes to existing features. It is recommended to download and install patch releases as soon as they are available.

Before you can download firmware updates for your FortiMail unit, you must first register your FortiMail unit with Fortinet Technical Support. For details, go to http://support.fortinet.com/ or contact Fortinet Technical Support.

This section includes:

  • Testing firmware before installing it
  • Installing firmware
  • Clean installing firmware

Concepts And Flow

Concepts and workflow

This section describes some basic email concepts, how FortiMail works in general, and the tools that you can use to configure your FortiMail unit.

This section includes:

  • Email protocols
  • Client-server connections in SMTP
  • The role of DNS in email delivery
  • How FortiMail processes email
  • FortiMail operation modes
  • FortiMail high availability modes
  • FortiMail management methods

Email protocols

There are multiple prevalent standard email protocols:

  • SMTP
  • POP3
  • IMAP
  • HTTP and HTTPS

SMTP

Simple Mail Transfer Protocol (SMTP) is the standard protocol for sending email between:

  • two mail transfer agents (MTA)

SMTP communications typically occur on TCP port number 25.

When an email user sends an email, their MUA uses SMTP to send the email to an MTA, which is often their email server. The MTA then uses SMTP to directly or indirectly deliver the email to the destination email server that hosts email for the recipient email user.

When an MTA connects to the destination email server, it determines whether the recipient exists on the destination email server. If the recipient email address is legitimate, then the MTA delivers the email to the email server, from which email users can then use a protocol such as POP3 or IMAP to retrieve the email. If the recipient email address does not exist, the MTA typically sends a separate email message to the sender, notifying them of delivery failure.

While the basic protocol of SMTP is simple, many SMTP servers support a number of protocol extensions for features such as authentication, encryption, multipart messages and attachments, and may be referred to as extended SMTP (ESMTP) servers.

FortiMail units can scan SMTP traffic for spam and viruses, and support several SMTP extensions.

POP3

Post Office Protocol version 3 (POP3) is a standard protocol used by email clients to retrieve email that has been delivered to and stored on an email server.

POP3 communications typically occur on TCP port number 110.

Unlike IMAP, after a POP3 client downloads an email to the email user’s computer, a copy of the email usually does not remain on the email server’s hard disk. The advantage of this is that it frees hard disk space on the server. The disadvantage of this is that downloaded email usually resides on only one personal computer. Unless all of their POP3 clients are always configured to leave copies of email on the server, email users who use multiple computers to view email, such as both a desktop and laptop, will not be able to view from one computer any of the email previously downloaded to another computer.

FortiMail units do not scan POP3 traffic for spam and viruses, but may use POP3 when operating in server mode, when an email user retrieves their email.

IMAP

Internet Message Access Protocol (IMAP) is a standard protocol used by email clients to retrieve email that has been delivered to and stored on an email server.

IMAP communications typically occur on TCP port number 143.

Unless configured for offline availability, IMAP clients typically initially download only the message header. They download the message body and attachments only when the email user selects to read the email.

Unlike POP3, when an IMAP client downloads an email to the email user’s computer, a copy of the email remains on the email server’s hard disk. The advantage of this is that it enables email users to view email from more than one computer. This is especially useful in situations where more than one person may need to view an inbox, such where all members of a department monitor a collective inbox. The disadvantage of this is that, unless email users delete email, IMAP may more rapidly consume the server’s hard disk space.

FortiMail units do not scan IMAP traffic for spam and viruses, but may use IMAP when operating in server mode, when an email user retrieves their email.

HTTP and HTTPS

Secured and non-secured HyperText Transfer Protocols (HTTP/HTTPS), while not strictly for the transport of email, are often used by webmail applications to view email that is stored remotely.

HTTP communications typically occur on TCP port number 80; HTTPS communications typically occur on TCP port number 443.

FortiMail units do not scan HTTP or HTTPS traffic for spam or viruses, but use them to display quarantines and, if the FortiMail unit is operating in server mode, FortiMail webmail.