Tag Archives: fortimail administration

Configuring IBE Encryption

Configuring IBE encryption

The System > Encryption > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

  • About IBE
  • About FortiMail IBE
  • FortiMail IBE configuration workflow
  • Configuring IBE services

About IBE

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate or key pre-enrollment or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

What happens is that when an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Figure 148 shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically. Figure  shows how FortiMail IBE works:

Figure 147:How FortiMail works with IBE

  1. The FortiMail unit applies its IBE-related IP-based policies ,

Figure 148:Sample secure message notification

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

  • Configure and enable the IBE service. See “Configuring IBE services” on page 359.
  • Manage IBE users. See “Configuring IBE users” on page 447.
  • Configure an IBE encryption profile. See “Configuring encryption profiles” on page 594.

If you want to encrypt email based on the email contents:

  • Add the IBE encryption profile to the content action profile. See “Configuring content action profiles” on page 535.
  • Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See “Configuring content profiles” on page 526.
  • Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See “Controlling email based on recipient addresses” on page 468, and “Controlling email based on IP addresses” on page 475.

For example, on the FortiMail unit, you have:

  • configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see “Configuring dictionary profiles” on page 586)
  • added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
  • included the content profile to IP and recipient policies

You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.

For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in MS Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.

  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

If you want to encrypt email using message delivery rules:

  • Configure message delivery rules using encryption profiles to determine email that need to be encrypted with IBE. See “Configuring delivery rules” on page 464.
  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see “FortiMail IBE configuration workflow” on page 358.

To configure IBE service

  1. Go to System > Encryption > IBE Encryption.

Figure 149:IBE encryption tab

  1. Configure the following:

GUI item                   Description

Enable IBE service Select to enable the IBE service you configured.

IBE service name Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail.
User registration expiry time (days) Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.
User inactivity expiry time (days) Enter the number of days the secure mail recipient can access the FortiMail unit without registration.

For example, if you set the value to 30 days and if the mail recipient did not access the FortiMail unit for 30 days after the user registers on the unit, the recipient will need to register again if another secure mail is sent to the user. If the recipient accessed the FortiMail unit on the 15th days, the 30-day limit will be recalculated from the 15th day onwards.

Encrypted email    Enter the number of days that the secured mail will be saved on the storage expiry time FortiMail unit. (days)

Password reset     Enter the password reset expiry time in hours. expiry time (hours)

This is for the recipients who have forgotten their login passwords and request for new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

 

GUI item Description
Allow secure replying Select to allow the secure mail recipient to reply the email with encryption.
Allow secure forwarding Select to allow the secure mail recipient to forward the email with encryption.
Allow secure composing Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.

IBE base URL Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail.
“Help” content

URL

You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file.

If you leave this field empty, a default help file link will be added to the secure mail notification.

“About” content

URL

You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file.

If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

GUI item                   Description

Allow custom user control If your corporation has its own user authentication tools, enable this option and enter the URL.

“Custom user control” URL: This is the URL where you can check for user existence.

“Custom forgot password” URL: This is the URL where users get authenticated.

Notification Settings You can choose to send notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

Click the Edit link to modify the email template. For details, see “Customizing email templates” on page 288.

Depending on the IBE email access method (either PUSH or PULL) you defined in “Configuring encryption profiles” on page 594, the notification settings behave differently.

•      If the IBE message is stored on FortiMail PULL access method), the “read” notification will only be sent the first time the message is read.

•      If the IBE message is not stored on FortiMail (PUSH access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.

•      There is no “unread” notification for IBE PUSH messages.

Setting Up The System

Setting up the system

These instructions in this chapter will guide you to the point where you have a simple, verifiably working installation. From there, you can begin to use optional features and fine-tune your configuration.

FortiMail initial setup involves the following steps:

  • Connecting to the Web UI or CLI
  • Choosing the operation mode
  • Running the Quick Start Wizard
  • Connecting to FortiGuard services
  • Gateway mode deployment
  • Transparent mode deployment
  • Server mode deployment
  • Initial configuration in basic mode
  • Testing the installation
  • Backing up the configuration

Connecting to the Web UI or CLI

To configure, maintain, and administer the FortiMail unit, you need to connect to it. There are three methods for these tasks:

  • using the web UI, a graphical user interface (GUI), from within a current web browser (see “Connecting to the FortiMail web UI for the first time”)
  • using the command line interface (CLI), a command line interface similar to DOS or UNIX commands, from a Secure Shell (SSH) or Telnet terminal (see “Connecting to the FortiMail CLI for the first time” on page 27)
  • using the front panel’s LCD display and control buttons available on some models (see “Using the front panel’s control buttons and LCD display” on page 29).

Connecting to the FortiMail web UI for the first time

To use the web UI for the initial configuration, you must have:

  • a computer with an Ethernet port
  • a supported web browser (Microsoft Internet Explorer 7 to 10, Firefox 3.5 to 20, Safari 4 to 5, and Chrome 6 to 26)
  • Adobe Flash Player 9 or higher plug-in to display statistic charts
  • a crossover Ethernet cable

Table 3: Default settings for connecting to the web UI

Network Interface port1
URL https://192.168.1.99/admin

 

Table 3: Default settings for connecting to the web UI

Administrator Account admin
Password (none)

To connect to the web UI

  1. Configure the management computer to be on the same subnet as the port 1 interface of the FortiMail unit.

For example, in Microsoft Windows 7, from the Windows Start menu, go to Control Panel > Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties and change the management computer IP address to 192.168.1.2 and the netmask to 255.255.255.0.

  1. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiMail unit’s port1.
  2. Start your web browser and enter the URL https://192.168.1.99/admin. (Remember to include the “s” in https:// and “/admin” at the end of the URL.)

If you are connecting to FortiMail-VM with a trial license or to a LENC version of FortiMail, you may not be able to see the logon page due to an SSL cipher error during the connection. In this case, you must configure your browser to accept low encryption. For example, in Mozilla Firefox, if you receive this error message:

ssl_error_no_cypher_overlap

you may need to enter about:config in the URL bar, then set security.ssl3.rsa.rc4_40_md5 to true.

To support HTTPS authentication, the FortiMail unit ships with a self-signed security certificate, which it presents to clients whenever they initiate an HTTPS connection to the FortiMail unit. When you connect, depending on your web browser and prior access of the FortiMail unit, your browser might display two security warnings related to this certificate:

  • The certificate is not automatically trusted because it is self-signed, rather than being signed by a valid certificate authority (CA). Self-signed certificates cannot be verified with a proper CA, and therefore might be fraudulent. You must manually indicate whether or not to trust the certificate.
  • The certificate might belong to another web site. The common name (CN) field in the certificate, which usually contains the host name of the web site, does not exactly match the URL you requested. This could indicate server identity theft, but could also simply indicate that the certificate contains a domain name while you have entered an IP address. You must manually indicate whether this mismatch is normal or not.

Both warnings are normal for the default certificate.

  1. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning again) or temporarily. You cannot log in until you accept the certificate.

For details on accepting the certificate, see the documentation for your web browser.

The Login dialog appears.

  1. In the Name field, type admin, then select Login. (In its default state, there is no password for this account.)

Login credentials entered are encrypted before they are sent to the FortiMail unit. If your login is successful, the web UI appears.