Tag Archives: fortimail administration guide

Troubleshooting

Troubleshooting

This section provides guidelines to help you determine why your FortiMail unit is behaving unexpectedly. It includes general troubleshooting methods and specific troubleshooting tips using both the command line interface (CLI) and the web UI. Each troubleshooting item describes both the problem and the solution.

Some CLI commands provide troubleshooting information not available through the web UI. The web UI is better suited for viewing large amounts of information on screen, reading logs and archives, and viewing status through the dashboard.

For late-breaking troubleshooting information, see the Fortinet Knowledge Base.

For additional information, see “Best practices and fine tuning” on page 697.

This section contains the following topics:

  • Establish a system baseline
  • Define the problem
  • Search for a known solution
  • Create a troubleshooting plan
  • Gather system information
  • Troubleshoot hardware issues
  • Troubleshoot GUI and CLI connection issues
  • Troubleshoot FortiGuard connection issues
  • Troubleshoot MTA issues
  • Troubleshoot antispam issues
  • Troubleshoot HA issues
  • Troubleshoot resource issues
  • Troubleshoot bootup issues
  • Troubleshoot installation issues
  • Contact Fortinet customer support for assistance

Logs, Reports, and Alerts

Logs, reports and alerts

The Log and Report menu lets you configure logging, reports, and alert email.

FortiMail units provide extensive logging capabilities for virus incidents, spam incidents and system events. Detailed log information and reports provide analysis of network activity to help you identify security issues and reduce network misuse and abuse.

Logs are useful when diagnosing problems or when you want to track actions the FortiMail unit performs as it receives and processes traffic.

This section includes:

  • About FortiMail logging
  • Configuring logging
  • Configuring report profiles and generating reports
  • Configuring alert email
  • Viewing log messages
  • Viewing generated reports

About FortiMail logging

FortiMail units can log many different email activities and traffic including:

  • system-related events, such as system restarts and HA activity
  • virus detections
  • spam filtering results
  • POP3, SMTP, IMAP and webmail events

You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see “Log message severity levels” on page 668.

A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see “Configuring logging” on page 671. It can also use log messages as the basis for reports. For more information, see “Configuring report profiles and generating reports” on page 676.

Accessing FortiMail log messages

There are several ways you can access FortiMail log messages:

  • On the FortiMail web UI, you can view log messages by going to Monitor > Log. For details, see the FortiMail Administration Guide.
  • On the FortiMail web UI, under Monitor > Log, you can download log messages to your local PC and view them later.
  • You can send log messages to a FortiAnalyzer unit by going to Log and Report > Log Settings > Remote Log Settings and view them on FortiAnalyzer.
  • You can send log messages to any Syslog server by going to Log and Report > Log Settings > Remote Log Settings.

Archiving Email

Archiving email

You can archive email messages according to various criteria and reasons. For example, you may want to archive email sent by certain senders or email contains certain words.

This section contains the following topics:

  • Email archiving workflow
  • Configuring email archiving accounts
  • Configuring email archiving policies
  • Configuring email archiving exemptions

Email archiving workflow

To use the email archiving feature, you must do the following:

  1. Create email archive accounts to send archived email to. See “Configuring email archiving accounts” on page 656.

Starting from version 4.2, you can create multiple archive accounts and send different categories of email to different accounts. For the maximum number of archive accounts you can create, see “Appendix B: Maximum Values Matrix” on page 726.

  1. Create email archive policies or exemption policies to specify the archiving criteria. See “Configuring email archiving policies” on page 660 and “Configuring email archiving exemptions” on page 662. Or, when creating antispam action profiles and content action profiles, choose to archive email as one of the actions. See “Configuring antispam profiles and antispam action profiles” on page 503 and “Configuring content profiles and content action profiles” on page 526.
  2. Assign the administrator account access privilege to the email archive. See “Configuring administrator accounts and access profiles” on page 289.
  3. You can search or view the archived email as the FortiMail administrator. See “Managing archived email” on page 203. You can also access email archives remotely through IMAP. See “Configuring email archiving accounts” on page 656.

Configuring email archiving accounts

Before you can archive email, you need to set up and enable email archiving accounts, as described below. The archived emails will be stored in the archiving accounts. You can create multiple archive accounts and send different categories of email to different accounts. For the maximum number of archive accounts you can create, see “Appendix B: Maximum Values Matrix” on page 726.

When email is archived, you can view and manage the archived email messages. For more information, see “Managing archived email” on page 203. You can also access the email archive remotely through IMAP.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

Page 656

To enable and configure an email archive account

  1. Go to Email Archiving > Archive Accounts > Archive Accounts.

Figure 293:Managing email archive accounts

GUI item Description
Status Select to enable an email archiving account. Clear the check box to disable it.
Account Lists email archive accounts.
Index Type Indicates if archive indexing is in use and how much is indexed. Indexing speeds up content searches. The choices are:

•      None: email is not indexed.

•      Header: email headers are indexed.

•      Full: the entire message is indexed.

Storage Indicates the type of archive storage: Local or Remote.
(Green dot in column heading) Indicates whether the archive is currently referred to by an archive policy. If so, a red dot appears in this column and the entry cannot be deleted.
  1. Click New to create an account or double-click an account to modify it.

A multisection dialog appears.

Figure 294:Configuring email archive accounts

  1. Configure the following sections, and click Create.
    • “Configuring account settings”
    • “Configuring rotation settings”
    • “Configuring destination settings”

Configuring AntiSPAM Settings

Configuring antispam settings

The AntiSpam menu lets you configure antispam settings that are system-wide or otherwise not configured individually for each antispam profile.

Several antispam features require that you first configure system-wide, per-domain, or per-user settings in the AntiSpam menu before you can use the feature in an antispam profile. For more information on antispam profiles, see “Configuring antispam profiles and antispam action profiles” on page 503.

This section contains the following topics:

  • Configuring email quarantines and quarantine reports
  • Configuring the black lists and white lists
  • Configuring greylisting
  • Configuring bounce verification and tagging
  • Configuring endpoint reputation
  • Training and maintaining the Bayesian databases

Configuring email quarantines and quarantine reports

The Quarantine submenu lets you configure quarantine settings, and to configure system-wide settings for quarantine reports.

Using the email quarantine feature involves the following steps:

  • First, enable email quarantine when you configure antispam action profiles (see “Configuring antispam action profiles” on page 516) and content action profiles (see “Configuring content action profiles” on page 535).
  • Configure the system quarantine administrator account who can manage the system quarantine. See “Configuring the system quarantine administrator account and disk quota” on page 611.
  • Configure the quarantine control accounts, so that email users can send email to the accounts to release or delete email quarantines. See “Configuring the quarantine control accounts” on page 612.
  • Configure system-wide quarantine report settings, so that the FortiMail unit can send reports to inform email users of the mail quarantines. Then the users can decide if they want to release or delete the quarantined emails. See “Configuring global quarantine report settings” on page 602.
  • Configure domain-wide quarantine report settings for specific domains. See “Quarantine Report Setting” on page 394.
  • View and manage personal quarantines and system quarantines. See “Managing the quarantines” on page 182.
  • As the FortiMail administrator, you may also need to instruct end users about how to access their email quarantines. See “Accessing the personal quarantine and webmail” on page 720.
  • Configuring global quarantine report settings
  • Configuring the system quarantine administrator account and disk quota
  • Configuring the quarantine control accounts

Configuring Profiles

Configuring profiles

The Profile menu lets you configure many types of profiles. These are a collection of settings for antispam, antivirus, authentication, or other features.

After creating and configuring a profile, you can apply it either directly in a policy, or indirectly by inclusion in another profile that is selected in a policy. Policies apply each selected profile to all email messages and SMTP connections that the policy governs.

Creating multiple profiles for each type of policy lets you customize your email service by applying different profiles to policies that govern different SMTP connections or email users. For instance, if you are an Internet service provider (ISP), you might want to create and apply antivirus profiles only to policies governing email users who pay you to provide antivirus protection.

This section includes:

  • Configuring session profiles
  • Configuring antispam profiles and antispam action profiles
  • Configuring antivirus profiles and antivirus action profiles
  • Configuring content profiles and content action profiles
  • Configuring resource profiles (server mode only)
  • Configuring authentication profiles
  • Configuring LDAP profiles
  • Configuring dictionary profiles
  • Configuring security profiles
  • Configuring IP pools
  • Configuring email and IP groups
  • Configuring notification profiles

Configuring session profiles

Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.

To configure session profiles

  1. Go to Profile > Session > Session.
  2. Click New to add a profile or double-click a profile to modify it.

A multisection page appears.

Figure 193:Session Profile dialog

  1. For a new session profile, type the name in Profile name.
  2. Configure the following sections as needed:
  • “Configuring connection settings” on page 483
  • “Configuring sender reputation options” on page 485
  • “Configuring endpoint reputation options” on page 487
  • “Configuring sender validation options” on page 488
  • “Configuring session settings” on page 490
  • “Configuring unauthenticated session settings” on page 493
  • “Configuring SMTP limit options” on page 496
  • “Configuring error handling options” on page 497
  • “Configuring header manipulation options” on page 498
  • “Configuring list options” on page 499
  • Configuring advanced MTA control settings

Configuring Policies

Configuring policies

The Policy menu lets you create policies that use profiles to filter email.

It also lets you control who can send email through the FortiMail unit, and stipulate rules for how it will deliver email that it proxies or relays.

                                 •    What is a policy?

  • How to use policies
  • Controlling SMTP access and delivery
  • Controlling email based on recipient addresses
  • Controlling email based on IP addresses

What is a policy?

A policy defines which way traffic will be filtered. It may also define user account settings, such as authentication type, disk quota, and access to webmail.

After creating the antispam, antivirus, content, authentication, TLS, or resource profiles (see “Configuring profiles” on page 482), you need to apply them to policies for them to take effect.

FortiMail units support three types of policies:

  • Access control and delivery rules that are typical to SMTP relays and servers (see

“Controlling SMTP access and delivery” on page 456)

  • Recipient-based policies (see “Controlling email based on recipient addresses” on page 468)
  • IP-based policies (see “Controlling email based on IP addresses” on page 475)

Recipient-based policies versus IP-based policies

  • Recipient-based policies

The FortiMail unit applies these based on the recipient’s email address or the recipient’s user group. May also define authenticated webmail or POP3 access by that email user to their per-recipient quarantine. Since version 4.0, the recipient-based policies also check sender patterns.

  • IP-based policies

The FortiMail unit applies these based on the SMTP client’s IP address (server mode or gateway mode), or the IP addresses of both the SMTP client and SMTP server (transparent mode).

Page 453

Incoming versus outgoing email messages

There are two types of recipient-based policies: incoming and outgoing. The FortiMail unit applies incoming policies to the incoming mail messages and outgoing policies to the outgoing mail messages.

Whether the email is incoming or outgoing is decided by the domain name in the recipient’s email address. If the domain is a protected domain, the FortiMail unit considers the message to be incoming and applies the first matching incoming recipient-based policy. If the recipient domain is not a protected domain, the message is considered to be outgoing, and applies outgoing recipient-based policy.

To be more specific, the FortiMail unit actually matches the recipient domain’s IP address with the IP list of the protected SMTP servers where the protected domains reside. If there is an IP match, the domain is deemed protected and the email destined to this domain is considered to be incoming. If there is no IP match, the domain is deemed unprotected and the email destined to this domain is considered to be outgoing.

For more information on protected domains, see “Configuring protected domains” on page 380.

Configuring Mail Settings

Configuring mail settings

The Mail Settings menu lets you configure the basic email settings of the FortiMail unit (such as the port number of the FortiMail SMTP relay/proxy/server), plus how to handle connections and how to manage the mail queues.

This section includes:

  • Configuring the built-in MTA and mail server
  • Configuring protected domains
  • Managing the address book (server mode only)
  • Sharing calendars and address books (server mode only)
  • Migrating email from other mail servers (server mode only)
  • Configuring proxies (transparent mode only)

Configuring the built-in MTA and mail server

Go to Mail Settings > Settings to configure assorted settings that apply to the SMTP server and webmail server that are built into the FortiMail unit.

This section includes:

  • Configuring mail server settings
  • Configuring global disclaimers
  • Configuring disclaimer exclusion list
  • Selecting the mail data storage location

Configuring mail server settings

Use the mail server settings to configure SMTP server/relay settings of the System domain, which is located on the local host (that is, your FortiMail unit).

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure local SMTP server settings

  1. Go to Mail Settings > Settings > Mail Server Settings.

A multisection page appears.

Page 366

Figure 153:Mail Server Settings tab

  1. Configure the following sections as needed:
  • “Configuring local host settings” on page 368
  • “Configuring SMTP relay hosts” on page 373
  • “Configuring deferred message delivery” on page 371
  • “Configuring DSN options” on page 369
  • “Configuring mail queue setting” on page 370
  • “Configuring domain check options” on page 372

Configuring local host settings

Provide the name and SMTP information for the mail server.

GUI item Description
Host name Enter the host name of the FortiMail unit.

Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<host-name>.<local-domain-name>

such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name.

Note: The FQDN of the FortiMail unit should be different from that of protected SMTP servers. If the FortiMail unit uses the same FQDN as your mail server, it may become difficult to distinguish the two devices during troubleshooting.

Note: You should use a different host name for each FortiMail unit, especially when you are managing multiple FortiMail units of the same model, or when configuring a high availability (HA) cluster. This will let you to distinguish between different members of the cluster. If the FortiMail unit is in HA mode, the FortiMail unit will add the host name to the subject line of alert email messages. For details, see “Configuring alert email” on page 682.

Local domain name Enter the local domain name to which the FortiMail unit belongs.

The local domain name is used in many features such as email quarantine, Bayesian database training, quarantine report, and delivery status notification (DSN) email messages.

Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<host-name>.<local-domain-name>

such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name.

Note: The IP address should be globally resolvable into the FQDN of the FortiMail unit if it will relay outgoing email. If it is not globally resolvable, reverse DNS lookups of the FortiMail unit’s domain name by external SMTP servers will fail. For quarantine reports, if the FortiMail unit is operating in server mode or gateway mode, DNS records for the local domain name may need to be globally resolvable to the IP address of the FortiMail unit. If it is not globally resolvable, web and email release/delete for the per-recipient quarantines may fail. For more information on configuring required DNS records, see “Setting up the system” on page 25.

Note: The Local domain name is not required to be different from or identical to any protected domain. It can be a subdomain or different, external domain.

For example, a FortiMail unit whose FQDN is fortimail.example.com could be configured with the protected domains example.com and accounting.example.net.

SMTP server port number Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.
GUI item Description
SMTP over SSL/TLS Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted.

Note: This option must be enabled to receive SMTPS connections. However, it does not require them. To enforce client use of SMTPS, see “Configuring access control rules” on page 456.

SMTPS server port number Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections. The default port number is 465.

This option is unavailable if SMTP over SSL/TLS is disabled.

SMTP MSA

service

Enable let your email clients use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476.

SMTP MSA port number Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery. The default port number is 587.
POP3 server port number Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.

This option is available only if the FortiMail unit is operating in server mode.

Default domain for

authentication

If you set one domain as the default domain, users on the default domain only need to enter their user names without the domain part for webmail/SMTP/IMAP/POP3 authentication, such as user1. Users on the non-default domains must enter both the user name part and domain part to authentication, such as user2@example.com.

Webmail access Enable to redirect HTTP webmail access to HTTPS.

Configuring DSN options

Use this section to configure mail server delivery status notifications.

For information on failed deliveries, see “Managing the deferred mail queue” on page 179 and “Managing undeliverable mail” on page 181.

For more information on DSN, see “Managing the deferred mail queue” on page 179.

GUI item Description
DSN (NDR) email generation Enable to allow the FortiMail unit to send DSN messages to notify email users of delivery delays and/or failure.
GUI item Description
Sender displayname Displays the name of the sender, such as FortiMail administrator, as it should appear in DSN email.

If this field is empty, the FortiMail unit uses the default name of postmaster.

Sender address Displays the sender email address in DSN.

If this field is empty, the FortiMail unit uses the default sender email address of postmaster@<domain_str>, where <domain_str> is the domain name of the FortiMail unit, such as example.com.

Using High Availability

Using high availability (HA)

Go to System > High Availability to configure the FortiMail unit to act as a member of a high availability (HA) cluster in order to increase processing capacity or availability.

For the general procedure of how to enable and configure HA, see “How to use HA” on page 312.

This section contains the following topics:

  • About high availability
  • About the heartbeat and synchronization
  • About logging, alert email and SNMP in HA
  • How to use HA
  • Monitoring the HA status
  • Configuring the HA mode and group
  • Configuring service-based failover
  • Example: Failover scenarios
  • Example: Active-passive HA group in gateway mode

About high availability

FortiMail units can operate in one of two HA modes, active-passive or config-only.

Table 31:Comparison of HA modes

Active-passive HA Config-only HA
2 FortiMail units in the HA group 2-25 FortiMail units in the HA group
Typically deployed behind a switch Typically deployed behind a load balancer
Both configuration* and data synchronized Only configuration* synchronized
Only primary unit processes email All units process email

Table 31:Comparison of HA modes

No data loss when hardware fails Data loss when hardware fails
Failover protection, but no increased processing capacity Increased processing capacity, but no failover protection

* For exceptions to synchronized configuration items, see “Configuration settings that are not synchronized” on page 309.

Figure 126:Active-passive HA group operating in gateway mode

Figure 127:Config-only HA group operating in gateway mode

If the config-only HA group is installed behind a load balancer, the load balancer stops sending email to failed FortiMail units. All sessions being processed by the failed FortiMail unit must be restarted and will be re-directed by the load balancer to other FortiMail units in the config-only HA group.

You can mix different FortiMail models in the same HA group. However, all units in the HA group must have the same firmware version.

Communications between HA cluster members occur through the heartbeat and synchronization connection. For details, see “About the heartbeat and synchronization” on page 307.

To configure FortiMail units operating in HA mode, you usually connect only to the primary unit (master). The primary unit’s configuration is almost entirely synchronized to secondary units (slave), so that changes made to the primary unit are propagated to the secondary units.

Exceptions to this rule include connecting to a secondary unit in order to view log messages recorded about the secondary unit itself on its own hard disk, and connecting to a secondary unit to configure settings that are not synchronized. For details, see “Configuration settings that are not synchronized” on page 309.

To use FortiGuard Antivirus or FortiGuard Antispam with HA, license all FortiMail units in the cluster. If you license only the primary unit in an active-passive HA group, after a failover, the secondary unit cannot connect to the FortiGuard Antispam service. For FortiMail units in a config-only HA group, only the licensed unit can use the subscription services.

For instructions of how to enable and configure HA, see “How to use HA” on page 312.