Installing Firmware

Fortinet periodically releases FortiMail firmware updates to include enhancements and address issues. After you have registered your FortiMail unit, FortiMail firmware is available for download at http://support.fortinet.com.

Installing new firmware can overwrite antivirus and antispam packages using the versions of the packages that were current at the time that the firmware image was built. To avoid repeat updates, update the firmware before updating your FortiGuard packages.

New firmware can also introduce new features which you must configure for the first time.

For information specific to the firmware release version, see the Release Notes available with that release.

In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues without containing new features and/or changes to existing features. It is recommended to download and install patch releases as soon as they are available.

Before you can download firmware updates for your FortiMail unit, you must first register your FortiMail unit with Fortinet Technical Support. For details, go to http://support.fortinet.com/ or contact Fortinet Technical Support.

This section includes:

  • Testing firmware before installing it
  • Installing firmware
  • Clean installing firmware

Logs, Reports, and Alerts

The Log and Report menu lets you configure logging, reports, and alert email.

FortiMail units provide extensive logging capabilities for virus incidents, spam incidents and system events. Detailed log information and reports provide analysis of network activity to help you identify security issues and reduce network misuse and abuse.

Logs are useful when diagnosing problems or when you want to track actions the FortiMail unit performs as it receives and processes traffic.

This section includes:

  • About FortiMail logging
  • Configuring logging
  • Configuring report profiles and generating reports
  • Configuring alert email
  • Viewing log messages
  • Viewing generated reports

About FortiMail logging

FortiMail units can log many different email activities and traffic including:

  • system-related events, such as system restarts and HA activity
  • virus detections
  • spam filtering results
  • POP3, SMTP, IMAP and webmail events

You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see “Log message severity levels” on page 668.

A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see “Configuring logging” on page 671. It can also use log messages as the basis for reports. For more information, see “Configuring report profiles and generating reports” on page 676.
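The logging capabilities described above lend themselves to a small offline check. The following Python script is an added example, not FortiMail code: it parses key=value log records, drops everything below a chosen severity threshold, and summarizes virus, spam and system events. The record layout (space-separated key=value pairs with quoted values, a pri= field carrying the severity and type= naming the log category) and the severity scale (the standard syslog levels) are assumptions, and the sample lines are constructed rather than captured from a unit.

```python
"""Filter FortiMail-style syslog records by severity and summarize them.

Added example, not part of the FortiMail Administration Guide. The record
layout (key=value pairs, `pri=` severity, `type=` category) is an assumption;
the sample lines below are constructed, not captured from a real unit.
"""
import re
from collections import Counter

# Standard syslog severities, most severe first (assumed to be the scale the
# FortiMail "severity level" threshold uses).
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

# key=value pairs; values are bare tokens or double-quoted strings.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample records (not real FortiMail output).
SAMPLE_LOG = """\
date=2024-01-15 time=09:12:01 log_id=0200001075 type=statistics pri=information direction="in" from="alice@example.net" to="bob@example.com" classifier="Not Spam" disposition="Accept"
date=2024-01-15 time=09:12:07 log_id=0300000001 type=spam pri=notification direction="in" from="promo@bulk.example" to="bob@example.com" classifier="Heuristic" disposition="Quarantine"
date=2024-01-15 time=09:13:44 log_id=0400000002 type=virus pri=warning direction="in" from="invoice@unknown-sender.example" to="carol@example.com" virus="EICAR_TEST_FILE" disposition="Reject"
date=2024-01-15 time=09:15:00 log_id=0100000003 type=event subtype=system pri=critical msg="HA heartbeat lost on port2"
date=2024-01-15 time=09:15:02 log_id=0100000004 type=event subtype=system pri=debug msg="mail queue scan complete"
"""


def parse_record(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def at_least(record, minimum):
    """True if the record's severity is at least as severe as `minimum`."""
    pri = record.get("pri", "debug")
    # Unknown severities rank below debug and are never selected.
    return SEVERITY_RANK.get(pri, len(SEVERITY_ORDER)) <= SEVERITY_RANK[minimum]


def filter_log(text, minimum="information"):
    """Return parsed records whose severity meets the threshold, in file order."""
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in records if at_least(r, minimum)]


def summarize(records):
    """Count records per log type; list virus names and quarantined senders."""
    by_type = Counter(r.get("type", "unknown") for r in records)
    viruses = sorted({r["virus"] for r in records if r.get("virus")})
    quarantined = sorted(r["from"] for r in records
                         if r.get("disposition") == "Quarantine")
    return {"by_type": dict(by_type), "viruses": viruses, "quarantined": quarantined}


if __name__ == "__main__":
    for level in ("information", "warning"):
        recs = filter_log(SAMPLE_LOG, level)
        print(f"minimum={level}: {len(recs)} records -> {summarize(recs)}")
```

Raising the threshold from information to warning drops the statistics and spam records and keeps the virus detection and the HA event, which is the trade-off the severity setting makes: quieter logs at the cost of losing the per-message audit trail.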

Accessing FortiMail log messages

There are several ways you can access FortiMail log messages:

  • On the FortiMail web UI, you can view log messages by going to Monitor > Log. For details, see the FortiMail Administration Guide.
  • On the FortiMail web UI, under Monitor > Log, you can download log messages to your local PC and view them later.
  • You can send log messages to a FortiAnalyzer unit by going to Log and Report > Log Settings > Remote Log Settings and view them on FortiAnalyzer.
  • You can send log messages to any Syslog server by going to Log and Report > Log Settings > Remote Log Settings.

Configuring AntiSPAM Settings

The AntiSpam menu lets you configure antispam settings that are system-wide or otherwise not configured individually for each antispam profile.

Several antispam features require that you first configure system-wide, per-domain, or per-user settings in the AntiSpam menu before you can use the feature in an antispam profile. For more information on antispam profiles, see “Configuring antispam profiles and antispam action profiles” on page 503.

This section contains the following topics:

  • Configuring email quarantines and quarantine reports
  • Configuring the black lists and white lists
  • Configuring greylisting
  • Configuring bounce verification and tagging
  • Configuring endpoint reputation
  • Training and maintaining the Bayesian databases

Configuring email quarantines and quarantine reports

The Quarantine submenu lets you configure quarantine settings and the system-wide settings for quarantine reports.

Using the email quarantine feature involves the following steps:

  • First, enable email quarantine when you configure antispam action profiles (see “Configuring antispam action profiles” on page 516) and content action profiles (see “Configuring content action profiles” on page 535).
  • Configure the system quarantine administrator account who can manage the system quarantine. See “Configuring the system quarantine administrator account and disk quota” on page 611.
  • Configure the quarantine control accounts, so that email users can send email to the accounts to release or delete email quarantines. See “Configuring the quarantine control accounts” on page 612.
  • Configure system-wide quarantine report settings, so that the FortiMail unit can send reports to inform email users of the mail quarantines. Then the users can decide if they want to release or delete the quarantined emails. See “Configuring global quarantine report settings” on page 602.
  • Configure domain-wide quarantine report settings for specific domains. See “Quarantine Report Setting” on page 394.
  • View and manage personal quarantines and system quarantines. See “Managing the quarantines” on page 182.
  • As the FortiMail administrator, you may also need to instruct end users about how to access their email quarantines. See “Accessing the personal quarantine and webmail” on page 720.

This section includes:

  • Configuring global quarantine report settings
  • Configuring the system quarantine administrator account and disk quota
  • Configuring the quarantine control accounts

Configuring Profiles

The Profile menu lets you configure many types of profiles. These are a collection of settings for antispam, antivirus, authentication, or other features.

After creating and configuring a profile, you can apply it either directly in a policy, or indirectly by inclusion in another profile that is selected in a policy. Policies apply each selected profile to all email messages and SMTP connections that the policy governs.

Creating multiple profiles for each type of policy lets you customize your email service by applying different profiles to policies that govern different SMTP connections or email users. For instance, if you are an Internet service provider (ISP), you might want to create and apply antivirus profiles only to policies governing email users who pay you to provide antivirus protection.

This section includes:

  • Configuring session profiles
  • Configuring antispam profiles and antispam action profiles
  • Configuring antivirus profiles and antivirus action profiles
  • Configuring content profiles and content action profiles
  • Configuring resource profiles (server mode only)
  • Configuring authentication profiles
  • Configuring LDAP profiles
  • Configuring dictionary profiles
  • Configuring security profiles
  • Configuring IP pools
  • Configuring email and IP groups
  • Configuring notification profiles

Configuring session profiles

Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.

To configure session profiles

  1. Go to Profile > Session > Session.
  2. Click New to add a profile or double-click a profile to modify it.

A multisection page appears.

Figure 193: Session Profile dialog

  3. For a new session profile, type the name in Profile name.
  4. Configure the following sections as needed:
  • “Configuring connection settings” on page 483
  • “Configuring sender reputation options” on page 485
  • “Configuring endpoint reputation options” on page 487
  • “Configuring sender validation options” on page 488
  • “Configuring session settings” on page 490
  • “Configuring unauthenticated session settings” on page 493
  • “Configuring SMTP limit options” on page 496
  • “Configuring error handling options” on page 497
  • “Configuring header manipulation options” on page 498
  • “Configuring list options” on page 499
  • Configuring advanced MTA control settings

Configuring Policies

The Policy menu lets you create policies that use profiles to filter email.

It also lets you control who can send email through the FortiMail unit, and stipulate rules for how it will deliver email that it proxies or relays.

This section includes:

  • What is a policy?
  • How to use policies
  • Controlling SMTP access and delivery
  • Controlling email based on recipient addresses
  • Controlling email based on IP addresses

What is a policy?

A policy defines how traffic will be filtered. It may also define user account settings, such as authentication type, disk quota, and access to webmail.

After creating the antispam, antivirus, content, authentication, TLS, or resource profiles (see “Configuring profiles” on page 482), you need to apply them to policies for them to take effect.

FortiMail units support three types of policies:

  • Access control and delivery rules that are typical to SMTP relays and servers (see “Controlling SMTP access and delivery” on page 456)
  • Recipient-based policies (see “Controlling email based on recipient addresses” on page 468)
  • IP-based policies (see “Controlling email based on IP addresses” on page 475)

Recipient-based policies versus IP-based policies

  • Recipient-based policies

The FortiMail unit applies these based on the recipient’s email address or the recipient’s user group. They may also define authenticated webmail or POP3 access by that email user to their per-recipient quarantine. Since version 4.0, recipient-based policies also check sender patterns.

  • IP-based policies

The FortiMail unit applies these based on the SMTP client’s IP address (server mode or gateway mode), or the IP addresses of both the SMTP client and SMTP server (transparent mode).

Incoming versus outgoing email messages

There are two types of recipient-based policies: incoming and outgoing. The FortiMail unit applies incoming policies to the incoming mail messages and outgoing policies to the outgoing mail messages.

Whether the email is incoming or outgoing is decided by the domain name in the recipient’s email address. If the domain is a protected domain, the FortiMail unit considers the message to be incoming and applies the first matching incoming recipient-based policy. If the recipient domain is not a protected domain, the FortiMail unit considers the message to be outgoing and applies the first matching outgoing recipient-based policy.

To be more specific, the FortiMail unit actually matches the recipient domain’s IP address with the IP list of the protected SMTP servers where the protected domains reside. If there is an IP match, the domain is deemed protected and the email destined to this domain is considered to be incoming. If there is no IP match, the domain is deemed unprotected and the email destined to this domain is considered to be outgoing.

For more information on protected domains, see “Configuring protected domains” on page 380.
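The direction test and first-match policy selection described above, as an added Python example that is not FortiMail code: the recipient domain is resolved, the result is compared with the protected SMTP server addresses, and the first policy of the resulting direction whose recipient and sender patterns match is chosen. The resolve() function is a constructed stand-in for the DNS lookup a real unit performs, and the server addresses, domains and policy table are made-up sample data.

```python
"""Classify a message as incoming or outgoing (does the recipient domain
resolve to a protected SMTP server?) and pick the first matching
recipient-based policy.

Added example, not FortiMail code. resolve() stands in for DNS; the
protected-server addresses, domains and policy table are constructed.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: what DNS would answer for each recipient domain.
FAKE_DNS = {
    "example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.10"],
    "partner.example": ["198.51.100.7"],
}

# Constructed: addresses of the protected SMTP servers behind the unit.
PROTECTED_SERVER_IPS = {"203.0.113.10", "203.0.113.11"}


def resolve(domain: str) -> List[str]:
    """Stand-in for DNS resolution; unknown domains resolve to nothing."""
    return FAKE_DNS.get(domain.lower(), [])


@dataclass
class RecipientPolicy:
    name: str
    direction: str                 # "incoming" or "outgoing"
    recipient_pattern: str         # glob over the recipient address
    sender_pattern: str = "*"      # recipient-based policies also check the sender
    profiles: Dict[str, str] = field(default_factory=dict)


def is_protected_domain(domain, protected_ips=PROTECTED_SERVER_IPS, lookup=resolve) -> bool:
    """Protected when any address the domain resolves to is a protected server."""
    return any(ip in protected_ips for ip in lookup(domain))


def classify_direction(recipient, protected_ips=PROTECTED_SERVER_IPS, lookup=resolve) -> str:
    """'incoming' if the recipient domain is protected, otherwise 'outgoing'."""
    domain = recipient.rpartition("@")[2]
    return "incoming" if is_protected_domain(domain, protected_ips, lookup) else "outgoing"


def select_policy(sender, recipient, policies, protected_ips=PROTECTED_SERVER_IPS,
                  lookup=resolve) -> Optional[RecipientPolicy]:
    """First policy for the message's direction whose patterns match, else None."""
    direction = classify_direction(recipient, protected_ips, lookup)
    for pol in policies:
        if (pol.direction == direction
                and fnmatch.fnmatchcase(recipient.lower(), pol.recipient_pattern.lower())
                and fnmatch.fnmatchcase(sender.lower(), pol.sender_pattern.lower())):
            return pol
    return None


# Constructed policy table; evaluated top to bottom, first match wins, so the
# narrower exec-strict entry must precede the catch-all inbound-default.
POLICIES = [
    RecipientPolicy("exec-strict", "incoming", "ceo@example.com",
                    profiles={"antispam": "strict", "antivirus": "default"}),
    RecipientPolicy("inbound-default", "incoming", "*@example.com",
                    profiles={"antispam": "default", "antivirus": "default"}),
    # Outbound handling only for senders in the protected domain.
    RecipientPolicy("outbound-default", "outgoing", "*", sender_pattern="*@example.com",
                    profiles={"antivirus": "default", "content": "dlp"}),
]


if __name__ == "__main__":
    for sender, rcpt in [("x@partner.example", "ceo@example.com"),
                         ("x@partner.example", "bob@example.com"),
                         ("bob@example.com", "y@partner.example"),
                         ("ext@partner.example", "z@nowhere.example")]:
        pol = select_policy(sender, rcpt, POLICIES)
        print(f"{sender} -> {rcpt}: {classify_direction(rcpt)}, "
              f"policy={pol.name if pol else None}")
```

A None result means no recipient-based policy matched; in the last sample case an external sender addresses an unprotected domain, so only the access control rules of the previous section decide whether the unit relays the message at all.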

Configuring IBE Encryption

The System > Encryption > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

  • About IBE
  • About FortiMail IBE
  • FortiMail IBE configuration workflow
  • Configuring IBE services

About IBE

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate or key pre-enrollment or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

What happens is that when an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Figure 148 shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically. Figure 147 shows how FortiMail IBE works.

Figure 147: How FortiMail works with IBE

  1. The FortiMail unit applies its IBE-related IP-based policies ,

Figure 148: Sample secure message notification

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

  • Configure and enable the IBE service. See “Configuring IBE services” on page 359.
  • Manage IBE users. See “Configuring IBE users” on page 447.
  • Configure an IBE encryption profile. See “Configuring encryption profiles” on page 594.

If you want to encrypt email based on the email contents:

  • Add the IBE encryption profile to the content action profile. See “Configuring content action profiles” on page 535.
  • Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See “Configuring content profiles” on page 526.
  • Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See “Controlling email based on recipient addresses” on page 468, and “Controlling email based on IP addresses” on page 475.

For example, on the FortiMail unit, you have:

  • configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see “Configuring dictionary profiles” on page 586)
  • added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
  • included the content profile to IP and recipient policies

You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.

For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in MS Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.

  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.
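The subject-line and header check from the Alice-to-Bob example, as an added Python example that is not FortiMail code: a dictionary profile holds patterns, a content profile wires it to an encrypt action, and the message is examined in the subject, the other headers (when Search header is on) and optionally the body. The DictionaryProfile and ContentProfile classes are a constructed stand-in for the FortiMail profiles, the sample messages are constructed, and the "Company-Confidential" value is the Sensitivity header Outlook writes for the Confidential setting.

```python
"""Match dictionary patterns against a message's subject and headers and
decide whether the content profile hands it to the IBE encryption profile.

Added example, not FortiMail code. The profile classes and the sample
messages are constructed.
"""
import email
import re
from dataclasses import dataclass
from email import policy
from typing import List, Tuple


@dataclass
class DictionaryProfile:
    name: str
    patterns: List[str]            # regular expressions, matched case-insensitively
    search_header: bool = True     # the "Search header" option in the text
    search_body: bool = False


@dataclass
class ContentProfile:
    name: str
    dictionary: DictionaryProfile
    action: str = "encrypt"             # what the content action profile does on a hit
    encryption_profile: str = "ibe-default"


def dictionary_hits(msg, profile) -> List[Tuple[str, str]]:
    """Return (location, pattern) for every pattern that matches the message."""
    regexes = [re.compile(p, re.IGNORECASE) for p in profile.patterns]
    targets = [("Subject", str(msg.get("Subject", "")))]
    if profile.search_header:
        targets += [(name, str(value)) for name, value in msg.items()
                    if name.lower() != "subject"]
    if profile.search_body:
        body = msg.get_body(preferencelist=("plain",))
        targets.append(("body", body.get_content() if body is not None else ""))
    return [(where, rx.pattern) for where, text in targets
            for rx in regexes if rx.search(text)]


def evaluate(raw_message, content_profile):
    """Apply the content profile to one raw RFC 5322 message.

    Returns (action, encryption_profile, hits); action is "deliver" when
    nothing in the dictionary matched.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = dictionary_hits(msg, content_profile.dictionary)
    if hits:
        return content_profile.action, content_profile.encryption_profile, hits
    return "deliver", None, hits


# Constructed profiles mirroring the example in the text.
CONFIDENTIAL = DictionaryProfile("confidential", [r"\bConfidential\b"])
IBE_CONTENT_PROFILE = ContentProfile("ibe-content", CONFIDENTIAL)

# Constructed sample messages.
MSG_SUBJECT = """\
From: alice@example.com
To: bob@partner.example
Subject: Confidential: Q3 numbers

Attached are the figures.
"""

MSG_SENSITIVITY = """\
From: alice@example.com
To: bob@partner.example
Subject: Q3 numbers
Sensitivity: Company-Confidential

Attached are the figures.
"""

MSG_PLAIN = """\
From: alice@example.com
To: bob@partner.example
Subject: Lunch?

Noon works.
"""

if __name__ == "__main__":
    for label, raw in (("subject", MSG_SUBJECT), ("header", MSG_SENSITIVITY),
                       ("plain", MSG_PLAIN)):
        print(label, evaluate(raw, IBE_CONTENT_PROFILE))
```

The word-boundary anchors keep "Confidential" from firing on unrelated words, and turning Search header off shows why the option matters: the Outlook Sensitivity marking is only visible to the header scan.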

If you want to encrypt email using message delivery rules:

  • Configure message delivery rules using encryption profiles to determine email that need to be encrypted with IBE. See “Configuring delivery rules” on page 464.
  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see “FortiMail IBE configuration workflow” on page 358.

To configure IBE service

  1. Go to System > Encryption > IBE Encryption.

Figure 149: IBE encryption tab

  2. Configure the following:

GUI item                   Description

Enable IBE service: Select to enable the IBE service you configured.

IBE service name: Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail.

User registration expiry time (days): Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.

User inactivity expiry time (days): Enter the number of days the secure mail recipient can go without accessing the FortiMail unit before having to register again.

For example, if you set the value to 30 days and the mail recipient does not access the FortiMail unit for 30 days after registering on the unit, the recipient will need to register again when another secure mail is sent to them. If the recipient accessed the FortiMail unit on the 15th day, the 30-day limit is recalculated from the 15th day onwards.

Encrypted email storage expiry time (days): Enter the number of days that the secured mail will be saved on the FortiMail unit.

Password reset expiry time (hours): Enter the password reset expiry time in hours.

This is for recipients who have forgotten their login passwords and request new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

Allow secure replying: Select to allow the secure mail recipient to reply to the email with encryption.

Allow secure forwarding: Select to allow the secure mail recipient to forward the email with encryption.

Allow secure composing: Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

For encrypted email, the domain of the composed mail’s recipient must be a protected one; otherwise an error message will appear and the mail will not be delivered.

IBE base URL: Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail.

“Help” content URL: You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file.

If you leave this field empty, a default help file link will be added to the secure mail notification.

“About” content URL: You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file.

If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

Allow custom user control: If your corporation has its own user authentication tools, enable this option and enter the URL.

“Custom user control” URL: This is the URL where you can check for user existence.

“Custom forgot password” URL: This is the URL where users get authenticated.

Notification Settings: You can choose to send a notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

Click the Edit link to modify the email template. For details, see “Customizing email templates” on page 288.

Depending on the IBE email access method (either PUSH or PULL) you defined in “Configuring encryption profiles” on page 594, the notification settings behave differently.

  • If the IBE message is stored on FortiMail (PULL access method), the “read” notification will only be sent the first time the message is read.
  • If the IBE message is not stored on FortiMail (PUSH access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.
  • There is no “unread” notification for IBE PUSH messages.

Managing Certificates

This section explains how to manage X.509 security certificates using the FortiMail web UI. Using the Certificate submenu, you can generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys.

FortiMail uses certificates for PKI authentication in secure connections. PKI authentication is the process of determining if a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate by obtaining a certificate from a certification authority (CA).

You can manage the following types of certificates on FortiMail:

Table 44: Certificate types

Certificate type           Usage

CA certificates: FortiMail uses CA certificates to authenticate the PKI users, including administrators and webmail users. For details, see “Configuring PKI authentication” on page 435 and “Managing certificate authority certificates” on page 354.

Server certificates: FortiMail must present its local server certificate for the following secure connections:

  • the web UI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

For details, see “Managing local certificates” on page 347.

Personal certificates: Mail users’ personal certificates are used for S/MIME encryption. For details, see “Configuring certificate bindings” on page 362.

This section contains the following topics:

  • Managing local certificates
  • Managing certificate authority certificates
  • Managing the certificate revocation list
  • Managing OCSP server certificates

Managing local certificates

System > Certificate > Local Certificate displays both the signed server certificates and unsigned certificate requests.

On this tab, you can also generate certificate signing requests and import signed certificates in order to install them for local use by the FortiMail unit.

FortiMail units require a local server certificate that it can present when clients request secure connections, including:

  • the web UI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view local certificates

  1. Go to System > Certificate > Local Certificate.

Figure 139: Local Certificate tab

GUI item                   Description

Delete (button): Removes the selected certificate.

View (button): Select a certificate and click View to display its issuer, subject, and range of dates within which the certificate is valid.

Generate (button): Click to generate a local certificate request. For more information, see “Generating a certificate signing request” on page 348.

Download (button): Click the row of a certificate file or certificate request file in order to select it, then click this button and select either:

  • Download: Download a certificate (.cer) or certificate request (.csr) file. You can send the request to your certificate authority (CA) to obtain a signed certificate for the FortiMail unit. For more information, see “Downloading a certificate signing request” on page 351.
  • Download PKCS12 File: Download a PKCS #12 (.p12) file. For details, see “Downloading a PKCS #12 certificate” on page 354.

Set status: Click the row of a certificate in order to select it, then click this button to use it as the “default” (that is, currently chosen for use) certificate. The Status column changes to indicate that the certificate is the current (Default) certificate.

This button is not available if the selected certificate is already the “default.”

Import (button): Click to import a signed certificate for local use. For more information, see “Importing a certificate” on page 352.

Name: Displays the name of the certificate file or certificate request file.

Subject: Displays the Distinguished Name (DN) located in the Subject field of the certificate.

If the certificate has not yet been signed, this field is empty.

Status: Displays the status of the local certificate or certificate signing request.

  • Default: Indicates that the certificate was successfully imported, and is currently selected for use by the FortiMail unit.
  • OK: Indicates that the certificate was successfully imported, but is not selected as the certificate currently in use. To use the certificate, click the row of the certificate in order to select it, then click Set status.
  • Pending: Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a local certificate. For details, see “Obtaining and installing a local certificate” on page 348.

Obtaining and installing a local certificate

There are two methods to obtain and install a local certificate:

  • If you already have a signed server certificate (a backup certificate, a certificate exported from other devices, and so on), you can import the certificate into FortiMail. For details, see “Importing a certificate” on page 352.
  • Generate a certificate signing request on the FortiMail unit, get the request signed by a CA, and import the signed certificate into FortiMail.

For the second method, follow these steps:

  • Generating a certificate signing request
  • Downloading a certificate signing request
  • Submitting a certificate request to your CA for signing
  • Importing a certificate

Generating a certificate signing request

You can generate a certificate request file, based on the information you enter to identify the FortiMail unit. Certificate request files can then be submitted for verification and signing by a certificate authority (CA).

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To generate a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Click Generate.

A dialog appears.

  3. Configure the following:

Figure 140: Generate Certificate Signing Request dialog

GUI item                   Description

Certification name: Enter a unique name for the certificate request, such as fmlocal.

Subject Information: Information that the certificate is required to contain in order to uniquely identify the FortiMail unit.

ID type: Select which type of identifier will be used in the certificate to identify the FortiMail unit:

  • Host IP
  • Domain name
  • E-mail

Which type you should select varies by whether or not your FortiMail unit has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate.

For example, if your FortiMail unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiMail unit, you might prefer to generate a certificate based on the domain name of the FortiMail unit, rather than its IP address.

  • Host IP requires that the FortiMail unit have a static, public IP address. It may be preferable if clients will be accessing the FortiMail unit primarily by its IP address.
  • Domain name requires that the FortiMail unit have a fully-qualified domain name (FQDN). It may be preferable if clients will be accessing the FortiMail unit primarily by its domain name.
  • E-mail does not require either a static IP address or a domain name. It may be preferable if the FortiMail unit does not have a domain name or public IP address.

IP: Enter the static IP address of the FortiMail unit.

This option appears only if ID type is Host IP.

Domain name: Type the fully-qualified domain name (FQDN) of the FortiMail unit.

The domain name may resolve to either a static or, if the FortiMail unit is configured to use a dynamic DNS service, a dynamic IP address. For more information, see “Configuring the network interfaces” on page 247 and “Configuring dynamic DNS” on page 259.

If a domain name is not available and the FortiMail unit subscribes to a dynamic DNS service, an “unable to verify certificate” message may appear in the user’s browser whenever the public IP address of the FortiMail unit changes.

This option appears only if ID type is Domain name.

E-mail: Type the email address of the owner of the FortiMail unit.

This option appears only if ID type is E-mail.

Optional Information: Information that you may include in the certificate, but which is not required.

Organization unit: Type the name of your organizational unit, such as the name of your department. (Optional.)

To enter more than one organizational unit name, click the + icon, and enter each organizational unit in its own field.

Organization: Type the legal name of your organization. (Optional.)

Locality (City): Type the name of the city or town where the FortiMail unit is located. (Optional.)

State/Province: Type the name of the state or province where the FortiMail unit is located. (Optional.)

Country: Select the name of the country where the FortiMail unit is located. (Optional.)

E-mail: Type an email address that may be used for contact purposes. (Optional.)

Key type: Displays the type of algorithm used to generate the key.

This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

Key size: Select a key size of 1024 Bit, 1536 Bit or 2048 Bit.

Larger keys are slower to generate, but provide better security.

  4. Click OK.

The certificate is generated, and can be downloaded to your management computer for submission to a certificate authority (CA) for signing. For more information, see “Downloading a certificate signing request” on page 351.
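The same request can be built and inspected outside the web UI, which is useful for checking what a CA will see before submitting it. The Python below is an added example, not FortiMail code: it takes the dialog's ID type (Host IP, Domain name or E-mail), validates the identifier for that type, generates an RSA key of the chosen size, puts the identifier in both the subject CN and a subjectAltName, and reports the request's subject, SAN, key size and signature. It uses the third-party cryptography package; every name, address and organization value is constructed sample data, and the refusal of keys shorter than 2048 bits is an editorial check rather than a FortiMail rule.

```python
"""Generate and inspect a certificate signing request with the same choices
the Generate dialog offers: ID type, RSA key, key size, optional subject fields.

Added example, not FortiMail code. Uses the third-party `cryptography`
package; all identifiers and organization values are constructed.
"""
import ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

DIALOG_KEY_SIZES = (1024, 1536, 2048)   # the sizes the dialog lists
MIN_KEY_BITS = 2048                     # editorial floor; browsers reject shorter RSA keys


def _identity(id_type, identifier):
    """Validate the identifier for the chosen ID type; return (CN, SAN entry)."""
    if id_type == "Host IP":
        ip = ipaddress.ip_address(identifier)   # raises ValueError on a bad address
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
            raise ValueError("Host IP must be the unit's static, routable address")
        return str(ip), x509.IPAddress(ip)
    if id_type == "Domain name":
        if "." not in identifier or identifier.endswith("."):
            raise ValueError("Domain name must be a fully-qualified domain name")
        return identifier, x509.DNSName(identifier)
    if id_type == "E-mail":
        if identifier.count("@") != 1:
            raise ValueError("E-mail must be a single mailbox address")
        return identifier, x509.RFC822Name(identifier)
    raise ValueError(f"unknown ID type: {id_type!r}")


def build_csr(id_type, identifier, key_size=2048, org_units=(), organization=None,
              locality=None, state=None, country=None, contact_email=None):
    """Return (private_key, csr) for the given identity and optional fields."""
    if key_size not in DIALOG_KEY_SIZES:
        raise ValueError(f"key size must be one of {DIALOG_KEY_SIZES}")
    if key_size < MIN_KEY_BITS:
        raise ValueError(f"refusing an RSA key shorter than {MIN_KEY_BITS} bits")
    common_name, san_entry = _identity(id_type, identifier)

    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    attrs += [x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou) for ou in org_units]
    optional = [(NameOID.ORGANIZATION_NAME, organization), (NameOID.LOCALITY_NAME, locality),
                (NameOID.STATE_OR_PROVINCE_NAME, state), (NameOID.COUNTRY_NAME, country),
                (NameOID.EMAIL_ADDRESS, contact_email)]
    attrs += [x509.NameAttribute(oid, value) for oid, value in optional if value]

    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name(attrs))
           # Clients match the SAN, not the CN, so carry the identifier there too.
           .add_extension(x509.SubjectAlternativeName([san_entry]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr


def describe(csr):
    """Summarize a request before it goes to the CA."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    names = [str(v) for t in (x509.DNSName, x509.IPAddress, x509.RFC822Name)
             for v in san.get_values_for_type(t)]
    return {"subject": csr.subject.rfc4514_string(), "san": names,
            "key_bits": csr.public_key().key_size,
            "signature_ok": csr.is_signature_valid}


def to_pem(key, csr):
    """PEM-encode the request (for upload to the CA) and the key (never leaves the unit)."""
    csr_pem = csr.public_bytes(serialization.Encoding.PEM)
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return csr_pem, key_pem


if __name__ == "__main__":
    key, csr = build_csr("Domain name", "mail.example.com", org_units=("IT",),
                         organization="Example Corp", country="US")
    print(describe(csr))
    print(to_pem(key, csr)[0].decode())
```

Only the CSR PEM is sent to the CA; the private key stays where it was generated, which is the same split the Download button enforces by offering the .csr file alone.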

Downloading a certificate signing request

After you have generated a certificate request, you can download the request file to your management computer in order to submit the request file to a certificate authority (CA) for signing.

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To download a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Click the row that corresponds to the certificate request in order to select it.
  3. Click Download, then select Download from the pop-up menu.

Your web browser downloads the certificate request (.csr) file.

Submitting a certificate request to your CA for signing

After you have downloaded the certificate request file, you can submit the request to your CA for signing.

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To submit a certificate request

  1. Using the web browser on the management computer, browse to the web site for your CA.
  2. Follow your CA’s instructions to submit a Base64-encoded PKCS #10 certificate request, uploading the .csr file that you downloaded.
  3. Follow your CA’s instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client.
  4. When you receive the signed certificate from the CA, install the certificate on the FortiMail unit. For more information, see “Importing a certificate” on page 352.

Importing a certificate

You can upload Base64-encoded certificates in either privacy-enhanced mail (PEM) or public key cryptography standard #12 (PKCS #12) format from your management computer to the FortiMail unit. Importing a certificate is useful when:

  • restoring a certificate backup
  • installing a certificate that has been generated on another system
  • installing a certificate, after the certificate request has been generated on the FortiMail unit and signed by a certificate authority (CA)

If you generated the certificate request using the FortiMail unit, after you submit the certificate request to the CA, the CA verifies the information and records it in a digital certificate that contains a serial number, an expiration date, and the public key from your request (the FortiMail unit keeps the matching private key). The CA then signs the certificate with its own private key and returns it to you for installation on the FortiMail unit. To install the certificate, you must import it. For other related steps, see “Obtaining and installing a local certificate” on page 348.

If the FortiMail unit’s local certificate is signed by an intermediate CA rather than a root CA, before clients will trust the FortiMail unit’s local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the FortiMail unit’s certificate is genuine. You can demonstrate this chain of trust either by:

  • installing each intermediate CA’s certificate in the client’s list of trusted CAs
  • including a signing chain in the FortiMail unit’s local certificate

To include a signing chain, before importing the local certificate to the FortiMail unit, first open the FortiMail unit’s local certificate file in a plain text editor, append the certificate of each intermediate CA in order from the intermediate CA that signed the FortiMail unit’s certificate to the intermediate CA whose certificate was signed directly by a trusted root CA, then save the file. Do not append the root CA’s certificate itself: clients must already hold the root in their trust store, and it is that pre-installed root, not anything in the bundle, that anchors the chain. For example, a local certificate which includes a signing chain might use the following structure:

-----BEGIN CERTIFICATE-----
<FortiMail unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, which signed the FortiMail certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, which signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----

To import a local certificate

  1. Go to System > Certificate > Local Certificate.
  2. Click Import.
  3. From Type, select the type of the import file or files:
    • Local Certificate: Select this option if you are importing a signed certificate issued by your CA. For other related steps, see “Obtaining and installing a local certificate” on page 348.
    • PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.
    • Certificate: Select this option if you are importing an existing certificate whose certificate file (.cert) and key file (.key) are stored separately. The private key is password-encrypted.

The remaining fields vary by your selection in Type.

Figure 141: Uploading a local certificate

Figure 142: Uploading a PKCS12 certificate

Figure 143: Uploading a certificate

  4. Configure the following:
GUI item Description
Certificate file Enter the location of the previously exported .cert or .pem certificate file (or, for PKCS #12 certificates, the .p12 certificate-and-key file), or click Browse to locate the file.
Key file Enter the location of the previously exported key file, or click Browse to locate the file.

This option appears only when Type is Certificate.

Password Enter the password that was used to encrypt the file, enabling the FortiMail unit to decrypt and install the certificate.

This option appears only when Type is PKCS12 certificate or Certificate.

Downloading a PKCS #12 certificate

You can export certificates from the FortiMail unit to a PKCS #12 file for secure download and import to another platform, or for backup purposes.

To download a PKCS #12 file

  1. Go to System > Certificate > Local Certificate.
  2. Click the row that corresponds to the certificate in order to select it.
  3. Click Download, then select Download PKCS12 File on the pop-up menu.

A dialog appears.

  4. In Password and Confirm password, enter the password that will be used to encrypt the exported file. The password must be at least four characters long; because the file contains the private key, use a long passphrase and protect the file as you would the key itself.
  5. Click Download.
  6. If your browser prompts you for a location to save the file, select a location.

Your web browser downloads the PKCS #12 (.p12) file. For information on importing a PKCS #12 file, see “Importing a certificate” on page 352.
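The following script is an added example and is not part of the FortiMail documentation or product. It reproduces with the openssl command line (1.1.1 or later is assumed) what the procedures above do in the web UI: it generates an RSA key and a PKCS #10 request whose subject carries the same fields as the Generate form, builds a small test PKI with two intermediate CAs so that the signing-chain order described under “Importing a certificate” can be checked mechanically, and round-trips the signed certificate through a password-protected PKCS #12 file as “Downloading a PKCS #12 certificate” does. The organization names, host name, e-mail address, temporary directory and password are all constructed for the example.

```shell
#!/bin/sh
# Added example, not FortiMail's own tooling: with openssl, generate an RSA key and a
# PKCS #10 request carrying the Generate form's subject fields, build a test PKI with
# two intermediates to check the signing-chain order, and round-trip the signed
# certificate through a password-protected PKCS #12. All names and the password are
# constructed for this example; it needs the openssl command line (1.1.1 or later).
set -eu
WORK=$(mktemp -d)            # left in place so the files can be inspected
P12_PASS='Example-Pass-1'    # constructed; FortiMail requires four or more characters

# Generate a 2048-bit RSA key and a PKCS #10 request: $1 = file prefix, $2 = subject DN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a request with a CA: $1 = prefix, $2 = signer prefix, $3 = CA:TRUE or CA:FALSE.
sign_csr() {
  printf 'basicConstraints=critical,%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
      -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$WORK/$1.ext" \
      -out "$WORK/$1.pem" 2>/dev/null
}

# Test PKI in the page's numbering: root signs intermediate CA 2, which signs
# intermediate CA 1, which signs the FortiMail unit's server certificate.
build_test_pki() {
  make_csr root '/C=CA/O=Example Corp/CN=Example Root CA'
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/root.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
      -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
  make_csr int2 '/C=CA/O=Example Corp/CN=Example Intermediate CA 2'
  sign_csr int2 root CA:TRUE
  make_csr int1 '/C=CA/O=Example Corp/CN=Example Intermediate CA 1'
  sign_csr int1 int2 CA:TRUE
  # Subject mirrors the Generate form: Country, State, Locality, Organization,
  # Organization unit, Host name (CN, the name clients connect to) and E-mail.
  make_csr server '/C=CA/ST=British Columbia/L=Burnaby/O=Example Corp/OU=Mail/CN=mail.example.com/emailAddress=postmaster@example.com'
  sign_csr server int1 CA:FALSE
  # Bundle order FortiMail expects: server certificate, then the intermediates from the
  # one that signed it up to the one signed by the root. The root itself is not appended.
  cat "$WORK/int1.pem" "$WORK/int2.pem" > "$WORK/intermediates.pem"
  cat "$WORK/server.pem" "$WORK/intermediates.pem" > "$WORK/server-chain.pem"
}

# A client's view: the root is trusted, the intermediates are untrusted input, and the
# server certificate must chain to the root through them. Without them it fails.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediates.pem" \
      "$WORK/server.pem" >/dev/null 2>&1
}
verify_without_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}
fingerprint() { openssl x509 -noout -sha256 -fingerprint -in "$1"; }

# Split a PEM bundle into $WORK/part-1.pem, part-2.pem, ... and print the count.
split_bundle() {
  rm -f "$WORK"/part-*.pem
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/ { n++; out = dir "/part-" n ".pem" }
                      n { print > out }  END { print n + 0 }' "$1"
}

# Return 0 if every certificate in the bundle is immediately followed by its issuer
# (issuer DN of part N equals subject DN of part N+1), 1 at the first broken link.
check_chain_order() {
  count=$(split_bundle "$1")
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -noout -nameopt RFC2253 -issuer -in "$WORK/part-$i.pem" \
        | sed 's/^[^=]*= *//')
    subject=$(openssl x509 -noout -nameopt RFC2253 -subject \
        -in "$WORK/part-$((i + 1)).pem" | sed 's/^[^=]*= *//')
    [ "$issuer" = "$subject" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# Export key, certificate and chain to a password-protected PKCS #12 (what Download
# PKCS12 File produces), then read it back: a wrong password must be rejected and the
# right one must return the same certificate.
p12_roundtrip() {
  openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
      -certfile "$WORK/intermediates.pem" -passout "pass:$P12_PASS" \
      -out "$WORK/server.p12" 2>/dev/null || return 1
  if openssl pkcs12 -in "$WORK/server.p12" -passin pass:wrong -nokeys -out /dev/null 2>/dev/null; then
    return 1
  fi
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$P12_PASS" -nokeys -clcerts \
      -out "$WORK/restored.pem" 2>/dev/null || return 1
  [ "$(fingerprint "$WORK/restored.pem")" = "$(fingerprint "$WORK/server.pem")" ]
}

build_test_pki
verify_with_chain && echo "server certificate validates through the intermediates"
check_chain_order "$WORK/server-chain.pem" && echo "bundle order is correct"
p12_roundtrip && echo "PKCS #12 export and re-import round-trip OK (files in $WORK)"
```

Run check_chain_order against the bundle you are about to import; a bundle whose certificates are in the wrong order, or from which an intermediate is missing, fails the check before it fails on a client. The .p12 produced here, like the one FortiMail downloads, holds the private key and is protected only by the export password.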

Managing certificate authority certificates

Go to System > Certificate > CA Certificate to view and import certificates for certificate authorities (CA).

Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates may be trusted to be authentic.

CA certificates are required by connections that use transport layer security (TLS), and by S/MIME encryption. For more information, see “Configuring TLS security profiles” on page 591 and “Configuring certificate bindings” on page 362. Depending on the configuration of each PKI user, CA certificates may also be required to authenticate PKI users. For more information, see “Configuring PKI authentication” on page 435.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of CA certificates, go to System > Certificate > CA Certificate.

Figure 144:CA Certificate tab

Table 45: Managing CA certificates

GUI item Description
Delete (button) Removes the selected certificate.
View (button) Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.
Download (button) Click the row of a certificate in order to select it, then click Download to download a copy of the CA certificate (.cer).
Import (button) Click to import a CA certificate.
Name Displays the name of the CA certificate.
Subject Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Managing the certificate revocation list

The Certificate Revocation List tab lets you view and import certificate revocation lists.

To ensure that your FortiMail unit accepts only certificates that have not been revoked, periodically upload a current certificate revocation list (CRL), which your certificate authorities (CA) publish. A CRL is only as current as its last upload: a certificate revoked after that upload is still accepted until the next one, so upload on a schedule shorter than the CA’s CRL validity period. Alternatively, you can use the online certificate status protocol (OCSP) to query certificate status at the time of use. For more information, see “Managing OCSP server certificates” on page 356.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of certificate revocation lists, go to System > Certificate > Certificate Revocation List.

Figure 145:Certificate Revocation List tab

Table 46: Managing certificate revocation lists

GUI item Description
Delete (button) Removes the selected list.
View (button) Select a certificate revocation list and click View to display details.
Download (button) Select a certificate revocation list and click Download to download a copy of the CRL file (.cer).
Import (button) Click to import a certificate revocation list.
Name Displays the name of the certificate revocation list.
Subject Displays the Distinguished Name (DN) located in the Subject field of the certificate revocation list.

Managing OCSP server certificates

Go to System > Certificate > Remote to view and import the certificates of the online certificate status protocol (OCSP) servers of your certificate authority (CA).

OCSP lets the FortiMail unit check whether a certificate has been revoked by querying the CA’s OCSP responder at the time of use, rather than by importing certificate revocation lists (CRL). OCSP responses are signed by the responder, so its certificate must be available to verify them; that is the certificate you import here. For information about importing CRLs, see “Managing the certificate revocation list” on page 355.

Remote certificates are required if you enable OCSP for PKI users. For more information, see “Configuring PKI authentication” on page 435.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of remote certificates, go to System > Certificate > Remote.

Figure 146:Remote tab

Table 47: Managing OCSP server certificates

GUI item Description
Delete (button) Removes the selected certificate.
View (button) Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.
Download (button) Click the row of a certificate in order to select it, then click Download to download a copy of the OCSP server certificate (.cer).
Import (button) Click to import an OCSP server certificate.
Name Displays the name of the OCSP server certificate.
Subject Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Using High Availability

Using high availability (HA)

Go to System > High Availability to configure the FortiMail unit to act as a member of a high availability (HA) cluster in order to increase processing capacity or availability.

For the general procedure of how to enable and configure HA, see “How to use HA” on page 312.

This section contains the following topics:

  • About high availability
  • About the heartbeat and synchronization
  • About logging, alert email and SNMP in HA
  • How to use HA
  • Monitoring the HA status
  • Configuring the HA mode and group
  • Configuring service-based failover
  • Example: Failover scenarios
  • Example: Active-passive HA group in gateway mode

About high availability

FortiMail units can operate in one of two HA modes, active-passive or config-only.

Table 31: Comparison of HA modes

Active-passive HA:
  • 2 FortiMail units in the HA group
  • Typically deployed behind a switch
  • Both configuration* and data synchronized
  • Only the primary unit processes email
  • No data loss when hardware fails
  • Failover protection, but no increased processing capacity

Config-only HA:
  • 2-25 FortiMail units in the HA group
  • Typically deployed behind a load balancer
  • Only configuration* synchronized
  • All units process email
  • Data loss when hardware fails
  • Increased processing capacity, but no failover protection

* For exceptions to synchronized configuration items, see “Configuration settings that are not synchronized” on page 309.

Figure 126:Active-passive HA group operating in gateway mode

Figure 127:Config-only HA group operating in gateway mode

If the config-only HA group is installed behind a load balancer, the load balancer stops sending email to failed FortiMail units. All sessions being processed by the failed FortiMail unit must be restarted and will be re-directed by the load balancer to other FortiMail units in the config-only HA group.

You can mix different FortiMail models in the same HA group. However, all units in the HA group must have the same firmware version.

Communications between HA cluster members occur through the heartbeat and synchronization connection. For details, see “About the heartbeat and synchronization” on page 307.

To configure FortiMail units operating in HA mode, you usually connect only to the primary unit (master). The primary unit’s configuration is almost entirely synchronized to secondary units (slave), so that changes made to the primary unit are propagated to the secondary units.

Exceptions to this rule include connecting to a secondary unit in order to view log messages recorded about the secondary unit itself on its own hard disk, and connecting to a secondary unit to configure settings that are not synchronized. For details, see “Configuration settings that are not synchronized” on page 309.

To use FortiGuard Antivirus or FortiGuard Antispam with HA, license all FortiMail units in the cluster. If you license only the primary unit in an active-passive HA group, after a failover, the secondary unit cannot connect to the FortiGuard Antispam service. For FortiMail units in a config-only HA group, only the licensed unit can use the subscription services.

For instructions of how to enable and configure HA, see “How to use HA” on page 312.