www.fortinet.com
Contents
Introduction ...................................................................................... 11
About the FortiMail unit .................................................................................. 11
Operation mode .......................................................................................... 11
Key features ................................................................................................ 12
Configuration and management .................................................................. 14
About FortiMail antispam solutions............................................................... 15
FortiGuard-Antispam service ...................................................................... 15
FortiMail antispam techniques .................................................................... 17
About this document....................................................................................... 20
Document conventions................................................................................ 21
Typographic conventions ............................................................................ 21
FortiMail documentation ................................................................................. 21
Fortinet Tools and Documentation CD ........................................................ 22
Fortinet Knowledge Center ......................................................................... 22
Comments on Fortinet technical documentation ......................................... 22
Customer service and technical support ...................................................... 22
Settings............................................................................................. 36
Config............................................................................................... 36
Network ............................................................................................. 40
Domains ............................................................................................. 44
Antispam ............................................................................................ 47
Index................................................................................................ 349
Introduction
This section introduces you to the FortiMail Secure Messaging Platform
(FortiMail unit) and the following topics:
FortiMail documentation
Operation mode
You can install the FortiMail unit in gateway, transparent, or server mode. For
information about setting up the FortiMail unit in each mode, see the FortiMail
Installation Guide.
Gateway mode
In gateway mode, the FortiMail unit can effectively protect your email server by
scanning the SMTP traffic for viruses and spam messages. It can also archive
email for backup and monitoring purposes. The FortiMail unit integrates into your
existing network with only minor changes to your network configuration.
You can configure your firewall or DNS server to ensure that incoming SMTP
traffic goes through the FortiMail unit before reaching the email server. Optionally,
you can configure your email server to use the FortiMail unit as the relay server
for outgoing SMTP traffic.
Transparent mode
In transparent mode, the FortiMail unit provides seamless integration into existing
network environments. You can place the FortiMail unit in front of the existing
email server without any changes to the existing network topology. This means
that all of its interfaces are on the same IP subnet and that it appears to other
devices as a bridge. Alternatively, you can configure the FortiMail unit as a
combination of a bridge and a router by assigning IP addresses to some of its
interfaces. In this case, the FortiMail interfaces can be on different subnets.
The FortiMail unit in transparent mode provides a flexible and versatile SMTP
email scanning solution.
Server mode
In server mode, the FortiMail unit provides basic email server functionality by
supporting webmail, SMTP, POP3, and IMAP. In addition, the FortiMail server
provides antivirus, antispam, email archiving, and logging and reporting services.
Key features
In each mode, the FortiMail unit can scan email for viruses and spam. Its log files
record antivirus incidents, antispam incidents, and configuration changes. The
FortiMail unit can also archive incoming and outgoing email for backup or
monitoring purposes.
HA support
Per user antivirus and antispam scanning using LDAP attributes on a per
policy (domain) basis
Server mode
In server mode, the FortiMail unit provides all features listed in transparent and
gateway modes plus the following:
Antivirus protection
The FortiMail unit provides the following antivirus services:
Attachment filtering
Denial-of-service protection
The FortiMail unit provides the following denial-of-service protection:
Complete email scanning: header, body, raw body, URI, and meta information
Web-based manager
You can select one of two modes, basic or advanced, to configure FortiMail
settings. If you are a new administrator, use the basic management mode to
configure a limited number of essential features. Once you have gained
experience and require advanced features, use the advanced management mode
to access all configuration options. The basic management mode displays by
default to new admin users. This document details the basic management mode
in the chapter, FortiMail basic mode on page 23. All other chapters detail the
advanced management mode.
You can also use the web-based manager to monitor the status of the FortiMail
unit. Configuration changes made using the web-based manager take effect
immediately without resetting the unit or interrupting service. Once you are
satisfied with a configuration, you can download and save it. The saved
configuration can be restored at any time.
FortiGuard-Antispam service
The FortiGuard-Antispam service is a Fortinet-managed service that provides a
three-phase approach to screening email messages. The first phase is a DNS
Block List (DNSBL) which is a living list of known spam origins. The second
phase is an in-depth email screening based on a Uniform Resource Identifier
(URI) contained in the message body commonly known as Spam URI Realtime
Blackhole Lists (SURBLs). The third phase is the FortiGuard-Antispam Spam
Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a
hash of an email to the FortiGuard-Antispam server which compares the hash to
hashes of known spam messages stored in the FortiGuard-Antispam database. If
the hash results match, the email is flagged as spam.
For information on configuring the FortiGuard-Antispam service, see Using the
FortiGuard-Antispam service on page 221.
FortiGuard-Antispam DNSBL
To achieve up-to-date real-time identification, the FortiGuard-Antispam service
uses globally distributed spam probes that receive over one million spam
messages per day. The FortiGuard-Antispam service uses multiple layers of
identification processes to produce an up-to-date list of spam origins. To further
enhance the service and streamline performance, the FortiGuard-Antispam
service continuously retests each of the known identities in the list to determine
the state of the origin (active or inactive). If a known spam origin has been
decommissioned, the FortiGuard-Antispam service removes the origin from the
list, thus providing customers with both accuracy and performance.
The FortiMail FortiGuard-Antispam DNSBL scanning process works this way:
1  Upon receiving the inbound SMTP connection request, the FortiMail unit extracts
the source information (the sending server's domain name and IP address).
If the results identify the source as a known spam source, the FortiMail unit
acts according to its configured policy.
The cache on the FortiMail unit is checked for additional connection attempts
from the same source. The FortiMail unit does not need to contact the
FortiGuard-Antispam service if the results of a previous connection attempt are
cached.
Once the incoming connection has passed the first pass scan (DNSBL), and has
not been classified as spam, it will then go through a second pass scan (SURBL)
if the administrator has configured the service.
FortiGuard-Antispam SURBL
To detect spam based on the message body URIs (usually web sites), Fortinet
uses FortiGuard-Antispam SURBL technology. Complementing the DNSBL
component, which blocks messages based on spam origin, SURBL technology
blocks messages that have spam hosts mentioned in message bodies. By
scanning the message body, SURBL is able to determine if the message is a
known spam message regardless of origin. This augments the DNSBL technology
by detecting spam messages from spam source that may be dynamic, or a spam
source that is yet unknown to the DNSBL service. The combination of both
technologies provides a superior managed service with higher detection rates
than traditional DNSBLs or SURBLs alone.
The FortiMail FortiGuard-Antispam SURBL scanning process works this way:
1  After accepting an incoming SMTP connection (passed first pass scan), the email
message is received.
After an incoming SMTP connection has passed the DNSBL scan, the FortiMail
unit accepts delivery of email messages.
The FortiMail unit generates a signature (URI) based on the contents of the
received email message.
The FortiGuard-Antispam service checks the email signature against its SURBL
database of known signatures and sends the results back to the FortiMail unit.
If the results identify the signature as known spam email content, the FortiMail
unit acts according to its configured policy.
Additional connection requests with the same email signature do not need to
be re-classified by the FortiGuard-Antispam service, and can be checked
against the classification in the system cache.
Once the message has passed both phases (DNSBL and SURBL), it goes to the
next layer of defense in the FortiMail unit, which includes additional spam
classification technologies.
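To make the three-phase screening concrete (the SHASH description above and the DNSBL and SURBL scanning processes), here is an added Python example; it is not code from the FortiMail product or from this guide. It models the reversed-octet DNSBL query for the source IP, URI host extraction for the SURBL phase, a hash of the normalised body standing in for the spam checksum, and the verdict cache that spares a repeat lookup when the same source or signature comes back. The zone names, the listed entries, the resolver stub and the body normalisation are all constructed assumptions; the real FortiGuard zones, hash algorithm and cache details are not described on this page.

```python
import hashlib
import ipaddress
import re
from typing import Callable, Dict, Optional, Set

# Constructed stand-ins for the FortiGuard-Antispam zones (assumptions for this example).
DNSBL_ZONE = "dnsbl.example.invalid"
SURBL_ZONE = "surbl.example.invalid"
LISTED_NAMES: Set[str] = {
    "3.2.0.192." + DNSBL_ZONE,        # source IP 192.0.2.3 is a known spam origin
    "spam-host.test." + SURBL_ZONE,   # URI host seen in the body of known spam
}


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup: listed names answer 127.0.0.2, anything else NXDOMAIN (None)."""
    return "127.0.0.2" if name in LISTED_NAMES else None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet query name a DNSBL expects: 192.0.2.3 -> 3.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


URI_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def surbl_hosts(body: str) -> Set[str]:
    """Hostnames of the URIs in the message body, lowercased, for the SURBL phase."""
    return {h.lower().rstrip(".") for h in URI_HOST_RE.findall(body)}


def spam_checksum(body: str) -> str:
    """Hash of the whitespace-normalised, lowercased body. The normalisation is an
    assumption; the guide only says that a hash of the email is compared."""
    normalised = " ".join(body.split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class Screener:
    """Runs the three phases in order and caches list verdicts per query name,
    mirroring the unit's use of cached results for repeat connections."""

    def __init__(self, resolve: Callable[[str], Optional[str]], known_hashes: Set[str]):
        self.resolve = resolve
        self.known_hashes = known_hashes
        self.cache: Dict[str, bool] = {}
        self.lookups = 0   # how many times the (simulated) service was actually contacted

    def _listed(self, name: str) -> bool:
        if name not in self.cache:
            self.lookups += 1
            self.cache[name] = self.resolve(name) is not None
        return self.cache[name]

    def screen(self, source_ip: str, body: str) -> str:
        """Return the phase that flagged the message ('dnsbl', 'surbl', 'shash') or 'clean'."""
        if self._listed(dnsbl_query_name(source_ip, DNSBL_ZONE)):
            return "dnsbl"                       # phase 1: known spam origin
        for host in sorted(surbl_hosts(body)):
            if self._listed(host + "." + SURBL_ZONE):
                return "surbl"                   # phase 2: body links to a known spam host
        if spam_checksum(body) in self.known_hashes:
            return "shash"                       # phase 3: checksum of a known spam message
        return "clean"


def demo():
    """Constructed messages exercising each phase plus a cache hit on a repeat source."""
    known = {spam_checksum("BUY NOW  cheap   pills")}
    s = Screener(fake_resolver, known)
    verdicts = [
        s.screen("192.0.2.3", "hello"),                                    # dnsbl
        s.screen("198.51.100.7", "see http://spam-host.test/offer now"),   # surbl
        s.screen("198.51.100.7", "buy now cheap pills"),                   # shash
        s.screen("198.51.100.7", "agenda for Monday"),                     # clean
        s.screen("192.0.2.3", "hello again"),                              # dnsbl, from cache
    ]
    return verdicts, s.lookups


if __name__ == "__main__":
    print(demo())
```

The lookup counter makes the caching point visible: five messages cost only three service queries, because the second source's DNSBL verdict and the first source's listing are reused. Ordering the phases cheapest-first is what lets a listed origin be refused before the body is ever accepted.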
Forged IP scanning
Greylist scanning
DNSBL scanning
SURBL scanning
Bayesian scanning
Heuristic scanning
PDF scanning
Dictionary scanning
Sender reputation
Forged IP scanning
When the FortiMail unit receives an email message, it converts the sender's IP
address to a canonical hostname. The FortiMail unit then compares all of the
officially listed IP addresses for that hostname with the sender's IP address. If the
sender's IP address is not found, the FortiMail unit considers the IP address and
hostname to be forged and treats the email as spam. For more information, see
Forged IP scan on page 164.
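The forged IP scan described above is a forward-confirmed reverse DNS check. The following added Python example (not FortiMail code) implements that logic over constructed PTR and A records so the outcomes are visible side by side: the sending IP is among its hostname's official addresses, it is not (the case the guide calls forged), and no PTR exists at all, which the guide does not address and which the example reports separately as an assumption rather than silently treating as forged.

```python
from typing import Dict, List, Optional

# Constructed PTR and A records standing in for real DNS data (assumptions for this example).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mx1.example.test",    # honest relay: the name resolves back to this IP
    "192.0.2.11": "mx1.example.test",    # PTR claims mx1, but mx1's A records do not include it
    "203.0.113.5": "mail.dynamic.test",  # PTR names a host that has no A records at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.test": ["192.0.2.10", "192.0.2.12"],
}


def canonical_hostname(ip: str) -> Optional[str]:
    """Reverse lookup: the canonical hostname for the sender's IP, or None without a PTR."""
    return PTR_RECORDS.get(ip)


def official_addresses(hostname: str) -> List[str]:
    """Forward lookup: all addresses officially listed for the hostname."""
    return A_RECORDS.get(hostname, [])


def forged_ip_scan(ip: str) -> str:
    """'ok' when the sender's IP is among its hostname's official addresses,
    'forged' when it is not (the guide's verdict), 'no-ptr' when no hostname can be
    derived at all (how to treat that case is an assumption; the guide does not say)."""
    hostname = canonical_hostname(ip)
    if hostname is None:
        return "no-ptr"
    return "ok" if ip in official_addresses(hostname) else "forged"


def scan_all(ips: List[str]) -> Dict[str, str]:
    """Verdict per sending IP, in the order given."""
    return {ip: forged_ip_scan(ip) for ip in ips}


if __name__ == "__main__":
    for ip, verdict in scan_all(["192.0.2.10", "192.0.2.11", "203.0.113.5", "198.51.100.9"]).items():
        print(ip, verdict)
```

The forward confirmation is the whole point: anyone controlling the reverse zone for an address block can publish a PTR naming somebody else's mail host, but they cannot make that host's own A records include their address. Note that 203.0.113.5 is judged forged even though its PTR is consistent with itself, because the hostname lists no address at all; a deployment that does not want such senders rejected outright should treat that case like the no-PTR case.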
Greylist scanning
Greylist scanning blocks spam based on the behavior of the sending server,
rather than the content of the messages. When receiving an email from an
unknown server, the FortiMail unit will temporarily reject the message. If the mail
is legitimate, the originating server will try to send it again later, at which time the
FortiMail unit will accept it. Spam senders rarely attempt a retry. For more
information, see Configuring greylist on page 240.
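Because greylisting keys on sender behaviour rather than content, the mechanism is easy to show in a few lines. The following is an added Python example, not FortiMail code and not its actual retry schedule: a first delivery attempt from an unknown (client IP, envelope sender, envelope recipient) triplet gets a temporary SMTP rejection, a retry that arrives after a minimum delay is accepted and the triplet is remembered, and a retry that comes back too quickly (typical of spam engines that fire once or hammer immediately) stays deferred. The delays, the 451 and 250 replies and the triplet definition are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Triplet = Tuple[str, str, str]   # (client IP, envelope sender, envelope recipient)


@dataclass
class Greylist:
    """Greylisting state: pending triplets awaiting a retry, approved triplets that
    are accepted immediately. Timing parameters are assumptions for this example."""
    min_delay: float = 300.0          # a retry must come at least this long after the first attempt
    retry_window: float = 4 * 3600.0  # a pending entry is forgotten if no retry arrives in time
    pending: Dict[Triplet, float] = field(default_factory=dict)    # triplet -> first seen
    approved: Dict[Triplet, float] = field(default_factory=dict)   # triplet -> last seen

    def check(self, triplet: Triplet, now: float) -> str:
        """SMTP-level decision for one delivery attempt at time `now` (seconds)."""
        if triplet in self.approved:
            self.approved[triplet] = now
            return "250 accept"
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[triplet] = now       # new (or stale) triplet: defer it
            return "451 try again later"
        if now - first_seen < self.min_delay:
            return "451 try again later"      # retried too quickly: still deferred
        del self.pending[triplet]             # a patient retry: this looks like a real MTA
        self.approved[triplet] = now
        return "250 accept"


def demo() -> List[str]:
    """Constructed sequence: one legitimate sender retrying, one spam-like single attempt."""
    g = Greylist()
    legit = ("192.0.2.20", "alice@example.test", "bob@corp.test")
    return [
        g.check(legit, 0.0),      # first attempt: deferred
        g.check(legit, 10.0),     # retried too soon: still deferred
        g.check(legit, 600.0),    # retried after its queue delay: accepted and remembered
        g.check(legit, 601.0),    # known triplet: accepted at once
        g.check(("192.0.2.21", "x@example.test", "bob@corp.test"), 600.0),  # unknown: deferred
    ]


if __name__ == "__main__":
    print(demo())
```

Two operational caveats follow directly from the code: every first contact from a new sender is delayed by at least `min_delay`, and the `pending` and `approved` tables grow with every distinct triplet, so a real implementation expires approved entries after a period of inactivity as well.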
DNSBL scanning
In addition to supporting Fortinet's FortiGuard-Antispam DNSBL service, the
FortiMail unit supports administrator-defined public Realtime Block List servers.
You can enable DNSBL filtering as part of the antispam profile, and define multiple
DNSBL servers for each antispam profile. For more information, see DNSBL
scan on page 165 and Configuring DNSBL servers on page 167.
SURBL scanning
In addition to supporting Fortinet's FortiGuard-Antispam SURBL service, the
FortiMail unit supports administrator-defined public Spam URI Realtime Block
Lists servers. You can specify which public SURBL servers to use as part of an
antispam profile. For more information, see SURBL scan on page 165 and
Configuring SURBL servers on page 168.
Bayesian scanning
After FortiGuard-Antispam processing, the Bayesian filters provide the most
effective method of detecting spam. Bayesian filters use databases to determine if
an email is spam. FortiMail Bayesian filters use two types of databases: personal
and group. Personal databases are associated with individual users, and the
group database applies to all users. For more information, see Training Bayesian
databases on page 222.
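To show what the personal and group databases contribute, here is an added Python example of a small naive Bayes spam scorer; it is not FortiMail's implementation and the guide does not describe how the two databases are weighted. In the example the user's personal token counts are added on top of the group's (that combination rule is an assumption), the training messages are constructed, and the demo scores an "invoice overdue" message once against the group database alone and once with a personal database from a user who legitimately handles invoices.

```python
import math
from collections import Counter
from typing import Dict, List

Database = Dict[str, Counter]   # label ("spam" or "ham") -> token counts


def tokens(text: str) -> List[str]:
    """Lowercased alphabetic words with surrounding punctuation stripped."""
    words = (w.strip(".,!?:;()") for w in text.lower().split())
    return [w for w in words if w.isalpha()]


def new_database() -> Database:
    return {"spam": Counter(), "ham": Counter()}


def train(db: Database, label: str, text: str) -> None:
    """Add one classified message to a database (a user's personal one or the group's)."""
    if label not in db:
        raise ValueError("label must be 'spam' or 'ham'")
    db[label].update(tokens(text))


def spam_probability(text: str, personal: Database, group: Database, alpha: float = 1.0) -> float:
    """Naive Bayes P(spam | tokens) with Laplace smoothing (alpha). Personal counts are
    added to the group counts so the user's own training refines the shared baseline;
    that combination rule is an assumption, not the guide's description."""
    merged = {label: personal[label] + group[label] for label in ("spam", "ham")}
    totals = {label: sum(c.values()) for label, c in merged.items()}
    vocab = max(1, len(set(merged["spam"]) | set(merged["ham"])))
    # prior from the relative amount of spam and ham training data
    log_odds = math.log((totals["spam"] + 1) / (totals["ham"] + 1))
    for tok in tokens(text):
        p_spam = (merged["spam"][tok] + alpha) / (totals["spam"] + alpha * vocab)
        p_ham = (merged["ham"][tok] + alpha) / (totals["ham"] + alpha * vocab)
        log_odds += math.log(p_spam / p_ham)
    return 1.0 / (1.0 + math.exp(-log_odds))


def build_group() -> Database:
    """Constructed group database shared by all users."""
    g = new_database()
    for text in ("free prize winner claim now", "cheap pills free shipping", "invoice overdue pay now"):
        train(g, "spam", text)
    for text in ("meeting notes attached", "lunch at noon today", "project status update"):
        train(g, "ham", text)
    return g


def build_personal() -> Database:
    """Constructed personal database of a user who receives invoices legitimately."""
    p = new_database()
    for text in ("invoice attached for review", "invoice approved thanks"):
        train(p, "ham", text)
    return p


def demo() -> Dict[str, float]:
    group, personal = build_group(), build_personal()
    msg = "invoice overdue"
    return {
        "obvious spam, group only": spam_probability("free prize winner", new_database(), group),
        "obvious ham, group only": spam_probability("meeting notes", new_database(), group),
        "invoice, group only": spam_probability(msg, new_database(), group),
        "invoice, with personal": spam_probability(msg, personal, group),
    }


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name}: {p:.2f}")
```

With only the group database the invoice message scores as likely spam; the two personal "ham" messages pull it down noticeably but not yet below one half, which is the practical lesson of per-user training: it needs a real volume of the user's own mail before it overrides the group view, and a group database trained on biased samples will keep misclassifying until it does.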
Heuristic scanning
The FortiMail unit includes rules the heuristic filter uses. Each rule has an
individual score used to calculate the total score for an email. An upper and lower
limit threshold for the heuristic filter is set for each antispam profile. To determine if
an email is spam, the heuristic filter examines an email message and adds the
score for each rule that applies to get a total score for that email. If the total is
greater than or equal to the upper threshold, the filter classifies the email as spam
and processes is accordingly. If the total is less than or equal to the lower
threshold, the email is not spam. If the total is between the two thresholds, then
the heuristic filter cannot determine whether the email is spam or not spam
determination. For more information, see Heuristic scan on page 166.
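The three-way outcome of the heuristic scan (spam, not spam, undetermined) is easy to get wrong at the boundaries, so here is an added Python example, not FortiMail's rule set or code, that scores a message against a small constructed rule list and applies a lower and an upper threshold exactly as described above: a total at or above the upper threshold is spam, at or below the lower threshold is not spam, and anything strictly between is left undetermined for the other scanners. The rule names, scores and thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    score: float
    matches: Callable[[str, str], bool]   # (subject, body) -> does the rule apply?


# Constructed rule set; names, scores and the thresholds used in demo() are assumptions.
RULES: List[Rule] = [
    Rule("subject_all_caps", 2.0, lambda s, b: len(s) > 5 and s.isupper()),
    Rule("money_words", 2.5, lambda s, b: any(w in b.lower() for w in ("free money", "prize", "winner"))),
    Rule("urgent_subject", 1.5, lambda s, b: "urgent" in s.lower()),
    Rule("many_exclamations", 1.0, lambda s, b: b.count("!") >= 3),
    # a negative score: a feature more typical of legitimate bulk mail than of spam
    Rule("unsubscribe_link", -1.0, lambda s, b: "unsubscribe" in b.lower()),
]


def heuristic_score(subject: str, body: str, rules: List[Rule] = RULES) -> Tuple[float, List[str]]:
    """Sum the scores of every rule that applies; also return which rules fired."""
    fired = [r for r in rules if r.matches(subject, body)]
    return sum(r.score for r in fired), [r.name for r in fired]


def classify(total: float, lower: float, upper: float) -> str:
    """Verdict from the profile's thresholds: >= upper is spam, <= lower is not spam,
    anything strictly between is undetermined by this scanner."""
    if lower > upper:
        raise ValueError("lower threshold must not exceed upper threshold")
    if total >= upper:
        return "spam"
    if total <= lower:
        return "not spam"
    return "undetermined"


def demo(lower: float = 2.0, upper: float = 5.0) -> List[str]:
    """Constructed messages landing above, below and between the thresholds."""
    samples = [
        ("YOU ARE A WINNER", "Claim your prize now!!! Free money awaits!"),   # 5.5 -> spam
        ("Team lunch", "Pizza at noon, see you there."),                     # 0.0 -> not spam
        ("Urgent: invoice", "Please review the attached invoice today!!!"),  # 2.5 -> undetermined
        ("Newsletter", "Monthly update. Unsubscribe here."),                 # -1.0 -> not spam
    ]
    return [classify(heuristic_score(s, b)[0], lower, upper) for s, b in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Returning the list of fired rules alongside the total is deliberate: when a profile's thresholds are being tuned, the operator needs to see which rules pushed a borderline message across a boundary, not just the number. Setting `lower` equal to `upper` removes the undetermined band entirely, which is usually a mistake because it forces a verdict on messages the rules barely distinguish.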
PDF scanning
Spammers may attach a PDF file to an otherwise empty message, to get their
email messages past spam safeguards. The PDF file contains the spam
information. Since the message body contains no text, antispam scanners cannot
determine if the message is spam. However, the FortiMail unit's PDF scanning
option directs the heuristic, banned word, and image spam scanners to examine
the contents of PDF attachments. For more information, see PDF on page 167.
Sender reputation
The FortiMail unit tracks SMTP client behavior, limiting deliveries of those clients
sending excessive spam messages, infected email, or messages to invalid
recipients. Should clients continue delivering these types of messages, their
connection attempts will be rejected entirely. Sender reputation is managed by the
FortiMail unit and requires no administration. For more information, see
Configuring sender reputation on page 243.
In server mode, the FortiMail unit is the email server. The network is configured
to allow the FortiMail unit access to and from other email servers, typically
including those out on the Internet, and from users with POP3 or webmail
access.
The advanced features of the FortiMail unit are not enabled. These features
include antispam, antivirus, email archiving, logging, and reporting.
Optionally, you can continue configuring other system-related items, such as date
and time, administrator accounts, and RAID levels. For more information, see
Configuring FortiMail system settings on page 89. At this time you might also
want to update the firmware (see Changing the FortiMail firmware on page 75)
and configure the unit for antivirus updates (see Configuring antivirus updates
from the FDN on page 80), but you can leave these tasks for later.
Once your FortiMail unit is running and you have configured the optional
system-related items, you can start to configure the advanced features as described in
this guide. You have the flexibility to choose which features to enable and select
the options you want within each feature.
This document contains the following chapters:
Configuring users
Archiving email
FortiMail documentation
Document conventions
The following document conventions are used in this guide:
In the examples, private IP addresses are used for both private and public IP
addresses.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiMail documentation uses the following typographical conventions:
Convention        Example
Keyboard input
Document names
Menu commands
Program output    Welcome!
Variables         <address_ipv4>
FortiMail documentation
Information about the FortiMail unit is available from the following guides:
Management
You can connect to the web-based manager and view the current status of the
FortiMail unit, including the current firmware version, the current virus definitions,
the FortiMail unit serial number, email statistics, and communication sessions.
If you log into the web-based manager using any system level account, you can:
view the FortiMail unit settings including the FortiMail unit serial number and its
uptime
The Mail Statistics page shows the number of spam email and viruses detected by
the FortiMail unit in tabular and graphical views. The Session page shows the
active communication sessions to and through the FortiMail unit.
A system administrator with read and write permissions can configure FDN
updates. Only the default system administrator, admin, can change the firmware,
back up and restore the configuration, shut down or restart the unit.
The Management section includes:
Status page
Mail statistics
Mail queues
Spam quarantine
Status page
The Management Status page displays when you log in to the web-based
manager as a system administrator. At any other time, go to Management >
Status to view the Management Status page. If you logged in as the default
system administrator, admin, you can modify management information and
update antivirus definitions.
Figure 1: Management status
Automatic Refresh
Interval
Go
Refresh
System Status
UP Time
The time in days, hours, and minutes since the FortiMail unit
was started or rebooted.
System Time
Log Disk
Displays the capacity of the hard disk that the FortiMail unit
uses to store log messages. For more information on logging,
see FortiMail logging on page 253.
Mailbox Disk
Displays the capacity of the hard disk that the FortiMail unit
uses to store archived email and quarantined spam.
Unit information
Firmware Version
Serial Number
Operation Mode
System Settings
Settings
System Resources
CPU Usage
Memory Usage
The current log disk status indicates how much of the allocated
disk space is used. For information on log settings, see
Logging to the hard disk on page 254.
Active Sessions
History
System Command
Mail statistics
The Mail statistics page displays a summary, in tabular and graphical views, of
spam messages and viruses detected by the scanning tools of the FortiMail unit.
This page also shows actions that the unit has taken against spam and viruses.
Real-time statistics are also available by selecting the Realtime statistics data
also available here link. This displays both a tabular and a graphical representation
of messages sent, spam messages, and viruses in the last day and the last hour.
FortiMail Secure Messaging Platform Version 3.0 MR3 Administration Guide
06-30003-0154-20080327
For information about the FortiMail unit scanning tools, see Creating email
filtering and control profiles on page 161.
To view the mail statistics
1
Select Refresh to update the statistics. You can also select an automatic refresh
interval from 30 seconds to five minutes, and select Go.
The following information displays:
The Summary tab displays, in tabular form, the spam and virus-infected email
detected by the FortiMail unit. The table also breaks down the spam detected
by the scanning tools, including heuristic, Bayesian, DNSBL, access control,
the system-wide black list (System List), and the black lists set by email users
(User List).
The History tabs display a graph of the total number of messages sent and a
graph of the number of viruses detected, for the selected period: hourly, daily,
weekly, or yearly.
Type the path and filename of the firmware image file, or select Browse and locate
the file.
Select OK.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware
version, disconnects your session, restarts, and displays the FortiMail unit login.
This process takes a few minutes.
Go to Management > Status > Status and check the Firmware Version to confirm
that the firmware upgrade is successfully installed.
Log into the FortiMail unit web-based manager as the admin administrative user.
Type the path and filename of the previous firmware image file, or select Browse
and locate the file.
Select OK.
The FortiMail unit uploads the firmware image file, reverts to the old firmware
version, resets the configuration, restarts, and displays the FortiMail unit login.
This process takes a few minutes.
Go to Management > Status > Status and check the Firmware Version to confirm
that the firmware is successfully installed.
Caution: Before performing any of these procedures, notify your email users.
Select Restart.
The FortiMail unit disconnects your session, shuts down, and restarts.
To shut down the FortiMail unit
When you change the FortiMail unit from server mode to gateway mode or vice
versa, its configuration resets to factory defaults except the configuration for
the port 1 interface.
When you change the FortiMail unit from any mode to transparent mode or
vice versa, its configuration resets to factory defaults. You lose all of the
existing configuration.
Use gateway mode when you do not want your servers to be visible to users
for security reasons. You will have to make sure you modify your mail routing
policy to route incoming mail to the FortiMail unit for it to be scanned.
Use transparent mode when a network is complex and does not allow for
changes in the IP addressing scheme.
Use server mode if you need a secure and reliable email server with
integrated advanced antispam and antivirus capabilities.
For more information about the different operation modes, see Operation mode
on page 11.
Deploy the FortiMail unit in front of your mail server so incoming email is forced
to go to the FortiMail unit and be scanned.
Do not connect two ports to the same VLAN on a switch or the same hub.
Some Layer 2 switches become unstable when they detect the same MAC
address originating on more than one switch interface or from more than one
VLAN.
If the client is configured for authentication and the Use original server to
deliver mail option under For unknown Servers of SMTP proxies is NOT
enabled, the FortiMail unit needs an authentication profile configured and
applied. The back-end mail server must also be explicitly configured to allow
relay. Without the profile, the authentication will fail.
Select OK.
Select Restore.
Enter the path and filename of the system settings file, or select Browse and
locate the file.
Caution: This procedure deletes all changes that you have made to the FortiMail unit
configuration and reverts the system to its original configuration, including resetting
interface addresses.
Select OK to confirm.
The FortiMail unit restarts with the configuration that it had when it was first
powered on.
Mail queues
The FortiMail unit stores undeliverable email in several queues:
The Deferred queue contains email that the FortiMail unit could not send.
Often the problem is temporary. For example, the destination email server was
off-line or there were network problems. See Deferred queue on page 31.
The Spam queue contains tagged spam that the FortiMail unit could not send
(For information on tagging spam, see Configuring Actions on page 170).
Often the problem is temporary. For example, the destination email server was
off-line or there were network problems. See Spam queue on page 32.
The Dead email list contains email that cannot be delivered or returned
because the recipient and sender names are both invalid. See Dead email
list on page 33.
Deferred queue
In the Deferred queue, the FortiMail unit stores email that it could not send.
Sending an email can fail for various temporary reasons such as network
problems. A notification will be sent to the sender when the email is moved to the
deferred queue. The FortiMail unit will try to resend the deferred email for five
days. You cannot configure the resending schedule.
If an email still cannot be sent by the end of the fifth day, the sender is notified of
the delivery failure and the email will be deleted. If the sender cannot be notified of
the failure, FortiMail will save a copy of the email in the Dead email list. See Dead
email list on page 33.
Go to Mail Settings > Mail Queue > Deferred Queue to delete some or all
deferred email. When you delete a deferred email, a notification message with the
deleted email attached to it will be sent to the email sender.
If the email is subsequently sent successfully, it is removed from the queue and
the sender will not be notified.
Figure 3: Deferred queue (with deferred messages)
Page up icon
Select the number of lines to display on each page: 25, 50, 100, 1000.
Total lines
Goto Line
Enter the line number on the page that you want to see.
Go
Select
Sender
Recipient
Reason
Displays the reason why the email has been deferred, for example host
name lookup failure or connection refused.
First Processed Displays the time that the FortiMail unit first tried to send the email.
Last Processed Displays the time that the FortiMail unit last tried to send the email.
Tries
Displays the number of times that the FortiMail unit has tried to send the
email.
Check All
Uncheck All
Delete
Resend
Refresh
Spam queue
In the Spam queue, the FortiMail unit stores tagged spam that it could not send.
There could be various temporary reasons such as network problems. The
FortiMail unit will try to resend the tagged spam for five days. You cannot
configure the resending schedule.
Go to Mail Settings > Mail Queue > Spam Queue to delete some or all tagged
spam. When you delete a tagged spam, a notification message with the deleted
tagged spam attached to it will be sent to the email sender.
Figure 5: Spam queue
Page up icon
View nn lines each page
Select the number of lines to display on each page: 25, 50, 100, 1000.
Total lines
Goto Line
Enter the line number on the page that you want to see.
Go
Line number.
Select
Sender
Recipient
Reason
Displays the reasons why the tagged spam has been queued.
First Processed Displays the time that the FortiMail unit first tried to send the tagged
spam.
Last Processed Displays the time that the FortiMail unit last tried to send the tagged
spam.
Tries
Displays the number of times that the FortiMail unit has tried to send the
tagged spam.
Page up icon
Select the number of lines to display on each page: 5, 30, 50, 1000.
Total lines
Sort by
Delete dead emails Enter the number of days after which to delete the email from the
Dead email list.
#
Line number.
Select
From
To
Subject
Date
Delete
sort the email by subject, from address, to address, and date, and
Select the Select All check box on the header and select Delete to delete all
the dead email.
Select the check box before a dead email and select Delete to delete an
individual dead email.
or
Backup Queue
Restore Queue
Quarantine
There are two types of quarantine available for use with the FortiMail unit.
The spam quarantine prevents incoming messages detected as spam from
reaching users. They are stored on the FortiMail unit hard drive and the user is
notified with a periodic spam report.
Spam quarantine
The FortiMail unit can be configured to quarantine spam email on its hard drives.
The spam quarantine is enabled by default whenever antispam is enabled.
When incoming email is detected as spam, the FortiMail unit will quarantine the
email on its own hard drive and not deliver it to the recipient. Instead, a spam
report listing all the withheld messages will be sent to users. By default, the report
is sent once a day at 9am. The users can review the message details and release
any messages that are not really spam. Releasing quarantined messages is as
simple as clicking a link associated with the quarantined message in the spam
report. The released message will be delivered to the user's inbox.
You can view the email addresses of the email recipients who have spam
quarantined on the FortiMail unit. You can also view the recipient mailbox size
information.
You can also view, sort, delete, or release the quarantined email.
To view the list of recipients with quarantined spam
1
Select the domain for which you want to see the quarantined spam.
A list of folders is displayed. The folders are named for the email address to which
quarantined spam was addressed.
You can select the number of lines to view on a page and sort the recipients by
email address or mailbox size.
Folders may be easily deleted. Select the check boxes for the folders you wish to
remove and select the delete icon.
Select the Expunge icon to reclaim disk space used by deleted quarantined email.
When quarantined email is deleted, the message is marked as deleted and
removed from the list of quarantined email. The message will still take up disk
space, however. Expunge will reclaim this disk space.
Select All or Selected if you want to manually send out a spam summary report to
the spam recipients. The summary will include each user's spam messages listed
on the Recipients page received in the number of hours entered in the field.
To manage the quarantined email
Sort the messages by subject, sender address, date, and message number.
Select the Delete or Release check box in the header and select OK to delete or
release all the spam messages for this recipient.
Select the delete or release check box before a spam message and select OK to
delete or release an individual spam message.
System Quarantine
The FortiMail unit can be configured to quarantine email on its hard drives based
on the message contents. By default, the system quarantine is not used.
The system quarantine is where email caught by content monitoring and outgoing
spam detection may be held. Unlike the spam quarantine, users receive no
notification of mail held in the system quarantine. Periodic review of the mail is
required by the administrator.
To view the system quarantine (admin user)
Regular administrators can review the system quarantine at any time.
1
The folder named Inbox contains the most recently quarantined messages. When
the Inbox folder size exceeds 100 MB, it is renamed and a new Inbox folder is
created. Rotated folder names include their creation date and rotation date.
Select a folder, and the list of quarantined messages in the selected folder is
displayed.
You can select the number of lines to view on a page and sort the recipients by
any column heading by selecting it.
Click a message subject to view the message. While viewing the message, it can
be released to the user, forwarded to another address, or deleted. The full
message header can be viewed by selecting detail header.
Select Expunge to reclaim disk space used by messages deleted from the system
quarantine. When quarantined email is deleted, the message is marked as
deleted and removed from the message list. The message will still take up disk
space, however. Expunge will reclaim this disk space.
Settings
Settings contains options used to configure the system and email settings of the
FortiMail unit. Any settings used in the Wizard during setup can be found here.
Settings options include:
Config
Network
Domains
Antispam
Config
Config options allow you to change the time settings and the administrator
accounts list.
Config options include:
Time
Admin
Time
For effective scheduling and logging, the FortiMail system time must be accurate.
You can either manually set the FortiMail system time or you can configure the
FortiMail unit to automatically keep its system time correct by synchronizing with a
Network Time Protocol (NTP) server.
Your FortiMail unit supports the 2007 USA, Canada, and Western Australia
changes to Daylight Saving Time. In the USA and Canada this includes moving the
start of daylight saving time from the first Sunday of April to the second
Sunday of March, and moving the end from the last Sunday of October to the
first Sunday of November. In Western Australia this includes moving the time
change from the last Sunday of March to a week later in April.
Go to Settings > Config > Time to configure system time.
System Time: the current FortiMail system date and time. Select Refresh to update the display.
Time Zone: the time zone in which the FortiMail unit operates.
Automatically adjust clock for daylight saving changes: select to have the FortiMail unit apply daylight saving time changes itself.
Set Time: select to set the FortiMail system date and time to the values you set in the Year, Month, Day, Hour, Minute and Second fields.
Synchronize with NTP Server: select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval.
Server: the NTP server to synchronize with.
Syn Interval: specify how often the FortiMail unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes, for the FortiMail unit to synchronize its time once a day.
Note: For security reasons, make sure the system time zone and time are correct. Log timestamps, scheduled tasks and certificate validity checks all depend on them.
Admin
By default, the FortiMail unit has one system-level administration account, admin,
with full access to all configuration options. Using this account, you can create
additional administrative accounts at both the system and domain level (see
Administrators and permission levels on page 37 and Adding an administrator
account on page 39).
Administrators and permission levels:
Read Only
System Level
Domain Level
In the CLI, any account that has admin in the name cannot be changed.
In the administration GUI, any account with admin permission can change the
default admin, and they can change other user accounts. However, accounts with
admin permission cannot give other accounts more permissions, such as
changing a read-only account to read and write permission.
Managing accounts
The following accounts can manage other accounts, but they have some
limitations.
The default admin account has permission to do anything. This account can
manage other admins and users in any domain on your FortiMail unit.
Note: Set a password for the default admin account as soon as the unit is installed. By
default, this account has no password. The password can be at most 32 characters long, and
for improved security it should be at least 6 characters long.
Admin accounts in the system domain that have admin permission can manage
the users in the system domain (accounts without admin permission) as well as all
the users of the other domains as well. However, these accounts cannot manage
other admin accounts in the system domain that have admin permission - they
cannot manage their peers.
Admin accounts in other domains can manage the users in their domain. Except
for the system domain, there is only one admin per domain.
Name: the administrator account name.
Domain: the domain the account belongs to.
Trusted Host: the IP address of the location from which the administrator can log into the web-based manager.
Netmask: the netmask for the location from which the administrator can log into the web-based manager.
Permission: the administrator account access level: none, read, write, read & write, or all. All is only used for the super admin account.
Modify: Create New (add an administrator account).
If you are not in server mode, select a domain on which you want to create the
administrator account.
Optionally type a Trusted Host IP address and netmask for the location from which
the administrator can log into the web-based manager.
If you want the administrator to be able to access the FortiMail unit from any
address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0.
To limit the administrator to only access the FortiMail unit from a specific network,
set the trusted host to the address of the network and set the netmask to the
netmask for the network. For example, to limit an administrator to accessing the
FortiMail unit from your internal network, set the trusted host to the address of
your internal network (for example, 192.168.1.0) and set the netmask to
255.255.255.0.
Select OK.
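The trusted host rule described above, as an added example in Python that is not FortiMail code: it evaluates whether a login source address matches an account's Trusted Host and Netmask, and audits a list of accounts for the 0.0.0.0 / 0.0.0.0 "any address" setting. The account names and addresses are constructed sample data, not taken from any real unit.

```python
"""Trusted-host check for FortiMail administrator accounts.

Added example, not FortiMail code. It reproduces the rule described in the
Admin section: an administrator may log into the web-based manager only from
addresses that match the account's Trusted Host address and Netmask, and a
trusted host of 0.0.0.0 with netmask 0.0.0.0 means "any address".
"""
import ipaddress

# Constructed sample accounts (assumed names/addresses, not from a real unit):
# (name, trusted host, netmask, permission)
SAMPLE_ADMINS = [
    ("admin", "0.0.0.0", "0.0.0.0", "all"),            # default super admin, unrestricted
    ("netops", "192.168.1.0", "255.255.255.0", "read & write"),
    ("auditor", "10.30.15.1", "255.255.255.255", "read"),
]


def trusted_network(host: str, netmask: str) -> ipaddress.IPv4Network:
    """Turn a Trusted Host / Netmask pair into a network object.

    strict=False accepts a single host (10.30.15.1/255.255.255.255) as well as
    a network address (192.168.1.0/255.255.255.0), exactly as the GUI does.
    """
    return ipaddress.IPv4Network(f"{host}/{netmask}", strict=False)


def login_allowed(host: str, netmask: str, source_ip: str) -> bool:
    """True if a login attempt from source_ip matches the trusted host rule."""
    return ipaddress.IPv4Address(source_ip) in trusted_network(host, netmask)


def unrestricted_admins(admins) -> list:
    """Names of accounts whose trusted host lets them log in from anywhere.

    Netmask 0.0.0.0 yields a /0 network containing every address, which is
    what the guide describes for the 0.0.0.0 / 0.0.0.0 setting.
    """
    return [name for name, host, mask, _perm in admins
            if trusted_network(host, mask).prefixlen == 0]


if __name__ == "__main__":
    print(login_allowed("192.168.1.0", "255.255.255.0", "192.168.1.42"))  # True
    print(login_allowed("192.168.1.0", "255.255.255.0", "203.0.113.7"))   # False
    print(unrestricted_admins(SAMPLE_ADMINS))                             # ['admin']
```

Run the audit after creating accounts: any account in the unrestricted list can be reached from every network that routes to the management interface, so pair a narrow trusted host with the Access settings of the interface rather than relying on the password alone.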
Network
Network includes system settings that affect network connectivity.
These settings include:
Interface
Configuring DNS
Configuring routing
Interface
Which model you have determines the number of ports:
FortiMail 100, 2000, 2000A, and 4000A units have four interfaces: port 1 to 4
You can use one interface to connect the unit to the network or two or more
interfaces to provide flexibility.
Go to Settings > Network > Interface to view the interface information.
Figure 9: Interface list
Interface list columns: Name, IP, Netmask, Access, Status, Modify.
Note: In transparent mode, the default IP and Netmask of Port 1 cannot be changed. This
port is used by the management IP.
Addressing mode
Interface Name: the name of the interface (port 1 to port 4).
Do not associate with Management IP: available only in transparent mode, on all ports except Port 1. Select to assign an IP address to the interface; the interface is then no longer part of the transparent bridging configuration.
Manual: select to set the address yourself. Enter the IP address and netmask for the interface in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects.
IP/Netmask: the IP address and netmask of the interface.
DHCP: select to obtain the interface address from a DHCP server.
Retrieve default gateway and DNS from server: by default, the FortiMail unit retrieves both the default gateway and DNS addresses from the DHCP server, replacing the previously configured values. Disable this option if you do not want the FortiMail unit to do this.
Connect to Server
Status
Access: the administrative access allowed on this interface: HTTPS, Ping, HTTP, SSH, SNMP, Telnet. HTTP and Telnet carry credentials in clear text; use HTTPS and SSH for administration and enable the others only on interfaces where they are needed.
MTU: select Override default MTU value to set a non-default maximum transmission unit for the interface.
Configuring DNS
Go to Settings > Network > DNS to configure the IP addresses of the primary
and secondary DNS servers to which the FortiMail unit can connect. DNS server
IP addresses are usually supplied by your ISP.
Note: For improved FortiMail unit performance, the DNS server(s) should be locally placed.
Configuring routing
Go to Settings > Network > Routing to configure static routing on the FortiMail
unit to route the filtered email to the destination network.
Figure 12: Routing list
Routing list columns: Destination IP, Mask, Gateway, Modify (Create New, Edit).
Route entry
Go to Settings > Network > Routing to configure routing and select Create New
to add a route. You can also select the Edit icon of an existing route to modify it.
Figure 13: Edit routing entry
Gateway
Enter the IP address of the next hop router to which this route directs
traffic. For an Internet connection, the next hop routing gateway routes
traffic to the Internet.
Domains
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
It is good practice to configure a local domain name that is different from the
domain name of your back end mail server. The local domain name is used by many
FortiMail features such as email quarantine, Bayesian database training, spam
reports, and DSN notifications. A subdomain of the protected domain is
recommended for the local domain because it needs no separate domain
registration.
Domains includes:
Domains
Local Host
Domains
Go to Settings > Domains > Domains.
Note: In gateway mode, proper MX record configuration is needed for directing the mail
destined to protected domains to this FortiMail unit.
Note: The local domain name should be globally DNS-resolvable only if the FortiMail unit is
used as an outbound relay server.
Domain: the name of the protected domain.
Use MX: a green check shows that the domain's MX record is used to locate its SMTP server.
SMTP Server: displays the SMTP server IP address and port. The SMTP server entry will be blank if Use MX shows a green check.
Modify: Delete icon: delete the domain. In server mode, this also deletes the users you have configured for this domain. Edit icon: modify the domain. Create New: add a domain.
Domain FQDN: the fully qualified domain name of the protected domain.
Use MX Record: select to use the record from the MX table entry to define the domain. When this control is enabled, SMTP Server and Fallback MX Host are not selectable. Instead the MX entry for the FQDN of the domain is used.
SMTP Server: the back end SMTP server for this domain.
Fallback MX Host: the mail host used when the SMTP server cannot be reached.
Local Host
Go to Settings > Domains > Local Host to configure the local host on your
FortiMail unit. The local host is the system domain.
Local Host
Host Name: the host name of the FortiMail unit.
Local Domain Name: enter the local domain name. The FortiMail unit's FQDN is <Host Name>.<Local Domain Name>.
(transparent and gateway modes only)
SMTP Server Port Number: the port on which the FortiMail unit accepts SMTP connections.
SMTP over SSL/TLS: select to accept encrypted SMTP connections.
SMTPS Server Port Number: the default port number is 465. You can change it if needed. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port.
SMTP Authentication: select to enable. Requires login to the SMTP server when enabled (server mode only). Authentication for SMTP connections is enabled by default.
Relay Server
Relay Server Name: the relay email server provided by your ISP, if any.
Relay Server Port: if your ISP provides a relay email server, enter its port number.
Use smtps: select to connect to the relay server over SMTPS.
Antispam
After you have integrated the FortiMail unit into your network by configuring the
network and domain settings (see Network on page 40 and Domains on
page 44), you can configure the antispam settings to take advantage of the
FortiMail antispam features to protect your backend email servers and email
users.
This section contains the following topics:
For each domain, a default antispam setting called Advanced and a default
antivirus setting called Advanced are applied. Select the Edit icon to modify the
antispam and antivirus setting for a domain.
AntiVirus Status
External SMTP Server Setting
Tag Email with Subject: enable and enter the information to appear in the subject line of the spam notification email sent to the recipient by the FortiMail unit, such as "This is spam". If you enable this option, the FortiMail unit sends found spam to recipients with the tag information you entered. A recipient can set up a spam folder in his or her email client software to automatically collect the spam with that subject line information. You must provide the users with the subject line information before they can set up their spam folders.
Tag Email with Header: enable and enter the header information to be added to the spam notification email sent to the recipient by the FortiMail unit. If you enable this option, the FortiMail unit sends found spam to recipients with the header information you entered. Most email clients allow users to sort incoming email based on text appearing in various parts of email messages, including the header. See your email client documentation for further details.
Reject: enable to have the FortiMail unit reject spam and send reject responses to the sender.
Discard: enable to have the FortiMail unit discard spam without sending reject responses to the senders.
Quarantine
Enable to have the FortiMail unit redirect detected spam messages to the
spam quarantine. See Spam quarantine on page 209. The quarantine
action is only available for incoming antispam profiles.
Delete Messages: Enter the number of days you want to keep the
quarantined email. Enter a small enough value that will prevent the
size of the quarantine from exceeding the available disk space. If you
enter 0 to prevent automatic deletion of quarantined files, be sure to
periodically remove old files yourself.
Email Release: Select to activate the auto release and auto delete
functions. See Releasing and deleting quarantined spam on
page 211.
Quarantine for Enable to have the FortiMail unit redirect detected spam messages to the
system quarantine. See System Quarantine on page 219.
review
The Quarantine for review action is only available for outgoing antispam
profiles.
Allow users to automatically update personal White list from sent emails: enable to have the FortiMail unit collect the recipient email addresses from a user's outgoing email and add the addresses to the user's white list under the Preference tab of the FortiMail Webmail. That is, it will not treat future incoming email from these addresses as spam. The same option is also available in the FortiMail Webmail configuration. This option works only if it is enabled both in the user's profile and in the user's Webmail configuration.
There are three occasions when a user's white list auto-updating setting is automatically created by the system:
When a user logs into the FortiMail Webmail.
Reject: enable to have the FortiMail unit reject the infected email and send reject responses to the sender.
Discard: enable to have the FortiMail unit discard the infected email without sending reject responses to the senders.
Access Control
You can configure the FortiMail unit to allow, discard, reject, or relay
email based on the sender, recipient, client IP, or a reverse look up
of the client hostname. For details, see Configuring email access
on page 139.
FortiMail logging
The FortiMail unit provides detailed log information and reports in basic
management mode. The detailed log information and reports provide historical as
well as current analysis of network activity to help identify security issues and
reduce network misuse and abuse.
A FortiMail unit can log many different email activities and traffic including:
spam filtering
By default, the FortiMail unit stores all log files to the local hard disk. Log files are
accessed from Log & Report > Logging. History logs display on the System
Status page and in the Logging menu.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
details and descriptions of log messages.
Logs
Alert Email
Reports
Viewing reports
Browsing reports
Downloading a report
Logs
Logs recorded by the FortiMail unit contain valuable information about email
events and activities that occur on your network. These logs record per recipient,
which presents log information in a very different way than most other logs do. By
recording logs per recipient, log information is presented in layers, which means
that one log file type contains the what and another log file type contains the why.
For example, a log message in the history log contains an email message that the
FortiMail unit flagged as spam (the what) and the antispam log contains why the
FortiMail unit flagged the email message as spam.
Logs are divided into four types: history, event, antispam, and antivirus. Each of
these four log types contains a session identification number, located in the
session ID field of each log message that is recorded by the FortiMail unit. The
session ID corresponds to each of the four log types so that the administrator can
get all the information about the event or activity that occurred on their network.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
additional information about log messages that are recorded in FortiMail 3.0.
History logs
History logs are used to quickly determine the disposition of a message. History
logs describe what action was taken by the FortiMail unit. Administrators use the
history logs to quickly determine the status of a message for a specific recipient,
and then go to other logs with that session ID to find out why that particular action
was taken.
In the following log messages, the disposition field of the history log is what
an administrator looks at to find out what action was taken, and the msg field
of the antispam log with the same session ID shows why the action was taken.
The following is an example of a history log message:
2008-01-07 18:19:08 log_id=04000050100 type=statistics subtype=n/a pri=information session_id=m07NJ62T00110 from=aabb@example.com mailer=mta client_name=[172.16.105.99] resolved=OK to=ccdd@example.com message_length=0 virus= disposition=0x200 classifier=0x12 subject=accounting information
From the disposition, 0x200, we know that the FortiMail unit deferred the delivery
of the email message. We then take the session ID number and match it within the
antispam logs, as in the following:
2008-01-07 18:19:08 log_id=0501080300 type=spam subtype=detected pri=information session_id= m07NJ62T00110 client_name= [172.16.105.99] from=aabb@example.com to=ccdd@example.com subject=accounting information msg=Grey Listing sender
In the above antispam log message, we now know why the FortiMail unit deferred
the delivery because the FortiMail unit has the sender in a grey list, which is
shown in the message field.
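The session-ID lookup described above, as an added example in Python that is not part of the FortiMail product or this guide. It parses the key=value log format generically, pairs each history record with the antispam records carrying the same session_id (the what and the why), and applies the same "this level and more severe" filter as the Level control in the Logging menu. The sample lines are the history, antispam and event messages quoted in this section. Assumptions: history records carry type=statistics as the sample does; 0x200 is the only disposition decoded, because it is the only one this guide explains; and pri=notice is treated as the Notification level.

```python
"""Correlate FortiMail history and antispam log messages by session_id.

Added example, not FortiMail code. The history log says what was done to a
message (disposition); the antispam log with the same session_id says why
(msg). The log lines below are the sample messages quoted in the guide,
embedded here as constructed input so the example runs offline.
"""
import re
from collections import defaultdict

SAMPLE_LOG_LINES = [
    "2008-01-07 18:19:08 log_id=04000050100 type=statistics subtype=n/a "
    "pri=information session_id=m07NJ62T00110 from=aabb@example.com mailer=mta "
    "client_name=[172.16.105.99] resolved=OK to=ccdd@example.com message_length=0 "
    "virus= disposition=0x200 classifier=0x12 subject=accounting information",
    "2008-01-07 18:19:08 log_id=0501080300 type=spam subtype=detected "
    "pri=information session_id= m07NJ62T00110 client_name= [172.16.105.99] "
    "from=aabb@example.com to=ccdd@example.com subject=accounting information "
    "msg=Grey Listing sender",
    "2008-02-09 13:56:56 log_id=0100010601 log_part=00 type=event subtype=config "
    "pri=information user=admin ui=console module=system submodule=dns "
    "msg=DNS has been changed by user admin via CLI (console)",
]

# Severity numbers from the guide's level table. "notice" appears in the
# antispam sample, so it is mapped (assumption) to the Notification level.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "notice": 5, "information": 6}

# Disposition codes explained on this page; anything else is left undecoded.
DISPOSITION = {"0x200": "deferred"}

_TIMESTAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.*)$")
# A field is key= followed by either a double-quoted value or an unquoted value
# that runs up to the next key=, so "subject=accounting information" keeps its
# spaces and "virus=" yields an empty value.
_FIELD = re.compile(r'(\w+)=("[^"]*"|[^=]*?)(?=\s+\w+=|$)')


def parse_log_line(line: str) -> dict:
    """Split one FortiMail log message into a dict of its fields."""
    m = _TIMESTAMP.match(line.strip())
    if not m:
        raise ValueError(f"not a FortiMail log line: {line!r}")
    fields = {"time": m.group(1)}
    for key, value in _FIELD.findall(m.group(2)):
        fields[key] = value.strip().strip('"')
    return fields


def at_least_severity(record: dict, level: int) -> bool:
    """True if the record's pri is the given level or more severe (a lower
    number), which is how the Level filter in the Logging menu selects lines."""
    return SEVERITY.get(record.get("pri", ""), 7) <= level


def correlate(lines) -> list:
    """Pair each history record (assumed type=statistics) with the antispam and
    antivirus records that share its session_id."""
    records = [parse_log_line(line) for line in lines]
    reasons = defaultdict(list)
    for r in records:
        if r.get("type") in ("spam", "virus") and r.get("session_id", "n/a") != "n/a":
            reasons[r["session_id"]].append(r.get("msg", ""))
    result = []
    for r in records:
        if r.get("type") != "statistics":
            continue
        code = r.get("disposition", "")
        result.append({
            "session_id": r.get("session_id"),
            "from": r.get("from"),
            "to": r.get("to"),
            "action": DISPOSITION.get(code, code),   # what was done
            "reasons": reasons.get(r.get("session_id"), []),  # why
        })
    return result


if __name__ == "__main__":
    for entry in correlate(SAMPLE_LOG_LINES):
        print(entry)
```

Because the antivirus sample later in this section carries session_id=n/a, correlate() skips such records, which matches the guide's remark that antivirus messages are found by time and search rather than by session ID.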
Event logs
Event logs contain log messages that concern network or system activities and
events, such as firmware upgrades or password changes. This log type shows
what is occurring at the protocol level, as well as the TCP level.
The following is an example of an event log message:
2008-02-09 13:56:56 log_id=0100010601 log_part=00 type=event subtype=config pri=information user=admin ui=console module=system submodule=dns msg=DNS has been changed by user admin via CLI (console)
The event log does not have the same relationship with the history log as the
antispam or antivirus log does. The event log is not necessarily used for finding
the reason why an event occurred because there may not be a corresponding
session ID number. Event logs are also usually self-explanatory, meaning they
usually give the what and why within the log message.
Antispam logs
Antispam logs provide information pertaining to email messages that are
classified as Spam or Ham messages. The antispam logs describe why they were
classified, as was shown in the example in History logs on page 52.
The following is an example of an antispam log message:
2008-02-12 11:31:29 log_id=0501016384 log_part=00 type=spam subtype=detected pri=notice session_id="m08CNJ42P0054" from="" to="" msg="Loaded 91 FortiGuard heuristic rules. 88 are active (v1ubtype=detected pri=information session_id="" from="" to="" msg="Deep Header Scanner Rules Reload Finished."
Antispam log messages describe spammy URIs, black/white listed IP addresses,
or other techniques the FortiMail unit used to classify the message. Antispam log
messages may also describe message processing errors, such as not handling
email that was sent from a specific user.
Antivirus logs
Antivirus logs provide information pertaining to email messages that are classified
as virus or suspicious messages. These log messages describe what virus is
contained in the email message or in a file attached to the email message.
The following is an example of an antivirus log message:
2008-03-28 16:30:18 log_id=0200060101 log_part=00 type=virus subtype=infected pri=information session_id=n/a from=abba@hynj.com to=<bccb@xyn.com> src_ip=172.20.130.26 msg=The file wqdf.zip is infected with HGBYN_TEST_FILE.
Administrators use antivirus logs to find out why an attachment was stripped
from a message after someone reports not receiving it. Administrators may also
use this log type to verify why the history log recorded a virus detection.
The session ID is not usually used when looking up an antivirus log message;
the time field of the log message and the log search are used instead.
Log severity levels:
0 - Emergency
1 - Alert
2 - Critical: functionality is affected.
3 - Error
4 - Warning
5 - Notification
6 - Information
Actions available for each log file: Empty Log, View, Download, Delete.
Next Page
Previous Page
Go to line
Delete Selected Items: select the log files by clicking the checkbox in the same row. Select Delete Selected Items to remove those items from the hard disk.
Action
The Logging menu enables you to view the log messages from a selected log file.
The columns that appear reflect the content in the log file.
When you are viewing log messages, you can also view the log message in Raw
format by moving your mouse over a number in the # column. You can also
highlight a log message by selecting the row that the log message is in.
To view log messages
Next Page
Previous page
Search: select to search the log file for specific information. For more information, see Searching log messages on page 56.
Level: select the log severity level to view. The FortiMail unit displays the log messages for the selected level and above.
Go to Line: type the line number of the first line you want to display and select Go.
Choose Columns: select to add or remove log information columns to display. For more information, see Customizing the column views on page 58.
Select Search and enter the appropriate information for one or all of the following:
Keyword: enter the word or words to search for within the log file.
Subject (History Log only): if you are searching for emails, enter the subject line contained in the email.
From: if you are searching for emails, enter the sender's email address.
To: if you are searching for emails, enter the receiver's email address.
Session Id: enter the session identification of the log message you are searching for.
Log Id: enter the log identification number of the log message you are searching for.
Client Name (History Log only): enter the client name of the log messages you are searching for. The client name is usually an IP address, for example, 10.30.15.1.
Time within: enter the time period of when the log message occurred, using the following options: [0 day] [12] hour(s) [current day of the current month] [current month] [current year] [current time]. Select the month for the search; the default is the current month. For example, February displays because it is the current month.
For event logs, select Search and enter the appropriate information for one or all of the following:
Keyword: enter the word or words to search for within the log file.
Session Id: enter the session identification of the log message you are searching for.
Log Id: enter the log identification number of the log message you are searching for.
Time within: enter the time period of when the log message occurred, using the following options: [0 day] [12] hour(s) [current day of the current month] [current month] [current year] [current time]. Select the month for the search; the default is the current month. For example, February displays because it is the current month.
Select Apply.
You can also search event logs by using the Level or Subtype drop-down list. The
Level drop-down list allows you to select a specific log severity level. The Subtype
drop-down list allows you to select a specific subtype. The following tables provide
information on what is available in the drop-down lists of Level and Subtype.
Level: Alert, Critical, Error, Warning, Notification, Information.
Subtype: Configuration, Admin User, Web Mail, System, HA, Update Failure, Update Success, POP3, IMAP, SMTP, OTHERS.
OTHERS displays all lines that have a value other than all of the above subtypes, from Configuration to SMTP.
Select a column name and do one of the following to change the views of the log information:
Add ->: select to move selected fields from the Hidden Columns list to the Displayed Columns list.
<- Remove: select to move selected fields from the Displayed Columns list to the Hidden Columns list.
Move up: select to move the selected field up one position in the Displayed Columns list.
Move down: select to move the selected field down one position in the Displayed Columns list.
Select Apply.
Log files can be downloaded in one of two formats, normal format and CSV
format. If you download a log file in Normal format, the file is saved as a text
document, displaying the log messages in a text-based program such as Notepad.
If you download a log file in CSV format, the file is saved in a spreadsheet-type of
format, displaying the log messages in a program such as Microsoft Excel.
To download a log file
Locate the log file and select Download in the Action column.
Download: downloads the log file in its raw format with an extension of .log.
Download file in CSV format: downloads the log file in CSV format.
The web browser prompts you for a location to save the file.
Select the checkbox in the column header beside the Action column.
Select OK to continue.
Caution: Download log files before deleting them. This provides a way to recover deleted
log files in the event you require those deleted log files later on. See Downloading log files
on page 59 for more information about downloading log files.
Select Delete in the Action column for the log file you want to delete.
You can select multiple rolled log files by selecting the checkboxes of the rolled
log files you want deleted.
To delete all rolled log files
Alert Email
Alert Email enables the FortiMail unit to monitor logs for specific log messages,
and notifies you by email when they appear. For example, if you require
notification about antivirus detection activity, you can configure an alert email that
is sent whenever the FortiMail unit detects antivirus activity.
Select Apply
Verify the alert email is configured correctly by selecting Test. This sends an alert
email to the configured recipient(s).
Select one or more of the following event categories and select Apply:
virus incidents
critical events
disk is full
remote archiving failures
HA events
disk quota of an account is exceeded (Server mode only): select to send an email when the disk on the FortiMail unit exceeds the quota amount in an account.
dictionary is corrupted
system quarantine quota is full
deferred emails # over (default=10000), interval time (default=30) minutes
Reports
The FortiMail unit can generate activity reports by analyzing the history log files
and presenting the data in a tabular and graphical format.
Reports provide valuable information, helping you to manage your network more
effectively while making more informed decisions on the administration of your
network and mail server.
The FortiMail unit provides two default pre-defined reports. These pre-defined
reports are available only when you configure basic settings using the quick start
wizard. These two predefined reports, predefined_report_yesterday and
predefined_report_last_week, do not contain a report schedule and must be
manually generated.
You can also configure and generate your own reports from Log & Report >
Reports > Config.
The FortiMail unit generates reports by two methods:
FortiMail also generates a Mail Statistics report in System > Status > Mail
Statistics. The Mail Statistics page displays a summary of spam messages and
viruses detected by the scanning tools of the FortiMail unit in tabular and
graphical views. This page also shows actions taken by the unit against spam and
viruses. See Viewing mail statistics on page 73 for more information.
Apart from the two pre-defined reports, there are no default reports, but there
are default settings for configuring reports. For example, when configuring
domains for your report, the default is All Domains. All Domains includes all
types of domains you configured on the FortiMail unit.
Caution: Generating reports at high-traffic times may affect mail traffic coming through the
FortiMail unit. Generate reports during low traffic times, for example at night when there is
less traffic.
Configuring Reports
Reports are configured in Log & Report > Report > Config. These reports are
referred to as report profiles. Report profiles define what information appears in
the report. When you select Create, you can configure the type of report, the
domain(s) to include, and the time frame for specialized reports.
Figure 22: Viewing report profiles
Report profile actions: Delete, Edit, Run Report.
Config Name: the name of the report profile.
Domain: the domain(s) the report covers.
Schedule: the scheduled frequency when the FortiMail unit generates the report.
Modify: Create New.
Select the blue arrow next to the options you need to configure:
Time Period
Configure what span of time the FortiMail unit uses when looking
at the logs. See Configuring the time period for a report profile on
page 64.
Query Selection
Select the reports you want to include. See Configuring the query
selection for a report profile on page 64.
Schedule
Configure when the FortiMail unit runs the report, for example,
weekly, or monthly. See Configuring the schedule for a report
profile on page 65.
Domain
Incoming Outgoing
Output
Select the file format for the reports and add email recipients for
the report. See Configuring the output for a report profile on
page 66.
Select OK.
Time Period: select the time period for the report. When you select last n hours, days or weeks, a field appears beside the drop-down list. Enter a number in the field, for example, eight, for the last n hours.
From Date: select to configure the start date of the report. For example, you may want to begin the report on May 5, 2006 at 6 pm.
To Date: select to configure the end date of the report. For example, you may want to end the report on May 6, at 12 am.
Query Selection
Total Summary: high level breakdown; select if you want to include all top level and summary information for all queries.
Mail by Sender, Mail by Recipient, Spam by Sender, Spam by Recipient, Virus by Sender, Virus by Recipient: select the individual reports to include.
Schedule
Not Scheduled
Daily
These Days: select specific days of the week that the FortiMail unit should generate the report.
These Dates: select specific days of the month to generate the report. For example, to generate a report on the first and thirtieth of every month, enter 1,30. The comma is required for separating the days.
At Hour: select the time of day when the FortiMail unit should generate the report.
Domain
Remove Selected: select a domain or domains to remove them from the list.
Add: enter a domain and select Add to add the domain to the Domain list.
Incoming Outgoing: select Incoming, Outgoing, or Incoming and Outgoing.
Output
Remove Selected: select if you want to remove the recipient so that he or she will not receive the report. Make sure the email address you want removed is selected before selecting Remove Selected.
Add: enter the email address of the person who will receive the report and select Add to add the email address to the list.
Viewing reports
Generated reports display on the Browse page as a roll-up report, or individual
reports in HTML format. A roll-up report is a report that contains all individual
reports included. An individual report has the same look and functionality as the
roll-up report when viewing in HTML format but when viewing the report in one of
the alternate formats, only the right frame with the report information is included.
From Log & Report > Reports > Browse, you can select a report group from the
list in the Report files column and do one of the following:
Select the report name to view a roll up report of all individual reports
Select the plus sign to expand the individual report list, and then select to view
an individual report.
Figure 29: A FortiMail report showing the Mail Sender Report individual report
Browsing reports
You can browse through generated reports in Log & Report > Reports >
Browse. From the Browse page, you can delete reports if required, download
reports to view on another computer, or only view parts of a report.
Figure 30: Browse generated reports
Delete Selected
Delete
Download HTML
Download PDF
Go to Line: type the line number you want to display and select Go.
Report Files: indicates the date and time when the FortiMail unit completed the generated report.
Size (bytes)
Action
Check All/Check None: select to select all reports for removal from the FortiMail hard disk. Select a check box for a report name and select Delete Selected to remove the report from the hard disk.
Downloading a report
If you require viewing a report from outside the FortiMail web-based manager, you
can download the report in either HTML or PDF.
To download a report
Locate the report you want to download in the Report Files column.
Select the Download icon in the Action column to download an HTML or PDF
version of the report.
local host settings such as host name, local domain, and SMTP server settings
Note: You need to select your operation mode before running the Quick Start Wizard. For
more information, see Changing the FortiMail operation mode on page 28.
view the FortiMail unit settings including the FortiMail unit serial number and its
up time
The Mail Statistics page shows the number of spam email and viruses detected by
the FortiMail unit in tabular and graphical views. The Session page shows the
active communication sessions to and through the FortiMail unit.
A system administrator with read and write permission can configure FDN updates. Only the default system administrator, admin, can change the firmware, back up and restore the configuration, and shut down or restart the unit.
This section includes:
Automatic Refresh Interval
Go
Refresh
System Information
Serial Number
UP Time: The time in days, hours, and minutes since the FortiMail unit was last started.
System Time
Firmware Version
Operation Mode
Log Disk: Displays the capacity of the hard disk that the FortiMail unit uses to store log messages.
Mailbox Disk: Displays the capacity of the hard disk that the FortiMail unit uses to store archived email and quarantined spam.
License information
Antivirus
Antispam Definitions: The currently installed version of the FortiMail Antispam Definitions.
System Settings
Settings
System Resources
CPU Usage
Memory Usage
Active Sessions
History
System Command
History Log
For information about the FortiMail unit scanning tools, see Creating email
filtering and control profiles on page 161.
To view the mail statistics
1. Select Refresh to update the statistics. You can also select an automatic refresh interval from 30 seconds to five minutes, and select Go.
The following information displays:
The Summary tab displays, in tabular form, the spam and virus-infected email detected by the FortiMail unit. The table also breaks down the spam detected by scanning tool, including heuristic, Bayesian, DNSBL, access control, the system-wide black list (System List), and the black lists set by email users (User List).
The History tabs display one graph of the total number of messages sent and another graph of the number of viruses detected for the period, hourly, daily, weekly, or yearly.
Total Number of Sessions: Total number of sessions currently being conducted through the FortiMail unit.
Page
Refresh icon
Page up icon
Page down icon: Select to view the next page in the session list.
View lines each page: Select 25, 50, 100, or 1000 lines displayed per page.
Protocol: The service protocol of the connection. For example, udp, tcp, or icmp.
From IP
From Port
To IP
To Port
Expire(secs)
To navigate the list of sessions, select the Page Up icon or the Page Down icon.
Type the path and filename of the firmware image file, or select Browse and locate
the file.
Select OK.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware
version, disconnects your session, restarts, and displays the FortiMail unit login.
This process takes a few minutes.
Go to System > Status > Status and check the Firmware Version to confirm that
the firmware upgrade is successfully installed.
Log into the FortiMail unit web-based manager as the admin administrative user.
Type the path and filename of the previous firmware image file, or select Browse
and locate the file.
Select OK.
The FortiMail unit uploads the firmware image file, reverts to the old firmware
version, resets the configuration, restarts, and displays the FortiMail unit login.
This process takes a few minutes.
Go to System > Status > Status and check the Firmware Version to confirm that
the firmware is successfully installed.
Caution: Before performing any of these procedures, notify your email users.
Select Restart.
The FortiMail unit disconnects your session, shuts down and restarts the unit.
To shut down the FortiMail unit
When you change the FortiMail unit from server mode to gateway mode or
vice versa, its configuration resets to factory defaults except the configuration
for the port 1 interface.
When you change the FortiMail unit from any mode to transparent mode or
vice versa, its configuration resets to factory defaults. You lose all of the
existing configuration.
Gateway mode should be used when you do not want your servers to be visible to users for security reasons. You must modify your mail routing policy to route incoming mail to the FortiMail unit so that it can be scanned.
Transparent mode should be used when a network is complex and does not allow for changes in the IP addressing scheme.
Server mode should be used if you need a secure and reliable email server with integrated advanced antispam and antivirus capabilities.
For more information about the different operation modes, see Operation mode
on page 11.
Deploy the FortiMail unit in front of your mail server so incoming email is forced
to go to the FortiMail unit and be scanned.
Do not connect two ports to the same VLAN on a switch or the same hub.
Some Layer 2 switches become unstable when they detect the same MAC
address originating on more than one switch interface or from more than one
VLAN.
If the client is configured for authentication and the Use original server to
deliver mail option under For unknown Servers of SMTP proxies is NOT
enabled, the FortiMail unit needs an authentication profile configured and
applied. Also the back end mail server must be explicitly configured to allow
relay. Without the profile, the authentication will fail.
Select OK.
Select Restore.
Enter the path and filename of the system settings file, or select Browse and
locate the file.
Caution: This procedure deletes all changes that you have made to the FortiMail unit
configuration and reverts the system to its original configuration, including resetting
interface addresses.
Select OK to confirm.
The FortiMail unit restarts with the configuration that it had when it was first
powered on.
Manually-initiated updates,
Update status including version numbers, expiry dates, and update dates and
times,
To receive scheduled updates and push updates, you must register the FortiMail
unit on the Fortinet support web page. For your FortiMail unit to receive antivirus
updates, it must be able to connect to the FDN.
To be able to access the FortiGuard updates and to send alert email, your
FortiMail unit must have access to a valid DNS server. For more information on
configuring DNS, see Configuring DNS on page 93.
Go to System > Update to configure FDN updates.
Figure 34: Antivirus definitions update
FortiGuard Distribution Network
Refresh: When you select Refresh, the FortiMail unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Push Update: Available means that the FDN can connect to the FortiMail unit to send push updates. You can configure the FortiMail unit to receive push updates. See Enabling push updates on page 85.
Not Available means that the FDN cannot connect to the FortiMail unit to send push updates. Push updates may not be available if you have not registered the FortiMail unit (see Registering the FortiMail unit on page 83), or if there is a NAT device installed between the FortiMail unit and the FDN (see To enable push updates through a NAT device on page 86).
Update
Version
Expiry date
The date and time on which the FortiMail unit last attempted to download definition and engine updates.
Use override push IP: Select this check box and enter the override IP address and port number. Override push IP addresses and ports are used when there is a NAT device between the FortiMail unit and the FDN.
The FortiMail unit sends the override push IP address and port to the FDN. The FDN will now use this IP address and port for push updates to the FortiMail unit on the internal network. If the External IP Address or External Service Port changes, add the changes to the Use override push configuration and select Apply to update the push information on the FDN. For more information, see To enable push updates through a NAT device on page 86.
Scheduled Update
Every
Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Apply
Update Now
FortiMail Secure Messaging Platform Version 3.0 MR3 Administration Guide
06-30003-0154-20080327
Go to System > Config > Time and make sure the time zone is set to the time
zone for the region in which your FortiMail unit is located.
Select Refresh.
The FortiMail unit tests its connection to the FDN. The test results are displayed at
the top of the System Update page.
Download the latest antivirus definitions update file from Fortinet and copy it to the
computer that you use to connect to the web-based manager.
Start the web-based manager and go to System > Status > Status.
Type the path and filename for the antivirus definitions update file, or select
Browse and locate the antivirus definitions update file.
Select OK to copy the antivirus definitions update file to the FortiMail unit.
The FortiMail unit updates the antivirus definitions. This takes about 1 minute.
Go to System > Status > Status to confirm that the Antivirus Definitions Version
information has updated.
Scheduling updates
The FortiMail unit can check for and download updated definitions hourly, daily, or
weekly, according to a schedule that you specify.
To enable scheduled updates
1. Select the update frequency:
Hourly: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
Select Apply.
The FortiMail unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiMail unit runs a scheduled update, the event is recorded in the
FortiMail event log. See Logging and reporting on page 253.
To add an override server
If you cannot connect to the FDN, or if your organization provides antivirus
updates using their own FortiResponse server, you can use the following
procedure to add the IP address of an override FortiResponse server.
Select Apply.
The FortiMail unit tests the connection to the override server.
If the FortiGuard Distribution Network setting changes to available, the FortiMail
unit has successfully connected to the override server.
If the FortiGuard Distribution Network stays set to not available, the FortiMail unit
cannot connect to the override server. Check the FortiMail network configuration
for settings that would prevent the FortiMail unit connecting to the override
FortiResponse server.
Select Apply.
To enable push updates when FortiMail IP addresses change
The SETUP message that the FortiMail unit sends when you enable push updates
includes the IP address of the FortiMail port 1 interface. The FDN must be able to
connect to this IP address for your FortiMail unit to be able to receive push update
messages. If your FortiMail unit is behind a NAT device, see To enable push
updates through a NAT device on page 86.
Whenever the port 1 interface IP address changes, the FortiMail unit sends a new
SETUP message to notify the FDN of the address change. As long as the
FortiMail unit sends this SETUP message and the FDN receives it, the FDN can
maintain the most up-to-date port 1 interface IP address for the FortiMail unit.
The FortiMail unit sends the SETUP message if you change the port 1 interface IP
address manually or if you have set the port 1 interface addressing mode to
DHCP and your DHCP server changes the IP address.
Use the following steps to configure the FortiGate NAT device and the FortiMail unit on the internal network so that the FortiMail unit on the internal network can receive push updates:
1. Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP. For more information, see your FortiGate Administration Guide.
2. Configure the FortiMail unit on the internal network with an override push IP and port.
Note: Before completing the following procedure, you should register the internal network
FortiMail unit so that it can receive push updates.
Set Port to the external service port added to the virtual IP.
Select Apply.
The FortiMail unit sends the override push IP address and port to the FDN. The
FDN now uses this IP address and port for push updates to the FortiMail unit on
the internal network.
If the external IP address or external service port change, add the changes to the
Use override push configuration and select Apply to update the push information
on the FDN.
Select Apply.
You can select Refresh to make sure that push updates work.
Push Update changes to Available.
Configuring DNS
Configuring DDNS
Configuring routing
Configuring administration
Generating a certificate
creating certificates
Network settings
The FortiMail unit must be configured to operate in your network. Like other
network devices, the FortiMail unit has network interfaces, it requires access to a
DNS server and it requires routing information to reach other networks.
If your network is not carefully planned and properly deployed, the FortiMail unit
can be bypassed. Spammers can then easily determine the lowest priority mail
server (the highest preference number in the MX record) and deliver spam to it in
an attempt to avoid the most effective spam defences on the FortiMail unit. To
ensure maximum safety you can:
Configure routing or your firewall to send all SMTP traffic to the FortiMail unit
for scanning.
Modify the DNS server to keep a single MX record entry for the FortiMail unit
for all protected domains.
Ensure all domains are protected by the FortiMail unit with matched policies
and proper profiles.
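As an added example (not from the FortiMail guide), the following Python audit parses MX answers for a protected domain and lists every MX host other than the FortiMail gateway: each such host is a lower-priority server that a sender can deliver to directly, which is exactly the bypass described above. The host names and the DNS answers are constructed.

```python
"""Audit MX records for hosts that let email bypass the scanning gateway.
Added example; host names and the DNS answers below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MxRecord:
    preference: int  # lower value = higher priority; bypass targets the highest
    host: str


def parse_mx_answers(lines):
    """Parse dig-style answer lines such as
    'example.com. 3600 IN MX 10 fortimail.example.com.' into MxRecord objects.
    Lines that are not MX answers (for example A records) are ignored."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[3] != "MX":
            continue
        records.append(MxRecord(int(parts[4]), parts[5].rstrip(".").lower()))
    return records


def bypass_hosts(records, scanner_host):
    """MX hosts other than the scanning gateway, least preferred first.
    These are the servers a sender can pick to avoid the gateway."""
    others = [r for r in records if r.host != scanner_host.lower()]
    others.sort(key=lambda r: r.preference, reverse=True)
    return [r.host for r in others]


def audit_domain(records, scanner_host):
    """Summarise whether the MX set matches the single-MX recommendation."""
    listed = any(r.host == scanner_host.lower() for r in records)
    bypass = bypass_hosts(records, scanner_host)
    return {
        "scanner_listed": listed,
        "bypass_hosts": bypass,
        # compliant only when the gateway is the one and only MX host
        "ok": listed and not bypass,
    }


# Constructed answers: a domain with a secondary and a tertiary MX, and a
# compliant domain that publishes only the gateway.
WEAK_ANSWER = [
    "example.com. 3600 IN MX 10 fortimail.example.com.",
    "example.com. 3600 IN MX 20 mail2.example.com.",
    "example.com. 3600 IN MX 30 backup-mx.example.net.",
]
SINGLE_ANSWER = ["example.com. 3600 IN MX 10 fortimail.example.com."]


if __name__ == "__main__":
    for name, answer in (("weak", WEAK_ANSWER), ("single", SINGLE_ANSWER)):
        print(name, audit_domain(parse_mx_answers(answer), "fortimail.example.com"))
```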
https://<interface IP address>
Administrative access: https://<interface IP address>/admin
Transparent mode
User access: https://<management IP address>
Administrative access: https://<management IP address>/admin
Administration
When the FortiMail unit is initially installed, it is configured with a single
administrator account with the user name admin. From this account, you can add
other system wide administrator accounts or administrator accounts for individual
email domains. You can control the access level of each of these administrator
accounts and control the IP address from which the administrator can connect to
the FortiMail unit. For detailed information, see Configuring administration on
page 96.
RAID settings
The FortiMail hard disk system uses a Redundant Array of Independent Disks
(RAID) system for enhanced performance and reliability. The default settings for
RAID should give good results, but you can modify the configuration. See
Configuring RAID levels on page 103.
Certificates
The FortiMail unit can generate digital certificate requests and import signed
certificates for added security. See Generating a certificate on page 108.
FortiMail 100, 2000, 2000A, and 4000A units have four interfaces: port 1 to 4
You can use one interface to connect the unit to the network or two or more
interfaces to provide flexibility.
Go to System > Network > Interface to view the interface information.
Figure 35: Interface list (columns: Name, IP, Netmask, Access, Status, Modify)
Note: In transparent mode, the default IP and Netmask of Port 1 cannot be changed. This
port is used by the management IP.
Interface settings
Go to System > Network > Interface, and select the Edit icon for the interface
that you want to configure.
For security reasons, allow management access to only the FortiMail interfaces
requiring it.
Addressing mode
Interface Name
Manual
DHCP
Retrieve default gateway and DNS from server: By default, the FortiMail unit retrieves both the default gateway and DNS addresses from the DHCP server, replacing the previously configured values. Disable this option if you do not want the FortiMail unit to do this.
Connect to Server: Disable this option if you are configuring the interface offline and do not want the unit to attempt to obtain addressing information. This option applies to DNS.
Status
Access: Select the types of administrative access permitted on this interface. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiMail unit that allows remote administration from the Internet:
Do not increase the system idle timeout from the default value of 5 minutes (see Changing configuration options on page 96).
The access types are HTTPS, Ping, HTTP, SSH, SNMP, and Telnet.
MTU
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiMail unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiMail unit and the destination of the packets. If the packets sent by the FortiMail unit are larger, those packets are broken up or fragmented, which slows down transmission. You should experiment by lowering the MTU to find the MTU size that gives the best network performance.
Override default MTU value: To change the MTU, select Override default MTU value (1500) and enter the maximum packet size. For manual and DHCP addressing mode the MTU size can be from 576 to 1500 bytes.
Configuring DNS
Go to System > Network > DNS to configure the IP addresses of the primary and
secondary DNS servers to which the FortiMail unit can connect. DNS server IP
addresses are usually supplied by your ISP.
Note: For improved FortiMail unit performance, the DNS server(s) should be locally placed.
Configuring DDNS
Go to System > Network > DDNS to add DDNS server information.
When the FortiMail unit has a static domain name and a dynamic public IP
address, you can use a DDNS service to update Internet DNS servers when the
IP address for the domain changes.
Figure 38: DDNS settings (fields: Server, Username, Password, Update Time)
Configuring routing
Go to System > Network > Routing to configure static routing on the FortiMail
unit to route the filtered email to the destination network.
Figure 39: Routing list (columns: Destination, IP, Mask, Gateway, Modify; control: Create New)
Route entry
Go to System > Network > Routing to configure routing and select Create New
to add a route. You can also select the Edit icon of an existing route to modify it.
Figure 40: Edit routing entry
Gateway: Enter the IP address of the next hop router to which this route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Select Apply.
Refresh
Time Zone
Automatically adjust clock for daylight saving changes
Set Time: Select to set the FortiMail system date and time to the values you set in the Year, Month, Day, Hour, Minute and Second fields.
Synchronize with NTP Server: Select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval.
Server
Syn Interval: Specify how often the FortiMail unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the FortiMail unit to synchronize its time once a day.
Note: For security reasons, make sure the system time zone and time are correct.
Configuring administration
By default, the FortiMail unit has one system-level administration account, admin,
with full access to all configuration options. Using this account, you can:
set the idle timeout, choose the web-based manager language, and set a PIN
code to protect access to the LCD control panel (see Changing configuration
options on page 96)
create additional administrative accounts at both the system and domain level
(see Administrators and permission levels on page 97 and Adding an
administrator account on page 99)
Restrict access to the control buttons and LCD by requiring a PIN (Personal
Identification Number).
Idle Timeout: Set the idle timeout to control the amount of inactive time before the administrator must log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
Web Administration: Language
LCD Panel: Select the PIN Protection check box and type a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD.
Read Only
System Level
Domain Level
In the CLI, any account that has admin in the name cannot be changed.
In the administration GUI, any account with admin permission can change the
default admin, and they can change other user accounts. However, accounts with
admin permission cannot give other accounts more permissions, such as
changing a read-only account to read and write permission.
Managing accounts
The following accounts can manage other accounts, but they have some
limitations.
The default admin account has permission to do anything. This account can
manage other admins and users in any domain on your FortiMail unit.
Note: Set the password for the default admin account. By default, this account has no
password. The password should be at most 32 characters long, and for improved security
the password should be at least 6 characters long.
Admin accounts in the system domain that have admin permission can manage the users in the system domain (accounts without admin permission) as well as all the users of the other domains. However, these accounts cannot manage other admin accounts in the system domain that have admin permission; they cannot manage their peers.
Note: System admin users cannot add new email users in server mode.
Admin accounts in other domains can manage the users in their domain. Except
for the system domain, there is only one admin per domain.
Name
Domain
Trusted Host: Trusted Host IP address for the location from which the administrator can log into the web-based manager.
Netmask: Netmask for the location from which the administrator can log into the web-based manager.
Permission: Administrator account access level: none, read, write, read & write, or all. All is only used for the super admin account.
Modify
Create New
If you are not in server mode, select a domain on which you want to create the
administrator account.
Optionally type a Trusted Host IP address and netmask for the location from which
the administrator can log into the web-based manager.
If you want the administrator to be able to access the FortiMail unit from any
address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0.
To limit the administrator to only access the FortiMail unit from a specific network,
set the trusted host to the address of the network and set the netmask to the
netmask for the network. For example, to limit an administrator to accessing the
FortiMail unit from your internal network, set the trusted host to the address of
your internal network (for example, 192.168.1.0) and set the netmask to
255.255.255.0.
Select OK.
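The trusted host and netmask semantics described above, as an added Python example that is not part of the FortiMail guide: it evaluates a login source address against an account's Trusted Host and Netmask and flags accounts whose 0.0.0.0/0.0.0.0 setting admits any address. The account names and addresses are constructed.

```python
"""Evaluate administrator logins against Trusted Host and Netmask settings.
Added example; account names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminAccount:
    name: str
    trusted_host: str  # as typed in the Trusted Host field
    netmask: str       # as typed in the Netmask field


def trusted_network(account):
    """Combine host and netmask into the network the fields describe.
    0.0.0.0 with netmask 0.0.0.0 becomes 0.0.0.0/0, which matches any address."""
    return ipaddress.ip_network(
        f"{account.trusted_host}/{account.netmask}", strict=False)


def login_allowed(account, source_ip):
    """True when the connecting address falls inside the account's trusted network."""
    return ipaddress.ip_address(source_ip) in trusted_network(account)


def unrestricted_accounts(accounts):
    """Accounts that may log in from any address (prefix length 0).
    Worth reviewing when remote administration from the Internet is allowed."""
    return [a.name for a in accounts if trusted_network(a).prefixlen == 0]


# Constructed accounts: one open to any address, one limited to the
# 192.168.1.0/255.255.255.0 internal network from the guide, one pinned
# to a single management host.
ACCOUNTS = [
    AdminAccount("admin", "0.0.0.0", "0.0.0.0"),
    AdminAccount("netops", "192.168.1.0", "255.255.255.0"),
    AdminAccount("helpdesk", "10.0.5.17", "255.255.255.255"),
]

if __name__ == "__main__":
    print("unrestricted:", unrestricted_accounts(ACCOUNTS))
    for acct in ACCOUNTS:
        print(acct.name, login_allowed(acct, "192.168.1.42"))
```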
SNMP Agent
Description
Location
Contact
Select the blue triangle to expand the list of traps. In this section you configure the conditions that cause a trap to be sent if the trap type is enabled for the community.
Trap Type
Trigger
Threshold: The number of times the trigger level must be reached before a trap is sent.
Sample Period: The time period in seconds during which the SNMP Agent counts the number of times the trigger level is reached. The default period is 600 seconds (ten minutes). This value should not be lower than the sample frequency.
Sample Freq
Communities
Create New
Community Name
Queries
Traps
Enable
Delete icon
Edit icon
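The Trigger, Threshold, Sample Period and Sample Freq fields above describe a counting rule; the following Python model, added here as an illustration and not FortiMail's own implementation, shows one reading of that rule: samples are counted no faster than the sample frequency, hits against the trigger level are kept inside a sliding sample period, and a trap fires once the threshold is reached. The trap name and the CPU samples are constructed.

```python
"""Model of the trap Trigger / Threshold / Sample Period / Sample Freq fields.
Added example: one reading of the field descriptions, not the FortiMail
implementation. The trap name and sample values are constructed."""
from collections import deque


class TrapCondition:
    def __init__(self, trap_type, trigger, threshold,
                 sample_period=600, sample_freq=60):
        # the guide says the period must not be lower than the sample frequency
        if sample_period < sample_freq:
            raise ValueError("sample period must not be lower than sample freq")
        self.trap_type = trap_type
        self.trigger = trigger            # level a sampled value must reach
        self.threshold = threshold        # hits required inside one period
        self.sample_period = sample_period
        self.sample_freq = sample_freq
        self._hits = deque()              # timestamps at which trigger was reached
        self._last_sample = None

    def sample(self, now, value):
        """Record one sample taken at time `now` (seconds).
        Returns True when a trap should be sent to the community's managers."""
        # samples arriving faster than the sample frequency are not counted
        if self._last_sample is not None and now - self._last_sample < self.sample_freq:
            return False
        self._last_sample = now
        # keep only hits that fall inside the sliding sample period
        while self._hits and now - self._hits[0] >= self.sample_period:
            self._hits.popleft()
        if value >= self.trigger:
            self._hits.append(now)
        if len(self._hits) >= self.threshold:
            self._hits.clear()   # fresh count so the trap is not re-sent every sample
            return True
        return False


def replay(cond, samples):
    """Feed (timestamp, value) pairs in order; return timestamps that raised a trap."""
    return [t for t, v in samples if cond.sample(t, v)]


# Constructed CPU usage samples (seconds, percent): trigger 80 %, three hits
# within a 600 second period are needed before a trap is sent.
CPU_SAMPLES = [
    (0, 45), (60, 85), (120, 90), (180, 50), (240, 88),
    (300, 91), (360, 95), (900, 99), (960, 99), (1020, 99),
]

if __name__ == "__main__":
    cond = TrapCondition("cpu-usage", trigger=80, threshold=3)
    print("traps sent at:", replay(cond, CPU_SAMPLES))
```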
Community Name
Hosts: The list of SNMP managers that can use the settings in this SNMP community to monitor the FortiMail unit. Select Add to create a new entry that you can edit.
IP Address
Interface: Select the name of the interface that connects to the network where this SNMP manager is located. You need to do this if the SNMP manager is on the Internet or behind a router.
Delete icon
Add: Select to add a new default entry to the Hosts list that you can edit as needed. You can have up to 8 SNMP manager entries for a single community.
Queries: Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiMail unit. Select the Enable check box to activate queries for each SNMP version.
Traps: Enter the Local and Remote port numbers (162 local, 162 remote by default) that the FortiMail unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Enable traps for each SNMP version that the SNMP managers use.
SNMP Event: Enable each SNMP event for which the FortiMail unit should send traps to the SNMP managers in this community.
RAID levels
FortiMail 400 models use software RAID (RAID 0 or 1). The log disk and mail disk
on those models can each use different RAID levels. FortiMail 2000, FortiMail
2000A, and FortiMail 4000A units use hardware RAID controllers and therefore
the log disk and mail disk on these models cannot be separated.
RAID 0: Has striping but no redundancy of data. It offers the best performance but no fault-tolerance. If any hard drive fails, the whole RAID fails. Also known as a striped array.
RAID 1: Consists of at least two drives that duplicate the storage of data. There is no striping. Read performance is improved since either disk can be read at the same time. Write performance is the same as for single disk storage. This technique provides the best performance and the best fault-tolerance in a multi-user system. In a two hard drive RAID 1, one hard drive can fail and the RAID will continue to function. Also known as a mirrored array.
RAID 10: A combination of RAID 1 with RAID 0 (see Table 6). Striped and mirrored arrays are good for fault tolerance and high performance, such as for high-load databases. RAID 10 requires a minimum of four drives. Adding two additional drives will add another RAID 1. Any RAID 1 in the array can have a hard drive failure and continue to function, but if both hard disks in a RAID 1 fail then the whole RAID fails.
RAID 10 + hot spare(s) (4000A model): A RAID 10 configuration that has a backup hard drive installed that takes the place of a failed RAID hard drive. The RAID 10 + hot spare(s) must have at least five drives, one spare in addition to the RAID 10 drives. To add another RAID 1, you would need seven drives total because at least one hot spare drive is required.
RAID 50
RAID 50 + hot spare(s) (4000A model): A RAID 50 configuration that has a backup hard drive installed that takes the place of a failed RAID hard drive. The RAID 50 + hot spare(s) must have at least seven drives, one spare in addition to the RAID 50 drives.
Device Details
Automatic Refresh Interval: Select to control how often the web-based manager updates the log/mail device status display.
Go
Refresh
Name
Level
Change
State
Array Details
Resynch Status
Percentage Done
Finished in
Speed
To configure RAID levels for FortiMail 400 log devices or mail devices
1. For Device Details, select Change to change the RAID level to 0 or 1 based on your requirements.
Caution: Changing the device's RAID level temporarily suspends all mail operations and erases all data on the device.
For Array Details, if you chose the Mirrored level, do the following:
Shut down the FortiMail unit, swap the disk, and restart the FortiMail unit.
The new hard disk will appear in the Device Details section.
General RAID settings: Settings that apply to all RAID controllers and disks.
Web page Refresh Interval: Select to control how often the web-based manager updates the log device status display.
Go
Refresh now
Controller number
Change
Model
Driver
Firmware
Unit
Type
Status
RAID 10
RAID 10 + hot spare(s)
RAID 50
RAID 50 + hot spare(s)
Ignore ECC
Port
Part of Unit
Status
Size
Remove
Add to u(n)
Click to start controller rescan
Select a RAID level in the Set RAID level to field and select Change.
Caution: Changing the device's RAID level temporarily suspends all mail operations and erases all data on the device. It is recommended that you back up your data before changing the RAID level.
For non-hot spare configurations, shut down the FortiMail unit. Hot spare configurations do not require a shut down.
For non-hot spare configurations, restart the FortiMail unit. Hot spare RAID
configurations do not require a restart.
For the disk that you want to replace, select Add to.
Note: If you do not see the Add to buttons, select Click to start controller rescan.
Generating a certificate
A certificate request or installed server certificate is displayed in the Local
Certificate list. After you submit the request to a certificate authority (CA), the CA
will verify the information and register the contact information on a digital
certificate that contains a serial number, an expiration date, and the public key of
the CA. The CA will then sign and send the signed certificate to you to install on
the FortiMail unit.
Generating a certificate includes the following sections:
Local certificate
Local certificate
To view a certificate request or import a signed server certificate, go to System >
Certificate > Local Certificate. To view certificate details, select the View
Certificate Detail icon for the certificate.
In Figure 47, the entry corresponds to a signed server certificate.
Figure 47: Local Certificate list (controls: Download, View a certificate, Delete, Generate, Import)
Subject
Status
View Certificate Detail icon
Delete icon
Download icon
Subject Information
Organization Unit
Organization
Locality (City): Optionally type the name of the city or town where the FortiMail unit is installed.
State/Province
Country
Key Type
Key Size: Select a security key size of 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.
In the Local Certificate list, select the Download icon in the row that corresponds
to the generated certificate request.
Using the web browser on the management computer, browse to the CA web
site.
When you receive the signed certificate from the CA, install the certificate on the
FortiMail unit. See Importing separate server certificate and private key files on
page 111.
Certificate file: Enter the full path to and file name of the previously exported certificate file.
Key file: Enter the full path to and file name of the previously exported key file.
Password
Customizations
Access control: control access to email servers through the FortiMail unit for sending or relaying of email, see Access control on page 114
Email domains
An email domain is a set of email accounts that reside on a particular email server. The email domain name is the portion of the user's email address following the @ symbol.
In server mode, you define local domains, all of which reside on the FortiMail unit's internal email server. You can define policies to scan incoming email destined for the users on the local domains and to scan outgoing email to be received by users in other domains.
For information about creating and configuring domains in server mode, see
Configuring domains (server mode) on page 136.
In gateway and transparent modes, you define a domain for each email server
that you want the FortiMail unit to protect. There is one local domain that
represents the FortiMail unit itself. You can define policies to scan incoming email
destined for the users on your domains and to scan outgoing email to be received
by users in other domains. Email destined for your domains must first be received
by the FortiMail unit and then relayed to the domain email server after scanning.
For information about creating and configuring domains in gateway or transparent
mode, see Configuring domains (transparent and gateway modes) on page 129.
In gateway mode, you must change the MX record of your email server so that it
specifies the FortiMail unit. You did this when you initially set up the FortiMail unit.
See the Setting up the FortiMail unit in gateway mode chapter of the FortiMail
Installation Guide. If you add more domains, you must change their email server
MX records, too.
In transparent mode, each network interface includes a proxy server that receives
and relays email. By default, the proxy server responds using the backend email
server's name. This masquerade hides the existence of the FortiMail unit. For
information about configuring the proxy servers, see Configuring proxies
(transparent mode) on page 147.
Access control
The FortiMail unit provides flexible control over who can send, receive or relay
email through the unit.
You can specify access rules that match incoming or outgoing email by either
email address or IP address. To match multiple senders or recipients, you can
specify a partial email address such as a domain name or an IP address prefix
such as 172.20.120. The rule specifies the access permitted as follows:
ACCEPT: The FortiMail unit can only receive email for local domains. These are the FortiMail unit itself and, in server mode, the internal email server. This is the default permission if there is no rule. If you want a different permission level for particular senders, you need to define rules for them.
RELAY
REJECT
DISCARD
For detailed information about these options, see Configuring advanced settings
on page 120.
Mail Server
Host Name
Authentication Required
Note: The Local Domain Name can also be a subdomain of an internal domain as long as
the MX record on the DNS server can direct the mail destined for this subdomain to the
intended FortiMail unit.
Enter the Profile Name, the name or IP address of the RADIUS server, and the
key string of the RADIUS server. Select the Server Requires Domain control if the
RADIUS server expects user IDs to include a domain name.
Select OK.
If you want to edit the profile, select the Edit icon for the profile that you want to
edit and modify the profile as required.
Select OK.
To add and edit a RADIUS server authentication profile - CLI
set auth radius <profile_name> server {<domain_name_str>|<ipv4_str>} secret <key_str> [domain {enable | disable}]
To add and edit a POP3 server authentication profile - Web-based manager
Enter the Profile Name and the name or IP address of the POP3 server.
Enter the POP3 server port number. The default port number is 110.
Select the Server Requires Domain control if the POP3 server expects user IDs to
include a domain name. Enable Secure Sockets Layer (SSL) to secure message
transmission, Secure Authentication to secure email users' passwords, or
Transport Layer Security (TLS) to ensure privacy between communicating
applications and their users on the Internet, as required.
Select OK.
If you want to edit the profile, select the Edit icon for the profile that you want to
edit and modify the profile as required.
Select OK.
To add and edit a POP3 server authentication profile - CLI
set auth pop3 <profile_name> server {<domain_name_str>|<ipv4_str>} port <port_number> [option {ssl} {secure} {tls} {domain}]
To add and edit an IMAP server authentication profile - Web-based manager
Enter the Profile Name and the name or IP address of the IMAP server.
Enter the IMAP server port number. The default port number is 143.
Select the Server Requires Domain control if the IMAP server expects user IDs to
include a domain name. Enable Secure Sockets Layer (SSL) to secure message
transmission, Secure Authentication to secure email users' passwords, or
Transport Layer Security (TLS) to ensure privacy between communicating
applications and their users on the Internet, as required.
Select OK.
If you want to edit the profile, select the Edit icon for the profile that you want to
edit and modify the profile as required.
Select OK.
To add and edit an IMAP server authentication profile - CLI
set auth imap <profile_name> server {<domain_name_str>|<ip_str>} port <port_number> [option {ssl} {secure} {tls} {domain}]
To add and edit an LDAP server authentication profile - Web-based manager
For detailed steps describing the creation or editing of an LDAP profile using the
web-based manager, see To add and edit an LDAP server authentication profile
on page 193.
To add and edit an LDAP server authentication profile - CLI
For detailed steps describing the creation or editing of an LDAP profile using the
command-line interface, see the command set ldap_profile in the CLI chapter of
the FortiMail Administration Guide.
Creating policies
You can protect your email server and its users by connecting the server to the
FortiMail unit. You can then apply authentication profiles to email users to support
SMTP authentication.
By applying profiles to email users, you create policies.
Connect the email server(s) to the FortiMail unit to protect the servers from
unwanted attacks. You can then apply authentication profiles to the email users.
To connect and edit an email server - Web-based manager
Enter the Domain FQDN and SMTP server IP of your email server.
Select OK.
If you want to edit an email server, select the Modify icon of an email server.
Modify the Domain FQDN and SMTP server IP of your email server.
Select OK.
To connect and edit an email server - CLI
set policy <server_fqdn> modify ip <ipv4>
After connecting the email server(s) to the FortiMail unit, you can apply an
authentication profile to email users.
When applying a profile for a user, you create a policy for the user.
To create a policy for email users - Web-based manager
Enable Allow POP3 for SPAM access or Allow web mail for SPAM access
depending on whether users will use POP3 or web mail to access their
quarantined spam messages.
Select OK.
To create a policy for email users - CLI
set spam retrieval policy <server_fqdn> user <user_name> auth {imap | ldap | pop3 | radius} <auth_profile> senddomain {enable | disable}
Notifying users
After configuring profiles and creating policies, you need to notify remote users to
do the following when configuring mail accounts on their email clients:
Use their full domain names for logon account names if the FortiMail unit
supports multiple domains.
Deferred Oversize Message Delivery
Sender Address
Mail Queue
Maximum time for email in queue
Maximum time for DSN email in queue: Select the maximum number of days a delivery status notification (DSN) message can remain in the mail queues. The valid range is from zero to ten days. The default is five days. After the maximum time has been reached, the DSN email will be returned as undeliverable. If the maximum time is set to zero days, delivery will be attempted one time and then the DSN email will be returned as undeliverable.
Time before delay warning
Delivery Options
Disable ESMTP for outgoing email: Select to disable Extended Simple Mail Transfer Protocol (ESMTP) for outgoing email. ESMTP email supports graphics, sound, video, and text in various languages. ESMTP is described in RFC 1869.
Note: For the mail queue descriptions, see Managing mail queues on page 141.
Customizations
There are several ways that you can customize the operation of your FortiMail
unit. You can:
add disclaimers to the header or body of email messages that pass through the
unit
change the product name and logos that appear on the web-based manager
and WebMail pages
Note: Disclaimer and replacement messages provided by Fortinet are examples only.
Service
Name
There are three Name categories: Replacement, Reject, and Report. Within
these categories are the message names. The names are one of the
following:
virus message
suspicious message
attachment filtering message
virus message
suspicious message
spam message
attachment filtering message
Description
Edit icon
Message setup
Allowed formats
Size
Reset to Default
Message box
Enter the text or HTML message and select Apply. You can use the
special tags in Table 8, Email Virus replacement message tags, on
page 125 to add information to the message.
Description
%%EMAIL%%
%%FILE%%: The name of the file that was removed from the email.
%%FILE_TYPE%%
%%MESSAGE_ID_ALL%%
%%SPAM_DELETE_EMAIL%%
%%SPAM_RELEASE_EMAIL%%
%%VIRUS%%
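Rendering a replacement message from the tags listed above, as an added Python example that is not FortiMail's own code. It assumes the %%NAME%% tag syntax, that a tag not in Table 8 is reported as an error rather than passed through, and that when the message format is HTML the substituted values (a file name or virus name taken from the scanned message) are escaped before insertion, so text chosen by whoever sent the message cannot inject markup into the notice; the template, the values and the size limit are constructed.

```python
import html
import re
from typing import Dict, Set

# Tags from Table 8 (Email Virus replacement message tags).
KNOWN_TAGS = {
    "EMAIL", "FILE", "FILE_TYPE", "MESSAGE_ID_ALL",
    "SPAM_DELETE_EMAIL", "SPAM_RELEASE_EMAIL", "VIRUS",
}
TAG_RE = re.compile(r"%%([A-Z_]+)%%")


def unknown_tags(template: str) -> Set[str]:
    """Tags used in the template that Table 8 does not define (check before saving)."""
    return set(TAG_RE.findall(template)) - KNOWN_TAGS


def render_replacement(template: str, values: Dict[str, str], as_html: bool,
                       max_size: int = 4096) -> str:
    """Substitute %%TAG%% placeholders in a replacement message.

    The values originate in the scanned message (file names, virus names,
    message IDs), so in HTML mode they are escaped before insertion. Unknown
    tags raise instead of being left in place (assumption). max_size is a
    constructed stand-in for the Size field of the message setup page."""
    def substitute(match):
        name = match.group(1)
        if name not in KNOWN_TAGS:
            raise ValueError(f"unknown replacement tag %%{name}%%")
        value = str(values.get(name, ""))
        return html.escape(value, quote=True) if as_html else value

    rendered = TAG_RE.sub(substitute, template)
    if len(rendered.encode("utf-8")) > max_size:
        raise ValueError("rendered message exceeds the allowed size")
    return rendered


# Constructed sample: an HTML notice and the values for one infected message.
SAMPLE_TEMPLATE = ("<p>The file <b>%%FILE%%</b> (%%FILE_TYPE%%) addressed to "
                   "%%EMAIL%% was removed: %%VIRUS%%.</p>")
SAMPLE_VALUES = {
    "FILE": "<b>invoice</b>.exe",   # file name containing markup
    "FILE_TYPE": "exe",
    "EMAIL": "bob@example.com",
    "VIRUS": "EICAR-Test-File",
}

if __name__ == "__main__":
    print(render_replacement(SAMPLE_TEMPLATE, SAMPLE_VALUES, as_html=True))
```

In text mode the values are inserted verbatim; the escaping only matters when the message is delivered as HTML, which is why the format is an explicit argument rather than guessed from the template.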
Product name
Bottom logo
Bottom URL
Enter the URL for which the Bottom logo is a link. You could
set this to your corporate web page, for example.
Webmail interface
Webmail Language
Webmail Language
Customization
Webmail Login
Enter the wording you want for this prompt on the Webmail
interface.
Default is Input your email address.
In the first column, find the section of Webmail that contains the resource you
want to change.
Delete the displayed text and enter the new text to use.
NAS
Local
NAS Server
Test
Select to verify the NAS server settings are correct and that the
FortiMail unit can access that location.
This control is available only when NAS server is selected.
Server IP
Server Dir
Centralized Quarantine
Disabled
Receive quarantined messages from clients
Add
Send quarantined messages to remote server
Note: The local domain name should be globally DNS-resolvable only if the FortiMail unit is
used as an outbound relay server.
Domain
Use MX
SMTP Server
Displays the SMTP server IP address and port. The SMTP server
entry will be blank if Use MX shows a green check.
Modify
Delete icon
Delete the domain. In server mode, this also deletes the users you
have configured for this domain.
Edit icon
Create New
Domain FQDN
Use MX Record: Select to use the record from the MX table entry to define the domain. When this control is enabled, SMTP Server and Fallback MX Host are not selectable. Instead the MX entry for the FQDN for the domain is used.
SMTP Server
Enter the IP address, or FQDN, and the port of your SMTP server.
Select SMTPS to use a secure SMTP connection. If SMTPS is
selected, the port is the SMTPS port. The default SMTP port is 25,
and the default SMTPS port is 465.
Fallback MX Host
Is Subdomain
Main Domain
Verify Recipient Address
Select the FortiMail unit interface (port) that the email server is on. A wrong interface will result in connection issues. This option is only available in Transparent mode.
Hide the transparent box: When enabled, this feature will use the EHLO arguments from the sender in the email header to make the ongoing connection. Your FortiMail unit will be hidden by spoofing the mail server's IP address to deliver outgoing mails. When not enabled, the FortiMail unit's IP address and hostname will be added to the email header. If this feature is enabled, you must select the correct interface that the server is on. If this feature is enabled, the Mail Settings > Proxies option Use original server to deliver mail must be enabled. See Configuring proxies (transparent mode) on page 147. If this feature is enabled you will not be able to use IP pools. This option is only available in Transparent mode.
Use this domain's SMTP server to deliver the mail: When enabled, the FortiMail unit will relay mail to the SMTP server for this email domain. This option is only available in Transparent mode.
Automatic Removal of Invalid Quarantine Accounts: If enabled, quarantine user accounts are checked against an SMTP or LDAP server at 4:00 AM daily. Quarantined messages to invalid users are deleted. Select one of Disable, SMTP Server or LDAP Server. Selecting the blue arrow for LDAP Server expands to allow you to select the LDAP profile to use from a list of configured server profiles.
LDAP User Alias profile: Select the LDAP profile to use for aliased users in this domain. For information on configuring LDAP profiles see Creating LDAP profiles on page 193.
Advanced Settings
Mail Routing
Spam Report Setting: Select the blue arrow to expand the spam report section. For more information see Spam Report Setting on page 133. For information on system-wide spam report settings see Scheduling spam reports on page 212.
Disclaimer: Select the blue arrow to expand the disclaimer section. For more information see Disclaimer on page 135. For information on system-wide disclaimer settings see Adding disclaimers to email on page 122.
Webmail Language: Select the language people see when they check their email accounts on this domain through Webmail. The default is to use the same language as the system settings.
IP Pool to use
SMTP Greeting
Advanced AS / AV Settings
Check AS / AV
Config
Use Global Bayesian Database
Send to individual recipients: Select to send the spam report to all recipients listed. For more details see Anti-Spam > Quarantine > Recipients.
Send to other recipient: Select to enter an email address that is not on the recipient list. If the administrator for this domain is not part of this domain, the administrator's email address outside this domain can be entered here.
Schedule
These Hours: Select the hours to include in the spam report for this domain. When the FortiMail unit is reset, not all hours will be available. Select the Schedule blue arrow to view this field. Set Schedule to Use domain settings to edit this section.
These Days: Select the days to include in the spam report for this domain. When the FortiMail unit is reset, not all days will be available. Select the Schedule blue arrow to view this field. Set Schedule to Use domain settings to edit this section.
Report: Select Use domain settings to customize the spam report content. The default is Use system settings.
Report Email Body (HTML): Select to customize the spam report email body using HTML tags in the report email body. Both HTML and text can be selected at the same time. Select the Report blue arrow to view this field. Set Report to Use domain settings to edit this section.
Report Email Body (Text): Select to customize the spam report email body using plain text in the report email body. Both HTML and text can be selected at the same time. Select the Report blue arrow to view this field. Set Report to Use domain settings to edit this section.
Report Email Subject (Text): Select to customize the email subject line for the spam report. Select the Report blue arrow to view this field. Set Report to Use domain settings to edit this section.
Disclaimer
Go to Mail > Domains > Create New. Select Disclaimer blue arrow to expand the
display.
Disclaimer settings allow you to customize the disclaimer messages associated
with this domain. These disclaimers will be included with all incoming or outgoing
email (as configured) for this domain.
Figure 62: Disclaimer (transparent mode)
Disclaimer
Disclaimer in message header
Disclaimer in message body
Disclaimer in message header
Disclaimer in message body
Domain
Modify
Delete icon
Delete the domain. In server mode, this also deletes the users you
have configured for this domain.
Edit icon
Edit the domain settings. See Creating a new email domain (server
mode) on page 136.
Create New
Domain FQDN
Is Subdomain
Main Domain
Advanced Settings
Mail Routing
Spam Report Setting: Select the blue arrow to expand the spam report section. For more information see Spam Report Setting on page 133. For information on system-wide spam report settings see Scheduling spam reports on page 212.
Disclaimer
Webmail Language
IP Pool to use
SMTP Greeting
Advanced AS / AV Settings
Check AS / AV Config
Domain
Use MX Record
Select to use the record from the MX table to define the domain.
When this control is enabled, SMTP Server and Fallback MX
Host are not selectable.
SMTP Server
Fallback MX Host: Enter the IP address of your backup SMTP server. This backup server functions in case your primary SMTP server fails.
Mail Routing
Select to enable mail routing for this email server, and select the
LDAP profile to use.
This section allows you to set disclaimer messages sent with the
email. If this is greyed out, this feature is not available at this
time.
Disable
Use system settings
Use domain settings
Sender Pattern
Recipient Pattern
Action
Modify
Create New
Access settings
Go to Mail Settings > Access to configure email access. Select Create New to
create an entry for any of the following:
an email address
The following examples show the FortiMail email access configuration rules:
Table 9: Example From/To definitions for email access rules
In the From/To field, if you enter:
172.20.110.21
172.20.110
172.20
FortiMail.com
Note: When creating a new access rule, no pattern can be left blank.
Sender Pattern
Recipient Pattern
Sender IP/Netmask
Reverse DNS Pattern
ACCEPT: The FortiMail unit can only receive email for the local domains.
RELAY
REJECT
DISCARD
OK
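The rule evaluation that Access control (page 114) and the Access settings table describe, written out as an added Python example; it is not FortiMail code. It assumes first-match rule order, that a sender or recipient pattern left unset matches anything (the product's own wildcard syntax is not shown here), that an IP pattern covers the address itself or any address under that dotted prefix (172.20.110 covers 172.20.110.0 to 172.20.110.255, as in Table 9), that a domain pattern covers the domain and its subdomains, and that under the default ACCEPT permission a message for a non-local recipient domain is refused as a relay attempt; the local domain, the rule set and the addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed sample: the domains this unit receives mail for (local domains).
LOCAL_DOMAINS = {"example.com"}


@dataclass(frozen=True)
class AccessRule:
    """One access rule. A pattern is an email address, a domain such as
    'partner.test', or a dotted IP prefix such as '172.20.120'. None means the
    field is unset and matches anything (assumption)."""
    sender: Optional[str]
    recipient: Optional[str]
    action: str  # ACCEPT, RELAY, REJECT or DISCARD


def _is_ip_prefix(pattern: str) -> bool:
    """True for '172.20', '172.20.110' or a full address '172.20.110.21'."""
    parts = pattern.split(".")
    return 1 <= len(parts) <= 4 and all(p.isdigit() for p in parts)


def match_pattern(pattern: str, address: str, client_ip: str) -> bool:
    """Does one From/To pattern cover this address or the connecting client IP?"""
    pattern = pattern.lower()
    address = address.lower()
    if _is_ip_prefix(pattern):
        # The trailing '.' keeps 172.20.1 from covering 172.20.120.x.
        return client_ip == pattern or client_ip.startswith(pattern + ".")
    if "@" in pattern:
        return address == pattern              # one specific mailbox
    domain = address.rsplit("@", 1)[-1]
    return domain == pattern or domain.endswith("." + pattern)


def permission(rules: Sequence[AccessRule], sender: str, recipient: str,
               client_ip: str) -> str:
    """First matching rule wins; with no matching rule the permission is ACCEPT."""
    for rule in rules:
        if rule.sender is not None and not match_pattern(rule.sender, sender, client_ip):
            continue
        if rule.recipient is not None and not match_pattern(rule.recipient, recipient, client_ip):
            continue
        return rule.action
    return "ACCEPT"


def disposition(rules: Sequence[AccessRule], sender: str, recipient: str,
                client_ip: str) -> str:
    """Translate the permission into what happens to the message."""
    action = permission(rules, sender, recipient, client_ip)
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    if action == "ACCEPT":
        # ACCEPT only receives mail for local domains; a non-local recipient
        # would make the unit an open relay, so it is refused (assumed handling).
        return "deliver" if rcpt_domain in LOCAL_DOMAINS else "refuse-relay"
    if action == "RELAY":
        return "deliver"        # relaying to any destination permitted (assumption)
    if action == "REJECT":
        return "reject"         # refused with an SMTP error the sender sees
    if action == "DISCARD":
        return "discard"        # accepted, then dropped without notice
    raise ValueError(f"unknown action {action!r}")


# Constructed rule set, most specific first.
RULES = [
    AccessRule(sender="spammer.test", recipient=None, action="DISCARD"),
    AccessRule(sender="172.20.120", recipient=None, action="RELAY"),
    AccessRule(sender="partner.test", recipient="example.com", action="ACCEPT"),
]

if __name__ == "__main__":
    for args in [("user@corp.test", "bob@other.test", "172.20.120.5"),
                 ("x@spammer.test", "bob@example.com", "203.0.113.9"),
                 ("x@corp.test", "bob@other.test", "203.0.113.9")]:
        print(args, "->", disposition(RULES, *args))
```

The third sample shows the default at work: no rule matches, so the permission is ACCEPT, and because other.test is not a local domain the message is refused rather than relayed.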
The Deferred queue contains email that the FortiMail unit could not send.
Often the problem is temporary. For example, the destination email server was
off-line or there were network problems. See Managing the Deferred queue
on page 141.
The Spam queue contains tagged spam that the FortiMail unit could not send
(For information on tagging spam, see Configuring Actions on page 170).
Often the problem is temporary. For example, the destination email server was
off-line or there were network problems. See Managing the Spam queue on
page 143.
The Dead email list contains email that cannot be delivered or returned
because the recipient and sender names are both invalid. See Managing the
Dead email list on page 144.
Page up icon
Select the number of lines to display on each page: 25, 50, 100, 1000.
Total lines
Goto Line
Enter the line number on the page that you want to see.
Go
Select
Sender
Recipient
Reason: Displays the reasons why the email has been deferred, for example host name lookup failure or connection refused.
First Processed: Displays the time that the FortiMail unit first tried to send the email.
Last Processed: Displays the time that the FortiMail unit last tried to send the email.
Tries: Displays the number of times that the FortiMail unit has tried to send the email.
Check All
Uncheck All
Delete
Resend
Refresh
Select to enable the rejection of incoming SMTP requests when there is too much
email in the queue.
Enter the number of mails past which SMTP requests will be rejected.
Page up icon
Select the number of lines to display on each page: 25, 50, 100, 1000.
Total lines
Goto Line
Enter the line number on the page that you want to see.
Go
Line number.
Select
Sender
Recipient
Reason: Displays the reasons why the tagged spam has been queued.
First Processed: Displays the time that the FortiMail unit first tried to send the tagged spam.
Last Processed: Displays the time that the FortiMail unit last tried to send the tagged spam.
Tries: Displays the number of times that the FortiMail unit has tried to send the tagged spam.
Check All
Uncheck All
Delete
Refresh
Page up icon
Select the number of lines to display on each page: 5, 30, 50, 1000.
Total lines
Sort by
Delete dead emails: Enter the number of days after which to delete the email from the Dead email list.
#: Line number.
Select
From
To
Subject
Date
Delete
sort the email by subject, from address, to address, and date, and
Select the Select All check box on the header and select Delete to delete all
the dead email.
or
Select the check box before a dead email and select Delete to delete an
individual dead email.
Backup Queue
Restore Queue
New Contact
Export.CSV
Import.CSV
Delete Checked
Sort Last/First Name
Name: The first and last name for the selected email address if they are present. Middle name and nickname are not displayed here.
The name of the email account for the entry in the address book.
Modify
Select Save.
To export an address book
You can save the contacts you have added into a CSV (Comma Separated
Values) format file for backup purposes.
Select Open to view the contacts and then save the file in CSV format in a
desired folder.
Select Browse to find the address book file that you want to import.
Select Import.CSV.
To delete contacts
To delete all contacts in the address book, select the check boxes before the
contacts, then Delete Checked.
Select the check box before the contact, then Delete Checked.
Select the Edit icon for the contact you want to modify.
Figure (labels only): Email Sender, Mail Server and Internet, with Incoming and Outgoing connections through the FortiMail unit.
Use original server to deliver mail: Select to relay email to the SMTP server that the email sender specified. Otherwise, the FortiMail unit relays the email directly to the email destination domain. This option must be enabled for Adding disclaimers to email on page 122 to work.
The following fields configure SMTP connection options for each interface.
Port
Incoming SMTP connections: Incoming SMTP traffic refers to the email traffic destined for the email server(s) on your policy list. For information on policy, see Creating incoming recipient-based policies (transparent and gateway) on page 200. Options: are passed through, are dropped, are proxied.
Outgoing SMTP connections: Outgoing SMTP traffic refers to the email traffic destined for the email server(s) not on your policy list. For information on policy, see Creating outgoing recipient-based policies (transparent and gateway) on page 202. Options: are passed through, are dropped, are proxied, are allowed.
are allowed: The FortiMail unit allows the SMTP traffic that requires the SMTP service provided by the FortiMail unit to pass through.
Note: Use original server to deliver mail proxy option does not function if there is no
session profile specified in the IP policy.
Configuring users
This section describes how to add email users to the FortiMail server
configuration to create POP3, IMAP, and Webmail accounts.
Email users can only be added to the FortiMail unit if it is in server mode. Users
can send and receive email through the FortiMail server.
This section contains the following topics:
Show Users of Domain: Allows you to select a domain to add users or show the added users in the domain.
Export.CSV: Select to save user lists in all domains on the FortiMail server into a CSV (Comma Separated Values) format file for backup purposes. See To export the user list on page 152.
Import.CSV: Select to import user information into your user list on each domain. See To import a user list on page 152.
Browse
All, 0-9, A, .., Z: Select to only display the Mail Users with names starting with the selected character.
View .. lines per page: Select the number of lines to display per page from the drop down menu. Options include 25, 50, 100, and 1000 lines.
Go to line
Delete
Edit
The line number of this email user in the display. Used for navigating
the list of users.
Checkbox
User Name
The user name for an email user account. This is also the user's email
address.
Display Name
The name of a user displayed in the From field of the email the user
sends.
Modify
Create New
Select Export.CSV.
Select Open to view the user list and then save the file in CSV format in a
desired folder.
Note: Before importing a user list or adding an email user, you must first configure email
domains. See Email domains on page 113.
Select Browse to find the user list file that you want to import.
Select Import.CSV.
The users on the list are added to the domains they belong to.
To add an email user
In the Show Users Of Domain field, select a domain to add the user.
For the email user account to change, select the Edit icon.
Select OK.
To change the password for multiple users
Enter the password to assign. The same password will be assigned to all
selected users.
Select LDAP, and choose the LDAP server from the list.
If you select LDAP without providing a valid server, you will get an error.
Select OK.
checkbox
User Name
Language
The language this user has selected for their Webmail interface.
By default it will be the same as the system language.
White list
Black list
Secondary Accounts: A list of email accounts in sub-domains that are linked to a user on the parent domain. For example, user1@example.com can have that email address linked to the following secondary accounts: user1@one.example.com and user1@two.example.com. Select the New or Edit icon to add accounts to the secondary accounts for this user. Note that any accounts must first be created before they can be added to this list.
Delete icon
Edit icon
Select to edit the preferences for this user. See Edit mail user
Webmail preferences (transparent mode) on page 155.
Default icon
Select to reset the settings for this user to their original default
values.
"The users bulk folder exists, and was changed since last domain spam report
generating time.
"The anti-spam profile used by the user has action quarantine and spam report
enabled.
"The user preference has "receiving spam report" enabled (this is the default
value).
"The user has received spam email during the previous spam report interval,
otherwise there will be nothing to report.
In server mode, users can set holiday messages to reply to messages when they
are out of the office for an extended period of time. Optionally the administrator
can set this message as well.
In server mode, users can turn on auto-forwarding to forward all their messages
to another email account. Optionally, they can leave a copy of the messages with
this email account.
Figure 79: Edit User preference (transparent and gateway)
User Name
Language
On Holiday
Set auto-reply
message
Auto Forward
Leave a copy in
mailbox
Add outgoing email addresses to white lists: Select ON to put addresses this user sends email to on the white list.
Black/White Lists
Receive Spam Report: Select ON to have this user receive information about Spam activity to their account.
Primary Accounts: Any users who have added this user as a secondary account will appear as primary accounts.
Secondary Accounts: Any users this user has selected as secondary accounts will appear here as secondary accounts.
Select the list of users, or none to add users to this list.
Show Users of Domain: Select the domain or all domains. The users displayed under Available Users are from the selected domain.
Group Name
Available Users: List of users in the selected domain. Highlight users in this list, and use the right arrow to add them to the Members list of users.
Members: List of users in the new User Group. Highlight a user in this list, and use the left arrow to remove that user from this list.
External Email Address: Enter an email address that is not shown under Available Users. Select the right arrow next to External Email address to add the address to the Members list.
OK
Select to save this new User Group, and return to the User Group
screen.
Cancel
Select to discard these changes, and return to the User Group screen.
In the Show Users Of Domain field, select the domain whose users you want to
add to a group.
Users in the selected domain appear.
Note: If you select all, users in all domains appear. This allows you to add users from
different domains to a group.
To add users to the user group, select a user from the Available Users list and
select the right arrow to add the user to the Members list.
Select OK.
Go to User > User Alias > User Alias to access user aliases.
Figure 82: User alias list
Alias Name
Members
Modify
Note: Members of a user alias list can include the alias address itself.
In the Show Users of Domain field, select the domain to which you want to add a
user alias.
Enter the Alias Name and select a domain. This will be the email address for the
alias.
To add local users to the alias, select a user from the Available Local Users list
and select the right arrow to add the name to the Members list.
If you want to remove a user from the Members list select that user and select the
left arrow to move them back to the Available Local Users list.
To add external users to the alias, enter a users email address in the External
Email Address field and select the right arrow to add the name to the Members
list.
Select OK.
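Alias expansion as the procedure and the note above describe it (members can be local users, external addresses, or the alias address itself), written as an added Python example that is not FortiMail code. It assumes that an alias appearing as a member of itself, or of an alias it is already being expanded through, is delivered to as a plain mailbox address instead of being expanded again, which is what keeps the expansion finite; the alias table is constructed.

```python
from typing import Dict, FrozenSet, Iterable, Set


def expand_alias(address: str, aliases: Dict[str, Iterable[str]]) -> Set[str]:
    """Return the final recipient addresses for one address.

    aliases maps an alias address to its member list. Each alias is expanded
    at most once. A member that names an alias already on the current
    expansion path (the alias itself, or a cycle through another alias) is
    kept as a mailbox address rather than expanded again (assumption), so the
    self-reference the note permits cannot recurse forever."""
    table = {k.lower(): [m.lower() for m in v] for k, v in aliases.items()}
    recipients: Set[str] = set()
    expanded: Set[str] = set()

    def walk(addr: str, path: FrozenSet[str]) -> None:
        if addr not in table:
            recipients.add(addr)          # local user or external address
            return
        if addr in path:
            recipients.add(addr)          # self-reference or cycle: own mailbox
            return
        if addr in expanded:
            return                        # already handled via another branch
        expanded.add(addr)
        for member in table[addr]:
            walk(member, path | {addr})

    walk(address.lower(), frozenset())
    return recipients


# Constructed alias table for the example.com domain.
ALIASES = {
    "team@example.com": [
        "alice@example.com",
        "support@example.com",   # another alias, expanded in turn
        "team@example.com",      # the alias itself, as the note allows
        "vendor@partner.test",   # external member, kept as-is
    ],
    "support@example.com": ["bob@example.com", "team@example.com"],  # cycles back
}

if __name__ == "__main__":
    for rcpt in sorted(expand_alias("team@example.com", ALIASES)):
        print(rcpt)
```

Without the path check the two aliases above would expand each other indefinitely; with it, the second visit to team@example.com becomes one delivery to that mailbox and the expansion terminates.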
Address Maps
Go to User > Address Map > Address Map to access the address map list.
Select a domain
Select a subdomain: Select the subdomain the address map will be used for. You can select one of the defined subdomains, or selecting ALL will display all the address maps for all the subdomains. You will not be able to create a new address map entry if ALL subdomains is selected. If no subdomains are defined, you will not be able to create an address map.
Backup icon
Selecting this icon provides you with a link to download a file to your
local computer that contains the current list of address map
information.
Restore icon
Selecting this icon allows you to browse to the file on your local
computer that contains a list of address map information that was
previously backed up.
Internal Email Address: Email address the external address is being mapped to. The internal address may only be visible to the company intranet.
External Email Address
Modify
Delete icon
Edit icon
Create New
Enter the internal address, for example bob.smith. You do not need to enter the
subdomain part of the email address.
Select the subdomain from the list, for example branch.fortipost.com. The
subdomain you selected on the previous screen is the one displayed, but you can
select other subdomains that are part of the domain you selected.
Enter the external address, for example support. You do not need to enter the
domain part of the email address. For example, the domain would already be
shown as fortipost.com.
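Address mapping as the fields above describe it, using the page's own sample values bob.smith@branch.fortipost.com and support@fortipost.com, written as an added Python example that is not FortiMail code. It assumes the map is applied in both directions (internal to external on outgoing mail, external back to internal on incoming mail), that an external address may be mapped only once, and that address header values are parsed with the standard library rather than rewritten by string replacement; the map and header values are constructed.

```python
from email.utils import formataddr, parseaddr
from typing import Dict, Tuple


class AddressMap:
    """Bidirectional internal <-> external address map for one domain."""

    def __init__(self, domain: str, entries: Dict[Tuple[str, str], str]):
        # entries: (internal local part, subdomain) -> external local part
        self.domain = domain.lower()
        self.to_external: Dict[str, str] = {}
        self.to_internal: Dict[str, str] = {}
        for (local, subdomain), external_local in entries.items():
            internal = f"{local}@{subdomain}".lower()
            external = f"{external_local}@{self.domain}".lower()
            if external in self.to_internal:
                # Two internal mailboxes behind one external address would make
                # inbound rewriting ambiguous, so refuse the entry (assumption).
                raise ValueError(f"external address {external} mapped twice")
            self.to_external[internal] = external
            self.to_internal[external] = internal

    def outbound(self, address: str) -> str:
        """Internal -> external; unmapped addresses pass through unchanged."""
        return self.to_external.get(address.lower(), address)

    def inbound(self, address: str) -> str:
        """External -> internal; unmapped addresses pass through unchanged."""
        return self.to_internal.get(address.lower(), address)

    def rewrite_header(self, header_value: str, direction: str) -> str:
        """Rewrite the address in a From:/To: style value, keeping the display name."""
        name, addr = parseaddr(header_value)
        if not addr:
            return header_value
        mapped = self.outbound(addr) if direction == "out" else self.inbound(addr)
        return formataddr((name, mapped))


# Constructed map built from the page's sample values.
ADDRESS_MAP = AddressMap(
    "fortipost.com",
    {("bob.smith", "branch.fortipost.com"): "support"},
)

if __name__ == "__main__":
    print(ADDRESS_MAP.rewrite_header("Bob Smith <bob.smith@branch.fortipost.com>", "out"))
    print(ADDRESS_MAP.rewrite_header("support@fortipost.com", "in"))
```

Parsing the header with parseaddr matters because a display name may itself contain an address-like string; only the real address part is looked up and replaced.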
What is a profile
A profile is a collection of FortiMail settings that you specify to filter incoming and
outgoing email and to control the email flow. Profiles are selected in policies and
run on any traffic the policy controls.
You can create these types of profiles:
Antispam profile
You can enable some or all of the spam scanning tools or filters that the
FortiMail unit supports. You can also specify the actions to take against spam,
including tagging, rejecting, quarantine, or forwarding the spam. See Creating
antispam profiles on page 162.
Antivirus profile
Create an antivirus profile to enable virus scanning and specify actions to take
against virus-infected files. See Creating antivirus profiles on page 171.
Content profile
Use a content profile to scan messages and take action against messages
with restricted content, or restricted attachments. See Creating content
profiles on page 178.
Session Profile
Use a session profile to control the connection and mail flow between mail
servers. See Creating session profiles on page 181.
Dictionary Profile
Use a dictionary profile to define words or patterns used in antispam and
content profiles. See Creating dictionary profiles on page 185.
LDAP Profile
If LDAP authentication is required, use an LDAP profile to define how the
FortiMail unit will communicate with the LDAP server. See Creating LDAP
profiles on page 193.
IP Pool
The FortiMail unit will take advantage of a range of addresses when sending
email if an IP pool is specified. IP pool profiles can be selected by domain or by
IP-based policy. See Creating IP pool profiles on page 197.
Go to Profile > AntiSpam > Incoming or Outgoing to view the antispam profiles.
Figure 85: Antispam profile list
Profile
Domain
Modify (Delete, Edit, and Copy icons): Select the Delete icon to remove a profile. The Delete icon does not appear if the profile is used in a policy. See Creating email filtering and control policies on page 199. Select the Edit icon to modify a profile. Select the Copy Icon to make a copy of a profile. See To copy an antispam profile on page 163.
Create New
Actions
Actions
Most individual spam detection methods allow the selection of an action. The selected action determines what the FortiMail unit does with mail detected as spam by that particular spam detection method. A default spam action can also be selected in each antispam profile. The default action is used for spam detection methods that do not provide an action selection, and for spam detection methods that are set to the default action. For a list of actions, see Configuring Actions on page 170.
Some spam actions require parameters. These must be set in the default action section of the antispam profile, even if the default action is set to a different setting. For example, if the default action is Discard and the Image spam scan action is set to Forward, spam caught by the image spam scan is forwarded to the address specified in the Forward to email address field of the default action.
If the FortiMail unit tags spam, recipients can use their email client software to filter the tagged mail. If the FortiMail unit quarantines spam, recipients receive notification email messages and can decide to have the quarantined email released or deleted. For information about how email recipients can deal with spam, see the FortiMail User Guide.
To create an antispam profile
To copy an antispam profile
1. For the profile you want to copy, select the Copy icon.
2. Select OK.
A copy of the profile is created. You can modify it to create a new profile.
To apply changes to selected profiles
If you have made changes in a profile and want to apply the changes to other profiles, you can save time by applying the changes to other profiles all at once instead of editing the profiles one by one.
1. For the profile you want to change, select the Edit icon.
2. Select Change Profile if you want to make further changes. Otherwise select Select Profiles.
3. Select the profiles to which you want to apply the changes and select ->.
Note: Select the current profile if you also want to apply the changes to it.
4. Select OK.
A message tells you if the changes are applied successfully.
DNSBL scan: Select to allow the FortiMail unit to communicate with DNSBL (DNS Block List) servers to check the IP address of the mail server that delivered the message. If the Black IP scan option under Deep header scan is also enabled, DNSBL scan checks all IP addresses in the message header (the Received: chain). If a match is found, the FortiMail unit treats the message as spam. IP addresses defined as private network addresses by RFC 1918 are not checked. For configuration information, see Configuring DNSBL servers on page 167.
Deep header scan
SURBL scan: Select to allow the FortiMail unit to communicate with SURBL (Spam URI Realtime Block List) servers to check every URI in the message body. If a match is found, the FortiMail unit treats the message as spam. For configuration information, see Configuring SURBL servers on page 168.
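The DNSBL and SURBL lookups described above, written out as an added Python example (not FortiMail code and not taken from this guide). It assumes the zone names dnsbl.example and surbl.example, a constructed three-hop message, and a dictionary standing in for DNS so that it runs offline; the RFC 1918 exclusion and the difference between checking only the delivering server and checking every Received: hop (Black IP scan) are both visible in the results.

```python
import ipaddress
import re
from email import message_from_bytes
from email.policy import default

# RFC 1918 ranges: the profile never looks these up, so a private relay address
# in the Received: chain can never produce a DNSBL hit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed zone names, used only to build query names in this example.
DNSBL_ZONES = ["dnsbl.example"]
SURBL_ZONES = ["surbl.example"]

# Constructed message: three Received: hops (delivering relay, a listed host,
# a private LAN address) and one URI in the body.
SAMPLE = b"""\
Received: from relay.example.net (relay.example.net [198.51.100.9])
\tby mail.example.com with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from promo-host (unknown [203.0.113.7])
\tby relay.example.net with ESMTP; Mon, 1 Jan 2024 09:59:00 +0000
Received: from desktop (desktop.lan [192.168.1.20])
\tby promo-host with SMTP; Mon, 1 Jan 2024 09:58:00 +0000
From: promo@example.org
To: user@example.com
Subject: special offer

Visit http://cheap-pills.example/buy today.
"""

# Constructed stand-in for DNS: a listed name answers with a 127.0.0.x record.
FAKE_DNS = {
    "7.113.0.203.dnsbl.example": ["127.0.0.2"],
    "20.1.168.192.dnsbl.example": ["127.0.0.2"],  # would hit without the RFC 1918 exclusion
    "cheap-pills.example.surbl.example": ["127.0.0.2"],
}


def fake_resolve(name):
    """Return the A records for name, or None when it is not listed (NXDOMAIN)."""
    return FAKE_DNS.get(name)


def is_rfc1918(ip):
    return any(ipaddress.IPv4Address(ip) in net for net in RFC1918)


def reverse_ipv4(ip):
    """DNSBL query names carry the octets in reverse: 203.0.113.7 -> 7.113.0.203."""
    return ".".join(reversed(ip.split(".")))


IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw):
    """Bracketed IPv4 addresses from every Received: header, newest hop first."""
    msg = message_from_bytes(raw, policy=default)
    ips = []
    for hdr in msg.get_all("Received", []):
        for ip in IP_RE.findall(str(hdr)):
            try:
                ipaddress.IPv4Address(ip)
            except ValueError:
                continue  # not a real address, e.g. 999.1.1.1 in a forged header
            ips.append(ip)
    return ips


def dnsbl_scan(raw, zones=DNSBL_ZONES, resolve=fake_resolve, black_ip_scan=False):
    """DNSBL scan checks only the delivering server (the newest hop); with Black IP
    scan enabled every hop is checked. Returns the (ip, zone) pairs that are listed."""
    ips = received_ips(raw)
    if not black_ip_scan:
        ips = ips[:1]
    hits = []
    for ip in ips:
        if is_rfc1918(ip):
            continue
        for zone in zones:
            if resolve(f"{reverse_ipv4(ip)}.{zone}"):
                hits.append((ip, zone))
    return hits


HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def body_hosts(raw):
    """Distinct host names from every http(s) URI in the text body."""
    msg = message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return sorted({h.lower().rstrip(".") for h in HOST_RE.findall(text)})


def surbl_scan(raw, zones=SURBL_ZONES, resolve=fake_resolve):
    """SURBL scan looks up each URI host in the body against the SURBL zones."""
    return [(host, zone) for host in body_hosts(raw) for zone in zones
            if resolve(f"{host}.{zone}")]


if __name__ == "__main__":
    print("DNSBL, delivering server only:", dnsbl_scan(SAMPLE))
    print("DNSBL with Black IP scan:", dnsbl_scan(SAMPLE, black_ip_scan=True))
    print("SURBL:", surbl_scan(SAMPLE))
```

Replacing fake_resolve with a function that wraps socket.gethostbyname_ex makes the same logic query live zones. Note that only the delivering server's address is under the DNSBL's control in the plain scan; the deeper hops come from headers the sender wrote, which is why a forged private address is skipped rather than trusted.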
Bayesian scan: Select to allow the FortiMail unit to scan email using the spam information contained in one of the FortiMail unit's Bayesian databases. For more information, see Bayesian scanning on page 18. For information on configuring Bayesian scanning, see Configuring Bayesian scanning on page 168.
For incoming profiles, the group Bayesian database for the recipient domain is used unless the domain is configured to use the global Bayesian database. For outgoing profiles, the global Bayesian database is used.
Use personal database: If enabled, user Bayesian databases are used, with the global or group database taking over while the user database is not yet mature.
Accept training messages from users
Use other techniques for auto training
Heuristic scan: Select to allow the FortiMail unit to examine messages for patterns common to spam messages.
The heuristic scores are based on rules. For example, if the email header contains "As seen on national TV!", the message gets a certain score toward being classified as spam. The heuristic rules require no administrator modification or updating. A default rule set is provided and it is updated through the FortiGuard service as needed. New rules are added and rule scores are adjusted for maximum advantage.
You can fine-tune the threshold values to meet your specific needs. If your email system's false positive ratio is high, increase the upper level threshold value until you achieve a satisfactory ratio. If your spam catch rate is too low, reduce the lower level threshold value until you achieve a satisfactory rate. The FortiMail default threshold values are recommended only as a starting point.
Note: Heuristic scanning is resource intensive. If spam detection rates are acceptable without heuristic scanning, consider disabling it or limiting its use to policies dealing with problem hosts.
For more information, see Heuristic scanning on page 18.
Dictionary scan: Select to allow the FortiMail unit to scan messages for words defined in the selected dictionary profile. Messages containing words in the dictionary profile are treated as spam.
When dictionary scanning is activated and a message is found to contain a dictionary word, an X-FEAS-DICTIONARY: header is added to the message, followed by the dictionary word discovered in the message. This header is added regardless of the spam action applied.
To configure a dictionary profile, see Creating dictionary profiles on page 185.
Banned word scan
Image spam scan: Enable to allow the FortiMail unit to identify spam messages in which the message body is an embedded graphics file rather than text. Scanning methods designed to examine the text of spam email fail with image spam because there is no message text to examine. The image spam scanner can examine GIF, JPEG, and PNG graphics.
Aggressive scan: Select to have the FortiMail unit be more critical in determining whether email messages containing images are spam. This option also forces the examination of image file attachments in addition to embedded images. The additional scanning workload could affect performance with traffic containing image files.
Treat messages with viruses as spam: Enable to have the FortiMail unit classify email messages with viruses as spam and treat them accordingly.
Scan conditions
Max message size to perform antispam scan
Bypass scan on SMTP authentication: Select if you want the FortiMail unit to bypass spam scanning for email that has been authenticated. Spam mail servers won't authenticate, so not scanning mail delivered in authenticated sessions results in performance benefits. Care must be taken to confirm that trusted servers will not relay spam, however; any compromised account or client that can authenticate would also have its mail skip the spam scan.
PDF
Configuring DNSBL servers
Actions: Select the Delete icon to remove a DNSBL server, the Edit icon to modify a DNSBL server, and the Move icon to change the position of a DNSBL server in the list.
New: Select to add a new DNSBL server. You can only use domain names to specify DNSBL servers.
Save: Select to close the pop-up window and save the antispam profile configuration.
Close: Select to close the pop-up window without saving the antispam profile configuration. You must then choose OK at the bottom of the Antispam Profile window to save the changes made to the profile, including the DNSBL servers, before navigating away to another part of the FortiMail unit GUI.
Configuring SURBL servers
Actions: Select the Delete icon to remove a SURBL server, the Edit icon to modify a SURBL server, and the Move icon to change the order of a SURBL server in the list.
New: Select to add a new SURBL server. You can only use domain names to add SURBL servers.
Save: Select to save the SURBL server configuration and close the pop-up window.
Close: Select to close the pop-up window without saving the SURBL server configuration.
Configuring Bayesian scanning
Accept training messages from users: Select for the FortiMail unit to process control messages from users. Control messages are used to train or correct results in the Bayesian database. Control messages are discarded if this option is deselected.
Use other techniques for auto training: Select to use the other enabled spam detection methods to train a user Bayesian database that does not yet have 200 non-spam email entries and 100 spam entries and is therefore not ready to classify email.
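An added example, not FortiMail's implementation, of how the maturity rule (200 non-spam and 100 spam messages), the user/group/global selection order described in the antispam profile, and auto training from other scanners fit together. The token regex, the Laplace-smoothed naive Bayes with equal priors, the 0.9 spam threshold and the constructed training corpus are all assumptions made for the example.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!']{2,}")


def tokens(text):
    """Distinct lower-cased tokens; each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesDB:
    """One Bayesian database (global, per-domain group, or per-user)."""
    HAM_REQUIRED = 200   # non-spam messages needed before the database is mature
    SPAM_REQUIRED = 100  # spam messages needed before the database is mature

    def __init__(self, name):
        self.name = name
        self.ham_msgs = 0
        self.spam_msgs = 0
        self.ham = Counter()
        self.spam = Counter()

    def train(self, text, is_spam):
        """A user's control message, or an auto-training verdict, lands here."""
        toks = tokens(text)
        if is_spam:
            self.spam_msgs += 1
            self.spam.update(toks)
        else:
            self.ham_msgs += 1
            self.ham.update(toks)

    def mature(self):
        return self.ham_msgs >= self.HAM_REQUIRED and self.spam_msgs >= self.SPAM_REQUIRED

    def spam_probability(self, text):
        """Naive Bayes with Laplace smoothing and equal class priors (assumption)."""
        log_odds = 0.0
        for t in tokens(text):
            p_spam = (self.spam[t] + 1) / (self.spam_msgs + 2)
            p_ham = (self.ham[t] + 1) / (self.ham_msgs + 2)
            log_odds += math.log(p_spam) - math.log(p_ham)
        log_odds = max(-500.0, min(500.0, log_odds))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))


def select_db(user_db, group_db, global_db, use_personal=True, domain_uses_global=False):
    """Database selection for an incoming profile as the text describes: the user
    database only once it is mature, otherwise the group (or global) database."""
    fallback = global_db if domain_uses_global else group_db
    if use_personal and user_db is not None and user_db.mature():
        return user_db
    return fallback


def bayesian_scan(text, user_db, group_db, global_db, threshold=0.9, **opts):
    """Return (name of the database consulted, spam verdict)."""
    db = select_db(user_db, group_db, global_db, **opts)
    return db.name, db.spam_probability(text) >= threshold


def auto_train(user_db, text, other_methods_say_spam):
    """'Use other techniques for auto training': feed the verdict of the other enabled
    scanners into a user database that is not yet mature. Returns True if trained."""
    if user_db.mature():
        return False
    user_db.train(text, other_methods_say_spam)
    return True


def build_mature_db(name):
    """Constructed corpus with just enough messages to pass the maturity bar."""
    db = BayesDB(name)
    for i in range(BayesDB.HAM_REQUIRED):
        db.train(f"meeting notes budget report q{i}", False)
    for i in range(BayesDB.SPAM_REQUIRED):
        db.train(f"free cheap pills offer click id{i}", True)
    return db


GLOBAL_DB = build_mature_db("global")
GROUP_DB = build_mature_db("group:example.com")
USER_DB = BayesDB("user:alice@example.com")  # empty, therefore immature

if __name__ == "__main__":
    print(bayesian_scan("free cheap pills offer", USER_DB, GROUP_DB, GLOBAL_DB))
    print(bayesian_scan("quarterly budget meeting notes", USER_DB, GROUP_DB, GLOBAL_DB))
```

The maturity bar is what keeps a fresh personal database from producing confident nonsense on a handful of samples; until it is reached, every verdict comes from the shared database and the user's own database only learns.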
Enable Banned Word Filtering: The banned words you have entered. Wildcards are not supported.
Subject
Body
Modify: Select the Delete icon to remove a banned word, the Edit icon to modify a banned word, and the Move icon to change the order of a banned word in the list.
New
Save: Select to close the banned word pop-up window, save the antispam profile and return to the profile list.
Close: Select to close the banned word pop-up window and return to the open antispam profile. Before leaving the antispam profile, it must be saved or any banned word changes will be lost.
Enable Whitelist Word Filtering: The whitelist words you have entered. Wildcards are not supported.
Subject
Body
Modify: Select the Delete icon to remove a whitelist word, the Edit icon to modify a whitelist word or toggle the subject/body options, and the Move icon to change the position of a whitelist word in the list.
New
Save: Select to close the whitelist word pop-up window, save the antispam profile and return to the profile list.
Close: Select to close the whitelist word pop-up window and return to the open antispam profile. Before leaving the antispam profile, it must be saved or any whitelist word changes will be lost.
Configuring Actions
You can select the action(s) you want to take against spam.
Tag Email in subject line: Enable and enter the text to appear in the subject line of the spam email delivered to the recipient by the FortiMail unit, such as "This is spam". If you enable this option, the FortiMail unit delivers detected spam to recipients with the tag text you entered in the subject line. A recipient can set up a spam folder in his or her email client software to automatically collect the spam with that subject line text. You must provide users with the subject line text before they can set up their spam folders.
Tag Email with Header: Enable and enter the header line to be added to the spam email delivered to the recipient by the FortiMail unit. If you enable this option, the FortiMail unit delivers detected spam to recipients with the header you entered. Most email clients allow users to sort incoming email based on text appearing in various parts of email messages, including the headers. See your email client documentation for further details.
Header lines are composed of a key and a value, separated by a colon. If the header tag you enter does not include a colon, a colon is appended to the end and the entire tag becomes the key (with an empty value). Take care not to use spaces in the key: RFC 2822 forbids spaces in header field names.
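The tagging, reject and discard actions as an added Python example (not from the guide and not FortiMail code): it validates a configured header tag against the field-name grammar of RFC 2822 (now RFC 5322), appends the colon when one is missing, prepends the subject tag, and shows what each action hands back to the sending server. The SMTP reply texts, the default tags [SPAM] and X-FEAS-Spam: yes, and the sample message are assumptions.

```python
import re
from email import message_from_bytes
from email.policy import default

# Header field name per RFC 2822 (now RFC 5322): printable US-ASCII except ':'.
# Space is not in that set, so a key such as "X Spam" is rejected.
FIELD_NAME_RE = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


def valid_field_name(key):
    return bool(FIELD_NAME_RE.match(key))


def parse_header_tag(tag):
    """Split the configured tag into (key, value). Without a colon the whole tag
    is the key and the value is empty, mirroring the behaviour described above."""
    key, _, value = tag.partition(":")
    if not valid_field_name(key):
        raise ValueError(f"invalid header field name {key!r}: "
                         "use printable ASCII with no spaces or colons")
    return key, value.strip()


def tag_message(raw, subject_tag=None, header_tag=None):
    """Return the message with the subject tag prepended and/or the header added."""
    msg = message_from_bytes(raw, policy=default)
    if subject_tag:
        subject = msg["Subject"]
        if subject is None:
            msg["Subject"] = subject_tag
        else:
            msg.replace_header("Subject", f"{subject_tag} {subject}")
    if header_tag:
        key, value = parse_header_tag(header_tag)
        msg[key] = value
    return msg


#  Assumed SMTP replies; the guide only says that Reject sends a reject response.
REJECT_REPLY = "550 5.7.1 Message rejected as spam"
ACCEPT_REPLY = "250 2.0.0 OK"


def apply_spam_action(raw, action, subject_tag="[SPAM]", header_tag="X-FEAS-Spam: yes"):
    """Return (smtp_reply, message_to_deliver). Tag delivers a modified copy,
    Reject answers the sender with a 5xx and delivers nothing, Discard accepts
    the message and silently drops it."""
    if action == "reject":
        return REJECT_REPLY, None
    if action == "discard":
        return ACCEPT_REPLY, None
    if action == "tag":
        return ACCEPT_REPLY, tag_message(raw, subject_tag, header_tag)
    raise ValueError(f"unknown action {action!r}")


# Constructed sample message.
SAMPLE = (b"From: promo@example.org\r\nTo: user@example.com\r\n"
          b"Subject: special offer\r\n\r\nBuy now.\r\n")

if __name__ == "__main__":
    reply, tagged = apply_spam_action(SAMPLE, "tag")
    print(reply, "|", tagged["Subject"], "|", tagged["X-FEAS-Spam"])
    print(apply_spam_action(SAMPLE, "reject"))
```

Rejecting inside the SMTP session is the one action that tells the sender anything; Discard looks identical to delivery from the outside, which is exactly why it needs no parameters and generates no bounce.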
Reject: Enable to have the FortiMail unit reject spam and send a reject response to the sender.
Discard: Enable to have the FortiMail unit discard spam without sending a reject response to the sender.
Quarantine: Enable to have the FortiMail unit redirect detected spam messages to the spam quarantine. See Spam quarantine on page 209. The quarantine action is only available for incoming antispam profiles.
Delete Messages: Enter the number of days you want to keep quarantined email. Enter a value small enough to prevent the size of the quarantine from exceeding the available disk space. If you enter 0 to prevent automatic deletion of quarantined files, be sure to periodically remove old files yourself.
Email Release: Select to activate the auto release and auto delete functions. See Releasing and deleting quarantined spam on page 211.
Quarantine for review: Enable to have the FortiMail unit redirect detected spam messages to the system quarantine. See System Quarantine on page 219. The Quarantine for review action is only available for outgoing antispam profiles.
Allow users to automatically update personal White list from sent emails: Enable to have the FortiMail unit collect the recipient email addresses from a user's outgoing email and add the addresses to the user's white list in the Preference tab of FortiMail webmail. Future messages from these addresses will not be treated as spam. Because the white list matches on the sender address alone, mail that forges one of these addresses is exempted from spam scanning as well. The same option is also available in the FortiMail webmail configuration. This option works only if it is enabled both in the user's profile and in the user's webmail configuration.
There are three occasions when a user's white list auto-updating setting is automatically created by the system:
When a user logs into FortiMail webmail.
Creating antivirus profiles
To view the list of virus files, go to Profile > AntiVirus > Virus List. The FortiMail unit treats these files as viruses.
If a virus is found, the FortiMail unit deletes the file that contains the virus and replaces the file with a message notifying the user that the infected file has been deleted.
Figure 90: Antivirus profile list
Profile
Domain
Modify: Select the Delete icon to remove a profile. The Delete icon does not appear if the profile is used in a policy. See Creating email filtering and control policies on page 199. Select the Edit icon to modify a profile. Select the Copy icon to make a copy of a profile. For the procedure, see To copy an antispam profile on page 163.
Create New
To copy an antivirus profile
1. For the profile you want to copy, select the Copy icon.
2. Select OK.
A copy of the profile is created. You can modify it to create a new profile.
To apply changes to selected profiles
If you have made changes in a profile and want to apply the changes to other profiles, you can save time by applying the changes to other profiles all at once instead of editing the profiles one by one.
1. For the profile you want to change, select the Edit icon.
2. Select Change Profile if you want to make further changes. Otherwise select Select Profiles.
3. Select the profiles to which you want to apply the changes and select ->.
Note: Select the current profile if you also want to apply the changes to it.
4. Select OK.
A message tells you if the changes are applied successfully.
Expand Actions and select one of the following options, then select OK.
Reject: Select to have the FortiMail unit reject the email and send a reject response to the sender.
Discard: Select to have the FortiMail unit discard the email without sending a reject response to the sender.
Note: Replace Virus Body is selected by default. This option allows the FortiMail unit to replace the attachment of a virus email with a message (see Configuring custom replacement messages on page 123) that provides information about the virus and the source of the email. This option has no effect if you select either the Reject or Discard option.
RADIUS profiles
Profile
Domain
Server
Modify: Select the Delete icon to remove a profile, and the Edit icon to modify a profile. The Delete icon does not appear if the profile is used in a policy. See Creating email filtering and control policies on page 199.
Create New
1. Type the Profile Name, the name or IP address of the RADIUS server, and the key string (shared secret) of the RADIUS server.
2. If the server requires the domain name in addition to the user ID, select Server Requires Domain.
3. Select OK.
4. If you want to edit the profile, select the Edit icon for the profile you want to edit and modify the profile as required.
5. Select OK.
POP3 profiles
Profile
Domain
Server
Modify: Select the Delete icon to remove a profile, and the Edit icon to modify a profile. The Delete icon does not appear if the profile is used in a policy. See Creating email filtering and control policies on page 199.
Create New
1. Type the Profile Name and the name or IP address of the POP3 server.
2. Type the POP3 server port number. The default port number is 110.
3. If the server requires the domain name in addition to the user ID, select Server Requires Domain.
4. Select OK.
5. If you want to edit the profile, select the Edit icon for the profile you want to edit and modify the profile as required.
6. Select OK.
Note: With the POP3, IMAP and SMTP authentication profiles, the FortiMail unit presents the user's credentials to the named server, so the network path between the two should be trusted.
IMAP profiles
Profile
Domain
Server
Modify: Select the Delete icon to remove a profile, and the Edit icon to modify a profile. The Delete icon does not appear if the profile is used in a policy. See Creating email filtering and control policies on page 199.
Create New
1. Type the Profile Name and the name or IP address of the IMAP server.
2. Type the IMAP server port number. The default port number is 143.
3. Select OK.
4. If you want to edit the profile, select the Edit icon for the profile you want to edit and modify the profile as required.
5. Select OK.
SMTP profiles
Profile
Domain
Server
Modify: Select the Delete icon to remove a profile, and the Edit icon to modify a profile. The Delete icon does not appear if the profile is used in a policy. See Creating email filtering and control policies on page 199.
Create New
1. Type the Profile Name and the name or IP address of the SMTP server.
2. Type the SMTP server port number. The default port number is 25.
3. Select OK.
4. If you want to edit the profile, select the Edit icon for the profile you want to edit and modify the profile as required.
5. Select OK.
Profile
Modify: Select the Delete icon to remove a profile, and the Edit icon to modify a profile.
Create New
To copy a profile
1. For the profile you want to copy, select the Copy icon.
2. Select OK.
A copy of the profile is created. You can modify it to create a new profile.
To apply changes to selected profiles
If you have made changes in a profile and want to apply the changes to other profiles, you can save time by applying the changes to other profiles all at once instead of editing the profiles one by one.
1. For the profile you want to change, select the Edit icon.
2. Select Change Profile if you want to make further changes. Otherwise select Select Profiles.
3. Select the profiles to which you want to apply the changes and select ->.
Note: Select the current profile if you also want to apply the changes to it.
4. Select OK.
A message tells you if the changes are applied successfully.
Select OK.
Creating content profiles
Profile
Domain
Modify: Select the Delete icon to remove a profile, and the Edit icon to modify a profile. The Delete icon does not appear if the profile is used in a policy. See Creating email filtering and control policies on page 199. Select the Copy icon to make a copy of a profile. For the procedure, see To copy an antispam profile on page 163.
Create New
To copy a content profile
1. For the profile you want to copy, select the Copy icon.
2. Select OK.
A copy of the profile is created. You can modify it to create a new profile.
To apply changes to selected profiles
If you have made changes in a profile and want to apply the changes to other profiles, you can save time by applying the changes to other profiles all at once instead of editing the profiles one by one.
1. For the profile you want to change, select the Edit icon.
2. Select Change Profile if you want to make further changes. Otherwise select Select Profiles.
3. Select the profiles to which you want to apply the changes and select ->.
Note: Select the current profile if you also want to apply the changes to it.
4. Select OK.
A message tells you if the changes are applied successfully.
If you want to add a file extension to the default attachment name list, expand Attachment Filtering, type the file extension you want to filter, and select New. The new file extension appears in the attachment name list.
If you want to delete a file extension from the attachment name list, expand Attachment Filtering and select the Delete check box after the file extension name.
If you want to filter a file type, expand File Type Filtering and select the Enable check box for the file type to be filtered. The last file type, application/other, covers all file types not included in the other six choices.
Set the size limit for the FortiMail unit to defer processing large email messages. This option is available for incoming email only.
Expand Action and select the action that you want to take against email with the file extension or file type that you selected:
Treat as Spam
Reject
Discard
Replace: Select to have the FortiMail unit remove the email and send a note to inform the recipient.
Quarantine
Forward to
Enable: When selected, the monitor profile is active and will check mail against the specified dictionary, and carry out the specified action against matching messages.
Delete
To add a new monitor profile, select New Profile. To edit an existing monitor profile, select the Edit icon of the monitor profile to be changed.
Select Dictionary Profile: Select the dictionary profile containing the words and word patterns the mail is to be checked against. Messages with matches will be subjected to the selected action.
Actions
Tag Email in subject line: Select to add text to the subject line of messages matching the monitor profile checks. The text to be added is entered in the With field.
Tag Email with Header
No action
Treat As Spam
Reject
Discard
Replace
Quarantine
Quarantine to Review
Forward to:
Select OK.
Note: To save a new or edited content monitor profile, you must select Apply to close the Content Monitor Profile window and then select OK in the Content Profile window. Simply selecting Apply to close the Content Monitor Profile window does not save any changes made.
Profile
Modify: Select the Delete icon to remove a profile, or the Edit icon to modify a profile. The Delete icon does not appear if the profile is currently used in a policy.
Drop connections after n seconds of client inactivity: The inactivity timer is used to control clean-up of inactive sessions.
Do not let client connect to blacklisted SMTP servers (transparent mode only)
Note: The settings and limits in a session profile only apply to traffic controlled by the policy to which the profile is applied.
If the sender's reputation score exceeds the set value, the number of messages the FortiMail unit will accept from the sender is limited to the larger of the next two values:
Restrict number of emails per hour to: Enter the number of messages per hour accepted from a throttled sender.
Restrict email to n percent of the previous hour: Enter the number of messages per hour accepted from a throttled sender, as a percentage of the number of messages they sent in the previous hour.
Temporarily fail client at n
Reject client at n
Prevent encryption of the session (transparent mode only): Select to block TLS/MD5 commands so that email must pass unencrypted. The FortiMail unit can then scan the email for viruses and spam. Clear to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail unit cannot scan encrypted email for viruses and spam. Note that when encryption is blocked, mail between the two servers crosses the network in cleartext.
Allow pipelining for the session (transparent mode only)
ACK EOM before AntiSpam check: Acknowledge the End of Message signal immediately. If not enabled, the antispam check is run on the message before the acknowledgement is sent, and the sending server could time out while waiting for the EOM acknowledgement. Once the EOM has been acknowledged the message has been accepted, so a later spam verdict can no longer be rejected within the same SMTP session.
Send DSN to sender when spam is detected: Send a delivery status notification to the sender when spam is detected. The delivery status notification is described in RFC 1891 (since obsoleted by RFC 3461). Because the sender addresses on spam are commonly forged, such notifications are often delivered to uninvolved third parties (backscatter); weigh this before enabling the option.
Reject if recipient and helo domain match but sender domain is different: This check detects a technique spammers are known to use: presenting the recipient's own domain in the HELO/EHLO greeting while the envelope sender belongs to another domain.
The first non-free error will incur a delay of n seconds: Set the delay time for the first error after the number of free errors is reached.
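An added example (Python, not FortiMail code) of two of the session-profile checks described above driven through a minimal SMTP envelope state machine: the HELO/recipient/sender domain check, and the throttling rule that allows the larger of the fixed per-hour limit and the percentage of the previous hour's volume once a sender's reputation score passes the threshold. The profile field names, the threshold of 50, and the reply texts are assumptions.

```python
from dataclasses import dataclass


@dataclass
class SessionProfile:
    """Subset of session-profile settings used below (field names are assumed)."""
    reject_helo_recipient_mismatch: bool = True
    reputation_threshold: int = 50        # score above which a sender is throttled
    per_hour_limit: int = 10              # 'Restrict number of emails per hour to'
    percent_of_previous_hour: int = 50    # 'Restrict email to n percent of the previous hour'


def domain_of(addr):
    """Domain part of an envelope address such as <bob@example.com>."""
    return addr.strip("<>").rsplit("@", 1)[-1].lower()


def helo_in_domain(helo, domain):
    """True when the HELO/EHLO name is the domain itself or a host within it."""
    helo = helo.lower().strip("[]")
    return helo == domain or helo.endswith("." + domain)


def helo_recipient_mismatch(helo, mail_from, rcpt_to):
    """The check the profile describes: HELO claims the recipient's own domain
    while the envelope sender is from somewhere else."""
    rcpt_domain = domain_of(rcpt_to)
    return helo_in_domain(helo, rcpt_domain) and domain_of(mail_from) != rcpt_domain


def throttle_limit(reputation_score, previous_hour_count, profile):
    """Messages accepted this hour from a throttled sender: the larger of the fixed
    per-hour limit and the percentage of last hour's volume. None means unthrottled."""
    if reputation_score <= profile.reputation_threshold:
        return None
    by_percent = previous_hour_count * profile.percent_of_previous_hour // 100
    return max(profile.per_hour_limit, by_percent)


class Session:
    """Minimal SMTP envelope state machine applying the two checks. Reply texts
    are assumptions; the guide does not specify them."""

    def __init__(self, profile, reputation_score=0, previous_hour_count=0, sent_this_hour=0):
        self.profile = profile
        self.reputation_score = reputation_score
        self.previous_hour_count = previous_hour_count
        self.sent_this_hour = sent_this_hour
        self.helo_name = None
        self.mail_from = None

    def helo(self, name):
        self.helo_name = name
        return "250 mail.example.com"

    def mail(self, addr):
        limit = throttle_limit(self.reputation_score, self.previous_hour_count, self.profile)
        if limit is not None and self.sent_this_hour >= limit:
            return "451 4.7.1 Sender rate limited, try again later"
        self.mail_from = addr
        return "250 2.1.0 Sender OK"

    def rcpt(self, addr):
        if self.mail_from is None:
            return "503 5.5.1 MAIL FROM first"
        if (self.profile.reject_helo_recipient_mismatch
                and helo_recipient_mismatch(self.helo_name or "", self.mail_from, addr)):
            return "550 5.7.1 HELO domain matches recipient but not sender"
        self.sent_this_hour += 1
        return "250 2.1.5 Recipient OK"


def run_exchange(session, helo, mail_from, rcpt_to):
    """Drive one envelope through the session and return the three replies."""
    return session.helo(helo), session.mail(mail_from), session.rcpt(rcpt_to)


if __name__ == "__main__":
    print(run_exchange(Session(SessionProfile()), "mail.example.com",
                       "<promo@attacker.test>", "<bob@example.com>"))
```

Throttling answers with a temporary 4xx so a legitimate but busy sender retries later, whereas the HELO check is a 5xx because the envelope itself is the evidence; both decisions are taken before DATA, so no message body is ever accepted or bounced.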
Expand Lists
Sender and recipient addresses can be black- or whitelisted. The black and white lists in each session profile are maintained separately, and only apply to traffic controlled by the IP policy to which the session profile is applied.
See Black and white list hierarchy on page 239 for details of how blacklisted messages are handled.
All black and white list entries are listed in alphabetical order.
Enable sender white list checking: Enable or edit the session-level sender white list.
Enable sender black list checking: Enable or edit the session-level sender black list.
Allow recipients on this list
Modify
FortiMail dictionaries are user-defined lists of words and word patterns. When
created, dictionaries are assigned a category, a language, and a domain.
Create dictionaries and later group them into dictionary profiles by selecting
common domains, categories, or languages, or simply by choosing individual
dictionaries. A dictionary profile is then selected in antispam and content profiles
to filter mail based on words in the dictionary profile.
Definitions of the components of dictionary profiles:
Categories
A user-defined tag attached to a dictionary. Categories are used for
organizational purposes and do not influence how a dictionary functions. A
category must be specified when creating a dictionary.
Dictionaries
A list of patterns and/or words. Patterns are constructed with regular
expressions. Dictionaries can be incorporated into group items and dictionary
profiles.
Dictionary profiles
Any number of individual dictionaries and dictionary groups can be assigned to
a dictionary profile. To make tailoring profiles easier, specific dictionaries and
groups can also be excluded.
When complete, dictionary profiles can be selected in antispam profiles and
content profiles to define the content being searched for in mail traffic.
Groups
A collection of group items. A group can contain multiple group items of both
types.
Group item
Each group item specifies one or more dictionaries. A type 1 group item allows selection of a domain, category, and language. Any dictionary sharing these three attributes is part of the group item. As dictionaries are removed, added, or modified, type 1 group items are automatically updated. Type 2 group items include dictionaries the user selects from a list of all dictionaries assigned to a single domain.
Languages
A user-defined tag attached to a dictionary. Like categories, languages are
used in organizing dictionaries and do not limit how it is applied. A language
must be specified when creating a dictionary.
Profile Name
Domain
Description
Modify: Select the Delete icon to remove a profile, or the Edit icon to modify a profile. The Delete icon does not appear if the dictionary profile is used in an antispam or content profile.
Create language and category items. A new dictionary requires the selection of a
category and a language. See To create a category on page 187 and To create
a language on page 188.
Add words and patterns to your new dictionary. See To add words and patterns to
a dictionary on page 189.
Separate dictionaries can be grouped for easy selection. Even when grouped,
dictionaries can be individually selected. A group is created first, then group items
created within the group. The group items specify the dictionaries to be included in
the group. See Creating a dictionary group on page 190
Creating a category
Selection of a category is required during the creation of a dictionary. Categories
are used only for identification and selection during dictionary grouping. For
example, if you select a category named Spam, there is no restriction against
using the dictionary in a content profile.
Figure 99: Dictionary category list
Category Name
Domain
Description
Modify
To create a category
Select OK.
Creating a language
Selection of a language is required during the creation of a dictionary. Languages
are used only for identification and selection during dictionary grouping. For
example, if you select French as a language, there is no restriction against adding
English words and using the dictionary with German email. Language names are
not limited to actual languages.
Lang Name
Description
Modify
To create a language
Select OK.
Creating a dictionary
The basic component of all dictionary profiles is the dictionary. Each dictionary is
simply a list of words or patterns. Patterns are constructed with regular
expressions.
Figure 101: Dictionary list
Dictionary Name
Domain
Language
Category
Description
Modify
To create a dictionary
Select a language.
Select a category.
Select OK.
To add words and patterns to a dictionary
If one or more domains have been defined in Mail Settings > Domains, a domain selection will be available. Choose the domain associated with the dictionary you're interested in.
In the Dictionary Name column, select the dictionary to which you want to add words. The dictionary pattern list is displayed.
Figure 102: Dictionary pattern list
Pattern:
x of x domain: The name of the dictionary and the domain it is associated with are displayed.
PG up/PG down: These icons move to the next/previous page if there are too many patterns to be displayed on a single page.
view x lines
Total: Displays the current page and the total number of patterns in the current dictionary.
Pattern
Modify
Enter a new pattern in the pattern field. Plain text or regular expressions are both accepted.
Select Create New and the new pattern appears at the end of the pattern list.
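An added Python example, not FortiMail's code, that serves both the Dictionary scan description in the antispam profile (the X-FEAS-DICTIONARY: header) and the pattern entry described here: every pattern is compiled as a regular expression (a plain word is simply a pattern without metacharacters), an invalid pattern is rejected when the dictionary is built rather than failing on live mail, and each match is recorded as its own X-FEAS-DICTIONARY: header. The dictionary contents and the two messages are constructed for the example.

```python
import re
from email import message_from_bytes
from email.policy import default


def valid_pattern(pattern):
    """True when the pattern compiles; used to validate an entry before saving it."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


class Dictionary:
    """A dictionary is a list of plain words or regular expressions."""

    def __init__(self, name, patterns):
        self.name = name
        self.patterns = []
        for p in patterns:
            if not valid_pattern(p):
                raise ValueError(f"dictionary {name!r}: bad pattern {p!r}")
            self.patterns.append(re.compile(p, re.IGNORECASE))

    def matches(self, text):
        """The text actually found for each matching pattern, in pattern order."""
        found = []
        for rx in self.patterns:
            m = rx.search(text)
            if m:
                found.append(m.group(0))
        return found


def message_text(msg, fields=("subject", "body")):
    """Concatenate the message parts the dictionary scan is configured to look at."""
    parts = []
    if "subject" in fields:
        parts.append(str(msg["Subject"] or ""))
    if "body" in fields:
        body = msg.get_body(preferencelist=("plain", "html"))
        parts.append(body.get_content() if body is not None else "")
    return "\n".join(parts)


def dictionary_scan(raw, dictionary, fields=("subject", "body")):
    """Return (message, hits). Each hit is recorded as X-FEAS-DICTIONARY: <word>,
    regardless of which action the profile then applies."""
    msg = message_from_bytes(raw, policy=default)
    hits = dictionary.matches(message_text(msg, fields))
    for word in hits:
        msg["X-FEAS-DICTIONARY"] = word
    return msg, hits


# Constructed dictionary: two literal words and one regular expression for a
# nnn-nn-nnnn identifier.
SENSITIVE = Dictionary("sensitive", ["confidential", r"\b\d{3}-\d{2}-\d{4}\b", "blueheron"])

# Constructed messages.
LEAKY = b"""From: alice@example.com
To: partner@example.org
Subject: Re: project codename BlueHeron

This is confidential. Account reference 123-45-6789 attached.
"""
CLEAN = b"""From: alice@example.com
To: bob@example.com
Subject: lunch

Noon?
"""

if __name__ == "__main__":
    tagged, hits = dictionary_scan(LEAKY, SENSITIVE)
    print(hits)
    print(tagged.get_all("X-FEAS-DICTIONARY"))
```

Because every pattern runs against every message, a pattern with nested quantifiers that backtracks badly is a self-inflicted denial of service on the mail path; validating at entry time catches syntax errors, but the cost of a legal pattern still has to be judged by whoever enters it.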
Creating a dictionary group
New Item
Select Domain:
Create New
Group Name
Domain
Description
Modify
Select OK.
The group is created, but it is empty. To add dictionaries, group items have to be created within the group.
To create a type 1 dictionary group item
To create a type 1 dictionary group item, go to Profile > Dictionary > Groups.
Select Type 1.
Click OK.
The item is created and defaults to include dictionaries of the current domain, all
categories, and all languages. Select the edit icon of the group item to change the
default settings.
To create a type 2 dictionary group item
To create a type 2 dictionary group item, go to Profile > Dictionary > Groups.
Select Type 2.
Click OK.
The item is created and is empty by default. Select the edit icon of the group item
to add dictionaries.
Select OK. The new dictionary profile appears in the profile list but is empty by default.
To add dictionaries and dictionary groups to a dictionary profile
1. Choose the dictionary profile you wish to edit by selecting its name.
Figure 104: Edit dictionary profile contents
2. Add groups or group items by selecting the New Item icon at the end of the appropriate row. Choose from the available dictionaries or groups in the list that appears. Select OK to approve your selection.
Figure 105: An added dictionary appears in the dictionary profile contents
Maintaining dictionaries
In Profile > Dictionary > Maintenance there are tools to back up and restore the
dictionary configuration. In addition, the FortiMail reports the status of the
dictionary database and is able to make repairs in case of problems.
Figure 106: Dictionary database maintenance
Database Status
Recover Database
Backup
Restore Dictionary: Restores a saved dictionary profile configuration. Select Browse and choose the saved backup file to be restored. Select OK to begin restoration. Any existing configuration in dictionary profiles is overwritten.
Creating LDAP profiles
Profile
Server Name/IP
Port
User
Group
Auth
Alias
Routing
AS/AV
Webmail Pwd
Cache
Modify: Select the Delete icon to remove a profile, and the Edit icon to modify a profile. The Delete icon does not appear if the profile is used in a policy. See Creating email filtering and control policies on page 199.
Create New
Enter the profile name and the name or IP address of the LDAP server for which you want to create an authentication profile.
Enter the LDAP server port number. The default port number is 389 for a non-secure connection and 636 for a secure (LDAPS) connection. On a non-secure connection the bind credentials and query results cross the network in cleartext, so prefer 636 wherever the directory server supports it.
Enter the fallback LDAP server name or IP address. If the server defined in the Server Name/IP field is unreachable and a fallback server is defined, the FortiMail unit will connect to the fallback server to submit its query.
Expand User Query Options to change how the FortiMail unit will query the LDAP server.
Test
Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.
Schema
Base DN
Browse
Scope
Derefer
Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.
Select this option to specify any LDAP tree node. Any node
that falls under the specified tree node will be considered a
member of the group. Since the specified node isn't
defined as a group in the LDAP database, the FortiMail
unit sees it as a sort of virtual group.
Enter the user attribute that defines the groups the user
belongs to. For example, this attribute is memberOf for
Active Directory servers.
Use Group Name with Base DN as Group DN: When selected, the two following fields become available.
With the appropriate information entered, the admin need
only enter the LDAP group name when creating a
recipient-based policy, for example. If this option is
disabled, the group name attribute, group name, and group
base DN must be specified in the policy.
Group Base DN
Expand User Auth Options to change the way users are authenticated.
Test
Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.
Try UPN or Mail Address as Bind DN: Type an alternate User Principal Name suffix. If no domain
is entered, the mail domain is used.
Expand User Alias Options if required. Many of the settings here also appear in
User Query Options because aliases may be configured differently on the LDAP
server. This duplication allows settings to be tailored separately for each.
Test
Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.
Schema
Base DN
Select to expand the User Group query result list first, then
use each item returned in the Alias Member Query.
Group Member Query String: Enter a query to be used for finding the members of the
group in the LDAP directory.
Scope
Derefer
Expand Mail Routing Options if each user's LDAP profile contains mail routing
information.
Test
Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.
Expand AS/AV On/Off Options if each user's LDAP profile contains antispam and
antivirus information.
Test
Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.
Protocol Version
Enable Cache
TTL
Select OK.
To create an IP Pool
Select the Start IP address for the range of IP addresses in this IP pool.
Select the Range Size. This is the number of available IP addresses starting with
the Start IP address.
For example, if you specify 10.0.0.3 as the start IP and enter a range size of 5, the
IP pool will contain the addresses 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6, and
10.0.0.7.
Select Ok.
What is a policy
After creating the antispam, antivirus, content, authentication, or misc profiles, you
can apply them to policies. Recipient-based policies are run on messages sent to
a user or user group specified in a policy. IP-based policies are run when the IP
address matches the client address specified in the policy in gateway and server
modes, or both IP addresses match the client and server addresses specified in
the policy in transparent mode.
Policies determine if and how incoming and outgoing email is scanned for spam,
viruses, and attachment types. Also, policies can determine user account settings,
such as authentication type, disk quota, and access to webmail. For more
information about profiles, see Creating email filtering and control profiles on
page 161.
This is how all aspects of the policies are applied with the exception of the session
profile and the antivirus profile.
Recipient-based policies do not allow the selection of a session profile. If an
IP-based policy matches the connection, the session profile will be applied in
addition to other profiles specified in a matching recipient-based policy.
Single messages with multiple recipients are treated as multiple messages, each
with a single recipient, when recipient-based policies apply their profiles. This
allows a fine degree of control, but also means some recipients will not receive the
same message another recipient will receive.
In the case of the antivirus profile however, a message with multiple recipients is
treated as a single message. The FortiMail unit will check the recipients for a
recipient-based policy match and when the first match is found, the antivirus
profile from the matching recipient-based policy is run on the message. No further
checks are made for recipient matches. If no recipient-based policies match the
message, the antivirus profile from the IP-based policy is applied. If no
recipient-based policies match the message, and no IP-based policy matches the
session, no antivirus profile is applied to the message.
Caution: Add, delete, and modify policies with care. Any changes made to the policy
configuration take effect immediately.
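The precedence rules above are easy to get wrong when a message has several recipients, so here is a small model of them in code. This is an added example for this guide, not Fortinet's implementation. It assumes profile names are plain strings, that a matching recipient-based policy supplies its profiles even when a slot is left empty, and that the antispam and content profiles fall back to the IP-based policy when no recipient-based policy matches (the guide documents that fallback explicitly only for the antivirus profile). The "If this policy matches then don't check for a recipient match" option from the IP-based policy section is modelled as well.

```python
"""Toy model of FortiMail policy precedence: session and antivirus profiles
are chosen once per message, antispam/content once per recipient.
Example code added to this guide; not Fortinet's implementation.
Assumptions (not stated by the guide) are noted in comments."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class IPPolicy:
    client: str                          # client address or subnet, e.g. "192.0.2.0/24"
    session: Optional[str] = None
    antispam: Optional[str] = None
    antivirus: Optional[str] = None
    content: Optional[str] = None
    reject: bool = False                 # "Reject connections with this match"
    skip_recipient_match: bool = False   # "If this policy matches then don't check for a recipient match"


@dataclass
class RecipientPolicy:
    domain: str
    user: str                            # local part of the address, or "*" for all users on the domain
    antispam: Optional[str] = None
    antivirus: Optional[str] = None
    content: Optional[str] = None


def match_ip_policy(policies: List[IPPolicy], client_ip: str) -> Optional[IPPolicy]:
    """First IP-based policy (in list order) whose client address/subnet contains client_ip."""
    ip = ip_address(client_ip)
    for p in policies:
        if ip in ip_network(p.client, strict=False):
            return p
    return None


def match_recipient_policy(policies: List[RecipientPolicy], rcpt: str) -> Optional[RecipientPolicy]:
    """First recipient-based policy for rcpt's domain whose user name is the local part or '*'."""
    local, _, domain = rcpt.rpartition("@")
    for p in policies:
        if p.domain.lower() == domain.lower() and p.user in ("*", local):
            return p
    return None


def evaluate(ip_policies: List[IPPolicy], rcpt_policies: List[RecipientPolicy],
             client_ip: str, recipients: List[str]) -> Dict:
    """Profiles that apply to one message from client_ip addressed to recipients."""
    ipp = match_ip_policy(ip_policies, client_ip)
    if ipp is not None and ipp.reject:
        return {"rejected": True}
    result = {
        "rejected": False,
        "session": ipp.session if ipp else None,      # only an IP-based policy carries a session profile
        "antivirus": ipp.antivirus if ipp else None,  # replaced below if a recipient-based policy matches
        "per_recipient": {},
    }
    skip = ipp is not None and ipp.skip_recipient_match
    matched = {r: (None if skip else match_recipient_policy(rcpt_policies, r)) for r in recipients}

    # Antivirus: the message is scanned once. The first recipient with a
    # recipient-based match supplies the profile; no further recipients are checked.
    for r in recipients:
        if matched[r] is not None:
            result["antivirus"] = matched[r].antivirus
            break

    # Antispam/content: a multi-recipient message is handled as one message per recipient.
    # Fallback to the IP-based policy's profiles is an assumption (see lead-in).
    for r in recipients:
        rp = matched[r]
        result["per_recipient"][r] = {
            "antispam": rp.antispam if rp else (ipp.antispam if ipp else None),
            "content": rp.content if rp else (ipp.content if ipp else None),
        }
    return result


# Constructed sample policy tables (hypothetical names and addresses).
IP_POLICIES = [
    IPPolicy("198.51.100.7", reject=True),
    IPPolicy("192.0.2.0/24", session="sess-partner", antispam="as-ip", antivirus="av-ip", content="ct-ip"),
]
RCPT_POLICIES = [
    RecipientPolicy("example.com", "ceo", antispam="as-strict", antivirus="av-strict"),
    RecipientPolicy("example.com", "*", antispam="as-default", antivirus="av-default", content="ct-default"),
]


def demo() -> Dict:
    """One message from a partner host to two local users and one outside address."""
    return evaluate(IP_POLICIES, RCPT_POLICIES, "192.0.2.10",
                    ["user1@example.com", "ceo@example.com", "bob@example.org"])


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Note how the recipient order changes the outcome: in `demo()` the antivirus profile is `av-default` because `user1@example.com` is listed first, even though the `ceo` policy carries a stricter profile. That is exactly the "first match wins, no further checks" behaviour the text describes, and it is worth remembering when you order recipient-based policies.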
Select a domain
User Name
Recipients matching the specified user name will have the policy
settings applied to their email.
AntiSpam
AntiVirus
Content
Authentication
Modify
Select the Delete icon to remove a policy, the Edit icon to modify a
policy, and the Move icon to change the order of a user in the list.
Create New
Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.
To create an incoming recipient-based policy
Select a domain (mail server) that contains the users to whom you want to apply
policies.
For information on creating domains, see Configuring domains (transparent and
gateway modes) on page 129.
The user or group the policy applies to can be defined in three ways:
Select User Name and enter the user's name. The user name you type must
match the same user's name on the email server. For example, the user name
for the address user1@example.com is user1. Do not include the domain
portion. You can also use an asterisk to represent all users on a domain.
Select Local Group Name and enter the name of a group defined in User >
User Group. See Creating user groups on page 156.
Select LDAP Group Name and enter an LDAP group name that includes all of
the users. Select the LDAP profile configured to connect to the server and
retrieve the group information.
Select the Antispam profile, Antivirus profile, and Content profile for the user.
For Authentication, select the authentication server type and a profile for the user.
Radius, POP3, IMAP, and SMTP authentication profiles are created and modified
in Profile > Authentication. LDAP authentication profiles are created and
modified in Profile > LDAP.
For Auth Requires Domain, if the selected authentication server requires domain
names for authentication, select Requires Domain.
Select Allow Different Sender Identity if you allow email messages that have different
authentication identities and from addresses to pass through.
This option only activates if you have enabled SMTP AUTH in step 8.
For Spam Access Methods, select POP3 or Web Mail to access the quarantined
spam on the FortiMail unit.
Select OK.
User Name
AntiSpam
AntiVirus
Content
Modify
Select the Delete icon to remove a policy, the Edit icon to modify a
policy, and the Move icon to change the order of a user in the list.
Create New
Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.
To create an outgoing recipient-based policy
Select the Antispam profile, Antivirus profile, and Content profiles for the user.
Select OK.
User Name
Antispam
AntiVirus
Content
Misc
The misc profile selected for the user. This is available for the
incoming option only.
Modify
Select the Delete icon to remove a policy, the Edit icon to modify a
policy, and the Move icon to change the order of a policy in the list.
Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.
To create a recipient-based policy
For incoming policies, the user or group can be defined in three ways:
Select User Name and enter the user's name. The user name you type must
match the same user's name on the email server. For example, the user name
for the address user1@example.com is user1. Do not include the domain
portion. You can also use an asterisk to represent all users on a domain.
Select Local Group Name and enter the name of a group defined in User >
User Group. See Creating user groups on page 156.
Select LDAP Group Name and enter an LDAP group name that includes all of
the users. Select the LDAP profile configured to connect to the server and
retrieve the group information.
If this policy is for a user's incoming email, select the Antispam profile, Antivirus
profile, Content profile, and Misc profile for the user.
If this policy is for a user's outgoing email, select the Antispam profile, Antivirus
profile, and Content profile for the user.
Select OK.
Note: If no policy is added to a user, the following default values apply: disk quota = 0; user
account status = enable; webmail access = enable.
Caution: Add, delete, and modify policies with care. Any changes made to the policy
configuration take effect immediately.
Match
The IP address of the client to apply this policy to. The address will
appear in blue when If this policy matches then don't check for a
recipient match is selected in the policy's Misc Settings.
Session
AntiSpam
AntiVirus
Content
IP Pool
The IP pool profile selected for the client. The IP pool profile will
be ignored if the If this policy matches then don't check for a
recipient match option is not enabled.
Authentication
Edit icon
Delete icon
Move icon
Select the Move icon to change the order of a policy in the list.
Create New
Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.
To create an IP-based policy
Type the IP address of a client computer or enter a subnet. The policy being
created will apply to all connection attempts initiated from the address/subnet
specified.
If the policy is to simply deny connections from the specified IP address, select
Reject connections with this match.
If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, IP pool profile, and Content profile to be used by the
policy during the session initiated by the client computer.
To use the authentication type and profile for SMTP sessions, select Use for
SMTP Authentication.
Select Allow Different Sender Identity if you allow email messages that have
different authentication identities and from addresses to pass through. This
option is only available if Use for SMTP Authentication is selected.
Select If this policy matches then don't check for a recipient match to have
checking for recipient-based policy matches disabled while this IP-based policy is
in effect. The IP-based policy's profiles will be applied and recipient-based policies ignored.
Match
The IP address of the client to apply this policy to. The address will
appear in blue when If this policy matches then don't check for a
recipient match is selected in the policy's Misc Settings.
Session
AntiSpam
AntiVirus
Content
IP Pool
The IP pool profile selected for the client. The IP pool profile will be
ignored if the If this policy matches then don't check for a recipient
match option is not enabled.
Edit icon
Delete icon
Move icon
Select the Move icon to change the order of a policy in the list.
Create New
Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.
To create an IP-based policy
Type the IP address of a client computer or enter a subnet. The policy being
created will apply to all connection attempts initiated from the address/subnet
specified.
If the policy is to simply deny connections from the specified IP address, select
Reject connections with this match.
If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, Content profile, and IP pool profile to be used by the
policy during the session initiated by the client computer.
Select If this policy matches then don't check for a recipient match to have
checking for recipient-based policy matches disabled while this IP-based policy is
in effect. The IP-based policy's profiles will be applied and recipient-based policies ignored.
Match
The IP address of the client and the server the policy will apply to.
The client address is displayed first, followed by the server. The
addresses will appear in blue when If this policy matches then
don't check for a recipient match is selected in the policy's Misc
Settings.
Session
AntiSpam
AntiVirus
Content
IP Pool
The IP pool profile selected for the policy. The IP pool profile will
be ignored if the If this policy matches then don't check for a
recipient match option is not enabled.
Authentication
Edit icon
Delete icon
Move icon
Select the Move icon to change the order of a policy in the list.
Create New
Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.
To create an IP-based policy
Type the IP address of the client computer or enter a subnet. Type the IP address
of the server computer or enter a subnet. The policy being created will apply to all
connection attempts initiated from the client address/subnet to the server
address/subnet.
If the policy is to simply deny connections from the client to server, select Reject
connections with this match.
If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, Content profile, and IP pool profile to be used by the
policy during the session initiated by the client computer.
To use the authentication type and profile for SMTP sessions, select Use for
SMTP Authentication.
Select Allow Different Sender Identity if you allow email messages that have
different authentication identities and from addresses to pass through. This
option is only available if Use for SMTP Authentication is selected.
Select If this policy matches then don't check for a recipient match to have
checking for recipient-based policy matches disabled while this IP-based policy is
in effect. The IP-based policy's profiles will be applied and recipient-based policies ignored.
Quarantine settings allow you to specify how the FortiMail unit deals with the
quarantined email messages. See Managing the spam quarantine on
page 209.
Bayesian settings allow you to train the Bayesian databases to make the
antispam email scanning more accurate. See Training Bayesian databases
on page 222.
Black/White List settings allow you to block or allow email from the email
addresses or domains you specify. See Configuring black and white lists on
page 235.
Configuring greylist
Spam quarantine
You can set up the FortiMail unit auto release and auto delete accounts so that
users can request the FortiMail unit to release (that is, send the email messages
to the back-end server then from there, to the email recipients) or delete email to
them that the FortiMail caught as spam. See Releasing and deleting quarantined
spam on page 211.
You need to enable the quarantine function when configuring antispam profiles for
the FortiMail unit to quarantine spam. See To create an antispam profile on
page 163.
You can view the email addresses of the email recipients who have spam
quarantined on the FortiMail unit. You can also view the recipient mailbox size
information.
You can also view, sort, delete, or release the quarantined email.
To view the quarantined spam recipient information
1
Select the domain for which you want to see the quarantined spam recipients.
A list of folders is displayed. The folders are named for the email addresses the
spam was sent to.
You can select the number of lines to view on a page and sort the recipients by
email address and mailbox size.
Folders may be easily deleted. Select the check boxes for the folders you wish to
remove and select the delete icon.
Select Expunge to reclaim disk space used by deleted quarantined email. When
quarantined email is deleted, the message is marked as deleted and removed
from the list of quarantined email. The message will still take up disk space,
however. Expunge will reclaim this disk space.
Select Send Summary if you want to manually send out a spam summary report to
the spam recipients. The summary will include each user's spam messages listed
on the Recipients page received in the last 24 hours. You can also set up a spam
report schedule to automatically send spam reports to the corresponding email
recipients. For details, see Scheduling spam reports on page 212.
To manage the quarantined email
Sort the messages by subject, sender address, date, and ticket number.
Select the Delete or Release check box in the header and select OK to delete or
release all the spam messages for this recipient.
Select the delete or release check box before a spam message and select OK to
delete or release an individual spam message.
Expand the New Search Task heading to reveal the search parameter options.
FortiMail Secure Messaging Platform Version 3.0 MR3 Administration Guide
06-30003-0154-20080327
Enter values in the content fields you will use to search. The search will match all
the entered parameters. Messages matching only some of the entered
parameters will not be included in the search results.
Use the Time settings to limit the search to a particular period ending on the date
and hour set. By default, the current date and hour is automatically set as the
period end.
In the Recipient section, the domains configured on the FortiMail unit are listed in
the left field. Select the domains you wish to include in the search and select the
right-arrow button to move them to the right field.
Optionally, enter a user ID in the User field to limit the search results to messages
sent to the specified user ID on the domains in the right field.
Select OK to save and execute the search. The search will appear under the
Search Result heading, labeled with the date and time it was created.
To view quarantine search results
Select the View Result icon, or the date of a search to view a list of the messages
matching the search parameters.
To copy a quarantine search
Select the Copy to New icon for the search you want to copy.
The New Search Task heading expands revealing the search fields with all the
search parameters of the search you are copying.
Select the Delete icon for the search you want to delete.
When you enter the auto release and auto delete account names, the FortiMail
unit automatically adds its local domain name after the account names to turn the
account names into email addresses and adds the addresses into the spam
summary report. This way, email users can send requests to release or delete
quarantined email to the FortiMail unit when they receive the spam summary
reports.
To configure the auto release and auto delete accounts
Type auto release account name in the Release User field and auto delete
account name in the Delete User field.
Select OK.
Note: If you have more than one FortiMail unit, the auto release and auto delete account
names you enter must be unique to each FortiMail unit.
These Hours provides 24 check boxes, one for each hour of the day. Select each
hour you want the FortiMail unit to generate a spam report.
These Days provides 7 check boxes, one for each day of the week. Select each
day you want the FortiMail unit to generate spam reports.
Select Apply.
Once the hours and days have been selected, the FortiMail unit will generate
spam reports on each selected hour during each selected day.
To configure webmail access
The FortiMail unit can allow access to a user quarantine directly from a spam
report, without the user having to enter a username and password.
Select Time Limited Access Without Authentication to allow users to access their
quarantine without having to log in. A link on their spam report will include a URL
to allow this access. If this feature is disabled, the link will require the user to enter
their username and password.
Enter the number of hours the spam report link will allow the user to access their
quarantine without entering a username and password. If the link is used after the
configured number of hours, the users will be informed the link has expired and
redirected to the quarantine login page.
If secure quarantine access is required, select Using HTTPS. When the user
selects a release link in a HTML formatted spam quarantine report, the request
will be transmitted using the HTTPS protocol. The Using HTTPS selection has no
effect on email release requests.
A secondary function of the Using HTTPS option is to redirect all HTTP attempts
to connect to the FortiMail webmail interface to HTTPS. For example, if a user
enters http://mail.example.com to log in to webmail, they'll be automatically
redirected to https://mail.example.com when Use HTTPS is enabled.
Note: For this HTTP to HTTPS redirection to function properly, the administrator must allow
access to both HTTP and HTTPS protocols on the FortiMail interface to which the user is
connecting.
If the Local Domain Name for the mail server specified in Mail Settings >
Settings > Local Host is not resolvable from everywhere users will receive their
mail, specify an alternate resolvable host name in the Web Release Hostname/IP
field.
If the Web Release Hostname/IP field is left blank in gateway mode, the HTTP
release link in the spam quarantine report will use the mail server name specified
in the Local Domain Name field in Mail Settings > Settings > Local Host.
If the Web Release Hostname/IP field is left blank in transparent mode, the HTTP
release link in the spam quarantine report will use the FortiMail unit's
management IP address.
If the Web Release Hostname/IP field is left blank in server mode, the HTTP
release link in the spam quarantine report will use the first domain listed in
Mail Settings > Domains > Domains.
Select Apply.
To configure the spam report recipient
By default, each user receives a spam report listing all of the messages in their
own quarantine. To configure the FortiMail unit to deliver a single spam report
including all the quarantined items to a single user, follow these steps:
Select Apply.
To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [3 message(s) quarantined from Wed, 11 Jul 2007 11:00:01 to Wed, 11 Jul 2007 12:00:01]
Date: Wed, 11 Jul 2007 12:00:01 -0400
Date:
Subject:
From:
Message-Id:
Date:
Subject:
From:
Message-Id:
Date:
Subject:
From:
Message-Id:
Actions:
o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
user1@example.com:Message-Id.
o) Delete a message:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
user1@example.com:Message-Id.
o) Delete all messages:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0.
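The instructions in the report define a small protocol: the action is selected by the control account the user writes to, and the subject line carries the mailbox, the Message-Id (or, for delete_all, a token). The parser below is an added example for this guide, not FortiMail's own code. It assumes the two control addresses from the sample report, treats the delete_all token as an opaque hex string, and (because the guide does not say how the unit validates who sent a request) refuses any request whose From address is not the mailbox named in the subject; that last check is a conservative choice for the example, not documented product behaviour.

```python
"""Parse release / delete / delete_all requests mailed to the quarantine
control accounts, as described in the spam summary report.
Example code added to this guide; not FortiMail's own code."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed values: the control accounts shown in the sample report.
CONTROL_ACCOUNTS = {
    "release-ctrl@fm3.example.com": "release",
    "delete-ctrl@fm3.example.com": "delete",
}

_ADDR = r"[^\s:@]+@[^\s:@]+"
# "user1@example.com:Message-Id" releases or deletes one message
_SINGLE_RE = re.compile(rf"^({_ADDR}):(\S+)$")
# "delete_all:user1@example.com:<token>" empties the whole quarantine folder
# (assumption: the token is an opaque string of hex groups, as in the sample)
_DELETE_ALL_RE = re.compile(rf"^delete_all:({_ADDR}):([0-9a-f:]+)$")


@dataclass(frozen=True)
class ControlRequest:
    action: str                 # "release", "delete" or "delete_all"
    mailbox: str                # quarantine folder (recipient address) acted on
    message_id: Optional[str]   # None for delete_all
    token: Optional[str]        # set only for delete_all


def parse_control_request(raw: str) -> Optional[ControlRequest]:
    """Return the request encoded in a mail to a control account, or None if it is not valid."""
    msg = message_from_string(raw)
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    action = CONTROL_ACCOUNTS.get(to_addr)
    if action is None:
        return None                           # not addressed to a control account
    subject = msg.get("Subject", "").strip()
    req = None
    if action == "delete":
        m = _DELETE_ALL_RE.match(subject)
        if m:
            req = ControlRequest("delete_all", m.group(1).lower(), None, m.group(2))
    if req is None:
        m = _SINGLE_RE.match(subject)
        if not m:
            return None                       # subject not in the documented form
        req = ControlRequest(action, m.group(1).lower(), m.group(2), None)
    # Ownership check (assumption, see lead-in): only the mailbox owner may act on it.
    if from_addr != req.mailbox:
        return None
    return req


# Constructed sample requests, in the shape the report instructs users to send.
RELEASE_REQUEST = """From: user1@example.com
To: <release-ctrl@fm3.example.com>
Subject: user1@example.com:<20070711110000.1234@mail.example.org>

"""

DELETE_ALL_REQUEST = """From: user1@example.com
To: <delete-ctrl@fm3.example.com>
Subject: delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0

"""

SPOOFED_REQUEST = """From: mallory@example.com
To: <delete-ctrl@fm3.example.com>
Subject: delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0

"""

if __name__ == "__main__":
    for raw in (RELEASE_REQUEST, DELETE_ALL_REQUEST, SPOOFED_REQUEST):
        print(parse_control_request(raw))
```

The parser deliberately dispatches on the destination address first and only then on the subject, so a delete_all subject sent to the release account is rejected rather than silently treated as a single-message release.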
[Figure: the sample report annotated by region. Report header (To, From, Sent, Subject), three blocks of spam message information (Date, Subject, From, Message-Id), and the instructions. A second figure shows the same layout for the consolidated report, ending with global instructions.]
Workflow
You can configure the FortiMail unit to quarantine spam to the local drive. The
FortiMail unit has a spam quarantine folder for each email user in which it stores
the spam email sent to the user. You can set up the FortiMail unit to allow users to
release or delete their quarantined email.
If you're creating a new profile, select Create New and enter a profile name. If
you're editing an existing profile, select the Edit icon of the profile to be edited.
Expand Actions.
For Delete Messages, enter the number of days that you want to keep the
quarantined email on the FortiMail unit.
Select Send spam report to have a report of the quarantined spam automatically
generated and sent to each user.
Select Email Release to allow users to release or delete spam messages from
their quarantine using email.
Select Web Release to allow users to release or delete spam messages from their
quarantine using HTML mail.
Select OK.
Select the domain from the drop down list to which you want to add policies for
email users.
Select OK.
In gateway mode, the links in the spam report will use the local domain
specified in Mail Settings > Settings > Settings.
In server mode, the links in the spam report will use the first domain listed in
Mail Settings > Domains.
In transparent mode, the links in the spam report will use the management IP
address.
In gateway mode, the email addresses in the spam report will use the local
domain specified in Mail Settings > Settings > Settings.
In server mode, the email addresses in the spam report will use the first
domain listed in Mail Settings > Domains.
In transparent mode, the email addresses in the spam report will use the
management IP address.
Enter account names in the Release User and Delete User fields.
Select OK.
System Quarantine
The system quarantine is where email caught by content monitoring and outgoing
spam detection may be held. Unlike the spam quarantine, users receive no
notification of mail held in the system quarantine.
Periodic review of the mail is required because no notification listing the system
quarantined messages is sent. A regular admin user can review the system
quarantine as described in To view the system quarantine (admin user) on
page 220.
A special-purpose admin user account also exists for checking the system
quarantine. This system quarantine admin logs into the same GUI interface as
regular administrators, but only has access to the system quarantine. This way,
the administrator of the FortiMail unit can assign the periodic review of the system
quarantine to someone else without allowing them administrator access to all the
FortiMail unit settings. For access instructions, see To view the system
quarantine (system quarantine admin user) on page 221. For configuration
details, see To configure the system quarantine admin user on page 220.
Specify the user name and password credentials for the system
quarantine admin user. IMAP, POP3, and web access is available
to this user for reviewing the messages held in the system
quarantine. Web access is permitted by logging in to the admin
GUI, not webmail.
Forward To
Mailbox rotation size: Specify the mailbox rotation size. When the mailbox reaches the
rotation size or time threshold, the mailbox (mbox file) will be
renamed and backed up. A new mailbox file will be generated, into
which the new email is saved. Permitted rotation size is from 10 to
200 megabytes.
Mailbox rotation time: Specify the mailbox rotation time. Permitted rotation time is from 1 to
365 days.
Disk Quota
Quarantine options when disk quota is full: Specify the action taken as new messages arrive in the system
quarantine when it has reached its disk quota. Select Overwrite to
replace the oldest messages in the system quarantine with new
messages. Select Do Not Quarantine to prevent any new
messages from being quarantined. Note however that Do Not
Quarantine will still prevent messages from being delivered. Since
they're not quarantined, they're simply deleted.
Access Address Book: Select to add or delete email addresses. These addresses are
available when forwarding messages from the system quarantine.
The address book can also be backed up or restored.
Under Account settings, enter the system quarantine admin user account name
and password.
The folder named Inbox contains the most recently quarantined messages. When
the Inbox folder exceeds the Mailbox Rotation Size set in AntiSpam >
Quarantine > System quarantine Setting, it is renamed and a new Inbox folder
is created. Rotated folder names include their creation date and rotation date.
Select a message subject to view the message. While viewing the message, it
can be released to the user, forwarded to another address, or deleted. The
message's full header can be viewed by selecting detail header.
Select Expunge to reclaim disk space used by messages deleted from the system
quarantine. When quarantined email is deleted, the message is marked as
deleted and removed from the message list. The message will still take up disk
space, however. Expunge will reclaim this disk space.
To view the system quarantine (system quarantine admin user)
The system quarantine admin user is a special admin account limited to system
quarantine access only.
Open the admin GUI login window in your browser using either the IP address or
the host name of the FortiMail unit. For example, https://192.168.1.1/admin.
Log in to the FortiMail unit admin GUI using the system quarantine admin account
name and password.
Select Check status to make sure the FortiMail unit can access the
FortiGuard-Antispam server.
After a moment, the FortiGuard-Antispam status should change from Unknown to
Available. If the FortiGuard-Antispam service status is unavailable, wait and try
again.
Enter an IP or URI and select Query FortiGuard to determine the address status in
the FortiGuard system. The result will be displayed on the line below.
Select Apply.
You can now enable FortiGuard-Antispam service for any antispam profile you
create.
Once you select Apply, the FortiGuard-Antispam license type and expiration date
appear.
Global
The global Bayesian database can be used to scan any or all mail sent and
received by the FortiMail unit. If separate by-domain Bayesian databases are not
required, the global database is the ideal choice because there is only one
database to maintain.
There is only one global Bayesian database on a FortiMail unit.
The global database is also used for all Bayesian scans enabled in outgoing
antispam profiles. Since only outgoing antispam profiles are available for selection
in IP-based policies, all Bayesian scanning triggered by IP-based policies uses
only the global Bayesian database.
Group
The group Bayesian databases are maintained on a per-protected-domain basis.
This allows the flexibility of a database tailored to filter the mail to each domain.
Mail messages sent to all protected domains, and matching recipient-based
policies, use group Bayesian databases by default when Bayesian scanning is
enabled.
Because group databases are domain-based, a separate group database is
maintained for each protected domain.
User
The user Bayesian databases are maintained on a per-user basis for each
protected domain. This allows the user Bayesian database to be fine-tuned to only
the mail traffic the user receives.
Each user on each protected domain has a separate Bayesian database stored
on the FortiMail unit. Therefore, if example.com and example.org are defined as
protected domains, user1@example.com and user1@example.org will have
separate user Bayesian databases even if both accounts belong to the same
person.
User Bayesian databases are unique in that they can work with either the group or
global database, whichever is active for the domain. If a user database is mature,
it will be used by the Bayesian scan to determine if an incoming message is spam.
The global and group Bayesian databases are not used.
A user Bayesian database is considered mature and able to scan mail with an
acceptable level of accuracy when it has been trained with a minimum of 100
spam messages and 200 non-spam messages. Until a user database is mature,
the Bayesian scanner will refer to either the global or group database, whichever
is enabled for the recipient domain, when the user database does not contain the
information required for the scan.
To more quickly train user databases to a mature state, the Use other techniques
for auto training option can be enabled in incoming antispam profiles. This option
takes incoming mail and uses it to train the user Bayesian database in either of
these two circumstances:
Once the user database matures, however, the global and group databases are no
longer referenced, and no automatic training occurs.
To change the database type a domain uses
Go to Mail Settings > Domains, and select the Edit icon of the domain you want
to configure.
Enable Using Global Bayesian to have the current domain use the global
Bayesian database. Disable Using Global Bayesian to have the current domain
use its own group Bayesian database.
Select OK.
The administrator trains the global database. This ensures the Bayesian scanner
has a database to use for all Bayesian scans on outgoing mail, mail handled by
IP-based policies, and for incoming mail to domains configured to use the global
database.
The global database can be left untrained if these conditions are both true:
The administrator trains the group database for each protected domain. This
ensures the Bayesian scanner has a database to use for Bayesian scans on mail
handled by incoming recipient-based policies to domains not configured to use the
global database.
The group database for a protected domain can be left untrained if either of these
conditions is true:
If the Accept training messages from users option is enabled in any antispam
profile, the administrator notifies email users about the email training accounts
and their use.
If user Bayesian databases are enabled, training messages are applied to the
sender's database. In addition, training messages are also applied to either the
global Bayesian database or the group Bayesian database, whichever is enabled
for the sender's domain.
If user Bayesian databases are disabled, training messages are applied to either
the global Bayesian database or the group Bayesian database, whichever is
enabled for the sender's domain.
Training messages matching a policy in which the antispam profile has user
training disabled are discarded without notifying the sender.
If user databases are enabled, email users train their individual databases by
forwarding undetected spam and the good email incorrectly detected as spam to
the FortiMail unit.
Until users build up a mature database (100 spam, and 200 non-spam email
messages) with their own message submissions, the Bayesian scanner will refer
to either the global or group database, whichever is enabled for the recipient
domain, when the user database does not contain the information required for the
scan.
In addition, the option Use other techniques for auto training can be enabled in
incoming antispam profiles to help each user's database reach a mature state
more quickly.
Use the following procedures to configure Bayesian training and accounts.
If the domain is set to Global Bayesian, the username field is not displayed.
If the selected domain is configured to use the global Bayesian database, the
training options are not displayed, and the training summary totals are shown
as zero.
Select a domain Select Global Bayesian to manage the global Bayesian database, or
select a domain to manage its group Bayesian database.
For information on creating domains in gateway and transparent
modes, see Configuring domains (transparent and gateway modes)
on page 129.
For information on creating domains in server modes, see Creating a
new email domain (server mode) on page 136.
Summary
Operations
Username: Enter a user name and select OK to view the status of a user Bayesian
database. This option is not available for the global Bayesian database.
Enter an email user ID in the Username field and select OK to see additional user
options and information:
To train the global database, choose Global Bayesian in the domain drop down
menu and select the link named Train global bayesian database with mbox
files.
To train a group database, choose the domain associated with the group
database in the domain drop down menu and select the link named Train
group bayesian database with mbox files.
A window opens allowing you to specify the mbox files containing spam and
non-spam messages.
For the Innocent Mailbox, select Browse to find the mbox file containing non-spam
email.
For the Spam Mailbox, select Browse to find the mbox file containing spam email.
Select OK.
The database training begins. Depending on the size of the mailbox files, this
process may take a few minutes.
To back up a global or group Bayesian database
Depending on the type of database you will back up, follow the appropriate step:
To back up the global database, choose Global Bayesian in the domain drop
down menu and select the link named Backup global bayesian database.
To back up a group database, choose the domain associated with the group
database in the domain drop down menu and select the link named Backup
group bayesian database.
Select the location to which the database backup file will be written. Change the
file name if required.
Select OK.
The database backup file is saved.
To restore a global or group Bayesian database
Depending on the type of database you will restore, follow the appropriate step:
To restore the global database, choose Global Bayesian in the domain drop
down menu and select the link named Restore global bayesian database.
To restore a group database, choose the domain associated with the group
database in the domain drop down menu and select the link named Restore
group bayesian database.
In the new window, select Browse and find the backup file to be restored.
Select OK. Depending on the size of the backup file, this process may take a few
minutes.
The selected database backup file is restored.
To reset a global or group Bayesian database
Caution: Resetting a global or group database deletes all the training information
stored in that database.
Depending on the type of database you will reset, follow the appropriate step:
To reset the global database, choose Global Bayesian in the domain drop
down menu and select the link named Reset global bayesian database.
To reset a group database, choose the domain associated with the group
database in the domain drop down menu and select the link named Reset
group bayesian database.
A confirmation window appears. If you are sure you want to reset the database,
select OK.
The database is reset. Depending on the size of the database, this process may
take a few minutes.
To view an email user's Bayesian database
In the domain drop down menu, select the domain the user's account belongs to.
Select OK.
The user's database summary and database operation options are displayed.
To train the user Bayesian database
In the domain drop down menu, select the domain the user's account belongs to.
FortiMail Secure Messaging Platform Version 3.0 MR3 Administration Guide
06-30003-0154-20080327
Select OK.
For the Innocent Mailbox field, select Browse to find the mailbox file containing
non-spam email.
For the Spam Mailbox field, select Browse to find the mailbox file containing spam
email.
Select OK.
The user database training begins. Depending on the size of the mailbox files, this
process may take a few minutes.
To back up a user Bayesian database
In the domain drop down menu, select the domain the user's account belongs to.
Select OK.
Select the location to which the database backup file will be written. Change the
file name if required.
Select OK.
The database backup file is saved.
To restore a user Bayesian database
In the domain drop down menu, select the domain the user's account belongs to.
Select OK.
In the new window, select browse and find the backup file to be restored.
Select OK.
The selected database backup file is restored.
To reset a user Bayesian database
In the domain drop down menu, select the domain the user's account belongs to.
Select OK.
A confirmation window appears. If you are sure you want to reset the database,
select OK.
The database is reset. Depending on the size of the database, this process may
take a few minutes.
If these conditions are not both true, training messages will be silently discarded
without being used for training.
If training messages are accepted, two factors determine which database or
databases benefit from Bayesian database training.
When the FortiMail unit receives a training message, it examines the message to
determine the sender's domain. It then checks the domain configuration to see
whether the sender's domain is configured to use the global or group Bayesian
database. The message is then used to train the database the domain is
configured to use. If user Bayesian databases are enabled, the message is also
used to train the user's Bayesian database. The user is determined by the sender
address.
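The database selection rules given earlier in this section (a mature user database is used on its own; otherwise the domain's global or group database) and the training-message routing just described, worked through as an added Python example. This is not FortiMail code: the BayesianStore class, its method names, the message fields, and the sample domains example1.com (group database) and example2.com (global database) are assumptions made for the example; the maturity thresholds, the control-account names and the default-grp training group ID are the values this section gives.

```python
from dataclasses import dataclass, field

# Maturity thresholds quoted in the text: 100 spam and 200 non-spam messages.
MATURE_SPAM, MATURE_HAM = 100, 200

# Default control-account names from the text; the value says whether mail
# sent to that account is to be learned as spam (True) or non-spam (False).
CONTROL_ACCOUNTS = {"is-spam": True, "is-not-spam": False,
                    "learn-is-spam": True, "learn-is-not-spam": False}
# Training group user ID used in this section's example; mail sent from this
# name trains only the group (or global) database, never a user database.
TRAINING_GROUP_ID = "default-grp"


@dataclass
class BayesDB:
    name: str
    spam: int = 0
    ham: int = 0

    def train(self, is_spam: bool) -> None:
        if is_spam:
            self.spam += 1
        else:
            self.ham += 1

    def mature(self) -> bool:
        return self.spam >= MATURE_SPAM and self.ham >= MATURE_HAM


@dataclass
class BayesianStore:
    """Assumed model of the unit's global, group and user Bayesian databases."""
    domains: dict                     # protected domain -> "Using Global Bayesian" flag
    user_dbs_enabled: bool = True
    accept_training: bool = True      # "Accept training messages from users"
    global_db: BayesDB = field(default_factory=lambda: BayesDB("global"))
    group_dbs: dict = field(default_factory=dict)
    user_dbs: dict = field(default_factory=dict)

    def _group(self, domain: str) -> BayesDB:
        return self.group_dbs.setdefault(domain, BayesDB(f"group:{domain}"))

    def domain_db(self, domain: str) -> BayesDB:
        """Global or group database, as the protected domain is configured."""
        if domain not in self.domains or self.domains[domain]:
            return self.global_db
        return self._group(domain)

    def scan_db(self, recipient: str, ip_policy: bool = False) -> BayesDB:
        """Database the scanner consults for one incoming message."""
        if ip_policy:                     # IP-based policies carry only outgoing profiles
            return self.global_db
        domain = recipient.rsplit("@", 1)[1]
        if self.user_dbs_enabled:
            udb = self.user_dbs.get(recipient)
            if udb is not None and udb.mature():
                return udb                # mature user DB; global/group not consulted
        return self.domain_db(domain)

    def handle_training(self, sender: str, recipient: str):
        """Route a message addressed to a control account.

        Returns None for ordinary mail, [] when training is not accepted (the
        message is discarded without notifying the sender), otherwise the
        names of the databases that were trained.
        """
        account = recipient.rsplit("@", 1)[0]
        if account not in CONTROL_ACCOUNTS:
            return None
        if not self.accept_training:
            return []
        is_spam = CONTROL_ACCOUNTS[account]
        user, domain = sender.rsplit("@", 1)
        trained = []
        db = self.domain_db(domain)       # the sender's domain decides global vs group
        db.train(is_spam)
        trained.append(db.name)
        if self.user_dbs_enabled and user != TRAINING_GROUP_ID:
            udb = self.user_dbs.setdefault(sender, BayesDB(f"user:{sender}"))
            udb.train(is_spam)
            trained.append(udb.name)
        return trained
```

Note that the scan-time choice and the training-time choice are made on different addresses: the scanner keys on the recipient, while a training message is credited to its sender, so a user can only ever train the database that will later be used on mail addressed to that same account.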
There are four training accounts. Two are used to correct misdiagnosed
messages that have already been processed by the FortiMail unit's Bayesian
routines. The other two accounts are used to train the Bayesian databases with
new messages not processed by the FortiMail unit's Bayesian routines.
Correction accounts:
Is Really Spam account (default name: is-spam): Users forward spam that the
FortiMail unit missed to this account.
Is Really Not Spam account (default name: is-not-spam): Users forward email that
the FortiMail unit incorrectly tagged as spam to this account.
Training accounts:
Learn Is Spam account (default name: learn-is-spam): If users have any mail that
was not examined by the FortiMail unit, they can send known spam to this
account to train the Bayesian database.
Learn Is Not Spam account (default name: learn-is-not-spam): If users have any
mail that was not examined by the FortiMail unit, they can send known non-spam
to this account to train the Bayesian database.
Training Group user ID
Enter the four Bayesian training account names and the training group user ID
into the five user name fields.
Select OK.
Users will need to be informed of these account names and their usage so they
can send the four types of messages as required.
The account names are only part of the email address to which users will forward
training messages. They must append the FortiMail unit's local domain name to the
end of the account name. For example, if the FortiMail unit's local domain name is
example.com and the is really spam user account name is is-spam,
the email address the users will send missed spam to is
is-spam@example.com.
Select OK.
To repair the Bayesian databases
Select OK.
Example company
Company X has set up a FortiMail unit to protect its email server by blocking spam
email. With over 1 000 email users, Company X plans to enable the FortiMail unit
Bayesian scanning capability. You, the system administrator, have been asked to
configure the FortiMail unit Bayesian training for the company.
Company X has divided its email users into three user groups and associated the
groups with three domains:
User Group   Domains
Group1       example1.com
Group2       example2.com
Group3       example3.com
For each domain, enter the corresponding user group information and select OK.
Field        Group1           Group2           Group3
FQDN         example1.com     example2.com     example3.com
IP Address   192.168.150.1    192.168.150.2    192.168.150.3
For each domain, enter the corresponding user group information and select OK.
Field        Group1           Group2           Group3
FQDN         example1.com     example2.com     example3.com
Select example1.com.
For Innocent Mailbox, select Browse to find the mailbox file that contains good
email.
For Spam Mailbox, select Browse to find the mailbox file that contains spam email.
Select OK.
The group training starts. Depending on the size of the mailbox files, this process
may take a few minutes.
Repeat these steps for example2.com and example3.com to train the Bayesian
databases for all three domains.
To train user group databases - email
You can also use the control accounts (see To inform the users of the account
control addresses on page 234) to train the user group databases by sending
email containing confirmed spam to the Learn Is Spam account and good email
to the Learn Is Not Spam account.
<account user name> is the Bayesian control account name, such as the
default is-spam.
The complete control account email address is formed by the control account
name, the at sign, and finally the user's account domain. For example,
user1@example2.com would use these control account addresses if the default
account names were not modified:
is-spam@example2.com
is-not-spam@example2.com
learn-is-spam@example2.com
learn-is-not-spam@example2.com
Send the users an email message to notify them of the training account
addresses and their usage, similar to the following:
All employees,
This message describes how to train your FortiMail Bayesian
database.
If you receive spam that has not been caught and tagged by
the FortiMail unit, forward these missed spam messages to
is-spam@example2.com from your company email account. This
will ensure any similar email will be caught by the
FortiMail unit in the future.
If you receive email that the FortiMail unit has
incorrectly tagged as spam, forward these messages to
is-not-spam@example2.com from your company email account.
This will ensure any similar email will not be tagged as
spam by the FortiMail unit in the future.
To perform group database training without training any user databases at the
same time, send training messages to the same control account addresses, but
configure your mail client to use one of these from addresses, depending on the
group database to be trained:
default-grp@example1.com
default-grp@example2.com
default-grp@example3.com
Now, you can send confirmed spam to the Learn Is Spam account or non-spam
to the Learn Is Not Spam account using one of the three addresses. For
example, using default-grp@example1.com as the From address will train
only the group database for the example1.com domain.
All black and white list entries are listed in alphabetical order.
You can add a maximum of 512 black or white list entries at each of the system,
domain, and personal levels, and 512 black or white list entries in each session
profile.
Enter the email address, domain, or IP address that you want to block or allow.
Select Backup.
Select Browse to find the black or white list that you want to restore.
Select Restore.
The selected black or white list is restored.
To block email, select the Black List icon for the required domain.
To allow email, select the White List icon for the required domain.
Enter the email address, domain, or IP address that you want to block or allow.
Select the black or white list icon associated with the domain containing the
address you want to remove.
Select the black or white list icon associated with the domain you want to back up.
Select Backup.
Select the black or white list icon associated with the domain you want to restore.
Select Browse to find the black or white list backup file you want to restore.
Select Restore.
The selected black or white list backup file is restored.
Select the domain of the SMTP server that has the user for whom you want to
configure the black or white list.
For information on creating domains, see Configuring domains (transparent and
gateway modes) on page 129.
Enter the username and select OK. If the user does not exist, a new user will be
created.
Turn on Add outgoing email addresses to White list if you want the FortiMail unit to
treat email sent from these addresses as non-spam email in the future.
Enter the email address, domain, or IP address that you want to block or allow.
Select Add to add the address or domain to the black or white list.
To delete an email address or domain from a personal black or white list
Select the domain of the SMTP server that has the user for whom you want to
modify the black or white list.
Select the domain of the SMTP server that has the user for whom you want to
backup the black or white list.
Select Backup.
Select the domain of the SMTP server that has the user for whom you want to
restore the black or white list.
Select Browse to find the black or white list that you want to restore.
Select Restore.
In the window that appears, select Download Black/White list backup file.
In the window that appears, select Browse, choose the back up file to be restored,
and select Open.
The path and filename of the selected file appears in the Black White list file field.
Caution: Restoring the black and white lists in this manner overwrites all of the existing
system, domain, and user black and white list contents.
[Table lost in extraction: for each type of black or white list, whether the
list is matched against the message sender or the message recipient, and
whether a match accepts or discards the message. Only the column values
survived.]
If the message sender is being examined for a match, email addresses and
domains in the list are compared to the message's envelope-from. IP addresses are
compared to the address of the client delivering the message, also known as the
last hop address.
If the message recipient is being examined for a match, email addresses and
domains in the list are compared to the message's recipient address. An IP
address in a recipient white or black list is not a valid entry because no IP
addresses are checked.
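The matching rules above, as an added Python example rather than FortiMail code: a small list object that applies each entry to the right field of the message and refuses entries the unit would never check. The classify() helper, the message dictionary fields and the exception names are assumptions for the example; the sender and recipient semantics, the limit of 512 entries per list and the alphabetical ordering are from this section.

```python
import ipaddress

MAX_ENTRIES = 512            # per-list limit stated in the text


class ListFullError(Exception):
    pass


def classify(entry):
    """Assumed classifier: an entry is an email address, an IP address, or a domain."""
    value = entry.strip().lower()
    if "@" in value:
        return "email", value
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        return "domain", value


class BlackWhiteList:
    """One black or white list, applied to either the message sender or the recipient."""

    def __init__(self, applies_to="sender"):
        assert applies_to in ("sender", "recipient")
        self.applies_to = applies_to
        self.entries = []    # (kind, value), kept in alphabetical order of value

    def add(self, entry):
        kind, value = classify(entry)
        if kind == "ip" and self.applies_to == "recipient":
            # No IP address is ever checked for a recipient match, so the
            # entry would silently never fire; refuse it instead.
            raise ValueError(f"{value}: IP entries are not valid in a recipient list")
        if len(self.entries) >= MAX_ENTRIES:
            raise ListFullError(f"list already holds {MAX_ENTRIES} entries")
        if (kind, value) not in self.entries:
            self.entries.append((kind, value))
            self.entries.sort(key=lambda e: e[1])

    def match(self, msg):
        """Return the matching entry, or None.

        msg is a constructed dict carrying the fields the text names:
        envelope_from, rcpt_to and last_hop_ip (the client that delivered the
        message). A header_from field may be present but is never consulted,
        because the lists compare against the envelope, not the header.
        """
        if self.applies_to == "sender":
            addr, ip = msg["envelope_from"].lower(), msg["last_hop_ip"]
        else:
            addr, ip = msg["rcpt_to"].lower(), None
        domain = addr.rsplit("@", 1)[1]
        for kind, value in self.entries:
            if kind == "email" and value == addr:
                return value
            if kind == "domain" and value == domain:
                return value
            if kind == "ip" and ip is not None and value == ip:
                return value
        return None
```

Because the sender lists look at the envelope-from and the last hop, a message whose header From: claims to be an internal address but whose envelope sender is in a blacklisted domain is still caught; conversely, whitelisting a display address in the header would not have helped, which is why the lists are keyed on the envelope.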
Configuring greylist
Greylisting is a means of reducing spam in a relatively low maintenance manner.
There are no IP address lists, email lists, or word lists to keep up to date. The only
required list is automatically maintained by the FortiMail unit.
When examining an email message, the greylist routine checks three message
attributes: the sender address, the recipient address, and the address of the
server delivering the message. More specifically, the greylist routine examines the
envelope sender (MAIL FROM:), the envelope recipient (RCPT TO:), and the IP subnet
of the mail server delivering the message.
While the envelope sender and envelope recipient values must match exactly, only
the /24 subnet of the system attempting delivery of the message is checked. For
example, if the message is delivered by a server at 192.168.1.99, any IP address
starting with 192.168.1 will be considered a match. If the envelope sender and
envelope recipient values also match, a new entry in the greylist database will be
created displaying the 192.168.1.0 subnet address.
This is because some large organizations use many mail servers with IP
addresses in the same subnet. If the first attempt to deliver mail gets a temp fail
message, the second attempt will be made by a separate server with another
address. This second address would be seen as a new delivery attempt unrelated
to the first. Depending on the configuration of the mail server farm, the message
may never be delivered properly. Allowing all addresses in the subnet solves this
problem.
If the greylist routine doesn't have a record of a message with the same sender,
recipient, and IP address subnet, the message is refused and a temporary error is
reported to the server attempting delivery.
Because a temporary error is reported, the delivering server should attempt to
send the message again at a later time. If another delivery is attempted within four
hours of the temporary error and after the greylisting period, the message is
accepted. The FortiMail unit stores the recipient address, the sender address, and
the IP address subnet of the delivering mail server so any subsequent messages
with these same three values are immediately accepted. If the recipient address
and the server IP subnet are the same but the sender address is different, the
message is unrecognized and not delivered until the mail server attempts to
resend. All three values must match.
Note: The four hour deadline for resending the message can be changed using CLI. For
more information, see the CLI command set as greylist
initial_expiry_period in the FortiMail CLI Reference.
Mail servers that follow the SMTP specification (RFC 821) will retry deliveries that
fail with a temporary error code. Most spam mail is not delivered by standard mail
servers, but rather by applications designed specifically for spam distribution.
These applications typically attempt delivery and ignore any failures or errors.
Therefore, greylisting will prevent delivery of these messages.
Note: Greylist checking is bypassed in three circumstances:
The client appears in the access list with relay permission. See Configuring
email access on page 139 for more information about the access list.
The client appears in the greylist exempt list. The exempt list is located in
Anti-Spam > Greylist > Exempt.
Spam detection scans are not run on mail stopped by greylisting. This can
save significant processing and storage resources.
Even if spammers begin to take greylisting into account and resend their
messages, the delay imposed by the greylist feature can be an advantage.
The greylist period can allow time for FortiGuard-Antispam and DNSBL
systems to discover the spam and blacklist the source. This way, when the
spam message is finally delivered, the FortiMail unit is more likely to recognize
it as spam.
The time to live setting determines how long each to/from/IP data
entry will be retained in the FortiMail unit's greylist. When the entry
expires, it is removed and new messages are again rejected until
the sending server attempts delivery of the message again.
Once recognized by the greylist, any message sent with the same
to/from/IP address information will reset the TTL count. For
example, if the TTL value is 36 days, a sender's greylist entry will
never expire if they send a message every 30 days. Every time the
greylist routine recognizes their to/from/IP address combination,
their TTL count is reset and starts counting down from 36 days.
Select a value between 1 and 60 days. The default value is 10 days.
Enter the length of time the FortiMail unit will continue to reject
messages with an unknown to/from/IP. After this time expires, any
resend attempts will have the to/from/IP data added to the greylist
and subsequent messages will be delivered immediately.
Select a value between 1 and 120 minutes. The default value is
20 minutes.
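The greylist behaviour described above, as an added Python example rather than FortiMail code. The Greylist class, its return values and the way the exempt list is stored are assumptions for the example; the 20 minute delay, the four hour resend window, the 10 day TTL, the /24 subnet match and the TTL reset on every match come from this section. Times are plain seconds, so the example runs offline without a clock.

```python
import ipaddress

# Defaults taken from the settings described above.
DELAY_PERIOD = 20 * 60          # retries are still rejected for 20 minutes
INITIAL_EXPIRY = 4 * 3600       # a retry must arrive within four hours to be accepted
TTL = 10 * 24 * 3600            # an accepted triplet lives 10 days, reset on every match


class Greylist:
    def __init__(self, delay=DELAY_PERIOD, initial_expiry=INITIAL_EXPIRY, ttl=TTL):
        self.delay, self.initial_expiry, self.ttl = delay, initial_expiry, ttl
        self.pending = {}            # triplet -> time of the first (rejected) attempt
        self.known = {}              # triplet -> time at which the entry expires
        self.exempt_subnets = []     # partial dotted addresses such as "172.22"
        self.exempt_addresses = set()

    @staticmethod
    def triplet(mail_from, rcpt_to, client_ip):
        """Envelope sender and recipient must match exactly; the client is keyed by its /24."""
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (mail_from.lower(), rcpt_to.lower(), str(net.network_address))

    def is_exempt(self, mail_from, client_ip):
        """Exempt list: a leading run of whole octets, or the envelope sender address."""
        octets = client_ip.split(".")
        for prefix in self.exempt_subnets:
            parts = prefix.split(".")
            if octets[:len(parts)] == parts:
                return True
        return mail_from.lower() in self.exempt_addresses

    def check(self, mail_from, rcpt_to, client_ip, now):
        """Return (smtp_code, reason) for one delivery attempt at time `now` (seconds)."""
        if self.is_exempt(mail_from, client_ip):
            return "250", "exempt list"
        key = self.triplet(mail_from, rcpt_to, client_ip)

        expires = self.known.get(key)
        if expires is not None:
            if now < expires:
                self.known[key] = now + self.ttl      # every match restarts the TTL
                return "250", "known triplet"
            del self.known[key]                       # TTL ran out: start over

        first = self.pending.get(key)
        if first is None or now - first > self.initial_expiry:
            self.pending[key] = now                   # new, or retried too late
            return "451", "greylisted, try again later"
        if now - first < self.delay:
            return "451", "greylisted, retried too early"

        del self.pending[key]                         # retried inside the window
        self.known[key] = now + self.ttl
        return "250", "greylist passed"
```

The /24 key is what lets a second server in the same farm complete a delivery the first one started. It also means a single spam source in a shared hosting range inherits the pass earned by a legitimate neighbour for the same sender and recipient pair, which is why the exempt list and the TTL should be kept tight rather than widened.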
Select the search icon and the Greylist search window appears.
Enter search parameters in the Sender, Recipient, and IP address fields. Use
wildcard character to enter partial patterns. Blank fields will match any value.
Regex is not supported.
Select Accept to execute the search and list entries matching all the search
parameters.
Delete: Select the delete icon to remove an entry from the exempt list.
Create New
The different types of acceptable address input for the exempt list are handled in
different ways.
Subnet: Enter a partial IP address and any address matching the entered
portion will be exempt from the greylist routine.
For example, if you enter 172.22 as an exempt address, every address starting
with 172.22 will be exempt.
Email address: The message envelope email address is compared to the email
addresses in the exempt list. A match allows the message to bypass the
greylist routine. The sender address in the message header is not compared to
the addresses in the exempt list.
IP
Sender
Recipient
Expire: The time at which the entry will be removed from the greylist. It is
determined by adding the TTL value to the time the message was received.
The FortiMail unit then determines a sender's reputation score primarily using two
ratios. First, the number of good messages is compared to the number of bad
messages (spam or mail with viruses or worms). Second, the total number of
recipients is compared to the number of bad recipients. The sender reputation
score uses email information up to twelve hours old, and recent mail influences
the score calculation more than older mail. The score itself ranges from 0 to 100,
with 0 representing a very well behaved sender, and 100 being the type of sender
you'd rather avoid.
The sender reputation score is compared to three thresholds, as defined in the
active session profile. If the sender is well behaved, their score will fall below the
first threshold. They can connect and deliver mail with no sender reputation
restrictions.
Throttle is the first threshold. A sender reputation score above this value will
limit the number of messages accepted per hour. The session profile includes
a field where the admin can enter the maximum number of messages, and a
second field where the admin can enter a percentage of the number of
messages received in the last hour. The throttle limit will be the larger of these two.
Temporary fail is the second threshold. With a sender reputation score above
this value, the FortiMail unit will not allow a connection from the client,
returning a temporary fail error.
Reject is the final threshold. With a sender reputation score above this value,
the FortiMail unit will not allow a connection from the client, returning a reject
message.
If more than 12 hours pass without a mail delivery from a client, the client's sender
reputation record is deleted. If a client delivers mail after their score is deleted,
they are treated as a new client.
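The threshold logic above, as an added Python example (not FortiMail code). The text gives the two ratios and the twelve hour window but not the formula that combines them, so the score used here (the larger of the two ratios, with a linear recency weight) and the numbers in Thresholds are assumptions; the throttle limit rule, the three thresholds, the record expiry and the manual Edit state override follow this section.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW = 12 * 3600      # mail older than twelve hours no longer counts (text)
HOUR = 3600


@dataclass
class Thresholds:
    """Session-profile values; the numbers are assumed, not FortiMail defaults."""
    throttle: int = 50
    tempfail: int = 70
    reject: int = 90
    throttle_max_msgs: int = 100    # absolute cap on messages accepted per hour
    throttle_pct: int = 50          # or this percentage of the last hour's messages


@dataclass
class ClientRecord:
    events: deque = field(default_factory=deque)    # (time, is_bad, recipients, bad_recipients)
    accepted: deque = field(default_factory=deque)  # times of messages accepted while throttled
    state: str = "Score Controlled"                 # Throttled, Blacklisted or Whitelisted when edited


class SenderReputation:
    def __init__(self, thresholds=None):
        self.t = thresholds or Thresholds()
        self.records = {}

    def record(self, ip, now, is_bad, recipients=1, bad_recipients=0):
        rec = self.records.setdefault(ip, ClientRecord())
        rec.events.append((now, is_bad, recipients, bad_recipients))

    def _prune(self, ip, now):
        rec = self.records.get(ip)
        if rec is None:
            return None
        while rec.events and now - rec.events[0][0] >= WINDOW:
            rec.events.popleft()
        if not rec.events:                 # no contact for 12 hours: the client is forgotten
            del self.records[ip]
            return None
        return rec

    def score(self, ip, now):
        """0 = well behaved, 100 = every message and every recipient was bad.

        Assumed scoring: the larger of the two ratios the text names, each
        weighted so that recent mail counts for more than older mail.
        """
        rec = self._prune(ip, now)
        if rec is None:
            return 0
        msgs = bad = rcpts = bad_rcpts = 0.0
        for when, is_bad, n, n_bad in rec.events:
            w = 1.0 - (now - when) / WINDOW      # 1.0 now, falling to 0 at twelve hours
            msgs += w
            bad += w * is_bad
            rcpts += w * n
            bad_rcpts += w * n_bad
        ratio = max(bad / msgs, bad_rcpts / rcpts if rcpts else 0.0)
        return round(100 * ratio)

    def decide(self, ip, now):
        """accept, throttle, tempfail or reject for a new connection from ip."""
        rec = self._prune(ip, now)
        if rec is None:
            return "accept"                    # new client, no history
        if rec.state == "Whitelisted":         # manual override via Edit state
            return "accept"
        if rec.state == "Blacklisted":
            return "reject"
        s = self.score(ip, now)
        if s > self.t.reject:
            return "reject"
        if s > self.t.tempfail:
            return "tempfail"
        if s > self.t.throttle or rec.state == "Throttled":
            last_hour = sum(1 for e in rec.events if now - e[0] < HOUR)
            limit = max(self.t.throttle_max_msgs, last_hour * self.t.throttle_pct / 100)
            while rec.accepted and now - rec.accepted[0] >= HOUR:
                rec.accepted.popleft()
            if len(rec.accepted) >= limit:
                return "throttle"
            rec.accepted.append(now)
        return "accept"
```

The recipient ratio is what catches a dictionary attack: a client that sends a handful of clean-looking messages to hundreds of non-existent recipients scores high even though its message ratio looks fine. The twelve hour expiry is the flip side: a client that pauses for half a day returns with a clean slate, so reputation is a rate limiter, not a blacklist.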
For details on enabling sender reputation and a description of the settings in the
antispam profile, see Expand Sender reputation on page 182.
Search icon
View Lines
Total Lines
Edit state: The default of Disable locks the state of all the sender reputation
records. Selecting Enable allows the admin to choose any record's state
regardless of the client's sender reputation score.
IP
Score
State: One of Score Controlled, Throttled, Blacklisted, or Whitelisted.
Last Modified: The time and date the sender reputation score was most recently
modified.
Note: Although client sender reputation records are only valid for 12 hours after last
contact, the record may still appear in the sender reputation table after that time. Visible
entries older than 12 hours are considered invalid until they are removed or replaced.
Archiving email
The FortiMail unit can archive incoming or outgoing email according to the
archiving policies you specify.
This section describes how to configure the email archiving settings and policies
and search for archived email.
This section contains the following topics:
Specify the mailbox rotation size. When the mailbox reaches the rotation size or
time, whichever comes first, the mailbox file (mbx file) is renamed and
backed up. A new mailbox file is generated, into which newly archived
email is saved. All the rotated mailboxes remain accessible when you search
the email in them.
Enter an email archiving account name and password. The default account name
is archive and the default password is also archive. Change the default password:
it is printed in this guide and gives access to every archived message.
Enter an email address in the Forward to field if you'd like a copy of all email
messages forwarded to an email address of your choice as they're being
archived. If forwarding is not required, leave the field empty. Specifying an email
address here will not forward previously archived email.
Select Apply.
If you want to archive email to the local disk, select Archive to local disk and set
the disk quota.
If you want to archive email to a remote server, select Archive to remote host and
configure the following:
Protocol
Select the protocol of the remote host. The FortiMail unit supports SFTP
and FTP protocols. Use SFTP where the remote host allows it: FTP sends
the account password and every archived message across the network in
clear text.
IP address
User name
Password
Remote
directory
Local cache
quota
Set the FortiMail unit cache quota. Email archived on a remote host is
also cached by the FortiMail unit. When you view or search for email, the
cached email is viewed or searched more quickly.
Remote disk
quota
Set the disk quota for the remote host to archive email.
Select Apply.
Export
Send
Train bayesian database: Select to use the selected messages to train the Bayesian
databases. See To train Bayesian databases with archived mail on page 249.
New Search
Mark: Select message check boxes and then select Mark to mark messages for
further operations. This allows messages across multiple pages to be
marked at the same time.
Unmark
To search for email, type or select the search parameters to search by content
or time frame, then select Search.
Note: You can search archived email in the current mailbox and the rotated mailboxes
whether email is archived on the local disk or remote host. You can only view the archived
email in the current mailbox on the local disk.
Select the check boxes of all the messages in the current window you want
exported. If all messages are to be exported, selecting the check box above the
first message will automatically select the check boxes of all the messages on the
current page.
Once the appropriate messages have been selected, select the Mark button. A
red check mark will appear in the status column for all the previously selected
messages. If a message is mistakenly marked, select the check box and choose
Unmark to remove the red check mark from a message.
A new window opens. To start a new search without exporting, select New
Search. To initiate the download, select Click to download the exported mbx file.
You can choose the mbx filename and location.
To train Bayesian databases with archived mail
Select the messages you want to use to train the Bayesian databases. If all
messages are to be used for training, selecting the check box above the first
message will automatically select the check boxes of all the messages on the
current page.
Once the appropriate messages have been selected, select the Mark button. A
red check mark will appear in the status column for all the previously selected
messages. If a message is mistakenly marked, select the check box and choose
Unmark to remove the red check mark from a message.
Indicate whether the messages are to be added to the Bayesian database as
spam or as innocent (non-spam) email.
If group training is required, select the domain in the drop down menu.
If user training is required, select the domain in the drop down menu, and enter
the name of the user.
Select OK.
ID
Type: The policy type. The five types are pre-defined. See step 3 of To set
archiving policies on page 250.
Pattern
Status
Modify: Icons for deleting and modifying policies, or changing the order of policies
in the list.
For Policy Type, select a policy type and enter a pattern based on the selected
policy type.
The five types include:
Note: The Pattern field can contain wildcard (*) if the policy type is Sender address,
Recipient address, or Attachment file name.
For example, if you select Sender address as the policy type and enter
*@example.com as the pattern, all email from the example.com domain will be
archived.
Select OK.
ID
Type: The policy type. The three types are pre-defined. See step 3 of To set
exempt policies on page 251.
Pattern
Status
Modify: Icons for deleting and modifying policies, or changing the order of policies
in the list.
For Policy Type, select a policy type and enter the policy pattern based on the
selected policy type.
The three types include:
For example, if you select Sender address as the policy type and enter
top20deals@email7.example.com as the pattern, all email from this address will
not be archived.
Note: The Pattern field can contain wildcard (*) if the policy type is Sender address or
Recipient address. If the policy type is Spam email, the Pattern field will be ignored.
Select OK.
FortiMail logging
Storing logs
Logs
Alert Email
Reports
FortiMail logging
A FortiMail unit can log many different email activities and traffic including:
spam filtering
You can customize the level at which the FortiMail unit logs these events and
where it stores the logs. The level at which events are logged, or the log
severity level, is defined where you configure the logging location. There are
six severity levels to choose from. See Log message levels on page 254 for more
information.
The FortiMail unit is able to save log messages to its hard disk, or to a remote
location such as a Syslog server or FortiAnalyzer unit. You can view the log
messages available on the hard disk using the web-based manager.
Customizable filters enable you to easily locate specific information within the log
files.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
details and descriptions of log messages.
Description
0 - Emergency
1 - Alert
2 - Critical: Functionality is affected.
3 - Error
4 - Warning
5 - Notification
6 - Information
Storing logs
The FortiMail unit can store logs in various locations, depending on your office
environment and configuration. You can configure the FortiMail unit to log to its
hard disk, a FortiAnalyzer unit, or a Syslog server. The FortiMail unit can also be
configured to log to different logging locations. For example, information logs go to
a Syslog server, while error log messages are stored on the hard disk.
You can also configure the FortiMail unit to log to multiple FortiAnalyzer units and
Syslog servers. Logging to multiple logging devices provides redundancy,
ensuring logs are available at all times.
When configuring the logging location, you also need to configure what type of
FortiMail features you want to log. These log types include email traffic
information, spam detection events, as well as system activity events. You can
enable these log types when configuring the logging location.
Enter the maximum number of days before the current log file rolls, in the Log time
field.
Event log activities: Select to log all management activity and events, such as administration and HA activity.
When configuration has changed
POP3 server event (server mode): Select to log all POP3 events. This is available only if the FortiMail unit is in server mode.
IMAP server event (server mode): Select to log all IMAP events. This is available only if the FortiMail unit is in server mode.
SMTP server event: Select to log all SMTP server events.
Failed update
Virus Log
HA activity
Webmail event
Select OK.
Do not log: Select to stop log messages going to the FortiMail hard disk or other logging devices when the maximum log disk space is reached.
Select Apply.
Enter the IP address and port number of the remote computer running the syslog
software.
Event log activities: Select to log all management activity and events, such as administration and HA activity.
When configuration has changed
POP3 server event (server mode): Select to log all POP3 events. This is available only if the FortiMail unit is in server mode.
IMAP server event (server mode): Select to log all IMAP events. This is available only if the FortiMail unit is in server mode.
SMTP server event: Select to log all SMTP server events.
Failed update
Webmail event
Virus Log
Select OK.
Enable the CSV format if you want to save log messages in comma delimited text
format.
Select Apply.
Select the blue arrow to expand the Log to Remote Host options.
Event log activities: Select to log all management activity and events, such as administration and HA activity.
When configuration has changed
POP3 server event (server mode): Select to log all POP3 events. This is available only if the FortiMail unit is in server mode.
IMAP server event (server mode): Select to log all IMAP events. This is available only if the FortiMail unit is in server mode.
SMTP server event: Select to log all SMTP server events.
Failed update
Virus Log
HA activity
Webmail event
Select OK.
Enable the CSV format if you want to save log messages in comma delimited text
format.
Select Apply.
After configuring the log settings on the FortiMail unit, you or the FortiAnalyzer
administrator must configure the FortiAnalyzer unit to receive logs sent from the
FortiMail unit. The following procedure is provided if you are configuring the
FortiAnalyzer unit to receive logs yourself instead of the FortiAnalyzer administrator.
To configure a FortiAnalyzer unit to receive logs from the FortiMail unit
Device Name
Device ID
Description
Allocated Disk Space (MB)
When Allocated Disk Space is All Used
Select the group or groups where you want to include the Syslog server, and
select the right arrow button to add the Syslog servers to the group.
Select OK.
Select the blue arrow to expand the Log to Remote Host options.
Event log activities: Select to log all management activity and events, such as administration and HA activity.
When configuration has changed
POP3 server event (server mode): Select to log all POP3 events. This is available only if the FortiMail unit is in server mode.
IMAP server event (server mode): Select to log all IMAP events. This is available only if the FortiMail unit is in server mode.
Virus Log
HA activity
Webmail event
Select OK.
Select Apply.
Enter the maximum number of days before the current log file rolls, in the Log time
field.
Event log activities: Select to log all management activity and events, such as administration and HA activity.
When configuration has changed
POP3 server event (server mode): Select to log all POP3 events. This is available only if the FortiMail unit is in server mode.
IMAP server event (server mode): Select to log all IMAP events. This is available only if the FortiMail unit is in server mode.
SMTP server event: Select to log all SMTP server events.
Failed update
Virus Log
HA activity
Webmail event
Select OK.
Do not log: Select to stop log messages going to the FortiMail hard disk or other logging devices when the maximum log disk space is reached.
Select the blue arrow to expand the Log to Remote Host options.
Select Apply.
Logs
Logs recorded by the FortiMail unit contain valuable information about email
events and activities that occur on your network. These logs record per recipient,
which presents log information in a very different way than most other logs do. By
recording logs per recipient, log information is presented in layers, which means
that one log file type contains the what and another log file type contains the why.
For example, a log message in the history log contains an email message that the
FortiMail unit flagged as spam (the what) and the antispam log contains why the
FortiMail unit flagged the email message as spam.
Logs are divided into four types: history, event, antispam, and antivirus. Each of
these four log types contains a session identification number, located in the
session ID field of each log message that is recorded by the FortiMail unit. The
session ID corresponds to each of the four log types so that the administrator can
get all the information about the event or activity that occurred on their network.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
additional information about log messages that are recorded in FortiMail 3.0 as
well as examples of log messages.
History logs
History logs are used to quickly determine the disposition of a message. History
logs describe what action was taken by the FortiMail unit. Administrators use the
history logs to quickly determine the status of a message for a specific recipient,
and then go to other logs with that session ID to find out why that particular action
was taken.
In the following log messages, the bolded information indicates what an
administrator looks for when using history logs to find out what action was taken,
and the antispam log to find out why the action was taken.
(Below is an example of a history log message)
2008-01-07 18:19:08 log_id=04000050100 type=statistics
subtype=n/a pri=information session_id=m07NJ62T00110
from=aabb@example.com mailer=mta
client_name=[172.16.105.99] resolved=OK
to=ccdd@example.com message_length=0 virus=
disposition=0x200 classifier=0x12 subject=accounting
information
From the disposition, 0x200, we know that the FortiMail unit deferred the delivery
of the email message. We then take the session ID number and match it within the
antispam logs, as in the following:
2008-01-07 18:19:08 log_id=0501080300 type=spam
subtype=detected pri=information session_id=m07NJ62T00110
client_name=[172.16.105.99] from=aabb@example.com
to=ccdd@example.com subject=accounting information
msg=Grey Listing sender
In the above antispam log message, we can now see why the FortiMail unit
deferred delivery: the sender is on a grey list, as shown in the message field.
Event logs
Event logs contain log messages that concern network or system activities and
events, such as firmware upgrades or password changes. This log type shows
what is occurring at the protocol level, as well as the TCP level.
The following is an example of an event log message:
2008-02-09 13:56:56 log_id=0100010601 log_part=00 type=event
subtype=config pri=information user=admin ui=console
module=system submodule=dns msg=DNS has been changed by
user admin via CLI (console)
The event log does not have the same relationship with the history log as the
antispam or antivirus log does. The event log is not necessarily used for finding
the reason why an event occurred because there may not be a corresponding
session ID number. Event logs are also usually self-explanatory, meaning they
usually give the what and why within the log message.
Antispam logs
Antispam logs provide information pertaining to email messages that are
classified as Spam or Ham messages. The antispam logs describe why they were
classified, as was shown in the example in History logs on page 262.
The following is an example of an antispam log message:
2008-02-12 11:31:29 log_id=0501016384 log_part=00 type=spam
subtype=detected pri=notice session_id="m08CNJ42P0054"
from="" to="" msg="Loaded 91 FortiGuard heuristic rules. 88
are active (v1ubtype=detected pri=information session_id=""
from="" to="" msg="Deep Header Scanner Rules Reload Finished."
Antispam log messages describe spammy URIs, black/white listed IP addresses,
or other techniques the FortiMail unit used to classify the message. Antispam log
messages may also describe message processing errors, such as not handling
email that was sent from a specific user.
Antivirus logs
Antivirus logs provide information pertaining to email messages that are classified
as virus or suspicious messages. These log messages describe what virus is
contained in the email message or in a file attached to the email message.
The following is an example of an antivirus log message:
2008-03-28 16:30:18 log_id=0200060101 log_part=00 type=virus
subtype=infected pri=information session_id=n/a
from=abba@hynj.com to=<bccb@xyn.com> src_ip=172.20.130.26
msg=The file wqdf.zip is infected with HGBYN_TEST_FILE.
Administrators use antivirus logs to determine why an attachment was stripped
from a file after someone informed them about not receiving an attachment.
Administrators may also use this log type to verify why the history log detected a
virus.
The session ID is not usually used when looking up an antivirus log message;
instead, the time stated in the time field of the log message is usually used,
together with the search function.
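The correlation this section describes, worked through in code as an added example (not code from the guide or from Fortinet): a parser for the key=value message format shown above that joins the "what" in a history log record to the "why" in the antispam records sharing its session ID, and, because antivirus records carry session_id=n/a, matches those by time and recipient as the guide suggests. The parser assumes the field layout of the quoted messages; the disposition table holds only the 0x200 meaning given on this page, and the sample lines marked CONSTRUCTED are made up for the example.

```python
"""Parse FortiMail 3.0 key=value log messages and correlate them by session ID.
Added example, not code from the FortiMail guide or from Fortinet.  The history,
antispam, event and antivirus lines are the ones quoted in the guide; lines
marked CONSTRUCTED are made up to exercise edge cases.  Assumption: only
disposition 0x200 (deferred) is explained on this page; others report as unknown.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A message starts with a timestamp; the remainder is a run of key=value pairs.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
# Values are double-quoted or bare.  Bare values may contain spaces (subject=,
# msg=), so a bare value runs until the next " key=" or the end of the line.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|\s*$)')
# Disposition codes explained on this page; extend from the Log Message Reference.
DISPOSITIONS = {0x200: "deferred"}

def parse_line(line):
    """Return the fields of one log message as a dict, or None for a non-log line."""
    m = _TS_RE.match(line.strip())
    if not m:
        return None
    fields = {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")}
    for kv in _KV_RE.finditer(m.group(2)):
        quoted, bare = kv.group(2), kv.group(3)
        fields[kv.group(1)] = quoted if quoted is not None else bare.strip()
    return fields

def parse_log(text):
    """Parse every log message in a block of text, skipping anything else."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def describe_disposition(value):
    """Name the hexadecimal disposition field; unknown codes stay visible."""
    try:
        code = int(value, 16)
    except (TypeError, ValueError):
        return "unparseable disposition %r" % (value,)
    return DISPOSITIONS.get(code, "unknown disposition 0x%x" % code)

def _addr(value):
    """Normalise an address field; the antivirus log wraps it in angle brackets."""
    return (value or "").strip("<>").lower()

def explain_history(records, virus_window=timedelta(seconds=60)):
    """For each history record (the 'what'), collect the antispam records that
    share its session ID (the 'why').  Antivirus records carry session_id=n/a,
    so they are matched by time and recipient instead, as the guide suggests."""
    by_session = defaultdict(list)
    for r in records:
        sid = r.get("session_id", "")
        if sid and sid != "n/a":
            by_session[sid].append(r)
    results = []
    for r in records:
        if r.get("type") != "statistics":
            continue
        sid = r.get("session_id", "")
        why = [x.get("msg", "") for x in by_session.get(sid, [])
               if x.get("type") == "spam"]
        viruses = [x.get("msg", "") for x in records
                   if x.get("type") == "virus"
                   and _addr(x.get("to")) == _addr(r.get("to"))
                   and abs(x["time"] - r["time"]) <= virus_window]
        results.append({"session_id": sid, "to": r.get("to", ""),
                        "what": describe_disposition(r.get("disposition")),
                        "why": why, "viruses": viruses})
    return results

SAMPLE_LOG = "\n".join([
    # History log message from the guide: the 'what' (disposition 0x200).
    "2008-01-07 18:19:08 log_id=04000050100 type=statistics subtype=n/a pri=information "
    "session_id=m07NJ62T00110 from=aabb@example.com mailer=mta client_name=[172.16.105.99] "
    "resolved=OK to=ccdd@example.com message_length=0 virus= disposition=0x200 classifier=0x12 subject=accounting information",
    # Antispam log message from the guide: the 'why' for the same session ID.
    "2008-01-07 18:19:08 log_id=0501080300 type=spam subtype=detected pri=information "
    "session_id=m07NJ62T00110 client_name=[172.16.105.99] from=aabb@example.com "
    "to=ccdd@example.com subject=accounting information msg=Grey Listing sender",
    # CONSTRUCTED: antispam housekeeping message with quoted, empty fields.
    '2008-02-12 11:31:30 log_id=0501016384 log_part=00 type=spam subtype=detected pri=information '
    'session_id="" from="" to="" msg="Deep Header Scanner Rules Reload Finished."',
    # Event log message from the guide; it has no session ID to correlate on.
    "2008-02-09 13:56:56 log_id=0100010601 log_part=00 type=event subtype=config pri=information "
    "user=admin ui=console module=system submodule=dns msg=DNS has been changed by user admin via CLI (console)",
    # Antivirus log message from the guide: session_id=n/a, recipient in <>.
    "2008-03-28 16:30:18 log_id=0200060101 log_part=00 type=virus subtype=infected pri=information "
    "session_id=n/a from=abba@hynj.com to=<bccb@xyn.com> src_ip=172.20.130.26 "
    "msg=The file wqdf.zip is infected with HGBYN_TEST_FILE.",
    # CONSTRUCTED: history record one second later for the same recipient, with a disposition this page does not explain.
    "2008-03-28 16:30:19 log_id=04000050100 type=statistics subtype=n/a pri=information "
    "session_id=CONSTRUCTED01 from=abba@hynj.com mailer=mta client_name=[172.20.130.26] "
    "resolved=OK to=bccb@xyn.com message_length=0 virus= disposition=0x1 classifier=0x0 subject=wqdf",
])

if __name__ == "__main__":
    for item in explain_history(parse_log(SAMPLE_LOG)):
        print("%(session_id)s -> %(to)s: %(what)s; why=%(why)s; viruses=%(viruses)s" % item)
```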
Delete Selected Items
Empty Log
View
Download
Delete
Next Page
Previous Page
Search
Select the number of rows of log entries to display per page from the drop-down list.
Total lines: Displays the amount of lines on the page. For example, if there are only two lines on the page, the number is 2.
Go to line:
Delete Selected Items: Select the log files by clicking the checkbox in the same row. Select Delete Selected Items to remove those items from the hard disk.
Action
The Logging menu enables you to view the log messages from a selected log file.
The columns that appear reflect the content in the log file.
To view log messages
Next Page
Previous page
Level: Select the log level to view. The FortiMail unit displays the log messages for the selected level and above.
Subtype (Event logs only): Select the subtype to view. The FortiMail unit displays the log messages for that log subtype. This is available only when viewing event logs.
View n lines per page: Select the number of lines of log messages from the drop-down list to display on each page.
Go to Line: Type the line number of the first line you want to display and select Go.
Choose Columns: Select to add or remove log information columns to display. For more information see Customizing the column views on page 269.
When you are viewing log messages, you can also view the log message in Raw
format by moving your mouse over a number in the number column (#), as shown
in Figure 114. You can also highlight a log message by selecting the row that the
log message is in.
To view history log messages on the Status page
Select Search and enter the appropriate information for one or all of the following:
Keyword: Enter the word or words to search for within the log file.
Subject (History Log only): If you are searching for emails, enter the subject line contained in the email.
From: If you are searching for emails, enter the sender's email address.
To: If you are searching for emails, enter the receiver's email address.
Session Id: Enter the session identification of the log message you are searching for.
Log Id: Enter the log identification number of the log message you are searching for.
Client Name (History Log only): Enter the client name of the log messages you are searching for. The client name is usually an IP address, for example, 10.30.15.1.
Time: Enter the time period of when the log message occurred. Use the following options.
[0 day]
[12] hour(s)
[current day of the current month]
[current month]: Select the month for the search. The default is the current month. For example, February displays because it is the current month.
[current year]
[current time]
Select Apply.
To search event logs
Select Search and enter the appropriate information for one or all of the following:
Keyword: Enter the word or words to search for within the log file.
Session Id: Enter the session identification of the log message you are searching for.
Log Id: Enter the log identification number of the log message you are searching for.
Time: Enter the time period of when the log message occurred. Use the following options.
[0 day]
[12] hour(s)
[current day of the current month]
[current month]: Select the month for the search. The default is the current month. For example, February displays because it is the current month.
[current year]
[current time]
Select Apply.
You can also search event logs by using the Level or Subtype drop-down list,
which is available when viewing log messages. The Level drop-down list allows
you to select a specific log severity level. The Subtype drop-down list allows you
to select a specific subtype. The following tables provide information on what is
available in the drop-down lists of Level and Subtype.
Table 14: Level drop-down list options
Emergency
Alert
Critical
Error
Warning
Notification
Information
ALL
Configuration
Admin User
Web Mail
System
HA
Update Failure
Update Success
POP3
IMAP
SMTP
OTHERS: Displays all lines that have a value other than all of the above subtypes, from Configuration to SMTP.
Select a column name and do one of the following to change the views of the log
information:
Add ->
<- Remove: Select to move selected fields from the Displayed Columns list to the Hidden Columns.
Move up
Move down: Select to move the selected field down one position in the Displayed Columns list.
Select Apply.
Locate the log file and select Download in the Action column.
Downloads the log file in its raw format with an extension of .log.
Download file in CSV format
The web browser prompts you for a location to save the file.
Select the checkbox in the column header beside the Action column.
Select OK.
Caution: Download log files before deleting them. This provides a way to recover deleted
log files in the event you require those deleted log files later on. See Downloading log files
on page 270 for more information about downloading log files.
Select Delete in the Action column for the log file you want to delete.
You can select multiple rolled log files by selecting the checkboxes of the rolled
log files you want deleted.
To delete all rolled log files
Alert Email
Alert Email enables the FortiMail unit to monitor logs for specific log messages,
and notifies you by email when they appear. For example, if you require
notification about antivirus detection activity, you can configure an alert email that
is sent whenever the FortiMail unit detects antivirus activity.
Select Apply.
Verify the alert email is configured correctly by selecting Test. This sends an alert
email to the configured recipients.
Select one or more of the following event categories and select Apply:
virus incidents
critical events
disk is full
remote archiving/NAS failures
HA events
disk quota of an account is exceeded (Server mode only)
system quarantine quota is full
deferred emails # over (default=10000), interval time (default=30) minutes
Reports
The FortiMail unit can generate activity reports by analyzing the history log files
and presenting the data in a tabular and graphical format.
Reports provide valuable information, helping you to manage your network more
effectively while making more informed decisions on the administration of your
network and mail server.
FortiMail enables you to generate reports by configuring an on demand report or a
report scheduled at specified intervals.
The FortiMail unit generates reports by two methods:
FortiMail also generates a Mail Statistics report in System > Status > Mail
Statistics. The Mail Statistics page displays a summary of spam messages and
viruses detected by the scanning tools of the FortiMail unit in tabular and
graphical views. This page also shows actions taken by the unit against spam and
viruses. See Viewing mail statistics on page 73 for more information.
You can also configure your own reports. There are default settings for all reports;
for example, when configuring domains for your report, the default is All Domains.
All Domains includes all types of domains you configured on the FortiMail unit.
Caution: Generating reports at high-traffic times may affect mail traffic coming through the
FortiMail unit. Generate reports during low traffic times, for example at night.
Note: Predefined reports are available only when configuring basic settings in the quick
start wizard, in the basic management mode.
Configuring Reports
Reports are configured in Log & Report > Report > Config. These reports are
referred to as report profiles. Report profiles define what information appears in
the report. When you select Create, you can configure the type of report, the
device(s) to include, and the time frame for specialized reports.
Figure 125: Viewing report profiles
Delete
Edit
Run Report
Config Name
Domain
Schedule: The scheduled frequency when the FortiMail unit generates the report.
Modify
Create New
Select the blue arrow next to the options you need to configure:
Time Period: Configure what span of time the FortiMail unit uses when looking at the logs. See Configuring time period on page 274.
Query Selection: Select the reports you want to include. See Configuring the query selection on page 275.
Schedule: Configure when the FortiMail unit runs the report, for example, weekly, or monthly. See Configuring the schedule on page 275.
Domain
Incoming Outgoing
Output: Select the file format for the reports and add email recipients for the report. See Configuring output on page 277.
Select OK.
Time Period: Select the time period for the report. When you select last n hours, days or weeks, a field appears beside the drop-down list. Enter a number in the field, for example, eight, for the last n hours.
From Date: Select to configure the start date of the report. For example, you may want to begin the report on May 5, 2006 at 6 pm.
To Date: Select to configure the end date of the report. For example, you may want to end the report on May 6, at 12 am.
Query Selection
Total Summary
High level breakdown: Select if you want to include all top level and summary information for all queries.
Mail by Sender
Mail by Recipient
Spam by Sender
Spam by Recipient
Virus by Sender
Virus by Recipient
Not Scheduled
Daily
These Days: Select specific days of the week that the FortiMail unit should generate the report.
These Dates: Select specific days of the month to generate the report. For example, to generate a report on the first and thirtieth of every month, enter 1,30. The comma is required for separating the days.
At Hour: Select the time of day when the FortiMail unit should generate the report.
Remove Selected: Select a domain or domains to remove them from the list.
Add: Enter a domain and select Add to add the domain to the Domain list.
Incoming
Outgoing
Incoming and Outgoing
Configuring output
Select what type of file format you want the report to be, either HTML or PDF. You
can also add email addresses of recipients for receiving the generated report.
Figure 131: Report output
Output
Remove Selected: Select if you want to remove the recipient so he or she will not receive the report. Make sure the email address you want removed is selected before selecting Remove Selected.
Add: Enter the email address of the person who will receive the report and select Add to add the email address to the list.
Viewing reports
Generated reports display on the Browse page as a roll-up report, or individual
reports in HTML format. A roll-up report is a report that contains all individual
reports included. An individual report has the same look and functionality as the
roll-up report when viewing in HTML format but when viewing the report in one of
the alternate formats, only the right frame with the report information is included.
From Log & Report > Reports > Browse, you can select a report group from the
list in the Report files column and do one of the following:
Select the report name to view a roll up report of all individual reports
Select the plus sign to expand the individual report list, and then select to view
an individual report.
Figure 132: A FortiMail report showing the Mail Sender Report individual report
Browsing reports
You can browse through generated reports in Log & Report > Reports >
Browse. From the Browse page, you can delete reports if required, download
reports to view on another computer, or view only parts of a report.
Figure 133: Browse generated reports
Delete Selected
Delete
Download HTML
Download PDF
Total lines
Go to line: Type the line number you want to display and select Go.
Report Files: Indicates the date and time when the FortiMail unit completed the generated report.
Size (bytes)
Action
Check All/Check None: Select to select all reports for removal from the FortiMail hard disk. Select a check box for a report name and select Delete Selected to remove the report from the hard disk.
Downloading a report
If you need to view a report outside the FortiMail web-based manager, you can
download the report in either HTML or PDF format.
To download a report
Locate the report you want to download in the Report Files column.
Select the Download icon in the Action column to download an HTML or PDF
version of the report.
FortiMail active-passive HA
FortiMail active-passive HA
FortiMail supports active-passive high availability (HA) with full FortiMail
configuration and mail data synchronization between two FortiMail units. Mail data
consists of the FortiMail system mail directory, user home directories, and MTA
spool directories.
A FortiMail high availability (HA) group consists of two FortiMail units, one
functioning as a primary FortiMail unit (also called the master) and the other as a
backup FortiMail unit (also called the slave). The FortiMail units in the HA group
do not have to be the same FortiMail model but must be running the same
firmware build. The primary and backup units are configured separately and then
joined together to form the FortiMail HA group.
Both FortiMail units in the group have the same configuration except for the
FortiMail unit host name, SNMP system information, and some HA settings. For
details about how configuration synchronization works and about what is
synchronized and what is not, see Synchronizing the FortiMail configuration on
page 286.
You can include different FortiMail models in an active-passive HA group. For
details, see Mixing FortiMail models in a FortiMail HA group on page 284.
The primary unit performs all email processing including special FortiMail services
such as sending spam reports to email users. Email users connect to the primary
unit to download email, manage quarantined email, and to use FortiMail Webmail.
To configure and manage the FortiMail HA group, administrators connect to the
primary unit web-based manager or CLI.
Figure 134: Example FortiMail active-passive HA group operating in gateway mode (the figure shows the internal network, mail server, switch, HA group and Internet)
Administrators can also manage the backup FortiMail unit. The backup unit
monitors the primary unit to make sure that the primary unit is operating correctly.
If the backup unit determines that the primary unit has failed, the backup unit
becomes the primary unit without interrupting mail processing.
FortiMail HA is supported for FortiMail gateway mode, transparent mode, and
server mode. HA configuration and operating procedures are similar in all three
FortiMail operating modes.
Other system names such as the local domain name and the spam report host name
Some HA settings
For details about how configuration synchronization works and about what is
synchronized and what is not, see Synchronizing the FortiMail configuration on
page 286.
You can include different FortiMail models in a config only HA group. For details,
see Mixing FortiMail models in a FortiMail HA group on page 284.
Email users connect to any FortiMail unit to download email, manage quarantined
email, and to use FortiMail Webmail. For most HA group configuration and
management operations, administrators connect to the primary unit web-based
manager or CLI. However, administrators must connect to each FortiMail unit in
the HA group to configure interface IP addresses and some HA settings for that
FortiMail unit.
A config only HA group can function as a mail server farm for a large organization.
You can also install a FortiMail config only HA group behind a load balancer. The
load balancer can balance the mail processing load to all of the FortiMail units in
the config only HA group, improving mail processing capacity.
To set up a FortiMail config only HA group you configure one of the FortiMail units
as the config primary (or config master) and the other FortiMail units (up to 24) as
config backup units (also called config slaves or peer systems). Every
configuration change made to the config master is synchronized to all of the
config backup units.
FortiMail configuration HA does not synchronize mail data between the FortiMail
units in the config only HA group. As well, FortiMail config only HA does not
provide failover protection. If a FortiMail unit in a config only HA group fails, mail
data on the unit is lost (unless the unit can be restarted) and the functioning of the
failed FortiMail unit will not be resumed by other FortiMail units in the config only
HA group.
If the config primary unit fails the config backup units will continue to operate
normally. However, with no config primary unit configuration, changes to the
configuration are no longer synchronized. You can manually switch one of the
remaining config backup units to operate as the config primary unit. Then you can
make configuration changes to this config primary unit and have the configuration
changes synchronized to the remaining config backup units.
You cannot configure service monitoring for a config only HA group.
If the config only HA group is installed behind a load balancer, the load balancer
stops sending email to the failed FortiMail unit. All sessions being processed by
the failed FortiMail unit must be restarted and will be re-directed by the load
balancer to other FortiMail units in the config only HA group.
Also a FortiMail unit operating in config only HA cannot also be part of a FortiMail
HA group operating in active-passive HA.
Config only HA uses the same configuration synchronization mechanism as
active-passive HA. The only difference is that a config only HA group can have up
to 24 peers. Part of configuring HA involves adding the IP addresses of all of the
peers to the config only primary HA configuration.
You must give each backup unit a peer IP address that is the same as one of the
peer IP addresses added to the primary unit. The backup unit configuration also
includes the IP address of the primary unit.
If you mix FortiMail models in a FortiMail HA group you should make sure that the
configuration settings that you add can be supported on all of the models in the
HA group. For example, in the FortiMail-400 and FortiMail-100 HA group
described above you are limited by the capacity of the FortiMail-100 unit.
According to the FortiMail 3.0 Maximum Values Matrix on the Fortinet Knowledge
Center you can add 50 domains to a FortiMail-100 unit and 500 domains to a
FortiMail-400 unit. So in an HA group consisting of a FortiMail-400 and a
FortiMail-100 you should only add 50 domains. For a complete list of configuration
limitations for all FortiMail models, see the FortiMail v3.0 Maximum Values Matrix.
Caution: Using the same FortiMail network interface for user data and HA synchronization
is not supported.
Interface configuration
Transparent mode Management IP address
SNMP system information
Main HA configuration
HA Daemon configuration
HA service monitoring configuration
System mail directory: Contains quarantined email messages and archived email messages stored on the FortiMail unit hard drives. The system mail directory may contain a relatively large amount of data. However, this data does not usually change rapidly so synchronizing the system mail directory does not usually require a large amount of bandwidth or processing time. The system mail directory should be synchronized because it could be difficult to recover from a failed FortiMail unit.
User home directories
MTA spool directories: Contain the FortiMail mail queues including the outgoing mail queue, the deferred queue, the spam queue, the failed queue, and the dead mail queue. (See Managing mail queues on page 141 for more information about these mail queues.) The MTA spool directories may contain a large amount of data that changes rapidly. Synchronizing large amounts of data that changes rapidly may take considerable bandwidth and processing time, both of which may affect the performance of the FortiMail unit. Also, if the primary unit fails, when it is restarted it becomes a backup unit and synchronizes all MTA spool directories to the new primary unit (see FortiMail MTA spool directory synchronization after a failover on page 289 for more information). Because of this synchronization, the data in the MTA spool directories is usually recovered after failover.
If the primary unit experiences a hardware failure and cannot be restarted you might not be able to recover mail in the MTA spool directories. Synchronizing the MTA spool directories means that you will not lose mail in the MTA spool directories if the primary unit experiences a hardware failure.
See HA daemon configuration options on page 313 to configure how often the
HA group synchronizes mail data, to change the TCP port used for synchronizing
data across the heartbeat link, and to select the types of mail data to synchronize.
You can also manually synchronize mail data. See Forcing the HA group to
synchronize configuration and mail data on page 305.
You should disable mail data synchronization if the HA group stores mail data on a
remote NAS server. See HA and storing FortiMail mail data on a NAS Server on
page 300.
Mail data is stored on the primary unit in the system mail directory, the user home directories,
or the MTA spool directories (which include the outgoing mail directory).
When a failover occurs, the network connections between the sender and the
primary unit are cut off. From the sender's point of view, the email send
attempt fails, and the sender attempts to re-send the email message.
Usually you should configure HA to synchronize the system mail directory and the
user home directory so that no email messages in these directories are lost when
a failover occurs.
Email messages stored on the primary unit MTA spool directories are either being
stored or sent by the primary unit. When a failover occurs, email being sent is
stopped, but the stored message remains in a primary unit MTA mail directory.
The FortiMail MTA spool directories are always synchronized by the FortiMail HA
group after a failover. Synchronizing the MTA spool directories after a failover
means that even if you choose not to configure the HA group to synchronize MTA
spool directories during normal operation, the email in the MTA directories on the
failed primary unit can still be delivered after a failover as long as the failed
primary unit can be restarted.
Even if the HA group synchronizes MTA spool directories, because the
synchronization is periodic, there is a chance that some of the email in these
directories will not be synchronized when a failover occurs. This is especially true
for the outgoing mail queue, the content of which changes very rapidly.
FortiMail HA uses the following mechanism to make sure that after a failover
occurs, email messages in the failed primary unit MTA spool directories are not
lost.
Note: If the failed primary unit's effective operating mode is FAILED, a sequence similar to the
following occurs automatically when the problem that caused the failure is corrected.
After a failover the former backup unit operates as the new primary unit.
The primary unit that failed starts up again, detects the presence of the new
primary unit, and becomes a backup unit.
Note: You may have to manually restart the failed primary unit.
The new backup unit synchronizes its MTA spool directories with the new primary
unit MTA spool directories.
This synchronization takes place over the heartbeat link between the primary and
backup FortiMail units. Synchronizing the MTA spool directories prevents
duplicate email messages from getting into the primary unit MTA spool directories.
The new primary unit continues to deliver the email messages in its MTA spool
directories, including the email messages synchronized from the new backup unit.
[Figure: active-passive HA group. The primary unit and backup unit are joined by a primary heartbeat link; their port1 interfaces connect to a switch, which connects through the network switch to the Internet and the mail server.]
For mail sessions to continue to be processed by the new primary unit after a
failover, the new primary unit must have the same IP addresses as the original
primary unit. In most HA configurations you would use a FortiMail HA virtual IP
address to make this happen. When a FortiMail HA group is operating, network
interfaces that send and receive email or that users connect to for Webmail
access are configured with HA virtual IP addresses. All email transactions and
Webmail connections use these virtual IP addresses.
When the HA group is operating, the virtual IP addresses are associated with
primary unit network interfaces. As a result all email is processed by the primary
unit. After a failover, the virtual IP addresses are associated with the new primary
unit interfaces. As a result, after a failover all email is processed by the new
primary unit (originally the backup unit).
Set the IP address of the primary unit port1 network interface to a new IP address
(for example, 172.16.5.10).
Set the IP address of the backup unit port1 network interface to another new IP
address (for example, 172.16.5.11).
Enable HA on the primary unit and add a virtual IP/netmask to the port1 network
interface. Set the virtual IP address to 172.16.5.2.
Note: Because of this virtual IP address configuration, port1 of the primary unit can receive
packets sent to IP addresses 172.16.5.10 and 172.16.5.2. All packets sent from the primary
unit port1 interface will have a source IP address of 172.16.5.2 (the virtual IP address).
After a failover, all packets sent from the backup unit port1 interface will have a source IP
address of 172.16.5.2.
[Figure: active-passive HA group using a virtual IP. Primary unit port1 IP 172.16.5.10, port1 virtual IP 172.16.5.2; backup unit joined by a heartbeat link; port1 interfaces on a switch connected to the network switch, the Internet and the internal network with its DNS server. DNS record examplegw.com=172.16.5.2; MX record fortimail.examplegw.com=172.16.5.2.]
[Figure: config only HA group. Primary unit with backup unit 1 (backup peer 1 IP 10.0.0.2) and backup unit 2 (backup peer 2 IP 10.0.0.3); a switch for the heartbeat link; a load balancer for the port1 interfaces connected to the network switch, the Internet and the internal network with its DNS server.]
Go to System > Network > Interface and set the IP address of the port1 interface to 172.16.5.1.
Set the Master Configuration IP address to the local IP address of the primary unit (10.0.0.1).
Go to System > Network > Interface and set the IP address of the port1 interface to 172.16.5.2.
Set the Master Configuration IP address to the local IP address of the primary unit (10.0.0.1).
Go to System > Network > Interface and set the IP address of the port1 interface to 172.16.5.3.
See Restarting the HA processes on a stopped primary unit on page 306 for
sample HA log message and alert email.
Recording HA log messages on the primary and backup unit hard disks
Use the following steps to configure the primary and backup units in an HA group
to record HA log messages on their hard disks. This configuration is synchronized
to all FortiMail units in the HA group. Any of the units in the HA group will record a
log message when that unit detects an HA event.
To record HA log messages on the primary and backup unit hard disks
1 Select Event Log and under Event log select HA activity event.
Change the Port if your syslog server receives log messages on a custom TCP
port.
The most commonly used TCP port number for syslog messages is 514.
Select Event Log and under Event log select HA activity event.
Add email addresses of the system administrators who should receive HA alert
email messages.
Select Apply.
You can select Test to confirm that the primary unit can successfully send alert
email messages to your addresses. You can also log into the backup unit
web-based manager and select Test to confirm that the backup unit can
successfully send alert email messages to your addresses.
Select HA events.
Select OK.
Add a new community or edit a community that has already been added.
Select HA event.
Select OK.
Repeat these steps for all the backup units in the HA group.
SNMP HA event objects defined in fortimail.mib (descriptions not recovered): fmlHAEventId, fmlHAUnitIp, fmlHAEventReason, fmlHAMode.
If you are operating a config only HA group, you can repeat steps 3 and 4 for each
backup unit.
Effective operating mode: The HA operating mode that the unit is currently operating in. The effective operating mode matches the configured operating mode unless a failure has occurred.
During normal operation the configured and effective operating modes of each
FortiMail unit in the HA group match. If a failover occurs, the configured and
effective operating modes may not match. For example, after a failover, the
backup unit becomes the primary unit. The effective operating mode of the new
primary unit is changed to MASTER (primary), but the configured operating mode
is SLAVE (backup).
Depending on the On Failure setting the failed primary unit effective operating
mode could be OFF or FAILED. If the effective operating mode is FAILED, after
the problem that caused the failure is corrected the effective operating mode
could change to BACKUP or MASTER depending on the On Failure setting. See
HA Main configuration options on page 310 for more information about setting
On Failure.
If the failed primary unit restarts, the failed primary unit will find the new primary
unit and switch to operating as the new backup unit. So, after a failure the
effective operating mode of a restarted primary unit is SLAVE (backup) while the
configured operating mode of this unit is MASTER (primary). See Table 17 for
more examples of configured and effective operating modes.
Table 17: Configured and effective operating modes (descriptions not recovered)
Configured operating mode | Effective operating mode
MASTER | MASTER
SLAVE | SLAVE
MASTER | OFF
SLAVE | OFF
MASTER | FAILED
MASTER | SLAVE
SLAVE | MASTER
MASTER CONFIG | N/A
SLAVE CONFIG | N/A
Monitor: The time at which the backup unit HA daemon will check to make sure that the primary unit is operating correctly. This checking takes place across the heartbeat link between the primary and backup units. If the heartbeat link becomes disconnected, the next time the backup unit checks for the primary unit, the primary unit will not respond, so the backup unit will assume that the primary unit has failed and become the primary unit. Change monitor timing using the HA Daemon Heartbeat setting. See HA daemon configuration options on page 313.
Configuration: The time at which the backup unit HA daemon will synchronize the FortiMail configuration from the primary unit to the backup unit. Change configuration synchronization timing using the HA Daemon Configuration setting. See HA daemon configuration options on page 313. The message "slave unit is currently synchronizing" is displayed when the HA daemon is synchronizing the configuration.
Data: The time at which the backup unit HA daemon will synchronize mail data from the primary unit to the backup unit. Change data synchronization timing using the HA Daemon Data setting. See HA daemon configuration options on page 313. The message "slave unit is currently synchronizing" is displayed when the HA daemon is synchronizing data.
From either the primary or backup unit web-based manager, go to System > HA >
Status.
You can use the following steps to restart the HA processes on the primary unit.
Before restarting the HA processes on the primary unit you should find and
resolve the problem that caused the failure. If local service monitoring detects a
failure the primary unit sends alert email and records log messages with
information about the problem.
For example, if local service monitoring detects that port2 failed, the primary unit
records a log message similar to the following.
date=2005-11-18 time=18:20:31 device_id=FE-4002905500194
log_id=0107000000 type=event subtype=ha pri=notice user=ha
ui=ha action=unknown status=success msg="monitord: local
problem detected (port2), shutting down"
The primary unit (with host name primary-host-name) also sends an alert email
with the following content:
Subject: monitord: local problem detected (port2), shutting
down [primary-host-name]
This is the FortiMail HA unit at 10.0.0.1.
A local problem (port2) has been detected, telling remote to
take over and shutting down.
Figure 145: Status page after local service monitoring detected a failure
Configuring HA options
Go to System > HA > Configuration to set HA configuration options. To
configure a FortiMail HA group you must set the HA configuration separately on
the primary unit and on the backup unit. The configuration of both units is very
similar except that you set the mode of operation of the primary unit to master and
the mode of operation of the backup unit to slave.
Config only HA options are similar to active-passive HA configuration options.
This section describes both active-passive HA options and config only HA
options.
FortiMail Secure Messaging Platform Version 3.0 MR3 Administration Guide
06-30003-0154-20080327
Figure 148: Config only HA example: primary unit with three backup units
Mode of Operation
Set the HA configured operating mode of the FortiMail unit. The FortiMail unit
switches to operating in the HA configured operating mode immediately after you
enter this command. The configured operating mode can be:
config master if the FortiMail unit is the primary unit in a config only HA group.
config slave if the FortiMail unit is a backup unit in a config only HA group.
Switch OFF, the FortiMail unit effective operating mode changes to OFF. The
FortiMail unit will not process mail or join the HA group until you manually
change the FortiMail unit effective operating mode to MASTER (primary) or
SLAVE (backup).
wait for recovery then restore original role, similar to the wait for recovery and
then assume slave role, the FortiMail unit effective operating mode changes to
FAILED when remote service monitoring detects a failure. However, in this
case on recovery the failed FortiMail unit effective operating mode switches
back to its configured operating mode. This behavior may be useful in some
scenarios but may cause problems in others.
wait for recovery and then assume slave role, the FortiMail unit effective
operating mode changes to FAILED when remote service or local network
interface service monitoring detects a failure. In FAILED mode the FortiMail
unit uses remote service monitoring to attempt to connect to the other FortiMail
unit in the HA group (which should be operating as the primary unit with
effective operating mode of MASTER). If you fix the problem that caused the
failure the failed FortiMail unit recovers by changing its effective operating
mode to SLAVE. The failed FortiMail unit then synchronizes the content of its
MTA spool directories to the FortiMail unit operating as the primary unit. The
primary unit can then deliver this email.
See Table 17 on page 304 for information about configured and effective
operating modes including OFF and FAILED. See Configuring active-passive HA
service monitoring on page 318 for information about local and remote service
monitoring.
Primary Heartbeat
Select the network interface to be used as the primary heartbeat interface. The
primary heartbeat interface is the primary heartbeat link between the units in the
HA group. The primary heartbeat link is used for the HA heartbeat and for HA
synchronization. The default primary heartbeat interface is the network interface
with the highest number. In most cases you would not have to select a different
network interface.
Note: The primary heartbeat interface configuration in master mode is set to do nothing
and this setting cannot be changed.
For information about the heartbeat interface and about HA heartbeat and HA
synchronization, see Configuring the HA heartbeat and synchronization
interface on page 286.
Caution: Using the same FortiMail network interface for user data and HA synchronization
is not supported.
Note: Isolate heartbeat interfaces from your user networks. Heartbeat and synchronization
packets contain sensitive configuration information and can consume considerable network
bandwidth. For an active-passive or a config only HA group consisting of only two FortiMail
units, directly connect the heartbeat interfaces using a crossover cable. For a config only
HA group consisting of more than two FortiMail units, connect the heartbeat interfaces to a
switch and do not connect this switch to your user networks.
The local IP is the primary heartbeat IP address for this FortiMail unit. When the
FortiMail unit is operating in HA mode, the primary heartbeat local IP appears on
the System > Network > Interface list for the heartbeat interface.
For the primary heartbeat you must configure the local IP and peer IP as follows:
The local IP of the primary unit must match the peer IP of the backup unit.
Normally you would set the local IP of the primary unit to 10.0.0.1.
The local IP of the backup unit must match the peer IP of the primary unit. In
an active-passive HA group you would normally set the local IP on the backup
unit to 10.0.0.2.
For an active-passive HA group the peer IP is the local IP of the other FortiMail
unit in the HA group. This is the IP address that the FortiMail unit expects to be
able to connect to using the primary heartbeat to find the other FortiMail unit in
the HA group.
The peer IP of the primary unit must match the local IP of the backup unit.
Normally you would set the peer IP of the primary unit to 10.0.0.2.
The peer IP of the backup unit must match the local IP of the primary unit.
Normally you would set the peer IP address of the backup unit to 10.0.0.1.
Note: The secondary heartbeat interface configuration in master mode is set to do nothing
and this setting cannot be changed.
Heartbeat (active-passive HA)
Set options used by the HA daemon for sending HA heartbeat packets. Set the following options:
The TCP port used for HA heartbeat communications. The default
TCP port is 20000.
The time between HA heartbeat packets sent by the FortiMail units in the HA group. The default test interval between HA heartbeat packets is 5 seconds. The test interval range is 2 to 60 seconds. Heartbeat packets are sent at regular intervals so that each FortiMail unit in an active-passive HA group can confirm that the other unit in the group is functioning. If the primary unit detects that the backup unit has failed, the primary unit continues to operate normally. If the backup unit detects that the primary unit has failed, the HA effective operating mode of the backup unit changes to MASTER and the backup unit becomes the primary unit.
The number of consecutive times the HA heartbeat detects a failure before a FortiMail unit in an active-passive HA group decides that the primary unit has failed. The range for the number of times the check fails is 1 to a very high number. Set the number of times the check fails to 0 to disable interface monitoring or hard drive monitoring.
In most cases you do not have to change heartbeat settings. With the default settings, if the primary unit fails, the backup unit switches to being the primary unit after 3 x 5 seconds, or about 15 seconds, giving a failure detection time of 15 seconds.
If the failure detection time is too long the primary unit could fail and a
delay in detecting the failure could mean that email is delayed or lost.
Decrease the failure detection time if email is delayed or lost because
of an HA failover.
If the failure detection time is too short the backup unit may detect a
failure when none has occurred. For example, if the primary unit is
very busy processing email it may not respond to HA heartbeat
packets in time. In this situation, the backup unit may assume that the
primary unit has failed when the primary unit is actually just busy.
Increase the failure detection time to prevent the backup unit from
detecting a failure when none has occurred.
Configuration
Set the TCP port and time interval for synchronizing the configuration.
Set the following:
The TCP port used for synchronizing the configuration of the
primary unit to the backup unit. The default TCP port is 20001.
How often HA synchronizes the configuration. The default
configuration synchronization time is 60 minutes. The
configuration synchronization time range is 15 to 999 minutes.
Set the configuration synchronization time to 0 to disable
configuration synchronization.
In most cases you do not have to change the default settings.
However if you are making a lot of configuration changes, you may
want to reduce the time between synchronizations so that changes
are not lost if a failover occurs. During normal operation,
synchronizing the configuration every 60 minutes is usually sufficient.
You can also synchronize the configuration manually. See Forcing
the HA group to synchronize configuration and mail data on
page 305.
For more information about how FortiMail HA synchronizes the
configuration and about what is synchronized and what is not
synchronized, see Synchronizing the FortiMail configuration on
page 286.
Data (active-passive HA)
Set the TCP port and time interval for synchronizing mail data. Set the following:
The TCP port used for synchronizing mail data. The default TCP
port is 20002.
How often the synchronization occurs. The default data
synchronization time is every 30 minutes. The data
synchronization range is 15 to 999 minutes. Set the data
synchronization time to 0 to disable data synchronization.
The type of mail data to synchronize. You can synchronize the
system mail directory, the user home directories, and the MTA
spool directories. See Synchronizing FortiMail mail data on
page 288 for more information about what to consider before
configuring mail data synchronization. Synchronization of all three
types of mail data is disabled by default.
In most cases you do not have to change the default settings except
to select the data to synchronize. You might also want to reduce the
synchronization time if you find you are losing mail data during a
failover. Also, synchronizing large amounts of mail data may cause
processing delays. Reducing how often mail data is synchronized may
alleviate this problem. During normal operation, synchronizing data
once every 30 minutes is usually sufficient.
You can also synchronize mail data manually. See Forcing the HA
group to synchronize configuration and mail data on page 305.
You should disable mail data synchronization if the HA group stores
mail data on a remote NAS server. See HA and storing FortiMail mail
data on a NAS Server on page 300.
do nothing
The default setting for all network interfaces. Select this option if you
do not want to apply special functionality to a network interface when
operating in HA mode.
See Removing an interface from an HA group on page 294 for more
information about the do nothing interface configuration option. See
Gateway mode active-passive HA configuration on page 320 for a
FortiMail configuration example that uses the do nothing option.
The other HA network interface configuration options are set interface IP/netmask, add virtual IP/netmask, and add to bridge (descriptions not recovered).
Known Peers
The list of backup unit IP addresses that have been added to the
primary unit HA configuration. The primary unit only synchronizes with
backup units that have IP addresses in the known peers list. You can
select the delete icon for any IP address in the known peers list to
remove the IP address of this backup unit from the primary unit HA
configuration.
New Peer
Add the IP address of a backup unit and select add to add the backup
unit IP address to the known peers list. You can add up to 24 backup
units or peers.
Configuring the backup unit to monitor remote services on the primary unit
Connect to the backup unit and go to System > HA > Services and configure
remote service monitoring so that the backup unit monitors the primary unit to
verify that the primary unit can accept SMTP service, POP service (POP3), and
Web service (HTTP) connections.
For each service you can enter the IP address and TCP port number to check.
You can enter the same IP address or different IP addresses for each service.
Remote service monitoring is an effective way to make sure that both FortiMail
units in the HA group are connected to your network. If the primary unit becomes
disconnected from the network, the FortiMail HA group can no longer process
email. If this happens and remote service monitoring is configured the backup unit
detects that the primary unit network connection has failed.
Normally you would set remote monitoring to monitor the IP address of the
primary unit interface that processes email. For example, if the primary unit uses
port1 for email traffic, set the remote service monitoring IP address to the port1 IP
address of the primary unit.
If you set the remote service monitoring IP address to the IP address of the
primary heartbeat interface or the secondary heartbeat interface of the primary
unit, checking takes place over the heartbeat link.
For each protocol you must specify the check time interval in minutes to wait
between checks and the response wait time in seconds to wait for a response.
You must also specify how many times the check fails before the backup unit
decides that the primary unit has failed and a failover occurs.
The check time interval range is 1 to 60 minutes. Set the time interval to 0 to
disable remote service monitoring. The response wait time range is 1 to a very
high number of seconds. Set the response wait time to 0 to disable remote service
monitoring.
The range for the number of times the check fails is 1 to a very high number. Set the
number of times the check fails to 0 to disable interface monitoring or hard drive
monitoring.
You must specify an IP address and port number and configure all settings for
each protocol.
If the backup unit detects a remote service failure, the backup unit HA effective
operating mode changes to MASTER. The backup unit becomes the new primary
unit. The primary unit effective operating mode changes to OFF or FAILED
depending on the on failure setting. See HA Main configuration options on
page 310 for information about setting on failure.
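To make the interval-times-fail-count arithmetic concrete, here is an added Python model (not Fortinet code) of the consecutive-failure rule that both the HA heartbeat settings described earlier and the remote service monitoring settings above share; the probe timelines, class names and function names are constructed assumptions.

```python
"""Added example (not Fortinet code): model of the consecutive-failure rule
behind FortiMail HA failure detection.

Two monitors from this guide are modelled with constructed probe timelines:
  * the HA heartbeat: a probe every interval_s seconds, failover declared after
    fail_count consecutive missed heartbeats (defaults 5 s and 3, i.e. 15 s);
  * remote service monitoring: a check per protocol every interval_min minutes,
    each waiting wait_s seconds for an answer, failover after fail_count
    consecutive failed checks.
A timeline is the primary unit's response latency in seconds for each probe,
or None when it never answered.  Class and function names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

Timeline = Sequence[Optional[float]]


@dataclass(frozen=True)
class HeartbeatSettings:
    interval_s: int = 5    # test interval between heartbeat packets (range 2..60)
    fail_count: int = 3    # consecutive failures before failover (0 disables)

    def detection_time_s(self) -> int:
        """Worst-case time from primary failure to the backup assuming MASTER."""
        if not 2 <= self.interval_s <= 60:
            raise ValueError("heartbeat interval must be between 2 and 60 seconds")
        return self.interval_s * self.fail_count


@dataclass(frozen=True)
class ServiceCheck:
    name: str             # "SMTP", "POP3" or "HTTP"
    interval_min: int     # check interval in minutes (range 1..60, 0 disables)
    wait_s: int           # response wait time in seconds (0 disables)
    fail_count: int       # consecutive failed checks before failover (0 disables)

    def enabled(self) -> bool:
        return self.interval_min > 0 and self.wait_s > 0 and self.fail_count > 0

    def detection_time_s(self) -> int:
        """Approximate worst case (model assumption): fail_count checks, each
        timing out after wait_s, with interval_min minutes between check starts."""
        return (self.fail_count - 1) * self.interval_min * 60 + self.fail_count * self.wait_s


def _first_run_of_misses(missed: Sequence[bool], fail_count: int) -> Optional[int]:
    """Index at which fail_count consecutive misses is first reached, else None."""
    if fail_count <= 0:
        return None                          # a fail count of 0 disables the monitor
    streak = 0
    for i, miss in enumerate(missed):
        streak = streak + 1 if miss else 0   # any good probe resets the count
        if streak >= fail_count:
            return i
    return None


def heartbeat_failover_at(latencies: Timeline, hb: HeartbeatSettings) -> Optional[int]:
    """Probe index at which the backup declares the primary failed.

    A heartbeat is missed when the primary never answers or answers no sooner
    than the next heartbeat is due (latency >= interval)."""
    hb.detection_time_s()                    # validates the interval range
    return _first_run_of_misses(
        [lat is None or lat >= hb.interval_s for lat in latencies], hb.fail_count)


def service_failover_at(latencies: Timeline, chk: ServiceCheck) -> Optional[int]:
    """Same rule for a remote service check: a check fails when no answer
    arrives within wait_s seconds."""
    if not chk.enabled():
        return None
    return _first_run_of_misses(
        [lat is None or lat > chk.wait_s for lat in latencies], chk.fail_count)


# Constructed timelines (seconds until the primary answered; None = no answer).
BUSY_PRIMARY: Timeline = [1.0, 6.0, 6.5, 6.2, 1.0, 1.0]   # alive but slow under mail load
DEAD_PRIMARY: Timeline = [1.0, None, None, None, None]     # primary really went away


def demo() -> Dict[str, Optional[int]]:
    """Shows the trade-off the guide describes: the 5 s x 3 default detects a
    dead primary in 15 s but also fails over on a merely busy one; a longer
    interval avoids the false failover at the cost of slower detection."""
    default = HeartbeatSettings()
    relaxed = HeartbeatSettings(interval_s=10, fail_count=3)
    return {
        "default_detection_s": default.detection_time_s(),                     # 15
        "relaxed_detection_s": relaxed.detection_time_s(),                     # 30
        "busy_primary_default": heartbeat_failover_at(BUSY_PRIMARY, default),  # 3 (false failover)
        "busy_primary_relaxed": heartbeat_failover_at(BUSY_PRIMARY, relaxed),  # None
        "dead_primary_default": heartbeat_failover_at(DEAD_PRIMARY, default),  # 3
    }
```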
Interface | IP address setting | Used for (partially recovered)
port1 | 172.20.2.10 | (not recovered)
port5 | 172.16.5.2 | (not recovered)
port6 | Default IP. | (not recovered)
Remaining entries of this table read "Not connected." (interface labels not recovered).
[Figure: gateway mode active-passive HA example. port5 IP 172.16.5.2 connects through the network switch to the Internet and to the internal network with its DNS server; port1 IP 172.20.2.10 is used by administrators. DNS record examplegw.com=172.16.5.2; MX record fortimail.examplegw.com=172.16.5.2.]
When operating as an HA group, DNS and MX records should target the port5
interface of the primary FortiMail-400 unit. As well, administrators should be able
to administer the HA group by connecting to port1 of the primary unit.
If a failover occurs, port5 of the backup unit should become the DNS and MX
record target. As well, administrators should be able to connect to port1 of the
backup unit using the same administration IP address.
Additionally, all connections to port5 should only use the 172.16.5.2 IP address
and during normal HA group operation users should not be able to connect to
port5 of the backup unit. But administrators should be able to connect to port1 of
the backup unit at any time.
The network configuration shown in Table 19 supports these requirements for the
primary unit.
Table 19: Example primary unit HA network interface configuration (partially recovered)
FortiMail interface | IP address setting | HA network interface configuration in master mode: Setting | IP address | Description
port1 | (not recovered) | (not recovered) | 172.20.2.10 | (not recovered)
port2 to port4 | Default IP. | do nothing | - | -
port5 | Default IP. | set interface IP/netmask | 172.16.5.2 | (not recovered)
port6 | Default IP. | do nothing | - | -
Example backup unit HA network interface configuration (table title not recovered)
FortiMail interface | IP address setting | HA network interface configuration in master mode: Setting | IP address | Description
port1 | 172.20.2.30 | N/A | N/A | Enable HTTPS, SSH, and ping access. Administrative access to this interface using IP address 172.20.2.30.
port2 to port5 | Default IP. | N/A | N/A | -
port6 | Default IP. | N/A | N/A | -
[Figure: gateway mode active-passive HA group. The primary unit and backup unit are joined by a port6 primary heartbeat link; the network switch connects the HA group to the Internet, the internal network with its DNS server, and the administrators. DNS record examplegw.com=172.16.5.2; MX record fortimail.examplegw.com=172.16.5.2.]
Reconnect to the primary unit and go to System > Network > Interface. Set the port1 IP/Netmask to 172.20.2.20/255.255.255.0 (the Access settings for this step were not recovered).
Select OK.
Mode of Operation: master
On Failure: (value not recovered)
Primary Heartbeat: Use (interface not recovered); Local IP 10.0.0.1; Peer IP 10.0.0.2
Secondary Heartbeat: Use disabled
Daemon Configuration: Shared Password PassW0rd; Heartbeat, Configuration and Data settings not recovered
port5: (HA network interface setting not recovered)
Note: The backup unit HA daemon configuration settings control how the HA daemon
operates. For the initial configuration of the primary unit there is no need to change these
settings. However, after the HA group is operating you might want to change the primary
unit HA daemon configuration settings to control how the primary unit operates when it
becomes the new backup unit after a failover.
10 Optionally go to System > HA > Status to confirm that the primary unit configured
and effective operating modes are both set to MASTER. See Viewing and
changing HA status on page 302.
11 Reconnect to the backup unit and go to System > Network > Interface. Set the port1 IP/Netmask to 172.20.2.30/255.255.255.0 (the Access settings for this step were not recovered).
Select OK.
Mode of Operation: slave
Primary Heartbeat: Use (interface not recovered); Local IP 10.0.0.2; Peer IP 10.0.0.1
Secondary Heartbeat: Use disabled
Daemon Configuration: Shared Password (value not recovered); Heartbeat, Configuration and Data settings not recovered
10 Optionally go to System > HA > Status to confirm that the backup unit configured
operating mode is SLAVE. See Viewing and changing HA status on page 302.
Because the heartbeat interfaces are not connected, the backup unit cannot
connect to the primary unit so the backup unit assumes that the primary unit has
failed and switches the effective operating mode to MASTER.
Figure 154: Backup unit status page
11 Connect the port1 interfaces of the primary and backup FortiMail units to a switch
and connect the switch to the network that administrators would use to connect to
the HA group.
The port1 interface is used for administrator connections to the FortiMail unit.
Connect the port5 interfaces of the primary and backup FortiMail units to a switch
and connect the switch to the network that connects the FortiMail unit to the
Internet and to your email users.
The port5 interface is used for mail processing connections to the FortiMail unit.
Connect the port6 primary heartbeat interface of the primary and backup FortiMail
units together using a crossover Ethernet cable.
You can also use two regular Ethernet cables and a switch.
Configure the HA group in the same way as you would configure a standalone
FortiMail unit.
All configuration changes made to the primary unit are synchronized to the
backup unit.
Connect to the web-based manager of the backup unit by browsing to the actual
IP address of the backup unit port1 interface (https://172.20.2.30).
HA failover scenarios
This section describes some basic FortiMail active-passive HA failover scenarios.
For each scenario you can refer to the HA group shown in Figure 155. To simplify
the descriptions of these scenarios:
P1 identifies the FortiMail unit configured to be the primary unit (also called the
master) in the HA group.
B2 identifies the FortiMail unit configured to be the backup unit (also called the
slave) in the HA group.
[Figure 155: active-passive HA group used in the failover scenarios. port1 virtual IP 172.16.5.2; port1 IP 172.16.5.10; heartbeat link between the primary and backup units.]
Failover scenario: Network connection between primary and backup units fails
(remote service monitoring detects a failure)
The B2 primary heartbeat test detects that P1 (the primary unit) has failed.
How soon this happens depends on the HA daemon configuration of B2.
B2 sends an alert email similar to the following indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
[Alert email: Date sent, From, Subject and To headers; values not recovered]
B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
Turn off the P1 power switch, reconnect the power cable and then turn the power
switch back on.
P1 starts up and finds B2 operating as a primary unit. P1 switches its effective
operating mode to SLAVE.
P1 records the following log messages (among others) as this happens.
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: starting pre-amble"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: ** response from peer, setting to SLAVE mode"
The configured operating mode of P1 is MASTER and the effective operating
mode of P1 is SLAVE.
The configured operating mode of B2 is SLAVE and the effective operating mode
of B2 is MASTER.
P1 synchronizes the content of its MTA spool directories to B2. Email in these
directories can now be delivered by B2.
Connect to the B2 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
Connect to the P1 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
P1 should return to operating as the primary unit and B2 should return to
operating as the backup unit. You may have to repeat steps 4 and 5 a few times.
P1 and B2 synchronize their MTA spool directories again. All of the email in these
directories can now be delivered by P1.
The primary unit (P1) continues to operate as a primary unit. In fact P1 is not
aware that HA communication has been disrupted.
Two primary units connected to the same network may cause address conflicts on
your network because matching interfaces will have the same IP addresses. As
well, because the heartbeat link is interrupted the units in the HA group cannot
synchronize configuration changes or mail data changes.
Even after reconnecting the heartbeat link, both units will continue operating as
primary units. To return the HA group to normal operation you must connect to the
B2 web-based manager to restore B2 to operate as the backup unit.
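As an added example, not from the FortiMail guide, the following Python script parses HA event log lines in the key=value format shown in the scenarios above, follows each unit's effective operating mode from the monitord messages, and reports both the heartbeat-loss failover of the first scenario and the two-primary-units condition described here. The log text embedded in the script is constructed from the guide's format, not captured from a unit; the unit names P1 and B2 follow the guide.

```python
import re
from typing import Dict, List, Optional, Tuple

# One FortiMail event log line: "<date> <time> key=value ... msg="..."".
_TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$')
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def rejoin_wrapped(text: str) -> List[str]:
    """Merge continuation lines (no leading timestamp) into the preceding
    log line; the guide prints every message wrapped over several lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if _TS_RE.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw
    return lines


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict of its fields plus 'ts'."""
    m = _TS_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group(1)}
    for key, raw, quoted in _FIELD_RE.findall(m.group(2)):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def effective_role(msg: str) -> Optional[str]:
    """Effective HA role announced by a monitord message, else None.
    Only monitord is consulted: configd and backupd log 'entering master
    mode' (lowercase) even on a unit that is about to become SLAVE."""
    if not msg.startswith("monitord:"):
        return None
    if "assuming MASTER role" in msg or "entering MASTER mode" in msg:
        return "MASTER"
    if "setting to SLAVE mode" in msg:
        return "SLAVE"
    return None


def track_roles(logs: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """logs maps a unit name to its HA event log text. Returns each unit's
    final effective role and a list of findings (failover, split-brain)."""
    events = []
    for unit, text in logs.items():
        for line in rejoin_wrapped(text):
            f = parse_line(line)
            if f and f.get("subtype") == "ha":
                events.append((f["ts"], unit, f.get("msg", "")))
    events.sort(key=lambda e: e[0])  # stable sort keeps per-unit order

    roles: Dict[str, Optional[str]] = {u: None for u in logs}
    findings: List[str] = []
    for ts, unit, msg in events:
        if "being asked to assume original role" in msg:
            findings.append(f"{ts} {unit}: asked by peer to restore configured role")
            continue
        new = effective_role(msg)
        if new is None or new == roles[unit]:
            continue
        if new == "MASTER" and "peer stop responding" in msg:
            findings.append(f"{ts} {unit}: heartbeat lost, failing over to MASTER")
        roles[unit] = new
        findings.append(f"{ts} {unit}: effective role -> {new}")
        masters = sorted(u for u, r in roles.items() if r == "MASTER")
        if len(masters) > 1:  # two units acting as primary at once
            findings.append(f"{ts} split-brain: {' and '.join(masters)} both MASTER")
    return roles, findings


# Constructed sample logs in the guide's format (not captured from a unit).
P1_LOG = """
2009-11-30 13:00:00 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: ** response from peer, setting to SLAVE mode"
"""

B2_LOG = """
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
"""

if __name__ == "__main__":
    final_roles, notes = track_roles({"P1": P1_LOG, "B2": B2_LOG})
    for note in notes:
        print(note)
    print(final_roles)
```

Because P1 never logs a role change between 13:33 and 16:02, the script reports a split-brain at the moment B2 assumes MASTER, which is exactly the window in which matching interfaces on both units carry the same IP addresses; once P1's monitord logs "setting to SLAVE mode" the condition clears. Feeding both units' logs to a collector and alerting on the split-brain line is a cheap check for the heartbeat-link failure described above.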
The B2 HA heartbeat test detects that the primary unit has failed.
How soon this happens depends on the HA daemon configuration of B2.
B2 sends an alert email similar to the following indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
Date sent:
From:
Subject:
To:
B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
P1 sends an alert email similar to the following indicating that P1 has stopped
operating in HA mode.
Date sent:
From:
Subject:
To:
Connect to the B2 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
The HA group should return to normal operation. P1 records the following log
message (among others) indicating that B2 asked P1 to return to operating as the
primary unit.
2005-11-30 18:10:00 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: being asked to assume original role"
P1 and B2 synchronize their MTA spool directories. All of the email in these
directories can now be delivered by P1.
The power cable for the switch between P1 and B2 is accidentally disconnected.
B2 sends an alert email similar to the following indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
Date sent:
From:
Subject:
To:
B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
P1 sends an alert email similar to the following indicating that P1 has stopped
operating in HA mode.
Date sent:
From:
Subject:
To:
P1 synchronizes the content of its MTA spool directories to B2. Email in these
directories can now be delivered by B2.
The HA group can continue to operate with B2 as the primary unit and P1 as the
backup unit. However, you can use the following steps to restore each unit to its
configured operating mode.
Connect to the B2 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
Connect to the P1 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
P1 should return to operating as the primary unit and B2 should return to
operating as the backup unit. You may have to repeat steps 4 and 5 a few times.
P1 and B2 synchronize their MTA spool directories again. All of the email in these
directories can now be delivered by P1.
End-users are unlikely to even know their network has a FortiMail unit, much
less where to get documentation for it.
End-users will not know the mode in which the FortiMail unit is operating.
Administrators may not enable all the documented features (e.g. Bayesian
scanning, spam quarantine), leading to confusion when users try to access a
disabled feature.
Administrators know their end-users and may wish to tailor the information to
their end-users' needs.
For all these reasons, the basic end-user information is provided here so the
administrator can deliver what the end-user needs to know in a form best suited to
their situation.
These topics are included:
Introduction
To maximize the services provided by the FortiMail unit, the end-user needs to be
aware of the following features:
If you have collected non-spam email and want to train your personal Bayesian
database on the FortiMail unit, forward them to learn-is-not-spam@example.com from
your company email account. This ensures that similar email will not be tagged as
spam by the FortiMail unit in the future.
If you receive spam email that has not been caught and tagged by the FortiMail unit,
forward them to is-spam@yourcompany.com from your company email account to
ensure that similar email will be caught by the FortiMail unit in the future.
If you receive email that the FortiMail unit has incorrectly tagged as spam, forward
them to is-not-spam@yourcompany.com from your company email account to ensure
that similar email will not be tagged as spam by the FortiMail unit in the future.
If you belong to an email alias and receive a spam message sent to the alias address,
forward it to the FortiMail "is-spam" Bayesian account to train the database of the alias
address. Remember to enter the alias address in the "From" field instead of your own
email address.
To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [3 message(s) quarantined from Wed, 11 Jul 2007 11:00:01 to Wed, 11 Jul 2007 12:00:01]
Date: Wed, 11 Jul 2007 12:00:01 -0400
Date:
Subject:
From:
Message-Id:
Date:
Subject:
From:
Message-Id:
Date:
Subject:
From:
Message-Id:
Actions:
o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".
o) Delete a message:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".
o) Delete all messages:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0".
get the FortiMail unit host name or IP address from the administrator to set
your email gateway as the POP3 server.
get your FortiMail login user name and password from the administrator.
End-users are unlikely to even know their network has a FortiMail unit, much
less where to get documentation for it.
End-users will not know the mode in which the FortiMail unit is operating.
Administrators may not enable all the documented features (e.g. Bayesian
scanning, spam quarantine), leading to confusion when users try to access a
disabled feature.
Administrators know their end-users and may wish to tailor the information to
their end-users' needs.
For all these reasons, the basic end-user information is provided here so the
administrator can deliver what the end-user needs to know in a form best suited to
their situation.
These topics are included:
Introduction
To maximize the services provided by the FortiMail unit, the end-user needs to be
aware of the following features:
If you have collected non-spam email and want to train your personal Bayesian
database on the FortiMail unit, forward them to learn-is-not-spam@example.com from
your company email account. This ensures that similar email will not be tagged as
spam by the FortiMail unit in the future.
If you receive spam email that has not been caught and tagged by the FortiMail unit,
forward them to is-spam@yourcompany.com from your company email account to
ensure that similar email will be caught by the FortiMail unit in the future.
If you receive email that the FortiMail unit has incorrectly tagged as spam, forward
them to is-not-spam@yourcompany.com from your company email account to ensure
that similar email will not be tagged as spam by the FortiMail unit in the future.
If you belong to an email alias and receive a spam message sent to the alias address,
forward it to the FortiMail "is-spam" Bayesian account to train the database of the alias
address. Remember to enter the alias address in the "From" field instead of your own
email address.
get the FortiMail unit host name or IP address from the administrator to set
your email gateway as the POP3 or IMAP server.
get your FortiMail login user name and password from the administrator.
Index
A
access
discard 115, 141
access control
description 114
Access Control List (ACL) 29, 78
action 163
automatically update white list 49, 171
configuring 170
discard 48, 170
forward to email address 49, 171
quarantine 49, 171
quarantine for review 49, 171
reject 48, 170
tag email in header 48, 170
tag email in subject 48, 170
active-passive
HA 281
add to bridge
HA interface option 317
add virtual IP/netmask
HA interface option 317
address book
adding an 145
address book, global 145
address map 147, 158
creating 159
address verification 114
admin 38, 98
administrator
server mode 38, 97
administrator account
adding and editing 37, 96
advanced protection settings
description 115
advanced settings
configuring 120
description 115
alert email 61, 271
configuring 61, 272
example message 307
HA 297
selecting event categories 62, 272
sending for HA events 299
alert email, logging 61, 271
alias 147
antispam
banned word scan 19
Bayesian scan 18
black/white list 19
deep header scan 165
DKIM 182
DNSBL 18
DomainKeys 182
forged IP 17
FortiGuard Antispam 15
greylist 17
heuristic scan 18
PDF scan 245
profile 162
sender reputation 20
SHASH 15
spam quarantine 35, 209
SPF 182
SURBL 18
system quarantine 36, 219
whitelist word scan 19
antispam profile 162
antivirus
profile 171
update 80
antivirus definitions
HA 287
manually initiating updates 83
update 83
update from a file 83
antivirus update 80
appearance, web-based manager 125
archive 247
exempting spam from 251
policies 250
archived email
exporting 249
HA synchronization 289
using for Bayesian training 249
authentication
IMAP 175
LDAP 193
POP3 174
profile 173
Radius 174
SMTP 176
B
back up
Bayesian databases
all databases 231
global or group 227
user 229
black/white lists
domain 237
personal 238
system 236
dictionaries 192
mail queues 34, 145
system settings 29, 78
backup unit 281
banned word scan 19
basic 23
Bayesian accounts
configuring 230
Bayesian database training 44, 129
Bayesian databases
back up
all databases 231
global or group 227
user 229
repairing 231
reset
all databases 232
global or group 228
user 229
restore
all users 231
global or group 228
user 229
train
from archived email 249
global or group 227
user 228
training example 232
types 222
Bayesian scan 18
black/white list 19
action 238
backing up
domain 237
personal 238
system 236
configuring 235
hierarchy 239
restoring
domain 237
personal 238
system 236
blacklist action 238
bridge
add to bridge HA interface option 317
browsing reports 68, 278
C
CA 108
category
logging 62, 272
certificate
options 109
certificate authority 108
certificate request
downloading and submitting 110
clear
Bayesian databases
all databases 232
global or group 228
user 229
CLI 14
command line interface 14
config master
HA mode 310
config only
HA 281, 282
config slave
HA mode 310
configuration 291
HA Daemon status 305
HA synchronization 286
configuration example
HA 320
configured HA operating mode
using SNMP 300
configured operating mode
HA 303
content
profile 178
content monitor
profile 180
quarantine 36, 219
controller card 106
CPU Usage 25, 73
CSV 146
custom messages 123
customer service 22
customizing column views 58, 269
customizing the display of log messages 58, 269
CSV (Comma Separated Values) 151
D
daemon
HA 288, 313
HA daemon status 305
daily
update schedule 84
data
HA Daemon status 305
data striping 104
date and time
setting 96
Daylight Savings Time 37, 96
DDNS 44, 92
dead email list
managing 33, 144
dead mail queue
HA 289
deep header scan
Black IP scan 165
Header analysis 165
deferred queue
HA 289
managing 31, 141
definition
updating antivirus 83
deleting log files 61, 271
delivery status notification (DSN) 33, 115, 121, 144
delivery status notification email 33, 144
DHCP 42, 85, 92
dictionary profile 185
category 187
creation steps 186
dictionary 188
E
effective HA operating mode
using SNMP 300
effective operating mode
HA 303
email
HA alert email 297
how FortiMail handles 113
email access
configuring 139
email access control
description 114
email address map 158
creating 159
email archiving
configuring settings 247
policies 250
setting exempt policies 251
email domains
description 113
email routing
configuring 43, 94
email settings 113
email users
creating 151
emptying a log file 60, 270
end-user guide
gateway and transparent modes 339
server mode 345
Error Correcting Code (ECC) 107
event log 54, 264
expire
system status 74
export
archived email 249
Extended Simple Mail Transfer Protocol (ESMTP) 122
F
factory defaults 27, 30, 76, 79
failed queue
HA 289
managing 33
failover
email data 289
HA 285, 327
failover messages 100
FDN 95
connecting to 83
testing connection to 83
firmware
changing the firmware on an operating cluster 301
upgrading to a new version 75
firmware version
reverting to a previous 76
upgrading 75
forged IP 17
FortiAnalyzer unit
logging 257
FortiGuard Antispam 15
HA 287
FortiGuard Antivirus
HA 287
FortiGuard Distribution Network 80
FortiGuard Distribution Network (FDN) 80, 83
FortiGuard Distribution Server 80
FortiGuard-Antispam
configuring 221
FortiMail
configuration and management 14
key features 12
FortiMail 2000 40, 91, 103
FortiMail 2000A 40, 91
FortiMail 400 40, 91, 103
FortiMail 4000 103
FortiMail 4000A 40, 91
FortiMail firmware 26, 75
installing 26, 75
FortiMail SMTP server 46, 117
FortiMail unit
registering 83
G
gateway mode 28, 77
MX record 114
global address book 145
greylist 17
configuring 240
search 241
H
HA 281, 289, 320
active-passive 281
active-passive configuration synchronization 282
adding an IP address to an interface 291
alert email 297
alert email for HA events 299
antivirus definitions 287
archived email synchronization 288
backup unit 281
backup unit configuration 325
backup unit monitors remote services 319
changing an interface IP address in HA mode 294
changing FortiMail firmware 301
changing status 302
config only 281, 282
config only configuration synchronization 282
config only HA heartbeat and synchronization 285
config only HA interface configuration 291, 295
config only interface configuration 287
config only master configuration options 318
config only operating mode 302
config only overview 282
config only peer systems options 317
configuration 314
configuration not synchronized 287
configuration options 307
configuration synchronization 286, 314, 327
configuration synchronization options 314
configured operating mode 303
configuring an HA group 327
connecting an HA group to your network 326
daemon options 288, 313
daemon status 305
data synchronization 288
dead mail queue 289
deferred queue 289
effective operating mode 303
example 320
example alert email 307
example log message 307
example virtual IP configuration 293
failed queue 289
failover 285
failover email data 289
I
image spam scan 167
IMAP
server authentication 175
interface
configuring 91
configuring for HA 291
DHCP 85
HA heartbeat 286
interface address
resetting 30, 79
interface configuration
K
key size
certification 110
key type
certificate 110
known peers
HA config only option 318
L
language
web-based manager 97
layer 2 bridge 40, 91
LCD control pane 96
LDAP
profile 193
user profiles 137
LDAP server 132
local certificate
options 109
local hard drive monitoring
HA 320
local IP
HA 312
local network interface monitoring
HA 320
log
message levels 53, 254
messages 55, 265
log files
downloading 59, 270
log message
example 307
log messages
accessing 55, 265
searching 56, 266
logging
alert email 61, 271
alert email, selecting event categories 62, 272
category 62, 272
customizing column view 58, 269
customizing column views 58, 269
deleting log files 61, 271
downloading a report 69, 279
downloading log files 59, 270
emptying a log file 60, 270
FortiAnalyzer unit 257
HA 297
hard disk 254
log information about history, event, antispam, and antivirus 262
M
mail data
HA synchronization 288
mail directory
system 289, 315
mail queues
back up and restore 34, 145
dead email 33, 144
deferred 31, 141
failed 33
spam 32, 143
mail settings 113
configuring 113
mail statistics
viewing 25, 73
mail user
adding 152
change 152
display name 152
maintenance
Bayesian database back up
all databases 231
global or group 227
user 229
Bayesian database restore
all databases 231
global or group 228
user 229
black/white list back up
domain 237
personal 238
system 236
black/white list restore
domain 237
personal 238
system 236
dictionary back up and restore 192
mail queue back up and restore 34, 145
management access 41, 91
management IP 41, 91
configuring 95
manual
virus definition updates 83
master
HA mode 310
master configuration
HA config only 318
master unit 281
matched policies 90
maximum transmission unit (MTU) 42, 93
messages with viruses
treating as spam 167
messages, log 55, 265
mgmt
HA interface option 315
mirrored array 104
misc profile 176
mode of operation
HA 310
mode status
HA 303
monitor
HA 285
HA Daemon status 305
monitoring services
for HA 288, 318
MTA spool directories
synchronizing 289, 315
MX record 44, 89, 114, 129
preference number 89
MX record configuration 44, 129
N
NAS server 128
NAS server for mail data
HA 300
NAT device 86
network 89
configuring 94
Network Attached Storage (NAS) 127
network configuration
config only HA mode 295
network deployment 89
network interface
configuring for HA 291
Network Time Protocol (NTP) 37, 96
network utilization 25, 73
new peer
HA config only option 318
next hop router 43, 95
NFS 127
O
off
HA mode 310
on failure
HA 311
on HA failure
switch off 311
wait for recovery and then assume slave role 311
wait for recovery then restore original role 311
operating mode
changing 28, 77
P
password
shared HA password 313
PDF scan 245
configuring 167
peer IP
HA 312
peer systems
HA config only 317
PIN (Personal Identification Number) 97
pipelining 183
policy
archive 250
defined 199
IP-based 204
IP-based, gateway mode 204
IP-based, server mode 206
IP-based, transparent mode 207
recipient-based 200
recipient-based, server mode 203
recipient-based, transparent and gateway modes
incoming 200
outgoing 202
POP service
monitoring for HA 318
POP3
monitoring for HA 318
server authentication 174
port 8890 80
port 9443 80, 86
primary heartbeat
HA 311
primary unit 281
product logo 122
profile 161
antispam 162
antivirus 171
authentication 173
content 178
content monitor 180
dictionary 185
IP pool 197
LDAP 193
misc 176
session 181
protocol
system status 74
proxy
configuring 147
push update
enabling 85
FortiMail IP addresses change 85
through a NAT device 86
push updates
enabling 85
Q
quarantine
spam 35, 209
system 36, 219
quarantine to review. See quarantine, system
quarantined email
HA synchronization 289
managing 209
managing in basic mode 34
R
Radius
server authentication 174
RAID 90
configuring 103
mirrored array 104
striped array 104
RAID 0 104
RAID 1 104
RAID 10 103, 104
RAID 10 + hot spare 104
RAID 5 104
RAID 50 104
RAID 50 + hot spare 104
RAID controller card 106
RAID levels 89, 103
read & write
administrator 38, 39, 98, 99
read & write access level
administrator account 37, 82, 96
read only
administrator 38, 39, 98, 99
read only access level
administrator account 37, 96
reading log messages 55, 265
recipient address verification 114
recipient-based policy 200
in server mode 203
in transparent and gateway modes
incoming 200
outgoing 202
Redundant Array of Independent Disks (RAID) 90
register
FortiMail Server 83
reject
domain access 115, 141
relay
domain access 31, 32, 33, 115, 141, 142, 143, 144
relay email 114
remote administration 92
remote service monitoring
HA 319
remote services
monitored by the HA backup unit 319
repair
Bayesian databases 231
replacement messages 115, 123
custom 123
report
spam
HTML format 215
text format 213
reports
browsing 68, 278
browsing reports 68, 278
configuring a report profile, domains 66, 276
configuring a report profile, incoming & outgoing 66, 276
configuring a report profile, output 66, 277
configuring a report profile, query selection 64, 275
configuring a report profile, schedule 65, 275
configuring a report profile, time period 64, 274
configuring reports 63, 273
downloading 69, 279
on demand 63, 273
roll up 69, 279
viewing reports 67, 277
reset
Bayesian databases
all databases 232
global or group 228
user 229
restart
primary unit 306
restore
Bayesian databases
all users 231
global or group 228
user 229
black/white lists
domain 237
personal 238
system 236
factory defaults 30, 79
mail queues 34, 145
system settings 30, 79
RFC 1869 122
routing
static 43, 94
S
scheduled updates
enable 84
secondary heartbeat
HA 312
secured SMTP (SMTPS) 45
send alert email for HA events 299
send SNMP trap for HA event 299
sender reputation 243
sender validation
DKIM 182
DomainKeys 182
SPF 182
server mode 28, 41, 77, 92
email user 152
status
HA 302
viewing and changing HA status 302
SMTP requests, incoming 142
storing mail data on a NAS server
HA 300
striped array 104
subdomain 44, 129, 159
subject information
certificate 110
support
customer service and technical 22
SURBL 18
switch off
on HA failure 311
syn interval 37, 96
synchronization
HA 288
synchronization interface
HA 286, 311
syslog server
disk space 258
logging to 256
system
changing options 96
setting date and time 96
status 71
system date and time
setting 96
system mail directory
synchronizing 289, 315
system options
changing 96
system settings
backing up 29, 78
restoring 30, 79
restoring to factory defaults 30, 79
system status 83
system update 83
T
technical support 22
time and date
setting 96
time zone 37, 96
to IP
system status 74
to port
system status 74
train
Bayesian databases
global or group 227
user 228
transparent mode 28, 41, 77, 91, 95
treat remote services as heartbeat
HA 313
trusted host 40, 100
U
unknown servers
configuring SMTP options for 148, 183
update
antivirus 80
antivirus definitions 83
antivirus definitions, from a file 83
enabling push updates 85
enabling push updates through a NAT device 86
hourly 84
logging 84
manual virus definition update 83
weekly 84
upgrade
firmware 75
upgrading firmware
on an HA cluster 301
user alias
creating 157
user groups
creating 156
user guide
gateway and transparent modes 339
server mode 345
user home directories
synchronizing 289, 315
user name 152
group 157
V
verification of recipient addresses 114
viewing 58, 269
viewing reports 67, 277
virtual IP
DNS settings 292
example HA virtual IP configuration 293
firewall settings 292
HA 291
outgoing traffic 292
virus definition
manual update 83
virus status
view 74
W
wait for recovery and then assume slave role
on HA failure 311
wait for recovery then restore original role
on HA failure 311
web service
monitoring for HA 318
web-based manager
customizing appearance 125
introduction 14
language 97
weekly
update 84
Whitelist word scan 19