
ADMINISTRATION GUIDE

FortiMail Secure Messaging Platform


Version 3.0 MR3

www.fortinet.com

FortiMail Secure Messaging Platform Administration Guide


Version 3.0 MR3
27 March 2008
06-30003-0154-20080327
Copyright 2008 Fortinet, Inc. All rights reserved. No part of this
publication including text, examples, diagrams or illustrations may be
reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web,
FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect,
FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries.
The names of actual companies and products mentioned herein may be
the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS

CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type.


Dispose of Used Batteries According to the Instructions.

Contents

Introduction
About the FortiMail unit
Operation mode
Key features
Configuration and management
About FortiMail antispam solutions
FortiGuard-Antispam service
FortiMail antispam techniques
About this document
Document conventions
Typographic conventions
FortiMail documentation
Fortinet Tools and Documentation CD
Fortinet Knowledge Center
Comments on Fortinet technical documentation
Customer service and technical support

FortiMail basic mode
Management
Status page
Mail statistics
Mail queues
Backing up and restoring mail queues
Quarantine
Spam quarantine
System Quarantine
Settings
Config
Network
Domains
Antispam
Log & Report
FortiMail logging
Logs
Viewing log messages
Searching log messages
Customizing the column views
Managing log files
Alert Email
Reports
Viewing reports
Browsing reports
Downloading a report
Quick Start Wizard

FortiMail unit status and maintenance
Viewing the Status page
Viewing mail statistics
Viewing the session list
Changing the FortiMail firmware
Upgrading to a new firmware version
Reverting to a previous firmware version
Restarting and shutting down the FortiMail unit
Changing the FortiMail operation mode
Determining the best operation mode
Important configuration tips for FortiMail transparent mode
Backing up and restoring the configuration
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Configuring antivirus updates from the FDN
Registering the FortiMail unit
Connecting to the FortiGuard Distribution Network
Manually initiating antivirus definitions updates
Updating antivirus definitions from a file
Scheduling updates
Enabling push updates

Configuring FortiMail system settings
What are system settings
Network settings
Administration
RAID settings
Certificates
Configuring the interfaces
Interface settings
Configuring DNS
Configuring DDNS
Configuring routing
Route entry
Configuring management IP (transparent mode)
Management IP (transparent and gateway)
Setting system date and time
Configuring administration
Changing configuration options
Administrators and permission levels
Adding an administrator account
Configuring the SNMP Agent
Configuring an SNMP Community
Configuring RAID levels
RAID levels
Configuring RAID for a FortiMail-400 unit
Configuring RAID for FortiMail-2000, FortiMail-2000A, or FortiMail-4000A units
Generating a certificate
Local certificate
Generating a certificate request
Downloading and submitting a certificate request
Importing separate server certificate and private key files

Configuring Mail Settings
How the FortiMail unit handles email
Email domains
Recipient address verification
Access control
Customizing messages and appearance
Advanced protection settings
Configuring basic email server settings
SMTP Authentication (gateway and transparent modes)
Notifying users
Configuring advanced settings
Customizations
Adding disclaimers to email
Configuring custom replacement messages
Editing the custom replacement message
Customizing FortiMail web pages
Configuring storage settings
Configuring domains (transparent and gateway modes)
Creating a new email domain (transparent and gateway modes)
Configuring domains (server mode)
Creating a new email domain (server mode)
Editing an existing email domain (server mode)
Configuring email access
Access settings
Managing mail queues
Managing the Deferred queue
Managing the Spam queue
Managing the Dead email list
Backing up and restoring mail queues
Adding address books (server mode)
Configuring proxies (transparent mode)
Configuring SMTP proxy settings

Configuring users
Creating email users (server mode)
Webmail user preferences
Edit mail user Webmail preferences (transparent mode)
Creating user groups
Creating user aliases
Creating address maps
Address Maps
Creating an Address Map

Creating email filtering and control profiles
What is a profile
How to use profiles
How to create profiles
Creating antispam profiles
Creating antivirus profiles
Creating authentication profiles (transparent and gateway modes)
Creating misc profiles (server mode)
Creating content profiles
Creating session profiles
Creating dictionary profiles
Creating LDAP profiles
Creating IP pool profiles

Creating email filtering and control policies
What is a policy
How to use policies
How to create recipient-based email policies
Creating incoming recipient-based policies (transparent and gateway)
Creating outgoing recipient-based policies (transparent and gateway)
Creating recipient-based policies for email users (server mode)
How to create IP-based email policies
Creating IP-based policies (gateway mode)
Creating IP-based policies (server mode)
Creating IP-based policies (transparent mode)

Configuring antispam settings
Managing the spam quarantine
Spam quarantine
Searching the quarantined spam
Releasing and deleting quarantined spam
Scheduling spam reports
Example: FortiMail spam release and delete
Workflow
Enabling spam quarantine
Applying antispam profiles
Configuring web release
Configuring email release
Managing the system quarantine
System Quarantine
Using the FortiGuard-Antispam service
Configuring the FortiGuard-Antispam service
Training Bayesian databases
Bayesian database types
Initial training of the Bayesian databases
Managing Bayesian databases
Configuring Bayesian control accounts
Maintaining Bayesian databases
Example: FortiMail Bayesian training
Example company
Training user groups
Setting up Bayesian control accounts
Configuring black and white lists
Configuring system black and white lists
Configuring domain black and white lists
Configuring session black and white lists
Configuring personal black and white lists
Configuring the black list action
Maintaining black and white lists
Black and white list hierarchy
Configuring greylist
Configuring greylist settings
Searching greylist entries
Configuring greylist exempt entries
Viewing the greylist
Configuring sender reputation
Viewing the sender reputation table
Configuring PDF scanning

Archiving email
Configuring email archiving settings
Managing archived email
Setting archiving policies
Setting exempt policies

Logging and reporting
FortiMail logging
Log message levels
Storing logs
Logging to the hard disk
Logging to a Syslog server
Logging to a FortiAnalyzer unit
Logging to multiple logging devices
Logging to different devices
Logs
History logs
Event logs
Antispam logs
Antivirus logs
Viewing log messages
Searching log messages
Customizing the column views
Downloading log files
Emptying a log file
Deleting log files
Alert Email
Configuring alert email
Selecting event categories
Reports
Configuring Reports
Configuring a report profile
Viewing reports
Browsing reports
Downloading a report

Configuring and operating FortiMail HA
FortiMail active-passive HA
FortiMail config only HA
Mixing FortiMail models in a FortiMail HA group
HA heartbeat and synchronization
Configuring the HA heartbeat and synchronization interface
Synchronizing the FortiMail configuration
Synchronizing FortiMail mail data
FortiMail MTA spool directory synchronization after a failover
HA network interface configuration in master mode
Adding an IP address to an HA group interface using HA virtual IP addresses
Changing the IP address of an HA group interface
Removing an interface from an HA group
Example config only HA network interface configuration
HA log messages, alert email, and SNMP
Recording HA log messages on the primary and backup unit hard disks
Sending HA log messages to a remote syslog server
Sending alert email for HA events
Sending SNMP traps for HA events
Getting the HA information using SNMP
HA and storing FortiMail mail data on a NAS Server
Active-passive HA and storing mail data on a NAS server
Config only HA and storing mail data on a NAS server
Changing the FortiMail firmware for an operating HA group
Viewing and changing HA status
Viewing HA mode status
Viewing HA Daemon status
Forcing the HA group to synchronize configuration and mail data
Resetting a FortiMail unit to its configured HA operating mode
Restarting the HA processes on a stopped primary unit
Contents

Configuring HA options ................................................................................ 307


HA Main configuration options ..................................................................
HA daemon configuration options.............................................................
HA interface configuration in master mode options (active-passive HA) ..
HA peer systems options (config only HA primary unit)............................
HA master configuration options (config only HA backup units) ...............

310
313
315
317
318

Configuring active-passive HA service monitoring ................................... 318


Configuring the backup unit to monitor remote services on the primary unit ...
319
Configuring HA primary unit local services monitoring to monitor network
interfaces and hard drives......................................................................... 320
FortiMail HA configuration examples .......................................................... 320
Gateway mode active-passive HA configuration ...................................... 320
HA failover scenarios.................................................................................... 327
Failover scenario: Temporary failure of the primary unit........................... 328
Failover scenario: primary heartbeat link fails........................................... 330
Failover scenario: Network connection between primary and backup units fails
(remote service monitoring detects a failure) ............................................ 334

End-user guide (GW & TP modes) ............................................... 339


Introduction.................................................................................................... 340
Training Bayesian databases ....................................................................... 340
Accessing quarantined email....................................................................... 341
Using FortiMail webmail ............................................................................ 341
Using the daily spam summary report ...................................................... 341
Setting up a POP3 user account............................................................... 342
Managing tagged spam................................................................................. 342
Sending email remotely through the FortiMail unit.................................... 343

End-user guide (server mode) ...................................................... 345


Introduction.................................................................................................... 346
Training Bayesian databases ....................................................................... 346
Accessing quarantined email....................................................................... 347
Using FortiMail webmail ............................................................................ 347
Setting up POP3/IMAP user account........................................................ 347
Receiving tagged email through the inbox................................................ 347

Index................................................................................................ 349


Introduction
This section introduces you to the FortiMail Secure Messaging Platform
(FortiMail unit) and the following topics:

- About the FortiMail unit
- About FortiMail antispam solutions
- About this document
- FortiMail documentation
- Customer service and technical support

About the FortiMail unit


The FortiMail unit is an integrated hardware and software solution that provides
powerful and flexible logging and reporting, antispam, antivirus, and email
archiving capabilities to incoming and outgoing email traffic. The FortiMail unit has
reliable and high-performance features for detecting and blocking spam
messages and malicious attachments. Built on Fortinet's FortiOS, the FortiMail
antivirus technology extends full content inspection capabilities to detect the most
advanced email threats.

Operation mode
You can install the FortiMail unit in gateway, transparent, or server mode. For
information about setting up the FortiMail unit in each mode, see the FortiMail
Installation Guide.

Gateway mode
In gateway mode, the FortiMail unit can effectively protect your email server by
scanning the SMTP traffic for viruses and spam messages. It can also archive
email for backup and monitoring purposes. The FortiMail unit integrates into your
existing network with only minor changes to your network configuration.
You can configure your firewall or DNS server to ensure that incoming SMTP
traffic goes through the FortiMail unit before reaching the email server. Optionally,
you can configure your email server to use the FortiMail unit as the relay server
for outgoing SMTP traffic.

Transparent mode
In transparent mode, the FortiMail unit provides seamless integration into existing
network environments. You can place the FortiMail unit in front of the existing
email server without any changes to the existing network topology. This means
that all of its interfaces are on the same IP subnet and that it appears to other
devices as a bridge. Alternatively, you can configure the FortiMail unit as a
combination of a bridge and a router by assigning IP addresses to some of its
interfaces. In this case, the FortiMail interfaces can be on different subnets.


The FortiMail unit in transparent mode provides a flexible and versatile SMTP
email scanning solution.

Server mode
In server mode, the FortiMail unit provides basic email server functionality by
supporting webmail, SMTP, POP3, and IMAP. In addition, the FortiMail server
provides antivirus, antispam, email archiving, and logging and reporting services.

Key features
In each mode, the FortiMail unit can scan email for viruses and spam. Its log files
record antivirus incidents, antispam incidents, and configuration changes. The
FortiMail unit can also archive incoming and outgoing email for backup or
monitoring purposes.

Gateway and transparent modes


In gateway and transparent modes, the FortiMail unit provides:

- Multiple email domain support
- Tiered administration accounts
- HA support
- SMTP mail gateway for existing email servers
- Integrated policy-based email routing and queue management
- Outbound mail relay for improved email security
- Granular layered detection policies for spam and viruses
- Antivirus replacement messages for notification
- Spam quarantine and spam tagging
- Spam management (accept, relay, reject or discard) based on email
  addresses, IP addresses, or domains
- Per user antivirus and antispam scanning using LDAP attributes on a per
  policy (domain) basis
- LDAP-based email routing
- Spam quarantine access with webmail and POP3
- Periodic quarantine summaries
- Policy-based email archiving of inbound and outbound messages with backup
  support for remote storage
- Comprehensive email monitoring, logging, and reporting
- Mail queue support for failed, deferred, and undeliverable email
- SMTP authentication support through LDAP, RADIUS, POP3 or IMAP
- Per user automatic white list

Server mode
In server mode, the FortiMail unit provides all features listed in transparent and
gateway modes plus the following:

- POP3, SMTP, and IMAP email services
- SMTP over SSL support
- Disk quota policy support for user accounts
- Secure webmail client access
- User, group, and alias list support
- Local account and LDAP authentication
- Bulk folder support for spam

Antivirus protection
The FortiMail unit provides the following antivirus services:

- SMTP message virus scanning
- Compressed attachment and nested archive support
- Infected files quarantine
- Replacement message notification
- File size block
- Attachment filtering

Denial-of-service protection
The FortiMail unit provides the following denial-of-service protection:

- Denial of service (mail bombing)
- Recipient address attack
- Email rate limit
- Reverse DNS check (anti-spoofing)

FortiMail virus and spam detection


The FortiMail unit uses the following virus and spam detection technologies:

- FortiClient antivirus engine and signatures, including legacy virus detection
- Automatic update of antivirus and attack signatures through FortiGuard global
  network
- Complete email scanning: header, body, raw body, URI, and meta information
- Advanced spam detection and filtering methods:
  - Access policy filtering
  - Content filtering
  - Greylisting message senders
  - Image spam scanning
  - PDF attachment scanning
  - System, domain, and user black/white list filtering
  - DNS Block List (DNSBL) filtering
  - Sender reputation throttling and filtering
  - Spam URI Realtime Block List (SURBL)
  - FortiGuard-Antispam filtering (advanced multi-layered black list technology)
  - Per unit, per domain, and per user Bayesian filtering
  - Heuristic filtering (over 5000 rules)
  - DKIM signing and checking and DomainKeys checking
  - Sender Policy Framework (SPF) checking

FortiMail logging and reporting


The FortiMail unit provides the following logging and reporting capabilities:

- Configuration change and management event logging
- Antivirus incident logging
- Antispam activity logging
- External or local syslog server support
- Expanded central reporting with FortiReporter support
- Critical events and virus incident alerting
- Comprehensive reporting with over 140 reports in seven categories
- Scheduled report generation

Configuration and management


Once you set up the FortiMail unit, you can configure and manage it with the
web-based manager or the command line interface (CLI). For information about
connecting and setting up the FortiMail unit, see the FortiMail Installation Guide,
or the FortiMail QuickStart Guide.

Web-based manager
You can select one of two modes, basic or advanced, to configure FortiMail
settings. If you are a new administrator, use the basic management mode to
configure a limited number of essential features. Once you have gained
experience and require advanced features, use the advanced management mode
to access all configuration options. The basic management mode displays by
default to new admin users. This document details the basic management mode
in the chapter "FortiMail basic mode" on page 23. All other chapters detail the
advanced management mode.
You can also use the web-based manager to monitor the status of the FortiMail
unit. Configuration changes made using the web-based manager take effect
immediately without resetting the unit or interrupting service. Once you are
satisfied with a configuration, you can download and save it. The saved
configuration can be restored at any time.

Command line interface


You can access the FortiMail CLI by connecting a management computer serial
port to the FortiMail unit console connector. You can also use Telnet or a secure
SSH connection to connect to the CLI from any network that is connected to the
FortiMail unit, including the Internet.
The CLI supports the same configuration and monitoring functionality as the
web-based manager. In addition, you can use the CLI for advanced configuration
options that are not available from the web-based manager.
See the FortiMail CLI Reference for complete details and command descriptions.


About FortiMail antispam solutions


Spam detection is a key feature of the FortiMail unit. The feature is based on two
tiers of spam defense: Fortinet's FortiGuard-Antispam service and FortiMail
antispam techniques. Each tier plays an important role in separating spam from
legitimate email. FortiGuard-Antispam delivers a highly-tuned managed service
for the classification of spam while the FortiMail unit offers superior antispam
detection and control technologies.
For information about how the FortiMail unit uses antispam techniques, see
"Creating email filtering and control profiles" on page 161 and "Configuring
antispam settings" on page 209.

FortiGuard-Antispam service
The FortiGuard-Antispam service is a Fortinet-managed service that provides a
three-phase approach to screening email messages. The first phase is a DNS
Block List (DNSBL), which is a living list of known spam origins. The second
phase is an in-depth email screening based on a Uniform Resource Identifier
(URI) contained in the message body, commonly known as Spam URI Realtime
Blackhole Lists (SURBLs). The third phase is the FortiGuard-Antispam Spam
Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a
hash of an email to the FortiGuard-Antispam server, which compares the hash to
hashes of known spam messages stored in the FortiGuard-Antispam database. If
the hash results match, the email is flagged as spam.
For information on configuring the FortiGuard-Antispam service, see "Using the
FortiGuard-Antispam service" on page 221.

FortiGuard-Antispam DNSBL
To achieve up-to-date real-time identification, the FortiGuard-Antispam service
uses globally distributed spam probes that receive over one million spam
messages per day. The FortiGuard-Antispam service uses multiple layers of
identification processes to produce an up-to-date list of spam origins. To further
enhance the service and streamline performance, the FortiGuard-Antispam
service continuously retests each of the known identities in the list to determine
the state of the origin (active or inactive). If a known spam origin has been
decommissioned, the FortiGuard-Antispam service removes the origin from the
list, thus providing customers with both accuracy and performance.
The FortiMail FortiGuard-Antispam DNSBL scanning process works this way:

1. Incoming email (SMTP) connections are directed to the FortiMail unit.
2. Upon receiving the inbound SMTP connection request, the FortiMail unit extracts
   the source information (sending server's domain name and IP address).
3. The FortiMail unit transmits the extracted source information to Fortinet's
   FortiGuard-Antispam service using a secure communication method.
4. The FortiGuard-Antispam service checks the sender's source information against
   its DNSBL database of known spam sources and sends the results back to the
   FortiMail unit.
5. The results are cached on the FortiMail unit.
   - If the results identify the source as a known spam source, the FortiMail unit
     acts according to its configured policy.
   - The cache on the FortiMail unit is checked for additional connection attempts
     from the same source. The FortiMail unit does not need to contact the
     FortiGuard-Antispam service if the results of a previous connection attempt are
     cached.
   - Additional connection requests from the same source do not need to be
     submitted to the FortiGuard-Antispam service again because the classification
     is stored in the system cache.

Once the incoming connection has passed the first pass scan (DNSBL), and has
not been classified as spam, it will then go through a second pass scan (SURBL)
if the administrator has configured the service.

FortiGuard-Antispam SURBL
To detect spam based on the message body URIs (usually web sites), Fortinet
uses FortiGuard-Antispam SURBL technology. Complementing the DNSBL
component, which blocks messages based on spam origin, SURBL technology
blocks messages that have spam hosts mentioned in message bodies. By
scanning the message body, SURBL is able to determine if the message is a
known spam message regardless of origin. This augments the DNSBL technology
by detecting spam messages from a spam source that may be dynamic, or a spam
source that is as yet unknown to the DNSBL service. The combination of both
technologies provides a superior managed service with higher detection rates
than traditional DNSBLs or SURBLs alone.
The FortiMail FortiGuard-Antispam SURBL scanning process works this way:

1. After accepting an incoming SMTP connection (passed first pass scan), the email
   message is received.
2. After an incoming SMTP connection has passed the DNSBL scan, the FortiMail
   unit accepts delivery of email messages.
3. The FortiMail unit generates a signature (URI) based on the contents of the
   received email message.
4. The FortiMail unit transmits the signature to the FortiGuard-Antispam service.
5. The FortiGuard-Antispam service checks the email signature against its SURBL
   database of known signatures and sends the results back to the FortiMail unit.
6. The results are cached on the FortiMail unit.
   - If the results identify the signature as known spam email content, the FortiMail
     unit acts according to its configured policy.
   - Additional connection requests with the same email signature do not need to
     be re-classified by the FortiGuard-Antispam service, and can be checked
     against the classification in the system cache.
   - Additional messages with the same signature do not need to be submitted to
     the FortiGuard-Antispam service again because the signature classification is
     stored in the system cache.

Once the message has passed both phases (DNSBL and SURBL), it goes to the
next layer of defense, the FortiMail unit, which includes additional spam
classification technologies.


FortiMail antispam techniques


The FortiMail unit uses multiple sophisticated antispam technologies that
complement the Fortinet FortiGuard-Antispam service, substantially minimizing
and neutralizing threats generated from spam. The FortiMail unit can operate as a
stand-alone antispam system, or as the second layer of Fortinet's multi-layered
antispam solution, to screen both incoming and outgoing email.
By scanning outgoing email, the FortiMail unit can eliminate the possibility of an
employee or a compromised system sending spam email, to avoid the blacklisting
of the organization by DNSBL services.
The FortiMail antispam techniques for incoming email include:

- Forged IP scanning
- Greylist scanning
- DNSBL scanning
- Deep header scanning
- SURBL scanning
- Bayesian scanning
- Heuristic scanning
- Image spam scanning
- PDF scanning
- Locally-administered black/white lists
- Banned word scanning
- Dictionary scanning
- Whitelist word scanning
- Sender reputation

Forged IP scanning
When the FortiMail unit receives an email message, it converts the sender's IP
address to a canonical hostname. The FortiMail unit then compares all of the
officially listed IP addresses for that hostname with the sender's IP address. If the
sender's IP address is not found, the FortiMail unit considers the IP address and
hostname to be forged and treats the email as spam. For more information, see
"Forged IP scan" on page 164.
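
The check described above is a forward-confirmed reverse DNS lookup. The following Python sketch is an added example, not FortiMail code; the resolver classes, the separate "no-ptr" outcome for clients without a reverse record (the guide does not say how that case is handled), and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import socket


class SystemResolver:
    """Live lookups through the operating system's resolver."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]   # canonical hostname from the PTR record
        except OSError:                          # herror/gaierror: no reverse record
            return None

    def addresses(self, hostname):
        try:
            infos = socket.getaddrinfo(hostname, None)
        except OSError:
            return []
        # sockaddr[0] is the address; drop any IPv6 zone suffix such as "%eth0"
        return sorted({info[4][0].split("%")[0] for info in infos})


class StaticResolver:
    """Offline resolver backed by constructed PTR and A/AAAA records."""

    def __init__(self, ptr, forward):
        self.ptr = ptr
        self.forward = {name.lower(): addrs for name, addrs in forward.items()}

    def reverse(self, ip):
        return self.ptr.get(ip)

    def addresses(self, hostname):
        return self.forward.get(hostname.lower().rstrip("."), [])


def forged_ip_check(client_ip, resolver):
    """Return (verdict, hostname) for the connecting SMTP client.

    "ok"     : the hostname from the PTR record lists the client IP
    "forged" : the PTR names a host whose address records do not include the IP
    "no-ptr" : no reverse record at all (outcome added here as an assumption)
    """
    ip = ipaddress.ip_address(client_ip)
    hostname = resolver.reverse(str(ip))
    if not hostname:
        return ("no-ptr", None)
    listed = {ipaddress.ip_address(a) for a in resolver.addresses(hostname)}
    return ("ok" if ip in listed else "forged", hostname)


# Constructed records. The owner of 198.51.100.66 controls its own reverse zone
# and can make the PTR claim any name, but cannot change what mail.example.com
# resolves to, which is why the forward lookup is the deciding step.
SAMPLE_DNS = StaticResolver(
    ptr={
        "192.0.2.10": "mail.example.com",
        "198.51.100.66": "mail.example.com",
    },
    forward={"mail.example.com": ["192.0.2.10", "192.0.2.11"]},
)

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.66", "203.0.113.9"):
        print(client, forged_ip_check(client, SAMPLE_DNS))
```

Pass SystemResolver() instead of SAMPLE_DNS to run the same check against live DNS.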

Greylist scanning
Greylist scanning blocks spam based on the behavior of the sending server,
rather than the content of the messages. When receiving an email from an
unknown server, the FortiMail unit will temporarily reject the message. If the mail
is legitimate, the originating server will try to send it again later, at which time the
FortiMail unit will accept it. Spam senders rarely attempt a retry. For more
information, see "Configuring greylist" on page 240.
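
The accept-on-retry behavior can be modeled in a few lines. This Python sketch is an added example, not FortiMail code; the lookup key (client network, sender, recipient), the 451 reply code, the minimum retry delay, and the expiry times are assumptions taken from common greylisting practice, and the SMTP attempts are constructed.

```python
import ipaddress


class Greylist:
    """Temporarily reject unknown senders and accept them when they retry."""

    def __init__(self, min_delay=300, pending_ttl=4 * 3600, pass_ttl=30 * 86400):
        self.min_delay = min_delay        # seconds a sender must wait before retrying
        self.pending_ttl = pending_ttl    # how long a first attempt is remembered
        self.pass_ttl = pass_ttl          # how long a sender that retried stays known
        self.pending = {}                 # key -> time of first attempt
        self.passed = {}                  # key -> time the entry expires

    @staticmethod
    def key(client_ip, mail_from, rcpt_to):
        # Group by network so that a retry from another host of the same
        # sending pool still matches the first attempt.
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (smtp_code, reason) for one delivery attempt at time `now`."""
        k = self.key(client_ip, mail_from, rcpt_to)
        if self.passed.get(k, 0) > now:
            self.passed[k] = now + self.pass_ttl          # refresh on use
            return (250, "known sender, accepted")
        first_seen = self.pending.get(k)
        if first_seen is None or now - first_seen > self.pending_ttl:
            self.pending[k] = now                          # unknown: start the clock
            return (451, "greylisted, try again later")
        if now - first_seen < self.min_delay:
            return (451, "retry too soon")
        del self.pending[k]
        self.passed[k] = now + self.pass_ttl
        return (250, "retry accepted")


def replay(attempts, greylist=None):
    """Feed (time, client_ip, mail_from, rcpt_to) tuples in order; return the codes."""
    greylist = greylist or Greylist()
    return [greylist.check(ip, sender, rcpt, now)[0]
            for now, ip, sender, rcpt in attempts]


# Constructed delivery attempts (time in seconds).
SAMPLE_ATTEMPTS = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.com"),  # first contact
    (60,   "192.0.2.10",   "alice@example.org", "bob@example.com"),  # retried too early
    (900,  "192.0.2.11",   "alice@example.org", "bob@example.com"),  # proper retry, pool neighbor
    (1000, "192.0.2.10",   "alice@example.org", "bob@example.com"),  # now a known sender
    (1000, "198.51.100.7", "promo@example.net", "bob@example.com"),  # bulk sender, never retries
]

if __name__ == "__main__":
    print(replay(SAMPLE_ATTEMPTS))
```

The last sender receives only a 451 and, because it never retries, its message is never accepted; that is the whole filtering effect.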


DNSBL scanning
In addition to supporting Fortinet's FortiGuard-Antispam DNSBL service, the
FortiMail unit supports administrator-defined public Realtime Block List servers.
You can enable DNSBL filtering as part of the antispam profile, and define multiple
DNSBL servers for each antispam profile. For more information, see "DNSBL
scan" on page 165 and "Configuring DNSBL servers" on page 167.
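
Public DNSBL servers are queried over ordinary DNS: the client address is reversed, prefixed to the list's zone, and looked up as an A record, with an answer in 127.0.0.0/8 meaning "listed". The Python sketch below is an added example, not FortiMail code and not the FortiGuard-Antispam protocol; it also shows the result caching described for the FortiGuard DNSBL process earlier. The zone name, cache lifetime, and records are constructed assumptions.

```python
import ipaddress
import socket
import time

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name to query: reversed octets (IPv4) or nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def system_lookup_a(name):
    """Live A-record lookup. Any failure is reported as "no answer", so a
    resolver outage makes the check fail open rather than block mail."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


class StaticZone:
    """Offline stand-in for DNS that also records every query it receives."""

    def __init__(self, records):
        self.records = records
        self.queries = []

    def __call__(self, name):
        self.queries.append(name)
        return self.records.get(name, [])


class DnsblChecker:
    def __init__(self, zones, lookup_a=system_lookup_a, cache_ttl=3600):
        self.zones = list(zones)
        self.lookup_a = lookup_a
        self.cache_ttl = cache_ttl
        self.cache = {}                       # ip -> (expires_at, result)

    def check(self, ip, now=None):
        """Return [(zone, [return codes])] for every list that has the IP."""
        now = time.time() if now is None else now
        key = str(ipaddress.ip_address(ip))
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return cached[1]                  # repeat connection: no query sent
        hits = []
        for zone in self.zones:
            answers = self.lookup_a(dnsbl_query_name(key, zone))
            # Only 127.0.0.0/8 answers mean "listed". Anything else is a
            # wildcard or rewritten response and must not count as a hit.
            codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
            if codes:
                hits.append((zone, codes))
        self.cache[key] = (now + self.cache_ttl, hits)
        return hits


# Constructed zone data for the hypothetical list dnsbl.example.net.
SAMPLE_RECORDS = {
    "10.2.0.192.dnsbl.example.net": ["127.0.0.2"],     # listed
    "20.2.0.192.dnsbl.example.net": ["203.0.113.5"],   # bogus non-127/8 answer
}

if __name__ == "__main__":
    zone = StaticZone(SAMPLE_RECORDS)
    checker = DnsblChecker(["dnsbl.example.net"], lookup_a=zone, cache_ttl=600)
    for ip in ("192.0.2.10", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, checker.check(ip, now=0))
    print("DNS queries sent:", len(zone.queries))
```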

Deep header scanning


Deep header scanning involves two separate checks. Black IP checking examines
the Received fields of the email header. The FortiMail unit then extracts any
URIs or IPs from the header and passes them to the FortiGuard-Antispam service,
DNSBL, or SURBL servers for spam checking. Header analysis examines the
entire message header for spam characteristics. For more information, see "Deep
header scan" on page 165.

SURBL scanning
In addition to supporting Fortinet's FortiGuard-Antispam SURBL service, the
FortiMail unit supports administrator-defined public Spam URI Realtime Block
List servers. You can specify which public SURBL servers to use as part of an
antispam profile. For more information, see "SURBL scan" on page 165 and
"Configuring SURBL servers" on page 168.

Bayesian scanning
After FortiGuard-Antispam processing, the Bayesian filters provide the most
effective method of detecting spam. Bayesian filters use databases to determine if
an email is spam. FortiMail Bayesian filters use two types of databases: personal
and group. Personal databases are associated with individual users, and the
group database applies to all users. For more information, see "Training Bayesian
databases" on page 222.

Heuristic scanning
The FortiMail unit includes rules that the heuristic filter uses. Each rule has an
individual score used to calculate the total score for an email. An upper and lower
limit threshold for the heuristic filter is set for each antispam profile. To determine if
an email is spam, the heuristic filter examines an email message and adds the
score for each rule that applies to get a total score for that email. If the total is
greater than or equal to the upper threshold, the filter classifies the email as spam
and processes it accordingly. If the total is less than or equal to the lower
threshold, the email is not spam. If the total is between the two thresholds, then
the heuristic filter cannot determine whether the email is spam or not spam.
For more information, see "Heuristic scan" on page 166.
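
The two-threshold decision can be shown with a small scorer. This Python sketch is an added example, not FortiMail code; the four rules, their scores, the threshold values, and the sample messages are constructed assumptions, since the guide does not list the unit's own rules.

```python
import re
from email import message_from_string

# (name, score, message part, pattern). Constructed rules for illustration;
# a negative score lets evidence of legitimate mail pull the total down.
RULES = [
    ("SUBJECT_ALL_CAPS", 1.5, "subject", re.compile(r"^[^a-z]*[A-Z][^a-z]*$")),
    ("BODY_PRESSURE_PHRASE", 2.0, "body",
     re.compile(r"\b(act now|limited time|wire transfer)\b", re.I)),
    ("BODY_URL_WITH_RAW_IP", 2.5, "body",
     re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("HDR_IS_REPLY", -1.0, "headers",
     re.compile(r"^In-Reply-To:\s*<[^>]+>", re.I | re.M)),
]


def split_message(raw):
    """Return the subject, the header block and all text parts of a raw message."""
    msg = message_from_string(raw)
    texts = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            texts.append(payload.decode(part.get_content_charset() or "utf-8",
                                        errors="replace"))
        except LookupError:                      # unknown charset label
            texts.append(payload.decode("utf-8", errors="replace"))
    return {
        "subject": str(msg.get("Subject", "")),
        "headers": "\n".join(f"{k}: {v}" for k, v in msg.items()),
        "body": "\n".join(texts),
    }


def heuristic_scan(raw, upper, lower, rules=RULES):
    """Return (verdict, total score, names of the rules that applied)."""
    if lower > upper:
        raise ValueError("lower threshold must not exceed upper threshold")
    parts = split_message(raw)
    fired = [(name, score) for name, score, part, pattern in rules
             if pattern.search(parts[part])]
    total = sum(score for _, score in fired)
    if total >= upper:
        verdict = "spam"
    elif total <= lower:
        verdict = "not-spam"
    else:
        verdict = "undetermined"                 # left to the other scanners
    return (verdict, total, [name for name, _ in fired])


# Constructed sample messages.
SAMPLE_SPAM = (
    "From: offers@example.net\n"
    "Subject: ACT NOW FREE OFFER\n"
    "\n"
    "Limited time! Visit http://192.0.2.55/win and act now.\n"
)
SAMPLE_HAM = (
    "From: carol@example.com\n"
    "Subject: Re: meeting notes\n"
    "In-Reply-To: <abc123@example.com>\n"
    "\n"
    "Notes from today are attached.\n"
)
SAMPLE_UNSURE = (
    "From: billing@example.org\n"
    "Subject: Invoice 4471\n"
    "\n"
    "Please pay at http://192.0.2.55/invoice today.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SPAM, SAMPLE_HAM, SAMPLE_UNSURE):
        print(heuristic_scan(sample, upper=5.0, lower=0.0))
```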


Image spam scanning


Spammers attempt to get their email messages past spam safeguards by
replacing the message body with an image file. This image file displays a graphic
of the desired text. Since the message body contains no real text, scanners
designed to examine the message body find nothing to work with. However, the
FortiMail unit's image spam scan is equipped to examine and identify GIF, JPEG,
and PNG graphics used in image spam. For more information, see "Image spam
scan" on page 167.

PDF scanning
Spammers may attach a PDF file to an otherwise empty message, to get their
email messages past spam safeguards. The PDF file contains the spam
information. Since the message body contains no text, antispam scanners cannot
determine if the message is spam. However, the FortiMail unit's PDF scanning
option directs the heuristic, banned word, and image spam scanners to examine
the contents of PDF attachments. For more information, see "PDF" on page 167.

Locally-administered black/white lists


The FortiMail unit supports four levels of black/white lists: system, domain,
session, and personal. Addresses added to blacklists usually consist of those
known to be used for sending spam. Whitelisted addresses include any non-spam
producing address that may have been improperly marked as a spam sender in
the past, or addresses that you do not want marked as spam in the future. By
using the FortiMail black/white lists, you can add sources that may be unclassified
or misclassified from the managed DNSBL services by specifying email
addresses, domains, and IP addresses. For more information on global
black/white lists, see "Configuring system black and white lists" on page 236. For
more information on session black/white lists, see "Expand Lists" on page 185.
For more information on personal black/white lists, see "Configuring personal
black and white lists" on page 237.

Banned word scanning


You can specify a list of banned words as part of an antispam profile. If the
FortiMail unit detects any of the banned words in the email body or header, it flags
the email as spam. For more information, see "Configuring banned word
scanning" on page 169.

Whitelist word scanning


You can specify a white list of words as part of an antispam profile. If the FortiMail
unit detects a whitelist word, it treats the message as non-spam and cancels
further antispam scanning. For more information, see "Configuring whitelist word
scanning" on page 169.


Sender reputation
The FortiMail unit tracks SMTP client behavior, limiting deliveries of those clients
sending excessive spam messages, infected email, or messages to invalid
recipients. Should clients continue delivering these types of messages, their
connection attempts will be rejected entirely. Sender reputation is managed by the
FortiMail unit and requires no administration. For more information, see
"Configuring sender reputation" on page 243.

About this document


This document explains how to use the FortiMail unit once you have successfully
installed the FortiMail unit by following the instructions in the FortiMail Installation
Guide. At this stage:

- The FortiMail unit is integrated into your network.
- In transparent or gateway modes, the network is configured so incoming and
  outgoing email passes through the FortiMail unit for examination.
- In server mode, the FortiMail unit is the email server. The network is configured
  to allow the FortiMail unit access to and from other email servers, typically
  including those out on the Internet, and from users with POP3 or webmail
  access.
- The advanced features of the FortiMail unit are not enabled. These features
  include antispam, antivirus, email archiving, logging, and reporting.

Optionally, you can continue configuring other system-related items, such as date
and time, administrator accounts, and RAID levels. For more information, see
"Configuring FortiMail system settings" on page 89. At this time you might also
want to update the firmware (see "Changing the FortiMail firmware" on page 75)
and configure the unit for antivirus updates (see "Configuring antivirus updates
from the FDN" on page 80), but you can leave these tasks for later.
Once your FortiMail unit is running and you have configured the optional
system-related items, you can start to configure the advanced features as described in
this guide. You have the flexibility to choose which features to enable and select
the options you want within each feature.
This document contains the following chapters:

- FortiMail unit status and maintenance
- Configuring FortiMail system settings
- Configuring Mail Settings
- Creating email filtering and control profiles
- Creating email filtering and control policies
- Configuring antispam settings
- Configuring users
- Archiving email
- Logging and reporting
- Configuring and operating FortiMail HA
- End-user guide (GW & TP modes)
- End-user guide (server mode)


Document conventions
The following document conventions are used in this guide:

- In the examples, private IP addresses are used for both private and public IP
  addresses.
- To avoid publication of public IP addresses that belong to Fortinet or any other
  organization, the IP addresses used in Fortinet technical documentation are
  fictional and follow the documentation guidelines specific to Fortinet. The
  addresses used are from the private IP address ranges defined in RFC 1918:
  Address Allocation for Private Internets, available at
  http://ietf.org/rfc/rfc1918.txt?number-1918.
- Notes and cautions are used to provide important information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.

Typographic conventions
FortiMail documentation uses the following typographical conventions:

Convention          Example
Keyboard input      To navigate the list of sessions, select the Page Up icon or the Page Down icon.
CLI command syntax  execute restore config <filename_str>
Document names      FortiMail Administration Guide
Menu commands       Go to System > Network > Interface to view the interface information.
Program output      Welcome!
Variables           <address_ipv4>

FortiMail documentation
Information about the FortiMail unit is available from the following guides:

- FortiMail QuickStart Guides
  Provides basic information about connecting and installing a FortiMail unit. A
  separate guide is available for each FortiMail model.
- FortiMail Administration Guide
  This document. Introduces the product and describes how to configure and
  manage a FortiMail unit, including how to create profiles and policies,
  configure antispam and antivirus filters, create user accounts, configure email
  archiving, and set up logging and reporting.
- FortiMail CLI Reference
  Describes how to use the FortiMail CLI and contains a reference of all
  FortiMail CLI commands.
- FortiMail Log Message Reference
  Describes the structure of FortiMail log messages and provides information
  about the log messages that are generated by FortiMail units. Available
  exclusively from the Fortinet Knowledge Center.
- FortiMail Installation Guide
  Describes how to set up the FortiMail unit in transparent, gateway, or server
  mode.
- FortiMail online help
  Provides a searchable version of the Administration Guide in HTML format.
  You can access online help from the web-based manager as you work.
- FortiMail Webmail online help
  Describes how to use the FortiMail web-based email client, including: how to
  send and receive email; how to add, import, and export addresses; how to
  configure message display preferences; and how to manage quarantined
  email.
- FortiMail User Guides
  Provides information that the FortiMail end users need to know in order to take
  advantage of the services provided by the FortiMail unit. These guides are
  included as chapters in the FortiMail Administration Guide, allowing the
  administrator to provide information on only the enabled features. For details,
  see "End-user guide (GW & TP modes)" on page 339 and "End-user guide
  (server mode)" on page 345.

Fortinet Tools and Documentation CD


All Fortinet documentation is available on the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. For up-to-date versions of Fortinet documentation visit the Fortinet
Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center


Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to
articles, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge
Center at http://kc.forticare.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure your Fortinet
systems install quickly, configure easily, and operate reliably as part of your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services Fortinet provides.


FortiMail basic mode


FortiMail units have two web-based manager administration modes: basic mode
and advanced mode.

Basic mode presents a reduced set of menu options that is easy to navigate and
allows for standard FortiMail unit configurations. This mode includes the Quick
Start wizard. The basic mode appears by default when you log on, unless
otherwise specified. Basic mode is explained in this chapter.

Advanced mode presents additional, useful menu options, which you may require
in more complex configurations. Advanced mode is explained in the chapters that
follow.

The Quick Start Wizard leads you through a series of screens to help you set up
your FortiMail unit. It is intended for first-time users doing initial configuration, and
is available only in basic mode.

Menu options in Basic mode include:

- Management
- Settings
- Log & Report
- Quick Start Wizard

Management
You can connect to the web-based manager and view the current status of the
FortiMail unit, including the current firmware version, the current virus definitions,
the FortiMail unit serial number, email statistics, and communication sessions.
If you log into the web-based manager using any system level account, you can:

- view the FortiMail unit settings including the FortiMail unit serial number and its
  uptime
- view the Mail Statistics page
- view the Session page

The Mail Statistics page shows the number of spam email and viruses detected by
the FortiMail unit in tabular and graphical views. The Session page shows the
active communication sessions to and through the FortiMail unit.
A system administrator with read and write permissions can configure FDN
updates. Only the default system administrator, admin, can change the firmware,
back up and restore the configuration, shut down or restart the unit.
The Management section includes:

- Status page
- Mail statistics
- Mail queues
- Spam quarantine


Status page
The Management Status page displays when you log in to the web-based
manager as a system administrator. At any other time, go to Management >
Status to view the Management Status page. If you logged in as the default
system administrator, admin, you can modify management information and
update antivirus definitions.
Figure 1: Management status

Automatic Refresh Interval

Select to control how often the web-based manager updates
the system status display.

Go

Select to set the selected automatic refresh interval.

Refresh

Select to manually update the management status display.

System Status
UP Time

The time in days, hours, and minutes since the FortiMail unit
was started or rebooted.

System Time

The current time according to the FortiMail unit internal clock.

Log Disk

Displays the capacity of the hard disk that the FortiMail unit
uses to store log messages. For more information on logging,
see FortiMail logging on page 253.

Mailbox Disk

Displays the capacity of the hard disk that the FortiMail unit
uses to store archived email and quarantined spam.

Unit information
Firmware Version

The version of the firmware installed on the FortiMail unit.
Select Update to change the firmware (see Upgrading to a
new firmware version on page 75).

Antivirus Definitions

The current installed version of the FortiMail Antivirus
Definitions. Select Update to manually update the definitions
(see Updating antivirus definitions from a file on page 83).
For information about configuring automatic updates, see
Configuring antivirus updates from the FDN on page 80.

Serial Number

The serial number of the FortiMail unit. The serial number is
unique to the FortiMail unit and does not change with firmware
upgrades.

Operation Mode

The operation mode of the FortiMail unit. Select Change to
switch modes (see Changing the FortiMail operation mode on
page 28).


System Settings
Settings

Displays options to back up or restore system settings, or to
restore system settings to factory defaults. See Backing up
and restoring the configuration on page 29.

System Resources
CPU Usage

The current CPU status. The web-based manager displays
CPU usage for core processes only. CPU usage for
management processes (for example, for HTTPS connections
to the web-based manager) is excluded.

Memory Usage

The current memory status. The web-based manager displays
memory usage for core processes only. Memory usage for
management processes (for example, for HTTPS connections
to the web-based manager) is excluded.

Log Disk Usage

The current log disk status indicates how much of the allocated
disk space is used. For information on log settings, see
Logging to the hard disk on page 254.

Mailbox Disk Usage

The current mailbox disk status indicates how much of the
allocated disk space is used.

Active Sessions

Shows the number of administrators/users logged into the
FortiMail unit.

History

Select History to view a graphical representation of the last
minute of CPU, memory, sessions, and network usage.
CPU Usage History: CPU usage for the previous minute.
Memory Usage History: Memory usage for the previous minute.
Session History: Session history for the previous minute.
Network Utilization History: Network utilization for the previous minute.

System Command

Displays the buttons to restart or shut down the FortiMail unit.

Figure 2: Sample system resources history

Mail statistics
The Mail statistics page displays a summary, in tabular and graphical views, of
spam messages and viruses detected by the scanning tools of the FortiMail unit.
This page also shows actions that the unit has taken against spam and viruses.
Real-time statistics data is also available by selecting Realtime statistics data
also available here. This displays both a tabular and graphical representation of
messages sent, spam messages, and viruses in the last day and the last hour.

For information about the FortiMail unit scanning tools, see Creating email
filtering and control profiles on page 161.
To view the mail statistics
1. Go to Management > Status > Mail Statistics.
2. Select Refresh to update the statistics. You can also select an automatic refresh
interval from 30 seconds to five minutes, and select Go.
The following information displays:

The Summary tab displays, in tabular form, spam and virus-infected email
detected by the FortiMail unit. The table also breaks down the spam detected
by the scanning tools, including heuristic, bayesian, DNSBL, access control,
system wide black list (System List), and black list set by email users (User
List).

The History tabs display graphs: one showing the total number of messages sent,
and another showing the number of viruses detected for that period (hourly,
daily, weekly, or yearly).

Changing the FortiMail firmware


Only the default FortiMail system administrator, admin, can change the FortiMail
firmware. Firmware changes are either an upgrade to a newer version or a
reversion to an earlier version.
It is strongly recommended that you always upgrade to the most recent firmware
available for your FortiMail unit. This will ensure you have the most up-to-date bug
fixes, new features, Antivirus engine, and Antispam engine.
Follow the appropriate procedure for the firmware change you want to perform.
To upgrade the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus definitions with the definitions
included with the firmware release that you are installing. After you install the new firmware,
use the procedure Manually initiating antivirus definitions updates on page 83 to make
sure that your antivirus definitions are up to date.

1. Copy the firmware image file to your management computer.
2. Log into the web-based manager as the admin administrative user.
3. Go to Management > Status > Status.
4. Select Update beside Firmware Version.
5. Type the path and filename of the firmware image file, or select Browse and locate
the file.
6. Select OK.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware
version, disconnects your session, restarts, and displays the FortiMail unit login.
This process takes a few minutes.
7. Log into the web-based manager.
8. Go to Management > Status > Status and check the Firmware Version to confirm
that the firmware upgrade is successfully installed.
9. Update antivirus definitions. For information about antivirus definitions, see
Manually initiating antivirus definitions updates on page 83.


To revert to a previous firmware version using the web-based manager


Before beginning this procedure you can back up the FortiMail unit configuration.
For information, see Backing up system settings on page 29.
The following procedures revert the FortiMail unit to its factory default
configuration and delete all configuration on the unit.
Note: Installing firmware replaces the current antivirus definitions with the definitions
included with the firmware release that you are installing. After you install the new firmware,
use the procedure Manually initiating antivirus definitions updates on page 83 to make
sure that antivirus definitions are up to date.

1. Copy the firmware image file to your management computer.
2. Log into the FortiMail unit web-based manager as the admin administrative user.
3. Go to Management > Status > Status.
4. Select Update beside Firmware Version.
5. Type the path and filename of the previous firmware image file, or select Browse
and locate the file.
6. Select OK.
The FortiMail unit uploads the firmware image file, reverts to the old firmware
version, resets the configuration, restarts, and displays the FortiMail unit login.
This process takes a few minutes.
7. Log into the web-based manager.
8. Go to Management > Status > Status and check the Firmware Version to confirm
that the firmware is successfully installed.
9. Restore your configuration.
For information about restoring your configuration, see Restoring system
settings on page 30.
10. Update antivirus definitions. For information about antivirus definitions, see
Manually initiating antivirus definitions updates on page 83.

Restarting and shutting down the FortiMail unit


The default FortiMail system administrator, admin, can restart or shut down the
FortiMail unit.

Caution: Before performing any of these procedures, notify your email users.

To restart the FortiMail unit


1. Go to Management > Status > Status.
2. Select Restart.
The FortiMail unit disconnects your session, shuts down and restarts the unit.

To shut down the FortiMail unit

1. Go to Management > Status > Status.
2. Select Shut Down.
The FortiMail unit shuts down. You can now turn off the power. The unit will restart
when you turn on the power.

Changing the FortiMail operation mode


The default FortiMail system administrator, admin, can change the FortiMail unit
from one mode to another. Note that you will need to reconfigure almost all of your
settings afterwards.

When you change the FortiMail unit from server mode to gateway mode or vice
versa, its configuration resets to factory defaults except the configuration for
the port 1 interface.

When you change the FortiMail unit from any mode to transparent mode or
vice versa, its configuration resets to factory defaults. You lose all of the
existing configuration.

You need to re-login after changing the mode.

Determining the best operation mode


Each operation mode is best suited for a specific situation. A brief explanation
follows.

Use gateway mode when you do not want your servers to be visible to users
for security reasons. You will have to make sure you modify your mail routing
policy to route incoming mail to the FortiMail unit for it to be scanned.

Use transparent mode when a network is complex and does not allow for
changes in the IP addressing scheme.

Use server mode if you need a secure and reliable email server with
integrated advanced antispam and antivirus capabilities.

For more information about the different operation modes, see Operation mode
on page 11.

Important configuration tips for FortiMail transparent mode


FortiMail transparent mode is best used when a network is complex and does not
allow for changes in the IP addressing scheme. The following are configuration
tips if you use the transparent operation mode.

Deploy the FortiMail unit in front of your mail server so incoming email is forced
to go to the FortiMail unit and be scanned.

The management IP address and all the IP addresses connecting to your
FortiMail unit's bridged (default) interfaces should be on the same IP subnet.

Do not connect two ports to the same VLAN on a switch or the same hub.
Some Layer 2 switches become unstable when they detect the same MAC
address originating on more than one switch interface or from more than one
VLAN.

If the client is configured for authentication and the Use original server to
deliver mail option under For unknown Servers of SMTP proxies is NOT
enabled, the FortiMail unit needs an authentication profile configured and
applied. Also the back end mail server must be explicitly configured to allow
relay. Without the profile, the authentication will fail.


There are additional advanced options when configuring protected domains in
transparent mode. See Creating a new email domain (transparent and
gateway modes) on page 130.

To change the FortiMail operation mode


1. Go to Management > Status > Status.
2. For Operation Mode, select Change.
3. Select the operation mode you want.
4. Select OK.

Backing up and restoring the configuration


The default FortiMail system administrator, admin, can back up the FortiMail unit's
configuration to a file so that you can restore that configuration at some later time. You
can also, if needed, reset the FortiMail unit to its factory default configuration.
Backing up the FortiMail unit's configuration does not back up the Bayesian database
and dictionaries. These must all be backed up separately. For more information,
see Managing Bayesian databases on page 225 and Maintaining dictionaries on
page 192.
Backing up the FortiMail unit's configuration does include all black/white lists,
custom messages, Access Control List (ACL), and user preferences. For more
information, see Configuring system black and white lists on page 236,
Customizing messages and appearance on page 115, and Webmail user
preferences on page 154.
Follow the appropriate procedure for the operation you want to perform:

Backing up system settings

Restoring system settings

Restoring system settings to factory defaults

Backing up system settings


You can back up system settings by downloading them to a text file on the
management computer. You can also download a debug log file or debug trace file
and send it to Fortinet technical support or development for systems analysis
purposes. The trace log file is in a binary format that contains information
additional to the debug log file.
To back up system settings
1. Go to Management > Status > Status.
2. Select System Settings > Backup.
3. Select Backup system settings.
4. Save the file to the management computer.
5. Select Return to go back to the Status page.

To download debug log

1. Go to Management > Status > Status.
2. Select System Settings > Backup.
3. Select Download debug log.
4. Save the file to the management computer.
5. Select Return to go back to the Status page.

To download trace log

1. Go to Management > Status > Status.
2. Select System Settings > Backup.
3. Select Download trace log.
4. Save the file to the management computer.
5. Select Return to go back to the Status page.

Restoring system settings


You can restore system settings by uploading a previously downloaded system
settings text file.
To restore system settings
1. Go to Management > Status > Status.
2. Select Restore.
3. Enter the path and filename of the system settings file, or select Browse and
locate the file.
4. Select OK to restore the system settings file to the FortiMail unit.
The FortiMail unit restarts, loading the new system settings.
5. Reconnect to the web-based manager and review your configuration to confirm
that the uploaded system settings have taken effect.
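
A check to run on the management computer around the backup and restore steps above, given here as an added example that is not part of the FortiMail guide or product: it records SHA-256 digests for a backup set, verifies them before a restore, and flags a set that lacks the Bayesian databases or dictionaries, which the guide says the system settings backup does not include. The component labels, the file names and the manifest.json layout are assumptions of this example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Components of a full backup per the guide: the system settings file plus the
# Bayesian databases and dictionaries, which are backed up separately.
# These labels, the file names and manifest.json are assumptions of this example.
REQUIRED = ("system_settings", "bayesian_databases", "dictionaries")
MANIFEST = "manifest.json"


def sha256_file(path):
    """Hash a file in chunks so large database backups are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(directory, files):
    """Record digest and size for each component -> file name in `files`."""
    directory = Path(directory)
    entries = {}
    for component, name in files.items():
        path = directory / Path(name).name  # stay inside the backup directory
        entries[component] = {
            "file": path.name,
            "sha256": sha256_file(path),
            "size": path.stat().st_size,
        }
    manifest = directory / MANIFEST
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return manifest


def check_backup_set(directory):
    """Return a list of problems; an empty list means complete and unchanged."""
    directory = Path(directory)
    entries = json.loads((directory / MANIFEST).read_text())
    problems = [f"{c}: not in backup set" for c in REQUIRED if c not in entries]
    for component, meta in sorted(entries.items()):
        path = directory / Path(meta["file"]).name
        if not path.is_file():
            problems.append(f"{component}: file missing")
        elif not hmac.compare_digest(sha256_file(path), meta["sha256"]):
            problems.append(f"{component}: digest mismatch")
    return problems


def demo():
    """Build a constructed backup set, then alter one file and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "settings.txt").write_text("constructed system settings\n")
        (tmp / "bayes.bin").write_bytes(b"constructed bayesian data")
        (tmp / "dict.bin").write_bytes(b"constructed dictionary data")
        write_manifest(tmp, {
            "system_settings": "settings.txt",
            "bayesian_databases": "bayes.bin",
            "dictionaries": "dict.bin",
        })
        before = check_backup_set(tmp)
        (tmp / "settings.txt").write_text("edited after backup\n")
        after = check_backup_set(tmp)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Keep a copy of the manifest somewhere other than beside the backup files: a manifest stored with them detects corruption, but not a change made by someone who can rewrite both.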

Restoring system settings to factory defaults


Use the following procedure to restore system settings to the values set at the
factory. This procedure does not change the firmware version or the antivirus
definitions.

Caution: This procedure deletes all changes that you have made to the FortiMail unit
configuration and reverts the system to its original configuration, including resetting
interface addresses.

To restore system settings to factory defaults


1. Go to Management > Status > Status.
2. Select Restore Factory Defaults.
3. Select OK to confirm.
The FortiMail unit restarts with the configuration that it had when it was first
powered on.
4. Reconnect to the web-based manager and review the system configuration to
confirm that it has been reset to the default settings.
For information about restoring system settings, see Restoring system settings
on page 30.


Mail queues
The FortiMail unit stores undeliverable email in several queues:

The Deferred queue contains email that the FortiMail unit could not send.
Often the problem is temporary. For example, the destination email server was
off-line or there were network problems. See Deferred queue on page 31.

The Spam queue contains tagged spam that the FortiMail unit could not send
(For information on tagging spam, see Configuring Actions on page 170).
Often the problem is temporary. For example, the destination email server was
off-line or there were network problems. See Spam queue on page 32.

The Dead email list contains email that cannot be delivered or returned
because the recipient and sender names are both invalid. See Dead email
list on page 33.

Deferred queue
In the Deferred queue, the FortiMail unit stores email that it could not send.
Sending an email can fail for various temporary reasons such as network
problems. A notification will be sent to the sender when the email is moved to the
deferred queue. The FortiMail unit will try to resend the deferred email for five
days. You cannot configure the resending schedule.
If an email still cannot be sent by the end of the fifth day, the sender is notified of
the delivery failure and the email will be deleted. If the sender cannot be notified of
the failure, FortiMail will save a copy of the email in the Dead email list. See Dead
email list on page 33.
Go to Mail Settings > Mail Queue > Deferred Queue to delete some or all
deferred email. When you delete a deferred email, a notification message with the
deleted email attached to it will be sent to the email sender.
If the email is subsequently sent successfully, it is removed from the queue and
the sender will not be notified.
Figure 3: Deferred queue (with deferred messages)

Figure 4: Deferred queue (empty)

Page up icon

View previous page.

Page down icon

View next page.

View nn lines each page

Select the number of lines to display on each page: 25, 50, 100, 1000.


Total lines

The number of lines in the queue.

Goto Line

Enter the line number on the page that you want to see.

Go

Select to go to the line you entered.

Displays the line numbers on the page.

Select

Displays checkboxes for you to select or deselect the deferred email.

Sender

Displays the sender of the deferred email.

Recipient

Displays the intended recipient of the deferred email.

Reason

Displays the reasons why the email has been deferred, for example host
name lookup failure or connection refused.

First Processed

Displays the time that the FortiMail unit first tried to send the email.

Last Processed

Displays the time that the FortiMail unit last tried to send the email.

Tries

Displays the number of times that the FortiMail unit has tried to send the
email.

Check All

Select to check all messages in the deferred queue.

Uncheck All

Select to uncheck all messages in the deferred queue.

Delete

Select to delete a selected deferred email.

Resend

Select to attempt to resend all selected messages now.

Refresh

Select to refresh the list of deferred messages, especially after
attempting to resend messages.
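
A triage helper for the Deferred queue described above, given as an added example that is not part of the FortiMail guide or product: it takes rows with the columns listed on this page, works out when each message reaches the end of the five-day resend period, and counts deferrals per destination domain and reason. The CSV layout, the timestamp format and the choice to start the five days at First Processed are assumptions of this example; the rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# The guide states that deferred email is retried for five days.
RETRY_WINDOW = timedelta(days=5)
# Assumed timestamp format; the guide does not show how the page prints times.
TIME_FORMAT = "%Y-%m-%d %H:%M"

# Constructed sample rows using the column names of the Deferred queue page.
SAMPLE_ROWS = """\
Sender,Recipient,Reason,First Processed,Last Processed,Tries
alice@example.com,bob@partner.example,connection refused,2008-03-20 08:00,2008-03-24 20:00,31
carol@example.com,dave@partner.example,connection refused,2008-03-23 09:30,2008-03-24 21:00,12
erin@example.com,frank@typo.example,host name lookup failure,2008-03-20 02:15,2008-03-24 19:45,33
"""


def load_queue(text):
    """Parse queue rows into dicts with typed fields and a recipient domain."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        recipient = rec["Recipient"].strip()
        # Everything after the last "@" is the domain; an address without
        # "@" is marked "(invalid)" instead of raising.
        _local, at, domain = recipient.rpartition("@")
        first = datetime.strptime(rec["First Processed"].strip(), TIME_FORMAT)
        rows.append({
            "sender": rec["Sender"].strip(),
            "recipient": recipient,
            "domain": domain.lower() if at and domain else "(invalid)",
            "reason": rec["Reason"].strip().lower(),
            "first": first,
            "deadline": first + RETRY_WINDOW,  # assumed start of the window
            "tries": int(rec["Tries"]),
        })
    return rows


def expiring(rows, now, within=timedelta(hours=24)):
    """Rows whose resend period ends within `within` of `now`, soonest first.

    Rows already past the deadline are included, so nothing is missed if the
    check runs late.
    """
    due = [row for row in rows if row["deadline"] - now <= within]
    return sorted(due, key=lambda row: row["deadline"])


def by_destination(rows):
    """Count deferred messages per (recipient domain, reason)."""
    return Counter((row["domain"], row["reason"]) for row in rows)


if __name__ == "__main__":
    now = datetime(2008, 3, 24, 22, 0)  # constructed "current" time
    queue = load_queue(SAMPLE_ROWS)
    for (domain, reason), count in by_destination(queue).most_common():
        print(f"{count:3d}  {domain}  {reason}")
    for row in expiring(queue, now):
        print(f"{row['recipient']} expires in {row['deadline'] - now}")
```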

Spam queue
In the Spam queue, the FortiMail unit stores tagged spam that it could not send.
There could be various temporary reasons such as network problems. The
FortiMail unit will try to resend the tagged spam for five days. You cannot
configure the resending schedule.
Go to Mail Settings > Mail Queue > Spam Queue to delete some or all tagged
spam. When you delete a tagged spam, a notification message with the deleted
tagged spam attached to it will be sent to the email sender.
Figure 5: Spam queue

Page up icon

View previous page.

Page down icon

View next page.

View nn lines each page

Select the number of lines to display on each page: 25, 50, 100, 1000.

Total lines

The number of lines in the queue.

Goto Line

Enter the line number on the page that you want to see.

Go

Select to go to the line you entered.


Line number.

Select

Displays checkboxes for you to select or deselect the tagged spam.

Sender

Displays the senders of the tagged spam.

Recipient

Displays the recipients of the tagged spam.

Reason

Displays the reasons why the tagged spam has been queued.

First Processed

Displays the time that the FortiMail unit first tried to send the tagged
spam.

Last Processed

Displays the time that the FortiMail unit last tried to send the tagged
spam.

Tries

Displays the number of times that the FortiMail unit has tried to send the
tagged spam.

Dead email list


In the Dead email list, the FortiMail unit stores email that cannot be sent or
returned to the sender. This is usually due to both the recipient and sender
addresses being invalid. Such messages are often sent by spammers who only
know the domain name of an email server.
If you are operating in server mode, you can create a local email account named
postmaster for these messages, or create an alias named postmaster to an
existing email account, instead of using the Dead email list. The Admin can
manually delete emails from the Dead email list, or configure auto deletion for
dead email after a set number of days.
The Dead email list also includes copies of notification messages from the
FortiMail unit (postmaster) to senders of undeliverable email. These messages
include a "postmaster" copy of Delivery Status Notification (DSN) email for failing
to deliver the email. This copy contains the original email.
Figure 6: Dead email list

Page up icon

View previous page.

Page down icon

View next page.

View nn lines each page

Select the number of lines to display on each page: 5, 30, 50, 1000.

Total lines

Total number of email messages in the Dead email list.

Sort by

Select how to sort the list: Subject, From, To, or Date.

Delete dead emails

Enter the number of days after which to delete the email from the
Dead email list.

#

Line number.


Select

Displays checkboxes for you to select or deselect the email.
Enable Select All to select all lines.

From

Email sender address.

To

Email recipient address.

Subject

Email subject field.

Date

Date and time of the email.

Delete

Delete selected email.

To view dead email


Go to Mail Settings > Mail Queue > Dead Mail to view dead email From and To
addresses, Subjects, and Dates.
You can also

select the number of lines to view on a page,

sort the email by subject, from address, to address, and date, and

set an expiry date to automatically delete the email.

To manage dead email


Go to Mail Settings > Mail Queue > Dead Mail.

Select the Select All check box on the header and select Delete to delete all
the dead email.

or

Select the check box before a dead email and select Delete to delete an
individual dead email.

Backing up and restoring mail queues


You can back up the contents of the mail queues to a file and restore them later.
This can be useful if you need to change or reformat the mailbox disk.
Go to Mail Settings > Mail Queue > Queue Maintenance to back up or restore
mail queues.
Figure 7: Queue Maintenance

Backup Queue

Back up the email queues. Save the backup file on the
management computer.

Restore Queue

Restore the email queues from a backup file on the management
computer. Enter the path and filename of the backup file or select
Browse and locate the file. Select OK.

Quarantine
There are two types of quarantine available for use with the FortiMail unit.
The spam quarantine prevents incoming messages detected as spam from
reaching users. They are stored on the FortiMail unit hard drive and the user is
notified with a periodic spam report.


The system quarantine is used to prevent outgoing messages detected as spam
from reaching recipients. Unlike the spam quarantine, no report is sent and the
administrator must review the quarantined messages to decide if they should be
released or deleted.
Advanced users can also configure content profiles to capture email based on
message content for later examination in the system quarantine. For details, see
Creating content profiles on page 178.

Spam quarantine
The FortiMail unit can be configured to quarantine spam email on its hard drives.
The spam quarantine is enabled by default whenever antispam is enabled.
When incoming email is detected as spam, the FortiMail unit will quarantine the
email on its own hard drive and not deliver it to the recipient. Instead, a spam
report listing all the withheld messages will be sent to users. By default, the report
is sent once a day at 9am. The users can review the message details and release
any messages that are not really spam. Releasing quarantined messages is as
simple as clicking a link associated with the quarantined message in the spam
report. The released message will be delivered to the user's inbox.
You can view the email addresses of the email recipients who have spam
quarantined on the FortiMail unit. You can also view the recipient mailbox size
information.
You can also view, sort, delete, or release the quarantined email.
To view the list of recipients with quarantined spam
1. Go to Management > Quarantine > Recipients.
2. Select the domain for which you want to see the quarantined spam.

A list of folders is displayed. The folders are named for the email address to which
quarantined spam was addressed.
You can select the number of lines to view on a page and sort the recipients by
email address or mailbox size.

Folders may be easily deleted. Select the check boxes for the folders you wish to
remove and select the delete icon.

Select the Expunge icon to reclaim disk space used by deleted quarantined email.
When quarantined email is deleted, the message is marked as deleted and
removed from the list of quarantined email. The message will still take up disk
space, however. Expunge will reclaim this disk space.

Select All or Selected if you want to manually send out a spam summary report to
the spam recipients. The summary will include each user's spam messages listed
on the Recipients page received in the number of hours entered in the field.
To manage the quarantined email

Select the recipient's email address.
All quarantined messages for the selected recipient are displayed.

Select the number of lines to view on each page.

Sort the messages by subject, sender address, date, and message number.

Select the Delete or Release check box in the header and select OK to delete or
release all the spam messages for this recipient.


Select the delete or release check box before a spam message and select OK to
delete or release an individual spam message.

System Quarantine
The FortiMail unit can be configured to quarantine email on its hard drives based
on the message contents. By default, the system quarantine is not used.
The system quarantine is where email caught by content monitoring and outgoing
spam detection may be held. Unlike the spam quarantine, users receive no
notification of mail held in the system quarantine. Periodic review of the mail is
required by the administrator.
To view the system quarantine (admin user)
Regular administrators can review the system quarantine at any time.
1. Go to Management > Quarantine > System quarantine.
The system quarantine folders are displayed.

The folder named Inbox contains the most recently quarantined messages. When
the Inbox folder size exceeds 100 MB, it is renamed and a new Inbox folder is
created. Rotated folder names include their creation date and rotation date.

Select a folder, and the list of quarantined messages in the selected folder is
displayed.
You can select the number of lines to view on a page and sort the recipients by
any column heading by selecting it.

Click a message subject to view the message. While viewing the message, it can
be released to the user, forwarded to another address, or deleted. The full
message header can be viewed by selecting detail header.

Select Expunge to reclaim disk space used by messages deleted from the system
quarantine. When quarantined email is deleted, the message is marked as
deleted and removed from the message list. The message will still take up disk
space, however. Expunge will reclaim this disk space.

Settings
Settings contains options used to configure the system and email settings of the
FortiMail unit. Any settings used in the Wizard during setup can be found here.
Settings options include:

Config

Network

Domains

Antispam

Config
Config options allow you to change the time settings and the administrator
accounts list.
Config options include:


Time

Admin

Time
For effective scheduling and logging, the FortiMail system time must be accurate.
You can either manually set the FortiMail system time or you can configure the
FortiMail unit to automatically keep its system time correct by synchronizing with a
Network Time Protocol (NTP) server.
Your FortiMail unit supports the 2007 USA, Canada, and Western Australia
changes to Daylight Savings Time. In USA and Canada this includes moving the
time change from the last Sunday of March to 3 weeks earlier in March, and
moving the time change from the last Sunday of October to a week later in
November. In Western Australia this includes moving the time change from the
last Sunday of March to a week later in April.
Go to Settings > Config > Time to configure system time.
System Time

The current FortiMail system date and time.

Refresh

Select Refresh to update the display of the current FortiMail
system date and time.

Time Zone

Select the appropriate time zone for your region.

Automatically adjust clock for daylight saving changes

Select if you want the FortiMail system clock to be adjusted
automatically when your time zone changes to daylight saving
time and back to standard time.

Set Time

Select to set the FortiMail system date and time to the values
you set in the Year, Month, Day, Hour, Minute and Second fields.

Synchronize with NTP Server

Select to use an NTP server to automatically set the system
date and time. You must specify the server and synchronization
interval.

Server

Enter the IP address or domain name of an NTP server. To find
an NTP server that you can use, see http://www.ntp.org.

Syn Interval

Specify how often the FortiMail unit should synchronize its time
with the NTP server. A typical Syn Interval would be 1440
minutes for the FortiMail unit to synchronize its time once a day.

Note: For security reasons, make sure the system time zone and time are correct.

Admin
By default, the FortiMail unit has one system-level administration account, admin,
with full access to all configuration options. Using this account, you can create
additional administrative accounts at both the system and domain level (see
Administrators and permission levels on page 37 and Adding an administrator
account on page 39).

Administrators and permission levels


There are three administration account access levels. There can be no more than
five administrator accounts per domain.
There can be only one administrator account with admin permission per domain
other than the system domain.


Note: Administrators cannot be associated with domains in server mode.

Table 1: Administrator permission levels


Permissions
Administrator
or all

Read & Write

Read Only

System Level

Can view, add, edit, and delete administrator accounts of all levels.

Can view and change all parts of the FortiMail unit configuration.

Domain Level

Can create admin users in its own domain with Read & Write and Read Only
permissions.

Can view and change settings of its own domain, including profiles and
policies.

Can manually update firmware, antivirus definitions,

Can download or upload system settings, restore the FortiMail unit to factory
defaults, restart the FortiMail unit, and shut down the FortiMail unit.

Can view profiles and policies created by the system level administrator.

Can view administrator accounts.

Can view and change the FortiMail unit configuration at the system and
domain levels.

Can release and delete quarantined messages in its own domain.

Can view settings for its own domain.

Can view profiles and policies created by the system level administrator.

Can view settings of its own domain.

Can view profiles and policies created by the system level administrator.

Can change own administrator account password.

Can release and delete quarantined messages for all domains.

Can view the FortiMail unit configuration at the system and domain levels.

Can only execute writing operations in ACL, managing mail queues and maintenance

In the CLI, any account that has admin in the name cannot be changed.
In the administration GUI, any account with admin permission can change the
default admin, and they can change other user accounts. However, accounts with
admin permission cannot give other accounts more permissions, such as
changing a read-only account to read and write permission.

Managing accounts
The following accounts can manage other accounts, but they have some
limitations.

The default admin account has permission to do anything. This account can
manage other admins and users in any domain on your FortiMail unit.
Note: Set the password for the default admin account. By default, this account has no
password. The password should be at most 32 characters long, and for improved security
the password should be at least 6 characters long.

Admin accounts in the system domain that have admin permission can manage
the users in the system domain (accounts without admin permission) as well as
all the users of the other domains. However, these accounts cannot manage
other admin accounts in the system domain that have admin permission; that is,
they cannot manage their peers.
Admin accounts in other domains can manage the users in their domain. Except
for the system domain, there is only one admin per domain.

Adding an administrator account


Go to Settings > Config > Admin to configure administrator accounts.
For security reasons, create additional system and domain administrators with
limited access rights for less-demanding management tasks.
Figure 8: Administrator account list

Name

The login name for the Administrator account.

Domain

The domain to which an administrator belongs.
This option is not available in server mode.

Trusted Host

Trusted Host IP address for the location from which the administrator can
log into the web-based manager.

Netmask

Netmask for the location from which the administrator can log into the
web-based manager.

Permission

Administrator account access level: none, read, write, read & write, or all.
All is only used for the super admin account.

Modify

Delete, edit or change the password of an administrator account.

Create New

Opens the New Administrator page.

To add an administrator account


1. Go to Settings > Config > Admin.

2. Select Create New to add an administrator account.

3. Type a login name for the administrator account.
The login name can contain numbers (0-9), uppercase and lowercase letters
(A-Z, a-z), and the special characters - and _. Other special characters and
spaces are not allowed.

4. If you are not in server mode, select a domain on which you want to create
the administrator account.

5. Type and confirm a password for the administrator account.
For improved security, the password should be at least 6 characters long. The
password can contain any characters except spaces.

6. Optionally type a Trusted Host IP address and netmask for the location from
which the administrator can log into the web-based manager.
If you want the administrator to be able to access the FortiMail unit from any
address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0.
To limit the administrator to only access the FortiMail unit from a specific network,
set the trusted host to the address of the network and set the netmask to the
netmask for the network. For example, to limit an administrator to accessing the
FortiMail unit from your internal network, set the trusted host to the address of
your internal network (for example, 192.168.1.0) and set the netmask to
255.255.255.0.

7. Set the Permission level for the administrator.

8. Select OK.
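
The rules in the procedure above can be checked before an account is created. The following is an added example, not code from Fortinet or from this guide: the function names are hypothetical, and it assumes the trusted host and netmask are matched by the usual masked comparison of the source address against the network address.

```python
import ipaddress
import re

# Login-name rule from step 3: digits, letters, "-" and "_" only.
LOGIN_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def netmask_to_int(netmask):
    """Return the netmask as a 32-bit integer, rejecting non-contiguous masks."""
    mask = int(ipaddress.IPv4Address(netmask))
    inverted = mask ^ 0xFFFFFFFF
    # A valid mask is a run of 1 bits followed by 0 bits, so the inverted
    # value plus one must be a power of two (2**32 for 0.0.0.0).
    if inverted & (inverted + 1):
        raise ValueError(f"netmask {netmask} is not contiguous")
    return mask


def login_allowed(source_ip, trusted_host, netmask):
    """True if source_ip falls inside trusted_host/netmask (assumed semantics)."""
    mask = netmask_to_int(netmask)
    source = int(ipaddress.IPv4Address(source_ip))
    network = int(ipaddress.IPv4Address(trusted_host))
    return (source & mask) == (network & mask)


def review_account(name, password, trusted_host="0.0.0.0", netmask="0.0.0.0"):
    """Check a proposed administrator account; return (errors, warnings)."""
    errors, warnings = [], []
    if not LOGIN_NAME_RE.fullmatch(name):
        errors.append("login name has characters other than 0-9, A-Z, a-z, - and _")
    if " " in password:
        errors.append("password contains a space")
    if len(password) < 6:
        warnings.append("password is shorter than 6 characters")
    try:
        mask = netmask_to_int(netmask)
        ipaddress.IPv4Address(trusted_host)
    except ValueError as exc:
        errors.append(f"trusted host or netmask is invalid: {exc}")
    else:
        if mask == 0:
            # Step 6: 0.0.0.0/0.0.0.0 means the account can log in from anywhere.
            warnings.append("trusted host 0.0.0.0/0.0.0.0 permits login from any address")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample requests: (name, password, trusted host, netmask).
    samples = [
        ("mail-ops_1", "S3cure-pass", "192.168.1.0", "255.255.255.0"),
        ("ops admin", "abc de", "0.0.0.0", "0.0.0.0"),
        ("auditor", "longenough", "10.0.0.0", "255.0.255.0"),
    ]
    for sample in samples:
        errors, warnings = review_account(*sample)
        print(sample[0], "errors:", errors, "warnings:", warnings)
    # Source addresses checked against the internal network from step 6.
    for source in ("192.168.1.77", "192.168.2.77"):
        print(source, login_allowed(source, "192.168.1.0", "255.255.255.0"))
```
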

Network
Network includes system settings that affect network connectivity.
These settings include:

Interface

Configuring DNS

Configuring routing

Interface
Which model you have determines the number of ports:

FortiMail 400 units have six interfaces: port 1 to 6

FortiMail 100, 2000, 2000A, and 4000A units have four interfaces: port 1 to 4

You can use one interface to connect the unit to the network or two or more
interfaces to provide flexibility.
Go to Settings > Network > Interface to view the interface information.
Figure 9: Interface list

Name

Name of the FortiMail unit interfaces.

IP

The IP addresses of the FortiMail unit interfaces.
In transparent mode, the default IP is Bridging, which means the interface
works as a layer 2 bridge. You can assign an IP to the interface for user
access.

Netmask

The netmasks of the FortiMail unit interfaces.
In transparent mode, the default IP is Bridging, which means the interface
works as a layer 2 bridge.

Access

The management access configured for the interface.

Status

The administrative status for the interface.
If the administrative status is a green arrow, the interface is up and can
accept network traffic. If the administrative status is a red arrow, the interface
is down and cannot accept traffic.
Select Bring Up to start an interface that is down.
To bring down an interface, open the command line interface (CLI) and enter
the command
set system interface <intf_str> config status down
where <intf_str> is the name of the interface.

Modify

Select the Modify icon to edit an interface configuration.

Note: In transparent mode, the default IP and Netmask of Port 1 cannot be changed. This
port is used by the management IP.

Editing interface settings


Go to Settings > Network > Interface, and select the Edit icon for the interface
that you want to configure.
For security reasons, allow management access to only the FortiMail interfaces
requiring it.
Figure 10: Interface settings in Gateway mode

Addressing mode
Interface Name

Displays the name of the interface (such as port2) and the
MAC address associated with this interface.

Do not associate with Management IP

This is available only in transparent mode on all ports except
Port 1.
Select to assign an IP address to the interface. The interface is
no longer part of the transparent bridging configuration.
Enter the IP address and netmask for the interface in the
IP/Netmask field. The IP address must be on the same subnet
as the network to which the interface connects.

Manual

Use a static IP address. Enter the IP address and netmask for
the interface in the IP/Netmask field. Two interfaces cannot
have IP addresses on the same subnet.

IP/Netmask

Enter the IP address and netmask for the interface.
The IP address must be on the same subnet as the network to
which the interface connects.
In gateway or server mode, you must select Manual.
In transparent mode, you must select the Do not associate with
management IP check box.

DHCP

Use a dynamic IP address obtained using DHCP.
This is not available in transparent mode.

Retrieve default gateway and DNS from server

By default, the FortiMail unit retrieves both the default gateway
and DNS addresses from the DHCP server, replacing the
previously configured values. Disable this option if you do not
want the FortiMail unit to do this.

Connect to Server

Disable this option if you are configuring the interface offline
and do not want the unit to attempt to obtain addressing
information. This option applies to DNS.

Status

Displays status messages as the FortiMail unit connects to the
DHCP server and gets addressing information. Select Status to
refresh the status message.

Access
HTTPS

Allow secure HTTPS connections to the web-based manager
through this interface.

Ping

Interface responds to pings. Use this setting to verify your
installation and for testing.

HTTP

Allow HTTP connections to the web-based manager through
this interface. HTTP connections are not secure and can be
intercepted by a third party.

SSH

Allow SSH connections to the CLI through this interface.

SNMP

Allow SNMP access through this interface.

Telnet

Allow Telnet connections to the CLI through this interface.
Telnet connections are not secure and can be intercepted by a
third party.

MTU
Override default MTU value

To improve network performance, you can change the
maximum transmission unit (MTU) of the packets that
the FortiMail unit transmits from any interface.
To change the MTU, select Override default MTU value (1500)
and enter the maximum packet size. For manual and DHCP
addressing mode the MTU size can be from 576 to 1500 bytes.

Note: Avoid allowing administrative access for an interface connected to the
Internet unless this is required. To improve the security of this configuration use
secure administrative user passwords, change these passwords regularly, enable
secure administrative access to this interface using only HTTPS or SSH, and do
not increase the system idle timeout from the default value of 5 minutes.

Configuring DNS
Go to Settings > Network > DNS to configure the IP addresses of the primary
and secondary DNS servers to which the FortiMail unit can connect. DNS server
IP addresses are usually supplied by your ISP.

Note: For improved FortiMail unit performance, the DNS server(s) should be locally placed.

Figure 11: DNS settings (Transparent and Gateway modes)

Primary DNS Server

Enter the primary DNS server IP address.

Secondary DNS Server

Enter the secondary DNS server IP address.

Configuring routing
Go to Settings > Network > Routing to configure static routing on the FortiMail
unit to route the filtered email to the destination network.
Figure 12: Routing list

Destination IP

Displays the destination network IP address to which the FortiMail unit
routes email.

Mask

Displays the netmask for the route.

Gateway

Displays the gateway IP address for the route.

Modify

Allows you to delete or edit the routing information.

Create New

Open the New Routing Entry page to create a new route.

Route entry
Go to Settings > Network > Routing to configure routing and select Create New
to add a route. You can also select the Edit icon of an existing route to modify it.
Figure 13: Edit routing entry

Destination IP

Enter the destination IP address for this route.
To create a default route, set the Destination IP to 0.0.0.0.

Mask

Enter the netmask for this route.
To create a default route, set the mask to 0.0.0.0.

Gateway

Enter the IP address of the next hop router to which this route directs
traffic. For an Internet connection, the next hop routing gateway routes
traffic to the Internet.

Domains
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
It is good form to configure a local domain name that is different from the domain
name of your back end mail server. The local domain name will be used by many
FortiMail features such as email quarantine, Bayesian database training, spam
reports, and DSN notifications. A subdomain of the protected domain is
recommended for the local domain because of the domain registration savings.
Domains includes:

Domains

Local Host

Domains
Go to Settings > Domains > Domains.
Note: In gateway mode, proper MX record configuration is needed for directing the mail
destined to protected domains to this FortiMail unit.

Note: The local domain name should be globally DNS-resolvable only if the FortiMail unit is
used as an outbound relay server.

In transparent or gateway mode, go to Mail Settings > Domains to view your
domains.
Figure 14: Domain list (Transparent and Gateway modes)

Domain

Displays the domain names of the mail servers.
A + next to a domain entry indicates it has a subdomain that will be
displayed if you select the +. Normally a - will be displayed.

Use MX

A green check indicates that MX record is used for this domain.
A red X indicates that SMTP server and port are used instead of MX.

SMTP Server

Displays the SMTP server IP address and port. The SMTP server
entry will be blank if Use MX shows a green check.

Modify
Delete icon

Delete the domain. In server mode, this also deletes the users you
have configured for this domain.

Edit icon

Edit the domain settings. See Creating an email domain
(transparent and gateway modes) on page 45.

Create New

Create a new domain. See Creating an email domain (transparent
and gateway modes) on page 45.

Creating an email domain (transparent and gateway modes)


In transparent or gateway mode, go to Mail Settings > Domains > Domains.
Select Create New to create email domains.
When editing an email domain, you are not able to change the domain name. All
other settings can be changed.
You have the option of using secured SMTP (SMTPS) instead of just SMTP. This
provides more security to your mail actions.
Figure 15: Add email domain (gateway mode)

Domain FQDN

Enter the fully-qualified domain name of your server.

Use MX Record

Select to use the record from the MX table entry to define the
domain.
When this control is enabled, SMTP Server and Fallback MX Host
are not selectable. Instead the MX entry for the FQDN for the
domain is used.

SMTP Server

Enter the IP address, or FQDN, and the port of your server.
If you want to use SMTPS instead of SMTP, select Use smtps.

Fallback MX Host

Enter the IP address, or FQDN, and port of your backup SMTP
server. This backup server functions in case your primary SMTP
server fails.
If you want to use SMTPS instead of SMTP, select Use smtps.

Local Host
Go to Settings > Domains > Local Host to configure the local host on your
FortiMail unit. The local host is the system domain.

Figure 16: Local Host (gateway mode)

Local Host
Host Name

Enter the host name of the FortiMail unit.
Use a different host name for each FortiMail unit when you are
managing multiple FortiMail units of the same model or when
configuring a FortiMail HA group.
A FortiMail unit operating in HA mode displays the host name in
the status bar at the bottom of the web-based manager and adds
the host name to the subject line of alert email messages.

Local Domain Name

Enter the local domain name. The FortiMail unit's FQDN is
<Host Name>.<Local Domain Name>.
(transparent and gateway modes only).

SMTP Server Port Number

The default port number is 25. You can change it if needed.

SMTP over SSL/TLS

Enable to accept SSL/TLS encrypted email from servers that have
enabled the Use SSL/TLS option if available. Otherwise, the
FortiMail SMTP server receives plain text email.
This option must be enabled to use SMTPS.

SMTPS Server Port Number

The default port number is 465. You can change it if needed. This
allows the encrypted SMTP traffic to pass through the SMTPS
Server Port.

SMTP Authentication

Select to enable. Requires login to SMTP server when enabled.
(server mode only). Authentication for SMTP connections is
enabled by default.

Relay Server

Relay Server Name

If your ISP provides a relay email server, enter its name.

Relay Server Port

If your ISP provides a relay email server, enter its port number.

Use smtps

Select to use secured SMTP (SMTPS) with this relay server.

Authentication Required

Select if the Relay server requires authentication.
When selected, enter the User Name, Password, and select the
authentication type as one of AUTO, PLAIN, LOGIN, DIGEST-MD5,
or CRAM-MD5.

Antispam
After you have integrated the FortiMail unit into your network by configuring the
network and domain settings (see Network on page 40 and Domains on
page 44), you can configure the antispam settings to take advantage of the
FortiMail antispam features to protect your backend email servers and email
users.
This section contains the following topics:

Incoming vs outgoing email

Configuring antispam and AV settings for incoming email

Configuring antispam and AV actions for incoming email

Configuring antispam and AV settings for outgoing email

Configuring antispam and AV actions for outgoing email

Incoming vs outgoing email


Incoming email messages are those sent to the protected email servers behind
the FortiMail unit. For example, if the email domain configured and protected by
the FortiMail unit is example.com, all messages sent to example.com are treated
as incoming email by the FortiMail unit. For information about configuring mail
domains, see Domains on page 44.
Outgoing email messages are those sent to recipients on domains that are
not configured on the FortiMail unit. For example, if the email domain
othercompany.com is not configured and protected by the FortiMail unit, all
messages sent to othercompany.com are treated as outgoing email.
Incoming antispam and antivirus settings in the basic configuration cover both the
recipient-based and IP-based policies in the advanced configuration. For details,
see Creating email filtering and control policies on page 199.

Configuring antispam and AV settings for incoming email


After you have created a mail domain, a default incoming antispam and antivirus
policy will be applied to the domain.
You can configure the default policies.
Figure 17: Incoming antispam and antivirus settings

To configure the incoming antispam and antivirus settings for a domain


1. Go to Settings > AntiSpam > Incoming.

2. For each domain, a default antispam setting called Advanced and a default
antivirus setting called Advanced are applied. Select the Edit icon to modify the
antispam and antivirus setting for a domain.

3. Configure the following settings and select OK.

AntiSpam Level

Select one of the following:
Off: No antispam scanning.
Low: Good spam detection rate.
Medium: Better spam detection rate with a small impact on system
performance.
High: Best spam detection rate with an additional impact on system
performance.

AntiVirus Status

Select either Disabled or Enabled.

External SMTP Server Setting

Configure the SMTP server settings for user authentication. For
details, see Configuring SMTP server authentication on page 176.

Configuring antispam and AV actions for incoming email


You can select the action(s) you want to take against spam and virus-infected
incoming email.
To configure the actions
1. Go to Settings > AntiSpam > Incoming Action.

2. Configure the following actions and select Apply.


AntiSpam Action options
Tag Email in subject line

Enable and enter the information to appear in the subject line of the spam
notification email sent to the recipient by the FortiMail unit, such as, This
is spam.
If you enable this option, the FortiMail unit sends found spam to recipients
with the tag information you entered. A recipient can set up a spam folder
on his or her email client software to automatically collect the spam with
that subject line information.
You must provide the users with the subject line information before they
can set up their spam folders.

Tag Email with Header

Enable and enter the header information to be added to the spam
notification email sent to the recipient by the FortiMail unit.
If you enable this option, the FortiMail unit sends found spam to recipients
with the header information you entered.
Most email clients allow users to sort incoming email based on text
appearing in various parts of email messages, including the header. See
your email client documentation for further details.

Reject

Enable to have the FortiMail unit reject spam and send reject responses
to the sender.

Discard

Enable to have the FortiMail unit discard spam without sending reject
responses to the senders.

Quarantine

Enable to have the FortiMail unit redirect detected spam messages to the
spam quarantine. See Spam quarantine on page 209. The quarantine
action is only available for incoming antispam profiles.

Delete Messages: Enter the number of days you want to keep the
quarantined email. Enter a small enough value that will prevent the
size of the quarantine from exceeding the available disk space. If you
enter 0 to prevent automatic deletion of quarantined files, be sure to
periodically remove old files yourself.

Send Spam Report: Select to send daily summary reports to email
users about their quarantined email.

Email Release: Select to activate the auto release and auto delete
functions. See Releasing and deleting quarantined spam on
page 211.

Web Release: Select to enable the ability to release spam by selecting
the Release links in the HTML quarantine report. See Understanding
the HTML formatted spam report on page 215.

Add the sender of a released message to personal white list: Select to
automatically have the sender of a message released from quarantine
added to the user's personal white list.

Quarantine for review

Enable to have the FortiMail unit redirect detected spam messages to the
system quarantine. See System Quarantine on page 219.
The Quarantine for review action is only available for outgoing antispam
profiles.

Allow users to automatically update personal White list from sent emails

Enable to have the FortiMail unit collect the recipient email addresses
from a user's outgoing email and add the addresses to the user's white
list under the Preference tab of the FortiMail Webmail. That is, it will not
treat future incoming email from these addresses as spam.
The same option is also available on the FortiMail Webmail configuration.
This option works only if it is enabled both in the user's profile and in the
user's Webmail configuration.
There are three occasions when a user's white list auto-updating setting
is automatically created by the system:

When a user logs into the FortiMail Webmail.

When you configure a user's black/white list (See Configuring
personal black and white lists on page 237).

When a user sends email out through the FortiMail unit.

In all three occasions, the FortiMail unit first checks if the white list
auto-updating setting has been created for a particular user. If it is
created, the FortiMail unit adopts the setting for the user. If it is not
created, the FortiMail unit looks for the user's policy to check the user's
antispam profile. If the user has a policy, the FortiMail unit adopts the
setting from the policy. If the user has no policy, the FortiMail unit uses the
default setting - disable.
This option is available for incoming option only.

Forward to email address

Enable and enter an email address so that the FortiMail unit can forward
spam to this address.
AntiVirus Action options
Reject

Enable to have the FortiMail unit reject the infected email and send reject
responses to the sender.

Discard

Enable to have the FortiMail unit discard the infected email without
sending reject responses to the senders.

Configuring antispam and AV settings for outgoing email


After you have created a mail domain, a default outgoing antispam and antivirus
policy will be applied to the domain.

You can configure the default policies.


Figure 18: Outgoing antispam and antivirus settings

To configure the outgoing antispam and antivirus settings for a domain


1. Go to Settings > AntiSpam > Outgoing.

2. For each domain, a default antispam setting called Advanced and a default
antivirus setting called Advanced are applied. Select the Edit icon to modify the
antispam and antivirus setting for a domain.

3. Configure the following settings and select OK.

AntiSpam Level

Select one of the following:
Off: No antispam scanning.
Low: Good spam detection rate.
Medium: Better spam detection rate with a small impact on system
performance.
High: Best spam detection rate with an additional impact on system
performance.

AntiVirus Status

Select either Disabled or Enabled.

Access Control

You can configure the FortiMail unit to allow, discard, reject, or relay
email based on the sender, recipient, client IP, or a reverse look up
of the client hostname. For details, see Configuring email access
on page 139.

Configuring antispam and AV actions for outgoing email


You can select the action(s) you want to take against spam and virus-infected
email.
For the outgoing email, the actions are similar to the actions for incoming email.
For details, see Configuring antispam and AV actions for incoming email on
page 48.

Log & Report


The FortiMail unit provides extensive logging capabilities for virus incidents, spam
incidents and system event functions. Detailed log information and reports provide
historical as well as current analysis of network activity to help identify security
issues and reduce network misuse and abuse. This section provides information
on how to enable logging, view log files and reports available through the
web-based manager.

FortiMail logging
The FortiMail unit provides detailed log information and reports in basic
management mode. The detailed log information and reports provide historical as
well as current analysis of network activity to help identify security issues and
reduce network misuse and abuse.
A FortiMail unit can log many different email activities and traffic including:

system-related events including system restarts and HA activity

antivirus infection and blocking

spam filtering

POP3, SMTP, IMAP and WebMail events.

By default, the FortiMail unit stores all log files to the local hard disk. Log files are
accessed from Log & Report > Logging. History logs display on the System
Status page and in the Logging menu.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
details and descriptions of log messages.

Logs

Viewing log messages

Searching log messages

Customizing the column views

Managing log files

Alert Email

Reports

Viewing reports

Browsing reports

Downloading a report

Logs
Logs recorded by the FortiMail unit contain valuable information about email
events and activities that occur on your network. These logs record per recipient,
which presents log information in a very different way than most other logs do. By
recording logs per recipient, log information is presented in layers, which means
that one log file type contains the what and another log file type contains the why.
For example, a log message in the history log contains an email message that the
FortiMail unit flagged as spam (the what) and the antispam log contains why the
FortiMail unit flagged the email message as spam.

Logs are divided into four types: history, event, antispam, and antivirus. Each of
these four log types contains a session identification number, located in the
session ID field of each log message that is recorded by the FortiMail unit. The
session ID corresponds to each of the four log types so that the administrator can
get all the information about the event or activity that occurred on their network.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
additional information about log messages that are recorded in FortiMail 3.0.

History logs
History logs are used to quickly determine the disposition of a message. History
logs describe what action was taken by the FortiMail unit. Administrators use the
history logs to quickly determine the status of a message for a specific recipient,
and then go to other logs with that session ID to find out why that particular action
was taken.
In the following log messages, the bolded information indicates what an
administrator looks for when using history logs to find out what action was taken,
and the antispam log to find out why the action was taken.
(Below is an example of a history log message)
2008-01-07 18:19:08 log_id=04000050100 type=statistics
subtype=n/a pri=information session_id=m07NJ62T00110
from=aabb@example.com mailer=mta
client_name=[172.16.105.99] resolved=OK
to=ccdd@example.com message_length=0 virus=
disposition=0x200 classifier=0x12 subject=accounting
information
From the disposition, 0x200, we know that the FortiMail unit deferred the delivery
of the email message. We then take the session ID number and match it within the
antispam logs, as in the following:
2008-01-07 18:19:08 log_id=0501080300 type=spam
subtype=detected pri=information session_id= m07NJ62T00110
client_name= [172.16.105.99] from=aabb@example.com
to=ccdd@example.com subject=accounting information
msg=Grey Listing sender
From the above antispam log message, we now know why the FortiMail unit deferred
the delivery: the FortiMail unit has the sender in a grey list, which is
shown in the message field.
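
The lookup described above (take the disposition from the history log, then find the reason in the antispam log by session ID) can be scripted. This is an added example, not part of the guide or of any Fortinet tool: the function names are hypothetical, the log lines are constructed from the two sample messages above, and only the 0x200 disposition is decoded because it is the only one the text explains.

```python
import re
from collections import defaultdict

# Constructed input: the guide's two sample messages, each joined onto one line.
# The second history record is constructed (placeholder values) to show a
# session that has no matching antispam entry.
HISTORY_LOG = [
    "2008-01-07 18:19:08 log_id=04000050100 type=statistics subtype=n/a "
    "pri=information session_id=m07NJ62T00110 from=aabb@example.com mailer=mta "
    "client_name=[172.16.105.99] resolved=OK to=ccdd@example.com "
    "message_length=0 virus= disposition=0x200 classifier=0x12 "
    "subject=accounting information",
    "2008-01-07 18:21:40 log_id=04000050100 type=statistics subtype=n/a "
    "pri=information session_id=m07NL40T00111 from=eeff@example.com mailer=mta "
    "client_name=[172.16.105.98] resolved=OK to=ccdd@example.com "
    "message_length=0 virus= disposition=0x1 classifier=0x12 subject=minutes",
]
ANTISPAM_LOG = [
    "2008-01-07 18:19:08 log_id=0501080300 type=spam subtype=detected "
    "pri=information session_id= m07NJ62T00110 client_name= [172.16.105.99] "
    "from=aabb@example.com to=ccdd@example.com "
    "subject=accounting information msg=Grey Listing sender",
]

# Only the code explained in the text; other codes are reported as unknown.
DISPOSITIONS = {0x200: "deferred"}

# A field starts at "name=" preceded by whitespace or the start of the body.
# Values may be empty, quoted, or contain spaces (subject, msg). A value that
# itself contains " word=" would be split; that limitation is accepted here.
KEY_RE = re.compile(r"(?:^|\s)([a-z_]+)=")


def parse_line(line):
    """Parse one log message into a dict of its fields plus date and time."""
    line = " ".join(line.split())  # undo wrapping and repeated spaces
    match = re.match(r"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$", line)
    if not match:
        raise ValueError(f"no timestamp in log line: {line[:40]!r}")
    record = {"date": match.group(1), "time": match.group(2)}
    body = match.group(3)
    keys = list(KEY_RE.finditer(body))
    for index, key in enumerate(keys):
        end = keys[index + 1].start() if index + 1 < len(keys) else len(body)
        record[key.group(1)] = body[key.end():end].strip().strip('"')
    return record


def correlate(history_lines, antispam_lines):
    """Attach antispam reasons (msg fields) to each history record by session ID."""
    reasons = defaultdict(list)
    for line in antispam_lines:
        record = parse_line(line)
        session = record.get("session_id", "")
        if session and session != "n/a":
            reasons[session].append(record.get("msg", ""))
    results = []
    for line in history_lines:
        record = parse_line(line)
        raw = record.get("disposition", "")
        try:
            action = DISPOSITIONS.get(int(raw, 16), f"unknown ({raw})")
        except ValueError:
            action = "unknown (missing disposition)"
        session = record.get("session_id", "")
        results.append({
            "session_id": session,
            "to": record.get("to", ""),
            "subject": record.get("subject", ""),
            "action": action,
            "reasons": list(reasons.get(session, [])),
        })
    return results


if __name__ == "__main__":
    for row in correlate(HISTORY_LOG, ANTISPAM_LOG):
        why = "; ".join(row["reasons"]) or "no antispam entry for this session"
        print(f'{row["session_id"]} to={row["to"]} {row["action"]}: {why}')
```
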

Event logs
Event logs contain log messages that concern network or system activities and
events, such as firmware upgrades or password changes. This log type shows
what is occurring at the protocol level, as well as the TCP level.
The following is an example of an event log message:
2008-02-09 13:56:56 log_id=0100010601 log_part=00 type=event
subtype=config pri=information user=admin ui=console
module=system submodule=dns msg=DNS has been changed by
user admin via CLI (console)

The event log does not have the same relationship with the history log as the
antispam or antivirus log does. The event log is not necessarily used for finding
the reason why an event occurred because there may not be a corresponding
session ID number. Event logs are also usually self-explanatory, meaning they
usually give the what and why within the log message.

Antispam logs
Antispam logs provide information pertaining to email messages that are
classified as Spam or Ham messages. The antispam logs describe why they were
classified, as was shown in the example in History logs on page 52.
The following is an example of an antispam log message:
2008-02-12 11:31:29 log_id=0501016384 log_part=00 type=spam
subtype=detected pri=notice session_id="m08CNJ42P0054"
from="" to="" msg="Loaded 91 FortiGuard heuristic rules. 88
are active (v1ubtype=detected pri=information session_id=""
from="" to="" msg="Deep Header Scanner Rules Reload Finished."
Antispam log messages describe spammy URIs, black/white listed IP addresses,
or other techniques the FortiMail unit used to classify the message. Antispam log
messages may also describe message processing errors, such as not handling
email that was sent from a specific user.

Antivirus logs
Antivirus logs provide information pertaining to email messages that are classified
as virus or suspicious messages. These log messages describe what virus is
contained in the email message or in a file attached to the email message.
The following is an example of an antivirus log message:
2008-03-28 16:30:18 log_id=0200060101 log_part=00 type=virus
subtype=infected pri=information session_id=n/a
from=abba@hynj.com to=<bccb@xyn.com> src_ip=172.20.130.26
msg=The file wqdf.zip is infected with HGBYN_TEST_FILE.
Administrators use antivirus logs to determine why an attachment was stripped
from a file after someone informed them about not receiving an attachment.
Administrators may also use this log type to verify why the history log detected a
virus.
The session ID is not usually used to look up an antivirus log message; the
time stated in the time field of the log message is usually used, along with the
search method.

Log message severity levels


Log messages contain severity levels. A severity level indicates important and/or
critical events that occur on your network. When a severity level is selected, the
FortiMail unit records all log messages at and above that logging severity level.
For example, if you select Error, the FortiMail unit logs Error, Critical, Alert and
Emergency level messages.


Table 2: Log severity levels

Levels            Description
0 - Emergency     The system has become unusable.
1 - Alert         Immediate action is required.
2 - Critical      Functionality is affected.
3 - Error         An error condition exists and functionality could be affected.
4 - Warning       Functionality could be affected.
5 - Notification  Information about normal events.
6 - Information   General information about system operations.

Viewing log messages


You can view log messages in Log & Report > Logging. Each tab within the
Logging menu displays log messages for that log type. The log types are History,
Event, Antispam, and Antivirus. For example, by selecting the Event tab, you can
view all log messages that recorded system events and activities. The Logging
menu also provides navigational features, such as customizing column settings.
You can view history logs from either the System Status page or the Logging
page.
The Logging menu also enables you to view rolled log files. A rolled log file is a log
file that has reached its specified maximum size and starts a new log file.
Rolled log files appear by time period, not by rolled log file name. For example, the
event log rolled; that rolled event log displays as 2008-03-05 Wed 15:11:12 2008-03-10 06:30:55 Mon,
instead of elog.log1. The current log appears at the top of
the list, and rolled logs appear below. A current log file contains only recent log
messages.
Figure 19: Viewing the log file list
(Figure callouts: Next Page/Previous Page, Empty Log, Delete Selected Items, View, Download, Delete)

Next Page / Previous Page
    Select to move through the pages of log files.
View per page
    Select the number of rows of log entries to display per page.
Go to line
    Enter a line number and select Go to jump to the specified line.


Delete Selected Items
    Select the log files by clicking the checkbox in the same row. Select
    Delete Selected Items to remove those items from the hard disk.
Action
    Select from the following actions:
    Select Empty Log to clear the current log file of all messages.
    Select View to open the log file and view the log messages.
    Select Download to save the log file to a local or network drive.
    Select Delete to remove the selected log file from the hard disk.

The Logging menu enables you to view the log messages from a selected log file.
The columns that appear reflect the content in the log file.
When you are viewing log messages, you can also view the log message in Raw
format by moving your mouse over a number in the # column. You can also
highlight a log message by selecting the row that the log message is in.
To view log messages
1. Go to Log & Report > Logging.
2. Select the log type tab of the log file to view.
3. Locate the log file.
4. Select the view icon from the Action column.


Figure 20: Viewing log data
(Figure callouts: Next Page/Previous Page, Search)

Next Page / Previous page
    Select to move through the pages of log messages.
Search
    Select to search the log file for specific information. For more
    information, see Searching log messages on page 56.
Level
    Select the log severity level to view. The FortiMail unit displays the
    log messages for selected level and above.
View lines per page
    Select the number of log messages displayed on each page.
Go to Line
    Type the line number of the first line you want to display and select
    Go.
Choose Columns
    Select to add or remove log information columns to display. For more
    information, see Customizing the column views on page 58.


Searching log messages


Searching provides a way to quickly find specific log information, such as subtype
and type, or time the log message occurred. The search method uses keywords
as well as log identification (session ID or Log ID), to find the log message you
require. The search method searches through all log files to find a specific log file
or a log file containing a specific word or phrase.
To search log messages
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select View in the Action column for a log file.
4. Select Search and enter the appropriate information for one or all of the following:

Keyword
    Enter the word or words to search for within the log file.
Subject (History Log only)
    If you are searching for emails, enter the subject line of the email
    contained in the email.
From
    If you are searching for emails, enter the sender's email address.
To
    If you are searching for emails, enter the receiver's email address.
Session Id
    Enter the session identification of the log message you are searching
    for.
Log Id
    Enter the log identification number of the log message you are
    searching for.
Client Name (History Log only)
    Enter the client name of the log messages you are searching for. The
    client name is usually an IP address, for example, 10.30.15.1.
Time within
    Enter the time period of when the log message occurred. Use the
    following options.
    [0 day]
        In the first line, select from the drop-down list, one of the following:
        0 day: default
        One day: day of specified date and time
        One week: week starting before specified date and time
        Two weeks: two week period starting before specified date and time
        One month: month time period starting before specified date and time
    [12] hour(s)
        Select the number of hours from the drop-down list. The list
        provides numbers in the 24 hour format, 0-23. The default is 12.
    [current day of the current month]
        Select the date for the search. The default is the current day of
        the current month. For example, 26 displays because it is
        February 26, 2008.
    [current month]
        Select the month for the search. The default is the current month.
        For example, February displays because it is the current month.
    [current year]
        Select the year for the search. The default is the current year.
        For example, 2008, because 2008 is the current year.
    [current time]
        Select the time for the search. The default is the current time.
        The format is hour only and is in the 24 hour format. For example,
        the time that displays is 10 because it is 10 am.

To search event logs
1. Go to Log & Report > Logging.
2. Select the Event log type tab.
3. Select View in the Action column.
4. Select Search and enter the appropriate information for one or all of the following:

Keyword
    Enter the word or words to search for within the log file.
Session Id
    Enter the session identification of the log message you are searching
    for.
Log Id
    Enter the log identification number of the log message you are
    searching for.
Time within
    Enter the time period of when the log message occurred. Use the
    following options.
    [0 day]
        In the first line, select from the drop-down list, one of the following:
        0 day: default
        One day: day of specified date and time
        One week: week starting before specified date and time
        Two weeks: two week period starting before specified date and time
        One month: month time period starting before specified date and time
    [12] hour(s)
        Select the number of hours from the drop-down list. The list
        provides numbers in the 24 hour format, 0-23. The default is 12.
    [current day of the current month]
        Select the date for the search. The default is the current day of
        the current month. For example, 26 displays because it is
        February 26, 2008.
    [current month]
        Select the month for the search. The default is the current month.
        For example, February displays because it is the current month.
    [current year]
        Select the year for the search. The default is the current year.
        For example, 2008, because 2008 is the current year.
    [current time]
        Select the time for the search. The default is the current time.
        The format is hour only and is in the 24 hour format. For example,
        the time that displays is 10 because it is 10 am.

5. Select Apply.
You can also search event logs by using the Level or Subtype drop-down list. The
Level drop-down list allows you to select a specific log severity level. The Subtype
drop-down list allows you to select a specific subtype. The following tables provide
information on what is available in the drop-down lists of Level and Subtype.


Table 3: Level drop-down list options

Emergency     Displays log messages containing only the Emergency severity level.
Alert         Displays log messages containing only the Alert severity level.
Critical      Displays log messages containing only the Critical severity level.
Error         Displays log messages containing only the Error severity level.
Warning       Displays log messages containing only the Warning severity level.
Notification  Displays log messages containing only the Notification severity level.
Information   Displays log messages containing only the Information severity level.

Table 4: Subtype drop-down list options

ALL             Displays no filtering on the subtype column.
Configuration   Displays log messages containing only configuration in the subtype field.
Admin User      Displays log messages containing only admin user in the subtype field.
Web Mail        Displays log messages containing only webmail in the subtype field.
System          Displays log messages containing only system in the subtype field.
HA              Displays log messages containing only HA in the subtype field.
Update Failure  Displays log messages containing only Update Failure in the subtype field.
Update Success  Displays log messages containing only Update Success in the subtype field.
POP3            Displays log messages containing only POP3 in the subtype field.
IMAP            Displays log messages containing only IMAP in the subtype field.
SMTP            Displays log messages containing only SMTP in the subtype field.
OTHERS          Displays all lines that have a value other than all of the above
                subtypes, from Configuration to SMTP.

Customizing the column views


Each log type has unique column settings that are specific to that log type. You
can customize how these columns display by using the Column Settings icon to
view the information you need within the log messages.
You can also use the column settings feature as a method of filtering log
messages. By adding or removing certain columns, you can view only the parts of
the log messages you want to view. For example, you can remove all columns
except for the subtype, type and message to view only that information for
antispam logs.


Figure 21: Column settings for viewing log messages

To customize the columns
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select View in the Action column for a log file.
4. Select Choose Columns.
5. Select a column name and do one of the following to change the views of the log
   information:

Add ->
    Select to move selected fields from Hidden Columns list to the
    Displayed Columns list.
<- Remove
    Select to move selected fields from the Displayed Columns list to the
    Hidden Columns.
Move up
    Select to move the selected field up one position in the Displayed
    Columns list.
Move down
    Select to move the selected field down one position in the Displayed
    Columns list.

6. Select Apply.

Managing log files


Log files stored on the local disk require regular maintenance. Regular
maintenance ensures that the FortiMail unit is performing well and that the local
disk has plenty of space for new logs.
You can download, empty, or delete log files from the Logging menu. The
following provides procedures and information about downloading, emptying or
deleting log files from the local disk.

Downloading log files


Downloading log files enables you to view them on another computer, while also
providing additional archiving of older log files. Downloading log files also creates
more available space for log files currently being generated by the FortiMail unit.


Log files can be downloaded in one of two formats, normal format and CSV
format. If you download a log file in Normal format, the file is saved as a text
document, displaying the log messages in a text-based program such as Notepad.
If you download a log file in CSV format, the file is saved in a spreadsheet-type of
format, displaying the log messages in a program such as Microsoft Excel.
To download a log file
1. Go to Log & Report > Logging.
2. Select the log type tab.
3. Locate the log file and select Download in the Action column.
4. Select one of the following ASCII text formats:

Download file in normal format
    Downloads the log file in its raw format with an extension of .log.
Download file in CSV format
    Downloads the log format as a comma-separated file with an
    extension of .csv. Each data element is separated by a comma.

The web browser prompts you for a location to save the file.
5. Select Return to return to the previous page.

To download all log files
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select the checkbox in the column header beside the Action column.
4. Select Download in the Action column of the first log file.
5. Select one of the following ASCII text formats:

Download file in normal format
    Downloads the log file in its raw format with an extension of .log.
Download file in CSV format
    Downloads the log format as a comma-separated file with an
    extension of .csv. Each data element is separated by a comma.

6. Select OK to save the file to your management computer.
7. Select Return to return to the previous page.

Emptying a log file


When emptying a current log file, all log messages within the log file are deleted,
not the log file itself. Emptying a log file formats the log disk, increases
performance, and helps with troubleshooting.
Note: If you are unsure about emptying a log file, download the log file first. This ensures
you have the log messages in the event you require those log messages later on.

To empty a current log file
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select the Empty Log icon in the Action column.
   The following message appears:
   Are you sure want to delete: <log_type>?
4. Select OK to continue.

Deleting log files


Deleting log files provides more available space on the FortiMail hard disk. You
can only delete rolled log files.

Caution: Download log files before deleting them. This provides a way to recover deleted
log files in the event you require those deleted log files later on. See Downloading log files
on page 59 for more information about downloading log files.

To delete rolled log files
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select Delete in the Action column for the log file you want to delete.
   You can select multiple rolled log files by selecting the checkboxes of the rolled
   log files you want deleted.

To delete all rolled log files
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select the checkbox in the checkbox column heading.
4. Select Delete Selected Items.

Alert Email
Alert Email enables the FortiMail unit to monitor logs for specific log messages,
and notifies you by email when they appear. For example, if you require
notification about antivirus detection activity, you can configure an alert email that
is sent whenever the FortiMail unit detects antivirus activity.

Configuring alert email


You need to configure at least one DNS server before configuring alert
email. The FortiMail unit uses the SMTP server name to connect to the email
server, and must look up this name on your DNS server. You can configure DNS
servers in System > Network > DNS. See Configuring FortiMail system settings
on page 89 for more information about configuring DNS servers.
To configure alert email
1. Go to Log & Report > Alert Email > Configuration.
2. Enter up to three email addresses in the fields provided.
3. Select Apply.
4. Verify the alert email is configured correctly by selecting Test. This sends an alert
   email to the configured recipient(s).


Selecting event categories


Before the FortiMail unit can send an alert email, you need to enable the event, or
events, that will trigger the FortiMail unit to send an alert email.
To select the events
1. Go to Log & Report > Alert Email > Categories.
2. Select one or more of the following event categories and select Apply:

virus incidents
    Select to send an email when viruses are detected.
critical events
    Select to send an email when the FortiMail unit detects
    a system error that may affect its operation.
disk is full
    Select to send an email when the hard disk on the
    FortiMail unit is full.
remote archiving failures
    Select to send an email when the remote archiving
    feature encounters a failure or more than one failure.
HA events
    Select to send an email when any high availability (HA)
    event occurs. When a FortiMail unit is operating in HA
    mode, the subject line of the alert email includes the
    FortiMail unit host name. This host name is included to
    easily identify which FortiMail unit in the HA group sent
    the email. See HA log messages, alert email, and
    SNMP on page 297 for more information.
disk quota of an account is exceeded (Server mode only)
    Select to send an email when the disk on the FortiMail
    unit exceeds the quota amount in an account.
dictionary is corrupted
    Select to send an email when a dictionary is corrupt.
system quarantine quota is full
    Select to send an email when the system's quarantine
    quota is full.
deferred emails # over(default=10000), interval time (default=30) minutes
    Select to send alert emails if the deferred email query is
    over a defined value. Enter a number between 1 and
    10000 for the number of emails that are over the
    deferred query amount.
    Enter the time duration between alert email messages if
    the number of email size remains over the set limit.

Reports
The FortiMail unit can generate activity reports by analyzing the history log files
and presenting the data in a tabular and graphical format.
Reports provide valuable information, helping you to manage your network more
effectively while making more informed decisions on the administration of your
network and mail server.
The FortiMail unit provides two default pre-defined reports. These pre-defined
reports are available only when you configure basic settings using the quick start
wizard. These two predefined reports, predefined_report_yesterday and
predefined_report_last_week, do not contain a report schedule and must be
manually generated.
You can also configure and generate your own reports from Log & Report >
Reports > Config.
The FortiMail unit generates reports by two methods:

• Reports on demand are reports generated immediately after they are
  configured
• Schedule reports are reports generated at a certain day(s) or time(s). These
  reports are configured with a specific time or day, even a certain year, day and
  time.

FortiMail also generates a Mail Statistics report in System > Status > Mail
Statistics. The Mail Statistics page displays a summary of spam messages and
viruses detected by the scanning tools of the FortiMail unit in tabular and
graphical views. This page also shows actions taken by the unit against spam and
viruses. See Viewing mail statistics on page 73 for more information.
There are no default reports, but there are default settings for configuring reports. For
example, when configuring domains for your report, the default is All Domains. All
Domains includes all types of domains you configured on the FortiMail unit.

Caution: Generating reports at high-traffic times may affect mail traffic coming through the
FortiMail unit. Generate reports during low traffic times, for example at night when there is
less traffic.

Configuring Reports
Reports are configured in Log & Report > Report > Config. These reports are
referred to as report profiles. Report profiles define what information appears in
the report. When you select Create, you can configure the type of report,
device(s) to include, including the time frame for specialized reports.
Figure 22: Viewing report profiles
(Figure callouts: Delete, Edit, Run Report)

Config Name
    The name of the report profile.
Domain
    The mail domain within the report.
Schedule
    The scheduled frequency when the FortiMail unit generates the report.
Modify
    Select Delete to remove the report profile from the list.
    Select Edit to modify the report profile.
    Select Run Report to create a report on demand outside of the
    scheduled time.
Create New
    Select to add a new report profile.

Configuring a report profile


A report profile provides the log information that the FortiMail unit requires for
compiling and generating a report. Configuring a report profile includes
determining what log data information should be in the report, including who
receives the report after it is generated.
To configure a report profile
1. Go to Log & Report > Report > Config.
2. Select Create New.
3. Enter a report name, without spaces, in the Report Name field.
4. Select the blue arrow next to the options you need to configure:

Time Period
    Configure what span of time the FortiMail unit uses when looking
    at the logs. See Configuring the time period for a report profile on
    page 64.
Query Selection
    Select the reports you want to include. See Configuring the query
    selection for a report profile on page 64.
Schedule
    Configure when the FortiMail unit runs the report, for example,
    weekly, or monthly. See Configuring the schedule for a report
    profile on page 65.
Domain
    Select the domains to include in the report. See Configuring the
    domain(s) for a report profile on page 66.
Incoming Outgoing
    Select if the information includes incoming email, outgoing email
    or both. See Configuring incoming and outgoing for a report
    profile on page 66.
Output
    Select the file format for the reports and add email recipients for
    the report. See Configuring the output for a report profile on
    page 66.

5. Select OK.

Configuring the time period for a report profile


Select the time period you want the report to cover. The time period includes all
log information for only the length of time specified.
Figure 23: Report time period

Time Period
    Select the time period for the report. When you select, last n hours,
    days or weeks, a field will appear beside the drop-down list. Enter a
    number in the field, for example, eight, for the last n hours.
From Date
    Select to configure the start date of the report. For example, you may
    want to begin the report on May 5, 2006 at 6 pm.
To Date
    Select to configure the end date of the report. For example, you may
    want to end the report on May 6, at 12 am.

Configuring the query selection for a report profile


Select the query or queries you want included in the report. For example, if you
only want to include log files that concern spam, only the Spam by Sender and
Spam by Recipient queries are selected.


Figure 24: Report query selection

Query Selection
    Select to include or not include log information based on the following
    queries. Select the plus sign to expand the query and select the individual
    queries. Select the checkbox to include all individual queries.
    Mail Statistics
        Select to include mail statistical information by
        day, week, or month.
    Total Summary
        Select to include only summary information of all
    High level breakdown
        Select if you want to include all top level and
        summary information for all queries.
    Mail by Sender
        Select to include only mail messages sent by sender
    Mail by Recipient
        Select to include only mail messages sent by recipient
    Spam by Sender
        Select to include only spam messages sent by sender
    Spam by Recipient
        Select to include only spam messages sent by recipient
    Virus by Sender
        Select to include only virus messages sent by sender
    Virus by Recipient
        Select to include only virus messages sent by recipient.

Configuring the schedule for a report profile


Select to set a schedule for when the FortiMail unit should generate the report.
You can choose from a daily schedule, or specify certain days of the week and/or
hours.
Figure 25: Report schedule

Not Scheduled
    Select if you do not want the report on a schedule.
Daily
    Select to generate the report every day at the same time.
These Days
    Select specific days of the week that the FortiMail unit should
    generate the report.
These Dates
    Select specific days of the month to generate the report. For example,
    to generate a report on the first and thirtieth of every month, enter
    1,30. The comma is required for separating the days.
At Hour
    Select the time of day when the FortiMail unit should generate the
    report.

Configuring the domain(s) for a report profile


Select to remove or add a domain(s) for the report. You can specify a specific
domain for the report. The default, All Domains, includes all domains configured
on the FortiMail unit.
Figure 26: Report domains

Remove Selected
    Select a domain or domains to remove them from the list.
Add
    Enter a domain and select Add to add the domain to the Domain list.

Configuring incoming and outgoing for a report profile


Select to include what type of mail messages, incoming or outgoing (or both), to
include in the report.
Figure 27: Report incoming and outgoing mail messages

Incoming
    Select to only include incoming email messages from senders.
Outgoing
    Select to only include outgoing email messages from recipients.
Incoming and Outgoing
    Select to include both incoming email messages from senders and
    outgoing email messages from recipients.

Configuring the output for a report profile


Select what type of file format you want the report to be, either HTML or PDF. You
can also add email addresses of recipients for receiving the generated report.


Figure 28: Report output

Output
    Select what type of format you want the report to be when it is
    generated. You can select HTML report or PDF report.
Remove Selected
    Select if you want to remove the recipient so he or she will not receive
    the report. Make sure the email address you want removed is
    selected before selecting Remove Selected.
Add
    Enter the email address of the person who will receive the report and
    select Add to add the email address to the list.

Viewing reports
Generated reports display on the Browse page as a roll-up report, or individual
reports in HTML format. A roll-up report is a report that contains all individual
reports included. An individual report has the same look and functionality as the
roll-up report when viewing in HTML format but when viewing the report in one of
the alternate formats, only the right frame with the report information is included.
From Log & Report > Reports > Browse, you can select a report group from the
list in the Report files column and do one of the following:

• Select the report name to view a roll up report of all individual reports
• Select the plus sign to expand the individual report list, and then select to view
  an individual report.

Figure 29: A FortiMail report showing the Mail Sender Report individual report

Browsing reports
You can browse through generated reports in Log & Report > Reports >
Browse. From the Browse page, you can delete reports if required, download
reports to view on another computer, or only view parts of a report.
Figure 30: Browse generated reports
(Figure callouts: Next Page/Previous Page, Delete Selected, Delete, Download HTML, Download PDF)

Previous page icon
    View to the previous page.
Next page icon
    View to the next page.
View lines per page
    Select the number of reports displayed on each page.
Go to Line
    Type the line number you want to display and select Go.
Report Files
    Displays the generated reports. Select the report name to view a
    roll up of all reports in HTML format.
    The report appears in the reports list with the report name, date
    and time the report was generated.
    For example, a report name of Report 1-2007-03-31-2112, is a
    report called Report 1, generated on March 31, 2007 at 9:12pm.
    Select the plus sign to expand the report to view the individual
    reports in HTML format.
Last Access Time
    Indicates the date and time when the FortiMail unit completed the
    generated report.
Size (bytes)
    The file size of the report in HTML format.
Action
    Select Delete to remove the report or report group from the
    FortiMail hard disk.
    Select Download HTML to save the reports on a local hard disk.
    The FortiMail unit downloads the report in TGZ compressed
    format.
    Select Download PDF to save a PDF version of the report on a
    local hard disk.
Check All/Check None
    Select to select all reports for removal from the FortiMail hard disk.
    Select a check box for a report name and select Delete Selected
    to remove the report from the hard disk.

Downloading a report
If you need to view a report outside the FortiMail web-based manager, you
can download the report in either HTML or PDF format.
To download a report
1. Go to Log & Report > Reports > Browse.
2. Locate the report you want to download in the Report Files column.
3. Select the Download icon in the Action column to download an HTML or PDF
   version of the report.


Quick Start Wizard


The Quick Start Wizard leads you through a series of screens to help you set up
your FortiMail unit. It is intended for first-time users doing initial configuration, and
is available only in basic mode. All settings in the Quick Start Wizard can also be
found in the basic and advanced web-based manager interfaces; however, the
Quick Start Wizard has additional descriptions of the settings that are not included
with the other interfaces.
Areas you configure with the Quick Start Wizard include:
• changing the admin password
• system configuration settings such as IP address, netmask, DNS, and gateway


• local host settings such as host name, local domain, and SMTP server settings
• configuring one or more protected domains
• setting the level of incoming and outgoing AntiSpam controls
• turning incoming and outgoing AntiVirus scanning on or off

Note: You need to select your operation mode before running the Quick Start Wizard. For
more information, see Changing the FortiMail operation mode on page 28.

Selecting Quick Start >> starts the Quick Start Wizard.


For more information on setting up your FortiMail unit, see the FortiMail
Installation Guide.


FortiMail unit status and maintenance
You can connect to the web-based manager and view the current system status of
the FortiMail unit. The status information that is displayed includes the current
firmware version, the current virus definitions, the FortiMail unit serial number,
email statistics, and communication sessions.
If you log into the web-based manager using any system level account, you can:
• view the FortiMail unit settings including the FortiMail unit serial number and its
  up time
• view the Mail Statistics page
• view the Session page
The Mail Statistics page shows the number of spam email and viruses detected by
the FortiMail unit in tabular and graphical views. The Session page shows the
active communication sessions to and through the FortiMail unit.
A system administrator with read and write permission can configure FDN
updates. Only the default system administrator, admin, can change the firmware,
back up and restore the configuration, and shut down or restart the unit.
This section includes:
• Viewing the Status page
• Viewing mail statistics
• Viewing the session list
• Changing the FortiMail firmware
• Restarting and shutting down the FortiMail unit
• Changing the FortiMail operation mode
• Backing up and restoring the configuration
• Configuring antivirus updates from the FDN


Viewing the Status page


The System Status page displays first when you log in to the web-based manager
as a system administrator. At any other time, go to System > Status to view the
System Status page. If you logged in as the default system administrator, admin,
you can modify system information and update antivirus definitions.
Figure 31: System status

Automatic Refresh Interval
    Select to control how often the web-based manager updates
    the system status display.

Go
    Select to set the selected automatic refresh interval.

Refresh
    Select to manually update the system status display.

System Information

Serial Number
    The serial number of the current FortiMail unit. The serial
    number is specific to the FortiMail unit and does not change
    with firmware upgrades.

UP Time
    The time in days, hours, and minutes since the FortiMail unit
    was last started.

System Time
    The current time according to the FortiMail unit internal clock.

Firmware Version
    The version of the firmware installed on the current FortiMail
    unit.
    Select Update to change the firmware (see Upgrading to a
    new firmware version on page 75).

Operation Mode
    The current operation mode of the FortiMail unit.
    Select Change to switch modes (see Changing the FortiMail
    operation mode on page 77).

Log Disk
    Displays the capacity of the hard disk that the FortiMail unit
    uses to store log messages.

Mailbox Disk
    Displays the capacity of the hard disk that the FortiMail unit
    uses to store archived email and quarantined spam.

License information

Antivirus
    The current installed version of the FortiMail Antivirus Engine.

Antivirus Definitions
    The current installed version of the FortiMail Antivirus
    Definitions.
    Select Update to manually update the definitions (see
    Updating antivirus definitions from a file on page 83).
    For information about configuring automatic updates, see
    Configuring antivirus updates from the FDN on page 80.
Antispam
    The current installed version of the FortiMail Antispam Engine.

Antispam Definitions
    The current installed version of the FortiMail Antispam Definitions.
System Settings

Settings
    Displays options to backup or restore system settings, or to
    restore system settings to factory defaults. See Backing up
    and restoring the configuration on page 78.

System Resources

CPU Usage
    The current CPU status. The web-based manager displays
    CPU usage for core processes only. CPU usage for
    management processes (for example, for HTTPS connections
    to the web-based manager) is excluded.

Memory Usage
    The current memory status. The web-based manager displays
    memory usage for core processes only. Memory usage for
    management processes (for example, for HTTPS connections
    to the web-based manager) is excluded.

Log Disk Usage
    The current log disk status.

Mailbox Disk Usage
    The current mailbox disk status.

Active Sessions
    The number of communications sessions being processed by
    the FortiMail unit.

History
    Select History to view a graphical representation of the last
    minute of CPU, memory, sessions, and network usage. See
    Sample system resources history on page 73.
    • CPU Usage History: CPU usage for the previous minute.
    • Memory Usage History: Memory usage for the previous minute.
    • Session History: Session history for the previous minute.
    • Network Utilization History: Network utilization for the
      previous minute.

System Command
    Displays the buttons to restart or shut down the FortiMail unit.

History Log
    Displays a pop-up window containing recent log entries. See

Figure 32: Sample system resources history

Viewing mail statistics


Mail statistics displays a summary of spam messages and viruses detected by the
scanning tools of the FortiMail unit in tabular and graphical views.


For information about the FortiMail unit scanning tools, see Creating email
filtering and control profiles on page 161.
To view the mail statistics
1. Go to Management > Status > Mail Statistics.
2. Select Refresh to update the statistics. You can also select an automatic refresh
   interval from 30 seconds to five minutes, and select Go.
   The following information displays:
   • The Summary tab displays, in tabular form, the spam and virus-infected email
     detected by the FortiMail unit. The table also breaks down the spam detected
     by the scanning tools, including heuristic, bayesian, DNSBL, access control,
     system wide black list (System List), and black list set by email users (User
     List).
   • The History tabs display one graph showing the total number of messages sent
     and another graph showing the number of viruses detected for that period:
     hourly, daily, weekly, or yearly.

Viewing the session list


The session list displays information about the communications sessions currently
being processed by the FortiMail unit.
Figure 33: System Session screen

Total Number of Sessions
    Total number of sessions currently being conducted through the
    FortiMail unit.

Page
    The current page out of the total number of pages of sessions.

Refresh icon
    Select to update the session list.

Page up icon
    Select to view the previous page in the session list.

Page down icon
    Select to view the next page in the session list.

View lines each page
    Select 25, 50, 100, or 1000 lines displayed per page.

Protocol
    The service protocol of the connection. For example, udp, tcp, or icmp.

From IP
    The source IP address of the connection.

From Port
    The source port of the connection.

To IP
    The destination IP address of the connection.

To Port
    The destination port of the connection.

Expire(secs)
    The time, in seconds, before the connection expires.


To view the session list
1. Go to System > Status > Session.
   The web-based manager displays the active FortiMail sessions.
2. To navigate the list of sessions, select the Page Up icon or the Page Down icon.
3. Select the Refresh icon to update the session list.

Changing the FortiMail firmware


The default FortiMail system administrator, admin, can change the FortiMail
firmware. Firmware changes are either an upgrade to a newer version or a
reversion to an earlier version.
It is strongly recommended that you always upgrade to the most recent firmware
available for your FortiMail unit.
Follow the appropriate procedure for the firmware change you want to perform:

• Upgrading to a new firmware version
• Reverting to a previous firmware version

Upgrading to a new firmware version


Use the following procedures to upgrade the FortiMail unit to a newer firmware
version.
To upgrade the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus definitions with the definitions
included with the firmware release that you are installing. After you install the new firmware,
use the procedure Manually initiating antivirus definitions updates on page 83 to make
sure that your antivirus definitions are up to date.

1. Copy the firmware image file to your management computer.
2. Log into the web-based manager as the admin administrative user.
3. Go to System > Status > Status.
4. Select Update beside Firmware Version.
5. Type the path and filename of the firmware image file, or select Browse and locate
   the file.
6. Select OK.
   The FortiMail unit uploads the firmware image file, upgrades to the new firmware
   version, disconnects your session, restarts, and displays the FortiMail unit login.
   This process takes a few minutes.
7. Log into the web-based manager.
8. Go to System > Status > Status and check the Firmware Version to confirm that
   the firmware upgrade is successfully installed.
9. Update antivirus definitions. For information about antivirus definitions, see
   Manually initiating antivirus definitions updates on page 83.


Reverting to a previous firmware version


Use the following procedures to revert your FortiMail unit to a previous firmware
version.
Before beginning this procedure you can back up the FortiMail unit configuration.
For information, see Backing up system settings on page 78.
To revert to a previous firmware version using the web-based manager
The following procedures revert the FortiMail unit to its factory default
configuration and delete all configuration on the unit.
Note: Installing firmware replaces the current antivirus definitions with the definitions
included with the firmware release that you are installing. After you install the new firmware,
use the procedure Manually initiating antivirus definitions updates on page 83 to make
sure that antivirus definitions are up to date.

1. Copy the firmware image file to your management computer.
2. Log into the FortiMail unit web-based manager as the admin administrative user.
3. Go to System > Status > Status.
4. Select Update beside Firmware Version.
5. Type the path and filename of the previous firmware image file, or select Browse
   and locate the file.
6. Select OK.
   The FortiMail unit uploads the firmware image file, reverts to the old firmware
   version, resets the configuration, restarts, and displays the FortiMail unit login.
   This process takes a few minutes.
7. Log into the web-based manager.
8. Go to System > Status > Status and check the Firmware Version to confirm that
   the firmware is successfully installed.
9. Restore your configuration.
   For information about restoring your configuration, see Restoring system
   settings on page 79.
10. Update antivirus definitions. For information about antivirus definitions, see
    Manually initiating antivirus definitions updates on page 83.

Restarting and shutting down the FortiMail unit


The default FortiMail system administrator, admin, can restart or shut down the
FortiMail unit.

Caution: Before performing any of these procedures, notify your email users.

To restart the FortiMail unit
1. Go to System > Status > Status.
2. Select Restart.
   The FortiMail unit disconnects your session, shuts down and restarts the unit.
To shut down the FortiMail unit
1. Go to System > Status > Status.
2. Select Shut Down.
   The FortiMail unit shuts down. You can now turn off the power. The unit will restart
   when you turn on the power.

Changing the FortiMail operation mode


The FortiMail unit's operation mode has three possible settings: Gateway mode,
Transparent mode, or Server mode.
The default FortiMail system administrator, admin, can change the FortiMail unit
from one mode to another. Note that you will need to reconfigure almost all of your
settings afterwards.
• When you change the FortiMail unit from server mode to gateway mode or
  vice versa, its configuration resets to factory defaults except the configuration
  for the port 1 interface.
• When you change the FortiMail unit from any mode to transparent mode or
  vice versa, its configuration resets to factory defaults. You lose all of the
  existing configuration.
You need to log in again after changing the mode.

Determining the best operation mode


Each operating mode is best suited for a specific situation. A brief explanation
follows.

• Gateway mode should be used when you do not want your servers to be
  visible to users for security reasons. You will have to make sure you modify
  your mail routing policy to route incoming mail to the FortiMail unit for it to be
  scanned.
• Transparent mode should be used when a network is complex and does not
  allow for changes in the IP addressing scheme.
• Server mode should be used if you need a secure and reliable email server
  with integrated advanced antispam and antivirus capabilities.

For more information about the different operation modes, see Operation mode
on page 11.

Important configuration tips for FortiMail transparent mode


FortiMail transparent mode is best used when a network is complex and does not
allow for changes in the IP addressing scheme. The following are configuration
tips if you use the transparent operation mode.

• Deploy the FortiMail unit in front of your mail server so incoming email is forced
  to go to the FortiMail unit and be scanned.
• The management IP address and all the IP addresses connecting to your
  FortiMail unit's bridged (default) interfaces should be on the same IP subnet.


• Do not connect two ports to the same VLAN on a switch or the same hub.
  Some Layer 2 switches become unstable when they detect the same MAC
  address originating on more than one switch interface or from more than one
  VLAN.
• If the client is configured for authentication and the Use original server to
  deliver mail option under For unknown Servers of SMTP proxies is NOT
  enabled, the FortiMail unit needs an authentication profile configured and
  applied. Also the back end mail server must be explicitly configured to allow
  relay. Without the profile, the authentication will fail.

To change the FortiMail operation mode
1. Go to System > Status > Status.
2. For Operation Mode, select Change.
3. Select the operation mode you want.
4. Select OK.

Backing up and restoring the configuration


The default FortiMail system administrator, admin, can back up the FortiMail
unit's configuration to a file so that the configuration can be restored at a later time.
You can also, if needed, reset the FortiMail unit to its factory default configuration.
Backing up the FortiMail unit's configuration does not back up the Bayesian database
and dictionaries. These must all be backed up separately. For more information,
see Managing Bayesian databases on page 225 and Maintaining dictionaries on
page 192.
Backing up the FortiMail unit's configuration does include all black/white lists,
custom messages, Access Control List (ACL), and user preferences. For more
information, see Configuring system black and white lists on page 236,
Customizing messages and appearance on page 115, and Webmail user
preferences on page 154.
Follow the appropriate procedure for the operation you want to perform:
• Backing up system settings
• Restoring system settings
• Restoring system settings to factory defaults

Backing up system settings


You can back up system settings by downloading them to a text file on the
management computer. You can also download a debug log file or debug trace file
and send it to Fortinet technical support or development for systems analysis
purposes. The trace log file is in a binary format that contains information
additional to the debug log file.
To back up system settings
1. Go to System > Status > Status.
2. Under System Settings, select Backup.
3. Select Backup system settings.
4. Save the file to the management computer.
5. Select Return to go back to the Status page.
To download debug log
1. Go to System > Status > Status.
2. Under System Settings, select Backup.
3. Select Download debug log.
4. Save the file to the management computer.
5. Select Return to go back to the Status page.
To download trace log
1. Go to System > Status > Status.
2. Under System Settings, select Backup.
3. Select Download trace log.
4. Save the file to the management computer.
5. Select Return to go back to the Status page.

Restoring system settings


You can restore system settings by uploading a previously downloaded system
settings text file.
To restore system settings
1. Go to System > Status > Status.
2. Select Restore.
3. Enter the path and filename of the system settings file, or select Browse and
   locate the file.
4. Select OK to restore the system settings file to the FortiMail unit.
   The FortiMail unit restarts, loading the new system settings.
5. Reconnect to the web-based manager and review your configuration to confirm
   that the uploaded system settings have taken effect.

Restoring system settings to factory defaults


Use the following procedure to restore system settings to the values set at the
factory. This procedure does not change the firmware version or the antivirus
definitions.

Caution: This procedure deletes all changes that you have made to the FortiMail unit
configuration and reverts the system to its original configuration, including resetting
interface addresses.

To restore system settings to factory defaults
1. Go to System > Status > Status.
2. Select Restore Factory Defaults.
3. Select OK to confirm.
   The FortiMail unit restarts with the configuration that it had when it was first
   powered on.
4. Reconnect to the web-based manager and review the system configuration to
   confirm that it has been reset to the default settings.
   For information about restoring system settings, see Restoring system settings
   on page 79.

Configuring antivirus updates from the FDN


Any FortiMail system administrator with read and write permission can configure
the FortiMail unit to connect to the FortiGuard Distribution Network (FDN) to
obtain the latest antivirus definitions and antivirus engine.
It is recommended that you configure both scheduled and push updates of
antivirus and attack definitions. If there are any temporary problems with one
method, the other will still be functioning to provide your FortiMail unit with
updated protection.
Dynamic heuristic rules are updated through the FDN. Previously, static heuristic
rules were available under Antispam > Rules where the administrator could
change them. With dynamic heuristic rules, the rules are updated through FDN
and their order is updated as well to ensure that the most common spam methods
are the highest ranking and will be included even if a low percentage of the rules is
used. This allows the most effective antispam scanning while using the least
resources on your FortiMail unit. The dynamic heuristic rule updates are
automatically performed as part of the regular updates.
Before the FortiMail unit can receive antivirus updates, it must be able to connect
to the FortiGuard Distribution Network (FDN). The FortiMail unit uses HTTPS on
port 8890 to connect to the FDN. The FortiMail unit must be able to route packets
to the Internet using port 8890. For information about configuring scheduled
updates, see Scheduling updates on page 84.
You can also configure the FortiMail unit to allow push updates. Push updates are
provided to the FortiMail unit from the FDN using HTTPS on UDP port 9443. To
receive push updates, the FDN must be able to route packets to the FortiMail unit
using UDP port 9443. For information about configuring push updates, see
Enabling push updates on page 85.
The FDN is a world-wide network of FortiGuard Distribution Servers (FDSs).
When the FortiMail unit connects to the FDN it connects to the nearest FDS. To do
this, all FortiMail units are programmed with a list of FDS addresses sorted by
nearest time zone according to the time zone configured for the FortiMail unit.
The FortiMail unit supports the following antivirus definitions update features:

• Manually-initiated updates,
• Hourly, daily, or weekly scheduled antivirus definition and antivirus engine
  updates from the FDN,
• Push updates from the FDN,
• Update status including version numbers, expiry dates, and update dates and
  times,
• Push updates through a NAT device.

To receive scheduled updates and push updates, you must register the FortiMail
unit on the Fortinet support web page. For your FortiMail unit to receive antivirus
updates, it must be able to connect to the FDN.
To be able to access the FortiGuard updates and to send alert email, your
FortiMail unit must have access to a valid DNS server. For more information on
configuring DNS, see Configuring DNS on page 93.
Go to System > Update to configure FDN updates.
Figure 34: Antivirus definitions update

FortiGuard Distribution Network
    The status of the connection to the FortiGuard Distribution
    Network (FDN).
    Available means that the FortiMail unit can connect to the
    FDN. You can configure the FortiMail unit for scheduled
    updates. See Scheduling updates on page 84.
    Unknown means that the FortiMail unit cannot connect to the
    FDN. Check your configuration. For example, you may need to
    add routes to the FortiMail routing table or configure your
    network to allow the FortiMail unit to use HTTPS on port 8890
    to connect to the Internet. You may also have to connect to an
    override FortiGuard server to receive updates. See To add an
    override server on page 84.

Refresh
    When you select Refresh, the FortiMail unit tests its connection
    to the FDN. The test results are displayed at the top of the
    System Update page.

Push Update
    Available means that the FDN can connect to the FortiMail unit
    to send push updates. You can configure the FortiMail unit to
    receive push updates. See Enabling push updates on
    page 85.
    Not Available means that the FDN cannot connect to the
    FortiMail unit to send push updates. Push updates may not be
    available if you have not registered the FortiMail unit (see
    Registering the FortiMail unit on page 83), or if there is a NAT
    device installed between the FortiMail unit and the FDN (see
    To enable push updates through a NAT device on page 86).


Use override server address
    If you cannot connect to the FDN or if your organization
    provides antivirus updates using their own FortiGuard server,
    you can configure an override server.
    Select the Use override server address check box and enter
    the IP address of a FortiGuard server.
    If after applying the override server address, the FortiGuard
    Distribution Network setting changes to Available, the FortiMail
    unit has successfully connected to the override server. If the
    FortiGuard Distribution Network stays set to Unknown, the
    FortiMail unit cannot connect to the override server. Check the
    FortiMail configuration and the network configuration to make
    sure you can connect to the override FortiGuard server from
    the FortiMail unit.

Update
    The antivirus definition and engine for which update
    information is displayed.

Version
    The version numbers of the definition file and engine currently
    installed on the FortiMail unit.

Expiry date
    The expiry date of your license for definition and engine
    updates.

Last update attempt
    The date and time on which the FortiMail unit last attempted to
    download definition and engine updates.

Last update status
    The result of the last update attempt. No updates means the
    last update attempt was successful but no new updates were
    available. Installed updates means the last update attempt was
    successful and new updates were installed. Other messages
    can indicate that the FortiMail unit was not able to connect to
    the FDN and other error conditions.

Allow Push Update
    Select this check box to allow automatic updates of the
    FortiMail unit.

Use override push IP
    Select this check box and enter the override IP address and
    port number. Override push IP addresses and ports are used
    when there is a NAT device between the FortiMail unit and the
    FDN.
    The FortiMail unit sends the override push IP address and Port
    to the FDN. The FDN will now use this IP address and port for
    push updates to the FortiMail unit on the internal network. If
    the External IP Address or External Service Port changes, add
    the changes to the Use override push configuration and select
    Apply to update the push information on the FDN. For more
    information, see To enable push updates through a NAT
    device on page 86.

Scheduled Update
    Select this check box to enable scheduled updates.

Every
    Attempt to update once every 1 to 23 hours. Select the number
    of hours between each update request.

Daily
    Attempt to update once a day. You can specify the hour of the
    day to check for updates. The update attempt occurs at a
    randomly determined time within the selected hour.

Weekly
    Attempt to update once a week. You can specify the day of the
    week and the hour of the day to check for updates. The update
    attempt occurs at a randomly determined time within the
    selected hour.

Apply
    Select Apply to save update settings.

Update Now
    Select Update Now to manually initiate an update.

This section includes:

• Registering the FortiMail unit
• Connecting to the FortiGuard Distribution Network
• Manually initiating antivirus definitions updates
• Scheduling updates
• Enabling push updates

Registering the FortiMail unit


After purchasing and installing a new FortiMail unit, you can register it by using a
web browser to connect to http://support.fortinet.com and selecting Product
Registration.
Register your FortiMail unit by entering your contact information and the serial
numbers of the FortiMail units that you or your organization purchased. You can
register multiple FortiMail units in a single session without re-entering your contact
information.

Connecting to the FortiGuard Distribution Network


Use the following procedures to configure the FortiMail unit to connect to the
FortiGuard Distribution Network (FDN) to update the antivirus definition and
engine.
To make sure the FortiMail unit can connect to the FDN
1. Go to System > Config > Time and make sure the time zone is set to the time
   zone for the region in which your FortiMail unit is located.
2. Go to System > Update.
3. Select Refresh.
   The FortiMail unit tests its connection to the FDN. The test results are displayed at
   the top of the System Update page.
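
When Refresh reports Unknown, or Push Update shows Not Available, the perimeter rules for the two FDN flows described earlier (HTTPS on port 8890 outbound, UDP port 9443 inbound) are one thing to check. The following is an added example, not code from this guide or from Fortinet: it predicts both status fields from a rule list. The rule format, first-match semantics, implicit default deny, the TCP transport for port 8890 and every address shown are assumptions constructed for illustration, and the check models only the packet filter, not DNS, routing or NAT forwarding.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Ports as stated in the guide. "HTTPS on port 8890" is modelled as TCP
# (assumption); the guide names UDP for the push channel.
FDN_UPDATE_PORT = 8890  # FortiMail unit -> FDN: manual and scheduled updates
FDN_PUSH_PORT = 9443    # FDN -> FortiMail unit: push updates


@dataclass(frozen=True)
class Rule:
    """One perimeter filter rule (hypothetical format, first match wins)."""
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    dport: Optional[int]  # destination port, None for any port


def decide(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching the flow, else "deny"."""
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if ip_address(src) not in ip_network(rule.src):
            continue
        if ip_address(dst) not in ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"  # assumption: implicit default deny


def predict_update_status(
    rules: List[Rule],
    unit_ip: str,
    fds_ip: str,
    registered: bool = True,
    behind_nat: bool = False,
    override_push: Optional[Tuple[str, int]] = None,
) -> Dict[str, str]:
    """Predict the two status fields shown on System > Update.

    override_push is the (external IP, external port) pair entered under
    "Use override push IP" when a NAT device sits in front of the unit.
    """
    status = {"FortiGuard Distribution Network": "Unknown",
              "Push Update": "Not Available"}

    # Manual and scheduled updates: the unit opens the connection outbound.
    if decide(rules, "tcp", unit_ip, fds_ip, FDN_UPDATE_PORT) == "allow":
        status["FortiGuard Distribution Network"] = "Available"

    # Push updates: the FDN opens the connection inbound, so the unit must be
    # registered and reachable, either directly or through the override address.
    if not registered or (behind_nat and override_push is None):
        return status
    push_ip, push_port = override_push or (unit_ip, FDN_PUSH_PORT)
    if decide(rules, "udp", fds_ip, push_ip, push_port) == "allow":
        status["Push Update"] = "Available"
    return status


# Constructed sample data (documentation address ranges, not real FDS hosts).
ANY = "0.0.0.0/0"
UNIT, FDS = "192.0.2.25", "198.51.100.10"
DENY_ALL = Rule("deny", "any", ANY, ANY, None)
POLICY_UPDATE_ONLY = [Rule("allow", "tcp", "192.0.2.25/32", ANY, 8890), DENY_ALL]
POLICY_UPDATE_AND_PUSH = [
    Rule("allow", "tcp", "192.0.2.25/32", ANY, 8890),
    Rule("allow", "udp", "198.51.100.0/24", "192.0.2.25/32", 9443),
    DENY_ALL,
]
POLICY_NAT = [
    Rule("allow", "tcp", "10.0.0.0/24", ANY, 8890),
    Rule("allow", "udp", ANY, "203.0.113.5/32", 45001),  # external service port
    DENY_ALL,
]

if __name__ == "__main__":
    for name, policy in [("update only", POLICY_UPDATE_ONLY),
                         ("update and push", POLICY_UPDATE_AND_PUSH)]:
        print(name, predict_update_status(policy, UNIT, FDS))
    print("NAT, override set", predict_update_status(
        POLICY_NAT, "10.0.0.25", FDS, behind_nat=True,
        override_push=("203.0.113.5", 45001)))
```

A predicted Available only means the filter would pass the flow; the unit's own Refresh test remains the authoritative result.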

Manually initiating antivirus definitions updates


Use the following procedure to update the antivirus definitions at any time. The
FortiMail unit must be able to connect to the FDN or to an override FortiResponse
server.
To update antivirus definitions
1. Go to System > Update.
2. Select Update Now to update the antivirus definitions.
   If the connection to the FDN or override server is successful, the web-based
   manager displays a message similar to the following:
      Your update request has been sent. Your database will be
      updated in a few minutes. Please check your update page for
      the status of the update.
After a few minutes, if an update is available, the System Update page lists new
version information for antivirus definitions, or the antivirus engine. The System
Status page also displays new dates and version numbers for antivirus definitions.
Messages are recorded to the event log indicating whether the update was
successful or not.

Updating antivirus definitions from a file


An alternative to updating virus definitions through the FDN is to download an
antivirus definitions file and update the unit from it.


To update antivirus definitions from a file


1. Download the latest antivirus definitions update file from Fortinet and copy it to the
   computer that you use to connect to the web-based manager.
2. Start the web-based manager and go to System > Status > Status.
3. In the Unit Information section, select Update under Antivirus Definitions.
4. Type the path and filename for the antivirus definitions update file, or select
   Browse and locate the antivirus definitions update file.
5. Select OK to copy the antivirus definitions update file to the FortiMail unit.
   The FortiMail unit updates the antivirus definitions. This takes about 1 minute.
6. Go to System > Status > Status to confirm that the Antivirus Definitions Version
   information has updated.

Scheduling updates
The FortiMail unit can check for and download updated definitions hourly, daily, or
weekly, according to a schedule that you specify.
To enable scheduled updates
1. Go to System > Update.
2. Select the Scheduled Update check box.
3. Select one of the following to check for and download updates.
   Hourly   Once every 1 to 23 hours. Select the number of hours and minutes between
            each update request.
   Daily    Once a day. You can specify the time of day to check for updates.
   Weekly   Once a week. You can specify the day of the week and the time of day to
            check for updates.
4. Select Apply.
   The FortiMail unit starts the next scheduled update according to the new update
   schedule.
Whenever the FortiMail unit runs a scheduled update, the event is recorded in the
FortiMail event log. See Logging and reporting on page 253.
To add an override server
If you cannot connect to the FDN, or if your organization provides antivirus
updates using their own FortiResponse server, you can use the following
procedure to add the IP address of an override FortiResponse server.

1. Go to System > Update.
2. Select the Use override server address check box.
3. Type the IP address of a FortiResponse server.
4. Select Apply.
   The FortiMail unit tests the connection to the override server.
   If the FortiGuard Distribution Network setting changes to available, the FortiMail
   unit has successfully connected to the override server.
   If the FortiGuard Distribution Network stays set to not available, the FortiMail unit
   cannot connect to the override server. Check the FortiMail network configuration
   for settings that would prevent the FortiMail unit connecting to the override
   FortiResponse server.

Enabling push updates


The FDN can push updates to FortiMail units to provide the fastest possible
response to critical situations. You must register the FortiMail unit before it can
receive push updates. See Registering the FortiMail unit on page 83.
When you configure a FortiMail unit to allow push updates, the FortiMail unit
sends a SETUP message to the FDN. The next time a new antivirus engine, or
new antivirus definitions are released, the FDN notifies all FortiMail units that are
configured for push updates that a new update is available. Within 60 seconds of
receiving a push notification, the FortiMail unit requests an update from the FDN.
When the network configuration permits, configuring push updates is
recommended in addition to configuring scheduled updates. On average the
FortiMail unit receives new updates sooner through push updates than if the
FortiMail unit receives only scheduled updates. However, scheduled updates
make sure that the FortiMail unit receives the latest updates.
Enabling push updates is not recommended as the only method for obtaining
updates. The FortiMail unit might not receive the push notification. Also, when the
FortiMail unit receives a push notification it makes only one attempt to connect to
the FDN and download updates.
To enable push updates
1. Go to System > Update.
2. Select Allow Push Update.
3. Select Apply.
To enable push updates when FortiMail IP addresses change
The SETUP message that the FortiMail unit sends when you enable push updates
includes the IP address of the FortiMail port 1 interface. The FDN must be able to
connect to this IP address for your FortiMail unit to be able to receive push update
messages. If your FortiMail unit is behind a NAT device, see To enable push
updates through a NAT device on page 86.
Whenever the port 1 interface IP address changes, the FortiMail unit sends a new
SETUP message to notify the FDN of the address change. As long as the
FortiMail unit sends this SETUP message and the FDN receives it, the FDN can
maintain the most up-to-date port 1 interface IP address for the FortiMail unit.
The FortiMail unit sends the SETUP message if you change the port 1 interface IP
address manually or if you have set the port 1 interface addressing mode to
DHCP and your DHCP server changes the IP address.


To enable push updates through a NAT device


If the FDN can connect to the FortiMail unit only through a NAT device, you must
configure port forwarding on the NAT device and add the port forwarding
information to the push update configuration. Using port forwarding, the FDN
connects to the FortiMail unit using either port 9443 or an override push port that
you specify.
Note: You cannot receive push updates through a NAT device if the external IP address of
the NAT device is dynamic (for example, set using DHCP).

The following example describes how to configure a FortiGate NAT device to
forward push updates to a FortiMail unit installed on its internal network. For the
FortiMail unit on the internal network to receive push updates, the FortiGate NAT
device must be configured with a port forwarding virtual IP. This virtual IP maps
the IP address of the external interface of the FortiGate NAT device and a custom
port to the IP address of the FortiMail unit on the internal network.
Note: This example describes the configuration for a FortiGate NAT device. However, you
can use any NAT device with a static external IP address that can be configured for port
forwarding.

Use the following steps to configure the FortiGate NAT device and the FortiMail
unit on the internal network so that the FortiMail unit on the internal network can
receive push updates:
1. Add a port forwarding virtual IP to the FortiGate NAT device.
   For more information, see your FortiGate Administration Guide.
2. Add a firewall policy to the FortiGate NAT device that includes the port forwarding
   virtual IP.
   For more information, see your FortiGate Administration Guide.
3. Configure the FortiMail unit on the internal network with an override push IP and
   port.

Note: Before completing the following procedure, you should register the internal network
FortiMail unit so that it can receive push updates.

To configure the FortiMail unit with an override push IP and port


1. Go to System > Update.
2. Select the Allow Push Update check box.
3. Select the Use override push check box.
4. Set IP to the external IP address added to the virtual IP.
5. Set Port to the external service port added to the virtual IP.
6. Select Apply.
   The FortiMail unit sends the override push IP address and port to the FDN. The
   FDN now uses this IP address and port for push updates to the FortiMail unit on
   the internal network.
   If the external IP address or external service port change, add the changes to the
   Use override push configuration and select Apply to update the push information
   on the FDN.
7. Select Apply.
8. You can select Refresh to make sure that push updates work.
   Push Update changes to Available.


Configuring FortiMail system settings
After installation, you might want to adjust some of your network settings or create
additional administrator accounts. Optionally, you can customize some user
messages and the WebMail interface.
This section contains the following topics:

• What are system settings
• Configuring the interfaces
• Configuring DNS
• Configuring DDNS
• Configuring routing
• Setting system date and time
• Configuring administration
• Configuring the SNMP Agent
• Configuring RAID levels
• Generating a certificate

What are system settings


System settings is a broad category that includes:
• network settings, including interfaces, DNS settings and routing
• system date and time
• administration options and accounts
• adjustment of FortiMail RAID levels
• creating certificates

Network settings
The FortiMail unit must be configured to operate in your network. Like other
network devices, the FortiMail unit has network interfaces, it requires access to a
DNS server and it requires routing information to reach other networks.
If your network is not carefully planned and properly deployed, the FortiMail unit
can be bypassed. Spammers can then easily determine the lowest priority mail
server (the highest preference number in the MX record) and deliver spam to it in
an attempt to avoid the most effective spam defences on the FortiMail unit. To
ensure maximum safety you can:

• Configure routing or your firewall to send all SMTP traffic to the FortiMail unit
  for scanning.
• Modify the DNS server to keep a single MX record entry for the FortiMail unit
  for all protected domains.
• Ensure all domains are protected by the FortiMail unit with matched policies
  and proper profiles.
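
One way to verify the single MX record recommendation is to audit the MX records of every protected domain for hosts other than the FortiMail unit. The following Python example is added here and is not part of the FortiMail guide; the zone data, the domain names and the host name fortimail.example.com are constructed placeholders.

```python
"""Audit MX records for delivery paths that bypass the FortiMail unit."""
from collections import defaultdict

# Constructed sample records in zone-file form; every name is a placeholder.
SAMPLE_ZONE = """\
example.com.  3600 IN MX 10 fortimail.example.com.
example.com.  3600 IN MX 20 mail-backup.example.com.  ; old fallback server
example.org.  3600 IN MX 10 FortiMail.example.com.
example.net.  3600 IN MX 5  legacy-mx.example.net.
example.net.  3600 IN A     192.0.2.10
"""


def normalize(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def parse_mx(zone_text):
    """Return {domain: [(preference, host), ...]} from 'name ttl IN MX pref host' lines."""
    records = defaultdict(list)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, split on whitespace
        if "MX" not in fields[1:]:
            continue  # not an MX record
        i = fields.index("MX", 1)
        if len(fields) < i + 3 or not fields[i + 1].isdigit():
            continue  # malformed record, skip it
        records[normalize(fields[0])].append(
            (int(fields[i + 1]), normalize(fields[i + 2]))
        )
    return dict(records)


def audit_mx(records, protected_domains, fortimail_hosts):
    """Classify each protected domain as 'ok', 'bypass' or 'no-mx'."""
    allowed = {normalize(h) for h in fortimail_hosts}
    report = {}
    for domain in protected_domains:
        mx = records.get(normalize(domain), [])
        # Highest preference number first: that is the lowest priority server,
        # the one this section says spammers look for.
        bypass = sorted((r for r in mx if r[1] not in allowed), reverse=True)
        if not mx:
            status = "no-mx"  # senders fall back to the domain's address record
        elif bypass:
            status = "bypass"
        else:
            status = "ok"
        report[domain] = {"status": status, "bypass": bypass}
    return report


if __name__ == "__main__":
    domains = ["example.com", "example.org", "example.net", "example.edu"]
    result = audit_mx(parse_mx(SAMPLE_ZONE), domains, ["fortimail.example.com"])
    for domain, finding in result.items():
        print(domain, finding["status"], finding["bypass"])
```

A domain reported as bypass or no-mx accepts mail on a path that the FortiMail unit does not scan.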

You configured network settings as part of installation (see the FortiMail
Installation Guide), but you might need to modify these settings if you make
changes to your network or configuration. For example, if you add a new domain
to protect an email server that is on a remote network, you might need to add a
route so that the FortiMail unit can communicate with that network.
The FortiMail unit also provides IP addresses for administrator access to the
web-based manager and for user access to WebMail. In transparent mode, you specify
a management IP address. In gateway and server modes, the IP address of the
interface serves this purpose. If the interface is configured to allow administrative
access, you can also use this IP address to access the web-based manager. The
administrative and user access URLs are as follows:
Gateway or server mode
  User access             https://<interface IP address>
  Administrative access   https://<interface IP address>/admin
Transparent mode
  User access             https://<management IP address>
  Administrative access   https://<management IP address>/admin

See the following sections to configure network settings:

• Configuring the interfaces on page 91
• Configuring DNS on page 93
• Configuring routing on page 94

Administration
When the FortiMail unit is initially installed, it is configured with a single
administrator account with the user name admin. From this account, you can add
other system wide administrator accounts or administrator accounts for individual
email domains. You can control the access level of each of these administrator
accounts and control the IP address from which the administrator can connect to
the FortiMail unit. For detailed information, see Configuring administration on
page 96.

RAID settings
The FortiMail hard disk system uses a Redundant Array of Independent Disks
(RAID) system for enhanced performance and reliability. The default settings for
RAID should give good results, but you can modify the configuration. See
Configuring RAID levels on page 103.

Certificates
The FortiMail unit can generate digital certificate requests and import signed
certificates for added security. See Generating a certificate on page 108.

Configuring the interfaces


Which model you have determines the number of ports:

• FortiMail 400 units have six interfaces: port 1 to 6
• FortiMail 100, 2000, 2000A, and 4000A units have four interfaces: port 1 to 4

You can use one interface to connect the unit to the network or two or more
interfaces to provide flexibility.
Go to System > Network > Interface to view the interface information.
Figure 35: Interface list

Name      Name of the FortiMail unit interfaces.
IP        The IP addresses of the FortiMail unit interfaces.
          In transparent mode, the default IP is Bridging, which means the interface
          works as a layer 2 bridge. You can assign an IP to the interface for user
          access.
Netmask   The netmasks of the FortiMail unit interfaces.
          In transparent mode, the default IP is Bridging, which means the interface
          works as a layer 2 bridge.
Access    The management access configured for the interface.
Status    The administrative status for the interface.
          If the administrative status is a green arrow, the interface is up and can
          accept network traffic. If the administrative status is a red arrow, the interface
          is down and cannot accept traffic.
          Select Bring Up to start an interface that is down.
          To bring down an interface, open the command line interface (CLI) and enter
          the command
              set system interface <intf_str> config status down
          where <intf_str> is the name of the interface.
Modify    Select the Modify icon to edit an interface configuration.

Note: In transparent mode, the default IP and Netmask of Port 1 cannot be changed. This
port is used by the management IP.

Interface settings
Go to System > Network > Interface, and select the Edit icon for the interface
that you want to configure.
For security reasons, allow management access to only the FortiMail interfaces
requiring it.


Figure 36: Interface settings in Gateway mode

Addressing mode

Interface Name          Displays the name of the interface (such as port2) and the
                        MAC address associated with this interface.
Do not associate with   This is available only in transparent mode on all ports except
Management IP           Port 1.
                        Select to assign an IP address to the interface. The interface
                        is no longer part of the transparent bridging configuration.
                        Enter the IP address and netmask for the interface in the
                        IP/Netmask field. The IP address must be on the same
                        subnet as the network to which the interface connects.
Manual                  Use a static IP address. Enter the IP address and netmask
                        for the interface in the IP/Netmask field. Two interfaces
                        cannot have IP addresses on the same subnet.
IP/Netmask              Enter the IP address and netmask for the interface.
                        The IP address must be on the same subnet as the network
                        to which the interface connects.
                        In gateway or server mode, you must select Manual.
                        In transparent mode, you must select the Do not associate
                        with management IP check box.
DHCP                    Use a dynamic IP address obtained using DHCP.
                        This is not available in transparent mode.
Retrieve default        By default, the FortiMail unit retrieves both the default
gateway and DNS         gateway and DNS addresses from the DHCP server,
from server             replacing the previously configured values. Disable this
                        option if you do not want the FortiMail unit to do this.
Connect to Server       Disable this option if you are configuring the interface offline
                        and do not want the unit to attempt to obtain addressing
                        information. This option applies to DNS.
Status                  Displays status messages as the FortiMail unit connects to
                        the DHCP server and gets addressing information. Select
                        Status to refresh the status message.

Access
Select the types of administrative access permitted on this interface. You should
avoid allowing administrative access for an interface connected to the Internet
unless this is required for your configuration. To improve the security of a FortiMail
unit that allows remote administration from the Internet:

• Use secure administrative user passwords,
• Change these passwords regularly,
• Enable secure administrative access to this interface using only HTTPS or
  SSH,
• Do not increase the system idle timeout from the default value of 5 minutes
  (see Changing configuration options on page 96).

HTTPS    Allow secure HTTPS connections to the web-based manager
         through this interface.
Ping     Interface responds to pings. Use this setting to verify your installation
         and for testing.
HTTP     Allow HTTP connections to the web-based manager through this
         interface. HTTP connections are not secure and can be intercepted
         by a third party.
SSH      Allow SSH connections to the CLI through this interface.
SNMP     Allow SNMP access through this interface.
Telnet   Allow Telnet connections to the CLI through this interface. Telnet
         connections are not secure and can be intercepted by a third party.

MTU
To improve network performance, you can change the maximum transmission unit
(MTU) of the packets that the FortiMail unit transmits from any interface. Ideally,
this MTU should be the same as the smallest MTU of all the networks between
the FortiMail unit and the destination of the packets. If the packets sent by the
FortiMail unit are larger, those packets are broken up or fragmented, which slows
down transmission. You should experiment by lowering the MTU to find your MTU
size for best network performance.
Override default   To change the MTU, select Override default MTU value (1500) and
MTU value          enter the maximum packet size. For manual and DHCP addressing
                   mode the MTU size can be from 576 to 1500 bytes.

Configuring DNS
Go to System > Network > DNS to configure the IP addresses of the primary and
secondary DNS servers to which the FortiMail unit can connect. DNS server IP
addresses are usually supplied by your ISP.

Note: For improved FortiMail unit performance, the DNS server(s) should be locally placed.

Figure 37: DNS settings

Primary DNS Server     Enter the primary DNS server IP address.
Secondary DNS Server   Enter the secondary DNS server IP address.


Configuring DDNS
Go to System > Network > DDNS to add DDNS server information.
When the FortiMail unit has a static domain name and a dynamic public IP
address, you can use a DDNS service to update Internet DNS servers when the
IP address for the domain changes.
Figure 38: DDNS settings

Server        Select the DDNS provider server from the list.
Username      Enter your username for this DDNS server.
Password      Enter your password for this DDNS server.
Update Time   Enter the interval in hours after which your FortiMail unit
              will contact the DDNS server to reaffirm your IP address.

Configuring routing
Go to System > Network > Routing to configure static routing on the FortiMail
unit to route the filtered email to the destination network.
Figure 39: Routing list

Destination IP   Displays the destination network IP address to which the FortiMail unit
                 routes email.
Mask             Displays the netmask for the route.
Gateway          Displays the gateway IP address for the route.
Modify           Allows you to delete or edit the routing information.
Create New       Open the New Routing Entry page to create a new route.


Route entry
Go to System > Network > Routing to configure routing and select Create New
to add a route. You can also select the Edit icon of an existing route to modify it.
Figure 40: Edit routing entry

Destination IP   Enter the destination IP address for this route.
                 To create a default route, set the Destination IP to 0.0.0.0.
Mask             Enter the netmask for this route.
                 To create a default route, set the mask to 0.0.0.0.
Gateway          Enter the IP address of the next hop router to which this route directs
                 traffic. For an Internet connection, the next hop routing gateway routes
                 traffic to the Internet.

Configuring management IP (transparent mode)


Configure the management interface to set the management IP address of the
FortiMail unit. Administrators connect to this IP address to administer the FortiMail
unit. The FortiMail unit also uses this IP address to connect to the FDN for
antivirus updates (see Configuring antivirus updates from the FDN on page 80).
To configure the management interface
1. Go to System > Network > Management IP.
2. Change the management IP and Netmask as required.
   The IP address must be valid for the network from which you manage the unit.
3. Select Apply.

Management IP (transparent and gateway)


Go to System > Network > Management IP to set the management IP and
netmask.
This is only available in transparent and gateway operation modes.


Setting system date and time


For effective scheduling and logging, the FortiMail system time must be accurate.
You can either manually set the FortiMail system time or you can configure the
FortiMail unit to automatically keep its system time correct by synchronizing with a
Network Time Protocol (NTP) server.
Your FortiMail unit supports the 2007 USA, Canada, and Western Australia
changes to Daylight Savings Time. In USA and Canada this includes moving the
time change from the last Sunday of March to 3 weeks earlier in March, and
moving the time change from the last Sunday of October to a week later in
November. In Western Australia this includes moving the time change from the
last Sunday of March to a week later in April.
Go to System > Config > Time to configure system time.
System Time             The current FortiMail system date and time.
Refresh                 Select Refresh to update the display of the current FortiMail
                        system date and time.
Time Zone               Select the appropriate time zone for your region.
Automatically adjust    Select if you want the FortiMail system clock to be adjusted
clock for daylight      automatically when your time zone changes to daylight saving
saving changes          time and back to standard time.
Set Time                Select to set the FortiMail system date and time to the values
                        you set in the Year, Month, Day, Hour, Minute and Second fields.
Synchronize with NTP    Select to use an NTP server to automatically set the system
Server                  date and time. You must specify the server and synchronization
                        interval.
Server                  Enter the IP address or domain name of an NTP server. To find
                        an NTP server that you can use, see http://www.ntp.org.
Syn Interval            Specify how often the FortiMail unit should synchronize its time
                        with the NTP server. A typical Syn Interval would be 1440
                        minutes for the FortiMail unit to synchronize its time once a day.

Note: For security reasons, make sure the system time zone and time are correct.

Configuring administration
By default, the FortiMail unit has one system-level administration account, admin,
with full access to all configuration options. Using this account, you can:

• set the idle timeout, choose the web-based manager language, and set a PIN
  code to protect access to the LCD control panel (see Changing configuration
  options on page 96)
• create additional administrative accounts at both the system and domain level
  (see Administrators and permission levels on page 97 and Adding an
  administrator account on page 99)

Changing configuration options


Under System > Config > Options you can:

• Set the system idle timeout.
• Select the language for the web-based manager.
• Restrict access to the control buttons and LCD by requiring a PIN (Personal
  Identification Number).

Figure 41: Configuring system options

Idle Timeout      Set the idle timeout to control the amount of inactive time before the
                  administrator must log in again. The maximum is 480 minutes (8
                  hours).
                  To improve security, keep the idle timeout at the default value of 5
                  minutes.
Web               Select a language for the web-based manager to use. Choose from
Administration:   English, Simplified Chinese, Japanese, Korean, or Traditional
Language          Chinese.
LCD Panel         Select the PIN Protection check box and type a 6-digit PIN.
                  Administrators must enter the PIN to use the control buttons and
                  LCD.

Administrators and permission levels


There are three administration account access levels. There can be no more than
five administrator accounts per domain.
There can be only one administrator account with admin permission per domain
other than the system domain.

Note: Administrators cannot be associated with domains in server mode.


Table 5: Administrator permission levels

Permissions      Administrator or all      Read & Write      Read Only

System Level

Can view, add, edit, and delete administrator accounts of all levels.

Can view and change all parts of the FortiMail unit configuration.

Domain Level

Can create admin users in its own domain with Read & Write and Read Only
permissions.

Can view and change settings of its own domain, including profiles and policies.

Can manually update firmware, antivirus definitions,

Can download or upload system settings, restore the FortiMail unit to factory
defaults, restart the FortiMail unit, and shut down the FortiMail unit.

Can view profiles and policies created by the system level administrator.

Can view administrator accounts.

Can view and change the FortiMail unit configuration at the system and domain levels.

Can release and delete quarantined messages in its own domain.

Can view settings for its own domain.

Can view profiles and policies created by the system level administrator.

Can view settings of its own domain.

Can view profiles and policies created by the system level administrator.

Can change own administrator account password.

Can release and delete quarantined messages for all domains.

Can view the FortiMail unit configuration at the system and domain levels.

Can only execute writing operations in ACL, managing mail queues and maintenance

In the CLI, any account that has admin in the name cannot be changed.
In the administration GUI, any account with admin permission can change the
default admin, and they can change other user accounts. However, accounts with
admin permission cannot give other accounts more permissions, such as
changing a read-only account to read and write permission.

Managing accounts
The following accounts can manage other accounts, but they have some
limitations.
The default admin account has permission to do anything. This account can
manage other admins and users in any domain on your FortiMail unit.


Note: Set the password for the default admin account. By default, this account has no
password. The password should be at most 32 characters long, and for improved security
the password should be at least 6 characters long.

Admin accounts in the system domain that have admin permission can manage
the users in the system domain (accounts without admin permission) as well as all
the users of the other domains. However, these accounts cannot manage
other admin accounts in the system domain that have admin permission; that is, they
cannot manage their peers.

Note: System admin users cannot add new email users in server mode.

Admin accounts in other domains can manage the users in their domain. Except
for the system domain, there is only one admin per domain.

Adding an administrator account


Go to System > Config > Admin to configure administrator accounts.
For security reasons, create additional system and domain administrators with
limited access rights for less-demanding management tasks.
Figure 42: Administrator account list

Name           The login name for the Administrator account.
Domain         The domain to which an administrator belongs.
               This option is not available in server mode.
Trusted Host   Trusted Host IP address for the location from which the administrator can
               log into the web-based manager.
Netmask        Netmask for the location from which the administrator can log into the
               web-based manager.
Permission     Administrator account access level: none, read, write, read & write, or all.
               All is only used for the super admin account.
Modify         Delete, edit or change the password of an administrator account.
Create New     Opens the New Administrator page.

To add an administrator account


1. Go to System > Config > Admin.
2. Select Create New to add an administrator account.
3. Type a login name for the administrator account.
   The login name can contain numbers (0-9), uppercase and lowercase letters
   (A-Z, a-z), and the special characters - and _. Other special characters and
   spaces are not allowed.
4. If you are not in server mode, select a domain on which you want to create the
   administrator account.
5. Type and confirm a password for the administrator account.
   For improved security, the password should be at least 6 characters long. The
   password can contain any characters except spaces.
6. Optionally type a Trusted Host IP address and netmask for the location from which
   the administrator can log into the web-based manager.
   If you want the administrator to be able to access the FortiMail unit from any
   address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0.
   To limit the administrator to only access the FortiMail unit from a specific network,
   set the trusted host to the address of the network and set the netmask to the
   netmask for the network. For example, to limit an administrator to accessing the
   FortiMail unit from your internal network, set the trusted host to the address of
   your internal network (for example, 192.168.1.0) and set the netmask to
   255.255.255.0.
7. Set the Permission level for the administrator.
8. Select OK.
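
The login name, password and trusted host rules in this procedure can be checked before an account is created. The following Python example is added here and is not FortiMail code; the account entries are constructed, and the masked comparison in source_allowed is an assumption based on the 192.168.1.0 / 255.255.255.0 example above.

```python
"""Check proposed administrator accounts against the rules in this procedure."""
import re
from ipaddress import IPv4Address

# Login names: digits, letters, '-' and '_' only; no spaces or other specials.
LOGIN_NAME = re.compile(r"[0-9A-Za-z_-]+")

# Constructed sample entries; names, passwords and networks are placeholders.
ACCOUNTS = [
    {"name": "admin", "password": "",
     "trusted_host": "0.0.0.0", "netmask": "0.0.0.0"},
    {"name": "ops_reader", "password": "Corr3ct-Horse",
     "trusted_host": "192.168.1.0", "netmask": "255.255.255.0"},
    {"name": "mail admin", "password": "abc 1",
     "trusted_host": "192.168.1.0", "netmask": "255.255.255.0"},
]


def source_allowed(trusted_host, netmask, source_ip):
    """True if source_ip falls inside trusted_host/netmask.

    Assumption: an ordinary masked comparison, so a netmask of 0.0.0.0
    matches every source address.
    """
    mask = int(IPv4Address(netmask))
    return int(IPv4Address(source_ip)) & mask == int(IPv4Address(trusted_host)) & mask


def audit_account(account):
    """Return a list of findings for one account (an empty list means none)."""
    findings = []
    if not LOGIN_NAME.fullmatch(account["name"]):
        findings.append("login-name-invalid-characters")
    password = account.get("password", "")
    if not password:
        findings.append("no-password")
    else:
        if " " in password:
            findings.append("password-contains-space")
        if len(password) < 6:
            findings.append("password-shorter-than-6")
    if int(IPv4Address(account["netmask"])) == 0:
        # Trusted host 0.0.0.0 with netmask 0.0.0.0: login from any address.
        findings.append("login-allowed-from-any-address")
    return findings


def audit_all(accounts):
    """Map each account name to its findings."""
    return {a["name"]: audit_account(a) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit_all(ACCOUNTS).items():
        print(f"{name!r}: {findings or 'ok'}")
    print(source_allowed("192.168.1.0", "255.255.255.0", "192.168.1.77"))
```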

Configuring the SNMP Agent


In the System Settings module, go to Config > SNMP v1/v2c to configure the
SNMP Agent.
One use of SNMP is to monitor an HA cluster for failover messages. These alert
messages may aid in quick discovery and diagnosis of network problems.
Some FortiMail 2000A and 4000 models have monitored power supplies and
RAID controllers which can be monitored by SNMP. When a monitored power
supply or a RAID controller is removed or added, it generates logs, alert emails
and SNMP traps if those are configured.
Note: You can download the SNMP MIB for FortiMail units from the Fortinet Support
web site.


Figure 43: SNMP configuration

SNMP Agent

Select to enable the FortiMail SNMP agent. This must be enabled to
accept queries or send traps from the FortiMail unit.

Description

Enter a descriptive name for the FortiMail unit.

Location

Optionally, enter the location of the FortiMail unit.

Contact

Optionally, enter administrator contact information.

Select the blue triangle to expand the list of traps. In this section you configure the
conditions that cause a trap to be sent if the trap type is enabled for the community.

Trap Type

The type of trap you are configuring.

Trigger

Where applicable, the level that defines a condition that can be trapped.

Threshold

The number of times the trigger level must be reached before a trap
is sent.

Sample Period

The time period in seconds during which the SNMP Agent counts the
number of times the trigger level is reached.
The default period is 600 seconds (ten minutes).
This value should not be lower than the sample frequency.

Sample Freq

The interval in seconds between measurements of the trap
condition. You will not receive traps faster than this rate, depending
on the selected sample period.
The default frequency is 30 seconds.

Communities

The list of SNMP communities added to the FortiMail configuration.

Create New

Select Create New to add a new SNMP community.
See "Configuring an SNMP Community" on page 102.

Community Name

The name of the SNMP community. The SNMP manager client must be
configured with this name.

Queries

A green checkmark icon indicates that queries are enabled.

Traps

A green checkmark icon indicates that traps are enabled.

Enable

Select to enable or unselect to disable this SNMP community.


Delete icon

Select to remove the SNMP community.

Edit icon

Select to edit the SNMP community.
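How Threshold, Sample Period and Sample Freq interact, as an added model (not the FortiMail agent's code). It assumes the agent takes one reading every Sample Freq seconds, counts a hit when the reading is at or above the trigger, and counts hits over a sliding window of Sample Period seconds; the page does not document the windowing, and the function names and readings are constructed.

```python
from collections import deque

DEFAULT_SAMPLE_PERIOD = 600  # seconds (default given in the guide)
DEFAULT_SAMPLE_FREQ = 30     # seconds (default given in the guide)


def check_settings(threshold, period=DEFAULT_SAMPLE_PERIOD, freq=DEFAULT_SAMPLE_FREQ):
    """Return reasons why these settings are invalid or could never send a trap."""
    if threshold < 1 or period < 1 or freq < 1:
        return ["threshold, sample period and sample frequency must be positive"]
    problems = []
    if period < freq:
        problems.append("sample period is lower than the sample frequency")
    # Number of readings that fall inside one sample period (rounded up).
    samples_per_period = (period + freq - 1) // freq
    if threshold > samples_per_period:
        problems.append(
            f"threshold {threshold} can never be reached: only "
            f"{samples_per_period} readings are taken per sample period"
        )
    return problems


def trap_times(readings, trigger, threshold,
               period=DEFAULT_SAMPLE_PERIOD, freq=DEFAULT_SAMPLE_FREQ):
    """Simulate the agent over readings taken every `freq` seconds.

    Returns the times, in seconds from the first reading, at which a trap
    would be sent under the sliding-window assumption.
    """
    hits = deque()  # times of readings that reached the trigger level
    sent = []
    for index, value in enumerate(readings):
        now = index * freq
        if value >= trigger:
            hits.append(now)
        # Forget hits that are older than one sample period.
        while hits and hits[0] <= now - period:
            hits.popleft()
        if len(hits) >= threshold:
            sent.append(now)
            hits.clear()  # assumption: counting restarts after a trap
    return sent


# Constructed readings (for example CPU usage in percent), one per 30 seconds.
SUSTAINED_LOAD = [50, 85, 90, 60, 95, 85, 40, 40]
SPARSE_SPIKES = [90, 50, 90, 50, 90, 50]

if __name__ == "__main__":
    print(check_settings(threshold=25))
    print(trap_times(SUSTAINED_LOAD, trigger=80, threshold=3))
    print(trap_times(SPARSE_SPIKES, trigger=80, threshold=3, period=90, freq=30))
```

With the default 600-second period and 30-second frequency only 20 readings fall in one period, so a threshold above 20 silently disables that trap.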

Configuring an SNMP Community


An SNMP community is a grouping of equipment for network administration
purposes. Add SNMP communities so that SNMP managers can connect to the
FortiMail unit to view system information and receive SNMP traps. You can add up
to three SNMP communities. Each community can have a different configuration
for SNMP traps and can be configured to monitor different events. You can add
the IP addresses of up to 8 SNMP managers to each community.
You must enable SNMP access on the ports that SNMP clients use to access the
FortiMail unit. See "Interface settings" on page 91.
In the System Settings module, go to Config > SNMP v1/v2c, configure the
SNMP agent and select Create New to configure an SNMP community.
Figure 44: FortiMail SNMP Community


Community Name

Enter a name to identify the SNMP community. If you are editing an
existing community, you will be unable to change the name.

Hosts

The list of SNMP managers that can use the settings in this SNMP
community to monitor the FortiMail unit. Select Add to create a new
entry that you can edit.

IP Address

Enter the IP address of an SNMP manager. By default, the IP
address is 0.0.0.0, so that any SNMP manager can use this SNMP
community.

Interface

Select the name of the interface that connects to the network where
this SNMP manager is located. You need to do this if the SNMP
manager is on the Internet or behind a router.

Delete icon

Select to remove this SNMP manager.

Add

Select to add a new default entry to the Hosts list that you can edit as
needed. You can have up to 8 SNMP manager entries for a single
community.

Queries

Enter the Port number (161 by default) that the SNMP managers in
this community use for SNMP v1 and SNMP v2c queries to receive
configuration information from the FortiMail unit. Select the Enable
check box to activate queries for each SNMP version.

Traps

Enter the Local and Remote port numbers (162 local, 162 remote by
default) that the FortiMail unit uses to send SNMP v1 and SNMP v2c
traps to the SNMP managers in this community. Enable traps for
each SNMP version that the SNMP managers use.

SNMP Event

Enable each SNMP event for which the FortiMail unit should send
traps to the SNMP managers in this community.

Configuring RAID levels


You can configure the RAID levels for the FortiMail unit local disk partitions used
for storing mail files or log files (in the case of FortiMail 400), depending on your
requirements for performance, resiliency, and cost.
RAID events can be logged and can be reported with alert email. These events
include disk full or disk failure notices. See "FortiMail logging" on page 253 and
"Alert Email" on page 271.

RAID levels
FortiMail 400 models use software RAID (RAID 0 or 1). The log disk and mail disk
on those models can each use different RAID levels. FortiMail 2000, FortiMail
2000A, and FortiMail 4000A units use hardware RAID controllers and therefore
the log disk and mail disk on these models cannot be separated.

Hot Spare option


FortiMail 4000A units have a hot spare RAID option. The hot spare disk is not part
of the RAID. It will not normally be in use. If a hard disk in the RAID fails, the hot
spare disk will take its place in the RAID. The RAID immediately puts the hot
spare disk into service and starts to rebuild the data from the failed disk onto the
new disk. This rebuilding takes a long time, but the RAID continues during the
process.
The hot spare feature has one or more extra hard disks installed with the RAID. A
RAID 10 configuration requires two disks per RAID 1, and can have only one hot
spare disk. A RAID 50 configuration requires three disks per RAID 5, and can
have up to two hot spare disks.

FortiMail RAID levels


The following tables describe the RAID levels used by the FortiMail units:


Table 6: FortiMail 400


RAID 0

Has striping but no redundancy of data. It offers the best performance but no
fault-tolerance. If any hard drive fails, the whole RAID fails.
Also known as a striped array.

RAID 1

Consists of at least two drives that duplicate the storage of data. There is no
striping. Read performance is improved since either disk can be read at the
same time. Write performance is the same as for single disk storage. This
technique provides the best performance and the best fault-tolerance in a
multi-user system. In a two hard drive RAID 1, one hard drive can fail and the
RAID will continue to function.
Also known as a mirrored array.

Table 7: FortiMail 2000, FortiMail 2000A, and FortiMail 4000A


RAID 10

A combination of RAID 1 with RAID 0 (see Table 6). Striped and mirrored
arrays are good for fault tolerance and high performance, such as for
high-load databases. RAID 10 requires a minimum of four drives. Adding
two additional drives will add another RAID 1.
Any RAID 1 in the array can have a hard drive failure and continue to
function, but if both hard disks in a RAID 1 fail then the whole RAID fails.

RAID 10 + hot spare(s) (4000A model)

A RAID 10 configuration that has a backup hard drive installed that takes
the place of a failed RAID hard drive. The RAID 10 + hot spare(s) must have at
least five drives, one spare in addition to the RAID 10 drives. To add
another RAID 1, you would need seven drives total because at least one
hot spare drive is required.

RAID 50

A combination of RAID 5 with RAID 0 (see Table 6). RAID 5 provides
data striping at the byte level and also stripes error correction information.
This results in excellent performance and good fault tolerance.
The RAID 50 array type provides fault tolerance and high performance. It
requires a minimum of six drives. To add another RAID 5 requires an
additional three hard drives.

RAID 50 + hot spare(s) (4000A model)

A RAID 50 configuration that has a backup hard drive installed that takes
the place of a failed RAID hard drive. The RAID 50 + hot spare(s) must have at
least seven drives, one spare in addition to the RAID 50 drives.

Configuring RAID for a FortiMail-400 unit


Go to System > RAID > Log Device or Mail Device to configure RAID settings.
The Log Device and Mail Device tabs use the same screen format.
Figure 45: RAID-Log and Mail Device (FortiMail 400)


Device Details

Automatic Refresh Interval

Select to control how often the web-based manager updates the log/mail
device status display.

Go

Select to set the selected automatic refresh interval.

Refresh

Select to manually update the log device status display.

Name

Name of the RAID device. This is hard-coded and not configurable.

Level

Level of the current RAID device.

Change

Select to change the RAID level.

State

Status of the RAID device.

dirty: On a normal system the array will be in a dirty state, which means
that the RAID device has information that needs to be written to disk.

clean: When the information on the RAID device is written to disk, the
array will be marked clean.

errors: Errors were detected on the array.

no-errors: Errors were not detected on the array.

dirty no-errors: For normal operation, this is the expected setting.

clean no-errors: For a system with an unmounted RAID array, this is the
expected setting.

Array Details

Allows you to remove or recover disks for the array. See step 3 in the
following procedure.

Resynch Status

Displays how well synched the RAID drive is. If it is not synched, then the
system is rebuilding itself for some reason.
This section is displayed only when [click here to check array] has been
selected and the status of the RAID is anything but clean with no errors.

Percentage

Displays the percentage of resynch that remains to be done.

Done

Displays the amount of the resynch that has been completed, including as a
percentage and as the number of kilobytes completed and the size of the disk.

Finished in

Displays the time in hours, minutes, seconds until the currently running
resynch is complete.

Speed

Displays the average speed of the data transfer for the resynch. This is
affected by the disk being in use during the resynch.

[click here to check array]

Select to start a diagnostic check on this RAID. The progress is displayed
in the Resynch Status section.
No check will be run if the status of the RAID is clean and no errors.

To configure RAID levels for FortiMail 400 log devices or mail devices
1. Go to System > RAID > Log Device or Mail Device.

2. For Device Details, select Change to change the RAID level to 0 or 1 based on your
requirements.

Caution: Changing the device's RAID level temporarily suspends all mail operations and
erases all data on the device.

3. For Array Details, if you chose the Mirrored level, do the following:

Select Remove to start the removal process for a disk.

Shut down the FortiMail unit, swap the disk, and restart the FortiMail unit.

The new hard disk will appear in the Device Details section.

Configuring RAID for FortiMail-2000, FortiMail-2000A, or FortiMail-4000A units


Go to System > RAID to configure RAID settings. The Model, Driver and
Firmware fields are useful for troubleshooting.
Figure 46: RAID-Log and Mail Device (FortiMail 2000, 2000A, and 4000A)

General RAID settings

Settings that apply to all RAID controllers and disks.

Web page Refresh Interval

Select to control how often the web-based manager updates the
log device status display.

Go

Select to set the selected Web page refresh interval.

Refresh now

Select to manually update the log device status display.

Controller number

The RAID controller number. The following fields apply to this
controller.

Set RAID level to

Select the RAID level desired. RAID levels 10 and 50 are
available for FortiMail-2000, FortiMail-2000A, and
FortiMail-4000A models. Hot spare(s) are only available on
FortiMail-4000A models.

Change

Select to apply the RAID level indicated.

Model

The model of the hardware RAID controller.

Driver

The version of the RAID controller software driver.

Firmware

The version of the RAID controller firmware.

Unit

List of RAID units.


Type

List of RAID types. Valid types include:

RAID 10
RAID 10 + hot spare(s)
RAID 50
RAID 50 + hot spare(s)

Status

Status of the RAID units.

OK: The RAID controller operates well.

Warning: A background task is currently being performed
(rebuilding, migrating, or initializing).

Error: A controller is degraded or inoperable.

No Units: No RAID controllers are available.

Note that if both Error and Warning conditions exist, the status
will appear as Error.

Size (GB)

Size of the RAID units.

Ignore ECC

Select to turn Ignore Error Correcting Code (ECC) on or off. This
option is turned off by default. Ignoring ECC can speed up the
RAID, but the RAID will not be as fault-tolerant.

Port

List of ports connecting to the hard disks.

Part of Unit

The RAID unit to which the port belongs.

Status

Status of the hard disk.

Size

Size of the hard disk.

Remove

Select to swap a hard disk.

Add to u(n)

Select to add a hard disk to the specified unit.
This button only appears after a disk has been deleted by the
system.

Click to start controller rescan

Select to update unit information after adding or removing a hard
disk.

To change RAID levels for a FortiMail-2000, 2000A, or 4000A controller


1. Go to System > RAID.

2. Select a RAID level in the Set RAID level to field and select Change.

Caution: Changing the device's RAID level temporarily suspends all mail operations and
erases all data on the device. It is recommended that you back up your data before
changing the RAID level.

The system will reboot after the RAID level changes.


To replace a disk in the RAID array (FortiMail-2000, 2000A, or 4000A)
When replacing a disk in the RAID array, the new disk must have the same
storage capacity as, or more than, the existing disks in the array. If the new disk
has a larger capacity than the other disks in the array, only part of the new disk
will be used. For example, if the RAID has 400 G disks and you replace one with
a 500 G disk, only 400 G will be used on the new disk, to match the other disks.
1. Go to System > RAID.

2. Select Remove for the disk that you want to replace.

3. For non-hot spare configurations, shut down the FortiMail unit. Hot spare
configurations do not require a shut down.

4. Replace the disk.

5. For non-hot spare configurations, restart the FortiMail unit. Hot spare RAID
configurations do not require a restart.

6. Go to System > RAID.

7. For the disk that you want to replace, select Add to.
Note: If you do not see the Add to buttons, select Click to start controller rescan.

8. Select Click to start controller rescan.

Generating a certificate
A certificate request or installed server certificate is displayed in the Local
Certificate list. After you submit the request to a certificate authority (CA), the CA
will verify the information and register the contact information on a digital
certificate that contains a serial number, an expiration date, and the public key of
the CA. The CA will then sign and send the signed certificate to you to install on
the FortiMail unit.
Generating a certificate includes the following sections:

Local certificate

Generating a certificate request

Downloading a certificate request

Importing a signed server certificate

Local certificate
To view a certificate request or import a signed server certificate, go to System >
Certificate > Local Certificate. To view certificate details, select the View
Certificate Detail icon for the certificate.
In Figure 47, the entry corresponds to a signed server certificate.
Figure 47: Local Certificate list


Generate

Select to generate a local certificate request. See "Generating a
certificate request" on page 109.
This is available only if a certificate request is not pending or there is no
existing local certificate.

Import

Select to import a signed local certificate. See "Importing separate
server certificate and private key files" on page 111.
This control is not accessible if the certificate request has not been
generated.

Subject

The Distinguished Names (DNs) of local signed certificates.



Status

The status of the local certificate. PENDING indicates that the certificate
request needs to be downloaded and signed.

View Certificate Detail icon

Select to display certificate details such as the certificate name, issuer,
subject, and valid certificate dates.

Delete icon

Select to delete the selected certificate request or installed server
certificate from the FortiMail configuration.

Download icon

Select to save a copy of the certificate request to a local computer.
Send the request to your CA to obtain a signed server certificate for the
FortiMail unit.

Generating a certificate request


The FortiMail unit generates a certificate request based on the information you
enter to identify the FortiMail unit. Generated requests are displayed in the Local
Certificates list with a status of PENDING. After you generate a certificate request,
you can download the request to a computer that has management access to the
FortiMail unit and then forward the request to a CA.
To fill out a certificate request, go to System > Certificate > Local Certificate
and select Generate. To download and send the certificate request to a CA, see
"Downloading and submitting a certificate request" on page 110.
Figure 48: Generate Certificate Signing Request


Subject Information

Enter the information needed to identify the FortiMail unit:

If the FortiMail unit has a static IP address, select Host IP and
enter the public IP address of the FortiMail unit. If the
FortiMail unit does not have a public IP address, use an email
address (or domain name if available) instead.

If the FortiMail unit has a static IP address and subscribes to
a dynamic DNS service, use a domain name if available to
identify the FortiMail unit. If you select Domain Name, enter
the fully qualified domain name of the FortiMail unit. Do not
include the protocol specification (http://) or any port number
or path names. If a domain name is not available and the
FortiMail unit subscribes to a dynamic DNS service, an
"unable to verify certificate" message may be displayed in the
user's browser whenever the public IP address of the
FortiMail unit changes.

If you select E-mail, enter the email address of the owner of
the FortiMail unit.

Organization Unit

Optionally type the name of your department.

Organization

Optionally type the legal name of your company or organization.

Locality (City)

Optionally type the name of the city or town where the FortiMail
unit is installed.

State/Province

Optionally type the name of the state or province where the
FortiMail unit is installed.

Country

Optionally select the country where the FortiMail unit is installed.

e-mail

Optionally type the contact email address.

Key Type

Only RSA is supported.

Key Size

Select a security key size of 1024 Bit, 1536 Bit or 2048 Bit.
Larger keys are slower to generate but they provide better
security.

Downloading and submitting a certificate request


You have to fill out a certificate request and generate the request before you can
submit the results to a CA. For more information, see "Generating a certificate
request" on page 109.
To download and submit a certificate request


Go to System > Certificate > Local Certificate.

In the Local Certificate list, select the Download icon in the row that corresponds
to the generated certificate request.

In the File Download dialog box, select Save.

Name the file and save it to your local file system.

Submit the request to your CA as follows:

Using the web browser on the management computer, browse to the CA web
site.

Follow the CA instructions to place a base-64 encoded PKCS#10 certificate
request and upload your certificate request.

Follow the CA instructions to download their root certificate and Certificate
Revocation List (CRL), and then install the root certificate and CRL on each
remote client (refer to the browser documentation).


When you receive the signed certificate from the CA, install the certificate on the
FortiMail unit. See "Importing separate server certificate and private key files" on
page 111.

Importing separate server certificate and private key files


Use the Upload Certificate dialog box to import a server certificate and the
associated private key file when the server certificate request and private key
were not generated by the FortiMail unit. The two files to import must be available
on the management computer.
Figure 49: Upload Certificate

Certificate file

Enter the full path to and file name of the previously exported
certificate file.

Key file

Enter the full path to and file name of the previously exported key
file.

Password

If a password is required to upload and open the files, type the
password.


Configuring Mail Settings


This section introduces how to configure the FortiMail unit email system settings.
This section includes:

How the FortiMail unit handles email

Configuring basic email server settings

Configuring advanced settings

Customizations

Configuring storage settings

Configuring domains (transparent and gateway modes)

Configuring domains (server mode)

Access control

Managing mail queues

Adding address books (server mode)

Configuring proxies (transparent mode)

How the FortiMail unit handles email


The FortiMail unit receives email for defined email domains and controls relaying
of email to other domains. Email passing through the FortiMail unit is scanned to
isolate viruses and spam. Policies and profiles govern how the FortiMail unit
scans email and what it does with email messages containing viruses or spam.
For information about policies, see "Creating email filtering and control
policies" on page 199. For information about profiles, see "Creating email filtering
and control profiles" on page 161.
The FortiMail unit can also:

verify recipient addresses, see "Recipient address verification" on page 114

control access to email servers through the FortiMail unit for sending or
relaying of email, see "Access control" on page 114

customize messages and appearance, see "Customizing messages and
appearance" on page 115

apply advanced protection techniques to discourage spammers, see
"Advanced protection settings" on page 115

map or alias email addresses, see "Address Maps" on page 158.

Email domains
An email domain is a set of email accounts that reside on a particular email server.
The email domain name is the portion of the user's email address following the
@ symbol.


In server mode, you define local domains, all of which reside on the FortiMail
unit's internal email server. You can define policies to scan incoming email
destined for the users on the local domains and to scan outgoing email to be
received by users in other domains.
For information about creating and configuring domains in server mode, see
"Configuring domains (server mode)" on page 136.
In gateway and transparent modes, you define a domain for each email server
that you want the FortiMail unit to protect. There is one local domain that
represents the FortiMail unit itself. You can define policies to scan incoming email
destined for the users on your domains and to scan outgoing email to be received
by users in other domains. Email destined for your domains must first be received
by the FortiMail unit and then relayed to the domain email server after scanning.
For information about creating and configuring domains in gateway or transparent
mode, see "Configuring domains (transparent and gateway modes)" on page 129.
In gateway mode, you must change the MX record of your email server so that it
specifies the FortiMail unit. You did this when you initially set up the FortiMail unit.
See the "Setting up the FortiMail unit in gateway mode" chapter of the FortiMail
Installation Guide. If you add more domains, you must change their email server
MX records, too.
In transparent mode, each network interface includes a proxy server that receives
and relays email. By default, the proxy server responds using the backend email
server's name. This masquerade hides the existence of the FortiMail unit. For
information about configuring the proxy servers, see "Configuring proxies
(transparent mode)" on page 147.

Recipient address verification


Recipient address verification ensures that email with invalid recipients is rejected
and not scanned or sent to the backend email server. This can reduce the load on
the FortiMail unit when a spammer tries to send messages to every possible
recipient name on the email server.
If you want to use recipient address verification, you need to choose whether to
verify email recipient addresses using the email server or using an LDAP server.
Usually you can use the email server to perform address verification. This works
with most email servers that provide a "user unknown" response to invalid
addresses.
You configure recipient address verification as part of the domain settings. See
"Creating a new email domain (transparent and gateway modes)" on page 130.
Recipient address verification is not available in server mode.

Access control
The FortiMail unit provides flexible control over who can send, receive or relay
email through the unit.
You can specify access rules that match incoming or outgoing email by either
email address or IP address. To match multiple senders or recipients, you can
specify a partial email address such as a domain name or an IP address prefix
such as 172.20.120. The rule specifies the access permitted as follows:


ACCEPT

The FortiMail unit can only receive email for local domains. These are
the FortiMail unit itself and, in server mode, the internal email server.
This is the default permission if there is no rule. If you want a different
permission level for particular senders, you need to define rules for
them.

RELAY

The FortiMail unit can relay email to or from this domain.
Relay permission is automatically configured for the domains that the
FortiMail unit protects and you cannot change it. This allows the
FortiMail unit to relay email to and from the backend email server.

REJECT

The FortiMail unit rejects email received from or to be sent to this
domain. The FortiMail unit sends a reject response to the server or
client attempting to send the email message.

DISCARD

The FortiMail unit discards email received from or to be sent to this
domain. The FortiMail unit does not send a response to the server or
client attempting to send the email message.

For information about configuring access control, see "Access settings" on
page 140.

Customizing messages and appearance


The FortiMail unit allows you to customize both the disclaimer messages and
replacement messages. Also the appearance of the FortiMail unit interface can be
customized.
The disclaimer message is attached to all email, generally warning the recipient
the contents may be confidential. For more information about disclaimer
messages, see "Adding disclaimers to email" on page 122.
The replacement messages are messages recipients receive instead of their
email. These can include warnings about messages sent and incoming messages
that are spam or infected with a virus. For more information about replacement
messages, see "Configuring custom replacement messages" on page 123 and
"Editing the custom replacement message" on page 124.
The appearance of the FortiMail unit web pages that mail administrators see can
be customized to better match a company look and feel. For more information
about changing the appearance of FortiMail, see "Customizing FortiMail web
pages" on page 125.

Advanced protection settings


Processing email takes time. This can cause delays that result in client and server
timeouts. To reduce this problem, there are two advanced settings on FortiMail
units:

Process large email at a time when traffic is expected to be light.

Sending delivery status notifications (DSN)

For detailed information about these options, see "Configuring advanced settings"
on page 120.


Configuring basic email server settings


Go to Mail Settings > Settings to configure the FortiMail unit basic email system
settings, including host name and domain name. Usually, you configure these
settings as part of installation. You can modify them later if needed.
Relay Server settings are the same for all operation modes.
Figure 50: Mail server settings (Transparent and Gateway modes)

Figure 51: Mail server settings (Server mode)

Mail Server


Host Name

Enter the host name of the FortiMail unit.
Use a different host name for each FortiMail unit when
you are managing multiple FortiMail units of the same
model or when configuring a FortiMail HA group.
A FortiMail unit operating in HA mode displays the host
name in the status bar at the bottom of the web-based
manager and adds the host name to the subject line of
alert email messages.

Local Domain Name

Enter the local domain name. The FortiMail unit's FQDN
is <Host Name>.<Local Domain Name>
(transparent and gateway modes only).


POP3 Server Port Number

The default port number is 110. You can change it if needed.
This is only available in server mode.

SMTP Server Port Number

The default port number is 25. You can change it if needed.

SMTP over SSL/TLS

Enable to accept SSL/TLS encrypted email from servers
that have enabled the Use SSL/TLS option if available.
Otherwise, the FortiMail SMTP server receives plain text
email.
This option must be enabled to use SMTPS.

SMTPS Server Port Number

The default port number is 465. You can change it if
needed. This allows the encrypted SMTP traffic to pass
through the SMTPS Server Port.

SMTP Authentication

Select to enable. When enabled, login to the SMTP server is
required (server mode only). Authentication for SMTP
connections is enabled by default.

Relay Server

Relay Server Name

If your ISP provides a relay email server, enter its name.

Relay Server Port

If your ISP provides a relay email server, enter its port
number.

Authentication Required

Select if the Relay server requires authentication.
When selected, enter the User Name, Password, and
select the authentication type as one of AUTO, PLAIN,
LOGIN, DIGEST-MD5, or CRAM-MD5.

Note: The Local Domain Name can also be a subdomain of an internal domain as long as
the MX record on the DNS server can direct the mail destined for this subdomain to the
intended FortiMail unit.

SMTP Authentication (gateway and transparent modes)


SMTP authentication is an SMTP service extension that provides an additional
layer of security to email transactions. An SMTP client indicates an authentication
mechanism to the server, and then performs an authentication protocol exchange.
Optionally, the client can negotiate a security layer for subsequent protocol
interactions.
With SMTP authentication, you allow legitimate users to send email through the
server from any place in the world, while at the same time preventing spammers
and unauthorized users from using your SMTP server. SMTP authentication also
allows remote email users to send email through the FortiMail unit.
This section includes:
• Configuring authentication profile
• Creating policies
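The authentication exchange described above, as an added example that is not part of the original guide or any FortiMail code: PLAIN and LOGIN only base64-encode the password, while CRAM-MD5 answers a server challenge with a keyed digest, which is why the SMTP over SSL/TLS setting matters most for the first two. The account, password, challenge and EHLO reply are constructed sample values, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the illustration (not from a real system).
USER = "user1@example.com"
PASSWORD = "correct-horse-battery"
CHALLENGE = b"<20080327.1234@fortimail.example.com>"
EHLO_REPLY = (
    "250-fortimail.example.com\n"
    "250-STARTTLS\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\n"
    "250 8BITMIME"
)

# Mechanisms whose client response is merely base64-encoded.
REVERSIBLE = {"PLAIN", "LOGIN"}


def b64(text):
    return base64.b64encode(text.encode()).decode()


def plain_response(user, password):
    """AUTH PLAIN: one client line, base64 of NUL + user + NUL + password."""
    return b64("\0" + user + "\0" + password)


def login_responses(user, password):
    """AUTH LOGIN: user name and password base64-encoded on separate lines."""
    return [b64(user), b64(password)]


def cram_md5_response(user, password, challenge):
    """CRAM-MD5: base64 of 'user ' + hex HMAC-MD5(key=password, msg=challenge)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return b64(user + " " + digest)


def verify_cram_md5(response, challenge, accounts):
    """Server side: recompute the digest from the stored password and compare."""
    user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    if user not in accounts:
        return False
    expected = hmac.new(accounts[user].encode(), challenge,
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def observed_password(mechanism, client_lines):
    """What a capture of an unencrypted session yields: the password or None."""
    if mechanism == "PLAIN":
        return base64.b64decode(client_lines[0]).decode().split("\0")[2]
    if mechanism == "LOGIN":
        return base64.b64decode(client_lines[1]).decode()
    return None  # CRAM-MD5 carries a per-challenge digest, not the password


def parse_ehlo(reply):
    """Return (advertised AUTH mechanisms, STARTTLS offered) from an EHLO reply."""
    mechanisms, starttls = set(), False
    for line in reply.splitlines():
        words = line[4:].upper().split()  # drop the "250-" / "250 " prefix
        if not words:
            continue
        if words[0] == "AUTH":
            mechanisms.update(words[1:])
        elif words[0] == "STARTTLS":
            starttls = True
    return mechanisms, starttls


def cleartext_risk(reply, tls_active):
    """Mechanisms that would expose a reusable password on this connection."""
    mechanisms, _ = parse_ehlo(reply)
    return [] if tls_active else sorted(mechanisms & REVERSIBLE)


if __name__ == "__main__":
    print("PLAIN   :", plain_response(USER, PASSWORD))
    print("CRAM-MD5:", cram_md5_response(USER, PASSWORD, CHALLENGE))
    print("At risk without TLS:", cleartext_risk(EHLO_REPLY, tls_active=False))
```

A digest captured from one CRAM-MD5 session does not verify against a different challenge, but the mechanism does not encrypt the message itself, so SMTP over SSL/TLS is still needed to protect mail content.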

Configuring authentication profile


The FortiMail unit supports SMTP authentication by applying authentication
settings. These settings are called profiles. A number of different profiles applied
to email users is a policy.
Because the FortiMail unit has no local user accounts, it uses external server
authentication. Supported external server types include RADIUS, LDAP, POP3,
and IMAP. You need to configure the authentication profile for your authentication
server.


To add and edit a RADIUS server authentication profile - Web-based manager
1. Go to Profile > Authentication > Radius.
2. Select Create New.
3. Enter the Profile Name, the name or IP address of the RADIUS server, and the
   key string of the RADIUS server. Select the Server Requires Domain control
   if the RADIUS server expects user IDs to include a domain name.
4. Select OK.
5. If you want to edit the profile, select the Edit icon for the profile that
   you want to edit and modify the profile as required.
6. Select OK.
To add and edit a RADIUS server authentication profile - CLI
set auth radius <profile_name> server
{<domain_name_str>|<ipv4_str>} secret <key_str> [domain
{enable | disable}]
To add and edit a POP3 server authentication profile - Web-based manager
1. Go to Profile > Authentication > POP3.
2. Select Create New.
3. Enter the Profile Name and the name or IP address of the POP3 server.
4. Enter the POP3 server port number. The default port number is 110.
5. Select the Server Requires Domain control if the POP3 server expects user
   IDs to include a domain name. Enable Secure Sockets Layer (SSL) to secure
   message transmission, Secure Authentication to secure email users'
   passwords, or Transport Layer Security (TLS) to ensure privacy between
   communicating applications and their users on the Internet, as required.
6. Select OK.
7. If you want to edit the profile, select the Edit icon for the profile that
   you want to edit and modify the profile as required.
8. Select OK.
To add and edit a POP3 server authentication profile - CLI
set auth pop3 <profile_name> server
{<domain_name_str>|<ipv4_str>} port <port_number> [option
{ssl} {secure} {tls} {domain}]
To add and edit an IMAP server authentication profile - Web-based manager
1. Go to Profile > Authentication > IMAP.
2. Select Create New.
3. Enter the Profile Name and the name or IP address of the IMAP server.
4. Enter the IMAP server port number. The default port number is 143.
5. Select the Server Requires Domain control if the IMAP server expects user
   IDs to include a domain name. Enable Secure Sockets Layer (SSL) to secure
   message transmission, Secure Authentication to secure email users'
   passwords, or Transport Layer Security (TLS) to ensure privacy between
   communicating applications and their users on the Internet, as required.
6. Select OK.
7. If you want to edit the profile, select the Edit icon for the profile that
   you want to edit and modify the profile as required.
8. Select OK.
To add and edit an IMAP server authentication profile - CLI
set auth imap <profile_name> server
{<domain_name_str>|<ip_str>} port <port_number> [option
{ssl} {secure} {tls} {domain}]
To add and edit an LDAP server authentication profile - Web-based manager
For detailed steps describing the creation or editing of an LDAP profile using the
web-based manager, see To add and edit an LDAP server authentication profile
on page 193.
To add and edit an LDAP server authentication profile - CLI
For detailed steps describing the creation or editing of an LDAP profile using the
command-line interface, see the command set ldap_profile in the CLI chapter of
the FortiMail Administration Guide.

Creating policies
You can protect your email server and its users by connecting the server to the
FortiMail unit. You can then apply authentication profiles to email users to support
SMTP authentication.
By applying profiles to email users, you create policies.
Connect the email server(s) to the FortiMail unit to protect the servers from
unwanted attacks. You can then apply authentication profiles to the email users.
To connect and edit an email server - Web-based manager
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the Domain FQDN and SMTP server IP of your email server.
4. Select OK.
5. If you want to edit an email server, select the Modify icon of an email
   server.
6. Modify the Domain FQDN and SMTP server IP of your email server.
7. Select OK.
To connect and edit an email server - CLI
set policy <server_fqdn> modify ip <ipv4>
After connecting the email server(s) to the FortiMail unit, you can apply an
authentication profile to email users.


When applying a profile for a user, you create a policy for the user.
To create a policy for email users - Web-based manager
1. Go to Policy > Recipient Based.
2. Select the domain for which you want to add a policy.
3. Select Create New.
4. Enter the User Name.
   The user name you enter must match the same user's name on the email
   server. Normally it is in the format of an email address. You can also use
   an asterisk to represent a group of users, for example, *@example.com.
5. Expand Authentication and Access.
6. Select your authentication server type and a profile.
7. Enable Allow POP3 for SPAM access or Allow web mail for SPAM access
   depending on whether users will use POP3 or web mail to access their
   quarantined spam messages.
8. Enable SMTP authentication. This requires users to authenticate before
   sending mail.
9. Select OK.
To create a policy for email users - CLI
set spam retrieval policy <server_fqdn> user <user_name>
auth {imap | ldap | pop3 | radius } <auth_profile> senddomain
{enable | disable}

Notifying users
After configuring profiles and creating policies, you need to notify remote users to
do the following when configuring mail accounts on their email clients:

• Enable SMTP authentication.
• Use their full domain names for logon account names if the FortiMail unit
  supports multiple domains.

Configuring advanced settings


Go to Mail Settings > Settings > Advanced Settings to configure advanced
settings.


Figure 52: Advanced settings

Deferred Oversize Message Delivery
Configure this option to allow the FortiMail unit to defer processing an
email larger than a configurable size.
You can set the time to start and stop delivering these large messages.

DSN (Delivery Status Notification)

Sender Display Name
The name displayed to indicate the sender of the notification.
Leaving this field empty will use the default setting of postmaster.

Sender Address
The address displayed to indicate the sender of the notification.
Leaving this field empty will use the default setting of
postmaster@domain.com where domain.com is your domain.

Mail Queue

Maximum time for email in queue
Select the maximum number of days an email can remain in a mail queue. The
valid range is from one to ten days. The default is five days.
After the maximum time has been reached, the email will be returned as
undeliverable.

Maximum time for DSN email in queue
Select the maximum number of days a delivery status notification (DSN)
message can remain in the mail queues. The valid range is from zero to ten
days. The default is five days.
After the maximum time has been reached, the DSN email will be returned as
undeliverable.
If the maximum time is set to zero days, delivery will be attempted one time
and then the DSN email will be returned as undeliverable.

Time before delay warning
Select the number of hours before a warning is sent to the sender notifying
them the message has been deferred. The valid range is from 1 to 24 hours.
The default is 4 hours.

Time interval for retry
Select the number of minutes between delivery retries for queues. The valid
range is from 10 to 120 minutes. The default is 27 minutes.
Adjusting this value lower will help deliver messages faster.

Delivery Options


Disable ESMTP for outgoing email
Select to disable Extended Simple Mail Transfer Protocol (ESMTP) for outgoing
email. ESMTP email supports graphics, sound, video, and text in various
languages. ESMTP is described in RFC 1869.

Note: For the mail queue descriptions, see Managing mail queues on page 141.

Customizations
There are several ways that you can customize the operation of your FortiMail
unit. You can:

• add disclaimers to the header or body of email messages that pass through
  the unit
• modify replacement messages sent to users when an email or attachment is
  blocked
• change the product name and logos that appear on the web-based manager
  and WebMail pages
• change the language displayed on the WebMail pages

Note: Disclaimer and replacement messages provided by Fortinet are examples only.

Adding disclaimers to email


Go to Mail Settings > Settings > Disclaimer to configure disclaimers for the
FortiMail unit to add to incoming and outgoing email going through the unit.
For disclaimers added to outgoing messages, you are required to configure an IP
based policy or an outgoing recipient based policy.
Note: In transparent mode, for disclaimers to work you must enable the Mail Settings >
Proxies option Use original server to deliver mail. For more information see Configuring
proxies (transparent mode) on page 147.
Figure 53: Disclaimer configuration


Allow per-domain settings
Select to allow separate disclaimers for each mail server domain. This page
defines system disclaimer settings.

For incoming messages

Disclaimer in message header
Select Enable and type the disclaimer that you want to add in the message
header. Maximum length 256 characters.

Disclaimer in message body
Select Enable and type the disclaimer that you want to add in the message
body. Maximum length 1024 characters.

For outgoing messages

Disclaimer in message header
Select Enable and type the disclaimer that you want to add in the message
header. Maximum length 256 characters.

Disclaimer in message body
Select Enable and type the disclaimer that you want to add in the message
body. Maximum length 1024 characters.

Configuring custom replacement messages


When FortiMail detects a virus in an email attachment, it replaces the attachment
with a message that provides information about the virus and source of the email.
Optionally, FortiMail can send a replacement message to the recipient when it
blocks an email as spam or due to content filtering.
Go to Mail Settings > Settings > Custom Messages to configure custom
replacement messages.
Note: If you customize a message you may change the text and the formatting, but all the
original variables must be part of the new message. Removing variables from the message
may result in an error message and reduced functionality.
Figure 54: Custom messages list

Service
Mail is the only FortiMail service with replacement messages.

Name
There are three Name categories: Replacement, Reject, and Report. Within
these categories are the message names. The names are one of the
following:

virus message
Replacement for an infected attachment.

suspicious message
Replacement for suspicious email attachments.

attachment filtering message
Replacement for an email whose attachment is blocked by filtering.


content filtering message
Replacement for an email blocked by content filtering.

content filtering subject
Replacement for a subject of email blocked by content filtering.

virus message
Reject message for email containing a virus.

suspicious message
Reject message for email containing suspicious contents.

spam message
Reject message for a spam email.

attachment filtering message
Reject message for email containing banned attachments.

content filtering message
Reject message for email containing sensitive contents.

spam report (HTML)
Header of HTML spam report.

spam report (Text)
Header of text spam report.

spam report Subject
Subject line for the email containing the Spam Report Emails.

Description
Description of the message indicating why it is sent.

Edit icon
Edit the message.

Editing the custom replacement message


Go to Mail Settings > Settings > Custom Messages to configure custom
replacement messages. Select the Edit icon for the message that you want to
modify.
Figure 55: Editing a custom message

Message setup
The name of the custom message you are editing.

Allowed formats
The allowed message format: Text or Text/HTML.

Size
The maximum length of the message in characters.

Reset to Default
Select to return to the factory default replacement message.

Message box
Enter the text or HTML message and select Apply. You can use the special
tags in Table 8, Email Virus replacement message tags, on page 125 to add
information to the message.


Table 8: Email Virus replacement message tags

Tag                       Description
%%EMAIL%%                 The user's email address.
%%FILE%%                  The name of the file that was removed from the
                          email.
%%FILE_TYPE%%             The MIME-type of file that was blocked. (Content
                          blocking only)
%%MESSAGE_ID_ALL%%        Message ID to indicate all messages when using
                          control addresses.
%%SPAM_DELETE_EMAIL%%     Spam delete control address, for example
                          delete-ctr-srv@examplemail.com.
%%SPAM_RELEASE_EMAIL%%    Spam release control address, for example
                          release-ctrl-srv@examplemail.com.
%%VIRUS%%                 The name of the virus that the antivirus system
                          found. %%VIRUS%% can be used in the virus message.
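One way to check a customized replacement message before pasting it into the Message box, as an added example that is not FortiMail code: it confirms that every variable of the original message is still present and well formed, and that the text fits the Size and Allowed formats shown on the edit page. The default message text, the size limit and the function names are assumptions made for the illustration.

```python
import re

# A well-formed variable as written in Table 8, for example %%VIRUS%%.
WELL_FORMED = re.compile(r"%%[A-Z_]+%%")
# Anything that looks like an attempt at a variable, such as %VIRUS%% or %%virus%%.
TAG_LIKE = re.compile(r"%{1,2}[A-Za-z_]+%{1,2}")
# Any HTML element, used to enforce a Text-only message format.
HTML_TAG = re.compile(r"</?[A-Za-z][^>]*>")

# Constructed stand-in for a factory default message (not Fortinet's wording).
DEFAULT_VIRUS = ("The file %%FILE%% has been removed because it is infected "
                 "with the virus %%VIRUS%%.")
# Constructed customizations: one valid, one with a damaged variable.
GOOD_CUSTOM = ("<p>Attachment <b>%%FILE%%</b> was removed: infected with "
               "%%VIRUS%%. Contact the help desk.</p>")
BAD_CUSTOM = "Attachment %%FILE%% was removed: infected with %VIRUS%%."


def tags_in(message):
    """Return the set of well-formed %%NAME%% variables in a message."""
    return set(WELL_FORMED.findall(message))


def check_custom_message(default, custom, max_chars, html_allowed):
    """Return a list of problems; an empty list means the message is usable.

    default      -- the original message whose variables must all be kept
    custom       -- the edited message
    max_chars    -- the Size value shown for this message
    html_allowed -- True when Allowed formats is Text/HTML, False for Text
    """
    problems = []
    original, edited = tags_in(default), tags_in(custom)
    for tag in sorted(original - edited):
        problems.append("missing variable " + tag)
    for tag in sorted(edited - original):
        problems.append("variable not in the original message " + tag)
    for token in TAG_LIKE.findall(custom):
        if not WELL_FORMED.fullmatch(token):
            problems.append("malformed variable " + token)
    if len(custom) > max_chars:
        problems.append("too long: %d > %d characters" % (len(custom), max_chars))
    if not html_allowed and HTML_TAG.search(custom):
        problems.append("HTML markup in a Text-only message")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_CUSTOM), ("bad", BAD_CUSTOM)):
        result = check_custom_message(DEFAULT_VIRUS, text, 1024, True)
        print(name, "->", result or "OK")
```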

Customizing FortiMail web pages


Go to Mail Settings > Settings > Appearance to customize the default FortiMail
web-based manager and WebMail pages with your own product name, product
logo, and corporate logo.
You can customize the language used to display the FortiMail web pages. Beyond
selecting one of the FortiMail unit system languages, you can upload new
language files to the FortiMail unit using the CLI. Once installed, you can edit the
language resource file, or upload a new resource file in its place.


Figure 56: Customizing the web appearance of FortiMail

Product name
Enter a new name to appear on the Login page preceding Administrator Login.

Web administration interface

Top logo
Select change to upload a new logo to appear at the top of all web-based
manager pages.

Bottom logo
Select change to upload a new logo to appear at the left edge of the
web-based manager status bar. This logo is a link to the Bottom URL.

Bottom URL
Enter the URL for which the Bottom logo is a link. You could set this to
your corporate web page, for example.

Webmail interface

Webmail Language
Select the language to be displayed in Webmail. The default is to use the
same language as the FortiMail unit. For system language settings see
Changing configuration options on page 96.

Webmail Language Customization
Displays the list of languages installed on the FortiMail unit, including
the language names in English, and in their own language. For each language
you can select:
• Edit - to change the language name displayed, and Webmail labels. See To
  edit a Webmail language on page 127.
• Download webmail language - to save the language resource file for this
  language on a local computer
• Upload - to update the language resource file for this language from a
  local computer to the FortiMail unit.

Webmail Login
Enter the Webmail Login page title.


Input your email address
Enter the wording you want for this prompt on the Webmail interface.
Default is Input your email address.

Web mail flash logo
Select change to upload a new logo to appear at the top left of the
FortiMail WebMail Login page.

Web mail top logo
Select change to upload a new logo to appear at the top of the FortiMail
WebMail pages.

To edit a Webmail language


Once a resource file is in place for a language, you can change resources within
it. This allows you to change how you refer to different resources, possibly using
regional terms within a language. For example England and the United States
both use the English language, but may use different words to describe the same
resource in Webmail.
1. Go to Mail Settings > Settings > Appearance.
2. Select Edit for an installed language.
3. In the first column, find the section of Webmail that contains the resource
   you want to change.
4. In the second column, find the resource you want to change.
5. Delete the displayed text and enter the new text to use.
6. At the bottom of the page select OK.

Configuring storage settings


The FortiMail unit can store email either locally or remotely. Your FortiMail unit
supports NFS storage on a Network Attached Storage (NAS) server, and a
Centralized Quarantine.
A NAS has the benefits of remote storage which include ease of backing up the
mail data, flexible storage limits, and if your FortiMail unit loses connection you
can still access the mail data on the NAS server.
A centralized quarantine server allows up to 10 client FortiMail units to send all
their quarantined spam emails or system quarantined emails to one high end
remote FortiMail unit quarantine server. This offloads quarantine related
processing and disk storage from the clients to the server. A centralized
quarantine server can only be a FortiMail 2000 or 4000 model. Any FortiMail unit
can be a client.
Select Mail Settings > Settings > Storage to configure Storage settings.
Note: If you are using an NAS server in HA mode, you should disable mail data
synchronization. Otherwise, both FortiMail units will write the same data to the same
location wasting CPU cycles and network bandwidth.


Figure 57: Storage - 2000 and 4000 series models

Figure 58: Centralized Quarantine - low end models

NAS

Local
Select to store email on the FortiMail unit local disk. This is selected by
default.

NAS Server
Select to store email on a remote Network Attached Storage (NAS) server.

Test
Select to verify the NAS server settings are correct and that the FortiMail
unit can access that location.
This control is available only when NAS server is selected.

Server IP
Enter the IP address of the NAS server.

Server Dir
Enter the directory to store the FortiMail email in on the NAS server.

Centralized Quarantine

Disabled
Select to use local storage for quarantine.

Receive quarantined messages from clients
Select to be a centralized quarantine server. Other FortiMail units listed
will be clients and send all their quarantined messages to this FortiMail
unit.
The list of configured clients includes the following information:
• Name - the name of the client
• IP - the IP address of the client
• Delete - Select to remove this client from the list
This option is only available on FortiMail-2000 and FortiMail-4000 series
models.


Add
Select to add a blank client entry to the client list.
This option is only available on FortiMail-2000 and FortiMail-4000 series
models.

Send quarantined messages to remote server
Select to be a centralized quarantine client. All quarantined messages will
be saved on the centralized quarantine server.
When selected, enter the following information:
• Name - a name to identify this client
• Host - the IP address of the server

Configuring domains (transparent and gateway modes)


You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
It is good form to configure a local domain name that is different from the domain
name of your back end mail server. The local domain name will be used by many
FortiMail features such as email quarantine, Bayesian database training, spam
reports, and DSN notifications. A subdomain of the protected domain is
recommended for the local domain because of the domain registration savings.
Note: In gateway mode, proper MX record configuration is needed for directing the mail
destined to protected domains to this FortiMail unit.

Note: The local domain name should be globally DNS-resolvable only if the FortiMail unit is
used as an outbound relay server.

In transparent or gateway mode, go to Mail Settings > Domains to view your
domains.
Figure 59: Domain list (Transparent and Gateway modes)

Domain
Displays the domain names of the mail servers in alphabetical order.
A + next to a domain entry indicates it has a subdomain that will be
displayed if you select the +. Normally a - will be displayed.

Use MX
A green check indicates that MX record is used for this domain.
A red X indicates that SMTP server and port are used instead of MX.

SMTP Server
Displays the SMTP server IP address and port. The SMTP server entry will be
blank if Use MX shows a green check.

Modify

Delete icon
Delete the domain. In server mode, this also deletes the users you have
configured for this domain.


Edit icon
Edit the domain settings. See Creating a new email domain (transparent and
gateway modes) on page 130.

Create New
Create a new domain. See Creating a new email domain (transparent and
gateway modes) on page 130.

Creating a new email domain (transparent and gateway modes)


In transparent or gateway mode, go to Mail Settings > Domains. There you can
either select Create New to create email domains and subdomains, or select the
edit icon for an existing domain or subdomain.
The Create New and Edit screens are the same except that in the Edit screen, the
domain name cannot be changed. In transparent operation mode, there is an
added section of transparent related options.
The Verify Recipient Address option and the Automatic Removal of Invalid
Quarantine Accounts option provide two methods to get the same result:
preventing the FortiMail unit from saving invalid email. Invalid email is any
email sent to non-existent accounts. Using these two methods together is not
necessary, and will consume more system resources.
Verify Recipient Address prevents the invalid mail from being saved, and when
email quarantine for large amounts of email is enabled it can prevent storing many
emails unnecessarily. However, the additional processing required may cause a
problem on FortiMail units operating near their limits during peak periods. The
hostname is not validated as part of this process.
Automatic Removal of Invalid Quarantine Accounts frees up system
resources used when email is being received, and instead cleans up those invalid
emails once a day at 4am. You cannot change the time of the removal runs.
If spam quarantine is enabled, and neither of the Verify Recipient Address
option and the Automatic Removal of Invalid Quarantine Accounts option are
enabled, performance will suffer and could potentially cause the FortiMail unit to
refuse SMTP connections if it is subject to extremely heavy mail traffic.
Spam reports and Disclaimers can be customized for each domain. Each domain
can either use the FortiMail unit system-wide settings for each, or customize the
settings.
IP pools and the HELO domain setting are used only for outgoing mail from a
domain configured on the FortiMail unit. This is done by checking only the
envelope from address. If the envelope from address indicates the message is
from a locally configured domain, the domain configuration is checked for IP pools
and the HELO domain settings. The appropriate actions are taken based on these
settings.


Figure 60: Create email domain (transparent mode)

Domain FQDN
Enter the fully-qualified domain name of your server.

Use MX Record
Select to use the record from the MX table entry to define the domain.
When this control is enabled, SMTP Server and Fallback MX Host are not
selectable. Instead the MX entry for the FQDN for the domain is used.

SMTP Server
Enter the IP address, or FQDN, and the port of your SMTP server.
Select SMTPS to use a secure SMTP connection. If SMTPS is selected, the port
is the SMTPS port. The default SMTP port is 25, and the default SMTPS port
is 465.

Fallback MX Host
Enter the IP address, or FQDN, and port of your backup SMTP server. Select
SMTPS to use a secure SMTP connection. If SMTPS is selected, the port is the
SMTPS port. The default SMTP port is 25, and the default SMTPS port is 465.
This backup server functions in case your primary SMTP or SMTPS server
fails.


Is Subdomain
Select to indicate the domain you are creating is a subdomain of an existing
domain.
This control is accessible only when a domain is already configured.

Main Domain
Select the main domain from the list of configured domains.
This control is accessible only when subdomain is selected and a main domain
is already configured.

Verify Recipient Address
Select one of Disable, SMTP Server or LDAP Server. Selecting the blue arrow
for LDAP Server expands to allow you to select the LDAP profile to use.

Transparent Mode Options

This server is on
Select the FortiMail unit interface (port) that the email server is on.
A wrong interface will result in connection issues.
This option is only available in Transparent mode.

Hide the transparent box
When enabled, this feature will use the EHLO arguments from the sender in
the email header to make the ongoing connection. Your FortiMail unit will be
hidden by spoofing the mail server's IP address to deliver outgoing mails.
When not enabled, the FortiMail unit's IP address and hostname will be added
to the email header.
If this feature is enabled, you must select the correct interface that the
server is on.
If this feature is enabled, the Mail Settings > Proxies option Use original
server to deliver mail must be enabled. See Configuring proxies (transparent
mode) on page 147.
If this feature is enabled you will not be able to use IP pools.
This option is only available in Transparent mode.

Use this domain's SMTP server to deliver the mail
When enabled, the FortiMail unit will relay mail to the SMTP server for this
email domain.
This option is only available in Transparent mode.

Automatic Removal of Invalid Quarantine Accounts
If enabled, quarantine user accounts are checked against an SMTP or LDAP
server at 4:00 AM daily. Quarantined messages to invalid users are deleted.
Select one of Disable, SMTP Server or LDAP Server. Selecting the blue arrow
for LDAP Server expands to allow you to select the LDAP profile to use from
a list of configured server profiles.

LDAP User Alias profile
Select the LDAP profile to use for aliased users in this domain. For
information on configuring LDAP profiles see Creating LDAP profiles on
page 193.

Advanced Settings

Mail Routing
Select to enable mail routing based on the selected LDAP profile.

Spam Report Setting
Select the blue arrow to expand the spam report section. For more
information see Spam Report Setting on page 133. For information on
system-wide spam report settings see Scheduling spam reports on page 212.

Disclaimer
Select the blue arrow to expand the disclaimer section. For more information
see Disclaimer on page 135. For information on system-wide disclaimer
settings see Adding disclaimers to email on page 122.

Webmail Language
Select the language people see when they check their email accounts on this
domain through Webmail. The default is to use the same language as the
system settings.


IP Pool to use

Select a pool of IP addresses to use for outgoing connections from
this domain.
Use IP pool profiles if you want outgoing email to originate from a
configured range of IP addresses. Each sent message will use the
next IP address in the range. When the last IP address in the
range is used, the next message will use the first IP address.
If the FortiMail unit is in transparent mode, and you have enabled
the feature Hide this transparent box, you cannot use IP pools.
To create a pool of IP addresses, go to Profile > IP Pool > IP Pool
Lists. See Creating IP pool profiles on page 197.

SMTP Greeting

Select the helo/ehlo greeting to use on outgoing connections. By
default the domain name is used. Use the system host name if
your FortiMail unit is hosting multiple domains and using IP pool
addresses.

Advanced AS / AV Settings
Check AS / AV Config

Select to enable checking of Antispam and Antivirus configuration
based on the selected LDAP profile.

Use Global Bayesian Database

Select to use the global Bayesian database instead of this
domain's group database. Each domain defined in Mail Settings
> Domains can be set individually.
If Bayesian databases do not need to be tailored to the traffic
received by some or all defined domains, the global Bayesian
database can be used by multiple domains to centralize database
training and maintenance. This will simplify management.

Spam Report Setting


Go to Mail > Domains > Create New. Select the Spam Report Setting blue arrow to
expand the display.
Spam report settings allow you to customize the spam reports for this domain. The
spam report settings for a domain are a subset of the system-wide spam settings.
For example, if the system settings for schedule only include Monday and
Thursday, when you are setting the schedule for the domain spam reports you will
only be able to select Monday and Thursday.
For more information on the system settings for the spam report see Scheduling
spam reports on page 212.
Note: The Report body and subject sections include markup tags by default. If you edit
these sections to customize them, do not delete these tags. If you accidentally delete the
tags, go to the CLI and unset that message, and it will return to the factory default
message.

Figure 61: Spam Report Settings (transparent mode)

Send to individual recipients

Select to send the spam report to all recipients listed. For more
details see Anti-Spam > Quarantine > Recipients.

Send to other recipient

Select to enter an email address that is not on the recipient list. If
the administrator for this domain is not part of this domain, the
administrator's email address outside this domain can be
entered here.

Schedule

Select Use domain settings to customize the spam report
schedule. The default is Use system settings.
Note: If you change the system-wide spam report schedule, it
will clear any domain spam report schedules. You will have to
edit the domain and set the schedule with the new available
settings.

These Hours

Select the hours to include in the spam report for this domain.
When the FortiMail unit is reset, not all hours will be available.
Select the Schedule blue arrow to view this field. Set Schedule
to Use domain settings to edit this section.

These Days

Select the days to include in the spam report for this domain.
When the FortiMail unit is reset, not all days will be available.
Select the Schedule blue arrow to view this field. Set Schedule
to Use domain settings to edit this section.

Report

Select Use domain settings to customize the spam report
content. The default is Use system settings.

Report Email Body (HTML)

Select to customize the spam report email body using HTML tags
in the report email body.
Both HTML and text can be selected at the same time.
Select the Report blue arrow to view this field. Set Report to
Use domain settings to edit this section.

Report Email Body (Text)

Select to customize the spam report email body using plain text in
the report email body.
Both HTML and text can be selected at the same time.
Select the Report blue arrow to view this field. Set Report to
Use domain settings to edit this section.

Report Email Subject (Text)

Select to customize the email subject line for the spam report.
Select the Report blue arrow to view this field. Set Report to
Use domain settings to edit this section.

Disclaimer
Go to Mail > Domains > Create New. Select the Disclaimer blue arrow to expand the
display.
Disclaimer settings allow you to customize the disclaimer messages associated
with this domain. These disclaimers will be included with all incoming or outgoing
email (as configured) for this domain.
Figure 62: Disclaimer (transparent mode)

Disclaimer

Select one of:
Disable - Do not use disclaimers
Use System Settings - Use the FortiMail unit system
settings for disclaimers. For these settings see
Use Domain Settings - Use the settings you establish
for this domain. This setting enables customizing the
incoming and outgoing messages.

For Incoming Messages

To enable or customize incoming messages, set Disclaimer
to Use Domain Settings.

Disclaimer in message header

Select to enable. Enter a new disclaimer message to
customize the message.

Disclaimer in message body

Select to enable. Enter a new disclaimer message to
customize the message.

For Outgoing Messages

To enable or customize outgoing messages, set Disclaimer
to Use Domain Settings.

Disclaimer in message header

Select to enable. Enter a new disclaimer message to
customize the message.

Disclaimer in message body

Select to enable. Enter a new disclaimer message to
customize the message.

Configuring domains (server mode)


You create local domains to define the email server(s) that the FortiMail unit
protects. Usually, you configure at least one domain as part of your installation.
You can add more domains or modify the settings of existing ones as needed.
In server mode, go to Mail Settings > Domains to view your domains.
Figure 63: Domain list (Server mode)

Domain

Displays the domain names of the mail servers in alphabetical order.
A + next to a domain entry indicates it has a subdomain that will be
displayed if you select the +. Normally a - will be displayed.

Modify

Delete icon

Delete the domain. In server mode, this also deletes the users you
have configured for this domain.

Edit icon

Edit the domain settings. See Creating a new email domain (server
mode) on page 136.

Create New

Create a new domain. See Creating a new email domain
(transparent and gateway modes) on page 130.

Creating a new email domain (server mode)


In server mode, go to Mail Settings > Domains and select Create New to create
email domains and subdomains.
IP pools and the HELO domain setting are used only for outgoing mail from a
domain configured on the FortiMail unit. This is done by checking only the
envelope from address. If the envelope from address indicates the message is
from a locally configured domain, the domain configuration is checked for IP pools
and the HELO domain settings. The appropriate actions are taken based on these
settings.

Figure 64: Create new email domain

Domain FQDN

Enter the fully-qualified domain name of your server.

Is Subdomain

Select to indicate the domain you are creating is a
subdomain of an existing domain.

Main Domain

Select the main domain from the list of existing domains.
This control is accessible only when subdomain is
selected.

LDAP User Profile

Select the profile from the available configured LDAP user
profiles.

Advanced Settings
Mail Routing

Select to enable mail routing based on the selected LDAP
profile.

Spam Report Setting

Select the blue arrow to expand the spam report section.
For more information see Spam Report Setting on
page 133. For information on system-wide spam report
settings see Scheduling spam reports on page 212.

Disclaimer

Select the blue arrow to expand the disclaimer section. For
more information see Disclaimer on page 135. For
information on system-wide disclaimer settings see
Adding disclaimers to email on page 122.

Webmail Language

Select the language people see when they check their
email accounts on this domain through Webmail. The
default is to use the same language as the system settings.

IP Pool to use

Select a pool of IP addresses to use for outgoing
connections from this domain.
Use IP pool profiles if you want outgoing email to originate
from a configured range of IP addresses. Each sent
message will use the next IP address in the range. When
the last IP address in the range is used, the next message
will use the first IP address.
To create a pool of IP addresses, go to Profile > IP Pool >
IP Pool Lists. See Creating IP pool profiles on page 197.

SMTP Greeting

Select the helo/ehlo greeting to use on outgoing
connections. By default the domain name is used. Use the
system host name if your FortiMail unit is hosting multiple
domains and using IP pool addresses.

Advanced AS / AV Settings
Check AS / AV Config

Select to enable checking of Antispam and Antivirus
configuration based on the selected LDAP profile.

Editing an existing email domain (server mode)


In server mode, go to Mail Settings > Domains and select the edit icon of an
existing domain or subdomain to modify its settings.
Figure 65: Edit domain or subdomain settings

Domain

The domain or subdomain name used when the entry was
created. If it is a subdomain, the main domain is also indicated.

LDAP User Profile

Select the profile from the available configured LDAP user
profiles.

Use MX Record

Select to use the record from the MX table to define the domain.
When this control is enabled, SMTP Server and Fallback MX
Host are not selectable.

SMTP Server

Enter the IP address of your SMTP server.

Fallback MX Host

Enter the IP address of your backup SMTP server. This backup
server functions in case your primary SMTP server fails.

Mail Routing

Select to enable mail routing for this email server, and select the
LDAP profile to use.

Check AS / AV Config

Select to enable the checking of Antispam and Antivirus
configurations, and select the LDAP profile to use.

Disclaimer

This section allows you to set disclaimer messages sent with the
email. If this is greyed out, this feature is not available at this
time.

Disable

Do not add disclaimers to email from this server.

Use system settings

Use the settings specified in Mail Settings > Settings >
Disclaimer.

Use domain settings

Select to specify the disclaimer settings for this domain.
When selected, this control enables defining custom incoming
and outgoing disclaimers.

Configuring email access


Go to Mail Settings > Access to configure email access. You can configure the
FortiMail unit to allow, deny, or relay email from an IP address, part of an IP
address, a domain name, part of a domain name, or an email address.
Figure 66: Email server access list

The position of the rule in the list

Sender Pattern

A complete or partial sender address to match for this rule.

Recipient Pattern

A complete or partial recipient address to match for this rule.

Sender IP/Netmask

The IP and netmask of the sender.

Reverse DNS Pattern

A complete or partial DNS entry to match for this rule.

Action

The action taken when this rule has a match.
Valid actions are: accept, relay, reject, and discard.

Modify

Select edit, delete or move for this rule.
Move allows you to change the order of the rules in the list. The first
rule in the list is attempted to be matched first, then the second,
until there is either a match or the end of the list is reached.

Create New

Create a new email access item. See Access settings on
page 140.

Access settings
Go to Mail Settings > Access to configure email access. Select Create New to
create an entry for any of the following:

a full or partial IP address

a full or partial domain name

an email address

The following examples show the FortiMail email access configuration rules:
Table 9: Example From/To definitions for email access rules

In the From/To field, if you enter    You want to configure email access
172.20.110.21                         from IP address 172.20.110.21.
172.20.110                            from IP address 172.20.110.xxx.
172.20                                from IP address 172.20.xxx.xxx.
FortiMail.com                         to xxx@FortiMail.com (or any email address ending with this
                                      domain) or from the IP address with this domain name.
jdoe@example.com                      for email to or from this address.

Note: When creating a new access rule, no pattern can be left blank.

Figure 67: Create new access rule

Sender Pattern

A complete or partial sender address to match for this rule.
Select Regular Expression to use regular expression markup as part of
the Sender Pattern entry.

Recipient Pattern

A complete or partial recipient address to match for this rule.
Select Regular Expression to use regular expression markup as part of
the Recipient Pattern entry.

Sender IP/Netmask

The IPv4 address and netmask of the sender.

Reverse DNS Pattern

A complete or partial DNS entry to match for this rule.
Select Regular Expression to use regular expression markup as part of
the Reverse DNS Pattern entry.

ACCEPT

The FortiMail unit can only receive email for the local domains.

RELAY

The FortiMail unit can relay email from this domain.

REJECT

The FortiMail unit rejects email received from or to be sent to this
domain. The FortiMail unit sends a reject response to the server or
client attempting to send the email message.

DISCARD

The FortiMail unit discards email received from or to be sent to this
domain. The FortiMail unit does not send a response to the server or
client attempting to send the email message.

OK

Select OK to complete your new access rule.
If there are any errors in your rule, you will be prompted to fix them
before the new rule is accepted and you are returned to the Email
Server Access list screen.
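
The first-match ordering described for the access list, as an added example that is not FortiMail code: a small model that replays constructed sessions against a constructed rule list to find a rule that can never decide a session and a RELAY rule reachable from outside the internal network. The class and function names, the sample rules and sessions, and the reading of a partial pattern as a domain suffix are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One SMTP delivery attempt as an access rule sees it (constructed model)."""
    client_ip: str
    rdns: str        # reverse DNS name of client_ip
    mail_from: str   # envelope sender, supplied by the connecting client
    rcpt_to: str     # envelope recipient


@dataclass(frozen=True)
class Pattern:
    text: str
    regex: bool = False  # models the Regular Expression checkbox

    def matches(self, value: str) -> bool:
        value = value.lower()
        if self.regex:
            return re.fullmatch(self.text, value, re.IGNORECASE) is not None
        pat = self.text.lower()
        if "@" in pat:  # complete address, e.g. jdoe@example.com
            return value == pat
        # Assumption: a partial entry is a domain suffix on a label boundary.
        host = value.rsplit("@", 1)[-1]
        return host == pat or host.endswith("." + pat)


ANY = Pattern(".*", regex=True)  # no pattern can be left blank


@dataclass(frozen=True)
class Rule:
    sender: Pattern
    recipient: Pattern
    sender_net: str  # Sender IP/Netmask
    rdns: Pattern
    action: str      # accept, relay, reject or discard

    def matches(self, s: Session) -> bool:
        in_net = ipaddress.ip_address(s.client_ip) in ipaddress.ip_network(self.sender_net)
        return (in_net and self.sender.matches(s.mail_from)
                and self.recipient.matches(s.rcpt_to) and self.rdns.matches(s.rdns))


def evaluate(rules, session):
    """Return (position, action) of the first matching rule, or None."""
    for pos, rule in enumerate(rules, start=1):
        if rule.matches(session):
            return pos, rule.action
    return None


def shadowed(rules, probes):
    """Positions of rules that match some probe but never decide one."""
    winners = {hit[0] for hit in (evaluate(rules, p) for p in probes) if hit}
    return [pos for pos, rule in enumerate(rules, start=1)
            if pos not in winners and any(rule.matches(p) for p in probes)]


def relayed_from_outside(rules, probes, internal_net):
    """Probes from outside internal_net that the rule list would relay."""
    net = ipaddress.ip_network(internal_net)
    found = []
    for p in probes:
        hit = evaluate(rules, p)
        if hit and hit[1] == "relay" and ipaddress.ip_address(p.client_ip) not in net:
            found.append(p)
    return found


# Constructed rule list, in list order (position 1 is tried first).
RULES = [
    Rule(ANY, ANY, "172.20.0.0/16", ANY, "relay"),                   # 1: internal hosts
    Rule(ANY, ANY, "172.20.110.21/32", ANY, "reject"),               # 2: meant to block one host
    Rule(Pattern("example.com"), ANY, "0.0.0.0/0", ANY, "relay"),    # 3: keyed on sender only
    Rule(ANY, Pattern("example.com"), "0.0.0.0/0", ANY, "accept"),   # 4: inbound mail
]

# Constructed sessions; 203.0.113.9 is a documentation address used as "outside".
PROBES = [
    Session("172.20.110.21", "pc21.example.com", "jdoe@example.com", "user@example.org"),
    Session("203.0.113.9", "mail.example.net", "jdoe@example.com", "user2@example.org"),
    Session("203.0.113.9", "mail.example.net", "someone@example.net", "jdoe@example.com"),
    Session("203.0.113.9", "mail.example.net", "someone@example.net", "other@example.org"),
]

if __name__ == "__main__":
    for probe in PROBES:
        print(probe.client_ip, probe.mail_from, "->", probe.rcpt_to, evaluate(RULES, probe))
    print("shadowed rules:", shadowed(RULES, PROBES))
    print("relayed from outside:", relayed_from_outside(RULES, PROBES, "172.20.0.0/16"))
```

Rule 2 never decides a session because rule 1 matches the same host first, so a specific REJECT has to sit above the broader RELAY. The envelope sender is supplied by the connecting client, so a RELAY rule keyed only on Sender Pattern (rule 3 here) is satisfied by any host that claims that domain.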

Managing mail queues


The FortiMail unit stores undeliverable email in several queues:

The Deferred queue contains email that the FortiMail unit could not send.
Often the problem is temporary. For example, the destination email server was
off-line or there were network problems. See Managing the Deferred queue
on page 141.

The Spam queue contains tagged spam that the FortiMail unit could not send
(For information on tagging spam, see Configuring Actions on page 170).
Often the problem is temporary. For example, the destination email server was
off-line or there were network problems. See Managing the Spam queue on
page 143.

The Dead email list contains email that cannot be delivered or returned
because the recipient and sender names are both invalid. See Managing the
Dead email list on page 144.

To change mail queue parameters, see Configuring advanced settings on
page 120.

Managing the Deferred queue


In the Deferred queue, the FortiMail unit stores email that it could not send.
Sending an email can fail for various temporary reasons such as network
problems. A notification will be sent to the sender when the email is moved to the
deferred queue. The FortiMail unit will try to resend the deferred email for five
days. You cannot configure the resending schedule.
If an email still cannot be sent by the end of the fifth day, the sender is notified of
the delivery failure and the email will be deleted. If the sender cannot be notified of
the failure, FortiMail will save a copy of the email in the Dead email list. See
Managing the Dead email list on page 144.
Go to Mail Settings > Mail Queue > Deferred Queue to delete some or all
deferred email. When you delete a deferred email, a notification message with the
deleted email attached to it will be sent to the email sender.
The FortiMail unit attempts to resend email in the deferred queue, normally every 27
minutes. An administrator can select messages to attempt to resend manually by
selecting the Resend control. This can be useful if a temporary problem has been
fixed, or certain messages are high priority.
If the email is subsequently sent successfully, it is removed from the queue and
the sender will not be notified.
Figure 68: Deferred queue (with deferred messages)

Figure 69: Deferred queue (empty)

Page up icon

View previous page.

Page down icon

View next page.

View nn lines each page

Select the number of lines to display on each page: 25, 50, 100, 1000.

Total lines

The number of lines in the queue.

Goto Line

Enter the line number on the page that you want to see.

Go

Select to go to the line you entered.

Displays the line numbers on the page.

Select

Displays checkboxes for you to select or deselect the deferred email.

Sender

Displays the sender of the deferred email.

Recipient

Displays the intended recipient of the deferred email.

Reason

Displays the reasons why the email has been deferred, for example host
name lookup failure or connection refused.

First Processed

Displays the time that the FortiMail unit first tried to send the email.

Last Processed

Displays the time that the FortiMail unit last tried to send the email.

Tries

Displays the number of times that the FortiMail unit has tried to send the
email.

Check All

Select to check all messages in the deferred queue.

Uncheck All

Select to uncheck all messages in the deferred queue.

Delete

Select to delete a selected deferred email.

Resend

Select to attempt to resend all selected messages now.

Refresh

Select to refresh the list of deferred messages, especially after
attempting to resend messages.

Managing the level of deferred emails


When email delivery is deferred, the emails are stored on the FortiMail unit. If this
continues, the FortiMail unit may run into disk space issues before the deferred
emails are delivered.
You can configure the maximum number of emails the deferred queue can hold.
Any additional incoming SMTP requests above this number will be rejected.

Figure 70: Mail Queue

To manage the level of deferred emails


1 Go to System > Monitor > Mail Queue.

2 Select to enable the rejection of incoming SMTP requests when there is too much
email in the queue.

3 Enter the number of mails past which SMTP requests will be rejected.

4 Select Apply to save your changes.

Managing the Spam queue


In the Spam queue, the FortiMail unit stores tagged spam that it could not send.
There could be various temporary reasons such as network problems. The
FortiMail unit will try to resend the tagged spam for five days. You cannot
configure the resending schedule.
Go to Mail Settings > Mail Queue > Spam Queue to delete some or all tagged
spam. When you delete a tagged spam, a notification message with the deleted
tagged spam attached to it will be sent to the email sender.
Figure 71: Spam queue

Page up icon

View previous page.

Page down icon

View next page.

View nn lines each page

Select the number of lines to display on each page: 25, 50, 100, 1000.

Total lines

The number of lines in the queue.

Goto Line

Enter the line number on the page that you want to see.

Go

Select to go to the line you entered.

Line number.

Select

Displays checkboxes for you to select or deselect the tagged spam.

Sender

Displays the senders of the tagged spam.

Recipient

Displays the recipients of the tagged spam.

Reason

Displays the reasons why the tagged spam has been queued.

First Processed

Displays the time that the FortiMail unit first tried to send the tagged
spam.

Last Processed

Displays the time that the FortiMail unit last tried to send the tagged
spam.

Tries

Displays the number of times that the FortiMail unit has tried to send the
tagged spam.

Check All

Select to check all checkboxes for the tagged spam.

Uncheck All

Select to deselect all checkboxes for the tagged spam.

Delete

Select to delete a selected tagged spam.

Refresh

Select to update the Spam Queue page.

Managing the Dead email list


In the Dead email list, the FortiMail unit stores email that cannot be sent or
returned to the sender. This is usually due to both the recipient and sender
addresses being invalid. Such messages are often sent by spammers who only
know the domain name of an email server.
If you are operating in server mode, you can create a local email account named
postmaster for these messages, or create an alias named postmaster to an
existing email account, instead of using the Dead email list. The Admin can
manually delete emails from the Dead email list, or configure auto deletion for
dead email after a set number of days.
The Dead email list also includes copies of notification messages from the
FortiMail unit (postmaster) to senders of undeliverable email. These messages
include a "postmaster" copy of Delivery Status Notification (DSN) email for failing
to deliver the email. This copy contains the original email.
Figure 72: Dead email list

Page up icon

View previous page.

Page down icon

View next page.

View nn lines each page

Select the number of lines to display on each page: 5, 30, 50, 1000.

Total lines

Total number of email messages in the Dead email list.

Sort by

Select how to sort the list: Subject, From, To, or Date.

Delete dead emails

Enter the number of days after which to delete the email from the
Dead email list.

#

Line number.

Select

Displays checkboxes for you to select or deselect the email.
Enable Select All to select all lines.

From

Email sender address.

To

Email recipient address.

Subject

Email subject field.

Date

Date and time of the email.

Delete

Delete selected email.

To view dead email


Go to Mail Settings > Mail Queue > Dead Mail to view dead email From and To
addresses, Subjects, and Dates.
You can also

select the number of lines to view on a page,

sort the email by subject, from address, to address, and date, and

set an expiry date to automatically delete the email.

To manage dead email


Go to Mail Settings > Mail Queue > Dead Mail.

Select the Select All check box on the header and select Delete to delete all
the dead email.
or

Select the check box before a dead email and select Delete to delete an
individual dead email.

Backing up and restoring mail queues


You can back up the contents of the mail queues to a file and restore them later.
This can be useful if you need to change or reformat the mailbox disk.
Go to Mail Settings > Mail Queue > Queue Maintenance to back up or restore
mail queues.
Figure 73: Queue Maintenance

Backup Queue

Back up the email queues. Save the backup file on the
management computer.

Restore Queue

Restore the email queues from a backup file on the management
computer. Enter the path and filename of the backup file or select
Browse and locate the file. Select OK.

Adding address books (server mode)


You can set up a global address book for all FortiMail Webmail users. Webmail
users can also customize the address book. The address book is only available in
server mode.

Figure 74: Mail Server access settings

New Contact

Select to add a new account to the address book.

Export.CSV

Select to export the address book as a CSV formatted text
file. You will be prompted to save the exported file locally.

Import.CSV

Select to import an existing address book that is a CSV
formatted file. Use the browse button to locate the file to
import.

Delete Checked

Select to remove the checked accounts from the address book.

Sort Last/First Name

Select to rearrange the list of email accounts by the last name.
If accounts are sorted by last name, the option will be to sort by
first name.
For any accounts that have either no or the same last name,
they are ordered by the first name.

Name

The first and last name for the selected email address if they are
present. Middle name and nickname are not displayed here.

Email

The name of the email account for the entry in the address
book.

Modify

Select delete to remove the entry, or modify to change
information for that entry.

To add new contacts


1 Go to Mail Settings > Address Book > New Contact.

2 Add the contact information.

3 Select Save.

To export an address book

You can save the contacts you have added into a CSV (Comma Separated
Values) format file for backup purposes.

1 Go to Mail Settings > Address Book > Export .CSV.

2 Do one of the following:

Select Save to save the file in a desired folder.

Select Open to view the contacts and then save the file in CSV format in a
desired folder.

To import an address book


You can import an existing address book to use as a global one.
1 Go to Mail Settings > Address Book > Import .CSV.

2 Select Browse to find the address book file that you want to import.

3 Select Import.CSV.

To delete contacts

Go to Mail Settings > Address Book.

To delete all contacts in the address book, select the check boxes before the
contacts, then Delete Checked.

To delete a single contact, do one of the following:

Select the check box before the contact, then Delete Checked.

Select the Delete icon for the contact.

Select Delete for the confirmation message.


To sort contacts

Go to Mail Settings > Address Book.

Select Sort Last Name.


To modify contacts

Go to Mail Settings > Address Book.

Select the Edit icon for the contact you want to modify.

Select Save after the modification.

Configuring proxies (transparent mode)


In transparent mode, the SMTP proxy settings determine whether email is
dropped, passed through, or proxied. These settings apply to all email except
those destined for the FortiMail unit itself, such as email from users requesting
deletion or release of quarantined email.
Email can be scanned only if it is proxied. The FortiMail unit receives the
email, scans it and (if the email passes the scan) relays it to the email server.
You configure proxy operation separately for incoming and outgoing email traffic.
Regardless of the destination email address, email passing from the network to
the backend email server is considered incoming and email passing from the
backend email server to the network is considered outgoing.

Figure 75: FortiMail unit in Transparent mode (diagram: Email Sender, Internet, Mail Server, and Mail Server (Unknown server), with Incoming and Outgoing traffic directions)

Configuring SMTP proxy settings


You can go to Mail Settings > Proxies > SMTP to configure proxy settings
separately for incoming and outgoing mail. You can also choose whether to allow
the FortiMail unit to act as an SMTP server for local users.
This menu option is only available in transparent mode.
Figure 76: SMTP proxy settings

Use original server to deliver mail

Select to relay email to the SMTP server that the email
sender specified. Otherwise, the FortiMail unit relays the
email directly to the email destination domain.
This option must be enabled for Adding disclaimers to
email on page 122 to work.
The following fields configure SMTP connection options for each interface.
Port

The FortiMail network interface.

Incoming SMTP connections

Incoming SMTP traffic refers to the email traffic destined
for the email server(s) on your policy list. For information
on policy, see Creating incoming recipient-based policies
(transparent and gateway) on page 200.

are passed through

The FortiMail unit passes SMTP traffic destined for the
email server in the policy list without scanning it.

are dropped

The FortiMail unit blocks SMTP traffic destined for the
email server in the policy list.

are proxied

The FortiMail unit filters SMTP traffic destined for the
email server in the policy list through proxy servers.

Outgoing SMTP connections

Outgoing SMTP traffic refers to the email traffic destined
for the email server(s) not on your policy list. For
information on policy, see Creating outgoing recipient-based
policies (transparent and gateway) on page 202.

are passed through

The FortiMail unit passes SMTP traffic destined for email
servers not in the policy list without scanning it.

are dropped

The FortiMail unit blocks SMTP traffic destined for email
servers not in the policy list.

are proxied

The FortiMail unit filters SMTP traffic destined for email
servers not in the policy list through proxy servers.

Local SMTP connections

are not allowed

The FortiMail unit blocks the SMTP traffic that requires
the SMTP service provided by the FortiMail unit.

are allowed

The FortiMail unit allows the SMTP traffic that requires the
SMTP service provided by the FortiMail unit to pass
through.

Note: The Use original server to deliver mail proxy option does not function if there is no
session profile specified in the IP policy.

Configuring users
This section describes how to add email users to the FortiMail server
configuration to create POP3, IMAP, and Webmail accounts.
Email users can only be added to the FortiMail unit if it is in server mode. Users
can send and receive email through the FortiMail server.
This section contains the following topics:

Creating email users (server mode)

Webmail user preferences

Creating user groups

Creating user aliases

Creating address maps

Creating email users (server mode)


Use the following procedures to export user lists, import user lists, and add email
users, also called email accounts, to the FortiMail server.
Multiple users can either be deleted or have their passwords reassigned. Use the
checkbox for each user to add them to the list of selected users. When the
passwords are reassigned, each selected user will have the same password or
LDAP setting.
This menu option is only available in server mode.
Figure 77: Mail user list

Show Users of Domain

Allows you to select a domain to add users or show the added users in
the domain.

Export.CSV

Select to save user lists in all domains on the FortiMail server into a
CSV (Comma Separated Values) format file for backup purposes. See
To export the user list on page 152.

Import.CSV

Select to import user information into your user list on each domain.
See To import a user list on page 152.

Browse

Select to choose a file to upload to the FortiMail unit.

All, 0-9, A, .. , Z

Select to only display the Mail Users with names starting with the
selected character.

View .. lines per page
Select the number of lines to display per page from the drop down
menu. Options include 25, 50, 100, and 1000 lines.

Go to line
Enter the line number you wish to jump to.

Delete
Select to delete multiple users at once.

Edit
Select to reassign passwords for multiple users at once.

The line number of this email user in the display. Used for navigating
the list of users.

Checkbox
Select checkbox to add this user to the selected user list.
The list of multiple users can be deleted or have their passwords
reassigned as a group using the Edit or Delete controls.

User Name
The user name for an email user account. This is also the user's email
address.

Display Name
The name of a user displayed in the From field of the email the user
sends.

Modify
Icons to delete, edit or perform maintenance on the local domain
information.

Create New
Select to create a new user.

To export the user list

1 Go to User > Mail User.
2 Select Export.CSV.
3 Do one of the following:
  • Select Save to save the file in a desired folder.
  • Select Open to view the user list and then save the file in CSV format in a
    desired folder.

Note: Before importing a user list or adding an email user, you must first configure email
domains. See Email domains on page 113.

To import a user list

1 Go to User > Mail User.
2 Select Browse to find the user list file that you want to import.
3 Select Import.CSV.
  The users on the list are added to the domains they belong to.

To add an email user

1 Go to User > Mail User.
2 In the Show Users Of Domain field, select a domain to add the user.
3 Select Create New.
4 Enter the email user account information.
5 Select OK to save the email user account information.

To change an email user configuration

1 Go to User > Mail User.
2 For the email user account to change, select the Edit icon.
3 Edit the account as required.
4 Select OK to save your changes.

To delete multiple users

1 Go to User > Mail User.
2 Select the checkbox next to each user to be deleted.
3 Select the Delete control above the list of users.
  You will see a caution message.
4 Select OK.

To change the password for multiple users

1 Go to User > Mail User.
2 Select the checkbox next to each user to be deleted.
3 Select the Edit control above the list of users.
4 Do one of the following:
  • Enter the password to assign. The same password will be assigned to all
    selected users.
  • Select LDAP, and choose the LDAP server from the list.
    If you select LDAP without providing a valid server, you will get an error.
5 Select OK.

Webmail user preferences


Go to User > User > User Preferences. A list of users' Webmail preferences for
the current domain is shown in tabular format. The list can be ordered
alphabetically by the username.
The Mail user preferences list has the same navigation controls as the Mail user
list. For more information, see Creating email users (server mode) on page 151.
Figure 78: Mail user preferences list

The number of the mail user in this table.

checkbox
Select multiple users' checkboxes to perform actions on groups of
users at one time.
For example, select the checkbox for 5 users, then select the delete
icon for one of them. All 5 users will be deleted.

User Name
The user names displayed in alphabetical order. Select the arrow
icon or the title for this column to reverse the order of the user
names.

Language
The language this user has selected for their Webmail interface.
By default it will be the same as the system language.

White list
A white list is a list of email addresses and IP addresses that are
trusted. Email from these sources will not be checked for spam.
There are 2 states for the white list.
The New icon indicates the white list for this user is empty.
Selecting the New icon will allow you to add email accounts and/or
IP addresses to this user's white list.
The Edit icon indicates this user has an existing white list.
Selecting the Edit icon will allow you to add or delete email
accounts and/or IP addresses to or from this user's white list.
You will also be able to back up or restore the white list in either
state by selecting either backup, or browsing to the file you want to
restore and selecting restore.

Black list
A black list is a list of email addresses and IP addresses that are
never trusted. Email from these sources will be dropped.
The New and Edit icons are the same for the Black list as for the
White list.

Secondary Accounts
A list of email accounts in sub-domains that are linked to a user on
the parent domain. For example, user1@example.com can have
that email address linked to the following secondary accounts:
user1@one.example.com and user1@two.example.com.
Select the New or Edit icon to add accounts to the secondary
accounts for this user. Note that any accounts must first be
created before they can be added to this list.

Add outgoing email addresses to the White list
This feature is currently disabled.

Delete icon
Select to delete this user, or if multiple users are checked, delete
multiple users.

Edit icon
Select to edit the preferences for this user. See Edit mail user
Webmail preferences (transparent mode) on page 155.

Default icon
Select to reset the settings for this user to their original default
values.

Edit mail user Webmail preferences (transparent mode)


Go to User > User > User Preferences. Select Edit for a user.
If spam reporting for this domain is turned on, users have the option of receiving
spam reports. This does not include manual reports, just automatically generated
spam reports. When system and domain scheduled spam report generation
occurs, the user's spam report will be generated and delivered only when all of the
following conditions are met:

• The user's bulk folder exists, and was changed since the last domain spam report
  generation time.
• The anti-spam profile used by the user has the quarantine action and spam report
  enabled.
• The user preference has "receiving spam report" enabled (this is the default
  value).
• The user has received spam email during the previous spam report interval,
  otherwise there will be nothing to report.

In server mode, users can set holiday messages to reply to messages when they
are out of the office for an extended period of time. Optionally the administrator
can set this message as well.
In server mode, users can turn on auto-forwarding to forward all their messages
to another email account. Optionally, they can leave a copy of the messages with
this email account.
Figure 79: Edit User preference (transparent and gateway)

Figure 80: Edit User preference (server)

User Name
The mail address for this user and this domain.

Language
Select the preferred language for this user in Webmail. Languages
available by default include:
English, Chinese Traditional, Chinese Simplified, Korean,
Japanese, French, German, Italian, Hebrew,
Spanish, Polish, Portuguese, Turkish
Additional languages can be added to Webmail using CLI
commands.

On Holiday
Select ON to have an auto-respond message sent indicating this
user is away on holiday. The default setting is OFF.
Only available in server mode.

Set auto-reply message
Select to enter the auto-reply message sent when On Holiday is
set to ON. This value can be set by the user or the admin.
Only available in server mode.

Auto Forward
Select ON to automatically forward messages sent to this account.
When ON is selected, enter the email address where messages
will be forwarded. The default setting is OFF.
Only available in server mode.

Leave a copy in mailbox
Select to leave a copy of all messages in this mailbox when
automatically forwarding messages to another email address.

Add outgoing email addresses to white lists
Select ON to put addresses this user sends email to on the white
list.

Black/White Lists
Select Black or White to edit the corresponding list.

Receive Spam Report
Select ON to have this user receive information about Spam
activity to their account.

Primary Accounts
Any users who have added this user as a secondary account will
appear as primary accounts.

Secondary Accounts
Any users this user has selected as secondary accounts will
appear here as secondary accounts.
Select the list of users, or none to add users to this list.

Creating user groups


User groups are used to group related email user accounts for easy management.
The User group list displays the Group name, Members in each group, and the
option to modify the group. Select Create New to configure a new User group.

Figure 81: New User Group

Show Users of Domain
Select the domain or all domains. The users displayed under Available
Users are from the selected domain.

Group Name
Enter the name for this user group.

Available Users
List of users in the selected domain. Highlight users in this list, and use
the right arrow to add them to the Members list of users.

Members
List of users in the new User Group. Highlight a user in this list, and use
the left arrow to remove that user from this list.

External Email Address
Enter an email address that is not shown under Available Users. Select
the right arrow next to External Email address to add the address to the
Members list.

OK
Select to save this new User Group, and return to the User Group
screen.

Cancel
Select to discard these changes, and return to the User Group screen.

To add a user group

1 Go to User > User Group.
2 Select Create New.
3 In the Show Users Of Domain field, select the domain whose users you want to
  add to a group.
  Users in the selected domain appear.
  Note: If you select all, users in all domains appear. This allows you to add users from
  different domains to a group.
4 Enter a Group Name to identify the user group.
5 To add users to the user group, select a user from the Available Users list and
  select the right arrow to add the user to the Members list.
6 Select OK.

Creating user aliases


A user alias is an email profile that uses a single address to send email to a group
of users.
Go to User > User Alias > User Alias to access user aliases.
Figure 82: User alias list

Alias Name
Name of a user alias.

Members
Displays member users in a user alias.

Modify
Allows you to delete or edit a user alias entry's information.

Note: Members of a user alias list can include the alias address itself.

To add a user alias

1 Go to User > User Alias.
  All user aliases appear.
2 Select Create New.
3 In the Show Users of Domain field, select the domain to which you want to add a
  user alias.
4 Enter the Alias Name and select a domain. This will be the email address for the
  alias.
5 To add local users to the alias, select a user from the Available Local Users list
  and select the right arrow to add the name to the Members list.
  If you want to remove a user from the Members list, select that user and select the
  left arrow to move them back to the Available Local Users list.
6 To add external users to the alias, enter a user's email address in the External
  Email Address field and select the right arrow to add the name to the Members
  list.
7 Select OK.

Creating address maps


Email address maps are used to manage email re-directing.
Address maps are a one-to-one relationship that allows the hiding of internal
domains and addresses, for example preventing direct addressing of the HR
department.

Address Maps
Go to User > Address Map > Address Map to access the address map list.

Figure 83: Address Map list

Select a domain
Select a domain from the list of defined email domains.

Select a subdomain
Select the subdomain the address map will be used for. You can
select one of the defined subdomains, or select ALL to display all
the address maps for all the subdomains. You will not be able to
create a new address map entry if ALL subdomains is selected.
If no subdomains are defined, you will not be able to create an
address map.

Backup icon
Selecting this icon provides you with a link to download a file to your
local computer that contains the current list of address map
information.

Restore icon
Selecting this icon allows you to browse to the file on your local
computer that contains a list of address map information that was
previously backed up.

Internal Email Address
Email address the external address is being mapped to. The internal
address may only be visible to the company intranet.

External Email Address
Email address that is mapped to the internal address. The external
address is the email address visible to the internet.

Modify

Delete icon
Select to delete the selected address map.

Edit icon
Select to modify the settings for the selected address map.

Create New
Select to configure a new address map entry.
You must select a single subdomain before selecting Create New.

Creating an Address Map


Email address maps are used to redirect external email addresses to related
internal email addresses.
To create a new address map

1 Go to User > Address Map > Address Map.
2 Select the main domain, and subdomain.
3 Select Create New.
4 Enter the internal address, for example bob.smith. You do not need to enter the
  subdomain part of the email address.
5 Select the subdomain from the list, for example branch.fortipost.com. The
  subdomain you selected on the previous screen is the one displayed, but you can
  select other subdomains that are part of the domain you selected.
6 Enter the external address, for example support. You do not need to enter the
  domain part of the email address. For example the domain would already be
  shown as fortipost.com.
7 Select OK to create the new address map entry.
  You will now have an address map entry that maps the email address
  support@fortipost.com to bob.smith@branch.fortipost.com.
Figure 84: Alias list

Creating email filtering and control profiles
This section describes how to configure antispam, antivirus, authentication,
content, and other settings to filter email and email attachments and to control
email account settings.
This section contains the following topics:

What is a profile

How to use profiles

How to create profiles

What is a profile
A profile is a collection of FortiMail settings that you specify to filter incoming and
outgoing email and to control the email flow. Profiles are selected in policies and
run on any traffic the policy controls.
You can create these types of profiles:

Antispam profile
You can enable some or all of the spam scanning tools or filters that the
FortiMail unit supports. You can also specify the actions to take against spam,
including tagging, rejecting, quarantining, or forwarding the spam. See Creating
antispam profiles on page 162.

Antivirus profile
Create an antivirus profile to enable virus scanning and specify actions to take
against virus-infected files. See Creating antivirus profiles on page 171.

Authentication profile (gateway and transparent modes)


You can also use IMAP, POP3, Radius, or SMTP authentication to control
access to the FortiMail unit. See Creating authentication profiles (transparent
and gateway modes) on page 173. LDAP authentication is also supported
using LDAP profiles.

Misc profile (server mode)


Use a misc profile to set the user disk quota, enable or disable a user account,
and enable or disable webmail access. See Creating misc profiles (server
mode) on page 176.

Content profile
Use a content profile to scan messages and take action against messages
with restricted content, or restricted attachments. See Creating content
profiles on page 178.

Session Profile
Use a session profile to control the connection and mail flow between mail
servers. See Creating session profiles on page 181.

Dictionary Profile
Use a dictionary profile to define words or patterns used in antispam and
content profiles. See Creating dictionary profiles on page 185.

LDAP Profile
If LDAP authentication is required, use an LDAP profile to define how the
FortiMail unit will communicate with the LDAP server. See Creating LDAP
profiles on page 193.

IP Pool
The FortiMail unit will take advantage of a range of addresses when sending
email if an IP pool is specified. IP pool profiles can be selected by domain or by
IP-based policy. See Creating IP pool profiles on page 197.

How to use profiles


After you create the profiles, you apply them to users and user groups to
create email filtering and control policies. For information about policies, see
Creating email filtering and control policies on page 199.
To customize your email service, you can apply different profiles to different users
or user groups. For instance, if you are an Internet Service Provider (ISP), you can
create and apply antivirus profiles only to the users who pay for the antivirus
service.

How to create profiles


For each type of profile, you can specify the settings and save the settings under a
profile name.
After you create a profile, you can copy it by giving it a different name.
If you have made changes in a profile and want to apply the changes to other
profiles, you can save time by applying the changes to other profiles all at once
instead of editing the profiles one by one.
Note: With the exception of authentication, LDAP, and dictionary profiles, a default profile
with preconfigured settings is provided for each profile type. You can modify and copy the
default profiles, but you cannot remove them.
Note: The Quick Start Wizard uses a number of antispam, antivirus, and content profiles
for its preset selections. You cannot modify or delete these profiles but you can copy them.
You can identify these profiles by the word predefined appearing in the profile name.

Creating antispam profiles


The FortiMail unit uses various spam detection methods, such as
FortiGuard-Antispam service, DNSBL scan, Bayesian scan, and heuristic scan.
For details, see To create an antispam profile on page 163.
To create an antispam profile, you must configure the antispam settings first.
Some of the antispam settings are directly under Profile > AntiSpam, while many
of them are under AntiSpam. See Configuring antispam settings on page 209.
To save time, if you want to create a new profile that is only slightly different from
an existing one, you can simply copy the existing one and modify it.

Go to Profile > AntiSpam > Incoming or Outgoing to view the antispam profiles.
Figure 85: Antispam profile list

Profile
Displays the antispam profile names.

Domain
The domain to which a profile belongs.
This is for incoming email only.

Modify (Delete, Edit, and Copy icons)
Select the Delete icon to remove a profile. The Delete icon does not
appear if the profile is used in a policy. See Creating email filtering
and control policies on page 199.
Select the Edit icon to modify a profile.
Select the Copy Icon to make a copy of a profile. See To copy an
antispam profile on page 163.

Create New
Select to create an antispam profile.

Actions
Most individual spam detection methods allow the selection of an action. The
selected action determines what the FortiMail unit does with mail detected as
spam by the particular spam detection method. A default spam action can also be
selected in each antispam profile. The default action is used for spam detection
methods that do not provide an action selection, and the spam detection methods
set to the default action. For a list of actions, see Configuring Actions on
page 170.
Some spam actions require parameters. These must be set in the default action
section of the antispam profile, even if the default action is set to a different
setting. For example, if the default action is Discard, and the Image spam scan
action is set to Forward, spam caught by the image spam scan will be forwarded
to the address specified in the Forward to email address field of the default action.
If the FortiMail unit tags spam, the message recipients can use their email client
software to filter the incoming mail. If the FortiMail unit quarantines spam, the
recipients will get notice email messages. The recipients can decide to have the
quarantined email released or deleted. For information about how email recipients
can deal with the spam, see FortiMail User Guide.

To create an antispam profile

1 Go to Profile > AntiSpam > Incoming or Outgoing.
2 Select Create New.
3 Enter a name for the profile.
4 Configure the antispam settings and select OK.

To copy an antispam profile

1 Go to Profile > AntiSpam > Incoming/Outgoing.
2 For the profile you want to copy, select the copy icon.
3 In the To field, type the new profile name.
4 Select OK.
  A copy of the profile is created. You can modify it to create a new profile.

To apply changes to selected profiles

If you have made changes in a profile and want to apply the changes to other
profiles, you can save time by applying the changes to other profiles all at once
instead of editing the profiles one by one.

1 Go to Profile > AntiSpam > Incoming.
2 For the profile you want to change, select the Edit icon.
3 Make the changes.
4 Select Apply To Profiles.
  The changes you made are listed.
5 Select Change Profile if you want to make further changes. Otherwise select
  Select Profiles.
6 Select the profiles to which you want to apply the changes and select ->.
  Note: Select the current profile if you also want to apply the changes to it.
7 Select OK.
  A message tells you if the changes are applied successfully.
8 Select Return to go back to the antivirus profile list.


Note: Select a check box to enable a setting or deselect a check box to disable a setting.
Some settings may require further configurations after being enabled.
Some of the settings are not available for outgoing profiles.

FortiGuard-Antispam scan
Enable to activate the Fortinet FortiGuard-Antispam service. Any URI
appearing in the message body is checked against the FortiGuard list of
spam producers. If a match is found, the FortiMail unit treats the message
as spam.
Optionally enable the Black IP scan to check the IP address of the server
delivering the message against the IP address list of known spammers
maintained by the Fortinet FortiGuard-Antispam service. If Deep header
Black IP scan is also enabled, Black IP scan will check all IP addresses in
the message header. If a match is found, the FortiMail unit treats the
message as spam.
IP addresses defined as private network addresses by RFC 1918 are not
checked.
Before enabling this service, you must configure the FortiGuard-Antispam
service. See Using the FortiGuard-Antispam service on page 221.
For more information, see FortiGuard-Antispam service on page 15.

Forged IP scan
Select to have the FortiMail unit convert the message sender's IP address
to a canonical hostname and compare the IP addresses returned from a
DNS lookup of the hostname to the sender's IP address. If the sender's IP
address is not found, the FortiMail unit treats the email message as spam.
See Forged IP scanning on page 17.
Forged IP scanning is only available for incoming antispam profiles.
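
The Forged IP scan comparison described above (reverse lookup of the sender's IP address, then a forward lookup of the returned hostname) can be reproduced as follows when investigating why a message was flagged. This is an added example, not FortiMail code; the function names, the separate "no-ptr" verdict and the DNS records are assumptions constructed for illustration.

```python
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup through the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror both derive from OSError
        return None


def system_forward(hostname):
    """A/AAAA lookup through the system resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def forged_ip_check(client_ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS check for an SMTP client address.

    Returns (verdict, hostname, forward_addresses) where verdict is
      "match"  - the hostname from the PTR record resolves back to client_ip
      "forged" - the hostname resolves, but not to client_ip
      "no-ptr" - no reverse record exists (the guide does not say how the
                 FortiMail unit treats this case, so it is reported separately)
    """
    client = ipaddress.ip_address(client_ip)
    hostname = reverse(str(client))
    if not hostname:
        return ("no-ptr", None, [])
    forward_addrs = []
    for text in forward(hostname):
        try:
            # Compare parsed addresses, not strings, so that differently
            # written IPv6 forms of the same address still match.
            forward_addrs.append(ipaddress.ip_address(text))
        except ValueError:
            continue  # skip anything the resolver returned that is not an IP
    verdict = "match" if client in forward_addrs else "forged"
    return (verdict, hostname, [str(a) for a in forward_addrs])


# Constructed DNS data (documentation address ranges and example.com names).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.com",
    "198.51.100.7": "mail.example.com",  # PTR claims a name it does not own
    "2001:db8::25": "mx6.example.com",
}
SAMPLE_A = {
    "mail.example.com": ["192.0.2.10"],
    "mx6.example.com": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
}


def sample_reverse(ip):
    """Offline stand-in for a PTR lookup, backed by SAMPLE_PTR."""
    return SAMPLE_PTR.get(ip)


def sample_forward(hostname):
    """Offline stand-in for an A/AAAA lookup, backed by SAMPLE_A."""
    return SAMPLE_A.get(hostname, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99", "2001:db8::25"):
        print(ip, forged_ip_check(ip, sample_reverse, sample_forward))
```

Calling forged_ip_check with only an IP address uses the system resolver instead of the constructed tables.
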

Greylist scan
Select to enable greylisting. For more information, see Configuring
greylist on page 240.

DNSBL scan
Select to allow the FortiMail unit to communicate with DNSBL (DNS Block
List) servers to check the IP address of the mail server that delivered the
message.
If the Black IP scan option under Deep header scan is also enabled,
DNSBL scan will check all IP addresses in the message header. If a
match is found, the FortiMail unit treats the message as spam.
IP addresses defined as private network addresses by RFC 1918 are not
checked.
For configuration information, see Configuring DNSBL servers on
page 167.

Deep header scan
Enable to allow the selection of Black IP scan and Header analysis.
See Deep header scanning on page 18.

Black IP scan
Enable to have all IP addresses appearing in the
Received header lines checked with configured
DNSBL servers.
If FortiGuard-Antispam Black IP scan is also enabled,
the IP addresses are also checked against the
FortiGuard-Antispam black list.
If the Black IP scan option is disabled, only the SMTP
client IP address is checked.
IP addresses defined as private network addresses by
RFC 1918 are not checked.

Headers analysis
Enable to have all of the email header information
analyzed for known spam characteristics.
As spam evolves, the FortiGuard-Antispam service
will update the information used by the headers
analysis feature.
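
The address selection described under DNSBL scan and Black IP scan above (every Received-header address versus only the SMTP client address, with RFC 1918 addresses skipped) can be modelled as follows to see which relays each setting would query. This is an added example, not FortiMail code; the function names, sample message, DNSBL zone and lookup table are constructed, and the reversed-octet query name is the standard DNSBL convention rather than something the guide documents.

```python
import ipaddress
import re
from email import message_from_string

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Dotted quad that is not part of a longer run of digits and dots.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_ips(raw_message):
    """IPv4 addresses found in Received headers, newest hop first, no repeats."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("Received", []):
        for text in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:
                continue  # e.g. 999.1.1.1 or a dotted version string
            if ip not in found:
                found.append(ip)
    return found


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def ips_to_check(client_ip, raw_message, deep_header_black_ip):
    """Addresses a block-list scan would query under the given setting."""
    candidates = [ipaddress.IPv4Address(client_ip)]
    if deep_header_black_ip:
        candidates += received_ips(raw_message)
    selected = []
    for ip in candidates:
        if not is_rfc1918(ip) and ip not in selected:
            selected.append(ip)
    return selected


def dnsbl_query_name(ip, zone):
    """Standard DNSBL query name: octets reversed, then the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def black_ip_scan(client_ip, raw_message, zone, lookup, deep_header_black_ip=True):
    """Return the checked addresses for which lookup() finds a listing."""
    hits = []
    for ip in ips_to_check(client_ip, raw_message, deep_header_black_ip):
        if lookup(dnsbl_query_name(ip, zone)):
            hits.append(str(ip))
    return hits


# Constructed sample: the relay two hops back is listed, the delivering
# gateway is not, and the originating host uses a private address.
SAMPLE_MESSAGE = "\n".join([
    "Received: from gw.example.net (gw.example.net [203.0.113.5])",
    "\tby mx.example.com with ESMTP id A1; Thu, 27 Mar 2008 10:00:02 +0000",
    "Received: from relay.example.org (relay.example.org [198.51.100.23])",
    "\tby gw.example.net with ESMTP id B2; Thu, 27 Mar 2008 10:00:01 +0000",
    "Received: from pc (unknown [192.168.1.44])",
    "\tby relay.example.org with SMTP id C3; Thu, 27 Mar 2008 10:00:00 +0000",
    "From: sender@example.org",
    "To: user@example.com",
    "Subject: constructed sample",
    "",
    "body text",
])
SAMPLE_ZONE = "dnsbl.example.net"  # constructed zone name
SAMPLE_LISTED = {"23.100.51.198.dnsbl.example.net": "127.0.0.2"}


def sample_lookup(query_name):
    """Offline stand-in for a DNS A lookup; None means not listed."""
    return SAMPLE_LISTED.get(query_name)


if __name__ == "__main__":
    for deep in (False, True):
        print("deep header Black IP scan =", deep, "->",
              black_ip_scan("203.0.113.5", SAMPLE_MESSAGE, SAMPLE_ZONE,
                            sample_lookup, deep))
```

With the constructed data, the listed relay is reported only when the deep header option is on, because it is not the SMTP client that delivered the message.
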

SURBL scan
Select to allow the FortiMail unit to communicate with SURBL (Spam URI
Realtime Block List) servers to check every URI in the message body. If a
match is found, the FortiMail unit treats the message as spam.
For configuration information, see Configuring SURBL servers on
page 168.

Bayesian scan
Select to allow the FortiMail unit to scan email using the spam information
contained in one of the FortiMail unit's Bayesian databases.
For more information, see Bayesian scanning on page 18. For
information on configuring Bayesian scanning, see Configuring Bayesian
scanning on page 168.
For incoming profiles, the group Bayesian database for the recipient
domain is used unless the domain is configured to use the global
Bayesian database. If enabled, user Bayesian databases will be used,
with the global or group database taking over if the user database is not
yet mature.
For outgoing profiles, the global Bayesian database is used.

Use personal database
Enable to allow each mail recipient's own user
database to be used for Bayesian scanning of their
incoming mail. If disabled, either the global or group
Bayesian database will be used, depending on how
the domain is configured.

Accept training messages from users
Enable to allow users to submit training messages to
the control accounts to train Bayesian databases.
If user databases are enabled, submitted training
messages will be used to train the user's Bayesian
database, and either the global or group database,
depending on the configuration of the user's domain.
If user databases are disabled, submitted training
messages will be used to train only the global or group
Bayesian database, depending on the configuration of
the user's domain.
If disabled, training messages from users are
discarded.

Use other techniques for auto training
Enable to allow other spam filters to train a user's not
yet mature Bayesian database.
If a user's Bayesian database is not mature,
messages detected as spam by FortiGuard or SURBL
scans will be used as samples of spam to
automatically train the user Bayesian database.
Similarly, if a user's Bayesian database is not mature,
messages matching entries in the user white list or
system white list will be used as samples of non-spam
to automatically train the user Bayesian database.
Once a user database is mature, having been trained
with 100 spam and 200 non-spam messages,
automatic training will no longer occur.

Heuristic scan
Select to allow the FortiMail unit to examine messages for patterns
common to spam messages.
The heuristic scores are based on rules. For example, if the email header
contains As seen on national TV!, it gets a certain score toward being
likely a spam email. The heuristic rules require no administrator
modification or updating. A default rule set is provided and it is updated
through the FortiGuard service as needed. New rules are added and rule
scores are adjusted for maximum advantage.
You can fine-tune the threshold values to meet your specific needs. If
your email system's false positive ratio is high, increase the upper level
threshold value until you achieve a satisfactory ratio. If your spam catch
rate is too low, reduce the lower level threshold value until you achieve a
satisfactory rate. The FortiMail default threshold values are
recommended as only a starting point.
Note: Heuristic scanning is resource intensive. If spam detection rates are
acceptable without heuristic scanning, consider disabling it or limiting its
use to policies dealing with problem hosts.
For more information, see Heuristic scanning on page 18.

Dictionary Scan
Select to allow the FortiMail unit to scan messages for words defined in the
selected dictionary profile. Messages containing words in the dictionary
profile are treated as spam.
When dictionary scanning is activated and a message is found to contain
a dictionary word, X-FEAS-DICTIONARY: is added to the message
header followed by the dictionary word discovered in the message. This
header is added regardless of the spam action applied.
To configure a dictionary profile, see Creating dictionary profiles on
page 185.

Banned word scan
Select to enable banned word scanning.
Message text will be examined for words appearing in the banned word
list. The message will be considered spam if any match is found.
When banned word scanning is activated and a message is found to
contain a banned word, X-FEAS-BANNEDWORD: is added to the message
header followed by the banned word discovered in the message. This
header is added regardless of the configured spam action.
For more information, see Banned word scanning on page 19. For
information on configuring banned word scanning, see Configuring
banned word scanning on page 169.

Whitelist word scan
Select to enable whitelist word scanning.
The message text and/or subject will be examined for words appearing in
the whitelist word list. The message will be considered non-spam if any
match is found and further spam scanning will be cancelled.
Whitelist word scanning occurs before banned word scanning. A
message with both a whitelist word and a banned word will be passed as
non-spam. No message header information is added to a message in
which a whitelist word is found.
For more information, see Whitelist word scanning on page 19. For
information on configuring whitelist word scanning, see Configuring
whitelist word scanning on page 169.

Image spam scan

Enable to allow the FortiMail unit to identify spam messages in which the
message body is an embedded graphics file rather than text. Scanning
methods designed to examine the text of spam email fail with image spam
because there is no message text to examine. The image spam scanner
is equipped to examine GIF, JPEG, and PNG graphics.
Aggressive scan

Select to have the FortiMail unit be more critical in
determining whether email messages containing
images are spam.
This option will also force the examination of image
file attachments in addition to embedded images. The
additional scanning workload could affect
performance with traffic containing image files.

Treat messages with viruses as spam

Enable to have the FortiMail unit classify email messages with viruses as
spam and treat them accordingly.

Scan conditions

Max message size to perform antispam scan

Enter the maximum message size, in bytes, the
FortiMail unit will scan for spam. Messages larger than
the maximum message size will not be scanned for
spam.
The resource requirements for scanning messages
increase with the size of the messages, so if the spam
you receive tends not to be larger than a certain size,
not scanning larger messages could result in a
significant performance benefit.
Enter 0 to disable the size limit. All messages will be
scanned, regardless of size.

Bypass scan on SMTP authentication

Select if you want the FortiMail unit to bypass spam
scanning for email that has been authenticated.
Spam mail servers won't authenticate, so not scanning
mail delivered in authenticated sessions will result in
performance benefits. Care must be taken to confirm
trusted servers will not relay spam, however.
PDF

Enable to allow the FortiMail unit to scan the first page of
PDF attachments. The PDF option allows the
heuristic, banned word, and image spam scanning
techniques to examine the contents of PDF files.
If none of these three scanners are enabled, the PDF
option will have no effect.
For more information, see Configuring PDF scanning
on page 245.

Actions

See Configuring Actions on page 170.
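Because the X-FEAS-DICTIONARY and X-FEAS-BANNEDWORD headers described above are added regardless of the spam action, a sample of processed mail shows which words are actually matching, which helps when tuning word lists. The following Python is an added example, not Fortinet code: it assumes the header value is exactly the matched word, folds words to lower case as its own choice, and uses constructed sample messages.

```python
"""Audit which dictionary / banned words a FortiMail unit recorded in mail headers."""
from collections import defaultdict
from email import message_from_string
from email.policy import default

# Header names as given in the guide; each is followed by the word that matched.
FEAS_HEADERS = ("X-FEAS-DICTIONARY", "X-FEAS-BANNEDWORD")


def _sample(subject, *extra_headers):
    """Build one constructed message (test data, not real traffic)."""
    lines = ["From: sender@example.com", "To: user@example.org",
             f"Subject: {subject}", *extra_headers, "", "constructed body"]
    return "\n".join(lines)


SAMPLES = [
    _sample("Quarterly invoice", "X-FEAS-BANNEDWORD: invoice"),
    _sample("Cheap meds", "X-FEAS-BANNEDWORD: meds", "X-FEAS-DICTIONARY: pharmacy"),
    _sample("Invoice 4471", "x-feas-bannedword: Invoice"),  # header names are case-insensitive
    _sample("Lunch on Friday?"),                             # no scanner header present
]


def matched_words(raw_message):
    """Return a sorted list of (header, word) pairs recorded in one message."""
    msg = message_from_string(raw_message, policy=default)
    hits = set()
    for name in FEAS_HEADERS:
        for value in msg.get_all(name, []):
            word = str(value).strip().lower()  # assumption: value is the bare word
            if word:
                hits.add((name, word))
    return sorted(hits)


def audit(raw_messages):
    """Map each (header, word) to the subjects of the messages it matched in."""
    report = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        for hit in matched_words(raw):
            report[hit].append(str(msg["Subject"]))
    return dict(report)


def review_order(report):
    """Words ordered by how many messages they matched, most frequent first."""
    return sorted(report, key=lambda hit: (-len(report[hit]), hit))


if __name__ == "__main__":
    report = audit(SAMPLES)
    for header, word in review_order(report):
        subjects = report[(header, word)]
        print(f"{header}: {word!r} matched {len(subjects)} message(s): {subjects}")
```

Messages passed because of a whitelist word will not appear in such a report, since the guide states that no header is added for whitelist matches.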

Configuring DNSBL servers


Go to Profile > AntiSpam, choose Incoming or Outgoing, select the Edit icon for
the profile to be modified, and select the Config link beside DNSBL scan to specify
DNSBL servers.
In newly created antispam profiles, the DNSBL server list is preconfigured with the
sbl-xbl.spamhaus.org DNSBL server.
Figure 86: DNSBL server list


The DNSBL server order numbers.

Enable DNSBL Filtering

The domain names of the DNSBL servers added.

Modify

Select the Delete icon to remove a DNSBL server, Edit icon to modify a
DNSBL server, and Move icon to change the position of a DNSBL server
in the list.

New

Select to add a new DNSBL server. You can only use domain names to
specify DNSBL servers.

Save

Select to close the pop-up window and save the antispam profile
configuration.

Close

Select to close the pop-up window without saving the antispam profile
configuration. You must then choose OK at the bottom of the Antispam
Profile window to save the changes made to the profile, including the
DNSBL servers, before navigating away to another part of the FortiMail
unit GUI.

Configuring SURBL servers


Go to Profile > AntiSpam, choose Incoming or Outgoing, select the Edit icon for
the profile to be modified, and select the Config link beside SURBL scan to specify
SURBL servers.
In newly created antispam profiles, the SURBL server list is preconfigured with the
multi.surbl.org SURBL server.
Figure 87: SURBL server list

The SURBL server order numbers.

Enable SURBL Filtering

The domain names of the SURBL servers added.

Modify

Select the Delete icon to remove an SURBL server, Edit icon to modify an
SURBL server, and Move icon to change the order of an SURBL server in
the list.

New

Select to add a new SURBL server. You can only use domain names to
add SURBL servers.

Save

Select to save the SURBL server configuration and close the pop-up
window.

Close

Select to close the pop-up window without saving the SURBL server
configuration.

Configuring Bayesian scanning


Go to Profile > AntiSpam > Bayesian scan to configure Bayesian scanning.
Use personal database

Select to enable individual Bayesian databases for each user. If this
option is deselected, Bayesian scans will use the global or group
Bayesian databases to classify email.
A personal database provides better individual results because it is
trained by a user and contains statistics derived exclusively from the
user's messages.

Accept training messages from users

Select for the FortiMail unit to process control messages from users.
Control messages are used to train or correct results in the Bayesian
database.
Control messages will be discarded if this option is deselected.

Use other techniques for auto training

Select to use the other enabled spam detection methods to train a user
Bayesian database that does not have 200 non-spam email entries and
100 spam entries and is therefore not ready to classify email.

Configuring banned word scanning


To configure banned word scanning, go to Profile > AntiSpam > Banned word
scan and select the Config link beside Banned word scan.
Go to Profile > AntiSpam, choose Incoming or Outgoing, select the Edit icon for
the profile to be modified, and select the Config link beside Banned word scan to
specify banned words and whether the message subject, the message body, or
both will be examined for banned word matches.
Figure 88: Banned word list

The banned word order number.

Enable Banned Word Filtering

The banned words you have entered. Wildcards are not supported.

Subject

The message subject will be examined for the banned word.

Body

The message body will be examined for the banned word.

Modify

Select the Delete icon to remove a banned word, Edit icon to modify a
banned word, and Move icon to change the order of a banned word in the
list.

New

Select to add a new banned word.

Save

Select to close the banned word pop-up window, save the antispam
profile and return to the profile list.

Close

Select to close the banned word pop-up window and return to the open
antispam profile. Before leaving the antispam profile, it must be saved or
any banned word changes will be lost.

Configuring whitelist word scanning


To configure whitelist word scanning, go to Profile > AntiSpam > Whitelist word
scan and select the Config link beside Whitelist word scan.
Figure 89: Whitelist word list

The whitelist word order numbers.

Enable Whitelist Word Filtering

The whitelist words you have entered. Wildcards are not supported.

Subject

The message subject will be examined for the whitelist word.

Body

The message body will be examined for the whitelist word.

Modify

Select the Delete icon to remove a whitelist word, Edit icon to modify a
whitelist word or toggle the subject/body options, and Move icon to
change the position of a whitelist word in the list.

New

Select to add a new whitelist word.

Save

Select to close the whitelist word pop-up window, save the antispam
profile and return to the profile list.

Close

Select to close the whitelist word pop-up window and return to the open
antispam profile. Before leaving the antispam profile, it must be saved or
any whitelist word changes will be lost.

Configuring Actions
You can select the action(s) you want to take against spam.
Tag Email in subject line

Enable and enter the information to appear in the subject line of the spam
notification email sent to the recipient by the FortiMail unit, such as "This
is spam".
If you enable this option, the FortiMail unit sends found spam to recipients
with the tag information you entered. A recipient can set up a spam folder
on his or her email client software to automatically collect the spam with
that subject line information.
You must provide the users with the subject line information before they
can set up their spam folders.

Tag Email with Header

Enable and enter the header information to be added to the spam
notification email sent to the recipient by the FortiMail unit.
If you enable this option, the FortiMail unit sends found spam to recipients
with the header information you entered.
Most email clients allow users to sort incoming email based on text
appearing in various parts of email messages, including the header. See
your email client documentation for further details.
Header lines are composed of a key and a value, separated by a colon. If
the header tag you enter does not include a colon, a colon will be
appended to the end and the entire tag will be the key. Take care not to
use spaces in the key. RFC 2822 forbids spaces in header keys.


Reject

Enable to have the FortiMail unit reject spam and send reject responses
to the sender.

Discard

Enable to have the FortiMail unit discard spam without sending reject
responses to the senders.

Quarantine

Enable to have the FortiMail unit redirect detected spam messages to the
spam quarantine. See Spam quarantine on page 209. The quarantine
action is only available for incoming antispam profiles.

Delete Messages: Enter the number of days you want to keep the
quarantined email. Enter a value small enough to prevent the
size of the quarantine from exceeding the available disk space. If you
enter 0 to prevent automatic deletion of quarantined files, be sure to
periodically remove old files yourself.

Send Spam Report: Select to send daily summary reports to email
users about their quarantined email.

Email Release: Select to activate the auto release and auto delete
functions. See Releasing and deleting quarantined spam on
page 211.

Web Release: Select to enable the ability to release spam by selecting
the Release links in the HTML quarantine report. See Understanding
the HTML formatted spam report on page 215.

Add the sender of a released message to personal white list: Select to
automatically have the sender of a message released from quarantine
added to the user's personal white list.

Quarantine for review

Enable to have the FortiMail unit redirect detected spam messages to the
system quarantine. See System Quarantine on page 219.
The Quarantine for review action is only available for outgoing antispam
profiles.

Allow users to automatically update personal White list from sent emails

Enable to have the FortiMail unit collect the recipient email addresses
from a user's outgoing email and add the addresses to the user's white
list in the Preference tab of FortiMail webmail. Future messages from
these addresses will not be treated as spam.
The same option is also available in the FortiMail webmail configuration.
This option works only if it is enabled both in the user's profile and in the
user's webmail configuration.
There are three occasions when a user's white list auto-updating setting
is automatically created by the system:

When a user logs into FortiMail webmail.

When you configure a user's black/white list (see Configuring
personal black and white lists on page 237).

When a user sends email out through the FortiMail unit.

In all three occasions, the FortiMail unit first checks if the white list
auto-updating setting has been created for a particular user. If it is
created, the FortiMail unit adopts the setting for the user. If it is not
created, the FortiMail unit looks for the user's policy to check the user's
antispam profile. If the user has a policy, the FortiMail unit adopts the
setting from the policy. If the user has no policy, the FortiMail unit uses
the default setting - disable.
This option is available for incoming option only.

Forward to email address

Enable and enter an email address so that the FortiMail unit can forward
spam to this address.
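The header tag rule described under Tag Email with Header (key and value separated by a colon, a colon appended when none is given, no spaces in the key) can be checked before a tag is typed into the profile. The following Python is an added example, not Fortinet code; the function names and the sample tags such as X-Example-Spam are constructed for illustration, and the character range comes from the RFC 2822 field-name definition.

```python
"""Check a candidate 'Tag Email with Header' value before entering it in a profile."""
import re

# RFC 2822 section 2.2: a header field name is printable US-ASCII
# (codes 33-126) with the colon excluded.
FIELD_NAME = re.compile(r"[\x21-\x39\x3b-\x7e]+")


def split_tag(tag):
    """Split a tag into (key, value) following the rule described in the guide.

    With no colon present, the whole tag is the key and the value is empty.
    """
    key, sep, value = tag.partition(":")
    return key, (value.strip() if sep else "")


def check_tag(tag):
    """Return (header_line, problems) for a candidate header tag.

    header_line is the line the tag would produce; problems is a list of
    reasons the tag should not be used (empty when the tag is acceptable).
    """
    problems = []
    if "\r" in tag or "\n" in tag:
        problems.append("line break in tag would start a second header line")
    key, value = split_tag(tag)
    if not key:
        problems.append("empty header key")
    elif " " in key or "\t" in key:
        problems.append("whitespace in header key")
    elif not FIELD_NAME.fullmatch(key):
        problems.append("header key has characters outside printable US-ASCII")
    header_line = f"{key}: {value}" if value else f"{key}:"
    return header_line, problems


if __name__ == "__main__":
    # Constructed candidate tags, including the subject-style text from the guide.
    for candidate in ("X-Example-Spam: YES", "X-Example-Spam",
                      "This is spam", "X-Example-Spam : YES", ":YES"):
        line, problems = check_tag(candidate)
        print(f"{candidate!r:28} -> {line!r:24} {problems or 'ok'}")
```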

Creating antivirus profiles


Create an antivirus profile to scan email for viruses. FortiMail units update virus
signatures online from Fortinet's update servers around the world. For information
on updating the antivirus definition, see Updating antivirus definitions from a file
on page 83.
To create a new profile that is slightly different than an existing one, you can save
time by simply copying the existing one and modifying it.


If you have made changes in a profile and want to apply the changes to other
profiles, you can save time by applying the changes to other profiles all at once
instead of editing the profiles one by one.
To view the list of virus files, go to Profile > AntiVirus > Virus List. The FortiMail
unit treats these files as viruses.
If a virus is found, the FortiMail unit deletes the file that contains the virus and
replaces the file with a message notifying the user the infected file has been
deleted.
Figure 90: Antivirus profile list

Profile

Displays the antivirus profile names.

Domain

The domain to which a profile belongs.

Modify

Select the Delete icon to remove a profile. The Delete icon does not
appear if the profile is used in a policy. See Creating email filtering
and control policies on page 199.
Select the Edit icon to modify a profile.
Select the Copy icon to make a copy of a profile. For the procedure, see
To copy an antispam profile on page 163.

Create New

Select to create an antivirus profile.

To copy an antivirus profile


1. Go to Profile > AntiVirus.

2. For the profile you want to copy, select the copy icon.

3. In the To field, type the new profile name.

4. Select OK.
A copy of the profile is created. You can modify it to create a new profile.

To apply changes to selected profiles

If you have made changes in a profile and want to apply the changes to other
profiles, you can save time by applying the changes to other profiles all at once
instead of editing the profiles one by one.

1. Go to Profile > AntiVirus.

2. For the profile you want to change, select the Edit icon.

3. Make the changes.

4. Select Apply To Profiles.
The changes you made are listed.

5. Select Change Profile if you want to make further changes. Otherwise select
Select Profiles.

6. Select the profiles to which you want to apply the changes and select ->.
Note: Select the current profile if you also want to apply the changes to it.

7. Select OK.
A message tells you if the changes are applied successfully.

8. Select Return to go back to the antivirus profile list.


To create an antivirus profile

1. Go to Profile > AntiVirus.

2. Select Create New.

3. Enter the antivirus Profile Name.

4. Select Virus Scanning.

5. Expand Actions and select one of the following options, then select OK.
Reject

Select to allow the FortiMail unit to reject the email and send a reject
response to the sender.

Discard

Select to allow the FortiMail unit to discard the email without sending a
reject response to the sender.

Note: Replace Virus Body is selected by default. This option allows the FortiMail unit to
replace the attachment of a virus email with a message (See Configuring custom
replacement messages on page 123) that provides information about the virus and source
of the email.
This option is invalid if you select either the Reject or Discard option.

Heuristic scanning is disabled by default because of the danger of false positives.


The Reject, Discard, and Replace Virus Body options function for heuristics as
they do for Actions.

Creating authentication profiles (transparent and gateway modes)


Authentication profiles are used to authenticate email users, to send email
through the FortiMail unit to any destination, and retrieve the quarantined email
from the FortiMail unit hard drive through webmail or POP3.
You authenticate email users by creating and applying authentication profiles to
them.
The FortiMail unit supports:

Radius server authentication

POP3 server authentication

IMAP server authentication

SMTP server authentication

LDAP authentication is supported through LDAP profiles. See Creating LDAP
profiles on page 193.


Configuring Radius server authentication


You can configure the FortiMail unit to support Radius server authentication by
creating Radius server authentication profiles.
Figure 91: Radius authentication profile list

Profile

Displays the Radius authentication profile names.

Domain

Displays the administration domain level at which you are.

Server

Displays the names or IP addresses of the Radius servers.

Modify

Select the Delete icon to remove a profile, and the Edit icon to
modify a profile.
The Delete icon does not appear if the profile is used in a policy.
See Creating email filtering and control policies on page 199.

Create New

Select to create a Radius authentication profile.

To add and edit a Radius server authentication profile


1. Go to Profile > Authentication > Radius.

2. Select Create New.

3. Type the Profile Name, the name or IP address of the Radius server, and the key
string of the Radius server.

4. If the server requires the domain name in addition to the user ID, select Server
Requires Domain.

5. Select OK.

6. If you want to edit the profile, select the Edit icon for the profile you want to edit
and modify the profile as required.

7. Select OK.

Configuring POP3 server authentication


Go to Profile > Authentication > POP3 to configure the FortiMail unit to support
POP3 server authentication by creating POP3 server authentication profiles.
Figure 92: POP3 authentication profile list


Profile

Displays the POP3 authentication profile names.

Domain

Displays the administration domain level at which you are.

Server

Displays the names or IP addresses of the POP3 servers.

Modify

Select the Delete icon to remove a profile, and the Edit icon to
modify a profile.
The Delete icon does not appear if the profile is used in a policy. See
Creating email filtering and control policies on page 199.

Create New

Select to create a POP3 authentication profile.


To add and edit a POP3 server authentication profile


1. Go to Profile > Authentication > POP3.

2. Select Create New.

3. Type the Profile Name and the name or IP address of the POP3 server.

4. Type the POP3 server port number. The default port number is 110.

5. If the server requires the domain name in addition to the user ID, select Server
Requires Domain.

6. Enable Secure Sockets Layer (SSL) to secure message transmission, Secure
Authentication to secure email users' passwords, or Transport Layer Security
(TLS) to ensure privacy between communicating applications and their users on
the Internet, as required.
If you enable SSL, change the POP3 server port number to 995.

7. Select OK.

8. If you want to edit the profile, select the Edit icon for the profile you want to edit
and modify the profile as required.

9. Select OK.

Configuring IMAP server authentication


You can configure the FortiMail unit to support IMAP server authentication by
creating IMAP server authentication profiles.
Figure 93: IMAP authentication profile list

Profile

Displays the IMAP authentication profile names.

Domain

Displays the administration domain level at which you are.

Server

Displays the names or IP addresses of the IMAP servers.

Modify

Select the Delete icon to remove a profile, and the Edit icon to
modify a profile.
The Delete icon does not appear if the profile is used in a policy. See
Creating email filtering and control policies on page 199.

Create New

Select to create an IMAP authentication profile.

To add and edit an IMAP server authentication profile


1. Go to Profile > Authentication > IMAP.

2. Select Create New.

3. Type the Profile Name and the name or IP address of the IMAP server.

4. Type the IMAP server port number. The default port number is 143.

5. Enable Secure Sockets Layer (SSL) to secure message transmission, Secure
Authentication to secure email users' passwords, or Transport Layer Security
(TLS) to ensure privacy between communicating applications and their users on
the Internet, as required.
If you enable SSL, change the IMAP server port number to 993.

6. Select OK.

7. If you want to edit the profile, select the Edit icon for the profile you want to edit
and modify the profile as required.

8. Select OK.

Configuring SMTP server authentication


You can configure the FortiMail unit to support SMTP server authentication by
creating SMTP server authentication profiles.
Figure 94: SMTP authentication profile list

Profile

Displays the SMTP authentication profile names.

Domain

Displays the administration domain level at which you are.

Server

Displays the names or IP addresses of the SMTP servers.

Modify

Select the Delete icon to remove a profile, and the Edit icon to
modify a profile.
The Delete icon does not appear if the profile is used in a policy. See
Creating email filtering and control policies on page 199.

Create New

Select to create an SMTP authentication profile.

To add and edit an SMTP server authentication profile


1. Go to Profile > Authentication > SMTP.

2. Select Create New.

3. Type the Profile Name and the name or IP address of the SMTP server.

4. Type the SMTP server port number. The default port number is 25.

5. Enable Secure Sockets Layer (SSL) to secure message transmission, Secure
Authentication to secure email users' passwords, or Transport Layer Security
(TLS) to ensure privacy between communicating applications and their users on
the Internet, as required.
If you enable SSL, change the SMTP server port number to 465.

6. Select OK.

7. If you want to edit the profile, select the Edit icon for the profile you want to edit
and modify the profile as required.

8. Select OK.

Creating misc profiles (server mode)


Create misc profiles to configure disk quota, email user account, and webmail
access.


Figure 95: Misc profile list

Profile

Displays the misc profile names.

Modify

Select the Delete icon to remove a profile, and the Edit icon to
modify a profile.

Create New

Select to create a misc profile.

To copy a misc profile


1. Go to Profile > Misc.

2. For the profile you want to copy, select the copy icon.

3. In the To field, type the new profile name.

4. Select OK.
A copy of the profile is created. You can modify it to create a new profile.

To apply changes to selected profiles

If you have made changes in a profile and want to apply the changes to other
profiles, you can save time by applying the changes to other profiles all at once
instead of editing the profiles one by one.

1. Go to Profile > Misc.

2. For the profile you want to change, select the Edit icon.

3. Make the changes.

4. Select Apply To Profiles.
The changes you made are listed.

5. Select Change Profile if you want to make further changes. Otherwise select
Select Profiles.

6. Select the profiles to which you want to apply the changes and select ->.
Note: Select the current profile if you also want to apply the changes to it.

7. Select OK.
A message tells you if the changes are applied successfully.

8. Select Return to go back to the antivirus profile list.


To create a misc profile

1. Go to Profile > Misc.

2. Select Create New.

3. Enter the Profile Name.

4. Set the Disk Quota.
This is to set the amount of disk space available on the FortiMail server hard disk
for storing email for an email account. Set disk quota from 0 to 4000 MBytes. A
disk quota of 0 is unlimited.

5. Enable User Account Status as required.
This is to control a user's email account status.

6. Enable Webmail Access as required.
This is to control a user's access to use FortiMail webmail.

7. Select OK.

Creating content profiles


Create content profiles to filter email by content and attachments.
Figure 96: Content profile list

Profile

Displays the content profile names.

Domain

Displays the administration domain level at which you are.

Modify

Select the Delete icon to remove a profile, and the Edit icon to
modify a profile.
The Delete icon does not appear if the profile is used in a policy. See
Creating email filtering and control policies on page 199.
Select the Copy icon to make a copy of a profile. For the procedure, see
To copy an antispam profile on page 163.

Create New

Select to create an SMTP authentication profile.

To copy a content profile


1. Go to Profile > Content > Incoming/Outgoing.

2. For the profile you want to copy, select the copy icon.

3. In the To field, type the new profile name.

4. Select OK.
A copy of the profile is created. You can modify it to create a new profile.

To apply changes to selected profiles

If you have made changes in a profile and want to apply the changes to other
profiles, you can save time by applying the changes to other profiles all at once
instead of editing the profiles one by one.

1. Go to Profile > Content > Incoming/Outgoing.

2. For the profile you want to change, select the Edit icon.

3. Make the changes.

4. Select Apply To Profiles.
The changes you made are listed.

5. Select Change Profile if you want to make further changes. Otherwise select
Select Profiles.

6. Select the profiles to which you want to apply the changes and select ->.
Note: Select the current profile if you also want to apply the changes to it.

7. Select OK.
A message tells you if the changes are applied successfully.

8. Select Return to go back to the antivirus profile list.


To create a content profile

1. Go to Profile > Content > Incoming/Outgoing.

2. Select Create New.

3. Type the Profile Name.

4. If you want to add a file extension to the default attachment name list, expand
Attachment Filtering, type the file extension you want to filter, and select New.
The new file extension appears in the attachment name list.

5. If you want to delete a file extension from the attachment name list, expand
Attachment Filtering and select the Delete check box after the file extension
name.

6. If you want to filter a file type, expand File Type Filtering and select the Enable
check box for the file type to be filtered. The last file type, application/other, is all
the file types not included in the other six choices.

7. Expand Scan Conditions.

Bypass scan on SMTP authentication

Select if you want the FortiMail unit to skip scanning email that has
been authenticated.

Defer messages over

Set the size limit for the FortiMail unit to defer processing large
email messages. This option is available for incoming email only.

8. Expand Action and select an action that you want to take against the email with
the file extension or file type that you selected.

Treat as Spam

Select to have matching messages treated as spam. Messages will
be handled according to the Actions setting of the antispam profile
in the policy the messages are subject to.

Reject

Select enable to have the FortiMail unit reject messages.

Discard

Select enable to have the FortiMail unit discard messages without
notifying the sender.

Replace

Select to have the FortiMail unit remove the email and send a note
to inform the recipient.

Quarantine

Select to have the FortiMail unit quarantine messages in the
recipient (spam) quarantine. This option is available for incoming
mail only.

Forward to

Select to have the FortiMail unit forward messages to the email
address you provide.

9. Expand Content Monitor and Filtering to add or edit monitor profiles.

New Profile

Select if you want to add a new monitor profile.

Enable

When selected, the monitor profile is active and will check mail
against the specified dictionary, and carry out the specified action
against matching messages.

Delete

Select to have the monitor profile deleted when selecting OK.

10. To add a new monitor profile select New Profile. To edit an existing monitor profile,
select the edit icon of the monitor profile to be changed.

Select Dictionary Profile

Select the dictionary profile containing the words and word patterns the mail is
to be checked against. Messages with matches will be subjected to the
selected action.

Actions

Tag Email in subject line

Select to add text to the subject line of messages
matching the monitor profile checks. The text to
be added is entered in the With field.

Tag Email with Header

Select to add text to the header of messages
matching the monitor profile checks. The text to
be added is entered in the With field.

No action

Select to have messages matching the monitor
profile delivered unchanged. No action will be
taken to quarantine or redirect.

Treat As Spam

Select to have messages matching the monitor
profile treated as spam. Messages will be handled
according to the Actions setting of the antispam
profile in the policy the messages are subject to.

Reject

Select to have messages matching the monitor
profile rejected. The sender receives notification.

Discard

Select to have messages matching the monitor
profile rejected. The sender does not receive
notification.

Replace

Select to have the offending message's body
replaced with the sensitive information filtering
text defined in Mail Settings > Settings > Custom
Messages. If the subject line also contains
matching text, it will be replaced with the sensitive
information filtering subject text.

Quarantine

Select to have messages matching the monitor
profile stopped and placed into the recipient
quarantine.

Quarantine to Review

Select to have messages matching the monitor
profile stopped and placed into the system
quarantine. These messages are not included in
the spam report sent to users. Rather, an
administrator must release or delete these
messages after reviewing them.

Forward to:

Select to have messages matching the monitor
profile forwarded to the specified address.

11. Select Apply if you've edited or created a content profile.

12. Select OK.
Note: To save a new or edited content monitor profile, you must select Apply to close
the Content Monitor Profile window and then select OK in the Content Profile window.
Simply selecting Apply to close the Content Monitor Profile window will not save any changes
made.


Creating session profiles


Create session profiles to control the connection and mail flow between mail
servers. Because of the control allowed by the session profile settings,
connections from servers attempting to deliver spam messages can be limited.
For this purpose, sender reputation, session limiting, and error handling are
particularly useful.
Figure 97: Session profile list

Profile

Displays the name of the session profile.

Modify

Select the Delete icon to remove a profile, or the Edit icon to modify
a profile. The Delete icon does not appear if the profile is currently
used in a policy.

To create a session profile

1 Go to Profile > Session > Session Configuration.

2 Select Create New.

3 Type the Profile Name.

4 Expand Connection Settings.

Use connection settings options to limit connections to the FortiMail unit and to
make your email server less accessible to spammers. When any of these limits
are exceeded, the FortiMail unit blocks further connections. Setting any of these
values to 0 disables the limit.

Hide this box from the mail server (transparent mode only)

When this option is enabled, no information will be added to email headers to
indicate the FortiMail unit has intercepted, examined, and processed the
message.

Restrict the number of connections per client to x per n minutes

Limit the number of connections per user IP address in a defined period of time.

Each client can only connect n times concurrently

Limit the number of simultaneous connections per client.

Limit the total number of connections to n

Limit the total number of simultaneous connections from all sources.

Drop connections after n seconds of client inactivity

The inactivity timer is used to control clean up of inactive sessions.

Do not let client connect to blacklisted SMTP servers (transparent mode only)

Do not relay email to blacklisted servers. Antispam profiles and the FortiGuard
service (if enabled) determine blacklisting.

Note: The settings and limits in a session profile only apply to traffic controlled by the policy
to which the profile is applied.


5 Expand Sender reputation

The sender reputation settings provide a maintenance-free means to prevent
server overload from a glut of spam, mail with invalid recipients, or infected
messages. All SMTP mail delivered can be controlled with the sender reputation
feature, including both mail deliveries from other mail servers, and users sending
messages from desktop email software.

Enable sender reputation checking

Select to enable sender reputation score calculation and actions for the current
profile.

Throttle client at n

If the sender's reputation score exceeds the set value, the number of messages
the FortiMail unit will accept from the sender is limited to the larger of the
next two values:

Restrict number of emails per hour to

Enter the number of messages per hour accepted from a throttled sender.

Restrict email to n percent of the previous hour

Enter the number of messages per hour accepted from a throttled sender, as a
percentage of the number of messages they sent in the previous hour.

Temporarily fail client at n

If a sender's reputation score exceeds the set value, the FortiMail unit will
return a temporary fail error when the sender attempts to initiate a connection.

Reject client at n

If a sender's reputation score exceeds the set value, the FortiMail unit will
return a reject error when the sender attempts to initiate a connection.

6 Expand Sender Validation

The sender validation options allow confirmation of sender and message validity.

DomainKeys Identified Mail (DKIM) requires that the sender domain DNS entry be
modified to include a DKIM key. The FortiMail unit uses this key with a signature in
each message to verify the message itself has not been modified.

Sender Policy Framework (SPF) requires that the domain DNS record be modified
to include the IP addresses of the servers permitted to send mail from the domain.
The FortiMail unit checks the domain DNS record for this information, and if
present, the client IP address is compared to the addresses listed as being valid
senders.

DomainKeys validation is a predecessor of SPF and works in the same way.
Because some domains still use DomainKeys validation, it is provided for
backward compatibility.

A validation failure for any of these checks doesn't necessarily indicate spam, just
as a successful validation doesn't guarantee a message is not spam. The
validation results are used to adjust the sender reputation scores and deep
header scans.

7 Expand Session Settings

Use session settings to make your email server less accessible and usable for
spammers.


Reject EHLO/HELO commands with invalid characters in the domain

Reject invalid sender domain name. Some spammers generate a random string as
their domain name. If invalid characters are used in the sender domain name,
SMTP reply code 501 is returned to the sender.

Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address
(transparent mode only)

Use the IP address of the client as the sender's domain. This prevents domain
name spoofing.

Prevent encryption of the session (transparent mode only)

Select to block TLS/MD5 commands so that email must pass unencrypted. The
FortiMail unit can scan the email for viruses and spam.
Clear to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail
unit cannot scan encrypted email for viruses and spam.

Allow pipelining for the session (transparent mode only)

Select to enable SMTP command pipelining. If this option is not selected, the
FortiMail unit will accept only a single command at a time during an SMTP
session. If selected, multiple SMTP commands will be accepted and processed at
one time, increasing performance over high-latency connections.

Enforce strict RFC compliance (transparent mode only)

Select this option to limit pipelining support to strict compliance with
RFC-2920. This option appears only when pipelining is enabled.

Perform strict syntax checking

Return a syntax error if SMTP commands are not in the order EHLO/HELO, MAIL FROM,
RCPT TO (can be multiple), DATA. The commands AUTH, STARTTLS, RSET, NOOP can
arrive at any time. Other commands return a syntax error.

Switch to SPLICE mode after n seconds/kilobytes (transparent mode only)

Enable splice mode. Type a threshold value based on time (seconds) or data size
(kilobytes).
Splice mode enables the FortiMail unit to simultaneously scan an email and send
it to the SMTP server. This increases throughput and reduces the risk of a
server timeout.
If the FortiMail unit detects spam or a virus, it terminates the server
connection and returns an error message to the sender, listing the spam or virus
name and infected file name.

ACK EOM before AntiSpam check

Acknowledge End of Message signal immediately. If not enabled, the antispam
check is run on the message before acknowledgement is sent. The sending server
could time out while waiting for EOM acknowledgement.

Send DSN to sender when spam is detected

Send a delivery status notification to sender when spam is detected. The
delivery status notification is described in RFC 1891.

8 Expand For Unauthenticated Sessions

Select additional security checks to be performed on connections that are not
authenticated.

Check HELO/EHLO domain

The existence of the domain reported in the client's HELO command is checked by
looking up both the MX record and A record.
If the HELO domain does not exist, SMTP code 501 is returned to the client.


Check sender domain

The existence of the sender domain is checked by looking up both the MX record
and A record. If the sender domain does not exist, SMTP code 421 is returned to
the sender.

Check recipient domain

The existence of the recipient domain is checked by looking up both the MX
record and A record. If the recipient domain does not exist, SMTP code 550 is
returned to the sender.

Reject empty domains

Reject the email if the recipient does not include a domain name. If enabled,
SMTP error code 553 is returned to the sender.

Prevent open relaying (transparent mode only)

Check that the sender is not an open relay.

Reject if recipient and helo domain match but sender domain is different

This check detects a technique spammers are known to use.

9 Expand SMTP Limits

Set miscellaneous limits on use of the SMTP server. Setting any of these values
to 0 disables the limit.

Restrict number of EHLO/HELOs per session to n

This check makes it more difficult for spammers to probe the email server for
vulnerabilities.

Restrict number of emails per session to n

Limit the number of email messages per session to prevent mass mailing.

Restrict number of recipients per email to n

Limit the number of recipients to prevent mass mailing.

Cap message size at n kilobytes

Limit message size. If enabled, messages over the threshold size are rejected.

Cap header size at n kilobytes

Limit size of message header. If enabled, messages with headers over the
threshold size are rejected.

Drop connection after n NOOPs

Some spammers use NOOP commands to keep a long session alive. Legitimate
sessions should require few NOOPs.

Drop connection after n RSETs

Some spammers use RSET commands to try again after receiving error messages such
as "unknown recipient". Legitimate sessions should require few RSETs.

10 Expand Error Handling

Errors sometimes indicate attempts to misuse the server. You can impose delays
or drop connections if there are errors. Setting any of these values to 0 disables
the limit.

Client is allowed n free errors.

Permit the specified number of errors without imposing a delay. By default, five
free errors are permitted.

The first non-free error will incur a delay of n seconds

Set delay time for the first error after the number of free errors is reached.

Subsequent error delays will increment by n seconds

After the first error for which a delay is imposed, increase the delay for each
subsequent error by the specified number of seconds.

The connection will drop after n errors

Set the total number of errors the FortiMail unit will accept before dropping the
connection.


11 Expand Lists

Sender and recipient addresses can be black or white listed. The black and white
lists in each session profile are maintained separately, and only apply to traffic
controlled by the IP policy to which the session profile is applied.
See "Black and white list hierarchy" on page 239 for details of how blacklisted
messages are handled.
All black and white list entries are listed in alphabetical order.

Enable sender white list checking

Enable or edit session-level sender white list.

Enable sender black list checking

Enable or edit session-level sender black list.

Allow recipients on this list

Enable or edit session-level recipient white list.

Disallow recipients on this list

Enable or edit session-level recipient black list.
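
The Perform strict syntax checking option and the Error Handling settings in the procedure above interact: every out-of-order or unlisted command counts as an error, and the error count drives the delay and the eventual drop. The following Python sketch is an added example, not FortiMail code. The names ErrorHandling, simulate and SAMPLE_SESSION are hypothetical, the session is constructed, and the message body after DATA is not modelled. It assumes that a repeated EHLO/HELO before MAIL FROM is accepted and that the connection drops on the error that reaches the configured total.

```python
from dataclasses import dataclass

# Commands the page lists as acceptable at any point in the session.
ANYTIME = {"AUTH", "STARTTLS", "RSET", "NOOP"}

# Ordered commands per state: EHLO/HELO, MAIL FROM, RCPT TO (repeatable), DATA.
# Assumption: a repeated EHLO/HELO before MAIL FROM (e.g. after STARTTLS) is accepted.
ALLOWED = {
    "start": {"EHLO", "HELO"},
    "greeted": {"EHLO", "HELO", "MAIL FROM"},
    "mail": {"RCPT TO"},
    "rcpt": {"RCPT TO", "DATA"},
}
NEXT_STATE = {"EHLO": "greeted", "HELO": "greeted", "MAIL FROM": "mail",
              "RCPT TO": "rcpt", "DATA": "greeted"}


@dataclass
class ErrorHandling:
    free_errors: int = 5   # page default: five free errors
    first_delay: int = 0   # seconds imposed on the first non-free error
    increment: int = 0     # seconds added for each subsequent error
    max_errors: int = 0    # 0 = never drop (the page: 0 disables the limit)

    def delay_for(self, error_number: int) -> int:
        """Delay in seconds imposed on the error_number-th error (1-based)."""
        billable = error_number - self.free_errors
        if billable <= 0:
            return 0
        return self.first_delay + (billable - 1) * self.increment


def verb_of(line: str) -> str:
    """Extract the SMTP verb; MAIL FROM and RCPT TO are two-word verbs."""
    upper = line.strip().upper()
    for two_word in ("MAIL FROM", "RCPT TO"):
        if upper.startswith(two_word):
            return two_word
    return upper.split(None, 1)[0] if upper else ""


def simulate(commands, policy):
    """Return (command, outcome, delay_seconds) per command, stopping at a drop."""
    state, errors, events = "start", 0, []
    for line in commands:
        verb = verb_of(line)
        if verb in ANYTIME:
            if verb == "RSET" and state != "start":
                state = "greeted"  # RSET abandons the current transaction
            events.append((line, "ok", 0))
        elif verb in ALLOWED[state]:
            state = NEXT_STATE[verb]
            events.append((line, "ok", 0))
        else:
            # Out of order, or a command the page does not list: syntax error.
            errors += 1
            delay = policy.delay_for(errors)
            if policy.max_errors and errors >= policy.max_errors:
                events.append((line, "drop", delay))
                break
            events.append((line, "syntax error", delay))
    return events


# Constructed session: a client that probes with out-of-order commands.
SAMPLE_SESSION = [
    "EHLO client.example",
    "NOOP",
    "RCPT TO:<a@example.com>",    # before MAIL FROM
    "VRFY root",                  # not a listed command
    "DATA",                       # before MAIL FROM and RCPT TO
    "MAIL FROM:<s@example.net>",
    "RCPT TO:<a@example.com>",
    "RCPT TO:<b@example.com>",
    "EXPN staff",                 # not a listed command
    "DATA",
    "HELP",                       # not a listed command
]

if __name__ == "__main__":
    sample_policy = ErrorHandling(free_errors=2, first_delay=5, increment=3, max_errors=5)
    for command, outcome, delay in simulate(SAMPLE_SESSION, sample_policy):
        print(f"{command:30} {outcome:13} delay={delay}s")
```

Running the sample with different values shows how quickly a misbehaving client is slowed and disconnected, which helps when choosing settings that do not penalize legitimate servers that make an occasional error.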

Creating dictionary profiles


Profile

Displays the name of the session profile.

Modify

Select the Delete icon to remove a profile, or the Edit icon to modify a profile.
The Delete icon does not appear if the profile is currently used in a policy.

FortiMail dictionaries are user-defined lists of words and word patterns. When
created, dictionaries are assigned a category, a language, and a domain.
Create dictionaries and later group them into dictionary profiles by selecting
common domains, categories, or languages, or simply by choosing individual
dictionaries. A dictionary profile is then selected in antispam and content profiles
to filter mail based on words in the dictionary profile.
Definitions of the components of dictionary profiles:

Categories
A user-defined tag attached to a dictionary. Categories are used for
organizational purposes and do not influence how a dictionary functions. A
category must be specified when creating a dictionary.

Dictionaries
A list of patterns and/or words. Patterns are constructed with regular
expressions. Dictionaries can be incorporated into group items and dictionary
profiles.

Dictionary profiles
Any number of individual dictionaries and dictionary groups can be assigned to
a dictionary profile. To make tailoring profiles easier, specific dictionaries and
groups can also be excluded.
When complete, dictionary profiles can be selected in antispam profiles and
content profiles to define the content being searched for in mail traffic.

Groups
A collection of group items. A group can contain multiple group items of both
types.


Group item
Each group item specifies one or more dictionaries. A type 1 group item allows
selection of a domain, category, and language. Any dictionaries sharing these
three attributes are part of the group item. As dictionaries are removed, added,
or modified, type 1 group items are automatically updated. Type 2 group items
include dictionaries the user selects from a list of all dictionaries assigned to a
single domain.

Languages
A user-defined tag attached to a dictionary. Like categories, languages are
used in organizing dictionaries and do not limit how it is applied. A language
must be specified when creating a dictionary.

Figure 98: Dictionary profile list

Profile Name

Displays the profile name.

Domain

Displays the domain the profile is assigned to.

Description

Displays an optional description of the profile.

Modify

Select the Delete icon to remove a profile, or the Edit icon to modify
a profile. The Delete icon does not appear if the dictionary profile is
used in an antispam or content profile.

Overview of creating a dictionary profile


The creation of a dictionary profile involves a number of operations. These are
listed with links to detailed instructions.
1 Create language and category items. A new dictionary requires the selection of a
category and a language. See "To create a category" on page 187 and "To create
a language" on page 188.

2 Create a dictionary. This involves only a name, an optional description, and
choosing a category and language. See "To create a dictionary" on page 188.

3 Add words and patterns to your new dictionary. See "To add words and patterns to
a dictionary" on page 189.

4 Separate dictionaries can be grouped for easy selection. Even when grouped,
dictionaries can be individually selected. A group is created first, then group items
created within the group. The group items specify the dictionaries to be included in
the group. See "Creating a dictionary group" on page 190.

5 Create a dictionary profile. Only a name is required when creating a dictionary
profile. See "Creating a dictionary profile" on page 191.

6 Add dictionaries or dictionary groups to the dictionary profile. See "To add
dictionaries and dictionary groups to a dictionary profile" on page 191.

Once the dictionary profile is created, it can be selected as part of an antispam
profile or a content profile.


Creating a category
Selection of a category is required during the creation of a dictionary. Categories
are used only for identification and selection during dictionary grouping. For
example, if you select a category named Spam, there is no restriction against
using the dictionary in a content profile.
Figure 99: Dictionary category list

Category Name

Displays the category name.

Domain

Displays the domain the category was created for.

Description

Displays an optional description of the category.

Modify

Select the Delete icon to remove a category, or the Edit icon to modify a
category. The Delete icon does not appear if the category is currently used in a
dictionary.

To create a category

1 To add category items, go to Profile > Dictionary > Category.

2 Select a domain. This will only be available if domains are defined in
Mail Settings > Domains. If no domains have been defined, all categories will
default to the system domain.
If one or more domains have been defined, categories can be created for
particular domains and will not be available to dictionaries created for other
domains. The exception is categories created for the system domain. These are
available to dictionaries created for any domain.

3 Select Create New.

4 Enter the category name.

5 Optionally, enter a description.

6 Select OK.

Creating a language
Selection of a language is required during the creation of a dictionary. Languages
are used only for identification and selection during dictionary grouping. For
example, if you select French as a language, there is no restriction against adding
English words and using the dictionary with German email. Language names are
not limited to actual languages.


Figure 100: Dictionary language list

Lang Name

Displays the language name.

Description

Displays an optional description of the language.

Modify

Select the Delete icon to remove a language, or the Edit icon to modify a
language. The Delete icon does not appear if the language is used in a
dictionary.

To create a language

1 To add category items, go to Profile > Dictionary > Language.

2 Select Create New.

3 Enter the language name.

4 Optionally, enter a description.

5 Select OK.

Creating a dictionary
The basic component of all dictionary profiles is the dictionary. Each dictionary is
simply a list of words or patterns. Patterns are constructed with regular
expressions.
Figure 101: Dictionary list

Dictionary Name

Displays the dictionary name. Select the dictionary name to add, delete, or
modify dictionary contents.

Domain

Select to view the dictionaries created for each domain.

Language

Displays the language selected for the dictionary.

Category

Displays the category selected for the dictionary.

Description

Displays an optional description of the dictionary.

Modify

Select the Delete icon to remove a dictionary, or the Edit icon to modify
dictionary properties. The Delete icon does not appear if the dictionary is used
in a dictionary profile or type 2 group item. Select Download to save the
current dictionary's contents to a backup file. Select Restore to append the
contents of a dictionary backup file to the current dictionary.

To create a dictionary

1 To add category items, go to Profile > Dictionary > Dictionaries.

2 Select a domain. This will only be available if domains are defined in
Mail Settings > Domains. If no domains have been defined, all dictionaries will
default to the system domain.
If one or more domains have been defined, dictionaries created for particular
domains will be available for inclusion in all dictionary profiles.

3 Enter the dictionary name.

4 Optionally, enter a description.

5 Select a language.

6 Select a category.

7 Select OK.

To add words and patterns to a dictionary

1 To add words to a dictionary, go to Profile > Dictionary > Dictionaries.

2 If one or more domains have been defined in Mail Settings > Domains, a domain
selection will be available. Choose the domain associated with the dictionary
you're interested in.

3 In the Dictionary Name column, select the dictionary to which you want to add
words. The dictionary pattern list is displayed.

Figure 102: Dictionary pattern list

Pattern:

Enter a pattern, using plain text or regular expressions, and select Create New
to create the pattern.

x of x domain

The name of the dictionary and the domain it's associated with is displayed.

PG up/PG down

These icons will move to the next/previous page if there are too many patterns
to be displayed in a single page.

view x lines

The number of patterns to be displayed per page. Choose from 25, 50, 100, or
1000 patterns.

x cols per page

The number of columns to be displayed per page. Choose from 1, 2, or 3.

Total:

Displays the current page and the total number of patterns in the current
dictionary.

Pattern

The patterns in the current dictionary are displayed. Select a pattern to edit
it.

Modify

Select the Delete icon to remove a pattern, or the Insert Pattern Before icon to
add a new pattern before the current pattern.

4 Enter a new pattern in the pattern field. Plain text or regular expressions are both
accepted.

5 Select Create New and the new pattern appears at the end of the pattern list.


Creating a dictionary group


While dictionaries can be added to dictionary profiles by selecting each individual
dictionary, dictionaries can also be combined into groups for easy selection.
Groups are built from group items. Each item defines one or more dictionaries in
one of two ways. When a group is selected in a dictionary profile, all the
dictionaries specified by all of the items in a group are included.

There are two group item types:

Type 1 group items involve incorporation of dictionaries with common attributes.
Domain, category, and language are the three attributes available for selection. All
dictionaries matching the attributes you specify are automatically part of the group
item. For example, you may specify all domains, the Technical category, and
English as the language. All dictionaries defined as Technical and English from all
domains will be included in this group item. Type 1 group items are dynamic in
that if a new dictionary is created with attributes matching those specified in the
group item, it is automatically included. Similarly, if a matching dictionary is
deleted or changed so it no longer matches, it is no longer included.

Type 2 group items are made up of dictionaries you choose. When defining a
type 2 group, all available dictionaries are listed and you can select the ones to be
included in the group item. Newly created dictionaries can be added manually, and
existing dictionaries must be removed before they can be deleted.

In this way, you can build a group of the required dictionaries from multiple group
items with great flexibility.
To create a dictionary group

1 To create a dictionary group, go to Profile > Dictionary > Groups.

Figure 103: Dictionary group list

New Item

Select Domain:

The dictionaries displayed will be for the domain selected here.

Create New

Create a new dictionary group for the selected domain.

Group Name

Displays the name of the group.

Domain

The domain the dictionary was created for.

Description

An optional description of the dictionary.

Modify

Select the appropriate icon to modify or delete the dictionary, or add a new
item.

2 Select a domain. This will only be available if domains are defined in
Mail Settings > Domains. If no domains have been defined, all dictionaries will
default to the system domain and domain selection will not appear.
If one or more domains have been defined, groups created for particular domains
will be available for inclusion in all dictionary profiles.

3 Select Create New.

4 Enter the group name. The description is optional.

5 Select OK.

The group is created, but it is empty. To add dictionaries, group items have to be
created within the group.

To create a type 1 dictionary group item

1 To create a type 1 dictionary group item, go to Profile > Dictionary > Groups.

2 Select the New Item icon.

3 Enter the name of the new group item.

4 Select Type 1.

5 Click OK.

The item is created and defaults to include dictionaries of the current domain, all
categories, and all languages. Select the edit icon of the group item to change the
default settings.

To create a type 2 dictionary group item

1 To create a type 2 dictionary group item, go to Profile > Dictionary > Groups.

2 Select the New Item icon.

3 Enter the name of the new group item.

4 Select Type 2.

5 Click OK.

The item is created and is empty by default. Select the edit icon of the group item
to add dictionaries.

Creating a dictionary profile


Dictionary profiles are selected in antispam and content profiles to filter mail
based on words in the dictionary profile. Add dictionaries and dictionary groups to
profiles to include all the words and patterns required.
To create a dictionary profile

1 To create a dictionary profile, go to Profile > Dictionary > Profiles.

2 Enter the dictionary name.

3 Optionally, enter a description.

4 Select OK. The new dictionary profile appears in the profile list but is empty by
default.

To add dictionaries and dictionary groups to a dictionary profile

1 Go to Profile > Dictionary > Profiles.

2 Choose the dictionary profile you wish to edit by selecting its name.

Figure 104: Edit dictionary profile contents

3 Add groups or group items by selecting the New Item icon at the end of the
appropriate row. Choose from the available dictionaries or groups in the list that
appears. Select OK to approve your selection.

Figure 105: An added dictionary appears in the dictionary profile contents

4 For maximum flexibility, dictionaries and groups can also be specified as
exclusions. For example, if all but one dictionary in a group is required for a
profile, a new dictionary group does not have to be constructed. Simply add the
existing group, and also add the unneeded dictionary as an excluded dictionary.
In this way, a combination of individual dictionaries and dictionary groups can be
added to quickly assemble a dictionary profile. There's no need to manually
assemble all the required dictionaries, or construct groups, for every dictionary
profile.
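
Because type 1 group items are dynamic and profiles can carry exclusions, the set of dictionaries a profile actually applies can change without the profile being edited. The following Python model is an added example for reasoning about that; it is not FortiMail code and does not read a FortiMail configuration. All class names, the ANY marker and the sample dictionaries are constructed, and it assumes an exclusion always wins over an inclusion.

```python
from dataclasses import dataclass, field

ANY = "*"  # constructed marker for "all domains / categories / languages"


@dataclass(frozen=True)
class Dictionary:
    name: str
    domain: str
    category: str
    language: str


@dataclass
class Type1Item:
    """Dynamic item: every dictionary whose attributes match is a member."""
    domain: str = ANY
    category: str = ANY
    language: str = ANY

    def resolve(self, dictionaries):
        return {d.name for d in dictionaries
                if self.domain in (ANY, d.domain)
                and self.category in (ANY, d.category)
                and self.language in (ANY, d.language)}


@dataclass
class Type2Item:
    """Static item: only the dictionaries picked by name are members."""
    names: set

    def resolve(self, dictionaries):
        return self.names & {d.name for d in dictionaries}


@dataclass
class Group:
    """A group includes every dictionary specified by any of its items."""
    items: list

    def resolve(self, dictionaries):
        members = set()
        for item in self.items:
            members |= item.resolve(dictionaries)
        return members


@dataclass
class DictionaryProfile:
    dictionaries: set = field(default_factory=set)
    groups: list = field(default_factory=list)
    excluded_dictionaries: set = field(default_factory=set)
    excluded_groups: list = field(default_factory=list)

    def resolve(self, dictionaries):
        """Names of the dictionaries the profile applies right now."""
        included = self.dictionaries & {d.name for d in dictionaries}
        for group in self.groups:
            included |= group.resolve(dictionaries)
        excluded = set(self.excluded_dictionaries)
        for group in self.excluded_groups:
            excluded |= group.resolve(dictionaries)
        return included - excluded  # assumption: exclusion wins


# Constructed sample data.
SAMPLE_DICTIONARIES = [
    Dictionary("tech-en", "example.com", "Technical", "English"),
    Dictionary("tech-fr", "example.com", "Technical", "French"),
    Dictionary("hr-en", "example.org", "HR", "English"),
    Dictionary("codenames", "system", "Confidential", "English"),
]
SAMPLE_GROUP = Group([
    # The page's own case: all domains, Technical category, English language.
    Type1Item(category="Technical", language="English"),
    Type2Item({"hr-en", "codenames"}),
])
SAMPLE_PROFILE = DictionaryProfile(groups=[SAMPLE_GROUP],
                                   excluded_dictionaries={"hr-en"})

if __name__ == "__main__":
    print(sorted(SAMPLE_PROFILE.resolve(SAMPLE_DICTIONARIES)))
    # A dictionary created later with matching attributes joins via the type 1 item.
    later = SAMPLE_DICTIONARIES + [
        Dictionary("tech-en-2", "example.org", "Technical", "English")]
    print(sorted(SAMPLE_PROFILE.resolve(later)))
```

Comparing the resolved set before and after a dictionary is created or re-categorized shows whether a content or antispam profile has silently started matching on new patterns.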

Maintaining dictionaries
In Profile > Dictionary > Maintenance there are tools to back up and restore the
dictionary configuration. In addition, the FortiMail reports the status of the
dictionary database and is able to make repairs in case of problems.
Figure 106: Dictionary database maintenance

Database Status

Displays the status of the dictionary database.

Recover Database

Repairs most errors if database status reports problems.

Backup

Backs up entire dictionary profile configuration. Everything set in
Profile > Dictionary is included.

Restore Dictionary

Restores saved dictionary profile configuration. Select browse and choose saved
backup file to be restored. Select OK to begin restoration. Any configuration in
dictionary profiles is overwritten.


Creating LDAP profiles


LDAP authentication profiles are used to authenticate email users, to send email
through the FortiMail unit to any destination, and retrieve the quarantined email
from the FortiMail unit hard drive through webmail or POP3.
Figure 107: The LDAP profile list

Profile

Displays the LDAP authentication profile names.

Server Name/IP

Displays the name/IP address of the LDAP server.

Port

Displays the port used to communicate with the LDAP server.

User

User Query Options are always enabled. Since LDAP verification and
authentication are based on the settings in the User Query Option, it cannot be
disabled.

Group

Displays whether LDAP group queries are enabled in this profile.

Auth

Displays whether user authentication options are enabled in this profile.

Alias

Displays whether user alias options are enabled in this profile.

Routing

Displays whether mail routing options are enabled in this profile.

AS/AV

Displays whether user antispam/antivirus options are enabled in this profile.

Webmail Pwd

Displays whether webmail password options are enabled in this profile. This
option appears only in server mode.

Cache

Displays whether the FortiMail unit is caching LDAP queries.

Modify

Select the Delete icon to remove a profile, and the Edit icon to modify a
profile.
The Delete icon does not appear if the profile is used in a policy.
See "Creating email filtering and control policies" on page 199.

Create New

Select to create an LDAP authentication profile.

To add and edit an LDAP server authentication profile

1 Go to Profile > LDAP.

2 Select Create New.

Figure 108: New LDAP Profile window

3 Enter the profile name and the name or IP address of the LDAP server for which
you want to create an authentication profile.

4 Enter the LDAP server port number. The default port number is 389 for a
non-secure connection and 636 for a secure connection.

5 Enter the fallback LDAP server name or IP address. If the server defined in the
Server Name/IP field is unreachable and a fallback server is defined, the FortiMail
unit will connect to the fallback server to submit its query.

6 Select whether to use a secure (SSL) or non-secure (none) connection to the
LDAP server. The default is a non-secure connection.

7 Expand User Query Options to change how the FortiMail unit will query the LDAP
server.

Test

Selecting this link will query the LDAP server to test the configuration data
entered. If any configuration information is changed or added, you must select
OK or Apply before running a test.

Schema

Select a predefined directory schema depending on your LDAP server type. If you
select any schema but User Defined, the LDAP Query to Find User field is
automatically populated.

Base DN

Type the distinguished name (DN) that will be the default point from which LDAP
directory lookups will occur.

Bind DN, Bind Password

Enter a bind DN and bind password of an account with the rights to complete the
required LDAP queries.

Browse

Selecting the Browse link will assist in entering some server-specific
information fields. For example, if the Base DN is unknown, browsing can help
determine it.
The server IP is required, and depending on the LDAP server configuration,
server port, use secure connection, Bind DN, Bind Password, and protocol version
may have to be correctly set before Browse will function.

LDAP Query to Find User

Enter the query to be used for finding a user in the LDAP directory. For
example, userPrincipalName=$m. $m stands for a user's email address.
This field is read-only if you select any schema but User Defined.

Scope

Select the search scope. This setting determines the depth of search.

Derefer

Specify how alias dereferencing is done. The values are Never, Always, Search,
or Find to specify respectively that aliases are never dereferenced, always
dereferenced, dereferenced when searching, or dereferenced only when finding the
base object for the search.

8  Expand Group Query Options to define real or virtual LDAP groups.
Test

Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.

Use LDAP Tree Node as Group

Select this option to specify any LDAP tree node. Any node that falls under the
specified tree node will be considered a member of the group. Since the
specified node isn't defined as a group in the LDAP database, the FortiMail
unit sees it as a sort of virtual group.

Member Of Group Attribute

Enter the user attribute that defines the groups the user
belongs to. For example, this attribute is memberOf for
Active Directory servers.

Use Group Name with Base DN as Group DN

When selected, the two following fields become available. With the appropriate
information entered, the admin need only enter the LDAP group name when
creating a recipient-based policy, for example. If this option is disabled,
the group name attribute, group name, and group base DN must be specified in
the policy.

Group Base DN

Enter the group base DN if Use Group Name with Base DN as Group DN is enabled.

Group Name Attribute

Enter the group name attribute if Use Group Name with Base DN as Group DN is
enabled.

9  Expand User Auth Options to change the way users are authenticated.
Test

Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.

Try UPN or Mail Address as Bind DN

Type an alternate User Principal Name suffix. If no domain is entered, the mail
domain is used.

Try Common Name with Base DN as Bind DN

Type the LDAP server's common name. This field is read-only if you select any
schema but User Defined.

Search User and Try Bind DN

Select this option to search the user information to get the user's DN, and
bind it to the LDAP server to authenticate. The bind DN set in User Query
Options will search for the user information based on the user's email address
and get its DN. Then it will bind the user's DN along with its password to the
LDAP server.

10  Expand User Alias Options if required. Many of the settings here also appear in
User Query Options because aliases may be configured differently on the LDAP
server. This duplication allows settings to be tailored separately for each.
Test

Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.

Schema

Select a predefined directory schema depending on your LDAP server type. If you
select any schema but User Defined, the Alias Member Attribute, Alias Member
Query String, User Group Expansion In Advance, Group Member Attribute, and
Group Member Query String fields are automatically populated.

Base DN

Type the distinguished name (DN) that will be the default point from which LDAP
directory lookups will occur.

Bind DN, Bind Password

Enter a bind DN and bind password of an account with the rights to complete the
LDAP query.

Alias Member Attribute

Enter the attribute containing the alias member.

Alias Member Query String

Enter a query to be used for finding an alias member in the LDAP directory.

User Group Expansion In Advance

Select to expand the User Group query result list first, then use each item
returned in the Alias Member Query.

Group Member Attribute

Enter the attribute containing the group member.

Group Member Query String

Enter a query to be used for finding the members of the group in the LDAP
directory.

Scope

Select the search scope. This setting determines the depth of search.

Derefer

Specify how alias dereferencing is done. The values are Never, Always, Search,
or Find to specify respectively that aliases are never dereferenced, always
dereferenced, dereferenced when searching, or dereferenced only when finding
the base object for the search.

Max alias expansion level

Specify how many levels of nested aliases will be expanded.

11  Expand Mail Routing Options if each user's LDAP profile contains mail routing
information.
Test

Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.

Mail Host Attribute

Enter the attribute containing the mail host. Using this information, the
FortiMail unit can obtain the mail host information for each user.

Mail Routing Address Attribute

Enter the attribute containing the mail routing address.

12  Expand AS/AV On/Off Options if each user's LDAP profile contains antispam and
antivirus information.
Test

Selecting this link will query the LDAP server to test the
configuration data entered. If any configuration information
is changed or added, you must select OK or Apply before
running a test.

AntiSpam On/Off Attribute

Enter the attribute containing the antispam information. Using this, the
FortiMail unit can apply its antispam features to only those users whose
profiles call for it.

AntiVirus On/Off Attribute

Enter the attribute containing the antivirus information.

13  Expand Advanced Options.

Timeout

Type the time limit in seconds for an LDAP search to be completed.

Protocol Version

Select the LDAP protocol version used by the server.

Allow unauthenticated ldap bind

Select to allow unauthenticated LDAP binds.

Enable Cache

Select to enable the LDAP cache. The FortiMail unit will cache LDAP queries to
reduce the amount of network traffic by eliminating redundant queries. Select
Clear Cache to clear the LDAP queries the FortiMail unit has saved.

TTL

Enter the amount of time, in minutes, the FortiMail unit will cache LDAP
queries. When the configured time elapses after the query is submitted, the
saved query is cleared from the cache.

14  Expand Webmail Password Options to define a schema.
Select the correct schema for LDAP webmail password authentication. The
Webmail Password Options only appear if the FortiMail unit is operating in server
mode.

15  Select OK.
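The following added example (not FortiMail code) walks through the Search User and Try Bind DN sequence with the example query userPrincipalName=$m, so you can see what a profile like this asks of the directory. The in-memory directory, its entries and the profile values are constructed; the empty-password and filter-escaping behaviour follows general LDAP rules (RFC 4513, RFC 4515) and is an assumption about the directory, not a description of the FortiMail unit's internals.

```python
import hmac
import re

# Constructed sample directory: DN -> attributes. Not taken from a real server.
SAMPLE_ENTRIES = {
    "cn=fortimail-svc,ou=svc,dc=example,dc=com": {"userPassword": "svc-secret"},
    "cn=Alice,ou=people,dc=example,dc=com": {
        "userPrincipalName": "alice@example.com", "userPassword": "correct horse"},
    "cn=Bob,ou=people,dc=example,dc=com": {
        "userPrincipalName": "bob@example.com", "userPassword": "battery staple"},
}

# Keys mirror the profile fields described above; the values are constructed.
PROFILE = {
    "base_dn": "ou=people,dc=example,dc=com",
    "bind_dn": "cn=fortimail-svc,ou=svc,dc=example,dc=com",
    "bind_password": "svc-secret",
    "query": "userPrincipalName=$m",
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves, so the address is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand_query(template, email):
    """Substitute the user's email address for $m in the query template."""
    return template.replace("$m", escape_filter_value(email))


class FakeDirectory:
    """Minimal in-memory stand-in for an LDAP server (attr=value filters only)."""

    def __init__(self, entries, allow_unauthenticated):
        self.entries = entries
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, dn, password):
        if dn not in self.entries:
            return False
        if password == "":
            # A simple bind with a DN and an empty password is an
            # unauthenticated bind: it can succeed without proving identity.
            return self.allow_unauthenticated
        stored = self.entries[dn]["userPassword"]
        return hmac.compare_digest(stored.encode(), password.encode())

    def search(self, base_dn, ldap_filter):
        attr, _, value = ldap_filter.partition("=")
        # An unescaped * is a wildcard; \xx is one literal character.
        parts = re.split(r"(\\[0-9a-fA-F]{2}|\*)", value)
        pattern = "".join(
            ".*" if p == "*"
            else re.escape(chr(int(p[1:], 16))) if re.fullmatch(r"\\[0-9a-fA-F]{2}", p)
            else re.escape(p)
            for p in parts)
        flags = re.IGNORECASE | re.DOTALL
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and attr in attrs
                and re.fullmatch(pattern, attrs[attr], flags)]


def search_user_and_try_bind(directory, profile, email, password):
    """Return True only if the user's own DN binds with a non-empty password."""
    if not password:
        return False  # never forward an empty password to the directory
    if not directory.bind(profile["bind_dn"], profile["bind_password"]):
        raise RuntimeError("service bind failed: check Bind DN and Bind Password")
    matches = directory.search(profile["base_dn"],
                               expand_query(profile["query"], email))
    if len(matches) != 1:
        return False  # unknown user, or an ambiguous result
    return directory.bind(matches[0], password)
```

When you test a real profile, confirm the same two properties: the directory rejects an empty password for a user DN, and the query returns exactly one entry per email address.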

Creating IP pool profiles


Use IP pool profiles if you want outgoing email to originate from a configured
range of IP addresses. Each sent message will use the next IP address in the
range. When the last IP address in the range is used, the next message will use
the first IP address.

IP pool profiles can be specified for each domain configured in Mail Settings >
Domains > Domains. Any email sent from a domain configured on the FortiMail
unit will use the IP addresses specified in the IP pool profile. See "Configuring
domains (transparent and gateway modes)" on page 129 or "Configuring domains
(server mode)" on page 136 for details on how to configure domains on the
FortiMail unit.

IP pool profiles can also be specified in each IP-based policy. The IP pool policy
specified in the domain configuration will override the IP pool policy specified in an
IP-based policy unless "If this policy matches then don't check for a recipient
match" is enabled in the IP-based policy. See "How to create IP-based email
policies" on page 204 for details on how to create and configure IP-based policies.

An email message will use IP pool addresses only if the sender domain is
configured on the FortiMail unit and the recipient domain is not. Messages from
unknown domains and messages between known domains will not use IP pool
addresses.

Figure 109: A newly created IP Pool profile

To create an IP Pool

1  Go to Profile > IP Pool > IP Pool Lists.

2  Select Create New.

3  Enter a name for this IP pool.
The name can only contain letters and spaces. - and _ are not allowed.

4  Select the Start IP address for the range of IP addresses in this IP pool.

5  Select the Range Size. This is the number of available IP addresses starting with
the Start IP address.
For example, if you specify 10.0.0.3 as the start IP and enter a range size of 5, the
IP pool will contain the addresses 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6, and
10.0.0.7.

6  If you want to include a number of different ranges of IP addresses in this IP pool,
select Create New and repeat steps 4 and 5 for each additional range of
addresses you add.
If you want to remove a range of IP addresses from this IP pool, select Delete for
that range.

7  Select OK.
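The following added example (not FortiMail code) expands Start IP and Range Size pairs into the addresses a pool contains and shows which messages would be sent from them, which is useful when you need the full list of source addresses for firewall rules. It assumes that several ranges are used in list order and that a message that does not qualify for the pool does not advance the rotation; the domains and addresses are constructed.

```python
from ipaddress import IPv4Address

MAX_IPV4 = int(IPv4Address("255.255.255.255"))


def pool_addresses(ranges):
    """Expand (start_ip, range_size) pairs into the ordered pool addresses."""
    addresses = []
    for start, size in ranges:
        first = IPv4Address(start)
        if size < 1 or int(first) + size - 1 > MAX_IPV4:
            raise ValueError(f"invalid range: start {start}, size {size}")
        addresses.extend(str(first + offset) for offset in range(size))
    return addresses


def uses_ip_pool(sender_domain, recipient_domain, configured_domains):
    """Pool addresses apply only when the sender domain is configured on the
    unit and the recipient domain is not."""
    known = {d.lower() for d in configured_domains}
    return sender_domain.lower() in known and recipient_domain.lower() not in known


def assign_source_addresses(messages, ranges, configured_domains):
    """Return one entry per (sender, recipient) message: the pool address it
    is sent from, or None when the message does not use the pool."""
    pool = pool_addresses(ranges)
    position = 0
    assigned = []
    for sender, recipient in messages:
        sender_domain = sender.rsplit("@", 1)[-1]
        recipient_domain = recipient.rsplit("@", 1)[-1]
        if uses_ip_pool(sender_domain, recipient_domain, configured_domains):
            # Next address in the range; wrap to the first after the last.
            assigned.append(pool[position % len(pool)])
            position += 1
        else:
            assigned.append(None)
    return assigned


# Constructed sample traffic for a unit with example.com configured.
SAMPLE_MESSAGES = (
    [("alice@example.com", "partner@remote.test")] * 6
    + [("alice@example.com", "bob@example.com"),      # between known domains
       ("stranger@unknown.test", "bob@example.com")]  # sender domain unknown
)
```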

Creating email filtering and control policies

This section describes how to use FortiMail policies to filter the incoming and
outgoing email and control the email accounts.
This section contains the following topics:

What is a policy

How to use policies

How to create recipient-based email policies

How to create IP-based email policies

What is a policy
After creating the antispam, antivirus, content, authentication, or misc profiles, you
can apply them to policies. Recipient-based policies are run on messages sent to
a user or user group specified in a policy. IP-based policies are run when the IP
address matches the client address specified in the policy in gateway and server
modes, or both IP addresses match the client and server addresses specified in
the policy in transparent mode.

Policies determine if and how incoming and outgoing email is scanned for spam,
viruses, and attachment types. Also, policies can determine user account settings,
such as authentication type, disk quota, and access to webmail. For more
information about profiles, see "Creating email filtering and control profiles" on
page 161.

How to use policies


Recipient-based policies allow you to define which policies are run on individual
messages based on who the message is sent to. In server and gateway modes,
IP-based policies are run on connections initiated by the computer whose IP
address is specified in the policy. In transparent mode, IP-based policies are run
on connections between two computers, both specified by IP address in the
policy.

Depending on your needs, you can create different recipient-based policies for
different email recipients. For example, if you are an ISP, you can create and
apply antispam and antivirus profiles only if the customers have paid for those
services.

In all operating modes, you can create incoming and outgoing recipient-based
email policies to protect both the local and remote email recipients.

The IP-based policy matching the session is determined as soon as the
connection is made. It is not immediately applied, however, because
recipient-based policies take priority. Since any given message can only have one
policy applied to it, the FortiMail unit holds the IP-based policy match in reserve
and checks each message for recipient-based policy matches. If a match is found,
the recipient-based policy is applied. If no recipient-based policies match, the
IP-based policy is applied.

Note: If no recipient-based policy matches the message and no IP-based policy matches
the session, no policies are applied and the mail is delivered.

This is how all aspects of the policies are applied with the exception of the session
profile and the antivirus profile.

Recipient-based policies do not allow the selection of a session profile. If an
IP-based policy matches the connection, the session profile will be applied in
addition to other profiles specified in a matching recipient-based policy.

Single messages with multiple recipients are treated as multiple messages, each
with a single recipient, when recipient-based policies apply their profiles. This
allows a fine degree of control, but also means some recipients will not receive the
same message another recipient will receive.

In the case of the antivirus profile, however, a message with multiple recipients is
treated as a single message. The FortiMail unit will check the recipients for a
recipient-based policy match and when the first match is found, the antivirus
profile from the matching recipient-based policy is run on the message. No further
checks are made for recipient matches. If no recipient-based policies match the
message, the antivirus profile from the IP-based policy is applied. If no
recipient-based policies match the message, and no IP-based policy matches the
session, no antivirus profile is applied to the message.
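The following added example (not FortiMail code) models the precedence rules above so you can check which profiles a message will actually receive before changing a live policy list. It is a simplified model: recipients are matched on full addresses with * as the only wildcard, transparent-mode server addresses are left out, and all profile names and addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class IPPolicy:
    client: str                          # client address or subnet
    session: Optional[str] = None
    antispam: Optional[str] = None
    antivirus: Optional[str] = None
    content: Optional[str] = None
    skip_recipient_check: bool = False   # "don't check for a recipient match"


@dataclass
class RecipientPolicy:
    pattern: str                         # full address; * is the only wildcard
    antispam: Optional[str] = None
    antivirus: Optional[str] = None
    content: Optional[str] = None


def _first_ip_match(policies, client_ip):
    addr = ip_address(client_ip)
    return next((p for p in policies
                 if addr in ip_network(p.client, strict=False)), None)


def _first_recipient_match(policies, recipient):
    for policy in policies:              # list order is evaluation order
        regex = ".*".join(re.escape(part) for part in policy.pattern.split("*"))
        if re.fullmatch(regex, recipient, re.IGNORECASE):
            return policy
    return None


def resolve(ip_policies, recipient_policies, client_ip, recipients):
    """Return {recipient: profiles} for one message in one SMTP session."""
    ip_pol = _first_ip_match(ip_policies, client_ip)
    check_recipients = not (ip_pol and ip_pol.skip_recipient_check)
    matches = {r: _first_recipient_match(recipient_policies, r)
               if check_recipients else None for r in recipients}

    # Antivirus: one decision per message, taken from the first recipient
    # with a recipient-based match, otherwise from the IP-based policy.
    av_source = next((m for m in matches.values() if m), ip_pol)
    antivirus = av_source.antivirus if av_source else None

    result = {}
    for recipient, match in matches.items():
        chosen = match or ip_pol         # recipient-based policy takes priority
        result[recipient] = {
            "policy": "recipient" if match else "ip" if ip_pol else None,
            # The session profile always comes from the IP-based policy.
            "session": ip_pol.session if ip_pol else None,
            "antispam": chosen.antispam if chosen else None,
            "content": chosen.content if chosen else None,
            "antivirus": antivirus,
        }
    return result


# Constructed sample configuration; profile names are placeholders.
IP_POLICIES = [
    IPPolicy("192.0.2.10", session="sess-relay", antispam="as-relay",
             antivirus="av-relay", skip_recipient_check=True),
    IPPolicy("0.0.0.0/0", session="sess-default", antispam="as-ip",
             antivirus="av-ip"),
]
RECIPIENT_POLICIES = [
    RecipientPolicy("ceo@example.com", antispam="as-strict",
                    antivirus="av-strict", content="content-exec"),
    RecipientPolicy("*@example.com", antispam="as-standard",
                    antivirus="av-standard"),
]
```

With the sample lists, a message addressed to intern@example.com and ceo@example.com is scanned with av-standard for both recipients, because the first recipient that matches a recipient-based policy decides the antivirus profile for the whole message.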

How to create recipient-based email policies


You can create policies by applying profiles to users. For both incoming and
outgoing SMTP email, you apply profiles to the email recipients.

Caution: Add, delete, and modify policies with care. Any changes made to the policy
configuration take effect immediately.

Creating incoming recipient-based policies (transparent and gateway)


You can create and apply policies to incoming email to protect the email recipients
on the domains configured on the FortiMail unit.

Arrange policies in the policy list from most specific at the top to more general at
the bottom. Policy matches are checked from the top of the list, downward. For
example, a policy created with an asterisk (*) entered for the user name is the
most general policy possible because it will match all users in the domain. When
you create more specific policies, you must add them to the policy list above the
general policy.

Figure 110: Incoming recipient-based policy list

Select a domain

Select a domain to show its recipient-based policy list.

The order number of the recipient-based policies.

User Name

Recipients matching the specified user name will have the policy
settings applied to their email.

AntiSpam

The antispam profile selected for the matching recipients.

AntiVirus

The antivirus profile selected for the matching recipients.

Content

The content profile selected for the matching recipients.

Authentication

The authentication profile selected for the matching recipients.

Modify

Select the Delete icon to remove a policy, the Edit icon to modify a
policy, and the Move icon to change the order of a user in the list.

Create New

Select to create a policy.

Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.

To create an incoming recipient-based policy

1  Go to Policy > Incoming.

2  Select a domain (mail server) that contains the users to whom you want to apply
policies.
For information on creating domains, see "Configuring domains (transparent and
gateway modes)" on page 129.

3  Select Create New.

4  The user or group the policy applies to can be defined in three ways:

Select User Name and enter the user's name. The user name you type must
match the same user's name on the email server. For example, the user name
for the address user1@example.com is user1. Do not include the domain
portion. You can also use an asterisk to represent all users on a domain.

Select Local Group Name and enter the name of a group defined in User >
User Group. See "Creating user groups" on page 156.

Select LDAP Group Name and enter an LDAP group name that includes all of
the users. Select the LDAP profile configured to connect to the server and
retrieve the group information.

5  Select the Antispam profile, Antivirus profile, and Content profile for the user.

6  For Authentication, select the authentication server type and a profile for the user.
Radius, POP3, IMAP, and SMTP authentication profiles are created and modified
in Profile > Authentication. LDAP authentication profiles are created and
modified in Profile > LDAP.

7  For Auth Requires Domain, if the selected authentication server requires domain
names for authentication, select Requires Domain.

8  Enable SMTP AUTH as required.
This enables users to access the quarantined spam on the FortiMail unit. It also
enables roaming users to send email through the FortiMail unit.

9  Select Allow Different Sender Identity if you allow email messages that have
different authentication identities and from addresses to pass through.
This option only activates if you have enabled SMTP AUTH in step 8.

10  For Spam Access Methods, select POP3 or Web Mail to access the quarantined
spam on the FortiMail unit.

11  Select OK.

Creating outgoing recipient-based policies (transparent and gateway)


You can create and apply policies to outgoing email to protect the email recipients
on all domains not configured on the FortiMail unit.

Figure 111: Outgoing recipient-based policy list

The order number of user policies.

User Name

The name of the email recipient.

AntiSpam

The antispam profile selected for the user.

AntiVirus

The antivirus profile selected for the user.

Content

The content profile selected for the user.

Modify

Select the Delete icon to remove a policy, the Edit icon to modify a
policy, and the Move icon to change the order of a user in the list.

Create New

Select to create a policy.

Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.

To create an outgoing recipient-based policy

1  Go to Policy > Outgoing.

2  Select Create New.

3  Enter the User Name.
The user name you type must match the same user's name on the recipient email
server. The user name should include the domain portion, such as
jdoe@example.com. You can also use a wildcard plus a domain name to
represent all users on that server. For example, *@example.com.

4  Select the Antispam profile, Antivirus profile, and Content profiles for the user.

5  Select OK.

Creating recipient-based policies for email users (server mode)


You can use antispam, antivirus, or misc profiles to control a user's incoming or
outgoing email to protect the user and the recipients.

Arrange policies in the policy list from most specific at the top to more general at
the bottom. Policy matches are checked from the top of the list, downward. For
example, a policy created with an asterisk (*) entered for the user name is the
most general policy possible because it will match all users in the domain. When
you create more specific policies, you must add them to the policy list above the
general policy.

Figure 112: Incoming recipient-based policy list

Figure 113: Outgoing recipient-based policy list

The order number of policies.

User Name

The name of the email recipient.

Antispam

The antispam profile selected for the user.

AntiVirus

The antivirus profile selected for the user.

Content

The content profile selected for the user.

Misc

The misc profile selected for the user. This is available for the
incoming option only.

Modify

Select the Delete icon to remove a policy, the Edit icon to modify a
policy, and the Move icon to change the order of a policy in the list.

Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.

To create a recipient-based policy

1  Go to Policy > Incoming or Outgoing.

2  Select Create New.

3  For incoming policies, the user or group can be defined in three ways:

Select User Name and enter the user's name. The user name you type must
match the same user's name on the email server. For example, the user name
for the address user1@example.com is user1. Do not include the domain
portion. You can also use an asterisk to represent all users on a domain.

Select Local Group Name and enter the name of a group defined in User >
User Group. See "Creating user groups" on page 156.

Select LDAP Group Name and enter an LDAP group name that includes all of
the users. Select the LDAP profile configured to connect to the server and
retrieve the group information.

4  For outgoing recipient-based policies, enter an email address.
The address should also include the domain, such as jdoe@example.com. You
can also use an asterisk (wild card) to represent all users on a domain. For
example, *@example.com applies to all users on the example.com domain.

5  If this policy is for a user's incoming email, select the Antispam profile, Antivirus
profile, Content profile, and Misc profile for the user.

6  If this policy is for a user's outgoing email, select the Antispam profile, Antivirus
profile, and Content profile for the user.

7  Select OK.

Note: If no policy is added to a user, the following default values apply: disk quota = 0; user
account status = enable; webmail access = enable.

How to create IP-based email policies


You can create policies by applying profiles to SMTP connections. In gateway and
server modes, you specify an address for the client. In transparent mode, you
specify IP addresses for the client and the server.

The client is the computer initiating the connection and the server is the computer
receiving the connection. For example, if system A opened a connection to
system B to deliver mail, A is the client and B is the server. If system B later
opened a connection to system A to deliver a response, B is now the client and A
is the server.

Caution: Add, delete, and modify policies with care. Any changes made to the policy
configuration take effect immediately.

Creating IP-based policies (gateway mode)


You can create and apply policies to SMTP traffic to protect both inside and
outside email recipients.

Arrange policies in the policy list from most specific at the top to more general at
the bottom. Policy matches are checked from the top of the list, downward. For
example, a policy created for 0.0.0.0/0 is the most general policy possible
because it will match all IP addresses. When you create more specific policies,
you must add them to the policy list above the general policy.
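The following added example (not FortiMail code) checks a policy list for entries that can never match because a more general entry sits above them, for both the user-name ordering described for recipient-based policies and the address ordering described here. It assumes * is the only wildcard in user names and compares single client addresses or subnets only; an entry covered only by the combination of several earlier entries is not reported. The sample lists are constructed.

```python
import re
from ipaddress import ip_network


def _covers_pattern(earlier, later):
    """True if every name matched by `later` is also matched by `earlier`.

    `later` is compared as a literal string, so a * in `later` can only be
    absorbed by a * in `earlier`.
    """
    regex = ".*".join(re.escape(part) for part in earlier.split("*"))
    return re.fullmatch(regex, later, re.IGNORECASE) is not None


def _covers_network(earlier, later):
    """True if the `later` address or subnet lies inside `earlier`."""
    outer = ip_network(earlier, strict=False)
    inner = ip_network(later, strict=False)
    return outer.version == inner.version and inner.subnet_of(outer)


def shadowed(entries, covers):
    """Return (order, shadowed_by) pairs, using 1-based order numbers as
    shown in the policy list. Matching is top-down, first match wins."""
    findings = []
    for j, later in enumerate(entries):
        for i in range(j):
            if covers(entries[i], later):
                findings.append((j + 1, i + 1))
                break
    return findings


def audit_recipient_policies(user_names):
    """Audit the User Name column of a recipient-based policy list."""
    return shadowed(user_names, _covers_pattern)


def audit_ip_policies(clients):
    """Audit the Match column of a gateway or server mode IP-based list."""
    return shadowed(clients, _covers_network)


# Constructed sample lists, in the order they would appear in the policy list.
SAMPLE_USERS = ["ceo", "*", "helpdesk", "sales-*"]
SAMPLE_CLIENTS = ["10.1.2.5", "10.1.0.0/16", "10.1.2.0/24", "0.0.0.0/0",
                  "192.0.2.10"]
```

For the sample lists, policies 3 and 4 in the recipient list are shadowed by the asterisk policy at position 2, and in the IP list policy 3 is shadowed by policy 2 and policy 5 by policy 4; each needs to be moved above the entry that covers it.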

Figure 114: Gateway mode IP-based Policy list

The order number of user policies.

Match

The IP address of the client to apply this policy to. The address will
appear in blue when "If this policy matches then don't check for a
recipient match" is selected in the policy's Misc Settings.

Session

The session profile selected for the client.

AntiSpam

The antispam profile selected for the client.

AntiVirus

The antivirus profile selected for the client.

Content

The content profile selected for the client.

IP Pool

The IP pool profile selected for the client. The IP pool profile will
be ignored if the "If this policy matches then don't check for a
recipient match" option is not enabled.

Authentication

Authorization profile selected for the client.

Edit icon

Select the Edit icon to modify a policy.

Delete icon

Select the Delete icon to remove a policy.

Move icon

Select the Move icon to change the order of a policy in the list.

Create New

Select to create a policy.

Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.

To create an IP-based policy

1  Go to Policy > IP Based.

2  Select Create New.

3  Type the IP address of a client computer or enter a subnet. The policy being
created will apply to all connection attempts initiated from the address/subnet
specified.

4  If the policy is to simply deny connections from the specified IP address, select
Reject connections with this match.

5  If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, IP pool profile, and Content profile to be used by the
profile during the session initiated by the client computer.

6  If required, expand Authentication, select the authentication server type and a
profile for the policy. Radius, POP3, IMAP, and SMTP authentication profiles are
created and modified in Profile > Authentication. LDAP authentication profiles
are created and modified in Profile > LDAP.

7  To use the authentication type and profile for SMTP sessions, select Use for
SMTP Authentication.

8  Select Allow Different Sender Identity if you allow email messages that have
different authentication identities and from addresses to pass through. This
option is only available if Use for SMTP Authentication is selected.

9  Select "If this policy matches then don't check for a recipient match" to have
checking for recipient-based policy matches disabled while this IP-based profile is
in effect. The IP-based profile will be applied and recipient-based profiles ignored.

Creating IP-based policies (server mode)


You can create and apply policies to SMTP traffic to protect both inside and
outside email recipients.

Arrange policies in the policy list from most specific at the top to more general at
the bottom. Policy matches are checked from the top of the list, downward. For
example, a policy created for 0.0.0.0/0 is the most general policy possible
because it will match all IP addresses. When you create more specific policies,
you must add them to the policy list above the general policy.

Figure 115: Server mode IP-based Policy list

The order number of user policies.

Match

The IP address of the client to apply this policy to. The address will
appear in blue when "If this policy matches then don't check for a
recipient match" is selected in the policy's Misc Settings.

Session

The session profile selected for the client.

AntiSpam

The antispam profile selected for the client.

AntiVirus

The antivirus profile selected for the client.

Content

The content profile selected for the client.

IP Pool

The IP pool profile selected for the client. The IP pool profile will be
ignored if the "If this policy matches then don't check for a recipient
match" option is not enabled.

Edit icon

Select the Edit icon to modify a policy.

Delete icon

Select the Delete icon to remove a policy.

Move icon

Select the Move icon to change the order of a policy in the list.

Create New

Select to create a policy.

Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.

To create an IP-based policy

1  Go to Policy > IP Based.

2  Select Create New.

3  Type the IP address of a client computer or enter a subnet. The policy being
created will apply to all connection attempts initiated from the address/subnet
specified.

4  If the policy is to simply deny connections from the specified IP address, select
Reject connections with this match.

5  If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, Content profile, and IP pool profile to be used by the
profile during the session initiated by the client computer.

6  Select "If this policy matches then don't check for a recipient match" to have
checking for recipient-based policy matches disabled while this IP-based profile is
in effect. The IP-based profile will be applied and recipient-based profiles ignored.

Creating IP-based policies (transparent mode)


You can create and apply policies to SMTP traffic to protect both inside and
outside email recipients. Policies are parsed from top to bottom. The client's IP
address and the server's IP address are compared against those specified in the
policy and a match activates the policy. Since both the client and server
addresses are specified, you can even define different policies for connections
between the same two computers depending on which machine initiates contact.

Figure 116: Transparent mode IP-based Policy list

The order number of user policies.

Match

The IP address of the client and the server the policy will apply to.
The client address is displayed first, followed by the server. The
addresses will appear in blue when "If this policy matches then
don't check for a recipient match" is selected in the policy's Misc
Settings.

Session

The session profile selected for the policy.

AntiSpam

The antispam profile selected for the policy.

AntiVirus

The antivirus profile selected for the policy.

Content

The content profile selected for the policy.

IP Pool

The IP pool profile selected for the policy. The IP pool profile will
be ignored if the "If this policy matches then don't check for a
recipient match" option is not enabled.

Authentication

Authorization profile selected for the policy.

Edit icon

Select the Edit icon to modify a policy.

Delete icon

Select the Delete icon to remove a policy.

Move icon

Select the Move icon to change the order of a policy in the list.

Create New

Select to create a policy.


Profiles listed in the policy table appear as linked text. To quickly modify profile
settings, select the required profile. A window opens with the policy settings. After
making the required changes, select OK to save the settings.
To create an IP-based policy

208

Go to Policy > IP Based.

Select Create New.

Type the IP address of the client computer or enter a subnet. Type the IP address
of the server computer or enter a subnet. The policy being created will apply to all
connection attempts initiated from the client address/subnet to the server
address/subnet.

If the policy is to simply deny connections from the client to server, select Reject
connections with this match.

If required, expand Profile Settings and select the Session profile, Antispam
profile, Antivirus profile, Content profile, and IP pool profile to be used by the
profile during the session initiated by the client computer.

If required, expand Authentication, select the authentication server type and a
profile for the policy. Radius, POP3, IMAP, and SMTP authentication profiles are
created and modified in Profile > Authentication. LDAP authentication profiles
are created and modified in Profile > LDAP.

To use the authentication type and profile for SMTP sessions, select Use for
SMTP Authentication.

Select Allow Different Sender Identity if you allow email messages that have
different authentication identities and from addresses to pass through. This
option is only available if Use for SMTP Authentication is selected.

Select "If this policy matches then don't check for a recipient match" to have
checking for recipient-based policy matches disabled while this IP-based profile is
in effect. The IP-based profile will be applied and recipient-based profiles ignored.

Configuring antispam settings


When you create an antispam profile, you can configure some of the antispam
settings on the Profiles > AntiSpam page. For details, see "Creating antispam
profiles" on page 162. However, the following system-wide antispam settings are
available separately on the AntiSpam page. Before you can use these settings in
a profile, you must configure them.

• Quarantine settings allow you to specify how the FortiMail unit deals with
quarantined email messages. See "Managing the spam quarantine" on page 209.

• FortiGuard-Antispam settings allow you to enable the FortiGuard-Antispam
service so that you can use it in the antispam profiles. See "Using the
FortiGuard-Antispam service" on page 221.

• Bayesian settings allow you to train the Bayesian databases to make the
antispam email scanning more accurate. See "Training Bayesian databases"
on page 222.

• Black/White List settings allow you to block or allow email from the email
addresses or domains you specify. See "Configuring black and white lists" on
page 235.

This section contains the following topics:

Managing the spam quarantine

Example: FortiMail spam release and delete

Managing the system quarantine

Using the FortiGuard-Antispam service

Training Bayesian databases

Example: FortiMail Bayesian training

Configuring black and white lists

Configuring greylist

Configuring sender reputation

Configuring PDF scanning

Managing the spam quarantine


The FortiMail unit can be configured to quarantine spam email on its hard drives.
Any FortiMail unit can be configured to store its quarantined messages in a
centralized quarantine hosted on a FortiMail-2000 or larger. See "Configuring
storage settings" on page 127 for details.

Spam quarantine
You can set up the FortiMail unit's auto release and auto delete accounts so that
users can ask the FortiMail unit to release or delete email addressed to them
that the FortiMail unit caught as spam. Releasing a message sends it to the
back-end server and, from there, to the email recipients. See "Releasing and
deleting quarantined spam" on page 211.

You need to enable the quarantine function when configuring antispam profiles for
the FortiMail unit to quarantine spam. See "To create an antispam profile" on
page 163.
You can view the email addresses of the email recipients who have spam
quarantined on the FortiMail unit. You can also view the recipient mailbox size
information.
You can also view, sort, delete, or release the quarantined email.
To view the quarantined spam recipient information
Go to AntiSpam > Quarantine > Recipients.

Select the domain for which you want to see the quarantined spam recipients.

A list of folders is displayed. The folders are named for the email addresses the
spam was sent to.
You can select the number of lines to view on a page and sort the recipients by
email address and mailbox size.

Folders may be easily deleted. Select the check boxes for the folders you wish to
remove and select the delete icon.

Select Expunge to reclaim disk space used by deleted quarantined email. When
quarantined email is deleted, the message is marked as deleted and removed
from the list of quarantined email. The message will still take up disk space,
however. Expunge will reclaim this disk space.

Select Send Summary if you want to manually send out a spam summary report to
the spam recipients. The summary will include each user's spam messages listed
on the Recipients page received in the last 24 hours. You can also set up a spam
report schedule to automatically send spam reports to the corresponding email
recipients. For details, see "Scheduling spam reports" on page 212.
To manage the quarantined email

Select the recipient's email address.
All quarantined messages for the selected recipient are displayed.

Select the number of lines to view on each page.

Sort the messages by subject, sender address, date, and ticket number.

Select the Delete or Release check box in the header and select OK to delete or
release all the spam messages for this recipient.

Select the delete or release check box before a spam message and select OK to
delete or release an individual spam message.

Searching the quarantined spam


The quarantine search allows the administrator to search the spam quarantine for
messages based on message content and message recipient, across any or all
domains configured on the FortiMail unit.
To define a quarantine search

Go to AntiSpam > Quarantine > Recipients.

Select Search, beside the domain drop down menu.

Expand the New Search Task heading to reveal the search parameter options.

Enter values in the content fields you will use to search. The search will match all
the entered parameters. Messages matching only some of the entered
parameters will not be included in the search results.

Use the Time settings to limit the search to a particular period ending on the date
and hour set. By default, the current date and hour is automatically set as the
period end.

In the Recipient section, the domains configured on the FortiMail unit are listed in
the left field. Select the domains you wish to include in the search and select the
right-arrow button to move them to the right field.

Optionally, enter a user ID in the User field to limit the search results to messages
sent to the specified user ID on the domains in the right field.

Select OK to save and execute the search. The search will appear under the
Search Result heading, labeled with the date and time it was created.
To view quarantine search results

Go to AntiSpam > Quarantine > Recipients.

Select Search, beside the domain drop down menu.

Expand the Search Result heading to reveal the saved searches.

Select the View Result icon, or the date of a search to view a list of the messages
matching the search parameters.
To copy a quarantine search

Go to AntiSpam > Quarantine > Recipients.

Select Search, beside the domain drop down menu.

Expand the Search Result heading to reveal the saved searches.

Select the Copy to New icon for the search you want to copy.

The New Search Task heading expands revealing the search fields with all the
search parameters of the search you are copying.

Modify the search parameters as required.

Select OK to save the new search.


To delete a quarantine search

Go to AntiSpam > Quarantine > Recipients.

Select Search, beside the domain drop down menu.

Expand the Search Result heading to reveal the saved searches.

Select the Delete icon for the search you want to delete.

Releasing and deleting quarantined spam


The FortiMail unit uses two control accounts, one auto release account and one
auto delete account, to release or delete quarantined email.

When you enter the auto release and auto delete account names, the FortiMail
unit automatically adds its local domain name after the account names to turn the
account names into email addresses and adds the addresses into the spam
summary report. This way, email users can send requests to release or delete
quarantined email to the FortiMail unit when they receive the spam summary
reports.
To configure the auto release and auto delete accounts
Go to AntiSpam > Quarantine > Control Account.

Type the auto release account name in the Release User field and the auto delete
account name in the Delete User field.

Select OK.
Note: If you have more than one FortiMail unit, the auto release and auto delete account
names you enter must be unique to each FortiMail unit.

Scheduling spam reports


You can set the time for the FortiMail unit to send spam reports to email users. If
no spam messages are received in the specified report period, no report will be
sent. Depending on the email client software settings, the spam report can be
displayed in either text or HTML format.
Spam report scheduling and settings can be configured separately for each
domain. See "Spam Report Setting" on page 133 for details.
To schedule delivery of spam reports
Go to AntiSpam > Quarantine > Spam Report.

These Hours provides 24 check boxes, one for each hour of the day. Select each
hour you want the FortiMail unit to generate a spam report.

These Days provides 7 check boxes, one for each day of the week. Select each
day you want the FortiMail unit to generate spam reports.

Select Apply.
Once the hours and days have been selected, the FortiMail unit will generate
spam reports on each selected hour during each selected day.
To configure webmail access
The FortiMail unit can allow access to a user quarantine directly from a spam
report, without the user having to enter a username and password.

Go to AntiSpam > Quarantine > Spam Report.

Expand the Webmail Access Setting heading.

Select Time Limited Access Without Authentication to allow users to access their
quarantine without having to log in. A link on their spam report will include a URL
to allow this access. If this feature is disabled, the link will require the user to enter
their username and password.

Enter the number of hours the spam report link will allow the user to access their
quarantine without entering a username and password. If the link is used after the
configured number of hours, the users will be informed the link has expired and
redirected to the quarantine login page.

If secure quarantine access is required, select Using HTTPS. When the user
selects a release link in an HTML formatted spam quarantine report, the request
will be transmitted using the HTTPS protocol. The Using HTTPS selection has no
effect on email release requests.
A secondary function of the Using HTTPS option is to redirect all HTTP attempts
to connect to the FortiMail webmail interface to HTTPS. For example, if a user
enters http://mail.example.com to log in to webmail, they'll be automatically
redirected to https://mail.example.com when Using HTTPS is enabled.
Note: For this HTTP to HTTPS redirection to function properly, the administrator must allow
access to both HTTP and HTTPS protocols on the FortiMail interface to which the user is
connecting.

If the Local Domain Name for the mail server specified in Mail Settings >
Settings > Local Host is not resolvable from everywhere users will receive their
mail, specify an alternate resolvable host name in the Web Release Hostname/IP
field.
If the Web Release Hostname/IP field is left blank in gateway mode, the HTTP
release link in the spam quarantine report will use the mail server name specified
in the Local Domain Name field in Mail Settings > Settings > Local Host.
If the Web Release Hostname/IP field is left blank in transparent mode, the HTTP
release link in the spam quarantine report will use the FortiMail unit's
management IP address.
If the Web Release Hostname/IP field is left blank in server mode, the HTTP
release link in the spam quarantine report will use the first domain listed in
Mail Settings > Domains > Domains.

Select Apply.
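How a time-limited, no-login report link with the host fallbacks described above can be built and checked, as an added Python sketch (not FortiMail's implementation). The URL layout, the parameter names user, exp and sig, the HMAC construction and the key are all assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical signing key; a real deployment would generate and protect its own.
SECRET_KEY = b"constructed-demo-key"


def release_host(mode, web_release_host, local_domain, mgmt_ip, first_domain):
    """Pick the host used in report links, following the fallbacks described above."""
    if web_release_host:
        return web_release_host
    fallback = {"gateway": local_domain, "transparent": mgmt_ip, "server": first_domain}
    return fallback[mode]


def _sign(user, expires):
    # The signature binds the mailbox owner to the expiry time.
    msg = f"{user}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_link(host, user, hours, use_https, now=None):
    """Build a report link that is valid for the configured number of hours."""
    now = int(time.time()) if now is None else int(now)
    expires = now + hours * 3600
    query = urlencode({"user": user, "exp": expires, "sig": _sign(user, expires)})
    scheme = "https" if use_https else "http"
    return f"{scheme}://{host}/quarantine?{query}"


def check_link(url, now=None):
    """Return ("quarantine", user), or ("login", None) if the link is expired or altered."""
    now = int(time.time()) if now is None else int(now)
    params = parse_qs(urlsplit(url).query)
    try:
        user = params["user"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return ("login", None)
    # Constant-time comparison; bytes are used so non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode(), _sign(user, expires).encode()):
        return ("login", None)
    if now > expires:
        return ("login", None)  # expired: the user must log in instead
    return ("quarantine", user)


if __name__ == "__main__":
    host = release_host("transparent", "", "fm3.example.com", "192.168.1.1", "example.com")
    link = make_link(host, "user1@example.com", hours=2, use_https=True)
    print(link)
    print(check_link(link))
```

A link of this kind is a bearer credential: anyone who holds the report email can open that user's quarantine until the link expires, which is the reason to keep the hour limit short and to select Using HTTPS.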
To configure the spam report recipient
By default, each user receives a spam report listing all of the messages in their
own quarantine. To configure the FortiMail unit to deliver a single spam report
including all the quarantined items to a single user, follow these steps:

Go to AntiSpam > Quarantine > Spam Report.

Expand the Spam Report Recipient Setting heading.

Every domain configured on the FortiMail unit is listed. By default, each is
configured to deliver a spam report to each user.

To have a single spam report message including all quarantined messages
delivered to one user, select Send to Other Recipient for the domain to be
changed.

Enter the destination email address in the field.

Select Apply.

Understanding the text formatted spam report


The following sample report in text format informs email users of how many
messages they have in quarantine, how to delete all quarantined messages, and
how to release or delete individual messages. The subject line and sender
information of each message is included to help the user decide whether to
release, delete, or do nothing with each quarantined message.

To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [3 message(s) quarantined from Wed, 11 Jul 2007 11:00:01
to Wed, 11 Jul 2007 12:00:01]
Date: Wed, 11 Jul 2007 12:00:01 -0400

Date: Wed, 11 Jul 2007 11:11:25
Subject: Sign up for FREE offers!!!
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166681.l6BFAj510009380000@fm3.example.com

Date: Wed, 11 Jul 2007 11:14:16
Subject: Buy cheap stuff!
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166854.l6BFDchG0009440000@fm3.example.com

Date: Wed, 11 Jul 2007 11:15:46
Subject: Why pay more?
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166944.l6BFF7HI0009460000@fm3.example.com

Actions:
o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
user1@example.com:Message-Id.
o) Delete a message:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
user1@example.com:Message-Id.
o) Delete all messages:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0.

Table 10: Sample text spam report breakdown

Annotation

Report content

Report Header

To: user1@example.com
From: release-ctrl@fm3.example.com
Sent: Wed, 11 Jul 2007 12:00:01 -0400
Subject: Quarantine Summary: [3 message(s) quarantined from Wed, 11
Jul 2007 11:00:01 to Wed, 11 Jul 2007 12:00:01]

Spam information

Date: Wed, 11 Jul 2007 11:11:25
Subject: Sign up for FREE offers!!!
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166681.l6BFAj510009380000@fm3.example.com

Spam information

Date: Wed, 11 Jul 2007 11:14:16
Subject: Buy cheap stuff!
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166854.l6BFDchG0009440000@fm3.example.com

Spam information

Date: Wed, 11 Jul 2007 11:15:46
Subject: Why pay more?
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166944.l6BFF7HI0009460000@fm3.example.com

Instructions

Send an email to release-ctrl@example.com with subject line set to
the message id to release the message.

Send an email to delete-ctrl@example.com with subject line set to
the message id to erase the message.

Send an email to delete-ctrl@example.com with subject line set to
"delete_all" to delete all messages.
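A parser for the text report and for the control subject lines it describes, as an added Python example (not FortiMail code). The function names are hypothetical, the embedded report is the sample from this page, and the hexadecimal fields of the delete_all subject are treated as opaque.

```python
import re

# Sample text-format spam report, copied from this page.
SAMPLE_REPORT = """\
To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [3 message(s) quarantined from Wed, 11 Jul 2007 11:00:01
to Wed, 11 Jul 2007 12:00:01]
Date: Wed, 11 Jul 2007 12:00:01 -0400

Date: Wed, 11 Jul 2007 11:11:25
Subject: Sign up for FREE offers!!!
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166681.l6BFAj510009380000@fm3.example.com

Date: Wed, 11 Jul 2007 11:14:16
Subject: Buy cheap stuff!
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166854.l6BFDchG0009440000@fm3.example.com

Date: Wed, 11 Jul 2007 11:15:46
Subject: Why pay more?
From: Spam Sender <spamsender@example.org>
Message-Id: 1184166944.l6BFF7HI0009460000@fm3.example.com

Actions:
o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
user1@example.com:Message-Id.
o) Delete a message:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
user1@example.com:Message-Id.
o) Delete all messages:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0.
"""

FIELD = re.compile(r"^(To|From|Subject|Date|Message-Id):\s*(.*)$")
ADDR = r"[^:\s]+@[^:\s]+"
ONE_MESSAGE = re.compile(rf"^(?P<rcpt>{ADDR}):(?P<msgid>{ADDR})$")
DELETE_ALL = re.compile(rf"^delete_all:(?P<rcpt>{ADDR}):(?P<token>[0-9a-f]+(?::[0-9a-f]+)*)$")


def _parse_block(block):
    """Turn one blank-line-delimited block of 'Name: value' lines into a dict."""
    fields, last = {}, None
    for line in block.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.strip():
            fields[last] += " " + line.strip()  # wrapped continuation line
    return fields


def parse_report(text):
    """Split a text report into recipient, quarantined entries and control addresses."""
    body, _, actions = text.partition("Actions:")
    blocks = [_parse_block(b) for b in re.split(r"\n\s*\n", body.strip())]
    found = re.findall(r"o\) (Release|Delete) a message:\s*Send an email to <([^>]+)>", actions)
    return {
        "recipient": blocks[0]["To"],
        "entries": [b for b in blocks[1:] if "Message-Id" in b],
        "control": {action.lower(): addr for action, addr in found},
    }


def control_request(report, index, action):
    """Return (to_address, subject) that releases or deletes one quarantined entry."""
    entry = report["entries"][index]
    return report["control"][action], f'{report["recipient"]}:{entry["Message-Id"]}'


def parse_control_subject(subject):
    """Classify a control subject; None means it does not follow the documented form."""
    s = subject.strip()
    m = DELETE_ALL.match(s)
    if m:
        return {"scope": "all", "recipient": m["rcpt"], "token": m["token"]}
    m = ONE_MESSAGE.match(s)
    if m:
        return {"scope": "one", "recipient": m["rcpt"], "message_id": m["msgid"]}
    return None  # e.g. the literal placeholder "Message-Id" was never replaced
```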

Understanding the HTML formatted spam report


The following sample report in HTML format informs email users of how many
messages they have in quarantine, how to delete all quarantined messages, and
how to release or delete individual messages. The subject line and sender
information of each message is included to help the user decide whether to
release, delete, or do nothing with each quarantined message.
Email release differs from web release in that email release opens an email
message ready to be sent to release the message in question. Web release
sends a release request using the HTTP protocol. If Using HTTPS is selected in
AntiSpam > Quarantine > Spam Report, the release request is instead sent
using the HTTPS protocol. Web release is only available if the report is displayed
in HTML format.
Figure 117: Sample HTML spam report

Table 11: Sample HTML spam report break-down

Annotation

Report content

Report Header

Subject: Quarantine Summary [3 message(s) quarantined from Wed, 11
Jul 2007 11:00:01 to Wed, 11 Jul 2007 12:00:01]
From: release-ctrl@fm3.example.com
Date: 2007-07-11 12:00 PM
To: user1@example.com

Spam message information

Date: Wed, 11 Jul 2007 11:11:25
Subject: Sign up for FREE offers!!!
From: Spam Sender <spamsender@example.org>
Web Actions: Release Delete
Email actions: Release Delete

Spam message information

Date: Wed, 11 Jul 2007 11:14:16
Subject: Buy cheap stuff!
From: "Spam Sender" <spamsender@example.org>
Web Actions: Release Delete
Email actions: Release Delete

Spam message information

Date: Wed, 11 Jul 2007 11:15:46
Subject: Why pay more?
From: "Spam Sender" <spamsender@example.org>
Web Actions: Release Delete
Email actions: Release Delete

Global Instructions

Select delete_all by web to erase all messages by having an HTTP
request sent. Once delete_all is selected, no further user input is
required.

Select delete_all by mail to have a completed delete_all email
message created. If the user sends the message, all of the user's
quarantined mail will be deleted.

Select Click Here to log in to the FortiMail webmail interface.

Example: FortiMail spam release and delete


The FortiMail unit can be configured to quarantine spam to the internal hard drive.
Each email user will have a quarantine directory automatically created, where the
spam messages sent to them will be stored. You can set up the FortiMail unit to
allow users to release or delete their quarantined messages by email or web.
This section will describe how to enable the spam quarantine and configure both
types of spam release.
This section contains the following topics:

Workflow

Enabling spam quarantine

Applying antispam profiles

Configuring web release

Configuring email release

Workflow
You can configure the FortiMail unit to quarantine spam to the local drive. The
FortiMail unit has a spam quarantine folder for each email user in which it stores
the spam email sent to the user. You can set up the FortiMail unit to allow users to
release or delete their quarantined email.

Enabling spam quarantine


Enable spam quarantine when configuring antispam profiles.
To enable spam quarantine - Web-based manager
Go to Profile > AntiSpam.

If you're creating a new profile, select Create New and enter a profile name. If
you're editing an existing profile, select the Edit icon of the profile to be edited.

Expand Actions.

Select and expand Quarantine.

For Delete Messages, enter the number of days that you want to keep the
quarantined email on the FortiMail unit.

Select Send spam report to have a report of the quarantined spam automatically
generated and sent to each user.

Select Email Release to allow users to release or delete spam messages from
their quarantine using email.

Select Web Release to allow users to release or delete spam messages from their
quarantine using HTML mail.

Select OK.

Applying antispam profiles


When configuring policies for email users, add an antispam profile with spam
quarantine enabled.
To configure a policy - Web-based manager
Go to Policy > Recipient-based.

Select the domain from the drop down list to which you want to add policies for
email users.

Select Create New.

Enter the User Name.
The user name you enter must match the same user's name on the email server.
Normally it is in the format of an email ID. You can also use an asterisk to
represent all users of the selected domain.

Select an antispam profile with spam quarantine enabled.

Select OK.

Configuring web release


Web release is the simplest means for users to release or delete their quarantined
mail. With web release, spam reports are HTML-formatted messages containing a
release and delete link for each message. The user can click the appropriate link
to trigger the action.
Using web release requires an email client capable of displaying HTML
messages.

Configuring the network for web release


Depending on the operating mode, the links included in the spam report will be
generated using different FortiMail settings:

• In gateway mode, the links in the spam report will use the local domain
specified in Mail Settings > Settings > Settings.

• In server mode, the links in the spam report will use the first domain listed in
Mail Settings > Domains.

• In transparent mode, the links in the spam report will use the management IP
address.

If these domains or IP addresses cannot be resolved by all users receiving
spam reports, you can specify an alternate domain or IP address. Go to
AntiSpam > Quarantine > Spam Report and enter the alternate domain/IP in
the Web Release Host Name/IP field.

Sample HTML spam summary report


See "Understanding the HTML formatted spam report" on page 215 for a
description of the contents of a spam report configured to use web release.

Configuring email release


Email release requires the user to send an email message to the FortiMail unit to
release or delete quarantined spam. The spam report contains the text that must
be used in the subject of the message.
If the user's mail client is capable of displaying HTML mail, release and delete
links will be provided for each quarantined message. Selecting the appropriate
link will open a blank message with the required information in the subject. The
user only has to send the message. No modification is required.
If the user's mail client is capable of displaying only text mail, each quarantined
message will have a message ID, uniquely identifying it. The appropriate message
ID must be copied and pasted into the subject of a new message. The message
must then be addressed to either the release or delete account on the FortiMail
unit and sent. When the message is received, the FortiMail unit will release or
delete the specified message. For the user's convenience, the release and delete
email addresses and the required formatting of the subject line are provided in
each spam report.

Configuring the network for email release


Depending on the operating mode, the email addresses given in the spam report
will be generated using different FortiMail settings:

• In gateway mode, the email addresses in the spam report will use the local
domain specified in Mail Settings > Settings > Settings.

• In server mode, the email addresses in the spam report will use the first
domain listed in Mail Settings > Domains.

• In transparent mode, the email addresses in the spam report will use the
management IP address.

Configuring auto release and auto delete accounts


Configure the auto release and auto delete account names so that the FortiMail
unit can add them to the spam reports for the email users.
To configure auto release accounts - Web-based manager
Go to AntiSpam > Quarantine > Control Account.

Enter account names in the Release User and Delete User fields.

Select OK.

Sample text spam summary report


See "Understanding the text formatted spam report" on page 213 for a description
of the contents of a spam report configured to use email release.

Managing the system quarantine


The FortiMail unit can be configured to quarantine email on its hard drives based
on the message contents.
Any FortiMail unit can be configured to store its quarantined messages in a
centralized quarantine hosted on a FortiMail-2000 or larger. See "Configuring
storage settings" on page 127 for details.

System Quarantine
The system quarantine is where email caught by content monitoring and outgoing
spam detection may be held. Unlike the spam quarantine, users receive no
notification of mail held in the system quarantine.
Periodic review of the mail is required because no notification listing the system
quarantined messages is sent. A regular admin user can review the system
quarantine as described in "To view the system quarantine (admin user)" on
page 220.
A special-purpose admin user account also exists for checking the system
quarantine. This system quarantine admin logs into the same GUI interface as
regular administrators, but only has access to the system quarantine. This way,
the administrator of the FortiMail unit can assign the periodic review of the system
quarantine to someone else without allowing them administrator access to all the
FortiMail unit settings. For access instructions, see "To view the system
quarantine (system quarantine admin user)" on page 221. For configuration
details, see "To configure the system quarantine admin user" on page 220.

To manage the system quarantine


Go to AntiSpam > Quarantine > System quarantine Setting.

Configure the following settings.


Account Name and Password

Specify the user name and password credentials for the system
quarantine admin user. IMAP, POP3, and web access are available
to this user for reviewing the messages held in the system
quarantine. Web access is permitted by logging in to the admin
GUI, not webmail.

Forward To

Specify an email address to which a copy of each system
quarantined message will be forwarded.

Mailbox rotation size

Specify mailbox rotation size. When the mailbox reaches the
rotation size or time threshold, the mailbox (mbox file) will be
renamed and backed up. A new mailbox file will be generated, into
which the new email is saved. Permitted rotation size is from 10 to
200 megabytes.

Mailbox rotation time

Specify mailbox rotation time. Permitted rotation time is from 1 to
365 days.

Disk Quota

Specify the maximum amount of disk space the system quarantine
will be permitted to use. This total includes rotated mailbox files.
The maximum permitted disk quota depends on available disk
capacity.

Quarantine options when disk quota is full

Specify the action taken as new messages arrive in the system
quarantine when it has reached its disk quota. Select Overwrite to
replace the oldest messages in the system quarantine with new
messages. Select Do Not Quarantine to prevent any new
messages from being quarantined. Note however that Do Not
Quarantine will still prevent messages from being delivered. Since
they're not quarantined, they're simply deleted.

Access Address Book

Select to add or delete email addresses. These addresses are
available when forwarding messages from the system quarantine.
The address book can also be backed up or restored.

To configure the system quarantine admin user


Go to AntiSpam > Quarantine > System quarantine Setting.

Under Account settings, enter the system quarantine admin user account name
and password.

Select Apply to enable changes.


To view the system quarantine (admin user)
Regular administrators can review the system quarantine at any time.

Go to AntiSpam > Quarantine > System quarantine.
The system quarantine folders are displayed.

The folder named Inbox contains the most recently quarantined messages. When
the Inbox folder exceeds the Mailbox Rotation Size set in AntiSpam >
Quarantine > System quarantine Setting, it is renamed and a new Inbox folder
is created. Rotated folder names include their creation date and rotation date.

Select a folder, and a list of quarantined messages in the selected folder is
displayed.
You can select the number of lines to view on a page and sort the recipients by
any column heading by selecting it.

Select a message subject to view the message. While viewing the message, it
can be released to the user, forwarded to another address, or deleted. The
message's full header can be viewed by selecting detail header.

Select Expunge to reclaim disk space used by messages deleted from the system
quarantine. When quarantined email is deleted, the message is marked as
deleted and removed from the message list. The message will still take up disk
space, however. Expunge will reclaim this disk space.
To view the system quarantine (system quarantine admin user)
The system quarantine admin user is a special admin account limited to system
quarantine access only.

Open the admin GUI login window in your browser using either the IP address or
the host name of the FortiMail unit. For example, https://192.168.1.1/admin.

Log in to the FortiMail unit admin GUI using the system quarantine admin account
name and password.

After successfully logging in, the system quarantine page is immediately
displayed. This is the only part of the FortiMail unit the system quarantine admin is
allowed access to.
The messages in the system quarantine can also be reviewed using POP3 or
IMAP clients. Use the system quarantine admin account name and password,
with the FortiMail unit's address as the mail server.

Using the FortiGuard-Antispam service


FortiGuard-Antispam service is an antispam system from Fortinet that uses an IP
address black list and a URI domain black list. The actions to take against
messages identified as spam are defined in the antispam profile assigned to each
email user. See "Creating email filtering and control profiles" on page 161.
For more information about FortiGuard-Antispam service, see "FortiGuard-Antispam
service" on page 15.

Configuring the FortiGuard-Antispam service


If you have ordered FortiGuard-Antispam service through Fortinet technical
support or are using the free 30-day trial, you only need to enable the service to
start using the FortiGuard-Antispam service.
To configure the FortiGuard-Antispam service
Go to AntiSpam > FortiGuard-Antispam.


Select Enable Service to activate the FortiGuard-Antispam service.

Select Check status to make sure the FortiMail unit can access the
FortiGuard-Antispam server.
After a moment, the FortiGuard-Antispam status should change from Unknown to
Available. If the FortiGuard-Antispam service status is unavailable, wait and try
again.

Enter an IP or URI and select Query FortiGuard to determine the address status in
the FortiGuard system. The result will be displayed on the line below.

Enable and set a TTL (Time To Live) for the cache.


This sets the number of seconds to store the results of antispam queries from the
FortiGuard servers. If the cache is enabled, locally cached antispam query
information will be checked before contacting the FortiGuard service, possibly
reducing network bandwidth use.

Select Apply.
You can now enable FortiGuard-Antispam service for any antispam profile you
create.
Once you select Apply, the FortiGuard-Antispam license type and expiration date
appear.

Training Bayesian databases


Bayesian analysis is used to evaluate the header and content of an email
message to determine the probability that it is spam. Bayesian analysis is an
extension of the work of the 18th-century English mathematician Thomas Bayes.
Bayesian filters recognize spam messages by looking at the words (or tokens)
they contain. The Bayesian filter starts with two collections of email, one of known
spam and one of known non-spam email. For every word in these email
messages, it calculates the probability of a scanned message being spam based
on the proportion of spam occurrences.
However, spammers are constantly trying to invent new ways to defeat spam
filters. Certain words, commonly identified as characteristic of spam, can be
altered by the insertion of symbols such as periods, or by the use of nonstandard
but readable characters such as , , , or . Therefore, the Bayesian database
still needs to be trained to incorporate new data to maintain accuracy.

Bayesian database types


The FortiMail unit can maintain three types of Bayesian databases: global, group,
and user. They all work in the same way with the Bayesian scanning engine, but
each is designed for a different application.

Global
The global Bayesian database can be used to scan any or all mail sent and
received by the FortiMail unit. If separate by-domain Bayesian databases are not
required, the global database is the ideal choice because there is only one
database to maintain.
There is only one global Bayesian database on a FortiMail unit.


The global database is also used for all Bayesian scans enabled in outgoing
antispam profiles. Since only outgoing antispam profiles are available for selection
in IP-based policies, all Bayesian scanning triggered by IP-based policies uses
only the global Bayesian database.

Group
The group Bayesian databases are maintained on a per-protected-domain basis.
This allows the flexibility of a database tailored to filter the mail to each domain.
Mail messages sent to all protected domains, and matching recipient-based
policies, use group Bayesian databases by default when Bayesian scanning is
enabled.
Because group databases are domain-based, a separate group database is
maintained for each protected domain.

User
The user Bayesian databases are maintained on a per-user basis for each
protected domain. This allows the user Bayesian database to be fine-tuned to only
the mail traffic the user receives.
Each user on each protected domain has a separate Bayesian database stored
on the FortiMail unit. Therefore, if example.com and example.org are defined as
protected domains, user1@example.com and user1@example.org will have
separate user Bayesian databases even if both accounts belong to the same
person.
User Bayesian databases are unique in that they can work with either the group or
global database, whichever is active for the domain. If a user database is mature,
it will be used by the Bayesian scan to determine if an incoming message is spam.
The global and group Bayesian databases are not used.
A user Bayesian database is considered mature and able to scan mail with an
acceptable level of accuracy when it has been trained with a minimum of 100
spam messages and 200 non-spam messages. Until a user database is mature,
the Bayesian scanner will refer to either the global or group database, whichever
is enabled for the recipient domain, when the user database does not contain the
information required for the scan.
To more quickly train user databases to a mature state, the Use other techniques
for auto training option can be enabled in incoming antispam profiles. This option
takes incoming mail and uses it to train the user Bayesian database in either of
these two circumstances:

the message is detected as spam by the FortiGuard or SURBL scans

the message is exempted from antispam scanning because of a system white
list or user white list match

Once the user database matures, however, the global and group databases are no
longer referenced, and no automatic training occurs.
To change the database type a domain uses

Go to Mail Settings > Domains, and select the Edit icon of the domain you want
to configure.

Expand the Advanced AS/AV Settings.


Enable Using Global Bayesian to have the current domain use the global
Bayesian database. Disable Using Global Bayesian to have the current domain
use its own group Bayesian database.

Select OK.

Initial training of the Bayesian databases


The FortiMail unit uses an account system (see Configuring Bayesian control
accounts on page 230) to train its Bayesian filters so mail scanning is more
efficient and accurate. How the administrator trains the Bayesian databases when
initially configuring the FortiMail unit depends on which databases will be used.
The initial Bayesian training is typically carried out as follows:

The administrator trains the global database. This ensures the Bayesian scanner
has a database to use for all Bayesian scans on outgoing mail, mail handled by
IP-based policies, and for incoming mail to domains configured to use the global
database.
The global database can be left untrained if these conditions are both true:

no outgoing antispam profiles have Bayesian scanning enabled

no domains are configured to use the global Bayesian database

The administrator trains the group database for each protected domain. This
ensures the Bayesian scanner has a database to use for Bayesian scans on mail
handled by incoming recipient-based policies to domains not configured to use the
global database.
The group database for a protected domain can be left untrained if either of these
conditions is true:

the domain is configured to use the global Bayesian database

no incoming recipient-based policies are used with the domain

If the Accept training messages from users option is enabled in any antispam
profile, the administrator notifies email users about the email training accounts
and their use.
If user Bayesian databases are enabled, training messages are applied to the
sender's database. In addition, training messages are also applied to either the
global Bayesian database or the group Bayesian database, whichever is enabled
for the sender's domain.
If user Bayesian databases are disabled, training messages are applied to either
the global Bayesian database or the group Bayesian database, whichever is
enabled for the sender's domain.
Training messages matching a policy in which the antispam profile has user
training disabled are discarded without notifying the sender.


If user databases are enabled, email users train their individual databases by
forwarding undetected spam and the good email incorrectly detected as spam to
the FortiMail unit.
Until users build up a mature database (100 spam, and 200 non-spam email
messages) with their own message submissions, the Bayesian scanner will refer
to either the global or group database, whichever is enabled for the recipient
domain, when the user database does not contain the information required for the
scan.
In addition, the option Use other techniques for auto training can be enabled in
incoming antispam profiles to help each user's database reach a mature state
more quickly.
Use the following procedures to configure Bayesian training and accounts.

Configuring Bayesian control accounts

Maintaining Bayesian databases

Managing Bayesian databases


If you set up separate mbox files containing spam and non-spam email messages,
you can use these files to train global, group, and user Bayesian databases. This
is an especially efficient method of training an empty Bayesian database.
Bayesian databases can also be backed up and the backup file restored to
another user, domain, or even another FortiMail unit.
You can also view the status of all three types of Bayesian databases by going to
AntiSpam > Bayesian > User.

Global database and group databases


To manage and view the status of the global and group Bayesian databases, go to
AntiSpam > Bayesian > User. In the domain drop down, select Global Bayesian
to view statistics for the global database, or select the domain of your choice.
Whether Global Bayesian or a domain of your choice is selected, the available
options are similar, with a few exceptions:

If the domain is set to Global Bayesian, the username field is not displayed.

If the selected domain is configured to use the global Bayesian database, the
training options are not displayed, and the training summary totals are shown
to be zero.


Figure 118: Group database options

Select a domain
Select Global Bayesian to manage the global Bayesian database, or
select a domain to manage its group Bayesian database.
For information on creating domains in gateway and transparent
modes, see Configuring domains (transparent and gateway modes)
on page 129.
For information on creating domains in server modes, see Creating a
new email domain (server mode) on page 136.

Summary
Displays the status of Bayesian database training on the selected
domain.
If the Summary values are 0, the group database for this domain has
not been trained. Summary values will also display as 0 for domains
configured to use the global Bayesian database.

Operations
Select Train global bayesian database with mbox files or Train
group bayesian database with mbox files to open the Bayesian
training page. See To train a global or group Bayesian
database on page 227.
Select Backup global bayesian database or Backup group
bayesian database to open the Backup bayesian group
database page. See To back up a global or group Bayesian
database on page 227.
Select Restore global bayesian database or Restore group
bayesian database to open the Restore the group DB page. See
To restore a global or group Bayesian database on page 228.
Select Reset group bayesian database to reset the Bayesian
group database. See To reset a global or group Bayesian
database on page 228.

Username
Enter a user name and select OK to view the status of a user Bayesian
database.
This option is not available for the global Bayesian database.

Enter an email user ID in the Username field and select OK to see additional user
options and information:


User

Summary
Displays the status of Bayesian training on a user's
database.
If the Summary values are 0, the specified user's database
on this domain has not been trained.
The Alert message shows if the user's Bayesian database
has reached the required threshold (100 spam messages
and 200 non-spam messages) to accurately detect spam.

Operations
Select Train user bayesian database with mbox files
to open the Bayesian user training page. See To train
the user Bayesian database on page 228.
Select Backup user bayesian database to open the
Backup bayesian user database page. See To back
up a user Bayesian database on page 229.
Select Restore user bayesian database to open the
Restore the user DB page. See To restore a user
Bayesian database on page 229.
Select Reset user bayesian database to reset the
Bayesian user database. See To reset a user
Bayesian database on page 229.

To train a global or group Bayesian database



Go to AntiSpam > Bayesian > User.


Depending on the type of database you will train, follow the appropriate step:

To train the global database, choose Global Bayesian in the domain drop down
menu and select the link named Train global bayesian database with mbox
files.

To train a group database, choose the domain associated with the group
database in the domain drop down menu and select the link named Train
group bayesian database with mbox files.

A window opens allowing you to specify the mbox files containing spam and
non-spam messages.

For the Innocent Mailbox, select Browse to find the mbox file containing non-spam
email.

For the Spam Mailbox, select Browse to find the mbox file containing spam email.

Select OK.
The database training begins. Depending on the size of the mailbox files, this
process may take a few minutes.
To back up a global or group Bayesian database

Go to AntiSpam > Bayesian > User.

Depending on the type of database you will back up, follow the appropriate step:

To back up the global database, choose Global Bayesian in the domain drop
down menu and select the link named Backup global bayesian database.

To back up a group database, choose the domain associated with the group
database in the domain drop down menu and select the link named Backup
group bayesian database.

Select the location to which the database backup file will be written. Change the
file name if required.


Select OK.
The database backup file is saved.
To restore a global or group Bayesian database

Go to AntiSpam > Bayesian > User.

Depending on the type of database you will restore, follow the appropriate step:

To restore the global database, choose Global Bayesian in the domain drop
down menu and select the link named Restore global bayesian database.

To restore a group database, choose the domain associated with the group
database in the domain drop down menu and select the link named Restore
group bayesian database.

In the new window, select Browse and find the backup file to be restored.

Select OK.

The database backup file is restored. Select Browse to find the saved group
Bayesian data file.

Select OK. Depending on the size of the backup file, this process may take a few
minutes.
The selected database backup file is restored.
To reset a global or group Bayesian database

Caution: Resetting a group database deletes all the training information stored in the
database.

Go to AntiSpam > Bayesian > User.

Depending on the type of database you will reset, follow the appropriate step:

To reset the global database, choose Global Bayesian in the domain drop
down menu and select the link named Reset global bayesian database.

To reset a group database, choose the domain associated with the group
database in the domain drop down menu and select the link named Reset
group bayesian database.

A confirmation window appears. If you are sure you want to reset the database,
select OK.
The database is reset. Depending on the size of the database, this process may
take a few minutes.
To view an email user's Bayesian database

Go to AntiSpam > Bayesian > User.

In the domain drop down menu, select the domain the user's account belongs to.

Enter the user ID in the Username field.

Select OK.
The user's database summary and database operation options are displayed.
To train the user Bayesian database


Go to AntiSpam > Bayesian > User.

In the domain drop down menu, select the domain the user's account belongs to.

Enter the user ID in the Username field.

Select OK.

Select Train user bayesian database with mbox files.

For the Innocent Mailbox field, select Browse to find the mailbox file containing
non-spam email.

For the Spam Mailbox field, select Browse to find the mailbox file containing spam
email.

Select OK.
The user database training begins. Depending on the size of the mailbox files, this
process may take a few minutes.
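
A pre-upload check for the Innocent Mailbox and Spam Mailbox files used in the global, group and user training procedures above. This is an added example, not part of the guide or of FortiMail; the function names and the sample messages are constructed, and the 100/200 counts are the user database maturity thresholds stated in this guide.

```python
import hashlib
import mailbox
import os
from email.message import EmailMessage

# Maturity thresholds the guide states for a user Bayesian database.
SPAM_MIN = 100
NONSPAM_MIN = 200


def fingerprint(msg):
    """Hash the subject and whitespace-normalised body parts of one message.

    Transport headers (Received, Date, Message-ID) are ignored so that the
    same mail saved twice, or filed in both mailboxes, hashes identically.
    """
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    digest = hashlib.sha256(subject.encode("utf-8", "replace"))
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        digest.update(b"\0" + b" ".join(payload.split()))
    return digest.hexdigest()


def scan_mbox(path):
    """Return the list of message fingerprints found in an mbox file."""
    box = mailbox.mbox(path, create=False)
    try:
        return [fingerprint(m) for m in box]
    finally:
        box.close()


def preflight(innocent_path, spam_path):
    """Compare the Innocent Mailbox and Spam Mailbox files before upload."""
    innocent, spam = scan_mbox(innocent_path), scan_mbox(spam_path)
    conflicts = set(innocent) & set(spam)      # same mail labelled both ways
    usable_innocent = set(innocent) - conflicts
    usable_spam = set(spam) - conflicts
    return {
        "innocent_total": len(innocent),
        "spam_total": len(spam),
        "innocent_duplicates": len(innocent) - len(set(innocent)),
        "spam_duplicates": len(spam) - len(set(spam)),
        "conflicts": len(conflicts),
        "usable_innocent": len(usable_innocent),
        "usable_spam": len(usable_spam),
        "reaches_user_maturity": (len(usable_spam) >= SPAM_MIN
                                  and len(usable_innocent) >= NONSPAM_MIN),
    }


def write_mbox(path, messages):
    """Write (subject, body) pairs to a new mbox file (sample-data helper)."""
    box = mailbox.mbox(path)
    try:
        for subject, body in messages:
            m = EmailMessage()
            m["From"] = "sender@example.org"
            m["To"] = "user1@example1.com"
            m["Subject"] = subject
            m.set_content(body)
            box.add(m)
        box.flush()
    finally:
        box.close()


def build_constructed_sample(directory):
    """Create two small, constructed mbox files and return their paths."""
    innocent = os.path.join(directory, "innocent.mbox")
    spam = os.path.join(directory, "spam.mbox")
    write_mbox(innocent, [
        ("Meeting moved", "The review is now at 15:00 in room 2."),
        ("Invoice 1042", "Please find the invoice for March attached."),
        ("Limited offer", "Claim your prize today."),        # also in spam file
    ])
    write_mbox(spam, [
        ("Cheap watches", "Best replica prices, order now."),
        ("Cheap watches", "Best replica prices,   order now."),  # duplicate
        ("Limited offer", "Claim your prize today."),        # conflict
    ])
    return innocent, spam


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in preflight(*build_constructed_sample(tmp)).items():
            print(f"{key}: {value}")
```

A message that appears in both files trains the database in both directions, so resolve every conflict before selecting OK.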
To back up a user Bayesian database

Go to AntiSpam > Bayesian > User.

In the domain drop down menu, select the domain the user's account belongs to.

Enter the user ID in the Username field.

Select OK.

Select Backup user bayesian database.

Select the location to which the database backup file will be written. Change the
file name if required.

Select OK.
The database backup file is saved.
To restore a user Bayesian database

Go to AntiSpam > Bayesian > User.

In the domain drop down menu, select the domain the user's account belongs to.

Enter the user ID in the Username field.

Select OK.

Select Restore user bayesian database.

In the new window, select Browse and find the backup file to be restored.

Select OK.
The selected database backup file is restored.
To reset a user Bayesian database

Caution: Resetting a user database deletes the database.

Go to AntiSpam > Bayesian > User.

In the domain drop down menu, select the domain the user's account belongs to.

Enter the user ID in the Username field.

Select OK.

Select Reset user bayesian database.


A confirmation window appears. If you are sure you want to reset the database,
select OK.
The database is reset. Depending on the size of the database, this process may
take a few minutes.

Configuring Bayesian control accounts


The FortiMail unit has five pre-defined control accounts for Bayesian database
training. Email users send spam information to these accounts to train the
databases used in Bayesian scanning.
For the FortiMail unit to accept training messages, these conditions must both be
true:

The training messages must match a recipient-based policy.

The matching recipient-based policy must specify an antispam profile in which
the Accept training messages from users option is enabled.

If these conditions are not both true, training messages will be silently discarded
without being used for training.
If training messages are accepted, two factors determine which database or
databases benefit from Bayesian database training.

Whether the sender's domain is configured to use the global or group
Bayesian database.

Whether user Bayesian databases are enabled in the antispam profile
specified in the policy matching the training message.

When the FortiMail unit receives a training message, it examines the message to
determine the sender's domain. It then checks the domain configuration to see
whether the sender's domain is configured to use the global or group Bayesian
database. The message is then used to train the database the domain is
configured to use. If user Bayesian databases are enabled, the message is also
used to train the user's Bayesian database. The user is determined by the sender
address.
There are four training accounts. Two are used to correct misdiagnosed
messages that have already been processed by the FortiMail unit's Bayesian
routines. The other two accounts are used to train the Bayesian databases with
new messages not processed by the FortiMail unit's Bayesian routines.
Correction accounts:

Is Really Spam account (default name: is-spam)
Email examined by the FortiMail unit will sometimes contain spam
that was not detected. Users can inform the FortiMail unit of its
mistake by forwarding the missed spam message to the Is Really
Spam control account.

Is Not Really Spam account (default name: is-not-spam)
Email examined by the FortiMail unit will sometimes contain
non-spam that was incorrectly detected as spam. Users can inform
the FortiMail unit of its mistake by forwarding the non-spam
message to the Is Not Really Spam control account.

Training accounts:

Learn Is Spam account (default name: learn-is-spam)
If users have any mail that was not examined by the FortiMail unit,
they can send known spam to the Learn Is Spam account to train
the Bayesian database.

Learn Is Not Spam account (default name: learn-is-not-spam)
If users have any mail that was not examined by the FortiMail unit,
they can send known non-spam to the Learn Is Not Spam account
to train the Bayesian database.

Training Group user ID
The administrator can use this domain-based account name as the
from address to send confirmed spam to the Learn Is Spam user
account and good email to the Learn Is Not Spam user account to
train the global or group database, whichever the domain is
configured to use. No user databases are trained.
An administrator can also use his or her own user account to train the
global or group database, but this procedure would also train their
user database if it is enabled in the antispam profile. Using the
training group user account name will limit the training to only the
global or group database.
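
The training rules above, together with the scan-time database choice described under Bayesian database types, as a small Python model. This is an added example, not Fortinet code: the UnitModel class and its methods are hypothetical, and the model assumes the default control account names and the default-grp training group ID that appears in this guide's example.

```python
from dataclasses import dataclass, field

SPAM_MIN, NONSPAM_MIN = 100, 200               # maturity thresholds from the guide
SPAM_ACCOUNTS = {"is-spam", "learn-is-spam"}   # default control account names
NONSPAM_ACCOUNTS = {"is-not-spam", "learn-is-not-spam"}
TRAINING_GROUP_ID = "default-grp"              # name used in the guide's example


@dataclass
class Counts:
    spam: int = 0
    nonspam: int = 0

    @property
    def mature(self):
        return self.spam >= SPAM_MIN and self.nonspam >= NONSPAM_MIN


@dataclass
class UnitModel:
    """Hypothetical model of one unit's Bayesian databases (not product code)."""
    uses_global: dict                          # protected domain -> Using Global Bayesian
    dbs: dict = field(default_factory=dict)    # database name -> Counts

    def domain_db(self, domain):
        return "global" if self.uses_global[domain] else "group:" + domain

    def train(self, sender, rcpt, policy_match=True, accept_training=True,
              user_dbs=True):
        """Apply one training message and return the databases it trained.

        An empty list means the message was discarded without training.
        """
        account = rcpt.split("@", 1)[0].lower()
        if account in SPAM_ACCOUNTS:
            kind = "spam"
        elif account in NONSPAM_ACCOUNTS:
            kind = "nonspam"
        else:
            return []                          # not a control account
        if not (policy_match and accept_training):
            return []                          # both conditions must hold
        user, domain = sender.lower().split("@", 1)
        if domain not in self.uses_global:
            return []                          # assumption: unknown domain ignored
        targets = [self.domain_db(domain)]
        if user_dbs and user != TRAINING_GROUP_ID:
            targets.append("user:%s@%s" % (user, domain))
        for name in targets:
            counts = self.dbs.setdefault(name, Counts())
            setattr(counts, kind, getattr(counts, kind) + 1)
        return targets

    def scan_dbs(self, recipient, recipient_policy=True, user_dbs=True):
        """Return the databases consulted when scanning mail for recipient."""
        if not recipient_policy:
            return ["global"]                  # outgoing profile or IP-based policy
        recipient = recipient.lower()
        fallback = self.domain_db(recipient.split("@", 1)[1])
        if not user_dbs:
            return [fallback]
        user_db = "user:" + recipient
        if self.dbs.get(user_db, Counts()).mature:
            return [user_db]                   # mature: global/group not used
        return [user_db, fallback]             # immature: falls back as needed


def demo():
    """Walk the guide's example domains through training and scanning."""
    unit = UnitModel({"example1.com": False, "example2.com": True})
    out = {}
    for _ in range(100):
        unit.train("user1@example1.com", "learn-is-spam@example.com")
    for _ in range(199):
        unit.train("user1@example1.com", "learn-is-not-spam@example.com")
    out["one_short"] = unit.scan_dbs("user1@example1.com")
    unit.train("user1@example1.com", "learn-is-not-spam@example.com")
    out["mature"] = unit.scan_dbs("user1@example1.com")
    out["group_only"] = unit.train("default-grp@example1.com",
                                   "learn-is-spam@example.com")
    out["global_domain"] = unit.train("user1@example2.com", "is-spam@example.com")
    out["discarded"] = unit.train("user1@example1.com", "is-spam@example.com",
                                  accept_training=False)
    out["ip_policy"] = unit.scan_dbs("user1@example1.com", recipient_policy=False)
    group = unit.dbs["group:example1.com"]
    out["group_counts"] = (group.spam, group.nonspam)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```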

To configure Bayesian accounts



Go to AntiSpam > Bayesian > Control Account.

Enter the Bayesian training account names into the five user name fields.

Select OK.
Users will need to be informed of these account names and their usage so they
can send the four types of messages as required.
The account names are only part of the email address to which users will forward
training messages. They must append the FortiMail unit's local domain name to the
end of the account name. For example, if the FortiMail unit's local domain name is
example.com and the Is Really Spam user account name is is-spam, the email
address the users will send missed spam to is is-spam@example.com.

Maintaining Bayesian databases


You can back up, restore, or clear your Bayesian databases. These database
operations affect the global database, and all group and user databases for the
domains defined on the FortiMail unit. For more selective operations, see
Managing Bayesian databases on page 225.
To back up the Bayesian databases

Go to AntiSpam > Bayesian > DB Maintenance.

Select Backup Bayesian database.

Save the database.


To restore the Bayesian databases

Go to AntiSpam > Bayesian > DB Maintenance.

Select Restore Bayesian database.

Browse to find the saved database.

Select OK.
To repair the Bayesian databases

Go to AntiSpam > Bayesian > DB Maintenance.

Select Repair Bayesian database.

Select OK.


To reset the Bayesian databases



Go to AntiSpam > Bayesian > DB Maintenance.

Select Reset Bayesian database.

Select OK.

Caution: Resetting the Bayesian databases deletes all the databases.

Example: FortiMail Bayesian training


This section introduces an example FortiMail Bayesian configuration and
describes how it is set up at the system administration level.
This section contains the following topics:

Example company

Training user groups

Setting up Bayesian control accounts

Example company
Company X has set up a FortiMail unit to protect its email server by blocking spam
email. With over 1 000 email users, Company X plans to enable the FortiMail unit
Bayesian scanning capability. You, the system administrator, have been asked to
configure the FortiMail unit Bayesian training for the company.
Company X has divided its email users into three user groups and associated the
groups with three domains:
User Group    Domains
Group1        example1.com
Group2        example2.com
Group3        example3.com

The local domain name of Company X's FortiMail unit is example.com.

Training user groups


You need to train the three user groups first to ensure that Bayesian filtering works
for all email users before they start training their own databases.
Because the group database is domain-based, you need to set up the domains for
the email users on the FortiMail unit.
To set up domains in gateway and transparent modes - Web-based manager


Go to Mail Settings > Domains.

Select Create New.

For each domain, enter the corresponding user group information and select OK.
Field         Group1           Group2           Group3
FQDN          example1.com     example2.com     example3.com
IP Address    192.168.150.1    192.168.150.2    192.168.150.3

To set up domains in gateway and transparent modes - CLI


set policy example1.com modify ip 192.168.150.1
set policy example2.com modify ip 192.168.150.2
set policy example3.com modify ip 192.168.150.3
To set up domains in server mode - Web-based manager

Go to Mail Settings > Domains.

For each domain, enter the corresponding user group information and select OK.
Field         Group1           Group2           Group3
FQDN          example1.com     example2.com     example3.com

To set up domains in server mode - CLI


set mailserver localdomain example1.com
set mailserver localdomain example2.com
set mailserver localdomain example3.com
To train user group databases - Web-based manager
You need to generate two mailbox files (.mbx) with your email client to train the
user group databases. One file is for good email and the other for spam email. For
information on generating mailbox files, see your email client documentation.
User group training cannot be performed with CLI.

Go to AntiSpam > Bayesian > User.

Select example1.com.

Select Train group bayesian database with mbox files.

For Innocent Mailbox, select Browse to find the mailbox file that contains good
email.

For Spam Mailbox, select Browse to find the mailbox file that contains spam email.

Select OK.
The group training starts. Depending on the size of the mailbox files, this process
may take a few minutes.
Repeat these steps for example2.com and example3.com to train the Bayesian
databases for all three domains.
To train user group databases - email
You can also use the control accounts (see To inform the users of the account
control addresses on page 234) to train the user group databases by sending
email containing confirmed spam to the Learn Is Spam account and good email
to the Learn Is Not Spam account.


Setting up Bayesian control accounts


To allow email users to forward spam messages to the Bayesian accounts, you
need to configure the Bayesian control account names on the FortiMail unit. You
then inform the email users of the control account addresses. Later, when an
email user forwards a spam training message to one of the control accounts using
the address you provide, the FortiMail unit will automatically set up a Bayesian
database for the user based on the user's email address.
To configure Bayesian control account names - Web-based manager

Go to AntiSpam > Bayesian > Control Account.

If you accept the default account user names, select OK.


The account user names are configurable.
To configure Bayesian control account names - CLI
set as control bayesian <account> <account user name>

<account> is the Bayesian control account type, such as is really spam.

<account user name> is the Bayesian control account name, such as the
default is-spam.

To inform the users of the account control addresses



The complete control account email address is formed by the control account
name, the at sign (@), and finally the user's account domain. For example,
user1@example2.com would use these control account addresses if the default
account names were not modified:

is-spam@example2.com

is-not-spam@example2.com

learn-is-spam@example2.com

learn-is-not-spam@example2.com

Send the users an email message to notify them of the user-based account user
name addresses and their usage, similar to the following:
All employees,
This message describes how to train your FortiMail Bayesian
database.
If you receive spam that has not been caught and tagged by
the FortiMail unit, forward these missed spam messages to
is-spam@example2.com from your company email account. This
will ensure any similar email will be caught by the
FortiMail unit in the future.
If you receive email that the FortiMail unit has
incorrectly tagged as spam, forward these messages to
is-not-spam@example2.com from your company email account.
This will ensure any similar email will not be tagged as
spam by the FortiMail unit in the future.

If you have collected spam email that has not been
examined by the FortiMail Bayesian scanner and want to
train your personal Bayesian database on the FortiMail
unit, forward them to learn-is-spam@example2.com from your
company email account. This ensures that any similar email
will be tagged as spam by the FortiMail unit in the
future.
If you have collected non-spam email that has not been
examined by the FortiMail Bayesian scanner and want to
train your personal Bayesian database on the FortiMail
unit, forward them to learn-is-not-spam@example2.com from
your company email account. This ensures that any similar
email will not be tagged as spam by the FortiMail unit in
the future.

To perform group database training without training any user databases at the
same time, send training messages to the same control account addresses, but
configure your mail client to use one of these from addresses, depending on the
group database to be trained:

default-grp@example1.com

default-grp@example2.com

default-grp@example3.com

Now, you can send confirmed spam to the Learn Is Spam account or non-spam
to the Learn Is Not Spam account using one of the three addresses. For
example, using default-grp@example1.com as the From address will train
only the group database for the example1.com domain.

Configuring black and white lists


The FortiMail unit, at the system, domain, session, and personal levels, can block
or allow messages from the email addresses, domains, or IP addresses you
specify. You add the email addresses, domains, or IP addresses that you want to
block in the black list, and those that you allow to pass in the white list.
Mail examined by the FortiMail unit will be checked against the system, domain,
and user lists whenever the mail matches any policy, whether recipient-based or
IP-based. Mail will be checked against session lists only when lists are enabled in
a session profile specified in an IP-based policy that matches the message traffic,
whether or not a recipient-based policy also matches.
If no policies match, no black or white lists will be checked.
Note: Use black and white lists with caution. They are simple and efficient tools for fighting
spam and enhancing performance, but can also cause false positives and false negatives if
not used carefully. For example, a white list entry of *.edu would allow all mail from the .edu
top level domain to bypass the FortiMail unit's antispam scanning.

All black and white list entries are listed in alphabetical order.
You can add a maximum of 512 black or white list entries at each of the system,
domain, and personal levels, and 512 black or white list entries in each session
profile.

FortiMail Secure Messaging Platform Version 3.0 MR3 Administration Guide


06-30003-0154-20080327


Configuring system black and white lists


Use the following procedures to add or modify the system black and white lists.
To block or allow email
1. Go to AntiSpam > Black/White List > System.
2. Choose one of the following:
   • To block email, select Black List.
   • To allow email, select White List.
3. Enter the email address, domain, or IP address that you want to block or allow.
4. Select Add to add it to the black or white list.

To delete an email address or domain from the black or white list
1. Go to AntiSpam > Black/White List > System.
2. Select Black List or White List.
3. Select the email address, domain, or IP address you want to delete.
4. Select Remove Selected.

To back up a system black or white list
1. Go to AntiSpam > Black/White List > System.
2. Select Black List or White List.
3. Select Backup.
4. Save the file.
The current black or white list is saved.

To restore a system black or white list
1. Go to AntiSpam > Black/White List > System.
2. Select Black List or White List.
3. Select Browse to find the black or white list that you want to restore.
4. Select Restore.
The selected black or white list is restored.

Configuring domain black and white lists


Use the following procedures to add or modify the black or white list of a domain
defined on the FortiMail unit.
To block or allow email
1. Go to AntiSpam > Black/White List > Domain.
2. Do one of the following:
   • To block email, select the Black List icon for the required domain.
   • To allow email, select the White List icon for the required domain.
3. Enter the email address, domain, or IP address that you want to block or allow.
4. Select Add to add the address to the black or white list.

To delete an address from a domain black or white list
1. Go to AntiSpam > Black/White List > Domain.
2. Select the black or white list icon associated with the domain containing the
   address you want to remove.
3. Select the address you want to delete.
4. Select Remove Selected.

To back up a domain black or white list
1. Go to AntiSpam > Black/White List > Domain.
2. Select the black or white list icon associated with the domain you want to back up.
3. Select Backup.
4. Save the file.
The current black or white list is saved.

To restore a domain black or white list
1. Go to AntiSpam > Black/White List > Domain.
2. Select the black or white list icon associated with the domain you want to restore.
3. Select Browse to find the black or white list backup file you want to restore.
4. Select Restore.
The selected black or white list backup file is restored.

Configuring session black and white lists


Session black and white lists are configured in session profiles. See Creating
session profiles on page 181 for details.

Configuring personal black and white lists


Use the following procedures to add or modify an email user's black/white list in the
Preference tab in FortiMail webmail. Email users can use or modify the list you
configure when they use FortiMail webmail.
To block or allow email
1. Go to AntiSpam > Black/White List > Personal.
2. Select the domain of the SMTP server that has the user for whom you want to
   configure the black or white list.
   For information on creating domains, see Configuring domains (transparent and
   gateway modes) on page 129.
3. Enter the username and select OK. If the user does not exist, a new user will be
   created.
4. Turn on Add outgoing email addresses to White list if you want the FortiMail unit to
   treat email sent from these addresses as non-spam email in the future.
5. Do one of the following:
   • To block email, select Black List.
   • To allow email, select White List.
6. Enter the email address, domain, or IP address that you want to block or allow.
7. Select Add to add the address or domain to the black or white list.

To delete an email address or domain from a personal black or white list
1. Go to AntiSpam > Black/White List > Personal.
2. Select the domain of the SMTP server that has the user for whom you want to
   modify the black or white list.
3. Type the user's Username and select OK.
4. Select Black List or White List.
5. Select the email address, domain, or IP address you want to delete.
6. Select Remove Selected.

To back up a personal black or white list
1. Go to AntiSpam > Black/White List > Personal.
2. Select the domain of the SMTP server that has the user for whom you want to
   back up the black or white list.
3. Type the user's Username and select OK.
4. Select Black List or White List.
5. Select Backup.
6. Save the file.
The current black or white list is saved.

To restore a personal black or white list
1. Go to AntiSpam > Black/White List > Personal.
2. Select the domain of the SMTP server that has the user for whom you want to
   restore the black or white list.
3. Type the user's Username and select OK.
4. Select Browse to find the black or white list that you want to restore.
5. Select Restore.

Configuring the black list action


If a message arrives from a blacklisted domain, email address, or IP address, the
action taken is configurable using the Blacklist Action setting. Mail matching black
lists at all three of these levels is affected by this setting: system, session, and user.
To set the blacklist action
1. Go to AntiSpam > Black/White List > Blacklist Action.
2. Choose how a message matching a black list entry should be handled.


Reject refuses delivery of the message and returns an error to the sending
system. Discard accepts the message and immediately discards it without
notifying the sending system. The Use AntiSpam Profile Settings option has
blacklisted mail treated the same way as spam, according to the setting in the
antispam profile for the message matching the black list entry.


Maintaining black and white lists


Black and white list maintenance allows the easy backup and restore of the
system and all user black and white lists.
To back up all black and white lists
1. Go to AntiSpam > Black/White List > Black/White List Maintenance.
2. Select Backup Black/White List.
3. In the window that appears, select Download Black/White list backup file.
4. Save the file.
All of the system, domain, and user black and white lists are saved in a single
backup file.

To restore all black and white lists
1. Go to AntiSpam > Black/White List > Black/White List Maintenance.
2. Select Restore Black/White List.
3. In the window that appears, select Browse, choose the backup file to be restored,
   and select Open.
   The path and filename of the selected file appear in the Black White list file field.
4. Select OK to begin the restore process.
All of the system, domain, and user black and white lists are restored.

Caution: Restoring the black and white lists in this manner overwrites all of the existing
system, domain, and user black and white list contents.

Black and white list hierarchy


Black and white list checking is one of the first steps taken to detect spam. The
lists are checked in the sequence shown in Table 12, from top to bottom. If a
match is discovered, the listed action is taken and further list checking stops for
the matching message. Also, any remaining antispam checks for the matching
message are cancelled.
Table 12: Black and white list sequence

| List                         | Check for match of | Action taken if match discovered       |
|------------------------------|--------------------|----------------------------------------|
| System white list            | Message sender     | Accept message                         |
| System black list            | Message sender     | Invoke black list action               |
| Domain white list            | Message sender     | Accept message                         |
| Domain black list            | Message sender     | Invoke black list action               |
| Session recipient white list | Message recipient  | Accept message for matching recipients |
| Session recipient black list | Message recipient  | Invoke black list action               |
| Session sender white list    | Message sender     | Accept message for all recipients      |
| Session sender black list    | Message sender     | Invoke black list action               |
| User white list              | Message sender     | Accept message for this recipient      |
| User black list              | Message sender     | Discard message                        |


If the message sender is being examined for a match, email addresses and
domains in the list are compared to the message's envelope-from. IP addresses are
compared to the address of the client delivering the message, also known as the
last hop address.
If the message recipient is being examined for a match, email addresses and
domains in the list are compared to the message's recipient address. An IP
address in a recipient white or black list is not a valid entry because no IP
addresses are checked.
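
The first-match sequence of Table 12 can be modelled offline to see which list decides a message and to audit entries before they are entered. The following Python sketch is an added example, not FortiMail code: the glob matching of domain entries, the function names, the single-recipient simplification and the sample lists are assumptions made for illustration.

```python
import fnmatch
import ipaddress

# Table 12, top to bottom: (list, what is compared, action on first match)
SEQUENCE = [
    ("system white", "sender", "accept"),
    ("system black", "sender", "black list action"),
    ("domain white", "sender", "accept"),
    ("domain black", "sender", "black list action"),
    ("session recipient white", "recipient", "accept for matching recipients"),
    ("session recipient black", "recipient", "black list action"),
    ("session sender white", "sender", "accept for all recipients"),
    ("session sender black", "sender", "black list action"),
    ("user white", "sender", "accept for this recipient"),
    ("user black", "sender", "discard"),
]


def is_ip(entry):
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def entry_matches(entry, address, client_ip=None):
    """Compare one list entry with an envelope address and, for senders, the last hop IP."""
    entry = entry.strip().lower()
    if is_ip(entry):
        # IP entries are compared only to the delivering client. Recipient
        # checks pass client_ip=None, so an IP entry there never matches.
        return client_ip is not None and (
            ipaddress.ip_address(entry) == ipaddress.ip_address(client_ip))
    address = address.lower()
    if "@" in entry:
        return fnmatch.fnmatchcase(address, entry)
    # Assumption: a domain entry is matched as a glob against the domain part.
    return fnmatch.fnmatchcase(address.rpartition("@")[2], entry)


def evaluate(lists, envelope_from, recipient, client_ip):
    """Return (list, entry, action) for the first match, or None if nothing matches."""
    for name, field, action in SEQUENCE:
        for entry in lists.get(name, ()):
            if field == "sender":
                hit = entry_matches(entry, envelope_from, client_ip)
            else:
                hit = entry_matches(entry, recipient)
            if hit:
                return name, entry, action  # list checking stops at the first match
    return None  # no list matched: the remaining antispam checks run


def audit(lists):
    """Flag entries that can never match or that exempt far more mail than intended."""
    findings = []
    for name, field, _ in SEQUENCE:
        for entry in lists.get(name, ()):
            e = entry.strip().lower()
            if is_ip(e):
                if field == "recipient":
                    findings.append((name, entry, "IP entry is never checked in a recipient list"))
                continue
            domain = e.rpartition("@")[2]
            if "white" in name and "*" in domain and "." not in domain.lstrip("*."):
                findings.append((name, entry, "wildcard spans a whole top level domain"))
    return findings


# Constructed sample lists (documentation addresses only).
LISTS = {
    "system white": ["*.edu"],
    "system black": ["spammer@example.net", "203.0.113.7"],
    "session recipient black": ["192.0.2.10"],
    "user black": ["example.org"],
}

if __name__ == "__main__":
    # The *.edu white list entry wins even though the client IP is blacklisted.
    print(evaluate(LISTS, "bulk@lists.example.edu", "user1@example1.com", "203.0.113.7"))
    for finding in audit(LISTS):
        print(finding)
```

Because the system white list is checked first, the constructed `*.edu` entry accepts mail from a client whose IP address is in the system black list, which is the false negative the earlier note warns about.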

Configuring greylist
Greylisting is a means of reducing spam in a relatively low maintenance manner.
There are no IP address lists, email lists, or word lists to keep up to date. The only
required list is automatically maintained by the FortiMail unit.
When examining an email message, the greylist routine checks three message
attributes: the sender address, the recipient address, and the address of the
server delivering the message. More specifically, the greylist routine examines the
envelope from (Mail From:), the envelope recipient (Rcpt To:), and the IP subnet
address of the mail server delivering the message.
While the envelope from and envelope recipient values must match exactly, only
the /24 subnet of the system attempting delivery of the message is checked. For
example, if the message is delivered by a server at 192.168.1.99, any IP address
starting with 192.168.1 will be considered a match. If the envelope from and
envelope recipient values also match, a new entry in the greylist database will be
created displaying the 192.168.1.0 subnet address.
This is because some large organizations use many mail servers with IP
addresses in the same subnet. If the first attempt to deliver mail gets a temp fail
message, the second attempt will be made by a separate server with another
address. This second address would be seen as a new delivery attempt unrelated
to the first. Depending on the configuration of the mail server farm, the message
may never be delivered properly. Allowing all addresses in the subnet solves this
problem.
If the greylist routine doesn't have a record of a message with the same sender,
recipient, and IP address subnet, the message is refused and a temporary error is
reported to the server attempting delivery.
Because a temporary error is reported, the delivering server should attempt to
send the message again at a later time. If another delivery is attempted within four
hours of the temporary error and after the grey listing period, the message is
accepted. The FortiMail unit stores the recipient address, the sender address, and
the IP address subnet of the delivering mail server so any subsequent messages
with these same three values are immediately accepted. If the recipient address
and the server IP subnet are the same but the from address is different, the
message is unrecognized and not delivered until the mail server attempts to
resend. All three values must match.
Note: The four hour deadline for resending the message can be changed using CLI. For
more information, see the CLI command set as greylist
initial_expiry_period in the FortiMail CLI Reference.


Mail servers following specifications (RFC 821) will attempt to retry deliveries that
fail with expected error codes. Most spam mail is not delivered by standard mail
servers, but rather by applications designed specifically for spam distribution.
These applications typically attempt delivery and ignore any failures or errors.
Therefore, greylisting will prevent delivery of these messages.
Note: Greylist checking is bypassed in three circumstances:
• The client appears in the access list with relay permission. See Configuring
  email access on page 139 for more information about the access list.
• The client establishes an authenticated session.
• The client appears in the greylist exempt list. The exempt list is located in
  AntiSpam > Greylist > Exempt.

The greylist feature has three compelling attributes:
• Extremely low administrator maintenance.
• Spam detection scans are not run on mail stopped by greylisting. This can
  save significant processing and storage resources.
• Even if spammers begin to take greylisting into account and resend their
  messages, the delay imposed by the greylist feature can be an advantage.
  The greylist period can allow time for FortiGuard-Antispam and DNSBL
  systems to discover the spam and blacklist the source. This way, when the
  spam message is finally delivered, the FortiMail unit is more likely to recognize
  it as spam.

For these reasons, the greylist feature is a recommended performance tuning option.

Configuring greylist settings


Go to AntiSpam > Greylist > Settings to configure greylist settings.
TTL
The time to live setting determines how long each to/from/IP data
entry will be retained in the FortiMail unit's greylist. When the entry
expires, it is removed and new messages are again rejected until
the sending server attempts delivery of the message again.
Once recognized by the greylist, any message sent with the same
to/from/IP address information will reset the TTL count. For
example, if the TTL value is 36 days, a sender's greylist entry will
never expire if they send a message every 30 days. Every time the
greylist routine recognizes their to/from/IP address combination,
their TTL count is reset and starts counting down from 36 days.
Select a value between 1 and 60 days. The default value is 10 days.

Grey listing period
Enter the length of time the FortiMail unit will continue to reject
messages with an unknown to/from/IP. After this time expires, any
resend attempts will have the to/from/IP data added to the greylist
and subsequent messages will be delivered immediately.
Select a value between 1 and 120 minutes. The default value is
20 minutes.
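
The greylist decision described in this section (exact envelope match, /24 subnet match, grey listing period, four hour resend deadline and TTL reset) can be traced with a small model. This Python sketch is an added example and not FortiMail code. It assumes IPv4 clients, that a retry inside the grey listing period keeps the original first-seen time, and that a retry after the four hour deadline is treated as a new first attempt; class and method names are hypothetical.

```python
import ipaddress
from datetime import datetime, timedelta


class Greylist:
    """Model of the to/from/IP greylist with the default timers from this section."""

    def __init__(self, period=timedelta(minutes=20),
                 initial_expiry=timedelta(hours=4), ttl=timedelta(days=10)):
        self.period = period                  # Grey listing period
        self.initial_expiry = initial_expiry  # deadline for the resend attempt
        self.ttl = ttl                        # TTL of an accepted entry
        self.pending = {}                     # key -> time of first refused attempt
        self.known = {}                       # key -> time the entry expires

    @staticmethod
    def key(mail_from, rcpt_to, client_ip):
        # Envelope values are compared exactly; only the /24 of the client is kept.
        subnet = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (mail_from, rcpt_to, str(subnet.network_address))

    def check(self, mail_from, rcpt_to, client_ip, now):
        """Return 'accept' or 'tempfail' for one delivery attempt at time `now`."""
        k = self.key(mail_from, rcpt_to, client_ip)

        expiry = self.known.get(k)
        if expiry is not None:
            if now <= expiry:
                self.known[k] = now + self.ttl  # every recognized message resets the TTL
                return "accept"
            del self.known[k]                   # TTL ran out: unknown again

        first_seen = self.pending.get(k)
        if first_seen is None:
            self.pending[k] = now               # first attempt: refuse and remember
            return "tempfail"

        age = now - first_seen
        if age > self.initial_expiry:
            self.pending[k] = now               # resend came too late: start over (assumption)
            return "tempfail"
        if age < self.period:
            return "tempfail"                   # still inside the grey listing period

        del self.pending[k]
        self.known[k] = now + self.ttl          # valid resend: add to the greylist
        return "accept"


if __name__ == "__main__":
    # Constructed delivery attempts using documentation addresses.
    g = Greylist()
    t0 = datetime(2008, 3, 27, 9, 0)
    attempts = [
        ("a@example.org", "user1@example1.com", "192.168.1.99", t0),
        ("a@example.org", "user1@example1.com", "192.168.1.99", t0 + timedelta(minutes=5)),
        ("a@example.org", "user1@example1.com", "192.168.1.42", t0 + timedelta(minutes=25)),
        ("b@example.org", "user1@example1.com", "192.168.1.42", t0 + timedelta(minutes=26)),
    ]
    for sender, rcpt, ip, when in attempts:
        print(when.time(), sender, ip, g.check(sender, rcpt, ip, when))
```

The third attempt is accepted although it comes from a different server, because 192.168.1.42 and 192.168.1.99 share the stored 192.168.1.0 subnet; the fourth is refused because the envelope sender differs.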

Searching greylist entries


Greylist entries are listed in order by IP address. You can search for entries based
on sender, recipient, and IP address.
To search greylist entries
1. Go to AntiSpam > Greylist > Display.
2. Select the search icon and the Greylist search window appears.
3. Enter search parameters in the Sender, Recipient, and IP address fields. Use
   wildcard characters to enter partial patterns. Blank fields will match any value.
   Regex is not supported.
4. Select Accept to execute the search and list entries matching all the search
   parameters.

Configuring greylist exempt entries


Go to AntiSpam > Greylist > Exempt to view or modify greylist exemptions.
#
Exempt list entry number.

From
Enter the from address to be exempted from greylist scanning. Valid
input value can be an IP address, a subnet, a domain name, or an
email address.
Examples: 172.20.110.23, 172.20, mail.example.com,
example.com, and user1@example.com

Delete
Select the delete icon to remove an entry from the exempt list.

Create New
Select Create New to add a new entry to the exempt list.

The different types of acceptable address input for the exempt list are handled in
different ways.

• IP address: If a complete IP address is entered, all addresses in the /24 subnet
  of the address will be exempt. For example, if you enter 192.168.1.99 as an
  exempt address, any IP address starting with 192.168.1 will be exempt from
  the greylist routine. The exempt list itself will display 192.168.1.99, but as soon
  as any message from the address's subnet is received, a new entry in the
  greylist database will be created displaying the 192.168.1.0 subnet address.

• Subnet: Enter a partial IP address and any address matching the entered
  portion will be exempt from the greylist routine.
  For example, if you enter 172.22 as an exempt address, every address starting
  with 172.22 will be exempt.

• Domain name: Because domain names are so easily spoofed, extra
  processing is done to confirm the legitimacy of messages from exempted
  domains. If a message from a greylist exempt domain is delivered, a reverse
  lookup is done on the IP address of the system delivering the message. If the
  domain returned from the lookup matches the domain in the message, the
  message bypasses the greylist routine.
  If the domain returned by the lookup does not match, the greylist routine
  activates, resulting in the message not being accepted and a temp fail error
  returned to the sending system. If the delivery is repeated after the greylist
  period, it will be accepted.

• Email address: The message envelope email address is compared to the email
  addresses in the exempt list. A match allows the message to bypass the
  greylist routine. The sender address in the message header is not compared to
  the addresses in the exempt list.


Viewing the greylist


Go to AntiSpam > Greylist > Display to view the greylist.
#
Greylist entry number.

IP
The subnet of the mail server that delivered the message.

Sender
The email message sender's email address.

Recipient
The email message recipient's email address.

Expire
The time at which the entry in the greylist will be removed.
It is determined by adding the TTL value to the time the message
was received.

Configuring sender reputation


Sender reputation is an antispam measure requiring no maintenance or attention.
If a sender delivers mail including spam and/or viruses, or a large number of
invalid users, the sender reputation feature will automatically take measures
against them.
The sender reputation feature records the IP address of each client delivering
mail. For each client IP address, additional details are recorded:

• the total number of messages delivered
• the number of messages detected as spam
• the number of messages infected with viruses or worms
• the total number of recipients
• the number of invalid recipients

The FortiMail unit then determines a sender's reputation score primarily using two
ratios. First, the number of good messages is compared to the number of bad
messages (spam or mail with viruses or worms). Second, the total number of
recipients is compared to the number of bad recipients. The sender reputation
score uses email information up to twelve hours old, and recent mail influences
the score calculation more than older mail. The score itself ranges from 0 to 100,
with 0 representing a very well behaved sender, and 100 being the type of sender
you'd rather avoid.
The sender reputation score is compared to three thresholds, as defined in the
active session profile. If the sender is well behaved, their score will fall below the
first threshold. They can connect and deliver mail with no sender reputation
restrictions.

• Throttle is the first threshold. A sender reputation score above this value will
  limit the number of messages accepted per hour. The session profile includes
  a field where the admin can enter the maximum number of messages, and a
  second field where the admin can enter the percentage of the number of
  messages received in the last hour. The throttle limit will be the larger of these two.

• Temporary fail is the second threshold. With a sender reputation score above
  this value, the FortiMail unit will not allow a connection from the client,
  returning a temporary fail error.

• Reject is the final threshold. With a sender reputation score above this value,
  the FortiMail unit will not allow a connection from the client, returning a reject
  message.


If more than 12 hours pass without a mail delivery from a client, the client's sender
reputation record is deleted. If a client delivers mail after their score is deleted,
they are treated as a new client.
For details on enabling sender reputation and a description of the settings in the
antispam profile, see Expand Sender reputation on page 182.

Viewing the sender reputation table


All clients with a sender reputation score are listed in the sender reputation display.
Go to AntiSpam > Sender Reputation to view the sender reputation display.

Page up icon
Select to view the previous page.

Page down icon
Select to view the next page.

Search icon
Select to search for sender reputation records based on IP address,
sender reputation score, and/or time.

View Lines
Choose the number of sender reputation records displayed per page.

Total Lines
The total number of sender reputation records in the list.

Edit state
The default of Disable locks the state of all the sender reputation
records. Selecting Enable allows the admin to choose any record's
state regardless of the client's sender reputation score.

#
The sender reputation entry number.

IP
The IP address of the client.

Score
The client's current sender reputation score.

State
If Edit state is enabled, the admin can force a client to be throttled,
blacklisted, or whitelisted regardless of the client's current sender
reputation score. This applies the selected threshold condition until the
client's record expires and is deleted from the table.
The default value, Score controlled, uses the sender's reputation score
to determine what action is taken, if any.

   Score Controlled
   When the state is set to Score Controlled, the
   FortiMail unit will compare the sender reputation
   score to the thresholds set in the session profile
   to determine how the client will be handled.

   Throttled
   The volume of mail accepted from the client will
   be limited. The session profile includes a field
   where the admin can enter the maximum
   number of messages, and a second field where
   the admin can enter the percentage of the
   number of messages received in the last hour.
   The throttle limit will be the larger of these two.

   Blacklisted
   Connection attempts from this client will be
   denied with a reject error. The Last Modified time
   will not be updated, therefore the record is
   deleted 12 hours after the last successful
   connection attempt. Any connection attempt
   after the record is deleted will create a new
   record with default settings.

   Whitelisted
   Mail deliveries from this client will be permitted
   without restriction regardless of the sender
   reputation score. The Last Modified time will not
   be updated, therefore the record is deleted 12
   hours after the last successful connection
   attempt before being set to Whitelisted. Any
   connection attempt after the record is deleted will
   create a new record with default settings.

Last Modified
The time and date the sender reputation score was most recently
modified.


Note: Although client sender reputation records are only valid for 12 hours after last
contact, the record may still appear in the sender reputation table after that time. Visible
entries older than 12 hours are considered invalid until they are removed or replaced.
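
How a sender reputation record turns into a connection decision (thresholds, the throttle limit as the larger of two values, forced states and the 12 hour record lifetime) is traced in the following Python sketch. It is an added example, not FortiMail code: the threshold and throttle values are constructed, the score itself is taken as given because its calculation is not specified here, and all names, including the "over throttle limit" result, are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RECORD_LIFETIME = timedelta(hours=12)  # records older than this are invalid


@dataclass
class SessionProfile:
    # Constructed values; the real ones are set in the active session profile.
    throttle: int = 35      # first threshold
    tempfail: int = 55      # second threshold
    reject: int = 80        # final threshold
    max_messages: int = 5   # throttle: maximum number of messages per hour
    max_percent: int = 1    # throttle: percentage of last hour's messages


@dataclass
class Record:
    score: int                       # 0 (well behaved) to 100
    last_modified: datetime
    state: str = "score controlled"  # or throttled / blacklisted / whitelisted
    received_last_hour: int = 0
    accepted_this_hour: int = 0


def throttle_limit(profile, received_last_hour):
    """The throttle limit is the larger of the two session profile fields."""
    by_percent = received_last_hour * profile.max_percent // 100
    return max(profile.max_messages, by_percent)


def connection_action(record, profile, now):
    """Return accept, tempfail, reject or 'over throttle limit' for a client."""
    if record is None or now - record.last_modified > RECORD_LIFETIME:
        return "accept"  # no valid record: treated as a new client

    if record.state == "whitelisted":
        return "accept"  # permitted regardless of score
    if record.state == "blacklisted":
        return "reject"  # denied regardless of score

    if record.state == "score controlled":
        if record.score > profile.reject:
            return "reject"
        if record.score > profile.tempfail:
            return "tempfail"
        if record.score <= profile.throttle:
            return "accept"  # below the first threshold: no restrictions

    # Throttled, either by forced state or by a score above the first threshold.
    limit = throttle_limit(profile, record.received_last_hour)
    return "accept" if record.accepted_this_hour < limit else "over throttle limit"


if __name__ == "__main__":
    now = datetime(2008, 3, 27, 12, 0)
    profile = SessionProfile()
    hour_ago = now - timedelta(hours=1)
    # Constructed records resembling rows of the sender reputation table.
    table = {
        "192.0.2.1": Record(20, hour_ago),
        "192.0.2.2": Record(40, hour_ago, received_last_hour=1000, accepted_this_hour=10),
        "192.0.2.3": Record(60, hour_ago),
        "192.0.2.4": Record(90, hour_ago, state="whitelisted"),
        "192.0.2.5": Record(90, now - timedelta(hours=13)),
    }
    for ip, record in table.items():
        print(ip, record.score, record.state, connection_action(record, profile, now))
```

The last constructed record shows the effect of the note above: an entry older than 12 hours may still be visible, but the client is handled as a new client.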

Configuring PDF scanning


To evade antispam measures, spammers will sometimes disguise their email by
putting the message content in a PDF attachment. Since the contents of PDF files
are inaccessible to traditional spam detection methods, these messages are not
recognized as spam.
To combat this type of spam, the FortiMail PDF option will allow three FortiMail
antispam scanners to examine attached PDF files. The PDF option itself is not a
scanner. Rather, it makes the first page of each PDF attachment available to the
banned word, heuristic, and image spam scanners. Any or all of these three
antispam scanners must also be enabled in the antispam profile for the PDF to be
examined.
For example, if only the PDF option and the banned word scanner are
enabled, the image spam and heuristic scanners will not examine the PDF
attachments. If the banned word, heuristic, and image spam scanners are all
disabled, no PDF scanning will occur regardless of the PDF option setting.
If the PDF option is disabled, no PDF scanning will occur. Other antispam
scanners may still detect the message as spam based on the sender, envelope,
or message header, but any PDF attachments will not be examined.
For details on enabling the PDF option and a description of the settings in the
antispam profile, see PDF on page 167.


Archiving email
The FortiMail unit can archive incoming or outgoing email according to the
archiving policies you specify.
This section describes how to configure the email archiving settings and policies
and search for archived email.
This section contains the following topics:

Configuring email archiving settings

Setting archiving policies

Setting exempt policies

Configuring email archiving settings


Running in any of the operating modes, the FortiMail unit can be configured to
archive incoming and/or outgoing email on its local hard disk or to a remote
storage server.
Before you can archive email, go to Email Archiving > Settings on the
FortiManager web-based manager and do the following:

• Set up an email archiving account.
  You must set up an account to which the FortiMail unit will send the archived
  email. You will also use this account to log on to the FortiMail unit when you
  use IMAP to access the archived email.

• Enable the email archiving feature to start archiving email.

• Specify mailbox rotation size. When the mailbox reaches the rotation size or
  time, whichever comes first, the mailbox file (mbx file) will be renamed and
  backed up. A new mailbox file will be generated, into which newly archived
  email is saved. All the rotated mailboxes are still accessible when you search
  the email in them.

• Specify an archiving destination, either on the FortiMail local hard drive, or on a
  remote storage server.

All mail to be archived can also be forwarded to a separate email account.

To set up and enable the email archiving account
1. Go to Email Archiving > Settings.
2. Enter an email archiving account name and password. The default account name
   is archive and the default password is also archive.
3. Enter an email address in the Forward to field if you'd like a copy of all email
   messages forwarded to an email address of your choice as they're being
   archived. If forwarding is not required, leave the field empty. Specifying an email
   address here will not forward previously archived email.
4. Enable Email archiving status.
5. Select Apply.


To specify an archiving destination
1. If you want to archive email to the local disk, select Archive to local disk and set
   the disk quota.
2. If you want to archive email to a remote server, select Archive to remote host and
   configure the following:

   Protocol
   Select the protocol of the remote host. The FortiMail unit supports SFTP
   and FTP protocols.

   IP address
   Enter the IP address of the remote host.

   User name
   Enter the user name for logging in to the remote host.

   Password
   Enter the password for logging in to the remote host.

   Remote directory
   Enter the directory on the remote host for archiving email.

   Local cache quota
   Set the FortiMail unit cache quota. Email archived on a remote host is
   also cached by the FortiMail unit. When you view or search for email, the
   cached email is viewed or searched more quickly.

   Remote disk quota
   Set the disk quota for the remote host to archive email.

3. Select Apply.

Managing archived email


Once email is archived, you can view and search it. You can also
download it, send it to an email address, and use it to train the
Bayesian databases.
For information on Bayesian databases, see Training Bayesian databases on
page 222.
Go to Email Archiving > Settings, and select Enter for View archived email to
view and manage the archived email.
Figure 119: Managing archived email

Export
Select to download all the currently selected messages.

Send
Select to send the selected messages to an email address as an mbx file.

Train bayesian database
Select to use the selected messages to train the Bayesian databases.
See To train Bayesian databases with archived mail on page 249.

New Search
Select to open a new search page.

Mark
Select message check boxes and then select Mark to mark messages for
further operations. This allows messages across multiple pages to be
marked at the same time.

Unmark
Select a marked message and then Unmark to deselect it.


To search or view archived email
1. Go to Email Archiving > Settings.
2. For View Archived Email, select Enter. A new window opens.
   • To search for email, type or select the search parameters to search by content
     or time frame, then select Search.
   • To browse the archived email, select Browse.

Note: You can search archived email in the current mailbox and the rotated mailboxes
whether email is archived on the local disk or remote host. You can only view the archived
email in the current mailbox on the local disk.

To export archived email
1. Execute a search to list the messages to be exported.
2. Select the check boxes of all the messages in the current window you want
   exported. If all messages are to be exported, selecting the check box above the
   first message will automatically select the check boxes of all the messages on the
   current page.
3. Once the appropriate messages have been selected, select the Mark button. A
   red check mark will appear in the status column for all the previously selected
   messages. If a message is mistakenly marked, select the check box and choose
   Unmark to remove the red check mark from a message.
4. Continue to subsequent pages of search results and mark all messages to be
   exported. When complete, select the Export button.
   A new window opens. To start a new search without exporting, select New
   Search. To initiate the download, select Click to download the exported mbx file.
   You can choose the mbx filename and location.

To train Bayesian databases with archived mail
1. Go to Email Archiving > Settings.
2. For View archived email, select Enter.
3. Select Search or Browse.
4. Select the messages you want to use to train the Bayesian databases. If all
   messages are to be used for training, selecting the check box above the first
   message will automatically select the check boxes of all the messages on the
   current page.
5. Once the appropriate messages have been selected, select the Mark button. A
   red check mark will appear in the status column for all the previously selected
   messages. If a message is mistakenly marked, select the check box and choose
   Unmark to remove the red check mark from a message.
6. Select Train bayesian database.
7. Indicate whether you want to use the messages to train the Bayesian database as
   spam or innocent (non-spam) email.
8. Select the database you want to train: global, group, or user.
   • Global requires no further information.
   • If group training is required, select the domain in the drop down menu.
   • If user training is required, select the domain in the drop down menu, and enter
     the name of the user.
9. Select OK.

Setting archiving policies

You can specify which types of email should be archived. The criteria you specify
are called policies.

Figure 120: Archiving policy list

The order of archiving policies in the list.
ID: The identification numbers of the policies. IDs are generated by the
   FortiMail unit.
Type: The policy type. The five types are pre-defined. See step 3 of To set
   archiving policies on page 250.
Pattern: Specific policy pattern for the chosen policy type.
Status: The policy status (enabled or disabled).
Modify: Icons for deleting and modifying policies, or changing the order of
   policies in the list.
To set archiving policies

1. Go to Email Archiving > Archiving Policy.
2. Select Create New.
3. For Policy Type, select a policy type and enter a pattern based on the
   selected policy type.
   The five types include:
      Sender address: email address of a sender.
      Recipient address: email address of a recipient.
      Keyword in subject: keyword in the subject field of an email.
      Keyword in body: keyword in the body of an email.
      Attachment file name: name of an attachment file.
   Note: The Pattern field can contain wildcard (*) if the policy type is
   Sender address, Recipient address, or Attachment file name.
   For example, if you select Sender address as the policy type and enter
   *@example.com as the pattern, all email from the example.com domain will be
   archived.
4. To activate this policy, enable Policy Status.
5. Select OK.

Setting exempt policies

After setting up email archiving policies, you can make exceptions to the policies
to prevent email from being archived based on criteria you define.

Figure 121: Exempt policy list

The order of exempt policies in the list.
ID: The identification numbers of the policies. IDs are generated by the
   FortiMail unit.
Type: The policy type. The three types are pre-defined. See step 3 of To set
   exempt policies on page 251.
Pattern: Specific policy pattern for the chosen policy type.
Status: The policy status (enabled or disabled).
Modify: Icons for deleting and modifying policies, or changing the order of
   policies in the list.
To set exempt policies

1. Go to Email Archiving > Exempt Policy.
2. Select Create New.
3. For Policy Type, select a policy type and enter the policy pattern based on
   the selected policy type.
   The three types include:
      Sender address: email address of a sender.
      Recipient address: email address of a recipient.
      Spam email: email that has been tagged as spam.
   For example, if you select Sender address as the policy type and enter
   top20deals@email7.example.com as the pattern, all email from this address
   will not be archived.
   Note: The Pattern field can contain wildcard (*) if the policy type is
   Sender address or Recipient address. If the policy type is Spam email, the
   Pattern field will be ignored.
4. If you want to activate this policy, enable Policy Status.
5. Select OK.
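
A way to reason about how archiving and exempt policies combine before entering them in the web-based manager, as an added example that is not FortiMail code. It assumes that a matching enabled exempt policy always prevents archiving, that patterns are compared case-insensitively against the whole address or file name, and that keywords match as substrings; the class and function names, the "deals" keyword and the *.xls pattern are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Policy types named on this page. "*" is honoured only for the types the
# notes allow it for; the Spam email type ignores its Pattern field.
ARCHIVE_TYPES = {"sender", "recipient", "subject", "body", "attachment"}
EXEMPT_TYPES = {"sender", "recipient", "spam"}
WILDCARD_TYPES = {"sender", "recipient", "attachment"}


@dataclass
class Policy:
    ptype: str
    pattern: str = ""
    enabled: bool = True          # the Policy Status setting


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str = ""
    body: str = ""
    attachments: list = field(default_factory=list)
    spam: bool = False            # tagged as spam by the antispam scan


def wildcard_match(pattern, value):
    """Match the whole value against a pattern in which only "*" is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def policy_matches(policy, msg):
    if not policy.enabled:
        return False
    if policy.ptype == "spam":
        return msg.spam
    if not policy.pattern:        # an empty pattern never matches
        return False
    if policy.ptype in WILDCARD_TYPES:
        values = {"sender": [msg.sender], "recipient": msg.recipients,
                  "attachment": msg.attachments}[policy.ptype]
        return any(wildcard_match(policy.pattern, v) for v in values)
    text = msg.subject if policy.ptype == "subject" else msg.body
    return policy.pattern.lower() in text.lower()   # assumed: substring match


def archive_decision(msg, archive_policies, exempt_policies):
    """Return (archived, reason) for one message."""
    for p in exempt_policies:
        if p.ptype not in EXEMPT_TYPES:
            raise ValueError("not an exempt policy type: " + p.ptype)
        if policy_matches(p, msg):
            return False, f"exempt: {p.ptype} {p.pattern}".strip()
    for p in archive_policies:
        if p.ptype not in ARCHIVE_TYPES:
            raise ValueError("not an archiving policy type: " + p.ptype)
        if policy_matches(p, msg):
            return True, f"archive: {p.ptype} {p.pattern}"
    return False, "no archiving policy matched"


# The two patterns used as examples on this page, plus constructed ones.
ARCHIVE = [Policy("sender", "*@example.com"),
           Policy("attachment", "*.xls", enabled=False),
           Policy("subject", "deals")]
EXEMPT = [Policy("sender", "top20deals@email7.example.com"),
          Policy("spam")]

if __name__ == "__main__":
    samples = [Message("alice@example.com", ["bob@example.net"]),
               Message("top20deals@email7.example.com", ["bob@example.net"],
                       subject="Top 20 deals"),
               Message("carol@example.com", ["bob@example.net"], spam=True)]
    for m in samples:
        print(m.sender, archive_decision(m, ARCHIVE, EXEMPT))
```

Because the match is anchored to the whole address, *@example.com does not cover subdomains such as email7.example.com; a separate pattern is needed for those.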


Logging and reporting


The FortiMail unit provides extensive logging capabilities for virus incidents, spam
incidents and system event functions. Detailed log information and reports provide
historical as well as current analysis of network activity to help identify security
issues and reduce network misuse and abuse. This section provides information
on how to enable logging, view log files and reports available through the
web-based manager.
The following topics are included in this section:

FortiMail logging

Log message levels

Storing logs

Logs

Viewing log messages

Searching log messages

Customizing the column views

Downloading log files

Emptying a log file

Deleting log files

Alert Email

Reports

FortiMail logging
A FortiMail unit can log many different email activities and traffic including:

system-related events including system restarts and HA activity

antivirus infection and blocking

spam filtering

POP3, SMTP, IMAP and WebMail events.

You can customize the severity level at which the FortiMail unit logs these
events and where the FortiMail unit stores the logs. The log severity level is
defined where you configure the logging location. There are six severity levels
to choose from. See Log message levels on page 254 for more information.
The FortiMail unit is able to save log messages to its hard disk, or to a remote
location such as a Syslog server or FortiAnalyzer unit. You can view the log
messages available on the hard disk using the web-based manager.
Customizable filters enable you to easily locate specific information within the log
files.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
details and descriptions of log messages.

Log message levels


You can define what severity level the FortiMail unit records logs at when
configuring the logging location. A severity level indicates important and/or critical
events that occur on your network. When you choose a severity level, the
FortiMail unit records all log messages at and above that logging severity level.
For example, if you select Error, the FortiMail unit logs Error, Critical, Alert and
Emergency level messages.

Table 13: Log severity levels

Levels             Description
0 - Emergency      The system has become unusable.
1 - Alert          Immediate action is required.
2 - Critical       Functionality is affected.
3 - Error          An error condition exists and functionality could be affected.
4 - Warning        Functionality could be affected.
5 - Notification   Information about normal events.
6 - Information    General information about system operations.

Storing logs
The FortiMail unit can store logs in various locations, depending on your office
environment and configuration. You can configure the FortiMail unit to log to its
hard disk, a FortiAnalyzer unit, or a Syslog server. The FortiMail unit can also be
configured to log to different logging locations. For example, information logs go to
a Syslog server, while error log messages are stored on the hard disk.
You can also configure the FortiMail unit to log to multiple FortiAnalyzer units and
Syslog servers. Logging to multiple logging devices provides redundancy,
ensuring logs are available at all times.
When configuring the logging location, you also need to configure what type of
FortiMail features you want to log. These log types include email traffic
information, spam detection events, as well as system activity events. You can
enable these log types when configuring the logging location.

Logging to the hard disk


When configuring logging to the FortiMail hard disk, you need to decide the
maximum size of the log file and when you want the log file to roll. Log rolling
is when the log file reaches its specified maximum size and starts a new log
file. A rolled log file has an incremental number, for example, elog1, elog2,
and so on.
The log file size is measured in megabytes and should be 1000 MB or smaller.
Large log files may affect the performance and searching capabilities of the
FortiMail unit.

To configure logging to the hard disk

1. Go to Log & Report > Log Setting.
2. Select Log to Local Disk.
3. Enter a number in the Log file size field.
4. Enter the maximum number of days before the current log file rolls, in the
   Log time field.
5. Select a severity level.
6. Select Config Policy.
7. Select from the following log types and activities to record:

   Event log activities: Select to log all management activity and events, such
   as administration and HA activity.
      When configuration has changed: Select to log all management events, such
         as configuration changes.
      Admin login/logout event: Select to log all administrative events, such
         as logins, resets, and configuration updates.
      System activity event: Select to log all system-related events, such as
         system restart.
      POP3 server event (server mode): Select to log all POP3 events. This is
         available only if the FortiMail unit is in server mode.
      IMAP server event (server mode): Select to log all IMAP events. This is
         available only if the FortiMail unit is in server mode.
      SMTP server event: Select to log all SMTP server events.
      Failed update: Select to log all failed update events.
      Successful update: Select to log all successful update events.
      HA activity: Select to log all high availability activity. See HA log
         messages, alert email, and SNMP on page 297 for more information.
      Webmail event: Select to log all activities of webmail events. Webmail
         acts like a desktop email client, such as Microsoft Outlook, but is
         accessed on the Internet. Hotmail is considered a provider of webmail.
   Virus Log: Select to enable logging of all email messages that contain a
   virus.
      Virus infected: Select to enable logging of all virus infections.
   Spam Log: Select to enable logging of all spam.
      Spam detected: Select to enable logging of detected spam.
   History: Select to log email traffic information, including email
   successfully or unsuccessfully sent. The history log also enables you to
   find all log files

8. Select OK.
9. Select one of the following:
      Overwrite: Select to delete the oldest log entry and continue logging
         when the maximum log disk space is reached.
      Do not log: Select to stop log messages going to the FortiMail hard disk
         or other logging devices when the maximum log disk space is reached.
10. Select Apply.

Logging to a Syslog server


A Syslog server is a remote computer running Syslog software. Syslog is an
industry standard for forwarding log messages in an IP network. The Syslog
server is both a convenient and flexible logging device, since any computer,
such as a Linux, Unix, or Windows system, can run Syslog software.
When configuring logging to a Syslog server, you also need to configure the
facility and the format in which to save the log messages. Facility, similar to
severity levels, is a user-selectable identifier attached to log entries from a
device. If multiple devices are configured to send logs to a single Syslog
server, setting a different facility on each device makes the source of each log
entry easily identifiable.
You also need to configure the format of log files. Log files are saved in either
Comma Separated Values (CSV) format, or normal format. Normal format saves
the log file with spaces and CSV format saves the log file with commas; spaces
and commas are used to separate the fields within the log messages.

To configure FortiMail to send logs to a Syslog server

1. Go to Log & Report > Log Setting.
2. Select the blue arrow to expand Log to Remote Host.
3. Select the Remote Host 1 check box.
4. Select the blue arrow to expand the Remote Host 1 options.
5. Enter the IP address and port number of the remote computer running the
   syslog software.
6. Select the severity level.
7. Select Config Policy.
8. Select from the following log types and activities to record:

   Event log activities: Select to log all management activity and events, such
   as administration and HA activity.
      When configuration has changed: Select to log all management events, such
         as configuration changes.
      Admin login/logout event: Select to log all administrative events, such
         as logins, resets, and configuration updates.
      System activity event: Select to log all system-related events, such as
         system restart.
      POP3 server event (server mode): Select to log all POP3 events. This is
         available only if the FortiMail unit is in server mode.
      IMAP server event (server mode): Select to log all IMAP events. This is
         available only if the FortiMail unit is in server mode.
      SMTP server event: Select to log all SMTP server events.
      Failed update: Select to log all failed update events.
      Successful update: Select to log all successful update events.
      HA activity: Select to log all high availability activity. See HA log
         messages, alert email, and SNMP on page 297 for more information.
      Webmail event: Select to log all activities of webmail events. Webmail
         acts like a desktop email client, such as Microsoft Outlook, but is
         accessed on the Internet. Hotmail is considered a provider of webmail.
   Virus Log: Select to enable logging of all email messages that contain a
   virus.
      Virus infected: Select to enable logging of all virus infections.
   Spam Log: Select to enable logging of all spam.
      Spam detected: Select to enable logging of detected spam.
   History: Select to log email traffic information, including email
   successfully or unsuccessfully sent. The history log also enables you to
   find all log files

9. Select OK.
10. Select a Facility level that easily identifies each log entry.
11. Enable the CSV format if you want to save log messages in comma delimited
    text format.
12. Select Apply.

Logging to a FortiAnalyzer unit


You can configure a FortiMail unit to send logs to a FortiAnalyzer unit. Before
proceeding, contact the FortiAnalyzer administrator to make sure the IP address
is correct for connecting to the FortiAnalyzer unit.

To configure a FortiMail unit to send logs to a FortiAnalyzer unit

1. Go to Log & Report > Log Setting.
2. Select the blue arrow to expand the Log to Remote Host options.
3. Select the Remote Host 1 check box.
4. Select the blue arrow to expand the Remote Host 1 options.
5. Enter the IP address and port number of the FortiAnalyzer unit.
6. Select the severity level.
7. Select Config policy.
8. Select from the following log types and activities to record:

   Event log activities: Select to log all management activity and events, such
   as administration and HA activity.
      When configuration has changed: Select to log all management events, such
         as configuration changes.
      Admin login/logout event: Select to log all administrative events, such
         as logins, resets, and configuration updates.
      System activity event: Select to log all system-related events, such as
         system restart.
      POP3 server event (server mode): Select to log all POP3 events. This is
         available only if the FortiMail unit is in server mode.
      IMAP server event (server mode): Select to log all IMAP events. This is
         available only if the FortiMail unit is in server mode.
      SMTP server event: Select to log all SMTP server events.
      Failed update: Select to log all failed update events.
      Successful update: Select to log all successful update events.
      HA activity: Select to log all high availability activity. See HA log
         messages, alert email, and SNMP on page 297 for more information.
      Webmail event: Select to log all activities of webmail events. Webmail
         acts like a desktop email client, such as Microsoft Outlook, but is
         accessed on the Internet. Hotmail is considered a provider of webmail.
   Virus Log: Select to enable logging of all emails containing a virus.
      Virus infected: Select to enable logging of all virus infections.
   Spam Log: Select to enable logging of all spam.
      Spam detected: Select to enable logging of detected spam.
   History: Select to log email traffic information, including email
   successfully or unsuccessfully sent. The history log also enables you to
   find all log files

9. Select OK.
10. Select a Facility level that easily identifies each log entry.
11. Enable the CSV format if you want to save log messages in comma delimited
    text format.
12. Select Apply.

After configuring the log settings on the FortiMail unit, you or the FortiAnalyzer
administrator must configure the FortiAnalyzer unit to receive logs sent from the
FortiMail unit. The following procedure is provided if you are configuring a
FortiAnalyzer unit to receive logs instead of the FortiAnalyzer administrator.

To configure a FortiAnalyzer unit to receive logs from the FortiMail unit

1. Log into the FortiAnalyzer web-based manager.
2. Go to Device > All.
3. Select Add Device.
4. Select Syslog from the drop-down list in the Hardware column.
5. Set the following options:

   Device Type: Select FortiMail from the device list.
   Device Name: Enter a name to represent the FortiMail unit.
   Device ID: Enter the serial number of the FortiMail unit. Serial number
      information is located in FortiMail by going to System > Status, in the
      Unit Information area.
   Description: Enter additional information for the FortiMail unit, up to 128
      characters long. Description information appears when you hover the mouse
      over the name of the FortiMail unit in the devices list.
   Allocated Disk Space (MB): Set the amount of the FortiAnalyzer hard disk
      that is allocated to log files.
   When Allocated Disk Space is All Used: Select what the FortiAnalyzer unit
      should do once the allocated disk space has been reached. Select from
      overwriting older files or stop logging.

6. Expand the Device Privileges settings.
7. Verify the Allow FortiMail to send logs here is enabled.
8. Expand the Group Membership settings.
9. Select the group or groups where you want to include the Syslog server, and
   select the right arrow button to add the Syslog servers to the group.
10. Select OK.

Logging to multiple logging devices


The FortiMail unit can log to multiple Syslog servers or FortiAnalyzer units, as well
as the local disk. Logging to multiple devices can provide redundancy, sharing of
the log traffic load, or both.
Redundancy provides log availability in the event one of the logging devices
becomes unavailable. When multiple log devices share traffic between
themselves, system performance is better.
You can configure redundancy by enabling logging of the same log types to
different devices, for example, enabling logging of events to the local disk, remote
host 1, and remote host 2. You can configure traffic sharing between logging
devices by logging different log types and devices. For example, enabling logging
of both events and antispam to remote host 1 and remote host 2.
You can also configure both redundancy and traffic sharing at the same time, if
required. For example, the local disk logs event, antivirus, antispam, and history
while remote host 1 logs event, and remote host 2 logs antivirus, antispam and
history logs. In this example, remote host 1 and 2 provide redundancy to the local
disk but also share traffic load.
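
A check of which log types keep a second copy under a given layout, as an added example that is not part of the guide or of FortiMail. It combines the severity rule from Log message levels with the combined redundancy and traffic-sharing layout described above; the per-destination severity thresholds and all function names are assumptions made for illustration.

```python
# Severity numbers from Table 13: a destination set to a level records
# messages at that level and at every more severe (lower-numbered) level.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6}

# Log types per destination follow the combined example in the text.
# The thresholds are assumed values, not taken from the guide.
DESTINATIONS = {
    "local disk": {"threshold": "error",
                   "types": {"event", "antivirus", "antispam", "history"}},
    "remote host 1": {"threshold": "information",
                      "types": {"event"}},
    "remote host 2": {"threshold": "information",
                      "types": {"antivirus", "antispam", "history"}},
}


def records(threshold, level):
    """True if a destination set to `threshold` records a `level` message."""
    return SEVERITY[level] <= SEVERITY[threshold]


def all_types(destinations):
    return sorted(set().union(*(d["types"] for d in destinations.values())))


def destinations_for(log_type, level, destinations=DESTINATIONS):
    """Names of the destinations that store a message of this type and level."""
    return [name for name, d in destinations.items()
            if log_type in d["types"] and records(d["threshold"], level)]


def without_redundancy(level, destinations=DESTINATIONS):
    """Log types stored in fewer than two places at this severity level."""
    found = {}
    for log_type in all_types(destinations):
        names = destinations_for(log_type, level, destinations)
        if len(names) < 2:
            found[log_type] = names
    return found


def unrecorded_if_lost(lost, level, destinations=DESTINATIONS):
    """Log types that nobody stores at this level once `lost` is unavailable."""
    remaining = {n: d for n, d in destinations.items() if n != lost}
    return [t for t in all_types(destinations)
            if not destinations_for(t, level, remaining)]


if __name__ == "__main__":
    for level in ("error", "information"):
        print(level, "single copy only:", without_redundancy(level))
    print("lost remote host 2:",
          unrecorded_if_lost("remote host 2", "information"))
```

With these assumed thresholds every log type has two copies at Error level, but Information-level messages exist only on the remote hosts, so the redundancy depends on the severity level chosen for each destination as well as on the log types.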

To configure multiple logging devices

1. Go to Log & Report > Log Setting.
2. Select the blue arrow to expand the Log to Remote Host options.
3. Select the Remote Host 1 check box.
4. Select the blue arrow to expand the Remote Host 1 options.
5. Enter the IP address of either the Syslog server or FortiAnalyzer unit.
6. Enter the port number.
7. Select the severity level.
8. Select Config policy.
9. Select from the following log types and activities to record:

   Event log activities: Select to log all management activity and events, such
   as administration and HA activity.
      When configuration has changed: Select to log all management events, such
         as configuration changes.
      Admin login/logout event: Select to log all administrative events, such
         as logins, resets, and configuration updates.
      System activity event: Select to log all system-related events, such as
         system restart.
      POP3 server event (server mode): Select to log all POP3 events. This is
         available only if the FortiMail unit is in server mode.
      IMAP server event (server mode): Select to log all IMAP events. This is
         available only if the FortiMail unit is in server mode.
      SMTP server event: Select to log all SMTP server events.
      Failed update: Select to log all failed update events.
      Successful update: Select to log all successful update events.
      HA activity: Select to log all high availability activity. See HA log
         messages, alert email, and SNMP on page 297 for more information.
      Webmail event: Select to log all activities of webmail events. Webmail
         acts like a desktop email client, such as Microsoft Outlook, but is
         accessed on the Internet. Hotmail is considered a provider of webmail.
   Virus Log: Select to enable logging of all email messages that contain a
   virus.
      Virus infected: Select to enable logging of all virus infections.
   Spam Log: Select to enable logging of all spam.
      Spam detected: Select to enable logging of detected spam.
   History: Select to log email traffic information, including email
   successfully or unsuccessfully sent. The history log also enables you to
   find all log files

10. Select OK.
11. Select Apply.
12. Select the Remote Host 2 check box.
13. Select the blue arrow to expand the Remote Host 2 options.
14. Enter the IP address of the second Syslog server or FortiAnalyzer unit.
15. Repeat steps 5 to 10 to configure the second logging device.


You need to configure both FortiAnalyzer units to receive logs. See To configure a
FortiAnalyzer unit to receive logs from the FortiMail unit on page 258 for
configuring the FortiAnalyzer units to receive log files.

Logging to different devices


The FortiMail unit can be configured to log to different logging locations at the
same time. For example, you can configure the FortiMail unit to log to a Syslog
server and to the FortiMail hard drive. Logging to different devices ensures
availability of log files, as well as providing redundancy.

To configure logging to different devices

1. Go to Log & Report > Log Settings.
2. Select Log to Local Disk.
3. Enter a number in the Log file size field.
4. Enter the maximum number of days before the current log file rolls, in the
   Log time field.
5. Select a severity level.
6. Select Config Policy.
7. Select from the following log types and activities to record:

   Event log activities: Select to log all management activity and events, such
   as administration and HA activity.
      When configuration has changed: Select to log all management events, such
         as configuration changes.
      Admin login/logout event: Select to log all administrative events, such
         as logins, resets, and configuration updates.
      System activity event: Select to log all system-related events, such as
         system restart.
      POP3 server event (server mode): Select to log all POP3 events. This is
         available only if the FortiMail unit is in server mode.
      IMAP server event (server mode): Select to log all IMAP events. This is
         available only if the FortiMail unit is in server mode.
      SMTP server event: Select to log all SMTP server events.
      Failed update: Select to log all failed update events.
      Successful update: Select to log all successful update events.
      HA activity: Select to log all high availability activity. See HA log
         messages, alert email, and SNMP on page 297 for more information.
      Webmail event: Select to log all activities of webmail events. Webmail
         acts like a desktop email client, such as Microsoft Outlook, but is
         accessed on the Internet. Hotmail is considered a provider of webmail.
   Virus Log: Select to enable logging of all email messages that contain a
   virus.
      Virus infected: Select to enable logging of all virus infections.
   Spam Log: Select to enable logging of all spam.
      Spam detected: Select to enable logging of detected spam.
   History: Select to log email traffic information, including email
   successfully or unsuccessfully sent. The history log also enables you to
   find all log files

8. Select OK.
9. Select one of the following:
      Overwrite: Select to delete the oldest log entry and continue logging
         when the maximum log disk space is reached.
      Do not log: Select to stop log messages going to the FortiMail hard disk
         or other logging devices when the maximum log disk space is reached.
10. Select the blue arrow to expand the Log to Remote Host options.
11. Select the Remote Host 1 check box.
12. Select the blue arrow to expand the Remote Host 1 options.
13. Enter the IP address of either a Syslog server or FortiAnalyzer unit.
14. Select the severity level.
15. Select Config policy.
16. Repeat steps 7 and 8.
17. Select a facility level.
18. Select Apply.

Logs
Logs recorded by the FortiMail unit contain valuable information about email
events and activities that occur on your network. These logs record per recipient,
which presents log information in a very different way than most other logs do. By
recording logs per recipient, log information is presented in layers, which means
that one log file type contains the what and another log file type contains the why.
For example, a log message in the history log contains an email message that the
FortiMail unit flagged as spam (the what) and the antispam log contains why the
FortiMail unit flagged the email message as spam.
Logs are divided into four types: history, event, antispam, and antivirus. Each of
these four log types contains a session identification number, located in the
session ID field of each log message that is recorded by the FortiMail unit. The
session ID corresponds to each of the four log types so that the administrator can
get all the information about the event or activity that occurred on their network.
See the FortiMail Log Message Reference on the Fortinet Knowledge Center for
additional information about log messages that are recorded in FortiMail 3.0 as
well as examples of log messages.

History logs
History logs are used to quickly determine the disposition of a message. History
logs describe what action was taken by the FortiMail unit. Administrators use the
history logs to quickly determine the status of a message for a specific recipient,
and then go to other logs with that session ID to find out why that particular action
was taken.
In the following log messages, the bolded information indicates what an
administrator looks for when using history logs to find out what action was taken,
and the antispam log to find out why the action was taken.
(Below is an example of a history log message)
2008-01-07 18:19:08 log_id=04000050100 type=statistics
subtype=n/a pri=information session_id=m07NJ62T00110
from=aabb@example.com mailer=mta
client_name=[172.16.105.99] resolved=OK
to=ccdd@example.com message_length=0 virus=
disposition=0x200 classifier=0x12 subject=accounting
information
From the disposition, 0x200, we know that the FortiMail unit deferred the delivery
of the email message. We then take the session ID number and match it within the
antispam logs, as in the following:
2008-01-07 18:19:08 log_id=0501080300 type=spam
subtype=detected pri=information session_id= m07NJ62T00110
client_name= [172.16.105.99] from=aabb@example.com
to=ccdd@example.com subject=accounting information
msg=Grey Listing sender
From the above antispam log message, we now know why the FortiMail unit deferred
the delivery: the FortiMail unit has the sender in a grey list, which is
shown in the message field.
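
The lookup described above, written out as an added example that is not code from the guide or from Fortinet: it parses the key=value log messages shown on this page and joins each history record to the antispam or antivirus messages that share its session ID. The field-name list is taken from this page's samples, the last sample line is constructed, and only the disposition value the text explains (0x200) is given a name.

```python
import re

# Field names seen in the log samples on this page. Values such as subject
# and msg are unquoted free text, so only these names are treated as keys.
KEYS = ("log_id", "log_part", "type", "subtype", "pri", "session_id", "from",
        "mailer", "client_name", "resolved", "to", "message_length", "virus",
        "disposition", "classifier", "subject", "msg", "user", "ui", "module",
        "submodule", "src_ip")
FIELD = re.compile(r"(?:^|\s)(" + "|".join(KEYS) + r")=")
STAMP = re.compile(r"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s*")

# The only disposition value whose meaning this page gives.
DISPOSITIONS = {0x200: "delivery deferred"}

HISTORY = ("2008-01-07 18:19:08 log_id=04000050100 type=statistics "
           "subtype=n/a pri=information session_id=m07NJ62T00110 "
           "from=aabb@example.com mailer=mta client_name=[172.16.105.99] "
           "resolved=OK to=ccdd@example.com message_length=0 virus= "
           "disposition=0x200 classifier=0x12 subject=accounting information")
ANTISPAM = ("2008-01-07 18:19:08 log_id=0501080300 type=spam "
            "subtype=detected pri=information session_id= m07NJ62T00110 "
            "client_name= [172.16.105.99] from=aabb@example.com "
            "to=ccdd@example.com subject=accounting information "
            "msg=Grey Listing sender")
EVENT = ("2008-02-09 13:56:56 log_id=0100010601 log_part=00 type=event "
         "subtype=config pri=information user=admin ui=console "
         "module=system submodule=dns msg=DNS has been changed by "
         "user admin via CLI (console)")
# Constructed: a history record whose session has no antispam message.
HISTORY_NO_REASON = HISTORY.replace("m07NJ62T00110", "m07NK10T00222") \
                           .replace("accounting information", "meeting notes")
SAMPLE_LINES = [HISTORY, ANTISPAM, EVENT, HISTORY_NO_REASON]


def parse_line(line):
    """Split one log message into a dict; wrapped lines are re-joined first."""
    line = " ".join(line.split())
    stamp = STAMP.match(line)
    if stamp is None:
        raise ValueError("log message does not start with a date and time")
    record = {"date": stamp.group(1), "time": stamp.group(2)}
    rest = line[stamp.end():]
    hits = list(FIELD.finditer(rest))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(rest)
        value = rest[hit.end():end].strip().strip('"')
        record.setdefault(hit.group(1), value)   # first occurrence wins
    return record


def addr(value):
    """Normalise an address for comparison (<a@b> and a@b are the same)."""
    return value.strip().strip("<>").lower()


def explain(lines):
    """For each history record, report what was done and the logged reasons."""
    parsed = [parse_line(line) for line in lines if line.strip()]
    reasons = {}
    for rec in parsed:
        sid = rec.get("session_id", "")
        if rec.get("type") in ("spam", "virus") and sid not in ("", "n/a"):
            reasons.setdefault(sid, []).append(rec)
    report = []
    for rec in parsed:
        if rec.get("type") != "statistics":      # history records only
            continue
        sid = rec.get("session_id", "")
        rcpt = addr(rec.get("to", ""))
        code = int(rec.get("disposition") or "0", 16)
        why = [r["msg"] for r in reasons.get(sid, [])
               if "msg" in r and addr(r.get("to", "")) in ("", rcpt)]
        report.append({"session_id": sid, "recipient": rcpt,
                       "subject": rec.get("subject", ""),
                       "disposition": DISPOSITIONS.get(
                           code, "unknown (0x%x)" % code),
                       "reasons": why})
    return report


if __name__ == "__main__":
    for row in explain(SAMPLE_LINES):
        print(row)
```

A history record that comes back with an empty reasons list is worth a second look: it usually means the antispam or antivirus log for that session was not enabled on, or not collected from, the logging device being searched.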

Event logs
Event logs contain log messages that concern network or system activities and
events, such as firmware upgrades or password changes. This log type shows
what is occurring at the protocol level, as well as the TCP level.
The following is an example of an event log message:
2008-02-09 13:56:56 log_id=0100010601 log_part=00 type=event
subtype=config pri=information user=admin ui=console
module=system submodule=dns msg=DNS has been changed by
user admin via CLI (console)
The event log does not have the same relationship with the history log as the
antispam or antivirus log does. The event log is not necessarily used for finding
the reason why an event occurred because there may not be a corresponding
session ID number. Event logs are also usually self-explanatory, meaning they
usually give the what and why within the log message.

Antispam logs
Antispam logs provide information pertaining to email messages that are
classified as Spam or Ham messages. The antispam logs describe why they were
classified, as was shown in the example in History logs on page 262.
The following is an example of an antispam log message:
2008-02-12 11:31:29 log_id=0501016384 log_part=00 type=spam
subtype=detected pri=notice session_id="m08CNJ42P0054"
from="" to="" msg="Loaded 91 FortiGuard heuristic rules. 88
are active (v1ubtype=detected pri=information session_id=""
from="" to="" msg="Deep Header Scanner Rules Reload Finished."
Antispam log messages describe spammy URIs, black/white listed IP addresses,
or other techniques the FortiMail unit used to classify the message. Antispam log
messages may also describe message processing errors, such as not handling
email that was sent from a specific user.

Antivirus logs
Antivirus logs provide information pertaining to email messages that are classified
as virus or suspicious messages. These log messages describe what virus is
contained in the email message or in a file attached to the email message.
The following is an example of an antivirus log message:
2008-03-28 16:30:18 log_id=0200060101 log_part=00 type=virus
subtype=infected pri=information session_id=n/a
from=abba@hynj.com to=<bccb@xyn.com> src_ip=172.20.130.26
msg=The file wqdf.zip is infected with HGBYN_TEST_FILE.
Administrators use antivirus logs to determine why an attachment was stripped
from a file after someone informed them about not receiving an attachment.
Administrators may also use this log type to verify why the history log detected a
virus.
The session ID is not usually used when looking up an antivirus log message; the
time stated in the time field of the log message is usually used, together with
the search method.

Viewing log messages


The FortiMail unit enables you to view the logs stored on the local hard disk or
stored on a FortiAnalyzer unit running FortiLog 1.6 firmware or any FortiAnalyzer
firmware.
Log messages stored on the FortiMail hard disk display in Log & Report >
Logging. History logs display on the System Status page as well as in the
Logging menu. The tabs in the Logging menu display the types of logs you can
access. For example, by selecting the Event tab, you can view all event log
messages. The Logging menu also provides navigational features, allowing you to
view specific information in a log message or, if required, delete log messages.
Log messages stored on other logging devices, such as a Syslog server, are
viewed from those logging devices.
The Logging menu also enables you to view rolled log files. A rolled log file is a log
file that has reached its specified maximum size, at which point a new log file is started.
Rolled log files appear by time period, not by rolled log file name. For example, when the
event log has rolled, that rolled event log displays as 2008-03-05 15:11:12 Wed - 2008-03-10 06:30:55 Wed, instead of elog.log1. The current log appears at the top of
the list, and rolled logs appear below. A current log file contains only recent log
messages.
Figure 122: Viewing the log file list

Next Page / Previous Page
    Select to move through the pages of log files.

Search
    Select to search through the log messages.

View n lines per page
    Select the number of rows of log entries to display per page from the
    drop-down list.

Total lines:
    Displays the amount of lines on the page. For example, if there are
    only two lines on the page, the number is 2.

Go to line:
    Enter a line number and select Go to jump to the specified line.

Delete Selected Items
    Select the log files by clicking the checkbox in the same row. Select
    Delete Selected Items to remove those items from the hard disk.

Action
    Select from the following actions:
    Select Empty Log to clear the current log file of all messages.
    Select View to open the log file and view the log messages.
    Select Download to save the log file to a local or network drive.
    Select Delete to remove the selected log file from the hard disk.

The Logging menu enables you to view the log messages from a selected log file.
The columns that appear reflect the content in the log file.
To view log messages
1. Go to Log & Report > Logging.
2. Select the log type tab of the log file to view.
3. Locate the log file.
4. Select the view icon from the Action column.


Figure 123: Viewing log messages

Next Page / Previous Page
    Select to move through the pages of log messages.

Level
    Select the log level to view. The FortiMail unit displays the log
    messages for selected level and above.

Subtype (Event logs only)
    Select the subtype to view. The FortiMail unit displays the log
    messages for that log subtype. This is available only when viewing
    event logs.

View n lines per page
    Select the number of lines of log messages from the drop-down list to
    display on each page.

Go to Line
    Type the line number of the first line you want to display and select
    Go.

Choose Columns
    Select to add or remove log information columns to display. For more
    information see Customizing the column views on page 269.

When you are viewing log messages, you can also view the log message in Raw
format by moving your mouse over a number in the number column (#), as shown
in Figure 114. You can also highlight a log message by selecting the row that the
log message is in.
To view history log messages on the Status page
1. Go to System > Status.
2. Under History Log, select the History Log link.


A window appears, displaying all History logs recorded by the FortiMail unit.

Searching log messages


Searching provides a way to quickly find specific log information, such as subtype
and type, or time the log message occurred. The search method uses keywords
as well as log identification (session ID or Log ID), to find the log message you
require. The search method searches through all log files to find a specific log file
or a log file containing a specific word or phrase.
To search log messages
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select View in the Action column for a log file.
4. Select Search and enter the appropriate information for one or all of the following:

    Keyword
        Enter the word or words to search for within the log file.

    Subject (History Log only)
        If you are searching for emails, enter the subject line contained
        in the email.

    From
        If you are searching for emails, enter the sender's email address.

    To
        If you are searching for emails, enter the receiver's email address.

    Session Id
        Enter the session identification of the log message you are searching
        for.

    Log Id
        Enter the log identification number of the log message you are
        searching for.

    Client Name (History Log only)
        Enter the client name of the log messages you are searching for. The
        client name is usually an IP address, for example, 10.30.15.1.

    Time
        Enter the time period of when the log message occurred. Use the
        following options.

        [0 day]
            In the first line, select from the drop-down list one of the following:
            0 day: default
            One day: day of specified date and time
            One week: week starting before specified date and time
            Two weeks: two week period starting before specified date and time
            One month: month time period starting before specified date and time

        [12] hour(s)
            Select the number of hours from the drop-down list. The list
            provides numbers in the 24 hour format, 0-23. The default is 12.

        [current day of the current month]
            Select the date for the search. The default is the current day of
            the current month. For example, 26 displays because it is
            February 26, 2008.

        [current month]
            Select the month for the search. The default is the current month.
            For example, February displays because it is the current month.

        [current year]
            Select the year for the search. The default is the current year.
            For example, 2008, because 2008 is the current year.

        [current time]
            Select the time for the search. The default is the current time.
            The format is hour only and is in the 24 hour format. For example,
            the time that displays is 10 because it is 10 am.

5. Select Apply.
To search event logs

1. Go to Log & Report > Logging.
2. Select the Event log type tab.
3. Select View in the Action column.
4. Select Search and enter the appropriate information for one or all of the following:

    Keyword
        Enter the word or words to search for within the log file.

    Session Id
        Enter the session identification of the log message you are searching
        for.

    Log Id
        Enter the log identification number of the log message you are
        searching for.

    Time
        Enter the time period of when the log message occurred. Use the
        following options.

        [0 day]
            In the first line, select from the drop-down list one of the following:
            0 day: default
            One day: day of specified date and time
            One week: week starting before specified date and time
            Two weeks: two week period starting before specified date and time
            One month: month time period starting before specified date and time

        [12] hour(s)
            Select the number of hours from the drop-down list. The list
            provides numbers in the 24 hour format, 0-23. The default is 12.

        [current day of the current month]
            Select the date for the search. The default is the current day of
            the current month. For example, 26 displays because it is
            February 26, 2008.

        [current month]
            Select the month for the search. The default is the current month.
            For example, February displays because it is the current month.

        [current year]
            Select the year for the search. The default is the current year.
            For example, 2008, because 2008 is the current year.

        [current time]
            Select the time for the search. The default is the current time.
            The format is hour only and is in the 24 hour format. For example,
            the time that displays is 10 because it is 10 am.

5. Select Apply.
You can also search event logs by using the Level or Subtype drop-down list,
which is available when viewing log messages. The Level drop-down list allows
you to select a specific log severity level. The Subtype drop-down list allows you
to select a specific subtype. The following tables provide information on what is
available in the drop-down lists of Level and Subtype.
Table 14: Level drop-down list options

Emergency
    Displays log messages containing only the Emergency severity level.

Alert
    Displays log messages containing only the Alert severity level.

Critical
    Displays log messages containing only the Critical severity level.

Error
    Displays log messages containing only the Error severity level.

Warning
    Displays log messages containing only the Warning severity level.

Notification
    Displays log messages containing only the Notification severity level.

Information
    Displays log messages containing only the Information severity level.

Table 15: Subtype drop-down list options

ALL
    Displays no filtering on the subtype column.

Configuration
    Displays log messages containing only configuration in the subtype field.

Admin User
    Displays log messages containing only admin user in the subtype field.

Web Mail
    Displays log messages containing only webmail in the subtype field.

System
    Displays log messages containing only system in the subtype field.

HA
    Displays log messages containing only HA in the subtype field.

Update Failure
    Displays log messages containing only Update Failure in the subtype field.

Update Success
    Displays log messages containing only Update Success in the subtype field.

POP3
    Displays log messages containing only POP3 in the subtype field.

IMAP
    Displays log messages containing only IMAP in the subtype field.

SMTP
    Displays log messages containing only SMTP in the subtype field.

OTHERS
    Displays all lines that have a value other than all of the above
    subtypes, from Configuration to SMTP.

Customizing the column views


Each log type has unique column settings that are specific to that log type. You
can customize how these columns display by using the Column Settings icon to
view the information you need within the log messages.
You can also use the column settings feature as a method of filtering log
messages. By adding or removing certain columns, you can view only the parts of
the log messages you want to view. For example, you can remove all columns
except for the subtype, type and message to view only that information for
antispam logs.
Figure 124: Column settings for viewing log messages

To customize the columns


1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select View in the Action column for a log file.
4. Select Choose Columns.
5. Select a column name and do one of the following to change the views of the log
   information:

    Add ->
        Select to move selected fields from Hidden Columns list to the
        Displayed Columns list.

    <- Remove
        Select to move selected fields from the Displayed Columns list to the
        Hidden Columns.

    Move up
        Select to move the selected field up one position in the Displayed
        Columns list.

    Move down
        Select to move the selected field down one position in the Displayed
        Columns list.

6. Select Apply.

Downloading log files


Downloading log files enables you to view them on another computer, while also
providing additional archiving of older log files. Downloading log files also creates
more available space for log files currently being recorded by the FortiMail unit.
Log files can be downloaded in one of two formats, normal format and CSV
format. If you download a log file in Normal format, the file is saved as a text
document, displaying the log messages in a text-based program such as Notepad.
If you download a log file in CSV format, the file can then be viewed in a
spreadsheet program, such as Microsoft Excel.
To download a log file
1. Go to Log & Report > Logging.
2. Select the log type tab.
3. Locate the log file and select Download in the Action column.
4. Select one of the following ASCII text formats:

    Download file in normal format
        Downloads the log file in its raw format with an extension of .log.

    Download file in CSV format
        Downloads the log file as a comma-separated file with an
        extension of .csv. Each data element is separated by a comma.

   The web browser prompts you for a location to save the file.
5. Save the file to your management computer.
6. Select Return to return to the previous page.

To download all log files
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select the checkbox in the column header beside the Action column.
4. Select Download in the Action column of the first log file.
5. Select one of the following ASCII text formats:

    Download file in normal format
        Downloads the log file in its raw format with an extension of .log.

    Download file in CSV format
        Downloads the log file as a comma-separated file with an
        extension of .csv. Each data element is separated by a comma.

6. Save the file to your management computer.
7. Select Return to return to the previous page.
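A log file downloaded in normal format can be searched offline with the same criteria the Search page offers (keyword, session ID, log ID, sender, recipient, time). The Python below is an added example, not Fortinet code; it assumes the .log file holds one message per line in the key=value layout of the antivirus example earlier in this chapter and that an unquoted msg is the last field, and the function names and all sample lines except the first are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Leading "YYYY-MM-DD HH:MM:SS" stamp, then the key=value fields.
HEADER = re.compile(r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$')
KEY = re.compile(r'\s*([A-Za-z_]\w*)=')
NEXT_KEY = re.compile(r'\s+[A-Za-z_]\w*=')


def parse_line(line):
    """Return one log message as a dict, or None if the line is not a log message."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    record = {"time": stamp}
    rest, pos = m.group(2), 0
    while pos < len(rest):
        km = KEY.match(rest, pos)
        if not km:
            break  # trailing text that is not a field
        key, pos = km.group(1), km.end()
        if rest.startswith('"', pos):
            # Quoted value, as in from="" or msg="..." in the antispam example.
            end = rest.find('"', pos + 1)
            if end == -1:
                end = len(rest)  # unterminated quote: take the rest of the line
            value, pos = rest[pos + 1:end], end + 1
        elif key == "msg":
            # Unquoted msg is free text with spaces; assumed to be the last field.
            value, pos = rest[pos:], len(rest)
        else:
            # Unquoted value runs up to the next " name=" token.
            nxt = NEXT_KEY.search(rest, pos)
            end = nxt.start() if nxt else len(rest)
            value, pos = rest[pos:end], end
        record[key] = value.strip()
    return record


def search(lines, keyword=None, session_id=None, log_id=None,
           sender=None, recipient=None, start=None, end=None):
    """Return parsed messages matching every criterion that is not None."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if keyword is not None and keyword.lower() not in line.lower():
            continue
        if session_id is not None and rec.get("session_id") != session_id:
            continue
        if log_id is not None and rec.get("log_id") != log_id:
            continue
        if sender is not None and sender.lower() not in rec.get("from", "").lower():
            continue
        if recipient is not None and recipient.lower() not in rec.get("to", "").lower():
            continue
        if start is not None and rec["time"] < start:
            continue
        if end is not None and rec["time"] > end:
            continue
        hits.append(rec)
    return hits


def stripped_attachments(lines, recipient, around, hours=1):
    """Antivirus messages for a recipient within +/- hours of a reported time."""
    window = timedelta(hours=hours)
    found = search(lines, recipient=recipient,
                   start=around - window, end=around + window)
    return [r for r in found if r.get("type") == "virus"]


# First line: the antivirus example from this chapter joined onto one line.
# Remaining lines: constructed for illustration.
SAMPLE_LOG = [
    '2008-03-28 16:30:18 log_id=0200060101 log_part=00 type=virus subtype=infected pri=information session_id=n/a from=abba@hynj.com to=<bccb@xyn.com> src_ip=172.20.130.26 msg=The file wqdf.zip is infected with HGBYN_TEST_FILE.',
    '2008-03-28 21:05:44 log_id=0200060101 log_part=00 type=virus subtype=infected pri=information session_id=n/a from=user1@example.com to=<user2@example.org> src_ip=192.0.2.10 msg=The file a=b.zip is infected with EXAMPLE_TEST_FILE.',
    '2008-02-12 11:31:29 log_id=0501016384 log_part=00 type=spam subtype=detected pri=information session_id="" from="" to="" msg="Deep Header Scanner Rules Reload Finished."',
    'Total lines: 3',
]

if __name__ == "__main__":
    reported = datetime(2008, 3, 28, 16, 0)
    for rec in stripped_attachments(SAMPLE_LOG, "bccb@xyn.com", reported):
        print(rec["time"], rec["from"], rec["msg"])
```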

Emptying a log file


When emptying a current log file, all log messages within the log file are deleted,
not the log file itself. Emptying a log file formats the log disk, increases
performance, and helps with troubleshooting.


To empty a current log file


1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select the Empty Log icon in the Action column.
   The following message appears:
   Are you sure want to delete: <log_type>?
4. Select OK.

Deleting log files


Deleting log files provides more available space on the FortiMail hard disk. You
can delete only rolled log files.

Caution: Download log files before deleting them. This provides a way to recover deleted
log files in the event you require those deleted log files later on. See Downloading log files
on page 270 for more information about downloading log files.

To delete rolled log files


1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select Delete in the Action column for the log file you want to delete.
   You can select multiple rolled log files by selecting the checkboxes of the rolled
   log files you want deleted.

To delete all rolled log files
1. Go to Log & Report > Logging.
2. Select a log type tab.
3. Select the checkbox in the checkbox column heading.
4. Select Delete Selected Items.

Alert Email
Alert Email enables the FortiMail unit to monitor logs for specific log messages,
and notifies you by email when they appear. For example, if you require
notification about antivirus detection activity, you can configure an alert email that
is sent whenever the FortiMail unit detects antivirus activity.


Configuring alert email


You need to configure at least one DNS server before configuring alert
email. The FortiMail unit uses the SMTP server name to connect to the email
server, and must look up this name on your DNS server. You can configure DNS
servers in System > Network > DNS. See Configuring FortiMail system settings
on page 89 for more information about configuring DNS servers.
To configure alert email
1. Go to Log & Report > Alert Email > Configuration.
2. Enter up to three email addresses in the fields provided.
3. Select Apply.
Verify the alert email is configured correctly by selecting Test. This sends an alert
email to the configured recipients.

Selecting event categories


Before the FortiMail unit can send an alert email, you need to enable the event, or
events, that will trigger the FortiMail unit to send an alert email.
To select the events
1. Go to Log & Report > Alert Email > Categories.
2. Select one or more of the following event categories and select Apply:

    virus incidents
        Select to send an email when viruses are detected.

    critical events
        Select to send an email when the FortiMail unit detects
        a system error that may affect its operation.

    disk is full
        Select to send an email when the hard disk on the
        FortiMail unit is full.

    remote archiving/NAS failures
        Select to send an email when the remote archiving
        feature encounters a failure or more than one failure.

    HA events
        Select to send an email when any high availability (HA)
        event occurs. When a FortiMail unit is operating in HA
        mode, the subject line of the alert email includes the
        FortiMail unit host name. This host name is included to
        easily identify which FortiMail unit in the HA group sent
        the email. See HA log messages, alert email, and
        SNMP on page 297 for more information.

    disk quota of an account is exceeded (Server mode only)
        Select to send an email when the hard disk on the
        FortiMail unit exceeds the quota amount in an account.

    dictionary is corrupted
        Select to send an email when a dictionary is corrupt.

    system quarantine quota is full
        Select to send an email when the system's quarantine
        quota is full.

    deferred emails # over (default=10000), interval time (default=30) minutes
        Select to send alert email messages if the deferred
        email query is over a defined value. Enter a number
        between 1 and 10000 for the number of email
        messages that are over the deferred query amount.
        Enter the time duration between alert email messages if
        the number of email size remains over the set limit.

Reports
The FortiMail unit can generate activity reports by analyzing the history log files
and presenting the data in a tabular and graphical format.
Reports provide valuable information, helping you to manage your network more
effectively while making more informed decisions on the administration of your
network and mail server.
FortiMail enables you to generate reports by configuring an on demand report or a
report scheduled at specified intervals.
The FortiMail unit generates reports by two methods:

Reports on demand are reports generated immediately after they are
configured.

Scheduled reports are reports generated at a certain day(s) or time(s). These
reports are configured with a specific time or day, even a certain year, day and
time.

FortiMail also generates a Mail Statistics report in System > Status > Mail
Statistics. The Mail Statistics page displays a summary of spam messages and
viruses detected by the scanning tools of the FortiMail unit in tabular and
graphical views. This page also shows actions taken by the unit against spam and
viruses. See Viewing mail statistics on page 73 for more information.
You can also configure your own reports. There are default settings for all reports;
for example, when configuring domains for your report, the default is All Domains.
All Domains includes all types of domains you configured on the FortiMail unit.

Caution: Generating reports at high-traffic times may affect mail traffic coming through the
FortiMail unit. Generate reports during low traffic times, for example at night.

Note: Predefined reports are available only when configuring basic settings in the quick
start wizard, in the basic management mode.

Configuring Reports
Reports are configured in Log & Report > Report > Config. These reports are
referred to as report profiles. Report profiles define what information appears in
the report. When you select Create, you can configure the type of report,
device(s) to include, including the time frame for specialized reports.
Figure 125: Viewing report profiles

Config Name
    The name of the report profile.

Domain
    The mail domain within the report.

Schedule
    The scheduled frequency when the FortiMail unit generates the report.

Modify
    Select Delete to remove the report profile from the list.
    Select Edit to modify the report profile.
    Select Run Report to create a report on demand outside of the
    scheduled time.

Create New
    Select to add a new report profile.

Configuring a report profile


A report profile provides the log information that the FortiMail unit requires for
compiling and generating a report. Configuring a report profile includes
determining what log data information should be in the report, including who
receives the report after it is generated.
To configure a report profile
1. Go to Log & Report > Report > Config.
2. Select Create New.
3. Enter a report name, without spaces, in the Report Name field.
4. Select the blue arrow next to the options you need to configure:

    Time Period
        Configure what span of time the FortiMail unit uses when looking
        at the logs. See Configuring time period on page 274.

    Query Selection
        Select the reports you want to include. See Configuring the query
        selection on page 275.

    Schedule
        Configure when the FortiMail unit runs the report, for example,
        weekly, or monthly. See Configuring the schedule on page 275.

    Domain
        Select the domains to include in the report. See Configuring the
        domain on page 276.

    Incoming Outgoing
        Select if the information includes incoming email, outgoing email
        or both. See Configuring incoming and outgoing on page 276.

    Output
        Select the file format for the reports and add email recipients for
        the report. See Configuring output on page 277.

5. Select OK.

Configuring time period


Select the time period you want the report to cover. The time period includes all
log information for only the length of time specified.
Figure 126: Report time period

Time Period
    Select the time period for the report. When you select last n hours,
    days or weeks, a field will appear beside the drop-down list. Enter a
    number in the field, for example, eight, for the last n hours.

From Date
    Select to configure the start date of the report. For example, you may
    want to begin the report on May 5, 2006 at 6 pm.

To Date
    Select to configure the end date of the report. For example, you may
    want to end the report on May 6, at 12 am.

Configuring the query selection


Select the query or queries you want included in the report. For example, if you
want to include only log files that concern spam, select the Spam by Sender and
Spam by Recipient queries.
Figure 127: Report query selection

Query Selection
    Select to include or not include log information based on the following
    queries. Select the plus sign to expand the query and select the individual
    queries. Select the checkbox to include all individual queries.

    Mail Statistics
        Select to include mail statistical information by
        day, week, or month.

    Total Summary
        Select to include only summary information of all

    High level breakdown
        Select if you want to include all top level and
        summary information for all queries.

    Mail by Sender
        Select to include only mail messages sent by sender

    Mail by Recipient
        Select to include only mail messages sent by recipient

    Spam by Sender
        Select to include only spam messages sent by sender

    Spam by Recipient
        Select to include only spam messages sent by recipient

    Virus by Sender
        Select to include only virus messages sent by sender

    Virus by Recipient
        Select to include only virus messages sent by recipient.

Configuring the schedule


Select to set a schedule for when the FortiMail unit should generate the report.
You can choose from a daily schedule, or specify certain days of the week and/or
hours.


Figure 128: Report schedule

Not Scheduled
    Select if you do not want the report on a schedule.

Daily
    Select to generate the report every day at the same time.

These Days
    Select specific days of the week that the FortiMail unit should
    generate the report.

These Dates
    Select specific days of the month to generate the report. For example,
    to generate a report on the first and thirtieth of every month, enter
    1,30. The comma is required for separating the days.

At Hour
    Select the time of day when the FortiMail unit should generate the
    report.

Configuring the domain


Select to remove or add one or more domains for the report. You can specify a
specific domain for the report. The default, All Domains, includes all domains
configured on the FortiMail unit.
Figure 129: Report domains

Remove Selected
    Select a domain or domains to remove them from the list.

Add
    Enter a domain and select Add to add the domain to the Domain list.

Configuring incoming and outgoing


Select which type of mail messages, incoming or outgoing (or both), to
include in the report.
Figure 130: Report incoming and outgoing mail messages

Incoming
    Select to include only incoming email messages from senders.

Outgoing
    Select to include only outgoing email messages from recipients.

Incoming and Outgoing
    Select to include both incoming email messages from senders and
    outgoing email messages from recipients.

Configuring output
Select what type of file format you want the report to be, either HTML or PDF. You
can also add email addresses of recipients for receiving the generated report.
Figure 131: Report output

Output
    Select what type of format you want the report to be when it is
    generated. You can select HTML report or PDF report.

Remove Selected
    Select if you want to remove the recipient so he or she will not receive
    the report. Make sure the email address you want removed is
    selected before selecting Remove Selected.

Add
    Enter the email address of the person who will receive the report and
    select Add to add the email address to the list.

Viewing reports
Generated reports display on the Browse page as a roll-up report, or individual
reports in HTML format. A roll-up report is a report that contains all individual
reports included. An individual report has the same look and functionality as the
roll-up report when viewing in HTML format but when viewing the report in one of
the alternate formats, only the right frame with the report information is included.
From Log & Report > Reports > Browse, you can select a report group from the
list in the Report files column and do one of the following:

Select the report name to view a roll up report of all individual reports

Select the plus sign to expand the individual report list, and then select to view
an individual report.


Figure 132: A FortiMail report showing the Mail Sender Report individual report

Browsing reports
You can browse through generated reports in Log & Report > Reports >
Browse. From the Browse page, you can delete reports if required, download
reports to view on another computer, or view only parts of a report.
Figure 133: Browse generated reports

Previous page icon
    View to the previous page.

Next page icon
    View to the next page.

View lines per page
    Select the number of reports displayed on each page.

Total lines
    Displays the amount of lines on the page. For example, if there
    are only two lines on the page, the number is 2.

Go to line
    Type the line number you want to display and select Go.

Report Files
    Displays the generated reports. Select the report name to view a
    roll up of all reports in HTML format.
    The report appears in the reports list with the report name, date
    and time the report was generated.
    For example, a report name of Report 1-2007-03-31-2112, is a
    report called Report 1, generated on March 31, 2007 at 9:12pm.
    Select the plus sign to expand the report to view the individual
    reports in HTML format.

Last Access Time
    Indicates the date and time when the FortiMail unit completed the
    generated report.

Size (bytes)
    The file size of the report in HTML format.

Action
    Select Delete to remove the report or report group from the
    FortiMail hard disk.
    Select Download HTML to save the reports on a local hard disk.
    The FortiMail unit downloads the report in TGZ compressed
    format.
    Select Download PDF to save a PDF version of the report on a
    local hard disk.

Check All/Check None
    Select to select all reports for removal from the FortiMail hard disk.
    Select a check box for a report name and select Delete Selected
    to remove the report from the hard disk.

Downloading a report
If you need to view a report outside the FortiMail web-based manager, you
can download the report in either HTML or PDF.
To download a report
1. Go to Log & Report > Reports > Browse.
2. Locate the report you want to download in the Report Files column.
3. Select the Download icon in the Action column to download an HTML or PDF
   version of the report.


Configuring and operating FortiMail HA
FortiMail can operate in two high availability (HA) modes:
Active-passive HA
    Two FortiMail units operate as an HA group providing failover
    protection. Most of this chapter describes how to configure and
    operate an active-passive FortiMail HA group. See FortiMail active-passive
    HA on page 281 for a definition of active-passive FortiMail
    HA. See most of the rest of the sections of this chapter for
    information about how to configure and operate an active-passive
    FortiMail HA group.

Config only HA
    Up to 25 FortiMail units share a common configuration, but operate
    as separate FortiMail units. See FortiMail config only HA on
    page 282 for a definition of configuration FortiMail HA.

The following topics are included in this chapter:

FortiMail active-passive HA

FortiMail config only HA

Mixing FortiMail models in a FortiMail HA group

HA heartbeat and synchronization

HA network interface configuration in master mode

HA log messages, alert email, and SNMP

HA and storing FortiMail mail data on a NAS Server

Changing the FortiMail firmware for an operating HA group

Viewing and changing HA status

Configuring HA options

Configuring active-passive HA service monitoring

FortiMail HA configuration examples

HA failover scenarios

FortiMail active-passive HA
FortiMail supports active-passive high availability (HA) with full FortiMail
configuration and mail data synchronization between two FortiMail units. Mail data
consists of the FortiMail system mail directory, user home directories, and MTA
spool directories.
A FortiMail high availability (HA) group consists of two FortiMail units, one
functioning as a primary FortiMail unit (also called the master) and the other as a
backup FortiMail unit (also called the slave). The FortiMail units in the HA group
do not have to be the same FortiMail model but must be running the same
firmware build. The primary and backup units are configured separately and then
joined together to form the FortiMail HA group.

Both FortiMail units in the group have the same configuration except for the
FortiMail unit host name, SNMP system information, and some HA settings. For
details about how configuration synchronization works and about what is
synchronized and what is not, see Synchronizing the FortiMail configuration on
page 286.
You can include different FortiMail models in an active-passive HA group. For
details, see Mixing FortiMail models in a FortiMail HA group on page 284.
The primary unit performs all email processing including special FortiMail services
such as sending spam reports to email users. Email users connect to the primary
unit to download email, manage quarantined email, and to use FortiMail Webmail.
To configure and manage the FortiMail HA group, administrators connect to the
primary unit web-based manager or CLI.

Figure 134: Example FortiMail active-passive HA group operating in gateway mode
[Diagram labels: Internal network, Mail Server, Internet, Switch, HA Group]

Administrators can also manage the backup FortiMail unit. The backup unit
monitors the primary unit to make sure that the primary unit is operating correctly.
If the backup unit determines that the primary unit has failed, the backup unit
becomes the primary unit without interrupting mail processing.
FortiMail HA is supported for FortiMail gateway mode, transparent mode, and
server mode. HA configuration and operating procedures are similar in all three
FortiMail operating modes.

FortiMail config only HA


Using FortiMail config only HA you can set up a group of two to 25 FortiMail units.
The FortiMail units in the config only HA group operate independently, processing
email and providing FortiMail services such as antispam and antivirus scanning
and special FortiMail services such as sending spam reports to email users.
All FortiMail units in the group have the same configuration except for the
following:

Network settings including interface IP addresses and default routes

The FortiMail unit host name and SNMP system information


Other system names such as the local domain name and the spam report host
name

Some HA settings

For details about how configuration synchronization works and about what is
synchronized and what is not, see Synchronizing the FortiMail configuration on
page 286.
You can include different FortiMail models in a config only HA group. For details,
see Mixing FortiMail models in a FortiMail HA group on page 284.
Email users connect to any FortiMail unit to download email, manage quarantined
email, and to use FortiMail Webmail. For most HA group configuration and
management operations administrators connect to the primary unit web-based
manager or CLI. However, administrators must connect to each FortiMail unit in
the HA group to configure interface IP addresses and some HA settings for that
FortiMail unit.
A config only HA group can function as a mail server farm for a large organization.
You can also install a FortiMail config only HA group behind a load balancer. The
load balancer can balance the mail processing load to all of the FortiMail units in
the config only HA group, improving mail processing capacity.
To set up a FortiMail config only HA group you configure one of the FortiMail units
as the config primary (or config master) and the other FortiMail units (up to 24) as
config backup units (also called config slaves or peer systems). Every
configuration change made to the config master is synchronized to all of the
config backup units.
FortiMail config only HA does not synchronize mail data between the FortiMail
units in the config only HA group. As well, FortiMail config only HA does not
provide failover protection. If a FortiMail unit in a config only HA group fails, mail
data on the unit is lost (unless the unit can be restarted) and the functioning of the
failed FortiMail unit will not be resumed by other FortiMail units in the config only
HA group.
If the config primary unit fails the config backup units will continue to operate
normally. However, with no config primary unit, changes to the
configuration are no longer synchronized. You can manually switch one of the
remaining config backup units to operate as the config primary unit. Then you can
make configuration changes to this config primary unit and have the configuration
changes synchronized to the remaining config backup units.
You cannot configure service monitoring for a config only HA group.

Figure 135: Example FortiMail config only HA group operating in gateway mode
[Diagram labels: Internal network, Mail Server, Internet, Load balancer, Config only mode HA Group]

If the config only HA group is installed behind a load balancer, the load balancer
stops sending email to the failed FortiMail unit. All sessions being processed by
the failed FortiMail unit must be restarted and will be re-directed by the load
balancer to other FortiMail units in the config only HA group.
Also, a FortiMail unit operating in config only HA cannot be part of a FortiMail
HA group operating in active-passive HA.
Config only HA uses the same configuration synchronization mechanism as
active-passive HA. The only difference is that a config only HA group can have up
to 24 peers. Part of configuring HA involves adding the IP addresses of all of the
peers to the config only primary HA configuration.
You must give each backup unit a peer IP address that is the same as one of the
peer IP addresses added to the primary unit. The backup unit configuration also
includes the IP address of the primary unit.

Mixing FortiMail models in a FortiMail HA group


You can mix different FortiMail models in the same active-passive or config only
HA group. However, all units in the HA group should be running the same firmware
build.
You can mix FortiMail models in an HA group for a number of reasons. For
example, a FortiMail-100 unit may provide sufficient performance for your email
processing, but you may prefer the higher performance of a FortiMail-400 unit.
You can set up an active-passive HA group consisting of a FortiMail-400 unit
operating as the primary unit and a FortiMail-100 unit operating as the backup
unit. Usually the FortiMail-400 primary unit would be processing all email. If a
failover occurs, the FortiMail-100 backup unit would keep processing email until
you can restart or replace the failed FortiMail-400 unit.

If you mix FortiMail models in a FortiMail HA group you should make sure that the
configuration settings that you add can be supported on all of the models in the
HA group. For example, in the FortiMail-400 and FortiMail-100 HA group
described above you are limited by the capacity of the FortiMail-100 unit.
According to the FortiMail 3.0 Maximum Values Matrix on the Fortinet Knowledge
Center you can add 50 domains to a FortiMail-100 unit and 500 domains to a
FortiMail-400 unit. So in an HA group consisting of a FortiMail-400 and a
FortiMail-100 you should only add 50 domains. For a complete list of configuration
limitations for all FortiMail models, see the FortiMail v3.0 Maximum Values Matrix.

HA heartbeat and synchronization


For an active-passive HA group, FortiMail HA heartbeat and synchronization has
three primary functions: to monitor the status of the FortiMail units in the HA
group, to synchronize configuration changes from the primary unit to the backup
unit, and to synchronize mail data from the primary unit to the backup unit. Mail
data consists of the FortiMail system mail directory, user home directories, and
MTA spool directories.
For a config only HA group, FortiMail HA heartbeat and synchronization is used to
synchronize the FortiMail configuration from the config primary unit to the config
backup units. FortiMail config only HA configuration works the same way as
FortiMail active-passive HA configuration synchronization except that the
configuration is synchronized to multiple backup units.
HA heartbeat and synchronization consists of TCP packets transmitted between
the FortiMail units in the HA group over a dedicated heartbeat interface. As part of
the HA configuration you select one or two FortiMail unit interfaces to be used as
the primary and secondary heartbeat interfaces. You can also configure the TCP
ports that the heartbeat interface uses for its functions.
During normal FortiMail HA group operation the backup unit expects to constantly
receive HA heartbeat packets from the primary unit. If the backup unit stops
receiving HA heartbeat packets, the backup unit assumes that the primary unit
has failed. A failover takes place in which the backup unit becomes the primary
unit and continues processing email. During the failover no mail data or
configuration changes are lost. Some in-progress email transactions may be
interrupted and need to be restarted; but most email clients and servers can
gracefully handle the temporary service interruption that occurs during a failover.
Note: If you restart the primary unit (by going to System > Status and selecting Restart or
from the CLI by entering execute reboot) or if you enter the execute reload
command from the primary unit CLI, the backup unit may stop receiving HA heartbeat
packets from the primary unit for enough time to assume that the primary unit has failed. To
prevent false failovers when one of the above occurs, the primary unit signals to the backup
unit to wait for the primary unit to complete the restart or reload.

Configuring the HA heartbeat and synchronization interface

Synchronizing the FortiMail configuration

Synchronizing FortiMail mail data

FortiMail MTA spool directory synchronization after a failover

Configuring the HA heartbeat and synchronization interface


By default, the network interface with the highest number is used for the primary
heartbeat interface for HA heartbeat and for HA synchronization. For example, the
FortiMail-400 has 6 network interfaces numbered port1 to port6. By default a
FortiMail-400 HA group would use port6 as the primary heartbeat interface. If
required, you can select a different primary heartbeat interface. You can also
configure a secondary heartbeat interface. See HA Main configuration options
on page 310 and HA daemon configuration options on page 313 for more
information about how to configure heartbeat interfaces.

Caution: Using the same FortiMail network interface for user data and HA synchronization
is not supported.

For a FortiMail HA group to operate correctly, you must maintain an Ethernet
connection between the heartbeat interfaces of the primary and backup FortiMail
units. You can use a crossover Ethernet cable or two regular Ethernet cables and a
switch to connect the network interfaces.
Note: Isolate heartbeat interfaces from your user networks. Heartbeat and synchronization
packets contain sensitive configuration information and can consume considerable network
bandwidth. For an active-passive or a config only HA group consisting of only two FortiMail
units, directly connect the heartbeat interfaces using a crossover cable. For a config only
HA group consisting of more than two FortiMail units, connect the heartbeat interfaces to a
switch and do not connect this switch to your user networks.

If the heartbeat interfaces become disconnected, the operation of the FortiMail HA
group will be interrupted. See Failover scenario: primary heartbeat link fails on
page 330 for details about what might happen and how to solve any problems that
occur.
By default, primary and backup unit heartbeat interfaces are configured with
special IP addresses. The default primary unit primary heartbeat interface IP
address is 10.0.0.1 and the default backup unit primary heartbeat interface IP
address is 10.0.0.2. You can change these IP addresses if required. The primary
and backup unit heartbeat interfaces must have different IP addresses.
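
The following Python check is an added example, not part of the Fortinet guide: it audits a planned HA group against the rules stated so far in this chapter (group size, firmware build, heartbeat addressing and isolation, peer addresses). The plan layout, unit names, build labels and the assumption that peer addresses are heartbeat interface addresses are constructed for the example.

```python
"""Added example: audit a planned FortiMail HA group against this chapter's rules.

The plan layout (keys, unit names, addresses, build labels) is a constructed
data model for this example, not a FortiMail configuration format.
"""
import copy
import ipaddress


def audit_ha_plan(plan):
    """Return a list of findings; an empty list means no rule below is violated."""
    findings = []
    units = plan["units"]
    primaries = [u for u in units if u["role"] == "primary"]
    backups = [u for u in units if u["role"] == "backup"]

    # Active-passive: one primary and one backup. Config only: one config
    # primary and up to 24 config backup units.
    max_backups = 1 if plan["mode"] == "active-passive" else 24
    if len(primaries) != 1:
        findings.append("exactly one primary unit is required")
    if not 1 <= len(backups) <= max_backups:
        findings.append(
            f"{plan['mode']} takes 1 to {max_backups} backup units, plan has {len(backups)}")

    # Models may be mixed, but every unit must run the same firmware build.
    if len({u["firmware_build"] for u in units}) > 1:
        findings.append("units run different firmware builds")

    # Heartbeat interface addresses must differ between units.
    hb_ips = [ipaddress.ip_address(u["heartbeat_ip"]) for u in units]
    if len(set(hb_ips)) != len(hb_ips):
        findings.append("two units share a heartbeat IP address")

    user_nets = [ipaddress.ip_network(n) for n in plan["user_networks"]]
    for unit, hb_ip in zip(units, hb_ips):
        # One interface for both user data and HA synchronization is unsupported.
        if unit["heartbeat_port"] in unit["user_ports"]:
            findings.append(
                f"{unit['name']}: {unit['heartbeat_port']} carries user data and heartbeat")
        # Heartbeat packets contain configuration data: keep them off user networks.
        for net in user_nets:
            if hb_ip in net:
                findings.append(
                    f"{unit['name']}: heartbeat IP {hb_ip} lies inside user network {net}")

    # Two units are cabled directly; larger groups need a switch that is not
    # connected to the user networks.
    if plan["heartbeat_link"] == "shared-switch":
        findings.append("heartbeat switch is connected to user networks")
    elif plan["heartbeat_link"] == "crossover" and len(units) > 2:
        findings.append("a crossover cable can only join two units")

    # Peer addressing. Assumption of this example: peer and primary addresses
    # are the units' heartbeat interface addresses.
    if len(primaries) == 1:
        primary = primaries[0]
        for backup in backups:
            if backup["heartbeat_ip"] not in primary["peer_ips"]:
                findings.append(f"{backup['name']}: not listed as a peer on the primary unit")
            if backup["primary_ip"] != primary["heartbeat_ip"]:
                findings.append(f"{backup['name']}: points at the wrong primary unit address")
    return findings


# Constructed plan with deliberate mistakes on the backup unit.
BAD_PLAN = {
    "mode": "active-passive",
    "heartbeat_link": "shared-switch",
    "user_networks": ["172.16.5.0/24"],
    "units": [
        {"name": "fm-a", "role": "primary", "firmware_build": "build-A",
         "heartbeat_port": "port6", "user_ports": ["port1"],
         "heartbeat_ip": "10.0.0.1", "peer_ips": ["10.0.0.2"]},
        {"name": "fm-b", "role": "backup", "firmware_build": "build-B",
         "heartbeat_port": "port1", "user_ports": ["port1"],
         "heartbeat_ip": "172.16.5.20", "primary_ip": "10.0.0.1"},
    ],
}

# The same plan with the backup unit corrected and a direct heartbeat cable.
GOOD_PLAN = copy.deepcopy(BAD_PLAN)
GOOD_PLAN["heartbeat_link"] = "crossover"
GOOD_PLAN["units"][1].update(
    firmware_build="build-A", heartbeat_port="port6", heartbeat_ip="10.0.0.2")

if __name__ == "__main__":
    for finding in audit_ha_plan(BAD_PLAN):
        print("FINDING:", finding)
```
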

Synchronizing the FortiMail configuration


Every time you change the configuration of the primary unit, the configuration
change is immediately synchronized to the backup unit (or peer units in a config
only HA group). This synchronization uses the primary heartbeat interface link.
You can also configure FortiMail HA to synchronize the primary and backup unit
configurations at scheduled time intervals. Synchronization is always started by
the backup unit. The backup unit asks the primary unit to send the primary unit
configuration to the backup unit.
See HA daemon configuration options on page 313 to configure how often the
HA group synchronizes the FortiMail configuration and to change the TCP port
used for synchronizing the configuration across the heartbeat link.
You can also manually synchronize configuration changes if you are concerned
about losing changes that you have just made. See Forcing the HA group to
synchronize configuration and mail data on page 305.

FortiGuard Antispam and FortiGuard Antivirus


You must license all of the FortiMail units in the HA group for the FortiGuard
Antispam service. If you only license the primary unit in an active-passive HA
group, after a failover the backup unit will not be able to connect to the FortiGuard
Antispam service.
You must also license both of the FortiMail units in the HA group for the
FortiGuard Antivirus service. Antivirus engine and antivirus definition versions are
not synchronized between the primary and backup units. Each of these units
connects to the FortiGuard Distribution Network to download FortiGuard Antivirus
updates.

Configuration settings that are not synchronized


All configuration settings on the primary unit are synchronized to the backup unit
except for the following settings:

FortiMail Operation Mode: In active-passive and config only HA the FortiMail
operation mode is not synchronized. When configuring an HA group you must set
the operation mode of each HA group member before configuring HA. (Go to
System > Status. From the CLI enter set system opmode.)

FortiMail unit host name (also called the mail server host name): In
active-passive and config only HA the mail server host name is not
synchronized. (Go to Mail Settings > Settings. From the CLI enter set system
hostname.) To identify a FortiMail unit in an HA group the host name appears at
the bottom of the FortiMail web-based manager. The host name is also added to
the subject line of alert email messages sent by a FortiMail unit operating in
HA mode.

Interface configuration: In active-passive and config only HA each FortiMail
unit in the HA group has its own interface configuration. (Go to System >
Network > Interface. From the CLI enter set system interface.)
Some active-passive HA settings affect the interface configuration. These HA
settings are synchronized between both FortiMail units in an active-passive HA
group. See HA interface configuration in master mode options (active-passive
HA) on page 315.

Transparent mode Management IP address: In active-passive and config only HA
for FortiMail units operating in Transparent mode, all of the FortiMail units
in the HA group should have a different management IP address. So the
management IP address is not synchronized. (On a FortiMail unit operating in
Transparent mode, go to System > Network > Management IP. From the CLI enter
set system managementip.)

SNMP system information: In active-passive and config only HA the SNMP system
information (including the system Description, Location, and Contact
information) is not synchronized. (Go to System > Config > SNMP v1/v2c. From
the CLI enter set system snmp sysinfo status.)

Main HA configuration: In active-passive and config only HA the main HA
configuration, which includes the HA mode of operation of the unit (master or
slave), is not synchronized because this configuration must be different on the
primary and backup units.

HA Daemon configuration: In active-passive and config only HA the following HA
daemon settings are synchronized (some of the settings listed below only apply
to active-passive HA):
• Heartbeat use port, test every timer, and take over after failures number
• Configuration use port and synchronize every timer
• Data use port and synchronize every timer
The following HA daemon settings are not synchronized:
• Shared password
• Backup system mail directory
• Backup user home directories
• Backup MTA spool directories
Even though the shared password must be the same on all units, because the
password is used to identify the HA group the password is not synchronized and
the same password must be added to all units in the HA group.
The remaining HA daemon options that are synchronized are active-passive HA
settings that affect how often the backup unit tests the primary unit and how
the backup unit synchronizes configuration and mail data. The HA daemon
settings on the backup unit control how the HA daemon operates. The HA daemon
settings on the primary unit do not affect the operation of the HA daemon. In a
functioning HA group you would change the HA daemon configuration on the backup
unit to change how the HA daemon operates.
As well, you might want to have a different HA daemon configuration on the
primary unit. After a failover, you might not want the new backup unit to
synchronize with the new primary unit in the same way as when the HA group is
functioning normally. If the original primary unit becomes a backup unit this
new backup unit will have the HA daemon configuration of the original primary
unit.

HA service monitoring configuration: In active-passive HA the HA service
monitoring configuration is not synchronized. The remote service monitoring
configuration on the backup unit controls how the backup unit checks the
operation of the primary unit. The local services configuration on the primary
unit controls how the primary unit tests the operation of the primary unit.
You might want to have a different service monitoring configuration on the
primary and backup units. After a failover you may not want service monitoring
to operate until you have fixed the problems that caused the failover and have
restarted normal operation of the HA group.

Config only HA network settings and names: In addition to the settings
mentioned above, the following settings are not synchronized when operating
config only HA:
• Default routes (Go to System > Network > Routing. From the CLI enter set
  system route.)
• The mail server local domain name, the relay server local domain name (Go to
  Mail Settings > Settings > Settings. From the CLI enter set mailserver
  localdomain.)
• The spam report host name (Go to Anti-Spam > Quarantine > Spam Report. From
  the CLI enter set as spamreport hostname.)

Synchronizing FortiMail mail data


All FortiMail mail data is synchronized from the primary unit to the backup unit
according to the HA daemon data synchronization schedule. Mail data consists of
the following:

System mail directory: Contains quarantined email messages and archived email
messages stored on the FortiMail unit hard drives. The system mail directory
may contain a relatively large amount of data. However, this data does not
usually change rapidly so synchronizing the system mail directory does not
usually require a large amount of bandwidth or processing time. The system mail
directory should be synchronized because it could be difficult to recover this
data from a failed FortiMail unit.

User home directories: In server mode the user home directories contain user
email messages stored on the FortiMail unit hard drives. The user home
directories may also contain a relatively large amount of data. However, this
data also does not usually change rapidly so synchronizing the user home
directories does not usually require a large amount of bandwidth or processing
time. The user home directories should be synchronized because it could be
difficult to recover this data from a failed FortiMail unit.

MTA spool directories: Contain the FortiMail mail queues including the outgoing
mail queue, the deferred queue, the spam queue, the failed queue, and the dead
mail queue. (See Managing mail queues on page 141 for more information about
these mail queues.) The MTA spool directories may contain a large amount of
data that changes rapidly. Synchronizing large amounts of data that changes
rapidly may take considerable bandwidth and processing time, both of which may
affect the performance of the FortiMail unit. Also, if the primary unit fails,
when it is restarted it becomes a backup unit and synchronizes all MTA spool
directories to the new primary unit (see FortiMail MTA spool directory
synchronization after a failover on page 289 for more information). Because of
this synchronization, the data in the MTA spool directories is usually
recovered after failover.
If the primary unit experiences a hardware failure and cannot be restarted you
might not be able to recover mail in the MTA spool directories. Synchronizing
the MTA spool directories means that you will not lose mail in the MTA spool
directories if the primary unit experiences a hardware failure.

See HA daemon configuration options on page 313 to configure how often the
HA group synchronizes mail data, to change the TCP port used for synchronizing
data across the heartbeat link, and to select the types of mail data to synchronize.
You can also manually synchronize mail data. See Forcing the HA group to
synchronize configuration and mail data on page 305.
You should disable mail data synchronization if the HA group stores mail data on a
remote NAS server. See HA and storing FortiMail mail data on a NAS Server on
page 300.

FortiMail MTA spool directory synchronization after a failover


During failover no mail data, no configuration changes, and no email messages
being queued by the primary unit are lost. In-progress email transactions in which the
primary unit is actively sending or receiving email messages may be interrupted
and need to be restarted. However, most email clients and servers can gracefully
handle these types of temporary service interruptions. In these cases after failover
the interrupted email session is restarted but with the new primary unit.
During normal operation email messages can be in two states:

Being received by the primary unit

Stored on the primary unit in the system mail directory, the user home directories,
or the MTA spool directories (which includes the outgoing mail directory).

When a failover occurs, the network connections between the sender and the
primary unit are cut off. From the sender's point of view, the email send
attempt fails, and the sender attempts to re-send the email message.
Usually you should configure HA to synchronize the system mail directory and the
user home directory so that no email messages in these directories are lost when
a failover occurs.
Email messages stored on the primary unit MTA spool directories are either being
stored or sent by the primary unit. When a failover occurs, email being sent is
stopped, but the stored message remains in a primary unit MTA mail directory.
The FortiMail MTA spool directories are always synchronized by the FortiMail HA
group after a failover. Synchronizing the MTA spool directories after a failover
means that even if you choose not to configure the HA group to synchronize MTA
spool directories during normal operation, the email in the MTA directories on the
failed primary unit can still be delivered after a failover as long as the failed
primary unit can be restarted.
Even if the HA group synchronizes MTA spool directories, because the
synchronization is periodic, there is a chance that some of the email in these
directories will not be synchronized when a failover occurs. This is especially true
for the outgoing mail queue, the content of which changes very rapidly.
FortiMail HA uses the following mechanism to make sure that after a failover
occurs, email messages in the failed primary unit MTA spool directories are not
lost.
Note: If the effective operating mode of the failed primary unit is FAILED, a sequence
similar to the following occurs automatically when the problem that caused the failure
is corrected.

1. After a failover the former backup unit operates as the new primary unit.

2. The primary unit that failed starts up again, detects the presence of the new
   primary unit, and becomes a backup unit.
   Note: You may have to manually restart the failed primary unit.

3. The new backup unit synchronizes its MTA spool directories with the new primary
   unit MTA spool directories.
   This synchronization takes place over the heartbeat link between the primary and
   backup FortiMail units. Synchronizing the MTA spool directories prevents
   duplicate email messages from getting into the primary unit MTA spool directories.

4. The new primary unit continues to deliver the email messages in its MTA spool
   directories, including the email messages synchronized from the new backup unit.

HA network interface configuration in master mode


Using the FortiMail HA network interface configuration in master mode settings
you can modify how FortiMail network interfaces function when two FortiMail units
are operating as an active-passive HA group and you can control how the network
interface configuration changes during a failover. The FortiMail HA network
interface configuration in master mode that you select depends on the FortiMail
mode that the HA group is operating in (gateway, transparent, or server) and on
how the FortiMail HA group connects to your network.
A config only HA group heartbeat interface configuration consists of selecting the
primary heartbeat interface and configuring the heartbeat interface IP addresses
of the primary unit and the backup units. Then you must configure the IP
addresses of the remaining interfaces of each of the FortiMail units in the HA
group according to the requirements of your network.

Adding an IP address to an HA group interface using HA virtual IP addresses

Changing the IP address of an HA group interface

Removing an interface from an HA group

Example config only HA network interface configuration

Adding an IP address to an HA group interface using HA virtual IP addresses


Figure 136 shows two FortiMail-400 units operating as an HA group in gateway
mode. In this configuration the port6 interfaces are connected together with a
cross-over cable to form the primary heartbeat link. The port1 interfaces of each
FortiMail unit are connected to the same switch and this switch is connected to the
network.

Figure 136: Example FortiMail-400 HA network connections
[Diagram labels: Internal network, Mail Server, Internet, Network Switch, HA Group, Primary unit, Switch for port1 interfaces, Primary Heartbeat Link, Backup unit]

For mail sessions to continue to be processed by the new primary unit after a
failover, the new primary unit must have the same IP addresses as the original
primary unit. In most HA configurations you would use FortiMail HA virtual IP
addresses to make this happen. When a FortiMail HA group is operating, network
interfaces that send and receive email or that users connect to for Webmail
access are configured with HA virtual IP addresses. All email transactions and
Webmail connections use these virtual IP addresses.
When the HA group is operating, the virtual IP addresses are associated with
primary unit network interfaces. As a result all email is processed by the primary
unit. After a failover, the virtual IP addresses are associated with the new primary
unit interfaces. As a result, after a failover all email is processed by the new
primary unit (originally the backup unit).

Outgoing traffic is sent from the virtual IP address


Adding a virtual IP address to a FortiMail interface gives the interface two IP
addresses: the virtual IP address and the actual IP address. The interface can
receive traffic sent to both of these IP addresses.
Normally you would configure your network (MX records, firewall policies, routing
and so on) so that clients and mail services use the virtual IP address. All replies
to sessions with the virtual IP address include the virtual IP address as the source
address.
All replies to sessions with the actual IP address include the actual IP address as
the source address.
All outgoing sessions that originate from this interface also use the virtual IP
address of the interface and not the actual IP address. This means that all
outbound mail or relayed mail packets sent from a FortiMail primary unit interface,
configured with a virtual IP address, will have the virtual IP address of the primary
unit interface as the source IP address. If you are using this interface to send
outgoing email, you should configure your network devices (such as NAT
firewalls) to process traffic from the virtual primary unit interface IP address.

DNS and firewall settings for the HA virtual IP configuration


Incoming traffic can only connect to the virtual IP address of the FortiMail unit
operating as a primary unit. A single MX record pointing at the virtual IP address is
sufficient for all incoming client and SMTP email traffic to connect to this virtual IP
address.
For outgoing traffic, if the FortiMail HA group is configured with public IP
addresses and if you are using the virtual IP configuration, you still only require 1
public IP address for the virtual IP address. However, you may want two
additional public addresses: one for the actual address of the primary unit
interface and one for the actual address of the backup unit interface. But these
two public IP addresses are not required.
However, if the FortiMail HA group is installed behind a NAT firewall, the virtual IP
address and the two actual IP addresses can all be private IP addresses. You can
then configure the NAT firewall so that outgoing traffic from the virtual IP address is
mapped to an external IP address. Only this single external IP address needs to
be resolvable and only packets from this external IP address are sent to external
MTAs.


Example configuration using HA virtual IP addresses


This example shows how HA virtual IP addresses can be implemented for a basic
FortiMail-400 gateway configuration. In a typical standalone FortiMail gateway
configuration, you could set the IP address of the port1 network interface of the
FortiMail-400 unit to 172.16.5.2. You can also add a DNS record called
examplegw.com that points to IP address 172.16.5.2 and an MX record for
fortimail.examplegw.com that also points to IP address 172.16.5.2. Then
users and email servers can use the DNS and MX records to connect to the port1
network interface of the FortiMail-400 unit.
To replicate the same configuration with a FortiMail HA group, you would set the
actual IP addresses of the port1 interfaces of the primary and backup units to
different IP addresses. Then, in the HA configuration, you would add a virtual IP
address to the port1 interface.
To configure FortiMail HA virtual IP addresses
1 Set the IP address of the primary unit port1 network interface to a new IP address
  (for example, 172.16.5.10).
2 Set the IP address of the backup unit port1 network interface to another new IP
  address (for example, 172.16.5.11).
3 Enable HA on the primary unit and add a virtual IP/netmask to the port1 network
  interface. Set the virtual IP address to 172.16.5.2.
  Note: Because of this virtual IP address configuration, port1 of the primary unit can receive
  packets sent to IP address 172.16.5.10 and 172.16.5.2. All packets sent from the primary
  unit port1 interface will have a source IP address of 172.16.5.2 (the virtual IP address).
  After a failover, all packets sent from the backup unit port1 interface will have a source IP
  address of 172.16.5.2.
4 Enable HA on the backup unit.
  FortiMail HA synchronizes the HA network interface configuration from the
  primary unit to the backup unit.
When the HA group is operating, the primary unit port1 network interface has a
virtual IP of 172.16.5.2. Users and email servers use DNS and MX records to
connect to the port1 network interface of the primary unit. Administrators can
manage the primary unit by connecting to 172.16.5.2 (the virtual IP address of
port1) or 172.16.5.10 (the actual IP address of port1). Administrators can manage
the backup unit by connecting to 172.16.5.11 (the IP address of port1 of the
backup unit).
Note: The configuration example, Gateway mode active-passive HA configuration on
page 320 uses HA network interface virtual IP addresses as well as other HA network
interface settings.


Figure 137: Example FortiMail-400 HA virtual IP address configuration
[Figure: network diagram. DNS record examplegw.com=172.16.5.2; MX record fortimail.examplegw.com=172.16.5.2. Primary unit: port1 virtual IP 172.16.5.2, port1 IP 172.16.5.10. Backup unit: port1 IP 172.16.5.11. The port1 interfaces of the HA group connect to a switch, and a heartbeat link joins the primary and backup units.]
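An added example (not from the FortiMail guide): a small Python audit that checks mail-related DNS records and a NAT firewall's source mappings against the virtual IP address plan above. The record and rule structures, the external address 203.0.113.25, and the names HAPlan and audit are assumptions constructed for illustration.

```python
"""Audit DNS records and NAT source mappings against an HA virtual IP plan.

Constructed example: the structures below are illustrative inputs, not a
FortiMail, DNS server or firewall export format.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class HAPlan:
    virtual_ip: str   # address that follows whichever unit is primary
    primary_ip: str   # actual port1 address of the primary unit
    backup_ip: str    # actual port1 address of the backup unit


def audit(plan, dns_records, nat_sources=None):
    """Return a list of findings; an empty list means the plan is consistent.

    dns_records: iterable of (name, record_type, resolved_ip).
    nat_sources: dict of internal source IP -> external IP, or None when the
                 HA group uses public addresses and no NAT firewall.
    """
    vip = ip_address(plan.virtual_ip)
    actual = {ip_address(plan.primary_ip), ip_address(plan.backup_ip)}
    findings = []

    if len(actual | {vip}) != 3:
        findings.append("plan: the virtual IP and both actual IPs must all differ")

    targets = set()
    for name, rtype, target in dns_records:
        addr = ip_address(target)
        targets.add(addr)
        if addr in actual:
            # A record aimed at an actual address stays with one physical
            # unit, so clients lose service when that unit is not primary.
            findings.append(
                f"dns: {rtype} {name} -> {target} is an actual unit address; "
                f"point it at the virtual IP {plan.virtual_ip}")
    if vip not in targets:
        findings.append(f"dns: no record resolves to the virtual IP {plan.virtual_ip}")

    if nat_sources is not None:
        # Outgoing sessions use the virtual IP as their source address, so
        # that is the address the NAT firewall has to translate.
        if vip not in {ip_address(src) for src in nat_sources}:
            findings.append(
                f"nat: no source mapping for the virtual IP {plan.virtual_ip}")
    return findings


# Address plan from the example above.
PLAN = HAPlan("172.16.5.2", "172.16.5.10", "172.16.5.11")

# Constructed sample inputs: one consistent set, one with two mistakes.
GOOD_DNS = [("examplegw.com", "A", "172.16.5.2"),
            ("fortimail.examplegw.com", "MX", "172.16.5.2")]
GOOD_NAT = {"172.16.5.2": "203.0.113.25"}
BAD_DNS = [("examplegw.com", "A", "172.16.5.2"),
           ("fortimail.examplegw.com", "MX", "172.16.5.10")]
BAD_NAT = {"172.16.5.10": "203.0.113.25"}

if __name__ == "__main__":
    for finding in audit(PLAN, BAD_DNS, BAD_NAT):
        print(finding)
```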

Changing the IP address of an HA group interface


Using HA virtual IPs is the most common HA network interface configuration in
master mode. However, you can also use the HA network interface option set
interface IP/netmask to change the IP address of any primary unit interface when
the primary unit is operating in HA mode. If a failover occurs, the IP address of
this interface is changed on the new primary unit as well.
If an interface is set to set interface IP/netmask, the actual IP address of the
interface is disabled for the primary unit and the backup unit. This means that you
can only connect to the primary unit interface using this IP address and that you
cannot connect to the backup unit using this interface.
Changing the IP address of an HA group interface using set interface IP/netmask
replaces the actual IP address of the interface with the set IP address. The
interface has only one IP address, unlike the virtual IP address configuration,
which results in the interface having two IP addresses.
Note: The configuration example, Gateway mode active-passive HA configuration on
page 320 uses the HA network interface set interface IP/netmask option as well as other
HA network interface settings.

Removing an interface from an HA group


If you are not using a FortiMail interface for network traffic, management, or for HA
traffic, you can use the HA network interface configuration in master mode do
nothing option to remove the interface from the HA group. Removing the interface
means nothing is done with the interface during a failover. It also means that the
primary unit will not monitor this interface.


Note: The configuration example, Gateway mode active-passive HA configuration on
page 320 uses the HA network interface do nothing option as well as other HA network
interface settings.

Example config only HA network interface configuration


This example config only HA network interface configuration uses a config mode
HA group of three FortiMail-400 units. The port6 interface of each FortiMail unit
is used for HA communications, so these interfaces are connected together with
a switch.
The port1 interfaces of each FortiMail unit are connected to a load balancer. The
port1 interface of each FortiMail unit has a different IP address so that the load
balancer can send traffic to each FortiMail unit.
Figure 138: Example FortiMail-400 config only heartbeat interface configuration
[Figure: network diagram of the config mode HA group. Primary unit: port1 IP 172.16.5.1, primary heartbeat port6, local IP 10.0.0.1. Backup unit 1: port1 IP 172.16.5.2, peer 1 IP 10.0.0.2. Backup unit 2: port1 IP 172.16.5.3, peer 2 IP 10.0.0.3. The port1 interfaces connect to a load balancer and the heartbeat interfaces connect to a switch.]


To configure the FortiMail config only HA group
1 Configure the primary unit:
  • Go to System > HA > Configuration.
  • Set Mode of Operation to config master.
  • Set Primary Heartbeat to port6.
  • Set Local IP Address to 10.0.0.1.
  • Change Config Daemon settings as required.
  • Add the IP addresses of both peer systems (10.0.0.2 and 10.0.0.3).
  • Go to System > Network > Interface and set the IP address of the port1
    interface to 172.16.5.1.

Figure 139: Example config only HA primary unit HA configuration

2 Configure backup unit 1:
  • Go to System > HA > Configuration.
  • Set Mode of Operation to config slave.
  • Set Primary Heartbeat to port6.
  • Set Local IP address to 10.0.0.2.
  • Change Config Daemon settings as required.
  • Set the Master Configuration IP address to the local IP address of the primary
    unit (10.0.0.1).
  • Go to System > Network > Interface and set the IP address of the port1
    interface to 172.16.5.2.

Figure 140: Example config only HA backup unit 1 HA configuration

3 Configure backup unit 2:
  • Go to System > HA > Configuration.
  • Set Mode of Operation to config slave.
  • Set Primary Heartbeat to port6.
  • Set Local IP address to 10.0.0.3.
  • Change Config Daemon settings as required.
  • Set the Master Configuration IP address to the local IP address of the primary
    unit (10.0.0.1).
  • Go to System > Network > Interface and set the IP address of the port1
    interface to 172.16.5.3.
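An added example (not part of the FortiMail guide): a Python consistency check for the values entered in the three steps above, written to catch the cross-unit mistakes that are easy to make when each unit is configured by hand. The Unit structure, the unit names and check_group are assumptions made for illustration; the addresses are the ones from this procedure.

```python
"""Cross-check the settings of a planned config only HA group."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Unit:
    name: str
    mode: str                        # "config master" or "config slave"
    local_ip: str                    # Local IP Address on the heartbeat interface
    port1_ip: str                    # address the load balancer sends traffic to
    peers: frozenset = frozenset()   # config master only: peer system addresses
    master_ip: str = ""              # config slaves only: Master Configuration IP


def check_group(units):
    """Return a list of findings; an empty list means the plan is consistent."""
    masters = [u for u in units if u.mode == "config master"]
    slaves = [u for u in units if u.mode == "config slave"]
    if len(masters) != 1:
        return [f"expected exactly one config master, found {len(masters)}"]
    master = masters[0]
    findings = [f"{u.name}: unknown mode {u.mode!r}"
                for u in units if u.mode not in ("config master", "config slave")]

    # Heartbeat addresses and port1 addresses must each be unique per unit.
    for attr, label in (("local_ip", "heartbeat local IP"), ("port1_ip", "port1 IP")):
        seen = {}
        for u in units:
            value = getattr(u, attr)
            if value in seen:
                findings.append(f"{label} {value} is used by both {seen[value]} and {u.name}")
            seen[value] = u.name

    # Every config slave must pull its configuration from the master's local IP.
    for s in slaves:
        if s.master_ip != master.local_ip:
            findings.append(f"{s.name}: Master Configuration IP {s.master_ip} is not "
                            f"the primary unit local IP {master.local_ip}")

    # The master's peer list must match the slaves' heartbeat addresses exactly.
    slave_ips = {s.local_ip for s in slaves}
    for ip in sorted(slave_ips - master.peers):
        findings.append(f"{master.name}: peer list is missing {ip}")
    for ip in sorted(master.peers - slave_ips):
        findings.append(f"{master.name}: peer {ip} matches no config slave")
    return findings


# The group exactly as configured in the procedure above.
GROUP = [
    Unit("primary", "config master", "10.0.0.1", "172.16.5.1",
         peers=frozenset({"10.0.0.2", "10.0.0.3"})),
    Unit("backup1", "config slave", "10.0.0.2", "172.16.5.2", master_ip="10.0.0.1"),
    Unit("backup2", "config slave", "10.0.0.3", "172.16.5.3", master_ip="10.0.0.1"),
]

# Constructed faulty variant: backup2 reuses backup1's port1 address and
# points its Master Configuration IP at backup1 instead of the primary.
BROKEN = GROUP[:2] + [replace(GROUP[2], port1_ip="172.16.5.2", master_ip="10.0.0.2")]

if __name__ == "__main__":
    for finding in check_group(BROKEN):
        print(finding)
```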

HA log messages, alert email, and SNMP


Active-passive and config only HA groups support logging, alert email, and SNMP.
You configure logging and alert email on the primary unit. When the configuration
changes are synchronized to the backup unit or units, all of the FortiMail units in
the HA group record separate log messages and send separate alert email
messages.
You configure SNMP separately for each FortiMail unit in an HA group. If you
enable SNMP for all of the FortiMail units in the HA group, all of the units can send
SNMP traps. You can also use an SNMP server to monitor the primary and
backup units for HA settings such as the HA configured and effective operating
modes.
HA does not synchronize log messages between the primary unit and the backup
unit. During normal operation the primary unit sends log messages to a remote
host or saves log messages on the primary unit local disks. The backup unit or
units send log messages to a remote host or save log messages on the backup
unit local disks. Log messages are not lost during a failover. After a failover the
new primary unit uses the same Log & Report configuration to send or save log
messages as does the backup unit.
The backup unit can only send alert email messages and SNMP traps if at least
one of its interfaces (or the management interface in transparent mode) has an IP
address and is connected to your network.
You can use logging to a remote host, alert email, and SNMP to monitor a
FortiMail active-passive or config only HA group for failover messages and other
HA event messages. Monitoring the HA group in this way may aid in quick
discovery and diagnosis of HA problems. For information about how to configure
logging, alert email, and SNMP to monitor HA events, see Sending HA log
messages to a remote syslog server on page 298, Sending alert email for HA
events on page 299, Sending SNMP traps for HA events on page 299, and
Getting the HA information using SNMP on page 300.


See Restarting the HA processes on a stopped primary unit on page 306 for
sample HA log message and alert email.

• Recording HA log messages on the primary and backup unit hard disks
• Sending HA log messages to a remote syslog server
• Sending alert email for HA events
• Sending SNMP traps for HA events
• Getting the HA information using SNMP

Recording HA log messages on the primary and backup unit hard disks
Use the following steps to configure the primary and backup units in an HA group
to record HA log messages on their hard disks. This configuration is synchronized
to all FortiMail units in the HA group. Any of the units in the HA group will record a
log message when that unit detects an HA event.
To record HA log messages on the primary and backup unit hard disks
1 Log into the primary unit web-based manager.
2 Go to Log & Report > Log Setting.
3 Select Log to Local Disk.
4 Set Level to Information to generate all HA messages.
  You can also set Level to Warning if you just want to generate HA log messages
  when a problem occurs. A problem could be a failover or a synchronization
  problem and so on.
5 Select Config Policy.
6 Select Event Log and under Event log select HA activity event.
7 Select OK and Apply.

Sending HA log messages to a remote syslog server


Use the following steps to configure the primary and backup units in an HA group
to send HA log messages to a remote syslog server. This configuration is
synchronized to all FortiMail units in the HA group. Any of the units in the HA
group will send a log message to the remote syslog server when that unit detects
an HA event.
To send HA log messages to a remote syslog server
1 Log into the primary unit web-based manager.
2 Go to Log & Report > Log Setting.
3 Select Log to Remote Host.
4 Add the IP address of your syslog server.
5 Change the Port if your syslog server receives log messages on a custom TCP
  port.
  The most commonly used TCP port number for syslog messages is 514.
6 Set Level to Information to generate all HA messages.
  You can also set Level to Warning if you just want to generate HA log messages
  when a problem occurs. A problem could be a failover or a synchronization
  problem and so on.
7 Select Config Policy.
8 Select Event Log and under Event log select HA activity event.
9 Select OK and Apply.

Sending alert email for HA events


Use the following steps to configure a FortiMail HA group to send alert email
messages when HA events occur. This configuration is synchronized to all
FortiMail units in the HA group. Any of the units in the HA group will send an alert
email when that unit detects an HA event.
When a FortiMail unit operating in HA mode sends an alert email, the subject line
of the alert email includes the host name of the FortiMail unit that sent the alert
email. The subject line contains the alert email title followed by the FortiMail unit
host name in square brackets. If the different FortiMail units in the HA group all
have different host names you can identify the FortiMail unit that sent the alert
email according to the host name in the alert email subject.
To send alert email messages for HA events
1 Log into the primary unit web-based manager.
2 Go to Log & Report > Alert Email.
3 Add email addresses of the system administrators who should receive HA alert
  email messages.
4 Select Apply.
  You can select Test to confirm that the primary unit can successfully send alert
  email messages to your addresses. You can also log into the backup unit
  web-based manager and select Test to confirm that the backup unit can
  successfully send alert email messages to your addresses.
5 Go to Log & Report > Alert Email > Categories.
6 Select HA events.
7 Select OK.

Sending SNMP traps for HA events


Use the following steps to configure all of the units in a FortiMail HA group to send
SNMP traps when HA events occur. You configure SNMP separately for each
FortiMail unit in an HA group. If you enable SNMP for all of the FortiMail units in
the HA group all of the units can send SNMP traps for HA events.
To send SNMP traps for HA events
1 Log into the primary unit web-based manager.
2 Go to System > Config > SNMP v1/v2c.
3 Enable the SNMP agent.
4 Add a new community or edit a community that has already been added.
5 Configure the community as required.
6 Select HA event.
7 Select OK.
8 Repeat these steps for all the backup units in the HA group.


Getting the HA information using SNMP


You can use an SNMP server to get information about how FortiMail HA is
operating. The FortiMail MIB (fortimail.mib) and the FortiMail trap MIB
(fortimail.trap.mib) include the HA fields listed in Table 16.
Table 16: New HA FortiMail MIB and FortiMail trap MIB fields

MIB field            Description

fortimail.mib
fmlHAEventId         The ID of the most recent HA event.
fmlHAUnitIp          The IP address of the port1 interface of the FortiMail unit
                     on which an HA event occurred.
fmlHAEventReason     A description of the reason for the HA event.
fmlHAMode            The HA configured operating mode. The HA operating mode
                     that you have configured the FortiMail unit to operate in.
                     Configured operating mode can be MASTER (primary unit) or
                     SLAVE (backup unit).
fmlHAEffectiveMode   The effective HA operating mode. The HA operating mode
                     that the FortiMail unit is currently operating in. The
                     effective operating mode matches the configured operating
                     mode unless a failure has occurred.

fortimail.trap.mib
fmlTrapHAEvent       The FortiMail HA trap that is sent when an HA event occurs.
                     This trap includes the contents of the fmlSysSerial,
                     fmlHAEventId, fmlHAUnitIp, and fmlHAEventReason MIB fields.

HA and storing FortiMail mail data on a NAS Server


You can go to Mail Settings > Settings > Storage to select the location at which
the FortiMail unit stores mail data. Mail data consists of the FortiMail system mail
directory, user home directories, and MTA spool directories. By default the
FortiMail unit stores mail data on the FortiMail unit hard disk. From
Mail Settings > Settings > Storage you can select NAS Server to store mail data
on a remote Network Attached Storage (NAS) server using NFS. If you select to
store mail data on a NAS server, the FortiMail unit uses the NAS server in the
same way as it uses the FortiMail unit hard disk.
Storing mail data on a NAS server may have a number of benefits for your
organization. For example, backing up your NAS server regularly can help prevent
loss of FortiMail mail data. Also, if your FortiMail unit experiences a temporary
failure you can still access the mail data on the NAS server. And when the
FortiMail unit restarts the unit can usually continue to access and use the mail
data stored on the NAS server.
This section describes how storing mail data on a NAS server can affect FortiMail
HA operation and also recommends some HA configuration settings if you are
using a NAS server with FortiMail HA.


• Active-passive HA and storing mail data on a NAS server
• Config only HA and storing mail data on a NAS server


Active-passive HA and storing mail data on a NAS server


For a FortiMail HA group operating in active-passive HA mode, the primary unit
reads and writes all mail data to and from the NAS server in the same way as a
standalone unit. If a failover occurs, the new primary unit uses the same NAS
server for mail data. The new primary unit can access all of the mail data stored
on the NAS server by the original primary unit. So if you are using a NAS server to
store mail data, after a failover the new primary unit continues operating with no
loss of mail data.
Using a NAS server in this way is an effective replacement for enabling HA mail
data synchronization (see Synchronizing FortiMail mail data on page 288). Mail
data synchronization is intended to provide a backup copy of mail data on the
backup unit so that if a failover occurs mail data is not lost. As mentioned above,
you can achieve the same result by using a NAS server.
In fact, if you are using a NAS server you should disable mail data
synchronization. If mail data synchronization is enabled for a FortiMail
active-passive HA group that is using a NAS server for mail data, both the primary and
backup units have the same NAS server configuration and so both would store
mail data at the same location on the same NAS server. There is no benefit to
storing mail data twice to the same location. So mail data synchronization should
be turned off to save CPU cycles and network bandwidth.

Config only HA and storing mail data on a NAS server


For a FortiMail HA group operating in config only HA mode, all of the units in the
HA group use the same NAS server for storing mail data. Each FortiMail unit
maintains its own mail data on the NAS server. Mail data is not synchronized
between the units in a config only HA group.
Also, in a NAS server configuration, only the primary unit sends spam reports to
email users. The primary unit also acts as a proxy between email users and the
NAS server when email users use FortiMail web mail to access quarantined email
and to configure their own Bayesian filters.

Changing the FortiMail firmware for an operating HA group


You can upgrade the FortiMail firmware of an operating HA group without
interrupting the normal operation of the HA group. The following procedure
describes upgrading the primary unit firmware first. After the primary unit firmware
upgrade is complete and the primary unit is functioning normally, the next step is
to upgrade the backup unit firmware.
Similar to upgrading the firmware of a standalone FortiMail unit, normal mail
processing is temporarily interrupted while the primary unit firmware upgrades.
Upgrading the firmware of the backup unit does not affect normal mail processing.
The following procedure describes how to upgrade the firmware from the FortiMail
web-based manager. You can use a similar procedure to upgrade the firmware
from the FortiMail CLI.
To upgrade HA group firmware
1 Log into the primary unit web-based manager.
2 Upgrade the primary unit firmware.
  See Changing the FortiMail firmware on page 75 for details. During the upgrade
  the primary unit temporarily stops processing email.
  During a firmware upgrade, the primary unit lets the backup unit know that a
  firmware upgrade is taking place. The HA daemon operating on the backup unit
  stops checking the status of the primary unit for a short time. Once the firmware
  upgrade is complete, the primary unit lets the backup unit know to resume normal
  operation. The backup unit waits a few minutes for this signal and, if it is not
  received, the backup unit resumes checking the primary unit. If the primary unit
  has failed during the firmware upgrade, the backup unit fails over and becomes
  the new primary unit.
3 Log into the backup unit web-based manager.
4 Upgrade the backup unit firmware.
  See Changing the FortiMail firmware on page 75 for details.
  After the backup unit firmware upgrade is complete, the backup unit synchronizes
  configuration information and mail data with the primary unit.
5 If you are operating a config only HA group, you can repeat steps 3 and 4 for each
  backup unit.


Viewing and changing HA status


Connect to the web-based manager of the primary unit or the backup unit and go
to System > HA > Status to view the HA status of the unit. On the primary unit,
HA status consists of the HA Mode status of the primary unit. HA Mode status
displays the configured and effective operating mode of the primary unit.
On the backup unit, HA status consists of the HA Mode status of the backup unit
as well as the HA Daemon status of the backup unit.
FortiMail units in a config only HA group only operate in their configured operating
mode. The effective operating mode does not apply to config only HA. The config
primary unit only operates in config master mode and the config backup units only
operate in config slave mode.


• Viewing HA mode status
• Viewing HA Daemon status
• Forcing the HA group to synchronize configuration and mail data
• Resetting a FortiMail unit to its configured HA operating mode
• Restarting the HA processes on a stopped primary unit


Viewing HA mode status


On the primary or backup unit, you can go to System > HA > Status to view the
effective operating mode and configured operating mode of the primary or backup
unit.
Figure 141:Normal primary unit active-active HA mode status

Figure 142:Normal primary unit config only HA mode status

A FortiMail unit configured for HA operation has two operating modes:

Configured Operating Mode   The HA operating mode that you have configured the
                            unit to operate in. Configured operating mode can be
                            MASTER (primary unit) or SLAVE (backup unit).
Effective Operating Mode    The HA operating mode that the unit is currently
                            operating in. The effective operating mode matches
                            the configured operating mode unless a failure has
                            occurred.

During normal operation the configured and effective operating modes of each
FortiMail unit in the HA group match. If a failover occurs, the configured and
effective operating modes may not match. For example, after a failover, the
backup unit becomes the primary unit. The effective operating mode of the new
primary unit is changed to MASTER (primary), but the configured operating mode
is SLAVE (backup).
Depending on the On Failure setting the failed primary unit effective operating
mode could be OFF or FAILED. If the effective operating mode is FAILED, after
the problem that caused the failure is corrected the effective operating mode
could change to BACKUP or MASTER depending on the On Failure setting. See
HA Main configuration options on page 310 for more information about setting
On Failure.
If the failed primary unit restarts, the failed primary unit will find the new primary
unit and switch to operating as the new backup unit. So, after a failure the
effective operating mode of a restarted primary unit is SLAVE (backup) while the
configured operating mode of this unit is MASTER (primary). See Table 17 for
more examples of configured and effective operating modes.


Table 17: Configured and effective operating modes

Configured       Effective
operating mode   operating mode   Description

MASTER           MASTER           Normal operation for a FortiMail unit configured to be
                                  the primary unit and operating as the primary unit.

SLAVE            SLAVE            Normal operation for a FortiMail unit configured to be
                                  the backup unit and operating as the backup unit.

MASTER           OFF              A FortiMail unit configured to be the primary unit has
                                  detected a failure. The effective operating mode can
                                  also display OFF if the FortiMail unit is in the process
                                  of switching to operating in HA mode.

SLAVE            OFF              A FortiMail unit configured to be the backup unit has
                                  experienced a failure. The effective operating mode can
                                  also display OFF if the FortiMail unit is in the process
                                  of switching to operating in HA mode.
                                  In some special cases, after the backup unit starts up
                                  and connects with the primary unit to form an HA group,
                                  the first configuration synchronization fails. If the
                                  first configuration synchronization fails, the backup
                                  unit effective operating mode changes to OFF.
                                  If subsequent configuration synchronization fails, the
                                  backup unit assumes that the primary unit has failed and
                                  the backup unit effective operating mode becomes MASTER.
                                  Switching to the OFF effective operating mode if the
                                  first configuration synchronization after startup fails
                                  prevents both the backup unit and the primary unit from
                                  operating as primary units at the same time.

MASTER           FAILED           A FortiMail unit configured to be the primary unit has
                                  switched to FAILED mode because remote service
                                  monitoring or local network interface monitoring
                                  detected a failure of the primary unit and On Failure is
                                  set to wait for recovery and then restore original role
                                  or wait for recovery then assume slave role.
                                  If the effective operating mode is FAILED, the primary
                                  unit uses remote service monitoring to attempt to
                                  connect to the other FortiMail unit. If the problem that
                                  caused the failure is corrected, the unit effective
                                  operating mode switches from FAILED to SLAVE or to match
                                  the configured operating mode (depending on the On
                                  Failure setting).
                                  Also for the backup unit of a FortiMail HA group
                                  operating in transparent mode, if the effective
                                  operating mode changes to FAILED, on System > Network >
                                  Interface the interface status shows bridging (waiting
                                  for recovery).

MASTER           SLAVE            A FortiMail unit configured to be the primary unit has
                                  experienced a failure but then returned to operation.
                                  When the failure occurred the unit configured to be the
                                  backup unit became the primary unit. Then the unit
                                  configured to be the primary unit restarted, found the
                                  other primary unit and so switched to operating as the
                                  backup unit.

SLAVE            MASTER           A FortiMail unit configured to be the backup unit has
                                  registered that the FortiMail unit configured to be the
                                  primary unit failed. When the failure occurred the unit
                                  configured to be the backup unit became the primary
                                  unit.

MASTER CONFIG    N/A              Normal operating mode for a FortiMail unit configured as
                                  a primary unit in a config only HA group.

SLAVE CONFIG     N/A              Normal operating mode for a FortiMail unit configured as
                                  a backup unit in a config only HA group.
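An added example, not Fortinet code: one way a monitoring script could interpret the configured and effective operating modes in Table 17 for an active-passive pair, including the case where both units report MASTER after the heartbeat link is lost. It assumes fmlHAMode and fmlHAEffectiveMode have already been polled from each unit and decoded to the strings used in the table; the unit names, severities and sample states are constructed.

```python
"""Evaluate an active-passive HA pair from configured and effective modes."""
from dataclasses import dataclass

SEVERITY = {"ok": 0, "warning": 1, "critical": 2}


@dataclass(frozen=True)
class UnitState:
    name: str
    configured: str   # value of fmlHAMode: MASTER or SLAVE
    effective: str    # value of fmlHAEffectiveMode: MASTER, SLAVE, OFF or FAILED


def classify_unit(u):
    """Map one unit's (configured, effective) pair to (severity, meaning)."""
    if u.configured not in ("MASTER", "SLAVE"):
        return ("critical", f"unexpected configured mode {u.configured!r}")
    if u.effective == u.configured:
        return ("ok", "normal operation")
    if u.effective == "OFF":
        return ("critical", "failure detected, or unit is still switching to HA mode")
    if u.effective == "FAILED":
        return ("critical", "monitoring detected a failure; waiting for recovery")
    if (u.configured, u.effective) == ("SLAVE", "MASTER"):
        return ("warning", "backup unit has taken over as primary (failover)")
    if (u.configured, u.effective) == ("MASTER", "SLAVE"):
        return ("warning", "configured primary rejoined as backup after a failover")
    return ("critical", f"unexpected effective mode {u.effective!r}")


def evaluate_group(units):
    """Return (worst_severity, findings); findings are (source, severity, text)."""
    findings = [(u.name,) + classify_unit(u) for u in units]

    # Group-level check: exactly one unit should be acting as primary.
    primaries = [u.name for u in units if u.effective == "MASTER"]
    if not primaries:
        findings.append(("group", "critical", "no unit is operating as primary"))
    elif len(primaries) > 1:
        findings.append(("group", "critical",
                         ", ".join(primaries) + " are all operating as primary; "
                         "check the heartbeat link before resetting modes"))

    worst = max((f[1] for f in findings), key=SEVERITY.get)
    return worst, findings


# Constructed sample states for a two-unit group.
NORMAL = [UnitState("fm-a", "MASTER", "MASTER"), UnitState("fm-b", "SLAVE", "SLAVE")]
FAILOVER = [UnitState("fm-a", "MASTER", "SLAVE"), UnitState("fm-b", "SLAVE", "MASTER")]
HEARTBEAT_LOST = [UnitState("fm-a", "MASTER", "MASTER"), UnitState("fm-b", "SLAVE", "MASTER")]
PRIMARY_FAILED = [UnitState("fm-a", "MASTER", "FAILED"), UnitState("fm-b", "SLAVE", "MASTER")]

if __name__ == "__main__":
    for label, states in (("normal", NORMAL), ("failover", FAILOVER),
                          ("heartbeat lost", HEARTBEAT_LOST),
                          ("primary failed", PRIMARY_FAILED)):
        worst, findings = evaluate_group(states)
        print(f"{label}: {worst}")
        for source, severity, text in findings:
            print(f"  [{severity}] {source}: {text}")
```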


Viewing HA Daemon status


On the backup unit, you can go to System > HA > Status to view the HA Daemon
status of the HA group. The HA Daemon status contains information about the last
time the backup unit checked the status of the primary unit and the last time the
FortiMail configuration and mail data was synchronized from the primary unit to
the backup unit.
Figure 143:Example HA Daemon status

Monitor         The time at which the backup unit HA daemon will check to make sure
                that the primary unit is operating correctly. This checking takes
                place across the heartbeat link between the primary and backup
                units. If the heartbeat link becomes disconnected, the next time
                the backup unit checks for the primary unit, the primary unit will
                not respond, so the backup unit will assume that the primary unit
                has failed and become the primary unit.
                Change monitor timing using the HA Daemon Heartbeat setting. See
                HA daemon configuration options on page 313.

Configuration   The time at which the backup unit HA daemon will synchronize the
                FortiMail configuration from the primary unit to the backup unit.
                Change configuration synchronization timing using the HA Daemon
                Configuration setting. See HA daemon configuration options on
                page 313.
                The message "slave unit is currently synchronizing" is displayed
                when the HA daemon is synchronizing the configuration.

Data            The time at which the backup unit HA daemon will synchronize mail
                data from the primary unit to the backup unit.
                Change data synchronization timing using the HA Daemon Data
                setting. See HA daemon configuration options on page 313.
                The message "slave unit is currently synchronizing" is displayed
                when the HA daemon is synchronizing data.

Forcing the HA group to synchronize configuration and mail data


Use the following procedure to force the backup unit to synchronize its
configuration and mail data with the primary unit. In a functioning HA group you
can run this procedure from the backup unit or from the primary unit. In both cases
it is the backup unit that requests information and data from the primary unit. This
procedure applies to active-passive and config only HA groups.
To force an HA group to synchronize the FortiMail configuration and mail
data
1 From either the primary or backup unit web-based manager, go to System > HA >
  Status.
2 Select click HERE to start a configuration/data resync.
  The synchronization can take a few minutes.

Resetting a FortiMail unit to its configured HA operating mode


If the configured operating mode and effective operating mode of a FortiMail unit
in a HA group do not match, you can use the following procedure to reset the unit
to its configured HA operating mode. You can run this procedure from the primary
unit or backup unit when the click HERE to restore configured operating mode
option appears on the HA status page.
This procedure is only necessary if the normal operation of the HA group has
been affected by a failure of some kind and you want to restore the HA group or
one of the units in the HA group to normal operation. Before completing this
procedure you should resolve any problems that could have caused a failure.
For example, if the heartbeat interfaces of the primary and backup units are
disconnected, the backup unit effective operating mode will change to MASTER
(primary). Before resetting the operating mode of the backup unit you should
reconnect the heartbeat interfaces.
If you do find and resolve the problem that caused the effective operating mode of
one or both FortiMail units in an HA group to change, you can use the following
procedure to successfully reset the operating modes of both FortiMail units and
resume normal operation of the FortiMail HA group.
Figure 144:Restoring the configured operating mode

To restore the effective operating mode of a FortiMail unit


This procedure only restores the operating mode of the current unit. If you want to
restore the operating modes of both units in an HA group you must complete this
procedure separately for each unit.
1  Go to System > HA > Status.

2  Select click HERE to restore configured operating mode.


The effective operating mode of the FortiMail unit becomes the same as the
configured operating mode.

Restarting the HA processes on a stopped primary unit


If you have configured local service monitoring (see Configuring HA primary unit
local services monitoring to monitor network interfaces and hard drives on
page 320) and the primary unit detects that an interface has failed, the primary unit
effective operating mode changes to OFF. The primary unit stops processing
email and all HA processes on the primary unit stop.


You can use the following steps to restart the HA processes on the primary unit.
Before restarting the HA processes on the primary unit you should find and
resolve the problem that caused the failure. If local service monitoring detects a
failure the primary unit sends alert email and records log messages with
information about the problem.
For example, if local service monitoring detects that port2 failed, the primary unit
records a log message similar to the following.
date=2005-11-18 time=18:20:31 device_id=FE-4002905500194
log_id=0107000000 type=event subtype=ha pri=notice user=ha
ui=ha action=unknown status=success msg="monitord: local
problem detected (port2), shutting down"
The primary unit (with host name primary-host-name) also sends an alert email
with the following content:
Subject: monitord: local problem detected (port2), shutting
down [primary-host-name]
This is the FortiMail HA unit at 10.0.0.1.
A local problem (port2) has been detected, telling remote to
take over and shutting down.
Figure 145:Status page after local service monitoring detected a failure

Resolving this problem could be as simple as reconnecting the port2 interface.
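The log record shown above can be picked out of an exported event log mechanically. The following is an added example, not part of the Fortinet guide: it re-joins records that are wrapped across lines, parses the key=value fields, and reports local service monitoring shutdowns. Only the first record comes from this page; the other sample lines, their device ID and log IDs are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# key=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# Message text as shown in the guide; the parenthesised part names the failed item
LOCAL_FAILURE_RE = re.compile(
    r'monitord: local problem detected \(([^)]+)\), shutting down')

# First record: from the guide, wrapped as printed. Remaining records: constructed.
SAMPLE_LOG = '''
date=2005-11-18 time=18:20:31 device_id=FE-4002905500194
log_id=0107000000 type=event subtype=ha pri=notice user=ha
ui=ha action=unknown status=success msg="monitord: local
problem detected (port2), shutting down"
date=2005-11-18 time=18:25:02 device_id=FE-EXAMPLE0000001 log_id=0000000000 type=event subtype=admin pri=notice msg="constructed sample: administrator login"
date=2005-11-19 time=02:11:45 device_id=FE-EXAMPLE0000001 log_id=0000000000 type=event subtype=ha pri=notice user=ha ui=ha msg="monitord: local problem detected (port3), shutting down"
date=2005-11-19 time=02:30:00 device_id=FE-EXAMPLE0000001 log_id=0000000000 type=event subtype=admin pri=notice msg="constructed sample: note quoting monitord: local problem detected (port9), shutting down"
'''


def join_records(text):
    """Re-join wrapped records; every record starts with 'date='."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("date=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(record):
    """Split one record into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(record):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def find_local_failures(text):
    """Return one dict per HA event in which monitord shut the unit down."""
    hits = []
    for record in join_records(text):
        fields = parse_record(record)
        # Require the HA subtype so that other records that merely quote the
        # message text (last sample line) are not reported.
        if fields.get("type") != "event" or fields.get("subtype") != "ha":
            continue
        match = LOCAL_FAILURE_RE.search(fields.get("msg", ""))
        if not match or "date" not in fields or "time" not in fields:
            continue
        when = datetime.strptime(fields["date"] + " " + fields["time"],
                                 "%Y-%m-%d %H:%M:%S")
        hits.append({"when": when,
                     "device_id": fields.get("device_id"),
                     "component": match.group(1)})
    return hits


if __name__ == "__main__":
    for hit in find_local_failures(SAMPLE_LOG):
        print(hit["when"].isoformat(), hit["device_id"], hit["component"])
```
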


To restart a stopped primary unit
Once the problem is resolved, use the following steps to restart the stopped
primary unit:
1  Log into the primary unit web-based manager.

2  Go to System > HA > Status.

3  Select click HERE to restart the HA system.


The primary unit restarts and rejoins the HA group.

Configuring HA options
Go to System > HA > Configuration to set HA configuration options. To
configure a FortiMail HA group you must set the HA configuration separately on
the primary unit and on the backup unit. The configuration of both units is very
similar except that you set the mode of operation of the primary unit to master and
the mode of operation of the backup unit to slave.
Config only HA options are similar to active-passive HA configuration options.
This section describes both active-passive HA options and config only HA
options.

Figure 146 shows a typical HA configuration for a FortiMail-400 unit operating as a
primary unit in gateway mode.
Figure 146:HA configuration example: primary unit operating in gateway mode

Figure 147 shows a typical HA configuration for a FortiMail-400 unit operating as a
backup unit in transparent mode.


Figure 147:HA configuration example: backup unit operating in gateway mode

Figure 148:Config only HA example: primary unit with three backup units


Figure 149:Config only HA example: backup unit

HA Main configuration options

HA daemon configuration options

HA interface configuration in master mode options (active-passive HA)

HA peer systems options (config only HA primary unit)

HA master configuration options (config only HA backup units)

HA Main configuration options


Set the main HA configuration options to switch a FortiMail unit into HA mode and
to configure other required HA settings. The HA main configuration options are not
synchronized and must be set separately on the primary and backup units.

Mode of Operation

On Failure (active-passive HA)

Primary Heartbeat

Secondary Heartbeat (active-passive HA)

Treat remote services as a heartbeat (active-passive HA)

Mode of Operation
Set the HA configured operating mode of the FortiMail unit. The FortiMail unit
switches to operating in the HA configured operating mode immediately after you
enter this command. The configured operating mode can be:


off if the FortiMail unit is not operating in HA mode.

master if the FortiMail unit is the primary unit in the HA group.

slave if the FortiMail unit is the backup unit in the HA group.

config master if the FortiMail unit is the primary unit in a config only HA group.

config slave if the FortiMail unit is a backup unit in a config only HA group.


On Failure (active-passive HA)


Control the behavior of a FortiMail unit in an active-passive HA group when
remote service monitoring detects a failure. In most cases you should set On
Failure to wait for recovery and then assume slave role. In this mode, when service
monitoring detects a failure the FortiMail unit effective operating mode changes to
FAILED. In FAILED mode the FortiMail unit can automatically recover, switch
to the SLAVE effective operating mode, and synchronize MTA spool directories
with the other FortiMail unit, which should be operating in the MASTER effective
operating mode. You can select one of the other options as well depending on
your requirements.
On failure can be:

Switch OFF, the FortiMail unit effective operating mode changes to OFF. The
FortiMail unit will not process mail or join the HA group until you manually
change the FortiMail unit effective operating mode to MASTER (primary) or
SLAVE (backup).

wait for recovery then restore original role, similar to the wait for recovery and
then assume slave role, the FortiMail unit effective operating mode changes to
FAILED when remote service monitoring detects a failure. However, in this
case on recovery the failed FortiMail unit effective operating mode switches
back to its configured operating mode. This behavior may be useful in some
scenarios but may cause problems in others.

wait for recovery and then assume slave role, the FortiMail unit effective
operating mode changes to FAILED when remote service or local network
interface service monitoring detects a failure. In FAILED mode the FortiMail
unit uses remote service monitoring to attempt to connect to the other FortiMail
unit in the HA group (which should be operating as the primary unit with
effective operating mode of MASTER). If you fix the problem that caused the
failure the failed FortiMail unit recovers by changing its effective operating
mode to SLAVE. The failed FortiMail unit then synchronizes the content of its
MTA spool directories to the FortiMail unit operating as the primary unit. The
primary unit can then deliver this email.

See Table 17 on page 304 for information about configured and effective
operating modes including OFF and FAILED. See Configuring active-passive HA
service monitoring on page 318 for information about local and remote service
monitoring.

Primary Heartbeat
Select the network interface to be used as the primary heartbeat interface. The
primary heartbeat interface is the primary heartbeat link between the units in the
HA group. The primary heartbeat link is used for the HA heartbeat and for HA
synchronization. The default primary heartbeat interface is the network interface
with the highest number. In most cases you would not have to select a different
network interface.
Note: The primary heartbeat interface configuration in master mode is set to do nothing
and this setting cannot be changed.

For information about the heartbeat interface and about HA heartbeat and HA
synchronization, see Configuring the HA heartbeat and synchronization
interface on page 286.


Caution: Using the same FortiMail network interface for user data and HA synchronization
is not supported.

Note: Isolate heartbeat interfaces from your user networks. Heartbeat and synchronization
packets contain sensitive configuration information and can consume considerable network
bandwidth. For an active-passive or a config only HA group consisting of only two FortiMail
units, directly connect the heartbeat interfaces using a crossover cable. For a config only
HA group consisting of more than two FortiMail units, connect the heartbeat interfaces to a
switch and do not connect this switch to your user networks.

The local IP is the primary heartbeat IP address for this FortiMail unit. When the
FortiMail unit is operating in HA mode, the primary heartbeat local IP appears on
the System > Network > Interface list for the heartbeat interface.
For the primary heartbeat you must configure the local IP and peer IP as follows:

The local IP of the primary unit must match the peer IP of the backup unit.
Normally you would set the local IP of the primary unit to 10.0.0.1.

The local IP of the backup unit must match the peer IP of the primary unit. In
an active-passive HA group you would normally set the local IP on the backup
unit to 10.0.0.2.

For an active-passive HA group the peer IP is the local IP of the other FortiMail
unit in the HA group. This is the IP address that the FortiMail unit expects to be
able to connect to using the primary heartbeat to find the other FortiMail unit in
the HA group.

The peer IP of the primary unit must match the local IP of the backup unit.
Normally you would set the peer IP of the primary unit to 10.0.0.2.

The peer IP of the backup unit must match the local IP of the primary unit.
Normally you would set the peer IP address of the backup unit to 10.0.0.1.

Local IP Address (config only HA)


For config only HA the local IP Address is the primary heartbeat IP address for
this FortiMail unit. When the FortiMail unit is operating in HA mode, the local IP
address appears on the System > Network > Interface list for the heartbeat
interface.
The local IP address of the primary unit must match the Master Configuration IP
address of the backup units. Normally you would set the local IP address of the
primary unit to 10.0.0.1.
You would normally set 10.0.0.2 as the local IP address of the first backup unit,
10.0.0.3 as the local IP address of the second backup unit, 10.0.0.4 as the local IP
address of the third backup unit, and so on.

Secondary Heartbeat (active-passive HA)


Optionally select the network interface to be used as the secondary heartbeat
interface. The secondary heartbeat interface is the backup heartbeat link between
the units in the HA group. If the primary heartbeat link is operating, the secondary
heartbeat link is used for the HA heartbeat. If the primary heartbeat link fails, the
secondary link is used for the HA heartbeat and for HA synchronization.


Note: The secondary heartbeat interface configuration in master mode is set to do nothing
and this setting cannot be changed.

Configuring the secondary heartbeat interface is optional. If you don't want to
configure a secondary heartbeat interface, set use to disabled.
You can also select any port if you don't want to use a specific interface as the
backup heartbeat interface. Selecting any port means that any interface with its
HA interface configuration in master mode set to do nothing can be used as the
secondary heartbeat interface.
Configure the secondary heartbeat local IP and peer IP in the same manner as for
the primary heartbeat. The secondary heartbeat peer IPs cannot be on the same
subnet as the primary heartbeat IPs.

Treat remote services as a heartbeat (active-passive HA)


Select this option so that if both the primary and secondary heartbeat links fail,
remote service monitoring takes over the role of the HA heartbeat. This means
that if remote service monitoring is enabled and both heartbeat links fail or
become disconnected, the FortiMail HA group can continue to operate.
Using remote services as heartbeat provides HA heartbeat only. HA
synchronization is only supported using the primary or secondary heartbeat. To
avoid synchronization problems, you should not use remote service monitoring as
a heartbeat for extended periods. This feature is intended only as a temporary
heartbeat solution that operates until you reestablish a normal primary or
secondary heartbeat link.

HA daemon configuration options


Change HA daemon configuration options to change the HA group shared
password and to change default HA heartbeat and synchronization settings. In
most cases you do not have to change any of the HA daemon settings. However,
you should change the shared password. Also, you may want to change HA
heartbeat and synchronization settings to improve failover protection or to reduce
the processing load used by the HA daemon to synchronize configuration and
mail data. The HA daemon shared password, Heartbeat, Configuration, and Data
configuration options are not synchronized and must be set separately on the
primary and backup units. The setting for the type of mail data to back up is set
on the primary unit and synchronized to the backup unit.

Shared Password
Enter a password for the HA group. The password must be the same
on the primary and backup unit.


Heartbeat (active-passive HA)
Set options used by the HA daemon for sending HA heartbeat
packets. Set the following options:

The TCP port used for HA heartbeat communications. The default
TCP port is 20000.

The interval at which the FortiMail units in the HA group send
HA heartbeat packets. The default test interval between HA
heartbeat packets is 5 seconds. The test interval range is 2 to 60
seconds. Heartbeat packets are sent at regular intervals so that
each FortiMail unit in an active-passive HA group can confirm that
the other unit in the group is functioning. If the primary unit detects
that the backup unit has failed the primary unit continues to
operate normally. If the backup unit detects that the primary unit
has failed, the HA effective operating mode of the backup unit
changes to MASTER and the backup unit becomes the primary
unit.

The number of consecutive times the HA heartbeat detects a
failure before a FortiMail unit in an active-passive HA unit decides
that the primary unit has failed. The number of times the check
fails range is 1 to a very high number. Set the number of times the
check fails to 0 to disable interface monitoring or hard drive
monitoring.

In most cases you do not have to change heartbeat settings. The
default settings mean that if the primary unit fails, the backup unit
switches to being the primary unit after 3 x 5 or about 15 seconds;
resulting in a failure detection time of 15 seconds.
If the failure detection time is too long the primary unit could fail and a
delay in detecting the failure could mean that email is delayed or lost.
Decrease the failure detection time if email is delayed or lost because
of an HA failover.
If the failure detection time is too short the backup unit may detect a
failure when none has occurred. For example, if the primary unit is
very busy processing email it may not respond to HA heartbeat
packets in time. In this situation, the backup unit may assume that the
primary unit has failed when the primary unit is actually just busy.
Increase the failure detection time to prevent the backup unit from
detecting a failure when none has occurred.

Configuration
Set the TCP port and time interval for synchronizing the configuration.
Set the following:

The TCP port used for synchronizing the configuration of the
primary unit to the backup unit. The default TCP port is 20001.

How often HA synchronizes the configuration. The default
configuration synchronization time is 60 minutes. The
configuration synchronization time range is 15 to 999 minutes.
Set the configuration synchronization time to 0 to disable
configuration synchronization.

In most cases you do not have to change the default settings.
However if you are making a lot of configuration changes, you may
want to reduce the time between synchronizations so that changes
are not lost if a failover occurs. During normal operation,
synchronizing the configuration every 60 minutes is usually sufficient.
You can also synchronize the configuration manually. See Forcing
the HA group to synchronize configuration and mail data on
page 305.
For more information about how FortiMail HA synchronizes the
configuration and about what is synchronized and what is not
synchronized, see Synchronizing the FortiMail configuration on
page 286.


Data (active-passive HA)
Set the TCP port and time interval for synchronizing mail data. Set the
following:

The TCP port used for synchronizing mail data. The default TCP
port is 20002.

How often the synchronization occurs. The default data
synchronization time is every 30 minutes. The data
synchronization range is 15 to 999 minutes. Set the data
synchronization time to 0 to disable data synchronization.

The type of mail data to synchronize. You can synchronize the
system mail directory, the user home directories, and the MTA
spool directories. See Synchronizing FortiMail mail data on
page 288 for more information about what to consider before
configuring mail data synchronization. Synchronization of all three
types of mail data is disabled by default.

In most cases you do not have to change the default settings except
to select the data to synchronize. You might also want to reduce the
synchronization time if you find you are losing mail data during a
failover. Also, synchronizing large amounts of mail data may cause
processing delays. Reducing how often mail data is synchronized may
alleviate this problem. During normal operation, synchronizing data
once every 30 minutes is usually sufficient.
You can also synchronize mail data manually. See Forcing the HA
group to synchronize configuration and mail data on page 305.
You should disable mail data synchronization if the HA group stores
mail data on a remote NAS server. See HA and storing FortiMail mail
data on a NAS Server on page 300.
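
Because the HA main and daemon options are not synchronized, the rules stated under Primary Heartbeat, Secondary Heartbeat and HA daemon configuration options can be checked across both units before relying on failover. The following is an added example, not part of the Fortinet guide: the dictionary layout and function names are hypothetical, and the interface names, netmasks and passwords are constructed values transcribed by hand, not a FortiMail export format.

```python
import ipaddress

# Constructed sample settings with deliberate mistakes (hypothetical layout).
PRIMARY = {
    "mode": "master",
    "shared_password": "constructed-secret-A",
    "primary_hb": {"interface": "port6", "local": "10.0.0.1/24", "peer": "10.0.0.2"},
    "secondary_hb": {"interface": "port5", "local": "10.0.0.129/24", "peer": "10.0.0.130"},
    "mail_interfaces": ["port1", "port5"],      # port5 also carries heartbeat
    "heartbeat": {"interval_s": 5, "fail_count": 3},
    "config_sync_min": 60,
    "data_sync_min": 10,                        # below the 15 minute minimum
}
BACKUP = {
    "mode": "slave",
    "shared_password": "constructed-secret-B",  # differs from the primary unit
    "primary_hb": {"interface": "port6", "local": "10.0.0.2/24", "peer": "10.0.0.1"},
    "secondary_hb": {"interface": "port5", "local": "10.0.0.130/24", "peer": "10.0.0.129"},
    "mail_interfaces": ["port1"],
    "heartbeat": {"interval_s": 5, "fail_count": 3},
    "config_sync_min": 60,
    "data_sync_min": 30,
}


def failure_detection_seconds(unit):
    """Heartbeat interval multiplied by the consecutive failure count."""
    return unit["heartbeat"]["interval_s"] * unit["heartbeat"]["fail_count"]


def check_unit(name, unit):
    """Check the per-unit ranges and heartbeat interface rules."""
    findings = []
    interval = unit["heartbeat"]["interval_s"]
    if not 2 <= interval <= 60:
        findings.append(f"{name}: heartbeat interval {interval}s is outside 2 to 60 seconds")
    for key, label in (("config_sync_min", "configuration"), ("data_sync_min", "data")):
        minutes = unit[key]
        if minutes != 0 and not 15 <= minutes <= 999:
            findings.append(f"{name}: {label} synchronization time {minutes} min "
                            "must be 0 (disabled) or 15 to 999")
    links = [unit["primary_hb"]]
    if unit.get("secondary_hb"):
        links.append(unit["secondary_hb"])
    for link in links:
        # Heartbeat and synchronization traffic must not share a user data interface.
        if link["interface"] in unit["mail_interfaces"]:
            findings.append(f"{name}: {link['interface']} carries both user data "
                            "and HA heartbeat/synchronization")
    if unit.get("secondary_hb"):
        primary_net = ipaddress.ip_interface(unit["primary_hb"]["local"]).network
        peer = ipaddress.ip_address(unit["secondary_hb"]["peer"])
        if peer in primary_net:
            findings.append(f"{name}: secondary heartbeat peer {peer} is on the "
                            f"primary heartbeat subnet {primary_net}")
    return findings


def check_pair(primary, backup):
    """Check both units, then the settings that must agree between them."""
    findings = check_unit("primary", primary) + check_unit("backup", backup)
    if (primary["mode"], backup["mode"]) != ("master", "slave"):
        findings.append("modes must be master (primary) and slave (backup)")
    if primary["shared_password"] != backup["shared_password"]:
        findings.append("shared password differs between units")  # value not printed
    for key in ("primary_hb", "secondary_hb"):
        p, b = primary.get(key), backup.get(key)
        if not p or not b:
            continue
        if ipaddress.ip_interface(p["local"]).ip != ipaddress.ip_address(b["peer"]):
            findings.append(f"{key}: primary local IP does not match backup peer IP")
        if ipaddress.ip_interface(b["local"]).ip != ipaddress.ip_address(p["peer"]):
            findings.append(f"{key}: backup local IP does not match primary peer IP")
    return findings


if __name__ == "__main__":
    print("failure detection time:", failure_detection_seconds(PRIMARY), "seconds")
    for finding in check_pair(PRIMARY, BACKUP):
        print("-", finding)
```
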

HA interface configuration in master mode options (active-passive HA)


Use HA interface configuration in master mode options to control how network
interface IP addressing and status is changed for the primary unit when operating
in active-passive HA mode.
For FortiMail units operating in gateway and server modes, you can select do
nothing, set interface IP/netmask, and add virtual IP/netmask for any FortiMail
network interface. For FortiMail units operating in transparent mode you can
select any of these options as well as add to bridge for any FortiMail network
interface.
In transparent mode you can also configure how the FortiMail management
interface (mgmt) configuration is changed by HA. Also in transparent mode you
can select add to bridge for all network interfaces to be added to the FortiMail
transparent mode bridge.
Note: The primary and secondary heartbeat interface configuration is set to do nothing and
this setting cannot be changed.


do nothing

The default setting for all network interfaces. Select this option if you
do not want to apply special functionality to a network interface when
operating in HA mode.
See Removing an interface from an HA group on page 294 for more
information about the do nothing interface configuration option. See
Gateway mode active-passive HA configuration on page 320 for a
FortiMail configuration example that uses the do nothing option.

set interface IP/netmask

Set an IP address and netmask for a network interface. Select this
option and add an IP address and netmask. When operating in HA
mode, set network interface IP/netmask changes the IP address of
the selected network interface of the primary unit to the specified IP
address. When a failover occurs this IP address is assigned to the
corresponding network interface of the new primary unit.
See Changing the IP address of an HA group interface on page 294
for more information about the set interface IP/netmask option. See
Gateway mode active-passive HA configuration on page 320 for a
FortiMail configuration example that uses the set interface IP/netmask
option.
Changing the IP address of an HA group interface using set interface
IP/netmask replaces the actual IP address of the interface with the set
IP address. The interface has only one IP address. (This is different
from the virtual IP address configuration, which results in the interface
having two IP addresses.)


add virtual IP/netmask

Assign a virtual IP address to a network interface. Select this option
and add an IP address and netmask. When operating in HA mode,
add virtual IP/netmask adds the specified IP address to the selected
interface of the primary unit. Email processing, FortiMail users, and
FortiMail administrators can all connect to this virtual IP address to
connect to the primary unit. If a failover occurs, the virtual IP address
is transferred to the new primary unit. Email processing, FortiMail
users, and FortiMail administrators can now connect to the same IP
address to connect to the new primary unit.
In most cases you would select add virtual IP/netmask for all FortiMail
network interfaces that will be processing email when the FortiMail HA
group is operating in gateway or server mode. See Adding an IP
address to an HA group interface using HA virtual IP addresses on
page 291 for more information about HA virtual IP addresses. See
Gateway mode active-passive HA configuration on page 320 for a
FortiMail configuration example that uses HA virtual IP addresses.
Configuring virtual IP addresses for FortiMail active-passive HA
configuration may produce unexpected results. Adding a virtual IP
address to a FortiMail interface gives the interface two IP addresses:
the virtual IP address and the actual IP address.
Normally you would configure your network (MX records, firewall
policies, routing and so on) so that clients and mail services use the
virtual IP address. All replies to sessions with the virtual IP address
include the virtual IP address as the source address.
However, all outgoing sessions that originate from this interface use
the actual IP address of the interface and not the virtual IP address.
This means that all outbound mail or relayed mail packets sent from a
FortiMail primary unit interface, configured with a virtual IP address,
will have the actual IP address of the primary unit interface as the
source IP address.

add to bridge

For a FortiMail HA group operating in transparent mode, select add to
bridge for all network interfaces to be added to the FortiMail
transparent mode bridge.
When you select add to bridge for an interface that is not physically
connected, the interface name is displayed with red text.
For the primary unit, add to bridge has the same effect as do nothing.
In both cases the interface is added to the bridge.
For the backup unit, add to bridge means that the interface is
disconnected and cannot process traffic when the effective operating
mode of the unit is SLAVE. The interface is disconnected to prevent
layer 2 loops. If the effective operating mode of the unit changes to
MASTER the interface becomes connected again and as part of the
bridge can process traffic. For this reason, selecting add to bridge is
the recommended configuration.
The add to bridge option is only available for FortiMail interfaces that
are already added to the bridge. If you have added an IP address to
an interface you cannot select add to bridge for the interface.
When you select add to bridge, on System > Network > Interface the
interface status shows bridged (isolated) indicating that the interface
is not connected to the network.
If the effective operating mode changes to FAILED, on System >
Network > Interface the interface status shows bridging (waiting for
recovery).

HA peer systems options (config only HA primary unit)


Use HA peer systems options to add the IP addresses of the backup units in the
config only HA group to the configuration of the primary unit. The primary unit
requires these IP addresses to be able to communicate with the backup units.


Known Peers

The list of backup unit IP addresses that have been added to the
primary unit HA configuration. The primary unit only synchronizes with
backup units that have IP addresses in the known peers list. You can
select the delete icon for any IP address in the known peers list to
remove the IP address of this backup unit from the primary unit HA
configuration.

New Peer

Add the IP address of a backup unit and select add to add the backup
unit IP address to the known peers list. You can add up to 24 backup
units or peers.

HA master configuration options (config only HA backup units)


Use HA master configuration options to add the IP address of the primary unit to
the configuration of the backup units in a config only HA group.
IP address

The heartbeat interface IP address of the primary unit in the config
only HA group. The backup unit uses the master configuration IP
address to communicate with the primary unit. The master
configuration IP address must be the same as the Local IP address
added to the primary unit HA configuration.
The master configuration IP address is equivalent to the Peer IP
address that is added to the backup unit in an active-passive HA
group.

Configuring active-passive HA service monitoring


For an active-passive HA group, you can go to System > HA > Services to
configure HA service monitoring. Use HA service monitoring to configure remote
service monitoring, local network interface monitoring, and local hard drive
monitoring.
You can configure remote service monitoring so that the backup unit confirms that
it can connect to the primary unit over the network using SMTP service, POP
Service (POP3), and Web Service (HTTP) connections.
You can configure local network interface monitoring and local hard drive
monitoring so that the primary unit monitors its own network interfaces and hard
drives.
If remote service monitoring detects a failure, the effective operating mode of the
backup unit switches to MASTER and the backup unit operates as the primary
unit. As well, the effective operating mode of the primary unit switches to OFF or
FAILED (depending on the on failure setting). When these HA events occur the
FortiMail units send HA event alert email, write HA event log messages, and send
HA event SNMP traps.
HA service monitoring options are not synchronized and must be set separately
on the primary and backup units.
See HA Main configuration options on page 310 for information about the on
failure setting. See Viewing HA mode status on page 303 for information about
FortiMail HA effective operating modes.

Note: HA services monitoring is not supported for config only HA groups.


Figure 150:HA services monitoring

Configuring the backup unit to monitor remote services on the primary unit

Configuring HA primary unit local services monitoring to monitor network
interfaces and hard drives

Configuring the backup unit to monitor remote services on the primary unit
Connect to the backup unit and go to System > HA > Services and configure
remote service monitoring so that the backup unit monitors the primary unit to
verify that the primary unit can accept SMTP service, POP service (POP3), and
Web service (HTTP) connections.
For each service you can enter the IP address and TCP port number to check.
You can enter the same IP address or different IP addresses for each service.
Remote service monitoring is an effective way to make sure that both FortiMail
units in the HA group are connected to your network. If the primary unit becomes
disconnected from the network, the FortiMail HA group can no longer process
email. If this happens and remote service monitoring is configured the backup unit
detects that the primary unit network connection has failed.
Normally you would set remote monitoring to monitor the IP address of the
primary unit interface that processes email. For example, if the primary unit uses
port1 for email traffic, set the remote service monitoring IP address to the port1 IP
address of the primary unit.
If you set the remote service monitoring IP address to the IP address of the
primary heartbeat interface or the secondary heartbeat interface of the primary
unit, checking takes place over the heartbeat link.
For each protocol you must specify the check time interval in minutes to wait
between checks and the response wait time in seconds to wait for a response.
You must also specify how many times the check fails before the backup unit
decides that the primary unit has failed and a failover occurs.
The check time interval range is 1 to 60 minutes. Set the time interval to 0 to
disable remote service monitoring. The response wait time range is 1 to a very
high number of seconds. Set the response wait time to 0 to disable remote service
monitoring.

The number of times the check fails range is 1 to a very high number. Set the
number of times the check fails to 0 to disable interface monitoring or hard drive
monitoring.
You must specify an IP address and port number and configure all settings for
each protocol.
If the backup unit detects a remote service failure, the backup unit HA effective
operating mode changes to MASTER. The backup unit becomes the new primary
unit. The primary unit effective operating mode changes to OFF or FAILED
depending on the on failure setting. See HA Main configuration options on
page 310 for information about setting on failure.
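
The check settings described above (check time interval in minutes, response wait time in seconds, number of failed checks) can be modelled to see how long a failure takes to trigger a failover. This is an added example, not FortiMail code. It assumes that checks start at fixed intervals, that failures must be consecutive, and that 0 in any of the three fields disables the check. The address, ports and values are constructed samples.

```python
import socket


class RemoteServiceCheck:
    """Model of one remote service check as the guide describes it.

    Illustration only, not FortiMail code. Assumptions: checks start at fixed
    intervals, failures must be consecutive, and 0 in any field disables it.
    """

    def __init__(self, service, host, port, interval_min, wait_s, fail_limit,
                 connect=socket.create_connection):
        self.service = service
        self.host = host
        self.port = port
        self.interval_min = interval_min  # check time interval, minutes
        self.wait_s = wait_s              # response wait time, seconds
        self.fail_limit = fail_limit      # failed checks before failover
        self.connect = connect            # injectable for offline testing
        self.failures = 0

    @property
    def enabled(self):
        return min(self.interval_min, self.wait_s, self.fail_limit) > 0

    def probe(self):
        """One TCP connection attempt; True if the service accepted it."""
        try:
            conn = self.connect((self.host, self.port), timeout=self.wait_s)
        except OSError:  # refused, unreachable or timed out
            return False
        conn.close()
        return True

    def run_check(self):
        """Run one scheduled check; True once the failure limit is reached."""
        if not self.enabled:
            return False
        self.failures = 0 if self.probe() else self.failures + 1
        return self.failures >= self.fail_limit

    def worst_case_detection_s(self):
        """Seconds from the last good check to the failover decision when the
        service dies right after that check; None if monitoring is disabled."""
        if not self.enabled:
            return None
        return self.fail_limit * self.interval_min * 60 + self.wait_s


def connector_with_dead_ports(dead_ports):
    """Stand-in for socket.create_connection, used to demonstrate offline."""
    class _Conn:
        def close(self):
            pass

    def connect(address, timeout=None):
        if address[1] in dead_ports:
            raise OSError("connection refused (simulated)")
        return _Conn()
    return connect


if __name__ == "__main__":
    connect = connector_with_dead_ports({25})
    # Constructed sample: one address for all three services, SMTP is down.
    checks = [RemoteServiceCheck(name, "172.16.5.2", port, 1, 5, 3, connect)
              for name, port in (("SMTP", 25), ("POP3", 110), ("HTTP", 80))]
    for rnd in range(1, 4):
        for c in checks:
            if c.run_check():
                print(f"round {rnd}: {c.service} failed {c.failures} times, "
                      f"failover (worst case {c.worst_case_detection_s()} s)")
```

With a 1 minute interval, a 5 second wait and 3 failed checks, the model gives a worst case of 185 seconds between the last good check and the failover decision.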

Configuring HA primary unit local services monitoring to monitor network interfaces and hard drives
Connect to the primary unit and go to System > HA > Services and configure
Local Services to configure an active-passive HA primary unit to monitor its own
network interfaces or hard drives. You must configure the check time interval in
seconds to wait between checks of the interfaces or hard drives and how many
consecutive times the check fails before a failover occurs.
The check time interval range is 1 to 60 seconds. Set the check time interval to 0
to disable interface monitoring or hard drive monitoring. The number of times the
check fails range is 1 to a very high number. Set the number of times the check
fails to 0 to disable interface monitoring or hard drive monitoring.
Network interface monitoring monitors all active network interfaces. Network
interfaces with their HA network interface configuration in master mode set to do
nothing are not monitored. For information about HA network interface
configuration, see HA interface configuration in master mode options
(active-passive HA) on page 315.
If the primary unit detects an interface failure (for example, if the network cable is
disconnected from a monitored interface) or a hard drive failure the primary unit
effective operating mode changes to OFF or FAILED depending on the on failure
setting. See HA Main configuration options on page 310 for information about
setting on failure.
If the primary unit effective operating mode changes to OFF or FAILED, the
primary unit will no longer respond to HA heartbeat packets sent by the backup
unit. The backup unit assumes that the primary unit has failed and becomes the
new primary unit.

FortiMail HA configuration examples


This section describes the following FortiMail installation and configuration
example:

Gateway mode active-passive HA configuration

Gateway mode active-passive HA configuration


The following example describes how to configure two new FortiMail-400 units to
operate in gateway mode, how to configure the FortiMail-400 units to operate as
an active-passive HA group, and then how to connect the FortiMail-400 units to
your network. This example contains the following steps:


Deciding on the HA network interface configuration in master mode settings

Configuring the primary unit for HA operation

Configuring the backup unit for HA operation

Connecting the gateway mode HA group to your network

Configuring and administering the HA group

Deciding on the HA network interface configuration in master mode settings
You can decide on the HA network interface configuration in master mode settings
that meet your requirements if you start by understanding the required standalone
FortiMail network interface configuration. In this example, you want to configure a
gateway mode HA group consisting of two FortiMail-400 units that has two
connections to your network. You can start by understanding the standalone
FortiMail-400 network interface configuration as shown in Table 18 and
Figure 151.
Table 18: Example standalone network interface configuration

| FortiMail interface | IP address setting | Used for |
|---|---|---|
| port1 | 172.20.2.10 | Administrative connections to the FortiMail unit. |
| port2 to port4 | Default IP. | Not connected. |
| port5 | 172.16.5.2 | The target of your email DNS and MX records, this gigabit ethernet interface is used for all mail processing and email user connections. No administrative access to this interface. |
| port6 | Default IP. | Not connected. |

Figure 151: Example FortiMail-400 gateway standalone configuration
[Network diagram showing: Mail Server, DNS Server, internal network, network
switch, Internet and administrators. DNS record: examplegw.com=172.16.5.2.
MX record: fortimail.examplegw.com=172.16.5.2. port5 IP: 172.16.5.2.
port1 IP: 172.20.2.10.]

When operating as an HA group, DNS and MX records should target the port5
interface of the primary FortiMail-400 unit. As well, administrators should be able
to administer the HA group by connecting to port1 of the primary unit.

If a failover occurs, port5 of the backup unit should become the DNS and MX
record target. As well, administrators should be able to connect to port1 of the
backup unit using the same administration IP address.
Additionally, all connections to port5 should only use the 172.16.5.2 IP address
and during normal HA group operation users should not be able to connect to
port5 of the backup unit. But administrators should be able to connect to port1 of
the backup unit at any time.
The network configuration shown in Table 19 supports these requirements for the
primary unit.
Table 19: Example primary unit HA network interface configuration

| FortiMail interface | IP address setting | HA Network Interface configuration in master mode: Setting | HA Network Interface configuration in master mode: IP address | Description |
|---|---|---|---|---|
| port1 | 172.20.2.20 | add virtual IP/netmask | 172.20.2.10 | Enable HTTPS, SSH, and ping access. Administrative access to this interface using IP address 172.20.2.20 or 172.20.2.10. |
| port2 to port4 | Default IP. | do nothing | | |
| port5 | Default IP. | set interface IP/netmask | 172.16.5.2 | The target of your email DNS and MX records, this interface is used for all mail processing and email user connections. No administrative access to this interface. |
| port6 | Default IP. | do nothing | | Primary heartbeat interface. The default IP address of this interface is 10.0.0.1. |

The HA network interface configuration in master mode is synchronized between
the primary and backup units. Because of this, you do not need to change the HA
network interface configuration in master mode of the backup unit. Table 20
shows the network interface changes required for the backup unit.
Table 20: Example backup unit HA network interface configuration

| FortiMail interface | IP address setting | HA Network Interface configuration in master mode: Setting | HA Network Interface configuration in master mode: IP address | Description |
|---|---|---|---|---|
| port1 | 172.20.2.30 | N/A | N/A | Enable HTTPS, SSH, and ping access. Administrative access to this interface using IP address 172.20.2.30. |
| port2 to port5 | Default IP. | N/A | N/A | |
| port6 | Default IP. | N/A | N/A | Primary heartbeat interface. The default IP address of this interface is 10.0.0.2. |


Figure 152: Example FortiMail-400 gateway HA group configuration
[Network diagram of the HA group showing: Mail Server, DNS Server, internal
network, network switch, Internet and administrators. DNS record:
examplegw.com=172.16.5.2. MX record: fortimail.examplegw.com=172.16.5.2.
Primary unit port1 IP: 172.20.2.20, virtual IP: 172.20.2.10. Primary unit
port5 virtual IP: 172.16.5.2. Port 6: primary heartbeat. Backup unit port1
IP: 172.20.2.30.]

Configuring the primary unit for HA operation


The following procedure describes how to prepare a FortiMail unit for HA
operation as the primary unit by setting the operating mode, configuring interface
IP addresses, and configuring HA.
This example includes the primary heartbeat interface only. As well, On Failure is
set to wait for recovery and then resume slave role. Since the HA daemon
configuration of the backup unit controls how the HA daemon operates, the HA
daemon settings of the primary unit will not be changed.
To configure the primary unit for HA operation
1. Power up the primary unit.
2. Connect to the FortiMail web-based manager.
3. Go to System > Status and change the operating mode to Gateway.
4. Reconnect to the primary unit and go to System > Network > Interface.
5. Configure the port1 interface.
   IP/Netmask: 172.20.2.20/255.255.255.0
   Access: Enable HTTPS, SSH, and PING.


6. Select OK.
7. Connect to the port1 interface using https://172.20.2.20.
8. Go to System > HA > Configuration and change the following settings:
   Main Configuration
     Mode of Operation: master
     On Failure: wait for recovery and then assume slave role
     Primary Heartbeat
       Use: Keep the default setting.
       Local IP: 10.0.0.1
       Peer IP: 10.0.0.2
     Secondary Heartbeat
       Use: disabled
     Treat Remote Services as a heartbeat: Keep the default setting.
   Daemon Configuration
     Shared Password: PassW0rd
     Heartbeat: Keep the default setting.
     Configuration: Keep the default setting.
     Data: Keep the default setting.
     Backup system mail directory: Keep the default setting.
     Backup user home directories: Keep the default setting.
     Backup MTA spool directories: Keep the default setting.
   Interface Configuration in Master Mode
     port1: add virtual IP/netmask 172.20.2.10/255.255.255.0
     port5: set interface/netmask 172.16.5.2/255.255.255.0
     port2 to 4 and port6: Keep the default setting.

Note: The backup unit HA daemon configuration settings control how the HA daemon
operates. For the initial configuration of the primary unit there is no need to change these
settings. However, after the HA group is operating you might want to change the primary
unit HA daemon configuration settings to control how the primary unit operates when it
becomes the new backup unit after a failover.

9. Select Apply. The primary unit switches to HA mode.
   You can connect to port1 of the primary unit using https://172.20.2.10 as
   well as https://172.20.2.20.

10. Optionally go to System > HA > Status to confirm that the primary unit
    configured and effective operating modes are both set to MASTER. See
    Viewing and changing HA status on page 302.


Figure 153:Primary unit status

11. Power off the primary unit.

Configuring the backup unit for HA operation


The following procedure describes how to prepare a FortiMail unit for HA
operation as the backup unit by setting the operating mode, configuring interface
IP addresses, and configuring HA. This procedure also changes HA daemon
settings so that the HA daemon synchronizes the system mail directory.
To configure the backup unit for HA operation
1. Power up the backup unit.
2. Connect to the FortiMail web-based manager.
3. Go to System > Status and change the operating mode to Gateway.
4. Reconnect to the backup unit and go to System > Network > Interface.
5. Configure the port3 interface.
   IP/Netmask: 172.20.2.30/255.255.255.0
   Access: Enable HTTPS, SSH, and PING.

6. Select OK.
7. Connect to the port1 interface using https://172.20.2.30.
8. Go to System > HA > Configuration and change the following settings:
   Main Configuration
     Mode of Operation: slave
     Primary Heartbeat
       Use: Keep the default setting.
       Local IP: 10.0.0.2
       Peer IP: 10.0.0.1
     Secondary Heartbeat
       Use: disabled
     Treat Remote Services as a heartbeat: Keep the default setting.
   Daemon Configuration
     Shared Password: PassW0rd (enter the same password as the primary unit).
     Heartbeat: Keep the default setting.
     Configuration: Keep the default setting.
     Data: Keep the default setting.
     Backup system mail directory: Select
     Backup user home directories: Keep the default setting.
     Backup MTA spool directories: Keep the default setting.
   Interface Configuration in Master Mode
     port2 to port6: Keep the default setting. (The heartbeat interface
     configuration is synchronized from the primary unit.)

9. Select Apply. The backup unit switches to HA mode.
   You can only connect to port1 of the backup unit using https://172.20.2.30.

10. Optionally go to System > HA > Status to confirm that the backup unit
    configured operating mode is SLAVE. See Viewing and changing HA status on
    page 302.
    Because the heartbeat interfaces are not connected, the backup unit cannot
    connect to the primary unit so the backup unit assumes that the primary
    unit has failed and switches the effective operating mode to MASTER.
Figure 154:Backup unit status page

11. Power off the backup unit.

Connecting the gateway mode HA group to your network


Use the following procedure to connect the gateway mode HA group to your
network. In this example because you are connecting the port1 and port5
interfaces to your network, you must connect these interfaces together using a
switch before connecting them to your network. As well you must connect the
port6 interfaces together because the port6 interfaces are used for the heartbeat
link. Figure 152 on page 323 shows the connections required for this gateway
mode HA group.
Connecting the HA group into your network may temporarily interrupt
communications on the network because new physical connections are being
made. Also, starting the HA group interrupts traffic to the FortiMail units until the
HA group is operating.
1. Connect the port1 interfaces of the primary and backup FortiMail units to a
   switch and connect the switch to the network that administrators would use
   to connect to the HA group.
   The port1 interface is used for administrator connections to the FortiMail
   unit.
2. Connect the port5 interfaces of the primary and backup FortiMail units to a
   switch and connect the switch to the network that connects the FortiMail
   unit to the Internet and to your email users.
   The port5 interface is used for mail processing connections to the
   FortiMail unit.
3. Connect the port6 primary heartbeat interface of the primary and backup
   FortiMail units together using a crossover ethernet cable.
   You can also use two regular ethernet cables and a switch.
4. Turn on the FortiMail units.
   The FortiMail units start up and automatically form an HA group.

Configuring and administering the HA group


You connect to the primary unit to configure FortiMail settings. As you make
configuration changes they are synchronized to the backup unit.
HA main configuration changes, daemon configuration changes, and service
monitoring changes are not synchronized to the backup unit. You must make
these configuration changes by connecting to the backup unit.
Connect to the primary unit to view and manage log messages recorded on the
primary unit hard disk. Connect to the backup unit to view and manage log
messages recorded on the backup unit hard disk.
1. Connect to the web-based manager of the primary unit.
   You can browse to the actual IP address of the primary unit port1 interface
   (https://172.20.2.20) or to the virtual IP address of the primary unit
   port1 interface (https://172.20.2.10).
2. Configure the HA group in the same way as you would configure a standalone
   FortiMail unit.
   All configuration changes made to the primary unit are synchronized to the
   backup unit.
3. Connect to the web-based manager of the backup unit by browsing to the
   actual IP address of the backup unit port1 interface (https://172.20.2.30).

HA failover scenarios
This section describes some basic FortiMail active-passive HA failover scenarios.
For each scenario you can refer to the HA group shown in Figure 155. To simplify
the descriptions of these scenarios:

P1 identifies the FortiMail unit configured to be the primary unit (also called the
master) in the HA group.

B2 identifies the FortiMail unit configured to be the backup unit (also called the
slave) in the HA group.


Figure 155: Example FortiMail HA group
[Diagram of the HA group showing: Primary unit (P1) with port1 virtual IP:
172.16.5.2 and port1 IP: 172.16.5.10; Backup unit (B2) with port1 IP:
172.16.5.11; a switch for the port1 interfaces; the heartbeat link.]

Failover scenario: Temporary failure of the primary unit

Failover scenario: primary heartbeat link fails

Failover scenario: Network connection between primary and backup units fails
(remote service monitoring detects a failure)

Failover scenario: Temporary failure of the primary unit


In this scenario, the primary unit (P1) fails because of a software failure or a
recoverable hardware failure (in this example, the P1 power cable is unplugged).
HA logging and alert email are configured for the HA group.
When the backup unit (B2) detects that P1 has failed, B2 becomes the new
primary unit and continues processing email.
1. The FortiMail HA group is operating normally.
2. The power is accidentally disconnected from P1.
3. The B2 primary heartbeat test detects that P1 (the primary unit) has failed.
   How soon this happens depends on the HA daemon configuration of B2.
4. The effective operating mode of B2 changes to MASTER.
5. B2 sends an alert email similar to the following indicating that B2 has
   determined that P1 has failed and that B2 is switching its effective
   operating mode to MASTER.
   Date sent: Wed, 30 Nov 2009 20:27:18 GMT
   From: root@FortiMail-400.localdomain
   Subject: Remote HA Event
   To: administrator@company.com

   This is the FortiMail HA unit at 10.0.0.2.

   A remote problem (heartbeat) has been detected, telling the
   remote to shutdown and taking over.
6. B2 records the following event log messages (among others) indicating that
   B2 has determined that P1 has failed and that B2 is switching its effective
   operating mode to MASTER.
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 13:33:34 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"


Recovering from temporary failure of the primary unit


Use the following steps to return to normal operation of the HA group after the P1
power cable is unplugged.
1. Turn off the P1 power switch, reconnect the power cable and then turn the
   power switch back on.
   P1 starts up and finds B2 operating as a primary unit. P1 switches its
   effective operating mode to SLAVE.
   P1 records the following log messages (among others) as this happens.
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: starting pre-amble"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: ** response from peer, setting to SLAVE mode"
The configured operating mode of P1 is MASTER and the effective operating
mode of P1 is SLAVE.
The configured operating mode of B2 is SLAVE and the effective operating mode
of B2 is MASTER.
P1 synchronizes the content of its MTA spool directories to B2. Email in these
directories can now be delivered by B2.

2. Connect to the P1 web-based manager, go to System > HA > Status.
3. Check for synchronization messages.
   Do not proceed to the next step until P1 has synchronized with B2.
4. Connect to the B2 web-based manager, go to System > HA > Status and select
   click HERE to restore configured operating mode.
5. Connect to the P1 web-based manager, go to System > HA > Status and select
   click HERE to restore configured operating mode.
   P1 should return to operating as the primary unit and B2 should return to
   operating as the backup unit. You may have to repeat steps 4 and 5 a few
   times.
6. P1 and B2 synchronize their MTA spool directories again. All of the email
   in these directories can now be delivered by P1.

Failover scenario: primary heartbeat link fails


If the primary heartbeat link between the primary and backup units fails and the
secondary heartbeat link has not been configured, the FortiMail units in the HA
group can no longer use the HA heartbeat to verify that the other unit in the HA
group is operating. As a result the backup unit (B2) changes to operating as a
primary unit.


The primary unit (P1) continues to operate as a primary unit. In fact P1 is not
aware that HA communication has been disrupted.
Two primary units connected to the same network may cause address conflicts on
your network because matching interfaces will have the same IP addresses. As
well, because the heartbeat link is interrupted the units in the HA group cannot
synchronize configuration changes or mail data changes.
Even after reconnecting the heartbeat link, both units will continue operating as
primary units. To return the HA group to normal operation you must connect to the
B2 web-based manager to restore B2 to operate as the backup unit.
1. The FortiMail HA group is operating normally.
2. The heartbeat link ethernet cable is accidentally disconnected.
3. The B2 HA heartbeat test detects that the primary unit has failed.
   How soon this happens depends on the HA daemon configuration of B2.
4. The effective operating mode of B2 changes to MASTER.
5. B2 sends an alert email similar to the following indicating that B2 has
   determined that P1 has failed and that B2 is switching its effective
   operating mode to MASTER.
   Date sent: Wed, 30 Jan 2005 16:27:18 GMT
   From: root@FortiMail-400.localdomain
   Subject: Remote HA Event
   To: administrator@company.com

   This is the FortiMail HA unit at 10.0.0.2.

   A remote problem (heartbeat) has been detected, telling the
   remote to shutdown and taking over.
6. B2 records the following event log messages (among others) indicating that
   B2 has determined that P1 has failed and that B2 is switching its effective
   operating mode to MASTER.
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"

Recovering from a heartbeat link failure


Use the following steps to return to normal operation of the HA group after the
heartbeat link fails.
1. Reconnect the primary heartbeat interface by reconnecting the heartbeat link
   ethernet cable.
   Even though the effective operating mode of B2 is MASTER, B2 continues to
   attempt to find the other primary unit. When the heartbeat link is
   reconnected, B2 finds P1 and determines that P1 is also operating as a
   primary unit. So B2 sends an HA heartbeat packet to notify P1 to stop
   operating as a primary unit. The effective operating mode of P1 changes to
   OFF.
2. P1 sends an alert email similar to the following indicating that P1 has
   stopped operating in HA mode.
   Date sent: Wed, 30 Jan 2005 17:10:18 GMT
   From: root@FortiMail-400.localdomain
   Subject: HA Event
   To: administrator@company.com

   This is the FortiMail HA unit at 10.0.0.1.

   The slave unit detected a problem and has told me to shutdown
3. P1 records the following log messages (among others) indicating that P1 is
   switching to OFF mode.
2005-11-30 17:13:06 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: remote detected problem, shutting down"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering off mode"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering off mode"
The configured operating mode of P1 is MASTER and the effective operating
mode of P1 is OFF.
The configured operating mode of B2 is SLAVE and the effective operating mode
of B2 is MASTER.
P1 synchronizes the content of its MTA spool directories to B2. Email in these
directories can now be delivered by B2.

4. Connect to the P1 web-based manager, go to System > HA > Status.
5. Check for synchronization messages.
   Do not proceed to the next step until P1 has synchronized with B2.
6. Connect to the B2 web-based manager, go to System > HA > Status and select
   click HERE to restore configured operating mode.
   The HA group should return to normal operation. P1 records the following
   log message (among others) indicating that B2 asked P1 to return to
   operating as the primary unit.
2005-11-30 18:10:00 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: being asked to assume original role"

7. P1 and B2 synchronize their MTA spool directories. All of the email in
   these directories can now be delivered by P1.
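
The HA event log messages quoted in these scenarios can be used to reconstruct each unit's effective operating mode and to find the period in which both units were MASTER. The following is an added example, not FortiMail code. The sample logs are constructed from the message texts on this page with made-up, consistent timestamps, and the code assumes each unit starts in its configured operating mode.

```python
import re
from datetime import datetime

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Message fragments quoted in this guide that name the new effective mode.
# Only monitord records count: configd and backupd log "entering master mode"
# at start-up even on a unit that monitord then sets to SLAVE.
MODE_MARKERS = (
    ("assuming MASTER role", "MASTER"),
    ("entering MASTER mode", "MASTER"),
    ("setting to SLAVE mode", "SLAVE"),
    ("remote detected problem, shutting down", "OFF"),
)


def parse_records(text):
    """Rejoin records wrapped over several lines; return (time, fields)."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if RECORD_START.match(line):
            joined.append(line)
        elif line and joined:
            joined[-1] += " " + line
    records = []
    for rec in joined:
        when = datetime.strptime(rec[:19], "%Y-%m-%d %H:%M:%S")
        fields = {m.group(1): m.group(2) if m.group(2) is not None
                  else m.group(3) for m in FIELD.finditer(rec[20:])}
        records.append((when, fields))
    return records


def mode_changes(text):
    """Effective-mode changes logged by a unit's monitord, as (time, mode)."""
    changes = []
    for when, fields in parse_records(text):
        msg = fields.get("msg", "")
        if fields.get("subtype") != "ha" or not msg.startswith("monitord:"):
            continue
        for marker, mode in MODE_MARKERS:
            if marker in msg:
                if not changes or changes[-1][1] != mode:
                    changes.append((when, mode))
                break
    return changes


def dual_master_windows(logs, initial_modes):
    """Return (start, end) intervals in which more than one unit is MASTER.

    logs maps unit name to its log text; initial_modes maps unit name to the
    mode assumed before the first record. end is None if still open.
    """
    events = sorted((when, unit, mode) for unit, text in logs.items()
                    for when, mode in mode_changes(text))
    state, windows, start = dict(initial_modes), [], None
    for when, unit, mode in events:
        state[unit] = mode
        masters = list(state.values()).count("MASTER")
        if masters > 1 and start is None:
            start = when
        elif masters < 2 and start is not None:
            windows.append((start, when))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


# Constructed sample logs, wrapped the way the guide prints them.
B2_LOG = """\
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"
"""
P1_LOG = """\
2005-01-30 17:13:06 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: remote detected problem, shutting down"
2005-01-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering off mode"
"""

if __name__ == "__main__":
    found = dual_master_windows({"P1": P1_LOG, "B2": B2_LOG},
                                {"P1": "MASTER", "B2": "SLAVE"})
    for start, end in found:
        print(f"both units MASTER from {start} until {end}")
```

A window that follows a power loss on the primary unit is expected because that unit was off; a window that follows a heartbeat link failure is the two-primary condition described in this scenario.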


Failover scenario: Network connection between primary and backup units fails (remote service monitoring detects a failure)
Depending on your network configuration, the network connection between the
primary and backup units can fail for a number of reasons. In the network
configuration shown in Figure 155 on page 328 the connection between port1 of
P1 and port1 of B2 can fail if a network cable is disconnected or if the switch
between P1 and B2 fails.
A more complex network configuration could include a number of network devices
between the primary and backup unit network interfaces. In any configuration
remote service monitoring can only detect a simple communication failure.
Remote service monitoring cannot determine where the failure occurred or the
reason for the failure.
In this scenario remote service monitoring has been configured so that the backup
unit B2 in Figure 155 on page 328 makes sure it can connect to the primary unit
P1. The HA main configuration on failure setting is wait for recovery then assume
slave role. See HA Main configuration options on page 310 for information about
setting on failure. See Configuring the backup unit to monitor remote services on
the primary unit on page 319 for information about remote service monitoring.
The failure occurs when power to the switch that connects the P1 and B2 port1
interfaces is disconnected. Remote service monitoring detects the failure of the
network connection between the primary and backup units. Because of the on
failure setting, P1 changes its effective operating mode to FAILED.
When the failure is corrected P1 detects the correction because while operating in
failed mode P1 has been attempting to connect to B2 using the port1 interface.
When P1 can connect to B2, the effective operating mode of P1 changes to SLAVE
and the mail data on P1 will be synchronized to B2. B2 can now deliver this mail.
The HA group continues to operate in this manner until an administrator resets the
effective operating modes of the FortiMail units.
1

The FortiMail HA group is operating normally.

The power cable for the switch between P1 and P2 is accidently disconnected.

B2 remote service monitoring cannot connect to the primary unit.


How soon this happens depends on the remote service monitoring configuration
of B2.

334

Over the HA heartbeat link B2 signals P1 to shut down.

The effective operating mode of P1 changes to FAILED.

The effective operating mode of B2 changes to MASTER.

FortiMail Secure Messaging Platform Version 3.0 MR3 Administration Guide


06-30003-0154-20080327

Configuring and operating FortiMail HA

HA failover scenarios

7 B2 sends an alert email similar to the following indicating that B2 has determined
that P1 has failed and that B2 is switching its effective operating mode to
MASTER.
Date sent: Wed, 30 Jan 2005 16:27:18 GMT
From: root@FortiMail-400.localdomain
Subject: Remote HA Event
To: administrator@company.com

This is the FortiMail HA unit at 10.0.0.2.

A remote problem (heartbeat) has been detected, telling the
remote to shutdown and taking over.
8 B2 records the following event log messages (among others) indicating that B2
has determined that P1 has failed and that B2 is switching its effective operating
mode to MASTER.
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop starting, entering MASTER mode"


9 P1 sends an alert email similar to the following indicating that P1 has stopped
operating in HA mode.
Date sent: Wed, 30 Jan 2005 17:10:18 GMT
From: root@FortiMail-400.localdomain
Subject: HA Event
To: administrator@company.com

This is the FortiMail HA unit at 10.0.0.1.

The slave unit detected a problem and has told me to shutdown
10 P1 records the following log messages (among others) indicating that P1 is
switching to OFF mode.
2005-11-30 17:13:06 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: remote detected problem, shutting down"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop stopping"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering off mode"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering failed mode"

Recovering from a network connection failure


Use the following steps to return to normal operation of the HA group after the
heartbeat link fails.

1 Reconnect power to the switch.
Because the effective operating mode of P1 is FAILED, P1 is using remote service
monitoring to attempt to connect to B2 through the switch.
When the switch resumes operating, P1 successfully connects to B2.
P1 has determined that B2 can connect to the network and process mail.


The effective operating mode of P1 switches to SLAVE.
P1 records the following log messages (among others) as this happens.
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering master mode"
2009-11-30 16:02:08 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: starting pre-amble"
2009-11-30 16:02:13 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="monitord: ** response from peer, setting to SLAVE mode"

P1 synchronizes the content of its MTA spool directories to B2. Email in these
directories can now be delivered by B2.
The HA group can continue to operate with B2 as the primary unit and P1 as the
backup unit. However, you can use the following steps to restore each unit to its
configured operating mode.

2 Connect to the P1 web-based manager, go to System > HA > Status.

3 Check for synchronization messages.
Do not proceed to the next step until P1 has synchronized with B2.

4 Connect to the B2 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.

5 Connect to the P1 web-based manager, go to System > HA > Status and select
click HERE to restore configured operating mode.
P1 should return to operating as the primary unit and B2 should return to
operating as the backup unit. You may have to repeat steps 4 and 5 a few times.

P1 and B2 synchronize their MTA spool directories again. All of the email in these
directories can now be delivered by P1.
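
The HA event log entries quoted in this scenario can be read by a script to confirm which unit took over and which mode each HA daemon ended in. The following Python sketch is an added example, not code from the guide or from Fortinet: it rejoins hard-wrapped entries, parses the key=value fields, and reports the pri=notice entries and the last mode each daemon logged. The function names and the embedded sample logs (constructed from the entries shown above) are assumptions of this example.

```python
import re

# Constructed samples: entries modelled on the B2 and P1 event log lines quoted
# above, hard-wrapped the way the guide prints them.
B2_LOG = """\
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: peer stop responding (heartbeat), assuming
MASTER role"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop stopping"
2005-01-30 16:27:18 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering master mode"
"""
P1_LOG = """\
2005-11-30 17:13:06 log_id=0107000000 type=event subtype=ha
pri=notice user=ha ui=ha action=unknown status=success
msg="monitord: remote detected problem, shutting down"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="backupd: main loop starting, entering off mode"
2005-11-30 17:13:16 log_id=0107000000 type=event subtype=ha
pri=information user=ha ui=ha action=unknown status=success
msg="configd: main loop starting, entering failed mode"
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?= )")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODE = re.compile(r"(?:entering|setting to|assuming) (\w+) (?:mode|role)")


def join_wrapped(text):
    """Rejoin hard-wrapped entries: a new entry starts with a timestamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries


def parse_entry(raw):
    """Return one entry as a dict, or None if it has no leading timestamp."""
    stamp = TIMESTAMP.match(raw)
    if not stamp:
        return None
    entry = {"time": stamp.group(0)}
    for key, value in FIELD.findall(raw[stamp.end():]):
        entry[key] = value.strip('"')
    return entry


def ha_events(text):
    """Parse a log excerpt and keep the HA events with daemon and mode."""
    events = []
    for raw in join_wrapped(text):
        entry = parse_entry(raw)
        if not entry or entry.get("subtype") != "ha":
            continue
        daemon, sep, detail = entry.get("msg", "").partition(":")
        if not sep:  # message without a "daemon:" prefix
            daemon, detail = "", daemon
        mode = MODE.search(detail)
        events.append({"time": entry["time"], "pri": entry.get("pri"),
                       "daemon": daemon.strip(), "detail": detail.strip(),
                       "mode": mode.group(1).upper() if mode else None})
    return events


def failover_triggers(events):
    """Entries logged at pri=notice; in the samples these are the failover decisions."""
    return [e for e in events if e["pri"] == "notice"]


def last_modes(events):
    """Latest mode each daemon reported; daemons that disagree deserve a look."""
    modes = {}
    for e in events:
        if e["mode"]:
            modes[e["daemon"]] = e["mode"]
    return modes


if __name__ == "__main__":
    for unit, log in (("B2", B2_LOG), ("P1", P1_LOG)):
        events = ha_events(log)
        for e in failover_triggers(events):
            print(unit, e["time"], "TRIGGER:", e["detail"])
        print(unit, "last modes:", last_modes(events))
```
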

End-user guide (GW & TP modes)


This chapter details information needed by end-users on a network serviced by a
FortiMail unit running in gateway or transparent mode. This end-user information
is included in the Administration Guide for a number of reasons:

• End-users are unlikely to even know their network has a FortiMail unit, much
less where to get documentation for it.

• End-users will not know the mode in which the FortiMail unit is operating.

• Administrators may not enable all the documented features (e.g. Bayesian
scanning, spam quarantine), leading to confusion when users try to access a
disabled feature.

• Administrators know their end-users and may wish to tailor the information to
their end-users' needs.

For all these reasons, the basic end-user information is provided here so the
administrator can deliver what the end-user needs to know in a form best suited to
their situation.
These topics are included:

• Training Bayesian databases

• Accessing quarantined email

• Managing tagged spam

• Sending email remotely through the FortiMail unit


Introduction
To maximize the services provided by the FortiMail unit, the end-user needs to be
aware of the following features:

• Training Bayesian databases

• Accessing quarantined email

• Managing tagged spam

• Sending email remotely through the FortiMail unit

Training Bayesian databases


Bayesian scanning is one of the key technologies the FortiMail unit uses to filter
email for spam. The FortiMail unit uses an account system to train the Bayesian
databases that are the core of Bayesian scanning. Well-trained Bayesian
databases are more effective and accurate for catching spam.
You can improve the accuracy of the Bayesian databases by training them. You
first forward spam and non-spam messages to the FortiMail unit to train your
databases (See the first two bulleted items in the box below). This is especially
important when your databases are empty. Later, you can forward spam the
FortiMail unit has failed to catch, or non-spam email the FortiMail unit has
incorrectly detected as spam, to the FortiMail unit to fine-tune the databases (See
the third and fourth bulleted items in the box below).
Your administrator is responsible for setting up the FortiMail Bayesian accounts
for you to send spam information to train the Bayesian databases. The
administrator will also send you instructions similar to the following on how to train
the Bayesian databases:
To train the Bayesian databases:

• If you have collected spam email and want to train your personal Bayesian database
on the FortiMail unit, forward them to learn-is-spam@yourcompany.com from your
company email account. This ensures that similar email will be tagged as spam by the
FortiMail unit in the future.

• If you have collected non-spam email and want to train your personal Bayesian
database on the FortiMail unit, forward them to learn-is-not-spam@example.com from
your company email account. This ensures that similar email will not be tagged as
spam by the FortiMail unit in the future.

• If you receive spam email that has not been caught and tagged by the FortiMail unit,
forward them to is-spam@yourcompany.com from your company email account to
ensure that similar email will be caught by the FortiMail unit in the future.

• If you receive email that the FortiMail unit has incorrectly tagged as spam, forward
them to is-not-spam@yourcompany.com from your company email account to ensure
that similar email will not be tagged as spam by the FortiMail unit in the future.

• If you belong to an email alias and receive a spam message sent to the alias address,
forward it to the FortiMail "is-spam" Bayesian account to train the database of the alias
address. Remember to enter the alias address in the "From" field instead of your own
email address.


Accessing quarantined email


The FortiMail unit has a spam folder for each email user. The spam messages in
the folder are quarantined. You can retrieve the quarantined spam from the
FortiMail unit to ensure the messages are truly spam.
Depending on the FortiMail unit configurations, there are three ways for you to
access the quarantined spam:

• Using FortiMail webmail

• Using the daily spam summary report

• Setting up a POP3 user account

Using FortiMail webmail


If your administrator has enabled your FortiMail webmail access, you can log on
to FortiMail webmail to retrieve the quarantined messages. For information on
using webmail, see the FortiMail Webmail Online Help once you have accessed
webmail.

Using the daily spam summary report


If your administrator has enabled your FortiMail auto release and auto delete
accounts and enabled the FortiMail unit to send you a daily spam summary, you
will receive a daily summary from the FortiMail unit, similar to one of the samples
below. You can follow the instructions in the report to release or delete your
quarantined email. The FortiMail unit releases and sends the email messages to
you.

Sample report in HTML format


The following sample report in HTML format informs you of how many messages
are in quarantine, how to delete all quarantined messages, and how to release or
delete individual messages. You make decisions based on a message's subject
and sender information contained in the Spam Information section of the report.


Sample report in text format


The following sample report in text format informs you of how many messages are
in quarantine, how to delete all quarantined messages, and how to release or
delete individual messages. You make decisions based on a message's subject
and sender information contained in the Spam Information section of the report.

To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [3 message(s) quarantined from Wed, 11 Jul 2007 11:00:01
to Wed, 11 Jul 2007 12:00:01]
Date: Wed, 11 Jul 2007 12:00:01 -0400

Date: Wed, 11 Jul 2007 11:11:25
Subject: Sign up for FREE offers!!!
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166681.l6BFAj510009380000@fm3.example.com

Date: Wed, 11 Jul 2007 11:14:16
Subject: Buy cheap stuff!
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166854.l6BFDchG0009440000@fm3.example.com

Date: Wed, 11 Jul 2007 11:15:46
Subject: Why pay more?
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166944.l6BFF7HI0009460000@fm3.example.com

Actions:
o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".
o) Delete a message:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".
o) Delete all messages:
Send an email to <delete-ctrl@fm3.example.com> with subject line set to
"delete_all:user1@example.com:ea809095:ac146004:05737c7c111d68d0111d68d0111d68d0".

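The release and delete actions described in the text report can be prepared by a script. The following Python sketch is an added example, not code from the guide or from Fortinet: it parses a summary laid out as one "Label: value" per line, checks each Message-Id against the shape seen in the sample before it is placed in a subject line, and builds the control message without sending it. The function names, the Message-Id pattern, taking the control host from the report's From address, and using the recipient as the sender are assumptions of this example; the sample report is constructed.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample in the "Label: value" layout of the text report above.
SAMPLE_REPORT = """\
To: user1@example.com
From: release-ctrl@fm3.example.com
Subject: Quarantine Summary: [2 message(s) quarantined]
Date: Wed, 11 Jul 2007 12:00:01 -0400

Date: Wed, 11 Jul 2007 11:11:25
Subject: Sign up for FREE offers!!!
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166681.l6BFAj510009380000@fm3.example.com

Date: Wed, 11 Jul 2007 11:14:16
Subject: Buy cheap stuff!
From: "Spam Sender" <spamsender@example.org>
Message-Id: 1184166854.l6BFDchG0009440000@fm3.example.com

Actions:
o) Release a message:
Send an email to <release-ctrl@fm3.example.com> with subject line set to
"user1@example.com:Message-Id".
"""

LABEL = re.compile(r"(To|From|Subject|Date|Message-Id):\s*(.*)")
# Assumption: quarantine Message-Ids look like the samples (token@host).
# fullmatch() is used so that a trailing newline or extra header text is rejected.
MESSAGE_ID = re.compile(r"[A-Za-z0-9.]+@[A-Za-z0-9.-]+")


def parse_summary(text):
    """Return (report header fields, list of quarantined message fields)."""
    body = text.split("\nActions:", 1)[0]  # ignore the instructions section
    blocks = []
    for chunk in re.split(r"\n\s*\n", body.strip()):
        fields = {}
        for line in chunk.splitlines():
            found = LABEL.fullmatch(line.strip())
            if found:
                fields[found.group(1)] = found.group(2)
        if fields:
            blocks.append(fields)
    if not blocks:
        raise ValueError("no report header found")
    return blocks[0], [b for b in blocks[1:] if "Message-Id" in b]


def from_sender(messages, sender):
    """Quarantined messages whose From address equals sender (case-insensitive)."""
    return [m for m in messages
            if parseaddr(m.get("From", ""))[1].lower() == sender.lower()]


def control_request(action, header, message):
    """Build the release or delete request described in the Actions section."""
    if action not in ("release", "delete"):
        raise ValueError("action must be 'release' or 'delete'")
    message_id = message["Message-Id"]
    if not MESSAGE_ID.fullmatch(message_id):
        raise ValueError("unexpected Message-Id: %r" % message_id)
    user = parseaddr(header["To"])[1]
    host = parseaddr(header["From"])[1].partition("@")[2]
    request = EmailMessage()
    request["From"] = user                      # assumption: sent by the recipient
    request["To"] = "%s-ctrl@%s" % (action, host)
    request["Subject"] = "%s:%s" % (user, message_id)
    return request


if __name__ == "__main__":
    report_header, quarantined = parse_summary(SAMPLE_REPORT)
    for item in from_sender(quarantined, "spamsender@example.org"):
        req = control_request("delete", report_header, item)
        print(req["To"], "|", req["Subject"])
```
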
Setting up a POP3 user account


If your administrator has enabled your POP3 access, you can set up a user
account on your PC to retrieve the quarantined messages from the FortiMail unit.
To set up a user account, you need to:

• get the FortiMail unit host name or IP address from the administrator to set
your email gateway as the POP3 server.

• get your FortiMail login user name and password from the administrator.

Managing tagged spam


The FortiMail unit can be configured to deliver detected spam to recipients with tags in
the subject line or header. You can set up a rule-based folder on your PC to
automatically collect the spam based on tags. Your administrator can provide you
with the subject line or header tags you need to set up the spam folder.
Consult your email client documentation for information on setting up a rule-based
folder.


Sending email remotely through the FortiMail unit


Although the FortiMail unit has no local user accounts, it supports SMTP
authentication to allow remote email users to send email through the FortiMail
unit.
Your administrator is responsible for configuring FortiMail SMTP authentication
and notifying remote users.
If you want to remotely send email through the FortiMail unit, enable SMTP
authentication when configuring an email account. See your email client
documentation for information on configuring an email account.
Because the FortiMail unit supports multiple domains, use full domain names for
login account names.

End-user guide (server mode)


This chapter details information needed by end-users on a network serviced by a
FortiMail unit running in server mode. This end-user information is included in the
Administration Guide for a number of reasons:

• End-users are unlikely to even know their network has a FortiMail unit, much
less where to get documentation for it.

• End-users will not know the mode in which the FortiMail unit is operating.

• Administrators may not enable all the documented features (e.g. Bayesian
scanning, spam quarantine), leading to confusion when users try to access a
disabled feature.

• Administrators know their end-users and may wish to tailor the information to
their end-users' needs.

For all these reasons, the basic end-user information is provided here so the
administrator can deliver what the end-user needs to know in a form best suited to
their situation.
These topics are included:

• Training Bayesian databases

• Accessing quarantined email


Introduction
To maximize the services provided by the FortiMail unit, the end-user needs to be
aware of the following features:

• Training Bayesian databases

• Accessing quarantined email

Training Bayesian databases


Bayesian scanning is one of the key technologies the FortiMail unit uses to scan
email for spam. The FortiMail unit uses an account system to train the Bayesian
databases that are the core of Bayesian scanning. Well-trained Bayesian
databases are more effective and accurate for catching spam.
You can improve the accuracy of the Bayesian databases by training them. You
first forward spam and non-spam messages to the FortiMail unit to train your
databases (See the first two bulleted items in the box below). This is especially
important when your databases are empty. Later, you can forward spam the
FortiMail unit has failed to catch, or non-spam email the FortiMail has incorrectly
detected as spam, to the FortiMail unit to fine-tune the databases (See the third
and fourth bulleted items in the box below).
Your administrator is responsible for setting up the FortiMail Bayesian accounts
for you to send spam information to train the Bayesian databases. The
administrator will also send you instructions similar to the following on how to train
the Bayesian databases:
To train the Bayesian databases:

• If you have collected spam email and want to train your personal Bayesian database
on the FortiMail unit, forward them to learn-is-spam@yourcompany.com from your
company email account. This ensures that similar email will be tagged as spam by the
FortiMail unit in the future.

• If you have collected non-spam email and want to train your personal Bayesian
database on the FortiMail unit, forward them to learn-is-not-spam@example.com from
your company email account. This ensures that similar email will not be tagged as
spam by the FortiMail unit in the future.

• If you receive spam email that has not been caught and tagged by the FortiMail unit,
forward them to is-spam@yourcompany.com from your company email account to
ensure that similar email will be caught by the FortiMail unit in the future.

• If you receive email that the FortiMail unit has incorrectly tagged as spam, forward
them to is-not-spam@yourcompany.com from your company email account to ensure
that similar email will not be tagged as spam by the FortiMail unit in the future.

• If you belong to an email alias and receive a spam message sent to the alias address,
forward it to the FortiMail "is-spam" Bayesian account to train the database of the alias
address. Remember to enter the alias address in the "From" field instead of your own
email address.


Accessing quarantined email


The FortiMail unit has a spam folder for each email user. The spam messages in
the folder are quarantined. You can retrieve the quarantined spam from the
FortiMail unit to ensure the messages are truly spam.
Depending on the FortiMail unit configurations, there are three ways for you to
access the quarantined spam:

• Using FortiMail webmail

• Setting up POP3/IMAP user account

• Receiving tagged email through the inbox

Using FortiMail webmail


If your administrator has enabled your FortiMail webmail access, you can log in to
FortiMail webmail to retrieve the quarantined messages. For information on using
webmail, see the FortiMail Webmail Online Help once you have accessed the
webmail.

Setting up POP3/IMAP user account


If your email policy contains an antispam profile that is configured to quarantine
spam, you can set up a user account on your PC to retrieve the quarantined
messages from the FortiMail unit.
To set up a user account, you need to:

• get the FortiMail unit host name or IP address from the administrator to set
your email gateway as the POP3 or IMAP server.

• get your FortiMail login user name and password from the administrator.

Receiving tagged email through the inbox


If your email policy contains an antispam profile that is configured to tag spam in
the subject line or with a header, the FortiMail unit will tag the spam and deliver it to
your inbox.

Index
A
access
discard 115, 141
access control
description 114
Access Control List (ACL) 29, 78
action 163
automatically update white list 49, 171
configuring 170
discard 48, 170
forward to email address 49, 171
quarantine 49, 171
quarantine for review 49, 171
reject 48, 170
tag email in header 48, 170
tag email in subject 48, 170
active-passive
HA 281
add to bridge
HA interface option 317
add virtual IP/netmask
HA interface option 317
address book
adding an 145
address book, global 145
address map 147, 158
creating 159
address verification 114
admin 38, 98
administrator
server mode 38, 97
administrator account
adding and editing 37, 96
advanced protection settings
description 115
advanced settings
configuring 120
description 115
alert email 61, 271
configuring 61, 272
example message 307
HA 297
selecting event categories 62, 272
sending for HA events 299
alert email, logging 61, 271
alias 147
antispam
banned word scan 19
Bayesian scan 18
black/white list 19
deep header scan 165
DKIM 182
DNSBL 18
DomainKeys 182

forged IP 17
FortiGuard Antispam 15
greylist 17
heuristic scan 18
PDF scan 245
profile 162
sender reputation 20
SHASH 15
spam quarantine 35, 209
SPF 182
SURBL 18
system quarantine 36, 219
whitelist word scan 19
antispam profile 162
antivirus
profile 171
update 80
antivirus definitions
HA 287
manually initiating updates 83
update 83
update from a file 83
antivirus update 80
appearance, web-based manager 125
archive 247
exempting spam from 251
policies 250
archived email
exporting 249
HA synchronization 289
using for Bayesian training 249
authentication
IMAP 175
LDAP 193
POP3 174
profile 173
Radius 174
SMTP 176

B
back up
Bayesian databases
all databases 231
global or group 227
user 229
black/white lists
domain 237
personal 238
system 236
dictionaries 192
mail queues 34, 145
system settings 29, 78
backup unit 281
banned word scan 19


basic 23
Bayesian accounts
configuring 230
Bayesian database training 44, 129
Bayesian databases
back up
all databases 231
global or group 227
user 229
repairing 231
reset
all databases 232
global or group 228
user 229
restore
all users 231
global or group 228
user 229
train
from archived email 249
global or group 227
user 228
training example 232
types 222
Bayesian scan 18
black/white list 19
action 238
backing up
domain 237
personal 238
system 236
configuring 235
hierarchy 239
restoring
domain 237
personal 238
system 236
blacklist action 238
bridge
add to bridge HA interface option 317
browsing reports 68, 278

C
CA 108
category
logging 62, 272
certificate
options 109
certificate authority 108
certificate request
downloading and submitting 110
clear
Bayesian databases
all databases 232
global or group 228
user 229
CLI 14
command line interface 14
config master
HA mode 310


config only
HA 281, 282
config slave
HA mode 310
configuration 291
HA Daemon status 305
HA synchronization 286
configuration example
HA 320
configured HA operating mode
using SNMP 300
configured operating mode
HA 303
content
profile 178
content monitor
profile 180
quarantine 36, 219
controller card 106
CPU Usage 25, 73
CSV 146
custom messages 123
customer service 22
customizing column views 58, 269
customizing the display of log messages 58, 269
CVS (Comma Separated Values) 151

D
daemon
HA 288, 313
HA daemon status 305
daily
update schedule 84
data
HA Daemon status 305
data striping 104
date and time
setting 96
Daylight Savings Time 37, 96
DDNS 44, 92
dead email list
managing 33, 144
dead mail queue
HA 289
deep header scan
Black IP scan 165
Header analysis 165
deferred queue
HA 289
managing 31, 141
definition
updating antivirus 83
deleting log files 61, 271
delivery status notification (DSN) 33, 115, 121, 144
delivery status notification email 33, 144
DHCP 42, 85, 92
dictionary profile 185
category 187
creation steps 186
dictionary 188


dictionary group 190


language 187
maintenance 192
digital certificate requests 90
discard
domain access 115, 141
disclaimers
adding 122
disclaimers, adding to email 122
disk space
syslog server 258
display name
mail user 152
Distinguished Name (DN) 108
DNS
configuring 42, 93
DNS server 89
DNSBL 18
DNS-resolvable 44, 129
do nothing
HA interface option 316
documentation
FortiMail 21
domain
subdomain 159
domain access
discard 115, 141
reject 115, 141
relay 31, 32, 33, 115, 141, 142, 143, 144
domain, protected 44, 129
domains, email
description 113
download
logs 59, 270
downloading
log files 59, 270
reports 69, 279
DSN email 33, 144
DSN notifications 44, 129
dynamic public IP address 94

E
effective HA operating mode
using SNMP 300
effective operating mode
HA 303
email
HA alert email 297
how FortiMail handles 113
email access
configuring 139
email access control
description 114
email address map 158
creating 159
email archiving
configuring settings 247
policies 250
setting exempt policies 251
email domains
description 113

email routing
configuring 43, 94
email settings 113
email users
creating 151
emptying a log file 60, 270
end-user guide
gateway and transparent modes 339
server mode 345
Error Correcting Code (ECC) 107
event log 54, 264
expire
system status 74
export
archived email 249
Extended Simple Mail Transfer Protocol (ESMTP) 122

F
factory defaults 27, 30, 76, 79
failed queue
HA 289
managing 33
failover
email data 289
HA 285, 327
failover messages 100
FDN 95
connecting to 83
testing connection to 83
firmware
changing the firmware on an operating cluster 301
upgrading to a new version 75
firmware version
reverting to a previous 76
upgrading 75
forged IP 17
FortiAnalyzer unit
logging 257
FortiGuard Antispam 15
HA 287
FortiGuard Antivirus
HA 287
FortiGuard Distribution Network 80
FortiGuard Distribution Network (FDN) 80, 83
FortiGuard Distribution Server 80
FortiGuard-Antispam
configuring 221
FortiMail
configuration and management 14
key features 12
FortiMail 2000 40, 91, 103
FortiMail 2000A 40, 91
FortiMail 400 40, 91, 103
FortiMail 4000 103
FortiMail 4000A 40, 91
FortiMail firmware 26, 75
installing 26, 75
FortiMail SMTP server 46, 117
FortiMail unit
registering 83


restarting and shutting down 27, 76


FortiMail-2000 106
Fortinet customer service 22
FortiResponse server 83
from IP
system status 74
from port
system status 74

G
gateway mode 28, 77
MX record 114
global address book 145
greylist 17
configuring 240
search 241

H
HA 281, 289, 320
active-passive 281
active-passive configuration synchronization 282
adding an IP address to an interface 291
alert email 297
alert email for HA events 299
antivirus definitions 287
archived email synchronization 288
backup unit 281
backup unit configuration 325
backup unit monitors remote services 319
changing an interface IP address in HA mode 294
changing FortiMail firmware 301
changing status 302
config only 281, 282
config only configuration synchronization 282
config only HA heartbeat and synchronization 285
config only HA interface configuration 291, 295
config only interface configuration 287
config only master configuration options 318
config only operating mode 302
config only overview 282
config only peer systems options 317
configuration 314
configuration not synchronized 287
configuration options 307
configuration synchronization 286, 314, 327
configuration synchronization options 314
configured operating mode 303
configuring an HA group 327
connecting an HA group to your network 326
daemon options 288, 313
daemon status 305
data synchronization 288
dead mail queue 289
deferred queue 289
effective operating mode 303
example 320
example alert email 307
example log message 307
example virtual IP configuration 293
failed queue 289
failover 285
failover email data 289


failover messages 100


failover scenario 327
forcing configuration synchronization 305
forcing data synchronization 305
FortiGuard Antispam 287
FortiGuard Antivirus 287
gateway mode configuration example 320
HA activity event 298, 299
hard disk monitoring 320
heartbeat 285, 314
heartbeat interface 286
heartbeat TCP port 314
interface 291
local hard drive monitoring 320
local IP 312
local network interface monitoring 320
local service monitoring 320
logging 297
mail data 315
mail data synchronization 288
mail data synchronization options 315
mail data TCP port 315
mail queue sync after a failover 289
main configuration 287, 310
master unit 281
mode of operation 310
mode status 303
monitoring 285
monitoring HTTP 318
monitoring POP service 318
monitoring POP3 318
monitoring SMTP 318
MTA spool directories 288
MTA spool directory sync after a failover 289
NAS server for mail data 300
network interface configuration in master mode 291
network interface in master mode options 315
on failure 311
on failure switch off 311
outgoing mail queue 289
overview 281
peer IP 312
primary heartbeat 311
primary unit 281
primary unit configuration 323
quarantined email synchronization 288
recording HA log messages 298
recording HA log messages to a remote syslog server 298
remote service monitoring 319
removing an interface from an HA group 294
resetting the configured HA operating mode 306
restarting HA processes on a stopped primary unit 306
secondary heartbeat 312
sending alert email for HA events 299
service monitoring 318, 319
services monitoring 288
shared password 313
slave unit 281
SNMP 297
SNMP to view HA configured operating mode 300
SNMP to view HA effective operating mode 300
SNMP trap for HA event 299


SNMP traps for HA events 299


spam queue 289
spam reports 282
storing mail data on a NAS server 300
synchronization interface 286
synchronization TCP port 314
synchronization timer 314
synchronizing MTA spool directories 289, 315
synchronizing the system mail directory 289, 315
synchronizing user home directories 289, 315
system mail directory 288
treat remote services as heartbeat 313
user home directories 288
viewing status 302
virtual IP 291
virtual IP DNS settings 292
virtual IP firewall settings 292
virtual IP outgoing traffic 292
wait for recovery and then assume slave role 311
wait for recovery then restore original role 311
web service 318
HA activity event
event log 298, 299
HA heartbeat
configuration options 314
HA monitoring 285
overview 285
TCP port 314
HA interface
add to bridge 317
add virtual IP/netmask 317
do nothing 316
mgmt 315
set interface IP/netmask 316
hard disk
logging to 254
heartbeat
HA 285, 314
heartbeat interface
HA 286, 311
heuristic scan 18
high availability 281
home directories
user 289, 315
hot spare 103, 106
hourly
update 84
HTTP
monitoring for HA 318

I
image spam scan 167
IMAP
server authentication 175
interface
configuring 91
configuring for HA 291
DHCP 85
HA heartbeat 286
interface address
resetting 30, 79
interface configuration

config only HA mode 295


interface monitoring 320
Invalid Quarantine Accounts 132
IP address 94
IP pool
profile 197
IP-based policy 204
gateway mode 204
server mode 206
transparent mode 207

K
key size
certification 110
key type
certificate 110
known peers
HA config only option 318

L
language
web-based manager 97
layer 2 bridge 40, 91
LCD control panel 96
LDAP
profile 193
user profiles 137
LDAP server 132
local certificate
options 109
local hard drive monitoring
HA 320
local IP
HA 312
local network interface monitoring
HA 320
log
message levels 53, 254
messages 55, 265
log files
downloading 59, 270
log message
example 307
log messages
accessing 55, 265
searching 56, 266
logging
alert email 61, 271
alert email, selecting event categories 62, 272
category 62, 272
customizing column view 58, 269
customizing column views 58, 269
deleting log files 61, 271
downloading a report 69, 279
downloading log files 59, 270
emptying a log file 60, 270
FortiAnalyzer unit 257
HA 297
hard disk 254
log information about history, event, antispam, and antivirus 262


log message severity levels 53, 254


log to different devices 260
log to local disk 254
log to multiple devices 259
log to syslog server 256
recording HA log messages 298
reports 62, 273
reports on demand 63, 273
roll up report 69, 279
searching log messages 56, 266
severity levels 53, 254
storing logs 254
syslog server 256
viewing logs 54, 264
logs
download 59, 270
saving to the hard disk 254

M
mail data
HA synchronization 288
mail directory
system 289, 315
mail queues
back up and restore 34, 145
dead email 33, 144
deferred 31, 141
failed 33
spam 32, 143
mail settings 113
configuring 113
mail statistics
viewing 25, 73
mail user
adding 152
change 152
display name 152
maintenance
Bayesian database back up
all databases 231
global or group 227
user 229
Bayesian database restore
all databases 231
global or group 228
user 229
black/white list back up
domain 237
personal 238
system 236
black/white list restore
domain 237
personal 238
system 236
dictionary back up and restore 192
mail queue back up and restore 34, 145
management access 41, 91
management IP 41, 91
configuring 95
manual
virus definition updates 83


master
HA mode 310
master configuration
HA config only 318
master unit 281
matched policies 90
maximum transmission unit (MTU) 42, 93
messages with viruses
treating as spam 167
messages, log 55, 265
mgmt
HA interface option 315
mirrored array 104
misc profile 176
mode of operation
HA 310
mode status
HA 303
monitor
HA 285
HA Daemon status 305
monitoring services
for HA 288, 318
MTA spool directories
synchronizing 289, 315
MX record 44, 89, 114, 129
preference number 89
MX record configuration 44, 129

N
NAS server 128
NAS server for mail data
HA 300
NAT device 86
network 89
configuring 94
Network Attached Storage (NAS) 127
network configuration
config only HA mode 295
network deployment 89
network interface
configuring for HA 291
Network Time Protocol (NTP) 37, 96
network utilization 25, 73
new peer
HA config only option 318
next hop router 43, 95
NFS 127

O
off
HA mode 310
on failure
HA 311
on HA failure
switch off 311
wait for recovery and then assume slave role 311
wait for recovery then restore original role 311
operating mode
changing 28, 77


config only HA mode 302


gateway 11
server 12
transparent 11
operation mode 11
HA 306
outbound relay server 44, 129
outgoing mail queue 289
override server
add 84

P
password
shared HA password 313
PDF scan 245
configuring 167
peer IP
HA 312
peer systems
HA config only 317
PIN (Personal Identification Number) 97
pipelining 183
policy
archive 250
defined 199
IP-based 204
IP-based, gateway mode 204
IP-based, server mode 206
IP-based, transparent mode 207
recipient-based 200
recipient-based, server mode 203
recipient-based, transparent and gateway modes
incoming 200
outgoing 202
POP service
monitoring for HA 318
POP3
monitoring for HA 318
server authentication 174
port 8890 80
port 9443 80, 86
primary heartbeat
HA 311
primary unit 281
product logo 122
profile 161
antispam 162
antivirus 171
authentication 173
content 178
content monitor 180
dictionary 185
IP pool 197
LDAP 193
misc 176
session 181
protocol
system status 74
proxy
configuring 147
push update
enabling 85
FortiMail IP addresses change 85
through a NAT device 86
push updates
enabling 85

Q
quarantine
spam 35, 209
system 36, 219
quarantine to review. See quarantine, system
quarantined email
HA synchronization 289
managing 209
managing in basic mode 34

R
Radius
server authentication 174
RAID 90
configuring 103
mirrored array 104
striped array 104
RAID 0 104
RAID 1 104
RAID 10 103, 104
RAID 10 + hot spare 104
RAID 5 104
RAID 50 104
RAID 50 + hot spare 104
RAID controller card 106
RAID levels 89, 103
read & write
administrator 38, 39, 98, 99
read & write access level
administrator account 37, 82, 96
read only
administrator 38, 39, 98, 99
read only access level
administrator account 37, 96
reading log messages 55, 265
recipient address verification 114
recipient-based policy 200
in server mode 203
in transparent and gateway modes
incoming 200
outgoing 202
Redundant Array of Independent Disks (RAID) 90
register
FortiMail Server 83
reject
domain access 115, 141
relay
domain access 31, 32, 33, 115, 141, 142, 143, 144
relay email 114
remote administration 92
remote service monitoring
HA 319
remote services
monitored by the HA backup unit 319


repair
Bayesian databases 231
replacement messages 115, 123
custom 123
report
spam
HTML format 215
text format 213
reports
browsing 68, 278
browsing reports 68, 278
configuring a report profile, domains 66, 276
configuring a report profile, incoming&outgoing 66, 276
configuring a report profile, output 66, 277
configuring a report profile, query selection 64, 275
configuring a report profile, schedule 65, 275
configuring a report profile, time period 64, 274
configuring reports 63, 273
downloading 69, 279
on demand 63, 273
roll up 69, 279
viewing reports 67, 277
reset
Bayesian databases
all databases 232
global or group 228
user 229
restart
primary unit 306
restore
Bayesian databases
all users 231
global or group 228
user 229
black/white lists
domain 237
personal 238
system 236
factory defaults 30, 79
mail queues 34, 145
system settings 30, 79
RFC 1869 122
routing
static 43, 94

S
scheduled updates
enable 84
secondary heartbeat
HA 312
secured SMTP (SMTPS) 45
send alert email for HA events 299
send SNMP trap for HA event 299
sender reputation 243
sender validation
DKIM 182
DomainKeys 182
SPF 182
server mode 28, 41, 77, 92
email user 152


email users 151


service
monitoring for HA 318
service monitoring
HA 318
services
monitored by the HA backup unit 319
monitoring for HA 288
services monitoring
HA 288
session
profile 181
session list 74
view 74
viewing 74
set interface IP/netmask
HA interface option 316
shared password
HA 313
SHASH 15
slave
HA mode 310
slave unit 281
SMTP
monitoring for HA 318
proxy settings 147
server authentication 176
SMTP connections for the interfaces
configuring 148
SMTP server 132, 148
SMTP traffic, blocked 149
SNMP
agent, configuring 100
community, configuring 102
HA 297
SNMP Agent 100
SNMP agent 102
SNMP community 102
SNMP get
HA configured operating mode 300
HA effective operating mode 300
SNMP manager 102, 103
SNMP MIB 100
SNMP traps
sending for HA events 299
spam
action 163
exempting from archive 251
image 167
also see antispam
spam queue
HA 289
managing 32, 143
spam report
HA 282
HTML format 215
text format 213
spam reports 44, 129
spammers 89
SSL/TLS 46, 117
static routing 43, 94


status
HA 302
viewing and changing HA status 302
SMTP requests, incoming 142
storing mail data on a NAS server
HA 300
striped array 104
subdomain 44, 129, 159
subject information
certificate 110
support
customer service and technical 22
SURBL 18
switch off
on HA failure 311
syn interval 37, 96
synchronization
HA 288
synchronization interface
HA 286, 311
syslog server
disk space 258
logging to 256
system
changing options 96
setting date and time 96
status 71
system date and time
setting 96
system mail directory
synchronizing 289, 315
system options
changing 96
system settings
backing up 29, 78
restoring 30, 79
restoring to factory defaults 30, 79
system status 83
system update 83

T
technical support 22
time and date
setting 96
time zone 37, 96
to IP
system status 74
to port
system status 74
train
Bayesian databases
global or group 227
user 228
transparent mode 28, 41, 77, 91, 95
treat remote services as heartbeat
HA 313
trusted host 40, 100

U
unknown servers
configuring SMTP options for 148, 183
update
antivirus 80
antivirus definitions 83
antivirus definitions, from a file 83
enabling push updates 85
enabling push updates through a NAT device 86
hourly 84
logging 84
manual virus definition update 83
weekly 84
upgrade
firmware 75
upgrading firmware
on an HA cluster 301
user alias
creating 157
user groups
creating 156
user guide
gateway and transparent modes 339
server mode 345
user home directories
synchronizing 289, 315
user name 152
group 157

V
verification of recipient addresses 114
viewing 58, 269
viewing reports 67, 277
virtual IP
DNS settings 292
example HA virtual IP configuration 293
firewall settings 292
HA 291
outgoing traffic 292
virus definition
manual update 83
virus status
view 74

W
wait for recovery and then assume slave role
on HA failure 311
wait for recovery then restore original role
on HA failure 311
web service
monitoring for HA 318
web-based manager
customizing appearance 125
introduction 14
language 97
weekly
update 84
Whitelist word scan 19
