Variable | Description | Default |
access-banner {admin | webmail | ibe} | Enable or disable the legal disclaimer. • admin: Select to display the disclaimer message when the administrator logs into the FortiMail unit web-based manager. • webmail: Select to display the disclaimer message when the user logs into the FortiMail Webmail. • ibe: Select to display the disclaimer message when the user logs into the FortiMail unit to view IBE encrypted email. | |
admin-idle-timeout <timeout_int> | Enter the amount of time in minutes after which an idle administrative session will be automatically logged out. The maximum idle timeout is 480 minutes (8 hours). To improve security, do not increase the idle timeout. | 5 |
admin-scp {enable | disable} | Enable to allow system configuration download by SCP. | disable |
default-certificate <name_str> | Enter the name of a local certificate to use it as the “default” (that is, currently chosen for use) certificate. FortiMail units require a local server certificate that they can present when clients request secure connections. | |
disclaimer-per-domain {enable | disable} | Enable to allow individualized disclaimers to be configured for each protected domain. | |
disk-monitor {enable | disable} | Enable to monitor the hard disk status of the FortiMail unit. If a problem is found, an alert email is sent to the administrator. | disable |
hostname <host_str> | Enter the host name of the FortiMail unit. | Varies by model. |
iscsi-initiator-name <name_str> | Enter the FortiMail iSCSI client name used to communicate with the iSCSI server for centralized quarantine storage. Use this only to change the name that the FortiMail unit generates automatically. | |
lcd-pin <pin_int> | Enter the 6-digit personal identification number (PIN) that administrators must enter in order to access the FortiMail LCD panel. The PIN is used only when lcd-protection is enable. | Encoded value varies. |
lcd-protection {enable | disable} | Enable to require that administrators enter a PIN in order to use the buttons on the front LCD panel. Also configure lcd-pin. | disable |
ldap-conn-monitor {enable | disable} | Enable to monitor the connection status to the LDAP server. If the FortiMail unit’s connection to the LDAP server is not healthy, the FortiMail LDAP daemon does not always perform the off-box query; instead, it returns TEMPFAIL to the LDAP query right away. This is intended to reduce the burden on an already heavily loaded LDAP server. This feature is enabled by default. In some cases, this feature may not be desired. | enable |
ldap-sess-cache-size <session_int> | Enter the number of connection sessions allowed from the FortiMail unit to the LDAP server. This option applies when ldap-sess-cache-state is enable. | 10 |
ldap-sess-cache-state {enable | disable} | Enable to keep the continuity of the connection sessions to the LDAP server. Repeated session connections waste network resources. Also configure ldap-sess-cache-size. | enable |
operation-mode {gateway | server | transparent} | Enter one of the following operation modes: • gateway: The FortiMail unit acts as an email gateway or MTA, but does not host email accounts. • server: The FortiMail unit acts as a standalone email server that hosts email accounts and acts as an MTA. • transparent: The FortiMail unit acts as an email proxy. | gateway |
pki-certificate-req {yes | no} | If the administrator’s web browser does not provide a valid personal certificate for PKI authentication, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter yes. To allow password-style fallback, enter no. | no |
pki-mode {enable | disable} | Enable to allow PKI authentication for FortiMail administrators. For more information, see “user pki” and “system admin”. Also configure pki-certificate-req {yes | no}. Caution: Before disabling PKI authentication, select another mode of authentication for FortiMail administrators and email users that are currently using PKI authentication. Failure to first select another authentication method before disabling PKI authentication will prevent them from being able to log in. | disable |
port-http <port_int> | Enter the HTTP port number for administrative access on all interfaces. | 80 |
port-https <port_int> | Enter the HTTPS port number for administrative access on all interfaces. | 443 |
port-ssh <port_int> | Enter the SSH port number for administrative access on all interfaces. | 22 |
port-telnet <port_int> | Enter the TELNET port number for administrative access on all interfaces. | 23 |
strong-crypto {enable | disable | rc4-cipher} | Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta) and higher. Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption. Select the rc4-cipher option to force HTTPS to use RC4-SHA ciphers only. | disable |
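
The following check is an added example, not part of the original reference or of Fortinet's tooling: it reads a saved `config system global` block and reports administrative-access settings that are weaker than the table above advises. It assumes the configuration uses the `config ... / set <variable> <value> / end` layout; the sample text, function names and finding wording are constructed for illustration.

```python
import re

# Defaults copied from the table above; they apply when a setting is absent.
DEFAULTS = {
    "admin-idle-timeout": "5",
    "admin-scp": "disable",
    "pki-mode": "disable",
    "pki-certificate-req": "no",
    "strong-crypto": "disable",
}

def parse_global(text):
    """Return the `set` values found inside the `config system global` block."""
    settings, inside = dict(DEFAULTS), False
    for line in text.splitlines():
        line = line.strip()
        if line == "config system global":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit(settings):
    """Return (variable, finding) pairs for values weaker than the table advises."""
    findings = []
    timeout = int(settings["admin-idle-timeout"])
    if timeout > 5:
        findings.append(("admin-idle-timeout", f"{timeout} min exceeds the default of 5"))
    if settings["strong-crypto"] != "enable":
        findings.append(("strong-crypto", "admin access is not limited to strong ciphers"))
    if settings["pki-mode"] == "enable" and settings["pki-certificate-req"] != "yes":
        findings.append(("pki-certificate-req", "password fallback is still allowed"))
    if settings["admin-scp"] == "enable":
        findings.append(("admin-scp", "configuration can be downloaded over SCP"))
    return findings

# Constructed sample configuration, not taken from a real unit.
SAMPLE = """\
config system global
  set hostname "mail-gw-example"
  set admin-idle-timeout 60
  set pki-mode enable
  set strong-crypto rc4-cipher
end
"""

if __name__ == "__main__":
    for name, finding in audit(parse_global(SAMPLE)):
        print(f"{name}: {finding}")
```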