Workflow to enable and configure authentication of email users
In general, to enable and configure email user authentication, you should complete the following:
1. If you want to require authentication for SMTP connections received by the FortiMail unit, examine the access control rules whose sender patterns match your email users to ensure that authentication is required (Authenticated) rather than optional (Any).
Additionally, verify that no access control rule exists that allows unauthenticated connections. For details, see “Configuring access control rules”.
2. For secure (SSL or TLS) authentication:
   - Upload a local certificate. For details, see “Managing local certificates”.
   - Enable SMTP over SSL/TLS. For details, see “Configuring mail server settings”.
   - If you want to configure TLS, create a TLS profile, and select it in the access control rules. For details, see “Configuring TLS security profiles” and “Configuring access control rules”.
   - If the email user will use a personal certificate to log in to webmail or their per-recipient quarantine, define the certificate authority (CA) and the valid certificate for that user. If OCSP is enabled, you must also configure a remote certificate revocation authority. For details, see “Configuring PKI authentication”, “Managing certificate authority certificates”, and “Managing OCSP server certificates”.
3. If authentication will occur by querying an external authentication server rather than email user accounts locally defined on the FortiMail unit, configure the appropriate profile type, either:
   - SMTP, IMAP, or POP3 (gateway mode or transparent mode only; see “Configuring authentication profiles”)
   - LDAP (see “Configuring LDAP profiles”)
   - RADIUS (see “Configuring authentication profiles”)
4. For server mode, configure the email users and type their password, or select an LDAP profile. Also enable webmail access in a resource profile. For details, see “Configuring local user accounts (server mode only)” and “Configuring resource profiles (server mode only)”.
5. For gateway mode or transparent mode, select the authentication profile in the IP-based policy or in the incoming recipient-based policy that matches that email user and enable Use for SMTP authentication. If the user will use PKI authentication, in the incoming recipient-based policy, also enable Enable PKI authentication for web mail spam access. For details, see “Controlling email based on recipient addresses” and “Controlling email based on IP addresses”.
For server mode, select the resource profile in the incoming recipient-based policy, and if users authenticate using an LDAP profile, select the LDAP profile. For details, see “Controlling email based on recipient addresses”.
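After completing the workflow, verify from the outside that steps 1 and 2 actually took effect: the listener should offer STARTTLS, advertise AUTH only on the encrypted channel, and reject an unauthenticated submission from an address matching your email users. The probe below is an added example, not FortiMail code; the hostname, HELO name, sender and recipient addresses are placeholders you replace with your own (the sender should be in a protected domain, the recipient external).

```python
import smtplib
import ssl

HELO_NAME = "probe.example.invalid"  # assumed placeholder, not from the page


def evaluate(pre_tls, post_tls, rcpt_code):
    """Map what a probe observed onto the workflow's steps.

    pre_tls / post_tls: smtplib.SMTP.esmtp_features dicts (lowercase keys)
    captured before and after STARTTLS; rcpt_code: SMTP reply code to an
    unauthenticated RCPT TO for an external recipient.
    """
    findings = []
    if "starttls" not in pre_tls:
        findings.append("NO_STARTTLS")            # step 2: SMTP over SSL/TLS not enabled
    if "auth" in pre_tls:
        findings.append("AUTH_BEFORE_TLS")        # AUTH offered on the cleartext channel
    if "auth" not in post_tls:
        findings.append("NO_AUTH_OFFERED")        # no SMTP AUTH available at all
    if rcpt_code == 250:
        findings.append("UNAUTH_RELAY_ACCEPTED")  # step 1: a rule still allows Any
    return findings


def probe(host, port=25, sender="user@protected.example",
          rcpt="someone@external.example", timeout=10):
    """Connect, record advertised extensions, try an unauthenticated
    MAIL FROM / RCPT TO, and return the findings. Never reaches DATA."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(HELO_NAME)
        pre_tls = dict(smtp.esmtp_features)
        post_tls = pre_tls
        if "starttls" in pre_tls:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo(HELO_NAME)  # extensions must be re-read after STARTTLS
            post_tls = dict(smtp.esmtp_features)
        code, _ = smtp.mail(sender)
        if code == 250:
            code, _ = smtp.rcpt(rcpt)
            smtp.rset()  # abandon the transaction; this is a policy check only
        return evaluate(pre_tls, post_tls, code)


if __name__ == "__main__":
    print(probe("fortimail.example"))  # placeholder host; expect [] when steps 1-2 are done
```

A non-empty result names the step to revisit; a 4xx or 5xx reply to RCPT TO counts as rejected.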