Configuring authentication profiles
The Authentication submenu lets you configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users.
FortiMail units support the following authentication methods:
SMTP
IMAP
POP3
RADIUS
LDAP
 
When the FortiMail unit is operating in server mode, only local and RADIUS authentication are available.
 
 
LDAP profiles can configure many features other than authentication, and are not located in the Authentication menu. For information on LDAP profiles, see “Configuring LDAP profiles”.
In addition to authenticating email users for SMTP connections, SMTP profiles can be used to authenticate email users making webmail (HTTP or HTTPS) or POP3 connections to view their per-recipient quarantine.
Depending on the mode in which your FortiMail unit is operating, you may be able to apply authentication profiles through incoming recipient-based policies, IP-based policies, and email user accounts. For more information, see “Controlling email based on recipient addresses”, “Controlling email based on IP addresses”, and “Configuring local user accounts (server mode only)”.
For the general procedure of how to enable and configure authentication, see “Workflow to enable and configure authentication of email users”.
To access this part of the web UI, your administrator account’s:
Domain must be System
access profile must have Read or Read-Write permission to the Policy category
For details, see “About administrator account permissions and domains”.
To view and manage the list of authentication profiles
1. Go to Profile > Authentication.
The name of the tab varies: it is Authentication in gateway and transparent mode, and RADIUS in server mode.
GUI item
Description
Clone
(button)
Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.
Domain
(drop-down list)
Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.
Auth type
(drop-down list)
To filter the list of authentication profiles, either select which protocol to display, or select ALL to display all authentication profiles, regardless of their protocol. Not available in server mode.
Profile Name
Displays the name of the profile.
Auth Type
(column)
Displays the protocol used to connect to the authentication server, either SMTP, POP3, IMAP, or RADIUS.
Not present in server mode, which can only use RADIUS authentication profiles.
Server
or
Server Name/IP
Displays the fully qualified domain name (FQDN) or IP address of a server that will be queried to authenticate email users if they authenticate to send email, or when they are accessing their personal quarantine.
Server Port
Displays the port number in server mode.
Domain Name
(column)
Displays either System or a domain name.
(Green dot in column heading)
Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.
2. Either click New to add a profile or double-click a profile to modify it.
A dialog appears that varies depending on the operation mode.
3. Configure the following:
 
GUI item
Description
Domain
For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile.
Authentication type
(not in server mode)
Select the protocol used to connect to the authentication server, either SMTP, POP3, IMAP, or RADIUS.
This drop-down list does not appear if the FortiMail unit is operating in server mode, which can only use RADIUS authentication profiles.
Profile name
For a new profile, enter the name of the profile.
Server name/IP
Enter the fully qualified domain name (FQDN) or IP address of a server that will be queried to authenticate email users if they authenticate to send email, or when they are accessing their personal quarantine.
Use generic LDAP mail host if available: For gateway and transparent mode, select this option if your LDAP server has a mail host entry for the generic user. For more information, see “Domain Lookup Query”.
If you select this option, the FortiMail unit will query the generic LDAP server first to authenticate email users. If no results are returned for the query, the FortiMail unit will query the server you entered in the Server name/IP field.
Server port
Enter the port number on which the authentication server listens.
The default value varies by the protocol. You must change this value if the server is configured to listen on a different port number, including if the server requires use of SSL.
For example, the standard port number for SMTP is 25. However, for SMTP with SSL, the default port number is 465. Similarly, IMAP is 143, while IMAP with SSL is 993; POP3 is 110, while POP3 with SSL is 995; and RADIUS is 1812.
Protocol
(for RADIUS server)
Select the authentication method for the RADIUS server.
NAS IP/Called station ID
(for RADIUS server)
Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiMail interface uses to communicate with the RADIUS server will be applied.
This field appears only for RADIUS authentication profiles.
Server secret
(for RADIUS server)
Enter the secret required by the RADIUS server. It must be identical to the secret that is configured on the RADIUS server.
This field appears only for RADIUS authentication profiles.
Server requires domain
Enable if the authentication server requires that email users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).
Advanced Settings
(for RADIUS server)
When you add a FortiMail administrator (see “Configuring administrator accounts”), you must specify an access profile (the access privileges) for the administrator. You must also specify a domain (either system or a protected domain) that the administrator is entitled to access.
If you are adding a RADIUS account, you can override the access profile and domain setting with the values of the remote attributes returned from the RADIUS server.
Enable remote access override: Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used.
Vendor ID: Enter the vendor’s registered RADIUS ID for remote access permission override. The default ID is 12356, which is Fortinet.
Attribute ID: Enter the attribute ID of the above vendor for remote access permission override. The attribute should hold an access profile name that exists on FortiMail. The default ID is 6, which is Fortinet-Access-Profile.
Enable remote domain override: Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. If there is no match, the specified domain will still be used.
Vendor ID: Enter the vendor’s registered RADIUS ID for remote domain override. The default ID is 12356, which is Fortinet.
Attribute ID: Enter the attribute ID of the above vendor for remote domain override. The attribute should hold a domain name that exists on FortiMail. The default ID is 3, which is Fortinet-Vdom-Name.
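The override rule above is easy to misread, so here is an added, stand-alone illustration of it (example code written for this page, not FortiMail’s own implementation). It decodes RFC 2865 Vendor-Specific attributes (type 26) from a constructed Access-Accept attribute list, picks out the Fortinet vendor ID 12356 sub-attributes 6 (Fortinet-Access-Profile) and 3 (Fortinet-Vdom-Name) named on the page, and applies the fallback: a returned value replaces the locally configured access profile or domain only when the corresponding override is enabled and the value names an object that already exists. The sample attribute bytes, the profile and domain names, and the function names are all constructed for the example.

```python
import struct

# Values stated on the page: Fortinet's registered vendor ID and the
# default vendor sub-attribute IDs for the two overrides.
FORTINET_VENDOR_ID = 12356
ATTR_ACCESS_PROFILE = 6   # Fortinet-Access-Profile
ATTR_VDOM_NAME = 3        # Fortinet-Vdom-Name
RADIUS_ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: Type(1) Len(1) Vendor-Id(4)
    Vendor-Type(1) Vendor-Len(1) data. Used only to build test input."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + vendor_part
    return struct.pack("!BB", RADIUS_ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob):
    """Yield (type, raw_value) for each TLV in a RADIUS attribute list,
    rejecting truncated or impossible lengths instead of reading past them."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[i + 2:i + alen]
        i += alen


def vendor_attributes(blob, vendor_id):
    """Return {vendor_type: text} for every VSA sub-attribute of vendor_id;
    VSAs from other vendors are ignored."""
    found = {}
    for atype, raw in parse_attributes(blob):
        if atype != RADIUS_ATTR_VENDOR_SPECIFIC or len(raw) < 6:
            continue
        if struct.unpack("!I", raw[:4])[0] != vendor_id:
            continue
        j = 4
        while j + 2 <= len(raw):
            vtype, vlen = raw[j], raw[j + 1]
            if vlen < 2 or j + vlen > len(raw):
                break  # malformed sub-attribute: stop reading this VSA
            found[vtype] = raw[j + 2:j + vlen].decode("ascii", "replace")
            j += vlen
    return found


def resolve_overrides(blob, configured_profile, configured_domain,
                      known_profiles, known_domains,
                      access_override=True, domain_override=True,
                      vendor_id=FORTINET_VENDOR_ID,
                      profile_attr=ATTR_ACCESS_PROFILE,
                      domain_attr=ATTR_VDOM_NAME):
    """Apply the page's rule: a returned value wins only if its override is
    enabled and it matches an existing profile/domain; otherwise the locally
    configured value is kept. Returns (access_profile, domain)."""
    vsa = vendor_attributes(blob, vendor_id)
    profile, domain = configured_profile, configured_domain
    if access_override and vsa.get(profile_attr) in known_profiles:
        profile = vsa[profile_attr]
    if domain_override and vsa.get(domain_attr) in known_domains:
        domain = vsa[domain_attr]
    return profile, domain


# Constructed Access-Accept attribute list (not captured traffic).
SAMPLE_ACCEPT = (
    build_vsa(FORTINET_VENDOR_ID, ATTR_ACCESS_PROFILE, "readonly_admin")
    + build_vsa(FORTINET_VENDOR_ID, ATTR_VDOM_NAME, "example.com")
    + build_vsa(99999, 1, "other-vendor")  # different vendor: must be ignored
)

if __name__ == "__main__":
    print(resolve_overrides(SAMPLE_ACCEPT, "super_admin", "System",
                            {"super_admin", "readonly_admin"},
                            {"System", "example.com"}))
```

Two cases worth noting when reading the result: if the returned profile name is not configured locally (for example a typo on the RADIUS side), the administrator silently keeps the profile chosen on the FortiMail unit, and a VSA carrying a different vendor ID never influences either value even if its sub-attribute numbers happen to be 6 or 3.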
Secure authentication
Enable if you want to use secure authentication to encrypt the passwords of email users when communicating with the server, and if the server supports it.
This option is not available for RADIUS authentication profiles.
SSL
Enable if you want to use secure socket layers (SSL) to encrypt communications between the FortiMail unit and this server, and if the server supports it.
This option is not available for RADIUS authentication profiles.
TLS
Enable if you want to use transport layer security (TLS) to authenticate and encrypt communications between the FortiMail unit and this server, and if the server supports it.
This option is not available for RADIUS authentication profiles.
To apply the authentication profile, you must select it in a policy. You may also need to configure access control rules, user accounts, and certificates. For details, see “Workflow to enable and configure authentication of email users”.