Configuring encryption profiles
The Encryption tab lets you create encryption profiles, which contain encryption settings for secure MIME (S/MIME) and identity-based encryption (IBE).
Encryption profiles are applied through either message delivery rules or content action profiles. Content action profiles are used in content profiles, which in turn are included in policies. For more information, see “Configuring delivery rules” and “Configuring content action profiles”.
For S/MIME encryption to work, you must also create at least one internal address certificate binding. For details, see “Configuring certificate bindings”.
For more information about using S/MIME encryption, see “Using S/MIME encryption”.
For more information about using IBE, see “Configuring IBE encryption”.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains”.
To view or configure encryption profiles
1. Go to Profile > Security > Encryption.
 
GUI item: Description
Clone (button): Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.
Profile Name: Displays the name of the profile.
Protocol: Displays the protocol used for this profile, S/MIME or IBE.
Encryption Algorithm: Displays the encryption algorithm that will be used to encrypt the email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES).
Action: Either Encrypt or Sign.
Action On Failure: Indicates the action the FortiMail unit takes when S/MIME or IBE cannot be used:
  Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
  Send plain message: Deliver the email without encryption.
  Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level. For more information, see “Configuring delivery rules” and “Configuring TLS security profiles”.
IBE Action: Displays the action used by the mail recipients to retrieve IBE messages.
  Push: A notification and a secure mail are delivered to the recipient, who needs to go to the FortiMail unit to open the message. The FortiMail unit does not store the message.
  Pull: A notification is delivered to the recipient, who needs to go to the FortiMail unit to open the message. The FortiMail unit stores the message.
Max Push Size (KB): Displays the maximum message size (KB) of the secure mail delivered (or pushed) to the recipient. If the message exceeds the size limit, it will be delivered with the Pull method.
(Green dot in column heading): Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.
2. Either click New to add a profile or double-click a profile to modify it.
A dialog appears.
3. For a new profile, enter the name of the profile in Profile name.
4. In Protocol, select S/MIME or IBE.
The availability of the following options varies by your selection in Protocol.
5. If you selected IBE as the protocol:
Select the Action method (Push or Pull) for the mail recipients.
For Push, specify the maximum message size (KB) for the Push method. (Messages exceeding the size limit will be delivered with the Pull method.)
6. If you selected S/MIME as the protocol, select an action: Encrypt, Sign, or Encrypt and Sign. To use S/MIME encryption, you must also configure certificate binding. For details, see “Using S/MIME encryption” and “Configuring certificate bindings”.
7. From Encryption algorithm, select the encryption algorithm that will be used to encrypt email (AES 128, AES 192, AES 256, CAST5 128, or Triple DES).
8. From Action on failure, select the action the FortiMail unit takes when encryption cannot be used.
Drop and send DSN: Send a delivery status notification (DSN) email to the sender’s email address, indicating that the email is permanently undeliverable.
Send plain message: Deliver the email without encryption.
Enforce TLS: If the TLS level in the TLS profile selected in the message delivery rule is Encrypt or Secure, the FortiMail unit will not do anything. If the message delivery rule has no TLS profile or the TLS level in its profile is None or Preferred, the FortiMail unit will enforce the Encrypt level.
9. Click Create or OK.
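The fallback rules described above (Action on failure, including how Enforce TLS interacts with the delivery rule's TLS level, and the Push-to-Pull size fallback) modeled in Python for reviewing profile settings. This is an added example, not FortiMail code or its configuration format: the class and function names are hypothetical and the sample profiles are constructed. Flagging CAST5 128 and Triple DES as legacy 64-bit block ciphers is this example's assessment, not a statement from this page.

```python
from dataclasses import dataclass
from typing import List, Optional

# 64-bit block ciphers; flagging them is this example's assessment, not the page's.
LEGACY_ALGORITHMS = {"CAST5 128", "Triple DES"}

@dataclass
class EncryptionProfile:  # hypothetical model of the dialog's fields
    name: str
    protocol: str            # "S/MIME" or "IBE"
    algorithm: str
    action_on_failure: str   # "Drop and send DSN", "Send plain message", "Enforce TLS"
    ibe_action: Optional[str] = None   # "Push" or "Pull" (IBE only)
    max_push_size_kb: int = 0

def failure_outcome(p: EncryptionProfile, rule_tls_level: Optional[str]) -> str:
    """Outcome when S/MIME or IBE cannot be used; rule_tls_level is None if the rule has no TLS profile."""
    if p.action_on_failure == "Drop and send DSN":
        return "drop+dsn"
    if p.action_on_failure == "Send plain message":
        return "send-plain"
    if p.action_on_failure == "Enforce TLS":
        # Encrypt or Secure on the delivery rule is left alone; anything weaker becomes Encrypt.
        if rule_tls_level in ("Encrypt", "Secure"):
            return f"tls:{rule_tls_level}"
        return "tls:Encrypt"
    raise ValueError(f"unknown action on failure: {p.action_on_failure!r}")

def ibe_delivery(p: EncryptionProfile, message_kb: int) -> str:
    """Push is used only up to Max Push Size (KB); larger messages fall back to Pull."""
    if p.ibe_action == "Push" and message_kb <= p.max_push_size_kb:
        return "Push"
    return "Pull"

def audit(p: EncryptionProfile) -> List[str]:
    findings = []
    if p.action_on_failure == "Send plain message":
        findings.append("fails open: mail is delivered without S/MIME or IBE encryption")
    if p.algorithm in LEGACY_ALGORITHMS:
        findings.append(f"legacy 64-bit block cipher: {p.algorithm}")
    return findings

# Constructed sample profiles, not taken from any real configuration.
PROFILES = [
    EncryptionProfile("smime-strict", "S/MIME", "AES 256", "Drop and send DSN"),
    EncryptionProfile("smime-legacy", "S/MIME", "Triple DES", "Send plain message"),
    EncryptionProfile("ibe-push", "IBE", "AES 128", "Enforce TLS", "Push", 2048),
]
for prof in PROFILES:
    print(prof.name, failure_outcome(prof, None), audit(prof))
```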