FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Article Id 195102
Authentication profiles on the FortiMail are used to allow users to access their personal quarantine folders.  This article provides an overview of how authentication profiles work.

Authentication takes place before the FortiMail knows which recipient profile will be used and thus which authentication profile should be used.  Therefore, the authentication username should include the domain as well ( or alternatively a default domain should be configured under Mail Settings > Settings > Default Domain for authentication.

Ensure that the authentication profile is set up correctly.  If the FortiMail will be polling the internal server on port 465 then SSL should be used instead of TLS.

The FortiMail receives an authentication request from a client, then uses the configured authentication profile to verify credentials against the backend server.  It would need to know the full email address of the user to match the correct recipient policy.  In many cases case you will want to make sure the "server requires domain" box remains unchecked in your authentication profile so the domain portion is not forwarded to your backend server.  You can also select a default domain for authentication so if clients do not send the full email address it will use the authentication profile for the default domain.

Another alternative would be to bypass the transparent FortiMail by having clients authenticate and send mail directly to the backend server on MSA port 587.  If you do this, make sure "SMTP MSA service" is not selected in the FortiMail settings.