FortiMail
nagarajs_FTNT
Article Id 414661
Description This article describes how to configure LDAP-based mail routing in FortiMail, so that the mail host and the delivery address for a message are taken from attributes of the recipient's LDAP (Active Directory) user object.
Scope FortiMail.
Solution

When an email is accepted, FortiMail can query the LDAP server with the User Query of the LDAP profile, using the recipient's email address, and read the attributes defined under Mail Routing Options of that profile to determine where, and to which address, the message is delivered:

  • mailHost - IP address or FQDN of the backend mail server to which the email is routed.
  • mailRoutingAddress - the SMTP envelope recipient (RCPT TO:) address to which the email is delivered on that server.

On the AD server:

Create new mailHost and mailRoutingAddress attributes in the AD schema and assign values to them on the required users.

Alternatively, use existing but unused AD attributes as the Mail host attribute and the Mail routing address attribute in the FortiMail LDAP profile; this avoids a schema extension.

In this example, the existing attributes 'division' (used as the mail host) and 'desktopProfile' (used as the mail routing address) are populated with the Attribute Editor tab in Active Directory Users and Computers (the tab is only visible when Advanced Features is enabled in the View menu):

 

Configure the mail host attribute ('division' in this example) for the required users, setting its value to the IP address or FQDN of the Exchange or mail server that holds their mailbox.

Optional: Configure the mail routing address attribute ('desktopProfile' in this example) for the required users, setting its value to the address of the intended recipient mailbox on that mail server. If it is left empty, the original recipient address is used.

For the tests, the following configuration was used on the AD server:

Mail Address               division (mail host)         desktopProfile (mail routing address)
user1@labfmlemea.com       (not set)                    (not set)
test1@labfmlemea.com       mailserver.labfmlemea.com    internal1@labfml.com
internal3@labfmlemea.com   mailserver.labfmlemea.com    (not set)

 

 

The account with mail address user1@labfmlemea.com has no value set for either division or desktopProfile.


The attributes of the account with mail address internal3@labfmlemea.com are shown in Internal3.jpg.

The attributes of the account with mail address test1@labfmlemea.com are shown in Test1.JPG.

 

LDAP profile configuration on FortiMail:

  1. Create a new LDAP profile or edit an existing one. The User Query must return the recipient's user object when it is run with the recipient's email address.
  2. Enable Mail Routing Options and set Mail host attribute to 'division' and Mail routing address attribute to 'desktopProfile' (the AD attributes populated above). An example profile is shown in LDAP_profile.JPG.

Note: LDAP cache is enabled by default, so changes made to the AD attributes may not take effect until the cached query result expires. Keep this in mind when testing.

Assign the profile to the protected domain:

  1. Go to Domain & User -> Domain -> Domain.
  2. Select the row of the protected domain to modify it.
  3. Expand the LDAP Option section.
  4. Set Mail routing profile to the LDAP profile created for mail routing (Domain_settings_ldap.JPG).


mailHost and mailRoutingAddress configuration on the AD server, and the result on FortiMail when the LDAP profile is used for mail routing:

mailHost   mailRoutingAddress   Result on FortiMail
Set        Set                  Mail routed to mailHost and delivered to mailRoutingAddress.
Set        Not set              Mail routed to mailHost and delivered to the original recipient address.
Not set    Set                  Mail routed to the SMTP server configured under the protected domain and delivered to mailRoutingAddress.
Not set    Not set              Mail routed to the SMTP server configured under the protected domain and delivered to the original recipient address.

In other words, each attribute overrides its default independently: mailHost replaces the protected domain's SMTP server, and mailRoutingAddress replaces the envelope recipient.
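The lookup described at the start of the Solution and the result table above, modelled as an added example in Python. This is not FortiMail's code: it reproduces the decision logic the table describes over an in-memory copy of the lab's AD entries, so the expected behaviour can be checked before touching the appliance. The query template '(mail=$m)', the protected domain's SMTP server 10.0.0.25, the extra constructed entry test2@labfmlemea.com (which covers the row where only mailRoutingAddress is set) and the small filter evaluator are assumptions made for the example. The escaping step shows why the recipient address substituted into the User Query must be treated as data rather than filter syntax: an unescaped '*' would match every object in the directory.

```python
"""Offline model of FortiMail's LDAP mail-routing lookup (added example, not
FortiMail code). Directory entries, the User Query template and the protected
domain's SMTP server are constructed to mirror the article's lab."""
import re
from dataclasses import dataclass
from typing import List

# Constructed AD entries. As in the article, the unused attributes 'division'
# and 'desktopProfile' stand in for mailHost and mailRoutingAddress.
# test2 is an extra constructed entry covering the "mailHost not set,
# mailRoutingAddress set" row of the result table.
DIRECTORY = [
    {"mail": "user1@labfmlemea.com", "division": "", "desktopProfile": ""},
    {"mail": "test1@labfmlemea.com", "division": "mailserver.labfmlemea.com",
     "desktopProfile": "internal1@labfml.com"},
    {"mail": "internal3@labfmlemea.com", "division": "mailserver.labfmlemea.com",
     "desktopProfile": ""},
    {"mail": "test2@labfmlemea.com", "division": "", "desktopProfile": "internal2@labfml.com"},
]

# Assumed LDAP profile settings for the lab: the attribute mapping is the
# article's; the query template and the fallback SMTP server are assumptions.
MAIL_HOST_ATTR = "division"                # Mail host attribute
MAIL_ROUTING_ADDR_ATTR = "desktopProfile"  # Mail routing address attribute
USER_QUERY = "(mail=$m)"                   # '$m' is replaced by the recipient address
PROTECTED_DOMAIN_SMTP = "10.0.0.25"        # assumed SMTP server of the protected domain

_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so a
    recipient such as '*' is matched literally instead of as a wildcard."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_user_query(recipient: str) -> str:
    """Substitute the escaped recipient into the profile's User Query."""
    return USER_QUERY.replace("$m", escape_filter_value(recipient))


def _value_pattern(raw: str) -> str:
    """Regex for a raw filter value: unescaped '*' is a wildcard, '\\XX' is literal."""
    pattern, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            pattern.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            pattern.append(".*")
            i += 1
        else:
            pattern.append(re.escape(raw[i]))
            i += 1
    return "".join(pattern)


def ldap_search(query: str) -> List[dict]:
    """Evaluate a single '(attr=value)' equality/substring filter over DIRECTORY.
    Matching is case-insensitive, as for AD's 'mail' attribute."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", query)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled: %r" % query)
    attr, raw = m.groups()
    pat = _value_pattern(raw)
    return [e for e in DIRECTORY if re.fullmatch(pat, e.get(attr, ""), re.IGNORECASE)]


@dataclass(frozen=True)
class Route:
    mail_host: str
    rcpt_to: str
    host_from_ldap: bool
    rcpt_from_ldap: bool


def resolve_route(recipient: str) -> Route:
    """Apply the article's result table: each attribute that is set overrides
    the protected domain's SMTP server / the original RCPT TO independently."""
    matches = ldap_search(build_user_query(recipient))
    entry = matches[0] if matches else {}   # first hit; no hit means no attributes
    mail_host = entry.get(MAIL_HOST_ATTR, "").strip()
    routing_addr = entry.get(MAIL_ROUTING_ADDR_ATTR, "").strip()
    return Route(
        mail_host=mail_host or PROTECTED_DOMAIN_SMTP,
        rcpt_to=routing_addr or recipient,
        host_from_ldap=bool(mail_host),
        rcpt_from_ldap=bool(routing_addr),
    )


if __name__ == "__main__":
    for rcpt in ("user1@labfmlemea.com", "test1@labfmlemea.com",
                 "Internal3@labfmlemea.com", "test2@labfmlemea.com"):
        r = resolve_route(rcpt)
        print(f"{rcpt:28} -> host={r.mail_host:28} RCPT TO:<{r.rcpt_to}>")
    # An unescaped wildcard matches every entry; the escaped query matches none.
    print(len(ldap_search("(mail=*)")), len(ldap_search(build_user_query("*"))))
```

Running the script prints the routing decision for each of the four test recipients, followed by the number of entries matched by the raw filter (mail=*) against the escaped one. If the AD attributes chosen differ from the lab's, only MAIL_HOST_ATTR and MAIL_ROUTING_ADDR_ATTR need to change; the routing functions stay the same.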

 

Example logs for emails received for the recipient user1@labfmlemea.com (neither attribute set: routed to the protected domain's SMTP server and delivered to the original recipient) are shown in User1_Logs.JPG.

Example logs for emails received for the recipient test1@labfmlemea.com (both attributes set: routed to mailserver.labfmlemea.com and delivered to internal1@labfml.com) are shown in Test1_logs.JPG.

Example logs for emails received for the recipient Internal3@labfmlemea.com (only the mail host set: routed to mailserver.labfmlemea.com and delivered to the original recipient) are shown in Internal3_logs.JPG.