FortiMail
Article Id 195623

See also the "Troubleshooting" chapter of the FortiMail Administration Guide.


How do FortiMail units handle traffic in excess of their rated throughput: do they buffer it, or reject connections?

When system load (for example, hard disk I/O and the number of SMTP connections) exceeds the FortiMail unit's capacity, the FortiMail unit rejects additional connections rather than buffering them. Most SMTP servers retry the connection later, resulting in a small delay that is usually self-correcting as load decreases.

What is the difference between temporary failure (TEMPFAIL) and rejection?

A temporary failure returns a 4xx SMTP reply code. The command was not accepted and the requested action did not occur, but the error condition is temporary and the action may be requested again.

A rejection returns a 5xx SMTP reply code. The sending MTA removes the message from its sending queue and sends a DSN (bounce) email indicating delivery failure.

Can the local domain name be different from that of the protected domain?

For FortiMail v3.0 and greater, the local domain name can be the same as a protected domain. Previously, the local domain name had to be different from the protected domain. Note that the local DNS server must be able to resolve the local domain name for proper email delivery to the FortiMail unit, such as Bayesian training messages.

How do I enable/disable DNS caching?

You can enable/disable DNS caching with the CLI command set system dns cache {enable | disable}.

How do I configure mail routing using LDAP?

  1. Go to Profile > LDAP.
  2. Create an LDAP profile with the Mail Routing query option enabled.
  3. Enter the names of the Mail Routing Host and Mail Routing Address attributes in your LDAP directory.
  4. Go to Mail Settings > Domains and edit a protected domain.
  5. In the Advanced Settings section, enable Mail Routing. Select the LDAP profile you just created.
  6. Select OK.

For email destined for recipients at example.com, the email will be routed according to the results of LDAP queries for the mail routing attributes of the recipient's user object. If the LDAP query result is null, the email will be sent to the original destination. In order to improve the LDAP query performance, it is recommended to enable the LDAP query cache.

Can the URL that is generated by the FortiMail unit within a spam report be modified?

No, this feature is not available. The link is hard-coded to the FortiMail unit. Be sure that you have a DNS-resolvable name for reaching the FortiMail unit from within your LAN.

Why aren't large attachments allowed through the FortiMail unit?

The FortiMail unit limits email to a default maximum size of 10 MB. You can modify this value using the 'Cap message size at' setting in the SMTP Limits section of a session profile. Note that this limit applies to the total size of the transmitted message, including message headers, attachments, and transfer encoding, which can be significantly larger than the size of the attachments themselves (base64 encoding alone adds roughly one third).
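To see why an attachment that is well under 10 MB on disk can still be rejected, the following added example (not code from the page or from Fortinet) builds a MIME message around a constructed binary attachment and measures its size as it would be transmitted. The 10 MB cap is assumed here to mean 10 MiB; the actual unit FortiMail uses is not stated on the page.

```python
from email.message import EmailMessage

# Assumed interpretation of the default "Cap message size at" value (10 MiB).
DEFAULT_CAP_BYTES = 10 * 1024 * 1024


def build_message(attachment_size: int) -> EmailMessage:
    """Build a minimal message with one binary attachment of the given size.

    The attachment content is constructed (all zero bytes); only its size matters.
    """
    msg = EmailMessage()
    msg["From"] = "user1@example.com"
    msg["To"] = "user2@example.com"
    msg["Subject"] = "Report"
    msg.set_content("Attached is the report.")
    # Binary payloads are base64-encoded on the wire: 4 output bytes for every
    # 3 input bytes, plus a line break every 76 characters.
    msg.add_attachment(bytes(attachment_size), maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg


def wire_size(msg: EmailMessage) -> int:
    """Size of the message as transmitted: headers, bodies, encoding, line breaks."""
    return len(msg.as_bytes())


def exceeds_cap(attachment_size: int, cap: int = DEFAULT_CAP_BYTES) -> bool:
    """True if a message carrying this attachment would exceed the size cap."""
    return wire_size(build_message(attachment_size)) > cap


if __name__ == "__main__":
    for size in (1_000_000, 8_000_000):
        total = wire_size(build_message(size))
        verdict = "over cap" if exceeds_cap(size) else "under cap"
        print(f"attachment {size:,} bytes -> {total:,} bytes on the wire ({verdict})")
```

An 8,000,000-byte attachment comes out at roughly 10.8 MB on the wire, so it is refused by the default cap even though the file itself is "only 8 MB"; the same arithmetic applies when you choose a new value for 'Cap message size at'.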

White list entries do not bypass content inspection. Is this normal?

Yes, this behavior is by design. White lists only bypass antispam scans; they do not bypass content scans or antivirus scans.

I enabled the "Add outgoing email addresses to "White" list" option in User > User > User Preferences. Why are the recipient addresses not being added to the personal white list?

Only recipient email addresses in outgoing email (that is, email destined for unprotected domains) are added to the email user’s personal white list. Recipient email addresses of incoming email are not added.

For how long will the sender reputation feature block an SMTP client?

It depends on how the SMTP client behaves. The blocking by sender reputation occurs in hourly increments. For example:

  1. An SMTP client is blocked at 1:00 because it has been sending spam and its sender reputation score has reached the threshold. The SMTP client will not be able to send email through the FortiMail unit from 1:01 to 2:00.
  2. Starting at 2:01, the SMTP client's sender reputation score is decreased, and it is able to send email through the FortiMail unit again.
  3. If the SMTP client starts to send spam again, its score will again increase to the threshold and it will be blocked again immediately.
  4. If the SMTP client never sends spam or virus-infected messages after that, its score will gradually decrease to 0.

Why should I specify relay permission in Mail Settings > Access?

Access entries with the RELAY permission indicate that the FortiMail unit is permitted to relay mail to or from a specified IP address/subnet, domain, or email address. Without explicit relay permission, the FortiMail unit will not relay unless the email is to or from a domain defined in Mail Settings > Domains. This is what keeps the unit from acting as an open relay for arbitrary third-party senders.
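The following added example (not FortiMail's own code, and a simplified model of its access list) shows the relay decision described above: mail to or from a protected domain is always accepted for relay, anything else needs a matching access entry with the RELAY permission, and everything else is refused. The entry fields, the "first matching entry wins" rule and the sample addresses are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protected domains, as configured under Mail Settings > Domains (constructed).
PROTECTED_DOMAINS = {"example.com"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class AccessEntry:
    """Simplified access entry; a field left as None matches anything."""
    permission: str                       # "RELAY" or "REJECT"
    client_net: Optional[str] = None      # e.g. "192.0.2.0/24"
    sender_domain: Optional[str] = None   # e.g. "partner.example"
    sender_address: Optional[str] = None  # exact sender address

    def matches(self, client_ip: str, sender: str) -> bool:
        if self.client_net is not None and \
                ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.client_net):
            return False
        if self.sender_domain is not None and domain_of(sender) != self.sender_domain.lower():
            return False
        if self.sender_address is not None and sender.lower() != self.sender_address.lower():
            return False
        return True


def relay_allowed(client_ip: str, sender: str, recipient: str,
                  access_entries: list, protected=PROTECTED_DOMAINS) -> bool:
    """Decide whether the unit may relay this message.

    Inbound mail to a protected domain and outbound mail from one are always
    relayed; otherwise the first matching access entry decides; with no match
    the default is to refuse (no open relay).
    """
    if domain_of(recipient) in protected or domain_of(sender) in protected:
        return True
    for entry in access_entries:
        if entry.matches(client_ip, sender):
            return entry.permission == "RELAY"
    return False


# Constructed access list: one partner subnet may relay through the unit.
ACCESS = [AccessEntry("RELAY", client_net="192.0.2.0/24", sender_domain="partner.example")]

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "someone@example.net", "user1@example.com"),   # inbound
        ("192.0.2.10", "alice@partner.example", "bob@example.org"),     # partner relay
        ("198.51.100.7", "someone@example.net", "victim@example.org"),  # third-party relay attempt
    ]
    for ip, frm, to in cases:
        print(f"{ip} {frm} -> {to}: {'relay' if relay_allowed(ip, frm, to, ACCESS) else 'refuse'}")
```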

Why is Bayesian scanning not generally recommended?

Bayesian scanning is usually not recommended for the following reasons:

  • Spam that it catches can usually be caught by a FortiMail unit's other antispam techniques.
  • It tends to consume more resources (CPU and memory) than most other techniques.
  • If not properly trained, it may result in increased false positives and false negatives.

If I want to enable Bayesian scanning, what is the recommended configuration?

If you do want to enable Bayesian scanning, consider using the global Bayesian database instead of the per-domain (group) or per-user Bayesian databases. This improves the performance of the FortiMail unit because there is only one database to maintain. To use only the global Bayesian database for incoming traffic, enable the "Use Global Bayesian Database" option in the Advanced AS/AV Settings section of each protected domain. For outgoing traffic, all Bayesian scanning uses only the global Bayesian database.

Email users are unable to perform Bayesian training. What could cause this?

  • The domain part of the training address (for example, fortimail.example.com) must resolve to the FortiMail unit's IP address.
  • The Bayesian scan option for user (user personal database) in the active antispam profile must be enabled.
  • The 'Accept training messages from users' feature in the Bayesian portion of the antispam profile must be enabled.

I have trained my Bayesian database with an MBOX file, but the FortiMail unit does not report any messages learned as spam or non-spam. Why?

If the MBOX file used to train the Bayesian database is not RFC compliant, the FortiMail unit will not be able to read the file correctly. If this happens, use a different Mail User Agent (MUA) to export your email folders and try again. MBOX files created by the Thunderbird email client are not RFC compliant.

Note that training of Bayesian databases with MBOX files is very resource intensive. Plan this type of training during low-traffic periods, such as on weekends.
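Because a failed training run wastes a low-traffic window, it is worth sanity-checking an exported MBOX file before uploading it. The following added example (not FortiMail's parser; the page does not document the unit's exact requirements) parses a file with Python's standard mailbox module and reports two things an admin can fix at export time: separator lines that do not have the "From <sender> <asctime>" form, and messages missing the From or Date headers that RFC 5322 requires. The two sample mailboxes are constructed.

```python
import mailbox
import os
import re
import tempfile

# Separator line as documented in RFC 4155: "From ", a sender token, an asctime date.
SEPARATOR_RE = re.compile(r"^From (\S+@\S+) (\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})$")
REQUIRED_HEADERS = ("From", "Date")


def check_mbox(text: str) -> dict:
    """Return {'messages': n, 'problems': [...]} for the given MBOX file contents."""
    problems = []
    # Pass 1: inspect the raw separator lines before mailbox normalises anything.
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("From ") and not SEPARATOR_RE.match(line):
            problems.append(f"line {lineno}: non-standard separator {line!r}")
    # Pass 2: let the mailbox module split and parse each message.
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        box = mailbox.mbox(path, create=False)
        count = 0
        for index, msg in enumerate(box):
            count += 1
            for header in REQUIRED_HEADERS:
                if msg[header] is None:
                    problems.append(f"message {index}: missing {header} header")
        box.close()
    finally:
        os.remove(path)
    if count == 0:
        problems.append("no messages found (no 'From ' separator lines?)")
    return {"messages": count, "problems": problems}


# Constructed sample: two well-formed messages.
GOOD_MBOX = (
    "From user1@example.com Mon Jan  8 09:15:00 2024\n"
    "From: user1@example.com\nTo: user2@example.com\n"
    "Date: Mon, 08 Jan 2024 09:15:00 +0000\nSubject: Hello\n\nFirst body\n\n"
    "From user3@example.org Mon Jan  8 10:00:00 2024\n"
    "From: user3@example.org\nTo: user2@example.com\n"
    "Date: Mon, 08 Jan 2024 10:00:00 +0000\nSubject: Again\n\nSecond body\n"
)

# Constructed sample: a "From - <date>" style separator and a message without a Date header.
BAD_MBOX = (
    "From - Mon Jan  8 09:15:00 2024\n"
    "From: user1@example.com\nTo: user2@example.com\nSubject: Hello\n\nBody\n"
)

if __name__ == "__main__":
    for name, data in (("good", GOOD_MBOX), ("bad", BAD_MBOX)):
        result = check_mbox(data)
        print(name, result["messages"], "message(s)", result["problems"] or "OK")
```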

Can I copy a Bayesian database for one email user to another?

Yes. Since the Bayesian database backup file from the FortiMail unit contains no user name or domain, this is possible. First back up the user database from the original user, then restore it to any other email user. For example, if you have trained a large Bayesian database for user1@example.com, you can download that database and then restore it to user2@example.com or user3@lab.example.edu.

What type of database is used for the Bayesian databases?

MySQL.

What type of database is used for the dictionary database?

Berkeley.

Why do I get the error message 'Login incorrect' when attempting to log in to FortiMail webmail?

You may not have configured authentication properly. Check these five items:

  • Authentication must be enabled and the policy matched (gateway or transparent mode).
  • The "Server Requires Domain" option may need to be enabled in the authentication profile.
  • The "Allow Web Mail for SPAM access" option must be enabled in the Authentication and Access section of a policy.
  • The authentication server must have authentication enabled.
  • Try to log in with your full email address. For example, use user1@example.com instead of user1 as the login name.

Why am I receiving the message 'Invalid Length Value' when logging in to the FortiMail unit?

This message appears when the communication with the authenticator daemon has been abruptly dropped. This could be a sign of communication problems in your network. Verify the network path between your management computer and the FortiMail unit. Proceed with a packet capture if necessary.

Can the FortiMail unit create a browser cookie to override the need to enter the user ID/password for email users to view their quarantine list?

No, cookies are not feasible due to security implications. However, email users can log in with a certificate instead of a user name and password if you configure PKI authentication. For details, see the FortiMail Administration Guide.

Why does my disk usage remain the same even though I deleted the email from webmail?

When you delete email in webmail, the email is marked for deletion but for performance reasons is not physically deleted at that time. To immediately physically delete all marked email, select Edit Folder and then select Compact.

How can I prevent Microsoft Exchange 2003 from relaying mail? Or is relaying prevented by default?

The default configuration of Exchange Server 2003 and Exchange 2000 Server will relay mail under certain circumstances. Each Exchange 2000/2003 server has an SMTP Virtual Server that you can configure in the Exchange System Manager. Configure the relay restrictions on the Access property tab of the Default SMTP Virtual Server. The default is to not allow relaying; however, the 'Allow all computers which successfully authenticate to relay, regardless of the list above' checkbox is enabled by default. This allows POP3 and IMAP4 clients with valid computer accounts in the domain/forest to send mail to your Exchange servers. It also reduces administrative overhead when an email-based application server is added to the domain/forest.

If you do not have IMAP4 or POP3 clients, or the additional overhead of manually adding entries for email-based application servers is not an issue, disable this option in each of your default SMTP virtual servers (one per Exchange server).

How do I configure an LDAP profile to allow email users to check the quarantined email for Microsoft Exchange public folders?

The FortiMail unit can quarantine spam messages sent to Microsoft Exchange public folders. To allow users to access their quarantined email, enable the 'Allow unauthenticated ldap bind' option in the LDAP profile and enable the 'Authentication And Access' options to allow your users whatever means of quarantine access you prefer. Insert the following string in the 'LDAP Query to Find User' field of the LDAP profile:

(&(|(objectClass=User)(objectClass=Group)(objectClass=publicFolder))(|(proxyAddresses=smtp:$m)(mail=$m)))

This is a basic LDAP query specifying that the object to look for may be a user, a group, or a public folder, matched on either its proxyAddresses or mail attribute; $m is replaced with the email address being looked up. By default, the FortiMail unit is only concerned with users.
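Whenever an email address taken from SMTP traffic is substituted into a filter template like the one above, the value must be escaped according to RFC 4515, otherwise characters such as '*', '(' and ')' in the address change the meaning of the query. The following added example (not FortiMail's implementation; how the unit itself performs the substitution is not described on the page) builds the public-folder query from the template, escapes the $m value, and verifies the resulting filter is still well-formed.

```python
from string import Template

# The 'LDAP Query to Find User' string from the article, with $m as the placeholder.
PUBLIC_FOLDER_QUERY = (
    "(&(|(objectClass=User)(objectClass=Group)(objectClass=publicFolder))"
    "(|(proxyAddresses=smtp:$m)(mail=$m)))"
)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (\\XX hex escapes).

    '*', '(', ')', '\\' and NUL are special inside a filter; non-ASCII characters
    are escaped byte by byte in their UTF-8 form.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_query(mail_address: str, template: str = PUBLIC_FOLDER_QUERY) -> str:
    """Substitute the escaped address for every $m in the template."""
    return Template(template).safe_substitute(m=escape_filter_value(mail_address))


def is_balanced(filter_str: str) -> bool:
    """Cheap structural check: parentheses must balance and never go negative."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed inputs: a normal address and one containing filter metacharacters.
    for addr in ("user1@example.com", "*)(mail=*"):
        q = build_query(addr)
        print(addr, "->", q, "balanced" if is_balanced(q) else "UNBALANCED")
```

Without the escaping step, the second input would turn the filter into one that matches every object with a mail attribute; with it, the metacharacters are sent as literal bytes and the query only ever matches that exact (odd) address.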

Can you offer some sample values for the HA service monitoring configuration?

Remote services: Every three minutes, wait 15 seconds for service check. Take over from Master after three failures.

Local services: Check every 30 seconds for interfaces and 60 seconds for hard disk. The slave takes over after three failures.

I have an HA group operating in transparent mode. On the backup unit, why are my bridging network interfaces listed as "isolated"?

When implementing HA in transparent mode, both the primary and the backup units have bridged network interfaces. If those ports were connected together, they would create a Layer 2 network loop. To avoid this problem, on the backup unit the ports that belong to the bridge (as defined in the HA configuration) are isolated (displaying "isolated" on System > Network > Interface) and removed from the bridge until a failover occurs and the backup unit becomes the new primary unit, at which time the ports are added back into the bridge.

How do I enable MSISDN reputation and view log messages for it?

  1. In the CLI console, enter the command set log msisdn enable. The MSISDN daemon will be started.
  2. On the web-based manager, go to AntiSpam > MSISDN Reputation to configure the settings. 
  3. Go to Profile > Session and select the “Enable MSISDN Reputation” option.
  4. Go to Policy > IP Based and select the session profile in an IP-based policy.
  5. Go to Log&Report > Logging > History, select one of the existing history logs, then select Choose Column. Move MSISDN from the Hidden Columns to the Displayed Columns list, and select OK. Now you can view logs with the MSISDN column.

What NFS servers does the FortiMail unit support?

Tested and supported NFS servers:

  • Linux NAS (NFS v2/v3) on the following Linux distributions:
      • RedHat 4/5
      • Fedora 8/9/10
      • Ubuntu 8.04/8.10
      • OpenSUSE 10
  • FreeNAS
  • Openfiler

Untested NFS servers:

  • Buffalo TeraStation
  • Cisco Linksys NAS server

Non-supported NFS servers:

  • Windows 2003 R2 / Windows 2008 Service for NFS