
CLI Reference

system admin


Use this command to configure FortiMail administrator accounts.

Initially, FortiMail systems have predefined accounts such as admin and remote_wildcard. For proper separate logging of each person or system that has administrator access, unless you are using the remote_wildcard account, create administrator accounts for them.

If you need role-based access control (RBAC), you can restrict each administrator account to specific protected domains and/or with restricted permissions.

Depending on the type of your FortiMail administrator account, the list of administrators may not display all administrator accounts. See details about FortiMail administrator permissions.

Syntax

config system admin
    edit "<name_str>"
        set status {enable | disable}
        set trusted-hosts <host_ipv4mask>
        set level {domain | domain-group | system}
        set domain <protected-domain_name>
        set domain-group <protected-domain-group_name>
        set access-profile <profile_name>
        set access {cli gui rest}
        set webmode {advanced | cloud-api | simple}
        set language <language_name>
        set theme {Blue | Green | Light-Blue | Neutrino | Red}
        set auth-strategy {ldap | local | pki | radius | sso}
        [set old-password <password_str>]
        set password <password_str>
        set tfa-status {enable | disable}
        set tfa-type {fortiidentity-cloud}
        set fic-activation-notification-method {email | sms}
        set fic-token-delivery-method {app | email | sms}
        set tfa-email-address <administrator_email>
        set tfa-phone-number <sms_str>
        set ldap-profile <profile_name>
        set pkiuser <pkiuser_name>
        set radius-profile <profile_name>
        set sso-profile <profile_name>
        set sshkey <key_str>
end

Variable

Description

Default

"<name_str>"

Enter the name of the administrator account.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), hyphens ( - ), and underscores ( _ ). Other special characters and spaces are not allowed.

Names in administrator login dialogs are case-insensitive.

Tooltip

Previously, names were case-sensitive. When you upgrade to FortiMail 8.0.0 or later, if some names differ only by capitalization, they are automatically renamed so that they will still be uniquely identifiable. For example, adminA and AdminA could be renamed to adminA and AdminA_1, respectively. To find renamed administrator accounts, see the log messages.

access-profile <profile_name>

Select which administrator access profile to use. See details about FortiMail administrator permissions.

Tooltip

If auth-strategy {ldap | local | pki | radius | sso} is radius and domain-override {enable | disable} is enabled, then the RADIUS server may override this setting to provide different permissions when the account authenticates.

access {cli gui rest}

Select which FortiMail access methods this account is allowed to use:

  • gui

  • cli

  • rest

Also select which network interfaces can receive these types of connections. See allowaccess {ping http https snmp ssh telnet}.

Tooltip

CLI access can be selected but is not currently supported for domain administrators.

Administrators may be able to change their own setting, so this setting should not be used to deny access methods.

Default: cli gui rest

auth-strategy {ldap | local | pki | radius | sso}

Select which type of local or remote authentication the administrator will use:

If you select a remote authentication type, then also select which settings to use to query the authentication server, such as ldap-profile <profile_name>.

Caution

The GUI login page may not include all types, depending on what you select for admin-sso-login-option {normal | sso-only}.

Default: local

domain-group <protected-domain-group_name>

Select which group of protected domains the administrator is assigned to.

This setting is available only if level {domain | domain-group | system} is domain-group.

Tooltip

If auth-strategy {ldap | local | pki | radius | sso} is radius and domain-override {enable | disable} is enabled, then the RADIUS server may override this setting to provide different permissions when the account authenticates.

domain <protected-domain_name>

Select which protected domains the administrator is assigned to.

This setting is available only if level {domain | domain-group | system} is domain.

Tooltip

If auth-strategy {ldap | local | pki | radius | sso} is radius and domain-override {enable | disable} is enabled, then the RADIUS server may override this setting to provide different permissions when the account authenticates.

fic-activation-notification-method {email | sms}

Select which method to use when sending the MFA account invitation, either:

Default: email

fic-token-delivery-method {app | email | sms}

Select how the administrator will get MFA token codes, either:

This setting is used only if tfa-status {enable | disable} is enable.

Default: app

language <language_name>

Select which language to use for the display language of the GUI.

To view a list of languages, enter a question mark ( ? ).

Optionally, you can also configure login-page-language <language_name>.

Default: english

ldap-profile <profile_name>

Select which LDAP profile to use.

This setting is available only if auth-strategy {ldap | local | pki | radius | sso} is ldap.

level {domain | domain-group | system}

Select the administrator's domain scope, either:

  • system

  • domain

  • domain-group

See details about FortiMail administrator permissions.

Default: system

old-password <password_str>

If you are testing a new firmware version, then you may need to downgrade if the test is not successful. This setting temporarily stores the password for the account in an older encryption format for backwards compatibility. It is automatically removed during the next upgrade. Alternatively, to strengthen security, manually remove this setting once firmware testing is complete.

For example, a line in a configuration backup file may show an old password that was previously encrypted with SHA-256:

set old-password ENC SH2...=

Caution

If the admin account does not have this setting and you downgrade to a version that does not support the newer password encryption, then the account could be locked out. For emergency recovery, see admin-maintainer {enable | disable} or make a firmware clean install.

password <password_str>

Enter the new password for the administrator account.

The password can contain any character except spaces. New passwords cannot be the same as the old one. More criteria may be configured in config system password-policy.

If you are changing another administrator's password, you are prompted to enter the existing password first. Only the account named admin can reset administrators' lost passwords.

After you save the password, FortiMail stores it at rest in an encrypted format. For example, a line in a configuration backup file may show that a password has been encrypted with PBKDF2:

set password ENC PB2...=

Then FortiMail automatically logs out all of the administrator's existing GUI, CLI, and REST API sessions so that the new password takes effect immediately.

This setting is available only if auth-strategy {ldap | local | pki | radius | sso} is local or (if password fallback is allowed) pki.

pkiuser <pkiuser_name>

Select which PKI user profile to use. Also configure pki-certificate-req {yes | no} to determine whether the administrator is required to log in with a valid personal certificate or may use password-style authentication fallback. If you select no, also configure password <password_str>.

This setting is available only if auth-strategy {ldap | local | pki | radius | sso} is pki.

radius-profile <profile_name>

Select which RADIUS profile to use. Also configure remote-auth-timeout <timeout-factor_int>.

This setting is available only if auth-strategy {ldap | local | pki | radius | sso} is radius.

sshkey <key_str>

Enter the SSH public key string surrounded in single straight quotes ( ' ).

When connecting from an SSH client that presents this key, the administrator will not need to provide their account name and password to log in to the CLI.

sso-profile <profile_name>

Select which SSO profile to use.

This setting is available only if auth-strategy {ldap | local | pki | radius | sso} is sso.

status {enable | disable}

Enable or disable the administrator account. If disabled, the account cannot log into FortiMail.

Default: disable

tfa-email-address <administrator_email>

Enter the administrator's email address.

This setting is used only if tfa-status {enable | disable} is enable, and if fic-token-delivery-method {app | email | sms} is email or if fic-activation-notification-method {email | sms} is email.

tfa-phone-number <sms_str>

Enter the administrator's mobile device number. The number must start with + and then the country and (if any) area code. Do not include hyphens, parentheses, or other separators.

This setting is used only if tfa-status {enable | disable} is enable, and if fic-token-delivery-method {app | email | sms} is sms or if fic-activation-notification-method {email | sms} is sms.

tfa-status {enable | disable}

Enable to use one-time password (OTP) token codes in addition to a password for multi-factor authentication (MFA) when authenticating this account. Also configure fic-token-delivery-method {app | email | sms}, fic-activation-notification-method {email | sms}, tfa-email-address <administrator_email> etc.

Upon saving an account with this setting enabled, FortiMail automatically synchronizes the list of accounts in FortiIdentity Cloud, where you can provision tokens for them. However, if needed, you can also manually trigger a synchronization. See sync. FortiIdentity Cloud automatically sends an enrollment invitation for newly synchronized accounts. If needed, you can use the CLI to manually resend the MFA invitation. See activation <administrator_name>.

When an administrator logs in, FortiMail validates the username and password like usual, and then if successful, sends an authentication request to the MFA provider, which provides a token code to the administrator. The administrator has up to 2 minutes to either:

  • manually enter the token code in the FortiMail authentication dialog

  • approve the login in FortiToken Mobile to send a push response that automatically enters the token code (GUI access only; requires that fortiidentity-cloud-push-status {enable | disable} is enable)

Token expiry times configured in FortiIdentity Cloud do not affect this time limit.

This setting is available only if:

Default: disable

tfa-type {fortiidentity-cloud}

Select the type of MFA. Currently, only FortiIdentity Cloud is supported.

This setting is used only if tfa-status {enable | disable} is enable.

Default: fortiidentity-cloud

theme {Blue | Green | Light-Blue | Neutrino | Red}

Select which color theme to use for the GUI.

Optionally, you can also configure login-page-theme {Blue | Dark | Green | Light-Blue | Neutrino | Red}.

Default: Green

trusted-hosts <host_ipv4mask>

Enter an IPv4 or IPv6 address or subnet from which this administrator can log into FortiMail. Separate multiple IP address and netmask pairs with a comma ( , ).

To allow the administrator to authenticate from any IP address, use 0.0.0.0/0.0.0.0 and ::0.

An IPv4 address and netmask must be in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail system only from your management network by typing 192.168.1.0/255.255.255.0.

Note

For additional security, restrict all trusted host entries to administrator computers on your management network. For information on restricting administrative access protocols that can be used, see system interface.

Default: 0.0.0.0/0.0.0.0

webmode {advanced | cloud-api | simple}

Select which display mode the GUI will initially use when the administrator logs in.

The administrator can switch the display mode during their session; this setting only affects the initial state of the display.

This setting is available only if access {cli gui rest} includes gui.

Default: simple
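As an added example (not Fortinet's code and not part of this reference), the Python script below parses the `config system admin` block of a configuration backup, in the syntax documented above, and flags the settings this page calls out as weakening an account: a trusted-hosts entry of 0.0.0.0/0.0.0.0 or ::0 (or the default, when trusted-hosts is not set), an old-password line still present after firmware testing, tfa-status left at disable, and cli access selected for a domain or domain-group administrator. The backup text, account names, profile names and addresses are constructed for illustration; treating any /0 network as equivalent to the documented any-address values, and accepting `next` as well as `end` to close an entry, are assumptions of the example.

```python
"""Audit FortiMail `config system admin` entries in a configuration backup.

Added example, not Fortinet's code. It reads the same `config / edit / set`
syntax this reference documents and reports settings that the reference
describes as weakening administrator account security.
"""
import ipaddress
import shlex

# Constructed sample backup: one hardened account and one weak one.
# Names, hosts and profile names are made up for this example.
SAMPLE_BACKUP = """\
config system admin
    edit "mailops-alice"
        set status enable
        set trusted-hosts 192.168.1.0/255.255.255.0,10.10.0.0/255.255.0.0
        set level system
        set access-profile "read-only"
        set access gui rest
        set auth-strategy local
        set password ENC PB2...=
        set tfa-status enable
        set tfa-type fortiidentity-cloud
        set fic-token-delivery-method app
        set tfa-email-address alice@example.com
    next
    edit "legacy-bob"
        set status enable
        set trusted-hosts 0.0.0.0/0.0.0.0,::0
        set level domain
        set domain example.com
        set access cli gui rest
        set auth-strategy local
        set old-password ENC SH2...=
        set password ENC PB2...=
        set tfa-status disable
    next
end
"""


def parse_admins(backup_text):
    """Return {account_name: {setting: [tokens]}} for the system admin block.

    Assumption of this example: an entry is closed by `next` or `end`.
    """
    admins = {}
    in_block = False
    current = None
    for raw in backup_text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted "<name_str>" form
        if not tokens:
            continue
        if tokens[:3] == ["config", "system", "admin"]:
            in_block = True
            continue
        if not in_block:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            admins[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 2:
            admins[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_block = False
            current = None
    return admins


def host_is_wildcard(host):
    """True if one trusted-hosts entry permits logins from any address.

    The reference names 0.0.0.0/0.0.0.0 and ::0 as the any-address values;
    treating every /0 network as a wildcard is this example's assumption.
    """
    host = host.strip()
    if host == "::0":
        return True
    try:
        return ipaddress.ip_network(host, strict=False).prefixlen == 0
    except ValueError:
        return False  # unparsable entries are left to a manual review


def audit_admin(settings):
    """Return the list of weak settings found on one account."""
    findings = []
    # Default when trusted-hosts is absent is 0.0.0.0/0.0.0.0 (per the reference).
    hosts = ",".join(settings.get("trusted-hosts", ["0.0.0.0/0.0.0.0"]))
    if any(host_is_wildcard(h) for h in hosts.split(",") if h):
        findings.append("trusted-hosts permits logins from any address")
    if "old-password" in settings:
        findings.append("old-password still stored; remove once firmware testing is complete")
    if settings.get("tfa-status", ["disable"]) != ["enable"]:
        findings.append("tfa-status is not enable (no MFA on this account)")
    level = settings.get("level", ["system"])[0]
    if level in ("domain", "domain-group") and "cli" in settings.get("access", ["cli", "gui", "rest"]):
        findings.append("cli access selected for a domain administrator (not supported)")
    return findings


def audit_backup(backup_text):
    """Map each administrator account name to its findings."""
    return {name: audit_admin(s) for name, s in parse_admins(backup_text).items()}


if __name__ == "__main__":
    for name, findings in audit_backup(SAMPLE_BACKUP).items():
        print(name, "->", findings or ["no findings"])
```

Run it against an exported backup by replacing `SAMPLE_BACKUP` with the file contents; the `mailops-alice` entry in the sample produces no findings, while `legacy-bob` produces four.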

Related topics

domain

profile authentication

profile ldap

profile sso

sensitive data

system accprofile

system appearance

system global

system interface

system password-policy

system web-service

user pki

fortiidentity-cloud (diagnose command)

fortiidentity-cloud (exec command)
