7 February 2012
1 FortiMail v4.0 MR3 Release
This document provides installation instructions, and addresses issues and caveats for FortiMail v4.0 MR3 Release (Build
486).
Model FortiMail v4.0 MR3 Release Status
FortiMail-100
FortiMail-100C
FortiMail-400
FortiMail-400B
FortiMail-400C
FortiMail-2000
FortiMail-2000A
FortiMail-2000B
FortiMail-3000C
FortiMail-4000A
FortiMail-5001A
FortiMail-5002B
FortiMail-VM
FortiMail firmware builds are available for all models.
Please visit http://docs.fortinet.com/fmail.html for additional FortiMail documentation.
1.1 Summary of Enhancements and New Features
The following list highlights some new features and enhancements in the v4.0 MR3 release. For more information, see
the FortiMail Install Guide, FortiMail CLI Guide, FortiMail online help or FortiMail Administration Guide.
Add new 400C platform
64-bit OS on 3000C and 5002B platforms
IPv6 Support
Logical interface support – Now you can configure VLAN sub-interfaces, redundant interfaces, and loopback
interfaces on the FortiMail physical interfaces.
CLI console on web UI – The JavaScript console has been added under Monitor > System Status.
Check FortiGuard IP query during connection phase – This will improve FortiMail performance.
Antivirus action profile enhancement – System quarantine action has been added. You can also choose not to
replace the infected part of email for analysis and other purposes.
Content action profile enhancement – System quarantine and notification actions have been added.
Disclaimer insertion exclusion list – You can choose not to insert the disclaimer for some email senders or
recipients as you specify.
Mail user authentication without domain name – Users under the default domain can be authenticated without
entering the domain part in their user names.
Address book access control on webmail – The resource profile can control end-user access to system- and
domain-level address books.
User notification profile – This profile can notify an administrator or email users about the actions that FortiMail
takes against email messages. It can be used in content action profiles, antispam action profiles, and antivirus action
profiles.
Outbound mail rate limiting based on sender email addresses – Under domain settings, an option has been
added to limit the number of email messages or data volume a user can send per half hour.
Trash folder auto-deletion – This is configurable in a resource profile.
IP groups in IP-based policies – Now you can use IP groups as the source and destination IP addresses.
Treat phishing URI as spam URI – This is configurable in an antispam profile.
Indicator for messages that have been released from quarantine – Web UI includes an indicator to show the
quarantined messages that have been released. This is under Monitor > Quarantine > Personal Quarantine. Open a
mailbox and go to the Filter field.
Option to BCC quarantine released email – Added BCC action in action profiles to inform administrators when a
quarantined message is released. This will help administrators to research false positives.
IBE user auto-enrollment restriction – When configuring IBE authentication, if you specify that all users (wildcard
*) need to authenticate through an LDAP profile, then users will not be asked nor allowed to register.
Categorized system quarantine folders – Now there are three folders in the system quarantine: a Virus folder
containing email caught by antivirus profiles, a Bulk folder containing email caught by antispam profiles, and a
Content folder containing email caught by content profiles.
Allow customization of domain HELO/EHLO details – Provides the ability to customize the HELO/EHLO string on a
per-domain basis.
Transparent proxy performance enhancement for hidden connections – The proxy now handles SMTP
connections more efficiently.
Support MSA port (587) in transparent mode – Previously, FortiMail in transparent mode only processed email
traffic on port 25. Now it will also pick up SMTP traffic on port 587.
Webmail enhancements – You can now download multiple messages at a time, customize the login page, use the
HTML format signature, and configure auto reply options.
New CLI commands to enable/disable SMTP/POP3/IMAP services – Commands have been added under “config
system mailserver”. For details, see the FortiMail CLI Guide.
Scan redirected URI – If an email contains a shortened URI that redirects to another URI, the FortiMail unit is able to
send an HTTP request to the shortened URI to get the redirected URI and scan it against the FortiGuard AntiSpam
database. By default, this function is enabled. To use it, you need to open your HTTP port to allow the FortiMail unit
to send requests for scanning the redirected URI. If you do not want to use this feature, disable “uri-redirect-lookup”
under the “config system fortiguard antispam” command.
2 Special Notices
2.1 TFTP Firmware Install
Using TFTP via the serial console to install firmware during system boot time will erase all current FortiMail configurations
and replace them with factory default settings.
2.2 Monitor Settings for Web User Interface
Fortinet recommends setting your monitor to a screen resolution of at least 1280x1024. This allows for all objects in the
web UI to be viewed properly.
2.3 Recommended Web Browsers
Internet Explorer 7 or higher
Firefox 3.5 or higher
Safari 4 or higher
Adobe Flash Player 9 or higher plug-in is required to display the mail statistics charts.
2.4 FortiGuard AntiSpam Service Port Change
In FortiMail v3.0, queries made to the FortiGuard AntiSpam Service were accomplished using port 8889. In FortiMail
v4.0, the FortiGuard AntiSpam Service port number is configurable. The default is port 53, with port 8888 and 8889
available as options.
3 Firmware Upgrade Information
3.1 Before and After Firmware Upgrades
Before any firmware upgrade/downgrade:
FortiMail Configuration – Save a copy of your FortiMail configuration (including replacement messages) by going to
Maintenance > System > Configuration.
After any firmware upgrade/downgrade:
Web UI Display – If you are using the web UI, clear the browser cache prior to login on the FortiMail unit to ensure
proper display of the web UI screens.
Update AV definitions – The antivirus signatures included with an image upgrade may be older than those currently
available from the Fortinet FortiGuard Distribution Network (FDN). Fortinet recommends performing an immediate AV
signature update as soon as possible after upgrading. Consult the FortiMail Administration Guide for detailed
procedures.
3.2 Upgrade Path
3.2.1 For Any Older v3.0 Release
Any v3.0 release older than v3.0 MR5 Patch 4
↓
v3.0 MR5 Patch 4 (Build 531)
↓
v4.0 GA Patch 5 (Build 146)
(Note: This step is for upgrade from GUI only. If you upgrade from CLI, skip this step.)
↓
v4.0 MR3 (Build 486)
3.2.2 For Any v4.0 Release
Any v4.0 GA, v4.0 MR1, or v4.0 MR2 release
↓
v4.0 MR3 (Build 486)
After every upgrade, verify that the build number and branch point match the image that was loaded. To do this, go to
Monitor > System Status > Status.
3.3 Firmware Downgrade
3.3.1 Downgrading from v4.0 MR3 to v4.0 MR2, MR1 or v4.0 GA Releases
Downgrading from v4.0 MR3 to v4.0 MR2, MR1 or v4.0 GA releases is not fully supported. If you have to downgrade,
follow these steps:
1. Back up the MR2 configuration.
2. Install the MR1 or GA image.
3. In the CLI, enter “execute factoryreset” to reset the FortiMail unit to factory defaults.
4. Configure the unit’s IP address and other network settings.
5. Reload the MR2 backup configuration if needed.
3.3.2 Downgrading from v4.0 to v3.0 Releases
FortiMail firmware downgrade directly from v4.0 to v3.0 is not supported. If you install v3.0 firmware on a v4.0 FortiMail
unit, all configuration and mail data will be erased.
In addition, you can only clean-install the v3.0 firmware by using a serial console connection. For details, see the FortiMail
Administration Guide.
After you install the v3.0 firmware:
1. In the CLI, enter “execute formatmaildisk”, “execute formatlogdisk”, and “execute factoryreset” to format the hard disk
and reset the FortiMail unit to factory defaults.
2. Configure the unit’s IP address and other network settings.
3. Reload the v3.0 configuration if needed.
4 Resolved Issues
4.1 Web User Interface
Description: When adding an IP address under Profile > Group > IP Group, an IP address without a netmask can cause
IP address errors after saving.
Bug ID: 156748
4.2 System
Description: Wrong destination IP address in a static route may be deleted after system reboot.
Bug ID: 158401
Description: When processing multipart MIME messages that contain empty parts, FortiMail removes the empty part, but
incorrectly adds a blank line after the boundary string.
Bug ID: 149516
4.3 AntiSpam
Description: Sender reputation score increases when an ACL bypass rule is matched.
Bug ID: 160417
Description: If Microsoft Office attachment file type checking is enabled in a content profile under Profile > Content >
Content, some Microsoft Office files may be incorrectly blocked.
Bug ID: 153465
Description: FortiMail should not check recipient domains in authenticated sessions.
Bug ID: 150052
Description: Add validation for sender reputation score ranges.
Bug ID: 150311
Description: When “Reject if recipient and HELO domain match but sender domain is different” is enabled in a session
profile, this three-way check incorrectly matches the substring in the recipient address.
Bug ID: 147690
4.4 MTA
Description: Some email with Microsoft Word attachments can crash the mailfilterd process.
Bug ID: 159540
Description: Some PDF attachments may cause mailfilterd crashes.
Bug ID: 148196
4.5 Webmail
Description: Webmail displays the date and time in English format even when it is set to other languages.
Bug ID: 145362
4.6 CLI
Description: The “get system status” command should show if the FortiMail platform is running a 32-bit or 64-bit OS.
Bug ID: 157144
5 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Service and Support website
(https://support.fortinet.com).
1. Log on to the web site.
2. Click "Firmware Image Checksums" in the Download section.
3. For “File Name”, enter the firmware image file name.
4. Click “Get Checksum Code”.
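Once the site returns the checksum, the downloaded image can be compared against it before it is loaded onto the unit. The shell function below is an added example, not part of the original release notes or any Fortinet tooling; it assumes a POSIX shell with coreutils md5sum, and the name verify_image is hypothetical.

```shell
#!/bin/sh
# Added example (not Fortinet tooling): compare a downloaded firmware image
# with the MD5 value returned by "Get Checksum Code" on the support site.
# verify_image is a hypothetical helper name.
# Returns 0 on match, 1 on mismatch, 2 on unusable input.

verify_image() {
    image=$1
    expected=$2

    if [ ! -r "$image" ]; then
        echo "cannot read image file: $image" >&2
        return 2
    fi

    # Normalise the pasted value: drop whitespace, fold to lower case.
    expected=$(printf '%s' "$expected" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # An MD5 digest is exactly 32 hex characters; anything else is a
    # copy/paste error and must not be treated as a plain mismatch.
    case $expected in
        *[!0-9a-f]*)
            echo "expected value is not hexadecimal" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 32 ]; then
        echo "expected value is not 32 hex characters" >&2
        return 2
    fi

    # Hash via stdin so unusual file names cannot alter md5sum's output format.
    actual=$(md5sum < "$image" | cut -d' ' -f1)

    if [ "$actual" = "$expected" ]; then
        echo "OK: $image matches $expected"
        return 0
    fi
    echo "MISMATCH: $image is $actual, expected $expected" >&2
    return 1
}

# Stand-alone use: sh verify.sh <image-file> <md5-from-support-site>
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2" || exit $?
fi
```

A return value of 1 means the file differs from the published image and should be downloaded again rather than installed.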
(End of Release Notes.)