Wednesday, June 19, 2013

FortiMail IBE setup as simple as 1 2 3

In this blog post we will look at Fortinet's FortiMail IBE setup. First, what is IBE?

Identity Based Encryption

What this means is that we have a method to enforce encryption profiles based on the user (the recipient). This allows full encryption of the body of the email message and/or its attachment(s).

What this means:
  •  we can control the securing of the email content
  •  based on sender and destination (IP address or email address)
  •  enforce strict enterprise security policies between sender and recipient
  •  unlike TLS between MTAs, the message is fully encrypted in transit and at rest
  •  and without the sender's or recipient's knowledge or involvement (we don't need any local mail encryption programs like PGP, nor do we have to worry about the user forgetting to encrypt his mail)
So in the FortiMail appliance, we can set our delivery options after creating an IBE profile. In the IBE encryption profile, you have these choices of encryption ciphers:

Profile > Security > IBE

These encryption levels should satisfy most security policies and any requirements your network might demand, including most enterprise and government requirements. AES is highly recommended, in my opinion, and should be used at a minimum.

The name of the IBE profile should be simple, fit its purpose, and be easy to remember. Once again, this is my opinion.

Here I'm naming this profile IBE-3des for the Triple DES cipher.


After you have defined your IBE profile(s), you must set up the delivery rules under your access controls.

AccessControls > Delivery

The above is a snippet of my delivery access list, showing the "from who", the "to what" and the level of encryption. As you can see, I have a few profiles built for 3DES and even AES-192.

At this point, you should either 1) select your encryption profile or 2) create a new one, and add any comments within the profile (optional).

In the example below, I'm creating an encryption profile for any email from <anyuser> to <anyuser> and selecting aes192. You can use wildcards or specific matches for either the user's email address or the IP address.

Okay, now let's order the ACL so that this entry is matched before any "wildcard" access-list entries. This step is crucial, and you must remember the evaluation order of the profiles. Email policies are like firewall policies: they are evaluated top to bottom, so the most specific match must come first.
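To make the ordering point concrete, here is an added Python example (not from the post or from Fortinet) that models a delivery ACL as a first-match list and flags any entry that an earlier, broader entry shadows. The rule entries, addresses and function names are constructed for illustration and do not reflect FortiMail's real configuration format.

```python
import fnmatch
import ipaddress

# Constructed delivery rules in the spirit of the post's ACL; this is NOT
# FortiMail's real configuration format. Each entry pairs a sender pattern
# (email wildcard or CIDR block) with a recipient pattern and an IBE profile.
RULES = [
    {"sender": "*@accounting.example.com", "recipient": "*@hr.example.com", "profile": "IBE-aes192"},
    {"sender": "10.0.5.0/24", "recipient": "*@partner.example.net", "profile": "IBE-aes192"},
    {"sender": "*", "recipient": "*", "profile": "IBE-3des"},
]

def matches(pattern, value):
    """Match an email address against a wildcard, or a sender IP against a CIDR block."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # not an IP address, so a CIDR rule cannot match it
            return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def select_profile(rules, sender, recipient):
    """Top-to-bottom, first-match evaluation: the first rule that fits wins."""
    for rule in rules:
        if matches(rule["sender"], sender) and matches(rule["recipient"], recipient):
            return rule["profile"]
    return None  # nothing matched; the appliance's default handling would apply

def covers(broad, narrow):
    """Conservatively decide whether pattern `broad` matches everything `narrow` does."""
    if broad == "*":
        return True
    if "/" in broad and "/" in narrow:
        return ipaddress.ip_network(narrow, strict=False).subnet_of(
            ipaddress.ip_network(broad, strict=False))
    if "/" in broad or "/" in narrow:
        return False
    return fnmatch.fnmatchcase(narrow.lower(), broad.lower())

def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule already covers them."""
    return [j for j, later in enumerate(rules)
            if any(covers(e["sender"], later["sender"]) and covers(e["recipient"], later["recipient"])
                   for e in rules[:j])]

if __name__ == "__main__":
    misordered = [RULES[2], RULES[0], RULES[1]]  # wildcard rule moved to the top
    print(select_profile(RULES, "alice@accounting.example.com", "bob@hr.example.com"))
    print(select_profile(misordered, "alice@accounting.example.com", "bob@hr.example.com"))
    print(shadowed_rules(misordered))
```

With the wildcard entry moved to the top, the accounting-to-HR mail silently falls back to the weaker 3DES profile, which is exactly the mistake the ordering rule above guards against.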

Okay, now that the ordering is correct, we will draft a mail message from the appliance, or even use any mail that was relayed through the unit. All of it would undergo encryption with the profile that's attached to the sender/receiver pair.

I'll send an email to someone on Gmail, and let's watch what happens. Here's the mail message:


Unknown to the sender, his email will be encrypted and a link pushed to the recipient. The recipient can download the email attachment (the secured data), but it is encrypted with the cipher that we selected. So good luck to anybody that intercepts our data; they would not be able to decrypt the ciphertext.

A message similar to the one below will appear in the recipient's inbox. This message is just a notification of mail sent securely to the recipient.

And if he/she wants to read the message, they need to follow the link and set a password. All of the above is done via TLS, through the redirection link given in the mail message. Registering the user is simple and straightforward and takes about 1-2 minutes, depending on how fast you can type :)

After you have completed the registration and created the new user, you can view the email.

Decryption speed will depend on the CPU utilization and the network bandwidth of the FortiMail appliance.

The FortiMail will monitor the user status and display information about the user under User > IBE User. There you can display information about the user's logins and when they completed the pre-registration process.

See how simple this setup is, and just how effective the IBE encryption process is.

As with all email messages, you can download the message, but it is encrypted with the cipher that you enabled under that profile. So if a man in the middle or Big Brother were watching, they would have only ciphertext. The only information not encrypted would be our HTML formatting and other data outside the mail message body.

I hope this post has been helpful. IBE is easy to craft and set up. Key points to remember:

  •  determine the level of encryption that you need
  •  determine the sender/recipient pairs that need encryption (e.g. accounting or HR staff sending to other accounting or HR personnel, or that job offer letter you need to encrypt for an external party)
  •  build your profile
  •  attach it via the ACL for the sender/recipient pairing
  •  evaluate the ordering of the ACL and adjust if required

Ken Felix
Freelance Security/Network Engineer
kfelix ----at--- hyperfeed  --dot---com

    ^     ^
= ( *  * )=

1 comment:

  1. Thanks so much, it was much easier than the official guide.
    But do you know how I can answer with an encrypted message?