
Multi-Factor Authentication (2FA/MFA) for Fortinet FortiMail – LDAP(S)

July 25, 2025 By Rublon Authors

Last updated on September 1, 2025

Overview of MFA for Fortinet FortiMail

This documentation describes how to integrate Rublon MFA with Fortinet FortiMail using the LDAP(S) protocol to enable multi-factor authentication for logins to FortiMail.

Supported Authentication Methods

Authentication Method     | Supported | Comments
Mobile Push               | ✔         | N/A
WebAuthn/U2F Security Key | –         | N/A
Passcode                  | ✔         | N/A
SMS Passcode              | –         | N/A
SMS Link                  | ✔         | N/A
Phone Call                | ✔         | N/A
QR Code                   | –         | N/A
Email Link                | ✔         | N/A
YubiKey OTP Security Key  | ✔         | N/A

Before You Start Configuring MFA for Fortinet FortiMail Using LDAP(S)

Before configuring Rublon MFA for Fortinet FortiMail:

  • Ensure you have prepared all required components.
  • Create an application in the Rublon Admin Console.
  • Install the Rublon Authenticator mobile app.

Required Components

1. User Identity Provider (IdP) – You need an external Identity Provider, such as Microsoft Active Directory, OpenLDAP, or FreeIPA.

2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already, and configure the Rublon Authentication Proxy as an LDAP proxy.

3. Fortinet FortiMail – A properly installed and configured Fortinet FortiMail v7.0, v7.2, v7.4, v7.6, or newer.

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application. 

3. Enter a name for your application (e.g., FortiMail) and then set the type to Rublon Authentication Proxy.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy the values of System Token and Secret Key of the newly created application. You will need them later.

Install Rublon Authenticator

Some end users may use the Rublon Authenticator mobile app, so we highly recommend that you, as the person configuring MFA for Fortinet FortiMail, install the Rublon Authenticator mobile app, too. This lets you test MFA for Fortinet FortiMail via Mobile Push.

Download the Rublon Authenticator for:

  • Android
  • iOS
  • HarmonyOS

Configuring Multi-Factor Authentication (MFA) for Fortinet FortiMail Using LDAP(S)

Rublon Authentication Proxy

1. Edit the Rublon Auth Proxy configuration file and paste the previously copied values of System Token and Secret Key in system_token and secret_key, respectively.

2. Example configuration file in YAML:

log:
  debug: true

rublon:
  api_server: https://core.rublon.net
  system_token: YOURSYSTEMTOKEN
  secret_key: YOURSECRETKEY

proxy_servers:
- name: LDAP-Proxy
  type: LDAP
  ip: 0.0.0.0
  port: 636
  auth_source: LDAP_SOURCE_1
  auth_method: push, email
  rublon_section: rublon
  cert_path: /etc/ssl/certs/ca.crt
  pkey_path: /etc/ssl/certs/key.pem

auth_sources:
- name: LDAP_SOURCE_1
  type: LDAP
  ip: 172.16.0.127
  port: 636
  transport_type: ssl
  search_dn: dc=example,dc=org
  access_user_dn: cn=admin,dc=example,dc=org
  access_user_password: CHANGE_ME
  ca_certs_dir_path: /etc/ssl/certs/

FortiMail

Creating an LDAP Profile

1. Log in to the FortiMail admin panel.

2. Select View (eye icon) in the upper-right corner and change it from Simple to Advanced.

Image showing selecting the Advanced View in the FortiMail admin panel.

3. Go to Profile → LDAP and select New….

Image showing how to create a new LDAP Profile in the FortiMail admin panel.

4. Fill in information about a new LDAP Profile and select Apply and then OK to create the profile. Refer to the following image and table. Keep the default values of options not listed in the table.

Image showing the window where you create a new LDAP Profile in Fortinet FortiMail.

Field | Value
Name | An easily recognizable name for your LDAP profile.
Server name/IP | The IP Address of the Rublon Auth Proxy.
Port | The port of the Rublon Auth Proxy (389 for LDAP or 636 for LDAPS).
Use secure connection | Toggle to SSL if you are using LDAPS.
Client certificate | None, regardless of whether you are using LDAP or LDAPS.
Use client certificate for TLS authentication | Disable, regardless of whether you are using LDAP or LDAPS.

Default Bind
Base DN | The Base DN from your AD/LDAP (where to search for users), e.g., OU=Rublon,dc=rublondemo,dc=local
Bind DN | The Bind DN (the full LDAP path of the service account, e.g., CN=rublonadmin,OU=Rublon,DC=rublondemo,DC=local) that FortiMail will use to authenticate and access the LDAP directory for querying user information. Note: This Bind DN must be the same as access_user_dn in your Rublon Auth Proxy’s config file.
Bind password | The password of the user defined in the Bind DN. Note: This Bind password must be the same as access_user_password in your Rublon Auth Proxy’s config file.

User Query
User query | (|(objectClass=user)(objectClass=group)(objectClass=publicFolder))
Scope | Subtree
Derefer | Never
Retrieve display name for webmail | Disabled
Display name attribute | cn

User Authentication
Select Try common name with base DN as bind DN.
Common name ID | CN. Note: Must be entered using uppercase letters to ensure proper LDAP syntax and compatibility.

User Alias
Switch off the User Alias feature by toggling the switch.

Advanced
Enable cache | Disable to enforce MFA during each login.

Configuring Certificate for LDAPS

1. Adjust the Rublon Auth Proxy config file to handle LDAPS. See: How to set up LDAPS certificates in the Rublon Authentication Proxy?

2. In the FortiMail admin panel, go to System → Certificate → CA Certificate, select Import… and then select your certificate from the filesystem. Set a name for your certificate and select OK to add it.

Note: This must be the same certificate you set in cert_path in Rublon Auth Proxy’s configuration file.
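
The notes above require several values to agree between the Rublon Auth Proxy config file and the FortiMail LDAP profile. The following is an added example, not Rublon or Fortinet code, that cross-checks them offline before the first login test. The profile dictionary keys, the function names, and the minimal parser for the config's two-level YAML subset are assumptions made for illustration.

```python
# Added example, not Rublon or Fortinet code. Constructed sample: the page's config, trimmed.
SAMPLE_CONFIG = """\
proxy_servers:
- name: LDAP-Proxy
  port: 636
  auth_source: LDAP_SOURCE_1
  cert_path: /etc/ssl/certs/ca.crt
auth_sources:
- name: LDAP_SOURCE_1
  access_user_dn: cn=admin,dc=example,dc=org
  access_user_password: CHANGE_ME
"""
# Constructed FortiMail LDAP profile values; the key names are hypothetical.
SAMPLE_PROFILE = {"bind_dn": "cn=svc-fortimail,dc=example,dc=org", "bind_password": "CHANGE_ME",
                  "port": 389, "secure": "None", "cache": True}

def parse_sections(text):
    """Parse the two-level YAML subset used in the sample into {section: [dict, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        item = raw.strip()
        if not item or item.startswith("#"):
            continue
        if raw[0] not in " -":                      # top-level key such as "proxy_servers:"
            current = sections.setdefault(item.rstrip(":"), [{}])
            continue
        if item.startswith("- ") and current[-1]:   # a further entry of a list section
            current.append({})
        key, _, value = item.lstrip("- ").partition(":")
        current[-1][key.strip()] = value.strip()
    return sections

def lint(config_text, profile):
    """Return the mismatches between the proxy config and the FortiMail LDAP profile."""
    cfg = parse_sections(config_text)
    proxy = cfg["proxy_servers"][0]
    source = next(s for s in cfg["auth_sources"] if s["name"] == proxy["auth_source"])
    ldaps_ok = profile["secure"] == "SSL" and bool(proxy.get("cert_path"))
    checks = [
        (source["access_user_password"] == "CHANGE_ME", "access_user_password is a placeholder"),
        (profile["bind_dn"] != source["access_user_dn"], "Bind DN differs from access_user_dn"),
        (profile["bind_password"] != source["access_user_password"], "Bind password mismatch"),
        (str(profile["port"]) != proxy["port"], "profile port differs from the proxy port"),
        (proxy["port"] == "636" and not ldaps_ok, "port 636 needs SSL and cert_path"),
        (profile["cache"], "LDAP cache is enabled, so MFA is not enforced at each login"),
    ]
    return [message for failed, message in checks if failed]
```

Calling lint(SAMPLE_CONFIG, SAMPLE_PROFILE) returns five findings for the constructed values; an empty list means the checked fields agree.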

Enabling MFA for Administrators

1. Go to System → Administrator → Administrator and select New… (or double-click an existing admin to edit).

Image showing how to create a new administrator in Fortinet FortiMail’s admin panel.

2. Fill in information about a new administrator and select Create to add that admin (or OK to edit an existing admin). Refer to the following image and table. Keep the default values of options not listed in the table.

Image showing the window where you create a new administrator in Fortinet FortiMail.

Field | Value
Administrator | Enter a name for the administrator. Make sure this name is the same as the name in the Identity Provider (IdP).
Authentication type | LDAP
LDAP profile | The profile you have previously created.

Enabling MFA for Users

If you are using FortiMail in Server mode, you should also enable multi-factor authentication for users accessing FortiMail.

1. Go to Domain & User → Domain and select New… (or double-click an existing domain to edit).

2. Enter the Domain name if you are creating a domain.

3. In User profile, select the LDAP profile you have previously created.

4. Select Create or OK to save changes.

Adjusting Timeout

The default authentication timeout is short, so you need to increase it to have more time to confirm the second factor from Rublon. This can be done via CLI Console using the following commands:

config system global
set remote-auth-timeout 60
end

Image showing how to change the Authentication timeout in FortiMail’s CLI Console.

Testing Multi-Factor Authentication (MFA) for Fortinet FortiMail Integrated Via LDAP(S)

This example shows logging in to Fortinet FortiMail with Rublon Multi-Factor Authentication. Mobile Push has been set as the second factor in the Rublon Authentication Proxy configuration (auth_method was set to push).

1. Log in to FortiMail as a user by entering your name and password and clicking Log In.

Image showing logging in to Fortinet FortiMail

2. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing a Mobile Push notification received by the user during Fortinet FortiMail authentication

3. You will be logged in to Fortinet FortiMail.

Troubleshooting MFA for Fortinet FortiMail Using LDAP(S)

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations
