Release Notes

FortiMail 7.2.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

May 10, 2022

FortiMail 7.2.0 Release Notes
06-720-803372-202205010
 TABLE OF CONTENTS

Change Log 4
Introduction and Supported Models 5
Supported models 5
What's New 6
Special Notices 9
TFTP firmware install 9
Monitor settings for the web UI 9
SSH connection 9
Product Integration and Support 10
FortiSandbox support 10
FortiNDR support 10
FortiAnalyzer Cloud support 10
AV Engine 10
Recommended browsers 10
Firmware Upgrade and Downgrade 11
Upgrade path 11
Firmware downgrade 11
Resolved Issues 12
Antispam/Antivirus 12
Mail delivery 13
System 13
Log and Report 14
Admin GUI and Webmail 14
Common vulnerabilites and exposures 15

FortiMail 7.2.0 Release Notes 3

Fortinet Inc.
Change Log

Date Change Description

2022-05-10 Initial release.

2022-06-02 Added a note to What's New.

FortiMail 7.2.0 Release Notes 4

Fortinet Inc.
Introduction and Supported Models

This document provides a list of new and changed features, upgrade instructions and caveats, resolved issues, and
known issues in FortiMail 7.2.0 release, build 338.
For FortiMail documentation, see the Fortinet Document Library.

Supported models

FortiMail 200F, 2000E, 2000F, 3000E, 3000F, 3200E, 400F, 900F

FortiMail VM l VMware vSphere Hypervisor ESX/ESXi 6.0, 6.7, 7.0 and higher
l Microsoft Hyper-V Server 2008 R2, 2012 and 2012 R2, 2016, 2019
l KVM qemu 2.12.1 and higher
l Citrix XenServer v5.6sp2, 6.0 and higher; Open Source XenServer 7.4 and higher
l AWS BYOL
l Azure BYOL
l Google Cloud Platform BYOL
l Oracle Cloud Infrastructure BYOL

FortiMail 7.2.0 Release Notes 5

Fortinet Inc.
What's New
The following table summarizes the new features and enhancements in this release. For details, see the FortiMail
Administration Guide.
Feature
FortiNDR (FortiAI) Integration
FortiAnalyzer Cloud Integration
Email Continuity Enhancements
Mail Queue Search Enhancement
Quarantined Email Attachment
Download Control
Authenticated Received Chain
(ARC) Support
Header Removal
Configuration Control
Redirector URL Enhancement
Classifier Variables
Mail Routing Relay Type
DMARC Enhancement
Support MTA-STS
MSSP Advanced Management
Features
Recipient Verification
FortiMail 7.2.0 Release Notes
Fortinet Inc.
Description
FortiNDR malware detection server has been integrated into the antivirus
profile.
FortiMail can send logs to FortiAnalyzer Cloud.
l Internal email: Captures internal-to-internal email for Email Continuity.
l BCC self: Added "BCC self" option to Email Continuity in resource
profile.
l Address book synchronization: LDAP address book can be
synchronized to FortiMailat configured intervals.
l Authentication improvements.
Added sending, deleting, and delivering to alternative host functions in mail
queue search. Also added REST API support for these functions.
Added control in the resource profile to disable/enable webmail users'
attachment download of their personal quarantines.
Support ARC validation and sealing.
Added header removal to content and DLP action profiles.
Added CLI commands to restrict domain level admins to make changes to
some settings.
Try to resolve all URLs to their final destinations.
Added classifier variables to notification message templates and increased
notification profiles for some models.
Added mail host as the relay type to mail routing in MTA Advanced Control.
Use DMARC record's policy and take corresponding actions.
Support MTA-STS domain checking.
l Per domain statistics: In addition to system level mail statistics, per
domain statistics metrics can be generated and viewed.
l Intra domain protection: Both incoming and outgoing recipient policies
can be applied between protected domains of different tenants.
l New attribute fields for customer management: some domain admin
settings can only be configured by system admin.
Added "discard" action to recipient verification failures.
6
What's New
Feature
Web Filter
Maturity Levels of GA Releases
New Variables in Quarantine
Summary
External Email Warning
Description Fields
REST API Rate Limit
CLI Access Control
Utility Menu
MAIL FROM Customization
Block/Safe List Tracking
Replacement Custom Message
Enhancement
URL Neutralization
FortiSandbox URL Submission
Exception
DSN EHLO/HELO Argument
Customization
URL Checking
New execute factoryreset2
Command
MS365 Protection
Load Balancer
IP Pool Behavior Change
FortiMail 7.2.0 Release Notes
Fortinet Inc.
Description
Support web filter local categories.
New GA releases will be tagged as "Maturity" or "Feature" release.
The Feature tag indicates that the firmware release includes new features.
The Maturity tag indicates that the firmware release includes no new, major
features. Maturity firmware will contain bug fixes and vulnerability patches
where applicable.
Added "ORIG_ENVOLOPE_TO" and "ORIG_TO" (Header To) to quarantine
summary reports.
Added an option in incoming disclaimers for external email only.
Added description/comment fields to some settings.
Added rate limit control to REST API access.
Added privilege levels to access CLI in admin profiles.
Grouped a few utilities under System menu.
l Added .msg to .eml converter
l Added regular expression validator
Added option to customize Mail From attribute in domain settings.
Added auto aging and retention option to the block/safe lists.
Separate replacement messages for body and attachment parts.
Added URL neutralization action to CDR and content profile actions.
Added option to bypass one-time URLs.
The DSN EHLO/HELO argument can be set to host name, domain name, or
other customized name. The default is host name.
Resolve URLs to their final destinations before ForiGuard query.
Reset the FortiMail unit to its default settings for the currently installed
firmware version, while retaining all network settings.
l Added individual actions for IP reputation in MS365 antispam profiles.
l Added sender and recipient filtering.
l When set to on-policy-match, Microsoft 365 History, Mail Event,
Antivirus, and Antispam log entries will only be logged upon policy
match.
Support load balancer on Azure and Oracle Cloud platform.
(Same feature as introduced in 7.0.3) The following CLI command has been
added to control IP pool usage.
config system mailserver
7
What's New

Feature Description
set ip-pool-direction [ all | exclude-
internal-to-internal]
end
With the new "exclude-internal-to-internal" option, the IP pools will not be
applied to the internal-to-internal email. The default setting is "all".

SSO Workflow Enhancement Workflow and GUI enhancements.

FortiMail 7.2.0 Release Notes 8

Fortinet Inc.
Special Notices

This section highlights the special notices that should be taken into consideration before upgrading your platform.

TFTP firmware install

Using TFTP via the serial console to install firmware during system boot time will erase all current FortiMail
configurations and replace them with factory default settings.

Monitor settings for the web UI

To view all objects in the web UI properly, Fortinet recommends setting your monitor to a screen resolution of at least
1280x1024.

SSH connection

For security reasons, starting from 5.4.2 release, FortiMail stopped supporting SSH connections with plain-text
password authentication. Instead, challenge/response should be used.

FortiMail 7.2.0 Release Notes 9

Fortinet Inc.
Product Integration and Support

FortiSandbox support

l Version 2.3 and above

FortiNDR support

l Version 7.0.0

FortiAnalyzer Cloud support

l Version 7.0.3

AV Engine

l Version 6.4, build 273

Recommended browsers

For desktop computers:

l Microsoft Edge 100
l Firefox 99
l Safari 15
l Chrome 100

For mobile devices:

l Official Safari browser for iOS 14，15
l Official Google Chrome browser for Android 11，12

FortiMail 7.2.0 Release Notes 10

Fortinet Inc.
Firmware Upgrade and Downgrade

Before any firmware upgrade or downgrade, save a copy of your FortiMail configuration by going to Dashboard
> Status and click Backup in the System Information widget.
After any firmware upgrade or downgrade, if you are using the web UI, clear the browser cache prior to login on the
FortiMail unit to ensure proper display of the web UI screens. Also go to verify that the build number and version number
match the image loaded.
The antivirus signatures included with an image upgrade may be older than those currently available from the Fortinet
FortiGuard Distribution Network (FDN). Fortinet recommends performing an immediate AV signature update as soon as
possible.

Firmware downgrading is not recommended and not supported in general. Before

downgrading, consult Fortinet Technical Support first.

Upgrade path

Any 4.x release older than 4.3.6 > 4.3.6 (build 540) > 5.2.3 (build 436) > 5.2.8 (build 467) > 5.3.10 (build 643) > 5.4.4
(build 714) (required for VMware install only) > 5.4.6 (build 725) > 6.0.5 (build 148) > 6.2.4 (build 272) > 6.4.5 (build 453)
> 7.0.0 (build 133) > 7.2.0 (build 338)

Firmware downgrade

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are
retained:
l operation mode
l interface IP/management IP
l static route table
l DNS settings
l admin user accounts
l admin access profiles

FortiMail 7.2.0 Release Notes 11

Fortinet Inc.
Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquires about a
particular bug, please contact Fortinet Customer Service & Support.

Antispam/Antivirus

Bug ID Description

782699 Email scanning continues after the final action has been taken.

782367 DLP condition "body is empty" should be applied to the email that looks empty (with invisible characters).

783166 SPF check fails for MS365 API mail.

770190 DKIM checking may not work properly in some cases.

773494 Manipulated MIME headers may bypass AV scan.

778938 In some cases, zip files cannot be decrypted.

772298 After upgrading from v7.0.1 to v7.0.2, DLP scan does not work properly.

771118 Sender IP address is added to authentication reputation blocklist after delivering five to 10 email
messages.

770566 Malicious URLs in text format may bypass FortiGuard URL filter check.

770445 DLP scan does not detect words in the headers and footers of Microsoft Word documents.

770841 URL exemption for domain names does not work properly with "aggressive" URL checking.

764802 Dictionary profile was triggered with no matching pattern.

785327 DKIM check fails incorrectly.

784305 In some cases, the content filter fails to detect HTML attachments.

789214 DKIM check is not performed if the sender is in the safelist.

794309 Final action of DMARC is not applied.

792507 Quarantine report does not work for associate domains when using domain recipient policy with regular
expressions.

799789 DKIM check false positive.

803094 Content filter with wildcard patterns cannot detect Thai language.

797391 In some cases, URL Click Protection does not work properly.

FortiMail 7.2.0 Release Notes 12

Fortinet Inc.
 Resolved Issues

Mail delivery

Bug ID Description

773010 Successful bounce verification scan does not remove the tag.

774758 DSNs are sent using the mail routing profile of the original email.

732598 In some cases, email delivery may be delayed after Microsoft 365 real-time scanning.

800994 Outbound email messages are rejected due to timeout but are logged as Accept.

System

Bug ID Description

781056 After upgrading from v6.4 to v7.0, FortiGuard antispam service is displayed as not reachable although the
service is disabled.

783656 DANE check 2.x.x should ignore "Unable to get CRL".

672299 The dnscached process may cache incorrect query results under heavy traffic.

773356 Missing deployment package for VMware ESXi 7.02.

771913 Domain disclaimers do not work properly.

768275 IP pools in ACL rules should have higher priority over IP pools in policies.

772318 Push update does not work properly.

769748 System encounters reboot loop with subscription license.

770916 Unable to configure distinguished name (DN) with more than 127 characters.

765128 In server mode config-only HA, multiple calendar event reminders are sent to users.

764216 When ping access is disabled on an interface, ping6 from FortiMail cannot be sent.

768328 Subdomain-based admins with read/write access privilege are not able to view domain based settings.

786272 In some cases, disclaimers are not added properly although the logs show otherwise.

788629 Associated domains should use the primary domain's Bayesian database.

782368 High CPU usage after upgrading from v6.4.5 to v6.4.6.

793149 Fail to subscribe MS365 users due to large number of invalid users.

781108 High memory usage caused by hasyncd.

797330 Disclaimers are not added at the top of email messages.

794074 If post-login banner is enabled on the admin portal, SSO login does not work.

FortiMail 7.2.0 Release Notes 13

Fortinet Inc.
Resolved Issues

Bug ID Description

766819 Mail data may get corrupted when transferred to a NAS device.

798144 Problem with system time when using GMT time zone.

799920 Admin profile with permission to Traffic Capture cannot sniffer via CLI.

801861 High memory usage over time.

Log and Report

Bug ID Description

781956 When adding a safe/block list via webmail, the entries are added successfully but the event is not logged.

786675 No System Event logs are generated when creating/deleting a DKIM key pair.

797621 In some cases, log search does not work properly.

Admin GUI and Webmail

Bug ID Description

781054 History log search by message ID does not work.

777084 Sender Reputation search filter does not work with relationship set to "or".

764729 In server mode, the "Failed to open mailbox" error message may display when a webmail user tries to
open a mail folder.

786646 Unable to create safelists and blocklists.

786675 No system event logs are generated when creating/deleting a DKIM key pair.

799549 Webmail GUI is blocked when composing an email message and trying to edit a link.

801157 System time section shows vertical format in Japanese GUI.

803220 FortiMail product icon is not shown on webmail GUI in server mode.

794341 IBE notification for new user registration and activation is in English while the language is set to German.

804982 On the log search page, the "Load Previous Setting" button does not repopulate the Client IP field.

804855 Admin login page is accessible from any IP address when trusted IP is set.

FortiMail 7.2.0 Release Notes 14

Fortinet Inc.
Resolved Issues

Common vulnerabilites and exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID Description

776309 CWE-121: Stack-based Buffer Overflow

765178 CWE-134: Use of Externally-Controlled Format String

686309 CWE-329: Not Using a Random IV with CBC Mode

771106 CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

703776 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

790809 CWE-352: Cross-Site Request Forgery (CSRF)

793937 CWE-284: Improper Access Control

773386 CWE-610: Externally Controlled Reference to a Resource in Another Sphere

FortiMail 7.2.0 Release Notes 15

Fortinet Inc.
 www.fortinet.com

Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may
also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in
internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General
Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics
expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication
without notice, and the most current version of the publication shall be applicable.