fortimail-mcp-server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@fortimail-mcp-serverCheck engine health and show deferred queue"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
FortiMail MCP Server
Secure AI Gateway for FortiMail — open-source MCP server that speaks only to the FortiMail Engine HTTP API (/v1, Bearer API keys). It does not connect directly to a FortiMail appliance or store appliance admin passwords.
License: MIT. Security disclosures: SECURITY.md.
Features
40+ tools mapped to the FortiMail Engine OpenAPI (
pnpm run codegenregenerates TypeScript types)Bearer-only upstream auth —
fme_...API keys with engine-side scopes (fortimail:read/fortimail:write, etc.)Dual-backend caching — in-memory (default) or Redis, with per-resource TTLs (MCP response cache only)
Retry with exponential backoff — transient HTTP errors
TLS — verify by default; set
FORTIMAIL_VERIFY_CERT=falseonly when appropriateDual transport — Streamable HTTP (remote) or stdio (local)
Input validation — Zod schemas on every tool
Truncation safety — ~25K character cap on tool output (final gate for LLM context)
Optional HTTP authentication — Bearer token and/or API key for
POST /mcp
Related MCP server: Zapmail MCP Server
Architecture (thin client)
Layer | Role |
This repo | Auditable MCP "driver": maps tools → Engine REST paths, adds caching and truncation |
FortiMail Engine (proprietary) | Policy, FortiMail quirks, rate limits, optional multi-tenant routing |
FortiMail appliance | Reached only by the engine, not by this MCP process |
Upstream contract: vendored openapi/openapi.json. When the engine API changes, refresh that file and run pnpm run codegen.
What the AI can do for you
Workflow | Example prompt | Tools involved |
Engine health | "Check FortiMail Engine status with detailed readiness" |
|
Queue triage | "List the incoming queue, then show full headers for mkey …" |
|
Redirect stuck mail | "Search the deferred queue for recipient X, reroute to backup.example.com" |
|
Log investigation | "List elog files, download the segment …" |
|
Reporting | "List reports, trigger mail stats for task Daily_Stats" |
|
Security model
Mode | Notes |
stdio | MCP runs on the operator machine. |
HTTP | Protect |
Threat model: Anyone who can call /mcp with valid HTTP auth can do whatever the engine API key allows. Protect Redis if used. See SECURITY.md.
Quick Start
pnpm install
pnpm run build
pnpm testRequired environment:
FORTIMAIL_ENGINE_URL=https://your-engine.example.com/v1
FORTIMAIL_ENGINE_API_KEY=fme_your_keyExample .env.local:
FORTIMAIL_ENGINE_URL=https://engine.example.com/v1
FORTIMAIL_ENGINE_API_KEY=fme_...
# FORTIMAIL_VERIFY_CERT=false # only if engine uses a private CA / self-signed certRun:
pnpm start
# HTTP + MCP auth
TRANSPORT=http PORT=3000 MCP_HTTP_BEARER_TOKEN=secret pnpm startEnvironment variables
Variable | Required | Default | Description |
| Yes | — | Engine base URL including |
| Yes | — | Bearer token ( |
| No | verify | Set |
| No |
|
|
| No |
| Redis URL |
| No |
|
|
| No |
| HTTP port |
| No |
| Bind address for HTTP |
| No | — | If set, |
| No | — | If set, |
Authentication tools
fortimail.engine.status— liveness (GET /health); optional detailed readiness (GET /health/detailed, Bearer). Both are requested at the engine origin (same host/port asFORTIMAIL_ENGINE_URLwith/v1stripped), not under/v1.fortimail.auth.logout— no-op (legacy name; engine uses API keys only).fortimail.cache.flush— clears MCP response cache (not the engine server cache).
Publishing to MCP directories (e.g. Smithery)
This server matches Smithery’s URL publishing expectations:
Requirement | How this repo satisfies it |
Streamable HTTP |
|
Auth | If you set |
401 for missing auth | Unauthenticated |
Config schema |
|
If Smithery or another gateway shows “couldn’t authenticate with the upstream server”: the gateway is calling your URL without a valid MCP secret. Set MCP_HTTP_BEARER_TOKEN on the host to match the value users enter in Smithery (or Cursor / ChatGPT connector) for MCP Bearer Token. Optional fields in the JSON Schema do not remove the need for that token when the server enforces HTTP auth.
Cloudflare / WAF: allow SmitheryBot and skip JS challenges on POST /mcp so scans succeed (Smithery troubleshooting). For MCP, also disable caching and response buffering on /mcp so SSE streams are not broken.
Reverse proxy (Traefik / nginx / Dokploy): The upstream must receive the same credential headers the client sends. If Authorization is stripped, configure the proxy to forward it, or have the gateway send X-MCP-Bearer-Token (supported by this server). Some setups copy the client Authorization into X-Forwarded-Authorization — that is supported when the primary Authorization header is missing.
Still failing: Set MCP_HTTP_DEBUG_AUTH=true on the container and retry from ChatGPT; check logs for hasAuthorization / hasXMcpBearerToken / queryKeys (no secrets logged). If all are false, the gateway is not forwarding credentials to your origin.
Name:
fortimail-mcp-serverDescription: MCP client for FortiMail Engine API — domains, users, profiles, queue, reports, logs, SMTP
Required env (process):
FORTIMAIL_ENGINE_URL,FORTIMAIL_ENGINE_API_KEYTransports:
stdio, Streamable HTTP (POST /mcpstreams SSE;GET /mcpreturns 401 without auth, else 405 with hint)
HTTP mode for Cursor / ChatGPT / Claude (remote URL)
Point the client at https://your-host/mcp and configure the same secret the server expects:
Authorization:
Bearer <MCP_HTTP_BEARER_TOKEN>, orHeader:
X-MCP-Bearer-Token: <MCP_HTTP_BEARER_TOKEN>(matches Smitherymcp_bearer_token/x-mcp-bearer-token), orQuery:
?mcp_bearer_token=<token>(less ideal; may appear in logs)
MSP and multi-instance
One process = one engine base URL + one API key. For many tenants or appliances, run multiple MCP instances (or let the engine multiplex tenants — the MCP only forwards the Bearer token). See docs/MULTI_INSTANCE.md.
Licensing and commercial roadmap
Open core: MIT (LICENSE).
Engine: The FortiMail Engine service that implements
openapi.jsonmay be proprietary; this repo stays a thin OSS client.
Contributions: CONTRIBUTING.md. Security: SECURITY.md.
Tool inventory
Engine & cache (3 tools)
fortimail.engine.status/fortimail.auth.logout/fortimail.cache.flush
Domains (7 tools)
fortimail.domains.list/fortimail.domains.get/fortimail.domains.create/fortimail.domains.update/fortimail.domains.deletefortimail.domains.info.get/fortimail.domains.info.update
Users (10 tools)
Mail users:
fortimail.users.list/.get/.create/.update/.deleteUser maps:
fortimail.users.maps.list/.get/.create/.update/.delete
Profiles (20 tools)
GeoIP, Notification, IMAP auth, SMTP auth — CRUD each (e.g.
fortimail.profiles.geoip.list)
Mail queue (6 tools)
fortimail.queue.list/.search/.view/.delete/.reroute/.download
Reports (6), Logs (2), SMTP (2)
fortimail.reports.*,fortimail.logs.*,fortimail.smtp.config.*
Repository layout
src/
├── index.ts
├── constants.ts
├── text-utils.ts
├── generated/engine-schema.ts # pnpm run codegen
├── engine/unwrap.ts
├── services/api-client.ts # EngineClient (Bearer)
└── tools/MCP client configuration (stdio)
{
"mcpServers": {
"fortimail": {
"command": "node",
"args": ["/path/to/fortimail-mcp-server/dist/index.js"],
"env": {
"FORTIMAIL_ENGINE_URL": "https://engine.example.com/v1",
"FORTIMAIL_ENGINE_API_KEY": "fme_..."
}
}
}
}HTTP mode
TRANSPORT=http PORT=3000 MCP_HTTP_BEARER_TOKEN=your-secret node dist/index.jsDevelopment
See CONTRIBUTING.md. Run pnpm test before submitting changes. After updating openapi/openapi.json, run pnpm run codegen.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Lynsoft/fortimail-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server