Fortinet FortiMail-100 Install Manual Download Page 129 | Manualshive

Page: 129 / 174

background image

Transparent mode deployment

Example 3: FortiMail unit for an ISP or carrier

FortiMail™ Secure Messaging Platform Version 4.0 Patch 1 Install Guide
Revision 2

129

http://docs.fortinet.com/

•

Service providers often fundamentally require transparent mode. Requiring subscribers to
explicitly configure a mail relay can be problematic, and in the case of 3G mobile
subscribers, impossible. Therefore gateway mode is not suitable. Transparent mode
makes SMTP scanning possible without configuration by the subscriber.
A dual-arm attachment is used. This provides natural isolation of traffic before and after
inspection, which can be useful if traffic requires further analysis such as packet traces by
a sniffer. (If you use a load balancer and it does not support the same session on two
different ports, deploy the FortiMail unit using a single-arm attachment instead. For
example, Foundry IronServer has been known to require single-arm attachment.)

Figure 48: Transparent mode deployment at an ISP or carrier (with HA cluster)

Each network interface in the dual-arm attachment (port2 and port3) is removed from the
Layer 2 bridge, and is configured with its own IP address. This reduces the possibility of
Ethernet loops and improves compatibility with other filtering devices.
Because port1 cannot be removed from the bridge, and the management IP is accessible
from any bridging network interface, port1 is reserved for direct connections from the
administrator's computer. (If the administrator’s computer is not directly connected but is
instead part of a management LAN, a route must also be configured for port1.)

Note:

For increased session-handling capacity, multiple FortiMail units could be clustered

into a config-only HA group and deployed behind a load balancer that is attached to the
router. Connections to the same source IP address would be handled by the same FortiMail
unit to avoid sessions split among multiple units, and to maintain the accuracy of IP
statistics. Otherwise, attach a single FortiMail unit to the router.

Administrator

TRANSPARENT MODE

CONFIG-ONLY HA

External MTA

Internet

SMTP SESSIONS

TO INTERNAL

IPs

SMTP SESSIONS

TO EXTERNAL

IPs

port1

port2

Subscsriber

Network

port3

Router

RADIUS

Server

GGSN

DSLAM

SGSN

DSL modem/

router

DSL Subscriber

3G Subscriber

Load Balancer

RADIUS ACCOUNTING

NOTICES OF

CURRENT SUBSCRIBER

IP ADDRESSES

«
...
127
128
129
130
131
...
»

Summary of Contents for FortiMail-100

Page 1: ...FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide...

Page 2: ...SIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyze...

Page 3: ...ent server connections in SMTP 14 MTA 15 MUA 15 Incoming vs outgoing directionality 15 The role of DNS in email delivery 16 MX record 17 A record 18 Reverse DNS record 18 FortiMail web based manager m...

Page 4: ...Mounting the FortiMail unit 33 Removing the system from the rack 39 Installing the cable management arm 40 Installing the hard drives 45 Installing the bezel 48 Connecting the keyboard mouse and moni...

Page 5: ...ecting to FortiGuard services 89 Configuring scheduled updates 91 Configuring push updates 92 Manually requesting updates 94 Gateway mode deployment 95 Configuring DNS records 95 Configuring DNS recor...

Page 6: ...ridge 133 Configuring the session profiles 134 Configuring the IP based policies 136 Configuring the outgoing proxy 137 Testing the installation 138 Server mode deployment 139 Configuring DNS records...

Page 7: ...http docs fortinet com Feedback Testing the installation 159 Troubleshooting tools 161 Ping and traceroute 161 Nslookup 162 Telnet connections to the SMTP port number 163 Log messages 164 Greylist and...

Page 8: ...Contents FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 8 Revision 2 http docs fortinet com Feedback...

Page 9: ...FortiMail provides bidirectional email routing virtualization and archiving capabilities with a lower total cost of ownership This document will assist you in physically connecting and performing req...

Page 10: ...ite you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD and on the Fortinet Knowledge Center Fortinet Tools and Documentation CD Many Fortinet publications are ava...

Page 11: ...he FortiMail CLI Reference This document is intended for administrators not end users If you are an email user please click the Help link in FortiMail webmail to see the webmail online help instead or...

Page 12: ...hnical documentation Convention Example Button menu text box field or check box label From Minimum log level select Notification CLI input config system dns set primary address_ipv4 end CLI output FGT...

Page 13: ...to the destination email server that hosts email for the recipient email user When an MTA connects to the destination email server it determines whether the recipient exists on the destination email s...

Page 14: ...computer a copy of the email remains on the email server s hard disk The advantage of this is that it enables email users to view email from more than one computer This is especially useful in situat...

Page 15: ...client is software such as Microsoft Outlook that enables users to send and receive email FortiMail units support SMTP connections for sending of email by a MUA FortiMail units operating in server mod...

Page 16: ...connection when determining the directionality of an email message FortiMail units examine the domain to which the recipient belongs if the domain to which the recipient email address belongs is a pr...

Page 17: ...or gateway may be a subdomain or another domain name entirely such as that of the MTA of an Internet service provider ISP For example the email gateways for the email domain example com could be mail1...

Page 18: ...liver the email to that IP address You must configure the public DNS server for your host names with an A record to resolve the host names referenced in MX records and the host name of the FortiMail u...

Page 19: ...sparent mode The FortiMail unit transparently proxies or relays email traffic to and from the email servers that it protects It does not locally store email unless queued or quarantined Server mode Th...

Page 20: ...availability modes Key concepts FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 20 Revision 2 http docs fortinet com Feedback For more information on HA see the FortiMail Admini...

Page 21: ...never possible rather than Unshielded Twisted Pair UTP Do not connect or disconnect cables during lightning activity to avoid damage to the FortiMail unit or personal injury Rack mount instructions El...

Page 22: ...ortiMail unit FortiMail 100 and FortiMail 100C Adhere the rubber feet included in the package to the underside of the FortiMail unit near the corners of the unit if not already attached Place the Fort...

Page 23: ...l unit to the rack 5 Once you verify the spacing of the FortiMail unit and that it is level tighten the screws with a screwdriver Figure 3 Mounting in a rack FortiMail 2000A and FortiMail 4000A To mou...

Page 24: ...the innermost rail This rail will attach to the sides of the FortiMail unit Figure 4 FortiMail side rail To remove the side rail 1 Open the slide rails package and remove the rails 2 Extend the slide...

Page 25: ...ckets for a proper fit Ensure that both housings are on the same level to ensure the FortiMail unit can easily glide into place and is level 2 Use the screws and additional L brackets if required to s...

Page 26: ...O 2 Connect the power cord at the back of the FortiMail unit 3 Connect the power cable to a power outlet 4 Set the power switch on the back left of the FortiMail unit to the on position indicated by t...

Page 27: ...om your overall network However isolation is not required Using the supplied Ethernet cable connect one end of the cable to port1 on the FortiMail unit connect the other end of the cable to the router...

Page 28: ...mmand line interface similar to DOS or UNIX commands from a Secure Shell SSH or Telnet terminal using the front panel s LCD display and control buttons on some models that are equipped with LCD displa...

Page 29: ...ificate which usually contains the host name of the web site does not exactly match the URL you requested This could indicate server identity theft but could also simply indicate that the certificate...

Page 30: ...me for the connection and select OK 5 On Connect To from Connect using select the communications COM port where you connected the FortiMail unit 6 Select OK 7 Select the following Port settings and se...

Page 31: ...fferent IP address or SSH key If your management computer is directly connected to the FortiMail unit with no network hosts between them this is normal 9 Click Yes to verify the fingerprint and accept...

Page 32: ...manager to complete additional setup To continue see Connecting to the web based manager on page 28 Table 4 Control buttons on the front panel Button Description Enter Move into the currently selected...

Page 33: ...he power cables Securing the power cord Mounting the FortiMail unit The FortiMail 2000B unit comes with a sliding rail kit Use the instructions below to install the rails To install the sliding rail k...

Page 34: ...nstall Guide 34 Revision 2 http docs fortinet com Feedback Figure 1 Rail kit contents 2 In square hole racks do the following Position the left and right rail end pieces of the rail module labeled FRO...

Page 35: ...age the back end of the rail until it fully seats on the vertical rack flange and the second tooth on the latch locks in place Repeat these steps to position and seat the front end piece on the vertic...

Page 36: ...the first U and the top hole of the second U 8 Engage the back end of the rail until it fully seats on the vertical rack flange and the first tooth on the latch locks in place Repeat these steps to p...

Page 37: ...e system and lower them into the J slots on the slide assembly 12 Seat the three screws on the other side lowering the system until all shoulder screws engage in the J slots 13 Push the system inward...

Page 38: ...e latches engage automatically as the system is pushed into the rack and are released by pulling up on the latches 16 To secure the system for shipment in the rack or for other unstable environments l...

Page 39: ...the cables Bundle the cables gently pulling them clear of the system connectors to the left and right sides 19 Thread the Velcro straps through the tooled slots on the outer or inner CMA brackets on...

Page 40: ...a level surface 3 Installing the cable management arm The FortiMail 2000B unit comes with a cable management arm Use the instructions below to install the arm To install the cable management arm 1 Lo...

Page 41: ...side of the tray with the receiver brackets on the inner edges of the rails and push forward until the tray clicks into place 4 1 2 3 Note To secure the CMA for shipment in the rack loop the tie wraps...

Page 42: ...the receiver brackets 5 3 To install and remove the CMA do the following At the back of the system fit the latch on the front end of the CMA on the innermost bracket of the slide assembly until the la...

Page 43: ...and removing the cable management arm Fit the other latch on the end of the outermost bracket until the latch engages 7 To remove the CMA disengage both latches by pressing the CMA release buttons at...

Page 44: ...nce it is unseated from the tray swing the CMA away from the system 10 5 To cable the system using the CMA do the following Using the tie wraps provided bundle the cables together as they enter and ex...

Page 45: ...he CMA Attach the other end of this cable to the corner of the outer CMA basket 16 Installing the hard drives The FortiMail 2000B unit has six 3 5 inch drive bays All chassis support hot swappable SAS...

Page 46: ...be either all SAS or all SATA drives Removing a hard drive blank 1 Remove the front bezel See Installing the Bezel on page 18 2 Grasp the front of the hard drive blank press the release lever on the r...

Page 47: ...ank in the vacated drive bay See Installing a hard drive blank on page 46 6 If applicable install the bezel See Installing the Bezel on page 18 Installing a hot swap hard drive 1 If present remove the...

Page 48: ...with the connector end of the drive at the back See Figure 15 2 Align the screw holes on the hard drive with the back set of holes on the hard drive carrier When aligned correctly the back of the har...

Page 49: ...Rotate the left end of the bezel away from the system to release the right end of the bezel 4 Pull the bezel away from the system See Figure 16 Figure 16 Removing the front bezel To install the front...

Page 50: ...and monitor Connect the keyboard mouse and monitor optional The connectors on the back of your system have icons indicating which cable to plug into each connector Be sure to tighten the screws if any...

Page 51: ...edback Securing the power cord Figure 19 Securing the power cord Bend the system power cable into a loop as shown in the illustration and secure the cable to the bracket using the provided strap Plug...

Page 52: ...Securing the power cord FortiMail 2000B hardware installation FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 52 Revision 2 http docs fortinet com Feedback...

Page 53: ...inserted into an Advanced Telecommunications Computing Architecture ACTA chassis such as the FortiGate 5140 FortiGate 5050 or FortiGate 5020 chassis Before inserting the board into a chassis you shou...

Page 54: ...ot contain an operating shelf manager you must change the SW11 switch setting as shown in Figure 21 Figure 21 FortiGate 5020 setting for SW11 standalone mode In all cases you should confirm that you h...

Page 55: ...W11 to the correct setting 5 Insert the FortiMail board into a chassis and verify that the board starts up and operates correctly For inserting instructions see Inserting a FortiMail board on page 56...

Page 56: ...closed the microswitch is on and if the board is fully inserted into a chassis slot the board can receive power You can use the right handle to cycle the power and reset the board without removing th...

Page 57: ...D wrist strap to your wrist and to an available ESD socket or wrist strap terminal 2 If required remove the protective metal frame that the FortiMail board has been shipped in 3 Insert the FortiMail b...

Page 58: ...slot and into full contact with the chassis backplane The FortiMail front panel should be in contact with the chassis front panel Both handles lock into place As the handles close power is supplied t...

Page 59: ...from a chassis slot To complete this procedure you need An ATCA chassis with a FortiMail board installed An electrostatic discharge ESD preventive wrist strap with connection cord 1 Attach the ESD wr...

Page 60: ...switch turns off all LEDs and ejects the board from the chassis slot 6 Pull the board about half way out 7 Turn both handles to their fully closed positions When the FortiMail handles are fully closed...

Page 61: ...oblem power down and then restart the chassis If you are operating a FortiGate 5000 series chassis you can power down and then restart the chassis without removing FortiGate 5000 series components All...

Page 62: ...Troubleshooting FortiMail 5001A hardware installation FortiMail Secure Messaging PlatformVersion 4 0 Patch 1Install Guide 62 Revision 2 http docs fortinet com Feedback...

Page 63: ...t You can test a new firmware image by temporarily running it from memory without saving it to disk By keeping your existing firmware on disk if the evaluation fails you do not have to re install your...

Page 64: ...cal Address 192 168 1 188 11 Type a temporary IP address that can be used by the FortiMail unit to connect to the TFTP server The following message appears Enter File Name image out 12 Type the firmwa...

Page 65: ...Firmware Version row select Update 6 Select Browse to locate and select the firmware file that you want to install then select OK 7 Select OK Your management computer uploads the firmware image to th...

Page 66: ...and the IP address of the TFTP server is 192 168 1 168 enter execute restore image out 192 168 1 168 One of the following message appears This operation will replace the current firmware version Do y...

Page 67: ...command execute ping 192 168 1 168 where 192 168 1 168 is the IP address of the TFTP server 8 Enter the following command to restart the FortiMail unit execute reboot 9 As the FortiMail units starts a...

Page 68: ...Mail units starts a series of system startup messages are displayed Press any key to display configuration menu Immediately press a key to interrupt the system startup If you successfully interrupt th...

Page 69: ...er the following command to restart the FortiMail unit execute reboot 7 As the FortiMail units starts a series of system startup messages are displayed Press any key to display configuration menu 8 Im...

Page 70: ...following Save as Default firmware Backup firmware Run image without saving D B R 13 Type D The FortiMail unit downloads the firmware image file from the TFTP server The FortiMail unit installs the f...

Page 71: ...e Quick Start Wizard This section describes each operation mode assisting you in choosing the operation mode that best suits your requirements This section contains the following topics Characteristic...

Page 72: ...provider ISP could deploy a FortiMail unit to protect their customers email servers For security reasons customers do not want their email servers to be directly visible to external MTAs Therefore the...

Page 73: ...be physically placed where it can intercept the connection Figure 25 Example transparent mode topology For example a school might want to install a FortiMail unit to protect its mail server but does n...

Page 74: ...ience of managing both their email server and email security on one network device Therefore the company deploys the FortiMail unit in server mode For sample deployment scenarios see the chapter Serve...

Page 75: ...com Feedback 4 Select OK A confirmation dialog appears warning you that many settings will revert to their default value for the version of your FortiMail unit s firmware 5 Select OK The FortiMail un...

Page 76: ...Configuring the operation mode Choosing the operation mode FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 76 Revision 2 http docs fortinet com Feedback...

Page 77: ...n the Quick Start Wizard Step 1 Changing the admin password Step 2 Configuring the network settings and system time Step 3 Configuring local host settings Step 4 Adding protected domains Step 5 Config...

Page 78: ...ure 27 Quick Start Wizard Step 1 Step 2 Configuring the network settings and system time Step 2 of the Quick Start Wizard configures basic system time and network settings Available settings vary by w...

Page 79: ...FortiMail administrators will use to access the web based manager and CLI through port1 and other bridging network interfaces and which the FortiMail unit will use when connecting to the Fortinet Dist...

Page 80: ...To proceed to Step 4 Adding protected domains select Next Secondary DNS Enter the IP address of the secondary server to which the FortiMail unit will make DNS queries Default Gateway IP Address Enter...

Page 81: ...rtiMail unit will add the host name to the subject line of alert email messages Local Domain Name Enter the local domain name to which the FortiMail unit belongs The FortiMail unit s fully qualified d...

Page 82: ...gure a protected domain of example com whose SMTP server is 10 10 10 10 You usually must configure at least one protected domain FortiMail units can be configured to protect one or more email domains...

Page 83: ...of the protected domain For example if you want to protect email addresses such as user1 example com you would enter the protected domain name example com Use MX Record transparent mode and gateway mo...

Page 84: ...hat is located on a physically separate server from your internal mail server this could be your internal mail relay instead of your internal mail server Consider your network topology directionality...

Page 85: ...l unit as an open relay senders can deliver email incoming to protected domains but cannot deliver email outgoing to unprotected domains For details see the FortiMail Administration Guide Usually you...

Page 86: ...presents any single character For example the sender pattern com will match messages sent by any email user with a two letter email user name from any com domain name Regular expression Mark this chec...

Page 87: ...reverse DNS pattern for a match If the reverse DNS query fails the access control rule match will also fail If no other access control rule matches the connection will be rejected with SMTP reply cod...

Page 88: ...bility HA mode configure the HA settings before physically connecting the FortiMail units to your network For instructions on configuring HA see the FortiMail Administration Guide 2 If you have subscr...

Page 89: ...ivity To verify scheduled update connectivity Before performing this procedure if your FortiMail unit connects to the Internet using a proxy use the CLI command set system autoupdate tunneling to enab...

Page 90: ...ion updates from the FDN or override server using one or more of the following methods scheduled updates see Configuring scheduled updates on page 91 push updates see Configuring push updates on page...

Page 91: ...owing CLI command execute traceroute address_ipv4 where address_ipv4 is the IP address of the DNS server or FDN server When query connectivity is successful antispam profiles can use the FortiGuard An...

Page 92: ...eb based manager 2 Enable Scheduled Update 3 Select from one of the following 4 Select Apply The FortiMail unit starts the next scheduled update according to the configured update schedule If you have...

Page 93: ...r router performing NAT enable Use override push IP and enter the external IP address and port number of the NAT device You must also configure the NAT device with port forwarding or a virtual IP to f...

Page 94: ...available updates for its FortiGuard Antivirus and FortiGuard Antispam packages You can manually initiate updates as an alternative or in addition to other update methods For details see Configuring...

Page 95: ...ected domains Regardless of your private network topology in order for external MTAs to deliver email through the FortiMail unit you must configure the public MX record for each protected domain to in...

Page 96: ...ail users access to their per recipient quarantines FortiMail administrators access to the web based manager by domain name alert email report generation notification email For this reason you should...

Page 97: ...AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0Y jUyM2NTkjRSxVMzoyLA 3D 3D 3Abf3db63dab53a291ab53a291ab53a291 Then in the DNS configuration to support this and the other DNS dependent features you...

Page 98: ...figure the FortiMail unit to use it go to System Network DNS in the advanced mode of the web based manager Example 1 FortiMail unit behind a firewall In this example a FortiMail unit operating in gate...

Page 99: ...sting the installation Configuring the firewall With the FortiMail unit behind a FortiGate unit you must configure firewall policies to allow traffic between the internal network and the Internet To c...

Page 100: ...e protocols and port numbers used in that traffic Because FortiGuard related services for FortiMail units are not predefined you must define them before you can create a service group that contains th...

Page 101: ...lect OK To add a service group for outgoing FortiMail traffic 1 Go to Firewall Service Group 2 Select Create New 3 In Group Name enter a name to identify the service group entry such as FortiMail_outg...

Page 102: ...ual IP Virtual IP 2 Select Create New 3 Complete the following 4 Select OK To add a virtual IP for the protected email server 1 Go to Firewall Virtual IP Virtual IP 2 Select Create New 3 Complete the...

Page 103: ...y 2 Select Create New 3 Complete the following 4 Select NAT 5 Select OK To add the FortiMail to Internet policy 1 Go to Firewall Policy Policy 2 Select Create New 3 Complete the following 4 Select NAT...

Page 104: ...il destined for other email users in the protected domain may be accepted but email outgoing to unprotected domains will be denied by the access control rule Testing the installation Basic configurati...

Page 105: ...ween the internal network and the FortiMail unit between the internal network and protected email server between the protected email server and the FortiMail unit between the protected email server an...

Page 106: ...for the protected email server 1 Go to Firewall Address Address 2 Select Create New 3 Complete the following 4 Select OK To add a firewall address for the FortiMail unit 1 Go to Firewall Address Addre...

Page 107: ...ervice Group 2 Select Create New 3 In Group Name enter a name to identify the service group entry such as PO3_IMAP_services 4 In the Available Services area select POP3 and IMAP then select the right...

Page 108: ...vices that are received at the internal virtual IP address then apply a static NAT when forwarding the traffic to the private network IP address of the protected email server Allow PO3_IMAP_services t...

Page 109: ...t NAT 5 Select OK To add the local users to email server policy 1 Go to Firewall Policy Policy 2 Select Create New 3 Complete the following Service Select SMTP Action Select ACCEPT Source Interface zo...

Page 110: ...user name and password for outgoing mail The user name is the email user s entire email address including the domain name portion such as user1 example com If you do not configure the email clients to...

Page 111: ...cts accounts for email addresses ending in example com which are hosted on the local email server Figure 44 FortiMail unit in DMZ The FortiMail unit has also been configured with an access control rul...

Page 112: ...nd the IP address of the FortiMail unit you must first define the IP addresses of those hosts by creating firewall address entries To add a firewall address for local email users 1 Go to Firewall Addr...

Page 113: ...e following 4 Select OK To add a custom service for FortiGuard Antispam rating queries 1 Go to Firewall Service Custom 2 Select Create New 3 Configure the following 4 Select OK To add a service group...

Page 114: ...2 Select Create New 3 In Group Name enter a name to identify the service group entry such as SMTP_quar_services 4 In the Available Services area select HTTP HTTPS and SMTP then select the right arrow...

Page 115: ...Note To add virtual IPs the FortiGate unit must be operating in NAT mode For more information see the FortiGate Administration Guide Name Enter a name to identify the virtual IP entry such as FortiMai...

Page 116: ...s from the FortiMail unit to the Internet Allow SMTP traffic that is received at the DMZ virtual IP address then apply a static NAT when forwarding the traffic to the private network IP address of the...

Page 117: ...il to email server policy 1 Go to Firewall Policy Policy 2 Select Create New 3 Complete the following Source Interface zone Select wan1 Source Address Name Select all Destination Interface zone Select...

Page 118: ...cted email server can be scanned but email outgoing from your email users cannot Also configure email clients to authenticate with the email user s user name and password for outgoing mail The user na...

Page 119: ...igure public DNS records for the FortiMail unit itself For performance reasons and to support some configuration options you may also want to provide a private DNS server for use exclusively by the Fo...

Page 120: ...et is the local domain name to which the FortiMail unit belongs in the MX record it is the local domain for which the FortiMail is the mail gateway fortimail example net is the FQDN of the FortiMail u...

Page 121: ...Public and private DNS servers transparent mode In some situations a private DNS server may be required If you configure the FortiMail unit to use a private DNS server and both the FortiMail unit and...

Page 122: ...DNS server Public DNS server example com IN MX 10 mail example com example com IN MX 10 mail example com mail IN A 172 16 1 10 mail IN A 10 10 10 1 10 IN PTR fortimail example com 1 IN PTR fortimail e...

Page 123: ...ted Note Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface Hide the transparent box transparent mode only Enable to preserve the I...

Page 124: ...port2 must be scanned before traveling to the main email server and therefore are configured to be are proxied that is picked up by the implicit relay Outgoing connections arriving on port1 will conta...

Page 125: ...location are required to deliver through the main email server which encrypts outgoing SMTP connections The firewall will only allow SMTP traffic from the main email server Figure 47 Transparent mode...

Page 126: ...ns to hide the existence of the FortiMail unit For information on additional protected domain and session profile options see the FortiMail Administration Guide To configure the transparent mode optio...

Page 127: ...with that of the FortiMail unit Note If the protected SMTP server applies rate limiting according to IP addresses enabling this option can improve performance The rate limit will then be separate for...

Page 128: ...proxied nor implicitly relayed To configure SMTP proxy and implicit relay pick up 1 Go to Mail Settings Proxies SMTP in the advanced mode of the web based manager 2 Configure the following 3 Select Ap...

Page 129: ...2 and port3 is removed from the Layer 2 bridge and is configured with its own IP address This reduces the possibility of Ethernet loops and improves compatibility with other filtering devices Because...

Page 130: ...t the FortiMail unit from being able to scan the connection The outgoing proxy is enabled Unlike other transparent mode deployments because no protected domains are defined all connections will be con...

Page 131: ...IP based policies Configuring the outgoing proxy Testing the installation Configuring the connection with the RADIUS server FortiMail units can use your RADIUS accounting records to combat spam and v...

Page 132: ...video between mobile phones There are eight interfaces defined for the MMS standard referred to as MM1 through MM8 MM3 uses SMTP to transmit text messages to and from mobile phones Because it can be u...

Page 133: ...log msisdn radius host order network order where host order network order indicates your choice Most RADIUS servers use network order Removing the network interfaces from the bridge In transparent mo...

Page 134: ...open relays No protected domains are configured and so transparency will be configured through the session profiles alone This will hide the existence of the FortiMail unit to all SMTP clients Becaus...

Page 135: ...ent of the previous hour whichever value is greater Restrict number of emails per hour to n Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMT...

Page 136: ...Reject Reject email and MMS messages from MSISDNs subscriber IDs whose endpoint reputation scores exceed Auto blacklist score trigger value Monitor Log but do not reject email and MMS messages from M...

Page 137: ...ated in order until a policy is found that matches the connection Because the default IP based policy 0 0 0 0 0 0 0 0 0 0 matches all connections and because it is first in the list in order for conne...

Page 138: ...TP server to send email Because port1 is used exclusively for administration the outgoing proxy must be configure to pick up outgoing connections only on port2 and port3 To configure outgoing proxy pi...

Page 139: ...of your private network topology in order for external MTAs to deliver email to the FortiMail unit you must configure the public MX record for each protected domain to indicate that the FortiMail unit...

Page 140: ...ail users access to their per recipient quarantines FortiMail administrators access to the web based manager by domain name alert email report generation notification email For this reason you should...

Page 141: ...MTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0Y jUyM2NTkjRSxVMzoyLA 3D 3D 3Abf3db63dab53a291ab53a291ab53a291 Then in the DNS configuration to support this and the other DNS dependent features you...

Page 142: ...all Remote email users computers and external email servers are located on the Internet outside of the network protected by the firewall The FortiMail unit hosts and protects accounts for email addres...

Page 143: ...firewall address Configuring the service groups Configuring the virtual IPs Configuring the firewall policies Configuring the firewall address In order to create the outgoing firewall policy that gov...

Page 144: ...e following 4 Select OK To add a custom service for FortiGuard Antispam rating queries 1 Go to Firewall Service Custom 2 Select Create New 3 Configure the following 4 Select OK Name Enter a name to id...

Page 145: ...tgoing_services 4 In the Available Services area select DNS NTP HTTPS SMTP and your custom service for FortiGuard Antispam rating queries FortiMail_antispam_rating_queries then select the right arrow...

Page 146: ...ortiMail to Internet policy 1 Go to Firewall Policy Policy 2 Select Create New 3 Complete the following 4 Select NAT 5 Select OK Configuring the email user accounts Create email user accounts for each...

Page 147: ...t 10 10 10 1 or fortimail example com If you do not configure the email clients to send email through the FortiMail unit incoming email can be scanned but outgoing email cannot Also configure email cl...

Page 148: ...which is between the FortiMail unit and local email users you must configure a policy to allow from local email users to the FortiMail unit To create the required policies complete the following Confi...

Page 149: ...licy that governs only FortiMail related traffic you must first a create service group that contains services that define protocols and port numbers used in that traffic To add a service group for ema...

Page 150: ...t one email user account for each protected domain in order to verify connectivity for the domain To add an email user 1 Go to Settings User User If this menu path is not available first select Basic...

Page 151: ...email users in the protected domain may be accepted but email outgoing to unprotected domains will be denied by the access control rule Testing the installation Basic configuration is now complete and...

Page 152: ...he following Configuring the firewall addresses Configuring the service groups Configuring the virtual IPs Configuring the firewall policies Configuring the firewall addresses In order to create the f...

Page 153: ...service group that contains those services To add a custom service for FortiGuard Antivirus push updates 1 Go to Firewall Service Custom 2 Select Create New 3 Configure the following 4 Select OK Name...

Page 154: ...ice group for outgoing FortiMail traffic 1 Go to Firewall Service Group 2 Select Create New 3 In Group Name enter a name to identify the service group entry such as FortiMail_outgoing_services 4 In th...

Page 155: ...elect Create New 3 Complete the following 4 Select OK Configuring the firewall policies First create a firewall policy that allows incoming email and other FortiMail services that are received at the...

Page 156: ...lect Create New 3 Complete the following Source Interface zone Select wan1 Source Address Name Select all Destination Interface zone Select dmz Destination Address Name Select FortiMail_VIP_wan1 Sched...

Page 157: ...emote email users to use the FortiMail unit as their outgoing mail server SMTP MTA For local email users this is the virtual IP address on the internal network interface of the FortiGate unit that map...

Page 158: ...Example 3 FortiMail unit in DMZ Server mode deployment FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 158 Revision 2 http docs fortinet com Feedback...

Page 159: ...ient quarantines If the FortiMail unit is operating in server mode you may also wish to test access to FortiMail webmail POP3 and or IMAP Figure 53 Connection test paths gateway mode Figure 54 Connect...

Page 160: ...office SMTP servers using an SMTP client on the remote network whose MTA is the FortiMail unit or protected email server send an email from an internal sender to an external recipient If you cannot c...

Page 161: ...iMail unit using CLI commands For example you might use ICMP ping to determine that 172 16 1 10 is reachable commands that you would type are highlighted in bold responses from the FortiMail unit are...

Page 162: ...ails or resolves incorrectly you may want to manually query your DNS server to verify that the records are correctly configured You can do this from the FortiMail unit using CLI commands For example y...

Page 163: ...test SMTP connectivity with mail example com on the standard SMTP port number 25 commands that you would type are highlighted in bold responses from the FortiMail unit are not bolded FortiMail 400 ex...

Page 164: ...n the default SMTP port number 25 mail example com is the fully qualified domain name FQDN of a protected email server from which you are connecting whose domain name resolves to the IP address 172 16...

Page 165: ...l despite being able to initiate SMTP connections to or through the FortiMail unit and is receiving SMTP error codes that indicate temporary failure or permanent rejection verify that the SMTP client...

Page 166: ...776c 2d2f 5a5f 545e 4555 5b5f 425b 545fwl Z_T EU _B T_ 0x0040 4559 6b6a 776b 646e 776c 6b6a 772b 646eEYkjwkdnwlkjw dn 0x0050 776c 6b6a 776b 646e 776c 6b6a 776b 86a9wlkjwkdnwlkjwk 0x0060 db73 21e1 5622...

Page 167: ...he following fgt2eth pl in fortimail_sniff txt out fortimail_sniff pcap where fgt2eth pl is the name of the conversion script include the path relative to the current directory which is indicated by t...

Page 168: ...nstall Guide 168 Revision 2 http docs fortinet com Feedback Figure 58 Viewing sniffer output in Wireshark For additional information on packet capture see the Fortinet Knowledge Center article Using t...

Page 169: ...omments documentation 10 common name CN field 29 communications COM port 29 connecting web based manager 28 control buttons 31 cooling 22 customer service 9 D default administrator account 29 30 certi...

Page 170: ...PS 14 29 humidity 22 HyperTerminal 30 I IMAP 13 14 15 19 inserting a board into a chassis 56 installing a board into a chassis 56 bezel 48 hard drive blank 46 hard drives 47 Internet service provider...

Page 171: ...s 91 score MSISDN reputation 131 Secure Shell SSH 28 secure SMTP 82 security certificate 29 self signed 29 server mode 14 15 17 19 71 95 139 email user 147 150 157 example 139 shielded twisted pair ST...

Page 172: ...il Secure Messaging Platform Version 4 0 Patch 1 Install Guide 172 Revision 2 http docs fortinet com Feedback W WAN 21 warnings security 29 web browser 28 warnings 29 web based manager 28 mode 19 webm...

Page 173: ...www fortinet com...

Page 174: ...www fortinet com...

Reviews:

No comments

Related manuals for FortiMail-100

VigorPro 5510 Series

Brand: Draytek Pages: 316

RG-WALL1600-S3600

Brand: Ruijie Networks Pages: 28

FortiBridge 1000

Brand: Fortinet Pages: 56

Brand: PaloAlto Networks Pages: 2

H3C SECPATH F1000-S

Brand: H3C Pages: 78

WALL IE 700-860-WAL01

Brand: Helmholz Pages: 39

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands