Fortinet FortiMail-100 Скачать руководство пользователя страница 128 | Manualshive

Страница: 128 / 174

background image

Example 3: FortiMail unit for an ISP or carrier

Transparent mode deployment

FortiMail™ Secure Messaging Platform Version 4.0 Patch 1 Install Guide

128

Revision 2

http://docs.fortinet.com/

Exceptions to SMTP connections that can be proxied or relayed include SMTP
connections destined for the FortiMail unit itself. For those local connections, such as
email messages from email users requesting deletion or release of their quarantined
email, you must choose to either allow or block the connection.
Proxy/relay pick-up is configured separately for incoming and outgoing connections.

In this deployment example, incoming connections arriving on port2 must be scanned
before traveling to the main email server, and therefore are configured to be

are proxied

—

that is, picked up by the implicit relay.
Outgoing connections arriving on port1 will contain email that has already been scanned
once, during SMTP clients’ relay to the main email server. In addition, outgoing
connections by the main mail server will be encrypted using TLS. Encrypted connections
cannot be scanned. Therefore outgoing connections will be passed through, and neither
proxied nor implicitly relayed.

To configure SMTP proxy and implicit relay pick-up

1

Go to

Mail Settings > Proxies > SMTP

in the advanced mode of the web-based

manager.

2

Configure the following:

3

Select

Apply

.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing
instructions, see

“Testing the installation” on page 159

.

For information on configuring additional features, see the

FortiMail Administration Guide

.

Example 3: FortiMail unit for an ISP or carrier

In this example, a FortiMail unit operating in transparent mode is positioned as an offshoot
from the backbone or other primary traffic flow between the internal and external network.
A router uses policy-based routes to redirect only SMTP connections to the FortiMail unit,
which scans the traffic before allowing legitimate connections to return the overall flow.
The FortiMail unit does

not

receive non-SMTP traffic. (This would result in unnecessary

processing and resource usage.)

Note:

For information on determining directionality, see

“Incoming vs. outgoing

directionality” on page 15

Port 1

Incoming SMTP connections

are dropped

Outgoing SMTP connections

are passed through

Local SMTP connections

are allowed

Port 2

Incoming SMTP connections

are proxied

Outgoing SMTP connections

are dropped

Local SMTP connections

are not allowed

«
...
126
127
128
129
130
...
»

Содержание FortiMail-100

Страница 1: ...FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide...

Страница 2: ...SIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyze...

Страница 3: ...ent server connections in SMTP 14 MTA 15 MUA 15 Incoming vs outgoing directionality 15 The role of DNS in email delivery 16 MX record 17 A record 18 Reverse DNS record 18 FortiMail web based manager m...

Страница 4: ...Mounting the FortiMail unit 33 Removing the system from the rack 39 Installing the cable management arm 40 Installing the hard drives 45 Installing the bezel 48 Connecting the keyboard mouse and moni...

Страница 5: ...ecting to FortiGuard services 89 Configuring scheduled updates 91 Configuring push updates 92 Manually requesting updates 94 Gateway mode deployment 95 Configuring DNS records 95 Configuring DNS recor...

Страница 6: ...ridge 133 Configuring the session profiles 134 Configuring the IP based policies 136 Configuring the outgoing proxy 137 Testing the installation 138 Server mode deployment 139 Configuring DNS records...

Страница 7: ...http docs fortinet com Feedback Testing the installation 159 Troubleshooting tools 161 Ping and traceroute 161 Nslookup 162 Telnet connections to the SMTP port number 163 Log messages 164 Greylist and...

Страница 8: ...Contents FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 8 Revision 2 http docs fortinet com Feedback...

Страница 9: ...FortiMail provides bidirectional email routing virtualization and archiving capabilities with a lower total cost of ownership This document will assist you in physically connecting and performing req...

Страница 10: ...ite you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD and on the Fortinet Knowledge Center Fortinet Tools and Documentation CD Many Fortinet publications are ava...

Страница 11: ...he FortiMail CLI Reference This document is intended for administrators not end users If you are an email user please click the Help link in FortiMail webmail to see the webmail online help instead or...

Страница 12: ...hnical documentation Convention Example Button menu text box field or check box label From Minimum log level select Notification CLI input config system dns set primary address_ipv4 end CLI output FGT...

Страница 13: ...to the destination email server that hosts email for the recipient email user When an MTA connects to the destination email server it determines whether the recipient exists on the destination email s...

Страница 14: ...computer a copy of the email remains on the email server s hard disk The advantage of this is that it enables email users to view email from more than one computer This is especially useful in situat...

Страница 15: ...client is software such as Microsoft Outlook that enables users to send and receive email FortiMail units support SMTP connections for sending of email by a MUA FortiMail units operating in server mod...

Страница 16: ...connection when determining the directionality of an email message FortiMail units examine the domain to which the recipient belongs if the domain to which the recipient email address belongs is a pr...

Страница 17: ...or gateway may be a subdomain or another domain name entirely such as that of the MTA of an Internet service provider ISP For example the email gateways for the email domain example com could be mail1...

Страница 18: ...liver the email to that IP address You must configure the public DNS server for your host names with an A record to resolve the host names referenced in MX records and the host name of the FortiMail u...

Страница 19: ...sparent mode The FortiMail unit transparently proxies or relays email traffic to and from the email servers that it protects It does not locally store email unless queued or quarantined Server mode Th...

Страница 20: ...availability modes Key concepts FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 20 Revision 2 http docs fortinet com Feedback For more information on HA see the FortiMail Admini...

Страница 21: ...never possible rather than Unshielded Twisted Pair UTP Do not connect or disconnect cables during lightning activity to avoid damage to the FortiMail unit or personal injury Rack mount instructions El...

Страница 22: ...ortiMail unit FortiMail 100 and FortiMail 100C Adhere the rubber feet included in the package to the underside of the FortiMail unit near the corners of the unit if not already attached Place the Fort...

Страница 23: ...l unit to the rack 5 Once you verify the spacing of the FortiMail unit and that it is level tighten the screws with a screwdriver Figure 3 Mounting in a rack FortiMail 2000A and FortiMail 4000A To mou...

Страница 24: ...the innermost rail This rail will attach to the sides of the FortiMail unit Figure 4 FortiMail side rail To remove the side rail 1 Open the slide rails package and remove the rails 2 Extend the slide...

Страница 25: ...ckets for a proper fit Ensure that both housings are on the same level to ensure the FortiMail unit can easily glide into place and is level 2 Use the screws and additional L brackets if required to s...

Страница 26: ...O 2 Connect the power cord at the back of the FortiMail unit 3 Connect the power cable to a power outlet 4 Set the power switch on the back left of the FortiMail unit to the on position indicated by t...

Страница 27: ...om your overall network However isolation is not required Using the supplied Ethernet cable connect one end of the cable to port1 on the FortiMail unit connect the other end of the cable to the router...

Страница 28: ...mmand line interface similar to DOS or UNIX commands from a Secure Shell SSH or Telnet terminal using the front panel s LCD display and control buttons on some models that are equipped with LCD displa...

Страница 29: ...ificate which usually contains the host name of the web site does not exactly match the URL you requested This could indicate server identity theft but could also simply indicate that the certificate...

Страница 30: ...me for the connection and select OK 5 On Connect To from Connect using select the communications COM port where you connected the FortiMail unit 6 Select OK 7 Select the following Port settings and se...

Страница 31: ...fferent IP address or SSH key If your management computer is directly connected to the FortiMail unit with no network hosts between them this is normal 9 Click Yes to verify the fingerprint and accept...

Страница 32: ...manager to complete additional setup To continue see Connecting to the web based manager on page 28 Table 4 Control buttons on the front panel Button Description Enter Move into the currently selected...

Страница 33: ...he power cables Securing the power cord Mounting the FortiMail unit The FortiMail 2000B unit comes with a sliding rail kit Use the instructions below to install the rails To install the sliding rail k...

Страница 34: ...nstall Guide 34 Revision 2 http docs fortinet com Feedback Figure 1 Rail kit contents 2 In square hole racks do the following Position the left and right rail end pieces of the rail module labeled FRO...

Страница 35: ...age the back end of the rail until it fully seats on the vertical rack flange and the second tooth on the latch locks in place Repeat these steps to position and seat the front end piece on the vertic...

Страница 36: ...the first U and the top hole of the second U 8 Engage the back end of the rail until it fully seats on the vertical rack flange and the first tooth on the latch locks in place Repeat these steps to p...

Страница 37: ...e system and lower them into the J slots on the slide assembly 12 Seat the three screws on the other side lowering the system until all shoulder screws engage in the J slots 13 Push the system inward...

Страница 38: ...e latches engage automatically as the system is pushed into the rack and are released by pulling up on the latches 16 To secure the system for shipment in the rack or for other unstable environments l...

Страница 39: ...the cables Bundle the cables gently pulling them clear of the system connectors to the left and right sides 19 Thread the Velcro straps through the tooled slots on the outer or inner CMA brackets on...

Страница 40: ...a level surface 3 Installing the cable management arm The FortiMail 2000B unit comes with a cable management arm Use the instructions below to install the arm To install the cable management arm 1 Lo...

Страница 41: ...side of the tray with the receiver brackets on the inner edges of the rails and push forward until the tray clicks into place 4 1 2 3 Note To secure the CMA for shipment in the rack loop the tie wraps...

Страница 42: ...the receiver brackets 5 3 To install and remove the CMA do the following At the back of the system fit the latch on the front end of the CMA on the innermost bracket of the slide assembly until the la...

Страница 43: ...and removing the cable management arm Fit the other latch on the end of the outermost bracket until the latch engages 7 To remove the CMA disengage both latches by pressing the CMA release buttons at...

Страница 44: ...nce it is unseated from the tray swing the CMA away from the system 10 5 To cable the system using the CMA do the following Using the tie wraps provided bundle the cables together as they enter and ex...

Страница 45: ...he CMA Attach the other end of this cable to the corner of the outer CMA basket 16 Installing the hard drives The FortiMail 2000B unit has six 3 5 inch drive bays All chassis support hot swappable SAS...

Страница 46: ...be either all SAS or all SATA drives Removing a hard drive blank 1 Remove the front bezel See Installing the Bezel on page 18 2 Grasp the front of the hard drive blank press the release lever on the r...

Страница 47: ...ank in the vacated drive bay See Installing a hard drive blank on page 46 6 If applicable install the bezel See Installing the Bezel on page 18 Installing a hot swap hard drive 1 If present remove the...

Страница 48: ...with the connector end of the drive at the back See Figure 15 2 Align the screw holes on the hard drive with the back set of holes on the hard drive carrier When aligned correctly the back of the har...

Страница 49: ...Rotate the left end of the bezel away from the system to release the right end of the bezel 4 Pull the bezel away from the system See Figure 16 Figure 16 Removing the front bezel To install the front...

Страница 50: ...and monitor Connect the keyboard mouse and monitor optional The connectors on the back of your system have icons indicating which cable to plug into each connector Be sure to tighten the screws if any...

Страница 51: ...edback Securing the power cord Figure 19 Securing the power cord Bend the system power cable into a loop as shown in the illustration and secure the cable to the bracket using the provided strap Plug...

Страница 52: ...Securing the power cord FortiMail 2000B hardware installation FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 52 Revision 2 http docs fortinet com Feedback...

Страница 53: ...inserted into an Advanced Telecommunications Computing Architecture ACTA chassis such as the FortiGate 5140 FortiGate 5050 or FortiGate 5020 chassis Before inserting the board into a chassis you shou...

Страница 54: ...ot contain an operating shelf manager you must change the SW11 switch setting as shown in Figure 21 Figure 21 FortiGate 5020 setting for SW11 standalone mode In all cases you should confirm that you h...

Страница 55: ...W11 to the correct setting 5 Insert the FortiMail board into a chassis and verify that the board starts up and operates correctly For inserting instructions see Inserting a FortiMail board on page 56...

Страница 56: ...closed the microswitch is on and if the board is fully inserted into a chassis slot the board can receive power You can use the right handle to cycle the power and reset the board without removing th...

Страница 57: ...D wrist strap to your wrist and to an available ESD socket or wrist strap terminal 2 If required remove the protective metal frame that the FortiMail board has been shipped in 3 Insert the FortiMail b...

Страница 58: ...slot and into full contact with the chassis backplane The FortiMail front panel should be in contact with the chassis front panel Both handles lock into place As the handles close power is supplied t...

Страница 59: ...from a chassis slot To complete this procedure you need An ATCA chassis with a FortiMail board installed An electrostatic discharge ESD preventive wrist strap with connection cord 1 Attach the ESD wr...

Страница 60: ...switch turns off all LEDs and ejects the board from the chassis slot 6 Pull the board about half way out 7 Turn both handles to their fully closed positions When the FortiMail handles are fully closed...

Страница 61: ...oblem power down and then restart the chassis If you are operating a FortiGate 5000 series chassis you can power down and then restart the chassis without removing FortiGate 5000 series components All...

Страница 62: ...Troubleshooting FortiMail 5001A hardware installation FortiMail Secure Messaging PlatformVersion 4 0 Patch 1Install Guide 62 Revision 2 http docs fortinet com Feedback...

Страница 63: ...t You can test a new firmware image by temporarily running it from memory without saving it to disk By keeping your existing firmware on disk if the evaluation fails you do not have to re install your...

Страница 64: ...cal Address 192 168 1 188 11 Type a temporary IP address that can be used by the FortiMail unit to connect to the TFTP server The following message appears Enter File Name image out 12 Type the firmwa...

Страница 65: ...Firmware Version row select Update 6 Select Browse to locate and select the firmware file that you want to install then select OK 7 Select OK Your management computer uploads the firmware image to th...

Страница 66: ...and the IP address of the TFTP server is 192 168 1 168 enter execute restore image out 192 168 1 168 One of the following message appears This operation will replace the current firmware version Do y...

Страница 67: ...command execute ping 192 168 1 168 where 192 168 1 168 is the IP address of the TFTP server 8 Enter the following command to restart the FortiMail unit execute reboot 9 As the FortiMail units starts a...

Страница 68: ...Mail units starts a series of system startup messages are displayed Press any key to display configuration menu Immediately press a key to interrupt the system startup If you successfully interrupt th...

Страница 69: ...er the following command to restart the FortiMail unit execute reboot 7 As the FortiMail units starts a series of system startup messages are displayed Press any key to display configuration menu 8 Im...

Страница 70: ...following Save as Default firmware Backup firmware Run image without saving D B R 13 Type D The FortiMail unit downloads the firmware image file from the TFTP server The FortiMail unit installs the f...

Страница 71: ...e Quick Start Wizard This section describes each operation mode assisting you in choosing the operation mode that best suits your requirements This section contains the following topics Characteristic...

Страница 72: ...provider ISP could deploy a FortiMail unit to protect their customers email servers For security reasons customers do not want their email servers to be directly visible to external MTAs Therefore the...

Страница 73: ...be physically placed where it can intercept the connection Figure 25 Example transparent mode topology For example a school might want to install a FortiMail unit to protect its mail server but does n...

Страница 74: ...ience of managing both their email server and email security on one network device Therefore the company deploys the FortiMail unit in server mode For sample deployment scenarios see the chapter Serve...

Страница 75: ...com Feedback 4 Select OK A confirmation dialog appears warning you that many settings will revert to their default value for the version of your FortiMail unit s firmware 5 Select OK The FortiMail un...

Страница 76: ...Configuring the operation mode Choosing the operation mode FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 76 Revision 2 http docs fortinet com Feedback...

Страница 77: ...n the Quick Start Wizard Step 1 Changing the admin password Step 2 Configuring the network settings and system time Step 3 Configuring local host settings Step 4 Adding protected domains Step 5 Config...

Страница 78: ...ure 27 Quick Start Wizard Step 1 Step 2 Configuring the network settings and system time Step 2 of the Quick Start Wizard configures basic system time and network settings Available settings vary by w...

Страница 79: ...FortiMail administrators will use to access the web based manager and CLI through port1 and other bridging network interfaces and which the FortiMail unit will use when connecting to the Fortinet Dist...

Страница 80: ...To proceed to Step 4 Adding protected domains select Next Secondary DNS Enter the IP address of the secondary server to which the FortiMail unit will make DNS queries Default Gateway IP Address Enter...

Страница 81: ...rtiMail unit will add the host name to the subject line of alert email messages Local Domain Name Enter the local domain name to which the FortiMail unit belongs The FortiMail unit s fully qualified d...

Страница 82: ...gure a protected domain of example com whose SMTP server is 10 10 10 10 You usually must configure at least one protected domain FortiMail units can be configured to protect one or more email domains...

Страница 83: ...of the protected domain For example if you want to protect email addresses such as user1 example com you would enter the protected domain name example com Use MX Record transparent mode and gateway mo...

Страница 84: ...hat is located on a physically separate server from your internal mail server this could be your internal mail relay instead of your internal mail server Consider your network topology directionality...

Страница 85: ...l unit as an open relay senders can deliver email incoming to protected domains but cannot deliver email outgoing to unprotected domains For details see the FortiMail Administration Guide Usually you...

Страница 86: ...presents any single character For example the sender pattern com will match messages sent by any email user with a two letter email user name from any com domain name Regular expression Mark this chec...

Страница 87: ...reverse DNS pattern for a match If the reverse DNS query fails the access control rule match will also fail If no other access control rule matches the connection will be rejected with SMTP reply cod...

Страница 88: ...bility HA mode configure the HA settings before physically connecting the FortiMail units to your network For instructions on configuring HA see the FortiMail Administration Guide 2 If you have subscr...

Страница 89: ...ivity To verify scheduled update connectivity Before performing this procedure if your FortiMail unit connects to the Internet using a proxy use the CLI command set system autoupdate tunneling to enab...

Страница 90: ...ion updates from the FDN or override server using one or more of the following methods scheduled updates see Configuring scheduled updates on page 91 push updates see Configuring push updates on page...

Страница 91: ...owing CLI command execute traceroute address_ipv4 where address_ipv4 is the IP address of the DNS server or FDN server When query connectivity is successful antispam profiles can use the FortiGuard An...

Страница 92: ...eb based manager 2 Enable Scheduled Update 3 Select from one of the following 4 Select Apply The FortiMail unit starts the next scheduled update according to the configured update schedule If you have...

Страница 93: ...r router performing NAT enable Use override push IP and enter the external IP address and port number of the NAT device You must also configure the NAT device with port forwarding or a virtual IP to f...

Страница 94: ...available updates for its FortiGuard Antivirus and FortiGuard Antispam packages You can manually initiate updates as an alternative or in addition to other update methods For details see Configuring...

Страница 95: ...ected domains Regardless of your private network topology in order for external MTAs to deliver email through the FortiMail unit you must configure the public MX record for each protected domain to in...

Страница 96: ...ail users access to their per recipient quarantines FortiMail administrators access to the web based manager by domain name alert email report generation notification email For this reason you should...

Страница 97: ...AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0Y jUyM2NTkjRSxVMzoyLA 3D 3D 3Abf3db63dab53a291ab53a291ab53a291 Then in the DNS configuration to support this and the other DNS dependent features you...

Страница 98: ...figure the FortiMail unit to use it go to System Network DNS in the advanced mode of the web based manager Example 1 FortiMail unit behind a firewall In this example a FortiMail unit operating in gate...

Страница 99: ...sting the installation Configuring the firewall With the FortiMail unit behind a FortiGate unit you must configure firewall policies to allow traffic between the internal network and the Internet To c...

Страница 100: ...e protocols and port numbers used in that traffic Because FortiGuard related services for FortiMail units are not predefined you must define them before you can create a service group that contains th...

Страница 101: ...lect OK To add a service group for outgoing FortiMail traffic 1 Go to Firewall Service Group 2 Select Create New 3 In Group Name enter a name to identify the service group entry such as FortiMail_outg...

Страница 102: ...ual IP Virtual IP 2 Select Create New 3 Complete the following 4 Select OK To add a virtual IP for the protected email server 1 Go to Firewall Virtual IP Virtual IP 2 Select Create New 3 Complete the...

Страница 103: ...y 2 Select Create New 3 Complete the following 4 Select NAT 5 Select OK To add the FortiMail to Internet policy 1 Go to Firewall Policy Policy 2 Select Create New 3 Complete the following 4 Select NAT...

Страница 104: ...il destined for other email users in the protected domain may be accepted but email outgoing to unprotected domains will be denied by the access control rule Testing the installation Basic configurati...

Страница 105: ...ween the internal network and the FortiMail unit between the internal network and protected email server between the protected email server and the FortiMail unit between the protected email server an...

Страница 106: ...for the protected email server 1 Go to Firewall Address Address 2 Select Create New 3 Complete the following 4 Select OK To add a firewall address for the FortiMail unit 1 Go to Firewall Address Addre...

Страница 107: ...ervice Group 2 Select Create New 3 In Group Name enter a name to identify the service group entry such as PO3_IMAP_services 4 In the Available Services area select POP3 and IMAP then select the right...

Страница 108: ...vices that are received at the internal virtual IP address then apply a static NAT when forwarding the traffic to the private network IP address of the protected email server Allow PO3_IMAP_services t...

Страница 109: ...t NAT 5 Select OK To add the local users to email server policy 1 Go to Firewall Policy Policy 2 Select Create New 3 Complete the following Service Select SMTP Action Select ACCEPT Source Interface zo...

Страница 110: ...user name and password for outgoing mail The user name is the email user s entire email address including the domain name portion such as user1 example com If you do not configure the email clients to...

Страница 111: ...cts accounts for email addresses ending in example com which are hosted on the local email server Figure 44 FortiMail unit in DMZ The FortiMail unit has also been configured with an access control rul...

Страница 112: ...nd the IP address of the FortiMail unit you must first define the IP addresses of those hosts by creating firewall address entries To add a firewall address for local email users 1 Go to Firewall Addr...

Страница 113: ...e following 4 Select OK To add a custom service for FortiGuard Antispam rating queries 1 Go to Firewall Service Custom 2 Select Create New 3 Configure the following 4 Select OK To add a service group...

Страница 114: ...2 Select Create New 3 In Group Name enter a name to identify the service group entry such as SMTP_quar_services 4 In the Available Services area select HTTP HTTPS and SMTP then select the right arrow...

Страница 115: ...Note To add virtual IPs the FortiGate unit must be operating in NAT mode For more information see the FortiGate Administration Guide Name Enter a name to identify the virtual IP entry such as FortiMai...

Страница 116: ...s from the FortiMail unit to the Internet Allow SMTP traffic that is received at the DMZ virtual IP address then apply a static NAT when forwarding the traffic to the private network IP address of the...

Страница 117: ...il to email server policy 1 Go to Firewall Policy Policy 2 Select Create New 3 Complete the following Source Interface zone Select wan1 Source Address Name Select all Destination Interface zone Select...

Страница 118: ...cted email server can be scanned but email outgoing from your email users cannot Also configure email clients to authenticate with the email user s user name and password for outgoing mail The user na...

Страница 119: ...igure public DNS records for the FortiMail unit itself For performance reasons and to support some configuration options you may also want to provide a private DNS server for use exclusively by the Fo...

Страница 120: ...et is the local domain name to which the FortiMail unit belongs in the MX record it is the local domain for which the FortiMail is the mail gateway fortimail example net is the FQDN of the FortiMail u...

Страница 121: ...Public and private DNS servers transparent mode In some situations a private DNS server may be required If you configure the FortiMail unit to use a private DNS server and both the FortiMail unit and...

Страница 122: ...DNS server Public DNS server example com IN MX 10 mail example com example com IN MX 10 mail example com mail IN A 172 16 1 10 mail IN A 10 10 10 1 10 IN PTR fortimail example com 1 IN PTR fortimail e...

Страница 123: ...ted Note Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface Hide the transparent box transparent mode only Enable to preserve the I...

Страница 124: ...port2 must be scanned before traveling to the main email server and therefore are configured to be are proxied that is picked up by the implicit relay Outgoing connections arriving on port1 will conta...

Страница 125: ...location are required to deliver through the main email server which encrypts outgoing SMTP connections The firewall will only allow SMTP traffic from the main email server Figure 47 Transparent mode...

Страница 126: ...ns to hide the existence of the FortiMail unit For information on additional protected domain and session profile options see the FortiMail Administration Guide To configure the transparent mode optio...

Страница 127: ...with that of the FortiMail unit Note If the protected SMTP server applies rate limiting according to IP addresses enabling this option can improve performance The rate limit will then be separate for...

Страница 128: ...proxied nor implicitly relayed To configure SMTP proxy and implicit relay pick up 1 Go to Mail Settings Proxies SMTP in the advanced mode of the web based manager 2 Configure the following 3 Select Ap...

Страница 129: ...2 and port3 is removed from the Layer 2 bridge and is configured with its own IP address This reduces the possibility of Ethernet loops and improves compatibility with other filtering devices Because...

Страница 130: ...t the FortiMail unit from being able to scan the connection The outgoing proxy is enabled Unlike other transparent mode deployments because no protected domains are defined all connections will be con...

Страница 131: ...IP based policies Configuring the outgoing proxy Testing the installation Configuring the connection with the RADIUS server FortiMail units can use your RADIUS accounting records to combat spam and v...

Страница 132: ...video between mobile phones There are eight interfaces defined for the MMS standard referred to as MM1 through MM8 MM3 uses SMTP to transmit text messages to and from mobile phones Because it can be u...

Страница 133: ...log msisdn radius host order network order where host order network order indicates your choice Most RADIUS servers use network order Removing the network interfaces from the bridge In transparent mo...

Страница 134: ...open relays No protected domains are configured and so transparency will be configured through the session profiles alone This will hide the existence of the FortiMail unit to all SMTP clients Becaus...

Страница 135: ...ent of the previous hour whichever value is greater Restrict number of emails per hour to n Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMT...

Страница 136: ...Reject Reject email and MMS messages from MSISDNs subscriber IDs whose endpoint reputation scores exceed Auto blacklist score trigger value Monitor Log but do not reject email and MMS messages from M...

Страница 137: ...ated in order until a policy is found that matches the connection Because the default IP based policy 0 0 0 0 0 0 0 0 0 0 matches all connections and because it is first in the list in order for conne...

Страница 138: ...TP server to send email Because port1 is used exclusively for administration the outgoing proxy must be configure to pick up outgoing connections only on port2 and port3 To configure outgoing proxy pi...

Страница 139: ...of your private network topology in order for external MTAs to deliver email to the FortiMail unit you must configure the public MX record for each protected domain to indicate that the FortiMail unit...

Страница 140: ...ail users access to their per recipient quarantines FortiMail administrators access to the web based manager by domain name alert email report generation notification email For this reason you should...

Страница 141: ...MTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0Y jUyM2NTkjRSxVMzoyLA 3D 3D 3Abf3db63dab53a291ab53a291ab53a291 Then in the DNS configuration to support this and the other DNS dependent features you...

Страница 142: ...all Remote email users computers and external email servers are located on the Internet outside of the network protected by the firewall The FortiMail unit hosts and protects accounts for email addres...

Страница 143: ...firewall address Configuring the service groups Configuring the virtual IPs Configuring the firewall policies Configuring the firewall address In order to create the outgoing firewall policy that gov...

Страница 144: ...e following 4 Select OK To add a custom service for FortiGuard Antispam rating queries 1 Go to Firewall Service Custom 2 Select Create New 3 Configure the following 4 Select OK Name Enter a name to id...

Страница 145: ...tgoing_services 4 In the Available Services area select DNS NTP HTTPS SMTP and your custom service for FortiGuard Antispam rating queries FortiMail_antispam_rating_queries then select the right arrow...

Страница 146: ...ortiMail to Internet policy 1 Go to Firewall Policy Policy 2 Select Create New 3 Complete the following 4 Select NAT 5 Select OK Configuring the email user accounts Create email user accounts for each...

Страница 147: ...t 10 10 10 1 or fortimail example com If you do not configure the email clients to send email through the FortiMail unit incoming email can be scanned but outgoing email cannot Also configure email cl...

Страница 148: ...which is between the FortiMail unit and local email users you must configure a policy to allow from local email users to the FortiMail unit To create the required policies complete the following Confi...

Страница 149: ...licy that governs only FortiMail related traffic you must first a create service group that contains services that define protocols and port numbers used in that traffic To add a service group for ema...

Страница 150: ...t one email user account for each protected domain in order to verify connectivity for the domain To add an email user 1 Go to Settings User User If this menu path is not available first select Basic...

Страница 151: ...email users in the protected domain may be accepted but email outgoing to unprotected domains will be denied by the access control rule Testing the installation Basic configuration is now complete and...

Страница 152: ...he following Configuring the firewall addresses Configuring the service groups Configuring the virtual IPs Configuring the firewall policies Configuring the firewall addresses In order to create the f...

Страница 153: ...service group that contains those services To add a custom service for FortiGuard Antivirus push updates 1 Go to Firewall Service Custom 2 Select Create New 3 Configure the following 4 Select OK Name...

Страница 154: ...ice group for outgoing FortiMail traffic 1 Go to Firewall Service Group 2 Select Create New 3 In Group Name enter a name to identify the service group entry such as FortiMail_outgoing_services 4 In th...

Страница 155: ...elect Create New 3 Complete the following 4 Select OK Configuring the firewall policies First create a firewall policy that allows incoming email and other FortiMail services that are received at the...

Страница 156: ...lect Create New 3 Complete the following Source Interface zone Select wan1 Source Address Name Select all Destination Interface zone Select dmz Destination Address Name Select FortiMail_VIP_wan1 Sched...

Страница 157: ...emote email users to use the FortiMail unit as their outgoing mail server SMTP MTA For local email users this is the virtual IP address on the internal network interface of the FortiGate unit that map...

Страница 158: ...Example 3 FortiMail unit in DMZ Server mode deployment FortiMail Secure Messaging Platform Version 4 0 Patch 1 Install Guide 158 Revision 2 http docs fortinet com Feedback...

Страница 159: ...ient quarantines If the FortiMail unit is operating in server mode you may also wish to test access to FortiMail webmail POP3 and or IMAP Figure 53 Connection test paths gateway mode Figure 54 Connect...

Страница 160: ...office SMTP servers using an SMTP client on the remote network whose MTA is the FortiMail unit or protected email server send an email from an internal sender to an external recipient If you cannot c...

Страница 161: ...iMail unit using CLI commands For example you might use ICMP ping to determine that 172 16 1 10 is reachable commands that you would type are highlighted in bold responses from the FortiMail unit are...

Страница 162: ...ails or resolves incorrectly you may want to manually query your DNS server to verify that the records are correctly configured You can do this from the FortiMail unit using CLI commands For example y...

Страница 163: ...test SMTP connectivity with mail example com on the standard SMTP port number 25 commands that you would type are highlighted in bold responses from the FortiMail unit are not bolded FortiMail 400 ex...

Страница 164: ...n the default SMTP port number 25 mail example com is the fully qualified domain name FQDN of a protected email server from which you are connecting whose domain name resolves to the IP address 172 16...

Страница 165: ...l despite being able to initiate SMTP connections to or through the FortiMail unit and is receiving SMTP error codes that indicate temporary failure or permanent rejection verify that the SMTP client...

Страница 166: ...776c 2d2f 5a5f 545e 4555 5b5f 425b 545fwl Z_T EU _B T_ 0x0040 4559 6b6a 776b 646e 776c 6b6a 772b 646eEYkjwkdnwlkjw dn 0x0050 776c 6b6a 776b 646e 776c 6b6a 776b 86a9wlkjwkdnwlkjwk 0x0060 db73 21e1 5622...

Страница 167: ...he following fgt2eth pl in fortimail_sniff txt out fortimail_sniff pcap where fgt2eth pl is the name of the conversion script include the path relative to the current directory which is indicated by t...

Страница 168: ...nstall Guide 168 Revision 2 http docs fortinet com Feedback Figure 58 Viewing sniffer output in Wireshark For additional information on packet capture see the Fortinet Knowledge Center article Using t...

Страница 169: ...omments documentation 10 common name CN field 29 communications COM port 29 connecting web based manager 28 control buttons 31 cooling 22 customer service 9 D default administrator account 29 30 certi...

Страница 170: ...PS 14 29 humidity 22 HyperTerminal 30 I IMAP 13 14 15 19 inserting a board into a chassis 56 installing a board into a chassis 56 bezel 48 hard drive blank 46 hard drives 47 Internet service provider...

Страница 171: ...s 91 score MSISDN reputation 131 Secure Shell SSH 28 secure SMTP 82 security certificate 29 self signed 29 server mode 14 15 17 19 71 95 139 email user 147 150 157 example 139 shielded twisted pair ST...

Страница 172: ...il Secure Messaging Platform Version 4 0 Patch 1 Install Guide 172 Revision 2 http docs fortinet com Feedback W WAN 21 warnings security 29 web browser 28 warnings 29 web based manager 28 mode 19 webm...

Страница 173: ...www fortinet com...

Страница 174: ...www fortinet com...

Отзывы:

Нет отзывов

Похожие инструкции для FortiMail-100

TECHDOCS ION 9000

Бренд: PaloAlto Networks Страницы: 32

Бренд: Watchguard Страницы: 19

Бренд: tufin Страницы: 22

Operator Box 3000 series

Бренд: Kerio Tech Страницы: 8

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды