Gateway Mode Deployment

Case 2: Web Release Host Name/IP is configured

You could configure Web release host name/IP to use an alternative fully qualified domain name (FQDN) such as webrelease.example.info instead of the FortiMail unit's own FQDN, resulting in the following web release link, in which the host name webrelease.example.info is the web release FQDN:

https://webrelease.example.info/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

Then, in the DNS configuration to support this and the other DNS-dependent features, you would configure the following MX record, A records, and PTR record. Unlike “Case 1: Web Release Host Name/IP is empty/default” on page 52, in this case two A records are required; the difference is the second A record, webrelease. (The PTR record belongs in the reverse zone for 10.10.10.0/24, not in the forward zone.)

    example.net   IN MX  10 fortimail.example.net
    fortimail     IN A   10.10.10.1
    webrelease    IN A   10.10.10.1
    1             IN PTR fortimail.example.net.

where:

  • example.net is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail unit is the mail gateway
  • fortimail.example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI and to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit
  • webrelease is the web release host name; in the A record of the zone file for example.info, it resolves to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.10.1 is the public IP address of the FortiMail unit

Configuring a private DNS server

In addition to the public DNS server, consider providing a private DNS server on your local network to improve performance with features that use DNS queries.

Figure 7: Public and private DNS servers (gateway mode). The figure shows the private DNS server holding the record mail IN A 172.16.1.10 and the public DNS server holding the record fortimail IN A 10.10.10.1.

In some situations, a private DNS server is required rather than merely recommended: you must have one if you enable the Use MX record option. Gateway mode requires that the public DNS servers publish an MX record that routes mail for the protected domain to the FortiMail unit, whereas Use MX record makes the FortiMail unit look up the MX record of the protected domain to find the protected SMTP server it should deliver to. The same MX record cannot serve both purposes, so if you enable that option, the private DNS server that the FortiMail unit queries and the public DNS server must serve different records for the domain.

For example, if both a FortiMail unit (fortimail.example.com) operating in gateway mode and the SMTP server reside on your private network behind a router or firewall as illustrated in Figure 7 on page 53, and the Use MX Record option is enabled, Table 8 below illustrates the differences between the public and private DNS servers for the authoritative DNS records of example.com.

Table 8: Public versus private DNS records when “Use MX record” is enabled

    Private DNS server                          Public DNS server
    example.com IN MX 10 mail.example.com       example.com IN MX 10 fortimail.example.com
    mail        IN A  172.16.1.10               fortimail   IN A  10.10.10.1
                                                1           IN PTR fortimail.example.com

If you choose to add a private DNS server, to configure the FortiMail unit to use it, go to System > Network > DNS in the advanced mode of the web UI.
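The MX, A and PTR relationships described for Case 2 above, and the split between the private and public views in Table 8, can be checked mechanically before the records go live. The following is an added example, not FortiMail or Fortinet code: it parses zone records in the same owner/IN/TYPE/rdata shape used on this page, but with real zone-file semantics (a name without a trailing dot is relative to the zone origin), then verifies that the MX target resolves to the FortiMail address, that the PTR for that address is forward-confirmed, that the web release host in the spam-report link also resolves to the unit, and that the private and public views of example.com lead to the protected server and to the FortiMail unit respectively. The zone data, the release URL and the function names are constructed for this example.

```python
"""Added example, not FortiMail code: check that the DNS records a
gateway-mode FortiMail depends on agree with each other.

Zone text uses the 'owner IN TYPE rdata' shape the page uses, with real
zone-file semantics: a name without a trailing dot is relative to the zone
origin.  All names and addresses are constructed from this page's examples."""
import ipaddress
from urllib.parse import urlsplit

# Case 2 (constructed): MX in example.net, web release host in example.info,
# PTR in the reverse zone for 10.10.10.0/24.
CASE2_PUBLIC = {
    "example.net": """
        @          IN MX  10 fortimail.example.net.
        fortimail  IN A   10.10.10.1
    """,
    "example.info": """
        webrelease IN A   10.10.10.1
    """,
    "10.10.10.in-addr.arpa": """
        1          IN PTR fortimail.example.net.
    """,
}
# Constructed web release link; only the host part matters for this check.
RELEASE_URL = "https://webrelease.example.info/releasecontrol?release=token"

# Table 8 (constructed): same domain, different answers per view.
SPLIT_PUBLIC = {
    "example.com": """
        @          IN MX  10 fortimail.example.com.
        fortimail  IN A   10.10.10.1
    """,
    "10.10.10.in-addr.arpa": "1 IN PTR fortimail.example.com.",
}
SPLIT_PRIVATE = {
    "example.com": """
        @          IN MX  10 mail.example.com.
        mail       IN A   172.16.1.10
    """,
}


def _canon(name, origin):
    """Absolute lowercase name without trailing dot."""
    name, origin = name.lower(), origin.lower().rstrip(".")
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"


def parse_zones(view):
    """Flatten a {origin: zone text} view into {(name, type): [rdata, ...]}."""
    records = {}
    for origin, text in view.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) < 4 or parts[1].upper() != "IN":
                continue
            owner, _, rtype, *rdata = parts
            value = rdata[-1]                  # MX: drop the preference
            if rtype.upper() in ("MX", "PTR", "CNAME"):
                value = _canon(value, origin)  # relative names follow origin
            records.setdefault((_canon(owner, origin), rtype.upper()), []).append(value)
    return records


def check_gateway_dns(view, domain, fortimail_ip, release_url=None):
    """Problems in the MX -> A -> PTR chain; an empty list means consistent."""
    rr, issues = parse_zones(view), []
    mx = rr.get((domain, "MX"), [])
    if not mx:
        return [f"no MX record for {domain}"]
    for target in mx:
        if fortimail_ip not in rr.get((target, "A"), []):
            issues.append(f"MX target {target} has no A record for {fortimail_ip}")
    # Forward-confirmed reverse DNS: the PTR must name one of the MX targets,
    # otherwise remote MTAs doing reverse checks may reject the FortiMail unit.
    ptrs = rr.get((ipaddress.ip_address(fortimail_ip).reverse_pointer, "PTR"), [])
    if not ptrs:
        issues.append(f"no PTR record for {fortimail_ip}")
    elif not set(ptrs) & set(mx):
        issues.append(f"PTR {ptrs} does not match any MX target {mx}")
    if release_url:  # host in the spam-report links must also reach the unit
        host = urlsplit(release_url).hostname.lower()
        if fortimail_ip not in rr.get((host, "A"), []):
            issues.append(f"web release host {host} has no A record for {fortimail_ip}")
    return issues


def check_split_horizon(public, private, domain, fortimail_ip, mail_server_ip):
    """'Use MX record' needs the private view to lead to the protected server
    and the public view to lead to the FortiMail unit."""
    issues = []
    for label, view, want in (("public", public, fortimail_ip),
                              ("private", private, mail_server_ip)):
        rr = parse_zones(view)
        reached = [a for t in rr.get((domain, "MX"), []) for a in rr.get((t, "A"), [])]
        if want not in reached:
            issues.append(f"{label} view: MX for {domain} reaches {reached or 'nothing'}, expected {want}")
    return issues


def with_missing_dot(view):
    """Same Case 2 zone but with the MX target written without its trailing
    dot, the way this page's schematic records show it; a real zone file
    reads that as fortimail.example.net.example.net."""
    bad = dict(view)
    bad["example.net"] = view["example.net"].replace("fortimail.example.net.", "fortimail.example.net")
    return bad


if __name__ == "__main__":
    print(check_gateway_dns(CASE2_PUBLIC, "example.net", "10.10.10.1", RELEASE_URL))
    print(check_gateway_dns(with_missing_dot(CASE2_PUBLIC), "example.net", "10.10.10.1"))
    print(check_split_horizon(SPLIT_PUBLIC, SPLIT_PRIVATE, "example.com", "10.10.10.1", "172.16.1.10"))
```

Running it reports no issues for the consistent Case 2 zones and two issues for the variant whose MX target lacks the trailing dot: that variant is how the schematic records on this page would be interpreted if pasted into a real zone file as written, so add the dot (or use relative names throughout) when you transcribe them.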

Example 1: FortiMail unit behind a firewall

In this example, a FortiMail unit operating in gateway mode, a protected email server, a private DNS server, and email users’ computers are all positioned within a private network, behind a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the network protected by the firewall. The FortiMail unit protects accounts for email addresses ending in “@example.com”, which are hosted on the local email server.

Figure 8: FortiMail unit behind a NAT device. The figure shows the example.com records fortimail IN A 10.10.10.1 on the public DNS server and mail IN A 172.16.1.10 on the private DNS server.

The private DNS server is configured to locally replicate records from public DNS servers for most domains, with the exception of records for protected domains, which instead have been configured differently locally in order to support the Use MX record option.

The FortiMail unit is configured to query the private DNS server, and also includes an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:

    Sender Pattern          *@example.com
    Recipient Pattern       *
    Sender IP/Netmask       0.0.0.0/0
    Reverse DNS Pattern     *
    Authentication Status   authenticated
    TLS                     <none>
    Action                  RELAY

Because the rule requires Authentication Status to be authenticated, an unauthenticated connection that merely claims an @example.com sender address does not match it. Removing that condition would make the FortiMail unit relay for anyone able to forge the sender address, that is, an open relay.
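To make the effect of the Authentication Status condition concrete, the following is an added example, not FortiMail code: it evaluates access control rules of the shape shown above against a few constructed SMTP sessions, once with the rule as written and once with a constructed weak variant whose Authentication Status is any. First-match evaluation, the status values any and authenticated, and the default of accepting only mail bound for a protected domain when no rule matches are assumptions made for this example; the session data, addresses and function names are constructed.

```python
"""Added example, not FortiMail code: evaluate access control rules of the
shape shown on this page against constructed SMTP sessions, to show what
the authenticated RELAY rule lets through and what it blocks.  First-match
evaluation, the 'any'/'authenticated' status values and the default of
accepting only mail bound for a protected domain are assumptions here."""
import ipaddress
from fnmatch import fnmatchcase

PROTECTED_DOMAINS = {"example.com"}

# The rule from the page.
RELAY_IF_AUTHENTICATED = dict(sender="*@example.com", recipient="*",
                              ip="0.0.0.0/0", rdns="*",
                              auth="authenticated", tls=None, action="RELAY")
# Constructed weak variant: same rule with Authentication Status = any.
RELAY_ANYONE = dict(RELAY_IF_AUTHENTICATED, auth="any")


def _matches(rule, s):
    """Does one rule match the session facts?  Patterns are case-insensitive globs."""
    auth_ok = (rule["auth"] == "any"
               or (rule["auth"] == "authenticated") == s["authenticated"])
    return (fnmatchcase(s["sender"].lower(), rule["sender"].lower())
            and fnmatchcase(s["recipient"].lower(), rule["recipient"].lower())
            and ipaddress.ip_address(s["ip"]) in ipaddress.ip_network(rule["ip"])
            and fnmatchcase(s["rdns"].lower(), rule["rdns"].lower())
            and auth_ok
            and (rule["tls"] is None or s["tls"]))


def decide(session, rules):
    """Return (action, reason) for one SMTP session.  Without a matching rule,
    only mail addressed to a protected domain is accepted; relaying to any
    other domain is refused, which is what keeps the gateway from being an
    open relay."""
    for rule in rules:
        if _matches(rule, session):
            return rule["action"], f"rule sender={rule['sender']} auth={rule['auth']}"
    if session["recipient"].rsplit("@", 1)[-1].lower() in PROTECTED_DOMAINS:
        return "ACCEPT", "inbound mail for a protected domain"
    return "REJECT", "relay to an unprotected domain without a matching rule"


def session(sender, recipient, ip, authenticated, rdns="unknown", tls=False):
    """Envelope facts for one SMTP session (constructed)."""
    return dict(sender=sender, recipient=recipient, ip=ip, rdns=rdns,
                authenticated=authenticated, tls=tls)


# Constructed sessions: a roaming user who authenticated, an outsider forging
# an @example.com sender without authenticating, and ordinary inbound mail.
ROAMING_USER = session("alice@example.com", "bob@partner.example", "203.0.113.5", True)
SPOOFED_SENDER = session("alice@example.com", "victim@other.example", "198.51.100.7", False)
INBOUND = session("someone@other.example", "alice@example.com", "198.51.100.7", False)

if __name__ == "__main__":
    cases = [("roaming user", ROAMING_USER), ("spoofed, no auth", SPOOFED_SENDER),
             ("inbound", INBOUND)]
    for name, s in cases:
        print(f"{name:18} strict: {decide(s, [RELAY_IF_AUTHENTICATED])[0]:7}"
              f" weak: {decide(s, [RELAY_ANYONE])[0]}")
```

With the rule as written, the spoofed session is rejected and only the authenticated roaming user is relayed; with the weak variant, the spoofed session is relayed as well, because the sender pattern alone is satisfied by anything the client writes in MAIL FROM.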

To deploy the FortiMail unit behind a NAT device such as a firewall or router, you must complete the following:

  • Configuring the firewall
  • Configuring the MUAs
  • Testing the installation

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see “Running the Quick Start Wizard” on page 34 and “Configuring DNS records” on page 50.

Configuring the firewall

With the FortiMail unit behind a FortiGate unit, you must configure firewall policies to allow traffic between the internal network and the Internet.

To create the required policies, complete the following:

  • Configuring the firewall address
  • Configuring the service groups
  • Configuring the virtual IPs
  • Configuring the firewall policies

Configuring the firewall address

In order to create the outgoing firewall policy that governs the IP address of the FortiMail unit, you must first define the IP address of the FortiMail unit by creating a firewall address entry.

To add a firewall address for the FortiMail unit

  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following and then click OK.

    Name              Enter a name to identify the firewall address entry, such as FortiMail_address.
    Type              Select Subnet/IP Range.
    Subnet/IP Range   Enter 172.16.1.5.
    Interface         Select internal.

Configuring the service groups

In order to create firewall policies that govern only email and FortiMail-related traffic, you must first create groups of services that define protocols and port numbers used in that traffic.

Because FortiGuard-related services for FortiMail units are not predefined, you must define them before you can create a service group that contains those services.

To add a custom service for FortiGuard Antivirus push updates

  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following and then click OK:

    Name              Enter a name to identify the custom service entry, such as FortiMail_antivirus_push_updates.
    Protocol Type     Select TCP/UDP.
    Protocol          Select UDP.
    Destination Port  Low: enter 9443. High: enter 9443.

To add a custom service for FortiGuard Antispam rating queries

  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following and then click OK.

    Name              Enter a name to identify the custom service entry, such as FortiMail_antispam_rating_queries.
    Protocol Type     Select TCP/UDP.
    Protocol          Select UDP.
    Destination Port  Low: enter 8889. High: enter 8889.

To add a service group for incoming FortiMail traffic

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_incoming_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, and your custom service for FortiGuard Antivirus push updates, FortiMail_antivirus_push_updates, then select the right arrow to move them to the Members area.
  6. Select OK.

To add a service group for outgoing FortiMail traffic

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_outgoing_services.
  5. In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries, then select the right arrow to move them to the Members area.
  6. Select OK.

To add a service group for email user traffic

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as POP3_IMAP_services.
  5. In the Available Services area, select POP3 and IMAP, then select the right arrow to move them to the Members area.
  6. Select OK.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
