Transparent Mode Deployment

Example 1: FortiMail unit in front of an email server

In this example, a FortiMail unit operating in transparent mode is positioned in front of one email server.

This example assumes that the FortiMail unit is protecting a single email server. If your FortiMail unit is protecting multiple email servers and they are not on the same subnet, you must first remove some network interfaces from the bridge and configure static routes. For an example of configuring out-of-bridge network interfaces, see “Removing the network interfaces from the bridge” on page 95.

Figure 12: Transparent mode deployment to protect an email server

Email server: 172.16.1.10, serving the email domain @example.com.

Private DNS server records:
  example.com   IN MX 10 mail.example.com
  mail          IN A     172.16.1.10

Public DNS server records:
  example.com   IN MX 10 mail.example.com
  mail          IN A     10.10.10.1

The FortiMail unit also includes an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:

Sender Pattern          *@example.com
Recipient Pattern       *
Sender IP/Netmask       0.0.0.0/0
Reverse DNS Pattern     *
Authentication Status   authenticated
TLS                     < none >
Action                  RELAY
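The following Python is an added example, not part of the original guide and not FortiMail's own code. It models how an access control rule like the one above is evaluated against an SMTP session: rules are tried in order and the first match wins, the pattern columns are case-insensitive globs, the source address is matched against the IP/netmask, and the TLS column "< none >" is treated as no TLS requirement. The protected-domain list, the default action when no rule matches (relay only to recipients in a protected domain), and the sample sessions are assumptions constructed for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    sender: str        # glob on the envelope MAIL FROM address
    recipient: str     # glob on the envelope RCPT TO address
    source: str        # SMTP client IP/netmask
    reverse_dns: str   # glob on the client's reverse DNS name
    auth: str          # "any", "authenticated" or "not authenticated"
    action: str        # e.g. RELAY, REJECT, DISCARD


@dataclass(frozen=True)
class SmtpSession:
    client_ip: str
    reverse_dns: str
    mail_from: str
    rcpt_to: str
    authenticated: bool


# The rule from the deployment example above (TLS "< none >": no TLS requirement).
RULES = [
    AccessRule("*@example.com", "*", "0.0.0.0/0", "*", "authenticated", "RELAY"),
]

# Assumption for this example: example.com is the only protected domain.
PROTECTED_DOMAINS = {"example.com"}


def _glob(value, pattern):
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(rule, session):
    """Every column of the rule must match; a '*' pattern matches anything."""
    if not _glob(session.mail_from, rule.sender):
        return False
    if not _glob(session.rcpt_to, rule.recipient):
        return False
    client = ipaddress.ip_address(session.client_ip)
    if client not in ipaddress.ip_network(rule.source, strict=False):
        return False
    if not _glob(session.reverse_dns, rule.reverse_dns):
        return False
    if rule.auth == "authenticated" and not session.authenticated:
        return False
    if rule.auth == "not authenticated" and session.authenticated:
        return False
    return True


def decide(session, rules=RULES, protected=PROTECTED_DOMAINS):
    """First matching rule wins. Assumed default when nothing matches: relay only
    to recipients in a protected domain and reject relay anywhere else, so the
    unit never acts as an open relay."""
    for rule in rules:
        if rule_matches(rule, session):
            return rule.action
    rcpt_domain = session.rcpt_to.rsplit("@", 1)[-1].lower()
    return "RELAY" if rcpt_domain in protected else "REJECT"


# Constructed sessions (not captured traffic):
# 1) a remote user who authenticated and sends to an unprotected domain: the rule relays;
# 2) the same envelope sender but unauthenticated, e.g. a forged @example.com address
#    from the Internet: the rule does not match and relay to an outside domain is refused;
# 3) inbound mail from the Internet to the protected domain: delivered without authentication.
SESSIONS = {
    "authenticated_outbound": SmtpSession("203.0.113.7", "host.isp.invalid",
                                          "alice@example.com", "bob@example.org", True),
    "spoofed_unauthenticated": SmtpSession("203.0.113.7", "host.isp.invalid",
                                           "alice@example.com", "bob@example.org", False),
    "inbound_to_protected": SmtpSession("198.51.100.9", "mx.example.org",
                                        "bob@example.org", "alice@example.com", False),
}


def evaluate_all():
    return {name: decide(session) for name, session in SESSIONS.items()}


if __name__ == "__main__":
    for name, action in evaluate_all().items():
        print(f"{name:26s} -> {action}")
```

The Authentication Status column is what keeps this rule safe: a rule with the same sender pattern but Authentication Status set to any would relay for anyone on the Internet who can forge an example.com envelope sender, which is exactly the open-relay case the authenticated requirement closes.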

To deploy the FortiMail unit in front of an email server, you must complete the following:

  • Configuring the protected domains and session profiles
  • Configuring the proxies and implicit relay

Configuring the protected domains and session profiles

When configuring the protected domain and session profiles, you can select transparent mode options to hide the existence of the FortiMail unit.

To configure the transparent mode options of the protected domain

  1. Go to Mail Settings > Domains > Domains in the advanced mode of the web UI.
  2. Select the domain and then click Edit.
  3. Configure the following:

Transparent Mode Options

This server is on (transparent mode only)
  Select the network interface (port) to which the protected SMTP server is connected.
  Note: Selecting the wrong network interface will result in the FortiMail unit sending email traffic to the wrong network interface.

Hide the transparent box (transparent mode only)
  Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in:
    • the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
    • the IP addresses in the IP header
  This masks the existence of the FortiMail unit to the protected SMTP server.
  Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.
  Note: If the protected SMTP server applies rate limiting according to IP addresses, enabling this option can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail unit.
  Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, this option has precedence over the Hide this box from the mail server option in the session profile, and may prevent it from applying to incoming email messages.

Use this domain’s SMTP server to deliver the mail (transparent mode only)
  Enable to allow SMTP clients to send outgoing email directly through the protected SMTP server.
  Disable to proxy the connection using the incoming proxy instead of allowing a direct connection; the incoming proxy queues email messages that are not immediately deliverable.

  4. Select OK.

To configure the transparent mode options of the session profile

  1. Go to Policy > Policies > IP Policies in the advanced mode of the web UI.
  2. In the Session column for an IP-based policy, select the name of the session profile to edit the profile.

A dialog appears.

  3. Configure the following:

Connection Settings

Hide this box from the mail server (transparent mode only)
  Enable to preserve the IP address or domain name of the SMTP client in:
    • the SMTP greeting (HELO/EHLO) and in the Received: message headers of email messages
    • the IP addresses in the IP header
  This masks the existence of the FortiMail unit.
  Disable to replace the IP addresses or domain names with those of the FortiMail unit.
  Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain has precedence over this option, and may prevent it from applying to incoming email messages.

  4. Select OK.
  5. Repeat steps 2 to 4 for each IP-based policy.

Configuring the proxies and implicit relay

When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections on that network interface, the FortiMail unit can scan and process the connection. If not enabled, the FortiMail unit can either block or permit the connection to pass through unmodified.

Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.

You configure proxy/relay pick-up separately for incoming and outgoing connections.

In this deployment example, incoming connections arriving on port2 must be scanned before traveling to the main email server, and therefore are configured to be Proxy — that is, picked up by the implicit relay.

Outgoing connections arriving on port1 will contain email that has already been scanned once, during SMTP clients’ relay to the main email server. Scanning outgoing connections again using either the outgoing proxy or the implicit relay would waste resources. Therefore outgoing connections will be Pass through.

To configure SMTP proxy and implicit relay pick-up

  1. Go to System > Network in the advanced mode of the web UI.
  2. Edit the SMTP proxy settings on both port1 and port2:

Port 1
  Incoming connections    Drop
  Outgoing connections    Pass through
  Local connections       Allow

Port 2
  Incoming connections    Proxy
  Outgoing connections    Drop
  Local connections       Disallow

If Use client-specified SMTP server to send email is disabled under Mail Settings > Proxies, and an SMTP client is configured to authenticate, you must configure and apply an authentication profile. Without the profile, authentication with the built-in MTA will fail. Also, the mail server must be explicitly configured to allow relay in this case.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.



This entry was posted in Administration Guides, FortiMail.


2 thoughts on “Transparent Mode Deployment”

  1. Alexandru

    When configuring transparent mode, is it necessary to configure mail settings (SMTP port, SSL for SMTP, etc.)? From my understanding it is not necessary because FortiMail acts as a proxy. But if these are not configured, the connection is not intercepted (scanned).

    Reply
  2. Gerald Simila

    Kindly expound on active-passive HA deployment for two FortiMails in transparent mode in an ISP environment where we use PBRs on the connected routers. I am keen on the IPs to be used on the PBR and whether this can be done without using an ADC.

    Reply
