Best Practices and Fine Tuning

Network topology tuning

The FortiMail unit can be bypassed in a complex network environment if the network is not carefully planned and deployed.

To ensure maximum safety:

  • Configure routers and firewalls to send all SMTP traffic to or through the FortiMail unit for scanning.
  • If the FortiMail unit will operate in gateway mode, on public DNS servers, modify the MX records for each protected domain to contain only a single MX record entry that refers to the FortiMail unit. Spammers can easily determine the lowest priority mail server (highest preference number in MX record) and deliver spam to it, instead of the FortiMail unit, in an attempt to avoid spam defenses.
  • If the FortiMail unit will operate in transparent mode, deploy it directly in front of your protected email servers so that all email can be scanned.
  • If the FortiMail unit will operate in transparent mode, do not connect two ports to the same VLAN on a switch or to the same hub. Some Layer 2 switches become unstable when they detect the same media access control (MAC) address originating on more than one switch interface or from more than one VLAN.
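The MX-record advice above is easy to check mechanically. The following audit script is an added example, not part of the original guide or of any Fortinet tooling: it parses the kind of output `dig +short MX <domain>` prints and flags protected domains that have no MX record, more than one MX record, or a single MX record that does not point at the FortiMail unit. The gateway hostname and the per-domain DNS output are constructed placeholders so the script runs offline.

```python
"""Audit MX records for protected domains against a single-gateway policy.

Added example (not from the FortiMail guide). Sample data is constructed;
replace SAMPLE_MX_OUTPUT with real `dig +short MX <domain>` output to use it.
"""
import re
from typing import Dict, List, Tuple

# Hostname of the FortiMail gateway. Assumed placeholder value.
GATEWAY_FQDN = "fortimail.example.com"

# Constructed sample output of `dig +short MX <domain>`, one entry per domain.
SAMPLE_MX_OUTPUT: Dict[str, str] = {
    "good.example.com": "10 fortimail.example.com.\n",
    # A lower-priority backup MX lets a sender bypass the gateway entirely.
    "fallback.example.com": "10 fortimail.example.com.\n20 mail-backup.example.com.\n",
    # Single record, but it points at the mail server, not the gateway.
    "bypassed.example.com": "10 mail.example.com.\n",
    "nomx.example.com": "",
}

# "<preference> <exchange host>" with an optional trailing dot on the FQDN.
MX_LINE = re.compile(r"^\s*(\d+)\s+(\S+?)\.?\s*$")


def parse_mx(output: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs from dig +short MX style output."""
    records: List[Tuple[int, str]] = []
    for line in output.splitlines():
        match = MX_LINE.match(line)
        if match:
            records.append((int(match.group(1)), match.group(2).lower()))
    return records


def audit_domain(output: str, gateway: str = GATEWAY_FQDN) -> str:
    """Classify one domain's MX set; 'ok' means exactly one MX at the gateway."""
    records = parse_mx(output)
    if not records:
        return "no MX record"
    if len(records) > 1:
        hosts = ", ".join(f"{pref} {host}" for pref, host in sorted(records))
        # Lowest-priority host (highest preference number) can be reached
        # directly, skipping the gateway's scanning.
        return f"multiple MX records ({hosts})"
    _, host = records[0]
    if host != gateway.lower():
        return f"single MX points to {host}, not the gateway"
    return "ok"


def audit_all(samples: Dict[str, str], gateway: str = GATEWAY_FQDN) -> Dict[str, str]:
    """Audit every domain and return a domain -> finding map."""
    return {domain: audit_domain(out, gateway) for domain, out in samples.items()}


if __name__ == "__main__":
    for domain, finding in audit_all(SAMPLE_MX_OUTPUT).items():
        print(f"{domain:24} {finding}")
```

Anything other than `ok` is a domain where SMTP traffic can reach a mailbox server without passing through the gateway, which is exactly the bypass the list above warns about.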

System security tuning

  • Enable administrative access only to the network interfaces (located in System > Network > Interface) through which legitimate FortiMail administrators will connect.
  • Restrict administrative access to trusted hosts/networks (located in System > Administrator > Administrator) from which legitimate FortiMail administrators will connect.

Figure 312: Administrator security

  • Create additional system- and domain-level administrators with limited permissions for less-demanding management tasks.
  • Administrator passwords should be at least six characters long, use both numbers and letters, and be changed regularly. Administrator passwords can be changed by going to System > Administrator > Administrator and selecting the Edit icon for the login to be modified.
  • If your FortiMail unit has an LCD panel, restrict access to the control buttons and LCD by requiring a personal identification number (PIN, located in System > Configuration > Options).
  • Do not increase the administrator idle time-out (located in System > Configuration > Options) from the default of five minutes.
  • Verify that the system time and time zone (located in System > Configuration > Time) are correct. Many features, including FortiGuard updates, SSL connections, log timestamps and scheduled reports, rely on a correct system time.


One thought on “Best Practices and Fine Tuning”

  1. Esther

    Hello:

    Is it possible to make an alert to notify me when a sender exceeds some maximums? For example, when a sender exceeds 500 mails/hour?

    Thanks

    Reply
