Configuring System Settings

Configuring DNS

FortiMail units require DNS servers for features such as reverse DNS lookups, FortiGuard connectivity, and other aspects of email processing. Your ISP may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.

If the FortiMail unit is operating in gateway mode, you must configure the MX record of the DNS server for each protected domain to direct all email to this FortiMail unit instead of the protected SMTP servers. Failure to update the records of your DNS server may enable email to circumvent the FortiMail unit.
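The MX requirement above can be checked per protected domain. The following is an added example, not part of the original guide or of Fortinet's tooling: it audits MX answers (in the form printed by dig +short MX) and reports any record that would let mail reach a server other than the FortiMail unit. The host names, the GATEWAY_HOSTS value, and the sample answers are constructed assumptions.

```python
# Added example: audit MX answers for protected domains (gateway mode).
# All host names and MX answers below are constructed sample data.

GATEWAY_HOSTS = {"fortimail.example.com"}  # assumed FQDN(s) of the FortiMail unit

# Constructed `dig +short MX <domain>` output, one string per protected domain.
SAMPLE_ANSWERS = {
    "example.com": "10 fortimail.example.com.\n",
    "example.org": "10 fortimail.example.com.\n20 mail.example.org.\n",
    "example.net": "",
}


def parse_mx(answer):
    """Parse 'preference host.' lines into a sorted list of (pref, host)."""
    records = []
    for line in answer.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def audit_mx(answers, gateway_hosts):
    """Return {domain: [finding, ...]}; an empty list means every MX is the gateway."""
    gateways = {h.rstrip(".").lower() for h in gateway_hosts}
    report = {}
    for domain, answer in answers.items():
        findings = []
        records = parse_mx(answer)
        if not records:
            # With no MX record, senders fall back to the domain's address record (RFC 5321).
            findings.append("no MX record: senders fall back to the A/AAAA record")
        for pref, host in records:
            if host not in gateways:
                findings.append(f"MX {pref} {host} delivers around the FortiMail unit")
        report[domain] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit_mx(SAMPLE_ANSWERS, GATEWAY_HOSTS).items():
        print(domain, "OK" if not findings else "; ".join(findings))
```

A lower-priority MX that still names the protected SMTP server is reported as well, because senders use it whenever the primary is unreachable.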

Go to System > Network > DNS to configure the DNS servers that the FortiMail unit queries to resolve domain names into IP addresses.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • Access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

Configuring dynamic DNS

The System > Network > DDNS tab lets you configure the FortiMail unit to use a dynamic DNS (DDNS) service.

If the FortiMail unit has a static domain name but a dynamic public IP address, you can use DDNS to update DNS servers on the Internet when the public IP address for its fully qualified domain name (FQDN) changes. (For information on setting a dynamic public IP address, see the DHCP option.)

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • Access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view and configure dynamic DNS accounts

  1. Go to System > Network > DDNS.

Figure 109: DDNS tab

GUI item          Description
Server            Displays the name of your DDNS service provider.
User Name         Displays your user name for the DDNS service provider.
Host/Domain Name  A public host name or fully qualified domain name (FQDN) that should resolve to the public IP address of the FortiMail unit.
                  Its public DNS records are updated by the DDNS service provider when the FortiMail unit sends its current public IP address. As such, it might not be the same as the host name and local domain name that you configured in “Host name” on page 368 and “Local domain name” on page 368, which could be valid only for your internal network.
Update Time       Displays the interval in hours that the FortiMail unit waits between contacts to the DDNS service provider.

  2. If you have not yet configured the dynamic DNS account that the FortiMail unit will use when it connects to the DDNS service provider, click New.

A dialog appears.

Figure 110: Create New DDNS Profile dialog

GUI item          Description
Server            Select a DDNS service provider to which the FortiMail unit will send DDNS updates.
User name         Enter the user name of your account with the DDNS service provider. The FortiMail unit will provide this to authenticate itself with the service when sending updates.
Password          Enter the password for the DDNS user name.
Update time       Enter the interval in hours between each time that the FortiMail unit will query the DDNS service provider’s IP detection page if “IP mode” on page 263 is Auto detect.

Caution: Do not exceed the recommended frequency published by your DDNS service provider. Some DDNS service providers consider excessive connections to be abusive, and may ignore further queries from the FortiMail unit.

  3. Click Create.
  4. The tab returns to the list of dynamic DNS accounts, which should now include your new account.
  5. Double-click the row corresponding to the new DDNS account.

The Host/Domain Name Setting area is now visible.

Figure 111: Editing a dynamic DNS account

  6. In the Host/Domain Name Setting area, click Create New, or, to modify an existing host/domain name, select its row and click Edit.

A dialog appears.

Figure 112: Create New DDNS Domain dialog

  7. Configure the following:

GUI item          Description
Server            Displays the dynamic DNS service provider of this account.
Status            Enable to update the DDNS service provider when the FortiMail unit’s public IP address changes.
                  Disable to notify the DDNS service provider that this FQDN should use its offline redirect, if you configured any. If the FortiMail unit’s public IP address changes, it will not notify the DDNS service provider.
Host name         Enter the fully qualified domain name (FQDN) whose records the DDNS provider should update.
IP mode           Select which of the following ways the FortiMail unit should use to determine its current publicly routable IP address.

                  • Auto detect: Periodically query the DDNS service provider’s IP address detection web page to see if the FortiMail unit’s public IP address has changed. The IP detection web page returns the apparent source IP address of the query. If this IP address has changed, the FortiMail unit then sends an update request to the DDNS service provider, causing it to update DNS records for the FQDN in “Host name” on page 263. This option is the most common choice. To configure the interval of DDNS IP detection queries, see “Update time” on page 261.

                  Note: If this query occurs through a NAT device such as a router or firewall, its apparent source IP address will not be the private network IP address of any of the FortiMail unit’s network interfaces. Instead, it will be the IP address of the NAT device’s externally facing network interface. For example, a public virtual IP (VIP) on a FortiGate unit in NAT mode might be used to route email from the Internet to a FortiMail unit. DDNS updates are also routed out from the VIP to the DDNS service provider on the Internet. From the DDNS service provider’s perspective, the DDNS update connection appears to come from the VIP, and therefore it updates the DNS records with the IP address of the VIP. The DDNS service provider does not know the private network address of the FortiMail unit.

                  • Bind interface: Use the current IP address of one of the FortiMail unit’s network interfaces. Choose this option only if the network interface has an IP address that is routable from the Internet — that is, it is not an RFC 1918 private network address.

                  • Static IP: Use an IP address that you configure. You must manually update the accompanying field if the FortiMail unit’s public IP address changes.

Type              Select one of the following:

                  • dynamic (this is the default)
                  • static
                  • custom

To verify your DDNS configuration and connectivity, do not query DNS servers: depending on DNS caching, record propagation, and other effects, DNS queries may not be able to determine whether the update actually reached your DDNS service provider.

Instead, log in to your DDNS service provider account and verify whether its host records have been updated. You can also view the FortiMail event log. Log messages such as this indicate DDNS update failure:

DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251752285\n
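
The failure message above can be picked out of an exported event log automatically. This is an added example, not code from the original guide or from FortiMail: it parses messages of the form shown and lists domains whose updates keep failing. It assumes the "next try at" value is a Unix timestamp in seconds; the second failure line and the unrelated line in the sample are constructed.

```python
import re
from datetime import datetime, timezone

# Message text as shown on the page; the trailing literal "\n" is not required to match.
DDNS_FAIL = re.compile(
    r"DDNS daemon failed on update (?P<server>[^\s,]+), "
    r"domain (?P<domain>[^\s,]+), next try at (?P<epoch>\d+)"
)

# Constructed sample: the page's message plus made-up neighbours.
SAMPLE_LOG = [
    r"DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251752285\n",
    r"DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251755885\n",
    "unrelated event message (constructed)",
]


def parse_ddns_failures(lines):
    """Return one dict per DDNS failure message, with the retry time in UTC."""
    failures = []
    for line in lines:
        m = DDNS_FAIL.search(line)
        if not m:
            continue
        # Assumption: the value is seconds since the Unix epoch.
        retry = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
        failures.append({"server": m["server"], "domain": m["domain"],
                         "next_try": retry.isoformat()})
    return failures


def repeated_failures(lines, threshold=2):
    """Domains with at least `threshold` failure messages in the given lines."""
    counts = {}
    for failure in parse_ddns_failures(lines):
        counts[failure["domain"]] = counts.get(failure["domain"], 0) + 1
    return sorted(d for d, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for failure in parse_ddns_failures(SAMPLE_LOG):
        print(failure)
    print("repeated failures:", repeated_failures(SAMPLE_LOG))
```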

