Server Mode Deployment

Example 1: FortiMail unit behind a firewall

In this example, a FortiMail unit operating in server mode and email users’ computers are both positioned within a private network, behind a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the network protected by the firewall. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.

Figure 16:Server mode deployment behind a NAT device

Email Domain:                                              example.com IN M 10 fortimail.example.com

example.com                                                                  fortimail IN A 10.10.10.1

The FortiMail unit has also been configured with an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:

Sender Pattern *@example.com
Recipient Pattern *
Sender

IP/Netmask

0.0.0.0/0
Reverse DNS Pattern *
Authentication Status authenticated
TLS < none >
Action RELAY

To deploy the FortiMail unit behind a NAT device such as a firewall or router, you must complete the following:

  • Configuring the firewall
  • Configuring the email user accounts
  • Configuring the MUAs
  • Testing the installation

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see “Running the Quick Start Wizard” on page 34 and “Configuring DNS records” on page 101.

Configuring the firewall

With the FortiMail unit behind a FortiGate unit, you must configure policies to allow traffic:

  • from the Internet to the FortiMail unit
  • from the FortiMail unit to the Internet

To create the required policies, complete the following:

  • Configuring the firewall address
  • Configuring the service groups
  • Configuring the virtual IPs

Configuring the firewall address

In order to create the outgoing firewall policy that governs the IP address of the FortiMail unit, you must first define the IP address of the FortiMail unit by creating a firewall address entry.

To add a firewall address for the FortiMail unit

  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
Name Enter a name to identify the firewall address entry, such as FortiMail_address.
Type Select Subnet/IP Range.
Subnet /IP Range Enter 172.16.1.5.
Interface Select internal.
  1. Select OK.

Configuring the service groups

In order to create firewall policies that govern only FortiMail-related traffic, you must first create groups of services that define protocols and port numbers used in that traffic.

Because FortiGuard-related services for FortiMail units are not predefined, you must define them before you can create a service group that contains those services.

To add a custom service for FortiGuard Antivirus push updates

  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
Name   Enter a name to identify the custom service entry, such as

FortiMail_antivirus_push_updates.

Protocol Type   Select TCP/UDP.
Protocol   Select UDP.
Destination Port    
  Low Enter 9443.
  High Enter 9443.
  1. Select OK.

To add a custom service for FortiGuard Antispam rating queries

  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
Name   Enter a name to identify the custom service entry, such as

FortiMail_antispam_rating_queries.

Protocol Type   Select TCP/UDP.
Protocol   Select UDP.
Destination Port    
  Low Enter 8889.
  High Enter 8889.
  1. Select OK.

To add a service group for incoming FortiMail traffic

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_incoming_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, IMAP, and your custom service for FortiGuard Antivirus push updates, FortiMail_antivirus_push_updates, then select the right arrow to move them to the Members
  6. Select OK.

To add a service group for outgoing FortiMail traffic

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_outgoing_services.
  5. In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries, then select the right arrow to move them to the Members
  6. Select OK.

Configuring the virtual IPs

In order to create the firewall policy that forwards email-related traffic to the FortiMail unit, you must first define a static NAT mapping from a public IP address on the FortiGate unit to the IP address of the FortiMail unit by creating a virtual IP entry.

  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
Name Enter a name to identify the virtual IP entry, such as FortiMail_VIP.
External Interface Select wan1.
Type Select Static NAT.
External IP

Address/Range

Enter 10.10.10.1.
Mapped IP

Address/Range

Enter 172.16.1.5.
  1. Select OK.

Configuring the firewall policies

First, create a firewall policy that allows incoming email and other FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.

Second, create a firewall policy that allows outgoing email and other connections from the FortiMail unit to the Internet.

To add the Internet-to-FortiMail policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

Source Interface/zone Select wan1.

Source Address Name Select all.

Destination

Interface/zone

Select internal.
Destination Address

Name

Select FortiMail_VIP.
Schedule Select ALWAYS.
Service Select FortiMail_incoming_services.
Action Select ACCEPT.
  1. Select OK.

To add the FortiMail-to-Internet policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

Source Interface/zone Select internal.

Source Address Name Select FortiMail_address.

Destination

Interface/zone

Select wan1.
Destination Address

Name

Select all.
Schedule Select ALWAYS.
Service Select FortiMail_outgoing_services.
Action Select ACCEPT.
  1. Select NAT.
  2. Select OK.

Configuring the email user accounts

Create email user accounts for each protected domain on the FortiMail unit.

You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain that you can use in order to verify connectivity for the domain.

To add an email user

  1. Go to User > User > User in the advanced mode of the web UI. (The User tab appears only when FortiMail operates in server mode.)
  2. From the Domain list, select com.
  3. Either select New to add an email user, or double-click an email user you want to modify.

A dialog appears.

  1. In User name, enter the user name portion, such as user1, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com).
  2. Select Password, then enter the password for this email account.
  3. In Display Name, enter the name of the user as it should appear in a MUA, such as “Test User 1”.
  4. Select Create for a new user or OK for an existing user.

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the private network IP address of the FortiMail unit, 172.16.1.5; for remote email users, this is the virtual IP on the FortiGate unit that maps to the FortiMail unit, 10.10.10.1 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiMail and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.