Transparent Mode Deployment

Example 2: FortiMail unit in front of an email hub

In this example, a FortiMail unit operating in transparent mode is positioned between an email gateway and other internal email servers.

When sending email with external recipients, the email servers (Relay A and Relay B) in each WAN location are required to deliver through the main email server, which encrypts outgoing SMTP connections. The firewall will only allow SMTP traffic from the main email server.

Figure 13: Transparent mode deployment to protect an email hub (email domain: @example.com)

The FortiMail unit also includes an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:

Sender Pattern          *@example.com
Recipient Pattern       *
Sender IP/Netmask       0.0.0.0/0
Reverse DNS Pattern     *
Authentication Status   authenticated
TLS                     < none >
Action                  RELAY
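The access control rule above only relays mail for senders in the protected domain once they have authenticated; an unauthenticated session falls through the rule. The following is an added example, not FortiMail code, that models the rule fields shown above and evaluates them against constructed SMTP sessions. It assumes shell-style glob patterns matched case-insensitively, a CIDR sender IP/netmask, a TLS setting of "none" meaning no TLS requirement, and a default action of REJECT when no rule matches (an assumption for the illustration, not a statement of the unit's default).

```python
"""Added example (not FortiMail code): evaluate access control rules of the
shape shown in the deployment example against constructed SMTP sessions."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AccessRule:
    sender_pattern: str
    recipient_pattern: str
    sender_ip: str           # IP/Netmask in CIDR form, e.g. "0.0.0.0/0"
    reverse_dns_pattern: str
    auth_status: str         # "authenticated", "unauthenticated" or "any"
    tls: str                 # assumption: "none" = no requirement, anything else requires TLS
    action: str              # e.g. "RELAY" or "REJECT"


@dataclass(frozen=True)
class SmtpSession:
    mail_from: str
    rcpt_to: str
    client_ip: str
    reverse_dns: str         # "" when the client IP has no PTR record
    authenticated: bool
    tls: bool


def _glob(value: str, pattern: str) -> bool:
    # Assumption: patterns are shell-style globs, compared case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(rule: AccessRule, s: SmtpSession) -> bool:
    """Every field of the rule must match for the rule to apply."""
    if not _glob(s.mail_from, rule.sender_pattern):
        return False
    if not _glob(s.rcpt_to, rule.recipient_pattern):
        return False
    if ipaddress.ip_address(s.client_ip) not in ipaddress.ip_network(rule.sender_ip, strict=False):
        return False
    if not _glob(s.reverse_dns, rule.reverse_dns_pattern):
        return False
    if rule.auth_status == "authenticated" and not s.authenticated:
        return False
    if rule.auth_status == "unauthenticated" and s.authenticated:
        return False
    if rule.tls != "none" and not s.tls:
        return False
    return True


def decide(rules: List[AccessRule], s: SmtpSession, default: str = "REJECT") -> str:
    """Rules are tried in order; the first match decides, otherwise the default.
    The REJECT default is an assumption made for this illustration."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.action
    return default


# The rule from the deployment example.
AUTH_RELAY_RULE = AccessRule("*@example.com", "*", "0.0.0.0/0", "*", "authenticated", "none", "RELAY")
RULES = [AUTH_RELAY_RULE]


def example_decisions() -> dict:
    """Constructed sessions: a user who authenticated, the same user without
    authentication, and a sender outside the protected domain."""
    authed = SmtpSession("alice@example.com", "bob@partner.test", "203.0.113.10", "", True, True)
    unauthed = SmtpSession("alice@example.com", "bob@partner.test", "203.0.113.10", "", False, False)
    outsider = SmtpSession("eve@other.test", "bob@partner.test", "198.51.100.7", "mail.other.test", True, True)
    return {
        "authenticated": decide(RULES, authed),
        "unauthenticated": decide(RULES, unauthed),
        "foreign_sender": decide(RULES, outsider),
    }


if __name__ == "__main__":
    for name, action in example_decisions().items():
        print(f"{name}: {action}")
```

Only the authenticated session from the protected domain is relayed; the unauthenticated one and the outside sender both fall to the default, which is the behaviour the rule is meant to enforce for relay to unprotected domains.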

To deploy the FortiMail unit in front of one or more email servers, you must complete the following:

  • Configuring the protected domains and session profiles
  • Configuring the proxies and implicit relay

Configuring the protected domains and session profiles

When configuring the protected domain and session profiles, you can select transparent mode options to hide the existence of the FortiMail unit.

To configure the transparent mode options of the protected domain

  1. Go to Mail Settings > Domains > Domains in the advanced mode of the web UI.
  2. In the row corresponding to the protected domain, select Edit.
  3. Configure the following:

Transparent Mode Options

This server is on (transparent mode only)

Select the network interface (port) to which the protected SMTP server is connected.

Note: Selecting the wrong network interface will cause the FortiMail unit to send email traffic out of the wrong network interface.

Hide the transparent box (transparent mode only)

Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in:

  • the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
  • the IP addresses in the IP header

This masks the existence of the FortiMail unit to the protected SMTP server.

Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.

Note: If the protected SMTP server applies rate limiting according to IP addresses, enabling this option can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail unit.

Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, this option has precedence over the Hide this box from the mail server option in the session profile, and may prevent it from applying to incoming email messages.

Use this domain’s SMTP server to deliver the mail (transparent mode only)

Enable to allow SMTP clients to send outgoing email directly through the protected SMTP server.

Disable to, instead of allowing a direct connection, proxy the connection using the incoming proxy, which queues email messages that are not immediately deliverable.

  4. Select OK.

To configure the transparent mode options of the session profile

  1. Go to Policy > Policies > IP Policies in the advanced mode of the web UI.
  2. In the Session column for an IP-based policy, select the name of the session profile to edit the profile.
  3. Configure the following:
Connection Settings

Hide this box from the mail server (transparent mode only)

Enable to preserve the IP address or domain name of the SMTP client in:

  • the SMTP greeting (HELO/EHLO) and in the Received: message headers of email messages
  • the IP addresses in the IP header

This masks the existence of the FortiMail unit.

Disable to replace the IP addresses or domain names with that of the FortiMail unit.

Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain has precedence over this option, and may prevent it from applying to incoming email messages.

  4. Select OK.
  5. Repeat the previous three steps for each IP-based policy.
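Both "Hide the transparent box" (protected domain) and "Hide this box from the mail server" (session profile) determine whether the protected server records the original SMTP client or the FortiMail unit in its Received: trace headers. A practical way to confirm which one is in effect is to read the headers of a message that reached the protected server. The following is an added example, not FortiMail code: a small parser for the common `from <helo> (<reverse-dns> [<ip>]) by <host>` shape of a Received: line, with constructed headers for both cases. The hostnames and addresses are made up for the illustration, and the exact wording FortiMail or the hub writes into its trace lines is not taken from this page.

```python
"""Added example (not FortiMail code): inspect Received: headers recorded by the
protected SMTP server and report whether the FortiMail hop is visible."""
import re
from typing import Dict, Iterable, List

# Common shape of a Received: trace clause (RFC 5321 section 4.4):
#   from <helo> (<reverse-dns> [<ip>]) by <receiving host>
# The reverse-DNS part is optional, as in "from x ([198.51.100.7]) by ...".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(headers: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per parsable Received: line, in the order given
    (a message lists its newest hop first)."""
    hops = []
    for value in headers:
        # Collapse folded whitespace before matching.
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append({k: (m.group(k) or "") for k in ("helo", "rdns", "ip", "by")})
    return hops


def fortimail_hop_visible(hops: List[Dict[str, str]], fortimail_ips: Iterable[str],
                          fortimail_names: Iterable[str] = ()) -> bool:
    """True if any hop names the FortiMail unit as the connecting client,
    i.e. the hide option is not in effect for that message."""
    ips = set(fortimail_ips)
    names = {n.lower() for n in fortimail_names}
    return any(
        h["ip"] in ips or h["helo"].lower() in names or h["rdns"].lower() in names
        for h in hops
    )


# Constructed addresses for this example (assumptions, not from the guide).
FORTIMAIL_IPS = {"192.0.2.5"}
FORTIMAIL_NAMES = {"fortimail.example.com"}

# Case 1 (constructed): hide option enabled; the hub records the real client.
HIDDEN_CASE = [
    "Received: from relay-a.example.com (relay-a.example.com [10.1.1.25])\r\n"
    "\tby mailhub.example.com with ESMTP id c1; Mon, 1 Jan 2024 10:00:00 +0000",
]

# Case 2 (constructed): hide option disabled; the unit's identity replaces the client's.
NOT_HIDDEN_CASE = [
    "Received: from fortimail.example.com (fortimail.example.com [192.0.2.5])\r\n"
    "\tby mailhub.example.com with ESMTP id c2; Mon, 1 Jan 2024 10:00:01 +0000",
]


def check(headers: Iterable[str]) -> Dict[str, object]:
    """Parse the trace headers and say whether the FortiMail unit shows up as a hop."""
    hops = parse_received(headers)
    return {
        "hops": hops,
        "fortimail_visible": fortimail_hop_visible(hops, FORTIMAIL_IPS, FORTIMAIL_NAMES),
    }


if __name__ == "__main__":
    for label, case in (("hide enabled", HIDDEN_CASE), ("hide disabled", NOT_HIDDEN_CASE)):
        result = check(case)
        print(label, "->", "FortiMail visible" if result["fortimail_visible"] else "FortiMail masked",
              result["hops"][0]["ip"])
```

When the hide option is effective, the hub's own Received: line names the original client, which is also what makes per-client rate limiting on the hub meaningful; when it is not, every connection appears to come from the unit's address.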

Configuring the proxies and implicit relay

When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled on the network interface where a connection arrives, the FortiMail unit can scan and process the connection. If it is not enabled, the FortiMail unit can either block the connection or permit it to pass through unmodified.

Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.

Proxy/relay pick-up is configured separately for incoming and outgoing connections.

In this deployment example, incoming connections arriving on port2 must be scanned before traveling to the main email server, and therefore are configured to be Proxy — that is, picked up by the implicit relay.

Outgoing connections arriving on port1 will contain email that has already been scanned once, during SMTP clients’ relay to the main email server. In addition, outgoing connections by the main mail server will be encrypted using TLS. Encrypted connections cannot be scanned. Therefore outgoing connections will be passed through, and neither proxied nor implicitly relayed.

To configure SMTP proxy and implicit relay pick-up

  1. Go to System > Network in the advanced mode of the web UI.
  2. Edit SMTP proxy settings on both Port 1 and Port 2:
Port 1
  Incoming connections   Drop
  Outgoing connections   Pass through
  Local connections      Allow
Port 2
  Incoming connections   Proxy
  Outgoing connections   Drop
  Local connections      Disallow

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.

This entry was posted in Administration Guides, FortiMail.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “Transparent Mode Deployment”

  1. Alexandru

    When configuring transparent mode, is it necessary to configure mail settings (SMTP port, SSL for SMTP, etc.)? From my understanding it is not necessary because FortiMail acts as a proxy. But if these are not configured, the connection is not intercepted (scanned).

    Reply
  2. Gerald Simila

    Kindly expound on active-passive H/A deployment for two FortiMails in transparent mode in an ISP environment where we use PBRs on the connected routers. I am keen on the IPs to be used on the PBR and whether this can be done without using an ADC.

    Reply
