
Configuring Administrator Accounts and Access Profiles

The Administrator submenu configures administrator accounts and access profiles.

This topic includes:

  • About administrator account permissions and domains
  • Configuring administrator accounts
  • Configuring access profiles

About administrator account permissions and domains

Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.

The domain to which an administrator is assigned is one of:

  • System

The administrator can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. The administrator’s permissions are restricted only by their access profile.

  • a protected domain

The administrator can only access areas that are specifically assigned to that protected domain. With a few exceptions, the administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by the administrator’s access profile. The administrator cannot access the CLI, nor the basic mode of the web UI. (For more information on the display modes of the GUI, see “Basic mode versus advanced mode” on page 24.)

There are exceptions. Domain administrators can configure IP-based policies, the global black list, the global white list, the blacklist action, and the global Bayesian database. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.

Table 28: Areas of the GUI that domain administrators cannot access

  • Maintenance
  • Monitor, except for the Personal quarantine tab
  • System, except for the Administrator tab
  • Mail Settings, except for the domain, its subdomains, and associated domains
  • User > User > PKI User
  • Policy > Access Control > Receive
  • Policy > Access Control > Delivery
  • Profile > Authentication
  • AntiSpam, except for AntiSpam > Bayesian > User and AntiSpam > Black/White List
  • Email Archiving
  • Log and Report

Access profiles assign either read, read/write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an administrator access profile, see “Configuring access profiles” on page 297.

Table 29: Areas of control in access profiles

(For each config command, there is an equivalent get/show command, unless otherwise noted. config access requires write permission; get/show access requires read permission.)

Black/White List (CLI name: black-white-list)
  In the web UI:
    Monitor > Endpoint Reputation > Auto Blacklist
    Maintenance > AntiSpam > Black/White List Maintenance
    AntiSpam > Black/White List …
  In the CLI:
    N/A

Quarantine (CLI name: quarantine)
  In the web UI:
    Monitor > Quarantine …
    AntiSpam > Quarantine > Quarantine Report
    AntiSpam > Quarantine > System Quarantine Setting
    AntiSpam > Quarantine > Control Account
  In the CLI:
    config antispam quarantine-report
    config mailsetting systemquarantine

Policy (CLI name: policy)
  In the web UI:
    Monitor > Mail Queue …
    Monitor > Greylist …
    Monitor > Sender Reputation > Display
    Mail Settings > Domains > Domains
    Mail Settings > Proxies > Proxies
    User > User …
    Policy …
    Profile
    AntiSpam > Greylist …
    AntiSpam > Bounce Verification > Settings
    AntiSpam > Endpoint Reputation …
    AntiSpam > Bayesian …
  In the CLI:
    config antispam greylist exempt
    config antispam bounce-verification key
    config antispam settings
    config domain
    config mailsetting proxy-smtp
    config policy …
    config profile …
    config user …

Archive (CLI name: archive)
  In the web UI:
    Email Archiving
    Monitor > Archive
  In the CLI:
    config archive

Greylist (CLI name: greylist)
  In the web UI:
    Monitor > Greylist …
    AntiSpam > Greylist …
  In the CLI:
    config antispam greylist …
    get antispam greylist …

Others (CLI name: others)
  In the web UI:
    Monitor > System Status …
    Monitor > Archive > Email Archives
    Monitor > Log …
    Monitor > Report …
    Maintenance, except the Black/White List Maintenance tab
    System
    Mail Settings > Settings
    Mail Settings > Address Book > Address Book
    User > User Alias > User Alias
    User > Address Map > Address Map
    Email Archiving
    Log and Report
  In the CLI:
    config archive …
    config log …
    config mailsetting relayserver
    config mailsetting storage
    config report
    config system …
    config user alias
    config user map
    diagnose …
    execute …
    get system status

About the “admin” account

Unlike other administrator accounts, the admin administrator account exists by default and cannot be deleted. Its access profile is super_admin_prof and its domain is System. The admin administrator account is similar to a root administrator account: its name, permissions, and assignment to the System domain cannot be changed. Because it can be neither renamed nor removed, restrict its trusted hosts to your administrative network rather than leaving the default entry that permits login from any address.

The admin administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without having to enter the existing password. As such, it is the only account that can reset another administrator’s password if the existing password is unknown or forgotten. (Other administrators can change an administrator’s password only if they know the current password.)

About the “remote_wildcard” account

In FortiMail releases older than v5.1, remote RADIUS or LDAP accounts used for administrator authentication had to be added to FortiMail one by one. Starting from FortiMail v5.1, you can use a wildcard to add all RADIUS accounts at once (LDAP accounts will be supported in future releases).

To achieve this, you can enable the preconfigured “remote_wildcard” account and specify which RADIUS profile to use. Then every account on the RADIUS server will be able to log on to FortiMail.

To add all accounts on a RADIUS server to FortiMail

  1. Go to System > Administrator > Administrator.
  2. Double click the built-in “remote_wildcard” account.
  3. Configure the following and click OK.
GUI item Description
Enable Select it to enable the wildcard account.
Administrator The default name is remote_wildcard and it is not editable.
Domain Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.

For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290.

Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.

Note: If you enable domain override in the RADIUS profile, this setting will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. For details, see “Configuring authentication profiles” on page 542.

Access profile Select the name of an access profile that determines which functional areas the administrator account may view or affect.

Click New to create a new profile or Edit to modify the selected profile. For details, see “Configuring access profiles” on page 297.

Note: If you enable remote access override in the RADIUS profile, this access profile will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. For details, see “Configuring authentication profiles” on page 542.

Authentication type For the v5.1 release, only RADIUS is supported. For details, see “Configuring authentication profiles” on page 542.
Trusted hosts Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.

If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.

Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.

Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.

Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248.

Language Select this administrator account’s preference for the display language of the web UI.
Theme Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.

The administrator may switch the theme at any time during a session by clicking Next Theme.

Configuring administrator accounts

The Administrator tab displays a list of the FortiMail unit’s administrator accounts and the trusted host IP addresses administrators use to log in (if configured).

By default, FortiMail units have a single administrator account, admin. For more granular control over administrative access, you can create additional administrator accounts that are restricted to a specific protected domain and with restricted permissions. For more information, see “About administrator account permissions and domains” on page 290.

Depending on the permission and assigned domain of your account, this list may not display all administrator accounts. For more information, see “About administrator account permissions and domains” on page 290.

If you configured a system quarantine administrator account, this account does not appear in the list of standard FortiMail administrator accounts. For more information on the system quarantine administrator account, see “Configuring the system quarantine administrator account and disk quota” on page 611.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Others category.

For details, see “About administrator account permissions and domains” on page 290.

To configure administrator accounts

  1. Go to System > Administrator > Administrator.
  2. Either click New to add an account or double-click an account to modify it.

A dialog appears.

Figure 121:New Administrator dialog

  3. Configure the following and then click Create:
GUI item Description
Enable Select it to enable the new account. If disabled, the account will not be able to access FortiMail.
Administrator Enter the name for this administrator account.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), hyphens (-), and underscores (_). Other special characters and spaces are not allowed.

Domain Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.

For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290.

Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.

Access profile Select the name of an access profile that determines which functional areas the administrator account may view or affect.

Click New to create a new profile or Edit to modify the selected profile.

For details, see “Configuring access profiles” on page 297.

 

Authentication type Select the local or remote type of authentication that the administrator will use:

•      Local

•      RADIUS

•      RADIUS + Local

•      PKI

•      LDAP

Note: RADIUS, LDAP and PKI authentication require that you first configure a RADIUS authentication profile, LDAP authentication profile, or PKI user. For more information, see “Configuring authentication profiles” on page 542 and “Configuring PKI authentication” on page 435.

Password If you select Local as the authentication type, enter a secure password for this administrator account.

The password can contain any character except spaces.

This field does not appear if Authentication type is not Local or RADIUS + Local.

Confirm password Enter this account’s password again to confirm it.

This field does not appear if Authentication type is not Local or RADIUS + Local.

LDAP profile If you choose to use LDAP authentication, select an LDAP profile you want to use.
RADIUS profile If you choose to use RADIUS or RADIUS + Local authentication, select a RADIUS profile you want to use.
PKI profile If you choose to use PKI authentication, select a PKI profile you want to use.
Trusted hosts Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.

If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.

Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.

Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.

Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248.

Language Select this administrator account’s preference for the display language of the web UI.
Theme Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.

The administrator may switch the theme at any time during a session by clicking Next Theme.
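The Trusted hosts field described in the remote_wildcard table and in the administrator account table above is the one setting that bounds where an administrator password or RADIUS credential can be used from, so it is worth auditing across all accounts. The Python below is an added example, not FortiMail code or Fortinet tooling: it parses entries in the guide's dotted-netmask form, tests whether a source address is permitted, and flags accounts that keep the 0.0.0.0/0.0.0.0 "any address" entry or exceed the ten-entry limit. The account names and entries are constructed.

```python
"""Trusted-host audit for FortiMail administrator accounts.

Added example, not FortiMail code.  It models the Trusted hosts field the
guide describes: up to 10 entries, each an IPv4 address with a dotted
decimal netmask (192.168.1.0/255.255.255.0) or an IPv6 prefix, where
0.0.0.0/0.0.0.0 means "log in from anywhere".  The account list at the
bottom is constructed; the account names are hypothetical.
"""
from __future__ import annotations

import ipaddress

MAX_TRUSTED_HOSTS = 10  # limit stated in the guide


def parse_trusted_host(entry: str):
    """Accept 'address/dotted-netmask', 'address/prefixlen' or a bare address.

    ipaddress.ip_network already understands a dotted IPv4 netmask, so the
    guide's 192.168.1.0/255.255.255.0 becomes 192.168.1.0/24 and
    0.0.0.0/0.0.0.0 becomes 0.0.0.0/0.  strict=False tolerates host bits
    set in the address part (192.168.1.5/255.255.255.0) instead of raising.
    """
    return ipaddress.ip_network(entry, strict=False)


def is_permitted(trusted: list[str], source_ip: str) -> bool:
    """True if source_ip falls inside any trusted host entry of the account.

    An address-family mismatch (IPv4 source against an IPv6 entry) is simply
    not a match; ipaddress returns False rather than raising.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in parse_trusted_host(entry) for entry in trusted)


def audit_account(name: str, trusted: list[str]) -> list[str]:
    """Return findings for one account.

    Flags: no entries at all, more than the 10 the GUI allows, wildcard
    entries (prefix length 0: 0.0.0.0/0.0.0.0 or ::/0), and entries outside
    private address space, which the guide's note advises against.
    """
    findings: list[str] = []
    if not trusted:
        findings.append(f"{name}: no trusted hosts configured")
    if len(trusted) > MAX_TRUSTED_HOSTS:
        findings.append(f"{name}: {len(trusted)} entries exceeds the limit of {MAX_TRUSTED_HOSTS}")
    for entry in trusted:
        net = parse_trusted_host(entry)
        if net.prefixlen == 0:
            findings.append(f"{name}: {entry} permits login from any address")
        elif not net.is_private:
            findings.append(f"{name}: {entry} is outside private address space; "
                            "restrict it to administrative hosts")
    return findings


def audit_all(accounts: dict[str, list[str]]) -> dict[str, list[str]]:
    """Audit every account; the result maps account name to its findings."""
    return {name: audit_account(name, hosts) for name, hosts in accounts.items()}


# Constructed sample accounts (hypothetical names), as they might appear
# under System > Administrator > Administrator.
ACCOUNTS = {
    "admin": ["192.168.1.0/255.255.255.0", "fd00:1::/64"],  # management network only
    "helpdesk-example.com": ["0.0.0.0/0.0.0.0"],             # the "any address" entry
}

if __name__ == "__main__":
    for account, findings in audit_all(ACCOUNTS).items():
        print(account, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it as a script to see the wildcard finding for the helpdesk account; in practice the account list would be exported from the unit rather than typed in. The `is_private` test is deliberately coarse: it catches an entry such as a public office range but says nothing about whether a private range is actually the administrative segment, which only your network documentation can tell.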


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring System Settings

The System menu lets you configure administrator accounts, network settings, system time, SNMP, RAID, high availability (HA), certificates, and more.

This section includes:

  • Configuring network settings
  • Configuring system time, configuration options, SNMP, and FortiSandbox
  • Customizing GUI, replacement messages and email templates
  • Configuring administrator accounts and access profiles
  • Configuring RAID
  • Using high availability (HA)
  • Managing certificates
  • Configuring IBE encryption
  • Configuring certificate bindings

Configuring FortiGuard Updates and AntiSPAM Queries

The Maintenance > FortiGuard > Update tab displays the most recent updates to FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions (antispam heuristic rules). You can also configure how the FortiMail unit will retrieve updates.

FortiGuard AntiSpam packages for FortiMail units are not the same as those provided to FortiGate units. To support FortiMail’s more full-featured antispam scans, FortiGuard AntiSpam packages for FortiMail contain platform-specific additional updates.

For example, FortiGuard AntiSpam packages for FortiMail contain the heuristic antispam rules used by the heuristic scan. Updates add to, remove from, and re-order the list of heuristic rules so that the methods spammers currently use most are ranked highest in the list. As a result, even if you configure a lower percentage of heuristic rules to be used by that scan, with regular updates the heuristic scan automatically adjusts to use whichever heuristic rules are currently most effective. This helps to achieve an effective spam catch rate while both reducing administrative overhead and improving performance by using the least necessary amount of FortiMail system resources.

FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

  • scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
  • push updates, by which the FDN notifies FortiMail units when updates become available

For information on configuring scheduled updates, see “Configuring scheduled updates” on page 240. For information on configuring push updates, see “Configuring push updates” on page 241.

You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file. For more information on uploading updates, see “License Information widget” on page 176.

For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see “Troubleshoot FortiGuard connection issues” on page 707.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view or change the currently installed FortiGuard status

  1. Go to Maintenance > FortiGuard > Update.

Figure 95:Update tab

  2. Configure the following:

 

GUI item Description
FortiGuard Service Status  
Name The name of the updatable item, such as Anti Virus Definition.
Version The version number of the item currently installed on the FortiMail unit.
Expiry Date The expiry date of the license for the item.
Last Update Attempt The date and time when the FortiMail unit last attempted to download an update.
Last Update Status The result of the last update attempt.

•      No updates: Indicates the last update attempt was successful but no new updates are available.

•      Installed updates: Indicates the last update attempt was successful and new updates were installed.

•      Other messages, such as Network Error, indicate that the FortiMail unit could not connect to the FDN, or other error conditions. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

Included signatures Displays the total number of virus and spam signatures.
FortiGuard distribution network The result of the previous scheduled update (TCP 443) connection attempt to the FortiGuard Distribution Network (FDN) or, if enabled and configured, the override server.

•      Available: Indicates that the FortiMail unit successfully connected to the FDN.

•      Unavailable: Indicates that the FortiMail unit could not connect to the FDN. For more information, see “Verifying connectivity with FortiGuard services” on page 237.

•      Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

Push update The result of the previous push update (UDP 9443) connection attempt from the FDN.

•      Available: Indicates that the FDN successfully connected to the FortiMail unit to send push updates. For more information, see “Configuring push updates” on page 241.

•      Unavailable: Indicates that the FDN could not connect to the FortiMail unit. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

•      Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

Refresh

(button)

Click to test the scheduled (TCP 443) and push (UDP 9443) update connection of the FortiMail unit to the FDN or, if enabled, the IP address configured in Use override server address.

When the test completes, the tab refreshes and displays the results beside FortiGuard distribution network. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect.

Note: This does not test the connection for FortiGuard Antispam rating queries, which occurs over a different connection and must be tested separately. For details, see “Configuring FortiGuard updates and antispam queries” on page 233.

Use override server address Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiMail unit connects for updates, then enter the IP address of the override public or private FDS.

For more information, see “Verifying connectivity with FortiGuard services” on page 237.

Allow push update Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP. For details, see “Configuring push updates” on page 241.

Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit initiates a separate TCP 443 connection to the FDN, as for scheduled updates, in order to download the update.

Use override push IP Enable to override the IP address and default port number to which the FDN sends push notifications.

  • When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
  • When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.

For more information, see “Configuring push updates” on page 241.

This option is available only if Allow push update is enabled.

Scheduled update Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status.

•      Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.

•      Daily: Select to request to update once a day, then select the hour of the day to check for updates.

•      Weekly: Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.

If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.

Apply

(button)

Click to save configuration changes on this tab and, if you have enabled Allow push update, notify the FDN of the destination IP address and port number for push notifications to this FortiMail unit.
Update Now

(button)

Click to manually initiate a FortiGuard Antivirus and FortiGuard Antispam engine and definition update request. Results will appear in Last Update Status. Time required varies by the availability of updates, size of the updates, and speed of the FortiMail unit’s network connection.

Server Mode Deployment

The following procedures and examples show you how to deploy the FortiMail unit in server mode.

  • Configuring DNS records
  • Example 1: FortiMail unit behind a firewall
  • Example 2: FortiMail unit in front of a firewall
  • Example 3: FortiMail unit in DMZ

Configuring DNS records

You must configure public DNS records for the protected domains and for the FortiMail unit itself.

For performance reasons, you may also want to provide a private DNS server for use exclusively by the FortiMail unit.

This section includes the following:

  • Configuring DNS records for protected domains
  • Configuring DNS records for the FortiMail unit itself
  • Configuring a private DNS server

Configuring DNS records for protected domains

Regardless of your private network topology, in order for external MTAs to deliver email to the FortiMail unit, you must configure the public MX record for each protected domain to indicate that the FortiMail unit is its email server.

For example, if the fully qualified domain name (FQDN) of the FortiMail unit is fortimail.example.com, and example.com is a protected domain, the MX record for example.com would be:

example.com IN MX 10 fortimail.example.com

If your FortiMail unit will operate in server mode, configure the MX record to refer to the FortiMail unit, and remove other MX records. If you fail to do so, external MTAs may not be able to deliver email to or through the FortiMail unit, or may be able to bypass the FortiMail unit by using the other MX records. If you have configured secondary MX records for failover reasons, consider configuring FortiMail high availability (HA) instead. For details, see “FortiMail high availability modes” on page 23.

An A record must also exist to resolve the domain name of the FortiMail unit into an IP address.

For example, if the MX record indicates that fortimail.example.com is the email gateway for a domain, you must also configure an A record in the example.com zone file to resolve fortimail.example.com into a public IP address:

fortimail IN A 10.10.10.1

where 10.10.10.1 is either the public IP address of the FortiMail unit, or a virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit.

If your FortiMail unit will relay outgoing email, you should also configure the public reverse DNS record. The public IP address of the FortiMail unit, or the virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit, should be globally resolvable into the FortiMail unit’s FQDN. If it is not, reverse DNS lookups by external SMTP servers will fail.

For example, if the public network IP address of the FortiMail unit is 10.10.10.1, a public DNS server’s reverse DNS zone file for the 10.10.10.0/24 subnet might contain:

1 IN PTR fortimail.example.com.

where fortimail.example.com is the FQDN of the FortiMail unit.

Configuring DNS records for the FortiMail unit itself

In addition to the records for protected domains, the FortiMail unit must be able to receive web connections, and send and receive email, for its own domain name. Dependent features include:

  • delivery status notification (DSN) email
  • spam reports
  • email users’ access to their per-recipient quarantines
  • FortiMail administrators’ access to the web UI by domain name
  • alert email
  • report generation notification email

For this reason, you should also configure public DNS records for the FortiMail unit itself.

Appropriate records vary by whether or not Web release host name/IP (located in AntiSpam > Quarantine > Quarantine Report in the advanced mode of the web UI) is configured:

  • Case 1: Web Release Host Name/IP is empty/default
  • Case 2: Web Release Host Name/IP is configured

Transparent Mode Deployment

The following procedures and examples show you how to deploy the FortiMail unit in transparent mode.

  • Configuring DNS records
  • Example 1: FortiMail unit in front of an email server
  • Example 2: FortiMail unit in front of an email hub
  • Example 3: FortiMail unit for an ISP or carrier

Configuring DNS records

If the FortiMail unit is operating in transparent mode, in most cases, configuring DNS records for protected domain names is not required. Proper DNS records for your protected domain names are usually already in place. However, you usually must configure public DNS records for the FortiMail unit itself.

For performance reasons, and to support some configuration options, you may also want to provide a private DNS server for exclusive use by the FortiMail unit.

This section includes the following:

  • Configuring DNS records for the FortiMail unit itself
  • Configuring a private DNS server

Configuring DNS records for the FortiMail unit itself

In addition to the records for protected domains, the FortiMail unit must be able to receive web connections, and send and receive email, for its own domain name. Dependent features include:

  • delivery status notification (DSN) email
  • spam reports
  • email users’ access to their per-recipient quarantined mail
  • FortiMail administrators’ access to the web UI by domain name
  • alert email
  • report generation notification email

For this reason, you should also configure public DNS records for the FortiMail unit itself.

Appropriate records vary by whether or not Web release host name/IP (located in AntiSpam > Quarantine > Quarantine Report in the advanced mode of the web UI) is configured:

  • Case 1: Web Release Host Name/IP is empty/default
  • Case 2: Web Release Host Name/IP is configured

Unless you have enabled both Hide the transparent box in each protected domain and Hide this box from the mail server in each session profile, the FortiMail unit is not fully transparent in SMTP sessions: the domain name and IP address of the FortiMail unit may be visible to SMTP servers, and they might perform reverse lookups. For this reason, public DNS records for the FortiMail unit usually should include reverse DNS (RDNS) records.

Case 1: Web Release Host Name/IP is empty/default

When Web release host name/IP is not configured (the default), the web release/delete links that appear in spam reports use the fully qualified domain name (FQDN) of the FortiMail unit. For example, if the FortiMail unit’s host name is fortimail, and its local domain name is example.net, resulting in the FQDN fortimail.example.net, a spam report’s default web release link might look like this (the FQDN is the host part of the URL):

https://fortimail.example.net/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

In the DNS configuration to support this and the other DNS-dependent features, you would configure the following three records:

example.net IN MX 10 fortimail.example.net
fortimail IN A 10.10.10.1
1 IN PTR fortimail.example.net.

where:

  • example.net is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail unit is the mail gateway
  • fortimail.example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI, email users’ access to their per-recipient quarantines, to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit, and to resolve to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.10.1 is the public IP address of the FortiMail unit; the PTR record for it belongs in the reverse zone for the 10.10.10.0/24 subnet

Case 2: Web Release Host Name/IP is configured

You could configure Web release host name/IP to use an alternative fully qualified domain name (FQDN) such as webrelease.example.info instead of the configured FQDN, resulting in the following web release link (the web release FQDN is the host part of the URL):

https://webrelease.example.info/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

Then, in the DNS configuration to support this and the other DNS-dependent features, you would configure the following MX record, A records, and PTR record (unlike “Case 1: Web Release Host Name/IP is empty/default” on page 52, in this case two A records are required):

example.net IN MX 10 fortimail.example.net
fortimail IN A 10.10.10.1
webrelease IN A 10.10.10.1
1 IN PTR fortimail.example.net.

where:

  • example.net is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail unit is the mail gateway
  • fortimail.example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI and to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit
  • webrelease is the web release host name; in the A record of the zone file for example.info, it resolves to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.10.1 is the public IP address of the FortiMail unit; the PTR record for it belongs in the reverse zone for the 10.10.10.0/24 subnet
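The MX, A and PTR records above are easy to get subtly wrong: a leftover secondary MX lets external MTAs deliver around a server-mode unit, a missing PTR makes reverse lookups by remote SMTP servers fail, and a web release host name without an A record breaks the links in every spam report. The Python below is an added example, not FortiMail code or Fortinet tooling, that checks those conditions for both the server-mode records under "Configuring DNS records for protected domains" and the transparent-mode Case 1/Case 2 records. The zone fragments are constructed in the shape of the guide's examples and are not a real zone; run it against a zone export from your own DNS.

```python
"""MX / A / PTR consistency check for a FortiMail deployment.

Added example, not FortiMail code or Fortinet tooling.  It checks the
records the guide asks for:
  - the protected domain's MX points at the FortiMail unit's FQDN
  - that FQDN has an A record
  - the address has a PTR that maps back to the same FQDN (forward-confirmed
    reverse DNS, so remote SMTP servers' reverse lookups succeed)
  - in server mode, no other MX exists that would let external MTAs bypass
    the unit
  - an optional web-release host name (Case 2) also has an A record
All zone data below is constructed in the shape of the guide's examples.
"""
from __future__ import annotations

import ipaddress


def parse_zone(text: str, origin: str) -> list[tuple[str, str, list[str]]]:
    """Parse 'owner IN TYPE rdata...' lines from a zone-file fragment.

    '@' means the origin, a relative owner is qualified with the origin,
    trailing dots are dropped, and ';' starts a comment.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _cls, rtype, *rdata = line.split()
        if owner == "@":
            owner = origin
        elif not owner.endswith(".") and owner != origin:
            owner = f"{owner}.{origin}"
        records.append((owner.rstrip("."), rtype.upper(), rdata))
    return records


def check_mail_dns(records, protected_domain: str, fortimail_fqdn: str,
                   web_release_host: str | None = None,
                   server_mode: bool = True) -> list[str]:
    """Return a list of findings; an empty list means the records are consistent."""
    addr: dict[str, list[str]] = {}
    mx: dict[str, list[tuple[int, str]]] = {}
    ptr: dict[str, str] = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr.setdefault(owner, []).append(rdata[0])
        elif rtype == "MX":
            mx.setdefault(owner, []).append((int(rdata[0]), rdata[1].rstrip(".")))
        elif rtype == "PTR":
            ptr[owner] = rdata[0].rstrip(".")

    findings: list[str] = []

    # MX: the protected domain must list the unit, and in server mode nothing else.
    targets = [target for _pref, target in sorted(mx.get(protected_domain, []))]
    if fortimail_fqdn not in targets:
        findings.append(f"{protected_domain}: MX does not point at {fortimail_fqdn}; "
                        "external MTAs cannot deliver through the unit")
    if server_mode:
        for target in targets:
            if target != fortimail_fqdn:
                findings.append(f"{protected_domain}: extra MX {target} lets mail bypass the FortiMail unit")

    # A record for the unit, and a PTR that maps each address back to the same name.
    if fortimail_fqdn not in addr:
        findings.append(f"{fortimail_fqdn}: no A record")
    for ip in addr.get(fortimail_fqdn, []):
        back = ptr.get(ipaddress.ip_address(ip).reverse_pointer)  # e.g. 1.10.10.10.in-addr.arpa
        if back != fortimail_fqdn:
            findings.append(f"{ip}: PTR is {back or 'missing'}, expected {fortimail_fqdn}; "
                            "reverse lookups by external SMTP servers will fail")

    # Case 2: the web release host name must resolve, or spam-report links break.
    if web_release_host and web_release_host not in addr:
        findings.append(f"{web_release_host}: no A record, web release links in spam reports will not resolve")
    return findings


# Constructed zone fragments mirroring the guide's server-mode example.
FORWARD_ZONE = """
@          IN MX  10 fortimail.example.com.
fortimail  IN A   10.10.10.1
"""
REVERSE_ZONE = """
1 IN PTR fortimail.example.com.
"""
# Same forward zone with a stale second MX left in place (the bypass case).
BYPASS_ZONE = FORWARD_ZONE + """
@          IN MX  20 legacy-mx.example.com.
legacy-mx  IN A   10.10.10.2
"""


def server_mode_records(zone: str = FORWARD_ZONE):
    """Forward zone for example.com plus the reverse zone for 10.10.10.0/24."""
    return parse_zone(zone, "example.com") + parse_zone(REVERSE_ZONE, "10.10.10.in-addr.arpa")


if __name__ == "__main__":
    for label, zone in (("clean", FORWARD_ZONE), ("stale MX", BYPASS_ZONE)):
        result = check_mail_dns(server_mode_records(zone), "example.com", "fortimail.example.com")
        print(label, result or "OK")
```

Pass server_mode=False for a transparent-mode unit, where the protected domain's existing MX records stay in place and only the unit's own A and PTR records are at issue; the extra-MX finding is then suppressed. The PTR comparison is exact, so a reverse zone that names the host with different capitalisation or a trailing label will be reported, which is what a remote server doing a strict forward-confirmed check would also see.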

Configuring a private DNS server

Consider providing a private DNS server on your local network to improve performance with features that use DNS queries.

Figure 11:Public and private DNS servers (transparent mode)

Figure 11 shows two DNS servers for the email domain example.com: the private DNS server resolves mail.example.com to the internal address 172.16.1.10, the public DNS server resolves it to the public address 10.10.10.1, and both carry the record example.com IN MX 10 mail.example.com.

In some situations, a private DNS server may be required. If:

  • you configure the FortiMail unit to use a private DNS server, and
  • both the FortiMail unit and the protected SMTP server reside on the internal network, with private network IP addresses, and
  • you enable the Use MX record option

you should configure the A records on the private DNS server and public DNS server differently: the private DNS server must resolve the domain names of the SMTP servers into private IP addresses, while the public DNS server must resolve them into public IP addresses.

For example, if both a FortiMail unit (fortimail.example.com) operating in transparent mode and the SMTP server reside on your private network behind a router or firewall as illustrated in Figure 7 on page 53, and the Use MX record option is enabled, Table 9 on page 81 illustrates differences between the public and private DNS servers for the authoritative DNS records of example.com.

Table 9: Public versus private DNS records when “Use MX Record” is enabled

Private DNS server:
  example.com IN MX 10 mail.example.com
  mail IN A 172.16.1.10
  10 IN PTR fortimail.example.com

Public DNS server:
  example.com IN MX 10 mail.example.com
  mail IN A 10.10.10.1
  1 IN PTR fortimail.example.com

The PTR owner is the host octet of the address in the respective reverse zone (10 for 172.16.1.10, 1 for 10.10.10.1).

If you choose to add a private DNS server, to configure the FortiMail unit to use it, go to System > Network > DNS in the advanced mode of the web UI.

