Tag Archives: fortimail documentation

Configuring Mail Settings

Configuring mail settings

The Mail Settings menu lets you configure the basic email settings of the FortiMail unit (such as the port number of the FortiMail SMTP relay/proxy/server), plus how to handle connections and how to manage the mail queues.

This section includes:

  • Configuring the built-in MTA and mail server
  • Configuring protected domains
  • Managing the address book (server mode only)
  • Sharing calendars and address books (server mode only)
  • Migrating email from other mail servers (server mode only)
  • Configuring proxies (transparent mode only)

Configuring the built-in MTA and mail server

Go to Mail Settings > Settings to configure assorted settings that apply to the SMTP server and webmail server that are built into the FortiMail unit.

This section includes:

  • Configuring mail server settings
  • Configuring global disclaimers
  • Configuring disclaimer exclusion list
  • Selecting the mail data storage location

Configuring mail server settings

Use the mail server settings to configure SMTP server/relay settings of the System domain, which is located on the local host (that is, your FortiMail unit).

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure local SMTP server settings

  1. Go to Mail Settings > Settings > Mail Server Settings.

A multisection page appears.

Page 366

Figure 153:Mail Server Settings tab

  1. Configure the following sections as needed:
  • “Configuring local host settings” on page 368
  • “Configuring SMTP relay hosts” on page 373
  • “Configuring deferred message delivery” on page 371
  • “Configuring DSN options” on page 369
  • “Configuring mail queue setting” on page 370
  • “Configuring domain check options” on page 372

Configuring local host settings

Provide the name and SMTP information for the mail server.

GUI item Description
Host name Enter the host name of the FortiMail unit.

Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<host-name>.<local-domain-name>

such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name.

Note: The FQDN of the FortiMail unit should be different from that of protected SMTP servers. If the FortiMail unit uses the same FQDN as your mail server, it may become difficult to distinguish the two devices during troubleshooting.

Note: You should use a different host name for each FortiMail unit, especially when you are managing multiple FortiMail units of the same model, or when configuring a high availability (HA) cluster. This will let you to distinguish between different members of the cluster. If the FortiMail unit is in HA mode, the FortiMail unit will add the host name to the subject line of alert email messages. For details, see “Configuring alert email” on page 682.

Local domain name Enter the local domain name to which the FortiMail unit belongs.

The local domain name is used in many features such as email quarantine, Bayesian database training, quarantine report, and delivery status notification (DSN) email messages.

Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<host-name>.<local-domain-name>

such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name.

Note: The IP address should be globally resolvable into the FQDN of the FortiMail unit if it will relay outgoing email. If it is not globally resolvable, reverse DNS lookups of the FortiMail unit’s domain name by external SMTP servers will fail. For quarantine reports, if the FortiMail unit is operating in server mode or gateway mode, DNS records for the local domain name may need to be globally resolvable to the IP address of the FortiMail unit. If it is not globally resolvable, web and email release/delete for the per-recipient quarantines may fail. For more information on configuring required DNS records, see “Setting up the system” on page 25.

Note: The Local domain name is not required to be different from or identical to any protected domain. It can be a subdomain or different, external domain.

For example, a FortiMail unit whose FQDN is fortimail.example.com could be configured with the protected domains example.com and accounting.example.net.

SMTP server port number Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.
GUI item Description
SMTP over SSL/TLS Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted.

Note: This option must be enabled to receive SMTPS connections. However, it does not require them. To enforce client use of SMTPS, see “Configuring access control rules” on page 456.

SMTPS server port number Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections. The default port number is 465.

This option is unavailable if SMTP over SSL/TLS is disabled.

SMTP MSA

service

Enable let your email clients use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476.

SMTP MSA port number Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery. The default port number is 587.
POP3 server port number Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.

This option is available only if the FortiMail unit is operating in server mode.

Default domain for

authentication

If you set one domain as the default domain, users on the default domain only need to enter their user names without the domain part for webmail/SMTP/IMAP/POP3 authentication, such as user1. Users on the non-default domains must enter both the user name part and domain part to authentication, such as user2@example.com.

Webmail access Enable to redirect HTTP webmail access to HTTPS.

Configuring DSN options

Use this section to configure mail server delivery status notifications.

For information on failed deliveries, see “Managing the deferred mail queue” on page 179 and “Managing undeliverable mail” on page 181.

For more information on DSN, see “Managing the deferred mail queue” on page 179.

GUI item Description
DSN (NDR) email generation Enable to allow the FortiMail unit to send DSN messages to notify email users of delivery delays and/or failure.
GUI item Description
Sender displayname Displays the name of the sender, such as FortiMail administrator, as it should appear in DSN email.

If this field is empty, the FortiMail unit uses the default name of postmaster.

Sender address Displays the sender email address in DSN.

If this field is empty, the FortiMail unit uses the default sender email address of postmaster@<domain_str>, where <domain_str> is the domain name of the FortiMail unit, such as example.com.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Transparent Mode Deployment

Transparent mode deployment

The following procedures and examples show you how to deploy the FortiMail unit in transparent mode.

  • Configuring DNS records
  • Example 1: FortiMail unit in front of an email server
  • Example 2: FortiMail unit in front of an email hub
  • Example 3: FortiMail unit for an ISP or carrier

Configuring DNS records

If the FortiMail unit is operating in transparent mode, in most cases, configuring DNS records for protected domain names is not required. Proper DNS records for your protected domain names are usually already in place. However, you usually must configure public DNS records for the FortiMail unit itself.

For performance reasons, and to support some configuration options, you may also want to provide a private DNS server for exclusive use by the FortiMail unit.

This section includes the following:

  • Configuring DNS records for the FortiMail unit itself
  • Configuring a private DNS server

Configuring DNS records for the FortiMail unit itself

In addition to that of protected domains, the FortiMail unit must be able to receive web connections, and send and receive email, for its own domain name. Dependent features include:

  • delivery status notification (DSN) email
  • spam reports
  • email users’ access to their per-recipient quarantined mail
  • FortiMail administrators’ access to the web UI by domain name
  • alert email
  • report generation notification email

For this reason, you should also configure public DNS records for the FortiMail unit itself.

Appropriate records vary by whether or not Web release host name/IP (located in AntiSpam > Quarantine > Quarantine Report in the advanced mode of the web UI) is configured:

  • Case 1: Web Release Host Name/IP is empty/default
  • Case 2: Web Release Host Name/IP is configured

Unless you have enabled both Hide the transparent box in each protected domain and Hide this box from the mail server in each session profile, the FortiMail unit is not fully transparent in SMTP sessions: the domain name and IP address of the FortiMail unit may be visible to SMTP servers, and they might perform reverse lookups. For this reason, public DNS records for the FortiMail unit usually should include reverse DNS (RDNS) records.

Case 1: Web Release Host Name/IP is empty/default

When Web release host name/IP is not configured (the default), the web release/delete links that appear in spam reports use the fully qualified domain name (FQDN) of the FortiMail unit. For example, if the FortiMail unit’s host name is fortimail, and its local domain name is example.net, resulting in the FQDN fortimail.example.net, a spam report’s default web release link might look like (FQDN highlighted in bold):

https://fortimail.example.net/releasecontrol?release=0%3Auser2%40examp le.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2N TkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

In the DNS configuration to support this and the other DNS-dependent features, you would configure the following three records:

example.net IN MX 10 fortimail.example.net fortimail IN A 10.10.10.1 1 IN PTR fortimail.example.net.

where:

  • net is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail is the mail gateway
  • example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI, email users’ access to their per-recipient quarantines, to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit, and to resolve to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.1 is the public IP address of the FortiMail unit

Case 2: Web Release Host Name/IP is configured

You could configure Web release host name/IP to use an alternative fully qualified domain name (FQDN) such as webrelease.example.info instead of the configured FQDN, resulting in the following web release link (web release FQDN highlighted in bold):

https://webrelease.example.info/releasecontrol?release=0%3Auser2%40exa mple.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM 2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

Then, in the DNS configuration to support this and the other DNS-dependent features, you would configure the following MX record, A records, and PTR record (unlike “Case 1: Web Release Host Name/IP is empty/default” on page 52, in this case, two A records are required; the difference is highlighted in bold):

example.net IN MX 10 fortimail.example.net fortimail IN A 10.10.10.1 webrelease IN A 10.10.10.1 1 IN PTR fortimail.example.net.

where:

  • net is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail is the mail gateway
  • example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI and to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit
  • webrelease is the web release host name; in the A record of the zone file for example.info, it resolves to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.1 is the public IP address of the FortiMail unit

Configuring a private DNS server

Consider providing a private DNS server on your local network to improve performance with features that use DNS queries.

Figure 11:Public and private DNS servers (transparent mode)

172.16.1.10                                       Private DNS Server Public DNS Server

Email Domain: example.com IN MX 10 mail.example.com example.com IN MX 10 mail.example.com

@example.com mail IN A 172.16.1.10 mail IN A 10.10.10.1

In some situations, a private DNS server may be required. If:

  • you configure the FortiMail unit to use a private DNS server, and
  • both the FortiMail unit and the protected SMTP server reside on the internal network, with private network IP addresses, and • you enable the Use MX record option you should configure the A records on the private DNS server and public DNS server differently: the private DNS server must resolve to the domain names of the SMTP servers into private IP addresses, while the public DNS server must resolve them into public IP addresses.

For example, if both a FortiMail unit (fortimail.example.com) operating in transparent mode and the SMTP server reside on your private network behind a router or firewall as illustrated in Figure 7 on page 53, and the Use MX record option is enabled, Table 9 on page 81 illustrates differences between the public and private DNS servers for the authoritative DNS records of example.com.

Table 9: Public versus private DNS records when “Use MX Record” is enabled

Private DNS server Public DNS server
example.com IN MX 10 mail.example.com example.com IN MX 10 mail.example.com
mail IN A 172.16.1.10 mail IN A 10.10.10.1
10 IN PTR fortimail.example.com 1 IN PTR fortimail.example.com

If you choose to add a private DNS server, to configure the FortiMail unit to use it, go to System > Network > DNS in the advanced mode of the web UI.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!