FortiMail - Relay Basic Configuration


Problem

There is no single place that describes exactly how FortiMail has to be configured in Relay Mode to run a secure basic mail relay in front of an existing mail server.
Here is a summary of the most important settings:

Solution

System

Network

  1. Configure your interfaces
  2. Make sure that you have configured a default gateway

Port Forwarding

FortiMail is able to forward traffic from the Internet to the local LAN (DNAT / port forwarding). For more information see the FortiMail documentation: FortiMail Doc

FortiGate

A FortiGate is able to redirect SMTP traffic through a WCCP tunnel to the FortiMail for scanning. For more information see the Fortinet documentation: FortiDoc

Configuration

  1. Set the correct time zone
  2. Configure your password policy
  3. Change the admin ports to non-default ports
  4. Configure the SNMP settings if you need them

Mail Settings

  1. Set the hostname and the local domain name. Together they form the FQDN of the FortiMail.
  2. Activate the SMTP MSA (mail submission) service, so that mail submission by clients uses a separate port (the submission port, TCP 587) from mail transfer between mail servers (TCP 25). This lets you require authentication on the submission port without affecting server-to-server transfer.

FortiGuard

  1. Activate the License

Domain & User

Domain

Configure your domain as a new protected domain. The following settings are important:
  • Domain name
  • Host, i.e. the address of the internal mail server that receives the mail (or another relay type, depending on your environment)
  • Enable Recipient Address Verification, so that FortiMail rejects unknown recipients at RCPT TO instead of accepting the mail and bouncing it later (backscatter)
  • Enable Automatic Removal of Invalid Quarantine Accounts

These settings enable forwarding of mail for the domain to the internal mail server. Optionally you can activate Relay Authentication; for that you need a dedicated user account on the mail server that is used only for relaying.

User

Because FortiMail runs in relay mode, you do not need to create the users on the FortiMail. Nevertheless, per-user settings such as quarantine can be configured here. You can find more information in the documentation.

Policy

First, it is very important to understand how the policies work. In short:
  • Access Control: controls the SMTP traffic after FortiMail has accepted the TCP connection. These rules decide, based on source, sender, recipient and authentication state, what happens to a message (relayed, rejected, discarded). There are separate rule sets for receiving and for delivery.
  • IP-Policy: controls the connections in general: who is allowed to connect to the FortiMail and with which limitations (Session Profile), and which profiles are applied to the session.
  • Recipient Policy: these rules match on the envelope recipient of the SMTP "RCPT TO:" command (not on a mail header). It is the only place where a Resource Profile can be assigned.
Read the manual for in-depth information. It is very important to understand how the policies work!

TIP:
  • Use IP policies wherever possible. Recipient policies make the evaluation complicated and are often not needed.
IMPORTANT:
Never create an access control rule on a FortiMail in relay mode that relays mail from any source and any sender to any recipient without authentication.
If you allow all mail from anywhere, with all senders and all recipients, you create an open relay and anyone in the world can use your FortiMail as a relay host! NEVER DO THAT!
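The check a practitioner wants after configuring the rules is to prove, from outside, that the relay is closed. The following is an added example and not FortiMail code: an open-relay probe that opens an unauthenticated SMTP session, tries an external sender and an external recipient, and stops after RCPT TO so no message is ever delivered. To make it runnable offline, it also contains a tiny stand-in SMTP server that mimics a relay's accept/deny decision (accept RCPT TO only for protected domains). Host names, addresses and domains are constructed for the example.

```python
"""Added example, not FortiMail code: an open-relay probe that stops after
RCPT TO (no message is sent), plus a tiny stand-in SMTP server that mimics
a relay's accept/deny decision so the probe can be exercised offline.
Addresses and domains are constructed for illustration."""
import smtplib
import socketserver
import threading

EXTERNAL_SENDER = "probe@example.org"     # constructed: not one of our domains
EXTERNAL_RECIPIENT = "probe@example.net"  # constructed: a domain we do not protect


def probe_rcpt(host, port, mail_from, rcpt_to, timeout=10):
    """Open an unauthenticated SMTP session and return the reply code the
    server gives to RCPT TO for the given sender/recipient pair."""
    with smtplib.SMTP(host, port, local_hostname="probe.example.org",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return code
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()                      # never reach DATA: nothing is delivered
        return code


def is_open_relay(host, port, timeout=10):
    """True if an external sender may relay to an external domain without
    authenticating, which is exactly the misconfiguration warned about above."""
    return probe_rcpt(host, port, EXTERNAL_SENDER, EXTERNAL_RECIPIENT, timeout) == 250


class _Handler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: RCPT TO is accepted for protected domains only,
    unless the server was deliberately started as an open relay."""

    def handle(self):
        self.wfile.write(b"220 fake-fortimail ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self.wfile.write(b"250 fake-fortimail\r\n")
            elif cmd == "MAIL":
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif cmd == "RCPT":                      # arg is "TO:<user@domain>"
                addr = arg.partition(":")[2].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if self.server.open_relay or domain in self.server.protected_domains:
                    self.wfile.write(b"250 2.1.5 Ok\r\n")
                else:
                    self.wfile.write(b"554 5.7.1 Relay access denied\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:                                    # RSET, NOOP, ...
                self.wfile.write(b"250 2.0.0 Ok\r\n")


class FakeFortiMail(socketserver.ThreadingTCPServer):
    """Stand-in MTA listening on an ephemeral loopback port."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, protected_domains, open_relay=False):
        super().__init__(("127.0.0.1", 0), _Handler)
        self.protected_domains = {d.lower() for d in protected_domains}
        self.open_relay = open_relay
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


if __name__ == "__main__":
    for open_relay in (False, True):
        srv = FakeFortiMail({"example.com"}, open_relay)
        print("open_relay=%s -> is_open_relay: %s"
              % (open_relay, is_open_relay("127.0.0.1", srv.port)))
        srv.stop()
```

Against a real FortiMail, call is_open_relay with its public address and port 25 from a host outside your internal network: a probe from the LAN would match the rule for the internal mail server and tell you nothing. Expect a 5xx reply such as "554 5.7.1 Relay access denied" for the external recipient and 250 for a recipient in your protected domain.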


Order of execution of policies

  1. The FortiMail unit looks for a matching IP-based policy.
  2. The FortiMail unit looks for a matching recipient policy.
  3. The recipient policy is applied first (unless Take precedence over recipient based policy match is enabled in the IP-based policy).
  4. The IP-based policy is applied only for settings that the recipient policy does not set. It does not override the recipient policy's settings.
  5. If the connection is allowed, evaluation continues with the access control rules.
Important to know:
  • If the connection matches neither an IP-based policy nor a recipient policy, it is still allowed, but no antivirus or antispam profiles are applied!
  • If the session matches no access control rule, the implicit default applies: mail to a protected (local) domain is accepted, mail to any other domain is refused as relay denied.

Examples

IP-Policy

The first rule enables outgoing mail (with SMTP authentication). The second rule allows incoming mail from anywhere. The last two rules block all other connections, one for IPv4 and one for IPv6. Rules are evaluated top down and the first match wins, so the order matters.

Recipient Policy

Disable all inbound and outbound recipient policies.

Access-Control

The first rule allows outgoing mail only when it comes from the internal mail server. The second rule allows all incoming mail from external senders to the protected domain. The last rule rejects all unauthenticated mail from anywhere else.
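To make the order of execution from the previous section and the example rule set above concrete, here is an added example (not FortiMail code) that models the evaluation as this post describes it: first IP-based policy, first recipient policy, recipient settings winning unless the IP policy takes precedence, then first matching access control rule with the implicit default of relaying only to protected domains. The model is simplified (IP policies match on source only, actions are reduced to scan/reject and relay/reject), and the IPs, domains and profile names are constructed; the "block the rest" IP rules are omitted because, with the inbound rule matching any source, they would never be reached in this model.

```python
"""Added example, not FortiMail code: a small model of the policy evaluation
order this post describes, with the example rule set encoded as data.
All IPs, domains and profile names are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IPPolicy:
    source: str                     # CIDR or "any"
    action: str                     # "scan" or "reject" (simplified)
    profiles: dict = field(default_factory=dict)
    take_precedence: bool = False   # "Take precedence over recipient based policy match"


@dataclass
class RecipientPolicy:
    recipient_domain: str           # domain or "any"
    profiles: dict = field(default_factory=dict)


@dataclass
class AccessRule:
    source: str                     # CIDR or "any"
    recipient_domain: str           # domain or "any"
    authenticated: str              # "yes", "no" or "any"
    action: str                     # "relay" or "reject" (simplified)


def _src_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def evaluate(ip_policies, recipient_policies, access_rules, protected_domains,
             src_ip, rcpt_to, authenticated):
    """Return (decision, effective_profiles) for one RCPT TO."""
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    # 1. first matching IP-based policy
    ip_pol = next((p for p in ip_policies if _src_match(p.source, src_ip)), None)
    if ip_pol is not None and ip_pol.action == "reject":
        return "reject", {}
    # 2. first matching recipient policy
    rcpt_pol = next((p for p in recipient_policies
                     if p.recipient_domain.lower() in ("any", rcpt_domain)), None)
    # 3./4. recipient policy settings win; the IP policy only fills the gaps,
    #       unless the IP policy takes precedence
    profiles = {}
    if ip_pol is not None and rcpt_pol is not None:
        low, high = (rcpt_pol, ip_pol) if ip_pol.take_precedence else (ip_pol, rcpt_pol)
        profiles = {**low.profiles, **high.profiles}
    elif ip_pol is not None:
        profiles = dict(ip_pol.profiles)
    elif rcpt_pol is not None:
        profiles = dict(rcpt_pol.profiles)
    # no policy matched at all: the session is still allowed, with NO profiles
    # 5. first matching access control rule
    auth = "yes" if authenticated else "no"
    for rule in access_rules:
        if (_src_match(rule.source, src_ip)
                and rule.recipient_domain.lower() in ("any", rcpt_domain)
                and rule.authenticated in ("any", auth)):
            return rule.action, profiles
    # implicit default when nothing matches: relay only to protected domains
    return ("relay" if rcpt_domain in protected_domains else "reject"), profiles


# The rule set from the Examples section, with constructed values.
PROTECTED_DOMAINS = {"example.com"}
INTERNAL_MAIL_SERVER = "10.0.0.0/24"        # constructed internal LAN
EXAMPLE_IP_POLICIES = [
    IPPolicy(INTERNAL_MAIL_SERVER, "scan", {"session": "outbound", "auth": "ldap"}),
    IPPolicy("any", "scan", {"session": "inbound", "antispam": "default"}),
]
EXAMPLE_RECIPIENT_POLICIES = []             # disabled, as recommended above
EXAMPLE_ACCESS_RULES = [
    AccessRule(INTERNAL_MAIL_SERVER, "any", "any", "relay"),   # outbound from our server
    AccessRule("any", "example.com", "any", "relay"),          # inbound to protected domain
    AccessRule("any", "any", "no", "reject"),                  # everything else, unauthenticated
]


def decide(src_ip, rcpt_to, authenticated=False):
    return evaluate(EXAMPLE_IP_POLICIES, EXAMPLE_RECIPIENT_POLICIES, EXAMPLE_ACCESS_RULES,
                    PROTECTED_DOMAINS, src_ip, rcpt_to, authenticated)


if __name__ == "__main__":
    for case in [("10.0.0.25", "bob@example.net"), ("203.0.113.9", "alice@example.com"),
                 ("203.0.113.9", "bob@example.net")]:
        print(case, "->", decide(*case))
```

Two things the model makes visible that the screenshots cannot: a session that matches no IP or recipient policy still gets through the access control rules, only without any scanning profile, and the effective profiles come from the recipient policy unless the IP policy explicitly takes precedence.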

Profiles

The different security profiles give you a lot of options. With the default profiles you can already work securely. Please read the guide for more information about the different options: Link to the guide

More Options

In this post I focused on the important settings to run the FortiMail in Relay Mode successfully. FortiMail has a lot more features; please read the guide to find out more. ;)
