
FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42

Description: FortiMail_Student_Guide-online


DO NOT REPRINT © FORTINET

FortiMail 5.3.8
Student Guide for FortiMail 5.3.8

FortiMail Student Guide for FortiMail 5.3.8
Last Updated: 13 April 2017

We would like to acknowledge the following major contributors: Carl Windsor, Khalid Hassan, Michał Kułakowski and Laurent Blossier

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright © 2002 - 2017 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

Table of Contents

VIRTUAL LAB BASICS
    Network Topology
    Lab Environment
    System Checker
    Logging In
    Disconnections/Timeouts
    Transferring Files to the VM
    Screen Resolution
    International Keyboards
    Student Tools: View Broadcast and Raise Hand
    Troubleshooting Tips

LAB 1—INITIAL SETUP
    Objectives
    Time to Complete
    1 Verifying DNS Records
    2 Configuring a Server Mode FortiMail
    3 Configuring a Gateway Mode FortiMail

LAB 2—ACCESS CONTROL AND POLICIES
    Objectives
    Time to Complete
    1 Outbound Email Flow
    2 Relay Host
    3 Policy Usage Tracking
    4 Policy Creation

LAB 3—AUTHENTICATION
    Objectives
    Time to Complete
    Prerequisites
    1 User Authentication Enforcement
    2 LDAP Operations

LAB 4—SESSION MANAGEMENT
    Objectives
    Time to Complete
    Prerequisites
    1 Connection Limits
    2 Sender Address Rate Control
    3 Header Manipulation

LAB 5—ANTIVIRUS
    Objectives
    Time to Complete
    1 Antivirus Scanning for Malware Detection

LAB 6—CONTENT INSPECTION
    Objectives
    Time to Complete
    1 Content Inspection
    2 Data Loss Prevention

LAB 7—ANTISPAM
    Objectives
    Time to Complete
    Prerequisites
    1 Scan Incoming Email for Spam
    2 Testing the Antispam Configuration
    3 User Quarantine Management
    3 Scan Outgoing Email for Spam

LAB 8—SECURING COMMUNICATIONS
    Objectives
    Time to Complete
    1 Implementing SMTPS
    2 Implementing Content-Inspection-Based IBE
    2 Accessing IBE Emails

LAB 9—HIGH AVAILABILITY
    Objectives
    Time to Complete
    Prerequisites
    1 Configure the Primary FortiMail
    2 Configure the Secondary FortiMail
    3 Verify Cluster Health
    4 Configure HA Virtual IP
    5 Remote Services Monitoring

LAB 10—SERVER MODE
    Objectives
    Time to Complete
    Prerequisites
    1 Configure Resource Profiles
    2 Address Book LDAP Import

LAB 11—TRANSPARENT MODE
    Objectives
    Time to Complete
    1 Configuring a Transparent Mode FortiMail
    2 Configuring Bidirectional Transparency

LAB 12—MAINTENANCE
    Objectives
    Time to Complete
    1 Configure and Generate Local Reports
    2 Monitoring System Resource Use
    3 Local Storage Management

LAB 13—TROUBLESHOOTING
    Objectives
    Time to Complete
    Prerequisites
    1 Troubleshooting the Problem
    2 Fix the problem

APPENDIX A: ADDITIONAL RESOURCES

APPENDIX B: PRESENTATION SLIDES
    1 Email Concepts
    2 Basic Setup
    3 Access Control and Policies
    4 Authentication
    5 Session Management
    6 Antivirus & Content Inspection
    7 Antispam
    8 Securing Communications
    9 High Availability
    10 Server Mode
    11 Transparent Mode
    12 Maintenance & Troubleshooting

Virtual Lab Basics

In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different lab, such as devices physically located in your classroom, please ignore this section. This applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote datacenters that allow each student to have their own training lab environment, or point of delivery (PoD).

System Checker

Before starting any class, check whether your computer can successfully connect to the remote datacenters. The System Checker verifies that your network connection and your web browser are reliable enough to connect to the virtual lab.

You do not have to be logged in to the lab portal to run the System Checker.

To run the System Checker

1. Click the URL for your location:

    Region                                   System Checker
    AMER - North and South America           https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
    EMEA - Europe, Middle East and Africa    https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
    APAC - Asia and Pacific                  https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC

If your computer successfully connects to the virtual lab, the Browser Check and Network Connection Check each display a check mark icon. You can then proceed to log in.

If any of the tests fail:
- Browser Check: This affects your ability to access the virtual lab environment.
- Network Connection Check: This affects the usability of the virtual lab environment.

For solutions, click the Support Knowledge Base link or ask your trainer.

Logging In

Once you confirm through the System Checker that your system can successfully run the labs, you can proceed to log in.

To log in to the remote lab

1. With the user name and password provided by your trainer, you can either:
   - Log in from the Login access at the bottom of the System Checker's result.
   - Log in at the URL for the virtual lab provided by your trainer:
       https://remotelabs.training.fortinet.com/
       https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update. This ensures that your class schedule is accurate.
   Click Enter Lab.
   Your system dashboard will appear, listing the virtual machines in accordance with your lab topology.
3. From this page, open a connection to any virtual appliance by doing one of the following:
   - Clicking the device's square (thumbnail)
   - Selecting Open from the System drop-down list associated with the VM you want to access.

Note: Follow the same procedure to access any of your virtual devices.

A new web browser tab opens, granting you access to the virtual device. When you open a VM, your browser uses HTML5 to connect to it.

Depending on the virtual machine you select, the web browser provides access to either a text-based CLI or the GUI.

Connections to the Windows VM use a Remote Desktop-like GUI. The web-based connection should automatically log in and then display the Windows desktop.

For most lab exercises, you will connect to this Windows VM.

Disconnections/Timeouts

If your computer's connection with the virtual machine times out, or if you are accidentally disconnected, return to the initial window/tab that contains your session's list of VMs and open the VM again to regain access.

If that does not succeed, see the Troubleshooting Tips section of this guide.

Transferring Files to the VM

If you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to download them to your Windows VM.

From there, if required, you can use a web browser to upload them to the Fortinet VMs' GUI.

When connecting to a VM, your browser should then open a display in a new applet window.

Screen Resolution

Some Fortinet devices' user interfaces require a minimum screen size.

In the HTML5 client, to configure screen resolution, open the System menu.

International Keyboards

If characters in your language don't display correctly, keyboard mappings may not be correct.

To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to display an on-screen keyboard.

Student Tools: View Broadcast and Raise Hand

Your instructor is able to broadcast his lab systems in order to allow students to see any ongoing task in real time. When an instructor begins a broadcast, you will receive an alert at the top of all open lab pages.

To accept and view the broadcast, you may either click the notification message or click View Broadcast on the left side panel.

If you have any question or issue, use the Raise Hand tool. Your instructor will be notified and will assist you.

Troubleshooting Tips

- Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections. For best performance, use a stable broadband connection such as a LAN.
- Prepare your computer's settings by disabling screen savers and changing the power saving scheme, so that your computer is always on, and does not go to sleep or hibernate.
- If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), please attempt to reconnect. If unable to reconnect, please notify the instructor.
- If you can't connect to a VM, on the VM's icon, you can force the VM to start up by clicking System > Power Cycle. This fixes most problems. If that does not solve the problem, revert the VM to its initial state by clicking System > Revert to Initial State.

  Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions first.

- If during the labs, particularly when reloading configuration files, you see a limited management GUI similar to the one shown below, the VM is waiting for a response from the authentication server. To retry immediately, go to Maintenance > FortiGuard > Update, and click Update Now.

  If the authentication server response is received, you should be redirected to the login page. If you don't see the above prompt, wait a few minutes and try again, or ask your trainer.

LAB 1—Initial Setup

In this lab, you will verify the DNS MX records for both of the lab domains, perform the initial configuration tasks for the FortiMail VMs installed in the internal.lab domain for inbound email, and configure an email client to connect to a server mode FortiMail. Then, you will issue basic SMTP commands and inspect email headers to understand the flow of SMTP.

Objectives

- Verify DNS MX records for the lab domains
- Configure the initial system and email settings on the server mode FortiMail
- Configure the initial system and email settings on the gateway mode FortiMail
- Manually send basic SMTP commands to an email server to understand the SMTP protocol

Time to Complete

Estimated: 45 minutes

1 Verifying DNS Records

DNS is a critical component in routing email messages. In this exercise, you will use Windows DOS commands to verify the published DNS MX records for both the internal.lab and external.lab domains, to understand the lab network mail routing.

To verify MX records

1. In Windows, open a command prompt window, and then enter the following command to display the MX records associated with the external.lab domain:

       nslookup -type=mx external.lab

   You should receive an output similar to the following:

   What is the primary MX record for the external.lab domain? ___________________________
   What is the secondary MX record for the external.lab domain? ___________________________

   Note: As indicated in the nslookup query output, there is only one MX record associated with the external.lab domain.

       extsrv.external.lab MX preference = 10

   Therefore, all email messages sent to the external.lab domain must be sent to the extsrv.external.lab (10.0.1.99) host.

2. In the same command prompt window, enter the following command to display the MX records associated with the internal.lab domain:

       nslookup -type=mx internal.lab

   You should receive an output similar to the following:

   What is the primary MX record for the internal.lab domain? ___________________________
   What is the secondary MX record for the internal.lab domain? ___________________________

   Note: As indicated in the nslookup query output, there are two MX records associated with the internal.lab domain.

       intgw.internal.lab MX preference = 10
       intsrv.internal.lab MX preference = 20

   The intgw.internal.lab (10.0.1.11) host is the primary MTA for the internal.lab domain because it has the lowest preference value. However, at this point in the lab, you haven't configured the IntGW FortiMail VM to process email; therefore, it won't respond to any SMTP sessions. When the TCP connection fails, the remote sender will automatically try to send email to the next MX record on the list: intsrv.internal.lab (10.0.1.99).

3. Close the command prompt window.

Caution: In the lab network, the MX records for the internal.lab domain are geared for convenience, and should not be used as a template for real-world deployments. Since the back-end mail server might not have the full range of email security features enabled, publishing it as a secondary MX entry is detrimental to security. Spammers can easily identify and exploit these servers using MX records. Publishing the back-end mail server as a secondary MX entry will also prevent certain FortiMail features, such as greylisting and sender reputation, from working effectively.
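The check below is an added example, not part of the Fortinet guide. It turns the Caution above into an audit: it parses nslookup-style MX lines, orders them the way a sending MTA tries them, and reports any published MX host that is not a filtering gateway. The sample output and the GATEWAYS set are constructed from the lab's hostnames and are assumptions.

```python
import re

# Matches Windows nslookup MX lines, e.g.
#   internal.lab  MX preference = 10, mail exchanger = intgw.internal.lab
# and the shortened "host MX preference = N" form quoted in the lab notes.
MX_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+MX preference\s*=\s*(?P<pref>\d+)"
    r"(?:,\s*mail exchanger\s*=\s*(?P<host>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample output for the lab's internal.lab domain.
SAMPLE_OUTPUT = """\
Server:  UnKnown
Address:  10.0.1.254

internal.lab    MX preference = 20, mail exchanger = intsrv.internal.lab
internal.lab    MX preference = 10, mail exchanger = intgw.internal.lab
intgw.internal.lab      internet address = 10.0.1.11
intsrv.internal.lab     internet address = 10.0.1.99
"""

# Assumption: the only host that applies the full inspection policy.
GATEWAYS = {"intgw.internal.lab"}


def _norm(host):
    """Lower-case a hostname and drop any trailing root dot."""
    return host.rstrip(".").lower()


def parse_mx(nslookup_output):
    """Return [(preference, host), ...] sorted lowest preference first."""
    records = []
    for line in nslookup_output.splitlines():
        m = MX_LINE.match(line)
        if m:
            # Full form carries the exchanger in 'host'; short form in 'name'.
            records.append((int(m["pref"]), _norm(m["host"] or m["name"])))
    # Equal preferences sort alphabetically here; real senders may pick
    # among them in any order.
    return sorted(records)


def first_responder(records, reachable):
    """Host a sender ends up delivering to: lowest preference that answers."""
    for _, host in records:
        if host in reachable:
            return host
    return None


def unfiltered_mx(records, gateways):
    """Published MX hosts that are not filtering gateways."""
    allowed = {_norm(g) for g in gateways}
    return [host for _, host in records if host not in allowed]


if __name__ == "__main__":
    mx = parse_mx(SAMPLE_OUTPUT)
    print("delivery order:", [h for _, h in mx])
    # State of the lab before IntGW is configured: only IntSRV answers.
    print("receives mail now:", first_responder(mx, {"intsrv.internal.lab"}))
    print("MX hosts that skip the gateway:", unfiltered_mx(mx, GATEWAYS))
```

Any host this audit reports accepts mail directly from the Internet, so whatever inspection the gateway performs does not apply to messages delivered there.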

2 Configuring a Server Mode FortiMail

In the lab network, the IntSRV server mode FortiMail is intended to be the mail server for the internal.lab domain. It is where the end user mailboxes are, where you will perform all user-management tasks, and where you will perform tasks specific to server mode.

In this exercise, you will perform the basic configuration tasks required to establish inbound email flow on the IntSRV FortiMail VM. You will verify your configuration by sending an email from the ExtSRV FortiMail VM and then reviewing the logs. Then, you will configure a Mail User Agent (MUA) to connect to the server mode FortiMail.

To verify the operation mode

1. In Windows, open a web browser. Visit the IntSRV FortiMail's management GUI:

       https://intsrv.internal.lab/admin

   Ignore any security warnings generated by your browser. The warnings relate to the CN field and the signer of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. On the System Status page, locate the System Information widget and verify that the Operation mode is set to Server.

To configure the system settings

1. Click System > Network > Interface.
2. Select port1, and then click Edit.
3. Verify and configure the following values for port1:

       Field                     Value
       Addressing Mode:          Manual
       IP/Netmask:               10.0.1.99/24
       Access:                   HTTPS PING SSH TELNET
       Administrative status:    Up

4. Click OK.
5. Click System > Network > Routing.
6. Click New.
7. Add a new static route using the following values:

       Field                     Value
       Destination IP/netmask:   0.0.0.0/0
       Interface:                port1
       Gateway:                  10.0.1.254

8. Click Create to save the static route.
9. Click System > Network > DNS, and then configure the following DNS servers:

       Field                     Value
       Primary DNS server        10.0.1.254
       Secondary DNS server      0.0.0.0

   Note: There is only one DNS server in the lab network; therefore, you are configuring only the Primary DNS server field. However, in a production FortiMail deployment, you should configure a primary and a secondary DNS server.
10. Click Apply to save the DNS changes.

To configure the mail settings

1. Click Mail Settings > Settings > Mail Server Settings.
2. Configure the following values under Local Host:

       Field                     Value
       Host name:                IntSRV
       Local domain name:        internal.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains > Domains.
5. Click New to add a protected domain using the following values:

       Field                     Value
       Domain name:              internal.lab

6. Keep the default values for the remaining settings, and then click Create.

To create server mode users

1. Click User > User > User.
2. Click New to create a new mail user on the server mode FortiMail using the following values:

       Field                     Value
       User name:                user1
       Authentication type:      Local
       Password:                 fortinet
       Display name:             Mail User 1

3. Click Create to save the user configuration.

To verify the configuration

1. In Windows, open a new web browser tab. Visit the ExtSRV FortiMail's webmail GUI:

       https://extsrv.external.lab/

   Ignore any security warnings generated by your browser. The warnings relate to the CN field and the signer of the self-signed FortiMail certificate.
2. Log in as extuser using the password fortinet.
3. Click the Compose Mail icon, and then compose a new email message using the following values:

       Field                     Value
       To:                       [email protected]
       Subject:                  Hello World!
       Message Body:             Your configuration is successful!

4. Click Send.
5. Open a new web browser tab. Visit the IntSRV FortiMail's webmail GUI:

       https://intsrv.internal.lab/

   Ignore any security warnings generated by your browser. The warnings relate to the CN field and the signer of the self-signed FortiMail certificate.
6. Log in as user1 using the password fortinet.
7. If the test email message doesn't appear in the inbox, click Refresh.
8. Log out of the webmail interface.
9. Close the browser tab.

To review the logs

1. Visit the IntSRV FortiMail's management GUI:

       https://intsrv.internal.lab/admin

2. Click Monitor > Log > History.
3. Double-click the current log file.
4. Review the logs and verify that the system applied the appropriate Classifier and Disposition to your test email message.

To configure an MUA to connect to the server mode FortiMail

1. In Windows, open Mozilla Thunderbird. If the system prompts you to sign up for a new email address, click Skip this and use my existing email.
2. After the Mail Account Setup wizard starts, enter the account information for Mail User 1.
3. Click Continue. Thunderbird attempts to auto-configure the server settings. Click Manual Config.
4. Modify the auto-discovered Server hostname values for both Incoming and Outgoing to match the following screenshot, and then click Done.
5. Thunderbird displays a warning about unencrypted passwords. Check I understand the risks and then click Done.

   Caution: While unencrypted passwords are fine for a lab network, they should be avoided in real-world deployments.
6. Thunderbird displays a certificate security warning. Select the Permanently store this exception check box, and then click Confirm Security Exception to complete the Mail Account Setup wizard.
7. If your configuration is correct, the test email you created in the previous exercise appears in Thunderbird, in your local inbox.

DO NOT REPRINT  LAB 1—Initial Setup© FORTINET3 Configuring a Gateway ModeFortiMailIn the lab network, the IntGW gateway mode FortiMail is intended to be the MTA for the internal.labdomain. It will be the relay server for the IntSRV FortiMail, and also where most of the inspectionconfiguration tasks will be performed.In this exercise, you will perform the configuration tasks required to establish inbound email flow on theIntGW FortiMail VM. Then, you will verify your configuration by manually composing an email using atelnet session, and reviewing the headers of the email in your Thunderbird mail client.Note: Recall the DNS verification tasks you performed in the first exercise. As the MXrecords show, the intgw.internal.lab (10.0.1.11) host is the primary MTA for theinternal.lab main. So, all email messages should be sent to the IntGW FortiMail first forprocessing. The IntGW FortiMail will then pass the email to the IntSRV FortiMail VM fordelivery to the end user.To configure the system settings1. On the My Systems page, click IntGW. This opens a new tab with the console of the IntGW FortiMail VM.2. Click anywhere in the console window, and then press the Enter key.3. Log in as admin and leave the password field empty.4. Configure the port1 IP address, subnet mask, and access options using the following CLI commands: config system interface edit port1 set ip 10.0.1.11/24 set allowaccess https ping ssh telnet next end5. In Windows, open a new web browser tab. Visit the IntGW FortiMail's management GUI: https://intgw.internal.lab/admin6. Log in as admin and leave the password field empty.7. Click System > Network > Routing.8. Click New, and then add a new static route using the following values: Field ValueDestination IP/netmask: 0.0.0.0/0Interface: port1FortiMail Student Guide 27

   Field                     Value
   Gateway:                  10.0.1.254

9. Click Create to save the static route.
10. Click System > Network > DNS, and then configure the following DNS servers:

   Field                     Value
   Primary DNS server:       10.0.1.254
   Secondary DNS server:     0.0.0.0

11. Click Apply to save the DNS changes.

To configure the mail settings

1. Click Mail Settings > Settings > Mail Server Settings.
2. Configure the following values under Local Host:

   Field                     Value
   Host name:                IntGW
   Local domain name:        internal.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains > Domains.
5. Click New to add a protected domain using the following values:

   Field                     Value
   Domain name:              internal.lab
   SMTP Server:              10.0.1.99

   Note: 10.0.1.99 is the IP address of the IntSRV host. This is the server mode FortiMail that you configured in the previous exercise. It contains the user mailboxes for the internal.lab domain. Therefore, the IntGW host is configured with 10.0.1.99 as the protected SMTP Server.

6. Keep the default values for the remaining settings, and then click Create.

To verify the configuration

1. In Windows, open a command prompt window.
2. Enter the following commands to start a telnet session on port 25 of the IntGW FortiMail:

   Note: You can’t use the backspace or delete key to correct any typing errors. If you make a mistake, close the connection and start over.

    telnet intgw.internal.lab 25
    …wait for reply…
    ehlo 10.0.1.10
    …wait for reply…
    mail from: <[email protected]>
    …wait for reply…
    rcpt to: <[email protected]>
    …wait for reply…
    data
    …wait for reply…
    Subject: Test Message from Telnet
    Message body.
    .
    …wait for reply…
    quit

3. In Thunderbird, open the test message that you sent in the previous step.
4. View the full headers of the message. To do this, in the More drop-down list, select View Source.

5. Compare the Received: headers in the Telnet session email with the Hello World! email you sent in the previous exercise. What differences do you see?

   Note: The Hello World email’s Received header shows that the IntSRV FortiMail received the email directly from the ExtSRV FortiMail.

    Received: from extsrv.external.lab ([10.200.1.99]) by IntSRV.internal.lab with ESMTP id v1OLZmQa002443-v1OLZmQc002443

   The Telnet session email’s Received header shows that the email was processed first by the IntGW FortiMail, and then handed off to the IntSRV FortiMail.

    Received: from IntGW.internal.lab ([10.0.1.11]) by IntSRV.internal.lab with ESMTP id v1OMw47q002651-v1OMw47s002651

LAB 2—Access Control and Policies

In this lab, you will establish outbound email flow for the internal.lab domain, as well as configure a relay host for the server mode FortiMail. You will create IP and recipient policies, and then use logged policy IDs to identify how policies are applied to an email.

Objectives

- Configure access receive rules to allow outbound email
- Configure an external relay host
- Configure IP and recipient policies
- Use logged policy IDs to track messages

Time to Complete

Estimated: 45 minutes

1 Outbound Email Flow

In this exercise, you will configure the necessary access receive rules on both the IntGW and IntSRV FortiMail VMs to allow outbound email.

To verify authenticated outbound relay

1. In Windows, open Thunderbird, and then compose a new email message to the external user using the following values:

   Field                     Value
   To: [email protected]: Testing Outbound Email
   Message Body:             Will this work?

2. Click Send. If Thunderbird displays a security warning, select the Permanently store this exception check box, and then click Confirm Security Exception.
3. Open a web browser and visit the ExtSRV FortiMail's webmail GUI: https://extsrv.external.lab/
4. Log in as extuser with the password fortinet.
5. Verify that extuser has received the email.

   Note: By default, FortiMail rejects outbound email, unless the sender is authenticated. Since you configured Thunderbird to authenticate when sending emails using SMTP, the IntSRV FortiMail relays it.

To configure the server mode access receive rule

1. In Windows, open a web browser. Visit the IntSRV FortiMail's management GUI: https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Click New and configure an access receive rule using the following values:

   Field                     Value
   Sender Pattern:           User Defined  *@internal.lab
   Sender IP/netmask:        User Defined  10.0.1.0/24

   Action:                   Relay

5. Click Create to save the access receive rule.

   Note: While the default behavior reduces configuration requirements, it is still good practice to configure an access receive rule with specific sender patterns and sender IP/netmask values in a server mode deployment to restrict outbound sessions.

To configure the gateway mode access receive rule

1. In Windows, open a new web browser tab. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Click New.
5. Configure an access receive rule using the following values:

   Field                     Value
   Sender Pattern:           User Defined  *@internal.lab
   Sender IP/netmask:        User Defined  10.0.1.99/32
   Action:                   Relay

   Note: On the IntGW FortiMail you are allowing only the IntSRV server mode FortiMail to relay email. Therefore, you are configuring a /32 subnet mask. No other host is able to relay email through IntGW.

6. Click Create to save the access receive rule.

To verify the access receive rules

1. Return to the Thunderbird composing window. Click Send.
2. Open a new web browser tab and go to the ExtGW webmail GUI: https://extsrv.external.lab/
3. Log in as extuser using the password fortinet.
4. The email message should appear in the inbox. Click the email message to open it.
5. Click More > Detailed Header. This displays the email header in the webmail interface.

6. Review the Received: headers. What hops did the email take to reach the destination inbox?

   Note: The email message was generated by Windows (10.0.1.10) and sent to IntSRV (10.0.1.99). The IntSRV host then delivered the email message to ExtSRV (10.200.1.99).

    Received: from IntSRV.internal.lab ([10.0.1.99])
     by extsrv.external.lab with ESMTP id v1RL4umB001914-v1RL4umD001914
    Received: from [10.0.1.10] ([10.0.1.10])
     ([email protected] mech=CRAM-MD5 bits=0)
     by IntSRV.internal.lab with ESMTP id v1RL4uHI001985-v1RL4uHK001985

According to the headers, the email message did not pass through the IntGW FortiMail, which is expected. The IntSRV server mode FortiMail delivered the email based on MX query results. To make sure all outbound email from IntSRV FortiMail relays through the IntGW FortiMail, you must configure a relay host on the IntSRV FortiMail.

2 Relay Host

In this section, you will configure an external relay host on the IntSRV FortiMail so that all outbound email is sent to the IntGW gateway mode FortiMail for delivery.

To configure a relay host

1. In Windows, visit the IntSRV FortiMail's management GUI: https://intsrv.internal.lab/admin
2. Click Mail Settings > Settings > Mail Server Settings.
3. Expand the Outgoing Email sub-section.
4. Select the Deliver to relay host check box, and then click New.
5. Create a new relay host using the following values:

   Field                     Value
   Name:                     IntGWRelay
   Host name/IP:             10.0.1.11

6. Leave the remaining fields empty, and then click Create to save the relay host configuration.
7. Click Apply to save the Outgoing Email setting changes.

To verify the relay host

1. Open Thunderbird, and then click Write.
2. Compose a new email using the following values:

   Field                     Value
   To: [email protected]: Testing Relay Host
   Message Body:             Relay host is working!

3. Click Send.
4. Visit the ExtSRV webmail GUI: https://extsrv.external.lab/
5. Verify that the email was delivered.
6. Review the headers. Do you see any differences in the Received: headers? What hops did the email take this time to reach the destination inbox?

   Note: The email was generated by Windows (10.0.1.10) and sent to IntSRV (10.0.1.99). The IntSRV host then sent the email to IntGW (10.0.1.11). The IntGW host delivered the email to ExtGW (10.200.1.99).

    Received: from IntGW.internal.lab ([10.0.1.11])
     by extsrv.external.lab with ESMTP id v1RLvKZS002158-v1RLvKZU002158
    Received: from IntSRV.internal.lab ([10.0.1.99])
     by IntGW.internal.lab with ESMTP id v1RLvKQj001948-v1RLvKQl001948
    Received: from [10.0.1.10] ([10.0.1.10])
     ([email protected] mech=CRAM-MD5 bits=0)
     by IntSRV.internal.lab with ESMTP id v1RLvJ8k002052-v1RLvJ8m002052

By completing the previous configuration steps, you have successfully established bidirectional email flow in which all inbound and outbound email must flow through the IntGW gateway mode FortiMail.
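The header comparison in the two outbound exercises can be automated. The following Python code is an added example, not part of the student guide: it parses the Received headers quoted in the Lab 2 notes, rebuilds the path each message travelled, and checks whether IntGW handed the message off. The function and constant names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Received headers copied from the two notes in this lab (newest hop first).
# "[email protected]" is reproduced exactly as the page shows it.
BEFORE_RELAY_HOST = """\
Received: from IntSRV.internal.lab ([10.0.1.99])
 by extsrv.external.lab with ESMTP id v1RL4umB001914-v1RL4umD001914
Received: from [10.0.1.10] ([10.0.1.10])
 ([email protected] mech=CRAM-MD5 bits=0)
 by IntSRV.internal.lab with ESMTP id v1RL4uHI001985-v1RL4uHK001985
"""
AFTER_RELAY_HOST = """\
Received: from IntGW.internal.lab ([10.0.1.11])
 by extsrv.external.lab with ESMTP id v1RLvKZS002158-v1RLvKZU002158
Received: from IntSRV.internal.lab ([10.0.1.99])
 by IntGW.internal.lab with ESMTP id v1RLvKQj001948-v1RLvKQl001948
Received: from [10.0.1.10] ([10.0.1.10])
 ([email protected] mech=CRAM-MD5 bits=0)
 by IntSRV.internal.lab with ESMTP id v1RLvJ8k002052-v1RLvJ8m002052
"""

# Shape of the Received lines shown in this lab; other MTAs format them differently.
RECEIVED_RE = re.compile(
    r"from\s+(?P<sender>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)"
    r"(?:\s*\((?P<extra>[^)]*)\))?"
    r"\s+by\s+(?P<receiver>\S+)\s+with\s+\S+\s+id\s+\S+"
)


@dataclass
class Hop:
    sender: str               # host named in the "from" clause
    sender_ip: str            # peer address recorded by the receiving MTA
    receiver: str             # MTA that accepted the message ("by" clause)
    auth_mech: Optional[str]  # SMTP AUTH mechanism, if the hop was authenticated


def parse_hops(raw_headers: str) -> List[Hop]:
    """Return the hops in the order the message travelled (oldest first)."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if match is None:
            raise ValueError(f"unrecognized Received header: {value!r}")
        mech = re.search(r"mech=(\S+)", match["extra"] or "")
        hops.append(Hop(match["sender"], match["ip"], match["receiver"],
                        mech.group(1) if mech else None))
    return hops[::-1]  # each MTA prepends its header, so reverse for travel order


def chain_is_continuous(hops: List[Hop]) -> bool:
    """Each hop's receiver should be the sender named by the next hop."""
    return all(a.receiver.lower() == b.sender.lower()
               for a, b in zip(hops, hops[1:]))


def handed_off_by(hops: List[Hop], host: str) -> bool:
    """True if `host` appears as the sending MTA of some hop."""
    return any(h.sender.lower() == host.lower() for h in hops)


if __name__ == "__main__":
    for label, raw in (("before", BEFORE_RELAY_HOST), ("after", AFTER_RELAY_HOST)):
        hops = parse_hops(raw)
        path = " -> ".join([hops[0].sender] + [h.receiver for h in hops])
        print(label, path, "via IntGW:", handed_off_by(hops, "IntGW.internal.lab"))
```

A message whose hop list lacks the gateway, as in the first sample, reached the destination without passing through the MTA where inspection is configured.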

3 Policy Usage Tracking

As email messages flow through FortiMail, log entries are created that show which policies were triggered. This is extremely useful for testing new policies and troubleshooting existing ones.

In this exercise, you will send two email messages, one in each direction, and then review which policies the messages used.

To generate log entries

1. In Windows, open Thunderbird.
2. Send an email message to [email protected].
3. Visit the ExtGW FortiMail’s webmail GUI: https://extsrv.external.lab/
4. Log in as extuser using the password fortinet.
5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.

To review log entries

1. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Click Monitor > Log > History.
3. Double-click the active log file. The first two entries in the History log should correspond to the two email messages that FortiMail just processed.
4. Right-click the entry for the inbound email, and then select View Details.

5. Review the Policy IDs field, and answer the following questions:

   - The Policy IDs field is made up of three fields (X:Y:Z). What does each field’s value correspond to?
   - The first policy usage value is 0. What does this mean?
   - The third policy usage value is 0. What does this mean?

   Note: The policy IDs for each email message are recorded in the history logs in the format of X:Y:Z, where X is the ID of the access control rule, Y is the ID of the IP-based policy, and Z is the ID of the recipient-based policy. If the value in the access control rule field for an incoming email is 0, it means that FortiMail is applying its default rule for handling inbound email. If the value of X:Y:Z is 0 in any other case, it means that a policy or rule couldn’t be matched, or doesn’t exist.

6. Click Close to close the Log Details window.
7. Open the relevant log entry for the outbound email and review the Policy IDs field.

   Note: The policy use recorded for the outbound email message is 1:1:0. It was processed using access receive rule ID 1, which you created in the previous exercise. Then, the email message was processed using the default IP policy ID 1. Because you didn’t configure any outgoing recipient policy, the last field value is 0.

4 Policy Creation

In this exercise, you will create IP and recipient policies. Then, you will test your configuration by sending email messages back and forth. You will also use logs to observe the changes to the policy use from the previous exercise.

To create IP policies

1. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Click Policy > Policies > Policies.
3. In the IP Policies section, click New.
4. Create a new IP policy using the following values:

   Field                     Value
   Source:                   10.0.1.99/32
   Session:                  Outbound_Session

5. Click Create to save the policy.
6. The new policy should have an ID value of 3.
7. Click the policy to select it. In the Move drop-down list, select Before. Move IP policy ID 3 to appear in the list before IP policy ID 1.

8. The policies should appear in the following order: IP policy ID 3 will process all email sourced from the IntSRV FortiMail (outgoing), and IP Policy ID 1 will process all other email (incoming). IP policy ID 2 is a default IPv6 policy. Since this lab is not configured for IPv6, it is not required. You can delete it if you want to.

To create recipient policies

1. In the Recipient Policies section, in the Domain drop-down list, select internal.lab.
2. Click New.
3. Don’t modify any values. Click Create to save the policy.
4. In the Direction drop-down list, select Outgoing.
5. Click New.
6. Don’t modify any values. Click Create to save the policy.

   Note: FortiMail maintains a global list of outbound recipient policies. If you manage multiple protected domains, and you need to handle outbound email for each protected domain differently, you must create a different outbound recipient policy for each protected domain, and set the Sender Pattern accordingly.

To generate log entries

1. In Windows, open Thunderbird.
2. Send an email message to [email protected].
3. Visit the ExtGW FortiMail’s webmail GUI: https://extsrv.external.lab/
4. Log in as extuser using the password fortinet.
5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.

To review log entries

1. In the IntGW FortiMail’s management GUI, click Monitor > Log > History.
2. Double-click the active log file. The first two entries in the History log should correspond to the two email messages that FortiMail just processed.
3. Access the details for each log entry and review the Policy IDs field.
4. What changes can you see from the previous exercise?

   Note: The policy use will reflect the new ID values for the policies you created. All outgoing email will be processed by IP policy ID 3, and outgoing recipient policy ID 1. All incoming email will be processed by IP policy ID 1, and incoming recipient policy ID 1.

LAB 3—Authentication

In this lab, you will configure access receive rules to enforce user SMTP authentication. You will also configure an LDAP profile to enable recipient verification, alias mapping, and user authentication.

Objectives

- Enforce user SMTP authentication using access receive rules
- Configure an LDAP profile
- Enable recipient verification and alias mapping
- Configure LDAP authentication for users

Time to Complete

Estimated: 60 minutes

Prerequisites

Before beginning this lab, you must disable sender reputation on the IntGW FortiMail.

To disable sender reputation

1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Policies > Policies.
4. In the IP Policies section, double-click policy ID 1.
5. Edit the Inbound_Session profile.
6. Expand the Sender Reputation section and clear the Enable sender reputation check box.
7. Click OK to save the changes.

   Note: The sender reputation feature can interfere with some of the testing that you will do in this lab.

1 User Authentication Enforcement

In this exercise, you will explore how FortiMail handles SMTP authentication. You will enforce authentication using access receive rules, and test your configuration using various outgoing server settings in Thunderbird.

To disable SMTP authentication in Thunderbird

1. In Windows, open Thunderbird.
2. Press the Alt key to show the Menu Bar.
3. Click Tools > Account Settings.
4. On the Account Settings screen, in the left pane, click Outgoing Server (SMTP), and then click Edit.

5. In the Authentication method drop-down list, select No authentication.
6. Click OK to save the changes.
7. Click OK to return to the main Thunderbird window.

   Note: By making these changes, you have disabled authentication for SMTP connections. So, when you send an email message, Thunderbird won’t authenticate.

To send an unauthenticated email message

1. In Thunderbird, send an email to [email protected].
2. Open a web browser, and then visit the ExtSRV FortiMail’s webmail GUI: https://extsrv.external.lab/
3. Log in as extuser using the password fortinet.
4. Why was the email delivered to the destination user even though you disabled SMTP authentication in Thunderbird?

   Note: The access receive rule that you configured in LAB 2—Access Control & Policies didn’t have authentication enforcement enabled. When you set Authentication Status to Any, FortiMail doesn’t verify whether the sender matching the rule is authenticated or not.

To enforce authentication

1. Open a new web browser tab. Visit the IntSRV FortiMail's management GUI: https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Select rule ID 1 and click Edit.
5. In the Authentication status drop-down list, select Authenticated.
6. Click OK to save the changes.

To verify authentication enforcement

1. In Thunderbird, send another email message to [email protected].
2. This time, an alert displays indicating that relaying is denied.

3. Click OK to close the alert, but leave the email compose window open in the background.
4. Visit the IntSRV FortiMail's management GUI: https://intsrv.internal.lab/admin
5. Click Monitor > Log > History.
6. Double-click the active log file. The first entry in the History log should correspond to the rejected email message.

   Note: In this log entry, you can see IntSRV has rejected (Disposition) the email because the session violated an access control rule (Classifier). By changing the Authentication Status value to Authenticated, you have successfully enforced authentication for users connecting to the IntSRV FortiMail.

To restore SMTP authentication on Thunderbird

1. In the main Thunderbird window, press the Alt key to show the Menu Bar.
2. Click Tools > Account Settings.
3. On the Account Settings screen, click Outgoing Server (SMTP), and then click Edit.
4. In the Authentication method drop-down list, select Normal password.
5. Click OK to save the changes.
6. Click OK to return to the main Thunderbird window.
7. Send the email message again.
8. Visit the ExtGW FortiMail’s webmail GUI: https://extsrv.external.lab/
9. Log in as extuser using the password fortinet.
10. Verify that the email was delivered.
11. Visit the IntSRV FortiMail’s management GUI: https://intsrv.internal.lab/admin
12. Click Monitor > Log > History.
13. Double-click the active log file. The first entry in the History log should correspond to the email message you just sent.

14. Click the Session ID link to retrieve the cross search results.
15. Right-click the event log related to the authentication event to view the details.
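The relay outcomes observed in Lab 2 and in this exercise follow from how the three rule fields combine. The Python code below is an added example, not FortiMail code and not part of the student guide: it is a simplified model of an outbound relay decision that uses only the fields these labs set (sender pattern, sender IP/netmask, authentication status, action) plus the default behavior the guide describes. The class, function and constant names and the sender address are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class ReceiveRule:
    """Only the fields this lab sets; a simplified model, not FortiMail code."""
    rule_id: int
    sender_pattern: str    # for example "*@internal.lab"
    sender_network: str    # for example "10.0.1.0/24"
    auth_status: str       # "Any" or "Authenticated"
    action: str            # "Relay" in this lab

    def matches(self, sender: str, client_ip: str, authenticated: bool) -> bool:
        if not fnmatchcase(sender.lower(), self.sender_pattern.lower()):
            return False
        network = ipaddress.ip_network(self.sender_network)
        if ipaddress.ip_address(client_ip) not in network:
            return False
        # "Any" ignores the session's authentication state entirely.
        return self.auth_status == "Any" or authenticated


def decide(rules: List[ReceiveRule], sender: str, client_ip: str,
           authenticated: bool) -> Tuple[str, Optional[int]]:
    """Outbound relay decision: (action, matching rule ID or None)."""
    for rule in rules:
        if rule.matches(sender, client_ip, authenticated):
            return rule.action, rule.rule_id
    # No rule matched: the default described in Lab 2 relays only
    # authenticated senders and rejects everyone else.
    return ("Relay" if authenticated else "Reject"), None


# Rule sets as configured in the labs.
INTSRV_LAB2 = [ReceiveRule(1, "*@internal.lab", "10.0.1.0/24", "Any", "Relay")]
INTSRV_LAB3 = [ReceiveRule(1, "*@internal.lab", "10.0.1.0/24", "Authenticated", "Relay")]
INTGW_LAB2 = [ReceiveRule(1, "*@internal.lab", "10.0.1.99/32", "Any", "Relay")]

SENDER = "student@internal.lab"   # constructed address, not from the guide

if __name__ == "__main__":
    cases = [
        ("IntSRV, Lab 2 rule, no SMTP AUTH", INTSRV_LAB2, "10.0.1.10", False),
        ("IntSRV, Lab 3 rule, no SMTP AUTH", INTSRV_LAB3, "10.0.1.10", False),
        ("IntSRV, Lab 3 rule, SMTP AUTH", INTSRV_LAB3, "10.0.1.10", True),
        ("IntGW, session from IntSRV", INTGW_LAB2, "10.0.1.99", False),
        ("IntGW, session from Windows", INTGW_LAB2, "10.0.1.10", False),
    ]
    for label, rules, ip, authed in cases:
        print(f"{label}: {decide(rules, SENDER, ip, authed)}")
```

The first case shows why a rule with Authentication status set to Any, scoped to a whole /24, relays for any host on that subnet that claims an internal.lab sender.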

2 LDAP Operations

The Windows VM has been preconfigured with Active Directory Services for the internal.lab domain. In this exercise, you will review the Active Directory configuration and learn how to retrieve LDAP attributes for Active Directory objects. Then, you will configure an LDAP profile on both IntSRV and IntGW FortiMail devices to use for user authentication, alias lookup, and recipient verification.

To review the Active Directory configuration

1. In Windows, from the desktop, open the Active Directory Users and Computers management console.

   Note: A service account for the LDAP profile is located in the Service Accounts Organizational Unit (OU). The users and groups are located in the Training Users OU and Training Groups OU respectively.

2. All account passwords have been set to fortinet.

To access the LDAP attributes of Active Directory objects

1. In the Active Directory Users and Computers management console, click View, and then verify that Advanced Features is selected.

2. Right-click internal.lab, and then select Properties.
3. In the internal.lab Properties window, click the Attribute Editor tab.

   Note: You can use the previous steps to access the LDAP attributes of any Active Directory object necessary to configure the LDAP profile on FortiMail.

4. Click OK to close the properties window.
5. Close the Active Directory Users and Computers management console.

To configure an LDAP profile on IntGW FortiMail

1. Open a new web browser tab. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Profile > LDAP > LDAP.
4. Click New.
5. Create an LDAP profile using the following values:

   Field                              Value
   Profile name:                      InternalLabLDAP
   Server name/IP:                    10.0.1.10

6. Use the following values to configure the Default Bind Options:

   Field                              Value
   Base DN:                           OU=Training Users,DC=internal,DC=lab
   Bind DN:                           CN=LDAP Service Account,OU=Service Accounts,DC=internal,DC=lab
   Bind password:                     fortinet

7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:

   Field                              Value
   Alias member query:                proxyAddresses=smtp:$m
   User group expansion in advance:   Disable
   Use Separate bind:                 Disable

10. Click Create to save the LDAP profile.

To configure an LDAP profile on IntSRV FortiMail

1. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI: https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Profile > LDAP > LDAP.
4. Click New.

