
FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42

Description: FortiMail_Student_Guide-online


DO NOT REPRINT
© FORTINET

LAB 8—Securing Communications

3. Double-click the active log file. The first entry in the history log should correspond to the email you just sent.
4. Click on the Session ID link to retrieve the cross search results and review the AntiSpam and Encryption logs related to the session.

2 Accessing IBE Emails

In this exercise, you will register a new IBE user. Then, you will log in to the secure portal to retrieve the IBE email. You will also see the message read notification email messages that the sender will receive after the IBE user has read the IBE email.

To register an IBE user

1. In Windows, open a new web browser. Visit the ExtGW FortiMail’s webmail GUI:
   https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Open the IBE notification email.
4. Click the link in the notification email to access the encrypted email.

5. Click Register.
6. Complete the registration form, and then click Register.
7. When the registration is complete, webmail should display a notification that the registration was successful. Click Continue.

To access the IBE email

1. After registration, you will be returned to a login page. Type the password that you entered during the registration process, and then click Open.
2. The secure portal displays the contents of the IBE email.

3. In the IBE Service configuration, you enabled secure replying. Reply to the IBE email message to observe the behavior.

To access the message read notification

1. In Windows, open Thunderbird.
2. You should see a “message read” notification that was generated when [email protected] read the IBE email.

LAB 9—High Availability

In this lab, you will build an active-passive FortiMail HA cluster that has two FortiMail VMs. The cluster will operate in server mode.

You will configure the IntSRV FortiMail (10.0.1.99) as the primary and the IntGW FortiMail (10.0.1.11) as the secondary. You will verify the HA and configuration synchronization status, configure a virtual IP, and use the HA service monitor to detect when the SMTP service connectivity fails on the primary FortiMail.

The lab network DNS server has the following CNAME records to aid in identifying the two clustered devices:

    primary     CNAME   intsrv.internal.lab
    secondary   CNAME   intgw.internal.lab

Objectives

- Configure a FortiMail HA group to synchronize their configuration and data
- Verify cluster health
- Configure HA virtual IP
- Configure remote services monitoring

Time to Complete

Estimated: 50 minutes

Prerequisites

Before beginning this lab, you must change the operation mode of the IntGW FortiMail.

To change the operation mode

1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI:
   https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Monitor > System Status > Status.
4. In the System information widget, in the Operation mode drop-down list, select Server.

5. The system will prompt you twice about most settings being reset to factory defaults. Click Yes in both prompts.
6. Wait for the FortiMail to reboot.
7. The FortiMail will still have an IP address assigned to the port1 interface. So, after it finishes rebooting, you should be able to access the management GUI again.
8. Log in to the management GUI, and then verify that the following system settings persisted:
   - Interface (System > Network > Interface)
   - Route (System > Network > Route)
   - DNS (System > Network > DNS)
9. Verify the status of the following mail settings. The settings should have reset to factory default values.
   - Mail Server Settings (Mail Settings > Settings > Mail Server Settings)
   - Domains (Mail Settings > Domains > Domains)
10. The IntGW FortiMail is ready to be configured as a secondary device in the cluster.

Caution: When doing the lab exercises, ensure you are applying the configuration changes to the correct FortiMail VM. If at any point you wish to reset the configuration state for the FortiMail VMs, you can restore the following configuration files:

    IntGW:  Desktop\Resources\Starting Configs\Lab 9\09_Reset_IntGW.tgz
    IntSRV: Desktop\Resources\Starting Configs\Lab 9\09_Reset_InSRV.tgz

Always restore the secondary unit first, and then the primary. The configuration files will restore the VMs to the standalone states they were in at the end of the Securing Communications lab.

1 Configure the Primary FortiMail

In this exercise, you will configure the mail server settings on the primary FortiMail. Then, you will configure the HA settings.

To configure mail server settings on the primary device

1. In Windows, open a web browser. Visit the primary FortiMail's management GUI:
   https://primary.internal.lab/admin
   Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. Click Mail Settings > Settings > Mail Server Settings.
4. Change the Host name field to primary, and then click Apply to save the change.

To configure HA on the primary device

1. Click System > High Availability > Configuration, and then configure the following values:

    Field                Value
    Mode of operation:   master
    On failure:          wait for recovery then restore slave role
    Shared password:     fortinet

2. Expand the Backup options section, and then configure the following values:

    Field                          Value
    Backup mail data directories   Enabled
    Backup MTA queue directories   Enabled

3. Click Apply.
4. In the Interface section, double-click port1 and configure the following settings:

    Field                  Value
    Enable port monitor:   Enabled
    Heartbeat status:      Primary
    Peer IP address:       10.0.1.11

5. Click OK to save the HA interface configuration.

2 Configure the Secondary FortiMail

In this exercise, you will configure the mail server settings on the secondary FortiMail because they are not synchronized. Then, you will configure the HA settings, and verify that the cluster has formed.

To configure mail server settings on the secondary device

1. Open a new tab in the web browser. Visit the secondary FortiMail’s management GUI:
   https://secondary.internal.lab/admin
   Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. Click Mail Settings > Settings > Mail Server Settings.
4. Configure the following values:

    Field                Value
    Hostname:            secondary
    Local domain name:   internal.lab

5. Click Apply.

To configure HA on the secondary device

1. Click System > High Availability > Configuration.
2. Configure the following values:

    Field                Value
    Mode of operation:   slave
    On failure:          wait for recovery then restore slave role
    Shared password:     fortinet

3. Expand the Backup options section, and then configure the following values:

    Field                          Value
    Backup mail data directories   Enabled
    Backup MTA queue directories   Enabled

4. Click Apply.
5. In the Interface section, double-click port1.
6. Configure the following values:

    Field                  Value
    Enable port monitor:   Enabled
    Heartbeat status:      Primary
    Peer IP address:       10.0.1.99

7. Click OK to save the HA interface configuration.
8. Click System > High Availability > Status.
9. Click Refresh to update the Daemon status.

Note: As soon as the two devices join in a cluster and complete synchronization, the secondary device’s management GUI session will time out and return you to the login prompt. This process may take a few minutes.

3 Verify Cluster Health

In this exercise, you will verify the HA and configuration synchronization status.

To verify the HA status

1. Visit the primary FortiMail's management GUI:
   https://primary.internal.lab/admin
2. Click Monitor > System Status > Status.
3. In the System Information Widget, verify that the HA mode values are Configured: master, Effective: master.
4. You can find the same information in System > High Availability > Status.
5. Visit the secondary FortiMail’s management GUI:
   https://secondary.internal.lab/admin
6. Verify the HA status of the secondary FortiMail.

To verify configuration synchronization status

1. On the secondary FortiMail, verify Domains (Mail Settings > Domains > Domains), Users (User > User > User), and LDAP (Profile > LDAP > LDAP). These are configuration elements that should have been synchronized from the primary FortiMail.
2. Visit the primary FortiMail’s management GUI:
   https://primary.internal.lab/admin
3. Click Policy > Policies > Policies.
4. In the Recipient Policies section, click New.
5. Don’t change any values. Click Create.
6. Visit the secondary FortiMail’s management GUI:
   https://secondary.internal.lab/admin

7. Click Policy > Policies > Policies, and then verify that the new policy has synchronized with the secondary device.

To verify configuration synchronization status (alternate method)

1. Visit the primary FortiMail’s management GUI:
   https://primary.internal.lab/admin
2. Click Monitor > System Status > Console.
3. In the Console widget, type the following command:
   # diagnose system ha showcsum
4. The console outputs the HA checksum for the primary device.
5. Open a new web browser tab, and visit the secondary FortiMail’s management GUI:
   https://secondary.internal.lab/admin
6. Click Monitor > System Status > Console.
7. In the Console widget, type the following command:
   # diagnose system ha showcsum
8. The console outputs the HA checksum for the secondary device.
9. Compare the checksum values of the two devices. If they match, then their configurations are in sync.

4 Configure HA Virtual IP

In this exercise, you will configure a virtual IP for the HA cluster. You will also verify the virtual IP function by forcing a failover.

To configure a virtual IP on the primary device

1. Visit the primary FortiMail’s management GUI:
   https://primary.internal.lab/admin
2. Click System > High Availability > Configuration.
3. In the Interface section, double-click port1.
4. Configure the following values:

    Field                 Value
    Virtual IP action:    Use
    Virtual IP address:   10.0.1.100/24

5. Click OK to save the HA interface configuration.

To configure a virtual IP on the secondary device

1. Visit the secondary FortiMail’s management GUI:
   https://secondary.internal.lab/admin
2. Click System > High Availability > Configuration.
3. In the Interface section, double-click port1.
4. Configure the following values:

    Field                 Value
    Virtual IP action:    Use
    Virtual IP address:   10.0.1.100/24

5. Click OK to save the HA interface configuration.

To verify the virtual IP configuration

1. Open a new web browser tab. Use the virtual IP to access the management GUI:
   https://10.0.1.100/admin
   Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. Click Mail Settings > Settings > Mail Server Settings.

4. Verify the host name of the current cluster device that owns the virtual IP. It should be primary.
5. In Windows, open a command prompt window.
6. Initiate a telnet command to start an SMTP session to the virtual IP:
   telnet 10.0.1.100 25
7. You should be presented with the following banner, which belongs to the primary device:
   220 primary.internal.lab ESMTP Smtpd;

To failover to the secondary device

1. Visit the cluster management GUI:
   https://10.0.1.100/admin
2. Click System > High Availability > Status.
3. In the Actions section, click click HERE to switch to SLAVE mode.
4. The system prompts you to verify this action. Click Yes. This forces a failover to the secondary device.
5. Wait a few seconds, and then reload the management GUI. You should be returned to the login prompt.
6. Log in as admin and leave the password field empty.

To verify the virtual IP after failover

1. Click Mail Settings > Settings > Mail Server Settings.
2. Verify the hostname of the current cluster device that owns the virtual IP. It should be secondary.

3. In Windows, open a command prompt window.
4. Initiate a telnet command to start an SMTP session to the virtual IP:
   telnet 10.0.1.100 25
5. The following banner, which belongs to the secondary device, should appear:
   220 secondary.internal.lab ESMTP Smtpd;
6. Close the command prompt window.

To restore the cluster

1. Visit the cluster management GUI:
   https://10.0.1.100/admin
2. Click System > High Availability > Status.
3. In the Actions section, click click HERE to restore configured operating mode.
4. The system prompts you to verify your action. Click Yes. This forces a failover to the primary device.
5. Wait a few seconds, and then reload the management GUI. You should be returned to the login prompt.
6. Log in as admin and leave the password field empty.
7. Click Mail Settings > Settings > Mail Server Settings.
8. Verify that the primary FortiMail was restored to the master role.
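The telnet banner check used in this exercise can be scripted so that the owner of the virtual IP is read the same way before and after a failover. The following is an added example, not part of the student guide; the function names are hypothetical, and the hostname-to-member mapping is taken from the two banners quoted in the lab steps.

```python
import io
import socket

# Banner hostnames printed in the lab steps, mapped to the cluster member.
MEMBERS = {
    "primary.internal.lab": "primary",
    "secondary.internal.lab": "secondary",
}


def read_greeting(stream):
    """Return the hostname announced in an SMTP 220 greeting.

    Handles multi-line greetings ('220-' continuation lines ending with a
    '220 ' line) and raises if the service answers with anything but 220,
    which is what a client sees while neither member is serving SMTP.
    """
    announced = None
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("connection closed before the greeting ended")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if line[:3] != "220":
            raise ValueError(f"SMTP service not ready: {line!r}")
        if announced is None:
            words = line[4:].split()
            announced = words[0].lower() if words else ""
        if line[3] == " ":          # last line of the reply
            return announced


def greeting_host(data):
    """Parse a captured greeting given as bytes (used for offline checks)."""
    return read_greeting(io.BytesIO(data))


def member_for(hostname):
    """Map a banner hostname to a cluster member, or flag it as unexpected."""
    return MEMBERS.get(hostname, f"unexpected banner host: {hostname or '<none>'}")


def vip_owner(vip, port=25, timeout=5.0):
    """Connect to the virtual IP, read the greeting, and name the owner."""
    with socket.create_connection((vip, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            hostname = read_greeting(stream)
        sock.sendall(b"QUIT\r\n")   # end the session politely
    return member_for(hostname)


# Constructed captures modelled on the banners quoted in the lab.
BEFORE_FAILOVER = b"220 primary.internal.lab ESMTP Smtpd;\r\n"
AFTER_FAILOVER = b"220-secondary.internal.lab ESMTP Smtpd;\r\n220 ready\r\n"

if __name__ == "__main__":
    for capture in (BEFORE_FAILOVER, AFTER_FAILOVER):
        print(member_for(greeting_host(capture)))
    # Against the lab cluster: print(vip_owner("10.0.1.100"))
```

An unexpected banner host on the virtual IP means the address is answered by something other than the two cluster members, which is worth alerting on.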

5 Remote Services Monitoring

In addition to hardware failure, it’s often useful for cluster devices to monitor the network connectivity and services of each other. This ensures a failover occurs if any of these services experience an outage.

In this exercise, you will configure remote SMTP service monitoring on both cluster devices. Then, you will trigger a service-based failover to verify the configuration, and then verify the failover using event logs.

To configure service monitoring on the primary device

1. Visit the primary FortiMail’s management GUI:
   https://primary.internal.lab/admin
2. Click System > High Availability > Configuration.
3. In the Service Monitor section, double-click Remote SMTP.
4. Configure the following values:

    Field        Value
    Enable       Enabled
    Remote IP:   10.0.1.11
    Timeout:     10
    Interval:    30
    Retries:     2

   Note: For the purposes of this lab, you are reducing the time values to their lowest configurable value to speed things up. In a live production environment, the default values are a good place to start. You can fine tune them as you discover what kind of outage your email network can tolerate.

   Using this procedure, you configured the secondary device to test the primary device’s port 25 connectivity every 30 seconds (Interval). If a connection attempt times out for 10 seconds (Timeout) it is considered a failure. Two (Retries) failures must occur before the secondary device forces a failover.

5. Click OK to save the changes.

To configure service monitoring on the secondary device

1. Visit the secondary FortiMail’s management GUI:
   https://secondary.internal.lab/admin
2. Click System > High Availability > Configuration.
3. In the Service Monitor section, double-click Remote SMTP.
4. Configure the following values:

    Field        Value
    Enable       Enabled
    Remote IP:   10.0.1.99
    Timeout:     10
    Interval:    30
    Retries:     2

5. Click OK to save the changes.

To trigger a service-based failover

1. Visit the primary FortiMail’s management GUI:
   https://primary.internal.lab/admin
2. Click Mail Settings > Settings > Mail Server Settings.
3. Change the SMTP server port number value to 125.
4. Click Apply.

Note: Using this procedure, you changed the SMTP service port on the primary FortiMail to port 125. Because of this change, the secondary FortiMail can no longer detect SMTP services on port 25 and should trigger a failover based on remote service failure.

You must wait a few minutes for the secondary device to go through the service monitoring check schedule before a failover is triggered.

To verify service-based failover

1. Visit the secondary FortiMail’s management GUI:
   https://secondary.internal.lab/admin
2. Click Monitor > Log > Event.
3. Double-click the active log file.
4. In the Sub type drop-down list, select HA, and keep clicking the refresh icon to see the latest logs related to HA events.

5. Event logs related to the remote SMTP service should show up when the secondary device detects failure for the first time.
6. After the second detection, the secondary device takes over as the active member.
7. Click Monitor > System Status > Status.
8. In the System Information Widget, verify that the HA mode values are Configured: slave, Effective: master.
9. Visit the primary FortiMail’s management GUI:
   https://primary.internal.lab/admin
10. Click Monitor > System Status > Status.
11. In the System Information Widget, verify that the HA mode values are Configured: slave, Effective: failed.

To restore the cluster

1. Visit the primary FortiMail’s management GUI:
   https://primary.internal.lab/admin
2. Click Mail Settings > Settings > Mail Server Settings.
3. Change the SMTP server port number value back to 25.
4. Click Apply.
5. Click System > High Availability > Status.
6. In the Actions section, click click HERE to restart the HA system.
7. The system prompts you to confirm your action. Click Yes.
8. Click Refresh. The primary FortiMail reverts to the master role.
9. Click Monitor > Log > Event.
10. Double-click the active log file.
11. In the Sub type drop-down list, select HA.
12. Review the log messages related to the HA events:

LAB 10—Server Mode

In this lab, you will configure server mode resource profiles, and see their effect on user resource allocation. You will also populate the global address book from the LDAP server.

Objectives

- Configure resource profiles
- Configure LDAP mapping to import a domain address book

Time to Complete

Estimated: 40 minutes

Prerequisites

Before beginning this lab, you must restore a configuration file.

To restore the initial configuration files

1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI:
   https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Maintenance > System > Configuration. Upload the following configuration file:
   Desktop\Resources\Starting Configs\Lab 10\10_Initial_IntGW.tgz
4. Click Restore.
5. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI:
   https://intsrv.internal.lab/admin
6. Log in as admin and leave the password field empty.
7. Click Maintenance > System > Configuration. Upload the following configuration file:
   Desktop\Resources\Starting Configs\Lab 10\10_Initial_IntSRV.cfg
8. Wait for the VMs to finish rebooting before proceeding with the exercise.

Note: The configuration files will restore the devices to the standalone states they were in before you completed the High Availability lab.

1 Configure Resource Profiles

In this exercise, you will review the IntSRV FortiMail’s existing configuration. Then, you will configure resource profiles, and observe their effects on resource allocation for email users.

To review the server mode FortiMail configuration

1. In Windows, open a web browser. Visit the IntSRV FortiMail’s webmail GUI:
   https://intsrv.internal.lab/
2. Log in as user1 using the password fortinet.
3. Scroll to the bottom and find the Disk Usage value for user1.
   Note: If there are no resource profiles or domain level service settings configured, there is a system default 500 MB disk limit for each user mailbox.
4. Click the Address Book icon and find the address books user1 has access to.
   Note: If there are no resource profiles configured, server mode users have access to their personal address book only.

To configure a resource profile

1. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI:
   https://intsrv.internal.lab/admin
2. Click Profile > Resource > Resource.
3. Click New.
4. Create a new resource profile using the following values:

    Field                 Value
    Domain                internal.lab
    Profile name:         PowerUsers
    Disk quota (MB):      2000
    Domain address book   Enabled

5. Click Create to save the profile.
6. Click New again.
7. Create another resource profile using the following values:

    Field              Value
    Domain             internal.lab
    Profile name:      RegularUsers
    Disk quota (MB):   1000

8. Click Create to save the profile.

To apply the resource profile to a recipient policy

1. Click Policy > Policies > Policies.
2. In the Recipient Policies section, click New.
3. Create a new recipient policy using the following values:

    Field               Value
    Recipient Pattern   user1
    Resource:           PowerUsers

4. Click Create to save the policy.
5. Click New again.
6. Create another recipient policy using the following values:

    Field               Value
    Recipient Pattern   user2
    Resource:           RegularUsers

7. Click Create to save the policy.
8. The following two recipient policies should appear:

Note: For larger deployments that have different levels of resource allocation requirements, you can create recipient policies for local or LDAP groups, and assign resource profiles using separate recipient policies.

To verify the resource profile configuration

1. Visit the IntSRV FortiMail’s webmail GUI:
   https://intsrv.internal.lab/
2. Log in as user1 using the password fortinet. If you were already logged in, you must log out and log back in for the resource profile changes to apply.
3. Verify user1 has the disk quota and address book access as defined in the PowerUsers resource profile.
4. Log out of user1’s account.
5. Log in as user2 using the password fortinet.
6. Verify user2 has the disk quota and address book access as defined by the RegularUsers resource profile.

2 Address Book LDAP Import

In this exercise, you will review the existing LDAP profile you configured in Lab 3 - Authentication. Then, you will configure an LDAP mapping profile, and use the LDAP profile to import contacts into the domain address book.

To review the existing LDAP profile

1. Visit the IntSRV FortiMail’s management GUI:
   https://intsrv.internal.lab/admin
2. Click Profile > LDAP > LDAP.
3. Double-click the InternalLabLDAP profile.
4. Verify the profile configuration matches the following screenshot:

   Note: When the LDAP mapping profile uses the existing LDAP profile to import contacts, it starts from the Base DN. To ensure the LDAP mapping profile doesn’t import Active Directory system accounts, configure the Base DN to point to the location of the user accounts.

To configure an LDAP mapping profile

1. Click Mail Settings > Address Book > LDAP Mapping.
2. Click New.
3. Create a new mapping profile using the following values. To add new contact fields, click Add.

    Field           Value
    Mapping name:   InternalLabMapping
    Email*          mail
    Display name    cn
    First name      givenName
    Last name       sn
    Title           title
    Department      department
    Company name    company

Note: To review how to find LDAP attributes of Active Directory objects, you can refer to the LDAP Operations exercise in Lab 3 – Authentication.

4. The profile should match the following screenshot:
5. Click Create to save the profile.

To import contacts from LDAP

1. Click Mail Settings > Address Book > Contacts.
2. In the Domain drop-down list, select internal.lab.
3. In the Import drop-down list, select LDAP.
4. Configure the following values:

    Field                         Value
    Select LDAP profile:          InternalLabLDAP
    Select LDAP mapping:          InternalLabMapping
    Overwrite existing contacts   Enabled
    Delete nonexistent contacts   Enabled

5. Click OK.
6. The system notifies you that LDAP synchronization is running. Click OK.
7. Click the refresh icon.
8. You should see all the users that were imported from the Training Users OU in the internal.lab address book.

To verify the domain address book

1. Visit the IntSRV FortiMail’s webmail GUI:
   https://intsrv.internal.lab/
2. Log in as user1 using the password fortinet.

3. In the address book, verify that the domain address book contains the imported contacts.

LAB 11—Transparent Mode

In this lab, you will configure the transparent mode FortiMail to process bidirectional email for the external.lab domain using the built-in MTA. You will also configure and verify bidirectional transparency.

Objectives

- Configure a transparent mode FortiMail to process bidirectional email
- Verify built-in MTA functionality
- Configure bidirectional transparency

Time to Complete

Estimated: 50 minutes

1 Configuring a Transparent Mode FortiMail

In this exercise, you will review the initial system configuration and the topology for the ExtTP FortiMail VM. Then, you will perform the rest of the basic configuration tasks required to establish bidirectional email flow. You will also verify built-in MTA functionality using logs.

To review the initial system configuration

1. In Windows, open a web browser. Visit the ExtTP FortiMail’s management GUI:
   https://exttp.external.lab/admin
   Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. On the System Status page, in the System Information widget, verify that the Operation mode is set to Transparent.
4. Click System > Network > Interface.
5. Verify the following:
   - port1/Management IP is configured using the IP address 10.200.1.98/24
   - All interfaces are members of the built-in bridge
   - port3 and port4 are administratively down
6. Click System > Network > Routing.
7. Verify that there is a default route configured through port1.

To review the topology

1. Review the topology below and make note of the following:
   - ExtSRV FortiMail is directly connected to ExtTP FortiMail’s bridge-member interface port2

To configure connection pickup

1. Visit the ExtTP FortiMail’s management GUI:
   https://exttp.external.lab/admin
2. Click System > Network > Interface.
3. Double-click port1/Management IP.
4. Verify that the SMTP Proxy configuration has the following values:

    Field                   Value
    Incoming connections:   Proxy
    Outgoing connections:   Pass through
    Local connections:      Allow

5. Click OK.
6. Double-click port2.
7. Configure the following SMTP Proxy values:

    Field                   Value
    Incoming connections:   Pass through
    Outgoing connections:   Proxy
    Local connections:      Disallow

8. Click OK to save the changes.

Note: Because port1 is the closest interface to the source for all inbound email, port1’s incoming connections are proxied. Port2 is the closest interface to the source for all outbound email, so port2’s outbound connections are proxied.

To configure the system settings

1. Click System > Network > DNS.
2. Configure the following DNS servers:

    Field                  Value
    Primary DNS server     10.200.1.254
    Secondary DNS server   0.0.0.0

3. Click Apply to save the changes.

To configure the mail settings

1. Click Mail Settings > Settings > Mail Server Settings.
2. Configure the following values for the Local Host:

    Field                Value
    Host name:           ExtTP
    Local domain name:   external.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains.
5. Click New to add a protected domain using the following values:

    Field          Value
    Domain name:   external.lab
    SMTP server:   10.200.1.99

6. Expand Transparent Mode Options.
7. In the This server is on drop-down list, select port2.
8. Keep the default values for the remaining settings, and then click Create.

To configure an access receive rule for outbound email

1. Click Policy > Access Control > Receiving.
2. Click New.
3. Create a new access receive rule using the following values:

    Field                Value
    Sender pattern:      User Defined *@external.lab
    Sender IP/netmask:   User Defined 10.200.1.99/32
    Action:              Relay

4. Click Create to save the rule.

To verify built-in MTA functionality

1. In Windows, open Thunderbird.
2. Click Write.
3. Compose a new email message using the following values:

    Field           Value
    To:             [email protected]
    Subject:        Testing Transparent Mode
    Message Body:   Will this work?

4. Click Send.
5. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
   https://extsrv.external.lab/
6. Log in as extuser using the password fortinet.
7. Verify that the email message was delivered.
8. Reply to the email message.
9. In Thunderbird, verify that the reply was received.
10. Visit the ExtTP FortiMail’s management GUI:
    https://exttp.external.lab/admin
11. Click Monitor > Log > History.
12. Double-click the active log file. The first two entries in the History log should correspond to the two email messages that FortiMail just processed.

13. View the details for each log, and review the Direction and Mailer fields.

Note: FortiMail is using its built-in MTA to route email in both directions. In the Mailer field, the mta value shows this.

2 Configuring Bidirectional Transparency

You have verified that the ExtTP FortiMail is picking up email in both directions and using the built-in MTA to route email to its intended destination successfully.

In this exercise, you will examine email headers to investigate the transparency of ExtTP FortiMail’s email processing. Then, you will configure transparency for both incoming and outgoing email.

To examine outgoing email headers

1. In Windows, open Thunderbird.
2. Open the last email user1 received from extuser.
3. Click More > View Source.
4. Review the Received: headers:

    Received: from IntGW.internal.lab ([10.0.1.11]) by IntSRV.internal.lab with ESMTP id v29HESsx001946-v29HESt0001946
    Received: from ExtTP.external.lab ([10.200.1.98]) by IntGW.internal.lab with ESMTP id v29HESm1001931-v29HESm3001931
    Received: from extsrv.external.lab ([10.200.1.99]) by ExtTP.external.lab with ESMTP id v29HERuL002360-v29HERuN002360
    Received: from [10.0.1.10] ([127.0.0.1]) by extsrv.external.lab with ESMTP id v29HER6G001960-v29HER6H001960

To examine incoming email headers

1. Visit the ExtSRV FortiMail’s webmail GUI:
   https://extsrv.external.lab/
2. Open the last email extuser received from user1.
3. Click More > Detailed Header.
4. Review the Received: headers:

    Received: from ExtTP.external.lab ([10.200.1.98]) by extsrv.external.lab with ESMTP id v29HEDnS001931-v29HEDnU00193
    Received: from IntGW.internal.lab ([10.0.1.11]) by ExtTP.external.lab with ESMTP id v29HEDhs002345-v29HEDhu002345

Note: You should see that the transparent mode FortiMail is not really transparent in the email headers.

To configure inbound transparency

1. Visit the ExtTP FortiMail’s management GUI: https://exttp.external.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Double-click the external.lab domain.
4. Expand the Transparent Mode Options section.
5. Select the Hide this transparent box check box.
6. Click OK to save the changes.

To configure outbound transparency

1. Click Policy > Policies > Policies.
2. In the IP Policies section, click the Inbound_Session link. This session profile is applied to IP policy ID 1, which is currently processing all email.
3. In the Connection Settings section, select the Hide this box from the mail server check box.
4. Click OK.

To verify inbound transparency

1. In Thunderbird, send a new email message to [email protected]
2. Visit the ExtSRV FortiMail’s webmail GUI: http://extsrv.external.lab/
3. Open the email message you just sent.
4. Click More > Detailed Header.
5. Review the Received: headers.

   Received: from IntGW.internal.lab ([10.0.1.11])
    by extsrv.external.lab with ESMTP id v29IUVNd002175-v29IUVNf002175

Note: The ExtTP FortiMail no longer appears in the inbound email headers.

To verify outbound transparency

1. Visit the ExtSRV FortiMail’s webmail GUI: http://extsrv.external.lab/
2. Send a new email message to [email protected]
3. In Thunderbird, open the email message you just sent.
4. Click More > View Source. Review the Received: headers:

   Received: from IntGW.internal.lab ([10.0.1.11])
    by IntSRV.internal.lab with ESMTP id v29IgrVu001966-XXXXXXX

   Received: from ExtTP.external.lab ([10.200.1.99])
    by IntGW.internal.lab with ESMTP id v29IgrJV001947-XXXXXXX
   Received: from [10.0.1.10] ([127.0.0.1])
    by extsrv.external.lab with ESMTP id v29IgqvA00221-XXXXXXX

Note: While the header is now showing the IP address of the ExtSRV FortiMail (10.200.1.99), the hostname still shows ExtTP.external.lab. This is because the ExtTP FortiMail uses its own hostname in the SMTP greeting. There is one more configuration change you must make to prevent this.

To configure SMTP greeting rewrite

1. Visit the ExtTP FortiMail’s management GUI: https://exttp.external.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Double-click the external.lab domain.
4. Click Advanced Settings > SMTP Greeting (EHLO/HELO) Name (As Client).
5. Select Use other name, and then enter ExtSRV.external.lab.
6. Click OK to save the changes.

To verify outbound transparency

1. Visit the ExtSRV FortiMail’s webmail GUI: https://extsrv.external.lab/
2. Send an email message to [email protected]
3. In Thunderbird, open the new email message.
4. Click More > View Source.

5. Review the Received: headers. The ExtTP FortiMail should no longer appear in the headers:

   Received: from IntGW.internal.lab ([10.0.1.11])
    by IntSRV.internal.lab with ESMTP id v29MUF0s001921-v29MUF0t001921
   Received: from ExtSRV.external.lab ([10.200.1.99])
    by IntGW.internal.lab with ESMTP id v29MUEdn001911-v29MUEdp001911
   Received: from [10.0.1.10] ([127.0.0.1])
    by extsrv.external.lab with ESMTP id v29MUExs002184-v29MUExt002184
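The header reviews in this lab can also be scripted. The following Python sketch is an added example, not part of the original guide: it parses Received: headers excerpted from the lab's listings and reports which hops still expose the transparent unit by hostname, by IP address, or by a HELO name that does not match the connecting IP. The function names and the KNOWN_IPS map are assumptions made for the example.

```python
import re

# "from <HELO name> ([<peer IP>]) by <receiving host>" inside a Received: header
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.I)

# Assumption for this example: name-to-IP map taken from the lab's headers
KNOWN_IPS = {"exttp.external.lab": "10.200.1.98",
             "extsrv.external.lab": "10.200.1.99"}

def parse_hops(raw):
    """Return the Received: hops, newest first, as dicts with helo/ip/by."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # join folded header lines
    return [m.groupdict() for line in unfolded.splitlines()
            if line.lower().startswith("received:")
            and (m := HOP_RE.search(line))]

def audit(raw, hidden_host="ExtTP.external.lab", hidden_ip="10.200.1.98"):
    """List (hop number, finding) pairs that reveal the transparent unit."""
    findings = []
    for n, hop in enumerate(parse_hops(raw), 1):
        helo, by = hop["helo"].lower(), hop["by"].lower()
        if hidden_host.lower() in (helo, by):
            findings.append((n, "hostname"))
        if hop["ip"] == hidden_ip:
            findings.append((n, "ip"))
        # The HELO name claims one host but the peer IP belongs to another
        if helo in KNOWN_IPS and KNOWN_IPS[helo] != hop["ip"]:
            findings.append((n, "helo-ip-mismatch"))
    return findings

# Excerpts of the outbound headers shown in this lab (newest hops only)
BEFORE = """\
Received: from IntGW.internal.lab ([10.0.1.11])
 by IntSRV.internal.lab with ESMTP id v29HESsx001946-v29HESt0001946
Received: from ExtTP.external.lab ([10.200.1.98])
 by IntGW.internal.lab with ESMTP id v29HESm1001931-v29HESm3001931
Received: from extsrv.external.lab ([10.200.1.99])
 by ExtTP.external.lab with ESMTP id v29HERuL002360-v29HERuN002360
"""
HIDE_BOX_ONLY = """\
Received: from IntGW.internal.lab ([10.0.1.11])
 by IntSRV.internal.lab with ESMTP id v29IgrVu001966-XXXXXXX
Received: from ExtTP.external.lab ([10.200.1.99])
 by IntGW.internal.lab with ESMTP id v29IgrJV001947-XXXXXXX
"""
GREETING_REWRITTEN = """\
Received: from IntGW.internal.lab ([10.0.1.11])
 by IntSRV.internal.lab with ESMTP id v29MUF0s001921-v29MUF0t001921
Received: from ExtSRV.external.lab ([10.200.1.99])
 by IntGW.internal.lab with ESMTP id v29MUEdn001911-v29MUEdp001911
"""

if __name__ == "__main__":
    for name in ("BEFORE", "HIDE_BOX_ONLY", "GREETING_REWRITTEN"):
        print(name, audit(globals()[name]))
```

The helo-ip-mismatch finding corresponds to the intermediate state in the lab, where the session profile hides the IP address but the SMTP greeting still carries the ExtTP hostname.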

LAB 12—Maintenance

In this lab, you will configure and generate a local report, monitor system resource use, and perform local storage management.

Objectives

 Configure and generate a local report
 Monitor historical and real-time system resource use
 Partition a disk to allocate more space to the log disk

Time to Complete

Estimated: 25 minutes

1 Configure and Generate Local Reports

In this exercise, you will configure a local report to query the IntGW FortiMail’s mail filtering statistics. Then, you will generate an on-demand report and review the statistics.

To configure a local report

1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Log and Report > Report Settings > Configuration.
4. Click New.
5. Create a new report configuration using the following values:

   Field           Value
   Report name:    IntGWReport
   Time Period     This week

6. Expand the Query Selection section.
7. Expand the Mail Filtering Statistics query, and enable the following queries:
    Mail Category by Date
    Non-Spam Classifier by Date
    Spam Classifier by Date
    Virus Classifier by Date
8. In the Domain section, add the internal.lab domain.
9. Click Create to save the report configuration.

Note: In a production FortiMail, you should also configure scheduling and add a notification email so that the report is automatically generated and sent to you by email. The scheduled reporting will help keep you up-to-date on the email trends of your network.

To generate an on-demand report

1. Click Log and Report > Report Settings > Configuration.
2. Select the IntGWReport entry, and click Generate.
3. FortiMail generates the following notification:

4. Click OK.

To view the local report

1. Click Monitor > Report > Report.
2. Expand the report file entry.
3. Double-click the html file.
4. The report opens in a separate web browser tab. Use the menu on the left to navigate and review the data.

2 Monitoring System Resource Use

In this exercise, you will view the historical and real-time resources used by the IntGW FortiMail.

To view the resource use history

1. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Click Monitor > System Status > Status.
3. In the System Resource widget, make note of the following values:
   o CPU usage
   o Memory usage
   o System load
   o Active sessions
4. Click History.
5. You may need to allow Flash to run in the web browser.
6. Make note of the trends in resource use.

To view resource use in real-time

1. In Windows, open PuTTY.
2. Double-click the preconfigured session for IntGW.
3. Log in as admin and leave the password field empty.
4. To view the list of processes that are consuming the most CPU cycles or RAM, enter the following command:

   diagnose system top delay 1

   Note: A list of system processes is displayed, sorted by the processes consuming the most CPU at the top of the list. The list refreshes every second, which gives you a real-time view of the system’s resource use. To stop the output, you can press q.

5. Make note of the processes that are using the most:
    CPU: ____________________
    Memory: ____________________
6. Press q to stop the output but leave the PuTTY session running. You will come back to it soon.

To generate traffic

1. In Windows, on the taskbar, right-click the PuTTY icon, and then select Linux.
2. Log in as root using the password password.
3. Run the spam script by entering the following command:

   ./spamengine.pl -host 10.0.1.11 -mbox spam -recipient [email protected] -sender [email protected]

4. Leave the script running.

To view resource use during traffic

1. Return to the IntGW FortiMail’s PuTTY window.
2. Press the up-arrow key, and then press the Enter key. The history buffer should send the diagnose system top delay 1 command again.
3. Make note of the resource use by the processes. Which process is using the most:
    CPU: ____________________
    Memory: ____________________
4. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
5. Click Monitor > System Status > Status.
6. In the System Resource widget, click History.
7. Make note of the resource use trends during traffic. You must wait a few minutes before the charts refresh with new data.

To stop the spam script

1. In the Linux VM PuTTY window, press Ctrl + C.
2. Close the PuTTY window.

To stop the CLI output

1. In the IntGW PuTTY window, press q.
2. Leave this PuTTY session running. You will use it for the next exercise.

3 Local Storage Management

By default, the mail disk partition size is 80% of the total disk. For a gateway mode FortiMail, this can mean that a lot of unused space is taken up by the mail disk partition.

In this exercise, you will partition the IntGW FortiMail’s local storage, and allocate more space to the log disk partition.

To verify partition sizes

1. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Click Monitor > System Status > Status.
3. In the System Information widget, make note of the Log disk and Mailbox disk sizes:

To change the partition size

1. On the My Systems page, click IntGW. This opens a new tab with the FortiMail VM’s console session.

   Note: You should always perform disk formatting and partitioning tasks using the console connection. This allows you to monitor the entire process and take action in case of errors.

2. Click anywhere in the console window, and then press the Enter key. This displays the login prompt.
3. Log in as admin and leave the password field empty.
4. Type the following command to change the log disk partition size to 50% of the total storage:

   execute partitionlogdisk 50

   Note: The system prompts you about data loss on the mail and log disk. Press y.

5. After partitioning completes, the VM will reboot.

To verify the size after partitioning

1. In Windows, return to the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Monitor > System Status > Status.
4. In the System Information widget, make note of the Log disk and Mailbox disk sizes:

LAB 13—Troubleshooting

The internal.lab users are complaining that they are not able to send or receive email. In this lab, you will use SMTP event logs and the built-in packet capture tools to investigate and remedy the mail flow issues.

Objectives

 Investigate user complaints
 Use SMTP event logs and packet capturing to determine where the issue is occurring
 Remedy the email flow issue

Time to Complete

Estimated: 60 minutes

Prerequisites

Before beginning this lab, you must restore a configuration file.

To restore the initial configuration files

1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Maintenance > System > Configuration. Upload the following configuration file: Desktop\Resources\Starting Configs\Lab 13\13_Initial_IntGW.tgz
4. Click Restore.
5. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI: https://intsrv.internal.lab/admin
6. Log in as admin and leave the password field empty.
7. Click Maintenance > System > Configuration. Upload the following configuration file: Desktop\Resources\Starting Configs\Lab 13\13_Initial_IntSRV.cfg
8. Wait for the VMs to finish rebooting before proceeding with the exercise.

   Note: The config files introduce errors that cause the mail flow issues. Try to follow the methodologies presented in the lab to troubleshoot and remedy the problem.

1 Troubleshooting the Problem

In this exercise, you will verify the problem. Then, you will use SMTP event logs and packet capturing to determine where the issue lies.

To investigate inbound email flow

1. In Windows, open a web browser. Visit the ExtSRV FortiMail’s webmail GUI: https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Send an email message to [email protected]
4. Open Thunderbird, and then wait for the email message to arrive. Hint: It won’t arrive.

1. Open a new web browser tab. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Monitor > Log > History.
4. Double-click the active log file. The first entry in the History log should correspond to the email message you just sent from extuser.
5. View the log details. Do the details indicate that there is a problem?

   Note: In this particular instance, the History log details don’t provide much information. You must dig deeper.

6. Click Close.
7. Click the Session ID link to retrieve the cross search results.
8. Review the event logs related to the session:

   Note: The first two event logs relate to the external part of the session, from ExtSRV to IntGW. The third event log relates to the internal part of the session, from IntGW to IntSRV.

9. Do the event logs indicate that there is a problem?

Note: The external part of the session appears to be without issues. The internal part of the session appears to be experiencing problems. Specifically, the connection from IntGW to IntSRV is being refused. However, the reason for refusal isn’t listed.

To investigate outbound email flow

1. In Windows, open Thunderbird.
2. Try to send an email message to [email protected]. Hint: It won’t work!
3. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI: https://intsrv.internal.lab/admin
4. Log in as admin and leave the password field empty.

5. Click Monitor > Log > History.
6. Double-click the active log file. Try to find an entry in the History log for the outbound email message you just tried to send.
7. Click Monitor > Log > Event.
8. Double-click the active log file.
9. In the Sub type drop-down list, select SMTP. Try to find a related SMTP event log entry for the outbound email message you just tried to send.

Note: If you can’t find an entry in the history or event logs for a specific session, it means there is an issue at either the IP or TCP layer. In these types of scenarios, only a traffic capture might show you what the problem is.

To capture inbound email traffic

1. Visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin
2. Click Maintenance > System > Traffic Capture.
3. Click New.
4. Configure the following values:

   Field          Value
   Description    InboundCapture
   Duration       10 minutes
   Interface      port1
   IP/Host        10.0.1.99
   Filter         Capture all

   Note: After investigating the inbound email flow, you established that the issue appears to be with the internal portion of the email session. Therefore, you are only interested in seeing traffic for the IntSRV (10.0.1.99) FortiMail.

5. Click Create.
6. Visit the ExtSRV FortiMail’s webmail GUI: https://extsrv.external.lab/
7. Send a new email message to [email protected]
8. Visit the IntGW FortiMail’s management GUI.
9. Click Maintenance > System > Traffic Capture.
10. Click Refresh until you see the Size(Byte) column populated.

11. Select the capture, and then click Stop.
12. Select the capture again, and then click Download.
13. Save the capture file to the desktop.

To review the inbound traffic capture

1. On the Windows desktop, open the capture file.
2. In the Display Filter field, type ip.addr==10.0.1.99, and then press the Enter key.
3. You should see the following packets:
4. Select the first packet (Source: 10.0.1.11 Destination 10.0.1.99), and expand the Transmission Control Protocol header. Review the details:

Note: This is the first packet of the session between IntGW (10.0.1.11) and IntSRV (10.0.1.99) on port 465 (Dst Port). This packet has a sequence number of 0 and is flagged as the SYN packet. This packet is expected, since all TCP sessions start with a SYN packet.

