FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42


DO NOT REPRINT  LAB 13—Troubleshooting© FORTINET 5. Select the second packet (Source: 10.0.1.99 Destination 10.0.1.11), and expand the Transmission Control Protocol header. Review the details: Note: This second packet is not expected. It has a RST/ACK flag. The IntSRV FortiMail is sending a reset as soon as IntGW attempts to set up a TCP session on port 465. The expected packet would have been a SYN/ACK, but that is not the case. Note: From the above analysis, you can start to form an idea about the root cause. The IntGW FortiMail is, expectedly, sending a SYN packet for port 465 (SMTPS), however, the IntSRV FortiMail is refusing the session. You know, and can verify, that it’s not related to IP addressing because if it was you wouldn’t see a reply packet at all. So, it must be related to the TCP port. However, before you try to fix this issue, have a look at the outbound session using a packet capture.To capture outbound email traffic1. In Windows, open a PuTTY window.2. Double-click the preconfigured session for IntSRV.3. Log in as admin and leave the password field empty.4. Type the following commands to start a packet capture: diagnose sniffer packet any “host 10.0.1.10 and port 25” 4 Note: The filter is set up to capture SMTP (port 25) traffic from the 10.0.1.10 host (Windows).5. In Windows, open Thunderbird.6. Try to send another email message to [email protected]. In the PuTTY window, review the capture output:FortiMail Student Guide 151

DO NOT REPRINT  LAB 13—Troubleshooting© FORTINET Note: The IntSRV FortiMail is showing similar behavior for outbound traffic. The 10.0.1.10 host is initiating the session on port 25 with a SYN packet. However, the 10.0.1.99 host is refusing the session with an RST.8. Press Ctrl + C to stop the capture.9. Close the PuTTY window.FortiMail Student Guide 152

DO NOT REPRINT  LAB 13—Troubleshooting© FORTINET 2 Fix the problemIn this exercise, you will review the configuration and fix any errors. Then, you will verify your changesby sending email in both directionsTo review the configuration1. Visit the IntSRV FortiMail’s management GUI: https://intsrv.internal.lab/admin2. Log in as admin and leave the password field empty.3. Try to navigate the various configuration sections and discover where there could be a potential configuration issue for SMTP and SMTPS port numbers. Hint: Check Mail Settings > Settings > Mail Server Settings.4. Fix any errors you see in the Mail Server Settings section. Hint: SMTP uses port 25 and SMTPS uses port 465.To verify the change1. In the main Thunderbird window, send another email message to [email protected]. If your changes are correct, the email message will be delivered to the recipient2. Open another web browser tab. Visit the ExtSRV FortiMail’s webmail GUI: https://extsrv.external.lab/3. Log in as extuser using the password fortinet.4. Verify that the email was received.5. Open the email message, and then reply to it.6. In the main Thunderbird window, verify that the reply was received.FortiMail Student Guide 153

DO NOT REPRINT  Appendix A: Additional Resources© FORTINETAppendix A: AdditionalResourcesTraining Services https://www.fortinet.com/trainingNSE Institute https://training.fortinet.com/Technical Documentation http://docs.fortinet.com/fortimail/admin-guidesKnowledge Base http://kb.fortinet.comForums https://forum.fortinet.com/Customer Service & Support https://support.fortinet.comFortiGuard Threat Research & Response http://www.fortiguard.comThe Fortinet Cookbook http://cookbook.fortinet.com/fortimail/FortiMail Student Guide 154

DO NOT REPRINT  Appendix B: Presentation Slides© FORTINETAppendix B: PresentationSlides1 Email Concepts ...................................................................................................................1562 Basic Setup .........................................................................................................................1913 Access Control and Policies ...............................................................................................2374 Authentication .....................................................................................................................2685 Session Management .........................................................................................................2956 Antivirus & Content Inspection............................................................................................3247 Antispam .............................................................................................................................3788 Securing Communications..................................................................................................4229 High Availability...................................................................................................................47410 Server Mode......................................................................................................................49811 Transparent Mode.............................................................................................................52512 Maintenance & Troubleshooting .......................................................................................555FortiMail Student Guide 155

DO NOT REPRINT  Email Concepts© FORTINETIn this lesson, we will explore many of the basic concepts which you will need to understand SMTP andFortiMail.FortiMail Student Guide 156

DO NOT REPRINT  Email Concepts© FORTINETThese are topics we will cover in this lesson. You will learn how FortiMail is different from antispam filtering onFortiGate. You will learn different device roles, and the role DNS plays in email flow. You will also review howemail is sent and retrieved using different protocols, as well as how SMTP messages are exchanged betweenserver and client. Finally you will learn the different operation modes of FortiMail.FortiMail Student Guide 157

DO NOT REPRINT  Email Concepts© FORTINETWhy use a FortiMail? In this section we will look at the security advantages provided by the FortiMail emailsecurity appliance.FortiMail Student Guide 158

DO NOT REPRINT  Email Concepts© FORTINETFortiMail is an email security solution that goes far beyond traditional antispam technology to provide industry-leading messaging security. FortiMail combines more than a dozen antispam technologies that act at theconnection, header, and content levels in order to identify spam, phishing, newsletters, and more, with highaccuracy.With three different deployment modes ─ Server, Gateway, and Transparent ─ and various hardware, virtualappliance, and Fortinet Cloud hosted options make FortiMail scalable from small businesses, to managedsecurity service provider (MSSP), cloud, and carrier-class implementations. This flexibility goes far beyondwhat FortiGate’s proxy and flow engines provide.While FortiGate provides transparent in-line scanning for email-based threats, FortiMail provides much deeperanalysis, and implements a much richer feature set by taking advantage of a resource which is in limitedsupply on a FortiGate: time. Because of the store-and-forward nature of SMTP, FortiMail has the time toperform deep analysis of the connection request, the envelope, and the message payload. FortiMail can alsoqueue mail and retry if there are connectivity interruptions. FortiGate’s SMTP proxy can’t.Just like FortiGate, FortiMail uses FortiGuard services to stay up-to-date with the latest threat knowledge.Also, like FortiGate, you can integrate FortiMail with a FortiSandbox for deeper payload analysis to create acomplete ATP solution.FortiMail Student Guide 159

DO NOT REPRINT  Email Concepts© FORTINETIn addition to top-rated threat prevention, FortiMail data protection is unique because it’s included with allphysical and virtual FortiMail devices at no extra charge. This complete data protection solution includes:• Data leak prevention, which uses pre-set dictionaries for various terms covered by regulation, as well as smart identifiers for common personal and financial information, to detect and prevent the leak of sensitive information• Industry standard TLS and S/MIME encryption, as well as our own identity-based encryption, for secure email delivery all the way to the recipient• Email archiving, which you can use for email retention based on policy triggers, that enables off-box remote storage and even supports exchange journalingFortiMail Student Guide 160

DO NOT REPRINT  Email Concepts© FORTINETFortiMail Student Guide 161

DO NOT REPRINT  Email Concepts© FORTINETIn this section, you will learn about specific SMTP device roles and the role DNS plays in email exchanges.FortiMail Student Guide 162

DO NOT REPRINT  Email Concepts© FORTINETEnd users interact with SMTP by using an MUA such as Outlook, Thunderbird, or Apple Mail, to compose andsend email. MUAs facilitate email retrieval using protocols such as POP or IMAP.Any SMTP server that handles email, but isn't the final destination server, is an MTA, also known as a mailrelay. Mail relays can exist internally, on an enterprise network, or on the Internet, provided as a service by anISP for its customers. FortiMail operating in gateway mode is a mail relay. FortiMail in server mode is both amail relay and the destination server. Typically, MTAs implement a vetting mechanism to check if a sender isauthorized to use that particular MTA’s services. This can be in the form of authentication or filtering rulesbased on source IP. MTAs that don’t implement these mechanisms are referred to as open relays. Openrelays are widely exploited by spammers to send unsolicited spam in bulk.A mail server is the final destination of an email before the recipient retrieves it. A mail server may alsosupport MTA functionality.FortiMail Student Guide 163

DO NOT REPRINT  Email Concepts© FORTINETDNS plays an important role in email delivery. When an MTA needs to find out where to send an email, itperforms a lookup for a specific type of DNS record on the domain portion of the recipient’s email address.This specific DNS record is known as the MX record. The MX record lookup can return one or moredestination MTAs. The sending MTA connects to the address indicated by the MX record to send the email.When multiple MTA addresses exist, preference values are used to indicate priority. An MTA with the lowestpreference always has the highest priority. If the MTA with the lowest preference doesn’t respond to a TCPSYN request, then the next higher preference MTA is used. If the preference value is equal across multipleMX entries, then some form of load balancing may be used. The most common form of load balancing is DNSround robin. The DNS server will randomize the order of equally weighted DNS MX responses, and thesenders will therefore load distribute using whichever random server is on top of the list.For FortiMail deployments, depending on the deployment mode, the public DNS records indicate thatFortiMail is the MX destination.FortiMail Student Guide 164

DO NOT REPRINT  Email Concepts© FORTINETFortiMail Student Guide 165

DO NOT REPRINT  Email Concepts© FORTINETWhat happens after a user’s client software has initiated an SMTP connection with an SMTP server or mailrelay? How does email reach the recipient’s inbox? In this section, you will learn more about email flow.FortiMail Student Guide 166

DO NOT REPRINT  Email Concepts© FORTINETWhen a user composes an email message to a recipient in their email client software and clicks Send, thesoftware connects to the mail relay. Usually this is the corporate or ISP mail server. The mail relay performs aDNS lookup for the domain portion of the recipient’s email address, asking for the MX record for that domain,and delivers the email to the next hop. This process is repeated until the email reaches the destination mailserver.FortiMail Student Guide 167

DO NOT REPRINT  Email Concepts© FORTINETWe will use the next few slides to demonstrate, in detail, the processes involved in sending an email.1) User [email protected] wants to send an email to [email protected]. Since post.example1.org is the local mail server for the sender, the email will go through post.example1.org.FortiMail Student Guide 168

DO NOT REPRINT  Email Concepts© FORTINET2) To forward the email toward the destination, post.example1.org queries the public DNS server for the MX records of example3.com, and uses the entry with the lowest preference, relay.example2.net.FortiMail Student Guide 169

DO NOT REPRINT  Email Concepts© FORTINET3) The relay.example2.net MTA queries the DNS server as well. This time, the smallest preference entry is mail.example3.com. So relay.example2.net forwards the email to mail.example3.com.FortiMail Student Guide 170

DO NOT REPRINT  Email Concepts© FORTINET4) User [email protected] uses their MUA to download the email from mail.example3.com.FortiMail Student Guide 171

DO NOT REPRINT  Email Concepts© FORTINETFortiMail Student Guide 172

DO NOT REPRINT  Email Concepts© FORTINETIn this section, you will learn more about SMTP messages used in email transmission, as well as how SMTPimplements authentication and encryption. You will also learn how POP3 and IMAP is used for email retrieval.FortiMail Student Guide 173

DO NOT REPRINT  Email Concepts© FORTINETEmail on the Internet follows a set of standards known as SMTP. The SMTP protocol was first submitted in1982 under RFC 821. Although there have been many subsequent extensions, SMTP remains true to itsname: it is a relatively simple protocol, with a limited number of commands and responses.The SMTP commands shown on this slide show how the client—usually an MUA or an intermediary MTA—performs various tasks.There are also three-digit server response codes that the receiving MTA can use to convey various statusmessages back to the sender.Over the years, engineers have added features to SMTP that didn't exist in the original RFC. For example,servers that support ESMTP can be requested to use encryption of the email body using transport layersecurity (TLS).FortiMail Student Guide 174

DO NOT REPRINT  Email Concepts© FORTINETThis slide shows the typical commands used by the client and server during an email exchange. It starts withthe client–the sending MTA or MUA–initiating a TCP session on port 25.If the TCP session is established, the SMTP session starts with the server–the receiving MTA–presenting thebanner. The client then presents an HELO message, which the server acknowledges. At this point, the clientis free to start the SMTP transaction by providing the envelope addresses.The client uses the DATA command to indicate the start of the message, which includes the header and body.The message header can contain a lot more information than what is shown here. You will see an example onanother slide.The client sends a single “.” on a new line to indicate the end of the message and the server acknowledgesthe end of the SMTP transaction. If additional email must be sent, the client starts the process again at theMAIL FROM step.To end the SMTP session, the client sends a QUIT message, which is also acknowledged by the server. Atthis point the TCP session is torn down.This type of message exchange occurs any time an SMTP device has to send an email. Whether it is anMUA-to-MTA or an MTA-to-MTA transmission, this kind of client-server interaction occurs. The only exceptionto this interaction exists with Microsoft Outlook and Microsoft Exchange servers, which use a Microsoftproprietary protocol called Messaging Application Programming Interface (MAPI). MAPI is used for both emailtransmission and retrieval between Microsoft Outlook and Microsoft Exchange.Note: This example is the most unsecure form of SMTP message exchange. Since no authentication, orencryption was use, a session like this can be easily forged using telnet.FortiMail Student Guide 175

DO NOT REPRINT  Email Concepts© FORTINETA message header can contain a lot of useful information. Each email client has its own procedure for viewingthe message header of a single email. Message headers are often used to gather information or troubleshootemail issues. The contents of the message header remains intact when an email is forwarded as anattachment. Forwarding the email destroys the original message header because the MUA creates newheaders from the new point of origin.One of the most important pieces of information are the Received headers. Every time an email is generatedby an MUA, or traverses an MTA, a Received header is added. At minimum, the Received header containsthe IP address of the sender, if it is the first hop, or the receiver, if it is an intermediary hop, and the date andtime the email was processed by the hop. Depending on the vendor, sometimes MTAs add a session ID forthe email, as well as the TLS version and cipher information (if applicable).Received headers are added on top of one another. The bottommost entry shows where the email started itsjourney, and the topmost entry shows where the email is currently located.As well as the Received headers, other information contained in the message header includes, MIMEheaders, Content headers, and the Subject.FortiMail Student Guide 176

DO NOT REPRINT  Email Concepts© FORTINETThe original RFC for SMTP didn't include any requirements for security mechanisms. Email was transmitted inplain text by unauthenticated users.The AUTH extension was added as a way to verify sender identity. MTAs that support ESMTP can, andshould, enforce authentication to ensure that only authorized users can send email.FortiMail Student Guide 177

DO NOT REPRINT  Email Concepts© FORTINETSMTPS implemented a layer of security using TLS encryption, but it was never standardized. MTAs needed tomaintain separate ports for encrypted and unencrypted sessions because SMTP uses port 25, but SMTPSuses port 465.The current standard for secured email communication is SMTP over TLS. Connections are made using thestandard SMTP port, and a TLS negotiation occurs after the SMTP session has already been established. Ifboth sides agree, a secure connection is established and the remaining data is exchanged securely. ManyESMTP servers enforce the STARTTLS message for encryption. This means that the recipient MTA acceptsonly the envelope addresses (MAIL FROM and RCPT TO) after TLS is established.FortiMail Student Guide 178

DO NOT REPRINT  Email Concepts© FORTINETIn SMTP over TLS, the initial connection is made on the standard SMTP TCP port. The client, which could bean MUA or MTA, transmits its EHLO message and is presented with a list of extensions that represent the setof supported extensions on the server side of the connection. If STARTTLS is present in the list, and if theclient wants a secure connection, then the client responds with STARTTLS. This initiates the TLS negotiationbetween the two endpoints. After the secure connection is established, the remaining SMTP traffic isencrypted on the network.In SMTPS, the server and client start the SMTP session fully encrypted in a TLS tunnel.FortiMail Student Guide 179

DO NOT REPRINT  Email Concepts© FORTINETPOP is used to download new messages and store them locally in the user’s email client. Typically, themessages are deleted from the server after download. This works well, but there are also somedisadvantages. Since email messages are stored on the user’s device after download, they are onlyaccessible on that device. If the user accesses email from multiple devices, for example, a smartphone and alaptop, then it becomes challenging to keep track of which message is on which device.It’s important to use POP in a secure way. The original RFC for POP didn't implement any form of encryption,and passwords can be sent as clear text unless the email server and client are configured to support theSSL/TLS extensions to POP.FortiMail Student Guide 180

DO NOT REPRINT  Email Concepts© FORTINETIMAP is another mail retrieval protocol that has multiple advantages over POP3. It provides more robustmanagement of an email inbox including message retention, allowing multiple managers of an inbox, foldermanagement, and so on. IMAP is usually the go-to method for keeping multiple devices synchronized with aninbox. Like POP3, IMAP functions on two separate ports. TCP port 143 can use a STARTTLS message toupgrade the connection to be TLS encrypted, otherwise it functions in clear text. TCP port 993 is used forcomplete end-to-end encryption.FortiMail Student Guide 181

DO NOT REPRINT  Email Concepts© FORTINETNow when you look at the mail flow example, you should be able to identify where SMTP transactions occur,and where IMAP or POP3 transactions occur.FortiMail Student Guide 182

DO NOT REPRINT  Email Concepts© FORTINETFortiMail Student Guide 183

DO NOT REPRINT  Email Concepts© FORTINETYou can deploy FortiMail in three distinct operating modes: gateway, server, or transparent. You usually setthe operating mode at the beginning of a deployment. You rarely change modes after deployment. The modeyou set depends on the type of network in which you will be using FortiMail.FortiMail Student Guide 184

DO NOT REPRINT  Email Concepts© FORTINETIn gateway mode, FortiMail provides full MTA functionality. In the email path, FortiMail sits in front of anexisting email server and scans email. If FortiMail detects any spam email, it discards them or stores them inthe user quarantine mailboxes on the local FortiMail. FortiMail delivers all clean email to the back-end mailserver.A DNS MX record change (or destination NAT rule change on the firewall) is required to redirect all inboundemail traffic to the FortiMail device for inspection. For complete protection, all outbound email should also berouted through FortiMail for inspection.Gateway mode deployments are excellent at extending existing email infrastructure scalability. FortiMail canoffload all security-related and message-queuing tasks, and reduce the overall performance requirementsfrom back-end mail servers.FortiMail Student Guide 185

DO NOT REPRINT  Email Concepts© FORTINETIn server mode, FortiMail provides all of the typical functions of an email server as well as security scans. Youcan use FortiMail operating in server mode as a drop-in replacement for retiring email servers. It is also anexcellent choice for environments deploying internal email servers for the first time.The same DNS MX record change or destination NAT rule change on the firewall is needed to redirect allinbound email traffic to FortiMail for inspection. After inspection, FortiMail delivers the clean email to the end-user mailboxes stored locally on FortiMail. End users use IMAP, POP3, or Webmail to access their inboxes.Along with storing user mailboxes, FortiMail in server mode provides complete group calendar, resourcescheduling, webmail, and other advanced features.FortiMail Student Guide 186

DO NOT REPRINT  Email Concepts© FORTINETIn transparent mode, FortiMail is located physically on the email path to intercept email traffic transparently forinspection. When operating in transparent mode, FortiMail isn't the intended IP destination of the email,therefore, no DNS or DNAT rule change is required. This allows you to deploy FortiMail in environmentswhere you don’t want IP address and DNS MX changes. Transparent mode is often utilized in large MSSP orcarrier environments.FortiMail Student Guide 187

DO NOT REPRINT  Email Concepts© FORTINETFortiMail Student Guide 188

DO NOT REPRINT  Email Concepts© FORTINETIn this lesson, you learned about the following:• The specialized role FortiMail plays in email security, and the advantages FortiMail offers compared to FortiGate antispam features• Various device roles, and the role DNS plays in email transmission• How SMTP communication occurs, and the SMTP messages that are used during an email exchange• Various email retrieval protocols• The different deployment modes of FortMail, and their relevant environmentsFortiMail Student Guide 189

DO NOT REPRINT  Email Concepts© FORTINETThank you!FortiMail Student Guide 190

DO NOT REPRINT  Basic Setup© FORTINETIn this lesson, we’ll show how to complete basic settings for your FortiMail deployments.FortiMail Student Guide 191

DO NOT REPRINT  Basic Setup© FORTINETThese are topics that will be covered in this lesson. You will learn how to set up basic inbound email flow to aFortiMail configured in server or gateway mode, as well as user and email flow management.FortiMail Student Guide 192

DO NOT REPRINT  Basic Setup© FORTINETIn this section, you will learn about the following navigation tasks:• Accessing the Administration and Webmail interfaces• Navigating the GUI• Accessing the CLI• Using the context-sensitive online helpFortiMail Student Guide 193

DO NOT REPRINT  Basic Setup© FORTINETFortiMail has two interfaces: a GUI, which includes the administration interface and the webmail interface,and a CLI. Most of the time, administrators use the GUI to configure and maintain FortiMail.Use the following two URLs to connect to FortiMail:• To access the GUI, go to https://<fortimail FQDN or IP>/admin• To access webmail, go to https://<fortimail FQDN or IP>FortiMail Student Guide 194

DO NOT REPRINT  Basic Setup© FORTINETYou can use the quick start wizard to complete common FortiMail deployment tasks to save time and avoiderrors. The quick start wizard takes you through FortiMail’s basic settings.Note: You can’t use the quick start wizard to select the operation mode. Select the operation mode beforeyou use the wizard.FortiMail Student Guide 195

DO NOT REPRINT  Basic Setup© FORTINETThe FortiMail GUI has two display modes: advanced mode and basic mode. The default mode is advancedmode. In advanced mode, all configuration menu items are visible. To switch from advanced mode to basicmode, click Basic Mode. Basic mode displays only the features and functions that you use most commonlyfor daily operation and maintenance. Switching between advanced mode and basic mode affects only whatthe GUI displays–the configuration doesn’t change.FortiMail Student Guide 196

DO NOT REPRINT  Basic Setup© FORTINETTo access the CLI using the FortiMail GUI, do the following:1. In the left frame, click Monitor > System Status.2. In the right pane, click the Console tab.Since you have already authenticated by logging in to the GUI, you can access the CLI using a single click.Alternatively, you can access the CLI using SSH in a separate SSH client.FortiMail Student Guide 197

DO NOT REPRINT  Basic Setup© FORTINETThe FortiMail CLI syntax is similar to the FortiOS syntax, however, you need to use the CLI for only a fewconfiguration tasks. For example, you must use the CLI to disable POP3 and IMAP services to make sureFortiMail complies with information security standards.See the CLI Reference Guide in the Fortinet Document Library at http://docs.fortinet.com/fortimail/reference.FortiMail Student Guide 198

DO NOT REPRINT  Basic Setup© FORTINETYou can customize elements of both the Administration and Webmail GUIs to apply alternate branding, colorthemes, default languages, and more.FortiMail Student Guide 199

DO NOT REPRINT  Basic Setup© FORTINETTo view the online help for a particular feature or function of FortiMail, navigate to the location where thatfeature is configured and, at the top of the window, click the Help button. A separate window or tab opensthat contains related content. After the FortiMail Online Help window opens, you can navigate to other topicsin the window.Note: You must connect your computer to the Internet to view online help content.FortiMail Student Guide 200

