

FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42

Description: FortiMail_Student_Guide-online


DO NOT REPRINT Basic Setup © FORTINET FortiMail Student Guide 201

In this section, you will learn about the system settings for a base configuration, including the following:
• Selecting the operation mode
• Configuring network interfaces, DNS, routes, system time, and a hostname
• Configuring administrators and administrative options
All of the system settings for a base configuration apply in all operation modes.

The default operation mode is gateway mode.
To change the operation mode, do the following:
1. Click Monitor > System Status.
2. In the System Information widget, in the Operation mode drop-down list, select an operation mode.
Note: If you change the operation mode, FortiMail reboots and most settings return to the factory default values.
Since the operation mode affects how FortiMail functions, you should select the operation mode when you do the initial setup. If you plan to use the quick start wizard to begin the configuration, you must set the operation mode before you run the wizard.
Before you select server or gateway for the operation mode, verify that your public DNS MX record is up to date.

Typically, in gateway and server modes, only one interface is active. In transparent mode, depending on the deployment topology, multiple interfaces may be active.
The default IP address and subnet mask for the port1 interface is 192.168.1.99/24.
To configure the interfaces, do the following:
1. In the left frame, click System > Network.
2. In the right pane, click the Interface tab.
FortiMail also supports IPv6 and DHCP addresses. You can select an access option to enable or disable access to FortiMail using HTTP, HTTPS, PING, SSH, SNMP, and TELNET.

By default, there are no routes configured on FortiMail. You must configure at least one default route to the Internet to make sure FortiMail connects correctly to FortiGuard, and to make sure email traffic flows correctly. You can configure more static routes as needed to accommodate networks that have multiple gateways. The fields in the New Routing Entry dialog support both IPv4 and IPv6 addresses.

When you configure multiple static routes on FortiMail, FortiMail can select only one route to send an IP packet on. To determine which route it uses, FortiMail examines the destination IP address of the packet and compares it with the list of static routes, looking for routes that have a destination IP or netmask value that is closest to the value of the packet it is sending. If two routes are equal candidates for selection, FortiMail selects the route that has the lowest index number. You can view the index number associated with each route entry only in the CLI, using the command get system route.
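The route selection just described, written out as an added example (this is not FortiMail code). It reads "closest" as the most specific match, the longest netmask, and breaks ties on the lowest index number; the routing table below is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    index: int          # the index number that "get system route" shows in the CLI
    destination: str    # network in "address/prefix" form; 0.0.0.0/0 is the default route
    gateway: str        # next hop


def select_route(routes, dst_ip):
    """Return the single route used for a packet to dst_ip, or None.

    Candidates are routes whose destination contains dst_ip. The most
    specific one (longest netmask) wins; among equal candidates the
    lowest index number wins.
    """
    dst = ipaddress.ip_address(dst_ip)
    best, best_key = None, None
    for route in routes:
        net = ipaddress.ip_network(route.destination, strict=False)
        if net.version != dst.version or dst not in net:
            continue
        # Sort key: longer prefix first, then lower index.
        key = (-net.prefixlen, route.index)
        if best_key is None or key < best_key:
            best, best_key = route, key
    return best


# Constructed sample routing table (not taken from a real device).
ROUTES = [
    StaticRoute(1, "0.0.0.0/0", "192.168.1.1"),      # default route to the Internet
    StaticRoute(2, "10.0.0.0/8", "192.168.1.2"),
    StaticRoute(3, "10.20.0.0/16", "192.168.1.3"),
    StaticRoute(4, "10.20.0.0/16", "192.168.1.4"),   # equal candidate to index 3
    StaticRoute(5, "2001:db8::/32", "2001:db8::1"),
]

if __name__ == "__main__":
    for ip in ("10.20.5.5", "10.9.9.9", "203.0.113.7", "2001:db8:1::5", "fe80::1"):
        chosen = select_route(ROUTES, ip)
        print(ip, "->", "no route" if chosen is None
              else f"index {chosen.index} via {chosen.gateway}")
```

Note that 10.20.5.5 is covered by indexes 2, 3 and 4; the /16 routes beat the /8, and index 3 beats index 4 only because it is lower.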

By default, FortiMail is preconfigured with FortiGuard DNS servers. DNS plays a vital role in email transmission as well as FortiGuard connectivity, therefore the choice of DNS servers can have a significant effect on the performance of FortiMail.

Accurate date and time values are important for timestamps in logs, for mail transfer agent (MTA) functionality, and for SSL/TLS transactions. FortiMail applies timestamps to various message headers that get processed by other external MTAs along the way. You can configure the date and time in FortiMail manually but, to maintain accuracy, sync FortiMail with an NTP server instead.

By default, the system host name is set to the device serial number. This causes the device serial number to show up in the SMTP banner during an SMTP session. You should set the host name and local domain name to create an FQDN. To set the host name and local domain name, go to Mail Settings > Settings > Mail Server Settings.
The FQDN of a FortiMail instance is used in a variety of places. Many functions, such as email quarantine, won't function unless the host name can be correctly resolved. For correct external MTA connectivity, you must set FortiMail's FQDN to be externally resolvable both forward and reverse.


In this section, you will learn about configuration tasks for administrators, including the following:
• Configuring local and remote authentication for administrator accounts
• Defining levels for administrator account permissions
• Configuring administrator options

FortiMail is configured with a default admin user and an empty password field. You must create an admin user password. To create an admin user password and additional admin users, do the following:
1. In the left frame, click System > Administrator.
2. In the right pane, click the Administrator tab.
You can set the access profile and domain to restrict administrators to certain sections of the GUI, or to specific domains. You can set the authentication type to local or remote, using RADIUS, LDAP, or PKI. For remote authentication types, you must also configure an additional profile that defines the details of the authentication.
You can configure trusted hosts to restrict each account to specific IP subnets or addresses. You can also set a color theme and language for the GUI for each administrator.

You can also configure administrator accounts to authenticate against a remote server. In the Authentication type drop-down list, select RADIUS, PKI, or LDAP, and then select the appropriate authentication profile.

You must associate each admin user account with an access profile that determines which areas an administrator can access, and provides permissions to modify elements within those areas. The default super_admin_prof access profile is assigned to the default admin account. You can't remove the super_admin_prof access profile.
Access profile levels can also be applied dynamically via RADIUS. We will explore RADIUS and other authentication profiles more in a later lesson.

You can create a single, global password policy to enforce complex passwords, and you can choose which admin users, local mail users, and IBE users to apply the policy to. The authentication server usually enforces the password policies for non-local mail users (LDAP, and others).

To make sure FortiMail complies with information security standards, you can reduce the idle timeout and enable a login disclaimer. You can set the disclaimer to appear before or after the user logs in. You can also set the disclaimer to appear when an admin, webmail, or IBE user logs in. When you set the disclaimer for admin users, it also appears when the admin users access the CLI using SSH or TELNET.
You can also change the administration ports on the Options tab. If you change the default ports, you must update the applicable port forwarding rules on your organization's firewall to reflect the change.


In this section, you will learn about protected domains on FortiMail, including the following:
• Defining protected domains
• Differentiating between inbound and outbound email messages
• Configuring advanced domain settings

FortiMail is designed to protect domains. You must create protected domains in order to establish email flow. To create a protected domain, you must select different options, depending on the operation mode of FortiMail. For gateway or transparent modes, you must define the domain and the destination SMTP server. For server mode, you must define only the domain, because FortiMail is the final destination of the email message.
Protected domains also specify which email messages FortiMail considers to be inbound and which it considers to be outbound.

When FortiMail receives an email, it compares the domain part of the recipient email address with the list of protected domains. If there is a match, FortiMail considers the message to be incoming; otherwise, the message is outgoing.
The direction of the email is important to FortiMail because it influences relay behavior. Incoming email is relayed by default, so no additional configuration is required to allow email into the organization. By default, FortiMail rejects outgoing email messages, unless the sender is authenticated. This behavior is hardcoded to prevent FortiMail from being abused as an open relay.

Domain association allows multiple email domains to share a single configuration in FortiMail. For example, any recipient-based policies created for the main domain apply to the associated domains as well.
This is extremely convenient for environments that have more than one domain, where you want to keep FortiMail protection consistent across all of the domains. This not only helps to minimize redundant configuration and speed up the deployment, but also eliminates errors or drift over time in the configuration of the domains.
When adding associated domains to FortiMail, update the MX records of the domains so all inbound email is delivered to FortiMail.


In this section, you will learn about user management tasks, including the following:
• Configuring and managing server mode users
• Managing gateway and transparent mode quarantine mailboxes
• Configuring recipient verification

Since user mailboxes are managed by FortiMail in server mode, you should create user account entries for each user. You can configure these user accounts to authenticate locally, or using LDAP or RADIUS. In server mode, the user inbox handles both regular email and the spam quarantine.
You can use the User tab to create users, while the User Preferences tab allows you to manage user preferences. The administrator can manage user preferences using the administration interface, and the end user can manage user preferences using the webmail interface.

In gateway and transparent modes, FortiMail maintains quarantine mailboxes for users. These mailboxes are created automatically when FortiMail needs to send email to quarantine as a result of spam detection.
You can't manually create users on FortiMail when it is configured in gateway or transparent mode. You can, however, manage user preferences, such as block or safe list entries, using the administration GUI. The end user can access their quarantine mailbox and account preferences using the webmail interface.

We know that FortiMail, when it is configured in gateway or transparent mode, processes all email and attempts to relay it to the backend server. So what happens if a user account doesn't exist? In this case, the backend server generates an error and FortiMail creates a quarantine account for the invalid user and quarantines the email there. Over time, this can lead to an excessive amount of storage space being used for email for invalid users.
There are two ways to deal with this: recipient address verification or automatic removal of invalid quarantine accounts. To optimize the use of storage space, you should implement at least one of these features for gateway or transparent mode deployments.
Recipient verification is built into server mode's regular email handling process, therefore you don't need to configure this feature.

Recipient Address Verification is a setting that you can configure for each protected domain entry. When you enable recipient address verification, FortiMail verifies the recipient email address, after the RCPT TO command, for each inbound email before allowing the sender to start the DATA portion of the email. If the recipient is found to be invalid, FortiMail rejects the email. This method keeps all invalid email out of the FortiMail system, thus reserving the storage for valid email only.
There are two methods of performing recipient address verification: SMTP and LDAP. Using the LDAP server method requires you to configure an LDAP profile to define the LDAP server settings. Using the SMTP server method requires the backend server to support either the VRFY or the RCPT SMTP command. Typically, VRFY is disabled on most mail servers to prevent directory harvesting attacks.
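The SMTP verification method, shown as an added simulation (not FortiMail code) of both sides of the exchange: the gateway tries VRFY first, falls back to a throw-away RCPT TO probe when the backend has VRFY disabled, and rejects the sender at RCPT TO, before DATA, when the mailbox does not exist. The backend directory, the reply strings and the transcript format are constructed for this example.

```python
# Constructed backend directory for the protected domain internal.lab.
VALID_MAILBOXES = {"alice@internal.lab", "bob@internal.lab"}


class BackendMailServer:
    """Stand-in for the protected domain's mail server (constructed, not real)."""

    def __init__(self, vrfy_enabled=False):
        self.vrfy_enabled = vrfy_enabled   # most servers keep VRFY disabled

    def command(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return "252 Cannot VRFY user, but will accept message"
            return ("250 " + arg) if arg in VALID_MAILBOXES else "550 No such user"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip("<> ")
            return "250 OK" if rcpt in VALID_MAILBOXES else "550 No such user here"
        if verb == "RSET":
            return "250 OK"
        return "500 Command not recognized"


def verify_recipient(backend, rcpt, transcript):
    """Ask the backend whether rcpt exists. VRFY first; if the backend declines
    VRFY (252), probe with RCPT TO inside an envelope that is then reset."""
    def ask(cmd):
        reply = backend.command(cmd)
        transcript.append(("fortimail->backend", cmd))
        transcript.append(("backend->fortimail", reply))
        return reply

    reply = ask(f"VRFY {rcpt}")
    if reply.startswith("250"):
        return True
    if reply.startswith("550"):
        return False
    ask("MAIL FROM:<>")                    # null sender for the probe envelope
    exists = ask(f"RCPT TO:<{rcpt}>").startswith("250")
    ask("RSET")                            # abandon the probe; nothing is sent
    return exists


def inbound_rcpt(backend, mail_from, rcpt, verification_enabled=True):
    """Handle MAIL FROM / RCPT TO of one inbound session.
    Returns (accepted, transcript); accepted means the sender may go on to DATA."""
    transcript = [("sender->fortimail", f"MAIL FROM:<{mail_from}>"),
                  ("fortimail->sender", "250 OK"),
                  ("sender->fortimail", f"RCPT TO:<{rcpt}>")]
    if verification_enabled and not verify_recipient(backend, rcpt, transcript):
        # Rejected at RCPT TO: the message never reaches DATA or storage.
        transcript.append(("fortimail->sender", "550 No such recipient"))
        return False, transcript
    transcript.append(("fortimail->sender", "250 OK"))
    return True, transcript


if __name__ == "__main__":
    ok, lines = inbound_rcpt(BackendMailServer(), "ext@example.net", "nobody@internal.lab")
    for direction, line in lines:
        print(f"{direction:20} {line}")
    print("accepted:", ok)
```

With verification disabled the same invalid recipient is accepted, which is the path that fills storage with quarantine mailboxes for non-existent users.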

You can use an alternate method to clean up quarantine mailboxes for invalid accounts. The Automatic Removal of Invalid Quarantine function removes all invalid quarantine mailboxes after FortiMail has already accepted email and created accounts for invalid users.
Automatic removal of invalid quarantine mailboxes uses the same options as recipient address verification: SMTP or LDAP. By default, it is scheduled to execute at 4:00 am local time. You can change the scheduled time using the CLI.


The configuration steps you have learned so far establish basic inbound email flow using either gateway or server mode deployments. Transparent mode deployments require a few more configuration steps, which you will learn in another lesson.
Typically, the next step in the deployment task is to test and verify. In this section, you will learn how to verify your deployment, including the following:
• Verifying email flow using logs
• Managing FortiMail email queues when emails aren't flowing because of errors

The logs shown on the History tab provide an overview of what happened to an email. A successful email transmission is classified as Not Spam and shows Accept in the Disposition column. For more detail, click the Session ID link, which gathers and displays all log types generated by an email. You will learn more about log review in another lesson.

It might not always be possible to deliver email immediately. Delayed messages must be stored somewhere so that the MTA can attempt to resend them at a later time. The Mail Queue holds email that can't be sent immediately. This is usually because of temporary circumstances, such as a busy remote MTA or a temporary loss of DNS or network connectivity. To check the current status of the mail queue, click Monitor > Mail Queue.
If a message can't be delivered or returned to the sender, it's placed in the Dead Mail queue. Most often, messages end up in the Dead Mail queue because of permanent failures. Email moves from the Mail Queue to the Dead Mail queue after the MTA has exhausted the maximum retry period without resolution of the issues that caused the email to fail transmission in the first place.

When messages are placed in the Mail Queue, several timers are used to determine how the email is handled, and when to send delivery status notifications (DSNs).
• Set Maximum time for email in queue to define the maximum number of hours that delayed emails can remain in the queue
• Set Maximum time for DSN email in queue to define the maximum number of hours that an undeliverable DSN can remain in the queue
• Set Time before delay warning to define the number of hours that must expire before the email is considered delayed and a DSN is sent to the sender
• Set Time interval for retry to define how often the MTA attempts to re-deliver the message
• Set Dead mail retention period to define the number of days an email can stay in the Dead Mail queue
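How the queue timers above combine for one message, as an added simulation that is not FortiMail code. It tracks retries, the delay warning DSN, the move to Dead Mail and the retention purge; the "Maximum time for DSN email in queue" timer is not modelled, and the sample timer values are constructed, not FortiMail defaults.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QueueTimers:
    max_queue_hours: float        # Maximum time for email in queue
    delay_warning_hours: float    # Time before delay warning
    retry_interval_hours: float   # Time interval for retry
    dead_retention_days: float    # Dead mail retention period


def simulate_queued_message(timers, remote_accepts):
    """Timeline of one message queued at hour 0.

    remote_accepts(hours) -> True when the remote MTA accepts the message at
    that attempt, False for a temporary failure. Returns a chronological list
    of (hour, event) tuples.
    """
    events = [(0.0, "queued")]
    warned = False
    t = 0.0
    while t < timers.max_queue_hours:
        if not warned and t >= timers.delay_warning_hours:
            # The sender receives a delay DSN once the message has waited this long.
            events.append((timers.delay_warning_hours, "delay-warning-dsn-sent"))
            warned = True
        if remote_accepts(t):
            events.append((t, "delivered"))
            return events
        events.append((t, "temporary-failure"))
        t += timers.retry_interval_hours
    # Retry period exhausted: the message leaves the Mail Queue for Dead Mail,
    # where it is kept for the retention period and then removed.
    events.append((timers.max_queue_hours, "moved-to-dead-mail"))
    events.append((timers.max_queue_hours + timers.dead_retention_days * 24,
                   "removed-from-dead-mail"))
    return events


def count_events(events, name):
    return sum(1 for _, event in events if event == name)


# Constructed sample settings (not FortiMail defaults).
SAMPLE = QueueTimers(max_queue_hours=72, delay_warning_hours=4,
                     retry_interval_hours=1, dead_retention_days=7)

if __name__ == "__main__":
    # Remote MTA never recovers: 72 hourly attempts, then Dead Mail for 7 days.
    for hour, event in simulate_queued_message(SAMPLE, lambda t: False):
        if event != "temporary-failure":
            print(f"{hour:6.1f}h  {event}")
```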


In this lesson, you learned how to access and navigate the management GUI, the CLI, and webmail. You also looked at how to configure system settings, administrators, administrative options, and protected domains. You also learned how to manage users and user preferences, as well as verify email flow, and manage the mail queue.
All of these configuration tasks should help you establish basic inbound email flow to a FortiMail deployed in gateway or server mode. There are more configuration tasks required to establish outbound email flow, as well as to implement antispam, antivirus, and content filtering. You will explore these tasks in other lessons.

Thank you!

Access Control and Policies
In this lesson, we'll show how to configure access control rules and policies on your FortiMail.

These are the topics that will be covered in this lesson. You will learn how FortiMail controls access for SMTP sessions, and explore FortiMail's policies.

In this section, you will learn about the two different types of access control rules and how you can use them to control sessions generated from, and destined for, FortiMail.

Access receive rules determine whether an email is allowed to use FortiMail's services. These rules can be thought of as a type of SMTP access control list (ACL) that allows or denies SMTP sessions.
If an SMTP session doesn't match any rule, or if there are no rules defined, and the sender is unauthenticated, the default behavior of FortiMail is based on the RCPT TO: field of the envelope.
• If an email is destined to a protected domain, FortiMail relays it
• If an email is not destined to a protected domain, FortiMail rejects it
The default behavior prevents FortiMail from acting as an open relay, which is also the reason you must explicitly define an access receive rule so that FortiMail can act as an outbound MTA and relay outbound email. Later in this lesson, you will look at an example configuration.

The selection criteria used in access receive rules provide control based on the sender IP from the IP header, and recipient email addresses from the SMTP envelope. Access receive rules are applied before any message header inspection.

To define an access receive rule, do the following:
1. Click Policy > Access Control.
2. Click the Receiving tab.
3. Click New.
When creating rules, be as specific as possible. The rule shown in this example uses the following settings:
Sender pattern: *@internal.lab
Recipient pattern: *
Sender IP/netmask: 192.167.1.251/32
Action: Relay
By using these settings, the example rule allows all email to any recipient, as long as the sender domain is internal.lab and the source is the 192.167.1.251 host.

There are five possible choices for the action associated with an access receive rule:
• Safe: Deliver only if the recipient belongs to a protected domain, or the sender has authenticated. Antispam profiles are skipped, but greylisting, antivirus, and content filters are still applied
• Safe & Relay: Deliver regardless of recipient or sender status and skip antispam profiles. Greylisting and other scans are still performed
• Relay: Deliver and perform all scans except greylisting
• Reject: Stop processing and respond to the sender with SMTP reply code 550 Relaying Denied
• Discard: Stop processing and silently drop the email message
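A model of the access receive rule evaluation described in this section and of the default relay decision from the protected-domain section, as an added example that is not FortiMail code. It uses the guide's own example rule (*@internal.lab from 192.167.1.251/32, action Relay); the protected-domain list is constructed, first-match rule order and refusing a Safe match for an unauthenticated outbound recipient are this model's assumptions, and the reply for Discard is left unspecified because the guide does not give one.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

PROTECTED_DOMAINS = {"internal.lab"}        # constructed sample protected domains
RELAY_DENIED = "550 Relaying Denied"        # reply named in the guide for Reject


@dataclass(frozen=True)
class AccessReceiveRule:
    sender_pattern: str      # wildcard pattern on the envelope sender, e.g. "*@internal.lab"
    recipient_pattern: str   # wildcard pattern on the envelope recipient
    sender_ip: str           # connecting host or subnet, "address/prefix"
    action: str              # Safe, Safe & Relay, Relay, Reject, or Discard


# The guide's example rule: relay to any recipient when the sender domain is
# internal.lab and the connection comes from the single host 192.167.1.251.
RULES = [
    AccessReceiveRule("*@internal.lab", "*", "192.167.1.251/32", "Relay"),
]


def _domain(address):
    return address.rpartition("@")[2].lower()


def _matches(rule, mail_from, rcpt_to, client_ip):
    return (fnmatch.fnmatchcase(mail_from.lower(), rule.sender_pattern.lower())
            and fnmatch.fnmatchcase(rcpt_to.lower(), rule.recipient_pattern.lower())
            and ipaddress.ip_address(client_ip)
            in ipaddress.ip_network(rule.sender_ip, strict=False))


def decide(mail_from, rcpt_to, client_ip, authenticated=False, rules=RULES):
    """Return (action, smtp_reply) for one RCPT TO of an SMTP session."""
    inbound = _domain(rcpt_to) in PROTECTED_DOMAINS
    for rule in rules:                           # assumption: first matching rule wins
        if not _matches(rule, mail_from, rcpt_to, client_ip):
            continue
        if rule.action == "Reject":
            return ("Reject", RELAY_DENIED)
        if rule.action == "Safe" and not (inbound or authenticated):
            # Safe delivers only to protected domains or for authenticated
            # senders; refusing otherwise is this model's assumption.
            return ("Reject", RELAY_DENIED)
        if rule.action == "Discard":
            return ("Discard", None)             # dropped silently; reply not given in the guide
        return (rule.action, "250 OK")
    # No rule matched: decision keyed on RCPT TO so FortiMail is never an open relay.
    if inbound or authenticated:
        return ("Relay", "250 OK")
    return ("Reject", RELAY_DENIED)


if __name__ == "__main__":
    print(decide("bob@internal.lab", "alice@example.com", "192.167.1.251"))   # matches the rule
    print(decide("bob@internal.lab", "alice@example.com", "192.167.1.250"))   # wrong host: default applies
    print(decide("anyone@example.net", "alice@internal.lab", "203.0.113.9"))  # inbound: relayed by default
```

The second call shows why the /32 mask matters: the same sender pattern from a neighbouring host falls through to the default and is refused as outbound relay.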

The counterpart to access receive rules is access delivery rules. Access delivery rules provide control over connections that originate from FortiMail. You can create access delivery rules to match sender and recipient patterns, as well as the destination IP address or subnet.
Access delivery rules allow you to enforce TLS for the SMTP sessions. They also allow you to apply secure MIME (S/MIME) or identity based encryption (IBE) to specific sessions. Access delivery rules aren't required to establish email flow.


In this section, you will view example configurations that establish outbound MTA functionality for all three deployment modes and learn how to configure an external relay host for outbound emails.

Create access receive rules for gateway and transparent mode deployments if you intend to scan outbound emails using FortiMail.
In gateway mode deployments, you must make configuration changes on the backend mail server. These changes ensure that all outbound email from the mail server is sent to FortiMail, instead of being routed to the Internet using the mail server's own MTA functionalities.
When you create the rules, use specific matching criteria. For example, when you specify a single Sender IP/netmask for the backend mail server, use a /32 mask.

For server mode deployments, the access receive rule is very similar to the gateway and transparent mode example. However, in the Sender IP/netmask field you will most likely enter an actual subnet, instead of a host address, because end users will be connecting directly to FortiMail to send email. Doing this, while convenient, is not very secure. A misconfigured printer or scanner on that subnet could potentially send out documents to unintended recipients because of a wide subnet rule. This is one of the reasons why you should enforce authentication when you create server mode access receive rules. Authentication is also required for users to send emails via SMTP.
Authentication on FortiMail is covered more in depth in another lesson.

In certain deployments, it might be necessary to send all outbound emails to an external relay server instead of using the built-in MTA of the FortiMail. For these deployments you can configure an external relay server to deliver emails. When this feature is enabled, FortiMail does not perform any DNS MX queries of its own and delivers all outbound email to the relay host.
Configuring a relay host does not negate the need for access receive rules for outbound emails. For proper outbound email flow you must configure both.


