
FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42

Description: FortiMail_Student_Guide-online


DO NOT REPRINT  Access Control and Policies© FORTINETIn this section, you will learn how policies on FortiMail identify email flow and apply inspection profiles to thatflow.FortiMail Student Guide 251

DO NOT REPRINT  Access Control and Policies© FORTINETThere are two types of policies:• IP-based policies• Recipient-based policiesMuch like firewall rules, policies are evaluated in a top-down order. Once an email flow matches a policy, anyremaining policies in the list are skipped. FortiMail maintains a single global list of IP-based policies butmaintains domain-specific lists for recipient-based policies if there are multiple protected domains.FortiMail Student Guide 252

DO NOT REPRINT  Access Control and Policies© FORTINETPolicies reference profiles. Profiles define which inspections and actions are performed on an email.Different types of profiles govern different types of inspections. Profile types include session, antispam,antivirus, and so on. Specific processing activities are enabled and configured in profiles. Each inspectionprofile, other than the session profile, has corresponding action profiles that define the action that is taken onan email as a result of the scan. Possible actions include reject, discard, personal quarantine, systemquarantine, and so on.FortiMail policies and profiles give you the flexibility to treat each email differently by allowing you to buildFortiMail configurations with multiple policies, each having unique selection criteria and calling differentprofiles.FortiMail Student Guide 253

DO NOT REPRINT  Access Control and Policies© FORTINETIP-based policies use source and destination IP information as selection criteria. This is useful in situationswhere it’s preferable to distinguish email traffic using IP information, such as when FortiMail is placedbetween the Internet and a large, multi-tenant email server farm.Session profiles are only available through IP policies and perform actions that are applied to informationgathered early in the SMTP connection process. This action can detect malicious activities even beforeFortiMail processes the SMTP header. Session profile scans eliminate the need to conduct more resource-intensive scans.FortiMail Student Guide 254

DO NOT REPRINT  Access Control and Policies© FORTINETDeciding which policy type to implement doesn’t necessarily mean choosing one type over the other. It’s notuncommon for both IP-based and recipient-based policy types to be used concurrently. Having both policytypes available to use provides flexibility, especially when deployments increase and become very large.As mentioned earlier, the two policy types have different capabilities. The most significant differences are thatsession profiles can only be applied from IP-based policies, and IP-based policy action profiles don’t supportthe user quarantine option.Specific deployment types use strict IP-based filtering: large mail hosting services and ISPs. Thesedeployment types usually require that email be inspected for a high number of domains. On such a largescale, it isn’t feasible to maintain a complete list of protected domains, and configure recipient-based policiesfor each domain. That’s why large-scale deployments usually opt for a strict IP-based filtering setup.FortiMail Student Guide 255

DO NOT REPRINT  Access Control and Policies© FORTINETThe exclusive flag forces FortiMail to apply only profiles from the matching IP-based policy in the event thatthere is also a matching recipient-based policy.FortiMail Student Guide 256

DO NOT REPRINT  Access Control and Policies© FORTINETRecipient-based policies use the sender and recipient information from the email message to match the policyand apply inspection profiles to the email flow. When you use recipient-based policies, you also have theoption to configure profiles to support authentication for SMTP, POP3, IMAP, and webmail access. FortiMailmaintains separate lists for inbound and outbound recipient-based policies.FortiMail Student Guide 257

DO NOT REPRINT  Access Control and Policies© FORTINETIf you configure inspection profiles using recipient-based policies, you should have at least one IP-basedpolicy in place to apply a session profile to all SMTP sessions. Recipient-based policies allow more granularitywhen applying inspection to specific email flows.FortiMail Student Guide 258

DO NOT REPRINT  Access Control and Policies© FORTINETIf you use a configuration that employs strict IP policy-based filtering, or if you set the IP policy exclusive flag,then the FortiMail applies only the inspection profiles from the matching IP policy. No other policy or profilesneed to be evaluated. However, if you don’t set the exclusive flag, or there are matching recipient-basedpolicies, then the behavior changes:• FortiMail applies the session profile from the matching IP-based policy• FortMail applies the rest of the profiles, such as antispam, antivirus, content filter, DLP, from the matchingrecipient-based policyFortiMail Student Guide 259

DO NOT REPRINT  Access Control and Policies© FORTINETFortiMail Student Guide 260

DO NOT REPRINT  Access Control and Policies© FORTINETIn this section, you will learn about rule and policy IDs. An email can be processed by an access control rule,an IP-based policy, and, sometimes, a recipient-based policy. The rule or policy ID provides a way to trackwhich policies allowed and inspected a particular email.FortiMail Student Guide 261

DO NOT REPRINT  Access Control and Policies© FORTINETAccess control rules are assigned an ID by the system at the time the rule is created. The ID number doesn’tchange as rules move higher or lower in the sequence. The default behavior–for example, allow all inboundemails destined for a protected domain, or allow authenticated outbound email–is considered ID 0 by thesystem.FortiMail Student Guide 262

DO NOT REPRINT  Access Control and Policies© FORTINETIP-based policy IDs are globally relevant, since FortiMail maintains only a single list of IP policies for thewhole system. Recipient-based policy IDs, however, are relevant only for specific protected domains. That iswhy you can have multiple policies with ID 1. Recipient-based policies can be re-ordered only after selectingthe relevant domain in the Domain drop-down list.FortiMail Student Guide 263

DO NOT REPRINT  Access Control and Policies© FORTINETThe policy IDs for each email are recorded in the history logs in the format of X:Y:Z, where X:Y:Z representthe following:• X is the ID of the access control rule• Y is the ID of the IP-based policy• Z is the ID of the recipient-based policyIf the value in the access control rule field for incoming email is 0, it means that FortiMail is applying its defaultrule for handling inbound emails. If the value of x,y,z is 0 in any other case, it means that no policy or rulecould be matched.FortiMail Student Guide 264

DO NOT REPRINT  Access Control and Policies© FORTINETFortiMail Student Guide 265

DO NOT REPRINT  Access Control and Policies© FORTINETIn this lesson, you learned how to control SMTP sessions from other MTAs and user clients using accesscontrol rules. You reviewed the details of an example configuration in which access receive rules allowedoutbound email for all three deployment modes, and how to configure an external relay host for outboundemails.. You also explored how FortiMail uses IP-based policies and recipient-based policies to applyinspection profiles, and process email accordingly. Finally, you reviewed how to examine rule and policy IDsusing the history logs.FortiMail Student Guide 266

DO NOT REPRINT  Access Control and Policies© FORTINETThank you!FortiMail Student Guide 267

DO NOT REPRINT  Authentication© FORTINETIn this lesson, we’ll show how to configure and enforce authentication on the FortiMailFortiMail Student Guide 268

DO NOT REPRINT  Authentication© FORTINETThese are the topics that will be covered in this lesson. You will learn how to configure and enforceauthentication on the FortiMail. You will also learn how to configure LDAP and use it for features such asrecipient verification, user authentication, alias mapping etc.FortiMail Student Guide 269

DO NOT REPRINT  Authentication© FORTINETIn this section, you will learn how to configure FortiMail to support and enforce authentication for SMTP,POP3, IMAP, and webmail. You will also learn how to enable remote authentication for administrativeaccounts.FortiMail Student Guide 270

DO NOT REPRINT  Authentication© FORTINETIn transparent and gateway modes, FortiMail acts as an authentication proxy. User credentials are not storedon FortiMail, so you must tell FortiMail explicitly where to find this information using authentication profiles.When a user needs to authenticate, FortiMail prompts the user for their ID and password, which is then sentto the backend authentication server. The user is granted or denied access based on the response from theauthentication server.In server mode, however, FortiMail acts as the authentication server. Users authenticate directly against alocal database of users and passwords using SMTP, POP3, IMAP, HTTP, or HTTPS.FortiMail Student Guide 271

DO NOT REPRINT  Authentication© FORTINETOn FortiMail, you can use authentication profiles to define the server details and protocol options that supportauthentication. FortiMail supports SMTP, POP3, IMAP, and RADIUS server integration.All deployment modes can also use LDAP profiles for LDAP server integration. LDAP profiles provide moreadvanced functionality, such as alias and group lookup, which cannot be achieved using authenticationprofiles. You will learn more about LDAP profiles later in this lesson.FortiMail Student Guide 272

DO NOT REPRINT  Authentication© FORTINETFortiMail supports the RADIUS access-challenge message to allow for two-factor authentication.RADIUS authentication profiles can also be used to define the administrator account’s domain, and accessprofiles dynamically using vendor specific attributes.FortiMail Student Guide 273

DO NOT REPRINT  Authentication© FORTINETThere are two methods of enabling authentication:• You can use IP-based policies to enable SMTP authentication• Inbound recipient-based policies offer more flexibility because you can use them to enable authentication for SMTP, POP3, IMAP, and webmail access.You do not need to explicitly enable user authentication in Server mode deployments as it is enabled bydefault.While policies enable authentication, they don’t enforce it. You can enforce authentication using accessreceive rules.You can configure administrator accounts individually using RADIUS, PKI, and LDAP authentication profiles,or configure wildcard authentication if using RADIUS or LDAP.FortiMail Student Guide 274

DO NOT REPRINT  Authentication© FORTINETSource and destination IP information trigger IP-based policies. IP policies support only SMTP authentication.You can’t use IP-based policies to allow POP3, IMAP, or webmail access.FortiMail Student Guide 275

DO NOT REPRINT  Authentication© FORTINETIncoming recipient-based policies offer more flexibility. You can use recipient-based policy authentication toallow SMTP, POP3, and webmail access.FortiMail Student Guide 276

DO NOT REPRINT  Authentication© FORTINETAs mentioned earlier, policies enable, but don’t enforce, authentication. To enforce SMTP authentication, youmust create appropriate access control receive rules. For gateway mode deployments, access control receiverules could apply to individual hosts, such as auto-mailers, that use FortiMail as a mail relay. However, forserver mode deployments, you should enable access control receive rules for the entire user base to ensurethat FortiMail isn’t being used by unauthorized users to relay potential spam.FortiMail Student Guide 277

DO NOT REPRINT  Authentication© FORTINETFortiMail Student Guide 278

DO NOT REPRINT  Authentication© FORTINETIn this section, you will learn how you can use LDAP profiles on FortiMail for more than just userauthentication. You can use LDAP profiles for user, alias, and group query, as well domain lookups and mailrouting.FortiMail Student Guide 279

DO NOT REPRINT  Authentication© FORTINETIf your organization has an LDAP server, you should integrate it with FortiMail to reduce configurationoverhead for FortiMail features, such as user alias and group lookups.In this lesson, you will learn about the most commonly-used features of the LDAP profile, including thefollowing:• User Query• Group Query• User Authentication• User AliasFortiMail Student Guide 280

DO NOT REPRINT  Authentication© FORTINETBefore you can start using the LDAP profile, you must configure at least one server name/IP and the DefaultBind Options.The Base DN field defines the distinguished name of the point in the LDAP tree where the FortiMail startssearching for users. This could be the root of the tree or an organizational unit.The Bind DN and Bind Password fields define the distinguished name and password of a user account withthe necessary privileges to perform LDAP queries and search the directory. This account is also referred to asa bind accountThe Default Bind Options rely solely on the backend LDAP server vendor and schema. The example on thisslide is based on a Windows Active Directory LDAP server. To validate your settings, click [Browse…]. Ifyour configuration is correct, FortiMail fetches the contents of the base DN.FortiMail Student Guide 281

DO NOT REPRINT  Authentication© FORTINETThis slide shows an example of the output that appears after you click [Browse…]. FortiMail fetches all theobjects in the base DN. To view more details, you can click individual objects.FortiMail Student Guide 282

DO NOT REPRINT  Authentication© FORTINETUse the User Query Options to specify a query string, which will return a user based on their email address.The query string syntax differs based on the backend LDAP server schema. FortiMail has predefined stringsfor Active Directory, Lotus Domino, and OpenLDAP. You can also define your own query string to work withany custom LDAP implementation, as long as you define the query to search for users based on their emailaddress.This user query function is used by Recipient Address Verification and Automatic Removal of InvalidQuarantine Accounts for protected domains.FortiMail Student Guide 283

DO NOT REPRINT  Authentication© FORTINETBy default, User Authentication Options is enabled in all LDAP profiles.After you configure the Default Bind Options and User Query Options, you can use the LDAP profile forrecipient address verification, automatic removal of invalid quarantine accounts, user authentication usingpolicies, and administrator authentication.FortiMail Student Guide 284

DO NOT REPRINT  Authentication© FORTINETThe Group Query Options section allows you to configure the necessary settings to use user groupmembership queries. Many FortiMail features can use group queries to create a highly customizedconfiguration. The settings you must use depend solely on the backend LDAP server schema. For example,memberOf as the Group membership attribute and CN as the Group name attribute are only relevant forWindows Active Directory.The Use group name with base DN as group DN option allows you to use the group name instead of the fullydistinguished name for any FortiMail feature that uses group queries. To make configuration easier, select Use groupname with base DN as group DN and enter the Group base DN. You will see an example of this on a later slide.To validate your settings, click the [Test…] button. In the LDAP Query Test pop-up window, enter a user’semail address and the group name and click Test. If your configuration is correct, the results show whetherthe user is a member of the group or not.FortiMail Student Guide 285

DO NOT REPRINT  Authentication© FORTINETThis slide shows an example of using an LDAP group query to craft inbound recipient-based policies. You cancustomize inspection profiles based on user group membership. The example also shows the configurationrequirement with and without the Use group name with base DN as group DN option enabled.FortiMail Student Guide 286

DO NOT REPRINT  Authentication© FORTINETThe User Alias option converts email aliases into a user’s real email address. Use this option to consolidateobjects in FortiMail that are stored using an email address as the identifier. For example, if a user has fivealiases in addition to a primary email address, FortiMail can use this feature to maintain a single userquarantine instead of six separate quarantines and quarantine reports.FortiMail Student Guide 287

DO NOT REPRINT  Authentication© FORTINETTo use the user alias feature, select a predefined Schema or customize one to fit any LDAP server.The default Active Directory schema’s Alias member query is set up to perform alias expansion based ongroups. To perform an alias expansion, you must change the query to search for proxyAddresses.To validate your settings, click [Test…], and then enter a proxyAddress. If the configuration is correct,FortiMail retrieves the corresponding mail attribute.FortiMail Student Guide 288

DO NOT REPRINT  Authentication© FORTINETYou can enable user alias mapping on the protected domain configuration screen. Expand AdvancedSettings. In the LDAP user alias/address mapping profile drop-down list, select the appropriate LDAPprofile.FortiMail Student Guide 289

DO NOT REPRINT  Authentication© FORTINETClick [Test LDAP Query…] to validate various sections of the LDAP Configuration, including the following:• User query• User authentication• Group lookup• Alias expansionFortiMail Student Guide 290

DO NOT REPRINT  Authentication© FORTINETIf an SMTP authentication attempt is unsuccessful, the system creates an entry in the History logs andassigns it an SMTP Auth Failure Classifier. You can use these log entries to troubleshoot and expose brute-force authentication attacks.FortiMail Student Guide 291

DO NOT REPRINT  Authentication© FORTINETFortiMail Student Guide 292

DO NOT REPRINT  Authentication© FORTINETIn this lesson, you learned FortiMail’s role in authenticating users, based on deployment mode. You alsolearned how you can use various authentication profiles to define sources for user credentials, and how youcan use access control rules and IP- or recipient-based policies to enable and enforce authentication.Additionally, you explored how to enable remote authentication for administrative accounts, and how to use anLDAP server to do user, group, and alias query, as well as perform user authentication.FortiMail Student Guide 293

DO NOT REPRINT  Authentication© FORTINETThank you!FortiMail Student Guide 294

DO NOT REPRINT  Session Management© FORTINETIn this lesson we’ll show the FortiMail session management related features.FortiMail Student Guide 295

DO NOT REPRINT  Session Management© FORTINETThese are the topics that will be covered in this lesson. You will learn about the options you can configure onFortiMail to inspect and filter SMTP sessions based on rate, volume, spam characteristics, and so on.FortiMail Student Guide 296

DO NOT REPRINT  Session Management© FORTINETSession profiles inspect properties of SMTP connections at the lowest layers—from the IP session to theSMTP envelope. In this section, you will learn about the options you can configure for the session profile.FortiMail Student Guide 297

DO NOT REPRINT  Session Management© FORTINETThe overall purpose of session profile inspections is to detect suspicious activities as soon as possible. Thisallows FortiMail to take action early and eliminates the need to perform some, or all, of the more resource-intensive scans that would be required after the entire email message arrives.FortiMail Student Guide 298

DO NOT REPRINT  Session Management© FORTINETSession profiles are unique because they can be referenced only by IP policies. You should create separateIP policies for outbound and inbound email regardless of the deployment mode.This type of setup for IP policies and session profiles allows you to disable specific session profile features foryour internal assets, such as sender reputation, while still enforcing those features for all inbound email.FortiMail Student Guide 299

DO NOT REPRINT  Session Management© FORTINETThe settings in the Connection Settings section allow you to set limits on the number of connections,messages, recipients, and concurrent connections for each client. Since each connection consumesresources, you can use limits to prevent a single MTA from exhausting FortiMail services.If FortiMail is operating in transparent mode, two additional options appear in the GUI that govern FortiMail’slow-level connection behaviors. You will learn about transparent mode in another lesson.FortiMail Student Guide 300

