
FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42

Description: FortiMail_Student_Guide-online


DO NOT REPRINT  Session Management© FORTINET
As FortiMail processes and scans email messages, it maintains a sender reputation score for the IP address of each external MTA that opens an inbound SMTP connection. This score is calculated as the percentage of email from this sender that is spam, contains a virus, or has invalid recipients or senders, during a 12-hour period. The higher the score, the worse the sender’s reputation. You can use the sender reputation score in the session profile to set score thresholds for FortiMail to throttle the client, issue a temporary fail message, or reject the client at this early stage. FortiMail can also check the reputation of the sender IP against the FortiGuard blocklist database.
FortiMail Student Guide 301
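The scoring rule above, as an added Python example (not FortiMail's code): a per-IP 12-hour sliding window, the score as the percentage of bad messages in it, and the three session-profile actions. The thresholds, IP addresses and timestamps are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)                      # the guide's 12-hour scoring period
BAD_OUTCOMES = {"spam", "virus", "invalid_recipient", "invalid_sender"}


class SenderReputation:
    """Score each external MTA IP the way the guide describes: the percentage
    of its messages in the last 12 hours that were spam, carried a virus, or
    had an invalid sender or recipient. Higher is worse."""

    def __init__(self):
        # ip -> deque of (timestamp, outcome), oldest first
        self._events = defaultdict(deque)

    def record(self, ip, when, outcome):
        """Log the outcome of one message from this IP ('clean' or one of BAD_OUTCOMES)."""
        queue = self._events[ip]
        queue.append((when, outcome))
        self._expire(queue, when)

    def score(self, ip, now):
        """Percentage of bad messages inside the window that ends at `now`."""
        queue = self._events.get(ip)
        if not queue:
            return 0.0
        self._expire(queue, now)
        if not queue:
            return 0.0
        bad = sum(1 for _, outcome in queue if outcome in BAD_OUTCOMES)
        return 100.0 * bad / len(queue)

    @staticmethod
    def _expire(queue, now):
        # Drop events that have aged out of the 12-hour window.
        while queue and queue[0][0] < now - WINDOW:
            queue.popleft()


def session_action(score, throttle_at=30.0, tempfail_at=60.0, reject_at=90.0):
    """Map a score to the actions a session profile can take on the client.
    The threshold values are constructed for this example; the guide does
    not give FortiMail's defaults."""
    if score >= reject_at:
        return "reject"
    if score >= tempfail_at:
        return "tempfail"
    if score >= throttle_at:
        return "throttle"
    return "accept"


def demo():
    """Constructed scenario: 7 spam and 3 clean messages from one IP in ten minutes."""
    rep = SenderReputation()
    t0 = datetime(2017, 4, 14, 8, 0)
    for i, outcome in enumerate(["spam"] * 7 + ["clean"] * 3):
        rep.record("198.51.100.7", t0 + timedelta(minutes=i), outcome)
    now = t0 + timedelta(minutes=10)
    current = rep.score("198.51.100.7", now)
    return {
        "score": current,
        "action": session_action(current),
        "score_after_window": rep.score("198.51.100.7", t0 + timedelta(hours=13)),
        "unknown_ip": rep.score("203.0.113.5", now),
    }
```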

To view the current sender reputation values, click Monitor > Sender Reputation. By default, the view shows the scores sorted in descending order with the worst reputation at the top. You can use this view to identify the worst offenders and troubleshoot the possible causes of delayed or rejected messages.
Any changes that you make to the sender reputation configuration take some time to manifest because of the scoring system. To force changes to take effect immediately, use the following CLI command to clear the sender reputation database:
# execute db reset sender-reputation

Because the IP addresses of mobile devices can change frequently, you can use endpoint reputation to track the reputation scores of the devices. Endpoint reputation works like sender reputation, but uses the unique MSISDN number associated with a device’s SIM card to identify mobile devices that could be compromised and are sending spam or infected messages.
The endpoint reputation feature is mainly used by carriers to block messages sent by compromised mobile devices. By blocking messages, carriers protect the Internet reputation of their own IP address space. You must integrate FortiMail with a backend authentication RADIUS server in order to map IP addresses to their corresponding MSISDN values.

A common sender validation technique is to use sender policy framework (SPF). Using SPF, a domain owner publishes specially formatted DNS text (TXT) records. The records list the domain’s authorized MTAs. Its security relies on the fact that only authorized domain administrators are allowed to make changes to the domain’s DNS records.
If you enable SPF verification in the session profile, FortiMail performs a DNS TXT record lookup for the sending domain of any email session. If an SPF entry exists, FortiMail compares the addresses in the record with the address of the sending MTA. The sender reputation score decreases for authorized clients, and increases for unauthorized clients.
While SPF is not universally adopted, it is still an effective way to validate sender IP addresses. Enabling the SPF check in the session profile for all email won’t be detrimental because if FortiMail doesn’t receive any responses for the DNS TXT record lookup, it skips the SPF check and continues processing the email.
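The SPF evaluation described above, as an added Python example (not FortiMail's implementation): the TXT lookup, the comparison of the sending MTA's address against ip4/ip6/include/all terms, the "no record, skip the check" path, and the direction of the reputation change. The zone data and addresses are constructed; the a, mx, ptr and exists mechanisms are left out.

```python
import ipaddress

# Constructed zone data standing in for the DNS TXT lookup FortiMail performs
# for the sending domain. Addresses come from the documentation ranges.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all"],
    "_spf.mail.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nospf.example": ["constructed unrelated TXT record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=DNS_TXT):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for record in dns.get(domain, []):
        if record.lower().startswith("v=spf1"):
            return record
    return None


def spf_check(sender_domain, client_ip, dns=DNS_TXT, depth=0):
    """Evaluate the sending MTA's address against the domain's SPF record.
    Returns pass/fail/softfail/neutral, or 'none' when no record exists,
    which is the case in which FortiMail skips the check and continues."""
    if depth > 10:                       # guard against include: loops
        return "permerror"
    record = lookup_spf(sender_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            if spf_check(argument, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr and exists mechanisms are not implemented in this example.
    return "neutral"                     # record ended without a match


def reputation_effect(result):
    """Direction the guide gives for the sender reputation score: down for an
    authorized client, up for an unauthorized one; other results leave it alone."""
    if result == "pass":
        return "decrease"
    if result == "fail":
        return "increase"
    return "unchanged"
```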

DKIM (DomainKeys Identified Mail) differs from SPF in that rather than simply validating that the sending server is authorized to send mail for the domain, it also validates that the mail content has not changed since being sent by the server. DKIM uses a public/private key signing process: the sending server holds the private key and the matching public key is published in DNS. With DKIM, the following steps are added to the email process:
• Sending servers use their DKIM private key to generate a signature, and insert that signature into the email header (DKIM-Signature).
• Email recipients query the sending domain’s DNS TXT record for the DKIM public key, which is then used to validate the DKIM-Signature attached to the email.
If you enable FortiMail to perform DKIM validation, FortiMail queries DNS for the public key as a DNS TXT record lookup. DKIM validation requires more processing overhead than SPF validation.

To configure DKIM signing for outgoing messages, you must first generate a public and private key pair for the domain by clicking Mail Settings > Domains. DKIM signatures are domain specific. FortiMail generates and stores the private key and uses it to generate the DKIM signature. After the key is created and activated, you must download the public key and publish it to your external DNS server. Then, in a session profile, select the Enable DKIM signing for outgoing messages check box to start affixing the DKIM signature to all outbound email headers.

The Session Settings section contains the settings that you use to inspect and control many aspects of the SMTP protocol.
Most legitimate MTA implementations are based on mature codebases and are compliant with standards. The chance of SMTP protocol errors occurring is almost zero. Spammers, on the other hand, are known to use homegrown scripts and code that often exhibit protocol errors. You can use strict syntax and invalid character checking to identify suspicious behavior and reject sessions that show abnormalities. You can also have FortiMail acknowledge end-of-message or, if using transparent mode, switch to splice mode, to prevent the session from timing out because of antispam inspections.
FortiMail instances operating in transparent mode have additional options that you can use to manipulate the SMTP session. These options include the ability to rewrite the EHLO or HELO greeting strings and prevent session encryption negotiations so that the message is sent in the clear. This enables FortiMail to scan the contents of email messages that would otherwise be encrypted.

Unauthenticated Session Settings are used to control sessions that are not authenticated using SMTP AUTH. These settings enable you to enforce stricter checks. When the domain checks are being used, the domain claimed by the EHLO or HELO, sender domain (MAIL FROM:), and recipient domain (RCPT TO:) must be resolvable in DNS for either an A or an MX record type. If the domain can’t be resolved, the SMTP command is rejected with an appropriate error code.

Using the SMTP Limits settings, you can set limits on SMTP sessions to restrict common spamming techniques. The default settings work well, but you can adjust them if necessary.
Noteworthy settings include the restrictions on the number of SMTP greetings (EHLO or HELO), NOOPs, and RSETs. Legitimate connections typically require only a few of these commands in a given session, and spammers may try to abuse them. Closing the sessions when these limits are reached forces spammers to reconnect if they want to continue; however, they are just as likely to abandon the attack and move on to their next target.
The Cap message size (KB) at option is commonly used to control email size. You will learn more about this later in the lesson.

Usually, correctly configured SMTP servers don’t generate errors. So, SMTP protocol errors can indicate server misuse. FortiMail can penalize misbehaving clients, including disconnecting them, if they exceed the maximum number of errors.
The first limit you can set is the number of free SMTP errors that is tolerated before delays are imposed on the client. Once that value is reached, the client is delayed for the number of seconds specified in the Delay for the first non-free error field. During this time, FortiMail won’t accept any SMTP commands from the remote MTA in the session. Any subsequent errors result in additional incremental delays, as specified in the Delay increment for subsequent errors field. After the number of errors exceeds the value in the Maximum number of errors allowed for each connection field, FortiMail drops the connection.
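The SMTP Limits counters from the previous page and the error-penalty schedule above, as one added Python example (not FortiMail's code): a session tracker that closes the connection when the EHLO/HELO, NOOP or RSET limit is exceeded, and computes the free-error allowance, first delay, per-error increment and final drop. All limit values are constructed, not FortiMail defaults.

```python
from dataclasses import dataclass, field


@dataclass
class SessionLimits:
    """Knobs from the SMTP Limits and error-penalty settings of a session
    profile. The numbers are constructed for this example."""
    max_greetings: int = 3     # EHLO/HELO per session
    max_noop: int = 5
    max_rset: int = 5
    free_errors: int = 3       # errors tolerated before any delay
    first_delay: int = 5       # seconds: "Delay for the first non-free error"
    delay_increment: int = 5   # seconds: "Delay increment for subsequent errors"
    max_errors: int = 8        # "Maximum number of errors allowed for each connection"


COUNTED = {"EHLO": "greeting", "HELO": "greeting", "NOOP": "noop", "RSET": "rset"}


@dataclass
class SmtpSession:
    limits: SessionLimits = field(default_factory=SessionLimits)
    counts: dict = field(default_factory=lambda: {"greeting": 0, "noop": 0, "rset": 0})
    errors: int = 0
    open: bool = True

    def command(self, verb):
        """Count EHLO/HELO, NOOP and RSET; close the session once a limit is exceeded."""
        if not self.open:
            return "closed"
        key = COUNTED.get(verb.upper())
        if key is None:
            return "accepted"            # other verbs are not rate-limited here
        self.counts[key] += 1
        limit = {"greeting": self.limits.max_greetings,
                 "noop": self.limits.max_noop,
                 "rset": self.limits.max_rset}[key]
        if self.counts[key] > limit:
            self.open = False
            return "closed"
        return "accepted"

    def protocol_error(self):
        """Register one SMTP protocol error. Returns the delay in seconds the
        client is held for, or None when the connection is dropped."""
        if not self.open:
            return None
        self.errors += 1
        if self.errors > self.limits.max_errors:
            self.open = False
            return None
        non_free = self.errors - self.limits.free_errors
        if non_free <= 0:
            return 0                     # still within the free allowance
        return self.limits.first_delay + (non_free - 1) * self.limits.delay_increment


def delay_schedule(n_errors, limits=None):
    """Delay imposed for each of n consecutive errors on a fresh session."""
    session = SmtpSession(limits=limits or SessionLimits())
    return [session.protocol_error() for _ in range(n_errors)]
```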

As an email message travels from MTA to MTA, each MTA adds a new Received: header entry to the email. This not only increases the size of the header, but might also reveal details about your internal network that you want to keep private. You can use the session profile’s header manipulation settings to remove these Received: headers, typically on all outbound emails.
Be careful not to violate SMTP standards when deleting specific headers because there may be unintended consequences if other mail processing devices require or verify these headers.
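Header removal with the caveat above built in, as an added Python example (not FortiMail's header manipulation code): every Received: hop is stripped from a constructed outbound message, while the fields RFC 5322 requires are refused and the DKIM-Signature a downstream verifier would check is left untouched. The message, hostnames and addresses are constructed.

```python
from email import message_from_string
from email.policy import default as default_policy

# RFC 5322 origination fields that a header manipulation rule must never remove.
REQUIRED_HEADERS = {"from", "date"}

# Constructed outbound message with two internal hops recorded in Received: headers.
SAMPLE = """Received: from mta-internal.corp.example (10.20.30.40) by edge.corp.example; Fri, 14 Apr 2017 18:33:50 +0000
Received: from workstation-42.corp.example (10.20.31.7) by mta-internal.corp.example; Fri, 14 Apr 2017 18:33:45 +0000
Date: Fri, 14 Apr 2017 18:33:42 +0000
From: alice@corp.example
To: bob@example.net
Subject: Q2 numbers
Message-ID: <20170414183342.1234@corp.example>
DKIM-Signature: v=1; a=rsa-sha256; d=corp.example; s=sel; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED

Attached.
"""


def received_hops(raw):
    """Return every Received: header, outermost (most recent hop) first."""
    return message_from_string(raw, policy=default_policy).get_all("Received", [])


def can_strip(name):
    """True unless the header is one RFC 5322 requires on every message."""
    return name.lower() not in REQUIRED_HEADERS


def strip_headers(raw, names=("Received",)):
    """Remove every occurrence of each named header. Headers that other
    devices verify (for example DKIM-Signature) are only removed if listed."""
    msg = message_from_string(raw, policy=default_policy)
    for name in names:
        if not can_strip(name):
            raise ValueError(f"refusing to remove required header: {name}")
        del msg[name]          # deletes all instances, case-insensitively
    return msg.as_string()
```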

You can also configure each session profile to use independent sender and recipient block and safe lists. The lists contain email addresses to either block or allow certain senders or recipients when a specific session profile is used. FortiMail applies session profile lists very early in its order of execution; they are overridden only by the system safe and block lists.


In this section, you will learn how the sender address rate control feature is useful for hosting environments in which you want to place rate limits on each internal user.

Without any rate limits, a single sender can potentially monopolize FortiMail’s session capabilities by sending an unlimited number of messages which, under some circumstances, could result in a poor reputation being assigned to the organization’s MX IP address. In the worst-case scenario, the MX IP address could be placed on an Internet block list if a compromised endpoint, which has been infected with a spam bot, starts sending out mass spam email.
The sender address rate control settings are part of the domain entry for each protected domain. They provide granular control of messages sent in terms of the number of messages, the total size in megabytes, and even the ability to notify someone when the rate limit function is triggered. You can choose to either reject sessions from senders that have triggered the rate limits, or temporarily fail them to allow transmission at a later time.
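The per-sender controls above, as an added Python example (not FortiMail's code): a message-count and total-megabyte limit per interval, the choice between reject and temporary fail, and a notification hook that fires when a sender trips the limit. The limit values, interval, addresses and timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SenderRateControl:
    """Per-sender limits as a protected domain's sender address rate control
    applies them: maximum number of messages and total megabytes within an
    interval, reject or temporary-fail on violation, optional notification.
    Limit values and the interval are constructed for this example."""

    def __init__(self, max_messages=50, max_megabytes=100.0,
                 interval=timedelta(minutes=30), on_exceed="tempfail", notify=None):
        if on_exceed not in ("reject", "tempfail"):
            raise ValueError("on_exceed must be 'reject' or 'tempfail'")
        self.max_messages = max_messages
        self.max_bytes = int(max_megabytes * 1024 * 1024)
        self.interval = interval
        self.on_exceed = on_exceed
        self.notify = notify                      # callable(sender, when) or None
        self._sent = defaultdict(deque)           # sender -> deque[(time, bytes)]
        self.blocked_until = {}

    def submit(self, sender, when, size_bytes):
        """Decide one message from `sender`: 'accept', 'reject' or 'tempfail'."""
        if when < self.blocked_until.get(sender, when):
            return self.on_exceed                 # still inside the block period
        window = self._sent[sender]
        while window and window[0][0] <= when - self.interval:
            window.popleft()                      # forget messages older than the interval
        too_many = len(window) + 1 > self.max_messages
        too_big = sum(b for _, b in window) + size_bytes > self.max_bytes
        if too_many or too_big:
            self.blocked_until[sender] = when + self.interval
            if self.notify:
                self.notify(sender, when)         # "notify someone" when the limit triggers
            return self.on_exceed
        window.append((when, size_bytes))
        return "accept"


def demo():
    """Constructed scenario: a mailbox that suddenly sends in a burst, and one oversized message."""
    alerts = []
    rc = SenderRateControl(max_messages=3, max_megabytes=1.0, on_exceed="tempfail",
                           notify=lambda sender, when: alerts.append((sender, when)))
    t0 = datetime(2017, 4, 14, 9, 0)
    decisions = [rc.submit("bot@corp.example", t0 + timedelta(seconds=i), 20_000)
                 for i in range(5)]
    after_block = rc.submit("bot@corp.example", t0 + timedelta(minutes=31), 20_000)
    oversized = rc.submit("alice@corp.example", t0, 2 * 1024 * 1024)
    return {"decisions": decisions, "after_block": after_block,
            "oversized": oversized, "alerts": len(alerts)}
```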

In FortiMail logs, you can see sender address rate control in action. In the history log, look for entries with a Classifier of Sender Address Rate Control. The search result contains details of the rate limit violation, as well as how long the user will be blocked from sending any new messages.


In this section, you will learn how to enforce size limits for all email passing through FortiMail, including attachments.

By default, FortiMail rejects all email larger than 10 MB. This size limit is enforced by the kernel and includes the SMTP header size as well as the message body size, which includes attachments. You can override this value in two places: in the session profile or in each protected domain definition.

FortiMail’s behavior varies, depending on whether the email is incoming or outgoing. For outgoing email, FortiMail uses only the session profile value, assuming that a session profile matches the email. If no session profile matches, FortiMail uses the default limit of 10 MB.
For incoming messages, FortiMail evaluates both the session profile and the protected domain values and selects the smallest value. As with outgoing messages, if no session profile matches, then FortiMail uses the default limit of 10 MB for the session profile value.


In this lesson, you learned about the session profile and its ability to control various aspects of the SMTP connection at the lower layers. You explored how the session profile can place limits on sessions from remote MTAs, including rejecting connections from blocklisted IPs.
You also learned how to use the session profile to detect erroneous behavior, place limits on the size of email messages, and hide internal network information in email headers. All of this enables FortiMail to take action early in the process and eliminates the need to execute more resource-intensive scans. In the session management lesson, you also learned how to impose rate limits on internal users to protect your MX IP reputation.

Thank you!

DO NOT REPRINT  Antivirus and Content Inspection© FORTINET
In this lesson, we’ll show how to configure the antivirus and content inspection features.

These are the topics that will be covered in this lesson. You will learn about FortiMail’s antivirus functions, and how to integrate FortiMail with FortiSandbox to form a complete advanced threat protection solution. You will also learn about the different content inspection features, and how to archive emails.

As FortiMail processes email messages, it can also scan them for viruses and malware and take appropriate action when it detects an infected message. FortiMail has multiple levels of threat and malware detection, including antispam detection, that can block malware even before transmission.

FortiGuard antivirus is included in the FortiGuard antivirus subscription. FortiMail uses the FortiGuard antivirus service to protect against the latest threats. Fortinet’s unique content pattern recognition language (CPRL) allows single signatures to protect against multiple different malware strains. FortiMail’s antivirus scanning uses the same FortiGuard virus signature databases that are used in FortiGate firewalls. The databases are kept up to date by regular updates from the FortiGuard Distribution Network (FDN).
The FortiGuard real-time sandbox is also included in the FortiGuard antivirus subscription. FortiMail uses the local sandbox to evaluate executable content that has passed the FortiGuard antivirus signatures. The local sandbox examines the construction of files to look for characteristics commonly found in viruses. It also emulates the execution of the content to look for typical virus behavior.
FortiGuard Labs receives global requests for ratings of sender IPs, content, and attachments. Using data analytic techniques, FortiGuard can quickly detect and respond to new outbreaks, blocking suspicious virus objects without the need for antivirus signatures. The FortiGuard malware outbreak database is included in the antispam subscription.

This slide shows the process flow for antimalware detection.

To enable local antivirus scanning techniques and actions, you must first create an antivirus profile. Each antivirus profile specifies a default action that FortiMail runs when it detects a virus. You can override the default action if you select a different action on a technique-by-technique basis. When you create an antivirus profile, set the domain attribute to determine the profile’s visibility within the system. You can set the domain attribute to make the profile available for use across the system, or in a specific protected domain only.

You can create a new action profile in the Antivirus Profile dialog box. The most commonly used action is Replace infected/suspicious body or attachment(s). This option allows the body of the email to be delivered to the intended recipient without the malicious attachments. Other commonly used actions include the following:
• Discard: FortiMail silently drops the email
• Reject: FortiMail drops the email and sends a message to the sender that explains why it was dropped
Note: there is no personal quarantine option in an antivirus action profile. This protects the end user from accidentally releasing infected content on their local computer.

The antivirus profile can be referenced by IP-based policies or recipient-based policies. For complete protection, enable antivirus scanning on outbound policies to prevent malicious content from accidentally leaving your organization.

To view the logs, click Monitor > Logs. The history logs provide an overview of the events that have occurred, including classifier, disposition, and virus name. For more detail, click the Session ID link to see a cross search result of all the logs for that single event.
This slide shows an example of a Reject action in response to the detection of a virus. FortiMail generates an SMTP 554 message that explains the reason for the rejection.

When you use the Replace action, and FortiMail detects an infected attachment, FortiMail replaces the infected attachment with a text attachment that contains the details of the original file and the detected virus. This allows the recipient to stay informed.
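The Replace action as it appears to the recipient, as an added Python example (not FortiMail's implementation): the MIME tree is walked, and each attachment that trips the detector is swapped for a text/plain attachment naming the original file, its type and size, and the detection. The detection signature and the sample message are constructed stand-ins for the FortiGuard engine and real traffic.

```python
from email.message import EmailMessage

# Constructed detection signature standing in for the FortiGuard antivirus
# engine: any attachment containing this byte string counts as "infected".
SIGNATURES = {"Constructed.Test.Sig": b"CONSTRUCTED-MALWARE-SIGNATURE-FOR-EXAMPLE"}


def detect(payload):
    """Return the name of the matching signature, or None when clean."""
    for name, pattern in SIGNATURES.items():
        if pattern in payload:
            return name
    return None


def replace_infected(msg):
    """Apply the 'Replace infected/suspicious body or attachment(s)' action:
    each infected attachment becomes a text/plain attachment that names the
    original file, its type and size, and the detected virus."""
    replaced = []
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue                      # containers and the message body are kept
        payload = part.get_payload(decode=True) or b""
        virus = detect(payload)
        if virus is None:
            continue
        filename = part.get_filename() or "(unnamed)"
        notice = (f"The attachment '{filename}' was removed.\n"
                  f"Original type: {part.get_content_type()}\n"
                  f"Original size: {len(payload)} bytes\n"
                  f"Detected as: {virus}\n")
        # set_content() clears the old payload and Content-* headers first.
        part.set_content(notice, disposition="attachment", filename=f"{filename}.txt")
        del part["MIME-Version"]          # set_content adds it; it belongs on the top level only
        replaced.append((filename, virus))
    return replaced


def build_sample():
    """Constructed inbound message: a clean PDF plus an 'infected' executable."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.net"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed clean document",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ" + SIGNATURES["Constructed.Test.Sig"],
                       maintype="application", subtype="octet-stream", filename="invoice.exe")
    return msg


def attachments(msg):
    """(filename, content type, detection) for every attachment in the message."""
    return [(p.get_filename(), p.get_content_type(), detect(p.get_payload(decode=True) or b""))
            for p in msg.walk() if p.is_attachment()]
```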


In this section, you will learn how you can integrate FortiMail with FortiSandbox to enhance your system’s malware detection capabilities.

FortiSandbox integrates with FortiMail to provide protection against email-borne threats. Unlike network traffic, email is handled by FortiMail as a store-and-forward system, so it is generally acceptable to introduce a small amount of latency. Because of this, you can use FortiMail with FortiSandbox and FortiGate to prevent advanced threats in email from reaching the end user.
When you make this simple integration, at-risk email traffic is sent to FortiSandbox and held until it has been analyzed. If a suspicious or malicious item is found by FortiSandbox, that email can be blocked from being delivered.

The list of files that FortiMail submits to FortiSandbox for inspection is largely dependent on the file types FortiSandbox supports. As of FortiSandbox 2.1 and FortiMail 5.3.0, FortiSandbox supports the following file types:
• PDF - PDF, PS
• JavaScript - JS
• Windows executables - EXE, COM, DLL, MSI, CMD, BAT, OCX
• Java archive - JAR
• Microsoft Office - Word, Excel, PowerPoint, OneNote, Theme
• Adobe Flash - SWF
• Hypertext Markup Language - HTM, HTML
• All of the supported files within archives - ZIP, GZIP, RAR, TAR, BZIP, CAB, 7ZIP

To enable FortiSandbox integration, you must choose a FortiSandbox that is running on the local network or on a cloud-based appliance. When you perform the initial configuration, use the test function to validate communications between FortiMail and FortiSandbox.
The default values for the Scan timeout and Scan results expire in settings are 30 and 60 minutes respectively. The Scan timeout value determines how long FortiMail waits for a response from FortiSandbox, and the Scan result expires in value determines how long FortiMail caches a scan result.

The scan mode determines whether FortiMail waits for results after submission, or submits the files and immediately continues processing the email.
If you select Submit only, FortiMail submits all files to FortiSandbox and delivers the email to the intended recipient without waiting for a response. In this mode, FortiSandbox is only a monitoring device, and FortiMail doesn’t take any antivirus actions based on scan results from FortiSandbox.
If you select Submit and wait for result, FortiMail submits all files to FortiSandbox and waits for the duration of time set in the Scan timeout field. This is the recommended option to protect your network from email-borne threats.

You can expand the File Scan Settings section to see and select the file types that are submitted to FortiSandbox. You can also create custom file pattern definitions and limit file submission by size.
By default, URI Scan Settings is disabled. You can enable the setting to send uniform resource identifiers (URIs) embedded in email bodies to FortiSandbox to identify whether they are malicious. URI Scan Settings provides granular control over which type of URIs FortiMail submits to FortiSandbox. Select Unrated or All URIs to set the type of URIs that are sent for scanning. To limit the number of URIs, enter a value in the Number of URIs per email field.

After FortiMail connects to FortiSandbox, you must select the FortiSandbox check box in an antivirus profile. Optionally, you can assign different action profiles for different threat levels, or select the global Default action. If the antivirus profile is referenced by an IP or recipient policy, FortiMail starts sending files to FortiSandbox as it starts processing email using the policy.

You can examine the cross search results to learn details about the events generated by FortiSandbox integrated virus scanning. The logs show what type of file triggered the FortiSandbox scan, the file checksum, and the scan result. FortiMail also logs how long it took to process the email.

The URI submission logs are similar to the file submission logs.


FortiMail uses content profiles to examine the content of inbound or outbound email for specific content. You can use the findings to control the type of content that is allowed to pass by email, enforce compliance with network usage policies, or trigger content-based message encryption.

Content profiles support attachment detection based on MIME types or file extensions. Content profiles also support dictionary profiles to detect the content of words or phrases using RegEx or Wildcard expressions.

You can use the Scan Options to detect various properties of email or attachments, such as the following:
• Password-protected Microsoft Office files
• Password-protected archives
• Archive bombs
• Number of attachments

You can use file filters to match email attachments based on the file extension or type. The predefined File Type definitions can detect files based on their MIME header. This allows FortiMail to detect, for example, an executable file masked with a .txt extension.
If the predefined set of file filters doesn’t include the file type you need, you can add entries on the File Filter tab and specify MIME types, file extensions, or both.

Add file filters to the content profile’s Attachment Scan Rules, and select a default action profile. You can also override the default action profile for each file filter individually.
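The attachment checks from the three pages above (the archive-bomb scan option, type detection by leading bytes rather than extension, and a file-filter rule with an action), as one added Python example that is not FortiMail's code. The signature table is a constructed, partial stand-in for the predefined File Type definitions, the compression-ratio threshold is an assumption, and only ZIP archives are inspected.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed magic-byte table standing in for the predefined File Type definitions.
SIGNATURES = [
    (b"MZ", "application/x-msdownload", "executable"),
    (b"\x7fELF", "application/x-executable", "executable"),
    (b"%PDF-", "application/pdf", "pdf"),
    (b"PK\x03\x04", "application/zip", "archive"),
    (b"Rar!\x1a\x07", "application/x-rar-compressed", "archive"),
]
TEXT_EXTENSIONS = {"txt", "csv", "log"}


def detect_type(data):
    """Identify a file by its leading bytes, ignoring whatever name it carries."""
    for magic, mime, kind in SIGNATURES:
        if data.startswith(magic):
            return mime, kind
    return "text/plain", "text"


def archive_ratio(data):
    """Total declared uncompressed size divided by the archive's own size; a very
    large ratio is the archive-bomb signal. Returns None if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            inflated = sum(info.file_size for info in archive.infolist())
    except zipfile.BadZipFile:
        return None
    return inflated / max(len(data), 1)


def evaluate_attachment(filename, data, blocked_kinds=("executable",), bomb_ratio=100.0):
    """One attachment scan rule: detect the real type, flag an extension that
    lies about it, block listed kinds, and block suspiciously dense archives.
    `bomb_ratio` is an assumed threshold, not a FortiMail value."""
    extension = PurePosixPath(filename).suffix.lstrip(".").lower()
    mime, kind = detect_type(data)
    verdict = {"file": filename, "extension": extension, "detected": mime, "kind": kind,
               "masquerade": kind != "text" and extension in TEXT_EXTENSIONS,
               "action": "pass"}
    if kind in blocked_kinds:
        verdict["action"] = "block:file-type"
    elif kind == "archive":
        ratio = archive_ratio(data)
        verdict["ratio"] = ratio
        if ratio is not None and ratio > bomb_ratio:
            verdict["action"] = "block:archive-bomb"
    return verdict


def make_zip(entries, compression=zipfile.ZIP_DEFLATED):
    """Build an in-memory ZIP from {name: bytes}; used to construct test inputs."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", compression) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buffer.getvalue()
```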

A dictionary profile is a list of words or phrases defined using either RegEx or Wildcard patterns. FortiMail has three predefined dictionaries for HIPAA, SOX, and GLB. You can also add new dictionary profiles to use the predefined Smart Identifiers, or user-defined Dictionary Entries.
Dictionary profiles allow you to inspect email content on a deeper level. You can search for words or phrases in the email header, body, and attachments. Dictionary matching, while granular, is also very resource intensive.
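Dictionary matching over header, body and attachment text, as an added Python example (not FortiMail's engine): wildcard entries are translated to regular expressions, RegEx entries are used as written, and every hit is reported with where it was found. The dictionary entries, the wildcard semantics ('*' any run of word characters, '?' one) and the sample message are constructed; the SSN-shaped pattern only imitates what a Smart Identifier does.

```python
import re

# Constructed dictionary profile: a wildcard entry for a project codename, a
# RegEx entry shaped like a Smart Identifier for US SSNs, and a plain word.
DICTIONARY = [
    ("project-codename", "wildcard", "Project-Sparrow*"),
    ("us-ssn", "regex", r"\b\d{3}-\d{2}-\d{4}\b"),
    ("classification", "wildcard", "confidential"),
]


def wildcard_to_regex(pattern):
    """Translate a wildcard entry into a word-bounded, case-insensitive regex.
    Assumed semantics: '*' matches any run of word characters, '?' exactly one."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(r"\w*")
        elif ch == "?":
            out.append(r"\w")
        else:
            out.append(re.escape(ch))
    return re.compile(r"\b" + "".join(out) + r"\b", re.IGNORECASE)


def compile_entry(kind, pattern):
    if kind == "regex":
        return re.compile(pattern, re.IGNORECASE)
    if kind == "wildcard":
        return wildcard_to_regex(pattern)
    raise ValueError(f"unknown entry kind: {kind}")


def scan_message(headers, body, attachments, dictionary=DICTIONARY):
    """Run every dictionary entry over the header values, the body and the
    decoded text of each attachment. Returns (entry, location, matched text)."""
    compiled = [(name, compile_entry(kind, pattern)) for name, kind, pattern in dictionary]
    sources = [(f"header:{name}", value) for name, value in headers.items()]
    sources.append(("body", body))
    sources.extend((f"attachment:{name}", text) for name, text in attachments.items())
    hits = []
    for location, text in sources:
        for name, regex in compiled:
            for match in regex.finditer(text):
                hits.append((name, location, match.group(0)))
    return hits


def demo():
    """Constructed message that trips all three entries in different places."""
    headers = {"From": "alice@corp.example", "Subject": "Re: Project-Sparrow2 status"}
    body = "This is CONFIDENTIAL. Employee SSN 123-45-6789 is in the attached roster."
    attachments = {"roster.csv": "name,ssn\nbob,987-65-4321\n"}
    return scan_message(headers, body, attachments)
```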

