FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42

DO NOT REPRINT  Antispam© FORTINET
FortiMail is capable of detecting spam messages that consist mainly of embedded GIF, JPEG, or PNG images with little or no text in the message body. Many of the other spam detection techniques have difficulty with messages like this because of the lack of text. The image spam feature analyzes the characteristics of embedded images using fuzzy logic developed by FortiGuard to determine if the message is spam. If you select Aggressive, the feature analyzes image attachments too. Image spam scanning can be resource intensive, especially if you select Aggressive; however, you should use image spam scanning if image-based spam messages are passing through the other spam techniques undetected.
FortiMail Student Guide 401

Bayesian filtering is a classic anti-spam technique that analyzes the words in an email to determine the probability that the email is spam. The technique compares words or tokens with two pre-existing databases of tokens: one derived from known spam and the other from clean email. If there is a higher correlation of tokens with the spam collection, then the email is marked as spam. You can configure the collections used for a given protected domain to use either a global database, or a dedicated database for each domain. Support for personal databases or databases for each user has been removed to improve performance.

Bayesian filtering can work well, but it requires user interaction to continue being effective. As spammers alter their content to evade detection by methods such as Bayesian filtering, you must continually update the two databases with fresh examples to keep up. The process of adding new examples of both spam and non-spam messages is known as training the database. While both the administrator and the end-user community can submit training samples to FortiMail, Bayesian filtering remains a fairly high-maintenance technique and is no longer recommended. The other spam detection techniques in FortiMail are more accurate and require far less maintenance.
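The two slides above describe the mechanics of Bayesian filtering (two token databases, training, and a per-message probability) without showing the arithmetic. The following is an added illustration written for this guide, not FortiMail's own implementation: a minimal naive-Bayes filter in Python with a spam database and a clean database, a train() method that plays the role of the administrator or end user submitting samples, and a classifier that combines per-token probabilities. The training corpus and the 0.9 threshold are constructed for the example.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Split a message into lower-case tokens; a token is counted once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianFilter:
    """Two token databases (spam and clean) plus message counts; training adds to them."""

    def __init__(self):
        self.spam_tokens = Counter()
        self.clean_tokens = Counter()
        self.spam_messages = 0
        self.clean_messages = 0

    def train(self, text, is_spam):
        """Training: add a fresh example to the spam database or the clean database."""
        tokens = tokenize(text)
        if is_spam:
            self.spam_tokens.update(tokens)
            self.spam_messages += 1
        else:
            self.clean_tokens.update(tokens)
            self.clean_messages += 1

    def token_probability(self, token):
        """P(spam | token) from the two databases; add-one smoothing keeps unseen tokens neutral (0.5)."""
        p_spam = (self.spam_tokens[token] + 1) / (self.spam_messages + 2)
        p_clean = (self.clean_tokens[token] + 1) / (self.clean_messages + 2)
        return p_spam / (p_spam + p_clean)

    def spam_probability(self, text):
        """Combine per-token probabilities (naive Bayes) in log space to avoid underflow."""
        log_spam = log_clean = 0.0
        for token in tokenize(text):
            p = self.token_probability(token)
            log_spam += math.log(p)
            log_clean += math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(log_clean - log_spam))

    def is_spam(self, text, threshold=0.9):
        """The message is marked as spam when the correlation with the spam database is high enough."""
        return self.spam_probability(text) >= threshold


# Constructed training samples for the example (not a real corpus)
TRAINING = [
    ("cheap meds buy now", True),
    ("buy cheap pills now", True),
    ("win money now click here", True),
    ("meeting agenda for tomorrow", False),
    ("please review the quarterly report", False),
    ("lunch tomorrow at noon", False),
]


def build_demo_filter():
    """Train a filter on the constructed samples, as an administrator would by submitting examples."""
    f = BayesianFilter()
    for text, is_spam in TRAINING:
        f.train(text, is_spam)
    return f
```

The maintenance burden the slide warns about is visible in the numbers: with only six training messages, a single new spam vocabulary ("pills" appears in one sample) is enough to shift a verdict, so the databases only stay useful while fresh examples keep arriving.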

The newsletter scan detects messages that are likely to be legitimate newsletters and treats them as spam. One interesting possibility is to tag the subject line of these email messages with “[newsletter]” so that the end user can filter them at their MUA email client. Spammers sometimes disguise email to look like legitimate newsletters. The suspicious newsletter scan examines the content to detect spam characteristics and executes the configured antispam action.

Similar to image-based spam, spammers may attempt to evade detection by sending messages containing only a PDF attachment. PDF scanning converts the first page of the PDF document to a format that is suitable for analysis by the banned word, heuristic, and image scanning methods. You must enable at least one of these three methods in the antispam profile.

FortiMail uses four levels of blocklisting and safelisting. In order of processing priority, the levels are:
• System – FortiMail applies entries in the system lists to all protected domains
• Session – FortiMail maintains session profile lists for each profile
• Domain – Each protected domain maintains its own block and safe lists
• Personal – Individual users also have their own lists. The end user can manage the lists using the webmail portal, or the administrator can manage the lists using the management GUI.
For any message matching a safelist, FortiMail bypasses all antispam checks and the message is processed through any other configured inspection profiles from the matching policy. List entries can take the form of email addresses, domains, or IP addresses. If a message matches an entry on a blocklist, the message is processed by the blocklist action setting. You can set the blocklist action to reject or discard the message, or to invoke the action of the matching antispam profile.

Spammers use many tricks to bypass security mechanisms. One of these tricks is to spoof SMTP header addresses. The spammer might use a legitimate sender in the envelope MAIL FROM: address, but when they craft the header, they spoof the From: address. Since MUAs use the header addresses to display email information, such as the From and To fields, the recipients see the spoofed email sender.
You can use the SPF validation options to detect spoofed header addresses. You can configure SPF validation only in the CLI, using the following commands:
config antispam settings
    set spf-checking <value>
end
The aggressive-anti-spoofing option treats both the SPF hardfailed and softfailed email messages as spam, and compares the envelope MAIL FROM: address with the header From: address to detect spoofing. The strict-anti-spoofing option treats only the SPF hardfailed emails as spam, and also compares the envelope MAIL FROM: address with the header From: address to detect spoofing.
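To make the two spf-checking modes concrete, here is an added Python model of the decision described above. It is not FortiMail's code: the SPF result is taken as an input (as produced by an SPF check on the envelope MAIL FROM: that has already run), the header From: is parsed from the raw message with the standard library, and the verdict names ("spam"/"clean") and reason strings are this example's own. The sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Which SPF results each mode treats as spam, per the spf-checking description above
SPF_SPAM_RESULTS = {
    "aggressive-anti-spoofing": {"fail", "softfail"},   # hardfail and softfail
    "strict-anti-spoofing": {"fail"},                   # hardfail only
}


def header_from(raw_message):
    """Bare address from the RFC 5322 From: header, i.e. what the MUA displays."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def envelope_header_mismatch(envelope_mail_from, raw_message):
    """Both modes compare the envelope MAIL FROM: with the header From:."""
    return header_from(raw_message) != envelope_mail_from.lower()


def evaluate(mode, spf_result, envelope_mail_from, raw_message):
    """Return (verdict, reason) for one message.

    spf_result: 'pass', 'softfail', 'fail', 'neutral' or 'none', as returned by
    an SPF check of envelope_mail_from's domain against the connecting IP.
    """
    if mode not in SPF_SPAM_RESULTS:
        raise ValueError(f"unknown spf-checking mode: {mode}")
    if spf_result in SPF_SPAM_RESULTS[mode]:
        return "spam", f"spf-{spf_result}"
    if envelope_header_mismatch(envelope_mail_from, raw_message):
        return "spam", "envelope-header-from-mismatch"
    return "clean", None


# Constructed sample: the envelope sender passes SPF, but the displayed From: is spoofed
SPOOFED_MESSAGE = (
    "From: Finance <ceo@a.com>\r\n"
    "To: payroll@a.com\r\n"
    "Subject: Urgent wire transfer\r\n"
    "\r\n"
    "Please process the attached payment today.\r\n"
)
SPOOFED_ENVELOPE_FROM = "bulk@mailer.example.net"
```

Note that SPF alone would let the constructed message through (the envelope domain is the spammer's own and its SPF record passes); only the envelope-versus-header comparison catches it. Before enabling either mode, inventory legitimate mismatches such as mailing lists and forwarding services, since the comparison flags those too.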

Spammers sometimes try to bypass antispam measures by hiding spam content in delivery status notifications (DSN) or bounce messages. DSN messages don’t undergo the same level of antispam processing as regular email, if any at all. In a clever abuse of SMTP, spammers forge the email address of the intended target as the MAIL FROM: address, use a non-existent recipient in RCPT TO:, and send it out to a relay MTA, which, since it cannot deliver the message, creates the DSN and sends it out to the spammer’s intended target with the original spam content attached. This technique is typically referred to as backscatter.

If we look at the same backscatter attack attempt, but this time with bounce address tag validation (BATV) enabled on the a.com MTA, the outcome looks very different. The BATV-enabled MTA searches for the BATV tag in the DSN email header. If it doesn’t find the tag, the MTA drops the DSN message instead of delivering it to the end user.
BATV provides a mechanism that can distinguish between legitimate DSN messages and backscatter spam by proving that the DSN was generated because of a message sent by a particular FortiMail-protected domain.

To configure BATV on FortiMail, you must first enter a key. The key can be any sequence of ASCII characters. The key, along with a cryptographic salt value, generates the unique tag for each message. You can create new keys if necessary, but only one key in the list can be active at any time. Once an active key is available, enable BATV and set the action to execute if tag validation fails.
After you enable BATV, FortiMail starts prepending the tag to the sender’s email address in the SMTP envelope’s MAIL FROM: field. FortiMail doesn’t alter the sender’s email address in the header. If the tagged message is undeliverable, the resulting DSN contains the tagged version of the sender’s address, since the original message is appended to the DSN. When the DSN arrives on FortiMail, FortiMail searches for this tag. If the tag exists, it means the DSN was generated for an email sent out from one of the protected domains, and FortiMail delivers the DSN to the recipient. If the tag doesn’t exist, FortiMail drops the DSN.
For inbound DSN messages, the envelope MAIL FROM: field must be blank, otherwise FortiMail won’t perform bounce verification on it. The MAIL FROM: envelope address of a DSN message is typically blank to avoid the potential to create continuous bounce messages that bounce back and forth forever.

Certain MTAs reject email messages that have BATV tags in the email header, either deliberately or because of configuration mistakes. To allow successful email transmission between FortiMail and these MTAs, you must exclude the MTAs from BATV tagging. Email sent from FortiMail to the MTAs in the Tagging Exempt List won’t have the BATV tags added to their headers.
Other MTAs won’t append the original email to the DSN email. If the original email isn’t appended to the DSN, the email won’t have a BATV tag, and tag verification would fail. To exclude these MTAs from tag verification, add them to the Verification Exempt List.
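The three BATV slides (key and salt, tagging on the way out, verification of inbound DSNs, and the two exempt lists) describe a scheme that is easy to misread without seeing the addresses change. The following is an added Python illustration, not FortiMail's implementation or wire format: the tag is a truncated HMAC of the original sender address keyed with the active key and mixed with a per-message salt, the tagged local part has the shape btv=<salt><mac>=<original local part> (an assumed layout), and the exempt-list behaviour follows the slide text. Sample hosts, addresses and the key are constructed.

```python
import hashlib
import hmac
import re
import secrets

# Assumed tagged-address layout for this example: btv=<8 hex salt><12 hex HMAC>=<original address>
TAG_RE = re.compile(r"^btv=([0-9a-f]{8})([0-9a-f]{12})=(.+@.+)$")


class BatvGateway:
    """Illustrative BATV tagger and verifier with one active key and the two exempt lists."""

    def __init__(self, active_key, tagging_exempt=(), verification_exempt=()):
        self.key = active_key.encode()                        # only one key is active at a time
        self.tagging_exempt = {h.lower() for h in tagging_exempt}
        self.verification_exempt = {h.lower() for h in verification_exempt}

    def _mac(self, salt, address):
        # Key + salt -> a tag that is unique per message and unforgeable without the key
        data = (salt + address.lower()).encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()[:12]

    def tag_sender(self, mail_from, next_hop_mta, salt=None):
        """Rewrite the envelope MAIL FROM: for outbound mail; the header From: is left alone."""
        if next_hop_mta.lower() in self.tagging_exempt:
            return mail_from                                  # Tagging Exempt List: send untagged
        salt = salt or secrets.token_hex(4)                   # fresh salt per message
        return f"btv={salt}{self._mac(salt, mail_from)}={mail_from}"

    def verify_dsn(self, envelope_mail_from, bounced_mail_from, sending_mta):
        """Decide what to do with an inbound bounce.

        envelope_mail_from: MAIL FROM: of the inbound message (blank for a genuine DSN)
        bounced_mail_from:  the sender address recovered from the original message
                            appended to the DSN (None if nothing was appended)
        Returns 'skip' (not a DSN, so no bounce verification), 'deliver' or 'drop'.
        """
        if envelope_mail_from != "":
            return "skip"                                     # verification only applies to null-sender mail
        if sending_mta.lower() in self.verification_exempt:
            return "deliver"                                  # Verification Exempt List: MTA never appends the original
        match = TAG_RE.match(bounced_mail_from or "")
        if not match:
            return "drop"                                     # no tag: we never sent this, so it is backscatter
        salt, mac, original = match.groups()
        if not hmac.compare_digest(mac, self._mac(salt, original)):
            return "drop"                                     # tag does not verify under the active key
        return "deliver"
```

Key rotation follows directly from the design: a DSN for a message tagged under a previous key will fail verification once a new key becomes active, so rotate only after outstanding bounces for the old key have had time to arrive, and make sure the "action if tag validation fails" you configure is the one you intend for that window.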

Whenever an email triggers an antispam action, FortiMail adds an X-FEAS header. These headers show the specific antispam technique that was triggered, as well as the relevant value that triggered it.
This slide shows a list of the FortiMail header tags used in antispam scanning. These tags are useful tools for troubleshooting and understanding what happened to an email message.

FortiMail performs each of the antispam scanning and other actions in a particular order. Actions taken as a result of scanning can be categorized as follows:
• Final actions: reject, discard, personal quarantine, and system quarantine. If one of these actions is taken, no further scanning is processed.
• Non-final actions: tag, add header, replace, archive, notify, BCC, rewrite, and encrypt. If one or more of these actions have been taken, FortiMail keeps processing the email with the other scans.
The execution sequence of the antispam techniques can be found in the following online help document:
http://help.fortinet.com/fmail/5-3-6/admin/index.html#page/FortiMail_Online_Help/overview_01_24.html
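The final/non-final distinction and the per-technique headers from the previous two slides combine into a simple processing loop, shown here as an added Python model (not FortiMail's code, and the scanner order is a constructed subset rather than the sequence in the linked help page). Each scanner returns the action it triggers and the value that triggered it; the loop records an X-FEAS-style header per hit (the X-FEAS-<technique> naming is this example's assumption), keeps going after a non-final action, and stops at the first final one. The sample scanners and messages are constructed.

```python
FINAL_ACTIONS = {"reject", "discard", "personal-quarantine", "system-quarantine"}
NON_FINAL_ACTIONS = {"tag", "add-header", "replace", "archive", "notify", "bcc", "rewrite", "encrypt"}


def run_scans(message, scanners):
    """Run scanners in order; each returns (action, detail) or None.

    Returns the final disposition, the actions taken, the per-technique headers,
    and how many scanners actually ran (fewer than len(scanners) after a final action).
    """
    headers, taken, scans_run = {}, [], 0
    for technique, scan in scanners:
        scans_run += 1
        hit = scan(message)
        if hit is None:
            continue
        action, detail = hit
        if action not in FINAL_ACTIONS | NON_FINAL_ACTIONS:
            raise ValueError(f"{technique}: unknown action {action}")
        headers[f"X-FEAS-{technique}"] = detail          # assumed header naming; records technique and value
        taken.append((technique, action))
        if action in FINAL_ACTIONS:
            return {"final": action, "taken": taken, "headers": headers, "scans_run": scans_run}
    return {"final": "deliver", "taken": taken, "headers": headers, "scans_run": scans_run}


# Constructed sample scanners standing in for a few FortiMail techniques
BLOCKLIST = {"spammer@evil.example"}
BANNED_WORDS = {"lottery", "prize"}


def blocklist_scan(m):
    # Blocklist action configured as reject (a final action)
    return ("reject", m["envelope_from"]) if m["envelope_from"] in BLOCKLIST else None


def banned_word_scan(m):
    # Banned word action configured as tag (non-final): scanning continues afterwards
    hits = sorted(BANNED_WORDS & set(m["body"].lower().split()))
    return ("tag", ",".join(hits)) if hits else None


def newsletter_scan(m):
    # Newsletter detection configured to tag the subject with [newsletter]
    header_names = {k.lower() for k in m["headers"]}
    return ("tag", "[newsletter]") if "list-unsubscribe" in header_names else None


def heuristic_scan(m):
    # A heuristic rule whose action is personal quarantine (final)
    return ("personal-quarantine", "click-here-rule") if "click here" in m["body"].lower() else None


SCAN_ORDER = [
    ("Blocklist", blocklist_scan),
    ("BannedWord", banned_word_scan),
    ("Newsletter", newsletter_scan),
    ("Heuristic", heuristic_scan),
]

BLOCKED_MESSAGE = {"envelope_from": "spammer@evil.example", "headers": {}, "body": "You won a prize"}
NEWSLETTER_MESSAGE = {"envelope_from": "news@shop.example",
                      "headers": {"List-Unsubscribe": "<mailto:unsub@shop.example>"},
                      "body": "Grand prize lottery draw"}
PHISH_MESSAGE = {"envelope_from": "promo@other.example", "headers": {}, "body": "Prize waiting, click here"}
```

When troubleshooting with the real X-FEAS headers, the same logic explains why a quarantined message may carry headers from several techniques (non-final hits that ran first) but never from techniques later in the sequence than the one that took the final action.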


In this section, you will learn about the management options available for user quarantines.

FortiMail can generate a quarantine report for each end user, to notify them of any email in their quarantine mailbox. FortiMail sends the reports on a schedule. The reports are generated only for mailboxes that contain quarantined email.
Depending on the action profile configuration, users can use either email actions or web actions to release or delete quarantined messages.

To configure the quarantine report schedule, click AntiSpam > Quarantine > Quarantine Report.
Configuring an alternate host name for web release and delete links can be useful if the local domain name or management IP of the FortiMail unit is not resolvable from everywhere that email users will use their quarantine reports. In that case, you can override the web release link to use a globally resolvable host name or IP address.

When you configure FortiMail to send spam email to a user’s personal quarantine, the user can delete the quarantined email or release it to their inbox. The administrator GUI can display the messages contained in the user’s quarantine and distinguish between released and unreleased messages. When users release email messages from their personal quarantine, the messages are tagged as Released.


In this lesson, you learned about the antispam scanning methods available on FortiMail and how to configure them in antispam profiles. You explored which of the antispam techniques are most effective against zero-day spam outbreaks. You also explored how to block spoofed headers and backscatter attacks. And you learned how to enable quarantines for each user, and how to manage quarantine reports.

Thank you!

DO NOT REPRINT  Securing Communications© FORTINET
In this lesson, we’ll show diverse methods for securing communications within FortiMail.

These are the topics that will be covered in this lesson. You will learn about traditional encryption methods, and how to manage encryption options on FortiMail. You will also learn about FortiMail’s identity-based encryption (IBE) feature, and how to configure IBE to provide end-to-end message encryption.

In this section, you will learn how to enable SMTPS and SMTP over TLS on FortiMail, as well as how to control enforcement of TLS-encrypted sessions.

While SMTPS is usually deprecated in favor of STARTTLS, SMTPS is still supported on FortiMail for backward compatibility. For gateway and transparent modes, you can enable an SMTPS connection in the protected domain configuration. If the backend server doesn’t support SMTPS, the connection reverts to standard SMTP by default.

You can also configure FortiMail to accept SMTPS connections by enabling SMTP over SSL/TLS. This also enables the STARTTLS extension for clients to use. You should enable this option for all deployment modes.

The TLS profile is configured with one of four security levels and associated sets of failure actions:
• None – TLS is disabled, and only plain text connections are accepted.
• Preferred – TLS is used if available. This is FortiMail’s default behavior. Action on failure settings aren’t applicable.
• Encrypt – TLS is required. Failure to negotiate a TLS connection enforces the Action on failure setting.
• Secure – Requires a certificate-authenticated TLS connection. CA certificates must be installed on FortiMail before the certificates can be used to secure TLS connections. Action on failure settings apply.
There are two possible Action on failure settings:
• Temporarily Fail: FortiMail rejects the connection and retries at a later time.
• Fail: FortiMail rejects the connection and generates a delivery status notification indicating that the email transmission failed.

By default, FortiMail uses STARTTLS if the recipient MTA supports it, and reverts to plain text if the recipient MTA doesn’t support it. Using access control rules and TLS profiles, FortiMail can enforce TLS in both directions. For example, you can configure an access receive rule that has a TLS profile to accept email only if the sender selects STARTTLS. In the reverse direction, you can configure an access delivery rule that has a TLS profile to force FortiMail to always select STARTTLS, and close the connection if the recipient MTA doesn’t support STARTTLS.
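The four profile levels and two failure actions are easiest to reason about as a decision on what the peer actually offered. The following is an added Python example, not FortiMail's code: decide() models the TLS profile table from the previous slide, and deliver() shows the outbound (access delivery rule) direction as an SMTP client that issues STARTTLS, verifies the peer certificate only at the Secure level, and turns a failed negotiation into the configured failure action. Level and action names are this example's own lower-case spellings of the GUI settings; the exception classes are assumed.

```python
import smtplib
import ssl

LEVELS = ("none", "preferred", "encrypt", "secure")
FAILURE_ACTIONS = ("temp-fail", "fail")      # Temporarily Fail / Fail


class TemporaryFailure(Exception):
    """Reject now and retry later (Action on failure = Temporarily Fail)."""


class PermanentFailure(Exception):
    """Reject and generate a DSN (Action on failure = Fail)."""


def decide(level, tls_negotiated, cert_verified=False, action_on_failure="temp-fail"):
    """Map a profile level plus what was negotiated with the peer to 'plain', 'tls',
    or the configured failure action."""
    if level not in LEVELS or action_on_failure not in FAILURE_ACTIONS:
        raise ValueError("unknown TLS level or failure action")
    if level == "none":
        return "plain"                                      # TLS disabled: plain text only
    if level == "preferred":
        return "tls" if tls_negotiated else "plain"         # fall back; failure action not applicable
    if level == "encrypt":
        return "tls" if tls_negotiated else action_on_failure
    # secure: the session must be TLS and the peer certificate must chain to an installed CA
    return "tls" if (tls_negotiated and cert_verified) else action_on_failure


def deliver(level, host, sender, recipient, message, port=25, action_on_failure="temp-fail"):
    """Outbound delivery enforcing the profile; returns 'plain' or 'tls' on success."""
    ctx = ssl.create_default_context()                      # verifies chain and host name (Secure level)
    if level != "secure":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE                     # Encrypt/Preferred: encryption without peer authentication
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        tls_ok = False
        if level != "none" and smtp.has_extn("starttls"):   # peer advertises STARTTLS in its EHLO reply
            try:
                smtp.starttls(context=ctx)
                smtp.ehlo()                                 # EHLO must be re-issued after STARTTLS (RFC 3207)
                tls_ok = True
            except (ssl.SSLError, smtplib.SMTPException) as exc:
                # A failed handshake leaves the session unusable, so even Preferred cannot fall back here
                if level == "preferred" or action_on_failure == "temp-fail":
                    raise TemporaryFailure(f"{host}: STARTTLS handshake failed: {exc}") from exc
                raise PermanentFailure(f"{host}: STARTTLS handshake failed: {exc}") from exc
        outcome = decide(level, tls_ok, cert_verified=tls_ok, action_on_failure=action_on_failure)
        if outcome == "temp-fail":
            raise TemporaryFailure(f"{host}: profile requires TLS but the peer does not offer STARTTLS")
        if outcome == "fail":
            raise PermanentFailure(f"{host}: profile requires TLS but the peer does not offer STARTTLS")
        smtp.sendmail(sender, recipient, message)
        return outcome
```

The Secure branch is the one that matters for a downgrade-resistant setup: with Encrypt, a peer presenting any certificate (including a self-signed one inserted by an on-path MTA) is accepted, whereas Secure refuses unless the certificate chains to a CA you installed. The same decision table applies in the receive direction, with the access receive rule deciding whether to accept MAIL FROM on a session that never issued STARTTLS.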

FortiMail logs all TLS-related entries as Event logs. To view TLS-related events, in a History log, click the Session ID link. The log entry contains the TLS version, cipher suite, and bit strength.


In this section, you will learn about the risks that exist with traditional email encryption methods, and how IBE is used to address these risks for a complete end-to-end encryption solution.

SMTP, as a store-and-forward protocol, is detrimental to email security because the contents of a message can land at multiple locations as it travels from the sender to the recipient. Even with traditional TLS encryption methods, if there are multiple hops, there is no way to ensure that all sessions are encrypted. To make matters worse, the message contents are available in clear text at each MTA along the path. This provides multiple opportunities for unscrupulous individuals to observe the content of the message.
To guarantee privacy and security, the contents of the message must remain encrypted over the entire journey from sender to recipient, and receipt of the message must be authenticated.

Identity-based encryption leverages the best parts of public key cryptography and provides a powerful, yet simplified solution for environments requiring end-to-end encryption for secure delivery of sensitive email content.
At the time an email message is created, the identities of the participants are already known from their email addresses. IBE uses email addresses as the source input to automatically generate a key pair for each user identity. These key pairs are held and managed securely by FortiMail, and not distributed to the end users, eliminating the need for any cumbersome key exchange mechanisms.
Because there is no key management overhead, IBE messages can be sent by FortiMail users to arbitrary external recipients, without needing any prior preparations. The only requirement for the recipient of an IBE-secured message is a relatively modern browser capable of SSL. No specialized software is needed.


In this section, you will learn about the two delivery methods for IBE emails.

IBE provides two options for message delivery.
If you configure FortiMail to use the pull method, messages remain on FortiMail in a secure mailbox. A notification email is sent to the recipient address stating that they have been sent an encrypted email message. The notification also contains instructions to click the embedded HTTPS URL to access the encrypted email message. When the recipient clicks the link, their browser opens and establishes an HTTPS connection to FortiMail. After the recipient authenticates, the secured message is decrypted and displayed using a webmail interface.

Step 1: a client composes and sends a regular email through FortiMail.

Step 2: the email matches a policy in FortiMail that is configured to trigger IBE encryption. Matches are made using either an access delivery rule, or an outbound recipient-based policy using a content profile with a dictionary word.

Step 3: FortiMail encrypts the message and stores it in a secure mailbox.

Step 4: after the email contents have been encrypted, a notification email is sent to the recipient containing instructions and the SSL link.

Step 5: the recipient opens the notification email and clicks the HTTPS link.

Step 6: if this is the first time the recipient has accessed an IBE message on this FortiMail, the recipient is prompted to register for a new IBE account. Otherwise, the recipient authenticates using the credentials from a previous registration.

Step 7: the message is decrypted and displayed for the recipient by a webmail interface using HTTPS.

When you configure the push method, the recipient receives a plaintext email message containing the encrypted message as an HTML attachment, as well as instructions on how to authenticate and view the secured message. The attachment opens in a browser that connects automatically to FortiMail by SSL, and pushes the encrypted contents back to FortiMail. After the recipient authenticates, FortiMail decrypts and displays the message using a webmail interface.
The major difference between these two methods is the storage of the encrypted message. Using the pull method, the message is stored on FortiMail until it is deleted. The push method delivers the message to the recipient, who is then responsible for its storage.

Steps 1-2: the first two steps in the push method are similar to the pull method, except that the encryption configuration is set to use push.

Step 3: using the push method, the original message is encrypted, and packaged as an HTML attachment in the notification email.

Step 4: a notification email is sent to the recipient containing instructions and the encrypted email message as an attachment.

Step 5: when the recipient opens the attachment, it creates an HTTPS connection to FortiMail.

Step 6: if this is the first time the recipient has accessed an IBE message on this FortiMail, the recipient is prompted to register for a new IBE account. Otherwise, the recipient authenticates using the credentials from a previous registration.

Step 7: FortiMail decrypts and displays the message to the recipient using a webmail interface over HTTPS. When the webmail connection with the recipient is closed, no traces of the encrypted message exist except in the recipient’s inbox, because the encrypted message isn’t stored on FortiMail when the push method is used.

