FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42


DO NOT REPRINT  Server Mode© FORTINETAfter you configure FortiMail to operate in server mode, FortiMail provides all the services of a full-featuredMTA, along with all the email message inspection features. The user mailboxes are stored locally, and useraccess is provided by POP3, IMAP, or webmail.Just like gateway mode, you should route SMTP traffic for all protected domains directly to FortiMail. Youmust publish the necessary MX records in DNS. These MX records typically resolve to an external IP that youshould set to destination NAT on the perimeter firewall for FortiMail’s private IP address.After the email message arrives at the FortiMail server, FortiMail inspects it and, if it is clean, delivers it to therecipient’s mailbox.FortiMail Student Guide 501

DO NOT REPRINT  Server Mode© FORTINETFor sever mode implementation, inbound email doesn’t require access receive rules. By default, FortiMailaccepts all email destined for protected domains. However, to allow outbound email, you must configure theappropriate access receive rule. To prevent unauthorized relaying, you should configure authenticationenforcement when you set up access receive rules for server mode. For more information aboutauthentication enforcement, see the Authentication and Encryption lesson.For more information about access control rules, see the Access Control and Policies lesson.FortiMail Student Guide 502

DO NOT REPRINT  Server Mode© FORTINETFortiMail Student Guide 503

DO NOT REPRINT  Server Mode© FORTINETIn this section, you will learn about specific configuration options for server mode.FortiMail Student Guide 504

DO NOT REPRINT  Server Mode© FORTINETIn a server mode protected domain configuration, you can define domain-level service settings to control thefollowing:• Account limit for each domain• Disk quota for each user• Mail access options for usersThese settings give you more granular control in environments where FortiMail may be hosting many domainsat the same time, such as in a service provider model.For more information about how to configure server mode protected domains, see the Basic Setup lesson.FortiMail Student Guide 505

DO NOT REPRINT  Server Mode© FORTINETYou must set up a user account for each end user. You can configure these user accounts to authenticatelocally or remotely using LDAP or RADIUS and an appropriate authentication profile. For more informationabout authentication profiles, see the Authentication and Encryption lesson.Creating a user account in server mode creates the user’s mailbox, which handles both regular email and thespam quarantine.Create users on the User tab, and manage user preferences on the User Preferences tab. End users canmanager user preferences on the webmail interface.FortiMail Student Guide 506

DO NOT REPRINT  Server Mode© FORTINETResource profiles allow you to control user account options at the policy level. You can define disk spacequotas, webmail access options, address book permissions, and email retention periods. Use recipient-basedpolicies to apply resource profiles.For more information about recipient-based and other policies, see the Authentication and Policies lesson.For more information about other inspection profiles, see the Session Management, Antivirus and ContentInspection, Antispam, and Content Management lessons.FortiMail Student Guide 507

DO NOT REPRINT  Server Mode© FORTINETBecause FortiMail holds user mailboxes when operating in server mode, the amount of storage FortiMailneeds can be far greater than it is in other operating modes. When you install FortiMail in server mode, youmust decide whether to use FortiMail’s internal storage or an external storage solution. In some configurationscenarios, such as config-only high availability (HA) clusters, external storage is a requirement when FortiMailis operating in server mode.See the FortiMail Administration Guide for a list of supported NFS servers.For more information about FortiMail clustering, refer to the High Availability lesson.FortiMail Student Guide 508

DO NOT REPRINT  Server Mode© FORTINETThere are three levels of address books: personal, domain, and global. The user manages their personaladdress book. The administrator manages domain address books, which contain entries of users within aparticular protected domain. The administrator also manages global address books and provides read-onlyaccess to users across all domains.While the webmail interface provides direct access to address books, third-party email clients, such asOutlook and Thunderbird, can access address books using the LDAP protocol. The FortiMail server containsan embedded LDAP server that acts as a bridge for address book access.FortiMail Student Guide 509

DO NOT REPRINT  Server Mode© FORTINETEnd users always have access to their personal address books. Access to the domain or global addressbooks depend on the matching resource profile.FortiMail Student Guide 510

DO NOT REPRINT  Server Mode© FORTINETYou can populate the global or domain address books by retrieving entries from an existing LDAP server. Themapping profile maps attributes from LDAP to Address Book fields. The LDAP attributes differ based on theLDAP server architecture. The example shown here uses attributes from a Windows Active Directory LDAPserver.FortiMail Student Guide 511

DO NOT REPRINT  Server Mode© FORTINETTo initiate the LDAP import, select the appropriate domain or global address book, then click Import > LDAP.You must perform the import task manually every time you add new users to the backend LDAP server.You must specify an existing LDAP profile along with the mapping profile. For more information about creatingLDAP profiles, see the Authentication lesson.Optionally, and in the case of periodic updates, overwrite existing contacts to avoid duplication, and delete anyaddress book entries that were not part of the import.FortiMail Student Guide 512

DO NOT REPRINT  Server Mode© FORTINETTo support Calendar sharing, you must enable the sharing protocols. The Calendar service also supportsresource management, such as meeting rooms and equipment.Of the two most popular email clients, only Thunderbird implements full, real-time calendar syncing becauseof its support of CalDAV. Outlook users can publish their local calendar to the FortiMail server and subscribeto other calendars using WebDAV, but their local, personal calendars remain owned by Outlook. Otherwise,Outlook provides full functionality to schedule meetings and view free or busy information.FortiMail Student Guide 513

DO NOT REPRINT  Server Mode© FORTINETFortiMail Student Guide 514

DO NOT REPRINT  Server Mode© FORTINETIn this section, you will learn about the server mode webmail interface and the features available to end users.FortiMail Student Guide 515

DO NOT REPRINT  Server Mode© FORTINETThe server mode webmail interface comes with all the standard mailbox features. Spam email is sent to theBulk mailbox folder, and Identity-Based Encryption (IBE) email is sent to the Encrypted Email folder.To access account settings, in the top-right corner of the screen, click the account settings drop-down list.FortiMail Student Guide 516

DO NOT REPRINT  Server Mode© FORTINETEmail users can manage their out-of-office settings using the webmail user interface. To set an out of officeauto reply, click User Preferences > Auto Reply Settings.Set specific start and end dates, which will prevent the user from accidentally leaving the auto reply active.Use the Auto reply interval option to control how often a sender receives an auto reply. You can also defineexactly which senders should receive an auto reply.Click the [Edit Auto-Reply Message…] link to compose the auto reply email.FortiMail Student Guide 517

DO NOT REPRINT  Server Mode© FORTINETIn addition to providing email services, FortiMail in server mode provides full calendar support for personaland shared calendars, free or busy status, and the scheduling of resources such as conference rooms andequipment.The webmail interface provides the user with full access to their calendars. A fully-interactive drag-and-dropinterface allows for the easy creation, editing, moving, and deletion of calendar events. Users can createmultiple personal calendars to keep their appointments organized.Along with traditional day, week, and month views, users can view calendar entries in the agenda view, whichshows upcoming calendar events in a compact list view.FortiMail Student Guide 518

DO NOT REPRINT  Server Mode© FORTINETFortiMail’s calendars support the industry-standard access protocols CalDAV and WebDAV. This providesthird-party email clients, such as Outlook and Thunderbird, with the ability to access user calendars stored onthe FortiMail server. This allows the end user to control their calendars completely using their email client ofchoice, assuming the client supports either CalDAV or WebDAV.FortiMail Student Guide 519

DO NOT REPRINT  Server Mode© FORTINETFortiMail operating in server mode also provides users with the ability to publish their free or busy status. Toaccess the URL, on the Calendar screen, click Preferences.FortiMail Student Guide 520

DO NOT REPRINT  Server Mode© FORTINETThe webmail interface provides quick access to the user manual. Users can click the Help menu to accessthe online manual, which contains guides on how to configure and use webmail features.FortiMail Student Guide 521

DO NOT REPRINT  Server Mode© FORTINETFortiMail Student Guide 522

DO NOT REPRINT  Server Mode© FORTINETIn this lesson, you reviewed the implementation requirements of a FortiMail server mode deployment. Youalso learned about specific features of server mode, such as domain-level service settings, resource profiles,address book management options, and calendar service. Finally, you learned about the features of thewebmail interface, including auto-reply, calendar management and sharing, and free or busy tracking.FortiMail Student Guide 523

DO NOT REPRINT  Server Mode© FORTINETThank you!FortiMail Student Guide 524

DO NOT REPRINT  Transparent Mode© FORTINETIn this lesson, we’ll show how to deploy the FortiMail in transparent mode.FortiMail Student Guide 525

DO NOT REPRINT  Transparent Mode© FORTINETThese are the topics that will be covered in this lesson. You will learn about the implementation details,configuration tasks, and deployment examples specific to transparent mode.FortiMail Student Guide 526

DO NOT REPRINT  Transparent Mode© FORTINETIn this section, you will review the implementation details for deploying FortiMail in transparent mode.FortiMail Student Guide 527

DO NOT REPRINT  Transparent Mode© FORTINETIn transparent mode, FortiMail physically sits on the email path to intercept email traffic transparently basedon the destination IP address, and perform the antispam and antivirus scans. In the example deploymentshown on this slide, FortiMail isn’t the intended IP destination of the email messages, therefore, no DNS orDNAT rule change is required.In some environments, such as large managed service providers (MSP) and carriers, the infrastructurechanges required by the other deployment modes are impractical. Because of these constraints, MSPs andcarriers usually deploy FortiMail in transparent mode.FortiMail Student Guide 528

DO NOT REPRINT  Transparent Mode© FORTINETJust like all other deployment modes, no access receive rules are required for inbound email. By default,FortiMail accepts all email destined for protected domains. However, to allow outbound email, you mustconfigure the appropriate access receive rule. You must create access receive rules if you intend to useFortiMail to scan outbound email.For more information about access control rules, see the Access Control and Policies lesson.FortiMail Student Guide 529

DO NOT REPRINT  Transparent Mode© FORTINETFortiMail Student Guide 530

DO NOT REPRINT  Transparent Mode© FORTINETIn this section, you will learn about the transparent mode specific configuration options.FortiMail Student Guide 531

DO NOT REPRINT  Transparent Mode© FORTINETBy default, all interfaces are configured as a bridge in transparent mode. You must assign the management IPstatically to port1. The management IP is used for all management-related traffic as well as FortiGuardcommunication. Bridge member interfaces belong to the same subnet as the management IP of port1.The built-in bridge forwards everything, not just SMTP traffic. This is why you can deploy transparent modewithout having to make extensive topology changes. All SMTP traffic is picked up for inspection, and any non-SMTP traffic is bridged.FortiMail Student Guide 532

DO NOT REPRINT  Transparent Mode© FORTINETYou can remove any interface, except Port 1, from the built-in bridge. This allows FortiMail to access morethan one subnet if the topology design requires it. Make sure you configure any required static routes to definethe gateway address for the new subnet.FortiMail Student Guide 533

DO NOT REPRINT  Transparent Mode© FORTINETIn the example deployment shown on this slide, port1 and port3 are still bridge members and are processingemail for the exmapleA.com domain in the 192.167.1.0/24 subnet. Port2 has been removed from the bridgeand connected to the 192.167.2.0/24 subnet to process email for the exampleB.com domain.FortiMail Student Guide 534

DO NOT REPRINT  Transparent Mode© FORTINETSetting up a transparent mode protected domain is similar to setting up a gateway mode protected domain.You must configure the domain name and provide the backend server IP address in the SMTP server field. Aconfiguration step specific to transparent mode is to define the interface that the SMTP server is connected to.Expand Transparent Mode Options, and then, in the This server is on drop-down list, select an interface.This ensures FortiMail forwards all inspected email from the correct interface.For more information about protected domains, see the Basic Setup lesson.FortiMail Student Guide 535

DO NOT REPRINT  Transparent Mode© FORTINETWhen operating in transparent mode, FortiMail has two ways of handling an SMTP session: proxy or relay.Depending on the topology setup, these two methods can produce vastly different results in email routing.When using the built-in MTA to relay email, FortiMail uses MX record lookups to deliver email. Using thismethod, FortiMail can queue undeliverable messages and generate DSNs. The built-in MTA is used implicitly.This means SMTP clients don’t explicitly establish a connection to it. This is also the default method forhandling SMTP sessions in transparent mode.FortiMail Student Guide 536

DO NOT REPRINT  Transparent Mode© FORTINETFortiMail has two transparent proxies: an incoming proxy, and an outgoing proxy. When configured to use theproxies, FortiMail doesn’t do any DNS lookups of its own, and only attempts to deliver the message to thedestination specified by the SMTP client. The incoming proxy supports message queuing, however, theoutgoing proxy does not. Therefore, when using the outgoing proxy, FortiMail can’t queue undeliverablemessages or generate DNS email messages.You can enable the proxy separately for each message flow direction. For outgoing sessions, on the Proxiestab, select the Use client specified SMTP server to send email check box. For incoming sessions, on theDomains tab, select the Use this domain’s SMTP server to deliver the email check box.If you disable these options, the built-in MTA is used to relay email.FortiMail Student Guide 537

DO NOT REPRINT  Transparent Mode© FORTINETAt the network connection level, directionality is determined by the destination IP address of the IP header.• Incoming connections: the destination IP address matches a protected domain’s SMTP server field• Outgoing connections: the destination IP address does not match any protected domain’s SMTP server fieldUnlike the application-layer directionality, connection-level directionality does not consider the email’srecipient domain (RCPT TO:). This can sometimes mean that the session direction is not the same as theemail direction.FortiMail Student Guide 538

DO NOT REPRINT  Transparent Mode© FORTINETThe example deployment scenario shown on this slide illustrates the difference between application layer andnetwork layer directionality.In this network, there is an internal mail relay server with the IP address 192.167.1.252. All inbound emailfrom remote MTAs for the internal.lab domain are delivered to this relay server. All outbound email generatingfrom the internal mail servers also must flow through this relay server. Therefore the transparent modeFortiMail is deployed in front of the internal mail relay server, and configured to protect the internal.lab domainwith the SMTP server 192.167.1.252.Users connect to an internal mail server to send an external email. When that email is sent to the internalrelay server, it arrives at FortiMail with a destination IP of 192.167.1.252, and a recipient domain ofexternal.lab. According to FortiMail’s directionality rules, this is an inbound connection sending an outboundemail.FortiMail Student Guide 539

DO NOT REPRINT  Transparent Mode© FORTINETThis table illustrates which sessions are handled by the built-in MTA, and which sessions are handled by theproxies.• Any inbound session with an inbound email is always processed by the built-in MTA, regardless of the proxy configuration.• Any inbound session with an outbound email processing depends on the proxy configuration.• Any outbound session processing also depends on the proxy configuration.To determine whether a connection was handled using the built-in MTA or one of the proxies, in the Historylog messages, view the Mailer column.FortiMail Student Guide 540

DO NOT REPRINT  Transparent Mode© FORTINETEach interface’s SMTP Proxy settings define which flows are picked up by FortiMail. The terminology usedhere can be confusing at first because the settings reference proxy. Don’t confuse this with the previousdiscussions about the transparent proxy versus built-in MTA. For each interface, you can select an action for eachdirection of SMTP sessions. The actions are:• Proxy: enable inspection of email messages• Pass through: let the message pass through without any inspections• Drop: drop the messageYou can use the Local connections setting to control whether or not client connections can be made on theinterface for quarantine control, IBE webmail, and so on. How you configure these settings depends on thearchitecture of the deployment.FortiMail Student Guide 541

DO NOT REPRINT  Transparent Mode© FORTINETWhen configuring SMTP Proxy pickup, it is important to make sure that you aren’t scanning the same traffictwice. A good rule to follow is to pick up sessions closest to the source.In the example deployment shown on this slide, port1 is the closest interface to the source for all inboundemail (Internet), therefore port1’s incoming connections are proxied. Port3 is the closest interface to thesource for all outbound email, and thus port3’s outbound connections are proxied.Note: this rule might not apply to all deployments. For example, a transparent mode FortiMail without anyprotected domains would only need to proxy outgoing connections, since all email for that specific deploymentwould be considered outgoing.FortiMail Student Guide 542

DO NOT REPRINT  Transparent Mode© FORTINETBy default, FortiMail in transparent mode is not truly transparent. Evidence of its existence can be found in thefollowing:• IP Sessions are sourced from the management IP if using a bridge member interface, or, the interface IP, if using an out-of-bridge interface• SMTP session banner, EHLO/HELO greetings are replaced by FortiMail’s IP• Received: headers in the SMTP header note the details of the transparent mode FortiMail that processed the emailYou must explicitly configure transparency, whether using the proxies or the built-in MTA.FortiMail Student Guide 543

DO NOT REPRINT  Transparent Mode© FORTINETTo hide FortiMail in all inbound sessions, on the Domain tab, in the Transparent Mode Options section,select the Hide the transparent box check box. This preserves the original source IP in the IP header, theSMTP greeting messages in the envelope, and the Received: message headers.FortiMail Student Guide 544

DO NOT REPRINT  Transparent Mode© FORTINETTo hide FortiMail in outbound sessions, a session profile must be configured with the Hide this box from themail server option enabled. This preserves the protected SMTP server’s source IP in the IP header.You can apply session profiles using an IP-based policy only. For more information about how to createoutbound IP policies, see the Access Control and Policies lesson.To replicate the SMTP server’s SMTP greetings, and preserve Received: headers, you must configure theSMTP Greeting (EHLO/HELO) Name (As Client) option in the protected domain configuration AdvancedSettings. Typically this value should be the same HELO/EHLO greeting the back end mail server uses.FortiMail Student Guide 545

DO NOT REPRINT  Transparent Mode© FORTINETTransparent mode FortiMail can’t scan encrypted sessions. If the backend server supports STARTTLS, on theSession tab, select the Prevent encryption of the session check box, and apply it using an IP-based policy.When you enable this setting, FortiMail blocks the STARTTLS command during the SMTP messageexchanges.You can enable this option session profile, and apply it using IP-based policies. For more information abouthow to configure IP-based policies, see the Access Control and Policies lesson.FortiMail Student Guide 546

DO NOT REPRINT  Transparent Mode© FORTINETFortiMail Student Guide 547

DO NOT REPRINT  Transparent Mode© FORTINETIn this section, you will learn how FortiMail operating in transparent mode can be deployed in differentnetworks.FortiMail Student Guide 548

DO NOT REPRINT  Transparent Mode© FORTINETIn SMB deployments, the networks are less complicated. Deploying FortiMail in transparent mode is assimple as locating FortiMail directly in front of the local mail server. If there are no relay servers, then youshould use the built-in MTA for outbound connections. If there are relay servers, you should proxyconnections in both directions.FortiMail Student Guide 549

DO NOT REPRINT  Transparent Mode© FORTINETEnterprise networks might have multiple branch offices with their own mail servers connected to the corporatenetwork. The challenge with these deployments is to locate FortiMail where it can inspect all inbound andoutbound connections. If there is a global relay server for the whole corporate network, then you shouldposition FortiMail in front of the global relay server, and proxy connections in both directions. If there are norelay servers, then you can use similar methodology as SMB deployments.FortiMail Student Guide 550

