FortiMail Install Guide v 3


  • www.fortinet.com

    FortiMail Version 3.0 MR2

    Install Guide

  • FortiMail Install Guide, Version 3.0 MR2, 12 December 2007, 06-30002-0234-20071212

    Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

    Trademarks: ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

    Regulatory compliance: FCC Class A Part 15, CSA/CUS

    ! CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.

  • Contents

    Introduction 7
      Register your FortiMail unit 7
      About the FortiMail unit 7
        FortiMail-100 8
        FortiMail-400 8
        FortiMail-2000/2000A 8
        FortiMail-4000/4000A 8
      About this document 8
        Document conventions 9
      FortiMail documentation 9
        Fortinet Knowledge Center 10
        Comments on Fortinet technical documentation 10
      Customer service and technical support 10

    Email Concepts 11
      FortiMail modes 11
        Gateway mode 11
        Transparent mode 12
        Server mode 13
      Email protocols 13
        POP3 13
        IMAP 14
        SMTP 14
      Definitions 14
        MX record 14
        A record 15
        MTA 15
        MUA 15
        White and Black lists 16
        Grey lists 16
        Bayesian scanning 16
        Heuristic scanning 17

    Installing 19
      Environmental specifications 19
      Cautions and warnings 19
        Grounding 19
        Rack mount instructions 20
      Mounting 20
        FortiMail-100 20
        FortiMail-400 20
        FortiMail-2000A and FortiMail-4000A 21
      Plugging in the FortiMail unit 24
        FortiMail-100 24
        FortiMail-400 24
        FortiMail-2000/A and FortiMail-4000/A 25
        Connecting to the network 25
      Turning off the FortiMail unit 25
      Connecting to the FortiMail unit 25
        Web-based manager 26
        Command line interface 26
        LCD front control buttons 27
      Configuring the FortiMail unit 28
        Management modes 28
        Quick Start wizard 28

    Configuring gateway mode 29
      Switching to gateway mode 29
      FortiMail Gateway behind a firewall 30
        Configuring the network settings 30
        Configuring the email system settings 32
        Configuring the firewall 35
        Routing outgoing email to the FortiMail Gateway 37
        Next Steps 37
      FortiMail Gateway in front of a firewall 38
        Configuring the network settings 38
        Configuring the email system settings 40
        Configuring the firewall 43
        Routing outgoing email to the FortiMail Gateway 44
        Next Steps 45
      FortiMail Gateway in the DMZ 45
        Configuring the network settings 46
        Configuring the email system settings 48
        Configuring the firewall 50
        Routing outgoing email to the FortiMail Gateway 53
        Next Steps 53

    Configuring transparent mode 55
      Switching to transparent mode 55
      Deploying in front of an email server 56
        Configuring the network settings 56
        Configuring the email system settings 57
        Configuring proxies 59
        Next Steps 59
      Deploying to protect an email hub 60
        Configuring the network settings 60
        Configuring the email system settings 61
        Configuring proxies 63
        Next Steps 64

    Configuring server mode 65
      Switching to server mode 65
      Configuring MX records to route incoming email 65
      FortiMail Server behind a firewall 66
        Configuring the network settings 67
        Configuring the email system settings 68
        Configuring the firewall 70
        Next Steps 72
      FortiMail Server in front of a firewall 72
        Configuring the network settings 72
        Configuring the email system settings 74
        Configuring the firewall 76
        Next Steps 77
      FortiMail Server in DMZ 78
        Configuring the network settings 78
        Configuring the email system settings 80
        Configuring the firewall 81
        Next Steps 84

    Advanced configuration 85
      Set the date and time 85
      Updating antivirus signatures 86
      Receiving regular antivirus updates 86
        Configuring push updates 87
        Scheduling antivirus updates 87
      Configuring antispam 88
        Black/White lists 88
        Bayesian scanning 90
        Heuristic scanning 90
      Create profiles 91
        Antispam profile 91
        Antivirus profile 92
        Applying profiles 92
      Create policies 92
      Add users (Server mode) 93
        Adding users 93
        Adding groups 93
        Adding user alias 93

    Firmware 95
      Backing up the FortiMail information 95
        Back up the configuration 95
        Back up the Bayesian database 95
        Back up the Black/White list database 96
        Back up the FortiMail mail queue 96
      Using the web-based manager 96
        Upgrading the firmware 96
        Reverting to a previous firmware version 97
      Using the CLI 97
        Upgrading the firmware 97
        Reverting to a previous firmware version 98
        Installing firmware images from a system reboot 99
      Testing a new firmware image before installing it 100
      Installing and using a backup firmware image 102

    Index 105

  • Introduction

    Welcome, and thank you for selecting Fortinet products for your real-time network protection.

    The FortiMail Secure Messaging Platform is an integrated hardware and software solution that provides powerful and flexible antispam, antivirus, email archiving and logging capabilities to incoming and outgoing email traffic. The FortiMail unit has reliable and high performance features for detecting and blocking spam messages and malicious attachments.

    Built on Fortinet's award-winning FortiOS and FortiASIC technology, the FortiMail antivirus engine extends full content inspection to detect the most advanced email threats.

    Register your FortiMail unit

    Before you begin, take a moment to register your FortiMail unit(s) by visiting http://support.fortinet.com and selecting Product Registration.

    To register, enter your contact information and the serial numbers of the FortiMail units that you or your organization have purchased. You can register multiple FortiMail units in a single session without re-entering your contact information.

    By registering your FortiMail unit, you will receive antivirus updates and will also ensure your access to technical support, as well as access to new firmware releases.

    For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions (http://kc.forticare.com/default.asp?id=2071).

    About the FortiMail unit

    The FortiMail family of appliances is designed for any business size and requirement, from a Small Business or Small Office Home Office (SOHO) to larger businesses, and delivers the same enterprise-class network-based antivirus and antispam features.

    FortiMail is an email security system that provides multi-layered protection against blended threats comprised of spam, viruses, worms and spyware.

    To ensure up-to-date email protection, FortiMail relies on the Fortinet FortiGuard antivirus, antispyware and antispam security subscription services, which are powered by a worldwide 24x7 Global Threat Research Team. FortiMail provides bi-directional email routing, Quality of Service (QoS), virtualization and archiving capabilities with a lower total cost of ownership.


    FortiMail-100

    The FortiMail-100 is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office, home office and branch office applications. The FortiMail-100 delivers reliable and high performance features to detect, tag, and block spam messages and their malicious attachments.

    FortiMail-400

    The FortiMail-400 is optimized for medium sized enterprise customers, delivering a wealth of reliable and high performance features to detect, tag, and block spam messages and their malicious attachments. The FortiMail-400 features a high-performance hardened operating system with a RAID storage system for redundancy and supports a rich set of multi-layered spam detection and filtering technologies with global and per-user spam policies for maximum configuration flexibility.

    FortiMail-2000/2000A

    For larger installations where higher performance and better reliability are required, the FortiMail-2000/2000A system provides the same software features as the FortiMail-400, but in a modular chassis with hot-swappable components. Ideal for the most demanding email infrastructures, the FortiMail-2000/2000A system delivers high performance for large enterprises and service providers, including the capability to scan 6.8 million emails per day, six hot-swappable disk drives with RAID for disk redundancy, and redundant power supplies and fans. Four 10/100/1000 Base-T interfaces provide the flexibility to connect into many corporate or service provider environments.

    FortiMail-4000/4000A

    For larger installations where higher performance and better reliability are required, the FortiMail-4000/4000A system provides the same software features as the FortiMail-2000. Ideal for the most demanding email infrastructures, the FortiMail-4000/4000A system delivers high performance for large enterprises and service providers, including the capability to scan 6.8 million emails per day, 12 hot-swappable disk drives with RAID for disk redundancy, and redundant power supplies. Two 10/100/1000 Base-T interfaces provide the flexibility to connect into many corporate or service provider environments.

    About this document

    This document explains how to install and configure your FortiMail unit on your network.

    This document contains the following chapters:

    Email Concepts: Describes the three modes you can select from to operate the FortiMail unit and briefly describes some email terminology for administrators and users new to email administration and setup.

    Installing: Describes setting up and powering on a FortiMail unit.

    Configuring gateway mode: Describes a number of network configuration scenarios and how to configure the FortiMail unit and network to operate in this mode.

    Configuring transparent mode: Describes a number of network configuration scenarios and how to configure the FortiMail unit to operate in this mode.

    Configuring server mode: Describes a number of network configuration scenarios and how to configure the FortiMail unit and network to operate in this mode.

    Advanced configuration: Describes the next-step configurations you need to consider to ensure email is scanned and protected from viruses.

    Document conventions

    The following document conventions are used in this guide:

    In the examples, private IP addresses are used for both private and public IP addresses.

    Notes and Cautions are used to provide important information:

    Note: Highlights useful additional information.

    ! Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

    Typographic conventions

    FortiMail documentation uses the following typographical conventions:

    Convention: Example
    Keyboard input: In the Host Name field, type a name for the remote server (for example, Central_Office_1).
    CLI command syntax: execute restore image
    Document names: FortiMail Administration Guide
    Menu commands: Go to Mail Settings > Domains and select Create New.
    Program output: Welcome!
    Variables

    FortiMail documentation

    Information about the FortiMail unit is available from the following guides:

    FortiMail QuickStart Guide: Provides basic information about connecting and installing a FortiMail unit and configuring the unit for use on your network.

    FortiMail Administration Guide: Describes how to install, configure, and manage a FortiMail unit in Transparent, Gateway, and Server modes, including how to configure the unit, create profiles and policies, configure antispam and antivirus filters, create user accounts, configure email archiving, and set up logging and reporting.

    FortiMail Installation Guide: Describes how to set up the FortiMail unit in Transparent, Gateway, and Server modes. It also provides information on how to use system settings to view FortiMail unit status and configure how the FortiMail unit connects to your network and to the Internet.

    FortiMail Online Help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.

    FortiMail Webmail Online Help: Describes how to use the FortiMail web-based email client, including how to send and receive email; how to add, import, and export addresses; how to configure message display preferences; and how to manage quarantined email.

    Fortinet Knowledge Center Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

    Comments on Fortinet technical documentation Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to [email protected].

    Customer service and technical support

    Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.

    Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

  • Email Concepts

    If you are new to FortiMail, or new to configuring and managing an email system, this chapter provides the basic email concepts and terminology you need in order to configure your FortiMail unit.

    This chapter provides an overview of the FortiMail unit, the modes it supports and its key features. This chapter will also describe the key terms and concepts that you will use when configuring your FortiMail unit.

    If you are familiar with email concepts and terminology, you can skip to the section FortiMail modes on page 11, which describes the modes of operation available with FortiMail.

    This chapter contains the following:

    FortiMail modes
    Email protocols
    Definitions

    FortiMail modes

    The FortiMail unit can run in one of three modes:

    Gateway mode
    Transparent mode
    Server mode

    In Gateway and Transparent mode, the FortiMail unit sits between the firewall and the email server and acts as a filter for email passing through it. How you choose to deploy the FortiMail unit determines which of these two modes best suits your environment.

    Of the three modes, Server mode functions very differently from Gateway and Transparent mode. With Server mode, the FortiMail unit is the email server as well as the means of scanning the email traffic.

    For all modes, the FortiMail unit scans email traffic for viruses and spam, and can quarantine suspicious email and attachments.

    Gateway mode

    In gateway mode the FortiMail unit acts as a fully functional mail relay server. Gateway mode does not provide local mailboxes but does provide a web user interface for managing spam filters (black/white list), auto white lists, and per-user Bayesian database management.

    In Gateway mode, the FortiMail unit receives incoming email messages, scans for viruses and spam, then passes (relays) the email to the email server for delivery. In this mode, the FortiMail unit can effectively protect your email server as your email server is not visible to outside users. The FortiMail unit can also archive email for backup and monitoring purposes.

    The FortiMail unit integrates into your existing network with only minor changes to your network configuration. You must also change your MX record to route incoming email to the FortiMail unit for scanning.

    Figure 1: Gateway mode topology

    For example, an ISP deploys a FortiMail unit to protect their customers mail servers. Many customers do not want their mail servers to be visible to external users for security reasons. Therefore, the ISP installs the FortiMail unit in Gateway mode to satisfy the need of the customers.

    The ISP takes advantage of the Gateway mode deployment flexibility and places the FortiMail unit in the DMZ, while keeping the email server safe behind the firewall.

    For sample configuration information, see the chapter Configuring gateway mode on page 29.

    Transparent mode

    In Transparent mode, the FortiMail unit acts as a bridge, providing seamless integration into existing network environments. In Transparent mode, the FortiMail unit provides a flexible and versatile email scanning solution.

    You can place the FortiMail unit in front of the existing email server without any changes to the existing network topology. This means that all of the FortiMail interfaces are on the same subnet.

    Transparent mode also provides a web user interface for managing spam filters (black/white list), auto white lists, and per-user Bayesian database management.

    Figure 1 labels: Internet; FortiMail unit (Gateway Mode); Mail Server/Hub; Mail Users (POP3/IMAP/Web Mail)

  • Figure 2: Transparent mode topology

    For example, a company wants to install a FortiMail unit to protect its mail server. The company installs the FortiMail unit in Transparent mode to avoid changing its MX record, so that the unit simply acts as a filter for spam and virus-carrying email.

    In this mode, the company's end users do not need to change the mail server setting in their email clients. The company also wants its mail server to remain visible to users.

    For sample configuration information, see the chapter Configuring transparent mode on page 55.

    Server mode

    In server mode the FortiMail unit is a fully functional SMTP, IMAP and POP3 mail server with local mailboxes and an optional WebMail user interface. In addition, the FortiMail Server provides antivirus, antispam, email archiving, and logging and reporting services.

    For sample configuration information, see the chapter Configuring server mode on page 65.

    Email protocols

    An email protocol is a standard method for the two ends of a communication channel to transmit and receive information. There are three standard email protocols: POP3, IMAP and SMTP. Each has its own pros and cons, as well as application uses.

    POP3

    The Post Office Protocol (version 3) enables email users to retrieve their email stored on a mail server. Once the email application has retrieved the messages, the server removes them from its hard disk (most clients can optionally be set to leave a copy on the server). POP3 transmissions occur over TCP port 110 by default.

    The advantage of POP3 is that users download their email to their local machine, freeing disk space on the server. The disadvantage is that the mail then resides on a single computer: users who check email from another computer cannot access the mail they previously viewed and downloaded.

    Figure 2 labels: Internet; Router; FortiMail unit (Transparent mode); Mail Server; Mail Users (POP3/IMAP/Web Mail)

    The FortiMail unit supports the POP3 protocol on port 110 in server mode only. If necessary, you can change the default port in the Mail Settings > Settings menu.

    IMAP

    Internet Message Access Protocol is a method of accessing email messages kept on a remote mail server without downloading them to the user's local computer. All messages remain on the email server's hard disk; an IMAP client typically downloads only the message headers into the user's inbox view and fetches a message body when the user opens it.

    The advantage of this is that it enables a user to access new and saved messages at any time from more than one computer. This is especially useful in situations where more than one person may need to look at an inbox, such as a technical support inbox where a number of technicians monitor for incoming questions.

The disadvantage of IMAP is the large storage capacity the server needs for messages and attachments. Freeing disk space requires email users to clean out their mailboxes manually.

    The FortiMail unit supports the IMAP protocol on port 143 in server mode only.

SMTP

Simple Mail Transfer Protocol is the standard for sending email between two email servers, using TCP port 25.

When a user sends an email, a connection is established between the sending server and the receiving server. The two servers exchange commands to determine whether the recipient exists and whether the email can be accepted. If the recipient address is legitimate, the transfer of the message data follows.

Outside server mode the FortiMail unit has no local user accounts, so SMTP authentication relies on an external server type, such as a POP3 server, to verify the user's credentials. SMTP authentication is enabled during the installation process in server mode only.

FortiMail also supports SMTP over SSL/TLS, which encrypts the SMTP session between the two servers. Note that this protects the message in transit on that hop only; it does not encrypt the stored message or guarantee encryption on later hops to the final recipient. This feature is available in all three modes.

Definitions

When you configure the FortiMail unit by following the steps in the subsequent chapters of this guide, there are a number of terms that you should be familiar with before proceeding.

MX record

Mail Exchange (MX) records are used to route email to specific destinations. An MX record is an entry in a domain name database such as a Domain Name System (DNS) server. A DNS server acts much like a phone book, containing data on how to reach different domains, and is usually made accessible by Internet service providers (ISPs). If a local DNS server exists, MX records can be added or changed on that server using one of several user interfaces, depending on the operating system used.

In FortiMail, the domains whose mail the unit handles are configured by the administrator under Mail Settings > Domains. In gateway and server modes, the MX records in DNS are changed so that email is routed to the FortiMail unit for scanning before it reaches the mail server.

In gateway and transparent modes, FortiMail can be set up to protect multiple domains. These domains are configured under Mail Settings > Domains, and their MX records identify the servers that receive their mail. When an email is sent out, the sender's mail server performs a DNS lookup on the recipient's domain name (the part of the address after the @, for example example.com) and acquires the MX record.

Example of an MX record entry:

example.com 3600 IN MX 50 docs.example.com

The MX record names the domain (example.com) and the host that receives its mail (docs.example.com), together with a preference value (50); when a domain has several MX records, the sending server tries the lowest preference value first. This information is used to send the email to the recipient's mail server, which stores it until the recipient downloads it.

A record

The A record is an entry that assigns an Internet Protocol (IP) address to a host name, much like a phone number is assigned to a name in a phone book. IP addresses are used to locate devices such as computers and servers. A records are stored and configured on the DNS server. The administrator can configure these records using one of several user interfaces, depending on the operating system used.

Before an email is sent out, the sender's mail server looks up the recipient domain's MX record in DNS and then the A record of the host named in it. Using the A record, the sending server connects to the corresponding IP address and delivers the email.

Example of an A record (the address is an illustrative placeholder):

docs.example.com IN A 192.0.2.25

MTA

The Mail Transfer Agent is the software (the mail server) that transfers email messages from one computer to another. It works in the background, in conjunction with email clients.

In order to deliver email to the right recipient, the MTA looks up the MX record and the corresponding A records in the DNS server.
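The lookup sequence described above, as an added example (not FortiMail code): it parses zone records written in the same format as the MX and A examples in this chapter, orders the MX hosts by preference, resolves each to an A record, and falls back to the domain's own A record when no MX record exists, which is what an MTA does under RFC 5321. The zone data is constructed for the example; example.com and the 192.0.2.x addresses are documentation names and addresses, not real servers.

```python
"""MTA-style resolution of a recipient domain to delivery addresses.

Added example, not part of the FortiMail guide. The zone records below are
constructed; the owner names and addresses are documentation placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed zone records in the same layout as the guide's MX/A examples.
ZONE = """
example.com.        3600 IN MX 50 docs.example.com.
example.com.        3600 IN MX 10 mail.example.com.
docs.example.com.   3600 IN A  192.0.2.25
mail.example.com.   3600 IN A  192.0.2.10
nomx.example.       3600 IN A  192.0.2.200
example.net.        3600 IN MX 10 missing.example.net.
"""

# owner [ttl] IN type rdata  (the TTL column is optional, as in the guide)
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(MX|A)\s+(.+)$")


def parse_zone(text: str) -> Dict[Tuple[str, str], List[str]]:
    """Group rdata strings by (owner, record type).

    Owner names are lower-cased and stripped of the trailing dot so that
    'Example.COM.' and 'example.com' compare equal, as DNS names do.
    """
    records: Dict[Tuple[str, str], List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RECORD_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable record: {line!r}")
        owner, rtype, rdata = match.groups()
        key = (owner.rstrip(".").lower(), rtype)
        records.setdefault(key, []).append(rdata.strip())
    return records


def mx_hosts(records: Dict[Tuple[str, str], List[str]], domain: str) -> List[Tuple[int, str]]:
    """(preference, host) pairs for the domain, lowest preference first."""
    hosts = []
    for rdata in records.get((domain.lower(), "MX"), []):
        pref, host = rdata.split()
        hosts.append((int(pref), host.rstrip(".").lower()))
    return sorted(hosts)


def resolve_a(records: Dict[Tuple[str, str], List[str]], host: str) -> Optional[str]:
    """First A record for the host, or None if it has none."""
    addrs = records.get((host.rstrip(".").lower(), "A"))
    return addrs[0] if addrs else None


def delivery_targets(records: Dict[Tuple[str, str], List[str]], recipient: str) -> List[str]:
    """IP addresses an MTA would try for the recipient, in order.

    With no MX record the domain's own A record is the 'implicit MX'.
    An MX host that has no A record is skipped: there is nothing to connect to.
    """
    domain = recipient.rsplit("@", 1)[1].lower()
    hosts = [host for _, host in mx_hosts(records, domain)] or [domain]
    return [ip for ip in (resolve_a(records, h) for h in hosts) if ip is not None]


if __name__ == "__main__":
    zone = parse_zone(ZONE)
    for rcpt in ("user@example.com", "user@nomx.example", "user@example.net"):
        print(rcpt, "->", delivery_targets(zone, rcpt))
```

The example.net entry shows a common misconfiguration: an MX record pointing at a host with no A record yields no delivery target at all, so mail for that domain bounces even though the MX record looks correct.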

FortiMail functions as an MTA in gateway and server modes. In server mode it is also a fully functional SMTP, IMAP, and POP3 mail server, providing local mailboxes and an optional Web Mail user interface.

MUA

The Mail User Agent is a computer application or email client, such as Outlook Express, that enables users to send and receive email.

The FortiMail unit provides a web-based email client interface. However, FortiMail can also be used with any other email client, including other web-based email clients.


White and black lists

While the FortiMail unit and FortiGuard services maintain a large list of known spammers, no list is perfect. Sometimes mail tagged as spam comes from a sender you do want to hear from (a false positive), while mail from senders you do not want to hear from is missed by the spam filters and reaches your inbox (a false negative).

White lists and black lists enable you and your users to maintain lists of email addresses that you want (white list) or do not want (black list) to receive email from.

FortiMail enables you and your users to maintain these lists to meet their requirements. Addresses can be added to or removed from the lists as required.

    For details on adding a white list and black list, see Black/White lists on page 88.

Grey lists

Grey listing is a means of reducing spam with relatively low maintenance. There are no IP address lists, email lists, or word lists to keep up to date. The only required list is maintained automatically by the FortiMail unit.

When examining an email message, the grey list routine looks at three message attributes: the sender address, the recipient address, and the IP address of the mail server delivering the message. More specifically, it examines the envelope sender (MAIL FROM:), the envelope recipient (RCPT TO:), and the sender IP. If the grey list routine has no record of a message with these three values, the message is refused and a temporary error (a 4xx SMTP response) is returned to the server attempting delivery. A legitimate mail server queues the message and retries; if it sends the message again within a specific time frame, the FortiMail unit considers the email valid and records the three values as an accepted sender. If no further attempt is made, the FortiMail unit considers the sender a spammer. The cost is a delivery delay on the first message from each new sender, recipient, and server combination.

The grey list feature has two compelling attributes:

- Extremely low administrator maintenance.
- Spam detection routines do not have to be run on mail stopped by grey listing, which can save significant processing and storage resources.
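The triplet logic described above, as an added example that is not FortiMail code: a small grey list keyed on (sender IP, MAIL FROM, RCPT TO) that returns the SMTP response code the receiving server would send. The timing values (a minimum retry delay, how long an unconfirmed triplet is remembered, how long an accepted one is kept) are assumptions chosen for the example, not the unit's defaults, and the scripted senders are constructed.

```python
"""Grey listing on the (sender IP, MAIL FROM, RCPT TO) triplet.

Added example, not FortiMail code. All timing constants are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Triplet = Tuple[str, str, str]  # (sender IP, envelope MAIL FROM, envelope RCPT TO)


@dataclass
class Greylist:
    # Assumed policy values (seconds). A retry sooner than min_retry is still
    # deferred: spamware that ignores 4xx codes often re-sends immediately,
    # while a real MTA queues the message and retries minutes later.
    min_retry: int = 300
    pending_ttl: int = 4 * 3600        # forget an unconfirmed triplet after this
    accepted_ttl: int = 36 * 86400     # keep a confirmed triplet this long
    pending: Dict[Triplet, int] = field(default_factory=dict)    # first-seen time
    accepted: Dict[Triplet, int] = field(default_factory=dict)   # expiry time

    def check(self, ip: str, mail_from: str, rcpt_to: str, now: int) -> Tuple[int, str]:
        """Return the (code, text) SMTP response for one RCPT TO."""
        key = (ip, mail_from.lower(), rcpt_to.lower())

        expiry = self.accepted.get(key)
        if expiry is not None and now < expiry:
            self.accepted[key] = now + self.accepted_ttl   # refresh on use
            return 250, "OK"

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.pending_ttl:
            # Never seen (or the old attempt was abandoned): defer and record.
            self.pending[key] = now
            return 451, "4.7.1 Greylisted, please retry later"
        if now - first_seen < self.min_retry:
            return 451, "4.7.1 Greylisted, retried too soon"

        # Retried inside the window: the sender behaves like a real MTA.
        del self.pending[key]
        self.accepted[key] = now + self.accepted_ttl
        return 250, "OK"


def simulate() -> Dict[str, object]:
    """Scripted senders (constructed data) against one grey list."""
    gl = Greylist()
    legit = ("192.0.2.10", "alice@example.org", "bob@example.com")
    eager = ("198.51.100.7", "promo@spam.example", "bob@example.com")
    stale = ("203.0.113.5", "carol@example.org", "bob@example.com")
    return {
        # real MTA: deferred, then accepted on a retry 15 minutes later
        "legit": [gl.check(*legit, now=t)[0] for t in (0, 900)],
        # spamware retrying after 5 seconds stays deferred
        "eager": [gl.check(*eager, now=t)[0] for t in (0, 5)],
        # a retry after the pending window is treated as a first contact again
        "stale": [gl.check(*stale, now=t)[0] for t in (0, 20000)],
        # the accepted triplet passes without delay on later messages
        "accepted_later": gl.check(*legit, now=1200)[0],
    }


if __name__ == "__main__":
    print(simulate())
```

Only the retry behaviour is checked; the message content is never examined, which is why grey listing costs so little. The price is the delay on first contact and a dependence on the sending server retrying, so mail from servers that do not requeue on a 4xx response is lost rather than delayed.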

Bayesian scanning

Bayesian scanning is a method of teaching the FortiMail unit what is spam and what is not. Bayesian training uses Bayes' theorem of probability: the spam filter compares the words that occur in spam messages with those that occur in legitimate messages. For every word seen in the training messages, it calculates the probability that a message containing that word is spam, based on the proportion of spam messages in which the word occurs, and combines the probabilities of the words in a scanned message to classify it.

Bayesian training is a manual process performed by the administrator or by email users. For each email received, a user can tell the filter whether it is legitimate, spam, or a false positive. The more training the filter receives, that is, the more messages users classify for it, the more accurate the spam filter becomes.

For details on setting up Bayesian training, see Bayesian scanning on page 90.
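A minimal word-based Bayesian filter of the kind the section describes, as an added example (not FortiMail's implementation): it is trained from messages a user has marked spam or legitimate, gives every word a spam probability from the proportion of spam messages it appears in, and combines the word probabilities with Bayes' rule to score a new message. The training messages are constructed; the smoothing constants are choices for the example, not the unit's settings.

```python
"""Word-level Bayesian spam scoring trained from user feedback.

Added example, not FortiMail code. Training corpus is constructed.
"""
import math
import re
from collections import Counter
from typing import Iterable, List

WORD_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text: str) -> List[str]:
    return WORD_RE.findall(text.lower())


class BayesianFilter:
    def __init__(self) -> None:
        # Number of spam / legitimate messages each word appeared in.
        self.spam_words: Counter = Counter()
        self.ham_words: Counter = Counter()
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text: str, is_spam: bool) -> None:
        """Feedback from a user: 'this is spam' or 'this is legitimate'.

        Reporting a false positive is simply train(text, is_spam=False).
        Each word counts once per message so a repeated word cannot dominate.
        """
        words = set(tokenize(text))
        if is_spam:
            self.spam_words.update(words)
            self.spam_msgs += 1
        else:
            self.ham_words.update(words)
            self.ham_msgs += 1

    def word_spam_probability(self, word: str, strength: float = 1.0, prior: float = 0.5) -> float:
        """P(spam | word), smoothed toward the prior for rarely seen words.

        Uses per-class frequencies so an unbalanced corpus does not bias the
        estimate. A word never seen in training returns the prior (neutral).
        """
        n = self.spam_words[word] + self.ham_words[word]
        if n == 0:
            return prior
        spam_f = self.spam_words[word] / max(self.spam_msgs, 1)
        ham_f = self.ham_words[word] / max(self.ham_msgs, 1)
        p = spam_f / (spam_f + ham_f)
        return (strength * prior + n * p) / (strength + n)

    def score(self, text: str) -> float:
        """Probability that the message is spam (naive Bayes, in log space)."""
        log_spam = log_ham = 0.0
        for word in set(tokenize(text)):
            p = self.word_spam_probability(word)
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        # sigmoid of the log-odds: 1 / (1 + P(ham)/P(spam))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text: str, threshold: float = 0.9) -> str:
        return "spam" if self.score(text) >= threshold else "not spam"


# Constructed training data standing in for user-classified messages.
SPAM_TRAINING = [
    "buy cheap pills now limited offer",
    "click here for free money offer",
    "cheap pills free shipping buy now",
    "win free money click now",
]
HAM_TRAINING = [
    "meeting agenda attached for tomorrow",
    "please review the attached report before the meeting",
    "lunch tomorrow at noon",
    "the quarterly report is attached",
]


def demo_filter() -> BayesianFilter:
    bf = BayesianFilter()
    for msg in SPAM_TRAINING:
        bf.train(msg, is_spam=True)
    for msg in HAM_TRAINING:
        bf.train(msg, is_spam=False)
    return bf


if __name__ == "__main__":
    bf = demo_filter()
    for msg in ("cheap pills free offer", "the meeting agenda is attached", "zebra"):
        print(f"{bf.score(msg):.4f}  {bf.classify(msg):9s}  {msg}")
```

Words the filter has never been trained on score exactly 0.5 and therefore neither help nor hurt a message, which is why a filter with little training is indecisive and why the section stresses continued user feedback.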

Heuristic scanning

While Bayesian training is a manual procedure for teaching the spam filters what to look for, heuristic filtering uses a scoring technique based on predetermined rules about terms and words. The rules fall into five categories: header, body, raw body, URI, and metadata. Each rule has an individual score that contributes to the total score for an email. To decide whether an email is spam, the heuristic filter adds the score of every rule that matches the message to get a total score for that email. If the total is greater than or equal to the upper threshold, the mail is classified as spam and processed accordingly.

For more information on configuring heuristic scanning, see Heuristic scanning on page 90.


Installing

This chapter provides information on mounting and connecting the FortiMail unit to your network. It includes the following topics:

- Environmental specifications
- Cautions and warnings
- Mounting
- Plugging in the FortiMail unit
- Turning off the FortiMail unit
- Connecting to the FortiMail unit

Environmental specifications

- Operating temperature: 32 to 104°F (0 to 40°C)

  If you install the FortiMail unit in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than the room ambient temperature. Make sure to install the equipment in an environment compatible with the manufacturer's maximum rated ambient temperature.

- Storage temperature: -13 to 158°F (-25 to 70°C)
- Humidity: 5 to 90% non-condensing
- Air flow: for rack installation, make sure that the amount of air flow required for safe operation of the equipment is not compromised. For free-standing installation, make sure that the FortiMail unit has sufficient clearance on each side to allow for adequate air flow and cooling.

Cautions and warnings

Review the following cautions before installing your FortiMail unit.

Grounding

- Ensure the FortiMail unit is connected and properly grounded to a lightning and surge protector. WAN or LAN connections that enter the premises from outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.
- Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather than Unshielded Twisted Pair (UTP).
- Do not connect or disconnect cables during lightning activity, to avoid damage to the FortiMail unit or personal injury.

Rack mount instructions

Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) specified by the manufacturer.

    Reduced Air Flow - Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.

    Mechanical Loading - Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.

    Circuit Overloading - Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.

    Reliable Earthing - Reliable earthing of rack-mounted equipment should be maintained.

    Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).

    If required to fit into a rack unit, remove the rubber feet from the bottom of the FortiMail unit.

Mounting

FortiMail-100

Adhere the rubber feet included in the package to the underside of the FortiMail unit, near the corners, if they are not already attached.

    Place the FortiMail unit on any flat, stable surface. Ensure the FortiMail unit has sufficient clearance on each side to ensure adequate airflow for cooling.

FortiMail-400

The FortiMail unit can be placed on any flat surface, or mounted in a standard 19-inch rack.

    When placing the FortiMail unit on any flat, stable surface, ensure the FortiMail unit has sufficient clearance on each side to ensure adequate airflow for cooling.

    For rack mounting, use the mounting brackets and screws included with the FortiMail unit.

! Caution: To avoid personal injury, two or more people may be required to install the unit in the rack.

To install the FortiMail unit into a rack

1 Attach the mounting brackets to the sides of the unit so that the brackets are on the front portion of the FortiMail unit. Ensure that the screws are tight.

The following photos illustrate how the brackets should be mounted. Note that the screw configuration may vary.

Figure 3: Installed mounting brackets

2 Position the FortiMail unit in the rack to allow for sufficient air flow.
3 Line up the mounting bracket holes with the holes on the rack, ensuring the FortiMail unit is level.
4 Finger-tighten the screws to attach the FortiMail unit to the rack.
5 Once you have verified the spacing of the FortiMail unit and that it is level, tighten the screws with a screwdriver. Ensure that the screws are tight.

    Figure 4: Mounting in a rack

FortiMail-2000A and FortiMail-4000A

To mount the FortiMail unit in a 19 in rack or cabinet, use the slide rails included with the product.

! Caution: To avoid personal injury or damage to the FortiMail unit, it is highly recommended that a minimum of two people perform this procedure.

Mounting requires three steps:

- disassembling the slide rail from the slide housing
- attaching the slide rail to the sides of the FortiMail unit
- mounting the FortiMail unit in the rack or cabinet.

Disassembling the slide rail

The slide rail assembly has two moving rails within the housing. You need to remove the innermost rail; this rail will attach to the sides of the FortiMail unit.

    Figure 5: FortiMail side rail

To remove the side rail

1 Open the slide rails package and remove the rails.
2 Extend the slide rail and locate the slide rail lock.

[Figure labels: Rail housing, Sliding rail, Rail lock]

3 Push down on the lock while pulling the rail completely out of the slide rail assembly.
4 Repeat these steps for the other slide rail assembly.

You will attach this part to the side of the FortiMail unit.

Attaching the slide rail to the FortiMail unit

Attach the slide rails removed in the previous step to the sides of the FortiMail unit. Use the screws provided with the slide rail package, and make sure the rail is fastened securely to the FortiMail chassis.

Mounting the FortiMail unit

Mounting the FortiMail-2000A or FortiMail-4000A is a two-step process. First, attach the slide rail housing to the rack or cabinet, then insert the FortiMail unit.

To mount the FortiMail unit

1 Mount the slide rail housing to the rack or cabinet frame. Adjust the outside L-shaped brackets for a proper fit. Ensure that both housings are at the same level so that the FortiMail unit can glide easily into place and is level.
2 Use the screws and additional L-brackets if required to securely fasten the housing.
3 Position the FortiMail unit so that the back of the unit is facing the rack and the slide rails affixed in the previous step line up with the slide rail housing.
4 Gently push the FortiMail unit into the rack or cabinet. You will hear a click when the slide rail lock engages.
5 Push the FortiMail unit until it is fully inserted into the rack.

Plugging in the FortiMail unit

FortiMail-100

The FortiMail-100 does not have a power switch.

To power on the FortiMail unit

1 Connect the AC adapter to the power connection at the back of the FortiMail unit.
2 Connect the AC adapter to the power cable.
3 Connect the power cable to a power outlet.

    The FortiMail unit starts and the Power and Status LEDs light up. The Status LEDs flash while the FortiMail unit starts up, and remain lit when the system is running.

FortiMail-400

Use the following steps to connect the power supply to the FortiMail unit.

To power on the FortiMail unit

1 Ensure the power switch, located at the back of the FortiMail unit, is in the off position, indicated by O.
2 Connect the power cord at the back of the FortiMail unit.
3 Connect the power cable to a power outlet.
4 Set the power switch on the back left of the FortiMail unit to the on position, indicated by I.

After a few seconds, SYSTEM STARTING appears on the LCD. The main menu appears on the LCD when the system is running.

FortiMail-2000/A and FortiMail-4000/A

The FortiMail unit does not have an on/off switch.

To power on the FortiMail unit

1 Connect the power cables to the power connections on the back of the FortiMail unit.
2 Connect the power cables to power outlets. Each power cable should be connected to a different power source, so that if one power source fails the other may still be operative.

    After a few seconds, SYSTEM STARTING appears on the LCD. The main menu setting appears on the LCD when the system is running.

    The FortiMail unit starts and the Power and Status LEDs light up. The Status LEDs flash while the FortiMail unit starts up, and remain lit when the system is running.

Connecting to the network

Using the supplied Ethernet cable, connect one end of the cable to your router or switch and the other end to port 1 on the FortiMail unit.

Turning off the FortiMail unit

Always shut down the FortiMail unit properly before turning off the power to avoid potential hardware problems. This allows the hard drives to spin down and park correctly and avoids losing data.

To power off the FortiMail unit

1 From the web-based manager, go to System > Status.
2 In the System Command display, select Shutdown, or from the CLI enter:

execute shutdown

3 Turn off and/or disconnect the power cables from the power supply.

Connecting to the FortiMail unit

There are three methods of connecting to the FortiMail unit and configuring its basic settings:

- the web-based manager
- the command line interface (CLI)
- the front control buttons and LCD (FortiMail-400 and FortiMail-2000A)

Note: On units with redundant power supplies, if only one power supply is connected, an audible alarm sounds to indicate a failed power supply. Press the red alarm cancel button on the rear panel next to the power supply to stop the alarm.

Web-based manager

You can configure and manage the FortiMail unit using an HTTP or a secure HTTPS connection from any computer with a recent browser. Use HTTPS for administration wherever possible: over plain HTTP the administrator credentials cross the network in clear text.

    You can use the web-based manager to configure most FortiMail settings, and monitor the status of the FortiMail unit.

    Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately, without interrupting service.

To connect to the web-based manager, you require:

- a computer with an Ethernet connection
- any recent version of a popular web browser
- a crossover Ethernet cable, or an Ethernet hub with two Ethernet cables

To connect to the web-based manager

1 Set the IP address of the computer with an Ethernet connection to the static IP address 192.168.1.2 with a netmask of 255.255.255.0.
2 Using the crossover cable or the Ethernet hub and cables, connect the internal interface of the FortiMail unit to the computer's Ethernet connection.
3 Start the web browser and browse to https://192.168.1.99/admin (remember to include the s in https://).

To support secure HTTPS authentication, the FortiMail unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiMail unit. When you connect, the FortiMail unit displays two security warnings in the browser.

The first warning prompts you to accept and optionally install the FortiMail unit's self-signed certificate. If you do not accept the certificate, the connection is refused. If you accept it, the FortiMail login page appears, and the credentials you enter are encrypted before they are sent to the unit. If you accept the certificate permanently, the warning is not displayed again. Because a self-signed certificate cannot be checked against a trusted authority, the browser cannot distinguish this unit from another device answering at the same address; accept the certificate over the direct cable connection described above, where no other device is on the path.

Just before the FortiMail login page is displayed, a second warning informs you that the certificate's distinguished name differs from the original request. This occurs because the FortiMail unit redirects the connection. It is an informational message; select OK to continue logging in.

4 Type admin in the Name field and select Login. The admin account ships without a password; set one as part of the initial configuration.

Command line interface

You can access the FortiMail command line interface (CLI) by connecting a management computer's serial port to the FortiMail serial console connector. You can also use Telnet or an SSH connection to reach the CLI from any network connected to the FortiMail unit, including the Internet. Prefer SSH: Telnet sends the administrator password in clear text. If the unit is reachable from the Internet, restrict CLI access to your management addresses.

As an alternative to the web-based manager, you can install and configure the FortiMail unit using the CLI. Configuration changes made with the CLI are effective immediately, without interrupting service.

To connect to the FortiMail CLI you require:

- a computer with an available communications port
- the DB-9 or RJ-45 to DB-9 cable included in your FortiMail package
- terminal emulation software such as HyperTerminal for Microsoft Windows

Note: The following procedure uses Microsoft Windows HyperTerminal software. You can apply these steps to any terminal emulation program.

To connect to the CLI

1 Connect the console cable to the communications port of your computer and to the FortiMail console port.
2 Start HyperTerminal, enter a name for the connection, and select OK.
3 Configure HyperTerminal to connect directly to the communications port on your computer and select OK.
4 Select the following port settings and select OK:

Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

5 Press Enter to connect to the FortiMail CLI. The login prompt appears.
6 Type admin and press Enter twice (the admin account ships without a password). The following prompt is displayed:

Welcome!

Type ? to list available commands. For information about how to use the CLI, see the FortiMail CLI Reference.

LCD front control buttons

You can use the front control buttons and LCD on the FortiMail-400 and FortiMail-2000A to configure IP addresses and default gateways and to switch operating modes. The LCD shows you which mode you are in without having to go to the command line interface or the web-based manager.

This configuration method provides an easy and fast way to configure your FortiMail unit. You can configure:

- IP addresses and netmasks
- default gateways
- operating modes
- restore factory default settings

The front control buttons control how you enter and exit the different menus when configuring the ports and interfaces. They also enable you to increase or decrease each number when configuring IP addresses, default gateway addresses, or netmasks. The following table defines each button and what it does when configuring the basic settings of your FortiMail unit.

Table 1: Front control button definitions

Enter  Moves forward through the configuration process.
Esc    Moves backward, or exits the menu you are in.
Up     Increases the number for an IP address, default gateway address, or netmask.
Down   Decreases the number for an IP address, default gateway address, or netmask.

Configuring the FortiMail unit

Once the FortiMail unit is properly mounted, plugged in, and connected to the network, you can configure it for your network. The FortiMail unit can run in three different modes. Each mode has multiple configuration options depending on where you place the unit within your network infrastructure, and each configuration has unique options and settings. This Install Guide contains a chapter for each mode and its configuration options.

Management modes

FortiMail running version 3.0 MR2 and higher of the operating system includes two management modes: basic and advanced. Depending on your familiarity with configuring network email or email appliances, select the mode that best suits your abilities. You can switch between modes at any time without losing any settings. Basic mode enables you to configure the minimum settings to enable antispam and antivirus protection for your network email. Advanced mode provides more options, including user configuration and more detailed antispam and antivirus settings. You can use either management mode in all of the FortiMail operating modes.

Quick Start wizard

If you are new to FortiMail and this is your first installation, you can use the Quick Start Wizard, available in basic management mode. The Quick Start Wizard guides you through the settings necessary to configure the FortiMail unit on the network, including network configuration, email server configuration, and basic antispam and antivirus options.

The Quick Start Wizard is available in all FortiMail operating modes. Select the operating mode before running the Quick Start Wizard, as some options are specific to the operating mode. If you switch operating modes after using the Quick Start Wizard, some configuration settings may be lost or incomplete.

Configuring gateway mode

This chapter describes how to configure a FortiMail unit to operate in gateway mode. In gateway mode the FortiMail unit acts as a fully functional mail relay server: it receives incoming email messages, scans them for viruses and spam, then passes (relays) the email to the email server for delivery.

This chapter describes common deployment options for a FortiMail unit running in gateway mode. Use these deployment and configuration examples to install the FortiMail unit on your network, or use them as a guide for your own network topology. Additional configuration information and details are available in the FortiMail Administration Guide.

All examples use a FortiGate firewall device. If you are using a different firewall appliance, consult the appliance's documentation to complete similar configurations.

    This chapter includes the following:

- FortiMail Gateway behind a firewall
- FortiMail Gateway in front of a firewall
- FortiMail Gateway in the DMZ

Switching to gateway mode

Use the web-based manager to complete the configuration of the FortiMail unit. You can continue to use the web-based manager for all FortiMail settings.

Before you begin configuring the FortiMail unit, ensure that it is in gateway mode. To verify, go to System > Status and check the Operation Mode.

To change the operation mode

1 Go to System > Status.
2 Select Change for the Operation Mode.
3 Select Gateway from the list and select OK.

Note: This chapter uses the FortiMail unit in the advanced management mode.

    http://docs.forticare.com/fmail.html

FortiMail Gateway behind a firewall

The FortiMail unit is positioned behind a FortiGate firewall. With this topology, the firewall screens traffic to both the FortiMail unit and the email server, so only the services you explicitly allow (for example, SMTP to the FortiMail unit) are reachable from the Internet. Incoming and outgoing email is routed through the FortiMail unit for scanning before being sent to the email server or the Internet.

    Figure 6: FortiMail Gateway behind firewall

[Figure labels: Internet, Router/Firewall (Internal, External), Switch, DNS Server, Email Server]

Configuring the network settings

Use the following table to gather the information you need to customize the gateway mode settings.

Table 2: Gateway mode settings

Administrator Password: ____________________

Port 1  IP: _____._____._____._____   Netmask: _____._____._____._____
Port 2  IP: _____._____._____._____   Netmask: _____._____._____._____
Port 3  IP: _____._____._____._____   Netmask: _____._____._____._____
Port 4  IP: _____._____._____._____   Netmask: _____._____._____._____
Port 5  IP: _____._____._____._____   Netmask: _____._____._____._____
Port 6  IP: _____._____._____._____   Netmask: _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to your internal network hub or switch. The IP address of Port 1 must be on the same subnet (address range) as the network and cannot be the same address as another device or computer on the network.

    Configuring a static IP address

To configure a network interface with a static IP address

1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.

    If you changed the IP address of the interface that you are connecting to manage the FortiMail unit, you must reconnect to the web-based manager using the new IP address.

Configuring an interface for DHCP

You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may provide IP addresses this way.

Obtaining an IP address from a DHCP server, such as your ISP's, ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as a FortiGate unit or other firewall device that is also connected directly to the Internet.

When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if you need to configure them manually.

To configure an interface for DHCP

1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select DHCP.
4 If required, clear Retrieve default gateway and DNS from server to disable this option.
5 Select OK.

Table 2 (continued): Network settings

Default Gateway: _____._____._____._____

The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.

Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

Configuring DNS

You need to configure Domain Name System (DNS) server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider.

In simple terms, DNS acts as a phone book for the Internet. A DNS server matches domain names to IP addresses, which lets you use readable names such as fortinet.com. For email, the DNS server translates the recipient's domain name into the address of its mail exchange server so that the message can be delivered.

    To add DNS server IP addresses 1 Go to System > Network > DNS.2 Enter the primary and secondary DNS server IP addresses.3 Select Apply.

    Configuring routing Configure routing on the FortiMail unit to define the route that enables the FortiMail unit to contact the DNS server. If you configured your interfaces dynamically using DHCP, the FortiMail unit configures a default route automatically.

    The gateway address for the route is on the same network as port 1.

    You need to configure additional routes if any of your email servers are on a different subnet. The gateway you specify is the address of the next hop router that connects to the required network.

    To configure routing1 Go to System > Network > Routing.2 Select Create New to add a new route.3 Enter the Destination IP address and netmask. 4 Enter the Gateway IP address.5 Select OK.

Configuring the email system settings

The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings to have this relay occur.

Configuring basic email system settings

Configure the FortiMail unit basic email system settings, including host name and domain name.

To configure the email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select OK:

Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the domain name of your email server. The FortiMail unit's Fully Qualified Domain Name (FQDN) is the host name followed by the local domain name, for example mailsvr.company.com.
SMTP Server Port Number: Enter the SMTP port number. The default and standard SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email server.
Relay Server Port: Enter the relay server port number if your ISP provides a relay email server.

Configuring MX records to route incoming email

Mail Exchange (MX) records are used to route email to specific destinations. An MX record is an entry in a domain name database such as a DNS server. If a local DNS server exists, MX records can be added or changed on the DNS server using one of several user interfaces depending on the operating system used.

When a user sends an email, the sender's mail server performs a DNS lookup using the recipient's domain name, for example, example.com in the email address [email protected], and acquires the MX record.

The MX record contains the domain and host names. The sending mail server uses this information to send the email to the recipient's mail server.

In order to route incoming email through the FortiMail unit for scanning, you need to register a Fully Qualified Domain Name (FQDN), for example, fm.exampledom.com, and a global IP address for the FortiMail unit.

Route incoming email to the FortiMail unit by changing the MX record to point to the FortiMail domain rather than the email server.

For example, using the information from the table below, change the existing MX record currently pointing to the email server, to point to the FortiMail unit.

Email server: mail.exampledom.com
Current MX record: IN MX mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2

Change the existing MX record for mail.exampledom.com to point to the FortiMail unit. For example:

IN MX fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

The A record

The second line in the above example is

fm.exampledom.com IN A 172.16.15.2

This is an address record, commonly called an A record. It is a type of DNS entry that assigns an IP address to a domain name.

Before email is sent out, the MX and A records for the recipient are looked up in the DNS server by the sender's mail server. Then, using the A record entry, the email is sent to the recipient using the corresponding domain name's IP address.

Adding a domain

You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed.

The local domain name will be used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A sub domain of the protected domain is recommended for the local domain because of the domain registration savings.

To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Enter the IP address or name of the SMTP Server and port number if different than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway where the email server is, so that mail can be routed to it.
5 Select OK.

Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:

accounting.company.com
dev.company.com

Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide (http://docs.forticare.com/fmail.html).

To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Enter the domain name including the suffix. For example, company.com.
5 Enter the IP address of the SMTP Server and port number if different than the default 25.
Entering the email server IP address tells the FortiMail gateway where the email server is, so that mail can be routed to it.
6 Select Is Subdomain.
7 Select the main domain the local domain is a part of.
8 Select OK.

Note: Deleting a domain also deletes all email users in that domain.

    Configuring the firewall

    With the FortiMail unit behind the FortiGate firewall, you must configure firewall policies on the FortiGate unit to ensure that incoming SMTP traffic goes to the FortiMail Gateway before reaching the email server.

    To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, the FortiGate unit automatically directs the message to the internal IP address of the FortiMail unit.

    This allows the FortiMail unit to perform antivirus scanning, antispam filtering, and email archiving on the SMTP traffic.

How Virtual IPs work

Virtual IP (VIP) addresses enable users from outside a private network to access services inside that network. Under normal circumstances, this is not possible because Internet routers generally do not connect to private IP addresses. For example, a user on the Internet is not able to send an email directly to the FortiMail unit on a company internal network. However, you can configure the FortiGate unit to allow an email message to a company employee to reach the FortiMail unit on a private network from the Internet.

    The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface. The virtual IP settings indicate a mapping from 192.168.37.4 to 10.10.10.42 so the packets' addresses are changed. The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session table it maintains internally. The packets are then sent on their way and arrive at the server computer.

    Note that the FortiGate unit must be in NAT/Route mode to add VIPs.

For more information on Virtual IPs, see the FortiGate Administration Guide (http://docs.forticare.com/fgt.html).

Note: The following steps use a FortiGate firewall device. If you are using a different firewall appliance, consult the appliance's documentation for completing similar configurations.

To configure a VIP on a FortiGate unit
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Complete the following and select OK:

Name: Enter a name for the FortiMail unit.
External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Type: Select Static NAT.
External IP Address/Range: Enter the external IP address that you want to map to an address on the destination network.
Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped.

Create an incoming traffic firewall policy

With the VIP established, create a firewall policy to allow traffic from the FortiGate external interface to the VIP mapping on the internal interface.

To create the firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK:

Source Interface/Zone: The FortiGate external interface connected to the Internet.
Source Address Name: ALL
Destination Interface/Zone: The FortiGate internal interface to the network.
Destination Address Name: Select the FortiMail name from the list under Virtual IP.
Schedule: Select ALWAYS.
Service: Select ALL.
Action: Select ACCEPT.

Create an outgoing traffic firewall policy

Create an outgoing policy that allows the email from the FortiMail unit to pass through the FortiGate unit onto the Internet.

To create the firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK:

Source Interface/Zone: The FortiGate internal interface connected to the network.
Source Address Name: Select the FortiMail name from the list under Virtual IP.
Destination Interface/Zone: The FortiGate external interface connected to the Internet.
Destination Address Name: Select ALL.
Schedule: Select ALWAYS.
Service: Select ALL.
Action: Select ACCEPT.
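The following is an added model of the static NAT VIP and incoming policy described above; it is not FortiGate code and not part of this guide. It replays the guide's worked packet (192.168.37.55 to 192.168.37.4, mapped to 10.10.10.42 with the source rewritten to 10.10.10.2) and assumes interface names "external" and "internal", a VIP named "FortiMail" and a constructed client port 40000.

```python
"""Added model (not FortiGate code) of how a static NAT VIP, the matching
firewall policy and the session table rewrite an inbound SMTP packet and
its reply, using the addresses from the guide's worked example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class VirtualIP:
    name: str        # Name
    ext_intf: str    # External Interface
    ext_ip: str      # External IP Address/Range
    mapped_ip: str   # Mapped IP Address/Range (Type: Static NAT)


@dataclass(frozen=True)
class Policy:
    src_intf: str                       # Source Interface/Zone
    dst_intf: str                       # Destination Interface/Zone
    dst_name: str                       # Destination Address Name (the VIP)
    services: Optional[FrozenSet[int]]  # None models Service ALL
    action: str = "ACCEPT"


class VipFirewall:
    """Minimal stand-in for the FortiGate VIP plus policy behaviour (assumed model)."""

    def __init__(self, vip: VirtualIP, policy: Policy, snat_ip: str) -> None:
        self.vip, self.policy, self.snat_ip = vip, policy, snat_ip
        # session table: (client ip, client port) -> packet as forwarded inside
        self.sessions: Dict[Tuple[str, int], Packet] = {}

    def inbound(self, pkt: Packet, ingress: str) -> Optional[Packet]:
        """Apply VIP and policy to a packet from the Internet; None means dropped."""
        if ingress != self.vip.ext_intf or pkt.dst != self.vip.ext_ip:
            return None                  # not addressed to the VIP
        p = self.policy
        if (p.src_intf, p.dst_name, p.action) != (ingress, self.vip.name, "ACCEPT"):
            return None                  # no matching ACCEPT policy
        if p.services is not None and pkt.dport not in p.services:
            return None                  # service not allowed by the policy
        fwd = Packet(self.snat_ip, pkt.sport, self.vip.mapped_ip, pkt.dport)
        self.sessions[(pkt.src, pkt.sport)] = fwd   # remembered for the reply
        return fwd

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate the mapped host's reply using the session table."""
        for (client, cport), fwd in self.sessions.items():
            if pkt.src == fwd.dst and pkt.dst == fwd.src and pkt.dport == cport:
                return Packet(self.vip.ext_ip, pkt.sport, client, cport)
        return None                      # no session: reply is dropped


def guide_example(services: Optional[FrozenSet[int]] = None
                  ) -> Tuple[Optional[Packet], Optional[Packet]]:
    """Replay the guide's numbers; client port 40000 is constructed."""
    vip = VirtualIP("FortiMail", "external", "192.168.37.4", "10.10.10.42")
    policy = Policy("external", "internal", "FortiMail", services)
    fw = VipFirewall(vip, policy, snat_ip="10.10.10.2")
    fwd = fw.inbound(Packet("192.168.37.55", 40000, "192.168.37.4", 25), "external")
    back = fw.reply(Packet("10.10.10.42", 25, "10.10.10.2", 40000)) if fwd else None
    return fwd, back
```

With Service set to ALL, as in the policy above, the model admits any destination port to the mapped host; calling guide_example(frozenset({25})) shows the same policy narrowed to SMTP only.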

Routing outgoing email to the FortiMail Gateway

The FortiMail unit is now configured to receive incoming email, scan it and send it to the recipient as required. You must also configure the email environment so that the FortiMail unit scans outgoing email, whether it is destined for an internal user or a user on the Internet.

To do this, you must configure the email client of the user to send email messages to the FortiMail unit. When the FortiMail unit receives the email message, it scans the message for viruses or spam and routes the message to its next destination.

To configure an email client to send email to the FortiMail unit, in the email client, configure the outgoing mail server (SMTP) to be the FortiMail unit.

Next Steps

The configuration is now complete. Using your email client software, try sending email using the test user to verify that you can send and receive email.

If you are having difficulties, review the steps and the values entered to ensure they are correct.

See the chapter Testing and next steps on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.


FortiMail Gateway in front of a firewall

The FortiMail unit is positioned in front of the firewall. With the FortiMail unit set up this way, if the FortiMail gateway is compromised by attacks, the email server and the internal network are not affected. The FortiMail unit, however, is not protected by the firewall.

Figure 7: FortiMail Gateway in front of firewall (the figure labels the Internet, router, firewall, switch, DNS server and email server, with the external and internal sides marked)

Configuring the network settings

Use the following table to gather the information you need to customize the gateway mode settings.

Table 3: Gateway mode settings

Administrator Password:

Port 1 IP: _____._____._____._____
Netmask: _____._____._____._____

Port 2 IP: _____._____._____._____
Netmask: _____._____._____._____

Port 3 IP: _____._____._____._____
Netmask: _____._____._____._____

Port 4 IP: _____._____._____._____
Netmask: _____._____._____._____

Port 5 IP: _____._____._____._____
Netmask: _____._____._____._____

Port 6 IP: _____._____._____._____
Netmask: _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to your internal network hub or switch. The IP address of Port 1 must be on the same subnet as the network and cannot use the same address as another device or computer on the network.

Configuring a static IP address

To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.

    If you changed the IP address of the interface to which you are connecting to manage the FortiMail unit, you must reconnect to the web-based manager using the new IP address.

Configuring an interface for DHCP

You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may provide IP addresses using this protocol.

DHCP is used to obtain IP addresses from a DHCP server, such as one provided by your ISP. Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet.

When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if you need to configure them manually.

To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select DHCP.
4 If required, select Retrieve default gateway and DNS from server to disable this option.
5 Select OK.

Network settings

Default Gateway: _____._____._____._____

The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.

Primary DNS Server: _____._____._____._____

Secondary DNS Server: _____._____._____._____


Configuring DNS

You need to configure DNS server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider.

In simple terms, DNS acts as a phone book for the Internet. A DNS server matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.

To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing

Configure routing on the FortiMail unit to define the route that enables the FortiMail unit to contact the DNS server. If you configured your interfaces dynamically using DHCP, the FortiMail unit configures a default route automatically.

The gateway address for the route is on the same network as port 1.

You need to configure additional routes if any of your email servers are on a different subnet. The gateway you specify is the address of the next hop router that connects to the required network.

To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route or select Modify to change the default.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.

Configuring the email system settings

The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings and email access permissions.

Configuring basic email system settings

Configure the FortiMail unit basic email system settings, including host name and domain name.

To configure the email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select Apply:

Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the domain name of your email server. The FortiMail unit's Fully Qualified Domain Name (FQDN) is the host name followed by the local domain name, for example mailsvr.company.com.
SMTP Server Port Number: Enter the SMTP port number. The default and standard SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email server.
Relay Server Port: Enter the relay server port number if your ISP provides a relay email server.

Configuring MX records to route incoming email

Mail Exchange (MX) records are used to route email to specific destinations. An MX record is an entry in a domain name database such as a DNS server. If a local DNS server exists, MX records can be added or changed on the DNS server using one of several user interfaces depending on the operating system used.

When a user sends an email, the sender's mail server performs a DNS lookup using the recipient's domain name, for example, example.com in the email address [email protected], and acquires the MX record.

The MX record contains the domain and host names. The sending mail server uses this information to send the email to the recipient's mail server.

In order to route incoming email through the FortiMail unit for scanning, you need to register a Fully Qualified Domain Name (FQDN), for example, fm.exampledom.com, and a global IP address for the FortiMail unit.

Route incoming email to the FortiMail unit by changing the MX record to point to the FortiMail domain rather than the email server.

For example, using the information from the table below, change the existing MX record currently pointing to the email server, to point to the FortiMail unit.

Email server: mail.exampledom.com
Current MX record: IN MX mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2

Change the existing MX record for mail.exampledom.com to point to the FortiMail unit. For example:

IN MX fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

The A record

The second line in the above example is

fm.exampledom.com IN A 172.16.15.2

This is an address record, commonly called an A record. It is a type of DNS entry that assigns an IP address to a domain name.

Before email is sent out, the MX and A records for the recipient are looked up in the DNS server by the sender's mail server. Then, using the A record entry, the email is sent to the recipient using the corresponding domain name's IP address.
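The following is an added offline check for the MX record cutover described in this section and in the same section of the "FortiMail Gateway behind a firewall" chapter; it is not the guide's or Fortinet's code. It parses a small zone-file fragment and confirms that the domain's MX target is the FortiMail FQDN (not the old email server) and that the FQDN resolves to the expected address; the preference value is optional so the guide's abridged record form is accepted, and the email server address 172.16.15.10 is constructed.

```python
"""Added check (not from the guide): does this zone route inbound mail for
the domain through the FortiMail unit, and does the FortiMail FQDN resolve?"""
from typing import Dict, List, Tuple

# Constructed zone fragments. BEFORE is the state the guide starts from;
# AFTER is the cutover it describes (MX moved to fm.exampledom.com).
ZONE_BEFORE = """
exampledom.com.       IN MX 10 mail.exampledom.com.
mail.exampledom.com.  IN A     172.16.15.10   ; constructed address
"""
ZONE_AFTER = """
exampledom.com.       IN MX 10 fm.exampledom.com.
fm.exampledom.com.    IN A     172.16.15.2
mail.exampledom.com.  IN A     172.16.15.10   ; constructed address
"""


def _norm(name: str) -> str:
    """Canonical owner/target name: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def parse_zone(text: str) -> Tuple[List[Tuple[str, int, str]],
                                   Dict[str, List[str]], Dict[str, str]]:
    """Return (MX records, A records by owner, CNAMEs by owner) from zone text."""
    mx: List[Tuple[str, int, str]] = []
    a: Dict[str, List[str]] = {}
    cname: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        tok = line.split()
        if len(tok) < 4 or tok[1].upper() != "IN":
            raise ValueError(f"unsupported record: {line!r}")
        owner, rtype = _norm(tok[0]), tok[2].upper()
        if rtype == "MX":
            pref = int(tok[3]) if len(tok) > 4 else 0   # preference optional
            mx.append((owner, pref, _norm(tok[-1])))
        elif rtype == "A":
            a.setdefault(owner, []).append(tok[3])
        elif rtype == "CNAME":
            cname[owner] = _norm(tok[3])
    return mx, a, cname


def check_mx_routing(zone: str, domain: str, fortimail_fqdn: str,
                     fortimail_ip: str, mail_server: str) -> List[str]:
    """Return problems found; an empty list means inbound mail goes via FortiMail."""
    mx, a, cname = parse_zone(zone)
    domain, fm, ms = _norm(domain), _norm(fortimail_fqdn), _norm(mail_server)
    problems: List[str] = []
    targets = [t for owner, _, t in mx if owner == domain]
    if not targets:
        problems.append(f"no MX record for {domain}")
    for t in targets:
        if t == ms:
            problems.append(f"MX still points at {ms}: inbound mail bypasses the FortiMail unit")
        elif t != fm:
            problems.append(f"MX target {t} is neither the FortiMail unit nor the email server")
        if t in cname:
            problems.append(f"MX target {t} is a CNAME, which RFC 2181 does not allow")
        elif t not in a:
            problems.append(f"MX target {t} has no A record")
    if fortimail_ip not in a.get(fm, []):
        problems.append(f"{fm} does not resolve to {fortimail_ip}")
    return problems
```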

Adding a domain

You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed.

The local domain name will be used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A sub domain of the protected domain is recommended for the local domain because of the domain registration savings.

To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Enter the IP address or name of the SMTP Server and port number if different than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway where the email server is, so that mail can be routed to it.
5 Select OK.

Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:

accounting.company.com
dev.company.com

Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide (http://docs.forticare.com/fmail.html).

To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Enter the domain name including the suffix. For example, company.com.
5 Enter the IP address of the SMTP Server and port number if different than the default 25.
Entering the email server IP address tells the FortiMail gateway where the email server is, so that mail can be routed to it.
6 Select Is Subdomain.
7 Select the main domain the local domain is a part of.
8 Select OK.

Note: Deleting a domain also deletes all email users in that domain.

Configuring the firewall

With the FortiMail unit in front of the FortiGate firewall, you must configure policies to ensure that incoming SMTP traffic scanned by the FortiMail unit goes to the email server. You also need a policy so that email sent by internal users passes through the firewall for scanning by the FortiMail unit before it is sent to the Internet.

Configuring the FortiMail policy

Create a firewall policy that permits all SMTP traffic on port 25 from the FortiMail unit to pass through the firewall and directs it to the email server.

First, you must create address entries on the FortiGate unit that identify the FortiMail unit and the email server.

To create an address for the FortiMail unit, on the FortiGate unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

To create an address for the email server, on the FortiGate unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Next, create the incoming email firewall policy so the email from the FortiMail unit goes to the email server.

    Note: The following steps use a FortiGate firewall device. If you are using an alternate firewall appliance,