Sei sulla pagina 1di 88

Installation Guide

FortiMail
Version 2.8

www.fortinet.com
FortiMail Installation Guide
Version 2.8
25 September 2006
06-28000-0234-20060925

© Copyright 2006 Fortinet, Inc. All rights reserved. No part of this


publication including text, examples, diagrams or illustrations may be
reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.

Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus,
FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet,
FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse,
FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the
United States and/or other countries. The names of actual companies and
products mentioned herein may be the trademarks of their respective
owners.

Regulatory compliance
FCC Class A Part 15 CSA/CUS

Caution: If you install a battery that is not the correct type, it could
! explode. Dispose of used batteries according to local regulations.
Contents

Contents
Introduction ........................................................................................ 7
Fortinet Family Products .................................................................................. 7
FortiGuard Subscription Services ................................................................. 7
FortiAnalyzer ................................................................................................. 7
FortiBridge..................................................................................................... 8
FortiClient...................................................................................................... 8
FortiGate ....................................................................................................... 8
FortiManager ................................................................................................. 9
FortiReporter ................................................................................................. 9
About the FortiMail units .................................................................................. 9
FortiMail-100 ................................................................................................. 9
FortiMail-400 ................................................................................................. 9
FortiMail-2000 ............................................................................................. 10
FortiMail-4000 ............................................................................................. 10
FortiMail-4000A ........................................................................................... 10
About this document....................................................................................... 11
Document conventions................................................................................ 11
FortiMail documentation ................................................................................. 12
Fortinet Knowledge Center ........................................................................ 12
Comments on Fortinet technical documentation ........................................ 12
Customer service and technical support ...................................................... 12

Installing the FortiMail unit ............................................................. 15


Package contents ............................................................................................ 15
FortiMail-100 ............................................................................................... 15
FortiMail-400 ............................................................................................... 17
FortiMail-2000 ............................................................................................. 18
FortiMail-4000 ............................................................................................. 19
FortiMail-4000A ........................................................................................... 20
Connecting the FortiMail unit ......................................................................... 21
Environmental specifications....................................................................... 21
Air flow ........................................................................................................ 21
Mechanical loading ..................................................................................... 21
Powering on the FortiMail unit..................................................................... 22
Powering off ................................................................................................ 22
Connecting to the FortiMail unit..................................................................... 23
Web-based manager................................................................................... 23
Front control buttons and LCD .................................................................... 23
Command line interface .............................................................................. 23
Connecting to the web-based manager ...................................................... 23
Command line interface .............................................................................. 25
Connecting to the CLI ................................................................................. 25

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 3
Contents

LCD front control buttons............................................................................... 26


Using the front control buttons and LCD..................................................... 27

Choosing an Operating Mode......................................................... 29


Gateway mode ................................................................................................. 30
Transparent mode ........................................................................................... 31
Server mode..................................................................................................... 31

Configuring gateway mode............................................................. 33


FortiMail Gateway behind a firewall............................................................... 33
Configuring the network settings................................................................. 34
Configuring the email system settings ........................................................ 36
Configuring MX records to route incoming email ........................................ 37
Configuring the firewall ............................................................................... 37
Routing outgoing email to the FortiMail Gateway ....................................... 39
FortiMail Gateway in front of a firewall.......................................................... 39
Configuring the network settings................................................................. 40
Configuring the email system settings ........................................................ 42
Configuring MX records to route incoming email ........................................ 43
Configuring the firewall ............................................................................... 43
Routing outgoing email to the FortiMail Gateway ....................................... 45
FortiMail Gateway in the DMZ ........................................................................ 45
Configuring the network settings................................................................. 46
Configuring the email system settings ........................................................ 49
Configuring MX records to route incoming email ........................................ 49
Configuring the firewall ............................................................................... 50
Routing outgoing email to the FortiMail Gateway ....................................... 51
Testing and next steps.................................................................................... 51

Configuring transparent mode ....................................................... 53


Deploying in front of an email server ............................................................ 53
Configuring the network settings................................................................. 54
Configuring the email system settings ........................................................ 55
Configuring proxies ..................................................................................... 56
Deploying to protect an email hub................................................................. 56
Configuring the network settings................................................................. 57
Configuring the email system settings ........................................................ 59
Configuring proxies ..................................................................................... 60
Testing and next steps.................................................................................... 61

FortiMail Version 2.8 Installation Guide


4 06-28000-0234-20060925
Contents

Configuring server mode ................................................................ 63


FortiMail Server behind a firewall .................................................................. 63
Configuring the network settings ................................................................. 64
Configuring the email system settings ........................................................ 66
Configuring the firewall................................................................................ 67
FortiMail Server in front of a firewall ............................................................. 69
Configuring the network settings ................................................................. 69
Configuring the email system settings ........................................................ 71
Configuring the firewall................................................................................ 72
FortiMail Server in DMZ................................................................................... 74
Configuring the network settings ................................................................. 75
Configuring the email system settings ........................................................ 77
Configuring the firewall................................................................................ 78
Testing and next steps.................................................................................... 80

Testing the installation .................................................................... 81


Communicating with the SMTP service......................................................... 81
Next steps......................................................................................................... 82
Register your FortiMail unit ......................................................................... 82
Set the date and time .................................................................................. 82
Updating antivirus signatures...................................................................... 83
Additional configuration ............................................................................... 84

Index.................................................................................................. 85

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 5
Contents

FortiMail Version 2.8 Installation Guide


6 06-28000-0234-20060925
Introduction Fortinet Family Products

Introduction
Welcome and thank you for selecting Fortinet products for your real-time network
protection.
The FortiMail Secure Messaging Platform is an integrated hardware and software
solution that provides powerful and flexible antispam, antivirus, email archiving
and logging capabilities to incoming and outgoing email traffic. The FortiMail unit
has reliable and high performance features for detecting and blocking spam
messages and malicious attachments.
Built on the Fortinet award winning FortiOS™ and FortiAsic™ technology, the
FortiMail antivirus technology extends full content inspection capabilities to detect
the most advanced email threats.

Fortinet Family Products


Fortinet offers a family of products that includes both software and hardware
appliances for a complete network security solution including mail, logging and
reporting, network management, and security along with FortiGate Antivirus
Firewalls. For more information on the Fortinet product family, visit the Fortinet
web site at www.fortinet.com/products.

FortiGuard Subscription Services


FortiGuard Subscription Services are security services created, updated and
managed by a global team of Fortinet security professionals. They ensure the
latest attacks are detected and blocked before harming your corporate resources
or infecting your end-user computing devices. These services are created with the
latest security technology and designed to operate with the lowest possible
operational costs.
FortiGuard Subscription Services includes:
• FortiGuard Antivirus Service
• FortiGuard Intrusion Prevention subscription services (IPS)
• FortiGuard Web Filtering
• FortiGuard Antispam Service
• FortiGuard Premier Service
An online virus scanner and virus encyclopedia is also available for your
reference.

FortiAnalyzer
FortiAnalyzer™ provides network administrators with the information they need to
enable the best protection and security for their networks against attacks and
vulnerabilities. The FortiAnalyzer unit features include:
• collects logs from FortiGate devices and syslog devices and FortiClient
• creates hundreds of reports using collected log data

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 7
Fortinet Family Products Introduction

• monitors and reports on network traffic


• scans and reports vulnerabilities
• stores files quarantined from a FortiGate unit
The FortiAnalyzer unit can also be configured as a network analyzer to capture
real-time traffic on areas of your network where firewalls are not employed. You
can also use the unit as a storage device where users can access and share files,
including the reports and logs that are saved on the FortiAnalyzer hard disk.

FortiBridge
FortiBridge™ products are designed to provide enterprise organizations with
continuous network traffic flow in the event of a power outage or a FortiGate
system failure. The FortiBridge unit bypasses the FortiGate unit to make sure that
the network can continue processing traffic. FortiBridge products are easy to use
and deploy, including providing customizable actions a FortiBridge unit takes in
the event of a power outage or FortiGate system failure.

FortiClient
FortiClient™ Host Security software provides a secure computing environment for
both desktop and laptop users running the most popular Microsoft Windows
operating systems. FortiClient offers many features including:
• creating VPN connections to remote networks
• configuring real-time protection against viruses
• guarding against modification of the Windows registry
• virus scanning.
FortiClient also offers a silent installation feature, enabling an administrator to
efficiently distribute FortiClient to several users’ computers with preconfigured
settings.

FortiGate
The FortiGate™ Antivirus Firewalls improve network security, reduce network
misuse and abuse, and help you use communications resources more efficiently
without compromising the performance of your network. FortiGate Antivirus
Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.
The FortiGate Antivirus Firewall is a dedicated, easily managed security device
that delivers a full suite of capabilities which include:
• application-level services such as virus protection and content filtering
• network-level services such as firewall, intrusion detection, VPN and traffic
shaping
The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content
Analysis System (ABACAS™) technology, which leverages breakthrough in chip
design, networking, security and content analysis. The unique ASIC-based
architecture analyzes content and behavior in real-time, enabling key applications
to be deployed right at the network edge where they are most effective at
protecting your networks.

FortiMail Version 2.8 Installation Guide


8 06-28000-0234-20060925
Introduction About the FortiMail units

FortiManager
The FortiManager system is designed to meet the needs of large enterprises
(including managed security service providers) responsible for establishing and
maintaining security policies across many dispersed FortiGate installations. With
this system you can configure multiple FortiGate devices and monitor their status.
You can also view real-time and historical logs for the FortiGate devices. The
FortiManager System emphasizes ease of use, including easy integration with
third party systems.

FortiReporter
FortiReporter Security Analyzer software generates easy-to-understand reports
and can collect logs from any FortiGate unit, as well as over 30 network and
security devices from third-party vendors. FortiReporter reveals network abuse,
manages bandwidth requirements, monitors web usage, and ensures employees
are using the office network appropriately. FortiReporter allows IT administrators
to identify and respond to attacks, including identifying ways to proactively secure
their networks before security threats arise.

About the FortiMail units


The FortiMail family of appliances are designed for any business size and
requirement, from a Small Business or Small Office Home Office (SOHO) to larger
businesses, and deliver the same enterprise-class network-based antivirus and
antispam features.

FortiMail-100
The FortiMail-100 is an easy-
to-deploy and
easy-to-administer solution POWER
1 2 3 4
10/100
LINK / ACT

that delivers exceptional value


STATUS

and performance for small


office, home office and branch office applications. The FortiMail-100 delivers
reliable and high performance features to detect, tag, and block spam messages
and their malicious attachments.

FortiMail-400
The FortiMail-400 is
optimized for medium
sized enterprise C O SNO E L U SB 1 0 /1 0 0 1 0 /1 0 0 /1 0 0 0

customers, delivering a
E sc E n et r 1 2 3 4 5 6

wealth of reliable and


high performance features to detect, tag, and block spam messages and their
malicious attachments. The FortiMail-4000 features a high-performance hardened
operating system with RAID storage system for redundancy and supports a rich
set of multi-layered spam detection and filtering technologies with global and per-
user spam policies for maximum configuration flexibility.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 9
About the FortiMail units Introduction

FortiMail-2000
For larger
installations where
higher performance
and better reliability
is required, the 1 2 3 4 CONSOLE

FortiMail-2000
system provides the
same software features as the FortiMail-400, but with a modular chassis with hot
swappable components. Ideal for the most demanding email infrastructures, the
FortiMail-2000 system delivers high performance for large enterprises and service
providers, which includes the performance capability to scan 6.8 million emails per
day, with six hot swappable disk drives with RAID for disk redundancy, and
redundant power supplies and fans. Four 10/100/1000 Base-T interfaces,
provides the flexibility to connect into many corporate or service provider
environments.

FortiMail-4000
For larger
installations where
higher performance
and better reliability
is required, the
FortiMail-4000
system provides the same software features as the FortiMail-2000. Ideal for the
most demanding email infrastructures, the FortiMail-4000 system delivers high
performance for large enterprises and service providers, which includes the
performance capability to scan 6.8 million emails per day, with 12 hot swappable
disk drives with RAID for disk redundancy, and redundant power supplies and
fans. Two 10/100/1000 Base-T interfaces, provides the flexibility to connect into
many corporate or service provider environments.

FortiMail-4000A
For larger
installations where
higher performance
and better reliability is 1
2
A

required, the
FortiMail-4000A system provides the same software features as the
FortiMail-4000. Ideal for the most demanding email infrastructures, the
FortiMail-4000A system delivers high performance for large enterprises and
service providers, which includes the performance capability to scan 6.8 million
emails per day, with 12 hot swappable disk drives with RAID for disk redundancy,
and redundant power supplies and fans. Two 10/100/1000 Base-T interfaces,
provides the flexibility to connect into many corporate or service provider
environments.

FortiMail Version 2.8 Installation Guide


10 06-28000-0234-20060925
Introduction About this document

About this document


This document explains how to install and configure your FortiMail unit onto your
network.
This document contains the following chapters:
• Installing the FortiMail unit – Describes setting up, and powering on a FortiMail
unit.
• Choosing an Operating Mode – Describes the three modes you can select
from to operate the FortiMail unit.
• Configuring gateway mode – Describes a number of network configuration
scenarios and how to configure the FortiMail unit and network to operate in this
mode.
• Configuring transparent mode – Describes a number of network configuration
scenarios and how to configure the FortiMail unit to operate in this mode.
• Configuring server mode – Describes a number of network configuration
scenarios and how to configure the FortiMail unit and network to operate in this
mode.

Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP
addresses.
• Notes and Cautions are used to provide important information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or
! undesirable results including loss of data or damage to equipment.

Typographic conventions
FortiGate documentation uses the following typographical conventions:

Convention Example
Keyboard input In the Gateway Name field, type a name for the remote VPN
peer or client (for example, Central_Office_1).
Code examples config sys global
set ips-open enable
end
CLI command syntax config firewall policy
edit id_integer
set http_retry_count <retry_integer>
set natip <address_ipv4mask>
end
Document names FortiGate Administration Guide
Menu commands Go to VPN > IPSEC > Phase 1 and select Create New.
Program output Welcome!
Variables <address_ipv4>

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 11
FortiMail documentation Introduction

FortiMail documentation
Information about the FortiMail unit is available from the following guides:
• FortiMail QuickStart Guide
Provides basic information about connecting and installing a FortiMail unit and
configuring the unit for use on your network.
• FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in
Transparent, Gateway, and Server modes, including how to configure the unit,
create profiles and policies, configure antispam and antivirus filters, create
user accounts, configure email archiving, and set up logging and reporting.
• FortiMail Installation Guide
Describes how to set up the FortiMail unit in Transparent, Gateway, and Server
modes. It also provides information on how to use system settings to view
FortiMail unit status and configure how the FortiMail unit connects to your
network and to the Internet.
• FortiMail Online Help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
• FortiMail Webmail Online Help
Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; how to
configure message display preferences, and how to manage quarantined
email.
• FortiMail User Guide for Gateway and Transparent modes
Provides information that the FortiMail end users need to know in order to take
advantage of the services provided by the FortiMail unit in either Gateway or
Transparent mode.
• FortiMail User Guide for Server mode
Provides information that the FortiMail end users need to know in order to take
advantage of the services provided by the FortiMail unit in Server mode.

Fortinet Knowledge Center


Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to
articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at
http://kc.forticare.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.

FortiMail Version 2.8 Installation Guide


12 06-28000-0234-20060925
Introduction Customer service and technical support

Please visit the Fortinet Technical Support web site at http://support.fortinet.com


to learn about the technical support services that Fortinet provides.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 13
Customer service and technical support Introduction

FortiMail Version 2.8 Installation Guide


14 06-28000-0234-20060925
Installing the FortiMail unit Package contents

Installing the FortiMail unit


This section provides information on unpacking and connecting the FortiMail unit
to your network. This section includes the following topics:
• Package contents
• Connecting the FortiMail unit
• Connecting to the FortiMail unit
• LCD front control buttons

Package contents
Review the contents of your FortiMail package to ensure all components are
included.

FortiMail-100
The FortiMail-100 package contains the following items:
• FortiMail-100 unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one DB-9 serial null-modem console cable (Fortinet part number CC300247)
• FortiMail-100 QuickStart Guide
• one power cable
• Fortinet Tools and Documentation CD

Figure 1: FortiMail 100 package contents

Front
Ethernet Cables:
Orange - Crossover
Grey - Straight-through
1 2 3 4
POWER 10/100
STATUS LINK / ACT

Power LED
Status LED Interface
status LEDs Power Cable Power Supply

Back Null-Modem Cable


(RS-232)
USB

4 3 2 1
DC+12V

QuickStart Guide

1 2 3 4
POWER 10/100
STATUS LINK / ACT

FortiMail-100

USB
Copyright 2006 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.

Power Internal Interface, (future) Documentation


Connection switch connectors
RS-232 Serial 1,2,3,4
Connection

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 15
Package contents Installing the FortiMail unit

Mounting
The FortiMail-100 unit can be installed as a free-standing appliance on any stable
surface.
Table 1: Technical Specifications

Dimensions 2 x 3.25 x 6.75 in. (5 x 8.3x 17cm)


Weight 4.4 lb. (2 kg)
Power AC input voltage: 100 to 240 VAC
requirements AC input current: 0.8A max
Frequency: 50 to 60Hz

Table 2: FortiMail-100 unit LED indicators

LED State Description


Power On The FortiMail unit is powered on.
Off The FortiMail unit is powered off.
Status On The FortiMail unit is running normally.
10/100 On The interface is connected at 100Mbps.
Off The interface is connected at 10 Mbps.
Link/Act Flashing Network activities on the FortiMail unit.
On Interface connected.

FortiMail Version 2.8 Installation Guide


16 06-28000-0234-20060925
Installing the FortiMail unit Package contents

FortiMail-400
The FortiMail-400 package contains the following items:
• FortiMail-400 unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one RJ-45 to DB-9 serial console cable (Fortinet part number CC300302)
• FortiMail-400 QuickStart Guide
• one power cable
• Fortinet Tools and Documentation CD
• two 19-inch rack mount brackets

Figure 2: FortiMail-400 package contents

Ethernet Cables:
Front Orange - Crossover
- Grey - Straight-through
CONSOLE USB 10/100 10/100/1000
Esc Enter 1 2 3 4 5 6

RJ-45 to
DB-9 Console Cable
USB Port 1 Port 3 Port 5
LCD Control Power (Future use)
Port 2 Port 6
Buttons LED
Port 4
RJ-45 Console Power Cable

Back
Rack-Mount Brackets

QuickStart Guide

Power Power
CONSOLE USB 10/100 10/100/1000
Esc Enter 1 2 3 4 5 6

FortiMail-400
Switch Connection
Copyright 2006 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.

Documentation

Mounting
The FortiMail-400 unit can be mounted in a standard 19-inch rack. It requires
1 U of vertical space in the rack. The FortiMail-400 unit can also be installed as a
free-standing appliance on any stable surface.
Table 3: Technical Specifications

Dimensions 1.75 x 17 x 12.5 in. (4.4 x 43.2 x 31.8 cm)


Weight 11.9 lb. (5.4 kg)
Power AC input voltage: 100 to 240 VAC
requirements AC input current: 2.6A
Frequency: 50 to 60Hz

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 17
Package contents Installing the FortiMail unit

Table 4: FortiMail-400 unit LED indicators

LED State Description


Power On The FortiMail unit is powered on.
Off The FortiMail unit is powered off.
Port 1 Amber The correct cable is in use, and the connected equipment has
to 6 power.
Flashing amber Network activity at this interface.
Green Connected at up to 100 Mbps.
Off No link established.

FortiMail-2000
The FortiMail-2000 package contains the following items:
• FortiMail-2000 unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one RJ-45 to DB-9 serial console cable (Fortinet part number CC300302)
• FortiMail-2000 QuickStart Guide
• two power cables
• Fortinet Tools and Documentation CD
• chassis mounting kit for 19-inch rack mount brackets

Figure 3: FortiMail 2000 package contents


Front
Ethernet Cables:
LCD Orange - Crossover
Grey - Straight-through
Power
LEDs
Control
Buttons RJ-45 to
1 2 3 4 CONSOLE DB-9 Serial Cable
USB
(Future use)
Port 1 Port 3 Power Cables
Hard Disks (6) Port 2 RJ-45 Console
Port 4

Back
Rack-Mount Brackets

QuickStart Guide

1 2 3 4 CONSOLE

FortiMail-2000

Copyright 2006 Fortinet Incorporated. All rights reserved.


Trademarks
Products mentioned in this document are trademarks.

Power Power (backup) Documentation

Mounting
The FortiMail-2000 unit can be mounted in a standard 19-inch rack. It requires
2 U of vertical space in the rack. The FortiMail-2000 unit can also be installed as a
free-standing appliance on any stable surface.

FortiMail Version 2.8 Installation Guide


18 06-28000-0234-20060925
Installing the FortiMail unit Package contents

Table 5: Technical Specifications

Dimensions 5 x 17 x 26.6 in. (12.2 x 43.2 x 67.6 cm)


Weight 20.9 lb. (9.5 kg)
Power Power dissipation: 360W (max.)
requirements AC input voltage: 100 to 240 VAC
AC input current: 9A max
Frequency: 50 to 60Hz

Table 6: FortiMail-2000 unit LED indicators

LED State Description


Power On The FortiMail unit is powered on.
Off The FortiMail unit is powered off.
Port 1 Amber The correct cable is in use, and the connected equipment has
to 6 power.
Flashing amber Network activity at this interface.
Green All ports connected at up to 1000 Mbps.
Off No link established.

FortiMail-4000
The FortiMail-4000 package contains the following items:
• FortiMail-4000 unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one DB-9 serial console cable (Fortinet part number CC300302)
• FortiMail-4000 QuickStart Guide
• one power cable
• Fortinet Tools and Documentation CD
• chassis mounting kit for 19-inch rack mount brackets

Ethernet Cables:
Front
Orange - Crossover
Grey - Straight-through

Null-Modem Cable
(RS-232)
Back

Power Cable

UID

QuickStart Guide
Power
Serial Connection Connection FortiMail-4000

Copyright 2006 Fortinet Incorporated. All rights reserved.


Trademarks

Ethernet Connections Products mentioned in this document are trademarks.

Documentation

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 19
Package contents Installing the FortiMail unit

Table 7: Technical Specifications


Dimensions 5 x 17 x 26.6 in. (12.2 x 43.2 x 67.6 cm)
Weight 20.9 lb. (9.5 kg)
Power Power dissipation: 360W (max.)
requirements AC input voltage: 100 to 240 VAC
AC input current: 9A max
Frequency: 50 to 60Hz

Mounting
The FortiMail-4000 unit can be mounted in a standard 19-inch rack. It requires
2 U of vertical space in the rack. The FortiMail-4000 unit can also be installed as a
free-standing appliance on any stable surface.
Table 8: Technical Specifications
Dimensions 19 x 27 x 3.5in. (48.3 x 68.6 x 8.9 cm)
Weight 68 lb. (30.8 kg)
Power Power dissipation: 360W (max.)
requirements AC input voltage: 100 to 240 VAC
AC input current: 9A max
Frequency: 50 to 60Hz

FortiMail-4000A
The FortiMail-4000A package contains the following items:
• FortiMail-4000A unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one DB-9 serial console cable (Fortinet part number CC300302)
• FortiMail-4000A QuickStart Guide
• one power cable
• Fortinet Tools and Documentation CD
• chassis mounting kit for 19-inch rack mount brackets

Front Ethernet Cables:


Orange - Crossover
Grey - Straight-through

1
2
A
Null-Modem Cable
(RS-232)
Back

Power Cable

Power QuickStart Guide

Connections USB
1
2
A

Ethernet Connections FortiAnalyzer-4000A

Copyright 2006 Fortinet Incorporated. All rights reserved.


Trademarks
Products mentioned in this document are trademarks.

Serial Connection
Documentation

FortiMail Version 2.8 Installation Guide


20 06-28000-0234-20060925
Installing the FortiMail unit Connecting the FortiMail unit

Mounting
The FortiMail-4000A unit can be mounted in a standard 19-inch rack. It requires
2 U of vertical space in the rack. The FortiMail-4000A unit can also be installed as
a free-standing appliance on any stable surface.
Table 9: Technical Specifications

Dimensions 19 x 27 x 3.5in. (48.3 x 68.6 x 8.9 cm)


Weight 68 lb. (30.8 kg)
Power Power dissipation: 360W (max.)
requirements AC input voltage: 100 to 240 VAC
AC input current: 9A max
Frequency: 50 to 60Hz

Connecting the FortiMail unit


You can install the FortiMail unit as a free-standing appliance on any stable
surface. You can also mount the FortiMail-400, FortiMail-2000 and FortiMail-
4000/4000A into a rack unit.

Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C)
If you install the FortiMail unit in a closed or multi-unit rack assembly, the
operating ambient temperature of the rack environment may be greater than
room ambient temperature. Therefore, make sure to install the equipment in
an environment compatible with the manufacturer's maximum rated ambient
temperature.
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 95% non-condensing
Note: The FortiMail unit may overload your supply circuit and impact your surge protection
and supply wiring. Use appropriate equipment nameplate ratings to address this concern.
Make sure that the FortiMail unit has reliable grounding. Fortinet recommends direct
connections to the branch circuit.

Air flow
• For rack installation, make sure that the amount of air flow required for safe
operation of the equipment is not compromised.
• For free-standing installation, make sure that the appliance has at least 1.5 in.
(3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Mechanical loading
You can mount the FortiMail-400, FortiMail-2000 and FortiMail-4000/4000A in a
standard 19-inch rack. The FortiMail-400 requires 1U of vertical space and the
FortiMail-2000, FortiMail-4000/4000A requires 2U of vertical space in the rack.
For rack installation, ensure an even mechanical loading of the FortiMail-400,
FortiMail-2000, FortiMail-4000/4000A to avoid a hazardous condition.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 21
Connecting the FortiMail unit Installing the FortiMail unit

Powering on the FortiMail unit


To power on the FortiMail unit
1 Place the unit on a stable surface, or in a 19-inch rack unit.
2 Make sure the power of the unit is turned off.
3 Connect the network cable to the Port 1 interface.
4 Connect the power cable to a power outlet.
Turn on the power switch (FortiMail-400).

Powering off
Always shut down the FortiMail operating system properly before turning off the
power switch or disconnecting the power.
1 Go to System > Status.
2 In the System Command area, select Shutdown, or from the CLI, enter:
execute shutdown
3 Disconnect the power supply.

FortiMail Version 2.8 Installation Guide


22 06-28000-0234-20060925
Installing the FortiMail unit Connecting to the FortiMail unit

Connecting to the FortiMail unit


There are three methods of connecting and configuring the basic FortiMail
settings:
• the web-based manager
• the front control buttons and LCD (FortiMail-400 and FortiMail-2000)
• the command line interface (CLI)

Web-based manager
You can configure and manage the FortiMail unit using HTTP or a secure HTTPS
connection from any computer running Microsoft Internet Explorer 6.0 or recent
browser.
You can use the web-based manager to configure most FortiMail settings, and
monitor the status of the FortiMail unit.

Front control buttons and LCD


You can use the front control buttons and LCD on the FortiMail-400 and
FortiMail-2000 to configure IP addresses, default gateways and switch operating
modes. The LCD shows you what mode you are in without having to go to the
command line interface or the web-based manager. For more information on the
front control buttons and LCD, see “LCD front control buttons” on page 26.

Command line interface


You can access the FortiMail command line interface (CLI) by connecting a
management computer serial port to the FortiMail serial console connector. You
can also use Telnet or an SSH connection to connect to the CLI from any network
that is connected to the FortiMail unit, including the Internet.

Connecting to the web-based manager


Use the following procedure to connect to the web-based manager for the first
time. Configuration changes made with the web-based manager are effective
immediately, without resetting the firewall or interrupting service.
To connect to the web-based manager, you require:
• a computer with an Ethernet connection
• Microsoft Internet Explorer version 6.0 or higher or any recent version of most
popular web browser
• a crossover Ethernet cable or an Ethernet hub with two Ethernet cables

To connect to the web-based manager


1 Set the IP address of the computer with an Ethernet connection to the static IP
address 192.168.1.2 with a netmask of 255.255.255.0.
2 Using the crossover cable or the Ethernet hub and cables, connect the internal
interface of the FortiMail unit to the computer Ethernet connection.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 23
Connecting to the FortiMail unit Installing the FortiMail unit

3 Start Internet Explorer and browse to the address https://192.168.1.99.


(remember to include the “s” in https://)
To support a secure HTTPS authentication method, the FortiMail unit ships with a
self-signed security certificate, and is offered to remote clients whenever they
initiate a HTTPS connection to the FortiMail unit. When you connect, the FortiMail
unit displays two security warnings in the browser.
The first warning prompts you to accept and optionally install the FortiMail unit’s
self-signed security certificate. If you do not accept the certificate, the FortiMail
unit refuses the connection. If you accept the certificate, the FortiMail login page
appears. The credentials entered are encrypted before they are sent to the
FortiMail unit. If you choose to accept the certificate permanently, the warning is
not displayed again.
Just before the FortiMail login page is displayed, a second warning informs you
that the FortiMail certificate distinguished name differs from the original request.
This warning occurs because the FortiMail unit redirects the connection. This is an
informational message. Select OK to continue logging in.

Figure 4: FortiMail login

4 Type admin in the Name field and select Login.

System Dashboard
After logging into the web-based manager, the web browser displays the system
dashboard. The dashboard provides you with all system status information in one
location.

FortiMail Version 2.8 Installation Guide


24 06-28000-0234-20060925
Installing the FortiMail unit Connecting to the FortiMail unit

Figure 5: System dashboard for the FortiMail-400

The dashboard includes the following information:


• System Status – displays the up time, system time and capacity of the log and
mailbox disks.
• Unit Information – displays the operating system information including the
unit’s serial number and firmware build. Use this area to update the firmware,
and antivirus definitions or change the operating mode.
• System Settings – enables you to backup and restore the configuration
settings for the FortiMail unit.
• System Resources – displays and enables you to monitor the use of resources
for the unit including CPU, memory and mailbox usage.
• System Command – provides quick access to restarting or shutting down the
FortiMail unit.

Command line interface


You can access the FortiMail command line interface (CLI) by connecting a
management computer serial port to the FortiGate serial console connector. You
can also use Telnet or an SSH connection to connect to the CLI from any network
that is connected to the FortiMail unit, including the Internet.

Connecting to the CLI


As an alternative to the web-based manager, you can install and configure the
FortiGate unit using the CLI. Configuration changes made with the CLI are
effective immediately, without resetting the firewall or interrupting service.
To connect to the FortiMail CLI you require:
• a computer with an available communications port
• the DB-9 or RJ-45 to DB-9 cable included in your FortiMail package
• terminal emulation software such as HyperTerminal for Microsoft Windows

Note: The following procedure uses Microsoft Windows HyperTerminal software. You can
apply these steps to any terminal emulation program.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 25
LCD front control buttons Installing the FortiMail unit

To connect to the CLI


1 Connect the console cable to the communications port of your computer and to
the FortiMail console port.
2 Start HyperTerminal, enter a name for the connection and select OK.
3 Configure HyperTerminal to connect directly to the communications port on your
computer and select OK.
4 Select the following port settings and select OK:
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None

5 Press Enter to connect to the FortiMail CLI.


The login prompt appears.
6 Type admin and press Enter twice.
The following prompt is displayed:
Welcome!
Type ? to list available commands. For information about how to use the CLI, see
the CLI chapter of the FortiMail Administration Guide.

LCD front control buttons


You can use the front control buttons and LCD to configure the basic settings on
your FortiMail unit. This configuration method provides an easy and fast method to
configure your FortiMail unit. You can configure:
• IP addresses
• netmasks
• default gateways
• operating modes
• restore factory default settings
The front control buttons control how you enter and exit the different menus when
configuring the different ports and interfaces. The front control buttons also
enables you to increase or decrease each number for configuring IP addresses,
default gateway addresses, or netmasks. The following table defines each button
and what it does when configuring the basic settings of your FortiMail unit.

FortiMail Version 2.8 Installation Guide


26 06-28000-0234-20060925
Installing the FortiMail unit LCD front control buttons

Table 10: Front control button definitions

Enter Enables you to move forward through the configuration process.


Esc Enables you to move backward, or exit out of the menu you are in.
Up Allows you to increase the number for an IP address, default gateway address
or netmask.
Down Allows you to decrease the number for an IP address, default gateway
address or netmask.

Using the front control buttons and LCD


When the LCD displays the main menu, you can begin to configure the IP
addresses, netmasks, default gateways, and if required, change the operating
mode.

Setting the IP address and default gateway


Use the following procedure to set the IP address of the FortiMail unit.

To enter an IP address
1 Press Enter to select the interfaces.
2 Press the up and down buttons to highlight the interface you want to configure an
IP address for, and then press Enter.
3 Press Enter for the IP address.
4 Press the up and down buttons to increase or decrease the number.
5 Press Enter to select the number.
6 Repeat steps 4 and 5 for all numbers of the IP address.
Use the above steps to configure the netmasks.

To enter a default gateway


1 Press Enter to select the interfaces.
2 Press the down button to highlight Default Gateway.
3 Press Enter for the IP address.
4 Press the up and down buttons to increase or decrease the number.
5 Press Enter to select the number.

Changing the operating mode


Use the following procedure to change the operating mode of the FortiGate unit.

To change the operating mode


1 Make sure the LCD displays the main menu setting.
2 Press Enter to select the interfaces.
3 Press the down button to highlight the menu To <mode> mode, where mode is the
modes listed on the LCD.
4 Press Enter to change the mode.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 27
LCD front control buttons Installing the FortiMail unit

Resetting factory defaults


You can reset to factory defaults for your FortiMail unit by using the following
procedure.

To reset to factory defaults


1 Make sure the LCD displays the main menu setting.
2 Press Enter to go to the interfaces.
3 Press the down arrow to highlight the menu Restore Defaults.
4 Press Enter.
The FortiMail unit resets to factory default settings. This may take a few minutes.

FortiMail Version 2.8 Installation Guide


28 06-28000-0234-20060925
Choosing an Operating Mode

Choosing an Operating Mode


This section outlines the operation modes available for the FortiMail unit. The
FortiMail unit can run in one of three modes:
• Gateway mode
• Transparent mode
• Server mode.
Of the three modes, Server mode functions very differently from Gateway and
Transparent mode. With Server mode, the FortiMail unit is the email server as
well as the means of scanning the email traffic.
With Gateway and Transparent mode, the FortiMail unit sits between the firewall
and email server and acts as a filter for email passing through it. Depending on
how you choose to deploy the FortiMail unit, determines which of these modes
best suits your environment.
For all modes, the FortiMail unit scans email traffic for viruses and spam, and can
quarantine suspicious email and attachments.
This section contains the following topics:
• Gateway mode
• Transparent mode
• Server mode

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 29
Gateway mode Choosing an Operating Mode

Gateway mode
In gateway mode the FortiMail acts as a fully functional mail relay server. Gateway
mode does not provide local mailboxes but does provide a web user interface for
managing spam filters (black/white list), Auto White Lists, and per-user Bayesian
database management.
In Gateway mode, the FortiMail unit receives incoming email messages, scans for
viruses and spam, then passes (relays) the email to the email server for delivery.
In this mode, the FortiMail unit can effectively protect your email server as your
email server is not visible to outside users. The FortiMail unit can also archive
email for backup and monitoring purposes.
The FortiMail unit integrates into your existing network with only minor changes to
your network configuration. You must also change your MX record to route
incoming email to the FortiMail unit for scanning.

Figure 6: Gateway mode topology

Mail Users
(POP3/IMAP/Web Mail)

Hub
Mail Server Internet

Gateway Mode

For example, an ISP deploys a FortiMail unit to protect their customers’ mail
servers. Many customers do not want their mail servers to be visible to external
users for security reasons. Therefore, the ISP installs the FortiMail unit in
Gateway mode to satisfy the need of the customers.
The ISP takes advantage of the Gateway mode deployment flexibility and places
the FortiMail unit in the DMZ, while keeping the email server safe behind the
firewall.
For sample configuration information, see the chapter “Configuring gateway
mode” on page 33.

FortiMail Version 2.8 Installation Guide


30 06-28000-0234-20060925
Choosing an Operating Mode Transparent mode

Transparent mode
In Transparent mode, the FortiMail unit acts as a bridge, providing seamless
integration into existing network environments. In Transparent mode, the FortiMail
unit provides a flexible and versatile email scanning solution.
You can place the FortiMail unit in front of the existing email server without any
changes to the existing network topology. This means that all of the FortiMail
interfaces are on the same subnet.
Transparent mode also provides a web user interface for managing spam filters
(black/white list), Auto White Lists, and per-user Bayesian database
management.

Figure 7: Transparent mode topology

Transparent mode

Internet
Router

Mail Server

Mail Users
(POP3/IMAP/Web Mail)

For example, a company wants to install a FortiMail unit to protect its mail server.
The company installs the FortiMail unit in Transparent mode to avoid changing its
MX record to route email to the FortiMail unit, and to simply act as a filter for spam
and virus related email.
With this mode, the company’s end users do not need to change the mail server
setting on their email client. The company also wants its mail server to be visible
to the users to increase the company’s popularity.
For sample configuration information, see the chapter “Configuring transparent
mode” on page 53.

Server mode
In server mode the FortiMail unit is a fully functional SMTP, IMAP, POP3 mail
server with local mail boxes and an optional WebMail user interface. In addition,
the FortiMail Server provides antivirus, antispam, email archiving, and logging
and reporting services.
For sample configuration information, see the chapter “Configuring server mode”
on page 63.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 31
Server mode Choosing an Operating Mode

FortiMail Version 2.8 Installation Guide


32 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway behind a firewall

Configuring gateway mode


This section describes how to configure a FortiMail unit to operate in Gateway
mode. In Gateway mode the FortiMail acts as a fully functional mail relay server.
The FortiMail unit receives incoming email messages, scans for viruses and
spam, then passes (relays) the email to the email server for delivery.
This section describes common deployment options for a FortiMail unit running in
Gateway mode. Use these deployment and configuration examples to install the
FortiMail unit on your network, or use them as a guide for your own network
topology. Additional configuration information and details are available in the
Fortimail Administration Guide.
All examples use a FortiGate firewall device. If you are using an alternate firewall
appliance, consult the appliance’s documentation for completing similar
configurations.
This section includes the following:
• FortiMail Gateway behind a firewall
• FortiMail Gateway in front of a firewall
• FortiMail Gateway in the DMZ
• Testing and next steps

FortiMail Gateway behind a firewall


The FortiMail unit is positioned behind a FortiGate firewall. With the FortiMail unit
set up this way, the firewall blocks any attacks on the FortiMail unit and the email
server.

Figure 8: FortiMail Gateway behind firewall

Email Server

Switch
Internal External Internet

Router
Firewall

DNS Server

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 33
FortiMail Gateway behind a firewall Configuring gateway mode

Configuring the network settings


Use the following table to gather the information you need to customize the
Gateway mode settings.
Table 11: Gateway mode settings

Administrator Password:
IP: _____._____._____._____
Port 1
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 2
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 3
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 4
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 5
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 6
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the
network from which you will manage the Fortimail unit. Add a
Network settings default gateway if the FortiMail unit must connect to a router to
reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP or PPPoE, if the network supports it.

Switching to gateway mode


Use the web-based manager to complete the configuration of the FortiMail unit.
You can continue to use the web-based manager for all FortiMail settings.
For more information about connecting to the web-based manager, see
“Connecting to the web-based manager” on page 23.
Before you being configuring the FortiMail unit, ensure the mode is in Gateway
mode. To verify, go to System > Status and check the Operation Mode.

FortiMail Version 2.8 Installation Guide


34 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway behind a firewall

To change the operation mode


1 Go to System > Status.
2 Select Change for the Operation Mode.
3 Select Gateway from the list and select OK.

Configuring a static IP address


To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface that you are connecting to manage
the FortiMail unit, you must reconnect to the web-based manager using the new
IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a DHCP
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if required
to configure them manually.

To configure an interface for DHCP


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP.
4 If required, select Retrieve default gateway and DNS from server to disable this
option.
5 Select OK.

Configuring an interface for PPPoE


You can configure any FortiMail interface to acquire its IP address from a PPPoE
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a PPPoE request.
By default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the PPPoE server. You can disable this option if
required to configure them manually.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 35
FortiMail Gateway behind a firewall Configuring gateway mode

To configure an interface for PPPoE


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 If required, select Retrieve default gateway and DNS from server to disable this
option.
6 Select OK.

Configuring DNS
You need to configure DNS server addresses so that FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.

To add DNS server IP addresses


1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP or PPPoE, the FortiMail unit configures a default route
automatically.
The gateway address for the route is on the same network as port 1.
You need to configure additional routes if any of your email servers are on a
different subnet. The gateway you specify is the address of the next hop router
that connects to the required network.

To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings to have this relay occur.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.

FortiMail Version 2.8 Installation Guide


36 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway behind a firewall

To configure the basic email system settings


1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:

Host Name Enter the name for the FortiMail unit.


Local Domain Name Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
Relay Server Name Enter a relay server name if your ISP provides a relay email
server.
SMTP Server Port Enter the SMTP port number. The default SMTP port number
Number is 25.
SMTP over SSL/TLS Enable to accept SSL/TLS encrypted email from servers that have
enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP
server receives plain text email.
SMTPS Server Port The default port number is 465. This allows the encrypted SMTP
Number traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.

Configuring MX records to route incoming email


In order to route incoming email through the FortiMail unit for scanning, you need
to register a fully qualified domain name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
Route incoming email to the FortiMail unit by changing the MX record to point to
the FortiMail domain rather than the email server.
For example, using the information from the table below, change the existing MX
record currently pointing to the email server, to the FortiMail unit.

Email server mail.exampledom.com


Current MX record IN MX <n> mail.exampledom.com
FortiMail hostname fm.exampledom.com
FortiMail IP address 172.16.15.2

Change the existing MX record for mail.exampledom.com to point to the


FortiMail unit. For example:
IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

Configuring the firewall


Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.

With the FortiMail unit behind the FortiGate firewall, you must configure firewall
policies to ensure that incoming SMTP traffic goes to the FortiMail Gateway
before reaching the email server.
To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for
the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, the
FortiGate unit automatically directs the message to the internal IP address of the
FortiMail unit.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 37
FortiMail Gateway behind a firewall Configuring gateway mode

This allows the FortiMail unit to perform antivirus scanning, antispam filtering, and
email archiving on the SMTP traffic.

How Virtual IPs work


Virtual IP (VIP) addresses enable users from outside a private network to access
services inside that network. Under normal circumstances, this is not possible
because Internet routers generally do not connect to private IP addresses. For
example, a user on the Internet is not able to send an email directly to the
FortiMail unit on a company internal network. However, you can configure the
FortiGate unit to allow an email message to a company employee to reach the
FortiMail unit on a private network from the Internet.
The packets sent from the client computer have a source IP of 192.168.37.55 and
a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its
external interface. The virtual IP settings indicate a mapping from 192.168.37.4 to
10.10.10.42 so the packets' addresses are changed. The source address is
changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The
FortiGate unit makes a note of this translation in the firewall session table it
maintains internally. The packets are then sent on their way and arrive at the
server computer.
Note that the FortiGate unit must be in NAT/Route mode to add VIPs.
For more information on Virtual IPs, see the FortiGate Administration Guide.

To configure a VIP on a FortiGate unit


1 Got to Firewall > Virtual IP.
2 Select Create New.
3 Complete the following and select OK:

Name Enter a name for the FortiMail unit.


External Interface Select the virtual IP external interface from the list. The external
interface is connected to the source network and receives the
packets to be forwarded to the destination network.
Type Select Static NAT.
External IP Enter the external IP address that you want to map to an address
Address/Range on the destination network.
Mapped IP Enter the real IP address on the destination network to which the
Address/Range external IP address is mapped.

With the VIP established, create a firewall policy to pass traffic from the FortiGate
external interface to the VIP mapping on the internal interface.

To create the firewall policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK:

Source The FortiGate external interface connected to the Internet.


Interface/Zone
Source Address ALL
Name

FortiMail Version 2.8 Installation Guide


38 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway in front of a firewall

Destination The FortiGate internal interface to the network.


Interface/Zone
Destination Address Select the FortiMail name from the list under Virtual IP.
Name
Schedule Select ALWAYS.
Service Select ALL.
Action Select ACCEPT.
Create an outgoing policy that permits the email from the Fortimail unit to pass
through the FortiGate onto the Internet.

To create the firewall policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK:

Source The FortiGate internal interface connected to the network.


Interface/Zone
Source Address Select the FortiMail name from the list under Virtual IP.
Name
Destination The FortiGate external interface connected to the Internet.
Interface/Zone
Destination Address Select ALL.
Name
Schedule Select ALWAYS.
Service Select ALL.
Action Select ACCEPT.

Routing outgoing email to the FortiMail Gateway


The FortiMail unit is now configured to receive incoming email, scan and send to
the recipient as required. You must also configure the email environment so that
the FortiMail unit scans outgoing email, whether its destined for an internal user or
a user on the Internet.
To enable this, you must configure the email client of the user to send email
messages to the FortiMail unit. When the FortiMail unit receives the email
message, it scans the message for viruses or spam and routes the message to it
next destination.
To configure a email client to send email to the FortiMail unit, in the email client,
configure the outgoing mail server (SMTP) to be the FortiMail unit.

FortiMail Gateway in front of a firewall


The FortiMail unit is positioned in front of the firewall. With the FortiMail unit set up
this way, if the FortiMail gateway is compromised by attacks, the email server and
the internal network are not affected. The FortiMail unit however is not protected
by the firewall.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 39
FortiMail Gateway in front of a firewall Configuring gateway mode

Figure 9: FortiMail Gateway in front of firewall

Email Server

Internal
External Switch
Internet

Router
Firewall

DNS Server

Configuring the network settings


Use the following table to gather the information you need to customize the
Gateway mode settings.
Table 12: Gateway mode settings

Administrator Password:
IP: _____._____._____._____
Port 1
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 2
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 3
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 4
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 5
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 6
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the
network from which you will manage the Fortimail unit. Add a
Network settings default gateway if the FortiMail unit must connect to a router to
reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.

FortiMail Version 2.8 Installation Guide


40 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway in front of a firewall

Assign a static IP address or configure the interface for dynamic IP address


assignment using DHCP or PPPoE, if the network supports it.

Switching to gateway mode


Use the web-based manager to complete the configuration of the FortiMail unit.
You can continue to use the web-based manager for all FortiMail settings.
For more information about connecting to the web-based manager, see
“Connecting to the web-based manager” on page 23.
Before you being configuring the FortiMail unit, ensure the mode is in Gateway
mode. To verify, go to System > Status and check the Operation Mode.

To change the operation mode


1 Go to System > Status.
2 Select Change for the Operation Mode.
3 Select Gateway from the list and select OK.

Configuring a static IP address


To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a DHCP
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if required
to configure them manually.

To configure an interface for DHCP


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP.
4 If required, select Retrieve default gateway and DNS from server to disable this
option.
5 Select OK.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 41
FortiMail Gateway in front of a firewall Configuring gateway mode

Configuring an interface for PPPoE


You can configure any FortiMail interface to acquire its IP address from a PPPoE
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a PPPoE request.
By default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the PPPoE server. You can disable this option if
required to configure them manually.

To configure an interface for PPPoE


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 If required, select Retrieve default gateway and DNS from server to disable this
option.
6 Select OK.

Configuring DNS
You need to configure DNS server addresses so that FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.

To add DNS server IP addresses


1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP or PPPoE, the FortiMail unit configures a default route
automatically.
The gateway address is the IP address of the router that connects to the Internet.

To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route or select Modify to change the default.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

FortiMail Version 2.8 Installation Guide


42 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway in front of a firewall

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.

To configure the basic email system settings


1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:

Host Name Enter the name for the FortiMail unit.


Local Domain Name Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
Relay Server Name Enter a relay server name if your ISP provides a relay email
server.
SMTP Server Port Enter the SMTP port number. The default SMTP port number
Number is 25.
SMTP over SSL/TLS Enable to accept SSL/TLS encrypted email from servers that have
enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP
server receives plain text email.
SMTPS Server Port The default port number is 465. This allows the encrypted SMTP
Number traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.

Configuring MX records to route incoming email


In order to route incoming email through the FortiMail unit for scanning, you need
to register a fully qualified domain name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
Route incoming email to the FortiMail unit by changing the MX record to point to
the FortiMail domain.
For example, using the information from the table below, change the existing MX
record currently pointing to the email server, to the FortiMail unit.

Email server mail.exampledom.com


Current MX record IN MX <n> mail.exampledom.com
FortiMail hostname fm.exampledom.com
FortiMail IP address 172.16.15.2

Change the existing MX record for mail.exampledom.com to point to the


FortiMail unit. For example:
IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

Configuring the firewall


With the FortiMail unit in front of the FortiGate firewall, you must configure policies
and to ensure that incoming SMTP traffic scanned by the FortiMail unit goes to
the email server, and email sent by internal users passes through the firewall for
scanning by the FortiMail unit before sending to the Internet.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 43
FortiMail Gateway in front of a firewall Configuring gateway mode

Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.

Configuring the FortiMail policy


Create a firewall policy that permits all SMTP traffic on port 25 to pass from the
FortiMail unit, through the firewall and direct it to the email server.
First, you must create an address entry for the FortiMail unit and the email server.

To create an address for the FortiMail unit


1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name Enter the name of the FortiMail unit.


Type Select Subnet/IP Range.
Subnet /IP Range Enter the IP address of the FortiMail unit.
Interface Select the interface for the FortiGate unit connected to the
Internet.

To create an address for the email server


1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name Enter the name of the email server.


Type Select Subnet/IP Range.
Subnet /IP Range Enter the IP address of the email server.
Interface Select the interface for the FortiGate unit connected to the
Internet.

Next, create the incoming email firewall policy so the email from the FortiMail goes
to the email server.

To configure the incoming policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the external interface connected to the Internet.


Source Address Select the FortiMail address from the list.
Name
Destination Select the internal interface connected to the network.
Interface/zone
Destination Address Select the Email server from the list.
Name
Schedule Select ALWAYS.

FortiMail Version 2.8 Installation Guide


44 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway in the DMZ

Service Select SMTP.


Action Select ACCEPT.

Configure the user send policy


You also need to add a firewall policy for end users to send email to the FortiMail
unit for scanning before sending an email message over the Internet. Note that
the policy is not using the email server address. All traffic passes through the
FortiMail unit before going through the firewall.

To configure the outgoing policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the internal interface connected to the network.


Source Address Select ALL so that all users can send email messages through the
Name policy.
Destination Select the external interface connected to the Internet.
Interface/zone
Destination Address Select the FortiMail unit from the list.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

Routing outgoing email to the FortiMail Gateway


The firewall and FortiMail unit are now configured to receive incoming email, scan
and send to the recipient as required. You must also configure the email clients so
that the client software sends outgoing email to the FortiMail unit to scan outgoing
email, whether its destined for an internal user or a user on the Internet.
To configure a email client to send email to the FortiMail unit, in the email client,
configure the outgoing mail server (SMTP) to be the FortiMail unit.

FortiMail Gateway in the DMZ


The FortiMail unit is positioned in the DMZ of the firewall appliance. With the
FortiMail unit set up this way, the FortiMail is protected by the firewall, and if the
FortiMail unit is compromised by attacks, the internal network and email server
are not affected.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 45
FortiMail Gateway in the DMZ Configuring gateway mode

Figure 10: FortiMail Gateway in DMZ

Email Server

Internal External
Internet
Switch Router
DMZ

DNS Server

Configuring the network settings


Use the following table to gather the information you need to customize the
Gateway mode settings.
Table 13: Gateway mode settings

Administrator Password:
IP: _____._____._____._____
Port 1
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 2
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 3
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 4
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 5
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 6
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the
network from which you will manage the Fortimail unit. Add a
Network settings default gateway if the FortiMail unit must connect to a router to
reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

FortiMail Version 2.8 Installation Guide


46 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway in the DMZ

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to the DMZ interface of the firewall
appliance. The IP address of Port 1 must be on the same subnet as the DMZ
network and cannot use the same address as another device or computer on the
network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP or PPPoE, if the network supports it.

Switching to gateway mode


Use the web-based manager to complete the configuration of the FortiMail unit.
You can continue to use the web-based manager for all FortiMail settings.
For more information about connecting to the web-based manager, see
“Connecting to the web-based manager” on page 23.
Before you being configuring the FortiMail unit, ensure the mode is in Gateway
mode. To verify, go to System > Status and check the Operation Mode.

To change the operation mode


1 Go to System > Status.
2 Select Change for the Operation Mode.
3 Select Gateway from the list and select OK.

Configuring a static IP address


To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a DHCP
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if required
to configure them manually.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 47
FortiMail Gateway in the DMZ Configuring gateway mode

To configure an interface for DHCP


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP.
4 If required, select Retrieve default gateway and DNS from server to disable this
option.
5 Select OK.

Configuring an interface for PPPoE


You can configure any FortiMail interface to acquire its IP address from a PPPoE
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a PPPoE request.
By default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the PPPoE server. You can disable this option if
required to configure them manually.

To configure an interface for PPPoE


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 If required, select Retrieve default gateway and DNS from server to disable this
option.
6 Select OK.

Configuring DNS
You need to configure DNS server addresses so that FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.

To add DNS server IP addresses


1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP or PPPoE, the FortiMail unit configures a default route
automatically.
The gateway address is the IP address of the firewall interface on the same
network as this FortiMail interface.

FortiMail Version 2.8 Installation Guide


48 06-28000-0234-20060925
Configuring gateway mode FortiMail Gateway in the DMZ

To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route or select Modify to change the default.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.

To configure the basic email system settings


1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:

Host Name Enter the name for the FortiMail unit.


Local Domain Name Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
Relay Server Name Enter a relay server name if your ISP provides a relay email
server.
SMTP Server Port Enter the SMTP port number. The default SMTP port number is
Number 25.
SMTP over SSL/TLS Enable to accept SSL/TLS encrypted email from servers that have
enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP
server receives plain text email.
SMTPS Server Port The default port number is 465. This allows the encrypted SMTP
Number traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.

Configuring MX records to route incoming email


In order to route incoming email through the FortiMail unit for scanning, you need
to register a fully qualified domain name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
Route incoming email to the FortiMail unit by changing the MX record to point to
the FortiMail domain.
For example, using the information from the table below, change the existing MX
record currently pointing to the email server, to the FortiMail unit.
i
Email server mail.exampledom.com
Current MX record IN MX <n> mail.exampledom.com
FortiMail hostname fm.exampledom.com
FortiMail IP address 172.16.15.2

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 49
FortiMail Gateway in the DMZ Configuring gateway mode

Change the existing MX record for mail.exampledom.com to point to the


FortiMail unit. For example:
IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

Configuring the firewall


With the FortiMail unit in the DMZ of the FortiGate firewall, you must configure
policies and to ensure that incoming SMTP traffic scanned by the FortiMail unit
goes to the email server, and email sent by internal users passes through the
firewall for scanning by the FortiMail unit before sending to the Internet.

Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.

Configuring the FortiMail policy


Create a firewall policy that permits all SMTP traffic on port 25 to pass from the
FortiMail unit, through the firewall and direct it to the email server.
First, you must create an address entry for the FortiMail unit and the email server.

To create an address for the FortiMail unit


1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name Enter the name of the FortiMail unit.


Type Select Subnet/IP Range.
Subnet /IP Range Enter the IP address of the FortiMail unit.
Interface Select the DMZ interface on the FortiGate unit.

To create an address for the email server


1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name Enter the name of the email server.


Type Select Subnet/IP Range.
Subnet /IP Range Enter the IP address of the email server.
Interface Select the interface for the FortiGate unit connected to the internal
network.

Next, create the incoming email firewall policy.

To configure the incoming policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

FortiMail Version 2.8 Installation Guide


50 06-28000-0234-20060925
Configuring gateway mode Testing and next steps

Source Interface/zone Select the DMZ interface connected to the FortiMail unit.
Source Address Select the FortiMail address from the list.
Name
Destination Select the internal interface connected to the network.
Interface/zone
Destination Address Select the email server from the list.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

Configure the user send policy


You also need to add a firewall policy for end users to send email to the FortiMail
unit for scanning before sending an email message over the Internet.

To configure the outgoing policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the internal interface connected to the network.


Source Address Select ALL so that all users can send email messages through the
Name policy.
Destination Select the DMZ interface connected to the FortiMail unit.
Interface/zone
Destination Address Select the FortiMail unit from the list.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

Routing outgoing email to the FortiMail Gateway


The firewall and FortiMail unit are now configured to receive incoming email, scan
and send to the recipient as required. You must also configure the email clients so
that the client software sends outgoing email to the FortiMail unit to scan outgoing
email, whether its destined for an internal user or a user on the Internet.
To configure a email client to send email to the FortiMail unit, in the email client,
configure the outgoing mail server (SMTP) to be the FortiMail unit.

Testing and next steps


The configuration is now complete. See the chapter “Testing the installation” on
page 81 for information on testing the installation and the next steps to complete
the installation of your FortiMail unit.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 51
Testing and next steps Configuring gateway mode

FortiMail Version 2.8 Installation Guide


52 06-28000-0234-20060925
Configuring transparent mode Deploying in front of an email server

Configuring transparent mode


This section describes how to configure a FortiMail unit to operate in Transparent
mode. In Transparent mode, the FortiMail unit acts as a bridge, providing
seamless integration into existing network environments as the FortiMail unit
scans email traffic to and from the email server.
Both offer effective email scanning and security. Use these deployment and
configuration examples to install the FortiMail unit on your network, or use them
as a guide for your own network topology. Additional configuration information and
details are available in the Fortimail Administration Guide.
All examples use a FortiGate firewall device. If you are using an alternate firewall
appliance, consult the appliance’s documentation for completing similar
configurations.
This section includes the following:
• Deploying in front of an email server
• Deploying to protect an email hub
• Testing and next steps

Deploying in front of an email server


A common configuration of the FortiMail unit in Transparent mode is to place the
Fortimail unit in front of the mail server. The FortiMail unit scans email travelling to
and from the email server. You can use the FortiMail unit using many of the default
settings and only minor configuration.

Figure 11: Typical FortiMail deployment in Transparent mode

Transparent mode

Internet
Router

Mail Server

Mail Users
(POP3/IMAP/Web Mail)

This section includes the following topics:


• Configuring the network settings
• Configuring the email system settings
• Configuring proxies

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 53
Deploying in front of an email server Configuring transparent mode

Configuring the network settings


Use the following table to gather the information you need to customize
Transparent mode settings.
Table 14: Transparent mode settings
Administrator Password:
Management IP IP: _____._____._____._____
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the
network from which you will manage the Fortimail unit. Add a default
gateway if the FortiMail unit must connect to a router to reach the
management computer.
DNS Settings Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

Changing to Transparent mode


Use the web-based manager to complete the configuration of the FortiMail unit.
You can continue to use the web-based manager for all FortiMail settings.
For more information about connecting to the web-based manager, see
“Connecting to the web-based manager” on page 23.
Before you begin, ensure the FortiMail unit is in Transparent mode. If not, switch
over to this mode.

To switch to Transparent mode


1 Go to System > Status.
2 Select Change beside the Operation Mode.
3 Select Transparent in the Operation Mode list.
4 Select Apply.
The FortiMail unit reboots and resets all configuration to the factory defaults.

Configuring the management IP


In Transparent mode, the FortiMail unit has a management IP address for
administrative access. The FortiMail unit also uses this IP address to connect to
the FDN for virus definition updates.

To configure the management interface


1 Connect to the web-based manager using the default address,
https://192.168.1.99/admin.
2 Go to System > Network > Management IP.
3 Enter the new management IP address and netmask.
4 Select Apply.
Reconnect to the web-based manager using the new management IP address.

FortiMail Version 2.8 Installation Guide


54 06-28000-0234-20060925
Configuring transparent mode Deploying in front of an email server

Configuring DNS
You need to configure DNS server addresses so that FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.

To add DNS server IP addresses


1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
At a minimum, you need to define a route that enables the FortiMail unit to contact
the DNS server. You need to configure additional routes if any of your email
servers are on a different network than the FortiMail unit and the DNS server. The
gateway you specify is the address of the next hop router that connects to the
required network.

To configure FortiMail unit routing


1 Go to System > Network > Routing.
2 Select Create New.
3 Enter the Destination IP, Netmask and Gateway.
4 Select OK.

Configuring the email system settings


The FortiMail unit can scan email for viruses and spam as they come and go to
the email server. You need to configure basic email system settings and email
access permissions so that the email messages pass through the FortiMail unit.

Configuring basic email system settings


Configure the basic email system settings, including host name and domain name
to provide successful email routing.

To configure the basic email system settings


1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:

Host Name Enter the name for the FortiMail unit.


Local Domain Name Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
Relay Server Name Enter a relay server name if your ISP provides a relay email
server.
SMTP Server Port Enter the SMTP port number. The default SMTP port number
Number is 25.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 55
Deploying to protect an email hub Configuring transparent mode

SMTP over SSL/TLS Enable to accept SSL/TLS encrypted email from servers that have
enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP
server receives plain text email.
SMTPS Server Port The default port number is 465. This allows the encrypted SMTP
Number traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.

Configuring domains
Create a domain to define the email server(s) that the FortiMail unit protects. The
FortiMail unit automatically configures email access to allow relaying of email
messages to and from the domain.

To create a domain for your email server


1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the following information and select OK.

Domain FDQN Enter a fully-qualified domain name for the mail server.
Use MX Record Select to use the record from the MX table to define the domain.
When enabled, the SMTP Server and Fallback MX Host are not
available.
SMTP Server Enter the IP address and port of the SMTP server.
Fallback MX Host Enter the IP address and port of the backup SMTP server. This
server is redundant in case of failure of the main SMTP server.
Is Subdomain Select to indicate the domain you are creating is a sub domain of
an existing domain.
Main Domain When selecting Is Subdomain, select the domain from the list.
Verify Recipient Select a method of verifying the email address of the recipient of
Address an incoming email message.
Mail Routing Select to enable mail routing based on the selected LDAP profile.
To configure LDAP profiles, go to Profile > LDAP.
Check AS/AV profile Select to enable antispam and antivirus configurations based on
the selected LDAP profile.
To configure LDAP profiles, go to Profile > LDAP.

Configuring proxies
For a typical Transparent mode installation, the default proxy options are
appropriate. Should you need to modify the proxies, go to Mail Settings >
Proxies to configure the email connections through the ports.

Deploying to protect an email hub


In this configuration, the email servers (Domain “A” and Domain “B”) in each WAN
location are required to send email externally through the head office email server
only. The head office mail server encrypts the outgoing email. The firewall will only
pass SMTP traffic from the headquarters email server.

FortiMail Version 2.8 Installation Guide


56 06-28000-0234-20060925
Configuring transparent mode Deploying to protect an email hub

This configuration requires a modification of the default operation of the FortiMail


unit. By default, the FortiMail unit acts as an SMTP server to relay email, even if
the email client names a domain email server as its SMTP server. With this
configuration, the domain mail servers send email to the hub email server for
encryption. The FortiMail unit must be configured to pass the encrypted email
messages.

Figure 12: FortiMail unit deployed to protect an email hub

Router
WAN
Internet

Port 2
Port 1

Head Office Mail Server


Mail Server Hub Mail Server
Domain “B”
Domain “A”

This section includes the following topics:


• Configuring the network settings
• Configuring the email system settings
• Configuring proxies

Configuring the network settings


Use Table 15 on page 57 to gather the information you need to customize
Transparent mode settings.
Table 15: Transparent mode settings
Administrator Password:
Management IP IP: _____._____._____._____
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the
network from which you will manage the Fortimail unit. Add a default
gateway if the FortiMail unit must connect to a router to reach the
management computer.
DNS Settings Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

Changing to Transparent mode


Use the web-based manager to complete the configuration of the FortiMail unit.
You can continue to use the web-based manager for all FortiMail settings.
For more information about connecting to the web-based manager, see
“Connecting to the web-based manager” on page 23.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 57
Deploying to protect an email hub Configuring transparent mode

Before you begin, ensure the FortiMail unit is in Transparent mode. If not, switch
over to this mode.

To switch to Transparent mode


1 Go to System > Status.
2 Select Change beside the Operation Mode.
3 Select Transparent in the Operation Mode list.
4 Select Apply.
The FortiMail unit reboots and resets all configuration to the factory defaults.

Configuring the management IP


In Transparent mode, the FortiMail unit has a management IP address for
administrative access. The FortiMail unit also uses this IP address to connect to
the FDN for virus definition updates. Configure the management IP

To configure the management interface


1 Connect to the web-based manager using the default address,
https://192.168.1.99/admin.
2 Go to System > Network > Management IP.
3 Enter the new management IP address and netmask.
4 Select Apply.
Reconnect to the web-based manager using the new management IP address.

Configuring DNS
You need to configure DNS server addresses so that FortiMail can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.

To add DNS server IP addresses


1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
At a minimum, you need to define a route that enables the FortiMail unit to contact
the DNS server. You need to configure additional routes if any of your email
servers are on a different network than the FortiMail unit and the DNS server. The
gateway you specify is the address of the next hop router that connects to the
required network.

To configure FortiMail unit routing


1 Go to System > Network > Routing.
2 Select Create New.
3 Enter the Destination IP, Netmask and Gateway.
4 Select OK.

FortiMail Version 2.8 Installation Guide


58 06-28000-0234-20060925
Configuring transparent mode Deploying to protect an email hub

Configuring the email system settings


The FortiMail unit can scan email for viruses and spam as they come and go to
the email server. You need to configure basic email system settings and email
access permissions so that the email messages pass through the FortiMail unit.

Configuring basic email system settings


Configure the basic email system settings, including host name and domain name
to provide successful email routing.

To configure the basic email system settings


1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:

Host Name Enter the name for the FortiMail unit.


Local Domain Name Enter the local domain name. It must be different from the domain
name of the hub email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
Relay Server Name Enter a relay server name if your ISP provides a relay email
server.
SMTP Server Port Enter the SMTP port number. The default SMTP port number
Number is 25.
SMTP over SSL/TLS Enable to accept SSL/TLS encrypted email from servers that have
enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP
server receives plain text email.
SMTPS Server Port The default port number is 465. This allows the encrypted SMTP
Number traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.

Configuring domains
Create a domain to define the email server(s) that the FortiMail unit protects. The
FortiMail unit automatically configures email access to allow relaying of email
messages to and from the domain.

To create a domain for your email server


1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the following information and select OK.

Domain FDQN Enter a fully-qualified domain name for the mail server.
Use MX Record Select to use the record from the MX table to define the domain.
When enabled, the SMTP Server and Fallback MX Host are not
available.
SMTP Server Enter the IP address and port of the SMTP server.
Fallback MX Host Enter the IP address and port of the backup SMTP server. This
server is redundant in case of failure of the main SMTP server.
Is Subdomain Select to indicate the domain you are creating is a sub domain of
an existing domain.
Main Domain When selecting Is Subdomain, select the domain from the list.
Verify Recipient Select a method of verifying the email address of the recipient of
Address an incoming email message.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 59
Deploying to protect an email hub Configuring transparent mode

Mail Routing Select to enable mail routing based on the selected LDAP profile.
To configure LDAP profiles, go to Profile > LDAP.
Check AS/AV profile Select to enable antispam and antivirus configurations based on
the selected LDAP profile.
To configure LDAP profiles, go to Profile > LDAP.
The FortiMail unit must relay all email through the head office email hub; outgoing
and incoming. You must ensure that the FortiMail unit passes the email to the
correct domain email server.
After configuring the domain, edit the domain information to configure additional
settings to make the FortiMail unit transparent to the email servers

To configure the transparent options


1 Go to Mail Settings > Domains.
2 Select the Edit icon for the email domain.
3 Go to the Transparent Mode Options section, configure the following settings and
select OK:

This server is on Select the port connected to the email server hub. In this example,
it is port 1.
Hide the transparent Select to enable the FortiMail unit to hide its presence by using
box the IP address of the domain email server or client as required.
Use the domain Select to relay email to the domain server the email sender
server to deliver the specified WAN domain.
email If not selected, the FortiMail unit relays the email directly to the
email destination domain, which is not desired in this example.

Configuring proxies
This example requires the FortiMail interface to act as a proxy so that the FortiMail
unit can scan email passing through to the email. Also, the email must simply pass
through the FortiMail unit when the hub email server relays an email message to
another domain email server on the network or on the Intranet. It is also important
to prevent SMTP clients using the FortiMail unit itself as an SMTP server. The
proxy settings will enable this flexibility.

To configure SMTP proxy settings


1 Go to Mail Settings > Proxies.
2 Configure the following and select Apply:

Port 1
Incoming SMTP connections are passed through
Outgoing SMTP connections are passed through
Local SMTP connections are allowed
Port 2
Incoming SMTP connections are proxied
Outgoing SMTP connections are proxied
Local SMTP connections are not allowed

FortiMail Version 2.8 Installation Guide


60 06-28000-0234-20060925
Configuring transparent mode Testing and next steps

Testing and next steps


The configuration is now complete. See the chapter “Testing the installation” on
page 81 for information on testing the installation and the next steps to complete
the installation of your FortiMail unit.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 61
Testing and next steps Configuring transparent mode

FortiMail Version 2.8 Installation Guide


62 06-28000-0234-20060925
Configuring server mode FortiMail Server behind a firewall

Configuring server mode


This section describes how to configure a FortiMail unit to operate in Server
mode. In Server mode the FortiMail acts as a fully functional email server.
Use these deployment and configuration examples to install the FortiMail unit on
your network, or use them as a guide for your own network topology. Additional
configuration information and details are available in the Fortimail Administration
Guide.
All examples use a FortiGate firewall device. If you are using an alternate firewall,
consult the appliances documentation for completing similar configurations.
This section includes the following:
• FortiMail Server behind a firewall
• FortiMail Server in front of a firewall
• FortiMail Server in DMZ
• Testing and next steps

FortiMail Server behind a firewall


The FortiMail unit is positioned behind a firewall. With the FortiMail unit set up this
way, the firewall blocks any attacks on the FortiMail unit.

Figure 13: FortiMail Server behind firewall

Switch
Internal External Internet

Router
Firewall

DNS Server

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 63
FortiMail Server behind a firewall Configuring server mode

Configuring the network settings


Use the following table to gather the information you need to customize the Server
mode settings.
Table 16: Gateway modesettings

Administrator Password:
IP: _____._____._____._____
Port 1
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 2
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 3
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 4
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 5
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 6
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the
network from which you will manage the Fortimail unit. Add a
Network settings default gateway if the FortiMail unit must connect to a router to
reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP or PPPoE, if the network supports it.

Switching to server mode


Before you being configuring the FortiMail unit, ensure the mode is in Server
mode. To verify, go to System > Status and check the Operation Mode.

To change the operation mode


1 Go to System > Status.
2 Select Change for the Operation Mode.
3 Select Server from the list and select OK.

FortiMail Version 2.8 Installation Guide


64 06-28000-0234-20060925
Configuring server mode FortiMail Server behind a firewall

Configuring a static IP address


To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface that you are connected to, you must
reconnect to the web-based manager using the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a DHCP
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if required
to configure them manually.

To configure an interface for DHCP


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP.
The FortiMail unit attempts to contact the DHCP server from the interface to set
the IP address, netmask, default gateway IP address, and DNS server IP
addresses.
4 If required, select Retrieve default gateway and DNS from server to disable this
option.
5 Select OK.

Configuring an interface for PPPoE


You can configure any FortiMail interface to acquire its IP address from a PPPoE
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a PPPoE request.
By default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the PPPoE server. You can disable this option if
required to configure them manually.

To configure an interface for PPPoE


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 65
FortiMail Server behind a firewall Configuring server mode

5 If required, select Retrieve default gateway and DNS from server to disable this
option.
By default, this option is enabled.
6 Select OK.
The FortiMail unit attempts to contact the PPPoE server from the interface to set
the IP address, netmask, default gateway IP address, and DNS server IP
addresses.

Configuring DNS and default gateway


You need to configure DNS server addresses and default gateway so that
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your internet service provider.

To add DNS server IP addresses


1 Go to System > Network > Network.
2 Enter the primary and secondary DNS server IP addresses.
3 Enter the default gateway address. The default gateway address will be the
firewall interface on the same network as the Fortimail interface.
4 Select Apply.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.

To configure the basic email system settings


1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:

Host Name Enter the name for the FortiMail unit.


Local Domain Name Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
POP3 Server Port Enter the port number for the POP3 server. The default is 110.
Number
Relay Server Name Enter a relay server name if your ISP provides a relay email
server.
SMTP Server Port Enter the SMTP port number. The default SMTP port number
Number is 25.
SMTP over SSL/TLS Enable to accept SSL/TLS encrypted email from servers that have
enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP
server receives plain text email.

FortiMail Version 2.8 Installation Guide


66 06-28000-0234-20060925
Configuring server mode FortiMail Server behind a firewall

SMTPS Server Port The default port number is 465. You can change it if needed. This
Number allows the encrypted SMTP traffic to pass through the SMTPS
Server Port. SMTP over SSL/TLS must be enabled.
SMTP Authentication Select to enable authentication. When a user logs into the SMTP
server, they require a user name and password.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
• accounting.company.com
• dev.company.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.

To create a local domain


1 Go to System > Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Select Is Subdomain and select the main domain the local domain is a part of.
5 Complete the LDAP authentications if required.
6 Select OK.

Configuring the firewall


With the FortiMail unit behind the FortiGate firewall, you must configure policies
and to ensure that incoming SMTP traffic goes to the FortiMail unit, and outgoing
SMTP traffic passes through the firewall.
To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for
the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, the
FortiGate unit automatically directs the message to the internal IP address of the
FortiMail unit.
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.

Configuring the incoming mail policy


Create a firewall policy that permits all SMTP traffic on port 25 to pass from the
internet to the FortiMail unit.
First, you must create an address entry for the FortiMail unit.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 67
FortiMail Server behind a firewall Configuring server mode

To create an address for the FortiMail unit


1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name Enter the name of the FortiMail unit.


Type Select Subnet/IP Range.
Subnet /IP Range Enter the IP address of the FortiMail unit.
Interface Select the interface for the FortiGate unit connected to the
Internet.

To configure the incoming policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the external interface connected to the Internet.


Source Address Select ALL to enable all incoming email messages.
Name
Destination Select the internal interface connected to the network.
Interface/zone
Destination Address Select the FortiMail unit address from the list.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

Configure the outgoing mail policy


You also need to add a firewall policy for FortiMail unit to send email to the
Internet.

To configure the outgoing policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the internal interface connected to the network.


Source Address Select the FortiMail unit from the list.
Name
Destination Select the external interface.
Interface/zone
Destination Address Select ALL.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

FortiMail Version 2.8 Installation Guide


68 06-28000-0234-20060925
Configuring server mode FortiMail Server in front of a firewall

FortiMail Server in front of a firewall


The FortiMail unit is positioned in front of the firewall. The benefit of this setup is
that if the Server is compromised by attacks, your internal network is not
jeopardized. However, the Server is not protected by the firewall.

Figure 14: FortiMail Server in front of firewall

To Internal
Network
Internal
External Switch
Internet

Router
Firewall

DNS Server

Configuring the network settings


Use the following table to gather the information you need to customize the Server
mode settings.
Table 17: Gateway mode settings

Administrator Password:
IP: _____._____._____._____
Port 1
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 2
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 3
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 4
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 5
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 6
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the
network from which you will manage the Fortimail unit. Add a
Network settings default gateway if the FortiMail unit must connect to a router to
reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 69
FortiMail Server in front of a firewall Configuring server mode

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP or PPPoE, if the network supports it.

Switching to server mode


Before you being configuring the FortiMail unit, ensure the mode is in Server
mode. To verify, go to System > Status and check the Operation Mode.

To change the operation mode


1 Go to System > Status.
2 Select Change for the Operation Mode.
3 Select Server from the list and select OK.

Configuring a static IP address


To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface you are connecting to, you must
reconnect to the web-based manager using the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a DHCP
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if required
to configure them manually.

To configure an interface for DHCP


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP.
The FortiMail unit attempts to contact the DHCP server to set the IP address,
netmask, default gateway IP address, and DNS server IP addresses.
4 If required, select Retrieve default gateway and DNS from server to disable this
option.
5 Select OK.

FortiMail Version 2.8 Installation Guide


70 06-28000-0234-20060925
Configuring server mode FortiMail Server in front of a firewall

Configuring an interface for PPPoE


You can configure any FortiMail interface to acquire its IP address from a PPPoE
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a PPPoE request.
By default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the PPPoE server. You can disable this option if
required to configure them manually.

To configure an interface for PPPoE


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 If required, select Retrieve default gateway and DNS from server to disable this
option.
6 Select OK.

Configuring DNS and default gateway


You need to configure DNS server addresses and default gateway so that
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your internet service provider.

To add DNS server IP addresses


1 Go to System > Network > Network.
2 Enter the primary and secondary DNS server IP addresses.
3 Enter the default gateway address. The default gateway address will be the
address of the router connected to the Internet.
4 Select Apply.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 71
FortiMail Server in front of a firewall Configuring server mode

To configure the basic email system settings


1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:

Host Name Enter the name for the FortiMail unit.


Local Domain Name Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
POP3 Server Port Enter the port number for the POP3 server. The default is 110.
Number
Relay Server Name Enter a relay server name if your ISP provides a relay email
server.
SMTP Server Port Enter the SMTP port number. The default SMTP port number is
Number 25.
SMTP over SSL/TLS Enable to accept SSL/TLS encrypted email from servers that have
enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP
server receives plain text email.
SMTPS Server Port The default port number is 465. This allows the encrypted SMTP
Number traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
SMTP Authentication Select to enable authentication. When a user logs into the SMTP
server, they require a user name and password.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
• accouting.company.com
• dev.company.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.

To create a local domain


1 Go to System > Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Select Is Subdomain and select the main domain the local domain is a part of.
5 Complete the LDAP authentications if required.
6 Select OK.

Configuring the firewall


With the FortiMail unit in front of the FortiGate firewall, you must configure policies
and to ensure that incoming and outgoing SMTP traffic passes through the firewall
to the users on the network. You also need a policy to pass traffic from the users
to the FortiMail unit, which then sends the message on to the Internet.

FortiMail Version 2.8 Installation Guide


72 06-28000-0234-20060925
Configuring server mode FortiMail Server in front of a firewall

Both policies have the internal users as the source of the email traffic. In both
receiving and sending email, the user’s computer initiates the connection to the
FortiMail server, thus starting the communication (the source).
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.

Configuring the incoming mail policy


Create a firewall policy that permits all SMTP traffic from the FortiMail unit to pass
to users on the internal network.
First, you must create an address entry for the FortiMail unit and the email server.

To create an address for the FortiMail unit


1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name Enter the name of the FortiMail unit.


Type Select Subnet/IP Range.
Subnet /IP Range Enter the IP address of the FortiMail unit.
Interface Select the interface for the FortiGate unit connected to the
Internet.

The incoming policy is a POP3 policy that allows users to send requests to the
FortiMail unit for new mail on the FortiMail server.

To configure the incoming policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the internal interface connected to the network.


Source Address Select ALL for all internal users on the internal network.
Name
Destination Select the external interface connected to the Internet or router.
Interface/zone
Destination Address Select the FortiMail unit address from the list.
Name
Schedule Select ALWAYS.
Service Select POP3.
Action Select ACCEPT.

Configure the outgoing mail policy


Add a firewall policy for internal users to send email messages to the FortiMail
mail server for scanning and sending to destinations on the Internet.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 73
FortiMail Server in DMZ Configuring server mode

To configure the outgoing policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the internal interface connected to the network.


Source Address Select ALL for all internal users on the internal network.
Name
Destination Select the external interface connected to the Internet or router.
Interface/zone
Destination Address Select the FortiMail unit address from the list.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

FortiMail Server in DMZ


The FortiMail unit is positioned in the DMZ. The benefit of this setup is that the
FortiMail unit is protected by the firewall, and if the Server is compromised by
attacks, the internal network is not jeopardized.

Figure 15: FortiMail Server in DMZ

To Internal Internal External


Internet
Network
DMZ Router

DNS Server

FortiMail Version 2.8 Installation Guide


74 06-28000-0234-20060925
Configuring server mode FortiMail Server in DMZ

Configuring the network settings


Use the following table to gather the information you need to customize the Server
mode settings.
Table 18: Gateway mode settings

Administrator Password:
IP: _____._____._____._____
Port 1
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 2
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 3
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 4
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 5
Netmask: _____._____._____._____
IP: _____._____._____._____
Port 6
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the
network from which you will manage the Fortimail unit. Add a
Network settings default gateway if the FortiMail unit must connect to a router to
reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP or PPPoE, if the network supports it.

Switching to server mode


Before you being configuring the FortiMail unit, ensure the mode is in Server
mode. To verify, go to System > Status and check the Operation Mode.

To change the operation mode


1 Go to System > Status.
2 Select Change for the Operation Mode.
3 Select Server from the list and select OK.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 75
FortiMail Server in DMZ Configuring server mode

Configuring a static IP address


To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a DHCP
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if required
to configure them manually.

To configure an interface for DHCP


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP.
The FortiMail unit attempts to contact the DHCP server from the interface to set
the IP address, netmask, default gateway IP address, and DNS server IP
addresses.
4 If required, select Retrieve default gateway and DNS from server to disable this
option.
5 Select OK.

Configuring an interface for PPPoE


You can configure any FortiMail interface to acquire its IP address from a PPPoE
server. Your Internet Service Provider (ISP) may provide IP addresses using one
of these protocols.
When configured, the FortiMail unit automatically broadcasts a PPPoE request.
By default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the PPPoE server. You can disable this option if
required to configure them manually.

To configure an interface for PPPoE


1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select PPPoE.

FortiMail Version 2.8 Installation Guide


76 06-28000-0234-20060925
Configuring server mode FortiMail Server in DMZ

4 Enter your PPPoE account User Name and Password.


5 If required, select Retrieve default gateway and DNS from server to disable this
option.
6 Select OK.

Configuring DNS and default gateway


You need to configure DNS server addresses and default gateway so that
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your internet service provider.

To add DNS server IP addresses


1 Go to System > Network > Network.
2 Enter the primary and secondary DNS server IP addresses.
3 Enter the default gateway address. The default gateway address will be the DMZ
address.
4 Select Apply.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.

To configure the basic email system settings


1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:

Host Name Enter the name for the FortiMail unit.


Local Domain Name Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
POP3 Server Port Enter the port number for the POP3 server. The default is 110.
Number
Relay Server Name Enter a relay server name if your ISP provides a relay email
server.
SMTP Server Port Enter the SMTP port number. The default SMTP port number
Number is 25.
SMTP over SSL/TLS Enable to accept SSL/TLS encrypted email from servers that have
enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP
server receives plain text email.
SMTPS Server Port The default port number is 465. This allows the encrypted SMTP
Number traffic to pass through the SMTPS Server Port. You must set
SMTP over SSL/TLS before setting this option.
SMTP Authentication Select to enable authentication. When a user logs into the SMTP
server, they require a user name and password.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 77
FortiMail Server in DMZ Configuring server mode

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
• accouting.company.com
• dev.company.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.

To create a local domain


1 Go to System > Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Select Is Subdomain and select the main domain the local domain is a part of.
5 Complete the LDAP authentications if required.
6 Select OK.

Configuring the firewall


With the FortiMail unit in the DMZ, you must configure policies to ensure that
incoming POP3 and outgoing SMTP traffic passes through the firewall to the
users on the network and so that the FortiMail unit can send and receive SMTP
traffic to and from the Internet.
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.

Configuring the incoming mail policy


Create a firewall policy that permits all SMTP traffic from the Internet to pass
through the firewall and arrive at the FortiMail unit on the DMZ interface.
First, you must create an address entry for the FortiMail unit.

To create an address for the FortiMail unit


1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name Enter the name of the FortiMail unit.


Type Select Subnet/IP Range.
Subnet /IP Range Enter the IP address of the FortiMail unit.
Interface Select DMZ.

FortiMail Version 2.8 Installation Guide


78 06-28000-0234-20060925
Configuring server mode FortiMail Server in DMZ

To configure the incoming policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the external interface connected to the network.


Source Address Select ALL for all external sources on the Internet.
Name
Destination Select the DMZ interface.
Interface/zone
Destination Address Select the FortiMail unit address from the list.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

Configure the outgoing mail policy


Add a firewall policy for the FortiMail unit to send email messages to destinations
on the Internet.

To configure the outgoing policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the DMZ interface.


Source Address Select the FortiMail unit address from the list.
Name
Destination Select the external interface connected to the Internet.
Interface/zone
Destination Address Select ALL.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

Configuring the users’ incoming mail policy


Create a firewall policy that permits all SMTP traffic from the FortiMail unit to pass
to users on the internal network. Both of the following policies have the internal
users as the source of the email traffic. In both receiving and sending email, the
user’s computer initiates the connection to the FortiMail server, thus starting the
communication (the source).
The incoming policy is a POP3 policy that allows users to send requests to the
FortiMail unit for new mail on the server.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 79
Testing and next steps Configuring server mode

To configure the incoming policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the internal interface connected to the network.


Source Address Select ALL for all internal users on the internal network.
Name
Destination Select DMZ.
Interface/zone
Destination Address Select the FortiMail unit address from the list.
Name
Schedule Select ALWAYS.
Service Select POP3.
Action Select ACCEPT.

Configure the users’ outgoing mail policy


Add a firewall policy for internal users to send email messages to the FortiMail
mail server for scanning and sending to destinations on the Internet.

To configure the outgoing policy


1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone Select the internal interface connected to the network.


Source Address Select ALL for all internal users on the internal network.
Name
Destination Select DMZ.
Interface/zone
Destination Address Select the FortiMail unit address from the list.
Name
Schedule Select ALWAYS.
Service Select SMTP.
Action Select ACCEPT.

Testing and next steps


The configuration is now complete. See the chapter “Testing the installation” on
page 81 for information on testing the installation and the next steps to complete
the installation of your FortiMail unit.

FortiMail Version 2.8 Installation Guide


80 06-28000-0234-20060925
Testing the installation Communicating with the SMTP service

Testing the installation


After completing the installation and configuration of the FortiMail unit, you can
test the installation by sending an email from an external email system to an
internal user.
If you cannot retrieve/send email from an email account, review the previous
steps to ensure all information was entered correctly and try again.
You can also use some simple commands to test that the FortiMail unit accepts
SMTP communications and the server policies are configured correctly.
From a command prompt (UNIX or Windows) on your management computer,
telnet to the SMTP port (the default is 25) of the FortiMail unit to test the
connection to the SMTP service on the FortiMail unit.
For example, if your FortiMail host name is fortimail.com, enter:
telnet fortimail.com 25 <return>
The response should return:
Connected to fortimail.com
Escape character is '^]’
220 fortimail.com ESMTP Smtpd; <date and time>

Communicating with the SMTP service


After connecting to the SMTP service on the FortiMail unit using Telnet, you can
use SMTP commands to simulate sending email from an external email server to
an internal user. This will verify that the FortiMail unit receives email from external
email servers and forwards the email to internal users via the internal mail server
or relays the email to other email servers based on the recipient addresses.
Use the following commands to determine that the FortiMail unit is accepting
email from external SMTP services and will deliver the email to the internal users.
The table also includes the expected responses to the commands.
The commands use the following examples:
• client host name is mail.example.com
• outside user is user@outside.com
• internal user is user@inside.com)

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 81
Next steps Testing the installation

Commands Responses
ehlo mail.example.com <return> 250-mail.example.com Hello
<client_hostname>
<client_ip>, pleased to meet
you
mail from:user@outside.com <return> 250 2.1.0 user@outside.com...
Sender ok
rcpt to:user@inside.com <return> 250 2.1.0 user@inside.com...
Recipient ok
data <return> 354 Enter mail, end with "."
on a line by itself
this is a test message <return>
. <return> 250 2.0.0 j2TIw3MK026986
Message accepted for delivery

Next steps
The FortiMail unit is now installed and operational on your network. You can now
register the unit and configure the system time and FortiGuard update schedule.

Register your FortiMail unit


After installing a new FortiMail unit, register the unit by visiting
http://support.fortinet.com and select Product Registration.
By registering your FortiMail unit, you will receive updates to threat detection and
prevention databases and will also ensure your access to technical support.

Set the date and time


For effective scheduling and logging, the FortiMail system date and time must be
accurate. You can either manually set the system date and time or configure the
FortiMail unit to automatically keep its time correct by synchronizing with a
Network Time Protocol (NTP) server.

To set the date and time


1 Go to System > Config > Time.
2 Select your Time Zone from the list.
3 Optionally, select Automatically adjust clock for daylight saving changes check
box.
4 Select Set Time and set the FortiMail system date and time.
5 Select OK.

Note: If you choose the option Automatically adjust clock for daylight saving changes, the
system time must be manually adjusted after daylight savings time ends.

To use NTP to set the FortiMail date and time


1 Go to System > Config > Time.

FortiMail Version 2.8 Installation Guide


82 06-28000-0234-20060925
Testing the installation Next steps

2 Select Synchronize with NTP Server to configure the FortiMail unit to use NTP to
automatically set the system time and date.
3 Enter the IP address or domain name of the NTP server that the FortiMail unit can
use to set its time and date.
4 Specify how often the FortiMail unit should synchronize its time with the NTP
server.
5 Select OK.

Updating antivirus signatures


You can configure the FortiMail unit to connect to the FortiGuard Distribution
Network (FDN) to update the antivirus and antispam definitions.
The FDN is a world wide network of FortiGuard Distribution Servers (FDS). When
the FortiMail unit connects to the FDN, it connects to the nearest FDS. To do this,
all FortiMail units are programmed with a list of FDS addresses sorted by nearest
time zone according to the time zone configured for the FortiMail unit.
Before you can begin receiving updates, you must register your FortiMail unit on
the Fortinet web page. For information about registering your FortiMail unit, see
“Register your FortiMail unit” on page 82.
After registering your FortiMail unit, verify the FortiMail unit can connect to the
FDN:
• Check that the FortiMail unit’s system time is correct.
• From the web-based manager, select refresh from the FortiGuard Center.
If you cannot connect to the FDN, follow the procedure for registering your
FortiMail unit and try again or see “Adding an override server” on page 84.

Updating antivirus signatures


The FortiGuard Center enables you to receive push updates, allow push update to
a specific IP address, and schedule updates for daily, weekly, or hourly intervals.

To update antivirus definitions


1 Go to System > Update.
2 Select Update Now to update the antivirus definitions.
If the connection to the FDN is successful, the web-based manager displays a
message similar to the following:
Your update request has been sent. Your database will be
updated in a few minutes. Please check your update page
for the status of the update.
After a few minutes, if an update is available, the System FortiGuard Center page
lists new version information for antivirus definitions. The System Status page
also displays new dates and version numbers for the antivirus definitions.
Messages are recorded to the event log indicating whether the update was
successful or not.
Note: Updating antivirus definitions can cause a very short disruption in traffic currently
being scanned while the FortiMail unit applies the new signature database. Schedule
updates when traffic is light, for example overnight, to minimize any disruption.

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 83
Next steps Testing the installation

Scheduling antivirus updates


Configure a schedule for the frequency of the antivirus updates.

To enable scheduled updates


1 Go to System > Update.
2 Select the Scheduled Update check box.
3 Select one of the following to check for and download updates.

Every Once every 1 to 23 hours. Select the number of hours and


minutes between each update request.
Daily Once a day. You can specify the time of day to check for updates.
Weekly Once a week. You can specify the day of the week and time of day
to check for updates.

4 Select Apply.
The FortiMail unit starts the next scheduled update according to the new update
schedule. Whenever the FortiMail unit runs a scheduled update, the event is
recorded in the FortiMail event log.

Adding an override server


If you cannot connect to the FDN, or if your organization provides updates using
their own FortiGuard server, use the following procedures to add the IP address of
an override FortiGuard server.

To add an override server from the web-based manager


1 Go to System > Update.
2 Select the Use override server address check box.
3 Type the fully qualified domain name or IP address of a FortiGuard server.
4 Select Apply.
The FortiMail unit tests the connection to the override server.
If the FDN setting changes to available, the FortiMail unit has successfully
connected to the override server.
If the FDN stays set to not available, the FortiMail unit cannot connect to the
override server. Check the FortiMail configuration and network configuration for
settings that would prevent the FortiMail unit from connecting to the override
FortiGuard server.

Additional configuration
After setting up the FortiMail unit, you can manage it by configuring its many
advanced features as described in the FortiMail Administration Guide, including:
• creating antispam, antivirus, authentication, or content profiles
• creating user policies, including incoming and outgoing policies.
• configuring antispam settings, including email quarantine, FortiGuard
Antispam, Bayesian training settings, black and white lists, and antispam rules

FortiMail Version 2.8 Installation Guide


84 06-28000-0234-20060925
Index

Index
A G
air flow 21 gateway mode
antivirus definitions 83 behind a firewall 33
described 30
C in front of a firewall 39
in the DMZ 45
certificate, security 24
CLI 25 I
comments, documentation 12
configuring time 82 interface
configuring for DHCP 35
connecting
configuring for PPPoE 35
to the CLI 25
to the web-based manager 23
conventions, documentation 11 M
customer service 12 mechanical loading 21
mounting
D FortiMail-100 16
FortiMail-2000 18
dashboard 24 FortiMail-400 17
documentation FortiMail-4000 20
commenting on 12 FortiMail-4000A 21
conventions 11
FortiMail 12
N
E NTP server 82
environmental specifications 21
P
F package
FortiMail-100 15
FortiGuard FortiMail-2000 18
scheduling updates 84 FortiMail-400 17
updates 83 FortiMail-4000 19
FortiMail-100 FortiMail-4000A 20
mounting 16 package contents 15
package 15 powering
FortiMail-2000 off 22
mounting 18 on 22
package 18
FortiMail-400 R
mounting 17
package 17 registering 82
FortiMail-4000
mounting 20 S
package 19
FortiMail-4000A security certificate 24
mounting 21 server mode
package 20 behind a firewall 63
Fortinet described 31
customer service 12 in front of a firewall 69
family of products 7 in the DMZ 74
Knowledge Center 12 specifications, environmental 21
System dashboard 24

FortiMail Version 2.8 Installation Guide


06-28000-0234-20060925 85
Index

T turning
off 22
technical support 12 on 22
time, configuring 82
transparent mode V
described 31
in front of an email server 53 virtual IP 38
protecting the email hub 56
W
web-based manager, connecting 23

FortiMail Version 2.8 Installation Guide


86 06-28000-0234-20060925
www.fortinet.com
www.fortinet.com

Potrebbero piacerti anche