FortiMail
Version 2.8
www.fortinet.com
FortiMail Installation Guide
Version 2.8
25 September 2006
06-28000-0234-20060925
Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus,
FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet,
FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse,
FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the
United States and/or other countries. The names of actual companies and
products mentioned herein may be the trademarks of their respective
owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
Caution: If you install a battery that is not the correct type, it could
explode. Dispose of used batteries according to local regulations.
Contents
Introduction
  Fortinet Family Products
    FortiGuard Subscription Services
    FortiAnalyzer
    FortiBridge
    FortiClient
    FortiGate
    FortiManager
    FortiReporter
  About the FortiMail units
    FortiMail-100
    FortiMail-400
    FortiMail-2000
    FortiMail-4000
    FortiMail-4000A
  About this document
    Document conventions
  FortiMail documentation
    Fortinet Knowledge Center
    Comments on Fortinet technical documentation
  Customer service and technical support
Index
Introduction
Welcome and thank you for selecting Fortinet products for your real-time network
protection.
The FortiMail Secure Messaging Platform is an integrated hardware and software
solution that provides powerful and flexible antispam, antivirus, email archiving
and logging capabilities to incoming and outgoing email traffic. The FortiMail unit
has reliable and high performance features for detecting and blocking spam
messages and malicious attachments.
Built on Fortinet's award-winning FortiOS™ and FortiASIC™ technology, the
FortiMail antivirus technology extends full content inspection capabilities to detect
the most advanced email threats.
FortiAnalyzer
FortiAnalyzer™ provides network administrators with the information they need to
enable the best protection and security for their networks against attacks and
vulnerabilities. FortiAnalyzer unit features include:
• collecting logs from FortiGate devices, syslog devices, and FortiClient
• creating hundreds of reports using collected log data
FortiBridge
FortiBridge™ products are designed to provide enterprise organizations with
continuous network traffic flow in the event of a power outage or a FortiGate
system failure. The FortiBridge unit bypasses the FortiGate unit to make sure that
the network can continue processing traffic. FortiBridge products are easy to use
and deploy, and let you customize the actions a FortiBridge unit takes in
the event of a power outage or FortiGate system failure.
FortiClient
FortiClient™ Host Security software provides a secure computing environment for
both desktop and laptop users running the most popular Microsoft Windows
operating systems. FortiClient offers many features including:
• creating VPN connections to remote networks
• configuring real-time protection against viruses
• guarding against modification of the Windows registry
• virus scanning.
FortiClient also offers a silent installation feature, enabling an administrator to
efficiently distribute FortiClient to several users’ computers with preconfigured
settings.
FortiGate
The FortiGate™ Antivirus Firewalls improve network security, reduce network
misuse and abuse, and help you use communications resources more efficiently
without compromising the performance of your network. FortiGate Antivirus
Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.
The FortiGate Antivirus Firewall is a dedicated, easily managed security device
that delivers a full suite of capabilities which include:
• application-level services such as virus protection and content filtering
• network-level services such as firewall, intrusion detection, VPN and traffic
shaping
The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content
Analysis System (ABACAS™) technology, which leverages breakthroughs in chip
design, networking, security and content analysis. The unique ASIC-based
architecture analyzes content and behavior in real-time, enabling key applications
to be deployed right at the network edge where they are most effective at
protecting your networks.
FortiManager
The FortiManager system is designed to meet the needs of large enterprises
(including managed security service providers) responsible for establishing and
maintaining security policies across many dispersed FortiGate installations. With
this system you can configure multiple FortiGate devices and monitor their status.
You can also view real-time and historical logs for the FortiGate devices. The
FortiManager System emphasizes ease of use, including easy integration with
third party systems.
FortiReporter
FortiReporter Security Analyzer software generates easy-to-understand reports
and can collect logs from any FortiGate unit, as well as over 30 network and
security devices from third-party vendors. FortiReporter reveals network abuse,
manages bandwidth requirements, monitors web usage, and ensures employees
are using the office network appropriately. FortiReporter allows IT administrators
to identify and respond to attacks, including identifying ways to proactively secure
their networks before security threats arise.
FortiMail-100
The FortiMail-100 is an easy-to-deploy and easy-to-administer solution
FortiMail-400
The FortiMail-400 is optimized for medium sized enterprise customers, delivering a
FortiMail-2000
For larger installations where higher performance and better reliability are
required, the FortiMail-2000 system provides the same software features as the
FortiMail-400, but with a modular chassis with hot swappable components. Ideal
for the most demanding email infrastructures, the FortiMail-2000 system delivers
high performance for large enterprises and service providers, which includes the
performance capability to scan 6.8 million emails per day, with six hot swappable
disk drives with RAID for disk redundancy, and redundant power supplies and
fans. Four 10/100/1000 Base-T interfaces provide the flexibility to connect into
many corporate or service provider environments.
FortiMail-4000
For larger installations where higher performance and better reliability are
required, the FortiMail-4000 system provides the same software features as the
FortiMail-2000. Ideal for the most demanding email infrastructures, the
FortiMail-4000 system delivers high performance for large enterprises and service
providers, which includes the performance capability to scan 6.8 million emails
per day, with 12 hot swappable disk drives with RAID for disk redundancy, and
redundant power supplies and fans. Two 10/100/1000 Base-T interfaces provide
the flexibility to connect into many corporate or service provider environments.
FortiMail-4000A
For larger installations where higher performance and better reliability are
required, the FortiMail-4000A system provides the same software features as the
FortiMail-4000. Ideal for the most demanding email infrastructures, the
FortiMail-4000A system delivers high performance for large enterprises and
service providers, which includes the performance capability to scan 6.8 million
emails per day, with 12 hot swappable disk drives with RAID for disk redundancy,
and redundant power supplies and fans. Two 10/100/1000 Base-T interfaces
provide the flexibility to connect into many corporate or service provider
environments.
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP
addresses.
• Notes and Cautions are used to provide important information:
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention: Example
Keyboard input: In the Gateway Name field, type a name for the remote VPN
peer or client (for example, Central_Office_1).
Code examples:
    config sys global
    set ips-open enable
    end
CLI command syntax:
    config firewall policy
    edit id_integer
    set http_retry_count <retry_integer>
    set natip <address_ipv4mask>
    end
Document names: FortiGate Administration Guide
Menu commands: Go to VPN > IPSEC > Phase 1 and select Create New.
Program output: Welcome!
Variables: <address_ipv4>
FortiMail documentation
Information about the FortiMail unit is available from the following guides:
• FortiMail QuickStart Guide
Provides basic information about connecting and installing a FortiMail unit and
configuring the unit for use on your network.
• FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in
Transparent, Gateway, and Server modes, including how to configure the unit,
create profiles and policies, configure antispam and antivirus filters, create
user accounts, configure email archiving, and set up logging and reporting.
• FortiMail Installation Guide
Describes how to set up the FortiMail unit in Transparent, Gateway, and Server
modes. It also provides information on how to use system settings to view
FortiMail unit status and configure how the FortiMail unit connects to your
network and to the Internet.
• FortiMail Online Help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
• FortiMail Webmail Online Help
Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; how to
configure message display preferences, and how to manage quarantined
email.
• FortiMail User Guide for Gateway and Transparent modes
Provides information that the FortiMail end users need to know in order to take
advantage of the services provided by the FortiMail unit in either Gateway or
Transparent mode.
• FortiMail User Guide for Server mode
Provides information that the FortiMail end users need to know in order to take
advantage of the services provided by the FortiMail unit in Server mode.
Package contents
Review the contents of your FortiMail package to ensure all components are
included.
FortiMail-100
The FortiMail-100 package contains the following items:
• FortiMail-100 unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one DB-9 serial null-modem console cable (Fortinet part number CC300247)
• FortiMail-100 QuickStart Guide
• one power cable
• Fortinet Tools and Documentation CD
Figure: FortiMail-100 package contents. Labels: Front; Power LED; Status LED;
interface status LEDs; ethernet cables (orange crossover, grey straight-through);
power cable; power supply; DC+12V; USB; QuickStart Guide.
Mounting
The FortiMail-100 unit can be installed as a free-standing appliance on any stable
surface.
Table 1: Technical Specifications
FortiMail-400
The FortiMail-400 package contains the following items:
• FortiMail-400 unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one RJ-45 to DB-9 serial console cable (Fortinet part number CC300302)
• FortiMail-400 QuickStart Guide
• one power cable
• Fortinet Tools and Documentation CD
• two 19-inch rack mount brackets
Figure: FortiMail-400 package contents. Labels: Front; Back; LCD; control
buttons; power LED; RJ-45 console; USB (future use); ports 1 to 6 (10/100 and
10/100/1000); power switch; power connection; ethernet cables (orange crossover,
grey straight-through); RJ-45 to DB-9 console cable; power cable; rack-mount
brackets; QuickStart Guide; documentation.
Mounting
The FortiMail-400 unit can be mounted in a standard 19-inch rack. It requires
1 U of vertical space in the rack. The FortiMail-400 unit can also be installed as a
free-standing appliance on any stable surface.
Table 3: Technical Specifications
FortiMail-2000
The FortiMail-2000 package contains the following items:
• FortiMail-2000 unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one RJ-45 to DB-9 serial console cable (Fortinet part number CC300302)
• FortiMail-2000 QuickStart Guide
• two power cables
• Fortinet Tools and Documentation CD
• chassis mounting kit for 19-inch rack mount brackets
Figure: FortiMail-2000 package contents. Labels: Back; rack-mount brackets;
QuickStart Guide; ports 1 to 4; CONSOLE.
Mounting
The FortiMail-2000 unit can be mounted in a standard 19-inch rack. It requires
2 U of vertical space in the rack. The FortiMail-2000 unit can also be installed as a
free-standing appliance on any stable surface.
FortiMail-4000
The FortiMail-4000 package contains the following items:
• FortiMail-4000 unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one DB-9 serial console cable (Fortinet part number CC300302)
• FortiMail-4000 QuickStart Guide
• one power cable
• Fortinet Tools and Documentation CD
• chassis mounting kit for 19-inch rack mount brackets
Figure: FortiMail-4000 package contents. Labels: Front; Back; ethernet cables
(orange crossover, grey straight-through); null-modem cable (RS-232); power
cable; UID; power connection; serial connection; QuickStart Guide; documentation.
Mounting
The FortiMail-4000 unit can be mounted in a standard 19-inch rack. It requires
2 U of vertical space in the rack. The FortiMail-4000 unit can also be installed as a
free-standing appliance on any stable surface.
Table 8: Technical Specifications
Dimensions: 19 x 27 x 3.5 in. (48.3 x 68.6 x 8.9 cm)
Weight: 68 lb. (30.8 kg)
Power requirements:
    Power dissipation: 360W (max.)
    AC input voltage: 100 to 240 VAC
    AC input current: 9A max
    Frequency: 50 to 60Hz
FortiMail-4000A
The FortiMail-4000A package contains the following items:
• FortiMail-4000A unit
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one DB-9 serial console cable (Fortinet part number CC300302)
• FortiMail-4000A QuickStart Guide
• one power cable
• Fortinet Tools and Documentation CD
• chassis mounting kit for 19-inch rack mount brackets
Figure: FortiMail-4000A package contents. Labels: Back; null-modem cable
(RS-232); power cable; connections; USB; serial connection; documentation.
Mounting
The FortiMail-4000A unit can be mounted in a standard 19-inch rack. It requires
2 U of vertical space in the rack. The FortiMail-4000A unit can also be installed as
a free-standing appliance on any stable surface.
Table 9: Technical Specifications
Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C)
If you install the FortiMail unit in a closed or multi-unit rack assembly, the
operating ambient temperature of the rack environment may be greater than
room ambient temperature. Therefore, make sure to install the equipment in
an environment compatible with the manufacturer's maximum rated ambient
temperature.
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 95% non-condensing
Note: The FortiMail unit may overload your supply circuit and impact your surge protection
and supply wiring. Use appropriate equipment nameplate ratings to address this concern.
Make sure that the FortiMail unit has reliable grounding. Fortinet recommends direct
connections to the branch circuit.
Air flow
• For rack installation, make sure that the amount of air flow required for safe
operation of the equipment is not compromised.
• For free-standing installation, make sure that the appliance has at least 1.5 in.
(3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
Mechanical loading
You can mount the FortiMail-400, FortiMail-2000 and FortiMail-4000/4000A in a
standard 19-inch rack. The FortiMail-400 requires 1U of vertical space and the
FortiMail-2000 and FortiMail-4000/4000A require 2U of vertical space in the rack.
For rack installation, ensure an even mechanical loading of the FortiMail-400,
FortiMail-2000 and FortiMail-4000/4000A to avoid a hazardous condition.
Powering off
Always shut down the FortiMail operating system properly before turning off the
power switch or disconnecting the power.
1 Go to System > Status.
2 In the System Command area, select Shutdown, or from the CLI, enter:
execute shutdown
3 Disconnect the power supply.
Web-based manager
You can configure and manage the FortiMail unit using HTTP or a secure HTTPS
connection from any computer running Microsoft Internet Explorer 6.0 or a recent
browser.
You can use the web-based manager to configure most FortiMail settings, and
monitor the status of the FortiMail unit.
System Dashboard
After logging into the web-based manager, the web browser displays the system
dashboard. The dashboard provides you with all system status information in one
location.
Note: The following procedure uses Microsoft Windows HyperTerminal software. You can
apply these steps to any terminal emulation program.
To enter an IP address
1 Press Enter to select the interfaces.
2 Press the up and down buttons to highlight the interface you want to configure an
IP address for, and then press Enter.
3 Press Enter for the IP address.
4 Press the up and down buttons to increase or decrease the number.
5 Press Enter to select the number.
6 Repeat steps 4 and 5 for all numbers of the IP address.
Use the above steps to configure the netmasks.
Gateway mode
In gateway mode the FortiMail acts as a fully functional mail relay server. Gateway
mode does not provide local mailboxes but does provide a web user interface for
managing spam filters (black/white list), Auto White Lists, and per-user Bayesian
database management.
In Gateway mode, the FortiMail unit receives incoming email messages, scans for
viruses and spam, then passes (relays) the email to the email server for delivery.
In this mode, the FortiMail unit can effectively protect your email server as your
email server is not visible to outside users. The FortiMail unit can also archive
email for backup and monitoring purposes.
The FortiMail unit integrates into your existing network with only minor changes to
your network configuration. You must also change your MX record to route
incoming email to the FortiMail unit for scanning.
Figure: Gateway Mode. Labels: Mail Users (POP3/IMAP/Web Mail); Hub; Mail Server;
Internet.
For example, an ISP deploys a FortiMail unit to protect their customers’ mail
servers. Many customers do not want their mail servers to be visible to external
users for security reasons. Therefore, the ISP installs the FortiMail unit in
Gateway mode to satisfy the need of the customers.
The ISP takes advantage of the Gateway mode deployment flexibility and places
the FortiMail unit in the DMZ, while keeping the email server safe behind the
firewall.
For sample configuration information, see the chapter “Configuring gateway
mode” on page 33.
Transparent mode
In Transparent mode, the FortiMail unit acts as a bridge, providing seamless
integration into existing network environments. In Transparent mode, the FortiMail
unit provides a flexible and versatile email scanning solution.
You can place the FortiMail unit in front of the existing email server without any
changes to the existing network topology. This means that all of the FortiMail
interfaces are on the same subnet.
Transparent mode also provides a web user interface for managing spam filters
(black/white list), Auto White Lists, and per-user Bayesian database
management.
Figure: Transparent mode. Labels: Internet; Router; Mail Server; Mail Users
(POP3/IMAP/Web Mail).
For example, a company wants to install a FortiMail unit to protect its mail server.
The company installs the FortiMail unit in Transparent mode to avoid changing its
MX record to route email to the FortiMail unit, and to simply act as a filter for spam
and virus related email.
With this mode, the company’s end users do not need to change the mail server
setting on their email client. The company also wants its mail server to be visible
to the users to increase the company’s popularity.
For sample configuration information, see the chapter “Configuring transparent
mode” on page 53.
Server mode
In server mode the FortiMail unit is a fully functional SMTP, IMAP, POP3 mail
server with local mail boxes and an optional WebMail user interface. In addition,
the FortiMail Server provides antivirus, antispam, email archiving, and logging
and reporting services.
For sample configuration information, see the chapter “Configuring server mode”
on page 63.
Figure: network diagram. Labels: Email Server; Switch; Internal; External;
Internet; Router; Firewall; DNS Server.
Administrator Password:
Port 1    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 2    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 3    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 4    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 5    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 6    IP: _____._____._____._____    Netmask: _____._____._____._____
Network settings
    Default Gateway: _____._____._____._____
    The management IP address and netmask must be valid for the
    network from which you will manage the FortiMail unit. Add a
    default gateway if the FortiMail unit must connect to a router to
    reach the management computer.
    Primary DNS Server: _____._____._____._____
    Secondary DNS Server: _____._____._____._____
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP or PPPoE, if the network supports it.
Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP or PPPoE, the FortiMail unit configures a default route
automatically.
The gateway address for the route is on the same network as port 1.
You need to configure additional routes if any of your email servers are on a
different subnet. The gateway you specify is the address of the next hop router
that connects to the required network.
To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.
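The addressing and routing rules in this section (interface address on the local subnet and not shared with another device, route gateways that are next hops on a connected network, and routes for the DNS server and for email servers on other subnets) can be checked against a filled-in worksheet before the values are entered. The following Python script is an added example, not Fortinet code; the plan layout, the function names and all addresses are constructed for illustration.

```python
import ipaddress


def next_hop(target, ifaces, routes):
    """Return ("direct", port), ("via", gateway) or (None, None) for a target IP."""
    for name, iface in ifaces.items():
        if target in iface.network:
            return "direct", name
    # Longest-prefix match over the static routes, as a router would choose.
    matches = [(net, gw) for net, gw in routes if target in net]
    if not matches:
        return None, None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return "via", gw


def check_plan(plan):
    """Return a list of problems found in a planned network configuration."""
    problems = []
    # "ip/netmask" strings, in the dotted form the worksheet uses.
    ifaces = {n: ipaddress.ip_interface(a) for n, a in plan["interfaces"].items()}
    routes = [(ipaddress.ip_network(d), ipaddress.ip_address(g))
              for d, g in plan["routes"]]
    others = {ipaddress.ip_address(a): label
              for label, a in plan["other_devices"].items()}

    # Interface addresses must be usable hosts and unique on the network.
    for name, iface in ifaces.items():
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is not a usable host address in {net}")
        if iface.ip in others:
            problems.append(f"{name}: {iface.ip} is already used by {others[iface.ip]}")

    # A route gateway must be a next hop on a directly connected network.
    for net, gw in routes:
        if not any(gw in i.network for i in ifaces.values()):
            problems.append(f"route {net}: gateway {gw} is not on any interface subnet")
        elif any(gw == i.ip for i in ifaces.values()):
            problems.append(f"route {net}: gateway {gw} is the unit's own address")

    # DNS servers and protected email servers need a connected subnet or a route.
    for label, addr in plan["must_reach"].items():
        how, _ = next_hop(ipaddress.ip_address(addr), ifaces, routes)
        if how is None:
            problems.append(f"{label} {addr}: no connected subnet or route covers it")
    return problems


# Constructed sample plans using private addresses only.
GOOD_PLAN = {
    "interfaces": {"port1": "192.168.1.5/255.255.255.0"},
    "other_devices": {"router": "192.168.1.1", "email server": "192.168.1.10"},
    "routes": [("0.0.0.0/0", "192.168.1.1"),
               ("172.16.20.0/255.255.255.0", "192.168.1.254")],
    "must_reach": {"primary DNS": "10.10.10.53",
                   "email server": "192.168.1.10",
                   "branch email server": "172.16.20.25"},
}

BAD_PLAN = {
    # port1 reuses the email server's address.
    "interfaces": {"port1": "192.168.1.10/255.255.255.0"},
    "other_devices": {"router": "192.168.1.1", "email server": "192.168.1.10"},
    # The gateway is not on port1's subnet and there is no default route.
    "routes": [("10.10.10.0/255.255.255.0", "192.168.2.1")],
    "must_reach": {"primary DNS": "10.10.10.53",
                   "email server": "192.168.1.10",
                   "branch email server": "172.16.20.25"},
}

if __name__ == "__main__":
    for title, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        found = check_plan(plan)
        print(title + ":", "no problems" if not found else "")
        for line in found:
            print("  -", line)
```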
With the FortiMail unit behind the FortiGate firewall, you must configure firewall
policies to ensure that incoming SMTP traffic goes to the FortiMail Gateway
before reaching the email server.
To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for
the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, the
FortiGate unit automatically directs the message to the internal IP address of the
FortiMail unit.
This allows the FortiMail unit to perform antivirus scanning, antispam filtering, and
email archiving on the SMTP traffic.
With the VIP established, create a firewall policy to pass traffic from the FortiGate
external interface to the VIP mapping on the internal interface.
Figure: network diagram. Labels: Email Server; Internal; External; Switch;
Internet; Router; Firewall; DNS Server.
Administrator Password:
Port 1    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 2    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 3    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 4    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 5    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 6    IP: _____._____._____._____    Netmask: _____._____._____._____
Network settings
    Default Gateway: _____._____._____._____
    The management IP address and netmask must be valid for the
    network from which you will manage the FortiMail unit. Add a
    default gateway if the FortiMail unit must connect to a router to
    reach the management computer.
    Primary DNS Server: _____._____._____._____
    Secondary DNS Server: _____._____._____._____
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP or PPPoE, the FortiMail unit configures a default route
automatically.
The gateway address is the IP address of the router that connects to the Internet.
To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route or select Modify to change the default.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.
Next, create the incoming email firewall policy so the email from the FortiMail goes
to the email server.
Figure: network diagram. Labels: Email Server; Internal; External; Internet;
Switch; Router; DMZ; DNS Server.
Administrator Password:
Port 1    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 2    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 3    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 4    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 5    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 6    IP: _____._____._____._____    Netmask: _____._____._____._____
Network settings
    Default Gateway: _____._____._____._____
    The management IP address and netmask must be valid for the
    network from which you will manage the FortiMail unit. Add a
    default gateway if the FortiMail unit must connect to a router to
    reach the management computer.
    Primary DNS Server: _____._____._____._____
    Secondary DNS Server: _____._____._____._____
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to the DMZ interface of the firewall
appliance. The IP address of Port 1 must be on the same subnet as the DMZ
network and cannot use the same address as another device or computer on the
network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP or PPPoE, if the network supports it.
Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP or PPPoE, the FortiMail unit configures a default route
automatically.
The gateway address is the IP address of the firewall interface on the same
network as this FortiMail interface.
To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route or select Modify to change the default.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.
Source Interface/zone: Select the DMZ interface connected to the FortiMail unit.
Source Address Name: Select the FortiMail address from the list.
Destination Interface/zone: Select the internal interface connected to the network.
Destination Address Name: Select the email server from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Figure: Transparent mode. Labels: Internet; Router; Mail Server; Mail Users
(POP3/IMAP/Web Mail).
Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
Configuring routing
At a minimum, you need to define a route that enables the FortiMail unit to contact
the DNS server. You need to configure additional routes if any of your email
servers are on a different network than the FortiMail unit and the DNS server. The
gateway you specify is the address of the next hop router that connects to the
required network.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that
have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server
receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the
encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Configuring domains
Create a domain to define the email server(s) that the FortiMail unit protects. The
FortiMail unit automatically configures email access to allow relaying of email
messages to and from the domain.
Domain FQDN                   Enter a fully-qualified domain name for the mail server.
Use MX Record                 Select to use the record from the MX table to define the domain.
                              When enabled, the SMTP Server and Fallback MX Host are not
                              available.
SMTP Server                   Enter the IP address and port of the SMTP server.
Fallback MX Host              Enter the IP address and port of the backup SMTP server. This
                              server is redundant in case of failure of the main SMTP server.
Is Subdomain                  Select to indicate the domain you are creating is a subdomain of
                              an existing domain.
Main Domain                   When selecting Is Subdomain, select the domain from the list.
Verify Recipient Address      Select a method of verifying the email address of the recipient of
                              an incoming email message.
Mail Routing                  Select to enable mail routing based on the selected LDAP profile.
                              To configure LDAP profiles, go to Profile > LDAP.
Check AS/AV profile           Select to enable antispam and antivirus configurations based on
                              the selected LDAP profile.
                              To configure LDAP profiles, go to Profile > LDAP.
Configuring proxies
For a typical Transparent mode installation, the default proxy options are
appropriate. Should you need to modify the proxies, go to Mail Settings >
Proxies to configure the email connections through the ports.
[Figure: network diagram with labels Router, WAN, Internet, Port 2, and Port 1]
Before you begin, ensure the FortiMail unit is in Transparent mode. If not, switch
over to this mode.
Configuring DNS
You need to configure DNS server addresses so that FortiMail can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
Configuring routing
At a minimum, you need to define a route that enables the FortiMail unit to contact
the DNS server. You need to configure additional routes if any of your email
servers are on a different network than the FortiMail unit and the DNS server. The
gateway you specify is the address of the next hop router that connects to the
required network.
Configuring domains
Create a domain to define the email server(s) that the FortiMail unit protects. The
FortiMail unit automatically configures email access to allow relaying of email
messages to and from the domain.
Domain FQDN                   Enter a fully-qualified domain name for the mail server.
Use MX Record                 Select to use the record from the MX table to define the domain.
                              When enabled, the SMTP Server and Fallback MX Host are not
                              available.
SMTP Server                   Enter the IP address and port of the SMTP server.
Fallback MX Host              Enter the IP address and port of the backup SMTP server. This
                              server is redundant in case of failure of the main SMTP server.
Is Subdomain                  Select to indicate the domain you are creating is a subdomain of
                              an existing domain.
Main Domain                   When selecting Is Subdomain, select the domain from the list.
Verify Recipient Address      Select a method of verifying the email address of the recipient of
                              an incoming email message.
Mail Routing                  Select to enable mail routing based on the selected LDAP profile.
                              To configure LDAP profiles, go to Profile > LDAP.
Check AS/AV profile           Select to enable antispam and antivirus configurations based on
                              the selected LDAP profile.
                              To configure LDAP profiles, go to Profile > LDAP.
The FortiMail unit must relay all email, both outgoing and incoming, through the
head office email hub. You must ensure that the FortiMail unit passes the email to
the correct domain email server.
After configuring the domain, edit the domain information to configure additional
settings to make the FortiMail unit transparent to the email servers:
This server is on                             Select the port connected to the email server hub. In this
                                              example, it is port 1.
Hide the transparent box                      Select to enable the FortiMail unit to hide its presence by
                                              using the IP address of the domain email server or client
                                              as required.
Use the domain server to deliver the email    Select to relay email to the domain server the email sender
                                              specified WAN domain.
                                              If not selected, the FortiMail unit relays the email directly
                                              to the email destination domain, which is not desired in
                                              this example.
Configuring proxies
This example requires the FortiMail interface to act as a proxy so that the FortiMail
unit can scan email passing through to the email. Also, the email must simply pass
through the FortiMail unit when the hub email server relays an email message to
another domain email server on the network or on the intranet. It is also important
to prevent SMTP clients from using the FortiMail unit itself as an SMTP server. The
proxy settings provide this flexibility.
Port 1
    Incoming SMTP connections are passed through
    Outgoing SMTP connections are passed through
    Local SMTP connections are allowed
Port 2
    Incoming SMTP connections are proxied
    Outgoing SMTP connections are proxied
    Local SMTP connections are not allowed
[Figure: network diagram with labels Switch, Internal, External, Internet, Router, Firewall, and DNS Server]
Administrator Password:

Port 1              IP:      _____._____._____._____
                    Netmask: _____._____._____._____
Port 2              IP:      _____._____._____._____
                    Netmask: _____._____._____._____
Port 3              IP:      _____._____._____._____
                    Netmask: _____._____._____._____
Port 4              IP:      _____._____._____._____
                    Netmask: _____._____._____._____
Port 5              IP:      _____._____._____._____
                    Netmask: _____._____._____._____
Port 6              IP:      _____._____._____._____
                    Netmask: _____._____._____._____
Network settings    Default Gateway: _____._____._____._____
                    The management IP address and netmask must be valid for the
                    network from which you will manage the FortiMail unit. Add a
                    default gateway if the FortiMail unit must connect to a router to
                    reach the management computer.
                    Primary DNS Server: _____._____._____._____
                    Secondary DNS Server: _____._____._____._____
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP or PPPoE, if the network supports it.
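The addressing rules stated above and in the routing section (a port address valid on its subnet and not shared with another device, a gateway on the same network as a FortiMail interface, and a route to the DNS server) can be checked against a filled-in worksheet before the values are entered. This is an added example, not part of the FortiMail guide; the function name check_worksheet and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def check_worksheet(ports, gateway, dns_servers):
    """Check worksheet values before entering them on the unit.

    ports:       {"Port 1": ("192.168.1.5", "255.255.255.0"), ...}
    gateway:     default gateway string, or None if left blank
    dns_servers: list of DNS server address strings
    Returns a list of problems; an empty list means none were found.
    """
    problems, ifaces = [], {}
    for name, (ip, mask) in ports.items():
        try:
            iface = ipaddress.ip_interface(f"{ip}/{mask}")
        except ValueError as exc:  # malformed address or non-contiguous netmask
            problems.append(f"{name}: {exc}")
            continue
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is a network or broadcast address")
        ifaces[name] = iface

    dns = [ipaddress.ip_address(d) for d in dns_servers]
    gw = ipaddress.ip_address(gateway) if gateway else None
    # The gateway is the firewall or router interface on a port's own subnet.
    if gw is not None and not any(gw in i.network for i in ifaces.values()):
        problems.append(f"gateway {gw} is not on the subnet of any port")

    # A port cannot share an address with another device on the network.
    taken = set(dns) | ({gw} if gw is not None else set())
    for name, iface in ifaces.items():
        if iface.ip in taken:
            problems.append(f"{name}: {iface.ip} is used by the gateway or DNS")

    # DNS must be reachable: directly connected, or through the default route.
    for server in dns:
        if gw is None and not any(server in i.network for i in ifaces.values()):
            problems.append(f"DNS server {server} is off-subnet and no gateway is set")
    return problems

# Constructed sample values (private address space), not from the guide.
SAMPLE = check_worksheet({"Port 1": ("192.168.1.5", "255.255.255.0")},
                         "192.168.2.1", ["192.168.1.10"])
```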
5 If required, select Retrieve default gateway and DNS from server to disable this
option.
By default, this option is enabled.
6 Select OK.
The FortiMail unit attempts to contact the PPPoE server from the interface to set
the IP address, netmask, default gateway IP address, and DNS server IP
addresses.
SMTPS Server Port Number      The default port number is 465. You can change it if needed. This
                              allows the encrypted SMTP traffic to pass through the SMTPS
                              Server Port. SMTP over SSL/TLS must be enabled.
SMTP Authentication           Select to enable authentication. When a user logs into the SMTP
                              server, they require a user name and password.
Note: Deleting a domain also deletes all email users in that domain.
[Figure: network diagram with labels To Internal Network, Internal, External, Switch, Internet, Router, Firewall, and DNS Server]
Both policies have the internal users as the source of the email traffic. In both
receiving and sending email, the user’s computer initiates the connection to the
FortiMail server, thus starting the communication (the source).
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance’s documentation for completing similar
configurations.
The incoming policy is a POP3 policy that allows users to send requests to the
FortiMail unit for new mail on the FortiMail server.
Commands                               Responses
ehlo mail.example.com <return>         250-mail.example.com Hello <client_hostname>
                                       <client_ip>, pleased to meet you
mail from:user@outside.com <return>    250 2.1.0 user@outside.com... Sender ok
rcpt to:user@inside.com <return>       250 2.1.0 user@inside.com... Recipient ok
data <return>                          354 Enter mail, end with "." on a line by itself
this is a test message <return>
. <return>                             250 2.0.0 j2TIw3MK026986 Message accepted for delivery
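The test session in the table above can be checked mechanically by parsing the server's replies and comparing each reply code with the one the table shows. This is an added example, not part of the FortiMail guide; the names read_reply and check_session and both captures are constructed for illustration, and the replies are assumed to have been saved one line per entry without the initial connection greeting.

```python
import re

# Reply code the manual's test session shows after each command, in order.
EXPECTED = [("ehlo", 250), ("mail from", 250), ("rcpt to", 250),
            ("data", 354), (".", 250)]
REPLY_LINE = re.compile(r"^(\d{3})([ -]?)(.*)$")
ENHANCED = re.compile(r"^(\d\.\d{1,3}\.\d{1,3})\s")

def read_reply(lines):
    """Read one reply from an iterator of lines. 'NNN-text' continues the
    reply, 'NNN text' ends it. Returns (code, enhanced_status, text)."""
    code, parts = None, []
    for raw in lines:
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m or (code is not None and int(m.group(1)) != code):
            raise ValueError(f"malformed reply line: {raw!r}")
        code = int(m.group(1))
        parts.append(m.group(3))
        if m.group(2) != "-":  # last line of this reply
            enh = ENHANCED.match(parts[0])
            return code, (enh.group(1) if enh else None), " ".join(parts)
    raise ValueError("input ended in the middle of a reply")

def check_session(reply_lines):
    """Return [] if every reply matches EXPECTED, otherwise
    [(command, expected_code, actual_code, enhanced_status)] for the first
    refused command; later commands are not evaluated."""
    lines = iter(reply_lines)
    for command, expected in EXPECTED:
        code, enhanced, _text = read_reply(lines)
        if code != expected:
            return [(command, expected, code, enhanced)]
    return []

# Constructed captures (server replies only), modelled on the table above.
GOOD = """250-mail.example.com Hello client.example.net [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250 HELP
250 2.1.0 user@outside.com... Sender ok
250 2.1.0 user@inside.com... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 j2TIw3MK026986 Message accepted for delivery""".splitlines()

# Constructed failure: the recipient's domain is not accepted for relaying.
BAD = GOOD[:4] + ["550 5.7.1 user@inside.com... Relaying denied"]
```

A non-empty result names the first command whose reply differed from the table, which is the step to re-check in the unit's domain or policy configuration.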
Next steps
The FortiMail unit is now installed and operational on your network. You can now
register the unit and configure the system time and FortiGuard update schedule.
Note: If you choose the option Automatically adjust clock for daylight saving changes, the
system time must be manually adjusted after daylight savings time ends.
2 Select Synchronize with NTP Server to configure the FortiMail unit to use NTP to
automatically set the system time and date.
3 Enter the IP address or domain name of the NTP server that the FortiMail unit can
use to set its time and date.
4 Specify how often the FortiMail unit should synchronize its time with the NTP
server.
5 Select OK.
4 Select Apply.
The FortiMail unit starts the next scheduled update according to the new update
schedule. Whenever the FortiMail unit runs a scheduled update, the event is
recorded in the FortiMail event log.
Additional configuration
After setting up the FortiMail unit, you can manage it by configuring its many
advanced features as described in the FortiMail Administration Guide, including:
• creating antispam, antivirus, authentication, or content profiles
• creating user policies, including incoming and outgoing policies
• configuring antispam settings, including email quarantine, FortiGuard
Antispam, Bayesian training settings, black and white lists, and antispam rules