Example 3: FortiMail unit in DMZ

In this example, a FortiMail unit operating in gateway mode, a protected email server, and email users’ computers are all positioned within a private network, behind a firewall. However, the FortiMail unit is located in the demilitarized zone (DMZ) of the firewall, separated from the local email users and the protected email server, which are located on the internal network of the firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the network protected by the firewall. The FortiMail unit protects accounts for email addresses ending in “@example.com”, which are hosted on the local email server.

Figure 10:FortiMail unit in DMZ

The FortiMail unit has also been configured with an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:

Sender Pattern	*@example.com
Recipient Pattern	*
Sender IP/Netmask	0.0.0.0/0
Reverse DNS Pattern	*
Authentication Status	authenticated
TLS	< none >
Action	RELAY

To deploy the FortiMail unit in the DMZ of a firewall, you must complete the following:

• Configuring the firewall
• Configuring the MUAs
• Testing the installation

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see “Running the Quick Start Wizard” on page 34 and “Configuring DNS records” on page 50.

Configuring the firewall

With the FortiMail unit in front of a FortiGate unit, and local email users and protected email server located behind the FortiGate unit on its internal network, you must configure firewall policies to allow traffic:

• between the internal network and the FortiMail unit
• between the protected email server and the Internet • between the FortiMail unit and the Internet

To create the required policies, complete the following:

• Configuring the firewall addresses
• Configuring the service groups
• Configuring the virtual IPs

Configuring the firewall addresses

In order to create the firewall policies that governs traffic from the IP addresses of local email users and the protected email server, and the IP address of the FortiMail unit, you must first define the IP addresses of those hosts by creating firewall address entries.

To add a firewall address for local email users

1. Access FortiGate.
2. Go to Firewall > Address > Address.
3. Select Create New.
4. Complete the following:

Name	Enter a name to identify the firewall address entry, such as local_email_users_address.
Type	Select Subnet/IP Range.
Subnet /IP Range	Enter 172.16.1.0/24.
Interface	Select internal.

5. Select OK.

To add a firewall address for the FortiMail unit

1. Access FortiGate.
2. Go to Firewall > Address > Address.
3. Select Create New.
4. Complete the following:

Name	Enter a name to identify the firewall address entry, such as FortiMail_address.
Type	Select Subnet/IP Range.
Subnet /IP Range	Enter 192.168.1.5/32.
Interface	Select dmz.

5. Select OK.

Configuring the service groups

In order to create firewall policies that govern only email and FortiMail-related traffic, you must first create groups of services that define protocols and port numbers used in that traffic.

Because FortiGuard-related services for FortiMail units are not predefined, you must define them before you can create a service group that contains those services.

To add a custom service for FortiGuard Antivirus push updates

1. Access FortiGate.
2. Go to Firewall > Service > Custom.
3. Select Create New.
4. Configure the following:

Name	Enter a name to identify the custom service entry, such as FortiMail_antivirus_push_updates.
Protocol Type	Select TCP/UDP.
Protocol	Select UDP.
Destination Port
Low	Enter 9443.
High	Enter 9443.

5. Select OK.

To add a custom service for FortiGuard Antispam rating queries

1. Access FortiGate.
2. Go to Firewall > Service > Custom.
3. Select Create New.
4. Configure the following:

Name		Enter a name to identify the custom service entry, such as FortiMail_antispam_rating_queries.
Protocol Type		Select TCP/UDP.
Protocol		Select UDP.
Destination Port
	Low	Enter 8889.
	High	Enter 8889.

5. Select OK.

To add a service group for remote incoming FortiMail traffic

1. Access FortiGate.
2. Go to Firewall > Service > Group.
3. Select Create New.
4. In Group Name, enter a name to identify the service group entry, such as FortiMail_incoming_services.
5. In the Available Services area, select HTTP, HTTPS, SMTP, and your custom service for FortiGuard Antivirus push updates, FortiMail_antivirus_push_updates, then select the right arrow to move them to the Members
6. Select OK.

To add a service group for outgoing FortiMail traffic

1. Access FortiGate.
2. Go to Firewall > Service > Group.
3. Select Create New.
4. In Group Name, enter a name to identify the service group entry, such as FortiMail_outgoing_services.
5. In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries, then select the right arrow to move them to the Members
6. Select OK.

To add a service group for internal email user traffic to the FortiMail unit

1. Access FortiGate.
2. Go to Firewall > Service > Group.
3. Select Create New.
4. In Group Name, enter a name to identify the service group entry, such as SMTP_quar_services.
5. In the Available Services area, select HTTP, HTTPS, and SMTP, then select the right arrow to move them to the Members
6. Select OK.

To add a service group for POP3 and IMAP traffic to the protected email server

1. Access FortiGate.
2. Go to Firewall > Service > Group.
3. Select Create New.
4. In Group Name, enter a name to identify the service group entry, such as PO3_IMAP_services.
5. In the Available Services area, select POP3 and IMAP, then select the right arrow to move them to the Members
6. Select OK.

Configuring the virtual IPs

In order to create the firewall policy that forwards email-related traffic to the FortiMail unit, you must first define a static NAT mapping from a public IP address on the FortiGate unit to the IP address of the FortiMail unit by creating a virtual IP entry.

You must also create virtual IPs to define static NAT mappings:

• from a public IP address on the FortiGate unit to the IP address of the protected email server
• from an IP address on the internal network of the FortiGate unit to the IP address of the FortiMail unit
• from an IP address on the DMZ of the FortiGate unit to the IP address of the protected email server

1. Access FortiGate.
2. Go to Firewall > Virtual IP > Virtual IP.
3. Select Create New.
4. Complete the following:

Name	Enter a name to identify the virtual IP entry, such as FortiMail_VIP_wan1.
External Interface	Select wan1.
Type	Select Static NAT.
External IP Address/Range	Enter 10.10.10.1.
Mapped IP Address/Range	Enter 192.168.1.5.

5. Select OK.

To add a wan1 virtual IP for the protected email server

1. Access FortiGate.
2. Go to Firewall > Virtual IP > Virtual IP.
3. Select Create New.
4. Complete the following:

Name	Enter a name to identify the virtual IP entry, such as protected_email_server_VIP_wan1.
External Interface	Select wan1.
Type	Select Static NAT.
External IP Address/Range	Enter 10.10.10.1.
Mapped IP Address/Range	Enter 172.16.1.10.

5. Select OK.

To add a internal virtual IP for the FortiMail unit

1. Access FortiGate.
2. Go to Firewall > Virtual IP > Virtual IP.
3. Select Create New.
4. Complete the following:

Name	Enter a name to identify the virtual IP entry, such as FortiMail_VIP_internal.
External Interface	Select internal.
Type	Select Static NAT.
External IP Address/Range	Enter 172.16.1.2.
Mapped IP Address/Range	Enter 192.168.1.5.

5. Select OK.

To add a dmz virtual IP for the protected email server

1. Access FortiGate.
2. Go to Firewall > Virtual IP > Virtual IP.
3. Select Create New.
4. Complete the following:

Name	Enter a name to identify the virtual IP entry, such as protected_email_server_VIP_dmz.
External Interface	Select dmz.
Type	Select Static NAT.
External IP Address/Range	Enter 192.168.1.2.
Mapped IP Address/Range	Enter 172.16.1.10.

5. Select OK.