Example 2: FortiMail unit in front of a firewall
In this example, a FortiMail unit operating in server mode within a private network, but is separated from local email users’ computers by a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.
Figure 17:Server mode deployment in front of a NAT device
Email Domain: example.com IN M 10 fortimail.example.com
example.com fortimail IN A 10.10.10.5
The FortiMail unit also includes an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:
| Sender Pattern | *@example.com |
| Recipient Pattern | * |
| Sender
IP/Netmask |
0.0.0.0/0 |
| Reverse DNS Pattern | * |
| Authentication Status | authenticated |
| TLS | < none > |
| Action | RELAY |
To deploy the FortiMail unit in front of a NAT device such as a firewall or router, you must complete the following:
- Configuring the firewall
- Configuring the email user accounts
- Configuring the MUAs
- Testing the installation
This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see “Running the Quick Start Wizard” on page 34 and “Configuring DNS records” on page 101.
Configuring the firewall
With the FortiMail unit in front of a FortiGate unit which is between the FortiMail unit and local email users, you must configure a policy to allow from local email users to the FortiMail unit.
To create the required policies, complete the following:
- Configuring the firewall addresses
- Configuring the service group
Configuring the firewall addresses
In order to create the outgoing firewall policy that governs traffic from the IP addresses of local email users to the IP address of the FortiMail unit, you must first define the IP addresses of the local email users and the FortiMail unit by creating firewall address entries.
To add a firewall address for local email users
- Access FortiGate.
- Go to Firewall > Address > Address.
- Select Create New.
- Complete the following:
| Name | Enter a name to identify the firewall address entry, such as local_email_users_address. |
| Type | Select Subnet/IP Range. |
| Subnet /IP Range | Enter 172.16.1.0/24. |
| Interface | Select internal. |
- Select OK.
To add a firewall address for the FortiMail unit
- Access FortiGate.
- Go to Firewall > Address > Addres
- Select Create New.
- Complete the following:
| Name | Enter a name to identify the firewall address entry, such as FortiMail_address. |
| Type | Select Subnet/IP Range. |
| Subnet /IP Range | Enter 10.10.10.5/32. |
| Interface | Select wan1. |
- Select OK.
Configuring the service group
In order to create a firewall policy that governs only FortiMail-related traffic, you must first a create service group that contains services that define protocols and port numbers used in that traffic.
To add a service group for email user traffic to the FortiMail unit
- Access FortiGate.
- Go to Firewall > Service > Group.
- Select Create New.
- In Group Name, enter a name to identify the service group entry, such as local_email_users_services.
- In the Available Services area, select HTTP, HTTPS, SMTP, POP3, and IMAP, then select the right arrow to move them to the Members
- Select OK.
Configuring the firewall policy
Create a firewall policy that allows outgoing email and other FortiMail connections from the local email users to the FortiMail unit.
To add the internal-to-FortiMail policy
- Access FortiGate.
- Go to Firewall > Policy > Policy.
- Select Create New.
- Complete the following:
| Source
Interface/zone |
Select internal. |
| Source Address
Name |
Select local_email_users_address. |
| Destination
Interface/zone |
Select wan1. |
| Destination
Address Name |
Select FortiMail_address. |
| Schedule | Select ALWAYS. |
| Service | Select local_email_users_services. |
| Action | Select ACCEPT. |
- Select NAT.
- Select OK.
Configuring the email user accounts
Create email user accounts for each protected domain on the FortiMail unit.
You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain in order to verify connectivity for the domain.
To add an email user
- Go to User > User > User in the advanced mode of the web UI. (The User tab appears only when FortiMail operates in server mode.)
- From the Domain list, select com.
- Either select New to add an email user, or double-click an email user you want to modify.
A dialog appears.
- In User Name, enter the user name portion, such as user1, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com).
- Select Password, then enter the password for this email account.
- In Display Name, enter the name of the user as it should appear in a MUA, such as “Test User 1”.
- Select Create for a new user or OK for an existing user.
Configuring the MUAs
Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the virtual IP address on the FortiGate unit that maps to the FortiMail unit, 172.16.1.2; for remote email users, this is the public IP address of the FortiMail unit, 10.10.10.5 or fortimail.example.com.
If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.
Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.
If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.
Testing the installation
Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.