Setting Up The System

Running the Quick Start Wizard

The Quick Start Wizard leads you through required configuration steps, helping you to quickly set up your FortiMail unit.

While all settings configured by the Quick Start Wizard can also be configured through the basic and advanced modes of the web UI, the wizard presents each setting in the necessary order. The wizard also provides descriptions to assist you in configuring each setting. These descriptions are not available in the web UI.

Before running the Quick Start Wizard, select the operation mode of the FortiMail unit, such as gateway mode, transparent mode, or server mode. Failure to select the operation mode before running the Quick Start Wizard may require you to run the Quick Start Wizard again after changing the operation mode, as changing the operation mode may reset or change part of the configuration performed by the Quick Start Wizard. For more information on selecting the operation mode, see “Choosing the operation mode” on page 29.

The following topics describe how to use the Quick Start Wizard:

  • Starting the wizard
  • Step 1: Changing the “admin” password
  • Step 2: Configuring the network settings and system time
  • Step 3: Configuring local host settings
  • Step 4: Adding protected domains
  • Step 5: Configuring incoming antispam and antivirus settings
  • Step 6: Configuring access control rules and outgoing settings
  • Step 7: Reviewing and saving the configuration
  • Continuing the installation

Starting the wizard

Open the web UI in a browser.

In either basic mode or advanced mode, select Quick Start Wizard in the top-right button row of the web UI.

Select Yes when prompted to continue. The first page of the wizard appears in a new window over the web UI. You cannot access the web UI when the wizard is open.

You can navigate through the wizard using the Next and Back buttons at the lower corners of the window.

Step 1: Changing the “admin” password

Step 1 of the Quick Start Wizard configures the password of the default and most privileged administrator account, admin. By default, it has no password. Adding a password is optional for this account, but for security reasons, you should provide a password.

  1. Select Change password.
  2. Enter and confirm a new password.
  3. Select Next to move to the next step.

Step 2: Configuring the network settings and system time

Step 2 of the Quick Start Wizard configures basic system time and network settings.

Available settings vary by whether or not the FortiMail unit is operating in transparent mode.

To configure network and time settings

  1. Configure the following, as applicable to your operation mode.
Port1
IP Address Enter the IP address of the port1 network interface, such as 192.168.1.99.

This option does not appear if the FortiMail unit is operating in transparent mode.

Netmask Enter the netmask of the port1 network interface, such as 255.255.255.0.

This option does not appear if the FortiMail unit is operating in transparent mode.

Management IP

IP Address Enter the IP address which FortiMail administrators will use to access the web UI and CLI through port1 and other bridging network interfaces, and which the FortiMail unit will use when connecting to the Fortinet Distribution Network (FDN), such as 192.168.1.99.

This option appears only if the FortiMail unit is operating in transparent mode.

Netmask Enter the netmask of the management IP address, such as 255.255.255.0.

This option appears only if the FortiMail unit is operating in transparent mode.

DNS
Primary DNS Enter the IP address of the primary server to which the FortiMail unit will make DNS queries.

Caution: Verify connectivity with the DNS servers. Failure to verify connectivity could result in many issues, including the inability of the FortiMail unit to process email.

Secondary DNS Enter the IP address of the secondary server to which the FortiMail unit will make DNS queries.
Default Gateway

IP Address Enter the IP address of the default gateway router.
Time Settings
Time Zone Select the time zone of the FortiMail unit.
Set Time Select to manually set the system time, then select the:

  • Second
  • Minute
  • Hour
  • Date

Automatically synchronize system time using the Network Time Protocol (NTP) server Select to automatically set the system time by periodically synchronizing with an NTP server, then configure the NTP Server Name/IP.

NTP Server Name/IP If you have selected to automatically synchronize the system time with an NTP server, enter the domain name or IP address of an NTP server. For a list of public NTP servers, see http://www.ntp.org/.

Note: Verify connectivity with the NTP server. Failure to set the correct time could result in issues such as inaccurate log message times and inability to make secure connections, including downloading FortiGuard Antivirus updates from the FDN.

  2. When done, select Next to move to the next step.

Step 3: Configuring local host settings

Step 3 of the Quick Start Wizard configures the fully qualified domain name (FQDN) of the FortiMail unit, its listening port numbers, and whether to use SSL/TLS with SMTP clients that request secure connections.

You usually should configure the FortiMail unit with a local domain name that is different from that of protected email servers, such as mail.example.com for the FortiMail unit and server.mail.example.com for the protected email server. The local domain name of the FortiMail unit will be used in many features such as email quarantine, Bayesian database training, spam report, and delivery status notification (DSN) email messages, and if the FortiMail unit uses the same domain name as your mail server, it may become difficult to distinguish email messages that originate from the FortiMail unit.

SMTP server port number Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.

SMTP over SSL/TLS Enable to allow SSL- and TLS-secured connections from servers and clients requesting SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s SMTP server will occur as clear text, unencrypted.

This option must be enabled to use SMTPS.

SMTPS server port number Enter the port number on which the FortiMail unit’s SMTP server listens for secure SMTP connections. The default port number is 465.

To configure the local host

  1. Configure the following.

Local Host
Host name Enter the host name of the FortiMail unit.

You should use a different host name for each FortiMail unit, especially when you are managing multiple FortiMail units of the same model, or when configuring a FortiMail high availability (HA) cluster. This will enable you to distinguish between different members of the cluster. If the FortiMail unit is in HA mode:

  • when you connect to the web UI, your web browser will display the host name of that cluster member in its status bar.
  • the FortiMail unit will add the host name to the subject line of alert email messages.

Local domain name Enter the local domain name to which the FortiMail unit belongs. The FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<Host Name>.<Local Domain Name>

This option does not appear if the FortiMail unit is operating in server mode.

Note: The local domain name can be a subdomain of an internal domain if the MX record for the domain on the DNS server can direct the mail destined for the subdomain to the intended FortiMail unit.

POP3 server port number Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.

This option is unavailable if SMTP over SSL/TLS is disabled.

  2. When done, select Next to move to the next step.

Step 4: Adding protected domains

Step 4 of the Quick Start Wizard configures the protected domains.

Protected domains define connections and email messages for which the FortiMail unit can perform protective email processing by describing both:

  • the IP address of an SMTP server
  • the domain name portion (the portion which follows the “@” symbol) of recipient email addresses in the envelope

both of which the FortiMail unit compares to connections and email messages when looking for traffic that involves the protected domain.

For example, if you wanted to scan email from email addresses such as user.one@example.com that are hosted on the SMTP server 10.10.10.10, you would configure a protected domain of example.com whose SMTP server is 10.10.10.10.

You usually must configure at least one protected domain. FortiMail units can be configured to protect one or more email domains that are hosted on one or more email servers.

Exceptions include if you will not apply recipient-based policies or authentication profiles, such as in “Example 3: FortiMail unit for an ISP or carrier” on page 90.

To add a protected domain

  1. Select New.

A dialog appears that enables you to configure the protected domain. Its appearance varies by the operating mode of the FortiMail unit.

  2. Configure the following as applicable to your operation mode:
Domain name Enter the fully qualified domain name (FQDN) of the protected domain.

For example, if you want to protect email addresses such as user1@example.com, you would enter the protected domain name example.com.

Use MX record (transparent mode and gateway mode only) Select to enable the FortiMail unit to query the DNS server’s MX record for the FQDN or IP address of the SMTP server for this domain name.

Note: If enabled, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit. For details, see “Configuring DNS records” on page 50 (gateway mode) or “Configuring DNS records” on page 101 (transparent mode).

SMTP server (transparent mode and gateway mode only) Enter the fully qualified domain name (FQDN) or IP address of the primary SMTP server for this protected domain, then also configure Port.

If you have an internal mail relay that is located on a physically separate server from your internal mail server, this could be your internal mail relay, instead of your internal mail server. Consider your network topology, directionality of the mail flow, and the operation mode of the FortiMail unit.

Port (transparent mode and gateway mode only) Enter the port number on which the SMTP server listens. The default SMTP port number is 25.

  3. Select
  4. Repeat the previous three steps for each domain that the FortiMail unit will protect.
  5. To change a domain configuration, select it and click Edit. To delete one, select it and click Delete.
  6. When done, select Next to move to the next step.

Step 5: Configuring incoming antispam and antivirus settings

Step 5 of the Quick Start Wizard enables or disables antivirus scanning and configures the intensity level of antispam scanning for email incoming to protected domains.

Each antispam level (Off, Low, Medium, and High) is a default antispam profile that groups settings for many antispam features. After completing the Quick Start Wizard, if you want to enable, disable, or differently configure those features, you can use the advanced mode of the web UI to create and/or modify the antispam profiles.

To enable spam and virus checking for incoming mail

  1. Select an antispam scan level for incoming email from the drop-down list.
    • Off: No scanning
    • Low: Good detection rate
    • Medium: Better detection rate with a small impact on system performance
    • High: Best detection rate with an additional impact on system performance
  2. Select or clear Enable AntiVirus scan for incoming email. (For security reasons, leave this option enabled.)
  3. When done, select Next to move to the next step.

Step 6: Configuring access control rules and outgoing settings

Step 6 of the Quick Start Wizard enables or disables antivirus scanning and configures the intensity level of antispam scanning for email outgoing from protected domains.

Step 6 also configures access control rules. Access control rules specify whether the FortiMail unit will process and relay, reject, or discard email messages for SMTP sessions that are initiated by SMTP clients.

Without any configured access control rules, the FortiMail unit’s access control prevents SMTP clients from using your protected server or FortiMail unit as an open relay: senders can deliver email incoming to protected domains, but cannot deliver email outgoing to unprotected domains.

Usually, you must configure at least one access control rule to allow SMTP clients such as your email users or email servers to send email to unprotected domains.

Exceptions include if you have not configured any protected domains, such as in “Example 3: FortiMail unit for an ISP or carrier” on page 90.

Access control rules can also match SMTP sessions based upon the use of TLS. To configure access control rules with TLS, after using the Quick Start Wizard, use the advanced mode of the web UI to create TLS profiles and select them in access control rules. For details, see “Controlling SMTP access and delivery” on page 456.

To enable spam and virus checking for outgoing mail

  1. Select an antispam scan level for outgoing email from the drop-down list.
    • Off: No scanning
    • Low: Good detection rate
    • Medium: Better detection rate with a small impact on system performance
    • High: Best detection rate with an additional impact on system performance
  2. Select or clear Enable AntiVirus scan. (For security reasons, leave this option enabled.)

To add an access control rule

  1. Select New under Access Control for SMTP Relay.

A dialog appears, enabling you to create an access control rule.

For example, if your protected domain, example.com, contains email addresses in the format of user1@example.com, user2@example.com, etc., and you want to allow those email addresses to send email to any external domain as long as they authenticate their identities, you might configure the following access control rule:

Table 7:    Example access control rule

Sender Pattern user*@example.com
Recipient Pattern *
Sender IP/Netmask 0.0.0.0/0
Reverse DNS Pattern *
Authentication Status authenticated
Action RELAY
  2. Configure the following:

Sender Pattern Enter a complete or partial envelope sender (MAIL FROM:) email address to match.

Wildcard characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

For example, the sender pattern ??@*.com will match messages sent by any email user with a two letter email user name from any “.com” domain name.

Regular expression Mark this check box to use regular expression syntax instead of wildcards to specify the sender pattern.
Recipient Pattern Enter a complete or partial envelope recipient (RCPT TO:) email address to match.

Wildcard characters allow you to enter partial patterns that can match multiple recipient email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, example.org, or any other “example” domain ending with a three-letter top-level domain name.

Regular expression Mark this check box to use regular expression syntax instead of wildcards to specify the recipient pattern.
Sender IP/Netmask Enter the IP address and netmask of the SMTP client attempting to deliver the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet.

For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as

10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

To match any address, enter 0.0.0.0/0.

Reverse DNS Pattern Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message.

Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail unit does a DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected with SMTP reply code 550 (Relaying denied).

Wildcard characters allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters; a question mark (?) represents any single character.

For example, the reverse DNS pattern mail*.com will match messages delivered by an SMTP server whose domain name starts with “mail” and ends with “.com”.

Note: Reverse DNS queries for access control rules require that the domain name be a valid top level domain (TLD). For example, “.lab” is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.

Regular expression Mark this check box to use regular expression syntax instead of wildcards to specify the reverse DNS pattern.
Authentication Status Select whether or not to match this access control rule based upon client authentication.

  • Any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.
  • Authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.
  • Not Authenticated: Clients do not need to authenticate with the FortiMail unit.

Action Select which action the FortiMail unit will perform for SMTP sessions matching this access control rule.

  • BYPASS: Relay or proxy and deliver the email, but, if the sender or recipient belongs to a protected domain, bypass all antispam profile processing. Antivirus, content and other scans will still occur.
  • DISCARD: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
  • RELAY: Relay or proxy, process, and deliver the email normally if it passes all configured scans.
  • REJECT: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).

  3. Click OK.

When you click OK, a new access control rule appears at the bottom of the list of access control rules. The FortiMail unit evaluates each new rule as a match for the SMTP session only if no previous access control rule matches. If you want your new rule to be evaluated before another rule, move your new access control rule to its intended position in the list.

  4. Repeat the previous three steps for any additional access control rules.
  5. To change an access control rule, select it and click Edit. To delete one, select it and click Delete.
  6. When done, select Next to move to the last step.

Step 7: Reviewing and saving the configuration

Step 7 presents a list of all settings you have made in the wizard.

  • Review the configuration.
  • To change a setting, click Back until you reach the applicable step.
  • If all settings are correct, select OK.

The wizard and the dashboard disappear, and FortiMail prompts you to log in.

Continuing the installation

After using the Quick Start Wizard:

  1. If you have multiple FortiMail units, and you want to configure them in high availability (HA) mode, configure the HA settings before physically connecting the FortiMail units to your network.

For instructions on configuring HA, see “Using high availability (HA)” on page 305.

  2. If you have subscribed to FortiGuard Antivirus or FortiGuard Antispam services, connect the FortiMail unit to the Fortinet Distribution Network (FDN) to update related packages. For details, see “Connecting to FortiGuard services” on page 44.
  3. You may need to configure additional features that may be specific to your operation mode and network topology, such as configuring your router or firewall, and records on your public DNS server. For instructions applicable to your operation mode, see:
    • Gateway mode deployment
    • Transparent mode deployment
    • Server mode deployment
  4. Expand your basic configuration using basic mode. See “Initial configuration in basic mode” on page 122.
  5. Verify that email clients can connect to or through the FortiMail unit. For details, see “Testing the installation” on page 159.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
