Example 1: FortiMail unit in front of an email server
In this example, a FortiMail unit operating in transparent mode is positioned in front of one email server.
This example assumes that the FortiMail unit is protecting a single email server. If your FortiMail unit is protecting multiple email servers and they are not on the same subnet, you must first remove some network interfaces from the bridge and configure static routes. For an example of configuring out-of-bridge network interfaces, see “Removing the network interfaces from the bridge” on page 95.
Figure 12: Transparent mode deployment to protect an email server
[Figure: DNS records shown in the diagram] Email domain: @example.com; protected email server at 172.16.1.10. Private DNS server: example.com IN MX 10 mail.example.com; mail IN A 172.16.1.10. Public DNS server: example.com IN MX 10 mail.example.com; mail IN A 10.10.10.1.
The FortiMail unit also includes an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:
Sender Pattern | *@example.com |
Recipient Pattern | * |
Sender IP/Netmask | 0.0.0.0/0 |
Reverse DNS Pattern | * |
Authentication Status | authenticated |
TLS | < none > |
Action | RELAY |
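The following is an added example, not FortiMail code: a constructed model of how a rule like the one above is evaluated against an SMTP session, so you can see why an unauthenticated client that merely claims an example.com sender is not granted RELAY. Top-down first-match evaluation and shell-style wildcard matching are assumptions of the model; the IP addresses are constructed.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
# Constructed model of an access control rule; not FortiMail code. Pattern
# fields are approximated with shell-style wildcards.
@dataclass
class AccessRule:
    sender_pattern: str       # e.g. "*@example.com"
    recipient_pattern: str    # "*" matches any recipient
    sender_ip: str            # CIDR; "0.0.0.0/0" matches any address
    reverse_dns_pattern: str  # "*" also matches a missing reverse DNS name
    auth_status: str          # "any", "authenticated" or "not authenticated"
    action: str               # e.g. "RELAY"

@dataclass
class SmtpSession:
    sender: str
    recipient: str
    client_ip: str
    reverse_dns: str
    authenticated: bool

def _glob(pattern, value):
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def rule_matches(rule, s):
    """Every field of the rule must match the session for the rule to apply."""
    auth_ok = (rule.auth_status == "any"
               or (rule.auth_status == "authenticated") == s.authenticated)
    return (_glob(rule.sender_pattern, s.sender)
            and _glob(rule.recipient_pattern, s.recipient)
            and ipaddress.ip_address(s.client_ip)
            in ipaddress.ip_network(rule.sender_ip, strict=False)
            and _glob(rule.reverse_dns_pattern, s.reverse_dns or "")
            and auth_ok)

def first_matching_action(rules, s):
    """Assumed top-down evaluation: first matching rule wins, None otherwise."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.action
    return None

# The rule from the page: relay for *@example.com senders only once authenticated.
RELAY_AUTHENTICATED = AccessRule("*@example.com", "*", "0.0.0.0/0", "*",
                                 "authenticated", "RELAY")
# Constructed sessions (documentation IP ranges): a logged-in user, and an
# unauthenticated client that merely claims an example.com sender address.
AUTHENTICATED_USER = SmtpSession("alice@example.com", "bob@other.example", "203.0.113.25", "host.other.example", True)
SPOOFED_SENDER = SmtpSession("alice@example.com", "bob@other.example", "198.51.100.7", "", False)
```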
To deploy the FortiMail unit in front of an email server, you must complete the following:
- Configuring the protected domains and session profiles
- Configuring the proxies and implicit relay
Configuring the protected domains and session profiles
When configuring the protected domain and session profiles, you can select transparent mode options to hide the existence of the FortiMail unit.
To configure the transparent mode options of the protected domain
- Go to Mail Settings > Domains > Domains in the advanced mode of the web UI.
- Select the domain and then click Edit.
- Configure the following:
Transparent Mode Options | |
This server is on (transparent mode only) | Select the network interface (port) to which the protected SMTP server is connected.
Note: Selecting the wrong network interface will result in the FortiMail unit sending email traffic to the wrong network interface. |
Hide the transparent box (transparent mode only) | Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in:
• the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
• the IP addresses in the IP header
This masks the existence of the FortiMail unit to the protected SMTP server.
Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.
Note: If the protected SMTP server applies rate limiting according to IP addresses, enabling this option can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail unit.
Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, this option has precedence over the Hide this box from the mail server option in the session profile, and may prevent it from applying to incoming email messages. |
Use this domain’s SMTP server to deliver the mail (transparent mode only) | Enable to allow SMTP clients to send outgoing email directly through the protected SMTP server.
Disable to, instead of allowing a direct connection, proxy the connection using the incoming proxy, which queues email messages that are not immediately deliverable. |
- Select OK.
To configure the transparent mode options of the session profile
- Go to Policy > Policies > IP Policies in the advanced mode of the web UI.
- In the Session column for an IP-based policy, select the name of the session profile to edit the profile.
A dialog appears.
- Configure the following:
Connection Settings | |
Hide this box from the mail server (transparent mode only) | Enable to preserve the IP address or domain name of the SMTP client in:
• the SMTP greeting (HELO/EHLO) and in the Received: message headers of email messages
• the IP addresses in the IP header
This masks the existence of the FortiMail unit.
Disable to replace the IP addresses or domain names with that of the FortiMail unit.
Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain has precedence over this option, and may prevent it from applying to incoming email messages. |
- Select OK.
- Repeat the previous three steps for each IP-based policy.
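Both the protected domain's Hide the transparent box option and the session profile's Hide this box from the mail server option change what the protected server records in its own Received: header. The following added check (not FortiMail or project code) reads a message as stored on the protected server and reports whether the original client's address was preserved or the FortiMail unit's address appears as the peer; the addresses, hostnames and sample messages are constructed assumptions.

```python
import email
import re
# Assumed addresses for this constructed check (not taken from the page's
# figure): the remote SMTP client and the FortiMail unit's own address.
CLIENT_IP = "203.0.113.25"
PROXY_IP = "172.16.1.2"
PROTECTED_SERVER = "mail.example.com"

# One "from <helo> (<rdns> [<ip>]) by <server>" hop; the rDNS part is optional.
HOP_RE = re.compile(
    r"from\s+\S+\s+\((?:[^\s\[\]]+\s+)?\[([^\]]+)\]\)\s+by\s+(\S+)", re.I)

def hop_seen_by(raw_message, server):
    """Return the peer IP recorded in the Received: header added by `server`,
    or None if that server added no parseable Received: header."""
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received") or []:
        m = HOP_RE.search(received)
        if m and m.group(2).lower() == server.lower():
            return m.group(1)
    return None

def masking_verdict(raw_message, server=PROTECTED_SERVER,
                    client_ip=CLIENT_IP, proxy_ip=PROXY_IP):
    """Classify what the protected server saw as its SMTP peer."""
    ip = hop_seen_by(raw_message, server)
    if ip == client_ip:
        return "client-preserved"  # the hide option is in effect
    if ip == proxy_ip:
        return "proxy-visible"     # the FortiMail unit is exposed as the peer
    return "unknown"

# Constructed messages as they would be stored on the protected server.
MSG_HIDDEN = """Received: from mx.other.example (mx.other.example [203.0.113.25])
 by mail.example.com (Postfix) with ESMTP id AAA111
 for <bob@example.com>; Mon, 1 Jan 2024 10:00:00 +0000
To: bob@example.com

hello
"""
MSG_VISIBLE = """Received: from fortimail.example.com (fortimail.example.com [172.16.1.2])
 by mail.example.com (Postfix) with ESMTP id BBB222
 for <bob@example.com>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mx.other.example (mx.other.example [203.0.113.25])
 by fortimail.example.com with ESMTP id CCC333; Mon, 1 Jan 2024 10:00:04 +0000
To: bob@example.com

hello
"""
```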
Configuring the proxies and implicit relay
When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections arriving on a network interface, the FortiMail unit can scan and process those connections. If it is not enabled, the FortiMail unit can either block the connections or permit them to pass through unmodified.
Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.
You configure proxy/relay pick-up separately for incoming and outgoing connections.
In this deployment example, incoming connections arriving on port2 must be scanned before traveling to the main email server, and therefore are configured to be Proxy — that is, picked up by the implicit relay.
Outgoing connections arriving on port1 will contain email that has already been scanned once, during SMTP clients’ relay to the main email server. Scanning outgoing connections again using either the outgoing proxy or the implicit relay would waste resources. Therefore outgoing connections will be Pass through.
To configure SMTP proxy and implicit relay pick-up
- Go to System > Network in the advanced mode of the web UI.
- Edit SMTP proxy settings on both Port 1 and Port 2:
Port 1 | |
Incoming connections | Drop |
Outgoing connections | Pass through |
Local connections | Allow |
Port 2 | |
Incoming connections | Proxy |
Outgoing connections | Drop |
Local connections | Disallow |
If Use client-specified SMTP server to send email is disabled under Mail Settings > Proxies, and an SMTP client is configured to authenticate, you must configure and apply an authentication profile. Without the profile, authentication with the built-in MTA will fail. Also, the mail server must be explicitly configured to allow relay in this case.
Testing the installation
Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.
When configuring transparent mode, is it necessary to configure mail settings (SMTP port, SSL for SMTP, etc.)? From my understanding it is not necessary because FortiMail acts as a proxy. But if these are not configured, the connection is not intercepted (scanned).
Kindly expound on active-passive HA deployment for two FortiMails in transparent mode in an ISP environment where we use PBRs on the connected routers. I am keen on the IPs to be used on the PBR and whether this can be done without using an ADC.