Example 2: FortiMail unit in front of an email hub
In this example, a FortiMail unit operating in transparent mode is positioned between an email gateway and other internal email servers.
When sending email with external recipients, the email servers (Relay A and Relay B) in each WAN location are required to deliver through the main email server, which encrypts outgoing SMTP connections. The firewall will only allow SMTP traffic from the main email server.
Figure 13: Transparent mode deployment to protect an email hub (email domain: @example.com)
The FortiMail unit also includes an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:
Sender Pattern | *@example.com |
Recipient Pattern | * |
Sender IP/Netmask | 0.0.0.0/0 |
Reverse DNS Pattern | * |
Authentication Status | authenticated |
TLS | < none > |
Action | RELAY |
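To make the effect of this rule concrete, the following is an added example, not FortiMail's own code: a small model of access control rule matching that evaluates the rule above against a few constructed sessions. It assumes rules are checked top-down with first match winning and that, when no rule matches, mail for a protected domain is accepted while mail for any other recipient is refused (relay denied); both are assumptions for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

# Constructed model of access control rule matching (not FortiMail's code).
# Assumed semantics: first matching rule wins; with no match, a recipient in
# a protected domain is accepted and any other recipient is refused.

@dataclass
class Session:
    sender: str          # envelope MAIL FROM address
    recipient: str       # envelope RCPT TO address
    client_ip: str       # IP address of the connecting SMTP client
    reverse_dns: str     # PTR name of the client, "" if none
    authenticated: bool  # client completed SMTP AUTH
    tls: bool            # session is TLS-protected

@dataclass
class Rule:
    sender_pattern: str
    recipient_pattern: str
    sender_net: str      # IP/Netmask, e.g. "0.0.0.0/0"
    rdns_pattern: str
    auth_status: str     # "any", "authenticated" or "not authenticated"
    tls: str             # "none" (no TLS requirement) or "required"
    action: str

    def matches(self, s: Session) -> bool:
        glob = fnmatch.fnmatchcase
        if not glob(s.sender.lower(), self.sender_pattern.lower()):
            return False
        if not glob(s.recipient.lower(), self.recipient_pattern.lower()):
            return False
        net = ipaddress.ip_network(self.sender_net, strict=False)
        if ipaddress.ip_address(s.client_ip) not in net:
            return False
        if not glob(s.reverse_dns.lower(), self.rdns_pattern.lower()):
            return False
        if self.auth_status == "authenticated" and not s.authenticated:
            return False
        if self.auth_status == "not authenticated" and s.authenticated:
            return False
        return not (self.tls == "required" and not s.tls)

PROTECTED_DOMAINS = {"example.com"}

# The single rule from this deployment example.
RULES = [Rule("*@example.com", "*", "0.0.0.0/0", "*", "authenticated", "none", "RELAY")]

def decide(session: Session, rules=RULES) -> str:
    for rule in rules:
        if rule.matches(session):
            return rule.action
    domain = session.recipient.rsplit("@", 1)[-1].lower()
    return "RELAY" if domain in PROTECTED_DOMAINS else "REJECT"
```

The constructed sessions show the point of the Authentication Status field: a sender claiming @example.com without authenticating cannot relay to an external domain, while inbound mail for the protected domain is still accepted.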
To deploy the FortiMail unit in front of one or more email servers, you must complete the following:
- Configuring the protected domains and session profiles
- Configuring the proxies and implicit relay
Configuring the protected domains and session profiles
When configuring the protected domain and session profiles, you can select transparent mode options to hide the existence of the FortiMail unit.
To configure the transparent mode options of the protected domain
- Go to Mail Settings > Domains > Domains in the advanced mode of the web UI.
- In the row corresponding to the protected domain, select Edit.
- Configure the following:
Transparent Mode Options | |
This server is on (transparent mode only) | Select the network interface (port) to which the protected SMTP server is connected.
Note: Selecting the wrong network interface will result in the FortiMail unit sending email traffic to the wrong network interface. |
Hide the transparent box (transparent mode only) | Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in:
- the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
- the IP addresses in the IP header
This masks the existence of the FortiMail unit to the protected SMTP server.
Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.
Note: If the protected SMTP server applies rate limiting according to IP addresses, enabling this option can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail unit.
Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, this option has precedence over the Hide this box from the mail server option in the session profile, and may prevent it from applying to incoming email messages.
Use this domain’s SMTP server to deliver the mail (transparent mode only) | Enable to allow SMTP clients to send outgoing email directly through the protected SMTP server.
Disable to, instead of allowing a direct connection, proxy the connection using the incoming proxy, which queues email messages that are not immediately deliverable. |
- Select OK.
To configure the transparent mode options of the session profile
- Go to Policy > Policies > IP Policies in the advanced mode of the web UI.
- In the Session column for an IP-based policy, select the name of the session profile to edit the profile.
- Configure the following:
Connection Settings | |
Hide this box from the mail server (transparent mode only) | Enable to preserve the IP address or domain name of the SMTP client in:
- the SMTP greeting (HELO/EHLO) and in the Received: message headers of email messages
- the IP addresses in the IP header
This masks the existence of the FortiMail unit.
Disable to replace the IP addresses or domain names with that of the FortiMail unit.
Note: Unless you have enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain has precedence over this option, and may prevent it from applying to incoming email messages. |
- Select OK.
- Repeat the previous three steps for each IP-based policy.
Configuring the proxies and implicit relay
When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled on the network interface where a connection arrives, the FortiMail unit can scan and process that connection. If pick-up is not enabled, the FortiMail unit can either block the connection or permit it to pass through unmodified.
Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.
Proxy/relay pick-up is configured separately for incoming and outgoing connections.
In this deployment example, incoming connections arriving on port2 must be scanned before traveling to the main email server, and therefore are configured to be Proxy — that is, picked up by the implicit relay.
Outgoing connections arriving on port1 will contain email that has already been scanned once, during SMTP clients’ relay to the main email server. In addition, outgoing connections by the main mail server will be encrypted using TLS. Encrypted connections cannot be scanned. Therefore outgoing connections will be passed through, and neither proxied nor implicitly relayed.
To configure SMTP proxy and implicit relay pick-up
- Go to System > Network in the advanced mode of the web UI.
- Edit SMTP proxy settings on both Port 1 and Port 2:
Port 1 | |
Incoming connections | Drop |
Outgoing connections | Pass through |
Local connections | Allow |
Port 2 | |
Incoming connections | Proxy |
Outgoing connections | Drop |
Local connections | Disallow |
Testing the installation
Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.
When configuring transparent mode, is it necessary to configure mail settings (SMTP port, SSL for SMTP, etc.)? From my understanding it is not necessary because FortiMail acts as a proxy. But if these are not configured, the connection is not intercepted (scanned).
Kindly expound on active-passive HA deployment for two FortiMails in transparent mode in an ISP environment where we use PBRs on the connected routers. I am keen on the IPs to be used on the PBR and whether this can be done without using an ADC.