Transparent Mode Deployment

Configuring the session profiles

When configuring the protected domain and session profiles, you can select transparency, encryption, authentication, and antispam IP-based reputation settings that will be applied by an IP-based policy.

In this deployment example, you configure two session profiles:

  • a profile for connections from subscribers
  • a profile for connections from SMTP clients on the external network

FortiMail applies each profile in the IP-based policy that governs connections from either the subsurface or external network.

In both profiles, TLS-encrypted connections are not allowed in order to prevent viruses from entering or leaving the subscriber network, since encrypted connections cannot be scanned. Authentication is required to prevent spammers from connecting to open relays. No protected domains are configured, and so transparency will be configured through the session profiles alone. This will hide the existence of the FortiMail unit to all SMTP clients.

Because subscribers use dynamic IP addresses, instead of sender reputation, endpoint reputation is used in the subscribers’ session profile to score their trustworthiness. Endpoint reputation scans use RADIUS accounting notices from your RADIUS server to map subscriber end point identifiers or MSISDNs to their current IP address. Subscribers who have a reputation for sending spam or viruses will be blocked, thereby reducing the risk that your public IP addresses could be blacklisted by DNS black list (DNSBL) services.

Sender reputation, which functions best with static IP addresses and does not require a RADIUS server, will be used in the external networks’ session profile to score SMTP clients on external networks. This will help to prevent viruses and spam from reaching your subscribers.

To configure the session profile for connections from external SMTP clients

  1. Go to Profile > Session in the advanced mode of the web UI.
  2. Select New.
  3. In Profile Name, type a name for the session profile, such as external_session_profile.
  4. Configure the following:
Connection Settings  
Hide this box from the mail server

(transparent mode only)

Enable to preserve the IP address or domain name of the SMTP client in:

•      the SMTP greeting (HELO/EHLO) and in the Received:

message headers of email messages

•      the IP addresses in the IP header

This masks the existence of the FortiMail unit.

Sender Reputation  
Enable sender reputation Enable to accept or reject email based upon sender reputation scores.
Throttle client at Enter a sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client.

The enforced rate limit is either Restrict number of email per hour to n or Restrict email to n percent of the previous hour, whichever value is greater.

Restrict number of email per hour to Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.
Restrict email to n percent of the previous hour Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour.
Temporarily fail client at Enter a sender reputation score over which the FortiMail unit will return a temporary failure error when the SMTP client attempts to initiate a connection.
Reject client at Enter a sender reputation score over which the FortiMail unit will return a permanent rejection error when the SMTP client attempts to initiate a connection.
Session Settings  
Prevent encryption of the session

(transparent mode only)

Enable to block STARTTLS/MD5 commands so that email connections cannot be TLS-encrypted.

Unauthenticated Session Settings

Prevent open relaying       Enable to prevent clients from using open relays to send email by blocking sessions that are unauthenticated.

(transparent mode only)

(Unauthenticated sessions are assumed to be occurring to an open relay.)

If you permit SMTP clients to use open relays to send email, email from their domain could be blacklisted by other SMTP servers.

  1. Select Create.

To configure the session profile for connections from internal SMTP clients

  1. Go to Profile > Session in the advanced mode of the web UI.
  2. Select New.
  3. In Profile Name, type a name for the session profile, such as internal_session_profile.
  4. Configure the following:
Connection Settings  
Hide this box from the mail server

(transparent mode only)

Enable to preserve the IP address or domain name of the SMTP client in:

•      the SMTP greeting (HELO/EHLO) and in the Received:

message headers of email messages

•      the IP addresses in the IP header

This masks the existence of the FortiMail unit.

Do not let client connect Enable to prevent clients from connecting to SMTP servers to blacklisted SMTP that have been blacklisted in antispam profiles or, if servers enabled, the FortiGuard AntiSpam service.

(transparent mode only)

Endpoint Reputation  
Enable Endpoint Reputation Enable to accept, monitor, or reject email based upon endpoint reputation scores.

This option is designed for use with SMTP clients with dynamic IP addresses. It requires that your RADIUS server provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail unit.

Action Select either:

•      Reject: Reject email and MMS messages from MSISDNs/subscriber IDs whose endpoint reputation scores exceed Auto blacklist score trigger value.

•      Monitor: Log, but do not reject, email and MMS messages from MSISDNs/subscriber IDs whose endpoint reputation scores exceed Auto blacklist score trigger value. Log entries appear in the history log.

Auto blacklist score trigger value Enter the endpoint reputation score over which the FortiMail unit will add the MSISDN/subscriber ID to the automatic blacklist.

The trigger score is relative to the period of time configured as the automatic blacklist window.

Auto blacklist duration Enter the number of minutes that an MSISDN/subscriber ID will be prevented from sending email or MMS messages after they have been automatically blacklisted.
Session Settings  
Prevent encryption of the session

(transparent mode only)

Enable to block STARTTLS/MD5 commands so that email connections cannot be TLS-encrypted.

Unauthenticated Session Settings

Prevent open relaying       Enable to prevent clients from using open relays to send email by blocking sessions that are unauthenticated.

(transparent mode only)

(Unauthenticated sessions are assumed to be occurring to an open relay.)

If you permit SMTP clients to use open relays to send email, email from their domains could be blacklisted by other SMTP servers.

Configuring the IP-based policies

Session profiles are applied to IP-based policies governing SMTP client connections.

In this deployment example, two IP-based policies are configured. The first policy governs connections from the internal subscriber network. The second policy matches all other connections that did not match the first policy, and will therefore govern connections from the external network.

To configure the IP-based policy for connections from internal SMTP clients

  1. Go to Policy > Policies > IP Policies in the advanced mode of the web UI.
  2. Select New.
  3. In Source IP/Netmask, type the IP address and netmask of your subscriber network.
  4. In Destination, type 0.0.0/0 to match all SMTP server IP addresses.
  5. From Session, select internal_session_profile.
  6. From AntiSpam, select the name of an antispam profile. When this profile detects spam, it will affect the subscriber’s endpoint reputation score.
  7. From AntiVirus, select the name of an antivirus profile. When this profile detects a virus, it will affect the subscriber’s endpoint reputation score.
  8. Select Create.

The internal network policy appears at the bottom of the list of IP-based policies. Policies are evaluated in order until a policy is found that matches the connection.

Because the default IP-based policy (0.0.0.0/0 –> 0.0.0.0/0) matches all connections, and because it is first in the list, in order for connections to be able to match the new policy, you must move the new policy to an index number above the default policy.

To move a policy

  1. Select the new IP policy and click Move.

A menu appears with four choices: Down, Up, after, Before.

  1. Do one of the following:
    • Select Up to move it one position in that direction and repeat the movement until the new record is in the top position.
    • Select A dialog appears.
    • In the field beside Move right before, enter 1.
    • Click OK

Your new policy for internal SMTP clients should now appear above the default policy, in the row whose index number is 1.

To configure the IP-based policy for connections from external SMTP clients

  1. Go to Policy > Policies > IP Policies in the advanced mode of the web UI.
  2. Select Edit for the default policy whose Match column contains 0.0.0/0 –> 0.0.0.0/0.
  3. From Session, select external_session_profile.
  4. From AntiSpam, select the name of an antispam profile. When this profile detects spam, it will affect the SMTP client’s sender reputation score.
  5. From AntiVirus, select the name of an antivirus profile. When this profile detects a virus, it will affect the SMTP client’s sender reputation score.
  6. Select OK.

Configuring the outgoing proxy

When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections on that network interface, the FortiMail unit can scan and process the connection. If not enabled, the FortiMail unit can either block or permit the connection to pass through unmodified.

Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.

 

Proxy pick-up is configured separately for incoming and outgoing connections.

In this deployment example, there are no protected domains; therefore, all connections are outgoing. In addition, per-domain and per-recipient Bayesian databases and per-recipient quarantines do not exist and, therefore, the FortiMail unit does not need to receive local SMTP connections in order to train databases or delete or release a domain’s recipient’s quarantined email.

The FortiMail unit must not expend resources to queue undeliverable email, nor reroute connections, and therefore it must not implicitly use its built-in MTA. Instead, it must always use its outgoing proxy by enabling Use client-specified SMTP server to send email under Mail Settings > Proxies. Because port1 is used exclusively for administration, the outgoing proxy must be configure to pick up outgoing connections only on port2 and port3.

To configure outgoing proxy pick-up

  1. Go to Mail Settings > Proxies in the advanced mode of the web UI.
  2. Enable Use client-specified SMTP server to send email.
  3. Go to System > Network.
  4. Edit SMTP proxy settings on both port 2 and port 3:
Port 2  
Incoming connections Drop
Outgoing connections Proxy
Local connections Disallow
Port 3  
Incoming connections Drop
Outgoing connections Proxy
Local connections Disallow

Configuring policy-based routes on the router

After you have configured the FortiMail settings, you must create policy routes on the router to redirect the SMTP traffic (from and to the subscribers) to the FortiMail unit for scanning.

For example, you use a FortiGate unit as the router/firewall, you can go to Router > Policy Route to create two routes: one for the external-to-subscribers SMTP traffic and one for the subscribers-to-external SMTP traffic.

For details, see the FortiGate Handbook on http://docs.fortinet.com.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.

This entry was posted in Administration Guides, FortiMail and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “Transparent Mode Deployment

  1. Alexandru

    when configuring transparent mode is it necessary to configure mail settings (SMTP port, SSL for SMTP etc.). From my understanding is not necessary because Fortimail acts as a proxy. But if these are not configured connection is not intercepted(scanned).

    Reply
  2. Gerald Simila

    kindly expound on active-passive H/A deployment for two Fortimails in transparent mode in an ISP environment where we use PBRs on the connected routers. Am keen on the IPs to be used on the PBR and if this can be done without using an ADC.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.