Configuring protected domains
The Domains tab displays the list of protected domains.
Protected domains define connections and email messages for which the FortiMail unit can perform protective email processing by describing both:
- the IP address of an SMTP server
- the domain name portion (the portion which follows the “@” symbol) of recipient email addresses in the envelope
The FortiMail unit uses both parts to compare to connections and email messages when looking for traffic that involves the protected domain.
For example, if you wanted to scan email from email addresses such as user.one@example.com hosted on the SMTP server 10.10.10.10, you would configure a protected domain of example.com whose SMTP server is 10.10.10.10.
Aside from defining the domain, protected domains contain settings that apply specifically to all email destined for that domain, such as mail routing and disclaimer messages.
Many FortiMail features require that you configure a protected domain. For example, when applying recipient-based policies for email messages incoming to the protected domain, the FortiMail unit compares the domain name of the protected domain to the domain name portion of the recipient email addresses.
When FortiMail units operating in transparent mode are proxying email connections for a protected domain, the FortiMail unit will pass, drop or intercept connections destined for the IP address of an SMTP server associated with the protected domain, and can use the domain name of the protected domain during the SMTP greeting.
For more information on how the domain name and mail exchanger (MX) IP address of protected domains are used, see “Incoming versus outgoing SMTP connections” on page 416 and “Incoming versus outgoing email messages” on page 454.
Usually, you have already configured at least one protected domain during installation of your FortiMail unit; however, some configurations may not require any protected domains. You can add more domains or modify the settings of existing ones if necessary.
If you have many mail domains that will use identical settings, instead of creating many protected domains, you may want to create one protected domain, and then configure the others as associated domains. For details, see “Domain Association” on page 393.
If the FortiMail unit is operating in gateway mode, you must change the MX entries for the DNS records for your email domain, referring email to the FortiMail unit rather than to your email servers. If you create additional protected domains, you must modify the MX records for each additional email domain. Similarly, MX records must also refer to the FortiMail unit if it is operating in server mode.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.
For details, see “About administrator account permissions and domains” on page 290.
Before you begin, if the protected domain will use an IP pool profile, first configure the IP pool profile. For details, see “Configuring IP pools” on page 598.
To view and configure protected domains
- Go to Mail Settings > Domains > Domains.
The tab varies with the operation mode.
Figure 155: Viewing the list of protected domains (transparent mode and gateway mode)
Figure 156: Viewing the list of protected domains (server mode)
GUI item | Description |
Delete
(button) |
Click Delete to remove the protected domain.
Caution: This also deletes all associated email user accounts and preferences. |
Domain FQDN | Displays the fully qualified domain name (FQDN) of the protected domain.
If the protected domain is a subdomain or domain association, click the + next to a domain entry to expand the list of subdomains and domain associations. To collapse the entry, click the –. |
Relay Type
(transparent and gateway mode only) |
Indicates one of the methods by which the SMTP server will receive email from the FortiMail unit for the protected domain: Host, MX Record (this domain), MX Record (alternative domain), IP pool, LDAP Domain Mail Host. |
SMTP Server
(transparent and gateway mode only) |
Displays the host name or IP address and port number of the mail exchanger (MX) for this protected domain.
If Relay Type is MX Record (this domain) or MX Record (alternative domain), this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty. |
Sub
(transparent and gateway mode only) |
A green check mark indicates that the entry is a subdomain of a protected domain. |
Association
(transparent and gateway mode only) |
A green check mark indicates that the entry is a domain association. For more information on domain associations, see “Domain Association” on page 393. |
- Either click New to create a new protected domain, or click a row to modify it.
A multisection dialog appears. Its options vary with the operation mode.
Figure 157: Creating a protected domain (transparent mode and gateway mode)
Figure 158: Creating a protected domain (server mode)
- Configure the general information as it applies to the current operation mode and your choice for relay type:
GUI item | Description |
Domain name | Enter the fully qualified domain name (FQDN) of the protected domain.
For example, if you want to protect email addresses such as user1@example.com, you would enter the protected domain name example.com. Generally, your protected domain will use a valid, globally-resolvable top-level domain (TLD) such as .com. Exceptions could include testing scenarios, where you have created a .lab mail domain on your private network to prevent accidental conflicts with live mail systems legitimately using their globally-resolvable FQDN. |
Relay type
(transparent and gateway mode only) |
Select from one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain:
• Host: Configure the connection to one protected SMTP server or, if any, one fallback. Also configure SMTP server and Fallback SMTP server.
• MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
• MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also configure Alternative domain name.
• IP pool: Configure the connection to rotate among one or many protected SMTP servers for load balancing. Also configure the IP pool profile (also see “Configuring IP pools” on page 598).
• LDAP Domain Mail Host: Query the LDAP server for the FQDN or IP address of the SMTP server. Also configure the LDAP Profile (see “Configuring LDAP profiles” on page 549).
Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from those of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit.
• In gateway mode, a private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server, configure the protected SMTP server’s A record with its private IP address, while on the public DNS server, configure the FortiMail unit’s A record with its public IP address.
• In transparent mode, a private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server’s A record with its private IP address. On the public DNS server, configure the protected SMTP server’s A record with its public IP address. Do not modify the MX record.
• For performance reasons, DNS lookups are skipped in gateway and server mode unless the sending domain is blank. |
SMTP server
(transparent and gateway mode only) |
Enter the fully qualified domain name (FQDN) or IP address of the primary SMTP server for this protected domain, then also configure Port and Use SMTPS.
If you have an internal mail relay that is located on a physically separate server from your internal mail server, this could be your internal mail relay, instead of your internal mail server. Consider your network topology, directionality of the mail flow, and the operation mode of the FortiMail unit. For more information, see “Incoming versus outgoing SMTP connections” on page 416 and “Avoiding scanning email twice” on page 418. This field appears only if Relay type is Host. |
Fallback SMTP server
(transparent and gateway mode only) |
Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain, then also configure Port and Use SMTPS.
This SMTP server will be used if the primary SMTP server is unreachable. This field appears only if Relay type is Host. |
IP pool profile
(transparent and gateway mode only) |
Select the name of the IP pool profile that defines the range of IP addresses. Also configure Port and Use SMTPS.
This field appears only if Relay type is IP pool. |
LDAP profile
(transparent mode and gateway mode only) |
Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query. Also configure Port and Use SMTPS.
This field appears only if Relay type is LDAP Domain Mail Host. |
Port | Enter the port number on which the SMTP server listens.
If you enable Use SMTPS, Port automatically changes to the default port number for SMTPS, but can still be customized.
The default SMTP port number is 25; the default SMTPS port number is 465.
This field appears only if Relay type is Host, IP pool or LDAP Domain Mail Host. |
Use SMTPS | Enable to use SMTPS for connections originating from or destined for this protected server.
This field appears only if Relay type is Host, IP pool or LDAP Domain Mail Host. |
Alternative domain name
(transparent and gateway mode only) |
Enter the domain name to use when querying the DNS server for MX records.
This option appears only if Relay type is MX Record (alternative domain name). |
Is subdomain | Mark this check box to indicate the protected domain you are creating is a subdomain of an existing protected domain, then also configure Main domain.
Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will appear as grouped under the parent protected domain when viewing the list of protected domains. This option is available only when another protected domain exists to select as the parent domain. |
Main domain | Select the protected domain that is the parent of this subdomain. For example, lab.example.com might be a subdomain of example.com.
This option is available only when Is subdomain is enabled. |
LDAP User Profile
(server mode only) |
Select the name of an LDAP profile that you have configured (see “Configuring LDAP profiles” on page 549). This enables the FortiMail unit to authenticate email users and to expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members. |
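As an added illustration (not FortiMail's own code), the following Python models how the settings in the table above choose a relay target: an exact match of the envelope recipient's domain part against a protected-domain FQDN, Host with a fallback server, MX lookups against a constructed private DNS view, and rotation across IP pool members. Round-robin selection and the omission of the LDAP Domain Mail Host type are assumptions of the model.

```python
from dataclasses import dataclass, field
from itertools import cycle

# Constructed DNS view standing in for the private DNS server described on
# this page (its MX records name the protected SMTP servers, not FortiMail).
PRIVATE_DNS = {"example.com": ["mx1.example.com", "mx2.example.com"],
               "partner.net": ["mail.partner.net"]}

@dataclass
class ProtectedDomain:
    name: str                        # FQDN, e.g. example.com
    relay_type: str                  # one of the relay types listed above
    smtp_server: str = ""            # Host: primary SMTP server
    fallback: str = ""               # Host: used when the primary is unreachable
    alt_domain: str = ""             # MX Record (alternative domain): name to query
    ip_pool: list = field(default_factory=list)    # IP pool: member addresses
    _rr: object = field(default=None, repr=False)  # round-robin state (assumed)

def recipient_domain(address: str) -> str:
    """Domain name portion of an envelope recipient: the text after the '@'."""
    return address.rsplit("@", 1)[1].lower()

def find_protected(domains, address):
    """Return the protected domain whose FQDN equals the recipient's domain."""
    d = recipient_domain(address)
    return next((pd for pd in domains if pd.name.lower() == d), None)

def next_relay(pd, reachable=lambda host: True, dns=PRIVATE_DNS):
    """SMTP server the unit would hand mail for this protected domain to."""
    if pd.relay_type == "Host":
        # Primary first; the fallback is used only when the primary is down.
        return pd.smtp_server if reachable(pd.smtp_server) else (pd.fallback or None)
    if pd.relay_type.startswith("MX Record"):
        query = pd.alt_domain if "alternative" in pd.relay_type else pd.name
        hosts = dns.get(query, [])      # dynamic lookup; no static SMTP server
    elif pd.relay_type == "IP pool":
        hosts = pd.ip_pool
    else:
        raise ValueError(f"unsupported relay type: {pd.relay_type}")
    if not hosts:
        return None                     # no MX record / empty pool: cannot relay
    if pd._rr is None:
        pd._rr = cycle(hosts)           # round-robin models "load balance"
    return next(pd._rr)
```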
- Configure the following sections as needed:
- Configuring domain associations
- Configuring transparent mode options
- Configuring removal of invalid accounts
- Configuring advanced settings
- Configuring advanced AS/AV settings
- Configuring domain level service settings (server mode only)
- Configuring mail migration settings (server mode only)
Hi,
Do you think I could use fortimail in server mode integrated with office 365?
Can I use this setup to be able to create email accounts in Office 365 and some emails in FortiMail?
In my case I have about 140 permanent users and 30-40 users, let's say “temporary users” (3-4 months/year). For them I want to create email accounts in FortiMail.
Ex: someone@testdomain.com is an Office 365 account, and someone2@testdomain.com would be a FortiMail account.
When an email is received, I want it to be redirected to where it belongs: if the address was created in Office 365, redirect it there; if it was created in FortiMail, redirect it to FortiMail.
Is this setup possible?
Thank you
I have only ever deployed a FortiMail for Office 365 utilizing Gateway mode. I’m not sure, off hand, how one would make it work in server mode.
This is possible. Your O365 server should relay to FortiMail if the user is not found on O365.
I have several associated domains in Fortimail, mainly for ease of administration. We currently have DKIM and SPF set up for O365 outbound mail but I’d like to start using Fortimail for outbound filtering. Will Fortimail just transparently relay the mail leaving the DKIM signature and SPF IP address unaltered and valid? Or will it strip them requiring me to use Fortimail for DKIM and its IP address in our SPF record? DKIM is so easy to set up in O365 so I would hate to have to redo it and split all our associated domains into dedicated domains.
Hi, we have created a user in Migrated Users and started to migrate a mailbox from Exchange; after a couple of minutes it gives a connection error. We sniffed on the CLI and got an error code 500.5.3.3. Can you find what the problem is? Thanks.
I have configured the LDAP in my Outlook 2010. Is there a way to automatically sync the LDAP contacts to my local Outlook contact list, so I can search contacts even when I am offline?