Tag Archives: fortimail

Configuring FortiGuard Updates and AntiSPAM Queries

Configuring FortiGuard updates and antispam queries

The Maintenance > FortiGuard > Update tab displays the most recent updates to

FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions

(antispam heuristic rules). You can also configure how the FortiMail unit will retrieve updates.

FortiGuard AntiSpam packages for FortiMail units are not the same as those provided to FortiGate units. To support FortiMail’s more full-featured antispam scans, FortiGuard AntiSpam packages for FortiMail contain platform-specific additional updates.

For example, FortiGuard AntiSpam packages for FortiMail contain heuristic antispam rules used by the a heuristic scan. Updates add to, remove from, and re-order the list of heuristic rules so that the current most common methods spammers use are ranked highest in the list. As a result, even if you configure a lower percentage of heuristic rules to be used by that scan, with regular updates, the heuristic scan automatically adjusts to use whichever heuristic rules are currently most effective. This helps to achieve an effective spam catch rate, while both reducing administrative overhead and improving performance by using the least necessary amount of FortiMail system resources.

FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

  • scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
  • push updates, by which the FDN notifies FortiMail units when updates become available

For information on configuring scheduled updates, see “Configuring scheduled updates” on page 240. For information on configuring push updates, see “Configuring push updates” on page 241.

You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file. For more information on uploading updates, see “License Information widget” on page 176.

For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see “Troubleshoot FortiGuard connection issues” on page 707.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view or change the currently installed FortiGuard status

  1. Go to Maintenance > FortiGuard > Update.

Figure 95:Update tab

  1. Configure the following:

 

GUI item Description
FortiGuard Service Status  
Name The name of the updatable item, such as Anti Virus Definition.
Version The version number of the item currently installed on the FortiMail unit.
Expiry Date The expiry date of the license for the item.
Last Update Attempt The date and time when the FortiMail unit last attempted to download an update.
Last Update Status The result of the last update attempt.

•      No updates: Indicates the last update attempt was successful but no new updates are available.

•      Installed updates: Indicates the last update attempt was successful and new updates were installed.

•      Other messages, such as Network Error, indicate that the FortiMail unit could not connect to the FDN, or other error conditions. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

Included signatures Displays the total number of the virus and spam signatures.
FortiGuard distribution network The result of the previous scheduled update (TCP 443) connection attempt to the FortiGuard Distribution Network (FDN) or, if enabled and configured, the override server.

•      Available: Indicates that the FortiMail unit successfully connected to the FDN.

•      Unavailable: Indicates that the FortiMail unit could not connect to the FDN. For more information, see “Verifying connectivity with FortiGuard services” on page 237.

•      Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

Push update The result of the previous push update (UDP 9443) connection attempt from the FDN.

•      Available: Indicates that the FDN successfully connected to the FortiMail unit to send push updates. For more information, see “Configuring push updates” on page 241.

•      Unavailable: Indicates that the FDN could not connect to the FortiMail unit. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

•      Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

GUI item Description
Refresh

(button)

Click to test the scheduled (TCP 443) and push (UDP 9443) update connection of the FortiMail unit to the FDN or, if enabled, the IP address configured in Use override server address.

When the test completes, the tab refreshes and results beside FortiGuard distribution network. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect.

Note: This does not test the connection for FortiGuard Antispam rating queries, which occurs over a different connection and must be tested separately. For details, see “Configuring FortiGuard updates and antispam queries” on page 233.

Use override server address Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiMail unit connects for updates, then enter the IP address of the override public or private FDS.

For more information, see “Verifying connectivity with FortiGuard services” on page 237.

Allow push update Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP. For details, see “Configuring push updates” on page 241.

Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit then initiates a separate TCP 443 connection, similar to scheduled updates, in order to the FDN to download the update.

Use override push Enable to override the IP address and default port number to which

IP                           the FDN sends push notifications.

  • When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
  • When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.

For more information, see “Configuring push updates” on page 241.

This option is available only if Allow push update is enabled.

GUI item Description
Scheduled update Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status.

•      Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.

•      Daily: Select to request to update once a day, then select the hour of the day to check for updates.

•      Weekly: Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.

If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.

Apply

(button)

Click to save configuration changes on this tab and, if you have enabled Allow push update, notify the FDN of the destination IP address and port number for push notifications to this FortiMail unit.
Update Now

(button)

Click to manually initiate a FortiGuard Antivirus and FortiGuard Antispam engine and definition update request. Results will appear in Last Update Status. Time required varies by the availability of updates, size of the updates, and speed of the FortiMail unit’s network connection.

Maintaining The System

Maintaining the system

The Maintenance menu contains features for use during scheduled maintenance: updates, backups, restoration, and centralized administration.

Also use it to configure FortiGuard Antispam query connectivity.

  • Backup and restore
  • Configuring centralized administration
  • Configuring FortiGuard updates and antispam queries

Backup and restore

Before installing FortiMail firmware or making significant configuration changes, back up your FortiMail configuration. Backups let you revert to your previous configuration if the new configuration does not function correctly. Backups let you compare changes in configuration.

A complete configuration backup consists of several parts:

  • core configuration file (fml.cfg), including the local certificates
  • Bayesian databases
  • mail queues
  • system, per-domain, and per-user black/white list databases
  • email users’ address books
  • images and language files for customized appearance of the web UI and webmail To access those parts of the web UI, your administrator account’s:
  • Domain must be System
  • access profile must have Read-Write permission to all categories

For details, see “About administrator account permissions and domains” on page 290.

Page 218

In addition, although they are not part of the configuration, you may want to back up the following data:

  • email archives
  • log files
  • generated report files
  • mailboxes

Alternatively, if you only want to back up your core configuration file, you can back up the FortiMail unit’s configuration to a FortiManager unit. For details, see “Backing up your configuration using a FortiManager unit” on page 221.

To back up the configuration file

Although mailboxes and quarantines cannot be downloaded to your management computer, you can configure the FortiMail unit to back up mail data by storing it externally, on a NAS server. For details, see “Selecting the mail data storage location” on page 376.

  1. Go to Maintenance > System > Configuration.
  2. In the Backup Configuration area:
    • Select Local PC
    • Enable System configuration.
    • Click Backup.

Your management computer downloads the configuration file. Time required varies by the size of the file and the speed of your network connection. You can restore the backup configuration later when required. For details, see “Restoring the configuration” on page 692.

FortiMail v4.0 configuration backing up to a FortiManager unit is supported in FortiManager v4.2 and newer releases. See “Backing up your configuration using a FortiManager unit” on page 221. Also see “Configuring centralized administration” on page 232.

To back up the Bayesian databases

  1. Go to Maintenance > AntiSpam > Database Maintenance.
  2. Click Backup Bayesian database.

Your management computer downloads the database file. Time required varies by the size of the file and the speed of your network connection.

To back up the mail queues

  1. Go to Maintenance > System > Mail Queue.
  2. Click Backup Queue.

Your management computer downloads the database file. Time required varies by the size of the file and the speed of your network connection.

To back up the black/white list database

  1. Go to Maintenance > AntiSpam > Black/White List Maintenance.
  2. Click Export Black/White List.

Your management computer downloads the database file. The time required varies by the size of the file and the speed of your network connection.

To back up email users’ accounts (server mode only)

  1. Go to User > User > User.
  2. Click Export .CSV.

Your management computer downloads the user account spreadsheet file. Time required varies by the size of the file and the speed of your network connection.

To back up the global address book (server mode only)

  1. Go to Mail Settings > Address Book > Contacts.
  2. Click
  3. On the pop-up menu, select CSV.

You are prompted for a location to save the file. Follow the prompts and click Save.

Your management computer downloads the address book spreadsheet file. Time required varies by the size of the file and the speed of your network connection.

To back up customized appearances of the web UI and webmail UI

  1. Go to System > Configuration > Appearance.
  2. In Administration interface, for each image file, save the image to your management computer.

Methods vary by web browser. For example, you might need to click and drag the images into a folder on your management computer in order to save them to that folder. For instructions, see your browser’s documentation.

  1. Click the arrow to expand Webmail interface.
  2. For each webmail language, click the name of the language to select it, then click Download.

Your management computer downloads the language file. Time required varies by the size of the file and the speed of your network connection.

  1. To back up email archivesGo to Maintenance > System > Mail Data.

In addition to downloading email archives to your management computer, you can configure the FortiMail unit to store email archives on an SFTP or FTP server. For details, see “Managing archived email” on page 203 and “Configuring email archiving accounts” on page 656.

  1. Continue using the instructions in “Configuring mailbox backups” on page 227.

Initial Configuration in Basic Mode

Initial configuration in basic mode

FortiMail Web UI has two configuration mode: Basic mode and Advanced mode. This section describes how to use the FortiMail unit’s web UI in basic configuration mode to adjust or enhance your FortiMail configuration or to examine email information. Basic mode offers fewer menu selections than advanced mode but basic mode’s simplicity can make it easier for a new administrator to get started.

This section assumes you have already configured your FortiMail unit using the Quick Start Wizard and have set up the correct deployment for your operation mode.

To access the web UI, enter its URL in a supported browser. See “Connecting to the Web UI or CLI” on page 25.

If you see Monitor instead of Management at the top of the web UI’s left-hand menu, it means the web UI is in advanced mode. Click Basic on the top button bar to switch modes.

Click the Help button on the web UI at any time to get information on currently displayed features.

This section includes:

  • Managing mail queues and quarantines
  • Configuring basic system and mail settings
  • Configuring logs, reports and email alerts

Managing mail queues and quarantines

The Management menu provides information on your FortiMail system including its overall health and resource usage, mail statistics, email queues, and quarantine lists.

Viewing system status and statistics

The dashboard always appears when you first start the web UI. To access it otherwise, go to Management > System Status > Status.

The dashboard displays information in specialized widgets. The widgets provide system information (such as the operation mode and firmware version) and the state of system resources, plus statistics on spam and virus detection. Take time to review the dashboard for obvious problems.

Buttons on the top-right side of each widget’s title bar let you expand/collapse it, refresh its contents, or close it. To open a closed widget, select it from the Add Content list.

Figure 19:Basic mode dashboard

You can change a widget’s position. Select its title bar and drag it to the new position. Other widgets adjust their position automatically to accommodate the change.

 

Server Mode Deployment

Server mode deployment

The following procedures and examples show you how to deploy the FortiMail unit in server mode.

  • Configuring DNS records
  • Example 1: FortiMail unit behind a firewall
  • Example 2: FortiMail unit in front of a firewall
  • Example 3: FortiMail unit in DMZ

Configuring DNS records

You must configure public DNS records for the protected domains and for the FortiMail unit itself.

For performance reasons, you may also want to provide a private DNS server for use exclusively by the FortiMail unit.

This section includes the following:

  • Configuring DNS records for protected domains
  • Configuring DNS records for the FortiMail unit itself
  • Configuring a private DNS server

Configuring DNS records for protected domains

Regardless of your private network topology, in order for external MTAs to deliver email to the FortiMail unit, you must configure the public MX record for each protected domain to indicate that the FortiMail unit is its email server.

For example, if the fully qualified domain name (FQDN) of the FortiMail unit is fortimail.example.com, and example.com is a protected domain, the MX record for example.com would be:

example.com IN MX 10 fortimail.example.com

If your FortiMail unit will operate in server mode, configure the MX record to refer to the FortiMail unit, and remove other MX records. If you fail to do so, external MTAs may not be able to deliver email to or through the FortiMail unit, or may be able to bypass the FortiMail unit by using the other MX records. If you have configured secondary MX records for failover reasons, consider configuring FortiMail high availability (HA) instead. For details, see “FortiMail high availability modes” on page 23.

An A record must also exist to resolve the domain name of the FortiMail unit into an IP address.

For example, if the MX record indicates that fortimail.example.com is the email gateway for a domain, you must also configure an A record in the example.com zone file to resolve fortimail.example.com into a public IP address: fortimail IN A 10.10.10.1

where 10.10.10.1 is either the public IP address of the FortiMail unit, or a virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit.

If your FortiMail unit will relay outgoing email, you should also configure the public reverse DNS record. The public IP address of the FortiMail unit, or the virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit, should be globally resolvable into the FortiMail unit’s FQDN. If it is not, reverse DNS lookups by external SMTP servers will fail.

For example, if the public network IP address of the FortiMail unit is 10.10.10.1, a public DNS server’s reverse DNS zone file for the 10.10.10.0/24 subnet might contain:

1 IN PTR fortimail.example.com.

where fortimail.example.com is the FQDN of the FortiMail unit.

Configuring DNS records for the FortiMail unit itself

In addition to that of protected domains, the FortiMail unit must be able to receive web connections, and send and receive email, for its own domain name. Dependent features include:

  • delivery status notification (DSN) email
  • spam reports
  • email users’ access to their per-recipient quarantines
  • FortiMail administrators’ access to the web UI by domain name
  • alert email
  • report generation notification email

For this reason, you should also configure public DNS records for the FortiMail unit itself.

Appropriate records vary by whether or not Web release host name/IP (located in AntiSpam > Quarantine > Quarantine Report in the advanced mode of the web UI) is configured:

  • Case 1: Web Release Host Name/IP is empty/default
  • Case 2: Web Release Host Name/IP is configured

Gateway Mode Deployment

Gateway mode deployment

After completing the Quick Start Wizard, you may need to configure some items that are specific to your network topology or the operation mode of your FortiMail unit.

This section contains examples of how to deploy a FortiMail unit operating in gateway mode. Other sections discuss deployment in the other two modes.

This section includes the following topics:

  • Configuring DNS records
  • Example 1: FortiMail unit behind a firewall
  • Example 2: FortiMail unit in front of a firewall
  • Example 3: FortiMail unit in DMZ

Configuring DNS records

You must configure public DNS records for the protected domains and for the FortiMail unit itself.

For performance reasons, and to support some configuration options, you may also want to provide a private DNS server for exclusive use by the FortiMail unit.

This section includes the following:

  • Configuring DNS records for the protected domains
  • Configuring DNS records for the FortiMail unit itself
  • Configuring a private DNS server

Configuring DNS records for the protected domains

Regardless of your private network topology, in order for external MTAs to deliver email through the FortiMail unit, you must configure the public MX record for each protected domain to indicate that the FortiMail unit is its email gateway.

For example, if the fully qualified domain name (FQDN) of the FortiMail unit is fortimail.example.com, and example.com is a protected domain, the MX record for example.com would be:

example.com IN MX 10 fortimail.example.com

If your FortiMail unit will operate in gateway mode, configure the MX record to refer to the FortiMail unit, and remove other MX records. If you fail to do so, external MTAs may not be able to deliver email to or through the FortiMail unit, or may be able to bypass the FortiMail unit by using the other MX records. If you have configured secondary MX records for failover reasons, consider configuring FortiMail high availability (HA) instead. For details, see “FortiMail high availability modes” on page 23.

An A record must also exist to resolve the host name of the FortiMail unit into an IP address.

For example, if the MX record indicates that fortimail.example.com is the email gateway for a domain, you must also configure an A record in the example.com zone file to resolve fortimail.example.com into a public IP address: fortimail IN A 10.10.10.1

where 10.10.10.1 is either the public IP address of the FortiMail unit, or a virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit.

If your FortiMail unit will relay outgoing email, you should also configure the public reverse DNS record. The public IP address of the FortiMail unit, or the virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit, should be globally resolvable into the FortiMail unit’s FQDN. If it is not, reverse DNS lookups by external SMTP servers will fail.

For example, if the public network IP address of the FortiMail unit is 10.10.10.1, a public DNS server’s reverse DNS zone file for the 10.10.10.0/24 subnet might contain:

1 IN PTR fortimail.example.com.

where fortimail.example.com is the FQDN of the FortiMail unit.

Configuring DNS records for the FortiMail unit itself

In addition to that of protected domains, the FortiMail unit must be able to receive web connections, and send and receive email, for its own domain name. Dependent features include:

  • delivery status notification (DSN) email
  • spam reports
  • email users’ access to their per-recipient quarantined mail
  • FortiMail administrators’ access to the web UI by domain name
  • alert email
  • report generation notification email

For this reason, you should also configure public DNS records for the FortiMail unit itself.

Appropriate records vary by whether or not you configured Web release host name/IP (located in AntiSpam > Quarantine > Quarantine Report in the advanced mode of the web UI).

See the following:

  • Case 1: Web Release Host Name/IP is empty/default
  • Case 2: Web Release Host Name/IP is configured

Case 1: Web Release Host Name/IP is empty/default

When Web release host name/IP is not configured (the default), the web release/delete links that appear in spam reports use the fully qualified domain name (FQDN) of the FortiMail unit. For example, if the FortiMail unit’s host name is fortimail, and its local domain name is example.net, resulting in the FQDN fortimail.example.net, a spam report’s default web release link might look like (FQDN highlighted in bold):

https://fortimail.example.net/releasecontrol?release=0%3Auser2%40examp le.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2N TkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

In the DNS configuration to support this and the other DNS-dependent features, you would configure the following three records:

example.net IN MX 10 fortimail.example.net fortimail IN A 10.10.10.1 1 IN PTR fortimail.example.net.

where:

  • net is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail is the mail gateway
  • example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI, email users’ access to their per-recipient quarantines, to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit, and to resolve to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.1 is the public IP address of the FortiMail unit

Connecting to FortiGuard Services

Connecting to FortiGuard services

After the FortiMail unit is physically installed and configured to operate in your network, if you have subscribed to FortiGuard Antivirus and/or FortiGuard Antispam services, connect the FortiMail unit to the Fortinet Distribution Network (FDN).

Connecting your FortiMail unit to the FDN or override server ensures that your FortiMail unit can:

  • download the most recent FortiGuard Antivirus and FortiGuard Antispam definitions and engine packages
  • query the FDN for blacklisted servers and other real-time information during FortiGuard Antispam scans, if configured

This way, you scan email using the most up-to-date protection.

The FDN is a world-wide network of Fortinet Distribution Servers (FDS). When a FortiMail unit connects to the FDN to download FortiGuard engine and definition updates, by default, it connects to the nearest FDS based on the current time zone setting. You can override the FDS to which the FortiMail unit connects.

Your FortiMail unit may be able to connect using the default settings. However, you should confirm this by verifying connectivity.

You must first register the FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/, to receive service from the FDN. The FortiMail unit must also have a valid Fortinet Technical Support contract which includes service subscriptions, and be able to connect to the FDN or the FDS that you will configure to override the default FDS addresses. For port numbers required for license validation and update connections, see the FortiMail Administration Guide.

Before performing the next procedure, if your FortiMail unit connects to the Internet using a proxy, use the CLI command config system fortiguard antivirus to enable the FortiMail unit to connect to the FDN through the proxy. For more information, see the FortiMail CLI Reference.

To override the default FDS server

  1. Go to Maintenance > FortiGuard > Update in the advanced mode of the web UI.
  2. In the FortiGuard Update Options area, select Use override server address,
  3. Enter the fully qualified domain name (FQDN) or IP address of the FDS.
  4. Click Apply.
  5. Click Refresh.

A dialog appears, notifying you that the process could take a few minutes.

The FortiMail unit tests the connection to the FDN and, if any, the override server. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect. When the connection test completes, the page refreshes. Test results are displayed in the FortiGuard Distribution Network field.

  • Available: The FortiMail unit successfully connected to the FDN or override server.
  • Not available: The FortiMail unit could not connect to the FDN or override server, and will not be able to download updates from it. For CLI commands that may be able to assist you in troubleshooting, see “To verify rating query connectivity” on page 46.
  1. When successful connectivity has been verified, continue by configuring the FortiMail unit to receive engine and definition updates from the FDN or the override server using one or more of the following methods:
    • scheduled updates (see “Configuring scheduled updates” on page 47)
    • push updates (see “Configuring push updates” on page 48)
    • manually initiated updates (see “Manually requesting updates” on page 49)
  2. Click Apply to save your settings.

To verify rating query connectivity

  1. Go to Maintenance > FortiGuard > AntiSpam in the advanced mode of the web UI.
  2. Make sure the Enable Service check box is marked. If it is not, mark it and click Apply.

If the FortiMail unit can reach the DNS server, but cannot successfully resolve the domain name of the FDS, a message appears notifying you that a DNS error has occurred.

Figure 5: DNS error when resolving the FortiGuard Antispam domain name

Verify that the DNS servers contain A records to resolve service.fortiguard.net and other FDN servers. You may be able to obtain additional insight into the cause of the query failure by manually performing a DNS query from the FortiMail unit using the following CLI command:

execute nslookup name service.fortiguard.net

If the FortiMail unit cannot successfully connect, or if your FortiGuard Antispam license does not exist or is expired, a message appears notifying you that a connection error has occurred.

Figure 6: Connection error when verifying FortiGuard Antispam rating query connectivity

Verify that:

  • your FortiGuard Antispam license is valid and currently active
  • the default route (located in System > Network > Routing) is correctly configured
  • the FortiMail unit can connect to the DNS servers you configured during the Quick Start Wizard (located in System > Network > DNS), and to the FDN servers
  • firewalls between the FortiMail unit and the Internet or override server allow FDN traffic (For configuration examples specific to your operation mode, see “Gateway mode deployment” on page 50, “Transparent mode deployment” on page 78, or “Server mode deployment” on page 101.)

Obtain additional insight into the point of the connection failure by tracing the connection using the following CLI command:

execute traceroute <address_ipv4> where <address_ipv4> is the IP address of the DNS server or FDN server.

When query connectivity is successful, antispam profiles can use the FortiGuard-AntiSpam scan option.

If FortiGuard Antispam scanning is enabled, you can use the antispam log to analyze any query connectivity interruptions caused because FortiMail cannot connect to the FDN and/or its license is not valid. To enable the antispam log, go to Log and Report > Log Settings > Local Log Settings in the advanced mode of the web UI. To view the antispam log, go to Monitor > Log > AntiSpam, then mark the check box of a log file and click View.

If FortiMail cannot connect with the FDN server, the log Message field contains:

FortiGuard-Antispam: No Answer from server.

Verify that the FortiGuard Antispam license is still valid, and that network connectivity has not been disrupted for UDP port 53 traffic from the FortiMail unit to the Internet.

Configuring scheduled updates

You can configure the FortiMail unit to periodically request FortiGuard Antivirus and FortiGuard Antispam engine and definition updates from the FDN or override server.

You can use push updates or manually initiate updates as alternatives or in conjunction with scheduled updates. If protection from the latest viral threats is a high priority, you could configure both scheduled updates and push updates, using scheduled updates as a failover method to increase the likelihood that the FortiMail unit will still periodically retrieve updates if connectivity is interrupted during a push notification. While using only scheduled updates could potentially leave your network vulnerable to a new virus, it minimizes short disruptions to antivirus scans that can occur if the FortiMail unit applies push updates during peak volume times. For additional/alternative update methods, see “Configuring push updates” on page 48 and “Manually requesting updates” on page 49.

For example, you might schedule updates every night at 2 AM or weekly on Sunday, when email traffic volume is light.

Before configuring scheduled updates, first verify that the FortiMail unit can connect to the FDN or override server. For details, see “To override the default FDS server” on page 45.

To configure scheduled updates

  1. Go to Maintenance > FortiGuard > Update in the advanced mode of the web UI.
  2. Enable Scheduled Update.
  3. Select one of the following:
Every Select to request updates once per interval, then configure the number of hours and minutes between each request.
Daily Select to request updates once a day, then configure the time of day.
Weekly Select to request updates once a week, then configure the day of the week and the time of day.

Updating FortiGuard Antivirus definitions can cause a short disruption in traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize disruptions, update when traffic is light, such as during the night.

  1. Click Apply.

The FortiMail unit starts the next scheduled update according to the configured update schedule. If you have enabled logging, when the FortiMail unit requests a scheduled update, the event is recorded in the event log.

Configuring push updates

You can configure the FortiMail unit to receive push updates from the FDN or override server.

When push updates are configured, the FortiMail unit first notifies the FDN of its IP address, or the IP address and port number override. (If your FortiMail unit’s IP address changes, including if it is configured with DHCP, the FortiMail unit automatically notifies the FDN of the new IP address.) As soon as new FortiGuard Antivirus and FortiGuard Antispam packages become available, the FDN sends an update availability notification to that IP address and port number. Within 60 seconds, the FortiMail unit then requests the package update as if it were a scheduled or manually initiated update.

You can use scheduled updates or manually initiate updates as alternatives or in conjunction with push updates. If protection from the latest viral threats is a high priority, you could configure both scheduled updates and push updates, using scheduled updates as a failover method to increase the likelihood that the FortiMail unit will still periodically retrieve updates if connectivity is interrupted during a push notification. Using push updates, however, can potentially cause short disruptions to antivirus scans that can occur if the FortiMail unit applies push updates during peak volume times. For additional/alternative update methods, see “Configuring scheduled updates” on page 47 and “Manually requesting updates” on page 49.

Before configuring push updates, first verify that the FortiMail unit can connect to the FDN or override server. For details, see “To override the default FDS server” on page 45.

To configure push updates

  1. Go to Maintenance > FortiGuard > Update in the advanced mode of the web UI.
  2. Enable Allow push update.
  3. If the FortiMail unit is behind a firewall or router performing NAT, enable Use override push IP and enter the external IP address and port number of the NAT device.

You must also configure the NAT device with port forwarding or a virtual IP to forward push notifications (UDP port 9443) to the FortiMail unit.

For example, if the FortiMail unit is behind a FortiGate unit, configure the FortiGate unit with a virtual IP that forwards push notifications from its external network interface to the private network IP address of the FortiMail unit. Then, on the FortiMail unit, configure Use override push IP with the IP address and port number of that virtual IP. For details on configuring virtual IPs and/or port forwarding, see the documentation for the NAT device.

Push updates require that the external IP address of the NAT device is not dynamic (such as an IP address automatically configured using DHCP). If dynamic, when the IP address changes, the override push IP will become out-of-date, causing subsequent push updates to fail.

If you do not enable Use override push IP, the FDN will send push notifications to the IP address of the FortiMail unit, which must be a public network IP address routable from the Internet.

  1. Click Apply.

The FortiMail unit notifies the FDN of its IP address or, if configured, the override push IP. When an update is available, the FDN will send push notifications to this IP address and port number.

  1. Click Refresh.

A dialog appears, notifying you that the process could take a few minutes.

The FDN tests the connection to the FortiMail unit. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect. When the connection test completes, the page refreshes. Test results are displayed in the Push Update field.

  • Available: The FDN successfully connected to the FortiMail unit.
  • Not available: The FDN could not connect to the FortiMail unit, and will not be able to send push notifications to it. Verify that intermediary firewalls and routers do not block push notification traffic (UDP port 9443). If the FortiMail unit is behind a NAT device, verify that you have enabled and configured Use override push IP, and that the NAT device is configured to forward push notifications to the FortiMail unit.

Manually requesting updates

You can manually trigger the FortiMail unit to connect to the FDN or override server to request available updates for its FortiGuard Antivirus and FortiGuard Antispam packages.

You can manually initiate updates as an alternative or in addition to other update methods. For details, see “Configuring push updates” on page 48 and “Configuring scheduled updates” on page 47.

To manually request updates

Before manually initiating an update, first verify that the FortiMail unit can connect to the FDN or override server. For details, see “To override the default FDS server” on page 45.

  1. Go to Maintenance > FortiGuard > Update in the advanced mode of the web UI.
  2. Click Update Now.

Updating FortiGuard Antivirus definitions can cause a short disruption in traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize disruptions, update when traffic is light, such as during the night.

The web UI displays a message similar to the following:

Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.

  1. Click RETURN.
  2. After a few minutes, select the Update tab to refresh the page, or go to Monitor > System Status > Status.

If an update was available, new version numbers appear for the packages that were updated. If you have enabled logging, messages are recorded to the event log indicating whether the update was successful or not.

Setting Up The System

Setting up the system

These instructions in this chapter will guide you to the point where you have a simple, verifiably working installation. From there, you can begin to use optional features and fine-tune your configuration.

FortiMail initial setup involves the following steps:

  • Connecting to the Web UI or CLI
  • Choosing the operation mode
  • Running the Quick Start Wizard
  • Connecting to FortiGuard services
  • Gateway mode deployment
  • Transparent mode deployment
  • Server mode deployment
  • Initial configuration in basic mode
  • Testing the installation
  • Backing up the configuration

Connecting to the Web UI or CLI

To configure, maintain, and administer the FortiMail unit, you need to connect to it. There are three methods for these tasks:

  • using the web UI, a graphical user interface (GUI), from within a current web browser (see “Connecting to the FortiMail web UI for the first time”)
  • using the command line interface (CLI), a command line interface similar to DOS or UNIX commands, from a Secure Shell (SSH) or Telnet terminal (see “Connecting to the FortiMail CLI for the first time” on page 27)
  • using the front panel’s LCD display and control buttons available on some models (see “Using the front panel’s control buttons and LCD display” on page 29).

Connecting to the FortiMail web UI for the first time

To use the web UI for the initial configuration, you must have:

  • a computer with an Ethernet port
  • a supported web browser (Microsoft Internet Explorer 7 to 10, Firefox 3.5 to 20, Safari 4 to 5, and Chrome 6 to 26)
  • Adobe Flash Player 9 or higher plug-in to display statistic charts
  • a crossover Ethernet cable

Table 3: Default settings for connecting to the web UI

Network Interface port1
URL https://192.168.1.99/admin

 

Table 3: Default settings for connecting to the web UI

Administrator Account admin
Password (none)

To connect to the web UI

  1. Configure the management computer to be on the same subnet as the port 1 interface of the FortiMail unit.

For example, in Microsoft Windows 7, from the Windows Start menu, go to Control Panel > Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties and change the management computer IP address to 192.168.1.2 and the netmask to 255.255.255.0.

  1. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiMail unit’s port1.
  2. Start your web browser and enter the URL https://192.168.1.99/admin. (Remember to include the “s” in https:// and “/admin” at the end of the URL.)

If you are connecting to FortiMail-VM with a trial license or to a LENC version of FortiMail, you may not be able to see the logon page due to an SSL cipher error during the connection. In this case, you must configure your browser to accept low encryption. For example, in Mozilla Firefox, if you receive this error message:

ssl_error_no_cypher_overlap

you may need to enter about:config in the URL bar, then set security.ssl3.rsa.rc4_40_md5 to true.

To support HTTPS authentication, the FortiMail unit ships with a self-signed security certificate, which it presents to clients whenever they initiate an HTTPS connection to the FortiMail unit. When you connect, depending on your web browser and prior access of the FortiMail unit, your browser might display two security warnings related to this certificate:

  • The certificate is not automatically trusted because it is self-signed, rather than being signed by a valid certificate authority (CA). Self-signed certificates cannot be verified with a proper CA, and therefore might be fraudulent. You must manually indicate whether or not to trust the certificate.
  • The certificate might belong to another web site. The common name (CN) field in the certificate, which usually contains the host name of the web site, does not exactly match the URL you requested. This could indicate server identity theft, but could also simply indicate that the certificate contains a domain name while you have entered an IP address. You must manually indicate whether this mismatch is normal or not.

Both warnings are normal for the default certificate.

  1. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning again) or temporarily. You cannot log in until you accept the certificate.

For details on accepting the certificate, see the documentation for your web browser.

The Login dialog appears.

  1. In the Name field, type admin, then select Login. (In its default state, there is no password for this account.)

Login credentials entered are encrypted before they are sent to the FortiMail unit. If your login is successful, the web UI appears.

Concepts And Flow

Concepts and workflow

This section describes some basic email concepts, how FortiMail works in general, and the tools that you can use to configure your FortiMail unit.

This section includes:

  • Email protocols
  • Client-server connections in SMTP
  • The role of DNS in email delivery
  • How FortiMail processes email
  • FortiMail operation modes
  • FortiMail high availability modes
  • FortiMail management methods

Email protocols

There are multiple prevalent standard email protocols:

  • SMTP
  • POP3
  • IMAP
  • HTTP and HTTPS

SMTP

Simple Mail Transfer Protocol (SMTP) is the standard protocol for sending email between:

  • two mail transfer agents (MTA)

SMTP communications typically occur on TCP port number 25.

When an email user sends an email, their MUA uses SMTP to send the email to an MTA, which is often their email server. The MTA then uses SMTP to directly or indirectly deliver the email to the destination email server that hosts email for the recipient email user.

When an MTA connects to the destination email server, it determines whether the recipient exists on the destination email server. If the recipient email address is legitimate, then the MTA delivers the email to the email server, from which email users can then use a protocol such as POP3 or IMAP to retrieve the email. If the recipient email address does not exist, the MTA typically sends a separate email message to the sender, notifying them of delivery failure.

While the basic protocol of SMTP is simple, many SMTP servers support a number of protocol extensions for features such as authentication, encryption, multipart messages and attachments, and may be referred to as extended SMTP (ESMTP) servers.

FortiMail units can scan SMTP traffic for spam and viruses, and support several SMTP extensions.

POP3

Post Office Protocol version 3 (POP3) is a standard protocol used by email clients to retrieve email that has been delivered to and stored on an email server.

POP3 communications typically occur on TCP port number 110.

Unlike IMAP, after a POP3 client downloads an email to the email user’s computer, a copy of the email usually does not remain on the email server’s hard disk. The advantage of this is that it frees hard disk space on the server. The disadvantage of this is that downloaded email usually resides on only one personal computer. Unless all of their POP3 clients are always configured to leave copies of email on the server, email users who use multiple computers to view email, such as both a desktop and laptop, will not be able to view from one computer any of the email previously downloaded to another computer.

FortiMail units do not scan POP3 traffic for spam and viruses, but may use POP3 when operating in server mode, when an email user retrieves their email.

IMAP

Internet Message Access Protocol (IMAP) is a standard protocol used by email clients to retrieve email that has been delivered to and stored on an email server.

IMAP communications typically occur on TCP port number 143.

Unless configured for offline availability, IMAP clients typically initially download only the message header. They download the message body and attachments only when the email user selects to read the email.

Unlike POP3, when an IMAP client downloads an email to the email user’s computer, a copy of the email remains on the email server’s hard disk. The advantage of this is that it enables email users to view email from more than one computer. This is especially useful in situations where more than one person may need to view an inbox, such where all members of a department monitor a collective inbox. The disadvantage of this is that, unless email users delete email, IMAP may more rapidly consume the server’s hard disk space.

FortiMail units do not scan IMAP traffic for spam and viruses, but may use IMAP when operating in server mode, when an email user retrieves their email.

HTTP and HTTPS

Secured and non-secured HyperText Transfer Protocols (HTTP/HTTPS), while not strictly for the transport of email, are often used by webmail applications to view email that is stored remotely.

HTTP communications typically occur on TCP port number 80; HTTPS communications typically occur on TCP port number 443.

FortiMail units do not scan HTTP or HTTPS traffic for spam or viruses, but use them to display quarantines and, if the FortiMail unit is operating in server mode, FortiMail webmail.