Fortinet black logo

Administration Guide

Server mode deployment

Server mode deployment

The following procedures and examples show you how to deploy the FortiMail unit in server mode.

Configuring DNS records

You must configure public DNS records for the protected domains and for the FortiMail unit itself.

Note

If you are unfamiliar with configuring DNS and related MX and A records, first read DNS role in email delivery.

For performance reasons, you may also want to provide a private DNS server for use exclusively by the FortiMail unit.

This section includes the following:

Configuring DNS records for protected domains

Regardless of your private network topology, in order for external MTAs to deliver email to the FortiMail unit, you must configure the public MX record for each protected domain to indicate that the FortiMail unit is its email server.

For example, if the fully qualified domain name (FQDN) of the FortiMail unit is fortimail.example.com, and example.com is a protected domain, the MX record for example.com would be:

example.com IN MX 10 fortimail.example.com

Note

If your FortiMail unit will operate in server mode, configure the MX record to refer to the FortiMail unit, and remove other MX records. If you fail to do so, external MTAs may not be able to deliver email to or through the FortiMail unit, or may be able to bypass the FortiMail unit by using the other MX records. If you have configured secondary MX records for failover reasons, consider configuring FortiMail high availability (HA) instead. For details, see FortiMail high availability modes.

An A record must also exist to resolve the host name of the FortiMail unit into an IP address.

For example, if the MX record indicates that fortimail.example.com is the email gateway for a domain, you must also configure an A record in the example.com zone file to resolve fortimail.example.com into a public IP address:

fortimail IN A 10.10.10.1

where 10.10.10.1 is either the public IP address of the FortiMail unit, or a virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit.

If your FortiMail unit will relay outgoing email, you should also configure the public reverse DNS record. The public IP address of the FortiMail unit, or the virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit, should be globally resolvable into the FortiMail unit’s FQDN. If it is not, reverse DNS lookups by external SMTP servers will fail.

For example, if the public network IP address of the FortiMail unit is 10.10.10.1, a public DNS server’s reverse DNS zone file for the 10.10.10.0/24 subnet might contain:

1 IN PTR fortimail.example.com.

where fortimail.example.com is the FQDN of the FortiMail unit.

Configuring DNS records for the FortiMail unit itself

In addition to that of protected domains, the FortiMail unit must be able to receive web connections, and send and receive email, for its own domain name. Dependent features include:

  • delivery status notification (DSN) email
  • spam reports
  • email users’ access to their per-recipient quarantines
  • FortiMail administrators’ access to the web UI by domain name
  • alert email
  • report generation notification email

For this reason, you should also configure public DNS records for the FortiMail unit itself.

Appropriate records vary by whether or not Web release host name/IP (located in AntiSpam > Quarantine > Quarantine Report in the advanced mode of the web UI) is configured:

Case 1: Web release host name/IP is empty/default

If Web release host name/IP is not configured (the default), the web release/delete links that appear in spam reports will use the fully qualified domain name (FQDN) of the FortiMail unit.

For example, if the FortiMail unit’s host name is fortimail, and its local domain name is example.net, resulting in the FQDN fortimail.example.net, a spam report’s default web release link might look like (FQDN highlighted in bold):

https://fortimail.example.net/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

In the DNS configuration to support this and the other DNS-dependent features, you would configure the following three records:

example.net IN MX 10 fortimail.example.net

fortimail IN A 10.10.10.1

1 IN PTR fortimail.example.net.

where:

  • example.net is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail is the mail gateway
  • fortimail.example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI, email users’ access to their per-recipient quarantines, to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit, and to resolve to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.10.1 is the public IP address of the FortiMail unit
Case 2: Web release host name/IP is configured

You could configure Web release host name/IP to use an alternative fully qualified domain name (FQDN) such as webrelease.example.info instead of the configured FQDN, resulting in the following web release link (web release FQDN highlighted in bold):

https://webrelease.example.info/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

Then, in the DNS configuration to support this and the other DNS-dependent features, you would configure the following MX record, A records, and PTR record (unlike Case 1: Web Release Host Name/IP is empty/default, in this case, two A records are required; the difference is highlighted in bold):

example.net IN MX 10 fortimail.example.net

fortimail IN A 10.10.10.1

webrelease IN A 10.10.10.1

1 IN PTR fortimail.example.net.

where:

  • example.net is the local domain name to which the FortiMail unit belongs in the MX record, it is the local domain for which the FortiMail is the mail gateway
  • fortimail.example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI and to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit
  • webrelease is the web release host name; in the A record of the zone file for example.info, it resolves to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.10.1 is the public IP address of the FortiMail unit

Configuring a private DNS server

In addition to the public DNS server, consider providing a private DNS server on your local network to improve performance with features that use DNS queries.

Public and private DNS servers (server mode)

If the FortiMail unit is operating in server mode, the private DNS server should contain identical records to a public DNS server.

If you choose to add a private DNS server, to configure the FortiMail unit to use it, go to System > Network > DNS in the advanced mode of the web UI.

Example 1: FortiMail unit behind a firewall

In this example, a FortiMail unit operating in server mode and email users’ computers are both positioned within a private network, behind a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the network protected by the firewall. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.

Server mode deployment behind a NAT device

To deploy the FortiMail unit behind a NAT device such as a firewall or router, you must complete the following:

Note

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records.

Configuring the firewall

With the FortiMail unit behind a FortiGate unit, you must configure policies to allow traffic:

  • from the Internet to the FortiMail unit
  • from the FortiMail unit to the Internet

To create the required policies, complete the following:

Note

The following procedures use a FortiGate unit running FortiOS v3.0 MR7. If you are using a different firewall appliance, consult the appliance’s documentation for completing similar configurations.

Configuring the firewall address

In order to create the outgoing firewall policy that governs the IP address of the FortiMail unit, you must first define the IP address of the FortiMail unit by creating a firewall address entry.

To add a firewall address for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the firewall address entry, such as FortiMail_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 172.16.1.5.

    Interface

    Select internal.

  6. Select OK.
Configuring the service groups

In order to create firewall policies that govern only FortiMail-related traffic, you must first create groups of services that define protocols and port numbers used in that traffic.

Because FortiGuard-related services for FortiMail units are not predefined, you must define them before you can create a service group that contains those services.

Note

For more information on protocols and port numbers used by FortiMail units, see the Fortinet Knowledge Center article FortiMail Traffic Types and TCP/UDP Ports.

To add a custom service for FortiGuard Antivirus push updates
  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
  5. Name

    Enter a name to identify the custom service entry, such as FortiMail_antivirus_push_updates.

    Protocol Type

    Select TCP/UDP.

    Protocol

    Select UDP.

    Destination Port

    Low

    Enter 9443.

    High

    Enter 9443.

  6. Select OK.
To add a custom service for FortiGuard Antispam rating queries
  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
  5. Name

    Enter a name to identify the custom service entry, such as FortiMail_antispam_rating_queries.

    Protocol Type

    Select TCP/UDP.

    Protocol

    Select UDP.

    Destination Port

    Low

    Enter 8889.

    High

    Enter 8889.

  6. Select OK.
To add a service group for incoming FortiMail traffic
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_incoming_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, IMAP, and your custom service for FortiGuard Antivirus push updates, FortiMail_antivirus_push_updates, then select the right arrow to move them to the Members area.
  6. Select OK.
To add a service group for outgoing FortiMail traffic
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_outgoing_services.
  5. In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries, then select the right arrow to move them to the Members area.
  6. Select OK.
Configuring the virtual IPs

In order to create the firewall policy that forwards email-related traffic to the FortiMail unit, you must first define a static NAT mapping from a public IP address on the FortiGate unit to the IP address of the FortiMail unit by creating a virtual IP entry.

Note

To add virtual IPs, the FortiGate unit must be operating in NAT mode.

To add a virtual IP for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the virtual IP entry, such as FortiMail_VIP.

    External Interface

    Select wan1.

    Type

    Select Static NAT.

    External IP Address/Range

    Enter 10.10.10.1.

    Mapped IP Address/Range

    Enter 172.16.1.5.

  6. Select OK.
Configuring the firewall policies

First, create a firewall policy that allows incoming email and other FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.

Second, create a firewall policy that allows outgoing email and other connections from the FortiMail unit to the Internet.

To add the Internet-to-FortiMail policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select wan1.

    Source Address Name

    Select all.

    Destination Interface/zone

    Select internal.

    Destination Address Name

    Select FortiMail_VIP.

    Schedule

    Select ALWAYS.

    Service

    Select FortiMail_incoming_services.

    Action

    Select ACCEPT.

  6. Select OK.
To add the FortiMail-to-Internet policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select internal.

    Source Address Name

    Select FortiMail_address.

    Destination Interface/zone

    Select wan1.

    Destination Address Name

    Select all.

    Schedule

    Select ALWAYS.

    Service

    Select FortiMail_outgoing_services.

    Action

    Select ACCEPT.

  6. Select NAT.
  7. Select OK.

Configuring the email user accounts

Create email user accounts for each protected domain on the FortiMail unit.

You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain that you can use in order to verify connectivity for the domain.

To add an email user
  1. Go to Domain & User > User > User. (The User tab appears only when FortiMail operates in server mode.)
  2. From the Domain list, select example.com.
  3. Either select New to add an email user, or double-click an email user you want to modify.
  4. A dialog appears.

  5. In User name, enter the user name portion, such as user1, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com).
  6. Select Password, then enter the password for this email account.
  7. In Display Name, enter the name of the user as it should appear in a MUA, such as "Test User 1".
  8. Select Create for a new user or OK for an existing user.

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the private network IP address of the FortiMail unit, 172.16.1.5; for remote email users, this is the virtual IP on the FortiGate unit that maps to the FortiMail unit, 10.10.10.1 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.

Example 2: FortiMail unit in front of a firewall

In this example, a FortiMail unit operating in server mode within a private network, but is separated from local email users’ computers by a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.

Server mode deployment in front of a NAT device

To deploy the FortiMail unit in front of a NAT device such as a firewall or router, you must complete the following:

Note

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records.

Configuring the firewall

With the FortiMail unit in front of a FortiGate unit which is between the FortiMail unit and local email users, you must configure a policy to allow from local email users to the FortiMail unit.

To create the required policies, complete the following:

Note

The following procedures use a FortiGate unit running FortiOS v3.0 MR7. If you are using a different firewall appliance, consult the appliance’s documentation for completing similar configurations.

Configuring the firewall addresses

In order to create the outgoing firewall policy that governs traffic from the IP addresses of local email users to the IP address of the FortiMail unit, you must first define the IP addresses of the local email users and the FortiMail unit by creating firewall address entries.

To add a firewall address for local email users
  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the firewall address entry, such as local_email_users_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 172.16.1.0/24.

    Interface

    Select internal.

  6. Select OK.
To add a firewall address for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the firewall address entry, such as FortiMail_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 10.10.10.5/32.

    Interface

    Select wan1.

  6. Select OK.
Configuring the service group

In order to create a firewall policy that governs only FortiMail-related traffic, you must first a create service group that contains services that define protocols and port numbers used in that traffic.

To add a service group for email user traffic to the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as local_email_users_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, and IMAP, then select the right arrow to move them to the Members area.
  6. Select OK.
Configuring the firewall policy

Create a firewall policy that allows outgoing email and other FortiMail connections from the local email users to the FortiMail unit.

To add the internal-to-FortiMail policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select internal.

    Source Address Name

    Select local_email_users_address.

    Destination Interface/zone

    Select wan1.

    Destination Address Name

    Select FortiMail_address.

    Schedule

    Select ALWAYS.

    Service

    Select local_email_users_services.

    Action

    Select ACCEPT.

  6. Select NAT.
  7. Select OK.

Configuring the email user accounts

Create email user accounts for each protected domain on the FortiMail unit.

You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain in order to verify connectivity for the domain.

To add an email user
  1. Go to Domain & User > User > User. (The User tab appears only when FortiMail operates in server mode.)
  2. From the Domain list, select example.com.
  3. Either select New to add an email user, or double-click an email user you want to modify.
  4. A dialog appears.

  5. In User Name, enter the user name portion, such as user1, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com).
  6. Select Password, then enter the password for this email account.
  7. In Display Name, enter the name of the user as it should appear in a MUA, such as "Test User 1".
  8. Select Create for a new user or OK for an existing user.

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the virtual IP address on the FortiGate unit that maps to the FortiMail unit, 172.16.1.2; for remote email users, this is the public IP address of the FortiMail unit, 10.10.10.5 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.

Example 3: FortiMail unit in DMZ

In this example, a FortiMail unit operates in server mode within the demilitarized zone (DMZ). It is protected by a firewall but also separated from local email users’ computers by it. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.

Server mode deployment in a DMZ

To deploy the FortiMail unit in the DMZ of a NAT device such as a firewall or router, you must complete the following:

Note

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records.

Configuring the firewall

With the FortiMail unit located in the DMZ of a FortiGate unit which is between the FortiMail unit and local email users, you must configure policies to allow traffic:

  • from local email users to the FortiMail unit
  • from the FortiMail unit to the Internet
  • from the Internet to the FortiMail unit

To create the required policies, complete the following:

Note

The following procedures use a FortiGate unit running FortiOS v3.0 MR7. If you are using a different firewall appliance, consult the appliance’s documentation for completing similar configurations.

Configuring the firewall addresses

In order to create the firewall policies that govern traffic to and from the IP addresses of local email users and the IP address of the FortiMail unit, you must first define the IP addresses of the local email users and the IP address of the FortiMail unit by creating firewall address entries.

To add a firewall address for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the firewall address entry, such as FortiMail_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 192.168.1.5.

    Interface

    Select dmz.

  6. Select OK.
To add a firewall address for local email users
  1. Go to Firewall > Address > Address.
  2. Select Create New.
  3. Complete the following:
  4. Name

    Enter a name to identify the firewall address entry, such as local_email_users_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 172.168.1.0/24.

    Interface

    Select internal.

  5. Select OK.
Configuring the service groups

In order to create firewall policies that govern only FortiMail-related traffic, you must first create groups of services that define protocols and port numbers used in that traffic.

Because FortiGuard-related services for FortiMail units are not predefined, you must define them before you can create a service group that contains those services.

Note

For more information on protocols and port numbers used by FortiMail units, see the Fortinet Knowledge Center article FortiMail Traffic Types and TCP/UDP Ports.

To add a custom service for FortiGuard Antivirus push updates
  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
  5. Name

    Enter a name to identify the custom service entry, such as FortiMail_antivirus_push_updates.

    Protocol Type

    Select TCP/UDP.

    Protocol

    Select UDP.

    Destination Port

    Low

    Enter 9443.

    High

    Enter 9443.

  6. Select OK.
To add a custom service for FortiGuard Antispam rating queries
  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
  5. Name

    Enter a name to identify the custom service entry, such as FortiMail_antispam_rating_queries.

    Protocol Type

    Select TCP/UDP.

    Protocol

    Select UDP.

    Destination Port

    Low

    Enter 8889.

    High

    Enter 8889.

  6. Select OK.
To add a service group for incoming FortiMail traffic
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_incoming_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, IMAP, and your custom service for FortiGuard Antivirus push updates, FortiMail_antivirus_push_updates, then select the right arrow to move them to the Members area.
  6. Select OK.
To add a service group for outgoing FortiMail traffic
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_outgoing_services.
  5. In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries, then select the right arrow to move them to the Members area.
  6. Select OK.
To add a service group for email user traffic to the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as local_email_users_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, and IMAP, then select the right arrow to move them to the Members area.
  6. Select OK.
Configuring the virtual IPs

In order to create the firewall policies that forward email-related traffic to the FortiMail unit from the internal network and from the Internet, you must first define two static NAT mappings:

  • from a public IP address on the FortiGate unit to the IP address of the FortiMail unit
  • from a virtual IP address on the 172.16.1.* network to the IP address of the FortiMail unit by creating a virtual IP entries
To add a wan1 virtual IP for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the virtual IP entry, such as FortiMail_VIP_wan1.

    External Interface

    Select wan1.

    Type

    Select Static NAT.

    External IP Address/Range

    Enter 10.10.10.1.

    Mapped IP Address/Range

    Enter 192.168.1.5.

  6. Select OK.
Configuring the firewall policies

First, create a firewall policy that allows incoming email and other FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.

Second, create a firewall policy that allows outgoing email and other FortiMail connections from the FortiMail unit to the Internet.

Last, create a firewall policy that allows outgoing email and other FortiMail connections from the local email users to the FortiMail unit.

To add the Internet-to-FortiMail policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select wan1.

    Source Address Name

    Select all.

    Destination Interface/zone

    Select dmz.

    Destination Address Name

    Select FortiMail_VIP_wan1.

    Schedule

    Select ALWAYS.

    Service

    Select FortiMail_incoming_services.

    Action

    Select ACCEPT.

  6. Select OK.
To add the FortiMail-to-Internet policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select dmz.

    Source Address Name

    Select FortiMail_address.

    Destination Interface/zone

    Select wan1.

    Destination Address Name

    Select all.

    Schedule

    Select ALWAYS.

    Service

    Select FortiMail_outgoing_services.

    Action

    Select ACCEPT.

  6. Select NAT.
  7. Select OK.
To add the internal-to-FortiMail policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select internal.

    Source Address Name

    Select local_email_users_address.

    Destination Interface/zone

    Select dmz.

    Destination Address Name

    Select FortiMail_address.

    Schedule

    Select ALWAYS.

    Service

    Select local_email_users_services.

    Action

    Select ACCEPT.

  6. Select OK.

Configuring the email user accounts

Create email user accounts for each protected domain on the FortiMail unit.

You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain in order to verify connectivity for the domain.

To add an email user
  1. Go to Domain & User > User > User. (The User tab appears only when FortiMail operates in server mode.)
  2. From the Domain list, select example.com.
  3. Either select New to add an email user, or double-click an email user you want to modify.
  4. A dialog appears.

  5. In User Name, enter the user name portion, such as user1, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com).
  6. Select Password, then enter the password for this email account.
  7. In Display Name, enter the name of the user as it should appear in a MUA, such as "Test User 1".
  8. Select Create for a new user or OK for an existing user.

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the FortiMail address, 192.168.1.5; for remote email users, this is the virtual IP address on the wan1 network interface of the FortiGate unit that maps to the FortiMail unit, 10.10.10.1 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.

Server mode deployment

The following procedures and examples show you how to deploy the FortiMail unit in server mode.

Configuring DNS records

You must configure public DNS records for the protected domains and for the FortiMail unit itself.

Note

If you are unfamiliar with configuring DNS and related MX and A records, first read DNS role in email delivery.

For performance reasons, you may also want to provide a private DNS server for use exclusively by the FortiMail unit.

This section includes the following:

Configuring DNS records for protected domains

Regardless of your private network topology, in order for external MTAs to deliver email to the FortiMail unit, you must configure the public MX record for each protected domain to indicate that the FortiMail unit is its email server.

For example, if the fully qualified domain name (FQDN) of the FortiMail unit is fortimail.example.com, and example.com is a protected domain, the MX record for example.com would be:

example.com IN MX 10 fortimail.example.com

Note

If your FortiMail unit will operate in server mode, configure the MX record to refer to the FortiMail unit, and remove other MX records. If you fail to do so, external MTAs may not be able to deliver email to or through the FortiMail unit, or may be able to bypass the FortiMail unit by using the other MX records. If you have configured secondary MX records for failover reasons, consider configuring FortiMail high availability (HA) instead. For details, see FortiMail high availability modes.

An A record must also exist to resolve the host name of the FortiMail unit into an IP address.

For example, if the MX record indicates that fortimail.example.com is the email gateway for a domain, you must also configure an A record in the example.com zone file to resolve fortimail.example.com into a public IP address:

fortimail IN A 10.10.10.1

where 10.10.10.1 is either the public IP address of the FortiMail unit, or a virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit.

If your FortiMail unit will relay outgoing email, you should also configure the public reverse DNS record. The public IP address of the FortiMail unit, or the virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit, should be globally resolvable into the FortiMail unit’s FQDN. If it is not, reverse DNS lookups by external SMTP servers will fail.

For example, if the public network IP address of the FortiMail unit is 10.10.10.1, a public DNS server’s reverse DNS zone file for the 10.10.10.0/24 subnet might contain:

1 IN PTR fortimail.example.com.

where fortimail.example.com is the FQDN of the FortiMail unit.

Configuring DNS records for the FortiMail unit itself

In addition to that of protected domains, the FortiMail unit must be able to receive web connections, and send and receive email, for its own domain name. Dependent features include:

  • delivery status notification (DSN) email
  • spam reports
  • email users’ access to their per-recipient quarantines
  • FortiMail administrators’ access to the web UI by domain name
  • alert email
  • report generation notification email

For this reason, you should also configure public DNS records for the FortiMail unit itself.

Appropriate records vary by whether or not Web release host name/IP (located in AntiSpam > Quarantine > Quarantine Report in the advanced mode of the web UI) is configured:

Case 1: Web release host name/IP is empty/default

If Web release host name/IP is not configured (the default), the web release/delete links that appear in spam reports will use the fully qualified domain name (FQDN) of the FortiMail unit.

For example, if the FortiMail unit’s host name is fortimail, and its local domain name is example.net, resulting in the FQDN fortimail.example.net, a spam report’s default web release link might look like (FQDN highlighted in bold):

https://fortimail.example.net/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

In the DNS configuration to support this and the other DNS-dependent features, you would configure the following three records:

example.net IN MX 10 fortimail.example.net

fortimail IN A 10.10.10.1

1 IN PTR fortimail.example.net.

where:

  • example.net is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail is the mail gateway
  • fortimail.example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI, email users’ access to their per-recipient quarantines, to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit, and to resolve to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.10.1 is the public IP address of the FortiMail unit
Case 2: Web release host name/IP is configured

You could configure Web release host name/IP to use an alternative fully qualified domain name (FQDN) such as webrelease.example.info instead of the configured FQDN, resulting in the following web release link (web release FQDN highlighted in bold):

https://webrelease.example.info/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291

Then, in the DNS configuration to support this and the other DNS-dependent features, you would configure the following MX record, A records, and PTR record (unlike Case 1: Web Release Host Name/IP is empty/default, in this case, two A records are required; the difference is highlighted in bold):

example.net IN MX 10 fortimail.example.net

fortimail IN A 10.10.10.1

webrelease IN A 10.10.10.1

1 IN PTR fortimail.example.net.

where:

  • example.net is the local domain name to which the FortiMail unit belongs in the MX record, it is the local domain for which the FortiMail is the mail gateway
  • fortimail.example.net is the FQDN of the FortiMail unit
  • fortimail is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the web UI and to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit
  • webrelease is the web release host name; in the A record of the zone file for example.info, it resolves to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report
  • 10.10.10.1 is the public IP address of the FortiMail unit

Configuring a private DNS server

In addition to the public DNS server, consider providing a private DNS server on your local network to improve performance with features that use DNS queries.

Public and private DNS servers (server mode)

If the FortiMail unit is operating in server mode, the private DNS server should contain identical records to a public DNS server.

If you choose to add a private DNS server, to configure the FortiMail unit to use it, go to System > Network > DNS in the advanced mode of the web UI.

Example 1: FortiMail unit behind a firewall

In this example, a FortiMail unit operating in server mode and email users’ computers are both positioned within a private network, behind a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the network protected by the firewall. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.

Server mode deployment behind a NAT device

To deploy the FortiMail unit behind a NAT device such as a firewall or router, you must complete the following:

Note

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records.

Configuring the firewall

With the FortiMail unit behind a FortiGate unit, you must configure policies to allow traffic:

  • from the Internet to the FortiMail unit
  • from the FortiMail unit to the Internet

To create the required policies, complete the following:

Note

The following procedures use a FortiGate unit running FortiOS v3.0 MR7. If you are using a different firewall appliance, consult the appliance’s documentation for completing similar configurations.

Configuring the firewall address

In order to create the outgoing firewall policy that governs the IP address of the FortiMail unit, you must first define the IP address of the FortiMail unit by creating a firewall address entry.

To add a firewall address for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the firewall address entry, such as FortiMail_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 172.16.1.5.

    Interface

    Select internal.

  6. Select OK.
Configuring the service groups

In order to create firewall policies that govern only FortiMail-related traffic, you must first create groups of services that define protocols and port numbers used in that traffic.

Because FortiGuard-related services for FortiMail units are not predefined, you must define them before you can create a service group that contains those services.

Note

For more information on protocols and port numbers used by FortiMail units, see the Fortinet Knowledge Center article FortiMail Traffic Types and TCP/UDP Ports.

To add a custom service for FortiGuard Antivirus push updates
  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
  5. Name

    Enter a name to identify the custom service entry, such as FortiMail_antivirus_push_updates.

    Protocol Type

    Select TCP/UDP.

    Protocol

    Select UDP.

    Destination Port

    Low

    Enter 9443.

    High

    Enter 9443.

  6. Select OK.
To add a custom service for FortiGuard Antispam rating queries
  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
  5. Name

    Enter a name to identify the custom service entry, such as FortiMail_antispam_rating_queries.

    Protocol Type

    Select TCP/UDP.

    Protocol

    Select UDP.

    Destination Port

    Low

    Enter 8889.

    High

    Enter 8889.

  6. Select OK.
To add a service group for incoming FortiMail traffic
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_incoming_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, IMAP, and your custom service for FortiGuard Antivirus push updates, FortiMail_antivirus_push_updates, then select the right arrow to move them to the Members area.
  6. Select OK.
To add a service group for outgoing FortiMail traffic
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_outgoing_services.
  5. In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries, then select the right arrow to move them to the Members area.
  6. Select OK.
Configuring the virtual IPs

In order to create the firewall policy that forwards email-related traffic to the FortiMail unit, you must first define a static NAT mapping from a public IP address on the FortiGate unit to the IP address of the FortiMail unit by creating a virtual IP entry.

Note

To add virtual IPs, the FortiGate unit must be operating in NAT mode.

To add a virtual IP for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the virtual IP entry, such as FortiMail_VIP.

    External Interface

    Select wan1.

    Type

    Select Static NAT.

    External IP Address/Range

    Enter 10.10.10.1.

    Mapped IP Address/Range

    Enter 172.16.1.5.

  6. Select OK.
Configuring the firewall policies

First, create a firewall policy that allows incoming email and other FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.

Second, create a firewall policy that allows outgoing email and other connections from the FortiMail unit to the Internet.

To add the Internet-to-FortiMail policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select wan1.

    Source Address Name

    Select all.

    Destination Interface/zone

    Select internal.

    Destination Address Name

    Select FortiMail_VIP.

    Schedule

    Select ALWAYS.

    Service

    Select FortiMail_incoming_services.

    Action

    Select ACCEPT.

  6. Select OK.
To add the FortiMail-to-Internet policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select internal.

    Source Address Name

    Select FortiMail_address.

    Destination Interface/zone

    Select wan1.

    Destination Address Name

    Select all.

    Schedule

    Select ALWAYS.

    Service

    Select FortiMail_outgoing_services.

    Action

    Select ACCEPT.

  6. Select NAT.
  7. Select OK.

Configuring the email user accounts

Create email user accounts for each protected domain on the FortiMail unit.

You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain that you can use in order to verify connectivity for the domain.

To add an email user
  1. Go to Domain & User > User > User. (The User tab appears only when FortiMail operates in server mode.)
  2. From the Domain list, select example.com.
  3. Either select New to add an email user, or double-click an email user you want to modify.
  4. A dialog appears.

  5. In User name, enter the user name portion, such as user1, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com).
  6. Select Password, then enter the password for this email account.
  7. In Display Name, enter the name of the user as it should appear in a MUA, such as "Test User 1".
  8. Select Create for a new user or OK for an existing user.

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the private network IP address of the FortiMail unit, 172.16.1.5; for remote email users, this is the virtual IP on the FortiGate unit that maps to the FortiMail unit, 10.10.10.1 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.

Example 2: FortiMail unit in front of a firewall

In this example, a FortiMail unit operating in server mode within a private network, but is separated from local email users’ computers by a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.

Server mode deployment in front of a NAT device

To deploy the FortiMail unit in front of a NAT device such as a firewall or router, you must complete the following:

Note

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records.

Configuring the firewall

With the FortiMail unit in front of a FortiGate unit which is between the FortiMail unit and local email users, you must configure a policy to allow from local email users to the FortiMail unit.

To create the required policies, complete the following:

Note

The following procedures use a FortiGate unit running FortiOS v3.0 MR7. If you are using a different firewall appliance, consult the appliance’s documentation for completing similar configurations.

Configuring the firewall addresses

In order to create the outgoing firewall policy that governs traffic from the IP addresses of local email users to the IP address of the FortiMail unit, you must first define the IP addresses of the local email users and the FortiMail unit by creating firewall address entries.

To add a firewall address for local email users
  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the firewall address entry, such as local_email_users_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 172.16.1.0/24.

    Interface

    Select internal.

  6. Select OK.
To add a firewall address for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the firewall address entry, such as FortiMail_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 10.10.10.5/32.

    Interface

    Select wan1.

  6. Select OK.
Configuring the service group

In order to create a firewall policy that governs only FortiMail-related traffic, you must first a create service group that contains services that define protocols and port numbers used in that traffic.

To add a service group for email user traffic to the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as local_email_users_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, and IMAP, then select the right arrow to move them to the Members area.
  6. Select OK.
Configuring the firewall policy

Create a firewall policy that allows outgoing email and other FortiMail connections from the local email users to the FortiMail unit.

To add the internal-to-FortiMail policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select internal.

    Source Address Name

    Select local_email_users_address.

    Destination Interface/zone

    Select wan1.

    Destination Address Name

    Select FortiMail_address.

    Schedule

    Select ALWAYS.

    Service

    Select local_email_users_services.

    Action

    Select ACCEPT.

  6. Select NAT.
  7. Select OK.

Configuring the email user accounts

Create email user accounts for each protected domain on the FortiMail unit.

You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain in order to verify connectivity for the domain.

To add an email user
  1. Go to Domain & User > User > User. (The User tab appears only when FortiMail operates in server mode.)
  2. From the Domain list, select example.com.
  3. Either select New to add an email user, or double-click an email user you want to modify.
  4. A dialog appears.

  5. In User Name, enter the user name portion, such as user1, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com).
  6. Select Password, then enter the password for this email account.
  7. In Display Name, enter the name of the user as it should appear in a MUA, such as "Test User 1".
  8. Select Create for a new user or OK for an existing user.

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the virtual IP address on the FortiGate unit that maps to the FortiMail unit, 172.16.1.2; for remote email users, this is the public IP address of the FortiMail unit, 10.10.10.5 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.

Example 3: FortiMail unit in DMZ

In this example, a FortiMail unit operates in server mode within the demilitarized zone (DMZ). It is protected by a firewall but also separated from local email users’ computers by it. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.

Server mode deployment in a DMZ

To deploy the FortiMail unit in the DMZ of a NAT device such as a firewall or router, you must complete the following:

Note

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records.

Configuring the firewall

With the FortiMail unit located in the DMZ of a FortiGate unit which is between the FortiMail unit and local email users, you must configure policies to allow traffic:

  • from local email users to the FortiMail unit
  • from the FortiMail unit to the Internet
  • from the Internet to the FortiMail unit

To create the required policies, complete the following:

Note

The following procedures use a FortiGate unit running FortiOS v3.0 MR7. If you are using a different firewall appliance, consult the appliance’s documentation for completing similar configurations.

Configuring the firewall addresses

In order to create the firewall policies that govern traffic to and from the IP addresses of local email users and the IP address of the FortiMail unit, you must first define the IP addresses of the local email users and the IP address of the FortiMail unit by creating firewall address entries.

To add a firewall address for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the firewall address entry, such as FortiMail_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 192.168.1.5.

    Interface

    Select dmz.

  6. Select OK.
To add a firewall address for local email users
  1. Go to Firewall > Address > Address.
  2. Select Create New.
  3. Complete the following:
  4. Name

    Enter a name to identify the firewall address entry, such as local_email_users_address.

    Type

    Select Subnet/IP Range.

    Subnet /IP Range

    Enter 172.168.1.0/24.

    Interface

    Select internal.

  5. Select OK.
Configuring the service groups

In order to create firewall policies that govern only FortiMail-related traffic, you must first create groups of services that define protocols and port numbers used in that traffic.

Because FortiGuard-related services for FortiMail units are not predefined, you must define them before you can create a service group that contains those services.

Note

For more information on protocols and port numbers used by FortiMail units, see the Fortinet Knowledge Center article FortiMail Traffic Types and TCP/UDP Ports.

To add a custom service for FortiGuard Antivirus push updates
  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
  5. Name

    Enter a name to identify the custom service entry, such as FortiMail_antivirus_push_updates.

    Protocol Type

    Select TCP/UDP.

    Protocol

    Select UDP.

    Destination Port

    Low

    Enter 9443.

    High

    Enter 9443.

  6. Select OK.
To add a custom service for FortiGuard Antispam rating queries
  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
  5. Name

    Enter a name to identify the custom service entry, such as FortiMail_antispam_rating_queries.

    Protocol Type

    Select TCP/UDP.

    Protocol

    Select UDP.

    Destination Port

    Low

    Enter 8889.

    High

    Enter 8889.

  6. Select OK.
To add a service group for incoming FortiMail traffic
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_incoming_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, IMAP, and your custom service for FortiGuard Antivirus push updates, FortiMail_antivirus_push_updates, then select the right arrow to move them to the Members area.
  6. Select OK.
To add a service group for outgoing FortiMail traffic
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_outgoing_services.
  5. In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries, then select the right arrow to move them to the Members area.
  6. Select OK.
To add a service group for email user traffic to the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as local_email_users_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, and IMAP, then select the right arrow to move them to the Members area.
  6. Select OK.
Configuring the virtual IPs

In order to create the firewall policies that forward email-related traffic to the FortiMail unit from the internal network and from the Internet, you must first define two static NAT mappings:

  • from a public IP address on the FortiGate unit to the IP address of the FortiMail unit
  • from a virtual IP address on the 172.16.1.* network to the IP address of the FortiMail unit by creating a virtual IP entries
To add a wan1 virtual IP for the FortiMail unit
  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
  5. Name

    Enter a name to identify the virtual IP entry, such as FortiMail_VIP_wan1.

    External Interface

    Select wan1.

    Type

    Select Static NAT.

    External IP Address/Range

    Enter 10.10.10.1.

    Mapped IP Address/Range

    Enter 192.168.1.5.

  6. Select OK.
Configuring the firewall policies

First, create a firewall policy that allows incoming email and other FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.

Second, create a firewall policy that allows outgoing email and other FortiMail connections from the FortiMail unit to the Internet.

Last, create a firewall policy that allows outgoing email and other FortiMail connections from the local email users to the FortiMail unit.

To add the Internet-to-FortiMail policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select wan1.

    Source Address Name

    Select all.

    Destination Interface/zone

    Select dmz.

    Destination Address Name

    Select FortiMail_VIP_wan1.

    Schedule

    Select ALWAYS.

    Service

    Select FortiMail_incoming_services.

    Action

    Select ACCEPT.

  6. Select OK.
To add the FortiMail-to-Internet policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select dmz.

    Source Address Name

    Select FortiMail_address.

    Destination Interface/zone

    Select wan1.

    Destination Address Name

    Select all.

    Schedule

    Select ALWAYS.

    Service

    Select FortiMail_outgoing_services.

    Action

    Select ACCEPT.

  6. Select NAT.
  7. Select OK.
To add the internal-to-FortiMail policy
  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:
  5. Source Interface/zone

    Select internal.

    Source Address Name

    Select local_email_users_address.

    Destination Interface/zone

    Select dmz.

    Destination Address Name

    Select FortiMail_address.

    Schedule

    Select ALWAYS.

    Service

    Select local_email_users_services.

    Action

    Select ACCEPT.

  6. Select OK.

Configuring the email user accounts

Create email user accounts for each protected domain on the FortiMail unit.

You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain in order to verify connectivity for the domain.

To add an email user
  1. Go to Domain & User > User > User. (The User tab appears only when FortiMail operates in server mode.)
  2. From the Domain list, select example.com.
  3. Either select New to add an email user, or double-click an email user you want to modify.
  4. A dialog appears.

  5. In User Name, enter the user name portion, such as user1, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com).
  6. Select Password, then enter the password for this email account.
  7. In Display Name, enter the name of the user as it should appear in a MUA, such as "Test User 1".
  8. Select Create for a new user or OK for an existing user.

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the FortiMail address, 192.168.1.5; for remote email users, this is the virtual IP address on the wan1 network interface of the FortiGate unit that maps to the FortiMail unit, 10.10.10.1 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.