The FortiMail unit can be bypassed in a complex network environment if the network is not carefully planned and deployed.
To ensure maximum safety:
- Configure routers and firewalls to send all SMTP traffic to or through the FortiMail unit for scanning.
- If the FortiMail unit will operate in gateway mode, on public DNS servers, modify the MX records for each protected domain to contain only a single MX record entry that refers to the FortiMail unit. Spammers can easily determine the lowest priority mail server (highest preference number in MX record) and deliver spam to it, instead of the FortiMail unit, in an attempt to avoid spam defenses.
- If the FortiMail unit will operate in transparent mode, deploy it directly in front of your protected email servers so that all email can be scanned.
- If the FortiMail unit will operate in transparent mode, do not connect two ports to the same VLAN on a switch or to the same hub. Some Layer 2 switches become unstable when they detect the same media access control (MAC) address originating on more than one switch interface or from more than one VLAN.