Fortinet Document Library

Administration Guide

Running the Quick Start Wizard

The Quick Start Wizard leads you through required configuration steps, helping you to quickly set up your FortiMail unit.

While all settings configured by the Quick Start Wizard can also be configured through the standard and advanced modes of the web UI, the wizard presents each setting in the necessary order. The wizard also provides descriptions to assist you in configuring each setting. These descriptions are not available in the web UI.

Note

The Quick Start Wizard allows you to set up FortiMail in server mode or gateway mode, but not in the transparent mode.

The following topics describe how to use the Quick Start Wizard:

Starting the wizard

  1. Open the web UI in a browser.
  2. In either standard mode or advanced mode, select Wizard from the dropdown list in the top right corner of the web UI.
  3. Select OK when prompted to continue. The first page of the wizard appears in a new window over the web UI. You cannot access the web UI when the wizard is open.
  4. You can navigate through the wizard using the Next and Back buttons at the lower corners of the window.

Note

None of the settings you make on the wizard take effect until you click OK on the last step.

Step 1: Time Settings

Select the time zone.

Step 2: Network Settings

Configure the following network settings.

Port1 IP

Enter the IP address of the port1 network interface, such as 192.168.1.99.

This option does not appear if the FortiMail unit is operating in transparent mode.

Primary DNS

Enter the IP address of the primary server to which the FortiMail unit will make DNS queries.

Caution: Verify connectivity with the DNS servers. Failure to verify connectivity could result in many issues, including the inability of the FortiMail unit to process email.

Secondary DNS

Enter the IP address of the secondary server to which the FortiMail unit will make DNS queries.

Default Gateway

Enter the IP address of the default gateway router.

Step 3: Local Host Settings

You should usually configure the FortiMail unit with a local domain name that is different from that of protected email servers, such as mail.example.com for the FortiMail unit and server.mail.example.com for the protected email server. The local domain name of the FortiMail unit is used in many features, such as email quarantine, Bayesian database training, spam reports, and delivery status notification (DSN) email messages. If the FortiMail unit uses the same domain name as your mail server, it may become difficult to distinguish email messages that originate from the FortiMail unit.

Note

The local domain name must be globally DNS-resolvable only if the FortiMail unit is used as a relay server for outgoing email.

Host name

Enter the host name of the FortiMail unit.

You should use a different host name for each FortiMail unit, especially when you are managing multiple FortiMail units of the same model, or when configuring a FortiMail high availability (HA) cluster. This will enable you to distinguish between different members of the cluster. If the FortiMail unit is in HA mode:

  • when you connect to the web UI, your web browser will display the host name of that cluster member in its status bar.
  • the FortiMail unit will add the host name to the subject line of alert email messages.

Local domain name

Enter the local domain name to which the FortiMail unit belongs. The FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<Host Name>.<Local Domain Name>

This option does not appear if the FortiMail unit is operating in server mode.

Note: The local domain name can be a subdomain of an internal domain if the MX record for the domain on the DNS server can direct the mail destined for the subdomain to the intended FortiMail unit.

Step 4: Edit Administrator Password

By default, the administrator account has no password. Adding a password is optional for this account, but for security reasons, you should provide a password.

Note

Failure to configure a strong administrator password could compromise the security of your FortiMail unit.

To change the password
  1. Select Change password.
  2. Enter and confirm a new password.
  3. Select Next to move to the next step.

Step 5: Operation Mode

Select either the gateway mode or server mode. Note that if you want to run FortiMail in transparent mode, you cannot run the wizard.

Step 6: Domain Configuration

Step 6 of the Quick Start Wizard configures the protected domains.

Protected domains define connections and email messages for which the FortiMail unit can perform protective email processing by describing both:

  • the IP address of an SMTP server
  • the domain name portion (the portion which follows the “@” symbol) of recipient email addresses in the envelope

The FortiMail unit compares both of these to connections and email messages when looking for traffic that involves the protected domain.

For example, if you wanted to scan email from email addresses such as user.one@example.com that are hosted on the SMTP server 10.10.10.10, you would configure a protected domain of example.com whose SMTP server is 10.10.10.10.

You must configure at least one protected domain. FortiMail units can be configured to protect one or more email domains that are hosted on one or more email servers.

An exception is when you will not apply recipient-based policies or authentication profiles, such as in Example 3: FortiMail unit for an ISP or carrier.

Domain name

Enter the fully qualified domain name (FQDN) of the protected domain.

For example, if you want to protect email addresses such as user1@example.com, you would enter the protected domain name example.com.

Use MX record

(gateway mode only)

Select to enable the FortiMail unit to query the DNS server’s MX record for the FQDN or IP address of the SMTP server for this domain name.

Note: If enabled, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit. For details, see Configuring DNS records (gateway mode) or Configuring DNS records (transparent mode).

SMTP server

(gateway mode only)

Enter the fully qualified domain name (FQDN) host name or IP address of the primary SMTP server for this protected domain, then also configure Port.

If you have an internal mail relay that is located on a physically separate server from your internal mail server, this could be your internal mail relay, instead of your internal mail server. Consider your network topology, directionality of the mail flow, and the operation mode of the FortiMail unit.

Port

(gateway mode only)

Enter the port number on which the SMTP server listens.

The default SMTP port number is 25.

Use SMTPS

(gateway mode only)

Enable to use SMTPS for connections originating from or destined for this protected server.

Use SMTP for recipient verification

(gateway mode only)

Enable it if you want to use the SMTP server to verify the recipients.
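The Caution under Primary DNS and the Use MX record option both depend on the configured DNS servers answering MX queries for the protected domain. The following check is an added example, not part of the Fortinet documentation or FortiMail itself; it sends one MX query over UDP port 53 using only the Python standard library, and the function names are hypothetical.

```python
import socket
import struct

def build_mx_query(domain, txid=0x1234):
    """Encode a DNS query (RFC 1035) for the MX records of `domain`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 15, 1)  # QTYPE=MX, QCLASS=IN

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:  # refuse pointer loops in a malformed reply
                raise ValueError("compression loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_mx_response(msg, txid=0x1234):
    """Return [(preference, exchange)] sorted by preference, or raise."""
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, rdlen = struct.unpack(">H6xH", msg[off:off + 10])
        off += 10
        if rtype == 15:  # MX: 16-bit preference followed by the exchange name
            pref, = struct.unpack(">H", msg[off:off + 2])
            records.append((pref, read_name(msg, off + 2)[0]))
        off += rdlen
    return sorted(records)

def check_dns_server(server_ip, domain, timeout=3.0):
    """Query one DNS server; a timeout here means it is unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_mx_query(domain), (server_ip, 53))
        return parse_mx_response(s.recv(4096))
```

Call `check_dns_server()` once for the primary and once for the secondary DNS address, passing the protected domain name. An empty list means the server answered but holds no MX record for that domain.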

Step 7: Policy Settings

Policy settings decide how to apply the scan policies. By default, FortiMail comes with system-wide IP-based and recipient-based policies.

Inbound email scan

Enable to scan the inbound email destined to the protected domains.

Outbound email scan

Enable to scan the outbound email destined to the unprotected domains.

Email relay for protected domain

(gateway mode only)

This option appears if you specified the SMTP server’s IP address in the previous step. Enable it to add the protected domain to the ACL and set the action to relay.

Step 8: Reviewing and saving the configuration

Step 8 presents a list of all settings you have made in the wizard.

  • Review the configuration.
  • To change a setting, click Back until you reach the applicable step.
  • If all settings are correct, select OK.

Note

None of the settings you made on the wizard take effect until you click OK on the final page.

The wizard and the dashboard disappear, and FortiMail prompts you to log in.

Continuing the installation

After using the Quick Start Wizard:

  1. If you have multiple FortiMail units, and you want to configure them in high availability (HA) mode, configure the HA settings before physically connecting the FortiMail units to your network.
  2. For instructions on configuring HA, see Using high availability (HA).

  3. If you have subscribed to FortiGuard Antivirus or FortiGuard Antispam services, connect the FortiMail unit to the Fortinet Distribution Network (FDN) to update related packages. For details, see Connecting to FortiGuard services.
  4. You may need to configure additional features that may be specific to your operation mode and network topology, such as configuring your router or firewall, and records on your public DNS server. For instructions applicable to your operation mode, see:
  • Verify that email clients can connect to or through the FortiMail unit. For details, see Testing the installation.