Server mode deployment
The following procedures and examples show you how to deploy the FortiMail unit in server mode.
- Configuring DNS records
- Example 1: FortiMail unit behind a firewall
- Example 2: FortiMail unit in front of a firewall
- Example 3: FortiMail unit in DMZ
Configuring DNS records
You must configure public DNS records for the protected domains and for the FortiMail unit itself.
If you are unfamiliar with configuring DNS and related MX and A records, first read DNS role in email delivery. |
For performance reasons, you may also want to provide a private DNS server for use exclusively by the FortiMail unit.
This section includes the following:
- Configuring DNS records for protected domains
- Configuring DNS records for the FortiMail unit itself
- Configuring a private DNS server
Configuring DNS records for protected domains
Regardless of your private network topology, in order for external MTAs to deliver email to the FortiMail unit, you must configure the public MX record for each protected domain to indicate that the FortiMail unit is its email server.
For example, if the fully qualified domain name (FQDN) of the FortiMail unit is fortimail.example.com, and example.com is a protected domain, the MX record for example.com would be:
example.com IN MX 10 fortimail.example.com
If your FortiMail unit will operate in server mode, configure the MX record to refer to the FortiMail unit, and remove other MX records. If you fail to do so, external MTAs may not be able to deliver email to or through the FortiMail unit, or may be able to bypass the FortiMail unit by using the other MX records. If you have configured secondary MX records for failover reasons, consider configuring FortiMail high availability (HA) instead. For details, see FortiMail high availability. |
An A record must also exist to resolve the host name of the FortiMail unit into an IP address.
For example, if the MX record indicates that fortimail.example.com is the email gateway for a domain, you must also configure an A record in the example.com zone file to resolve fortimail.example.com into a public IP address:
fortimail IN A 10.10.10.1
where 10.10.10.1
is either the public IP address of the FortiMail unit, or a virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit.
If your FortiMail unit will relay outgoing email, you should also configure the public reverse DNS record. The public IP address of the FortiMail unit, or the virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit, should be globally resolvable into the FortiMail unit’s FQDN. If it is not, reverse DNS lookups by external SMTP servers will fail.
For example, if the public network IP address of the FortiMail unit is 10.10.10.1, a public DNS server’s reverse DNS zone file for the 10.10.10.0/24 subnet might contain:
1 IN PTR fortimail.example.com.
where fortimail.example.com
is the FQDN of the FortiMail unit.
Configuring DNS records for the FortiMail unit itself
In addition to that of protected domains, the FortiMail unit must be able to receive web connections, and send and receive email, for its own domain name. Dependent features include:
- delivery status notification (DSN) email
- spam reports
- email users’ access to their per-recipient quarantines
- FortiMail administrators’ access to the GUI by domain name
- alert email
- report generation notification email
For this reason, you should also configure public DNS records for the FortiMail unit itself.
Appropriate records vary by whether or not Web release host name/IP (located in Security > Quarantine > Quarantine Report in the advanced mode of the GUI) is configured:
Case 1: Web release host name/IP is empty/default
If Web release host name/IP is not configured (the default), the web release/delete links that appear in spam reports will use the fully qualified domain name (FQDN) of the FortiMail unit.
For example, if the FortiMail unit’s host name is fortimail
, and its local domain name is example.net
, resulting in the FQDN fortimail.example.net
, a spam report’s default web release link might look like (FQDN highlighted in bold):
https://fortimail.example.net/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291
In the DNS configuration to support this and the other DNS-dependent features, you would configure the following three records:
example.net IN MX 10 fortimail.example.net
fortimail IN A 10.10.10.1
1 IN PTR fortimail.example.net.
where:
example.net
is the local domain name to which the FortiMail unit belongs; in the MX record, it is the local domain for which the FortiMail is the mail gatewayfortimail.example.net
is the FQDN of the FortiMail unitfortimail
is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the GUI, email users’ access to their per-recipient quarantines, to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unit, and to resolve to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report10.10.10.1
is the public IP address of the FortiMail unit
Case 2: Web release host name/IP is configured
You could configure Web release host name/IP to use an alternative fully qualified domain name (FQDN) such as webrelease.example.info
instead of the configured FQDN, resulting in the following web release link (web release FQDN highlighted in bold):
https://webrelease.example.info/releasecontrol?release=0%3Auser2%40example.com%3AMTIyMDUzOTQzOC43NDJfNjc0MzE1LkZvcnRpTWFpbC00MDAsI0YjUyM2NTkjRSxVMzoyLA%3D%3D%3Abf3db63dab53a291ab53a291ab53a291
Then, in the DNS configuration to support this and the other DNS-dependent features, you would configure the following MX record, A records, and PTR record (unlike Case 1: Web Release Host Name/IP is empty/default, in this case, two A records are required; the difference is highlighted in bold):
example.net IN MX 10 fortimail.example.net
fortimail IN A 10.10.10.1
webrelease IN A 10.10.10.1
1 IN PTR fortimail.example.net.
where:
example.net
is the local domain name to which the FortiMail unit belongs in the MX record, it is the local domain for which the FortiMail is the mail gatewayfortimail.example.net
is the FQDN of the FortiMail unitfortimail
is the host name of the FortiMail unit; in the A record of the zone file for example.net, it resolves to the IP address of the FortiMail unit for the purpose of administrators’ access to the GUI and to resolve the FQDN referenced in the MX record when email users send Bayesian and quarantine control email to the FortiMail unitwebrelease
is the web release host name; in the A record of the zone file for example.info, it resolves to the IP address of the FortiMail unit for the purpose of the web release/delete hyperlinks in the spam report10.10.10.1
is the public IP address of the FortiMail unit
Configuring a private DNS server
In addition to the public DNS server, consider providing a private DNS server on your local network to improve performance with features that use DNS queries.
Public and private DNS servers (server mode)
If the FortiMail unit is operating in server mode, the private DNS server should contain identical records to a public DNS server.
If you choose to add a private DNS server, to configure the FortiMail unit to use it, go to System > Network > DNS in the advanced mode of the GUI.
Example 1: FortiMail unit behind a firewall
In this example, a FortiMail unit operating in server mode and email users’ computers are both positioned within a private network, behind a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the network protected by the firewall. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.
Server mode deployment behind a NAT device
To deploy the FortiMail unit behind a NAT device such as a firewall or router, you must complete the following:
- Configuring the firewall
- Configuring the email user accounts
- Configuring the MUAs
- Testing the installation
This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records. |
Configuring the firewall
In order to create the outgoing firewall policy that governs the IP address of the FortiMail unit, you must first define the IP address of the FortiMail unit by creating a firewall address entry.
In order to create the firewall policy that forwards email-related traffic to the FortiMail unit, you must first define a static NAT mapping from a public IP address on the FortiGate unit to the IP address of the FortiMail unit by creating a virtual IP entry.
Once the firewall address and VIPs are configured, you must create firewall policies that
- allow incoming email and other FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.
- allow outgoing email and other connections from the FortiMail unit to the Internet.
For more information about how to configure the firewall address, virtual IPs, and firewall policies, see the FortiGate documentation.
Configuring the email user accounts
Create email user accounts for each protected domain on the FortiMail unit.
You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain that you can use in order to verify connectivity for the domain.
To add an email user (Server mode only)
- Go to Domain & User > User > User.
- From the Domain list, select example.com.
- Either select New to add an email user, or double-click an email user you want to modify.
- In User name, enter the user name portion, such as
user1
, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com). - Select Password, then enter the password for this email account.
- In Display Name, enter the name of the user as it should appear in a MUA, such as
"Test User 1"
. - Select Create for a new user or OK for an existing user.
A dialog appears.
Configuring the MUAs
Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the private network IP address of the FortiMail unit, 172.16.1.5; for remote email users, this is the virtual IP on the FortiGate unit that maps to the FortiMail unit, 10.10.10.1 or fortimail.example.com.
If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.
Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.
If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.
Testing the installation
Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.
Example 2: FortiMail unit in front of a firewall
In this example, a FortiMail unit operating in server mode within a private network, but is separated from local email users’ computers by a firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.
Server mode deployment in front of a NAT device
To deploy the FortiMail unit in front of a NAT device such as a firewall or router, you must complete the following:
- Configuring the firewall
- Configuring the email user accounts
- Configuring the MUAs
- Testing the installation
This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records. |
Configuring the firewall
In order to create the outgoing firewall policy that governs traffic from the IP addresses of local email users to the IP address of the FortiMail unit, you must first define the IP addresses of the local email users and the FortiMail unit by creating firewall address entries.
Once the firewall address is configured, create a firewall policy that allows outgoing email and other FortiMail connections from the local email users to the FortiMail unit.
For more information about how to configure the firewall address and firewall policies, see the FortiGate documentation.
Configuring the email user accounts
Create email user accounts for each protected domain on the FortiMail unit.
You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain in order to verify connectivity for the domain.
To add an email user (Server mode only)
- Go to Domain & User > User > User.
- From the Domain list, select example.com.
- Either select New to add an email user, or double-click an email user you want to modify.
- In User Name, enter the user name portion, such as
user1
, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com). - Select Password, then enter the password for this email account.
- In Display Name, enter the name of the user as it should appear in a MUA, such as
"Test User 1"
. - Select Create for a new user or OK for an existing user.
A dialog appears.
Configuring the MUAs
Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the virtual IP address on the FortiGate unit that maps to the FortiMail unit, 172.16.1.2; for remote email users, this is the public IP address of the FortiMail unit, 10.10.10.5 or fortimail.example.com.
If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.
Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.
If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.
Testing the installation
Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.
Example 3: FortiMail unit in DMZ
In this example, a FortiMail unit operates in server mode within the demilitarized zone (DMZ). It is protected by a firewall but also separated from local email users’ computers by it. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.
Server mode deployment in a DMZ
To deploy the FortiMail unit in the DMZ of a NAT device such as a firewall or router, you must complete the following:
- Configuring the firewall
- Configuring the email user accounts
- Configuring the MUAs
- Testing the installation
This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see Running the Quick Start Wizard and Configuring DNS records. |
Configuring the firewall
In order to create the firewall policies that govern traffic to and from the IP addresses of local email users and the IP address of the FortiMail unit, you must first define the IP addresses of the local email users and the IP address of the FortiMail unit by creating firewall address entries.
In order to create the firewall policies that forward email-related traffic to the FortiMail unit from the internal network and from the Internet, you must first define two static NAT mappings:
- from a public IP address on the FortiGate unit to the IP address of the FortiMail unit
- from a virtual IP address on the 172.16.1.* network to the IP address of the FortiMail unit by creating a virtual IP entries
Once the firewall address and VIPs are configured, you must create firewall policies that:
- allow incoming email and other FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.
- allow outgoing email and other FortiMail connections from the FortiMail unit to the Internet.
- allow outgoing email and other FortiMail connections from the local email users to the FortiMail unit.
For more information about how to configure the firewall address, virtual IPs, and firewall policies, see the FortiGate documentation.
Configuring the email user accounts
Create email user accounts for each protected domain on the FortiMail unit.
You may choose to create additional email user accounts later, but you should create at least one email user account for each protected domain in order to verify connectivity for the domain.
To add an email user (Server mode only)
- Go to Domain & User > User > User.
- From the Domain list, select example.com.
- Either select New to add an email user, or double-click an email user you want to modify.
- In User Name, enter the user name portion, such as
user1
, of the email address that will be locally deliverable on the FortiMail unit (user1@example.com). - Select Password, then enter the password for this email account.
- In Display Name, enter the name of the user as it should appear in a MUA, such as
"Test User 1"
. - Select Create for a new user or OK for an existing user.
A dialog appears.
Configuring the MUAs
Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the FortiMail address, 192.168.1.5; for remote email users, this is the virtual IP address on the wan1 network interface of the FortiGate unit that maps to the FortiMail unit, 10.10.10.1 or fortimail.example.com.
If you do not configure the email clients to send email through the FortiMail unit, incoming email can be scanned, but outgoing email cannot.
Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.
If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.
Testing the installation
Basic configuration is now complete, and the installation may be tested. For testing instructions, see Testing the installation.