Configuring network settings
The Network submenu provides options to configure network connectivity and administrative access to the GUI or CLI of the FortiMail unit through each network interface.
This section includes:
- About IPv6 Support
- About the management IP
- About FortiMail logical interfaces
- Configuring the network interfaces
- Configuring link status monitoring
- Configuring static routes
- Configuring DNS
- Configuring dynamic DNS
- Configuring port forwarding
- Scanning SMTP traffic redirected from FortiGate
About IPv6 Support
IP version 6 (IPv6) handles issues that did not exist when IPv4 was created, such as running out of IP addresses, fair distribution of IP addresses, built-in quality of service (QoS) features, better multimedia support, and improved handling of fragmentation. A bigger address space, bigger default packet size, and more optional header extensions provide these features with flexibility to customize IPv6 packets to future needs.
IPv6 has 128-bit addresses compared to IPv4's 32-bit addresses, effectively eliminating address exhaustion. This very large address space reduces the need for network address translation (NAT), since IPv6 provides more than a billion IP addresses for each person on Earth. All hardware and software network components must support the new address size, so the upgrade may take a while to complete and will force IPv6 and IPv4 to work side by side during the transition period.
FortiMail supports the following IPv6 features:
- Network interface
- Network routing
- High availability
- DNS
- Administrative access
- Webmail access
- Mail routing — multiple combinations of IPv4/6 server, IPv4/6 remote gateway
- Access control lists
- Grey list
- Local sender reputation
- IPv6 based policies
- Block/safe list
- LDAP
- IP pools
FortiMail will support the following IPv6 features in future releases:
- Port forwarding for IPv6
- FortiGuard Antispam database populated with IPv6 addresses
About the management IP
When a FortiMail unit operates in transparent mode, you can configure one or more of its network interfaces to act as a Layer 2 bridge, without IP addresses of their own. However, the FortiMail unit must have an IP address for administrators to configure it through a network connection rather than a local console. The management IP address enables administrators to connect to the FortiMail unit through port1 or other network ports, even when they are currently bridging.
By default, the management IP address is indirectly bound to port1 through the bridge. If other network interfaces are also included in the bridge with port1, you can configure the FortiMail unit to respond to connections to the management IP address that arrive on those other network interfaces. For more information, see Do not associate with management IP.
Unless you configured an override server IP address, FortiMail units use this IP address to connect to the FortiGuard Distribution Network (FDN). Depending on your network topology, the management IP may be a private network address. In this case, it is not routable from the FDN and is unsuitable for use as the destination IP address of push update connections from the FDN. For push updates to function correctly, you must configure an override server. For details, see Configuring FortiGuard Antivirus service.
You can access the GUI, FortiMail webmail, and the per-recipient quarantines remotely using the management IP address.
About FortiMail logical interfaces
In addition to the FortiMail physical network interfaces, you can create the following types of logical interfaces on FortiMail:
VLAN subinterfaces
A Virtual LAN (VLAN) subinterface, also called a VLAN, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it is separate from any other traffic on the physical interface.
VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.
One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.
For information about adding VLAN subinterfaces, see Configuring the network interfaces.
Redundant interfaces
On the FortiMail unit, you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.
In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.
A physical interface is available to be in a redundant interface if:
- it is a physical interface, not a VLAN interface
- it is not already part of a redundant interface
- it has no defined IP address and is not configured for DHCP
- it does not have any VLAN subinterfaces
- it is not monitored by HA
When a physical interface is included in a redundant interface, it is not listed on System > Network > Interface. You cannot configure the interface anymore.
For information about adding redundant interfaces, see Configuring the network interfaces.
Loopback interfaces
A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.
The FortiMail unit's loopback IP address does not depend on one specific external port, so it is possible to access it through several physical or VLAN interfaces. In the current release, you can only add one loopback interface on the FortiMail unit.
The loopback interface is useful when you use a Layer 2 load balancer in front of several FortiMail units. In this case, you can set the FortiMail loopback interface’s IP address the same as the load balancer's IP address and thus the FortiMail unit can pick up the traffic forwarded to it from the load balancer.
For information about adding a loopback interface, see Configuring the network interfaces.
Configuring the network interfaces
The System > Network > Interface tab displays the FortiMail unit’s network interfaces.
You must configure at least one network interface for the FortiMail unit to connect to your network. Depending on your network topology and other considerations, you can connect the FortiMail unit to your network using two or more of the network interfaces. You can configure each network interface separately. You can also configure advanced interface options, including VLAN sub-interfaces, redundant interfaces, and loopback interfaces. For more information, see About FortiMail logical interfaces, and Editing network interfaces.
If your FortiMail unit is not properly deployed and configured for the topology of your network, including network interface connections, email may bypass the FortiMail unit.
To view the list of network interfaces, go to System > Network > Interface.
GUI item
Description
Interface name
Displays the name of the network interface, such as port1. If the FortiMail unit is operating in transparent mode, this column also indicates that the management IP address is that of port1. For more information, see About the management IP.
Type
Displays the interface type: physical, VLAN, redundant, or loopback. For details, see About FortiMail logical interfaces.
In transparent mode, this column indicates if the port is on the same bridge as the management IP. By default, all ports are on the bridge. For information on bridged networks in transparent mode, see Editing network interfaces.
IP/Netmask
Displays the IP address and netmask of the network interface. If the FortiMail unit is in transparent mode, this field may display Bridging instead. This means that Do not associate with management IP has been disabled, and the network interface is acting as a Layer 2 bridge. If high availability (HA) is enabled, this field may display instead either:
IPv6/Netmask
Displays the IPv6 address and netmask of the network interface. For more information about IPv6 support, see About IPv6 Support.
Access
Displays the administrative access and webmail access services that are enabled on the network interface, such as HTTPS for the GUI.
Status
Indicates the up (available) or down (unavailable) administrative status for the network interface.
To change the administrative status (that is, bring up or down a network interface), see Editing network interfaces.
Editing network interfaces
You can edit the FortiMail physical network interfaces to change their IP addresses, netmasks, administrative access protocols, and other settings. You can also create or edit logical interfaces, such as VLANs, redundant interfaces and the loopback interface.
Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiMail unit.
If your FortiMail unit operates in transparent mode and depending on your network topology, you may need to configure the network interfaces of the FortiMail unit.
- If all email servers protected by the FortiMail unit are located on the same subnet, no network interface configuration is necessary. Bridging is the default configuration for network interfaces when the FortiMail unit operates in transparent mode, and the FortiMail unit will bridge all connections occurring through it from the network to the protected email servers.
- If email servers protected by the FortiMail unit are located on different subnets, you must connect those email servers through separate physical ports on the FortiMail unit, and configure the network interfaces associated with those ports, assigning IP addresses and removing them from the bridge.
It is possible to configure a mixture of bridging and non-bridging network interfaces. For example, if some email servers belong to the same subnet, network interfaces for those email servers may remain in the bridge group; email servers belonging to other subnets may be attached to network interfaces that are not associated with the bridge.
You can restrict which IP addresses are permitted to log in as a FortiMail administrator through network interfaces. For details, see Configuring administrator accounts.
To create or edit a network interface
1. Go to System > Network > Interface.
2. Double-click a network interface to modify it or select the interface and click Edit. If you want to create a logical interface, click New.
The Edit Interface dialog appears. Its appearance varies by:
- the operation mode of the FortiMail unit (gateway, transparent, or server)
- if the FortiMail unit is operating in transparent mode, by whether the network interface is port1, which is required to be configured as a Layer 2 bridge and associated with the management IP, and therefore cannot be configured with its own IP and Netmask
3. For gateway mode or server mode, configure the following:
GUI item
Description
Interface Name
If you are editing an existing interface, this field displays the name (such as port2) and media access control (MAC) address for this network interface.
If you are creating a logical interface, enter a name for the interface.
Type
If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see About FortiMail logical interfaces.
VLAN
If you want to create a VLAN subinterface, select the interface on which you want to create the subinterface.
Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094. (0 is used for high priority frames, and 4095 is reserved.)
Redundant
If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.
Loopback
If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail.
Addressing mode
Manual: Select to enter a static IP address, then enter the IP address and netmask for the network interface.
IP/Netmask
Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in gateway mode or server mode, this option is available only if Manual is selected.
Note: IP addresses of different interfaces cannot be on the same subnet.
DHCP
Select to retrieve a dynamic IP address using DHCP.
This option appears only if the FortiMail unit is operating in gateway mode or server mode.
Enable to retrieve both the default gateway and DNS addresses from the DHCP server, replacing any manually configured values.
Enable for the FortiMail unit to attempt to obtain DHCP addressing information from the DHCP server.
Disable this option if you are configuring the network interface offline, and do not want the unit to attempt to obtain addressing information at this time.
Advanced Setting
Access
Enable protocols that this network interface should accept for connections to the FortiMail unit itself (these options do not affect connections that will travel through the FortiMail unit).
- HTTPS: Enable to allow secure HTTPS connections to the GUI, webmail, and per-recipient quarantine through this network interface.
- HTTP: Enable to allow HTTP connections to the GUI, webmail, and per-recipient quarantine through this network interface. For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see Configuring global quarantine report settings.
- PING: Enable to allow ICMP ECHO (ping) responses from this network interface. For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.
- SSH: Enable to allow SSH connections to the CLI through this network interface.
- SNMP: Enable to allow SNMP connections (queries) to this network interface. For information on further restricting access, or on configuring the network interface that will be the source of traps, see Configuring the network interfaces.
- TELNET: Enable to allow Telnet connections to the CLI through this network interface.
Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see Configuring administrator accounts.
Enable the GUI access type that this network interface should accept.
- Admin: Enable to allow access to the administrative GUI through this interface.
- Webmail: Enable to allow webmail access through this interface.
Enable the email access protocols that this network interface should accept: SMTP, SMTPS, IMAP, IMAPS, POP3, or POP3S.
This is also required by HA remote service monitoring. See the Service Monitor section.
MTU
Enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.
The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.
Administrative status
Select either:
- Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
- Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
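The Access caution above is easiest to enforce with a configuration audit. The following is an added example, not FortiMail's own code or API: it takes a per-interface record of which Access protocols are enabled, flags the cleartext protocols (HTTP, Telnet) and any administrative protocol on an interface that does not face a trusted private network, and produces the hardened equivalent. The interface data is constructed, and the "trusted" flag is an assumption standing in for "connected to a trusted private network or directly to your management computer".

```python
# Added example, not FortiMail code. Audits per-interface Access settings against the
# guidance on this page: prefer HTTPS/SSH, and enable administrative access only on
# interfaces that face a trusted private network or the management computer.

CLEARTEXT = {"HTTP", "TELNET"}  # the page calls these out as interceptable
ADMIN_PROTOCOLS = {"HTTPS", "HTTP", "SSH", "TELNET", "SNMP"}  # reach the unit itself

# Constructed sample configuration. "trusted" is an assumption used by the audit;
# "access" lists the protocols enabled under Access for that interface.
INTERFACES = {
    "port1": {"trusted": True, "access": {"HTTPS", "SSH", "PING"}},
    "port2": {"trusted": False, "access": {"HTTPS", "HTTP", "TELNET", "PING"}},
    "port3": {"trusted": False, "access": {"PING"}},
}


def audit_access(interfaces):
    """Return (interface, protocol, reason) findings in a stable, sorted order."""
    findings = []
    for name, cfg in sorted(interfaces.items()):
        enabled = set(cfg["access"])
        # Cleartext management protocols are a finding on every interface.
        for proto in sorted(enabled & CLEARTEXT):
            findings.append((name, proto, "cleartext protocol can be intercepted; use HTTPS or SSH"))
        # Any remaining administrative protocol on an untrusted interface is a finding too.
        if not cfg["trusted"]:
            for proto in sorted(enabled & (ADMIN_PROTOCOLS - CLEARTEXT)):
                findings.append((name, proto, "administrative access enabled on an untrusted interface"))
    return findings


def hardened(interfaces):
    """Return a copy with cleartext protocols removed everywhere and all
    administrative protocols removed from untrusted interfaces (PING is untouched)."""
    out = {}
    for name, cfg in interfaces.items():
        allowed = set(cfg["access"]) - CLEARTEXT
        if not cfg["trusted"]:
            allowed -= ADMIN_PROTOCOLS
        out[name] = {"trusted": cfg["trusted"], "access": allowed}
    return out


if __name__ == "__main__":
    for finding in audit_access(INTERFACES):
        print(": ".join(finding))
    print(hardened(INTERFACES))
```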
If the FortiMail unit is operating in transparent mode, configure the following:
GUI item
Description
Interface Name
Displays the name (such as port2) and media access control (MAC) address for this network interface.
If you are creating a logical interface, enter a name for the interface.
Type
If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see About FortiMail logical interfaces.
VLAN
If you want to create a VLAN subinterface, select the interface on which you want to create the subinterface.
Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.
Redundant
If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.
Loopback
If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail.
Addressing mode
Enable to configure an IP address and netmask for this network interface, separate from the management IP, then configure IP/Netmask.
This option appears only if the network interface is not port1, which is required to be a member of the bridge.
Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in transparent mode, this option is available only if Do not associate with management IP is enabled.
Access
Enable protocols that this network interface should accept for connections to the FortiMail unit itself (these options do not affect connections that will travel through the FortiMail unit).
- HTTPS: Enable to allow secure HTTPS connections to the GUI, webmail, and per-recipient quarantine through this network interface.
- HTTP: Enable to allow HTTP connections to the GUI, webmail, and per-recipient quarantine through this network interface. For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see Configuring global quarantine report settings.
- PING: Enable to allow ICMP ECHO (ping) responses from this network interface. For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.
- SSH: Enable to allow SSH connections to the CLI through this network interface.
- SNMP: Enable to allow SNMP connections (queries) to this network interface. For information on further restricting access, or on configuring the network interface that will be the source of traps, see Configuring the network interfaces.
- TELNET: Enable to allow Telnet connections to the CLI through this network interface.
Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see Configuring administrator accounts.
MTU
Override default MTU value (1500)
Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.
The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.
Administrative status
Select either:
- Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
- Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections on that network interface, the FortiMail unit can scan and process the connection. If not enabled, the FortiMail unit can either block or permit the connection to pass through unmodified.
Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.
For more information about FortiMail transparent mode proxy and implicit SMTP relay, see Characteristics of transparent mode.
Note: When a FortiMail unit proxies or relays traffic, whether the email will be scanned or not depends on the policies you specify. For more information about policies, see Configuring policies.
Select how the proxy or built-in MTA will handle SMTP connections for that interface that are incoming to the IP addresses of email servers belonging to a protected domain.
- Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
- Drop: Drop connections.
- Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see Configuring policies.
Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see Avoiding scanning email multiple times.
Select how the proxy or built-in MTA will handle SMTP connections for that interface that are outgoing to the IP addresses of email servers that are not a protected domain.
- Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
- Drop: Drop connections.
- Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see Configuring policies.
Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see Avoiding scanning email multiple times.
Select how the FortiMail unit will handle SMTP connections on each network interface that are destined for the FortiMail unit itself, such as quarantine release or delete messages and Bayesian training messages.
To configure a non-bridging network interface
1. Go to System > Network > Interface.
2. Double-click the network interface to modify it or select the interface and click Edit.
port1 is required to be a member of the bridge and cannot be removed from it.
3. Enable Do not associate with management IP.
This option appears only when the FortiMail unit is operating in transparent mode and the network interface is not port1, which is required to be a member of the bridge.
4. In IP/Netmask, enter the IP address and netmask of the network interface.
5. Click OK.
6. Repeat this procedure for each network interface that is connected to an email server on a distinct subnet. When complete, configure static routes for those email servers. For details, see Configuring static routes. Also configure each protected domain to indicate through which network interface its email servers are connected. For details, see Configuring protected domains.
Configuring link status monitoring
Link status monitoring enables the FortiMail unit to track the status of its network interfaces and to bring an interface down or up based on the state of another associated interface.
Interface tracking
FortiMail units can process email before delivering it to your company’s internal mail server. In this configuration, mail comes from an external interface into the FortiMail unit. Then the mail is processed for spam, viruses, and such. The mail is then forwarded over an internal interface to a company internal mail server for internal distribution.
For redundancy, companies can configure a secondary FortiMail unit that is connected to a secondary internal mail server. In this configuration the secondary FortiMail unit is normally not active, with all mail going through the primary FortiMail unit. The secondary system is activated when the external interface on the primary FortiMail unit is unreachable. Mail is routed to the secondary system until the primary unit can be reached, and then the mail is delivered to the primary FortiMail unit once again. In this configuration the mail only goes to one FortiMail unit or the other; it is never divided between the two.
If the internal mail server becomes unreachable from the primary FortiMail unit's internal interface, the primary FortiMail unit needs to stop the incoming email or the email will continue to accumulate and not be delivered.
The FortiMail unit can track the status of the internal interface. When interface tracking sees the internal interface go down, it brings down the FortiMail external interface. This stops email from accumulating on the primary FortiMail unit. If your company has the redundant secondary FortiMail unit configured, email can be routed to it until the primary FortiMail unit can be reached again. Interface tracking also brings the external interface up when the internal interface comes back up.
With interface tracking, you can set which interfaces are associated. You can also set how often interface tracking checks the status of the interfaces. This is the maximum delay before the interfaces associated with the downed interface are brought down as well.
Configuring link status propagation
The Propagate Link Status to Ports section of the Link Status screen shows any interfaces whose status is linked to this interface.
Linking the state of an internal link to the external link prevents an accumulation of undeliverable mail from building up on the FortiMail unit when the internal link goes down.
To configure link status propagation
1. Go to System > Network > Link Monitor.
2. Select the enable button.
3. Enter the number of seconds between checks of the link status. If this is set to zero, the link status will not propagate to the other ports.
4. Enter the number of seconds to delay after a link state operation before checking the status.
5. Under Link Status, select the interface you want to propagate the status from, then click Edit for the interface.
6. In the Link Status Setting dialog, specify the ports you want to propagate the status to by moving the ports from the text area on the left to the right.
7. Click OK.
Configuring static routes
The System > Network > Routing tab displays a list of routes and lets you configure static routes and gateways used by the FortiMail unit.
Static routes direct traffic exiting the FortiMail unit. You can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. The router is aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations.
A default route is a special type of static route. A default route matches all packets, and defines a gateway router that can receive and route packets if no other, more specific static route is defined for the packet’s destination IP address.
You should configure at least one static route, a default route, that points to your gateway. However, you may configure multiple static routes if you have multiple gateway routers, each of which should receive packets destined for a different subset of IP addresses.
To determine which route a packet will be subject to, the FortiMail unit compares the packet’s destination IP address to those of the static routes and forwards the packet using the route with the longest prefix match.
For example, if an SMTP server is directly attached to one of the network interfaces, but all other destinations, such as connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default route for the gateway router through which the FortiMail unit connects to the Internet.
To configure static routes
1. Go to System > Network > Routing.
2. Either click New to add a route or double-click a route to modify it.
3. In Destination IP/netmask, enter the destination IP address and netmask of packets that will be subject to this static route.
To create a default route that will match all packets, enter 0.0.0.0/0.0.0.0.
4. Select the interface that this route applies to.
5. In Gateway, type the IP address of the next-hop router to which the FortiMail unit will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
6. Click Create.
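Route selection as described in the section above, and the sanity checks behind steps 3 to 5, as an added example that is not FortiMail's own code: it parses the Destination IP/netmask form the page uses (including the 0.0.0.0/0.0.0.0 default route), chooses the longest prefix match for a destination, verifies that each gateway is reachable from the subnet of the interface it is entered on, and checks that no two interfaces share a subnet (the rule noted under IP/Netmask). The interface addresses and routes are constructed sample data.

```python
# Added example, not FortiMail code. Models the static-route behaviour described on
# this page: longest prefix match, a 0.0.0.0/0.0.0.0 default route, and the
# requirement that a route's gateway be reachable from the chosen interface.
import ipaddress

# Constructed sample data: interface addressing as entered under IP/Netmask, and
# static routes as entered under Destination IP/netmask, Interface and Gateway.
INTERFACES = {
    "port1": "192.0.2.10/255.255.255.0",
    "port2": "10.10.0.5/255.255.0.0",
}

ROUTES = [
    {"destination": "0.0.0.0/0.0.0.0", "interface": "port1", "gateway": "192.0.2.1"},
    {"destination": "10.10.0.0/255.255.0.0", "interface": "port2", "gateway": "10.10.0.1"},
    {"destination": "10.10.20.0/255.255.255.0", "interface": "port2", "gateway": "10.10.0.254"},
]


def to_network(ip_slash_mask):
    """Turn 'a.b.c.d/w.x.y.z' (dotted netmask, as on the page) into an ip_network.
    strict=False lets an interface's host address stand in for its subnet."""
    addr, mask = ip_slash_mask.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_interfaces(interfaces):
    """Return interface name pairs whose subnets overlap; the page says IP addresses
    of different interfaces cannot be on the same subnet."""
    nets = {name: to_network(value) for name, value in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_routes(routes, interfaces):
    """Return indexes of routes whose gateway is not directly reachable from the
    subnet of the interface the route is bound to (or whose interface is unknown)."""
    problems = []
    for idx, route in enumerate(routes):
        iface = interfaces.get(route["interface"])
        if iface is None or ipaddress.ip_address(route["gateway"]) not in to_network(iface):
            problems.append(idx)
    return problems


def select_route(dst_ip, routes):
    """Longest prefix match over the routing table. The 0.0.0.0/0.0.0.0 default route
    has prefix length 0, so it wins only when no more specific route matches."""
    target = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in routes:
        net = to_network(route["destination"])
        if target in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


if __name__ == "__main__":
    print("overlapping interfaces:", check_interfaces(INTERFACES))
    print("bad routes:", check_routes(ROUTES, INTERFACES))
    for dst in ("10.10.20.7", "10.10.3.1", "203.0.113.9"):
        chosen = select_route(dst, ROUTES)
        print(dst, "->", chosen["interface"], "via", chosen["gateway"])
```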
Configuring DNS
FortiMail units require DNS servers for features such as reverse DNS lookups, FortiGuard connectivity, and other aspects of email processing. Your ISP may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.
For improved FortiMail unit performance, use DNS servers on your local network.
Go to System > Network > DNS to configure the DNS servers that the FortiMail unit queries to resolve domain names into IP addresses.
Configuring dynamic DNS
If the FortiMail unit has a static domain name but a dynamic public IP address, you can configure the FortiMail unit to use dynamic DNS (DDNS) to update DNS servers on the Internet when the public IP address for its domain name changes. For information on setting a dynamic public IP address, see DHCP.
To configure dynamic DNS accounts
-
Go to System > Network > DDNS.
-
If you have not yet configured the dynamic DNS account that the FortiMail unit will use when it connects to the DDNS service provider, click New.
GUI item
Description
Select a DDNS service provider to which the FortiMail unit will send DDNS updates.
Enter the user name of your account with the DDNS service provider. The FortiMail unit will provide this to authenticate itself with the service when sending updates.
Enter the password for the DDNS user name.
Enter the interval in hours between each time that the FortiMail unit will query the DDNS service provider’s IP detection page if IP mode is Auto detect.
Caution: Do not exceed the recommended frequency published by your DDNS service provider. Some DDNS service providers consider excessive connections to be abusive, and may ignore further queries from the FortiMail unit.
- Click Create.
- Double-click the row corresponding to the new DDNS account. The Host/Domain Name Setting area is now visible.
- In the Host/Domain Name Setting area, click Create New, or, to modify an existing host/domain name, select its row and click Edit.
- Configure the following:
GUI item
Description
Server
Displays the dynamic DNS service provider of this account.
Status
Enable to update the DDNS service provider when the FortiMail unit’s public IP address changes.
Disable to notify the DDNS service provider that this FQDN should use its offline redirect, if you configured any. If the FortiMail unit’s public IP address changes, it will not notify the DDNS service provider.
Host name
Enter the public fully qualified domain name (FQDN) whose records the DDNS provider should update.
Public DNS records for this domain name are updated by the DDNS service provider when the FortiMail unit sends its current public IP address. As such, it might not be the same as the host name and local domain name that you configured in Host name and Local domain name, which could be valid only for your internal network.
IP mode
Select which of the following ways the FortiMail unit should use to determine its current publicly routable IP address.
- Auto detect: Periodically query the DDNS service provider’s IP address detection web page to see if the FortiMail unit’s public IP address has changed. The IP detection web page returns the apparent source IP address of the query. If this IP address has changed, the FortiMail unit then sends an update request to the DDNS service provider, causing it to update DNS records for the FQDN in Host name.
This option is the most common choice. Also configure the interval of DDNS IP detection queries in Update time.
Note: If this query occurs through a NAT device such as a router or firewall, its apparent source IP address will not be the private network IP address of any of the FortiMail unit’s network interfaces. Instead, it will be the IP address of the NAT device’s externally facing network interface.
For example, a public virtual IP (VIP) on a FortiGate unit in NAT mode might be used to route email from the Internet to a FortiMail unit. DDNS updates are also routed out from the VIP to the DDNS service provider on the Internet. From the DDNS service provider’s perspective, the DDNS update connection appears to come from the VIP, and therefore it updates the DNS records with the IP address of the VIP. The DDNS service provider does not know the private network address of the FortiMail unit.
- Bind interface: Use the current IP address of one of the FortiMail unit’s network interfaces. Choose this option only if the network interface has an IP address that is routable from the Internet, that is, it is not an RFC 1918 private network address.
- Static IP: Use an IP address that you configure. You must manually update the accompanying field if the FortiMail unit’s public IP address changes.
Select one of the following:
- dynamic (this is the default)
- static
- custom
- To verify your DDNS configuration and connectivity, do not query DNS servers: depending on DNS caching, record propagation, and other effects, DNS queries may not be able to determine whether the update actually reached your DDNS service provider.
Instead, log in to your DDNS service provider account and verify whether its host records have been updated. You can also view the FortiMail event log. Log messages such as this indicate DDNS update failure:
DDNS daemon failed on update members.dyndns.org, domain fortimail.example.com, next try at 1251752285
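The IP mode choices and the verification step above can be made concrete with a small model. The following is an added example, not FortiMail's own code: it implements the three ways of determining the public address (including the RFC 1918 check that rules out Bind interface on a private address), an auto-detect cycle that honours the Update time interval and only sends an update when the detected address changes, and a parser for the DDNS failure event log line shown above. All function and class names, and the 203.0.113.x addresses, are assumptions constructed for this illustration.

```python
"""Added example, not FortiMail's own code: a simplified model of the DDNS
IP-mode decision and update cycle, plus a parser for the DDNS failure event
log line. Function and class names are assumptions made for this illustration."""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Callable, Optional

# RFC 1918 private ranges. Bind interface mode only makes sense for an
# address that is routable from the Internet, i.e. outside these ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def determine_public_ip(mode: str, detect: Optional[Callable[[], str]] = None,
                        interface_ip: Optional[str] = None,
                        static_ip: Optional[str] = None) -> str:
    """Return the address the DDNS record should carry for the given IP mode.

    'auto'   : ask the provider's IP detection page (detect()). Behind NAT this
               returns the NAT device's external address, not a FortiMail
               interface address.
    'bind'   : use a FortiMail interface address; rejected if it is RFC 1918.
    'static' : use the address the administrator typed in.
    """
    if mode == "auto":
        return detect()
    if mode == "bind":
        if is_rfc1918(interface_ip):
            raise ValueError(f"{interface_ip} is RFC 1918, not routable from the Internet")
        return interface_ip
    if mode == "static":
        return static_ip
    raise ValueError(f"unknown IP mode {mode!r}")


class DdnsUpdater:
    """Auto-detect cycle: poll no more often than the configured interval
    (Update time) and send an update only when the public address changed."""

    def __init__(self, fqdn: str, interval_hours: float,
                 send_update: Callable[[str, str], None]):
        self.fqdn = fqdn
        self.interval_hours = interval_hours
        self.send_update = send_update
        self.last_poll: Optional[float] = None
        self.last_ip: Optional[str] = None

    def poll(self, now_hours: float, detect: Callable[[], str]) -> bool:
        """Run one cycle at time now_hours; return True if an update was sent."""
        if self.last_poll is not None and now_hours - self.last_poll < self.interval_hours:
            return False  # respect the provider's recommended query frequency
        self.last_poll = now_hours
        current = detect()
        if current == self.last_ip:
            return False  # unchanged: no update request is sent
        self.send_update(self.fqdn, current)
        self.last_ip = current
        return True


# Event log line format shown above; the epoch is the time of the next retry.
FAILURE_RE = re.compile(r"DDNS daemon failed on update (?P<server>\S+), "
                        r"domain (?P<domain>\S+), next try at (?P<epoch>\d+)")


def parse_ddns_failure(line: str) -> Optional[dict]:
    """Extract server, domain and next retry time from a DDNS failure log line."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    return {"server": m.group("server"), "domain": m.group("domain"),
            "next_try": datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)}


if __name__ == "__main__":
    # Constructed scenario: FortiMail sits behind a NAT device whose VIP is
    # 203.0.113.5 (documentation range), so auto detect reports the VIP.
    sent = []
    updater = DdnsUpdater("fortimail.example.com", 1,
                          lambda fqdn, ip: sent.append((fqdn, ip)))
    updater.poll(0, lambda: "203.0.113.5")
    print("updates sent:", sent)
    print(parse_ddns_failure("DDNS daemon failed on update members.dyndns.org, "
                             "domain fortimail.example.com, next try at 1251752285"))
```

The `detect` callable stands in for the provider's IP detection page; feeding it the VIP address reproduces the NAT situation in the note above, where the record ends up pointing at the NAT device rather than at any FortiMail interface. The parser gives you a way to raise an alert from the event log instead of relying on DNS queries, which the text explains are unreliable for verifying an update.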
Configuring port forwarding
Similar to port forwarding on FortiGate or third party routers and firewalls, FortiMail port forwarding allows computers on external networks such as the Internet to connect to a computer on a private local area network (LAN) that is behind the FortiMail unit. Port forwarding can be useful if FortiMail is deployed as a gateway, and you want external users to access an internal server through FortiMail.
For example, FortiMail port1 may be connected to the Internet. Its public IP address is 192.168.37.4. Behind the FortiMail unit, there is a private network: 10.10.10.0/24. Remote users need to access a device on the private network. The device is 10.10.10.42, and it listens on port 8000. To allow this, you configure port forwarding on FortiMail. When computers on the Internet try to communicate with 192.168.37.4 port 7000, FortiMail translates the connection and forwards it to 10.10.10.42 port 8000. Computers on the Internet are unaware of this translation and see one host at the public IP address, rather than the private network behind the FortiMail unit.
To configure port forwarding
- Go to System > Network > Port Forwarding.
- Select New to configure a new forwarding rule or double-click a rule to modify it.
- Configure the following settings:
GUI item
Description
Select which protocols will receive port forwarding: TCP, UDP, or Both.
Enter the IP address where FortiMail will listen for communications to forward.
This is usually the IP address of the receiving network interface on FortiMail. In the previous example, it is 192.168.37.4.
Enter the port number where FortiMail will listen for communications to forward.
In the previous example, it is 7000.
See also Appendix C: Port Numbers.
Enter the IP address of the computer or other device that will receive communications.
In the previous example, it is 10.10.10.42.
Enter the listening port number on the computer or other device that will receive communications.
In the previous example, it is 8000.
- Click Create.
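To show what a forwarding rule does to traffic in both directions, here is an added example that is not FortiMail's own code. It models a rule with the GUI fields above (protocol, listen IP/port, destination IP/port), translates an inbound connection to the internal device, and un-translates the reply so the external client only ever sees the public address, which is the behaviour the example paragraph describes. It does not model FortiMail's real NAT implementation; class names and the 203.0.113.9 client address are assumptions constructed for this illustration.

```python
"""Added example, not FortiMail's own code: a model of one port-forwarding
rule (protocol, listen IP/port, destination IP/port) with the reverse
translation for replies. Names are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class ForwardRule:
    protocol: str      # "TCP", "UDP" or "Both", as in the GUI
    listen: Endpoint   # IP/port FortiMail listens on (public side)
    dest: Endpoint     # internal device that receives the traffic

    def matches(self, protocol: str, dst: Endpoint) -> bool:
        return self.protocol in ("Both", protocol) and dst == self.listen


class PortForwarder:
    """Applies forwarding rules to inbound packets and un-translates replies,
    so external clients only ever see the public listen address."""

    def __init__(self, rules: List[ForwardRule]):
        self.rules = rules
        # (protocol, internal server, external client) -> public listen endpoint
        self.sessions: Dict[Tuple[str, Endpoint, Endpoint], Endpoint] = {}

    def inbound(self, protocol: str, src: Endpoint,
                dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate an inbound packet. Returns (src, new_dst), or None when
        no rule matches and FortiMail handles or drops the packet itself."""
        for rule in self.rules:
            if rule.matches(protocol, dst):
                self.sessions[(protocol, rule.dest, src)] = rule.listen
                return (src, rule.dest)
        return None

    def outbound(self, protocol: str, src: Endpoint,
                 dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite a reply from the internal server so the external client
        sees it coming from the public listen address it connected to."""
        public = self.sessions.get((protocol, src, dst))
        if public is None:
            return None
        return (public, dst)


# The rule from the example paragraph: public 192.168.37.4:7000 -> 10.10.10.42:8000
EXAMPLE_RULES = [ForwardRule("TCP", ("192.168.37.4", 7000), ("10.10.10.42", 8000))]


if __name__ == "__main__":
    fw = PortForwarder(EXAMPLE_RULES)
    client = ("203.0.113.9", 51000)  # constructed external client
    print("inbound :", fw.inbound("TCP", client, ("192.168.37.4", 7000)))
    print("reply   :", fw.outbound("TCP", ("10.10.10.42", 8000), client))
    print("no rule :", fw.inbound("UDP", client, ("192.168.37.4", 7000)))
```

Because the rule is TCP only, the same packet over UDP, or TCP to a different listen port, returns None and is not forwarded; choosing Both would forward both protocols.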
Scanning SMTP traffic redirected from FortiGate
FortiMail and FortiGate support Web Cache Communication Protocol (WCCP) to redirect SMTP traffic from FortiGate to FortiMail. If the FortiGate unit is configured to redirect SMTP traffic to FortiMail for antispam scanning (for details, see the FortiGate documentation), you must configure the FortiMail unit correspondingly to accept the SMTP traffic from FortiGate.
To configure the WCCP communication with FortiGate
- Go to System > Network > FortiGate.
- Configure the following settings:
GUI item
Description
Enabled
Enable WCCP communication with FortiGate. See also Appendix C: Port Numbers.
Tunnel ID
Enter the WCCP tunnel ID assigned by FortiGate.
Local IP
Enter the IP address of the FortiMail interface that communicates with FortiGate.
Remote IP
Enter the IP address of the FortiGate interface that communicates with FortiMail.
Enable if authentication is required on both sides.
Enter the authentication password.