Administration Guide

MTA adapter

The Mail-Transfer-Agent (MTA) adapter feature allows email servers such as Sendmail to relay emails to FortiSandbox over SMTP.

The adapter requires a subscription license which is automatically downloaded through FortiGuard. The subscription has a limited per-mailbox seat count. Each email address of the monitored domain is counted as a seat. When the mailbox seat count limit is reached, the system logs a warning message on the event log and GUI. An additional 10% is allowed.

FortiSandbox extracts files and URLs from the email being relayed. All email addresses in the To, CC, and BCC fields that match the configured email domains are counted and tracked. An email is relayed and not scanned if it meets the following criteria:

  • There is no valid MTA subscription license.
  • The FortiSandbox disk usage exceeds the defined percentage.

If quarantine is disabled and an email scan result is suspicious or malicious, a tag is prepended to the original email subject line and the email is relayed to the recipient email address. The tag is configurable on the MTA configuration page. Otherwise, the email is relayed without change. You cannot delete the email address.

If quarantine is enabled and an email scan result is suspicious or malicious and matches the defined quarantine rating level, the email is quarantined and the recipient will not receive the email. If you have enabled Send alert email to receivers when email is quarantined, the recipient will receive an alert email stating that an email is quarantined. The quarantined emails are saved in FortiSandbox until you release or delete them (see Processing quarantined emails).
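When quarantine is disabled, the subject tag is the only verdict signal this page describes reaching the next hop. The following is an added example, not Fortinet code, of a next-hop check that matches the tag on the decoded subject; the tag text and sample messages are constructed assumptions. A missing tag does not prove the mail was scanned, because the page lists conditions under which mail is relayed unscanned.

```python
from email import message_from_bytes, policy

# Assumption: must equal the text configured in
# "Tag For Suspicious/Malicious Mails" on the MTA adapter page.
SANDBOX_TAG = "[SANDBOX-SUSPICIOUS]"

# Constructed sample messages (not captured traffic).
PLAIN = b"From: a@example.com\r\nSubject: [SANDBOX-SUSPICIOUS] Invoice\r\n\r\nbody\r\n"
# Same kind of subject, but carried as an RFC 2047 Q-encoded word.
ENCODED = (b"From: a@example.com\r\n"
           b"Subject: =?utf-8?q?=5BSANDBOX-SUSPICIOUS=5D_Rechnung_M=C3=A4rz?=\r\n"
           b"\r\nbody\r\n")
# Tag on the first line of a folded header.
FOLDED = b"Subject: [sandbox-suspicious]\r\n quarterly report\r\n\r\nbody\r\n"
CLEAN = b"From: a@example.com\r\nSubject: Lunch on Friday\r\n\r\nbody\r\n"


def subject_of(raw: bytes) -> str:
    """Return the Subject with encoded-words decoded and folding removed."""
    msg = message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047; split/join normalises whitespace.
    return " ".join(str(msg.get("Subject", "")).split())


def next_hop_action(raw: bytes, tag: str = SANDBOX_TAG) -> str:
    """Return 'hold' when the decoded subject starts with the tag, else 'deliver'."""
    if not tag.strip():
        # An empty tag would match every message and hold all mail.
        raise ValueError("tag must not be empty")
    subject = subject_of(raw)
    # Prefix match, because the page says the tag is prefixed to the subject.
    return "hold" if subject.casefold().startswith(tag.casefold()) else "deliver"


def triage(samples: dict) -> dict:
    """Map each sample name to the action the next hop would take."""
    return {name: next_hop_action(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    results = triage({"plain": PLAIN, "encoded": ENCODED,
                      "folded": FOLDED, "clean": CLEAN})
    for name, action in results.items():
        print(f"{name:8s} -> {action}")
```

A byte-level search for the tag in the raw message misses the encoded sample, which is why the check decodes the header first.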

To configure the MTA adapter:
  1. Go to Security Fabric > Adapter.
  2. Select the MTA adapter and click Edit.
  3. Enable the adapter.

  4. Configure the following settings and then click Apply.

    URL number to extract from email body

    Maximum number of URLs to be extracted from one email body.

    Tag For Suspicious/Malicious Mails

    If the email scan result is malicious or suspicious, this text is prefixed to the email subject line. The next hop email server can act accordingly.

    Email Scan Timeout (Minutes)

    Maximum time FortiSandbox waits for a scan result. If there is no result after the timeout, the email is released to the recipient.

    Message Size Limit (mb)

    Maximum size of an email accepted for scanning.

    Disk Usage Upper Limit(%)

    Maximum percentage of disk space used before the MTA stops scanning emails and only routes them.

    Relay Emails for Domain Names

    Domain names for which this FortiSandbox relays emails. When FortiSandbox receives these emails and finishes scanning them, it relays them if they are clean, or quarantines them if they are malicious.

    Note

    If you change or remove a domain, emails submitted to that domain that have not yet been relayed will be lost.

    Next Hop Mail Server Name

    IP address or domain name of the email server to which relayed emails are sent.

    Local Interface

    Select the local interface.

    Local SMTP Port

    Specify the local SMTP port.

    Quarantine emails whose content has the following ratings

    Select the ratings of emails to quarantine.

    Send alert email to receivers when email is quarantined

    When an email is quarantined, send an alert email as configured.

    Email Sender

    The From field of the alert email.

    Email Subject

    Subject line of the alert email.

    Email Content Template

    Text in the alert email body.

Processing quarantined emails

To release or delete quarantined emails:
  1. Go to Security Fabric > Adapter.

    If there are quarantined emails, the number of quarantined emails is displayed beside the MTA adapter name.

  2. Click the Quarantined link to display the list of quarantined emails.

    • To view job details, click the View Details icon.
    • To download the job files as a zip file, click the Download Email File icon.
    • To preview the original email, click the Preview Email icon.
    • To release quarantined emails to the recipient, select the emails and click the Release Email icon.
    • To delete quarantined emails, select the emails and click the Delete Email icon.

Using MTA in HA-Cluster

In HA-Cluster, the MTA adapter is only available in the primary node.

Configuration is the same as on a standalone device. When the primary node receives MTA jobs, depending on workload and VM association, it distributes the jobs to itself or worker nodes.

Note

In a cluster, configure the Local Interface to the interface of the cluster IP address so that the secondary can take over the configuration in a failover.

  • To view jobs in a cluster, go to HA-Cluster > Job Summary.
  • To view logs in the primary node, go to Log & Report > Events > Job Events.
  • To view logs in a worker node, go to Log & Report > Events > All Events.
