The FortiMail unit is positioned in the DMZ of the firewall appliance. With the FortiMail unit set up this way, the FortiMail is protected by the firewall, and if the FortiMail unit is compromised by attacks, the internal network and email server are not affected.

Figure 8: FortiMail Gateway in DMZ

[Figure: the FortiMail unit placed in the DMZ of the firewall; components labelled Router, Internal, DMZ, External, DNS Server, Email Server, Internet and Switch.]

FortiMail Gateway in the DMZ Configuring gateway mode

Configuring the network settings

Use the following table to gather the information you need to customize the gateway mode settings.

Table 4: Gateway mode settings

Administrator Password:
Port 1 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 2 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 3 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 4 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 5 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 6 IP: _____._____._____._____   Netmask: _____._____._____._____
Network settings
Default Gateway: _____._____._____._____
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.

You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to the DMZ interface of the firewall appliance. The IP address of Port 1 must be on the same subnet as the DMZ network and cannot use the same address as another device or computer on the network.

Assign a static IP address or configure the interface for dynamic IP address assignment using DHCP if the network supports it.

Configuring a static IP address

To configure a network interface with a static IP address

1 Go to System > Network > Interface.

2 Select Modify for Port 1.

3 Select Manual Addressing Mode.

4 Enter the IP address and netmask.

If you changed the IP address of the interface to which you are connecting to manage the FortiMail unit, you must reconnect to the web-based manager using the new IP address.

Configuring an interface for DHCP

You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may provide IP addresses using DHCP.

DHCP is used to obtain IP addresses from a DHCP server, such as the one operated by your ISP. Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet.

When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if required to configure them manually.

To configure an interface for DHCP

1 Go to System > Network > Interface.

2 Select Modify for Port 1.

3 Select DHCP.

4 If required, select Retrieve default gateway and DNS from server to disable this option.

5 Select OK.

Configuring DNS

You need to configure Domain Name System (DNS) server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider.

In simple terms, DNS acts as a phone book for the Internet. A DNS server matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.

To add DNS server IP addresses

1 Go to System > Network > DNS.

2 Enter the primary and secondary DNS server IP addresses.

3 Select Apply.

Configuring routing

Configure routing on the FortiMail unit to define the route that enables the FortiMail unit to contact the DNS server. If you configured your interfaces dynamically using DHCP, the FortiMail unit configures a default route automatically.

The gateway address is the IP address of the firewall interface on the same network as this FortiMail interface.

To configure routing

1 Go to System > Network > Routing.

2 Select Create New to add a new route or select Modify to change the default.

3 Enter the Destination IP address and netmask.

4 Enter the Gateway IP address.

5 Select OK.

Configuring the email system settings

The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings and email access permissions.

Configuring basic email system settings

Configure the FortiMail unit basic email system settings, including host name and domain name.

To configure the basic email system settings

1 Go to Mail Settings > Settings > Local Host.

2 Enter the following information and select Apply:

Host Name: Enter the name for the FortiMail unit.

Local Domain Name: Enter the local domain name. It must be different from the domain name of your email server. The FortiMail unit's Fully Qualified Domain Name (FQDN) is <Host Name>.<Local Domain Name>, for example “mailsvr.company.com”.

SMTP Server Port Number: Enter the SMTP port number. The default and standard SMTP port number is 25.

SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.

SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.

Relay Server Name: Enter a relay server name if your ISP provides a relay email server.

Relay Server Port: Enter the relay server port number if your ISP provides a relay email server.

Configuring MX records to route incoming email

Mail Exchange (MX) Records are used to route email to specific destinations. An MX record is an entry in a domain name database such as a DNS server. If a local DNS server exists, MX Records can be added or changed on the DNS server using one of several user interfaces, depending on the operating system used.

When a user sends an e-mail, the sender’s mail server performs a DNS lookup using the recipient's domain name, for example, “example.com” in the email address “[email protected]”, and acquires the MX Record.

In order to route incoming email through the FortiMail unit for scanning, you need to register a Fully Qualified Domain Name (FQDN), for example, fm.exampledom.com, and a global IP address for the FortiMail unit.

Route incoming email to the FortiMail unit by changing the MX record to point to the FortiMail domain rather than the email server.

For example, using the information from the table below, change the existing MX record currently pointing to the email server to point to the FortiMail unit.

Email server: mail.exampledom.com
Current MX record: IN MX <n> mail.exampledom.com
FortiMail hostname: fm.exampledom.com

Change the existing MX record for mail.exampledom.com to point to the FortiMail unit. For example:

IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

The A record

The second line in the above example is

fm.exampledom.com IN A 172.16.15.2

This is an address record, commonly called an A record. It is a type of DNS entry that assigns an IP address to a domain name.

Before e-mail is sent out, the MX and A records for the recipient are looked up in the DNS server by the sender's mail server. Then, using the A record entry, the email is sent to the recipient at the corresponding domain name’s IP address.

Adding a domain

You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed.

The local domain name is used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A subdomain of the protected domain is recommended for the local domain because it saves a separate domain registration.

To add a domain

1 Go to Mail Settings > Domains.

2 Select Create New.

3 Enter the domain name including the suffix. For example, company.com.

4 Enter the IP address or name of the SMTP Server and the port number if different from the default 25.

Entering the email server IP address or server name tells the FortiMail gateway where the email server is so that it can route mail to it.

5 Select OK.
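As an added example that is not part of the original guide, the following Python models the lookup sequence described under “Configuring MX records to route incoming email” (MX first, then the A record of the chosen host), the effect of repointing the MX record at the FortiMail unit, and the protected-domain routing configured under “Adding a domain”; it also includes a check that no MX host still lets senders deliver past the gateway. The zone data is constructed: only fm.exampledom.com and 172.16.15.2 come from the page, and 10.0.0.25 is a placeholder for the email server.

```python
"""Added example (not Fortinet code): MX-then-A lookup, MX repointing, and
protected-domain routing for a FortiMail gateway in the DMZ. Zone data is
constructed; 10.0.0.25 is a placeholder for the email server's address."""

# Constructed zone data: name -> {record type: values}. MX values are (preference, host).
ZONE_BEFORE = {
    "exampledom.com": {"MX": [(10, "mail.exampledom.com")]},
    "mail.exampledom.com": {"A": ["10.0.0.25"]},  # placeholder email server address
    "fm.exampledom.com": {"A": ["172.16.15.2"]},  # FortiMail global address (from the page)
}
# The same zone after the MX record is changed to point at the FortiMail unit.
ZONE_AFTER = {
    "exampledom.com": {"MX": [(10, "fm.exampledom.com")]},
    "mail.exampledom.com": {"A": ["10.0.0.25"]},
    "fm.exampledom.com": {"A": ["172.16.15.2"]},
}

def resolve_delivery_ip(zone, recipient):
    """Do what the sender's mail server does: look up the MX records for the
    recipient's domain, take the most preferred host, then look up its A record."""
    domain = recipient.rsplit("@", 1)[1].lower()
    mx_records = sorted(zone.get(domain, {}).get("MX", []))
    if not mx_records:
        return None
    _, host = mx_records[0]
    addresses = zone.get(host.lower(), {}).get("A", [])
    return addresses[0] if addresses else None

def mx_hosts_bypassing_gateway(zone, domain, gateway_fqdn):
    """Defender check: any MX host that is not the FortiMail FQDN lets senders
    deliver straight to the email server without scanning."""
    return [host for _, host in zone[domain]["MX"] if host.lower() != gateway_fqdn.lower()]

# Protected domains as configured under Mail Settings > Domains: domain -> (SMTP server, port).
PROTECTED_DOMAINS = {"exampledom.com": ("mail.exampledom.com", 25)}

def gateway_next_hop(recipient, protected=PROTECTED_DOMAINS):
    """After scanning, the gateway relays mail to the protected domain's email server.
    Recipients outside any protected domain return None here."""
    return protected.get(recipient.rsplit("@", 1)[1].lower())
```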

Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:

• accounting.company.com

• dev.company.com

Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.

To create a local domain

1 Go to Mail Settings > Domains.

2 Select Create New.

3 Enter the local domain name.

4 Enter the domain name including the suffix. For example, company.com.

5 Enter the IP address of the SMTP Server and the port number if different from the default 25.

Entering the email server IP address tells the FortiMail gateway where the email server is so that it can route mail to it.

6 Select Is Subdomain.

7 Select the main domain the local domain is a part of.

8 Select OK.

Note: Deleting a domain also deletes all email users in that domain.

Configuring the firewall

With the FortiMail unit in the DMZ of the FortiGate firewall, you must configure policies to ensure that incoming SMTP traffic scanned by the FortiMail unit goes to the email server, and that email sent by internal users via the email server passes through the firewall for scanning by the FortiMail unit before it is sent to the Internet.

Note: The following steps use a FortiGate firewall device. If you are using an alternate firewall appliance, consult the appliance’s documentation for completing similar configurations.

Configuring the FortiMail policy

Create a firewall policy that permits all SMTP traffic on port 25 to pass from the FortiMail unit through the firewall to the email server.

First, you must create address entries for the FortiMail unit and the email server.

To create an address for the FortiMail unit, on the FortiGate unit

1 Go to Firewall > Address.

2 Select Create New.

3 Complete the following and select OK:

Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select the DMZ interface on the FortiGate unit.

To create an address for the email server, on the FortiGate unit

1 Go to Firewall > Address.

2 Select Create New.

3 Complete the following and select OK:

Name: Enter the name of the email server.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the email server.
Interface: Select the interface of the FortiGate unit connected to the internal network.

Next, create the incoming email firewall policies. Two policies are required for the incoming mail: one to route the email from the external interface of the FortiGate unit to the DMZ interface where the FortiMail unit is, and a second that enables email scanned by the FortiMail unit to go from the DMZ interface to the internal interface on the network.

To configure the incoming policy from the external interface to the DMZ interface, on the FortiGate unit

1 Go to Firewall > Policy.

2 Select Create New.

3 Complete the following and select OK:

Source Interface/zone: Select the external interface connected to the Internet.
Source Address Name: Select the external address for the Internet.
Destination Interface/zone: Select the DMZ interface connected to the network.
Destination Address Name: Select FortiMail from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.

To configure the incoming policy from the DMZ interface to the internal interface, on the FortiGate unit

1 Go to Firewall > Policy.

2 Select Create New.

3 Complete the following and select OK:

Source Interface/zone: Select the DMZ interface connected to the FortiMail unit.
Source Address Name: Select the FortiMail address from the list.
Destination Interface/zone: Select the internal interface connected to the network.
Destination Address Name: Select the email server from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.

Configure the user send policy

You also need to add a firewall policy for end users to send email to the FortiMail unit for scanning before sending an email message over the Internet. Two policies are required for the outgoing mail: one to route the email from the internal interface of the FortiGate unit to the DMZ interface where the FortiMail unit is, and a second that enables email scanned by the FortiMail unit to go from the DMZ interface to the external interface and out to the Internet.

To configure the outgoing policy from the internal interface to the DMZ interface, on the FortiGate unit

1 Go to Firewall > Policy.

2 Select Create New.

3 Complete the following and select OK:

Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL so that all users can send email messages through the policy.
Destination Interface/zone: Select the DMZ interface connected to the FortiMail unit.
Destination Address Name: Select the FortiMail unit from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.

To configure the outgoing policy from the DMZ interface to the external interface, on the FortiGate unit

1 Go to Firewall > Policy.

2 Select Create New.

3 Complete the following and select OK:

Source Interface/zone: Select the DMZ interface connected to the network.
Source Address Name: Select the FortiMail unit from the list.
Destination Interface/zone: Select the external interface connected to the FortiMail unit.
Destination Address Name: Select the external address for the Internet.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.

Routing outgoing email to the FortiMail Gateway

The firewall and FortiMail unit are now configured to receive incoming email, scan it, and send it to the recipient as required. You must also configure the email clients so that the client software sends outgoing email to the FortiMail unit for scanning, whether it is destined for an internal user or a user on the Internet.

To configure an email client to send email to the FortiMail unit, in the email client, configure the outgoing mail server (SMTP) to be the FortiMail unit.

Next Steps

The configuration is now complete. Using your email client software, try sending email using the test user to verify that the FortiMail server can send and receive email.

If you are having difficulties, review the steps and the values entered to ensure they are correct.

See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
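As an added example that is not Fortinet code or FortiGate configuration, the following Python models the two address objects and the four SMTP policies described under “Configuring the firewall” and evaluates which SMTP flows they admit, including the check a reviewer of the policy set would want: no SMTP path crosses the firewall without passing through the FortiMail unit. Interface names, the email server address 10.0.0.25 and the Internet-side addresses are constructed; 172.16.15.2 for the FortiMail unit comes from the page.

```python
"""Added example (not Fortinet code or FortiGate CLI): a model of the FortiGate
address objects and the four SMTP policies for a FortiMail gateway in the DMZ.
Interface names and all addresses except 172.16.15.2 are constructed."""
import ipaddress

# Address objects created under Firewall > Address (constructed values).
ADDRESSES = {
    "FortiMail": ipaddress.ip_network("172.16.15.2/32"),
    "EmailServer": ipaddress.ip_network("10.0.0.25/32"),  # placeholder
    "all": ipaddress.ip_network("0.0.0.0/0"),  # stands in for ALL / the external address
}

# Policies in evaluation order: (name, source interface, source address,
# destination interface, destination address, service port). Action is ACCEPT for
# all four; a flow that matches no policy falls to the firewall's implicit deny.
POLICIES = [
    ("incoming_external_to_dmz", "external", "all", "dmz", "FortiMail", 25),
    ("incoming_dmz_to_internal", "dmz", "FortiMail", "internal", "EmailServer", 25),
    ("outgoing_internal_to_dmz", "internal", "all", "dmz", "FortiMail", 25),
    ("outgoing_dmz_to_external", "dmz", "FortiMail", "external", "all", 25),
]

def match_policy(src_intf, src_ip, dst_intf, dst_ip, dport):
    """Return the name of the first policy that accepts the flow, or None (denied)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, s_intf, s_addr, d_intf, d_addr, port in POLICIES:
        if ((s_intf, d_intf, port) == (src_intf, dst_intf, dport)
                and src in ADDRESSES[s_addr] and dst in ADDRESSES[d_addr]):
            return name
    return None

def smtp_bypasses_gateway(src_intf, src_ip, dst_intf, dst_ip):
    """Defender check: True if SMTP is accepted between two endpoints of which
    neither is the FortiMail unit, i.e. mail could cross the firewall unscanned."""
    gateway = ADDRESSES["FortiMail"]
    touches_gateway = (ipaddress.ip_address(src_ip) in gateway
                       or ipaddress.ip_address(dst_ip) in gateway)
    return match_policy(src_intf, src_ip, dst_intf, dst_ip, 25) is not None and not touches_gateway

def check_policy_set():
    """Return the direct Internet<->email-server SMTP paths the policy set leaves open
    (constructed endpoint addresses); an empty list means scanning cannot be skipped."""
    paths = [("external", "203.0.113.7", "internal", "10.0.0.25"),
             ("internal", "10.0.0.50", "external", "198.51.100.9")]
    return [p for p in paths if smtp_bypasses_gateway(*p)]
```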