
Deploying to protect an email hub

In this configuration, the email servers (Domain “A” and Domain “B”) in each WAN location are required to send email externally through the head office email server only. The head office mail server encrypts the outgoing email. The firewall will only pass SMTP traffic from the headquarters email server.

This configuration requires a modification of the default operation of the FortiMail unit. By default, the FortiMail unit acts as an SMTP server to relay email, even if the email client names a domain email server as its SMTP server. With this configuration, the domain mail servers send email to the hub email server for encryption. The FortiMail unit must be configured to pass the encrypted email messages.

Figure 10: FortiMail unit deployed to protect an email hub

This section includes the following topics:

• Configuring the network settings
• Configuring the email system settings
• Configuring proxies

Configuring the network settings

Use Table 6 on page 60 to gather the information you need to customize transparent mode settings.

Table 6: Transparent mode settings

Administrator Password:

Management IP
IP: _____._____._____._____
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____

The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.

Configuring transparent mode Deploying to protect an email hub

Configuring the management IP

In transparent mode, the FortiMail unit has a management IP address for administrative access. The FortiMail unit also uses this IP address to connect to the FortiGuard Distribution Network for virus definition updates. Configure the management IP.

To configure the management interface

1 Connect to the web-based manager using the default address, https://192.168.1.99/admin.

2 Go to System > Network > Management IP.

3 Enter the new management IP address and netmask.

4 Select Apply.

Reconnect to the web-based manager using the new management IP address.

Configuring DNS

You need to configure DNS server addresses so that FortiMail can send and receive email. DNS server IP addresses are typically provided by your internet service provider.

A DNS server maps domain names to computer IP addresses. This enables you to use readable locations, such as fortinet.com. To deliver an email message, the DNS server translates this name to the IP address of a mail exchange server. In simple terms, it acts as a phone book for the Internet.

To add DNS server IP addresses

1 Go to System > Network > DNS.

2 Enter the primary and secondary DNS server IP addresses.

3 Select Apply.

Configuring routing

At a minimum, you need to define a route that enables the FortiMail unit to contact the DNS server. You need to configure additional routes if any of your email servers are on a different network than the FortiMail unit and the DNS server. The gateway you specify is the address of the next hop router that connects to the required network.

To configure FortiMail unit routing

1 Go to System > Network > Routing.

2 Select Create New.

3 Enter the Destination IP, Netmask and Gateway.

4 Select OK.
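
An added example (not part of the original guide and not Fortinet tooling): a Python check of the worksheet values from Table 6 against the routing rule above, run before the values are entered in the web-based manager. The function name, the sample addresses and the rule that every next hop must sit on the management subnet are assumptions of this example.

```python
import ipaddress

def check_network_plan(mgmt_ip, netmask, default_gw, dns_servers, static_routes=()):
    """Return a list of problems in a transparent-mode network worksheet.

    static_routes holds (destination_ip, netmask, gateway) tuples, the three
    fields entered for each route under System > Network > Routing.
    """
    problems = []
    mgmt = ipaddress.ip_interface(f"{mgmt_ip}/{netmask}")
    net = mgmt.network

    # The management address must be a usable host address on its subnet.
    if net.prefixlen < 31 and mgmt.ip in (net.network_address, net.broadcast_address):
        problems.append(f"management IP {mgmt.ip} is the network or broadcast address of {net}")

    # Collect the routing table: default gateway first, then static routes.
    routes = []
    if default_gw:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default_gw)))
    for dest, mask, gw in static_routes:
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                       ipaddress.ip_address(gw)))

    # A next hop is only usable if it sits on the management subnet.
    for dest, gw in routes:
        if gw not in net or gw == mgmt.ip:
            problems.append(f"gateway {gw} for {dest} is not a neighbour on {net}")

    # Each DNS server must be on-link or covered by at least one route.
    for dns in map(ipaddress.ip_address, dns_servers):
        if dns not in net and not any(dns in dest for dest, _ in routes):
            problems.append(f"no route to DNS server {dns}")
    return problems

if __name__ == "__main__":
    # Constructed worksheet values; 192.168.1.99 is the default address from the guide.
    plan = dict(mgmt_ip="192.168.1.99", netmask="255.255.255.0", default_gw=None,
                dns_servers=["203.0.113.53"],
                static_routes=[("10.20.0.0", "255.255.0.0", "192.168.2.1")])
    for problem in check_network_plan(**plan):
        print("FIX:", problem)
```

An empty list means the management address, gateways and DNS servers are consistent with each other; a malformed address or netmask raises ValueError.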

Configuring the email system settings

The FortiMail unit can scan email for viruses and spam as it travels to and from the email server. You need to configure basic email system settings and email access permissions so that the email messages pass through the FortiMail unit.


Configuring basic email system settings

Configure the basic email system settings, including the host name and domain name, so that email is routed correctly.

To configure the basic email system settings

1 Go to Mail Settings > Settings > Local Host.

2 Enter the following information and select Apply:

Host Name: Enter the name for the FortiMail unit.

Local Domain Name: Enter the local domain name. It must be different from the domain name of the hub email server. The FortiMail unit's FQDN is <Host Name>.<Local Domain Name>.

Relay Server Name: Enter a relay server name if your ISP provides a relay email server.

SMTP Server Port Number: Enter the SMTP port number. The default SMTP port number is 25.

SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.

SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.

Adding a domain

You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed.

It is good form to configure a local domain name that is different from the domain name of your back end mail server. The local domain name will be used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A subdomain of the protected domain is recommended for the local domain because of the domain registration savings.

To add a domain

1 Go to Mail Settings > Domains.

2 Select Create New.

3 Enter the domain name including the suffix. For example, company.com.

4 Enter the IP address or name of the SMTP Server and port number if different than the default 25.

The email server IP address or server name tells the FortiMail gateway where the email server is, so that it can route mail to it.

5 Select OK.

Creating local domains

Add multiple local email domains on the FortiMail unit if required for different


Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.

To create a local domain

1 Go to Mail Settings > Domains.

2 Select Create New.

3 Enter the local domain name.

4 Enter the domain name including the suffix. For example, company.com.

5 Enter the IP address of the SMTP Server and port number if different than the default 25.

The email server IP address tells the FortiMail gateway where the email server is, so that it can route mail to it.

6 Select Is Subdomain.

7 Select the main domain the local domain is a part of.

8 Select OK.

The FortiMail unit must relay all email, both outgoing and incoming, through the head office email hub. You must ensure that the FortiMail unit passes the email to the correct domain email server.

After configuring the domain, edit the domain information to configure additional settings that make the FortiMail unit transparent to the email servers.

To configure the transparent options

1 Go to Mail Settings > Domains.

2 Select the Edit icon for the email domain.

3 Go to the Transparent Mode Options section, configure the following settings and select OK: