FortiMail Gateway in front of a firewall
The FortiMail unit is positioned in front of the firewall. With the FortiMail unit set up this way, if the FortiMail gateway is compromised by attacks, the email server and the internal network are not affected. The FortiMail unit however is not protected by the firewall.
Figure 7: FortiMail Gateway in front of firewall (figure labels: Router, Firewall, DNS Server, Email Server, Internet, Switch, Internal, External)
Configuring the network settings
Use the following table to gather the information you need to customize the gateway mode settings.
Table 3: Gateway mode settings
Administrator Password: __________
Port 1 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 2 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 3 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 4 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 5 IP: _____._____._____._____   Netmask: _____._____._____._____
Port 6 IP: _____._____._____._____   Netmask: _____._____._____._____
Configuring gateway mode FortiMail Gateway in front of a firewall
You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to your internal network hub or switch. The IP address of Port 1 must be on the same subnet as the network and cannot use the same address as another device or computer on the network.
Configuring a static IP address
To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface to which you are connecting to manage the FortiMail unit, you must reconnect to the web-based manager using the new IP address.
Configuring an interface for DHCP
You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may provide IP addresses using this protocol.
DHCP is used to obtain IP addresses from a DHCP server, such as one operated by your ISP. Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if required to configure them manually.
To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select DHCP.
4 If required, select Retrieve default gateway and DNS from server to disable this option.
5 Select OK.

Network settings
Default Gateway: _____._____._____._____
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches domain names with computer IP addresses. This enables you to use readable names, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.
To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the FortiMail unit to contact the DNS server. If you configured your interfaces dynamically using DHCP, the FortiMail unit configures a default route automatically.
The gateway address for the route is on the same network as port 1.
You need to configure additional routes if any of your email servers are on a different subnet. The gateway you specify is the address of the next hop router that connects to the required network.
To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route or select Modify to change the default.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.
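The following Python script is an added example and is not part of the FortiMail guide. It checks a filled-in copy of Table 3 against the rules stated above: Port 1 must be on the LAN subnet and must not reuse another device's address, and the default gateway and the gateway of every additional route must be a next-hop router on the Port 1 subnet. All worksheet values are constructed sample data (private and documentation address ranges); the known_hosts list stands in for the addresses already in use on the segment.

```python
import copy
import ipaddress

# Constructed worksheet values for Table 3 (sample data, not from the guide).
SAMPLE_SETTINGS = {
    "port1": {"ip": "192.168.1.99", "netmask": "255.255.255.0"},
    "default_gateway": "192.168.1.1",
    "dns_servers": ["192.168.1.10", "203.0.113.53"],
    # Additional routes for email servers that sit on other subnets
    "static_routes": [
        {"destination": "10.20.0.0", "netmask": "255.255.0.0", "gateway": "192.168.1.254"},
    ],
    # Addresses already used by other devices on the Port 1 segment (assumed inventory)
    "known_hosts": ["192.168.1.1", "192.168.1.10", "192.168.1.254"],
}


def check_settings(settings):
    """Return a list of problems with the worksheet; an empty list means it is consistent."""
    problems = []
    p1 = settings["port1"]
    try:
        iface = ipaddress.ip_interface(f"{p1['ip']}/{p1['netmask']}")
    except ValueError as exc:
        return [f"port1: invalid IP/netmask: {exc}"]
    subnet = iface.network

    # Port 1 must be a usable host address and must not collide with another device
    if subnet.prefixlen < 31 and iface.ip in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"port1: {iface.ip} is the network or broadcast address of {subnet}")
    known = {ipaddress.ip_address(h) for h in settings["known_hosts"]}
    if iface.ip in known:
        problems.append(f"port1: {iface.ip} is already used by another device")

    # The default gateway must be a directly reachable next hop on the Port 1 subnet
    try:
        gw = ipaddress.ip_address(settings["default_gateway"])
        if gw not in subnet:
            problems.append(f"default gateway {gw} is not on the port1 subnet {subnet}")
        elif gw == iface.ip:
            problems.append("default gateway must not be port1's own address")
    except ValueError as exc:
        problems.append(f"default gateway: invalid address: {exc}")

    for server in settings["dns_servers"]:
        try:
            ipaddress.ip_address(server)
        except ValueError as exc:
            problems.append(f"DNS server: invalid address: {exc}")

    # Each additional route's gateway must also be a next-hop router on the Port 1 subnet
    for route in settings["static_routes"]:
        try:
            dest = ipaddress.ip_network(f"{route['destination']}/{route['netmask']}", strict=False)
            hop = ipaddress.ip_address(route["gateway"])
        except ValueError as exc:
            problems.append(f"route: invalid entry {route}: {exc}")
            continue
        if hop not in subnet:
            problems.append(f"route to {dest}: gateway {hop} is not on the port1 subnet {subnet}")
        if dest.overlaps(subnet):
            problems.append(f"route to {dest} overlaps the directly connected port1 subnet")
    return problems


def with_change(settings, **overrides):
    """Return a deep copy of the worksheet with top-level keys replaced (for what-if checks)."""
    changed = copy.deepcopy(settings)
    changed.update(overrides)
    return changed


if __name__ == "__main__":
    for line in check_settings(SAMPLE_SETTINGS) or ["worksheet is consistent"]:
        print(line)
    print(check_settings(with_change(SAMPLE_SETTINGS, default_gateway="192.168.2.1")))
```

Run the script before touching the unit: an off-subnet gateway or a duplicate Port 1 address is reported as text, which is cheaper to find here than by losing the web-based manager after step 5.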
Configuring the email system settings
The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings and email access permissions.
Configuring basic email system settings
Configure the FortiMail unit basic email system settings, including host name and domain name.
To configure the email system settings
1 Go to Mail Settings > Settings > Local Host.

Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the domain name of your email server. The FortiMail unit's Fully Qualified Domain Name (FQDN) is <Host Name>.<Local Domain Name>. For example, "mailsvr.company.com".
SMTP Server Port Number: Enter the SMTP port number. The default and standard SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email server.
Relay Server Port: Enter the relay server port number if your ISP provides a relay email server.

Configuring MX records to route incoming email
Mail Exchange (MX) records are used to route email to specific destinations. An MX record is an entry in a domain name database such as a DNS server. If a local DNS server exists, MX records can be added or changed on the DNS server using one of several user interfaces, depending on the operating system used.
When a user sends an email, the sender's mail server performs a DNS lookup using the recipient's domain name, for example, "example.com" in the email address "<user>@example.com", and acquires the MX record.
The MX record contains the domain and host names. The sending mail server uses this information to send the email to the recipient's mail server.
In order to route incoming email through the FortiMail unit for scanning, you need to register a Fully Qualified Domain Name (FQDN), for example, fm.exampledom.com, and a global IP address for the FortiMail unit.
Route incoming email to the FortiMail unit by changing the MX record to point to the FortiMail domain rather than the email server.
For example, using the information from the table below, change the existing MX record currently pointing to the email server to point to the FortiMail unit.

Email server: mail.exampledom.com
Current MX record: IN MX <n> mail.exampledom.com
FortiMail hostname: fm.exampledom.com

Change the existing MX record for mail.exampledom.com to point to the FortiMail unit. For example:

IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

The A record
The second line in the above example is
fm.exampledom.com IN A 172.16.15.2
This is an address record, commonly called an A record. It is a type of DNS entry that assigns an IP address to a domain name.
Before email is sent out, the MX and A records for the recipient are looked up in the DNS server by the sender's mail server. Then, using the A record entry, the email is sent to the recipient using the corresponding domain name's IP address.
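The following Python script is an added example and is not part of the FortiMail guide. It parses a small zone fragment and checks the MX cutover described above: the domain's MX must point at the FortiMail FQDN, the FQDN must have an A record (not a CNAME) carrying the unit's global IP address, and no other host may remain listed as an MX, because any such host keeps receiving mail that has not passed through the unit. The host fm.exampledom.com and the address 172.16.15.2 are the guide's own example values; the MX preference 10 and the email server address 172.16.15.10 are constructed placeholders for the "<n>" and the address the guide does not give.

```python
from collections import defaultdict

# Constructed zone fragments for exampledom.com (sample data, not from the guide).
# fm.exampledom.com and 172.16.15.2 are the guide's example values; the MX
# preference 10 and the email server address 172.16.15.10 are placeholders.
ZONE_BEFORE = """
; MX still points at the email server, so inbound mail bypasses the gateway
exampledom.com.      IN MX 10 mail.exampledom.com.
mail.exampledom.com. IN A  172.16.15.10
"""

ZONE_AFTER = """
; MX points at the FortiMail unit, which has its own A record
exampledom.com.      IN MX 10 fm.exampledom.com.
fm.exampledom.com.   IN A  172.16.15.2
mail.exampledom.com. IN A  172.16.15.10
"""


def _name(label):
    """Normalise a DNS name: case-insensitive, trailing dot ignored."""
    return label.lower().rstrip(".")


def parse_zone(text):
    """Parse 'owner IN TYPE [preference] target' lines into {(owner, type): [values]}.
    MX values are (preference, target) tuples; other types keep the bare target."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {raw!r}")
        owner, rtype = _name(parts[0]), parts[2].upper()
        if rtype == "MX":
            if len(parts) != 5:
                raise ValueError(f"malformed MX record: {raw!r}")
            records[(owner, "MX")].append((int(parts[3]), _name(parts[4])))
        else:
            records[(owner, rtype)].append(_name(parts[3]) if rtype == "CNAME" else parts[3])
    return records


def check_mx_cutover(zone_text, domain, gateway_fqdn, gateway_ip):
    """Return problems that keep inbound mail from reaching the gateway; [] if the cutover is clean."""
    zone = parse_zone(zone_text)
    domain, gateway_fqdn = _name(domain), _name(gateway_fqdn)
    problems = []
    mx = zone.get((domain, "MX"), [])
    if not mx:
        return [f"no MX record for {domain}"]
    targets = {target for _, target in mx}
    if gateway_fqdn not in targets:
        problems.append(f"MX for {domain} does not point at {gateway_fqdn}: {sorted(targets)}")
    # Any other MX target (even a low-priority backup) still receives unscanned mail
    others = sorted(targets - {gateway_fqdn})
    if others:
        problems.append(f"mail can still be delivered directly to {others}, bypassing the gateway")
    for _, target in mx:
        # An MX target must resolve via an A record; a CNAME is not a valid MX target
        if (target, "CNAME") in zone:
            problems.append(f"MX target {target} is a CNAME")
        addrs = zone.get((target, "A"), [])
        if not addrs:
            problems.append(f"MX target {target} has no A record")
        elif target == gateway_fqdn and gateway_ip not in addrs:
            problems.append(f"{gateway_fqdn} resolves to {addrs}, expected {gateway_ip}")
    return problems


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        result = check_mx_cutover(zone, "exampledom.com", "fm.exampledom.com", "172.16.15.2")
        print(label, result or "OK")
```

The parser understands only the one-record-per-line "owner IN TYPE target" form used in the guide's example; a real zone file with $ORIGIN, $TTL or multi-line records would need a full zone parser. The check is nevertheless the one worth repeating after every DNS change: a leftover MX for the old email server silently reopens a path around the unit.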
Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A subdomain of the protected domain is recommended for the local domain because it avoids registering a separate domain.
To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Enter the IP address or name of the SMTP Server and port number if different than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway where the email server is, so that it can route mail to it.
5 Select OK.
Creating local domains
Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:
• accounting.company.com
• dev.company.com
Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.
To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Enter the domain name including the suffix. For example, company.com.
5 Enter the IP address of the SMTP Server and port number if different than the default 25.
6 Select Is Subdomain.
7 Select the main domain the local domain is a part of.
8 Select OK.
Configuring the firewall
With the FortiMail unit in front of the FortiGate firewall, you must configure policies to ensure that incoming SMTP traffic scanned by the FortiMail unit goes to the email server. You also need a policy so that email sent by internal users passes through the firewall for scanning by the FortiMail unit before sending to the Internet.