Next Steps
The configuration is now complete. Using your email client software, try sending email using the test user to verify that the FortiMail server can send and receive email.
If you are having difficulties, review the steps and the values entered to ensure they are correct.
See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
FortiMail Server in front of a firewall
The FortiMail unit is positioned in front of the firewall. The benefit of this setup is that if the Server is compromised by attacks, your internal network is not jeopardized. However, the Server is not protected by the firewall.
Figure 12: FortiMail Server in front of firewall (diagram labels: Router, Firewall, DNS Server, To Internal Network, Internet, Switch, Internal, External)
Configuring the network settings
Use the following table to gather the information you need to customize the server mode settings.
Table 8: Gateway mode settings
Administrator Password:
Port 1 IP: _____._____._____._____ Netmask: _____._____._____._____
Port 2 IP: _____._____._____._____ Netmask: _____._____._____._____
Port 3 IP: _____._____._____._____ Netmask: _____._____._____._____
Configuring server mode FortiMail Server in front of a firewall
You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to your internal network hub or switch. The IP address of Port 1 must be on the same subnet as the network and cannot use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address assignment using DHCP if the network supports it.
Configuring a static IP address
To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface you are connecting to, you must reconnect to the web-based manager using the new IP address.
Configuring an interface for DHCP
You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may provide IP addresses using one of these protocols.
DHCP is used to obtain IP addresses from a DHCP server, such as from your ISP. Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet.
Table 8 (continued)
Port 4 IP: _____._____._____._____ Netmask: _____._____._____._____
Port 5 IP: _____._____._____._____ Netmask: _____._____._____._____
Port 6 IP: _____._____._____._____ Netmask: _____._____._____._____
Network settings
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if required to configure them manually.
To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP.
The FortiMail unit attempts to contact the DHCP server to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
4 If required, select Retrieve default gateway and DNS from server to disable this option.
5 Select OK.
Configuring DNS and default gateway
You need to configure DNS server addresses and a default gateway so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches domain names with the computer IP address. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.
To add DNS server IP addresses
1 Go to System > Network > Network.
2 Enter the primary and secondary DNS server IP addresses.
3 Enter the default gateway address. The default gateway address will be the address of the router connected to the Internet.
4 Select Apply.
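A pre-flight check for the worksheet values before they are entered in the web-based manager, as an added example that is not part of the FortiMail guide. It applies the rules stated above (valid IP and netmask, no address shared with another device, a default gateway the unit can reach). The function `check_worksheet`, its parameters and the sample addresses are assumptions made for illustration; the subnet-overlap and duplicate-DNS checks are general networking hygiene rather than requirements taken from this page.

```python
import ipaddress

def check_worksheet(ports, gateway, dns, in_use=()):
    """Return a list of problems found in a filled-in network worksheet."""
    problems, nets, ips = [], {}, {}
    taken = {ipaddress.IPv4Address(a) for a in in_use}
    for name, (ip, mask) in ports.items():
        try:
            iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        except ValueError as exc:
            problems.append(f"{name}: invalid IP or netmask ({exc})")
            continue
        net = iface.network
        # The host part must not be all zeros or all ones.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is a network or broadcast address")
        # The address must not collide with a device already on the network.
        if iface.ip in taken:
            problems.append(f"{name}: {iface.ip} is already used by another device")
        # Two ports on overlapping subnets make routing ambiguous.
        for other, other_net in nets.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: subnet {net} overlaps {other}")
        nets[name], ips[name] = net, iface.ip
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"gateway: {gateway!r} is not a valid IPv4 address")
    else:
        if gw in ips.values():
            problems.append(f"gateway: {gw} is the unit's own address")
        elif not any(gw in n for n in nets.values()):
            problems.append(f"gateway: {gw} is not on any configured subnet")
    servers = []
    for label, addr in zip(("primary DNS", "secondary DNS"), dns):
        try:
            servers.append(ipaddress.IPv4Address(addr))
        except ValueError:
            problems.append(f"{label}: {addr!r} is not a valid IPv4 address")
    if len(servers) == 2 and servers[0] == servers[1]:
        problems.append("secondary DNS: same address as primary, no redundancy")
    return problems

# Constructed sample values (documentation address ranges), not from the guide.
GOOD = check_worksheet({"port1": ("192.0.2.10", "255.255.255.0")}, "192.0.2.1",
                       ["198.51.100.53", "203.0.113.53"], in_use=["192.0.2.1"])
BAD = check_worksheet({"port1": ("192.0.2.20", "255.255.255.0"),
                       "port2": ("192.0.2.130", "255.255.255.128")}, "10.0.0.1",
                      ["198.51.100.53", "198.51.100.53"], in_use=["192.0.2.20"])
```

`GOOD` is an empty list; `BAD` reports the address conflict on port1, the overlapping port2 subnet, the unreachable gateway and the duplicated DNS server.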
Configuring the email system settings
The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings and email access permissions.
Configuring basic email system settings
Configure the FortiMail unit basic email system settings, including host name and domain name.
To configure the basic email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select Apply:
Host Name: Enter the name for the FortiMail unit.
POP3 Server Port Number: Enter the port number for the POP3 server. The default is 110.
SMTP Server Port Number: Enter the SMTP port number. The default SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.
SMTP Authentication: Select to enable authentication. When a user logs into the SMTP server, they require a user name and password.
3 Select the blue arrow for Relay server to expand the options.
4 Enter a relay server name, port and authentication if your ISP provides a relay email server.
5 Select Apply.
Adding a domain
Create a domain entry for the server. Ensure you use the same domain you used when setting up the MX record.
To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Select Advanced Settings to configure LDAP mail routing.
5 Select Advanced AS/AV to configure anti-spam and anti-virus options.
6 Select OK.
Creating local domains
Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:
• accounting.example.com
• dev.example.com
Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.
To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Select Is Subdomain and select the main domain the local domain is a part of.
5 Complete the LDAP authentications if required.
6 Select OK.
Configuring the firewall
With the FortiMail unit in front of the FortiGate firewall, you must configure policies to ensure that incoming and outgoing SMTP traffic passes through the firewall to the users on the network. You also need a policy to pass traffic from the users to the FortiMail unit, which then sends the message on to the Internet.
Both policies have the internal users as the source of the email traffic. In both receiving and sending email, the user’s email client initiates the connection to the FortiMail server, thus starting the communication (the source).
Configuring the incoming mail policy
Create a firewall policy that permits all SMTP traffic from the FortiMail unit to pass to users on the internal network.
First, you must create an address entry for the FortiMail unit and the email server.
Note: The following steps use a FortiGate firewall device. If you are using an alternate firewall appliance, consult the appliance’s documentation for completing similar configurations.
To create an address for the FortiMail unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:
Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select the interface for the FortiGate unit connected to the Internet.
The incoming policy is a POP3 policy that allows users to send requests to the FortiMail unit for new mail on the FortiMail server.
To configure the incoming policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Destination Interface/zone: Select the external interface connected to the Internet or router.
Destination Address Name: Select the FortiMail unit address from the list.
Schedule: Select ALWAYS.
Service: Select POP3.
Action: Select ACCEPT.
Configure the outgoing mail policy
Add a firewall policy for internal users to send email messages to the FortiMail mail server for scanning and sending to destinations on the Internet.
To configure the outgoing policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL for all internal users on the internal network.
Destination Interface/zone: Select the external interface connected to the Internet or router.
Destination Address Name: Select the FortiMail unit address from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Next Steps
The configuration is now complete. Using your email client software, try sending email using the test user to verify that the FortiMail server can send and receive email.
If you are having difficulties, review the steps and the values entered to ensure they are correct.
See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.