Upload
yousef512
View
266
Download
4
Embed Size (px)
Citation preview
8/10/2019 FortiMail 03 Email Setup
1/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
1
2013 Fortinet Inc. All r ights reserved.
The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726
Email Setup
Module 3
2
Module Objectives
By the end of this module, you will be able to:
Explain how the FortiMail system classifies email as either incoming or outgoing
Configure necessary system and email settings to enable commonly used
security features
Illustrate main steps of sending email using SMTP and test email operation in the
classroom lab environment
8/10/2019 FortiMail 03 Email Setup
2/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
3
Email Handling
Any email received by the FortiMail unit is considered either incomingor outgoing depending on the recipient domain
If the recipient domain matches a domain in the protected domain list,
the email is considered incoming, otherwise it is outgoing
Incoming emails are relayed by default
Outgoing emails are rejected by default
4
Protected Domains Configuration
Email domains protected byFortiMail Unit
8/10/2019 FortiMail 03 Email Setup
3/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
5
Recipient Verification
To verify the validity of a recipient email address, the FortiMail unit canuse the following techniques:
Recipient Address Verification
Automatic Removal of Invalid Quarantine Accounts
To optimize the usage of system resources, it is recommended to
enable one of the above techniques
6
Recipient Address Verification
The FortiMail unit checks the validity of all incoming email and it
rejects those for invalid recipients
The technique used to verify the recipient address varies depending
on the back-end server queried:
LDAP Verification: The FortiMail unit queries the LDAP tree looking for an object
with the matching attribute
SMTP Verification: The FortiMail unit initiates an SMTP session to the back-end
server with the recipient that must be verified
8/10/2019 FortiMail 03 Email Setup
4/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
7
Automatic Removal of Invalid Quarantine
Technique used to free up mail disk space by removing emailquarantined for invalid recipients
By default, the quarantine list is checked at 4:00 am but this can be
modified through the CLI as follows:config antispam settings
(settings) # set backend-verify
end
8
Outgoing Mail Rate Limiting for Blacklisting Protection
Provides the ability to limit number or volume (in Mbytes) of email by
sender
Useful for hosting environment to prevent customers from sending out
large volumes of email in too short of a time period which can result in
the mail servers IP to be blacklisted
Control email accounts that have been compromised and are sending
spam
Subsequent sessions are temp failed
Configured per domain
8/10/2019 FortiMail 03 Email Setup
5/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
9
Outgoing Mail Rate Limiting for Blacklisting Protection
History Log Trace: Classifier Sender Address Rate Control
Disposition Delay
From [email protected]
Antispam Log Trace: From [email protected]
Message [email protected] exceeded sender rate control
message limit. Messages Sent = 3
Event Log Trace: Message Milter: from=, reject=451
4.3.2 Please try again later
10
Domain Association
Eliminates the need to configure multiple protected domains with
identical settings
8/10/2019 FortiMail 03 Email Setup
6/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
11
Local Domain
The local domain is used by features such as: quarantine report,Bayesian database training, email quarantine and DSN
If the FortiMail unit is used as an outgoing MTA, the IP address should
be globally resolvable to the FQDN
FortiMail FQDN
12
Default Domain Name for User Authentication
If more than one domain
is defined, a default
domain name can be
configured so it is
appended to the user
name
Useful where the end
user has only specified
the local part of the email
address (webmail, SMTP
Auth, IMAP, POP3)
8/10/2019 FortiMail 03 Email Setup
7/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
13
Maximum Email Size
By default, the FortiMail unit will reject all email messages that exceed10 MB
The administrator can override this limit by increasing one of the
following settings: Cap message size value in the session profile
Maximum message size value in the protected domain
If both are configured, the smallest value is applied
14
Users
When the FortiMail unit is operating in servermode, user inboxes can
be defined locally or retrieved through LDAP
8/10/2019 FortiMail 03 Email Setup
8/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
15
User Group Management
Email user accounts that are part of the same domain can be groupedtogether for easier management
16
User Alias
Email addresses in the alias can be part of the protected domain or
they can belong to an external domain
One-to-one or one-to-many relationship
Unidirectional email translation
8/10/2019 FortiMail 03 Email Setup
9/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
17
Address Map
Bidirectional email translation one to one or many to many
Generally used to hide a protected domain from the external
Both email domains must be defined on the FortiMail unit
18
Mail Data Storage
Mail data (MTA spool, mail queues, email archives, email users
mailboxes, quarantined email messages) can be stored to local disk or
to a remote NAS
NFS and iSCSI
protocols
supported
8/10/2019 FortiMail 03 Email Setup
10/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
19
FortiMail Queues
Mail Queue Deferred queue, holds mail the MTA could not send
In the case of temporary failure due to server being down or network connectivity
MTA will attempt to resend the message later
If greylisting is in use on the upstream server, the message is held here
Dead Mail
Mail that cannot be
delivered or
returned as the
sender and recipient
names are invalid
20
Mail Queue Timers
After 6 hours a DSN
message will be removedfrom the deferred queue
and returned asundeliverable
Zero means that only one
resend attempt will be
made before returning the
message
Retry for sending
message every 15
minutes
After 1 day the
message will be
removed from thedeferred or spam
queue and returned
as undeliverable
Wait 1 hourbefore sending
a DSNdeferred
message to
sender
8/10/2019 FortiMail 03 Email Setup
11/12
Email Se
06-50000-0221-20130726
Course 221 - FortiMail Email Filtering
21
Lab Network
22
Lab1 Initial Setup
Objectives
Understand the main steps of sending an email message using the SMTP
protocol and test email operation in the classroom lab environment
Tasks
Ex 1: Introduction to the Classroom Mail Network
Ex 2: Mail Transfer Agent and Mail User Agent Configuration
Ex 3: Understanding an SMTP Connection
Estimated time to complete the lab: 20 minutes
8/10/2019 FortiMail 03 Email Setup
12/12
Email Se
06 50000 0221 20130726
Course 221 - FortiMail Email Filtering
23
Lab2 Gateway Mode MTA Configuration
Objectives Configure system and email section of a gateway mode FortiMail system
Understand how the DNS records are populated
Understand email routing between internal and external domains
Tasks
Ex 1: Smarthost Gateway Configuration
Ex 2: Understanding DNS Record
Ex 3: Local and Protected Domain Configuration
Estimated time to complete the lab: 30 minutes