Course 221 - FortiMail Email Filtering
Email Setup
Module 3
© 2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726
Module Objectives
• By the end of this module, you will be able to:
  » Explain how the FortiMail system classifies email as either incoming or outgoing
  » Configure necessary system and email settings to enable commonly used security features
  » Illustrate main steps of sending email using SMTP and test email operation in the classroom lab environment
Email Handling
• Any email received by the FortiMail unit is considered either incoming or outgoing depending on the recipient domain
• If the recipient domain matches a domain in the protected domain list, the email is considered ‘incoming’; otherwise it is ‘outgoing’
• Incoming emails are relayed by default
• Outgoing emails are rejected by default
Protected Domains Configuration
• Email domains protected by FortiMail Unit
Recipient Verification
• To verify the validity of a recipient email address, the FortiMail unit can use the following techniques:
  » Recipient Address Verification
  » Automatic Removal of Invalid Quarantine Accounts
• To optimize the usage of system resources, it is recommended to enable one of the above techniques
Recipient Address Verification
• The FortiMail unit checks the validity of the recipients of all incoming email and rejects messages addressed to invalid recipients
• The technique used to verify the recipient address varies depending on the back-end server queried:
  » LDAP Verification: The FortiMail unit queries the LDAP tree looking for an object with the matching attribute
  » SMTP Verification: The FortiMail unit initiates an SMTP session to the back-end server with the recipient that must be verified
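The SMTP verification technique above, sketched as an added example (not Fortinet's code and not part of the original course material). It assumes the probe stops after RCPT TO and maps the reply code to a verdict; `verify_recipient`, `ConstructedBackend`, the host names and the mailbox list are all hypothetical.

```python
VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"

def verify_recipient(conn, probe_sender, recipient, helo_name="gateway.example"):
    """Ask the back-end server whether it would accept mail for `recipient`.

    `conn` is a connected smtplib.SMTP, or any object with the same
    helo/mail/rcpt/rset methods. No DATA command is issued, so nothing
    is delivered; only the reply to RCPT TO is inspected.
    """
    code, _ = conn.helo(helo_name)
    if code != 250:
        return UNKNOWN
    code, _ = conn.mail(probe_sender)
    if code != 250:
        return UNKNOWN
    code, _ = conn.rcpt(recipient)
    conn.rset()                       # abandon the probe transaction
    if code in (250, 251):
        return VALID                  # back end accepts the mailbox
    if 500 <= code <= 599:
        return INVALID                # permanent failure: reject at the gateway
    return UNKNOWN                    # 4xx or unexpected: no verdict, do not reject


class ConstructedBackend:
    """Constructed stand-in for the back-end mail server (sample data only)."""

    def __init__(self, mailboxes, available=True):
        self.mailboxes = {m.lower() for m in mailboxes}
        self.available = available

    def helo(self, name=""):
        return (250, b"backend.example")

    def mail(self, sender, options=()):
        return (250, b"2.1.0 Ok")

    def rcpt(self, recip, options=()):
        if not self.available:
            return (451, b"4.3.0 Temporary lookup failure")
        if recip.lower() in self.mailboxes:
            return (250, b"2.1.5 Ok")
        return (550, b"5.1.1 User unknown")

    def rset(self):
        return (250, b"2.0.0 Ok")


if __name__ == "__main__":
    backend = ConstructedBackend(["alice@protected.example"])
    for rcpt in ("alice@protected.example", "nobody@protected.example"):
        print(rcpt, verify_recipient(backend, "probe@gateway.example", rcpt))
```

A temporary failure from the back end is kept separate from an invalid recipient so that an outage of the back-end server does not cause valid mail to be rejected.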
Automatic Removal of Invalid Quarantine
• Technique used to free up mail disk space by removing email quarantined for invalid recipients
• By default, the quarantine list is checked at 4:00 am but this can be modified through the CLI as follows:
    config antispam settings
    (settings) # set backend-verify
    end
Outgoing Mail Rate Limiting for Blacklisting Protection
• Provides the ability to limit the number or volume (in Mbytes) of email by sender
• Useful in hosting environments to prevent customers from sending out large volumes of email in too short a time period, which can result in the mail server’s IP address being blacklisted
• Controls email accounts that have been compromised and are sending spam
• Subsequent sessions are temp failed
• Configured per domain
Outgoing Mail Rate Limiting for Blacklisting Protection
• History Log Trace:
  » Classifier: Sender Address Rate Control
  » Disposition: Delay
  » From: [email protected]
• Antispam Log Trace:
  » From: [email protected]
  » Message: [email protected] exceeded sender rate control message limit. Messages Sent = 3
• Event Log Trace:
  » Message: Milter: from=, reject=451 4.3.2 Please try again later
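How a per-sender limit on message count and volume leads to the 451 4.3.2 temporary failure in the log trace above, as an added example (not FortiMail's implementation and not part of the original course material). The sliding time window, the class and function names, the accept reply and the `hosted.example` policy are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

TEMPFAIL = (451, "4.3.2 Please try again later")  # reply from the event log trace
ACCEPT = (250, "OK")                              # constructed accept reply


class SenderRateControl:
    """Sliding-window limit on message count and volume for each sender."""

    def __init__(self, max_messages, max_mbytes, window_seconds):
        self.max_messages = max_messages
        self.max_bytes = max_mbytes * 1024 * 1024
        self.window = window_seconds
        self.history = defaultdict(deque)   # sender -> deque of (time, size)

    def check(self, sender, size_bytes, now=None):
        now = time.time() if now is None else now
        sent = self.history[sender.strip().lower()]
        while sent and now - sent[0][0] >= self.window:
            sent.popleft()                  # forget mail older than the window
        volume = sum(size for _, size in sent)
        over_count = len(sent) + 1 > self.max_messages
        over_volume = volume + size_bytes > self.max_bytes
        if over_count or over_volume:
            return TEMPFAIL                 # sender must retry later
        sent.append((now, size_bytes))
        return ACCEPT


def handle_message(policies, sender, size_bytes, now=None):
    """Apply the limit configured for the sender's domain, if any."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    policy = policies.get(domain)
    return ACCEPT if policy is None else policy.check(sender, size_bytes, now)


if __name__ == "__main__":
    # Constructed policy: 3 messages or 10 MB per sender per 5 minutes.
    policies = {"hosted.example": SenderRateControl(3, 10, 300)}
    for t in range(5):
        print(t, handle_message(policies, "user1@hosted.example", 20_000, now=t))
```

Because the refusal is a 4xx reply, a legitimate sending server queues the message and retries once the window has moved on, while a compromised account's burst is throttled.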
Domain Association
• Eliminates the need to configure multiple protected domains with identical settings
Local Domain
• The local domain is used by features such as: quarantine report, Bayesian database training, email quarantine and DSN
• If the FortiMail unit is used as an outgoing MTA, the IP address should be globally resolvable to the FQDN
FortiMail FQDN
Default Domain Name for User Authentication
• If more than one domain is defined, a default domain name can be configured so it is appended to the user name
• Useful where the end user has only specified the local part of the email address (webmail, SMTP Auth, IMAP, POP3)
Maximum Email Size
• By default, the FortiMail unit will reject all email messages that exceed 10 MB
• The administrator can override this limit by increasing one of the following settings:
  » “Cap message size” value in the session profile
  » “Maximum message size” value in the protected domain
• If both are configured, the smallest value is applied
Users
• When the FortiMail unit is operating in server mode, user inboxes can be defined locally or retrieved through LDAP
User Group Management
• Email user accounts that are part of the same domain can be grouped together for easier management
User Alias
• Email addresses in the alias can be part of the protected domain or they can belong to an external domain
• One-to-one or one-to-many relationship
• Unidirectional email translation
Address Map
• Bidirectional email translation, one-to-one or many-to-many
• Generally used to hide a protected domain from the external
• Both email domains must be defined on the FortiMail unit
Mail Data Storage
• Mail data (MTA spool, mail queues, email archives, email users’ mailboxes, quarantined email messages) can be stored to local disk or to a remote NAS
• NFS and iSCSI protocols supported
FortiMail Queues
• Mail Queue
  » Deferred queue, holds mail the MTA could not send
    • In the case of temporary failure due to server being down or network connectivity
  » MTA will attempt to resend the message later
  » If greylisting is in use on the upstream server, the message is held here
• Dead Mail
  » Mail that cannot be delivered or returned as the sender and recipient names are invalid
Mail Queue Timers
• After 1 day the message will be removed from the deferred or spam queue and returned as undeliverable
• Wait 1 hour before sending a DSN deferred message to sender
• Retry sending the message every 15 minutes
• After 6 hours a DSN message will be removed from the deferred queue and returned as undeliverable
• Zero means that only one resend attempt will be made before returning the message
Lab Network
Lab1 Initial Setup
• Objectives
  » Understand the main steps of sending an email message using the SMTP protocol and test email operation in the classroom lab environment
• Tasks
  » Ex 1: Introduction to the Classroom Mail Network
  » Ex 2: Mail Transfer Agent and Mail User Agent Configuration
  » Ex 3: Understanding an SMTP Connection
• Estimated time to complete the lab: 20 minutes
Lab2 – Gateway Mode MTA Configuration
• Objectives
  » Configure system and email section of a gateway mode FortiMail system
  » Understand how the DNS records are populated
  » Understand email routing between internal and external domains
• Tasks
  » Ex 1: Smarthost Gateway Configuration
  » Ex 2: Understanding DNS Record
  » Ex 3: Local and Protected Domain Configuration
• Estimated time to complete the lab: 30 minutes