FortiMail - Quick Launch Configuration

Welcome! Today we will show how to perform the initial setup of FortiMail, Fortinet's email security gateway. In this article we will look at the lab layout we will be working with, perform the FortiMail configuration needed to receive and check mail, and test that it works. Based on our experience, we can safely say that the process is very simple, and even a minimal configuration produces visible results.

Let's start with the current layout. It is shown in the figure below.

On the right is the external user's computer, from which we will send mail to a user on the internal network. The internal network contains the user's computer, a domain controller with a DNS server, and a mail server. At the edge of the network there is a firewall, a FortiGate, whose main role in this layout is forwarding SMTP and DNS traffic.

Let's pay special attention to DNS.

Two DNS records are used to route email on the Internet: an A record and an MX record. Usually these records are configured on a public DNS server, but due to the limitations of our layout we simply forward DNS through the firewall (that is, the external user has the address 10.10.30.210 set as its DNS server).

An MX record contains the name of the mail server serving the domain, as well as the priority of that mail server. In our case, it looks like this: test.local -> mail.test.local 10.

An A record maps a domain name to an IP address. We have this: mail.test.local -> 10.10.30.210.

When our external user tries to send an email to [email protected], it queries its DNS server for the MX record of the test.local domain. Our DNS server responds with the name of the mail server, mail.test.local. Now the user needs the IP address of this server, so it queries DNS again, this time for the A record, and gets the IP address 10.10.30.210 (yes, the same address again :) ). Now the letter can be sent, so the user tries to establish a connection to the received IP address on port 25. The rules on the firewall forward this connection to the mail server.

Let's check that mail works in the current state of the layout. To do this, we will use the swaks utility on the external user's computer. It lets you test SMTP by sending an email to a recipient with a variety of parameters. A user with the mailbox [email protected] has already been set up on the mail server. Let's try to send him an email:

Now let's go to the internal user's machine and make sure that the letter has arrived:

The letter really did arrive (it is highlighted in the list), so the layout is working correctly. It's time to move on to FortiMail. Let's add it to our layout:

FortiMail can be deployed in three modes:

  • Gateway - acts as a full-fledged MTA: it accepts all the mail itself, checks it, and then forwards it to the mail server;
  • Transparent - installed in front of the server, it checks incoming and outgoing mail and then passes it on to the server. Requires no network configuration changes;
  • Server - in this case, FortiMail is a full-fledged mail server with the ability to create mailboxes, receive and send mail, and other functionality.

We will be deploying FortiMail in Gateway mode. Let's go to the virtual machine's settings. The login is admin, and no password is set. When you first log in, you must set a new password.

Now let's configure the virtual machine so that the web interface is reachable. The machine also needs Internet access. Let's set up the interface: we only need port1. We will use it to connect to the web interface, and it will also be used for Internet access, which is needed to update services (antivirus signatures, etc.). To configure it, enter the commands:

config system interface
edit port1
set ip 192.168.1.40 255.255.255.0
set allowaccess https http ssh ping
end

Now let's set up the routing. To do this, enter the following commands:

config system route
edit 1
set gateway 192.168.1.1
set interface port1
end

When entering commands, you can use the Tab key to avoid typing them in full. Also, if you forget which command should come next, you can use the “?” key.

Now let's check the Internet connection. To do this, ping the Google DNS:

As you can see, we have Internet access. The initial settings common to all Fortinet devices are complete, and we can proceed to configuration via the web interface. To do this, open the management page:

Please note that you need to follow the link in the format /admin. Otherwise, you will not be able to get to the management page. By default, the page is in standard configuration mode. We need Advanced mode for our settings. Let's go to the admin → View menu and switch the mode to Advanced:

Now we need to upload the trial license. You can do this in the menu License Information → VM → Update:

If you do not have a trial license, you can request one by contacting us.

After entering the license, the device should reboot. After that, it will start pulling updates of its databases from the servers. If this does not happen automatically, you can go to the System → FortiGuard menu and click the Update Now button on the Antivirus and Antispam tabs.

If this does not help, you can change the ports used for updates. Usually all licenses appear after that. In the end it should look like this:

Let's set the correct time zone; this will come in handy when examining the logs. To do this, go to the System → Configuration menu:

We will also configure DNS. We will set the internal DNS server as the primary DNS server and leave the DNS server provided by Fortinet as the backup.

Now let's move on to the most interesting part. As you may have noticed, the device is set to Gateway mode by default, so we don't need to change it. Let's go to Domain & User → Domain and create a new domain to be protected. Here we only need to specify the domain name and the mail server address (you can also specify the server's domain name, in our case mail.test.local):

Now we need to provide a name for our mail gateway. It will be used in MX and A records, which we will need to change later:

The Host Name and Local Domain Name items form the FQDN, which is used in DNS records. In our case, FQDN = fortimail.test.local.

Now let's set up the receive rule. We need all emails that come from outside and are addressed to a user in the domain to be forwarded to the mail server. To do this, go to the menu Policy → Access Control. An example setup is shown below:

Let's look at the Recipient Policy tab. Here you can set certain rules for checking messages: for example, if mail comes from the example1.com domain, it should be checked with mechanisms configured specifically for that domain. There is already a default rule that applies to all mail, and for now it suits us. You can see this rule in the figure below:

This completes the setup on FortiMail. In fact, there are many more possible parameters, but if we started considering all of them, we could write a book :) Our goal is to run FortiMail in test mode with minimal effort.

There are two things left: changing the MX and A records, and changing the port forwarding rules on the firewall.

The MX record test.local -> mail.test.local 10 needs to be changed to test.local -> fortimail.test.local 10. During pilots, however, a second, higher-priority MX record is usually added instead. For example:

test.local -> mail.test.local 10
test.local -> fortimail.test.local 5

Let me remind you that the lower the preference number of the mail server in the MX record, the higher its priority.

The A record cannot be changed, so let's just create a new one: fortimail.test.local -> 10.10.30.210. The external user will connect to 10.10.30.210 on port 25, and the firewall will forward the connection to FortiMail.
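The MX preference rule and the A-record lookup described above decide which host a sending MTA connects to first, and in a pilot with two MX records every one of those hosts must end up on FortiMail for filtering to be complete. The following sketch is an added example, not part of the original article: it orders the lab's records the way a sender would and reports any MX host whose port 25 path does not end on the gateway. It assumes the FortiGate Virtual IP forwards to FortiMail's port1 address (192.168.1.40); the mail server address and the 203.0.113.10 variant are constructed placeholders.

```python
# Added example. Records are the lab values from this article, entered as data.
MX = {"test.local": [("mail.test.local", 10), ("fortimail.test.local", 5)]}
A = {"mail.test.local": "10.10.30.210", "fortimail.test.local": "10.10.30.210"}

GATEWAY = "192.168.1.40"       # FortiMail port1 address configured earlier
MAIL_SERVER = "<mail-server>"  # placeholder: the article does not give this address


def delivery_order(domain, mx, a):
    """Return (preference, host, ip) tuples in the order a sending MTA tries them."""
    records = mx.get(domain)
    if not records:
        # RFC 5321: a domain without MX records is treated as its own mail host.
        records = [(domain, 0)]
    ordered = sorted(records, key=lambda rec: rec[1])  # lowest preference first
    return [(pref, host, a.get(host)) for host, pref in ordered]


def bypass_paths(domain, mx, a, vip, gateway=GATEWAY):
    """List MX hosts whose port 25 connection does not end on the gateway.

    vip models the firewall forwarding rule: public IP -> internal host.
    A host with no A record or no forwarding rule is reported as well.
    """
    return [host for _, host, ip in delivery_order(domain, mx, a)
            if vip.get(ip) != gateway]


if __name__ == "__main__":
    for pref, host, ip in delivery_order("test.local", MX, A):
        print(pref, host, ip)
    # Pilot as built in the article: one public IP, forwarded to FortiMail.
    print(bypass_paths("test.local", MX, A, {"10.10.30.210": GATEWAY}))
    # Constructed variant: the old MX keeps its own public IP (documentation
    # range) that is still forwarded straight to the mail server.
    a2 = dict(A, **{"mail.test.local": "203.0.113.10"})
    vip2 = {"10.10.30.210": GATEWAY, "203.0.113.10": MAIL_SERVER}
    print(bypass_paths("test.local", MX, a2, vip2))
```

Senders fall back to the higher-numbered MX whenever the preferred one is unreachable, so an empty result from bypass_paths is the state to aim for before relying on the gateway's verdicts.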

In order to change the forwarding rule on FortiGate, you need to change the address in the corresponding Virtual IP object:

Everything is ready. Let's check: send an email from the external user's computer again, then go to the Monitor → Logs menu on FortiMail. In the History field, you can see a record that the letter was accepted. For more information, you can right-click on the entry and select Details:

To complete the picture, let's check whether FortiMail in the current configuration can block emails containing spam and viruses. To do this, let's send the EICAR test virus and a test email found in one of the spam databases (http://untroubled.org/spam/). After that, let's go back to the log view menu:

As you can see, both spam and a letter with a virus were successfully identified.
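The antivirus half of this check can be repeated at any time to confirm the gateway is still scanning. The script below is an added example, not from the original article, and it uses Python's smtplib instead of the swaks utility the article used: it builds a message carrying the standard EICAR test file and reports how the gateway answered at SMTP time. The sender and recipient addresses are placeholders, since the article's real mailbox is not shown.

```python
import smtplib
from email.message import EmailMessage

# Standard, harmless EICAR test string; split so this file is not flagged itself.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + "-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_eicar_mail(sender, recipient):
    """Build a test message with the EICAR file attached as eicar.com."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "FortiMail AV test (EICAR)"
    msg.set_content("Test message with the EICAR test file attached.")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def send_and_classify(msg, host, port=25, timeout=10):
    """Send msg and report how the gateway answered during the SMTP session."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.send_message(msg)
    except smtplib.SMTPRecipientsRefused as exc:
        code, _ = next(iter(exc.recipients.values()))
        return f"rejected {code}"
    except smtplib.SMTPResponseException as exc:
        return f"rejected {exc.smtp_code}"
    # Accepted for processing: the verdict is in Monitor -> Logs -> History.
    return "accepted"


if __name__ == "__main__":
    # Placeholder addresses; fortimail.test.local is the gateway FQDN set above.
    mail = build_eicar_mail("external@example.com", "user@test.local")
    print(send_and_classify(mail, "fortimail.test.local"))
```

An "accepted" result does not mean the message was delivered: the gateway may take the message and then act on it, so the History log remains the place to confirm the detection.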

This configuration is enough to provide basic protection against viruses and spam. But the functionality of FortiMail is not limited to this. For more effective protection, you need to study the available mechanisms and customize them to your needs. In the future, we plan to cover other, more advanced features of this mail gateway.

If you have any difficulties or questions regarding the solution, write them in the comments and we will try to answer them promptly.

You can leave a request for a trial license to test the solution here.

Author: Alexey Nikulin. Fortiservice information security engineer.

Source: habr.com