Configuration
Technical Note
No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
Table of Contents
Overview ... 3
Configuring DNS ... 4
  DNS tools ... 4
    Using the host (UNIX) tool ... 5
    Using the nslookup (UNIX or Windows) tool ... 5
  DNS troubleshooting using nslookup ... 6
Configuring the FortiMail Gateway ... 6
  Network settings ... 7
    DNS entries ... 7
    Routing entries ... 8
  Mail server entries ... 8
  Profile entries ... 8
  Policy entries ... 9
Testing the FortiMail Gateway ... 10
  Sending an email ... 10
  Using commands ... 10
    Telneting to the FortiMail Gateway ... 10
    Communicating with the SMTP service ... 11
Overview
The FortiMail Gateway can effectively protect your email server by scanning the
SMTP traffic going through it for viruses and spam messages. It can also archive
emails for backup and monitoring purposes. The FortiMail unit integrates into your
existing network with only minor changes to your network configuration.
While there are multiple possible combinations when implementing both internal and
external email systems with the FortiMail Gateway, this technical note will use a
simple network design as shown in Figure 1.
This network design uses an internal server for user email storage. The FortiMail
Gateway acts as a relay server that receives and screens any incoming emails from
the Internet before delivering them to the internal email system for final delivery.
Figure 1: Network design (diagram not reproduced; labels recovered from it: Firewall, Internal, FortiMail (20.20.20.99 – fortimail.dmz.inside.com))
Configuring DNS
DNS is used to identify IP addresses and their related host names. For example,
when you type ping www.fortinet.com, the ping program attempts to reach an IP
address. A DNS server (or multiple servers) identifies the IP address associated with
the server that hosts www.fortinet.com and provides the IP to the ping program.
While DNS has multiple record types, this technical note only focuses on the following:
• MX records: The record type that identifies a mail server responsible for a
particular domain.
• A records: The record type that identifies an IP address associated with a Fully
Qualified Domain Name (FQDN), for example, www.fortinet.com.
To successfully implement the network design in Figure 1, you must ensure that the
DNS MX record on each domain identifies the FQDN of the FortiMail system. There
must also be a corresponding A record that identifies the IP address of the FortiMail
Gateway’s FQDN. The following is an example of the MX and A records based on
network design in Figure 1:
MX record: inside.com. IN MX 0 fortimail.inside.com
A record: fortimail.inside.com IN A 10.10.10.1
The “0” in the MX record is the preference value (often called a “weight”); sending
servers try the MX with the lowest value first. This is commonly 0, but several MX
records with different values can be used to distribute emails among multiple mail
relays, or to provide an alternate mail server in case the primary fails.
While there are many different types of DNS servers available, and a multitude of
interfaces that allow administrators to configure the database, this technical note is
based on a system running SUSE Linux 9.2 as the operating system, utilizing the
embedded DNS server. In this case, the DNS file location is /var/lib/named/master
and the file name is inside.com.
To configure the DNS, edit the inside.com file and add or modify the MX record and
A record as described above. Once you have modified the DNS entries, restart the
DNS server. On the Suse 9.2 system, this can be achieved by entering
/etc/init.d/named restart and pressing Enter.
DNS tools
It is important to ensure that the MX and corresponding A records have been set
correctly for the domain supporting the FortiMail Gateway. In our example, make sure
that the mail server handling mail for inside.com is shown as
fortimail.inside.com (the FQDN for the FortiMail system), and the IP address is
correct for the FQDN.
There are a number of tools you can use to test the DNS records. In this document,
the tool set is limited to commands available on UNIX or Windows based systems.
Command: host -t mx inside.com <return>
Response: inside.com mail is handled by 0 fortimail.inside.com
Note: In the command, “-t” is used to specify which record type to locate for the domain; “mx”
identifies the record type as mail.
The response shows that the DNS entry is correct, and incoming emails will be
forwarded to the IP address associated with fortimail.inside.com. To test that
the A record is also correct, from a UNIX prompt, enter:
Command: host fortimail.inside.com <return>
Response: fortimail.inside.com has address 20.20.20.99
Identifying MX records
To identify an MX record, from a UNIX or Windows command prompt, type nslookup
and press Return.
The response should be a prompt (“>”). From that prompt, you can issue commands
to the DNS server. To identify the mail server responsible for a domain, you must first
set the type of record to find, then type the domain you are looking for.
For example, to find the MX record for inside.com, you type:
set type=mx <return>
inside.com <return>
The most important information to look for in the response is “mail exchanger”. For
example:
inside.com mail exchanger = 0 fortimail.inside.com
This response shows that the MX record for inside.com is correct and identifies the
FortiMail FQDN as the system responsible for incoming emails.
Testing A records
To test the A record using our example, from a UNIX or Windows prompt, type:
nslookup <return>
fortimail.inside.com
The important information to look for in the response is “Name:” and “Address:”, such
as:
Name: fortimail.inside.com
Address: 20.20.20.99
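Both the zone-file edit described under “Configuring DNS” and the host/nslookup checks above come down to one consistency rule: the domain's MX record must name the FortiMail FQDN, and that FQDN must have an A record. The following is an added example, not code from the Fortinet technical note: it parses a small BIND-style zone file and reports that consistency offline, so the check can be run on the file before the DNS server is restarted. The zone contents, the ns1 and mail hosts, and the broken variant are all constructed for the example; the note's actual /var/lib/named/master/inside.com file is not reproduced.

```python
"""Added example (not Fortinet's code): parse a BIND-style zone file and verify
that the domain's MX target has a matching A record, the consistency the
technical note says must hold before the FortiMail Gateway can receive mail."""
import re

# Constructed zone file for inside.com; record shapes follow the MX and A
# examples in the note, the other hosts are assumptions for the example.
ZONE_TEXT = """\
$ORIGIN inside.com.
$TTL 3600
@           IN SOA  ns1.inside.com. hostmaster.inside.com. 2005031501 3600 900 604800 3600
@           IN NS   ns1.inside.com.
ns1         IN A    10.10.10.53
inside.com. IN MX 0 fortimail.inside.com.
fortimail   IN A    20.20.20.99
mail        IN A    10.10.10.25
"""

# Same zone with the relay's A record owner mistyped: the MX target then has no address.
BROKEN_ZONE_TEXT = ZONE_TEXT.replace("fortimail ", "fortimai1 ")

# owner (may be blank, meaning "same as previous"), optional TTL, optional class, type, rdata
RECORD_RE = re.compile(r"^(\S*)\s+(?:\d+\s+)?(?:IN\s+)?(SOA|NS|MX|A|CNAME)\s+(.+)$", re.I)


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file owner or target into a lower-case absolute name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> tuple[str, list[tuple[str, str, list[str]]]]:
    """Return (origin, [(owner, TYPE, rdata fields), ...]); comments and $TTL are ignored."""
    origin = "."
    records: list[tuple[str, str, list[str]]] = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse zone line: {raw!r}")
        owner = qualify(m.group(1), origin) if m.group(1) else last_owner
        if owner is None:
            raise ValueError(f"record with blank owner and no previous owner: {raw!r}")
        records.append((owner, m.group(2).upper(), m.group(3).split()))
        last_owner = owner
    return origin, records


def mail_routing_report(text: str, domain: str) -> dict:
    """Check MX -> A consistency for `domain` and report what a sending server would see.

    Returns {"mx": [(preference, target), ...] lowest preference first,
             "address": {target: ip} for targets that have an A record,
             "missing": [targets with no A record]}.
    """
    origin, records = parse_zone(text)
    domain = domain.lower().rstrip(".") + "."
    a_records = {owner: rdata[0] for owner, rtype, rdata in records if rtype == "A"}
    mx = sorted(
        (int(rdata[0]), qualify(rdata[1], origin))
        for owner, rtype, rdata in records
        if rtype == "MX" and owner == domain
    )
    return {
        "mx": mx,
        "address": {t: a_records[t] for _, t in mx if t in a_records},
        "missing": [t for _, t in mx if t not in a_records],
    }


if __name__ == "__main__":
    for label, zone in (("good", ZONE_TEXT), ("broken", BROKEN_ZONE_TEXT)):
        print(label, mail_routing_report(zone, "inside.com"))
```

For the constructed zone the report lists the single MX (preference 0, fortimail.inside.com.) with its address 20.20.20.99 and an empty "missing" list; for the broken variant the MX target appears under "missing", which is exactly the condition that makes `host -t mx` look correct while delivery still fails.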
Configuring the FortiMail Gateway
Network settings
Configure the network properties of the system:
• DNS
• Routing (default gateway)
DNS entries
Specify the DNS server(s) that allow the FortiMail Gateway to resolve the internal
mail server (the A record for the FQDN of the mail server). The DNS settings must also
allow the FortiMail Gateway to resolve DNS entries for the Internet. This can be
achieved by adding an additional DNS server (typically the ISP's), or by making sure
that your internal DNS server has a “forwarder” defined, pointing at an external DNS
server, for entries it cannot resolve itself.
System > Network > DNS
Routing entries
Specify a default route for the FortiMail system. Otherwise you will have problems
receiving and/or delivering mail if you have multiple IP networks defined in your
environment.
System > Network > DNS
Note: The domain entry of the FortiMail system MUST be different from the domain entry used
by the receiving mail server. As you can see from the network design used in this document, a
subdomain within inside.com is created to accommodate this FortiMail requirement.
Profile entries
Profiles need to be available for both antispam and antivirus services. See the
FortiMail Administration Guide for details on profile creation.
Policy entries
Policies are important settings that define which domains will be serviced by FortiMail
Gateway and which users will receive mails within each domain.
Policy > Policy > Create New
Domain FQDN: Enter the domain to which the email server belongs (in our example, it
is inside.com) and the IP address of the email server.
The domain used in this field must be different from the Local Domain Name under
“Mail server entries” on page 8.
Once you have created the policy, you need to edit it and add users that are allowed to
receive email from this domain. Select the edit icon for the policy you created and
select Create New. To ensure all of your users will receive emails, enter “*” in the User
Name field. Then select the Antispam and Antivirus profiles you created (or were
available by default). You can leave Authentication as the defaults and select OK.
Testing the FortiMail Gateway
• Sending an email
• Using commands
Sending an email
Send an email from an external email system to an internal user. If the user receives
the email without any problems, the installation is successful.
Using commands
You can use some simple commands to test that the FortiMail Gateway accepts
SMTP communications and the server policies are configured correctly.
Command: telnet FortiMail.com 25 <return>
Response:
Connected to fortimail.com
Escape character is '^]'
220 fortimail.com ESMTP Smtpd; <date and time>
This response means you are connected to the SMTP service on the FortiMail
Gateway. You are now able to communicate with the SMTP service using SMTP
commands.
Command: ehlo mail.example.com <return>
Response: 250-mail.example.com Hello <client_hostname> <client_ip>, pleased to meet you
Command: mail from:user@outside.com <return>
Response: 250 2.1.0 user@outside.com... Sender ok
Command: rcpt to:user@inside.com <return>
Response: 250 2.1.0 user@inside.com... Recipient ok
Command: data <return>
Response: 354 Enter mail, end with "." on a line by itself
Command: this is a test message <return>
Response: (none; the line is part of the message body)
Command: . <return>
Response: 250 2.0.0 j2TIw3MK026986 Message accepted for delivery
The above commands and responses show that the FortiMail Gateway is accepting
emails from external SMTP services and will deliver the emails to the internal users.
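The telnet session above is a manual run of the SMTP dialogue; the same check can be scripted so it is repeatable after every policy change. The following is an added example, not code from the Fortinet technical note or from FortiMail: a stub SMTP relay that answers with the same reply shapes as the transcript, plus a client that performs the EHLO / MAIL FROM / RCPT TO / DATA exchange and returns the reply code of each step. The relay name fortimail.com and the accepted domain inside.com are taken from the note; the stub's refusal to relay for a recipient domain it does not host (a 550 reply), the 2.1.5 status on the recipient line, and the `<queue-id>` placeholder are assumptions about a correctly configured gateway, not behaviour the note documents. Pointing `smtp_exchange` at a real gateway instead of the stub gives the same list of codes for the real exchange.

```python
"""Added example (not Fortinet's code): a stub SMTP relay answering like the
note's transcript, and a client that scripts the EHLO/MAIL/RCPT/DATA exchange
and returns the reply codes so the policy can be checked repeatably."""
import socket
import threading

RELAY_NAME = "fortimail.com"          # relay name from the note's transcript
ACCEPTED_DOMAINS = {"inside.com"}     # the domain the policy entry serves (assumed)


def _reply(conn: socket.socket, line: str) -> None:
    conn.sendall((line + "\r\n").encode())


def _serve_session(conn: socket.socket) -> None:
    """One SMTP session. Reply wording follows the note; the RCPT domain check is assumed."""
    reader = conn.makefile("rb")
    _reply(conn, f"220 {RELAY_NAME} ESMTP Smtpd; <date and time>")
    in_data = False
    with conn:
        for raw in reader:
            line = raw.decode(errors="replace").rstrip("\r\n")
            if in_data:                                   # message body until a lone "."
                if line == ".":
                    in_data = False
                    _reply(conn, "250 2.0.0 <queue-id> Message accepted for delivery")
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                _reply(conn, f"250 {RELAY_NAME} Hello {arg}, pleased to meet you")
            elif verb == "MAIL":
                sender = arg.split(":", 1)[-1].strip("<>")
                _reply(conn, f"250 2.1.0 {sender}... Sender ok")
            elif verb == "RCPT":
                rcpt = arg.split(":", 1)[-1].strip("<>")
                if rcpt.rpartition("@")[2].lower() in ACCEPTED_DOMAINS:
                    _reply(conn, f"250 2.1.5 {rcpt}... Recipient ok")
                else:                                     # not a hosted domain: do not relay
                    _reply(conn, f"550 5.7.1 {rcpt}... Relaying denied")
            elif verb == "DATA":
                in_data = True
                _reply(conn, '354 Enter mail, end with "." on a line by itself')
            elif verb == "QUIT":
                _reply(conn, f"221 2.0.0 {RELAY_NAME} closing connection")
                return
            else:
                _reply(conn, "500 5.5.1 Command unrecognized")


def start_stub_relay() -> tuple[str, int]:
    """Listen on an ephemeral loopback port; each session is served on a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_session, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def _read_reply(reader) -> int:
    """Read one SMTP reply (skipping '250-' continuation lines) and return its 3-digit code."""
    while True:
        line = reader.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if line[3:4] != "-":
            return int(line[:3])


def smtp_exchange(host: str, port: int, sender: str, recipient: str, body: str) -> list[int]:
    """Run the note's exchange against host:port and return the reply code of each step.

    A fully accepted message yields [220, 250, 250, 250, 354, 250, 221]; on any 4xx/5xx
    the client stops and sends QUIT instead of pushing on with the next command."""
    codes: list[int] = []
    with socket.create_connection((host, port)) as s:
        reader = s.makefile("rb")
        codes.append(_read_reply(reader))                 # 220 greeting
        steps = ("EHLO mail.example.com", f"MAIL FROM:<{sender}>", f"RCPT TO:<{recipient}>", "DATA")
        for cmd in steps:
            s.sendall((cmd + "\r\n").encode())
            codes.append(_read_reply(reader))
            if codes[-1] >= 400:
                break
        else:
            # dot-stuff body lines that start with ".", then send the end-of-data marker
            stuffed = "\r\n".join(("." + l if l.startswith(".") else l) for l in body.splitlines())
            s.sendall((stuffed + "\r\n.\r\n").encode())
            codes.append(_read_reply(reader))
        s.sendall(b"QUIT\r\n")
        codes.append(_read_reply(reader))
    return codes


def run_checks() -> dict:
    """Start the stub and run one exchange that should be accepted and one that should be refused."""
    host, port = start_stub_relay()
    return {
        "accepted": smtp_exchange(host, port, "user@outside.com", "user@inside.com", "this is a test message"),
        "refused": smtp_exchange(host, port, "user@outside.com", "user@elsewhere.com", "this is a test message"),
    }


if __name__ == "__main__":
    print(run_checks())
```

The second exchange is the one worth keeping in a regular check: a gateway that answers 250 to a recipient in a domain it does not host is relaying for anyone, so the expected result for that case is a 5xx on the RCPT step, not a delivered message.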
You should now be able to send and receive emails between external email servers
and your internal email server. The incoming emails are routed via the FortiMail
Gateway.