Basic Setup of FortiMail Mail Server
By
Dr. Hidaia Mahmood Alassouli
Hidaia_alassoli@hotmail.com
Dr. Hidaia Mahmood Alassouli
While every precaution has been taken in the preparation of this book, the publisher assumes no
responsibility for errors or omissions, or for damages resulting from the use of the information
contained herein.
Basic Setup of FortiMail Mail Server
Copyright © 2022 Dr. Hidaia Mahmood Alassouli
Written by Dr. Hidaia Mahmood Alassouli.
1. Introduction:
Email is a critical tool for everyday business communication and productivity. Fortinet's email
security solution - FortiMail delivers advanced multi-layered protection against the full spectrum
of email-borne threats. Powered by FortiGuard Labs threat intelligence and integrated into the
Fortinet Security Fabric, FortiMail helps your organization prevent, detect, and respond to email-based threats including spam, phishing, malware, zero-day threats, impersonation, and Business Email Compromise (BEC) attacks.
FortiMail virtual machines provide complete flexibility and portability for organizations wishing
to deploy email security infrastructure into a private or public cloud setting. FortiMail virtual
machines provide powerful scalability and ease-of-deployment.
For organizations wishing to deploy email protection in an on-premise setting or for service
providers who wish to extend email services to their customers, FortiMail appliances offer high
performance email routing and robust features for high availability.
Fortinet FortiMail provides multiple operating modes to choose from including API support for
Microsoft 365, Server Mode, Gateway Mode and Transparent Mode.
This report covers the basic setup of the FortiMail server and includes the following sections:
1. Part 1: Basic Concept for Sending Emails.
2. Part 2: Basic Setup of FortiMail.
3. Part 3: Access Control and Policies
4. Part 4: Sessions Management.
5. Part 5: FortiMail Authentication.
6. Part 6: Content Filtering.
7. Part 7: System Maintenance.
8. Part 8: Troubleshooting.
9. Part 9: Data Loss Prevention.
10. Part 10: Email Archiving.
11. Part 11: AntiVirus.
12. Part 12: AntiSpam.
13. Part 13: Personal Quarantine Management.
14. Part 14: Transparent Mode.
15. Part 15: Quick Guide for FortiMail Hardware Package Installation.
16. Part 16: Tutorial 1-Registering FortiMail Demo Account.
17. Part 17: Tutorial 2-Installing FortiMail in VMWare.
18. Part 18: Tutorial 3- Configuring FortiMail Using the Web Based Control Panel.
19. Part 19: Tutorial 4 - Creating AntiVirus, AntiSpam, Content Filtering and Session Profiles.
20. Part 20: Tutorial 5-Testing Access Control Rules.
21. Part 21: Tutorial 6- Testing Recipient Policies.
22. Part 22: Tutorial 7- Testing IP Policy.
23. Part 23: Tutorial 8 - Testing Relay Host.
24. Part 24: Tutorial 9- FortiMail Gateway Mode.
25. Part 25: Tutorial 10- FortiMail Transparent Mode.
26. Part 26: Tutorial 11- Authentication.
27. Part 27: Tutorial 12- Creating NFS Server in Ubuntu Linux Machine.
28. Part 28: Tutorial 13- Mounting the NFS share from Windows.
29. Part 29: Tutorial 14- Configuration and Mail Data Backup.
30. Part 30: Tutorial 15- Upgrading the Forti IOS Images through TFTP Server.
31. Part 31: References.
2. Part 1: Basic Concept for Sending Emails:
a) Sending and Receiving Emails:
1. Sending Emails:
• The MUA connects to the local mail server.
• The MTA performs a DNS MX record lookup on the domain portion of the recipient address.
• The local MTA connects to the remote MTA and transmits the message.
• The remote MTA delivers the message to the user's mailbox on the destination mail server.
• Example: user1 at example1.org wants to send an email to b at example3.com. Because post.example1.org is the local email server for the sender, the email goes through post.example1.org on its way to the destination.
• post.example1.org queries the public DNS MX record for post.example3.com and uses the entry with the lowest preference value, which in this case is relay.example2.net with preference 50. relay.example2.net also queries the DNS server; this time the entry with the smallest preference is mail.example3.com, so relay.example2.net forwards the email to mail.example3.com.
• Finally, user b@example3.com retrieves the email from mail.example3.com.
b) SMTP Standards:
1. Email on the Internet follows a standard called SMTP. The SMTP protocol was first published in 1982 as RFC 821.
2. Despite many subsequent extensions, SMTP remains true to its name. It is a relatively simple protocol with a limited number of commands and responses. The SMTP commands in this slide show how a client, usually an MUA or an intermediary MTA, performs various tasks.
3. Servers that support ESMTP can be asked to encrypt the email exchange using Transport Layer Security (TLS).
4. This slide shows the commands that are typically used between client and server during an email exchange. It starts with the client (the sending MTA or MUA) initiating a TCP session on TCP port 25. If the TCP session is established, the SMTP session is established when the server (the receiving MTA) presents its banner. The client then presents a HELO message, which the server acknowledges. At this point the client is free to start SMTP transactions by providing the envelope addresses. The client uses the DATA command to indicate the start of the message, which includes the header and body. The message header can include much more information than is shown in the slide. The client sends a single period on a new line to indicate the end of the message, and the server acknowledges the end of the SMTP transaction. To end the SMTP session, the client sends a QUIT message, which is acknowledged by the server. Then the TCP session is torn down.
5. The only exception to this interaction is between Microsoft Outlook and Microsoft Exchange servers, which use a Microsoft proprietary protocol called Messaging Application Programming Interface (MAPI). MAPI is used for both email transmission and retrieval between Microsoft Outlook and Microsoft Exchange.
6. A message header can contain a lot of useful information. Each email client has its own procedure for viewing the message header of a single email. Message headers are often used to gather information or troubleshoot email issues. The content of the message header remains intact when the email is forwarded as an attachment; forwarding the email itself destroys the original message header because the MUA creates a new header from the new point of origin. One of the most important parts of an email is the Received header. Every time an email is generated by an MUA or traverses an MTA, a Received header is added. At minimum, the Received header contains the IP address of the sender (if it is the first hop) or of the receiver (if it is an intermediary hop), as well as the date and time the email was processed by that hop. Depending on the vendor, the MTA sometimes adds a session ID for the email, as well as the TLS version and cipher information if applicable. The Received headers are stacked on top of each other: the bottom one shows where the email started its journey, and the top one shows where the email is currently located. As well as Received headers, other information in the message header includes the MIME headers, content headers, and subject.
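As an added example that is not part of the original report, the following Python script walks the Received headers of a constructed sample message in the order described above (bottom header first, since that is where the mail started) and pulls out each hop's hosts, IP address, TLS information and timestamp. The host names, addresses and session IDs in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: three hops, newest Received header on top.
# Hosts follow the report's example; addresses and IDs are fictitious.
SAMPLE_MESSAGE = """\
Received: from relay.example2.net (relay.example2.net [203.0.113.10])
\tby mail.example3.com with ESMTPS id 3Zk9x1; Mon, 06 Jun 2022 10:05:12 +0000
Received: from post.example1.org (post.example1.org [198.51.100.25])
\tby relay.example2.net with ESMTPS (TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384)
\tid 7Ab2c3; Mon, 06 Jun 2022 10:04:58 +0000
Received: from client-pc (unknown [192.0.2.77])
\tby post.example1.org with ESMTPA; Mon, 06 Jun 2022 10:04:31 +0000
From: user1@example1.org
To: b@example3.com
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

hello
"""

HOP_RE = re.compile(r"^from (\S+)(?: \(([^)]*)\))? by (\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TLS_RE = re.compile(r"\((TLS[^)]*)\)")


def parse_received(value: str) -> dict:
    """Extract from/by hosts, the bracketed IP, TLS info and the timestamp of one hop."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m = HOP_RE.match(flat)
    ip = IP_RE.search(flat)
    tls = TLS_RE.search(flat)
    # The date is conventionally the text after the last semicolon.
    when = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return {
        "from": m.group(1) if m else None,
        "by": m.group(3) if m else None,
        "ip": ip.group(1) if ip else None,
        "tls": tls.group(1) if tls else None,
        "time": parsedate_to_datetime(when) if when else None,
    }


def hops(raw_message: str) -> list:
    """Return the hops oldest first: the bottom Received header is the point of origin."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def timeline_is_consistent(hop_list: list) -> bool:
    """Each hop should be stamped no earlier than the previous one; a violation is worth a look."""
    times = [h["time"] for h in hop_list if h["time"] is not None]
    return all(a <= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    for i, hop in enumerate(hops(SAMPLE_MESSAGE), 1):
        print(i, hop["from"], hop["ip"], "->", hop["by"], hop["time"], hop["tls"] or "")
```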
c) SMTP Authentication:
1. The original RFC for SMTP did not include any requirements for security mechanisms. Email was transmitted in plain text by unauthenticated users. The AUTH extension was added in order to verify the sender's identity. MTAs that support ESMTP can enforce authentication to ensure that only authorized users can send emails. This verifies only the sender identity for outbound emails from protected domains; it does not prevent spoofing through inbound emails coming from external mail servers.
2. SMTPS implements a layer of security using TLS encryption, but it was never standardized.
3. MTAs need to maintain separate ports for encrypted sessions. Because SMTP uses port 25, SMTPS uses port 465 or 587.
4. With STARTTLS, the connection is made on the SMTP port and the TLS negotiation occurs after the SMTP session is established. If both sides agree, a secure connection is established and the remaining data is exchanged securely. Many ESMTP servers enforce STARTTLS for encryption. This means that the recipient MTA accepts the envelope addresses (MAIL FROM and RCPT TO) only after TLS is established.
5. In SMTP over TLS, the initial connection is made on the standard SMTP TCP port. The client, which can be an MUA or an MTA, transmits an EHLO message and is presented with the list of extensions supported on the server side of the connection. If STARTTLS is present in the list and the client wants a secure connection, the client responds with STARTTLS, which initiates the TLS negotiation between the two endpoints. After the secure connection is established, the remaining SMTP traffic is encrypted over the network.
6. In SMTPS, the server and client start the SMTP session inside a TLS tunnel, so it is fully encrypted from the beginning.
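As an added example that is not part of the original report, this Python class models the server side of the SMTP dialog from the SMTP Standards section (banner, EHLO, envelope, DATA terminated by a lone period, QUIT) together with the STARTTLS enforcement described in items 4 and 5 above: MAIL FROM and RCPT TO are refused with a 530 reply until the client has upgraded the session. The TLS handshake is simulated by a flag (no sockets are opened), and the host name and addresses are constructed.

```python
import re
from typing import List, Tuple


def extract_addr(arg: str) -> str:
    """Pull the address out of 'FROM:<a@b>' or 'TO:<a@b>' (angle brackets optional)."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()


class SmtpSession:
    """Server side of one SMTP session; TLS is only a flag here, no real handshake."""

    def __init__(self, hostname: str = "mail.example3.com", require_tls: bool = True):
        self.hostname = hostname
        self.require_tls = require_tls      # refuse MAIL/RCPT until STARTTLS completed
        self.tls = False
        self.helo = None
        self.mail_from = None
        self.rcpt_to: List[str] = []
        self.data_lines = None              # not None while inside DATA
        self.messages: List[Tuple[str, List[str], str]] = []
        self.closed = False

    def banner(self) -> str:
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line: str) -> str:
        """Process one client line and return the server reply ('' while reading DATA)."""
        if self.data_lines is not None:
            if line == ".":                 # lone period ends the message
                self.messages.append((self.mail_from, list(self.rcpt_to), "\n".join(self.data_lines)))
                self.data_lines, self.mail_from, self.rcpt_to = None, None, []
                return "250 OK: queued"
            # Dot-stuffing: a line the client sent as ".." carries a literal leading "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.helo = arg
            exts = [f"250-{self.hostname}", "250-SIZE 10240000"]
            if not self.tls:
                exts.append("250-STARTTLS")  # only advertised before the upgrade
            exts.append("250 8BITMIME")      # last line uses a space, not a dash
            return "\n".join(exts)
        if verb == "HELO":
            self.helo = arg
            return f"250 {self.hostname}"
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.tls = True
            self.helo = None                 # state is reset; the client must EHLO again
            return "220 Ready to start TLS"
        if verb in ("MAIL", "RCPT", "DATA") and self.helo is None:
            return "503 Send EHLO first"
        if verb in ("MAIL", "RCPT") and self.require_tls and not self.tls:
            return "530 Must issue a STARTTLS command first"
        if verb == "MAIL":
            self.mail_from = extract_addr(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command"
            self.rcpt_to.append(extract_addr(arg))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "554 No valid recipients"
            self.data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.closed = True
            return "221 Bye"
        return "500 Command not recognized"


def run_script(lines: List[str], require_tls: bool = True):
    """Feed a scripted client dialog through a session; returns (transcript, session)."""
    session = SmtpSession(require_tls=require_tls)
    transcript = [("", session.banner())]
    for line in lines:
        transcript.append((line, session.handle(line)))
    return transcript, session


# Constructed client dialog: the first MAIL FROM arrives before STARTTLS and is refused;
# after the upgrade the same envelope is accepted and a dot-stuffed body is queued.
CLIENT_SCRIPT = [
    "EHLO post.example1.org",
    "MAIL FROM:<user1@example1.org>",
    "STARTTLS",
    "EHLO post.example1.org",
    "MAIL FROM:<user1@example1.org>",
    "RCPT TO:<b@example3.com>",
    "DATA",
    "Subject: test",
    "",
    "..leading dot preserved",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for client, server in run_script(CLIENT_SCRIPT)[0]:
        print(f"C: {client}" if client else "", f"S: {server}" if server else "")
```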
d) Retrieving Emails:
1. POP is used to download new messages and store them locally in email clients. Typically, the messages are deleted from the server after download.
2. It is important to use POP in a secure way. The original RFC for POP did not implement any form of encryption, so passwords are sent in clear text unless the email server and client are configured to support the SSL/TLS extensions to POP3.
3. IMAP is another mail retrieval protocol that has multiple advantages over POP3. It provides more robust management of the email inbox, including message retention, allowing multiple managers of an inbox, folder management, and so on. IMAP is usually the go-to method for keeping multiple devices synchronized with the same inbox. Like POP3, IMAP functions on two separate ports. TCP port 143 can use a STARTTLS message to upgrade the connection to TLS encryption; otherwise, it functions in clear text. TCP port 993 is used for a connection that is encrypted from the start.
4. Now, when you look at the email flow example, you should be able to identify where the SMTP transactions occur and where the POP3, IMAP, MAPI, and webmail transactions occur.
e) Modes of Operation:
1. In gateway mode, FortiMail provides full MTA functionality. In the email path, FortiMail sits in front of the existing mail server and scans emails. If FortiMail detects spam, it discards it or stores it in user quarantine mailboxes on the local FortiMail device. FortiMail delivers all clean emails to the backend mail server. A DNS MX record change or a destination NAT rule on the firewall is required to redirect all inbound email traffic to the FortiMail device for inspection. For complete protection, all outbound emails should also be routed through FortiMail for inspection. A FortiMail gateway deployment is excellent for extending the scalability of the existing email infrastructure, because FortiMail can offload all security-related and message-queuing tasks from the backend mail servers.
2. In server mode, FortiMail provides all the typical functions of an email server as well as security scans. You can use FortiMail operating in server mode as a drop-in replacement for retiring email servers. It is also an excellent choice for environments deploying email servers for the first time. The same DNS MX record change or destination NAT rule change on the firewall is needed to redirect all inbound emails to FortiMail for inspection. After inspection, FortiMail delivers clean emails to the end users' inboxes, which are stored locally on FortiMail. End users use POP3, IMAP, and webmail to access their inboxes. Along with storing users' mailboxes, FortiMail running in server mode provides a complete group calendar, resource scheduling, webmail, and other advanced features.
3. In transparent mode, FortiMail is physically located in the email path to intercept email traffic transparently for inspection. When operating in transparent mode, FortiMail is not the intended IP destination of the email; therefore, no DNS MX record or DNAT rule changes are required. This allows you to deploy FortiMail in environments where you don't want IP address or MX DNS record changes. Transparent mode is often used in large MSSP or carrier environments.
3. Part 2: Basic Setup of FortiMail:
1. FortiMail has two interfaces for web access:
a) Login to the administrator interface:
https://<FortiMail FQDN or IP address>/admin
b) Login to the webmail interface:
https://<FortiMail FQDN or IP address>/
Most of the time, administrators use the GUI to configure and maintain FortiMail.
2. FortiMail Webmail:
a) The user inbox for server mode has the following folders:
Inbox, Drafts, Sent Items, Bulk, Trash, Encrypted Emails
b) The user inbox for Gateway mode has the following folders:
Drafts, Sent Items, Bulk, Trash, Encrypted Emails
3. Use the quick start wizard to configure the following:
• Password for the administrator account
• Network and time settings
• Local host settings
• Protected domains
• Incoming and outgoing antispam and antivirus settings
• Access control for SMTP relay
4. A password change is enforced at the first logon:
5. FortiMail has two views: Basic View and Advanced View.
• Basic view: commonly used options only, for day-to-day operations
• Advanced view: complete set of menu options
6. Very few configuration tasks require the use of the CLI.
For example, to make FortiMail comply with security standards, disable the POP3 and IMAP services if they are not being used.
7. User interface customization and console: You can customize elements of both the webmail and administration GUIs to apply alternate branding, colors, themes, default languages, and so on. Because you are already authenticated when you log in to the GUI, you can access the CLI with a single click. Alternatively, you can access the CLI over SSH using a separate SSH client.
8. Fortinet Security Fabric:
You can connect FortiMail to an upstream FortiGate so that it becomes part of the Security Fabric. FortiMail's antispam processing offloads other devices in the Security Fabric that would otherwise carry out this work.
9. Operation Mode and NTP Synchronization:
• The default operation mode is gateway mode; the other modes are server and transparent mode.
• Set the operation mode during the initial setup.
• Configure the time zone for accurate timestamps in logs and for MTA functionality.
10. Domain Name:
• Hostname + Local Domain Name = Fully Qualified Domain Name (FQDN)
• The FQDN should be globally resolvable, with a DNS address (A) record and a PTR record, especially if FortiMail is an outbound MTA.
11. Network Settings:
• Typically, in server or gateway mode only one interface is active. In transparent mode, depending on the deployment topology, multiple interfaces may be active.
• The default IP address and subnet mask for the port1 interface is 192.168.1.99/24.
• FortiMail also supports IPv6 and DHCP addresses.
• You can select access options to enable or disable access to FortiMail using HTTP, HTTPS, ping, SSH, SMTP, and Telnet.
• By default, there are no routes configured in FortiMail. You must define a default route to the Internet to make sure that FortiMail can reach FortiGuard and that email traffic flows correctly. You can configure more static routes as needed to accommodate networks that have multiple gateways. The fields in a new routing entry support IPv4 and IPv6 addresses.
• By default, FortiMail is preconfigured with FortiGate DNS servers. DNS plays a vital role in email transmission as well as FortiGuard connectivity, so the choice of DNS server can have a significant effect on the performance of FortiMail.
12. Administrator Accounts:
• FortiMail ships with a default admin user and an empty password field. Change the password to secure access to the device.
• You can set the access profile and domain to restrict administrators to certain sections of the GUI or to specific domains.
• Configure remote authentication for the administrator account. You can set the authentication type to local, or to remote using LDAP, RADIUS, PKI, or single sign-on authentication.
• For remote authentication types, you must also configure an additional profile that defines the details of the authentication. You can configure trusted hosts to restrict each account to specific IP subnets or addresses. You can also select the language and color theme for each administrator.
13. Admin Profile:
• You must associate each administrator user account with an admin profile, which defines the areas the administrator can access and the permissions to modify elements within those areas. The default super_admin_prof profile is assigned to the default admin account.
• You can also apply an admin profile dynamically through RADIUS. You will explore RADIUS and other authentication profiles later.
14. Enforcing Password Policies:
System > Configuration > Options
• You can create a single global password policy to enforce complex passwords, and you can choose which mail users and IBE users the policy applies to. The authentication server usually enforces the password policies for non-local mail users. To make sure that FortiMail complies with security standards, you can reduce the idle timeout and enable the login disclaimer. You can set the disclaimer to appear before or after the user logs in. You can also set the disclaimer to appear when an admin, webmail, or IBE user logs in.
• When you set the disclaimer for admin users, it also appears when admin users access the CLI using SSH or Telnet. You can also change the administration ports on the Options tab.
• If you change the default ports, you must update the applicable port forwarding rules on your organization's firewall to reflect the change.
15. Office 365 Threat Remediation:
• Starting with FortiMail 6.4.0, there is a separate GUI view for Microsoft 365 after the license is applied. Email messages can now be scanned in real time: the emails are scanned immediately after they arrive in the user's mailbox. You can also conduct an on-demand search and scan of email messages already delivered to users' inboxes. Once scanned, you can decide what to do with spam or infected emails. You can also manually apply actions to email messages you specify. Before you scan emails in Microsoft 365 mailboxes, you must connect to Microsoft 365. Note that the Microsoft 365 global administrator role is required to configure Microsoft 365 in FortiMail.
• Real-time scanning: A valid CA-signed certificate and FortiMail device reachability by hostname are required for this feature. Email is scanned immediately on arrival in the user's mailbox.
• Scheduled scanning / on-demand: Scans emails post-delivery when triggered by the administrator or on a schedule (useful for a POC).
• Profiles: Similar to recipient policies. Apply security profiles to email flows.
16. Protected Domains:
• To create protected domains, you must select different options depending on the operation mode of FortiMail.
• For gateway mode, you must define the domain and the destination SMTP server.
• For transparent mode, if you define a domain, you must specify the destination SMTP server.
• For server mode, you only need to define the domain, because FortiMail itself is the destination of the email messages.
• Protected domains also specify which email messages FortiMail considers inbound and which it considers outbound.
17. Email Direction:
• When FortiMail receives an email, it compares the domain part of the recipient email address with the list of protected domains. If there is a match, FortiMail considers the message to be incoming; otherwise, the message is outgoing.
• The direction of the email is important to FortiMail because it influences relay behavior.
- Incoming emails are relayed by default, and no additional configuration is required to allow email into the organization.
- By default, FortiMail rejects outgoing messages unless the sender is authenticated. This behavior is hard-coded to prevent FortiMail from being abused as an open relay.
18. Domain Associations:
• Domain associations allow multiple domains to share a single configuration in FortiMail. For example, any recipient-based policies created for the main domain apply to the associated domains as well. This is extremely convenient for environments that have more than one domain where you want to keep FortiMail protection consistent across all the domains. It helps to minimize redundant configuration, speeds up deployment, and eliminates configuration errors in the domains over time.
• When adding associated domains to FortiMail, update the MX records of the domains so that all inbound emails are delivered to FortiMail.
19. Server Mail Users:
• Because the user mailboxes are managed by FortiMail in server mode, you should create a user account entry for each user. You can configure these user accounts to authenticate locally or using LDAP or RADIUS.
• In server mode, the user inbox handles both regular email and the spam quarantine. You can use the User tab to create users, while the User Preferences tab allows you to manage users' preferences. The administrator can manage users' preferences using the administration interface, and the end user can manage their preferences using the webmail interface.
20. Gateway and Transparent Mode Users:
• In gateway and transparent modes, FortiMail maintains quarantine mailboxes. These mailboxes are created automatically when FortiMail needs to send emails to quarantine as a result of spam detection. You can't manually create users in FortiMail when it is configured in gateway or transparent mode. You can, however, manage users' preferences, such as block or allow list entries, using the administration GUI. End users can access their quarantine mailbox and account preferences using the webmail interface.
21. Recipient Verification:
• FortiMail configured in gateway or transparent mode processes all emails and attempts to relay them to the backend server. So what happens if the user account does not exist? In this case the backend server generates an error, and FortiMail creates a quarantine account where the email for the invalid user is quarantined. Over time, this leads to an excessive amount of storage space being used for emails to invalid users.
• There are two ways to deal with this: recipient address verification, or automatic removal of invalid quarantine accounts. To optimize the use of storage space, you must implement one of these features for gateway or transparent mode deployments.
• In server mode, recipient verification is part of the regular email handling process, so you don't need to configure this feature.
22. Recipient Address Verification:
• Recipient address verification is a setting that you can configure for each protected domain entry. When you enable recipient address verification, FortiMail verifies the recipient email address after the RCPT TO command for each inbound email, before allowing the sender to send the data portion of the email. If the recipient is found to be invalid, FortiMail rejects the email. This method keeps all invalid emails out of the FortiMail system, preserving storage for valid emails only.
• There are two methods for performing recipient address verification: SMTP and LDAP.
• Using the LDAP option requires you to configure an LDAP profile to define the LDAP server settings.
• Using the SMTP server option requires the backend server to support either the VRFY or the RCPT SMTP command. Typically, VRFY is disabled on most mail servers to prevent directory harvesting attacks.
23. Automatic Removal of Invalid Quarantine:
• You can use an alternate method to clean up quarantine mailboxes for invalid accounts. The automatic removal of invalid quarantine function removes all quarantine mailboxes that FortiMail created for invalid accounts after accepting their emails. Automatic removal of invalid quarantine uses the same options as recipient address verification: SMTP or LDAP. By default, it is scheduled to run at 4 AM local time. You can change the scheduled time using the CLI.
24. History Log:
• The logs shown in the History tab provide an overview of what happened to an email. A successful email transmission is classified as Not Spam.
25. FortiMail Queues:
• It might not be possible to deliver an email immediately. Delayed messages must be stored somewhere so that the MTA can try to send them at a later time.
• The mail queue holds emails that can't be sent immediately. That can happen because of circumstances such as the remote MTA being busy or a temporary loss of DNS or network connectivity.
• If a message can't be delivered or returned to the sender, it is placed in the dead mail queue. In most cases, messages end up in the dead mail queue because of a permanent failure.
• An email moves from the mail queue to the dead mail queue after the MTA has exhausted the maximum retry period without resolving the condition that caused the email to fail transmission in the first place.
26. Mail Queue Timers:
• When messages are placed in the mail queue, several timers are used to specify how the email is handled and when to send delivery status notifications (DSNs):
• Defines the maximum time an email can stay in the queue.
• Defines the number of hours that delayed emails can remain in the queue.
• Defines the number of hours that must pass before the email is considered delayed and a DSN is sent to the sender.
• Defines the retry interval in minutes.
• Defines the number of days an email can remain in the dead mail queue.
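As an added example that is not part of the original report, this Python function simulates the life of one queued message under the timers listed above: retries at the retry interval, a delayed DSN once the delay threshold passes, the move to the dead mail queue when the maximum queue time is exhausted, and the purge after the dead mail retention period. The field names and sample values are assumptions rather than FortiMail's own setting names, and the two "hours in queue" timers are folded into a single max_queue_hours value.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class QueueTimers:
    """Timers from the slide; names and default values are constructed for this example."""
    retry_interval_min: int = 15   # minutes between delivery attempts
    delay_warning_hours: int = 4   # hours before the sender receives a "delayed" DSN
    max_queue_hours: int = 12      # maximum time a message stays in the mail queue
    dead_mail_days: int = 7        # retention in the dead mail queue before purge


def simulate_queue(timers: QueueTimers,
                   succeed_on_attempt: Optional[int] = None) -> List[Tuple[int, str]]:
    """Return (minute, event) pairs for one message that gets temporary failures until
    attempt `succeed_on_attempt` (1-based); None means the remote MTA never accepts it."""
    events: List[Tuple[int, str]] = []
    attempt = 0
    minute = 0
    delay_dsn_sent = False
    max_minutes = timers.max_queue_hours * 60
    while minute < max_minutes:
        attempt += 1
        if succeed_on_attempt is not None and attempt >= succeed_on_attempt:
            events.append((minute, f"attempt {attempt}: delivered"))
            return events
        events.append((minute, f"attempt {attempt}: temporary failure"))
        # First failed attempt past the delay threshold triggers the "delayed" DSN.
        if not delay_dsn_sent and minute >= timers.delay_warning_hours * 60:
            events.append((minute, "delayed DSN sent to sender"))
            delay_dsn_sent = True
        minute += timers.retry_interval_min
    # Retry period exhausted: treated as a permanent failure, message moves to dead mail.
    events.append((max_minutes, "moved to dead mail queue, failure DSN sent"))
    events.append((max_minutes + timers.dead_mail_days * 24 * 60, "purged from dead mail queue"))
    return events


def count_attempts(events: List[Tuple[int, str]]) -> int:
    """Number of delivery attempts recorded in an event list."""
    return sum(1 for _, text in events if text.startswith("attempt"))


if __name__ == "__main__":
    for minute, text in simulate_queue(QueueTimers()):
        print(f"{minute:6d} min  {text}")
```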
27. Mail Queue Summary Display:
• Starting from FortiMail 6.4.0, a new widget has been added to view the mail queue status, which includes the incoming, outgoing, IBE, spam, virus outbreak, and sandbox queues.
4. Part 3: Access Control and Policies:
1. There are three types of policies: access control policies, IP-based policies, and recipient-based policies.
2. Use access control rules and delivery rules to control which SMTP clients can send email through the SMTP relay, and how FortiMail delivers the emails that it proxies or relays.
3. FortiMail applies recipient-based policies to individual email messages based on the recipient email address.
4. FortiMail applies IP-based policies based on the IP address of the connecting SMTP client.
5. Whether FortiMail is deployed in transparent mode or acts as the SMTP server, it evaluates the policies in top-down order, much like firewall rules. Once the email flow matches a policy, FortiMail skips any remaining policies in the list.
6. FortiMail maintains a single global list of IP policies, but maintains domain-specific lists of recipient-based policies if there are multiple protected domains.
7. Policy profiles define which types of inspections and actions to perform on the mail flow. Different types of profiles govern different types of inspections. Profile types include session, antispam, antivirus, and so on.
8. You can enable and configure specific processing activities and profiles.
9. Each inspection profile other than the session profile has a corresponding action profile that defines the action taken on an email as a result of the scan. Possible actions include Reject, Discard, Personal Quarantine, System Quarantine, and so on.
a) IP Based Policies:
1. IP-based policies use the source and destination IP as selection criteria. This is useful in situations where it is preferable to distinguish between email traffic using IP information, such as when the FortiMail server is placed between the Internet and a large mail server. Session profiles are available only through IP policies and perform actions that apply only to information gathered early in the SMTP connection process. This detects malicious activity even before FortiMail processes the SMTP header, so a session profile can eliminate the need to conduct more resource-intensive scans.
2. The two policy types have different capabilities. The most significant differences are that session profiles can be applied only from IP-based policies, and that IP-based action profiles do not support user quarantine options.
3. If both an IP-based policy and a recipient-based policy match the email, the settings in the recipient-based policy take precedence, unless you have enabled the option to take precedence over the recipient-based policy in the IP-based policy.
4. You can check all the rejected messages from the log screen:
b) Recipient-Based Policies:
1. FortiMail maintains separate lists for inbound and outbound recipient-based policies. If you configure inspection profiles using recipient-based policies, you should still have at least one IP-based policy to apply a session profile to all SMTP sessions. Recipient policies allow more granularity when applying inspection to specific email flows. Note that system recipient-based policies take precedence over domain recipient-based policies.
2. Recipient-based policy configuration settings:
c) Access Rules:
1. Access receive rules specify whether an email is allowed to use FortiMail services. You can think of these rules as access control lists (ACLs) that allow or deny SMTP sessions.
2. If an SMTP session does not match any rule, or no rules are defined, and the sender is unauthenticated, the default behavior of FortiMail is based on the RCPT TO address of the envelope. If the email is destined for a protected domain, FortiMail relays it; if the email is not destined for a protected domain, FortiMail rejects it. The default behavior prevents FortiMail from acting as an open relay. This is the reason to explicitly define an access receive rule, so that FortiMail can act as an outbound MTA and relay outbound emails.
3. The selection criteria of access receive rules are based on the sender IP from the IP header and the recipient email address from the SMTP envelope. Access receive rules are applied before any message header inspection.
In this example, the access rule allows all emails to any recipient as long as the sender domain is internal.lab and the source IP is the host 10.0.1.99.
4. There are five possible actions:
5. Access delivery rules provide control over connections that originate from FortiMail. You can create access delivery rules to match sender or recipient patterns as well as a destination IP address or subnet. Access delivery rules allow you to enforce TLS for SMTP sessions. They also allow you to apply secure MIME (S/MIME) or identity-based encryption (IBE) to specific sessions. Access delivery rules are required to establish email flow.
6. Create access receive rules for transparent and gateway deployments if you want to scan outbound emails using FortiMail. In gateway mode you must make configuration changes on the back-end server. These changes make sure that all outbound emails from the mail server are sent to FortiMail instead of being routed to the Internet using the server's own MTA functionality. When you create the rules, use precise matching criteria. For example, when you specify the back-end mail server, use a /32 mask.
7. In a server mode deployment, the access receive rule is very similar to the gateway and transparent mode example. However, in the source IP/netmask field you will most likely enter the actual subnet instead of a host address, because end users connect directly to FortiMail.
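As an added example (not the report's or Fortinet's code), the following Python models how the email direction from Part 2 and the access receive rules above combine into a relay decision: rules are evaluated top-down and the first match wins, and when nothing matches the hard-coded default applies (relay incoming, reject outgoing unless the sender is authenticated). Only the relay and reject actions are modelled; the protected domains, rule values and session data are constructed, with the rule taken from the internal.lab / 10.0.1.99 example in the text.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed protected domains (the names the report's examples use).
PROTECTED_DOMAINS = {"example1.org", "internal.lab"}


@dataclass
class Session:
    """What FortiMail knows when it evaluates access receive rules: client IP and envelope."""
    client_ip: str
    mail_from: str
    rcpt_to: str
    authenticated: bool = False


@dataclass
class AccessReceiveRule:
    """One rule: glob patterns on the envelope addresses, a source host or subnet, an action."""
    sender: str = "*"
    recipient: str = "*"
    source: str = "0.0.0.0/0"
    authenticated: Optional[bool] = None   # None = match either
    action: str = "relay"                  # "relay" or "reject" (the two actions modelled)

    def matches(self, s: Session) -> bool:
        if self.authenticated is not None and s.authenticated != self.authenticated:
            return False
        if ipaddress.ip_address(s.client_ip) not in ipaddress.ip_network(self.source, strict=False):
            return False
        return (fnmatchcase(s.mail_from.lower(), self.sender.lower())
                and fnmatchcase(s.rcpt_to.lower(), self.recipient.lower()))


def direction(rcpt_to: str, protected=PROTECTED_DOMAINS) -> str:
    """Incoming if the recipient domain is a protected domain, otherwise outgoing."""
    domain = rcpt_to.rpartition("@")[2].lower()
    return "incoming" if domain in protected else "outgoing"


def default_decision(s: Session) -> str:
    """Hard-coded open-relay protection: relay incoming; reject outgoing unless authenticated."""
    if direction(s.rcpt_to) == "incoming":
        return "relay"
    return "relay" if s.authenticated else "reject"


def decide(s: Session, rules: List[AccessReceiveRule]) -> Tuple[str, Optional[int]]:
    """Top-down evaluation; returns (action, index of the matching rule, or None for the default)."""
    for i, rule in enumerate(rules):
        if rule.matches(s):
            return rule.action, i
    return default_decision(s), None


# The report's example rule: any recipient, sender domain internal.lab, source host 10.0.1.99 (/32).
RULES = [AccessReceiveRule(sender="*@internal.lab", source="10.0.1.99/32", action="relay")]


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed sessions covering the default behaviour and the explicit rule."""
    cases = {
        "inbound_from_internet": Session("203.0.113.5", "x@outside.example", "b@example1.org"),
        "outbound_from_backend": Session("10.0.1.99", "a@internal.lab", "c@outside.example"),
        "outbound_from_other_host": Session("10.0.1.100", "a@internal.lab", "c@outside.example"),
        "outbound_authenticated": Session("198.51.100.9", "a@example1.org", "c@outside.example", True),
    }
    return {name: decide(s, RULES) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:26s} -> {action} ({'rule ' + str(idx) if idx is not None else 'default'})")
```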
d) Access Delivery Control:
1. An MTA IP address might be block-listed if it sends outgoing email at a high rate. Marketing mail campaigns can cause corporate IP addresses to be registered in a DNSBL. To solve this problem, you can rate-limit email delivery at the system level. In the recipient domain field, you specify the recipient domain that the policy applies to. You can use the wildcard asterisk to apply this policy to all domains. Starting from FortiMail 6.4, you can restrict the number of recipients per message in the access control delivery configuration.
e) History Log Policy ID:
5. Part 4: Sessions Management:
a) Sessions Management:
1. The overall objective of session profile inspection is to detect suspicious activity as early as possible. Early detection allows FortiMail to take action early and eliminates the need to perform some or all of the resource-intensive scans that are required after the email message arrives.
2. Session profiles are unique in that they can only be referenced by IP policies. You should create separate IP policies for inbound and outbound email, regardless of the deployment mode you are using.
3. Session profiles allow you to specify profile features for your internal assets, such as sender reputation, while still enforcing those features for all inbound email.
4. The settings in the connection settings section allow you to limit the number of connections, messages, recipients, and concurrent connections per client. Since each connection consumes resources, you can use these limits to prevent a single MTA from exhausting the resources of FortiMail services.
5. A FortiMail operating in transparent mode has two additional options in the GUI that govern low-level connection behavior.
6. As FortiMail processes and scans email, it maintains a sender reputation score for the IP address of each external MTA that opens an inbound SMTP connection. The score is calculated as the percentage of email from that sender that was spam, contained a virus, or had invalid senders or recipients during a 12 hour period. The higher the score, the worse the sender reputation. In the session profile, you can set the sender reputation feature's score thresholds at which FortiMail throttles the client, issues a fail message, or rejects the client at this early stage. FortiMail can also check the reputation of the sender IP against the FortiGuard block list database. The FortiGuard IP reputation check drop-down list has three possible settings. If you select “Use Antispam Profile settings”, FortiMail processes the entire message before applying the action. If you select “When client connects”, FortiMail applies the FortiGuard IP reputation check during the connection phase.
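The following Python model, added here as an illustration and not taken from FortiMail, computes a sender reputation score the way item 6 describes it: the percentage of messages from a client IP that were spam, carried a virus or had invalid addresses during the last 12 hours, and the early-stage action taken when that score crosses a threshold. The thresholds, IP addresses and message outcomes are constructed for the example; FortiMail's actual defaults are not given on this page.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)  # the 12 hour period over which the score is computed


class SenderReputation:
    """Sliding-window sender reputation model (example, not FortiMail's code).

    score = 100 * (spam + virus + invalid sender/recipient) / total messages
    seen from the client IP during the last 12 hours. Higher is worse.
    """

    def __init__(self, throttle_at=30.0, tempfail_at=60.0, reject_at=80.0):
        # Hypothetical thresholds: a real session profile would set these.
        self.throttle_at = throttle_at
        self.tempfail_at = tempfail_at
        self.reject_at = reject_at
        self._events = {}  # client ip -> deque of (timestamp, is_bad)

    @staticmethod
    def _expire(queue, now):
        # Drop events older than the window so the score only reflects 12 h.
        while queue and now - queue[0][0] > WINDOW:
            queue.popleft()

    def record(self, client_ip, when, is_bad):
        """Record one scanned message; is_bad covers spam, virus or invalid addresses."""
        queue = self._events.setdefault(client_ip, deque())
        queue.append((when, is_bad))
        self._expire(queue, when)

    def score(self, client_ip, now):
        queue = self._events.get(client_ip)
        if not queue:
            return 0.0
        self._expire(queue, now)
        if not queue:
            return 0.0
        bad = sum(1 for _, flagged in queue if flagged)
        return 100.0 * bad / len(queue)

    def action_on_connect(self, client_ip, now):
        """Decision taken when the client opens a new inbound SMTP connection."""
        current = self.score(client_ip, now)
        if current >= self.reject_at:
            return "reject"
        if current >= self.tempfail_at:
            return "tempfail"
        if current >= self.throttle_at:
            return "throttle"
        return "accept"


def demo():
    """Constructed history: one noisy sender, one clean sender (documentation IPs)."""
    rep = SenderReputation()
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    # 203.0.113.10: 7 of 10 messages flagged within the first ten minutes
    for i in range(10):
        rep.record("203.0.113.10", t0 + timedelta(minutes=i), is_bad=(i < 7))
    # 198.51.100.5: 1 of 4 flagged
    for i in range(4):
        rep.record("198.51.100.5", t0 + timedelta(minutes=i), is_bad=(i == 0))
    now = t0 + timedelta(minutes=10)
    return {
        "noisy_score": rep.score("203.0.113.10", now),
        "noisy_action": rep.action_on_connect("203.0.113.10", now),
        "clean_score": rep.score("198.51.100.5", now),
        "clean_action": rep.action_on_connect("198.51.100.5", now),
        # 13 hours later the window has slid past all of the bad events
        "noisy_action_later": rep.action_on_connect("203.0.113.10", t0 + timedelta(hours=13)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the 12 hour window is visible in the last entry of the result: a sender that was bad this morning is judged only on what it did in the last 12 hours, so a score decays without any manual reset.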
7. You can view the current sender reputation statuses on the sender reputation page (“Monitor/Reputation/Sender Reputation”). By default, this view shows the scores sorted in descending order, with the worst reputation at the top.
8. Use the CLI to clear the sender reputation database:
# execute db reset sender-reputation
9. Endpoint Reputation:
Because the IP address of a mobile device can change frequently, you can use endpoint reputation to track reputation scores of the devices themselves. Endpoint reputation uses the unique MSISDN number associated with the device's SIM card to identify mobile devices that could be compromised or sending spam or infected messages. The endpoint reputation features are mainly used by carriers to block messages from compromised mobile devices; by blocking these messages, the carriers protect the internet reputation of their own IP address space. You must integrate FortiMail with a back-end RADIUS server in order to map IP addresses to their MSISDN values.
10. Sender Validation:
The most common sender validation technique is SPF. Using SPF, the domain owner publishes a specially formatted DNS TXT record that lists the authorized MTAs for the domain. The security of the scheme relies on the fact that only domain administrators are allowed to change the domain's DNS records. If you enable DNS SPF verification in the session profile, FortiMail performs a DNS TXT lookup for the sending domain of every email session. If an SPF entry exists, FortiMail compares the addresses in it with the address of the sending MTA. The sender reputation score decreases for authorized clients and increases for non-authorized clients.
11. While SPF is not universally adopted, it is an effective way to validate sender IP addresses. Enabling the SPF check in the session profile for all email is not detrimental, because if FortiMail does not receive a response to the DNS TXT lookup it simply skips the SPF check and continues processing the email. The SPF check can be enabled in the session profile, in the antispam profile, or in both. However, if you select “Bypass SPF checking” in the session profile, SPF checking is bypassed even if you enabled it in the antispam profile.
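To make the SPF mechanics of items 10 and 11 concrete, here is an added Python example (written for this report, not FortiMail's implementation) that evaluates a published SPF record against the sending MTA's address and applies the rule from item 11: when the TXT lookup returns nothing, the check is skipped and processing continues. The DNS data is a constructed in-memory table using documentation domains and addresses, and only the ip4/ip6/all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT answers (documentation names, not real zones).
# A missing key models "no DNS response", the case in which the SPF check is skipped.
FAKE_DNS_TXT = {
    "internal.lab": ["v=spf1 ip4:10.0.1.0/24 ip4:203.0.113.25 -all"],
    "partner.example": ["v=spf1 ip6:2001:db8::/32 ip4:198.51.100.0/24 ~all"],
    "nospf.example": ["some unrelated TXT record"],
}


def lookup_txt(domain):
    """Hypothetical resolver: returns the TXT records, or None when there is no answer."""
    return FAKE_DNS_TXT.get(domain)


def find_spf_record(txt_records):
    """A domain may publish several TXT records; the SPF policy is the one starting v=spf1."""
    for record in txt_records:
        if record.lower().startswith("v=spf1"):
            return record
    return None


def evaluate_spf(record, client_ip):
    """Evaluate ip4:/ip6: mechanisms and the 'all' terminator against the client IP.

    Only the address-literal subset of RFC 7208 is implemented here; a, mx,
    include and redirect (which need further DNS lookups) are treated as non-matching.
    """
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            matched = True
        elif term.lower().startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == network.version and ip in network
        else:
            matched = False  # unsupported mechanism in this example
        if matched:
            return results[qualifier]
    return "neutral"  # record exhausted with no matching term


def spf_check(sender_domain, client_ip):
    """Session-profile style check: skip when DNS does not answer, otherwise evaluate."""
    txt_records = lookup_txt(sender_domain)
    if txt_records is None:
        return "skipped"  # no DNS response: continue processing without an SPF verdict
    record = find_spf_record(txt_records)
    if record is None:
        return "none"  # domain publishes TXT records but no SPF policy
    return evaluate_spf(record, client_ip)


def reputation_delta(spf_result):
    """How the verdict feeds the sender reputation score: authorized clients improve
    (score decreases), unauthorized clients worsen (score increases)."""
    return {"pass": -1, "fail": +1, "softfail": +1}.get(spf_result, 0)
```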
12. DKIM:
DKIM validates that the sending server is authorized to send mail for the domain. It also validates that the mail content has not changed since it was sent by that server. DKIM uses a public/private key signing process, with the DKIM public key stored in DNS. The sending MTA uses its DKIM private key to generate a signature and inserts it into the email header. The receiving MTA queries the DNS TXT record that contains the DKIM public key and uses it to validate the DKIM signature in the email header. DKIM validation requires more processing than SPF validation.
13. DKIM Signing for Outbound Email:
To configure DKIM signing for outgoing email, you must generate a public and private key pair for the domain; DKIM keys are domain specific. FortiMail generates and stores the private key and uses it to generate the DKIM signature. After the DKIM key is generated and activated, you must download the public key and publish it on your external DNS server. Then, in the session profile, enable DKIM signing for outgoing messages to start affixing the DKIM signature to all outbound email headers.
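As an added example (not FortiMail's code), the Python below shows the part of DKIM from items 12 and 13 that verifies that the mail content has not changed: the body is canonicalized, hashed and carried in the bh= tag of the DKIM-Signature header, and the receiver recomputes it. Producing the b= value with the domain's RSA private key and fetching the public key from the selector._domainkey TXT record are left out, since they need a crypto library and live DNS; the domain, selector and message body are constructed.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: drop empty lines at the end,
    keep everything else byte for byte, and end with exactly one CRLF."""
    text = body.replace("\r\n", "\n").rstrip("\n")
    return text.replace("\n", "\r\n") + "\r\n"


def canonicalize_body_relaxed(body):
    """'relaxed' body canonicalization: collapse runs of whitespace within a line
    to one space, strip trailing whitespace on each line, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, canon="relaxed"):
    """The bh= tag: base64(SHA-256) of the canonicalized body."""
    canon_fn = canonicalize_body_relaxed if canon == "relaxed" else canonicalize_body_simple
    digest = hashlib.sha256(canon_fn(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_dns_name(selector, domain):
    """Where the receiving MTA looks for the public key TXT record."""
    return f"{selector}._domainkey.{domain}"


def build_signature_tags(domain, selector, body, signed_headers=("from", "to", "subject", "date")):
    """Tags the signer places in DKIM-Signature before computing b=. The b= value
    itself is an RSA signature over the canonicalized headers and is not produced here."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(signed_headers)}; bh={body_hash(body, 'relaxed')}; b=")


def parse_tags(header_value):
    """Split 'k=v; k=v' into a dict; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def verify_body_hash(dkim_signature_value, body):
    """Receiver-side check that the body was not altered in transit: recompute bh=
    with the canonicalization named in c= and compare. A False here means the
    signature cannot be valid no matter what the DNS public key says."""
    tags = parse_tags(dkim_signature_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    return tags.get("bh") == body_hash(body, body_canon)


SAMPLE_BODY = "Quarterly figures attached.  \r\nRegards,\r\nAlice\r\n\r\n"  # constructed
```

Relaxed canonicalization is what lets a signature survive MTAs that trim trailing whitespace or add a blank line at the end of the body; any change to the actual text still breaks the hash, as the second check below demonstrates.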
14. The session settings section contains the settings that you use to inspect and control many aspects of the SMTP protocol. Most legitimate MTA implementations are based on mature code bases and are standards compliant, so the chance of SMTP errors occurring is almost zero. Spammers, on the other hand, use home-grown scripts that often exhibit protocol errors. You can use strict syntax and invalid character checking to identify suspicious behavior and reject sessions that show abnormalities. You can also have FortiMail acknowledge the end of message or, if using transparent mode, switch to splice mode to prevent the session from timing out because of antispam inspection.
15. FortiMail instances operating in transparent mode have additional options that you can use to manipulate the SMTP session. These options include the ability to rewrite the EHLO or HELO greeting strings and to prevent session encryption negotiation so that messages are sent in clear text. This enables FortiMail to scan the content of mail messages that would otherwise be encrypted.
16. Unauthenticated Session Settings:
Unauthenticated session settings control sessions that are not authenticated using SMTP AUTH. These settings enable you to enforce stricter checks. When domain checks are used, the domain claimed in EHLO or HELO, the sender domain (MAIL FROM column), and the recipient domain (RCPT TO column) must be resolvable in DNS as either an A or an MX record. If the domain can't be resolved, the SMTP command is rejected with the appropriate error code.
17. SMTP Limits:
You can set limits on SMTP sessions to restrict common spamming techniques. The default settings work well, but you can adjust them if necessary. Noteworthy settings include restrictions on the number of SMTP greetings (EHLO or HELO), RSETs, and NOOPs. Legitimate connections require only a few of these commands in a given session, whereas spammers may abuse them. Closing the session when these limits are reached forces spammers to reconnect if they want to continue; however, they are just as likely to abandon the attack and move to the next target. The Cap message size (KB) option is commonly used to control email size.
18. Error Handling:
Compliant SMTP servers don't generate errors, so SMTP errors can indicate misuse. FortiMail can penalize misbehaving clients, including disconnecting them if they exceed a maximum number of errors. The first limit you can set is the number of SMTP errors that are tolerated before a delay is imposed on the client. After this value is reached, the client is delayed for the number of seconds specified in the Delay for non-free error (seconds) field; during this time, FortiMail does not accept any SMTP commands from the remote MTA in that session. Each subsequent error results in an additional incremental delay, as specified in the Delay increment for subsequent errors (seconds) field. After the number of errors exceeds the value of the Maximum number of errors allowed for each connection field, FortiMail drops the connection.
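The counters in items 17 and 18 can be sketched in a few lines. The following Python class is an added example (not FortiMail's code) that closes a session when the greeting, RSET or NOOP count exceeds its limit and applies the free-error, base delay, increment and maximum-error logic to SMTP errors; every numeric default is a hypothetical value chosen for the example, and the transcript it replays is constructed.

```python
class SmtpSessionGuard:
    """Per-session counters modelling the SMTP limits (item 17) and error handling
    (item 18) settings. Example code, not FortiMail's; all numeric defaults are
    hypothetical values chosen for illustration, not FortiMail defaults."""

    def __init__(self, max_greetings=3, max_rset=5, max_noop=5,
                 free_errors=2, delay_non_free=5, delay_increment=5, max_errors=6):
        self.limits = {"greeting": max_greetings, "RSET": max_rset, "NOOP": max_noop}
        self.counts = {"greeting": 0, "RSET": 0, "NOOP": 0}
        self.free_errors = free_errors          # errors tolerated before any delay
        self.delay_non_free = delay_non_free    # delay for the first non-free error
        self.delay_increment = delay_increment  # added for each subsequent error
        self.max_errors = max_errors            # exceeding this drops the connection
        self.errors = 0
        self.closed = False

    def on_command(self, verb):
        """Count greetings/RSET/NOOP; returns 'close' when a limit is exceeded, else None."""
        if self.closed:
            return "close"
        key = {"EHLO": "greeting", "HELO": "greeting",
               "RSET": "RSET", "NOOP": "NOOP"}.get(verb.upper())
        if key is None:
            return None  # MAIL, RCPT, DATA etc. are not subject to these counters
        self.counts[key] += 1
        if self.counts[key] > self.limits[key]:
            self.closed = True
            return "close"
        return None

    def on_error(self):
        """Called after a command drew a 4xx/5xx reply.
        Returns (delay_seconds, 'continue' | 'drop')."""
        self.errors += 1
        if self.errors > self.max_errors:
            self.closed = True
            return (0, "drop")
        if self.errors <= self.free_errors:
            return (0, "continue")
        # first non-free error: base delay; each further one adds the increment
        steps = self.errors - self.free_errors - 1
        return (self.delay_non_free + self.delay_increment * steps, "continue")


def replay(events, **limits):
    """Run a constructed transcript of ('cmd', VERB) / ('error',) events and return
    the outcomes in order, so a limit set can be sanity-checked before deployment."""
    guard = SmtpSessionGuard(**limits)
    outcomes = []
    for event in events:
        if event[0] == "cmd":
            outcomes.append(guard.on_command(event[1]))
        else:
            outcomes.append(guard.on_error())
    return outcomes


# Constructed transcript of a script-like client: a greeting, then far too many NOOPs.
SAMPLE_EVENTS = [("cmd", "EHLO")] + [("cmd", "NOOP")] * 6
```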
19. Header Manipulation:
As an email travels from MTA to MTA, each MTA adds a new Received header entry to the email. This not only increases the size of the header, but also reveals details of the internal network that you may want to keep private. You can use the header manipulation settings of the session profile to remove these headers, typically on all outbound email. Be careful not to violate SMTP standards when deleting specific headers, because there may be unintended consequences if other mail processing devices require or verify those headers.
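Added example (not FortiMail's code) of the header manipulation described in item 19, using Python's standard email module: it removes every Received and X-Originating-IP header from a constructed outbound message while leaving From, Date and Message-ID untouched, which are the headers other devices are most likely to require. The sample message and the list of headers to strip are this example's own choices.

```python
from email import message_from_string

# Constructed outbound message with internal relay hops and a leaking X-Originating-IP.
SAMPLE_OUTBOUND = """Received: from mailhost.internal.lab (10.0.1.99) by fortimail.internal.lab; Mon, 1 Jan 2024 09:00:00 +0000
Received: from workstation-17.internal.lab (10.0.2.17) by mailhost.internal.lab; Mon, 1 Jan 2024 08:59:58 +0000
X-Originating-IP: 10.0.2.17
From: alice@internal.lab
To: bob@partner.example
Date: Mon, 1 Jan 2024 08:59:58 +0000
Message-ID: <constructed-0001@internal.lab>
Subject: Quarterly numbers

Hello Bob, see attached.
"""

# Headers that reveal internal topology and that a relay may drop on outbound mail.
# From, Date and Message-ID are deliberately absent from this list: RFC 5322
# requires the first two and downstream loop detection relies on the third.
STRIP_ON_OUTBOUND = ("Received", "X-Originating-IP", "X-Mailer")


def header_names(raw):
    """All header field names in order, including repeats."""
    return [name for name, _ in message_from_string(raw).items()]


def strip_internal_headers(raw, to_strip=STRIP_ON_OUTBOUND):
    """Remove every occurrence of the listed headers; return (new_text, removed_count)."""
    msg = message_from_string(raw)
    removed = 0
    for name in to_strip:
        removed += len(msg.get_all(name, []))
        del msg[name]  # deletes all occurrences of that field name
    return msg.as_string(), removed
```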
20. Session Lists:
You can also configure each session profile to use independent sender and recipient block and safe lists. The lists contain email addresses used to block or allow certain senders or recipients when that session profile is used. FortiMail applies session profile lists very early in its order of execution; they are overridden only by the system safe and block lists.
b) Understanding FortiMail GeoIP:
FortiMail uses the GeoIP database to determine the geographic locations of client IP addresses. You can use GeoIP groups in access rules and IP-based policies. The GeoIP service looks up the IP geolocation in the GeoIP database; however, in some cases the lookup might not be accurate, for example when clients use proxies. With FortiMail you can override the GeoIP lookup by manually specifying the geolocation of some IP addresses and IP ranges. When you create GeoIP groups, you can use the overridden geolocations in the groups.
c) Understanding Sender Address Rate Control:
1. By using sender address rate control, you can control the outbound email rate based on the sender address. Without any rate limit, a single sender can potentially monopolize FortiMail session capacity by sending an unlimited number of messages, which in some circumstances could result in a poor reputation being assigned to the organization's MX IP address. In the worst case, the MX IP address could be placed on an internet block list if a compromised endpoint infected with a spam bot starts sending out mass spam email. The sender address rate control settings are part of the domain entry for each protected domain. They provide granular control of the messages sent in terms of number of messages and total size (in MB), and even the ability to notify someone when the rate limit is triggered. You can choose to reject sessions from senders that triggered the rate limits, or to temporarily fail them to allow transmission at a later time.
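An added Python model of sender address rate control (example code, not FortiMail's): each sender address gets a sliding window with a message-count and total-size limit, a configurable reject or temporary-fail verdict, a notification hook, and a block duration of the kind the log described in item 2 reports. The window, limits and sender addresses are constructed for the example.

```python
from collections import deque


class SenderAddressRateControl:
    """Per protected domain limits on how much mail one sender address may send
    in a window (example model, not FortiMail's code). Limits are hypothetical."""

    def __init__(self, window_seconds=3600, max_messages=100, max_megabytes=50,
                 action="tempfail", notify=None):
        assert action in ("reject", "tempfail")
        self.window = window_seconds
        self.max_messages = max_messages
        self.max_bytes = max_megabytes * 1024 * 1024
        self.action = action
        self.notify = notify or (lambda sender, reason, until: None)
        self._sent = {}           # sender -> deque of (timestamp, size_bytes)
        self._blocked_until = {}  # sender -> timestamp when sending may resume

    def check(self, sender, size_bytes, now):
        """Decide for one outbound message. Returns (verdict, seconds_until_unblocked)."""
        until = self._blocked_until.get(sender)
        if until is not None and now < until:
            return (self.action, until - now)
        history = self._sent.setdefault(sender, deque())
        while history and now - history[0][0] >= self.window:
            history.popleft()  # slide the window forward
        count = len(history) + 1
        total = sum(size for _, size in history) + size_bytes
        if count > self.max_messages or total > self.max_bytes:
            reason = "message count" if count > self.max_messages else "total size"
            until = now + self.window
            self._blocked_until[sender] = until
            self.notify(sender, reason, until)  # e.g. mail the postmaster
            return (self.action, self.window)
        history.append((now, size_bytes))
        return ("accept", 0)


def demo():
    """Constructed burst: one mailbox sends four messages in four seconds against a
    three-message limit, then tries again after the window has passed."""
    notices = []
    rc = SenderAddressRateControl(window_seconds=600, max_messages=3, max_megabytes=10,
                                  action="tempfail",
                                  notify=lambda s, r, u: notices.append((s, r)))
    verdicts = [rc.check("alice@internal.lab", 20_000, t)[0] for t in (0, 1, 2, 3)]
    later = rc.check("alice@internal.lab", 20_000, 604)[0]
    oversize = SenderAddressRateControl(window_seconds=600, max_messages=3, max_megabytes=1,
                                        action="reject").check("bob@internal.lab",
                                                               2 * 1024 * 1024, 0)
    return {"verdicts": verdicts, "later": later, "notices": notices, "oversize": oversize}
```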
2. In the FortiMail log you can see the sender address rate control event and the action taken. The search results contain information about rate limit violations as well as how long the user will be blocked from sending new messages.
6. Part 5: FortiMail Authentication:
a) Authentication Profiles:
1. On FortiMail, you use authentication profiles to define the server details and protocol options that support authentication.
2. FortiMail supports SMTP, IMAP, POP3, and RADIUS integration. All deployment modes can also use LDAP profiles for LDAP server integration. LDAP profiles provide more advanced functionality, such as alias and group lookups, which can't be achieved using authentication profiles.
3. FortiMail supports the RADIUS Access-Challenge message to allow for two-factor authentication. RADIUS authentication profiles can also be used to define administrator accounts' domain and access profiles dynamically using vendor-specific attributes.
4. There are two methods of enabling authentication: IP-based policies and inbound recipient-based policies. You don't need to explicitly enable user authentication in server mode deployments because it is enabled by default. Policies enable authentication but they don't enforce it; you enforce it using access receive rules.
5. You can configure administrative accounts individually using RADIUS, PKI, and LDAP authentication profiles. You can configure wildcard authentication if you use RADIUS or LDAP.
6. Source and destination IP information triggers IP-based policies. IP policies support SMTP, POP3, IMAP, LDAP, and RADIUS authentication.
7. Incoming recipient-based policies offer more flexibility. You can use recipient-based policy authentication to allow SMTP, POP3, RADIUS, IMAP, LDAP, and webmail access.
8. Policies enable but do not force authentication. To enforce SMTP authentication, you must create appropriate access receive rules. For gateway deployments, access control receive rules could apply to individual hosts, such as auto-mailers that use FortiMail as a mail relay. For server mode deployments, however, you should enable access control receive rules for the entire user base to ensure that FortiMail is not being used by unauthorized users to relay spam.
9. SMTP authentication mitigates SMTP brute force attacks by tracking the IP address of the offending client attempting to connect to the box (SMTP attackers). If a user has consecutive successful logins within the specified period of time, the user's IP address is added to the auto-dynamic exempt list.
10. FortiMail tracks failed login attempts made from the CLI, mail, and web interfaces. Blocked IP addresses can be deleted manually or added to the exempt list. Starting with 6.4, a new violation column is added to the reputation table to show the cause of the access violation.
11. If an SMTP authentication attempt was unsuccessful, the system creates an entry in the history log and assigns it the Authentication failure classifier.
b) Understanding Maximum Email Size:
1. FortiMail rejects all email larger than 10 MB. The size limit is enforced by the kernel and includes the message header size and the message body size, which includes attachments. You can override this value in two places: the session profile or each protected domain definition.
2. For outgoing email, FortiMail uses only the session profile value, assuming a session profile matches the email. If no session profile matches the email, FortiMail uses the default limit of 10 MB. For incoming messages, FortiMail evaluates both the session profile and protected domain values and selects the smaller value.
7. Part 6: Content Filtering:
a) Configuring an AntiVirus Profile to use FortiSandbox inspection:
1. FortiSandbox integrates with FortiMail to provide protection against email threats. Unlike network traffic, FortiMail handles email traffic as a store-and-forward system, so it is generally acceptable to introduce a small amount of latency. Because of this, you can use FortiMail with FortiSandbox and FortiGuard to prevent advanced threats contained in email from reaching end users. With this simple integration, at-risk email traffic is sent to FortiSandbox and held until it has been analyzed; if a suspicious or malicious item is found, that email can be blocked from being delivered.
2. To enable FortiSandbox integration, you must choose a FortiSandbox that is running on the network or a cloud-based device. When you perform the initial configuration, use the test function to validate communication between FortiMail and FortiSandbox.
3. Starting from 6.4.3, FortiSandbox cloud provides two types of services:
• You can use one account to register multiple FortiMail devices.
• Enhanced cloud: You can register one FortiMail device with one account to guarantee dedicated, high performance FortiSandbox service.
4. The values in the Scan timeout and Scan result expires in fields are 30 minutes and 60 minutes, respectively. The Scan timeout value indicates how long FortiMail waits for a response from FortiSandbox, and the Scan result expires in value specifies how long FortiMail caches the scan results.
5. You can expand the file scan settings section to view and select the file types that FortiMail submits to FortiSandbox. You can also create custom file definitions and limit file submission by size.
6. In the URL settings section, you can specify whether to scan URLs in all email or in suspicious email only. Suspicious email messages are those received during a spam outbreak. URL settings provide control over which types of URLs FortiMail submits to FortiSandbox: select Unrated or All to set the type of URLs that are sent for scanning. To limit the number of URLs, enter a value in the Number of URLs per email field.
7. After FortiMail connects to FortiSandbox, you can define the scan mode used by FortiSandbox in the antivirus profile. If you select “Submit only”, FortiMail submits all files to FortiSandbox and delivers the email to the intended recipient without waiting for a response; in this mode FortiSandbox is a monitoring device, and FortiMail does not perform actions based on the FortiSandbox scan results. If you select “Submit and wait for results”, FortiMail submits all files to FortiSandbox and waits for the duration set in the Scan timeout field. Select this option to protect your network from email-borne threats. Optionally, you can assign different action profiles to different threat levels or select the global default action. Once the antivirus profile is referenced by an IP or recipient policy, FortiMail starts sending files to FortiSandbox as it processes email using that policy.
8. AntiVirus Logs:
The logs show which type of file triggered the FortiSandbox scan, the file checksum, and the scan results. FortiMail also logs how long it took to process the email. The URL submission logs are similar to the file submission logs.
b) Content Profiles:
1. Content profiles support attachment detection based on MIME type. Content profiles also support dictionary profiles to detect words or phrases in the content using regular or wildcard expressions.
2. You can use scan options to detect various properties of email or attachments. You can configure a content profile to detect and take action on password protected Office or PDF documents. If you enable the password decrypt feature, FortiMail will try to brute force all password protected documents in order to scan their content.
3. Another common use of content profiles is attachment limiting. You can configure the maximum number of attachments to limit how many attachments are allowed per email. Sometimes attached documents have embedded content that can be exploited by a remote attacker if the user mistakenly enables macros after opening the document. If you enable the “Detect embedded component” setting, FortiMail can detect and take action on such documents.
4. For password protected PDF and archive attachments, if you want to decrypt and scan them, you can specify which passwords to try when decrypting the file. When you enable “Words in email contents”, FortiMail searches the message body for keywords to use as passwords to attempt to decrypt the password-protected files. You can enable “Built-in password list” to use the predefined passwords in FortiMail; the built-in list contains more than 1000 popular passwords and is hidden. You can also create your own list of passwords. To use your own list for decryption, enable the “User-defined password list” option in the password decryption settings.
5. You can use file filters to match email attachments based on file extension or type. The predefined file type definitions detect files based on their MIME header, which allows FortiMail to detect, for example, executable files disguised with a .txt extension. If the predefined set of file filters does not include the file type you need, you can add entries to the file filter type and specify MIME types, file extensions, or both.
6. Add file filters to the content profile's attachment scan rule and select a default action profile. You can also override the default action profile for each file filter individually.
7. A dictionary profile is a list of words or phrases defined using either regular or wildcard expressions. FortiMail has three predefined dictionaries. You can also add your own dictionary profile that uses the predefined smart identifiers or user-defined dictionary entries. Dictionary profiles allow you to inspect email content at a deeper level: you can search for words or phrases in the email body, header, or attachments. Dictionary matching, while flexible, is very resource intensive.
8. Content Monitor and Filtering:
You can add dictionary profiles to content profiles in the content monitoring and filtering section. You can also enable scan options to apply the dictionary lookup to PDF, Microsoft Office, or archive contents. When you create a dictionary profile, you can associate each entry with a score. For each content monitoring and filtering entry, FortiMail runs the defined action if the total score reaches the minimum score value. A minimum score of 1 causes FortiMail to run the action if it finds any of the dictionary words or phrases in the message.
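For the scoring rule above, the following added Python example (not FortiMail's code) builds a small dictionary profile from regular and wildcard expressions, sums the scores of the entries that match a constructed message body, and runs the action when the total reaches the minimum score. It assumes each entry counts once per message; the entries, scores and action name are illustrative.

```python
import re

# A dictionary profile entry: pattern, its type, and the score it contributes.
# Each entry counts once per message in this model (an assumption of the example).
DICTIONARY = [
    {"pattern": r"\bproject\s+falcon\b", "type": "regex", "score": 3},
    {"pattern": "confiden*", "type": "wildcard", "score": 1},
    {"pattern": r"\b\d{3}-\d{2}-\d{4}\b", "type": "regex", "score": 5},  # SSN-shaped number
]


def wildcard_to_regex(pattern):
    """'*' matches any run of non-space characters, '?' any single character."""
    return re.escape(pattern).replace(r"\*", r"\S*").replace(r"\?", ".")


def compile_entry(entry):
    source = entry["pattern"] if entry["type"] == "regex" else wildcard_to_regex(entry["pattern"])
    return re.compile(source, re.IGNORECASE)


def score_text(text, dictionary=DICTIONARY):
    """Return (total_score, [matched patterns]) for one piece of content."""
    total, hits = 0, []
    for entry in dictionary:
        if compile_entry(entry).search(text):
            total += entry["score"]
            hits.append(entry["pattern"])
    return total, hits


def evaluate(text, minimum_score, action="system_quarantine", dictionary=DICTIONARY):
    """Content monitoring and filtering decision: run the action when the summed
    score of matched entries reaches the configured minimum, otherwise do nothing."""
    total, hits = score_text(text, dictionary)
    return {"score": total, "matches": hits,
            "action": action if total >= minimum_score else None}


SAMPLE_BODY = ("Hi, this is CONFIDENTIAL. Project  Falcon status is attached. "
               "Employee ref 123-45-6789 for payroll.")  # constructed
```

Weighting entries is what keeps a single weak hit (the wildcard word alone scores 1) from triggering a quarantine while the combination of a project codename and an identifier pattern does.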
9. Content Disarm and Reconstruction:
HTML content in the email body or attachments might contain potentially hazardous tags and attributes such as hyperlinks and scripts. MS Word and PDF attachments might contain hazardous macros, active scripts, and other active content. FortiMail can use the content disarm and reconstruction (CDR) feature to remove or neutralize the potentially hazardous content and reconstruct the email body and attachment files. For text content such as URLs in the email body, FortiMail can use CDR to remove all URLs or apply click protection and FortiIsolator inspection. FortiMail can also apply CDR to MS Word and PDF files.
10. If you are using click protection, when an email is initially received FortiMail rewrites any URLs in the email body that are categorized as non-malicious or unrated so that they point to FortiMail itself. When the user clicks the URL at a later time, the URL request triggers a second rating query. If the URL rating has changed from non-malicious to malicious, FortiMail blocks the URL.
11. In this scenario, a spammer sends email messages containing a URL. When FortiMail initially processes the message, the URL rating query might come back with a non-malicious or unrated rating. FortiMail rewrites the URL in the email body to point to FortiMail and delivers the message to the end user. The end user clicks the URL at a later time, and because the URL has been rewritten, the request goes through FortiMail. At this time FortiMail re-queries the rating of the URL and, based on the malicious rating reply, blocks the request. URL click protection is available for HTML and text content to protect users from harmful and spam URLs such as phishing or advertising websites.
12. FortiMail uses the FortiGuard URL filter and FortiSandbox to scan URLs after the user clicks them. Depending on the inspection results from the FortiGuard and FortiSandbox scans, you can decide whether to allow the user to access the URL or block it. When you select “Allow with confirmation”, FortiMail allows access to the URL with a warning. Selecting “Block” means FortiMail blocks access. With “Submit only”, FortiMail allows access while it sends the URL for scanning. When FortiMail sends URLs to FortiSandbox for scanning, it might take time for FortiSandbox to return the results. In the “Timeout (sec)” field, indicate how long you want to wait for the results, and select “Block”, “Allow”, or “Allow with confirmation” in the timeout action drop-down list.
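Items 10 to 12 describe a rewrite-then-rerate flow, which the added Python example below models end to end (example code, not FortiMail's): at receive time non-malicious or unrated URLs are rewritten to a hypothetical gateway endpoint with an HMAC token so that only links the gateway produced are honoured, and at click time the original URL is re-rated and blocked, allowed, or given the configured timeout action when the scan does not answer in time. The endpoint, key, ratings and message body are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical click-protection endpoint and HMAC key (constructed for the example).
REWRITE_BASE = "https://fortimail.internal.lab/click"
SECRET = b"constructed-example-key"
URL_RE = re.compile(r'https?://[^\s<>"]+')


def _token(url):
    """Binds the rewritten link to this gateway so the redirector only honours
    URLs it produced itself, not arbitrary ones handed to it."""
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def rewrite_urls(body, rate):
    """Receive time: non-malicious or unrated URLs are pointed at the gateway;
    URLs already rated malicious are removed from the body."""
    def replace(match):
        url = match.group(0)
        if rate(url) == "malicious":
            return "[URL removed]"
        return f"{REWRITE_BASE}?u={quote(url, safe='')}&t={_token(url)}"
    return URL_RE.sub(replace, body)


def handle_click(rewritten_url, rate, timeout_action="block"):
    """Click time: validate the token, re-query the rating, decide.
    rate() returning None models the scan not finishing within the timeout."""
    query = parse_qs(urlparse(rewritten_url).query)
    url = query.get("u", [""])[0]
    token = query.get("t", [""])[0]
    if not url or not hmac.compare_digest(_token(url), token):
        return ("block", url)
    verdict = rate(url)
    if verdict is None:
        return (timeout_action, url)
    return ("block" if verdict == "malicious" else "allow", url)


def make_rater(table):
    """Stand-in for the FortiGuard/FortiSandbox rating query; unknown URLs are unrated."""
    return lambda url: table.get(url, "unrated")


# Constructed scenario: both links look harmless when the mail arrives, one turns
# malicious before the user clicks.
RATINGS_AT_RECEIVE = {"http://billing.example/inv/42": "non-malicious"}
RATINGS_AT_CLICK = {"http://billing.example/inv/42": "malicious",
                    "http://docs.example/help": "non-malicious"}
SAMPLE_BODY = "Invoice: http://billing.example/inv/42 and help: http://docs.example/help"


def demo():
    rewritten = rewrite_urls(SAMPLE_BODY, make_rater(RATINGS_AT_RECEIVE))
    links = URL_RE.findall(rewritten)
    click = make_rater(RATINGS_AT_CLICK)
    return {
        "rewritten_links": links,
        "first": handle_click(links[0], click),
        "second": handle_click(links[1], click),
        "tampered": handle_click(links[1].replace("docs", "evil"), click),
        "timeout": handle_click(links[1], lambda url: None,
                                timeout_action="allow_with_confirmation"),
    }
```

The token matters for the gateway's own exposure: without it, the click endpoint is an open redirector that anyone could point at any destination.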
13. Starting with FortiMail 6.4, when you enable redirect to click protection, the original and rewritten URLs are logged.
14. FortiIsolator is a browser isolation solution that protects users against zero-day malware and phishing threats delivered over the web and email. These threats might result in data loss, compromise, and ransomware. The protection is achieved by creating a visual air gap between users' browsers and websites, which prevents content from breaching the gap. With FortiIsolator, the content is executed in a remote disposable container and displayed to users visually. To configure FortiIsolator on FortiMail, configure the URL categories you want to scan using FortiIsolator; you must use the URL filter profile to configure this. Then configure the FortiIsolator IP address, select which type of content you want to scan (text or HTML), and select whether to use FortiIsolator only or together with click protection. When you select redirect to FortiIsolator, FortiMail redirects the user to FortiIsolator; the user browses the URL inside FortiIsolator itself, which provides all the isolation necessary to lock down potential threats. When you select click protection plus FortiIsolator, FortiMail rewrites the URL to point to itself. When the user clicks the URL, it is redirected to FortiMail for scanning. If the URL is malicious, FortiMail blocks it. If the URL is clean, FortiMail redirects the user to FortiIsolator and the user browses the URL in FortiIsolator.
15. You can use the personal quarantine option only for incoming content action profiles; the rest of the actions are identical. The most commonly used actions are reject and system quarantine, which quarantines the content to the content folder. Another common action is encrypt with profile: you can use a dictionary match on a specific word or phrase to trigger identity-based encryption.
16. You can configure how certain content action settings are applied. The action profile preference settings change how the deliver to alternate host, deliver to original host, personal quarantine, and system quarantine actions handle the content of the messages. If you select modified copy, FortiMail delivers or quarantines the email message after modifying the content. If you select unmodified copy, FortiMail delivers or quarantines the email message without modifying the content.
c) Notification Profile:
1. When FortiMail takes action against an email, you might want to inform the sender, the recipients, and any other users about what happened to the email. To do this, you need to create notification profiles and use them in content, antispam, and antivirus action profiles. You can use a generic notification profile for antispam, antivirus, and content profiles to notify the sender, the recipient, or other email addresses. If you want to configure sender address rate control notifications in the domain, set the type to sender address rate control in the notification profile. In this case you only need to notify the senders, not the recipients, and you don't need to include the original message as an attachment, so these two options are grayed out.
2. As with any inspection profile, you apply content profiles to email flows by enabling them in IP-based or recipient-based policies. As a general rule, the recipient-based policy overrides the IP-based policy unless you enable “take precedence over recipient based policy” in the IP-based policy. The log generated by a content profile shows whether the log was triggered by an attachment scan rule or a dictionary match. The cross-search result includes details such as the file name, attachment, filter rule, dictionary profile, and dictionary word or phrase.
3. A content filter log can also be generated by a content disarm and reconstruction rule that detected suspicious HTML content within an attachment and reconstructed the file by removing the offending content; the end user receives an email that is safe.
8. Part 7: System Maintenance:
1. FortiMail Storage Details:
2. Storage Partitioning:
3. FortiGuard Service Status:
4. FortiGuard Rating Queries:
5. CPU and Memory Usage:
6. Resource Usage:
7. Network Interface status:
8. Configuration Backup and Restore:
9. Scheduled Configuration Backup:
10. Mail Data Backup:
11. Mail Data Restore:
12. RAID:
13. Software RAID Status:
14. Hardware RAID Status:
15. Reset FortiMail Configuration:
16. System Information:
17. System Status:
18. Statistic History:
18. Reports:
19. SNMP
9. Part 8: Troubleshooting:
a) Troubleshooting Tools:
1. Connectivity Tests:
2. DNS Connectivity:
3. SMTP Connectivity:
4. GUI Traffic Capture:
5. CLI Traffic Capture:
6. FortiMail Log Type:
7. History Logs:
8. System Event Logs:
9. Log Message Correlation:
10. Gateway and Transparent Mode SMTP Event Log:
11. Server Mode Event Log:
12. Log Settings:
b) Troubleshooting Methodologies:
1. Troubleshooting Basics:
2. FortiGuard Antivirus and Antispam Updates:
3. FortiGuard Rating Queries:
4. False Positive:
5. False Negative:
6. No incoming emails:
7. No outbound emails:
8. Block listed MX IP Address:
9. Open Relay:
10. High Memory and CPU Utilization:
11. SMTP Disconnections and Timeout
12. Delayed Emails:
13. Hard Disk Issues:
10. Part 9: Data Loss Prevention:
1. With DLP, you can control the type of data that is allowed to enter or leave your organization by email.
2. You can define custom patterns or use pre-defined data templates or file filters to build DLP rules. A single DLP profile can contain multiple rules. The DLP feature is disabled on entry-level models such as VM01 or 200F. Starting from version 6.4.1, the aggressiveness of dictionary and DLP scan rules can be controlled: the higher the level, the more aggressive the scan and the more resources required. The default setting is medium, which is equivalent to low in older releases.
3. To configure DLP, you first need to define the sensitive data. You can define sensitive data using pre-defined patterns, such as file filters and data templates, or user-defined patterns, such as document fingerprints and string or regular expression-based patterns.
4. Next, you must configure DLP scan rules that define where to look for the sensitive data in the email, for example the email header or body.
5. Then you must add the DLP scan rules to a DLP profile to define what action to take.
6. After the DLP profile is complete, you can apply it to an IP-based or recipient-based policy.
101
Dr. Hidaia Mahmood Alassouli
7. You can use file filters to match mail attachments based on file extensions or file types. FortiMail comes with 9 predefined file filters. You can also create new filters. File filters are used by both DLP and content filters.
8. FortiMail comes with a set of pre-defined data types such as credit cards, social security numbers and social insurance numbers. You can use these data templates to define sensitive data based on file content in DLP rules. Using these templates means you don't have to perform extra configuration steps.
9. Another technique you can use to detect sensitive data is fingerprinting. When you use fingerprinting, you must provide the file. FortiMail generates and stores a checksum fingerprint of the file and compares it with all future email attachments for a match. You can manually upload files to FortiMail to generate fingerprints. You can also create an SMB or CIFS fingerprint source that FortiMail uses to generate fingerprints automatically from the contents of the shared folder. The manual method is sufficient if you have few documents to fingerprint. If you have a large list of documents that go through many version changes, you must use a fingerprint source.
10. Starting from version 6.4, a new column shows the fingerprint status when the file is added manually. One of the following statuses is displayed in the fingerprint status column: "To be generated", displayed when you have uploaded the file to the fingerprint list but have not yet clicked Create; "Being generated", displayed while the fingerprint generation process is executing; "Generated", displayed once the fingerprint has been generated; "Not generated", displayed when no fingerprint has been generated for the file because it does not contain enough text; "File type not supported", displayed when the file type is not supported for fingerprint generation.
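The fingerprint source and status column described in items 9 and 10, as an added example that is not FortiMail's own code: a small store that walks a shared folder, computes a checksum fingerprint per file, records the same status values the GUI shows, and matches attachments against the stored fingerprints. The supported file types, the minimum amount of text, the whitespace normalization and the sample files are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumptions for this example (not FortiMail's real limits): which file types can be
# fingerprinted and how much text a file must contain before a fingerprint is generated.
SUPPORTED_TYPES = {".txt", ".csv"}
MIN_TEXT_CHARS = 64


def normalize_text(text: str) -> str:
    """Collapse whitespace and case so minor reformatting does not change the fingerprint."""
    return " ".join(text.split()).lower()


def fingerprint_of(text: str) -> str:
    """Checksum fingerprint over the normalized text."""
    return hashlib.sha256(normalize_text(text).encode("utf-8")).hexdigest()


class FingerprintStore:
    """Tracks each file's status the way the fingerprint status column does."""

    def __init__(self) -> None:
        self.entries: dict[str, dict] = {}

    def add_file(self, path: Path) -> None:
        # Uploaded to the list, but Create has not been clicked yet.
        self.entries[path.name] = {"path": path, "status": "To be generated", "fingerprint": None}

    def generate(self) -> None:
        for entry in self.entries.values():
            if entry["status"] != "To be generated":
                continue
            entry["status"] = "Being generated"
            path = entry["path"]
            if path.suffix.lower() not in SUPPORTED_TYPES:
                entry["status"] = "File type not supported"
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            if len(normalize_text(text)) < MIN_TEXT_CHARS:
                entry["status"] = "Not generated"      # not enough text to fingerprint
                continue
            entry["fingerprint"] = fingerprint_of(text)
            entry["status"] = "Generated"

    def load_source(self, folder: Path) -> None:
        """Behave like a fingerprint source: pick up every file under the shared folder."""
        for path in sorted(p for p in folder.rglob("*") if p.is_file()):
            self.add_file(path)
        self.generate()

    def status(self, name: str) -> str:
        return self.entries[name]["status"]

    def match_attachment(self, data: bytes) -> str | None:
        """Return the name of the fingerprinted document an attachment matches, if any."""
        fp = fingerprint_of(data.decode("utf-8", errors="replace"))
        for name, entry in self.entries.items():
            if entry["fingerprint"] == fp:
                return name
        return None


# Constructed document text used for the demo source.
CONTRACT_TEXT = (
    "Master services agreement between Example Lab and a customer. "
    "This document is confidential and must not leave the organization by email. "
    "Payment terms, liability caps and termination clauses follow below."
)


def build_demo_source() -> tuple[FingerprintStore, Path]:
    """Constructed shared folder with three files that exercise each status."""
    folder = Path(tempfile.mkdtemp(prefix="fpsrc_"))
    (folder / "contract.txt").write_text(CONTRACT_TEXT, encoding="utf-8")
    (folder / "note.txt").write_text("too short", encoding="utf-8")
    (folder / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    store = FingerprintStore()
    store.load_source(folder)
    return store, folder


if __name__ == "__main__":
    store, _ = build_demo_source()
    for name, entry in store.entries.items():
        print(f"{name}: {entry['status']}")
    # The same contract pasted into an attachment with different line breaks still matches.
    print(store.match_attachment(CONTRACT_TEXT.replace(". ", ".\n").encode()))
```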
11. A single DLP scan rule can have multiple conditions. You can specify whether the rule is triggered after matching any or all of the conditions in the DLP scan rule. You can define string-based or regular expression-based patterns to match any part of the email. You can select "Contain sensitive data" to apply the sensitive data definitions, such as a fingerprint source or data templates.
12. FortiMail currently supports metadata string matching for MS Office, OpenOffice, PDF, GIF, TIFF and TXT files.
13. This slide shows an example DLP scan rule. The DLP rule matches if the following conditions are met: the sender is internal, from a protected domain, and the body and attachments contain credit card numbers. You can use exceptions to exempt specific emails from DLP scan rules. In this example, FortiMail ignores the rule for all emails sent by sales@example.lab.
14. After you define the DLP scan rules, you can add them to DLP profiles. You can also modify the action profile to specify how to handle emails identified by the DLP profile. This example shows that identified mail messages sent to the system are quarantined in the DLP folder. DLP profiles use the same action profiles as content profiles. To configure an action profile for DLP, click Profile, Content, Action.
15. The DLP profile can be referenced by IP-based or recipient-based policies. Because the DLP profile is intended to inspect outbound emails, FortiMail applies it to an outbound recipient-based policy. As a general rule, the recipient-based policy overrides the IP-based policy. That means that if an email message matches both a recipient-based policy and an IP-based policy, FortiMail applies the settings in the recipient-based policy unless you enable the "Take precedence over recipient-based policy" option.
16. Logs generated by DLP events are assigned the data loss prevention classifier. To see what email content FortiMail caught, click the session ID to view the cross-search results of that event.
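The scan rule from items 11 to 13 (internal sender, card numbers in body or attachments, exception for sales@example.lab), as an added example that is not FortiMail's own code: it evaluates the any/all condition combination, checks exceptions first, and applies a "Contain sensitive data" condition backed by a data template. The credit-card template (a digit pattern confirmed with a Luhn check), the protected domain and the sample messages are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed stand-in for the predefined "credit card" data template: 13 to 19 digits,
# optionally separated by spaces or dashes, confirmed with a Luhn check to cut false positives.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_credit_card(text: str) -> bool:
    for m in CARD_PATTERN.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


# Sensitive data definitions selectable with "Contain sensitive data".
DATA_TEMPLATES = {"credit_card": contains_credit_card}


@dataclass
class Email:
    envelope_from: str
    subject: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)   # name -> extracted text

    def parts(self, which: str) -> list[str]:
        if which == "subject":
            return [self.subject]
        if which == "body":
            return [self.body]
        if which == "attachments":
            return list(self.attachments.values())
        raise ValueError(which)


@dataclass
class Condition:
    kind: str                      # "sender_internal", "sensitive_data" or "regex"
    scope: tuple[str, ...] = ()    # email parts to inspect, e.g. ("body", "attachments")
    value: str = ""                # template name or regular expression


@dataclass
class DlpScanRule:
    name: str
    conditions: list[Condition]
    match_all: bool = True         # trigger on all conditions, or on any one of them
    protected_domains: frozenset[str] = frozenset()
    exempt_senders: frozenset[str] = frozenset()


def condition_matches(rule: DlpScanRule, cond: Condition, mail: Email) -> bool:
    if cond.kind == "sender_internal":
        return mail.envelope_from.rpartition("@")[2].lower() in rule.protected_domains
    texts = [t for part in cond.scope for t in mail.parts(part)]
    if cond.kind == "sensitive_data":
        return any(DATA_TEMPLATES[cond.value](t) for t in texts)
    if cond.kind == "regex":
        return any(re.search(cond.value, t, re.IGNORECASE) for t in texts)
    raise ValueError(cond.kind)


def rule_matches(rule: DlpScanRule, mail: Email) -> bool:
    """Exceptions are checked first, then the any/all combination of conditions."""
    if mail.envelope_from.lower() in rule.exempt_senders:
        return False
    results = [condition_matches(rule, c, mail) for c in rule.conditions]
    return all(results) if rule.match_all else any(results)


# The rule from the slide: internal sender AND card numbers in body or attachments,
# with sales@example.lab exempted.
CARD_LEAK_RULE = DlpScanRule(
    name="outbound-card-numbers",
    conditions=[
        Condition("sender_internal"),
        Condition("sensitive_data", ("body", "attachments"), "credit_card"),
    ],
    protected_domains=frozenset({"example.lab"}),
    exempt_senders=frozenset({"sales@example.lab"}),
)


def demo() -> dict[str, bool]:
    """Constructed messages; returns which ones the rule would hand to the action profile."""
    leak = Email("alice@example.lab", "invoice", "Card: 4111 1111 1111 1111, thanks")
    exempt = Email("sales@example.lab", "invoice", "Card: 4111 1111 1111 1111")
    external = Email("bob@other.test", "hi", "Card: 4111 1111 1111 1111")
    clean = Email("alice@example.lab", "order", "Order number 4111 1111 1111 1112",
                  {"report.csv": "ticket,12345"})          # fails the Luhn check
    return {"leak": rule_matches(CARD_LEAK_RULE, leak),
            "exempt": rule_matches(CARD_LEAK_RULE, exempt),
            "external": rule_matches(CARD_LEAK_RULE, external),
            "clean": rule_matches(CARD_LEAK_RULE, clean)}
```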
11. Part 10: Email Archiving:
1. To use FortiMail email archiving, you must create archive mailboxes by adding an archive account. You can use the default account or create a new one.
2. You can define the archive account password, access options, mailbox rotation schedule and disk quota. You can also define the archive storage location, which can be either local or remote.
3. FTP and SFTP are the only supported remote storage options. The rotation period for archive rotation can be configured in days.
4. Archive policies allow you to define which email messages FortiMail archives. The account option defines where FortiMail saves the archived email messages. The pattern option defines a string that FortiMail searches for to make the archiving decision. You can search for the defined pattern in an email message's sender address, recipient address, subject, body or attachment file name by configuring the policy type settings appropriately.
5. You can use exempt policies to exempt specific email messages from being archived. You typically configure an exempt policy to exclude spam email from being archived so that the archive can be used professionally.
6. You can also use anti-spam action profiles and content action profiles to archive email messages. In each action profile, select "Archive to account" and select the destination archive account. A typical use case is to use dictionary profiles, which are supported by AntiSpam and AntiVirus profiles, to monitor and archive email messages that contain specific words or phrases.
7. You can use the cross search results to verify that FortiMail is archiving emails correctly.
8. You can access the archived emails using the management GUI. You can also access the archive mailbox using IMAP if the relevant access options are configured in the archive account options. You can export the archived email messages in .mbox or .eml format. You can't delete messages from the archive; the only way to delete messages is to format the mail disk.
12. Part 11: AntiVirus:
1. Local Malware Detection:
FortiGuard AntiVirus is included in the FortiGuard antivirus subscription. FortiMail uses the FortiGuard AntiVirus service to protect against the latest threats. Fortinet's unique content pattern recognition language (CPL) allows a single signature to protect against multiple malware strains. FortiMail antivirus scanning uses the same FortiGuard virus signature databases that are used in the firewalls. The databases are kept regularly updated from the FortiGuard Distribution Network.
2. The FortiGuard real-time sandbox is also included in the FortiGuard AntiVirus subscription. FortiMail uses the local sandbox to evaluate executable content that has passed the FortiGuard AntiVirus signatures. The local sandbox inspects the construction of files to look for characteristics commonly found in viruses. It also emulates the execution of the content to look for typical virus behavior.
3. FortiGuard Labs receives global requests for ratings of sender IPs, content and attachments. Using data analytics techniques, FortiGuard can quickly detect and respond to new outbreaks, blocking suspicious virus objects without the need for an antivirus signature.
4. Local Malware Detection Flow:
This slide shows the process flow for anti-malware detection.
5. AntiVirus Profile Configuration:
To enable antivirus scanning techniques and actions, you must create an AntiVirus profile first. The AntiVirus profile specifies the default action that FortiMail takes when it detects a virus. You can override the default action by selecting a different action on a technique-by-technique basis.
6. When you create an AntiVirus profile, set the domain attribute to determine the visibility of the profile within the system. You can set the domain attribute so that the profile is available across the whole system or only within a specific domain.
7. FortiMail scans the email header, body and attachments, including compressed files such as zip, pkzip, lha, arj and rar files, for virus infections. If FortiMail detects a virus, it takes the action defined in the antivirus action profile.
8. FortiMail keeps its antivirus scan engine and virus signature database up to date by connecting to the FDN antivirus services.
9. Enable the file signature check if you already have hash values of known virus-infected files. You can add those checksums under Security, File Signature.
10. Antivirus Action Profile Configuration:
You can create a new action profile from within the antivirus profile. The most commonly used action is "Replace infected body or attachment". This option allows the body of the email to be delivered to the intended recipient without the malicious attachment. Other commonly used actions include "Reject" and "Discard". Note that there is no personal quarantine option in the AntiVirus action profile. This protects end users from accidentally releasing the infected content onto their local computers.
11. Applying AntiVirus:
An AntiVirus profile can be referenced by an IP-based policy or a recipient-based policy. For complete protection, enable antivirus scanning on outbound policies to prevent malicious content from accidentally leaving your organization. As a general rule, the recipient-based policy overrides the IP-based policy unless you enable "Take precedence over recipient-based policy match" on the IP-based policy.
12. AntiVirus Log:
The history log provides an overview of the events that have occurred, including the classifier, disposition and virus name. For more details, click the session ID link to see the cross-search results for all logs for that single event. This slide shows an example of the "Reject" action in response to the detection of a virus.
13. FortiMail generates an SMTP 554 message that explains the reason for the rejection.
14. AntiVirus Customized Message:
When you enable "Repackage email with customized content" and FortiMail detects an infected attachment, FortiMail replaces the infected attachment with a text attachment that contains the details of the original file and the detected virus. This keeps the recipient informed.
13. Part 12: AntiSpam:
1. Spam Detection:
The industry-standard definition of spam has two components. First, the email messages are unsolicited, that is, the recipient has not requested or granted permission for the email. Second, the email messages are bulk mailings because they are sent out in bulk quantities and contain identical or nearly identical content. The industry term for this is unsolicited bulk email (UBE).
2. The FortiMail AntiSpam service is a combination of two tiers of spam defense: the FortiGuard antispam service combined with FortiMail's built-in antispam detection techniques. By leveraging the FortiGuard antispam service, FortiMail has access to the latest knowledge of emerging spam threats and outbreaks.
3. Email messages are inspected in two distinct layers: the session layer and the application layer.
4. The session layer analyzes the attributes and behaviors of the IP connection and the SMTP session for threats that are common to spam activity. FortiMail can detect spam even before the message headers and message body are sent. This saves valuable resources and improves the performance of the FortiMail server.
5. The application layer analyzes the content of the message header and message body after they arrive. FortiMail uses this data to perform many different types of spam detection.
6. Antispam Profile:
When an email message matches the selection criteria specified in an IP or recipient policy, you can activate an AntiSpam profile to perform any of the available antispam techniques. In the antispam profile, select the default action to be executed if the message is verified to be spam, or associate different action profiles with individual AntiSpam techniques. In the scan options section, you can specify the size limit for messages to be scanned. If an email is larger than the specified value, FortiMail skips antispam inspection of that email. You can also bypass AntiSpam inspection if the user is authenticated. Be careful with this setting, because an authenticated user is not always a safe sender.
7. Superseded and less recommended features are removed from the antispam profile in simple view.
8. AntiSpam Action Profile:
If an email is detected as spam, you can tag the subject field to warn the user that it is potential spam. You can also insert a header or disclaimer into the email. If you want to deliver the spam email to an alternate recipient, such as an administrator, you can configure that in the antispam action profile as well. There are other options that you can configure in the antispam action profile, such as archiving the email or sending a notification to any valid email address. These actions are considered non-final actions because FortiMail continues antispam scanning. You can also configure a final action. The final action makes the final decision about what is applied to the spam email. There are five final actions: Discard, Reject, Personal quarantine, System quarantine and Rewrite recipient email address. When a final action has been taken, no other antispam scanning is performed.
9. FortiGuard IP Reputation:
When you enable the FortiMail IP reputation option, FortiMail queries the FortiGuard spam service to determine whether the remote MTA IP address is in the FortiGuard blocklist database. FortiGuard divides the blocklisted IP addresses into three levels:
- Level 1 has the worst reputation
- Level 2 has a better reputation
- Level 3 has an even better reputation
To help prevent false positives, you can choose to take different actions for different IP levels. Usually, you should take strict actions such as reject or discard for level 1 IP addresses, and less severe actions such as quarantine or tag for level 3 IP addresses. The default action for levels 1, 2 and 3 is the IP reputation action. If you use the default for the IP reputation action, the FortiGuard action is used. If you use the default for the FortiGuard action, the antispam action is used. If you want to check all SMTP servers in the Received lines of the message header, enable the "Extract IP from received header" option.
10. FortiGuard URL Filter:
FortiGuard URL filtering sorts URLs into categories such as phishing, spam and malicious. You can configure a URL category profile to check for specific categories. If an email message contains any URLs that match the categories enabled in the URL filter profile, FortiMail treats that message as spam. You can also customize URL filters. On most deployments, you should enable the security risk category. However, you can customize the URL category profile to filter email messages with URLs that are traditionally not considered spam.
11. FortiGuard Spam Outbreak Protection:
Regular FortiGuard updates ensure that FortiMail has the most current threat information available. Even so, it is possible for FortiMail to receive a spam message that has not been seen before and about which it has little or no information. This feature is effective against zero-day spam outbreaks. When spam outbreak protection is enabled, the suspicious email is held in a dedicated queue for a specific period of time and then re-evaluated. This gives FortiGuard the opportunity to learn about the potential spam outbreak and update its databases. After the timeout value for the email expires, FortiMail queries the FortiGuard service again. If the rating comes back clean, FortiMail releases the email to the recipient. Otherwise, it applies the antispam action. When set to monitor only, the email is not deferred. Instead, an "X-FEAS spam outbreak monitor only" header is inserted and the email is logged. By default, the hold period is 30 minutes and the outbreak protection level is medium.
12. SPF and DMARC Validation:
SPF is a technique that can be used to validate senders. Using SPF, the domain owner publishes a specially formatted DNS TXT record. The record contains the authorized MTAs of the domain. Using the MTA check feature, FortiMail performs a DNS TXT lookup for the sending domain of any email session. If an SPF entry exists, FortiMail compares the addresses in the SPF entry with the address of the sending MTA, and if no match is found, it treats the email as spam. In the antispam profile, you can configure the various general settings available for SPF validation.
Configure the "None" setting to deal with domains for which there are no SPF records. Configure the "Neutral" setting for SPF records that do not want to assert that a particular IP address is authorized to send from the sending domain. A neutral result is treated as no result. An SPF record with a neutral result typically uses the question mark qualifier.
Configure the "Pass" setting to deal with IP addresses that are authorized to send from the sending domain. This result is generated when the sender IP is correctly identified in the DNS record of the sending domain with the correct syntax. Configure the "Fail" setting for IP addresses that are not authorized to send from the sending domain. This means that the SPF record of the sending domain does not contain the sending server or IP address.
DMARC is much more comprehensive. Using DMARC, FortiMail validates both SPF and DKIM. However, the email must pass only one of these checks. If an email fails both the DKIM and SPF checks, it is treated as spam. DMARC validation is not universally adopted yet, but it is slowly becoming more popular.
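The SPF evaluation described above, as an added example that is not FortiMail's own code: it evaluates the sending MTA address against a domain's SPF TXT record (ip4, ip6, include and all terms with the +, -, ~ and ? qualifiers) and maps the none, neutral, pass, softfail and fail results to the per-result actions the profile settings stand for. The DNS data, the domains and the result-to-action table are constructed for this example; mechanisms that need live DNS (a, mx, exists) are left out.

```python
from __future__ import annotations

import ipaddress

# Constructed DNS TXT data standing in for live lookups (assumption; not real zones).
DNS_TXT = {
    "example.lab": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all"],
    "_spf.mailer.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    "neutral.test": ["v=spf1 ?all"],
    "nospf.test": ["some unrelated txt record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> str | None:
    """Return the single v=spf1 record of a domain, or None when there is none."""
    records = [r for r in DNS_TXT.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the sending MTA address against the sending domain's SPF record."""
    if depth > 10:
        return "permerror"              # runaway include chain
    record = lookup_spf(domain)
    if record is None:
        return "none"                   # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]     # catch-all term, usually -all, ~all or ?all
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        # a, mx and exists would need live DNS and are skipped in this example
    return "neutral"                    # nothing matched and no "all" term


# Constructed mapping of each SPF result to the action configured for the corresponding
# setting in the antispam profile; a neutral result is handled like none, as the text says.
SPF_ACTIONS = {"none": "accept", "neutral": "accept", "pass": "accept",
               "softfail": "tag", "fail": "treat as spam", "permerror": "tag"}


def spf_decision(sending_ip: str, mail_from: str) -> tuple[str, str]:
    """SPF result and resulting action for one SMTP session, given the envelope sender."""
    domain = mail_from.rpartition("@")[2]
    result = check_host(sending_ip, domain)
    return result, SPF_ACTIONS[result]


if __name__ == "__main__":
    for ip, sender in [("203.0.113.5", "ceo@example.lab"), ("198.51.100.10", "ceo@example.lab"),
                       ("192.0.2.1", "ceo@example.lab"), ("192.0.2.1", "x@nospf.test")]:
        print(ip, sender, spf_decision(ip, sender))
```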
13. Behavior and Header Analysis:
Behavior analysis uses a variety of methods to identify spam that is not caught directly by FortiGuard. It applies elements of heuristics and a fuzzy matching algorithm that compares messages with spam recently detected (within the past 6 hours) by FortiGuard signatures on the device in question. Behavioral analysis can detect changing spam samples and is useful for detecting and preventing zero-day spam outbreaks.
Header analysis looks for the presence of header entries that are commonly found in spam email.
14. Impersonation Analysis:
Email impersonation is a type of email spoofing attack that attempts to deceive the recipient by using forged headers to make the message appear to come from a trusted sender. Often the impersonated individuals are key executive personnel whose names and email addresses are publicly posted or easily available. This technique is often called whaling in the email security world. Using the impersonation analysis feature in FortiMail, you can map high-value target display names to specific allowable email addresses. To activate impersonation analysis, you require a license that is available only as part of the enterprise ATP bundle. There are two types of mapping: dynamic and manual. By default, impersonation analysis is manual. All impersonation analysis matches are case insensitive.
a) Manual: Enter the display name of the high-profile user that the impersonation profile will protect. You can enter this name using either a wildcard or a regular expression. Next, enter the email address that is associated with the user's display name. Then click Create. If a user wants to associate multiple email addresses with their display name, create an impersonation entry for each email address.
b) Dynamic mode matches learned entries, whereas in manual mode you have to specify both explicitly. In addition to manually entering mapping entries and creating impersonation analysis profiles, the FortiMail mail statistics service can automatically learn the mappings in the header From fields of incoming emails and track the mappings dynamically.
c) To use FortiMail manual impersonation scanning, dynamic impersonation scanning or both, use the commands shown in the slide. By default, FortiMail uses manual analysis only. You can also enable the FortiMail mail statistics service with the command shown in the slide. This service is also disabled by default.
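The manual and dynamic mappings described in a) to c), as an added example that is not FortiMail's own code: a profile holds display-name entries (wildcard or regular expression, matched case-insensitively) with one allowed address per entry, can learn display-name-to-address pairs from the header From of incoming mail the way the mail statistics service does, and flags a From header whose display name is protected but whose address is not allowed. The names, addresses and headers are constructed for this example.

```python
from __future__ import annotations

import fnmatch
import re
from collections import defaultdict
from email.utils import parseaddr


class ImpersonationProfile:
    """Manual display-name mappings plus optional dynamically learned ones."""

    def __init__(self, dynamic: bool = False) -> None:
        self.dynamic = dynamic
        self.manual: list[tuple[re.Pattern, str]] = []      # (name pattern, allowed address)
        self.learned: dict[str, set[str]] = defaultdict(set)

    def add_manual(self, display_name: str, address: str, regex: bool = False) -> None:
        """One entry per allowed address; wildcards are translated to a regular expression."""
        pattern = display_name if regex else fnmatch.translate(display_name)
        self.manual.append((re.compile(pattern, re.IGNORECASE), address.lower()))

    def learn(self, from_header: str) -> None:
        """What the mail statistics service does: record display name -> address pairs
        seen in the header From of incoming mail."""
        name, addr = parseaddr(from_header)
        if name and addr:
            self.learned[name.strip().lower()].add(addr.lower())

    def allowed_addresses(self, display_name: str) -> set[str]:
        allowed = {addr for rx, addr in self.manual if rx.fullmatch(display_name)}
        if self.dynamic:
            allowed |= self.learned.get(display_name.lower(), set())
        return allowed

    def check(self, from_header: str) -> str:
        """'ok' when the display name is not protected or the address is allowed,
        'impersonation' when a protected name is used with a different address."""
        name, addr = parseaddr(from_header)
        name = name.strip()
        if not name:
            return "ok"                 # no display name, nothing to impersonate
        allowed = self.allowed_addresses(name)
        if not allowed:
            return "ok"                 # display name is not a protected one
        return "ok" if addr.lower() in allowed else "impersonation"


def demo() -> dict[str, str]:
    """Constructed profile and From headers."""
    profile = ImpersonationProfile(dynamic=True)
    profile.add_manual("Jane Doe", "jane.doe@example.lab")
    profile.add_manual("Jane Doe", "jdoe@example.lab")       # second address, own entry
    profile.add_manual("CFO *", "cfo@example.lab")           # wildcard entry
    profile.learn("Dan Lee <dan.lee@example.lab>")           # learned dynamically
    return {
        "legit": profile.check("Jane Doe <jdoe@example.lab>"),
        "spoofed": profile.check('"JANE DOE" <jane.doe@webmail.test>'),
        "wildcard": profile.check("CFO Office <finance@webmail.test>"),
        "learned": profile.check("dan lee <dan@webmail.test>"),
        "unprotected": profile.check("Bob <bob@webmail.test>"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```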
15. Heuristic Scan:
FortiGuard maintains a set of heuristic rules based on spam content. These heuristic rules use Perl Compatible Regular Expressions (PCRE), a powerful form of regular expression matching, to locate spam-identifying attributes within each message. These rules are continuously updated as new spam threats emerge. As each rule is evaluated against the message, a score is generated reflecting how much of the rule criteria is found in the message. When FortiMail finishes processing the rule, it adds the score to the total score of the message. If the total score meets or exceeds the set threshold, FortiMail determines that the message is spam. Heuristic scanning can be very resource intensive.
16. When you enable heuristic scanning in an antispam profile, you use two settings to fine-tune the behavior. The first setting, threshold, determines what total score is necessary to decide that the email is spam. The default value might be appropriate for most environments, but you can increase it if there are false positives or decrease it as necessary. Expect to tune this value multiple times, because there is no universal value that suits all deployments. If the threshold is not set correctly, it can generate unnecessary false positives or false negatives.
17. The second setting, the percentage of rules used, specifies how much of the rule list is applied to each message. The rule ordering is maintained by FortiGuard. The rules that detect the most prevalent spam are at the top of the list; the rules for older or more obscure spam are lower. The rule ordering changes over time as FortiGuard responds to the ever-changing spam landscape.
18. Heuristic rule processing is a fairly resource-intensive process, so you can use this setting to strike a balance between performance
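The threshold and percentage-of-rules settings from items 15 to 18, as an added example that is not FortiGuard's rule set or FortiMail's code: an ordered list of regular-expression rules is cut to the top slice chosen by the percentage, each matching rule adds its score, and the total is compared with the threshold. The rules, scores and sample message are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HeuristicRule:
    name: str
    pattern: str      # PCRE-style expression evaluated against the raw message text
    score: float


# Constructed rule list ordered most-prevalent first, as FortiGuard's list is
# (illustrative rules only, not FortiGuard's).
RULES = [
    HeuristicRule("urgent_subject", r"(?im)^subject:.*\b(urgent|act now|final notice)\b", 2.5),
    HeuristicRule("money_lure", r"(?i)\b(lottery|winner|million (dollars|usd))\b", 2.0),
    HeuristicRule("shortened_link", r"(?i)https?://(bit\.ly|tinyurl\.com)/\S+", 1.5),
    HeuristicRule("shouting", r"(?s)\b[A-Z]{6,}\b(?:.*?\b[A-Z]{6,}\b){2}", 1.0),
    HeuristicRule("unsubscribe_lure", r"(?i)click here to (unsubscribe|opt out)", 0.5),
    HeuristicRule("next_of_kin", r"(?i)\bnext of kin\b", 1.0),
]


def select_rules(rules: list[HeuristicRule], percent: int) -> list[HeuristicRule]:
    """'Percentage of rules used': keep only the top slice of the ordered list."""
    count = max(1, round(len(rules) * percent / 100))
    return rules[:count]


def heuristic_score(message: str, rules: list[HeuristicRule]) -> tuple[float, list[str]]:
    """Sum the scores of the rules that match; also return which ones hit."""
    total, hits = 0.0, []
    for rule in rules:
        if re.search(rule.pattern, message):
            total += rule.score
            hits.append(rule.name)
    return total, hits


def is_spam(message: str, threshold: float = 5.0, percent_rules: int = 100) -> bool:
    """Spam when the total score meets or exceeds the configured threshold."""
    score, _ = heuristic_score(message, select_rules(RULES, percent_rules))
    return score >= threshold


# Constructed message with several spam traits.
SAMPLE = (
    "Subject: URGENT: claim your LOTTERY winner prize\n"
    "\n"
    "Dear friend, you are the WINNER of 2 million dollars.\n"
    "Confirm at http://bit.ly/claimnow before the FINAL NOTICE expires.\n"
)


if __name__ == "__main__":
    for pct in (100, 50, 10):
        score, hits = heuristic_score(SAMPLE, select_rules(RULES, pct))
        print(f"{pct}% of rules: score={score} hits={hits} spam={score >= 5.0}")
```

Lowering the percentage trades coverage of older, less prevalent spam for throughput, which is why the same message can fall below the threshold when only the top rules run.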
19. SURBL and DNSBL:
SURBL is similar in concept to the FortiGuard URL filter, but it uses third-party SURBL servers. FortiMail extracts URLs from email messages and sends them to the SURBL servers. The SURBL servers identify whether the URLs are known to be associated with spam.
20. DNSBL is similar to the FortiGuard IP reputation feature, but it uses third-party DNSBL servers. FortiMail includes the IPs from the Received headers in DNSBL scans if you select "Extract IP from received header" in the antispam profile. Just like the FortiGuard IP reputation scan, the DNSBL scan ignores any RFC 1918 addresses. If an IP address is blocklisted by a DNSBL server, FortiMail treats the email as spam and executes the configured action.
21. Banned and Safe Word Lists:
When you enable the banned word scan option in an antispam profile, FortiMail scans the subject and message body for the presence of any word from the list of prohibited words. If the message contains one or more of the words in the list, FortiMail treats the message as spam. The safe word list scan option scans the subject and body of the email for the presence of any word in the list of safe words. If a match is found, FortiMail exempts the email from antispam inspection; other inspection profiles that you have enabled still apply.
22. To maintain efficiency, the word lists support wildcard characters, but not regular expressions or extended character set encodings.
23. Dictionary Scan:
Dictionary scan provides a flexible way to identify messages that contain specific words or phrases. To use this feature, you must create a dictionary profile containing the words or phrases of interest. This can include regular expressions as well as extended character set encodings. If the scan finds one or more dictionary entries in an email message, FortiMail adds an X-FEAS dictionary header to the email, followed by the dictionary pattern or word that was found. Dictionary scans are more resource intensive than banned word scans because they provide more flexibility. For a simple list of words, consider using banned word scans to improve performance.
24. Image Spam Scan:
FortiMail is capable of detecting spam messages that consist of embedded JPEG, GIF or PNG images with little or no text in the message body. Many spam detection techniques have difficulty with messages like this because of the lack of text. The image spam scan feature analyzes the characteristics of embedded images using fuzzy logic developed by FortiGuard to determine whether the message is spam. If you enable aggressive mode, FortiMail analyzes image attachments too. Image spam scanning can be resource intensive, especially if you enable aggressive mode. However, you should use image spam scanning if image-based spam messages are passing through the other spam techniques undetected.
25. Newsletter Detection:
The newsletter scan scans messages that are likely to be legitimate newsletters and treats them as spam. One interesting possibility is to tag the subject line of these email messages with "[newsletter]" so that the end user can filter them in the MUA (email client). Spammers sometimes disguise emails to look like legitimate newsletters. The suspicious newsletter scan examines the contents to detect spam characteristics and executes the configured antispam action.
26. PDF Scanning:
Similar to image-based spam, spammers may try to evade detection by sending messages that contain only a PDF attachment. PDF scanning converts the first page of the PDF attachment to a format that is suitable for analysis by the banned word, heuristic and image scanning methods. You must enable at least one of these three methods in the antispam profile.
27. Block and Safe Lists:
FortiMail uses four levels of block listing and safe listing. The order of processing priority is system, then session, then domain and finally personal. System-level list entries apply to all protected domains. Domain list entries apply to all users in that protected domain. Personal list entries are relevant for that user only.
28. You can also configure block list and safe list entries in a session profile. Those list entries affect only email messages handled by the IP policy that uses that session profile.
29. For any message matching the safe list, FortiMail bypasses all AntiSpam checks, and the message is processed through any other configured inspection profiles.
30. List entries can take the form of IP addresses, email addresses or domains.
31. If a message matches an entry on a block list, the message is processed according to the block list action setting. You can set the block list action to reject or discard the message, or to invoke the action in the matching antispam profile.
32. Spoofed Header Detection:
Spammers use many tricks to bypass security mechanisms. One of these tricks is to spoof SMTP header addresses. The spammer may use a legitimate sender in the envelope MAIL FROM address, but when they craft the header, they spoof the header From address. Since MUAs use the header addresses to display email information such as the From and To fields, the recipient sees the spoofed email sender. In the SPF section of an AntiSpam profile, you can configure the sender alignment setting to verify the email message's From domain against the authorized domain of the SPF record. This verifies whether or not the From domain is listed as an authorized sender in the sending domain's SPF records.
33. Backscatter:
Spammers sometimes try to bypass antispam measures by hiding spam content in delivery status notifications (DSNs) or bounced messages. DSN messages don't undergo the same level of antispam processing as regular email, if any at all. In a clever abuse of SMTP, spammers forge the email address of the intended target as the MAIL FROM address and use a nonexistent recipient in the RCPT TO address.
34. The spammer then sends the messages to a relay MTA which, since it can't deliver the message, creates a DSN and sends it to the spammer's intended target with the original spam content attached. This technique is typically referred to as backscatter.
35. If you look at the same backscatter attack but this time with Bounce Address Tag Validation (BATV) enabled at the a.com MTA, the outcome looks very different. The BATV-enabled MTA searches for the BATV tag in the DSN email header. If it does not find the tag, the MTA drops the DSN message instead of delivering it to the end user. BATV provides a mechanism that can distinguish between legitimate DSN messages and backscatter spam, provided that the DSN was generated because of a message sent by a particular FortiMail protected domain.
36. DSN Email with Spam Attached:
In the email client, when you open the DSN email, you see the DSN transcript along with the original email, which is attached.
37. BATV Configuration:
To configure BATV in FortiMail, you must first enter a key. The key can be any sequence of ASCII characters. The key, along with a cryptographic salt value, generates a unique tag for each message. You can create new keys as necessary, but only one key in the list can be active at any time. Once an active key is available, enable BATV and set the action to execute if tag validation fails. After you enable BATV, FortiMail starts to prepend the tag to the sender email address in the SMTP envelope MAIL FROM field. FortiMail does not otherwise alter the sender email address. If the tagged message is undeliverable, the resulting DSN contains the tagged version of the sender's address, since the original message is appended to the DSN. When the DSN arrives at FortiMail, FortiMail searches for the tag. If the tag exists, it means the DSN was generated for an email sent from one of the protected domains, and FortiMail delivers the DSN to the recipient. If the tag does not exist, FortiMail drops the DSN. For inbound DSN messages, the envelope MAIL FROM must be blank; otherwise FortiMail does not perform bounce verification on it. The MAIL FROM address of a DSN message is typically blank to avoid the potential for creating continuous bounce messages that bounce back and forth forever.
38. BATV Exemptions:
Certain MTAs reject email messages that have BATV tags in the email header, either deliberately or because of configuration mistakes. To allow successful email transmission between FortiMail and these MTAs, you must exclude the MTAs from BATV tagging. Emails sent from FortiMail to the MTAs in the tagging exempt list will not have BATV tags added to their headers.
39. Other MTAs do not append the original email to the DSN. If the original email is not appended to the DSN, the email will not have the BATV tag and tag verification fails. To exclude these MTAs from tag verification, add them to the verification exempt list.
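The tagging, verification and two exemption lists from items 37 to 39, as an added example that is not FortiMail's own code: the active key produces a keyed, expiring tag that is prepended to the envelope sender on the way out, and an inbound bounce (blank MAIL FROM) is delivered only if its tagged address verifies. The tag layout follows the prvs form of the BATV draft (key id, expiry day, keyed hash), which is an assumption, since the page does not give FortiMail's exact layout; the example looks for the tag in the bounce's recipient address, where the tagged sender address comes back. Keys, MTA names and addresses are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
from datetime import date


class Batv:
    """Tags outbound envelope senders and verifies inbound bounces.
    Tag layout (assumption): prvs=<K><DDD><HHHHHH>=<original address>, where K is the key id,
    DDD the expiry day mod 1000 and HHHHHH a keyed hash over key id, day and address."""

    def __init__(self, key: str, key_id: int = 0, lifetime_days: int = 7,
                 tagging_exempt=(), verification_exempt=()) -> None:
        self.key = key.encode("ascii")          # any sequence of ASCII characters
        self.key_id = key_id % 10               # one active key at a time; id travels in the tag
        self.lifetime = lifetime_days
        self.tagging_exempt = set(tagging_exempt)          # MTAs that reject tagged senders
        self.verification_exempt = set(verification_exempt)  # MTAs that never append the original

    def _hash(self, expiry_day: int, address: str) -> str:
        msg = f"{self.key_id}{expiry_day:03d}{address.lower()}".encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:6]

    def tag(self, mail_from: str, next_hop_mta: str, today: date) -> str:
        """Envelope MAIL FROM to use when sending; left untouched for tagging-exempt MTAs."""
        if next_hop_mta in self.tagging_exempt or not mail_from:
            return mail_from
        expiry_day = (today.toordinal() + self.lifetime) % 1000
        return f"prvs={self.key_id}{expiry_day:03d}{self._hash(expiry_day, mail_from)}={mail_from}"

    def verify_dsn(self, envelope_from: str, sending_mta: str, rcpt_to: str, today: date) -> str:
        """'skip' when not a DSN, otherwise 'deliver' or 'drop'."""
        if envelope_from != "":
            return "skip"                       # bounce verification only for blank MAIL FROM
        if sending_mta in self.verification_exempt:
            return "deliver"                    # this MTA is known not to append the original
        if not rcpt_to.startswith("prvs="):
            return "drop"                       # no tag: not a bounce of our outbound mail
        try:
            _, tagval, original = rcpt_to.split("=", 2)
            key_id, expiry_day, digest = int(tagval[0]), int(tagval[1:4]), tagval[4:10]
        except (ValueError, IndexError):
            return "drop"
        if len(tagval) != 10 or key_id != self.key_id:
            return "drop"                       # malformed tag or not the active key
        remaining = (expiry_day - today.toordinal() % 1000) % 1000
        if remaining > self.lifetime:
            return "drop"                       # tag expired (or day field forged)
        if not hmac.compare_digest(digest, self._hash(expiry_day, original)):
            return "drop"                       # hash does not match: forged tag
        return "deliver"


def demo() -> dict[str, str]:
    """Constructed outbound message, a genuine bounce, a backscatter bounce and the exemptions."""
    batv = Batv("s3cret-ascii-key", key_id=1,
                tagging_exempt={"legacy.mx.test"}, verification_exempt={"nobody-appends.mx.test"})
    sent = date(2024, 1, 15)
    tagged = batv.tag("alice@example.lab", "mx.other.test", sent)
    forged = tagged[:9] + "000000" + tagged[15:]       # same day field, bogus hash
    return {
        "tagged": tagged,
        "untagged": batv.tag("alice@example.lab", "legacy.mx.test", sent),
        "genuine_bounce": batv.verify_dsn("", "mx.other.test", tagged, date(2024, 1, 18)),
        "expired_bounce": batv.verify_dsn("", "mx.other.test", tagged, date(2024, 1, 30)),
        "backscatter": batv.verify_dsn("", "relay.spam.test", "alice@example.lab", sent),
        "forged_tag": batv.verify_dsn("", "relay.spam.test", forged, sent),
        "not_a_dsn": batv.verify_dsn("bob@other.test", "mx.other.test", tagged, sent),
        "exempt_mta": batv.verify_dsn("", "nobody-appends.mx.test", "alice@example.lab", sent),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```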
40. The log shows that the email was discarded because it failed bounce verification.
41. FortiMail performs the AntiSpam scans and the other scans in a specific order. Actions taken
as a result of scanning are categorized as either final or non-final. An action after which no
other action can be applied to the email is a final action; reject, discard, personal quarantine,
and system quarantine are final actions.
42. Once FortiMail applies a final action, no further scanning is performed. FortiMail can apply
multiple non-final actions to an email, but only one final action.
43. The execution sequence of the antispam techniques can be found in the FortiMail Administration
Guide.
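The final versus non-final action rule from items 41 and 42, as an added Python example (not code from the book or from FortiMail). The scanners, their order, the scoring words and the sample messages are constructed for illustration; FortiMail's real scan sequence is the one in the Administration Guide.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Actions after which nothing else can be applied to the message.
FINAL_ACTIONS = {"reject", "discard", "personal_quarantine", "system_quarantine"}

# Each scanner returns an action name or None. Scanners, order and message
# fields are constructed for this example, not FortiMail's real sequence.
Scanner = Tuple[str, Callable[[dict], Optional[str]]]

BLOCKLISTED_IPS = {"198.51.100.66"}          # constructed


def ip_reputation(msg: dict) -> Optional[str]:
    return "reject" if msg["client_ip"] in BLOCKLISTED_IPS else None


def heuristic(msg: dict) -> Optional[str]:
    score = sum(weight for word, weight in (("free", 1.0), ("winner", 2.0), ("click", 1.5))
                if word in msg["subject"].lower())
    return "tag_subject" if score >= 2.5 else None     # non-final


def attachment_filter(msg: dict) -> Optional[str]:
    return "discard" if any(n.lower().endswith(".exe") for n in msg["attachments"]) else None


def disclaimer(msg: dict) -> Optional[str]:
    return "add_disclaimer"                             # non-final, always applies


SCAN_ORDER: List[Scanner] = [
    ("ip_reputation", ip_reputation),
    ("heuristic", heuristic),
    ("attachment", attachment_filter),
    ("disclaimer", disclaimer),
]


def run_scans(msg: dict, scanners: List[Scanner] = SCAN_ORDER) -> Dict[str, object]:
    """Apply scanners in order; non-final actions stack, one final action ends the run."""
    applied: List[Tuple[str, str]] = []
    final: Optional[str] = None
    for name, check in scanners:
        action = check(msg)
        if action is None:
            continue
        applied.append((name, action))
        if action in FINAL_ACTIONS:
            final = action
            break                  # no further scanning after a final action
    return {"final": final, "applied": applied}


if __name__ == "__main__":
    sample = {"client_ip": "203.0.113.5", "subject": "FREE winner!",
              "attachments": ["invoice.exe"]}
    print(run_scans(sample))
```

Note that the disclaimer scanner never runs for the discarded message: a scanner placed after a final action in the sequence has no effect on messages that hit that action, which is why the order of the sequence matters when you read a log and wonder why a later scan shows no result.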
14. Part 13: Personal Quarantine Management:
1. FortiMail can generate a quarantine report for each end user to notify them when there is email
in their quarantine mailbox.
2. FortiMail sends the reports on a schedule. Reports are generated only for mailboxes that contain
quarantined email. Depending on the action profile configuration, users can use either email
actions or web actions to release or delete quarantined messages.
3. Users can access their personal quarantine through the web. The quarantine mailbox on FortiMail
has additional folders such as Drafts, Sent Items, Trash and Encrypted Emails in addition to the
Bulk folder.
4. In server mode, besides personal quarantine access, FortiMail webmail also provides access to
the inbox, address book and other features.
5. Quarantine Report Settings:
The Quarantine Report tab lets you configure system-wide aspects of quarantine reports, including
the schedule on which FortiMail sends them. Configuring an alternate hostname for the web release
and delete links is useful when the local domain name or management IP of FortiMail is not
resolvable from everywhere that email users read their quarantine reports. In that case you can
override the web release link to use a globally resolvable hostname or IP address.
6. Quarantine Mailbox Message Tracking:
When you configure FortiMail to send spam to the user's personal quarantine, the user can delete
quarantined email or release it to the inbox. The administrator GUI displays the messages in the
user's quarantine and distinguishes released from unreleased messages: when a user releases
messages from the personal quarantine, they are tagged as released.
7. By logging on to the webmail GUI, users can review message details and release any messages
that are false positives. Released messages leave the quarantine and are delivered to the user's
inbox.
15. Part 14: Transparent Mode:
1. In transparent mode, FortiMail sits physically in the email path, intercepts email traffic
transparently based on the destination IP address, and performs the AntiSpam and AntiVirus scans.
2. In the example deployment shown in the slide, FortiMail is not the intended IP destination of
the email messages, so no DNS or DNAT changes are required.
3. In some environments, such as large managed service providers (MSPs) and carriers, the
infrastructure changes required by the other deployment modes are impractical. Because of these
constraints, MSPs and carriers usually deploy FortiMail in transparent mode.
4. In transparent mode, as in all other deployment modes, no access receive rules are required for
inbound email. By default, FortiMail accepts all email destined to protected domains.
5. However, to allow outbound email you must configure the appropriate access receive rules. You
must create access receive rules if you plan to scan outbound email.
6. By default, all interfaces are configured as bridge members in transparent mode. You must
assign the management IP statically to port1. The management IP is used for all management traffic
as well as FortiGuard communication. Bridge member communication belongs to the same subnet as the
management IP of port1.
7. The built-in bridge forwards everything, not only SMTP traffic. This is why you can apply
transparent mode without making extensive topology changes: all SMTP traffic is picked up for
inspection and all non-SMTP traffic is bridged.
8. You can remove any interface except port1 from the built-in bridge. This allows FortiMail to
reach more than one subnet if the topology design requires it.
9. Make sure to configure the static routes that define the gateway address for the new subnet.
10. In the example deployment, port1 and port2 are still bridge members and process email for the
examplea.com domain in the 10.200.1.98/24 subnet.
11. Port3 has been removed from the bridge and connected to the 192.168.3.99/24 subnet to process
email for the exampleb.com domain.
12. Configuring a transparent mode protected domain is like configuring a gateway mode protected
domain: you must configure the domain name and provide the back-end server IP in the SMTP server
field. However, in transparent mode you must also define the interface that the SMTP server is
connected to. Expand the Transparent Mode Options and, in the "This server is on" drop-down list,
select an interface. This ensures that FortiMail forwards all inspected email out of the correct
interface.
13. When operating in transparent mode, FortiMail has two methods for handling SMTP sessions:
relay or proxy. Depending on the topology, these two methods produce vastly different results in
email routing. When using the built-in MTA to relay email, FortiMail uses MX record lookups to
deliver the email. With this method, FortiMail can queue undeliverable messages and generate DSNs.
14. The built-in MTA is used implicitly: SMTP clients do not explicitly establish a connection to
it. This is also the default method for handling SMTP sessions in transparent mode.
15. FortiMail has two transparent proxies, an incoming proxy and an outgoing proxy. When configured
to use the proxies, FortiMail does no DNS lookups at all and only attempts to deliver the message
to the destination specified by the SMTP client. The incoming proxy supports message queuing, but
the outgoing proxy does not. Therefore, when using the outgoing proxy, FortiMail cannot queue
undeliverable messages or generate DSN messages.
16. You can enable the proxies separately for each message flow direction. For outgoing sessions,
on the Proxies tab, select "Use client-specified SMTP server to send email". For incoming sessions,
select "Use domain's SMTP server to deliver the email".
17. If you disable these options, FortiMail uses the built-in MTA to relay the email.
18. At the network connection level, directionality is determined by the destination IP address in
the IP header. If the destination IP address matches a protected domain's SMTP server IP address,
it is an incoming connection. If the destination IP does not match any protected domain's server
address, it is an outgoing connection. Unlike application-layer directionality, connection-level
directionality does not consider the recipient's domain in RCPT TO. This can mean that the session
direction is not the email direction.
19. The example deployment scenario illustrates the difference between application-layer and
network-layer directionality. In this network there is an internal mail relay server with the IP
address 10.200.1.252. All inbound email from remote MTAs for the internal.lab domain is delivered
to this relay server. All outbound email generated by the internal mail servers must also flow
through this relay server. Therefore, the transparent mode FortiMail is deployed in front of the
internal mail relay server and configured to protect the internal.lab domain with SMTP server
10.200.1.252.
20. Users connect to the internal mail server to send external email. When the email is sent to the
internal relay server, it arrives at FortiMail with the destination IP 10.200.1.252 and recipient
domain external.lab. According to the FortiMail directionality rules, this is an inbound connection
sending an outbound email. If "Use client-specified SMTP server to send email" is enabled, the
transparent mode FortiMail routes the message to the destination IP chosen by the client, which in
this example is the relay server 10.200.1.252; the relay server then queries the public DNS server
to resolve the external.lab domain.
21. When the relay server sends the email message on to the remote MTA, it arrives at FortiMail
with the destination IP of the remote MTA (not 10.200.1.252) and a recipient domain of
external.lab. According to the FortiMail directionality rules, this is an outbound connection
sending an outbound email.
22. The table in the slide shows which sessions are handled by the built-in MTA and which by the
proxies. Any inbound session carrying inbound email is always processed by the built-in MTA,
regardless of the proxy configuration. For an inbound session carrying outbound email, the
processing depends on the proxy configuration. The processing of any outbound session also depends
on the proxy configuration.
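The two directionality rules of items 18 to 22 and the resulting choice between the built-in MTA and the transparent proxies, as an added Python example (not code from the book or from FortiMail). The protected domain internal.lab with SMTP server 10.200.1.252 is the deployment from the text; the remote MTA address and the proxy option values are constructed. One case is an assumption: the text only says that an outbound session "depends on proxy configuration", so the code ties an outbound session carrying inbound email to the incoming proxy option and says so in a comment.

```python
from typing import Dict, Tuple

# Protected domains and their back-end SMTP server IPs (internal.lab -> 10.200.1.252
# is the deployment described in the text).
PROTECTED = {"internal.lab": "10.200.1.252"}

# Transparent mode proxy options, as named on the Proxies tab (values constructed).
PROXY_OPTS = {
    "use_client_specified_server": True,   # outgoing sessions
    "use_domain_server": False,            # incoming sessions
}


def session_direction(dst_ip: str, protected: Dict[str, str] = PROTECTED) -> str:
    """Network-level direction: decided purely by the destination IP of the TCP session."""
    return "inbound" if dst_ip in protected.values() else "outbound"


def email_direction(rcpt_to: str, protected: Dict[str, str] = PROTECTED) -> str:
    """Application-level direction: decided by the recipient domain in RCPT TO."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    return "inbound" if domain in protected else "outbound"


def handler(session: str, email: str, opts: Dict[str, bool] = PROXY_OPTS) -> str:
    """Which component handles the SMTP session: the built-in MTA or a transparent proxy."""
    if session == "inbound" and email == "inbound":
        return "built-in MTA"          # always, regardless of proxy settings
    if email == "outbound":
        return "outgoing proxy" if opts["use_client_specified_server"] else "built-in MTA"
    # Outbound session carrying inbound email. Assumption: governed by the incoming
    # proxy option, since the text only says it "depends on proxy configuration".
    return "incoming proxy" if opts["use_domain_server"] else "built-in MTA"


def classify(dst_ip: str, rcpt_to: str) -> Tuple[str, str, str]:
    """(session direction, email direction, handling component) for one SMTP session."""
    s, e = session_direction(dst_ip), email_direction(rcpt_to)
    return s, e, handler(s, e)


if __name__ == "__main__":
    # User -> internal relay (10.200.1.252) with an external recipient
    print(classify("10.200.1.252", "someone@external.lab"))
    # Relay -> remote MTA (constructed address) for the same message
    print(classify("203.0.113.25", "someone@external.lab"))
    # Remote MTA -> internal relay for a local user
    print(classify("10.200.1.252", "user@internal.lab"))
```

The first two calls are the same message at two points in its path: once as an inbound session carrying outbound email, once as an outbound session carrying outbound email. Both end up on the outgoing proxy when "Use client-specified SMTP server to send email" is on, which is exactly the double-handling you have to watch for when you configure connection pickup on the interfaces.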
23. To determine whether a connection was handled by the built-in MTA or by one of the proxies,
view the Mail columns in the history log messages.
24. Connection Pickup:
The SMTP proxy settings of each interface define which email flows are picked up by FortiMail. The
terminology can be confusing because the settings refer to "proxy"; do not confuse this with the
earlier discussion of the transparent proxies versus the built-in MTA. For each interface you
select an action for each direction of SMTP session. When you select Proxy, FortiMail inspects the
email messages that arrive at the interface. When you select Pass through, FortiMail forwards the
messages to their original destination without any inspection. When you select Drop, FortiMail
drops the messages. The local connection settings control whether clients can connect to that
interface for webmail access, IBE access and so on. How to set these depends on the FortiMail
setup.
25. When configuring SMTP proxy pickup, make sure that you are not scanning the same email traffic
twice. A good rule to follow is to pick up sessions on the interface closest to the source.
26. In the example shown, port1 is the interface closest to the source of all inbound email, so
port1 incoming connections are proxied. Port2 is the interface closest to the source of all
outbound email, so port2 outgoing connections are proxied.
27. Configuring Transparency:
By default, FortiMail in transparent mode is not truly transparent. Evidence of its presence can be
found in the IP headers, the SMTP session banner, the EHLO/HELO greetings, and the email message
headers.
28. IP sessions are sourced from the management IP when using a bridge member interface, or from
the out-of-bridge interface's IP when using an out-of-bridge interface. This is evident in any
packet capture of email traversing a transparent mode FortiMail. The SMTP session banner and the
EHLO/HELO greeting are also replaced with the transparent mode FortiMail's own values, and the
email message headers include information about the transparent mode interface that processed the
email. You must explicitly configure transparency whether you use the proxies or the built-in MTA.
29. To hide FortiMail in all inbound sessions, on the Domain tab in the Transparent Mode Options
section, enable the "Hide the transparent box" option. This preserves the session originator's
source IP in the IP header, the SMTP greeting in the envelope, and the email message headers.
30. Outbound Transparency:
To hide FortiMail in outbound sessions, you need to configure a session profile. This preserves the
protected SMTP server's source IP in the IP header. You can apply session profiles only through
IP-based policies. To replicate the back-end server's SMTP greeting and preserve the email message
headers, you must configure the protected domain settings as shown in the slide. Typically, this
value must be the same as the HELO/EHLO greeting that the back-end server uses.
31. Encrypted Sessions:
A transparent mode FortiMail cannot scan encrypted sessions. If the back-end server supports
STARTTLS, you have to configure a session profile and deploy it using an IP-based policy. When you
enable "Prevent encryption of the session", FortiMail blocks the STARTTLS command during the SMTP
exchange, so the session stays in cleartext and can be inspected. You enable this option in the
session profile and apply it using IP-based policies. Be aware of the trade-off: mail on that hop
between the remote MTA and your server then travels unencrypted.
32. SMB Deployment:
In SMB deployments, the networks are less complicated. Deploying FortiMail in transparent mode is
simply a matter of positioning FortiMail directly in front of the local mail server. If there are no
relay mail servers, you must use the built-in MTA for outbound connections. If there are relay
servers, you should proxy connections in both directions.
33. Enterprise Network Deployment:
Enterprise networks might have multiple branch offices with their own mail servers connected to the
corporate network. The challenge in these deployments is to locate FortiMail where it can inspect
all inbound and outbound connections. If there is a global relay server for the whole corporate
network, position FortiMail in front of the global relay server and proxy connections in both
directions.
34. If there are no relay servers, you can use the same approach as in the SMB deployment.
35. Service Provider Example:
For service providers, it is more common to find FortiMail devices deployed without any protected
domains. The scope of these deployments is so large that it is not feasible to maintain full lists
of protected domains. These deployments also use strict IP-based policy inspection. Clustering is
used to increase session handling capacity, load balancers are used to maintain persistence, and
policy-based routing is used to redirect all SMTP traffic to the FortiMail cluster. When no domains
are configured, a transparent mode FortiMail considers all email outbound. Since there are
hundreds of subscribers with their own MUA settings, the FortiMail devices are usually configured
to use the outgoing proxy with full transparency.
16. Part 15: Quick Guide for FortiMail Hardware Package Installation:
1. FortiMail hardware package contents:
2. Installation Overview
Installation and configuration of the FortiMail unit involves the following steps:
a. Place the unit on a stable surface.
b. Connect the unit to the network. For details, see the FortiMail Install Guide.
c. Power up the unit.
d. Connect to the web-based manager.
e. Select an operation mode: Gateway, Transparent, or Server. For details, see the FortiMail
Install Guide.
f. Run the QuickStart wizard to configure the basic settings. For details, see the FortiMail
Install Guide.
g. For all other installation instructions, see the FortiMail Install Guide on the documentation CD.
h. For all configuration instructions, see the FortiMail Administration Guide and the FortiMail
online help.
i. If you want to use CLI commands to configure the unit, see the FortiMail CLI Reference on the
documentation CD.
3. Collecting Information:
4. Powering On
To power on the FortiMail unit:
a. Ensure the unit is placed on a stable surface.
b. Ensure the power is not connected.
c. Connect the network cable to port1.
d. Connect the power cable.
5. Configuration Tool Overview
You can use one of the following tools to configure the FortiMail unit. If you are connecting and
using the unit for the first time, it is recommended that you use the web-based manager only,
because it comes with a quick start configuration wizard that guides you through the initial
setup.
• Web-based manager
The web-based manager is an easy-to-use management tool that you access from a web browser.
• Command Line Interface (CLI)
The FortiMail unit has a console port; use a console cable to connect it directly to your
management computer.
6. Using the web-based manager
The web-based manager has two display modes: Basic and Advanced. The default mode when you first
log on is Advanced. You can switch between the two modes by clicking Basic Mode >> or
Advanced Mode >>.
In either mode, you can run the quick start configuration wizard to configure the basic network
and antispam settings.
Configuration changes made with the web-based manager take effect immediately.
The FortiMail unit has three operation modes: gateway, transparent, and server.
The default operation mode is gateway mode. You can change to transparent mode or server mode
after connecting to the unit. Changing the operation mode causes a system reboot.
To connect to the web-based manager, you need:
• An Ethernet connection between the FortiMail unit and your management computer.
• A web browser such as Firefox or Internet Explorer with the Adobe Flash Player 10 or later plugin.
To connect to the web-based manager for the first time:
a. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2
and a netmask of 255.255.255.0.
b. Using an Ethernet cable, connect your computer's Ethernet port to the FortiMail unit's port1.
Use a cross-over Ethernet cable to connect the devices directly, or straight-through Ethernet
cables to connect the devices through a hub or switch.
c. Start your web browser and go to https://192.168.1.99/admin (include the "s" in https:// and
"/admin" after the IP address).
d. Type admin in the Name field and select Login.
e. Go to Monitor > System Status > Status (the dashboard) to set the operation mode. The system
will reboot.
f. Log on to the system again.
g. Click Quick Start Wizard to run the quick start configuration wizard and follow the steps to
configure the system's basic network and antispam settings.
7. Deploying the FortiMail unit
Now that the FortiMail unit is up and running, you can start to deploy the unit into your network
by configuring the system settings and mail settings. The FortiMail Install Guide will help you
with this task.
8. Configuring the FortiMail unit
Then you can configure detailed antispam, antivirus, and logging settings to protect your mail
servers and users. For details, see the FortiMail online help or the FortiMail Administration Guide
on the documentation CD.
17. Part 16: Tutorial 1-Registering FortiMail Demo Account:
1. I registered for a demo account at https://www.fortinet.com/demo-center/fortimail-demo
2. I was sent the following links to log in and try:
• https://fortimail.fortidemo.com/admin/Admin.html#!/system_grp/mailserver
Account: Demo
Password: Demo
• https://fortimailcloud.fortidemo.com/admin/Admin.html
Account: Demo
Password: Demo
18. Part 17: Tutorial 2-Installing FortiMail in VMWare:
1. Open the VMware Virtual Network Editor. I left the default configuration:
• VMnet0
• VMnet1
• VMnet8
2. Download FortiMail from https://support.fortinet.com/download/FirmwareImages.aspx. Extract the
zip file. Import the .ovf file into VMware Workstation. Select the name and folder in which to save
the FortiMail VM.
3. Configure the virtual network in the virtual machine: network adapter 1 on the VM connected to
VMnet0 (Wan1).
4. Install and configure FortiMail in VMware
Power on the FortiMail VM.
Log in as admin; the password is empty.
Set a new password for admin.
Check the status of the interfaces with the command:
# show system interface
Configure the port1 interface as Wan1:
# config system interface
    edit port1
        set mode static
        set ip 10.0.0.9 255.255.255.0
        set allowaccess http https telnet ssh ping
    end
Note that http and telnet are cleartext management protocols; on anything other than a throwaway
lab, limit allowaccess to https, ssh and ping.
Verify the result:
# show system interface port1
19. Part 18: Tutorial 3- Configuring FortiMail Using the Web Based
Control Panel:
1. Access FortiMail web-based manager at IP address http://10.0.0.9/admin. You get the
following dashboard.
2. You can view license information from license widget. In my case I had trial license.
3. FortiGuard is basically responsible for:
• AntiVirus
• AntiSpam
• Virus Outbreak
• URL Click Protection
• Content Disarm and Reconstruction
• IP Geography
• Internet Service Database
• Microsoft 365 Protection (No license)
• Email Continuity (No license)
• FortiSandbox Cloud
• Advanced Management (No license)
• Adult Image Analysis
You can check the license status of the FortiGuard elements from "System/FortiGuard".
4. The System/FortiGuard/AntiVirus settings:
5. The System/FortiGuard/AntiSpam settings:
6. The System/FortiGuard/URL Protection settings:
7. Setup the system time according to your country from “System/Configuration/Time".
8. From “System/Configuration/Option”, you can setup the password policy and the
administration ports.
9. Mail server settings are configured on “System/Mail Setting”. I accepted the default
configuration.
10. The system interfaces are shown in "System/Network/Interface".
11. Configure the port1 interface details:
• IP Address
• Access: HTTPS, PING, SSH, SNMP, HTTP, TELNET
• Web Access: Admin, Webmail
• Mail Access: SMTP, SMTPS, IMAP, IMAPS, POP3, POP3S
12. You can configure the routing details from "System/Network/Routing".
13. You can configure the DNS details from "System/Network/DNS".
14. You can create new domains from "Domain&User/Domain". I created the domain
"fortimailtest.com". You can configure the message size and the maximum user quota. The default
message size is 20 MB and the default domain user quota is 1 GB.
Note: By default FortiMail rejects all emails larger than 10 MB. The size limit is enforced by the
kernel and includes the message header and the message body, which includes attachments. You can
override this value in two places: the session profile or each protected domain definition. The
"Cap message size (KB)" option under SMTP Limits in the session profile is commonly used to control
email size. For outgoing email, FortiMail uses only the session profile value, assuming a session
profile matches the email; if no session profile matches, FortiMail uses the default limit of
10 MB. For incoming email, FortiMail evaluates both the session profile and the protected domain
values and selects the smaller.
15. You can create new users from "Domain&User/User". I created the users hidaia, samia and sana
under the domain fortimailtest.com.
16. You can administer the mail folder of each user from "Domain&User/User/Maintenance".
17. The user preferences are shown in "Domain&User/User/User Preference".
18. You can add an email alias from "Domain&User/User Alias". As an example, I created the alias
group1@fortimailtest.com that includes both users hidaia and samia, so any email sent to
group1@fortimailtest.com is received by both.
19. You can check the History log, System Event log, Mail Event log, AntiVirus log, AntiSpam log
and Encryption log from the "Monitor/Log" menu:
• History Log
• System Log
• Mail Log
• AntiVirus Log
• AntiSpam Log
20. You can check the "Personal Quarantine" and "System Quarantine" from "Monitor/Quarantine".
21. You can monitor the mail queue from "Monitor/Mail Queue". It shows the Mail Queue, Spam
Outbreak, Virus Outbreak, FortiSandbox and Dead Mail queues.
22. You can check the safe and block lists from "Security/Block/Safe List".
23. You can back up, and set up scheduled backups of, the system configuration from
"System/Maintenance".
24. You can back up, and set up scheduled backups of, the mail data from "System/Mail Data".
25. Users can compose email and retrieve the messages in all mail folders from https://10.0.0.9/mail
in our example.
20. Part 19: Tutorial 4 - Creating AntiVirus, AntiSpam, Content Filtering and Session Profiles:
1. In this tutorial I will give an idea about:
• System/FortiGuard
• AntiVirus Profile
• AntiSpam Profile
• Content Filtering Profile
• Session Profile
• FortiSandbox
• Access Control Rules
• Recipient Policy
• IP Policy
2. FortiGuard is basically responsible for:
• AntiVirus
• AntiSpam
• Virus Outbreak
• URL Click Protection
• Content Disarm and Reconstruction
• IP Geography
• Internet Service Database
• Microsoft 365 Protection (No license)
• Email Continuity (No license)
• FortiSandbox Cloud
• Advanced Management (No license)
• Adult Image Analysis
You can check the license status of the FortiGuard elements from "System/FortiGuard".
3. The System/FortiGuard/AntiVirus settings:
4. The System/FortiGuard/AntiSpam settings:
5. The System/FortiGuard/URL Protection settings:
6. Check that FortiMail can reach FortiGuard using the following commands (ping only proves ICMP
reachability, so the third command checks that TCP port 443 is actually open):
# execute ping service.fortiguard.net
# execute ping update.fortiguard.net
# execute telnet update.fortiguard.net: 443
7. Use this command to manually request updates to the FortiGuard Antivirus and FortiGuard
Antispam engine and definitions from the FortiGuard Distribution Network (FDN). You can
alternatively or additionally configure scheduled updates and push updates.
# execute update {as | av | now}
8. Test from the command line (a plain SMTP session; the blank line after the Subject header ends
the headers and starts the body, and the lone "." ends the message):
# telnet 10.0.0.9 25
HELO test.local
MAIL FROM:<xyz@test.com>
RCPT TO:<hidaia@fortimailtest.com>
DATA
Subject: test

Hi world
.
QUIT
9. FortiGuard AntiVirus:
a) FortiGuard AntiVirus is included in the FortiGuard AntiVirus subscription. FortiMail uses the
FortiGuard AntiVirus service to protect against the latest threats. The FortiGuard virus signature
databases are kept regularly updated from the FortiGuard Distribution Network.
b) FortiGuard Labs receives global requests for ratings of sender IPs, content and attachments.
Using data analytics techniques, FortiGuard can quickly detect and respond to new outbreaks,
blocking suspicious virus objects without the need for an AntiVirus signature.
10. Malware Detection:
11. FortiSandbox:
FortiSandbox integrates with FortiMail to provide protection against email threats. Email is sent
to FortiSandbox and held until it has been analyzed; if a suspicious or malicious item is found,
that email can be blocked from being delivered.
12. You can configure FortiSandbox from "System/FortiSandbox".
13. You can set up the AntiVirus action profile from "Profile/AntiVirus/Action". There are some
default AntiVirus action profiles, such as Discard and System Quarantine.
14. Create the AntiVirus profile from “Profile/AntiVirus/Profile”.
15. Spam Detection:
The FortiMail AntiSpam service is a combination of two tiers of spam defense: the FortiGuard
AntiSpam service combined with FortiMail's built-in AntiSpam detection techniques. By leveraging
the FortiGuard AntiSpam service, FortiMail has access to the latest knowledge of emerging spam
threats and outbreaks.
16. You can set up the AntiSpam action profile from "Profile/AntiSpam/Action". There are some
default AntiSpam action profiles.
17. Create the AntiSpam profile from “Profile/AntiSpam/Profile”.
18. FortiGuard IP Reputation:
When you enable the FortiMail IP reputation option, FortiMail queries the FortiGuard AntiSpam
service to determine whether the remote MTA's IP address is in the FortiGuard blocklist database.
FortiGuard divides the blocklisted IP addresses into three levels:
- Level 1 has the worst reputation
- Level 2 has a better reputation
- Level 3 has an even better reputation
To help prevent false positives, you can take different actions for the different IP levels.
Usually, you should take strict actions such as reject or discard for level 1 IP addresses, and
milder actions such as quarantine or tag for level 3 IP addresses.
19. Heuristic Scan:
FortiGuard maintains a set of heuristic rules based on spam content. These rules are continuously
updated as new spam threats emerge. As each rule is evaluated against the message, a score is
generated reflecting how much of the rule's criteria is found in the message. When FortiMail
finishes processing a rule, it adds the score to the message's total score. If the total score
meets or exceeds the configured threshold, FortiMail determines that the message is spam.
20. Sender Validation:
The most common sender validation technique is SPF. With SPF, the domain owner publishes a
specially formatted DNS TXT record that lists the MTAs authorized to send for the domain. If you
enable DNS SPF verification in the session profile, FortiMail performs a DNS TXT lookup for the
sending domain of each email session. If an SPF record exists, FortiMail compares the addresses it
authorizes with the address of the sending MTA.
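The SPF check described above, as an added Python example that is not code from the book or from FortiMail. To run offline it replaces live DNS with a constructed dictionary of TXT records, and it evaluates only the ip4, ip6, include and all mechanisms; a, mx, exists and redirect would need real lookups and are reported as permerror. It goes slightly beyond the text in honouring the record's qualifiers (-all, ~all, ?all) and the include chain, which is what a real SPF evaluator does.

```python
import ipaddress
from typing import Dict

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS TXT data standing in for live lookups so the example runs offline.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.partner.test -all",
    "_spf.partner.test": "v=spf1 ip6:2001:db8::/32 ~all",
}


def check_spf(domain: str, sender_ip: str, txt: Dict[str, str] = TXT, depth: int = 0) -> str:
    """Evaluate an SPF record for the connecting MTA's IP (ip4, ip6, include, all only)."""
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:
        return "permerror"               # RFC 7208 lookup limit
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            if check_spf(arg, sender_ip, txt, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
        else:
            return "permerror"           # a, mx, exists, redirect need live DNS: not handled here
    return "neutral"


def session_spf(mail_from: str, client_ip: str, txt: Dict[str, str] = TXT) -> str:
    """What a session-profile SPF check does: take the MAIL FROM domain, test the client IP."""
    if "@" not in mail_from:
        return "none"                    # null sender (DSN): no MAIL FROM domain to check
    return check_spf(mail_from.rsplit("@", 1)[1], client_ip, txt)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "2001:db8::1", "203.0.113.5"):
        print(ip, session_spf("alice@example.com", ip))
```

A softfail from an included record does not make the include match, so a sender covered only by the partner's ~all still falls through to example.com's -all and fails. That is the behaviour you want before you attach a reject action to SPF failures in the session profile: check what the records of your own senders actually return for the IPs they really send from.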
21. Content Profile:
• Content profiles support attachment detection based on MIME type. Content profiles also support
dictionary profiles to detect words or phrases in the content using regular or wildcard
expressions.
• You can use scan options to detect various properties of emails or attachments. You can configure
a content profile to detect and act on password-protected Office or PDF documents. If you enable
the password decrypt feature, FortiMail tries to brute force all password-protected documents in
order to scan their content.
• Another common use of content profiles is attachment limiting. You can configure the maximum
number of attachments to limit how many attachments an email may carry. Sometimes attached
documents contain embedded content that a remote attacker can exploit if the user mistakenly
enables macros after opening the document. If you enable the "Detect embedded component" setting,
FortiMail can detect and act on such documents.
22. You can set up the Content action profile from "Profile/Content/Action". There are some
default Content action profiles.
23. Create the Content profile from “Profile/Content/Profile”.
24. Click Protection:
If you use click protection, when an email is first received FortiMail rewrites any URLs in the
email body that are categorized as non-malicious or unrated so that they point to FortiMail itself.
When the user clicks the URL at a later time, the URL request triggers a second rating query. If
the URL's rating has changed from non-malicious to malicious, FortiMail blocks the URL.
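The rewrite-at-receipt, re-rate-at-click flow described above, as an added Python example that is not code from the book or from FortiMail. The click endpoint, the signing key, the URLs in the sample body and the two rating tables (one at receipt time, one at click time) are constructed for the example; what happens to a URL already rated malicious at receipt is also an assumption (left unchanged here for the other URL scans to handle). The HMAC on the rewritten link is the practitioner's detail the text leaves out: without it, a click endpoint that redirects to whatever "u=" says is an open redirector.

```python
import hashlib
import hmac
import re
import urllib.parse
from typing import Callable, Optional, Tuple

# Constructed values: the rewrite endpoint and the signing key are assumptions
# for this example, not FortiMail's real endpoint or key material.
CLICK_ENDPOINT = "https://fortimail.example.net/click"
CLICK_KEY = b"constructed-click-protection-key"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

Rater = Callable[[str], str]     # returns "malicious", "non-malicious" or "unrated"


def _sign(url: str) -> str:
    return hmac.new(CLICK_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def protect_url(url: str) -> str:
    """Rewrite one URL to point at the click endpoint, binding it with an HMAC."""
    return CLICK_ENDPOINT + "?" + urllib.parse.urlencode({"u": url, "s": _sign(url)})


def rewrite_body(body: str, rate_at_receipt: Rater) -> str:
    """At receive time: rewrite non-malicious and unrated URLs; leave malicious ones
    unchanged (assumption: those are acted on by the other URL scans)."""
    def repl(m: "re.Match") -> str:
        url = m.group(0)
        return url if rate_at_receipt(url) == "malicious" else protect_url(url)
    return URL_RE.sub(repl, body)


def handle_click(clicked: str, rate_at_click: Rater) -> Tuple[str, Optional[str]]:
    """At click time: check the signature, re-rate, then block or redirect.
    The signature check keeps the endpoint from being used as an open redirector."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(clicked).query)
    url = params.get("u", [""])[0]
    sig = params.get("s", [""])[0]
    if not url or not hmac.compare_digest(sig, _sign(url)):
        return "reject", None
    if rate_at_click(url) == "malicious":
        return "block", url
    return "redirect", url


# Constructed ratings: the offer URL is unrated on receipt and malicious later.
RATINGS_AT_RECEIPT = {"https://evil.test/x": "malicious"}
RATINGS_AT_CLICK = {"https://evil.test/x": "malicious", "http://example.org/offer": "malicious"}


def rate_at_receipt(url: str) -> str:
    return RATINGS_AT_RECEIPT.get(url, "unrated")


def rate_at_click(url: str) -> str:
    return RATINGS_AT_CLICK.get(url, "unrated")


if __name__ == "__main__":
    body = "See http://example.org/offer and https://evil.test/x"
    print(rewrite_body(body, rate_at_receipt))
    print(handle_click(protect_url("http://example.org/offer"), rate_at_click))
```

The same rewritten link yields "redirect" against the receipt-time ratings and "block" against the click-time ratings, which is the whole value of the feature: the decision is made when the user clicks, not when the message was scanned.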
25. Session Profile:
You can set up session profiles from "Profile/Session".
26. Resource Profile:
You can set up resource profiles from "Profile/Resource".
21. Part 20: Tutorial 5-Testing Access Control Rules:
1. Access Receive Rule:
An access receive rule applies an action to sessions matching an email sender, an email recipient
and a defined source IP address.
2. Access Receive Rule Actions:
3. To test access control rules, create a receive access control rule to reject all sessions from
any sender to any recipient from any IP address.
• I tried to send an email through webmail to samia@fortimailtest.com. You get the message
"Access Denied".
• Delete the access control rule created previously, as this test is complete.
4. Relaying outbound emails
• If the SMTP session matches no rule, or no rules are defined, and the sender is unauthenticated,
the default behavior of FortiMail is based on the RCPT TO of the envelope. If the email is destined
to a protected domain, FortiMail relays it. If the email is not destined to a protected domain,
FortiMail rejects it. This default behavior prevents FortiMail from acting as an open relay. This
is the reason you must explicitly define an access receive rule for FortiMail to act as an outbound
MTA and relay outbound email.
• Make sure there are no enabled access control rules. Try to send a message to a temporary email
address from https://temp-mail.org/en/ (for example goxeroy449@dmonies.com)  from webmail, where
the user is logged on and authenticated.
• The outbound email is received at goxeroy449@dmonies.com because the user
hidaia@fortimailtest.com is a local user of the protected domain and is logged on and
authenticated when sending the message.
• Try to send the same message from the command line. You will get the error message
“Relay is Denied” because the sender is not logged on and authenticated. This prevents the
FortiMail server from acting as an open relay.
• Create a receiving access control rule that relays all sessions from any sender to any
recipient from any source IP address. This rule turns FortiMail into an open relay, which is
not desirable; it is created for testing only.
• Make sure that the created access control rule is enabled. Try to send a message to a
temporary email address from https://temp-mail.org/en/ (for example
goxeroy449@dmonies.com) from the command line, where the user is not authenticated. You
can use any sender address. The message is relayed to goxeroy449@dmonies.com because the
created access control rule allows it.
• Remove the created access control rule after completing the test.
22. Part 21: Tutorial 6- Testing Recipient Policies:
1. For the AntiSpam test:
• Using a special test string known as GTUBE (Generic Test for Unsolicited Bulk Email), you
can verify that the AntiSpam feature of FortiMail works and detects incoming spam messages.
• To test the AntiSpam functionality, send an email with the following 68-byte string in the
message body:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
• Use the string as is (on one line, without any whitespace or line breaks). You can download a
suitable email message in RFC 822 format from http://spamassassin.apache.org/gtube/gtube.txt.
2. The spam message I am using in the tests:
((
Subject: Test spam mail (GTUBE)
Message-ID: <GTUBE1.1010101@example.net>
Date: Wed, 23 Jul 2003 23:30:00 +0200
From: Sender <sender@example.net>
To: Recipient <recipient@example.net>
Precedence: junk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This is the GTUBE, the
	Generic
	Test for
	Unsolicited
	Bulk
	Email

If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incoming
spam. You can send yourself a test mail containing the following string of
characters (in upper case and with no white spaces and line breaks):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

You should send this test mail from an account outside of your network.
))
3. For the AntiVirus test:
• To test the AntiVirus functionality, create a text file that contains the following string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
• For more information, and to download the test file in different forms, visit
http://2016.eicar.org/85-0-Download.html.
4. Create an AntiVirus profile with the action set to Reject.
5. From “Policy/Recipient Policy”, create an inbound recipient policy that applies an AntiVirus
scan to inbound emails sent to any recipient, and select the AntiVirus profile with the action set
to Reject.
6. Try to send a message containing the virus signature from the webmail to a local user in the
protected domain, such as samia@fortimailtest.com. The email will not be delivered, as it is
detected as infected. The virus signature used:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
7. Modify the AntiVirus profile so that the action is set to “System Quarantine”.
8. Try to send a message containing the virus signature from the webmail to a local user in the
protected domain, such as samia@fortimailtest.com. The email will be placed in the System
Quarantine. The virus signature used:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
9. Delete the inbound recipient policy created for the AntiVirus scan.
10. Create an AntiSpam profile with the action set to Reject.
11. From “Policy/Recipient Policy”, create an inbound recipient policy that applies an AntiSpam
scan to inbound emails sent to any recipient, and select the AntiSpam profile with the action set
to Reject.
12. Try to send a message containing the spam signature from the command line rather than from
the webmail, because FortiMail skips the AntiSpam scan for authenticated users logged on
through the webmail. The message is sent to a local user in the protected domain, such as
samia@fortimailtest.com. The email will not be delivered, as it is detected as spam. The spam
signature used:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
13. Modify the AntiSpam profile so that the action is set to “User Quarantine”.
14. Try to send a message containing the spam signature from the command line again (for the
same reason as in step 12). The message is sent to a local user in the protected domain, such as
samia@fortimailtest.com. The email will be placed in the user quarantine, as it is detected as
spam. The spam signature used:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
The user samia@fortimailtest.com can access the spam email in the user quarantine from the
webmail, in the Bulk folder, and can release it to the inbox or move it to any folder.
15. Delete the inbound recipient policy created for the AntiSpam scan.
16. Create a Content Filtering profile that scans emails for executable attachments and set the
action to Reject.
17. From “Policy/Recipient Policy”, create an inbound recipient policy that applies a Content
Filtering scan to inbound emails sent to any recipient, and select the Content Filtering profile
that scans attachments for executable files with the action set to Reject.
18. Try to send a message with an executable attachment from the webmail to a local user in the
protected domain, such as samia@fortimailtest.com. The email will not be delivered, as it
includes an executable attachment.
19. You can also test the Content Filtering profile with the action set to “User Quarantine”.
When you send an email with an executable attachment to samia@fortimailtest.com, you will
find it in the user quarantine.
20. Delete the inbound recipient policy created for Content Filtering.
21. The same tests can be applied to outbound recipient policies. Outbound recipient policies
apply to outbound traffic, for example email sent to an external user. As an example, from
“Policy/Recipient Policy”, create an outbound recipient policy that applies an AntiVirus scan to
outbound emails sent to any recipient, and select the AntiVirus profile with the action set to Reject.
22. Try to send an outbound message containing the virus signature from the webmail to an
external address such as goxeroy449@dmonies.com. The email will be rejected because it is
detected as infected. The virus signature used:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
23. You can check all transactions through the FortiMail server from “Monitor/Log/History”.
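The three test payloads used in this tutorial (GTUBE for AntiSpam, EICAR for AntiVirus, an executable attachment for Content Filtering), built with the Python standard library so that the command-line tests can be repeated without hand-crafting RFC 822 files. This is an added example, not code from the page or from Fortinet; the recipient and the example.net sender are the tutorial's, the SMTP host and the optional login are parameters, and the .exe payload is a constructed stub header rather than a real program.

```python
from email.message import EmailMessage
import smtplib

GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _base(subject, sender, rcpt):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = subject
    return msg


def gtube_message(sender="sender@example.net", rcpt="samia@fortimailtest.com"):
    """AntiSpam test: GTUBE on its own line, upper case, unwrapped (68 chars, so it stays 7bit)."""
    msg = _base("Test spam mail (GTUBE)", sender, rcpt)
    msg.set_content("This message carries the GTUBE string:\n" + GTUBE + "\n")
    return msg


def eicar_message(sender="sender@example.net", rcpt="samia@fortimailtest.com"):
    """AntiVirus test: the EICAR string as a file attachment (base64 keeps it byte-exact)."""
    msg = _base("AntiVirus test (EICAR)", sender, rcpt)
    msg.set_content("The EICAR test file is attached.\n")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def exe_message(sender="sender@example.net", rcpt="samia@fortimailtest.com"):
    """Content Filtering test: an attachment named .exe that starts with the DOS 'MZ' magic.
    The payload is a constructed stub header, not a runnable program."""
    msg = _base("Content Filtering test (.exe attachment)", sender, rcpt)
    msg.set_content("An executable attachment is included.\n")
    stub = b"MZ" + b"\x00" * 62
    msg.add_attachment(stub, maintype="application", subtype="x-msdownload",
                       filename="test.exe")
    return msg


def send(msg, host, port=25, login=None):
    """Deliver through the FortiMail SMTP port. Pass login=(user, password) to test as an
    authenticated sender, or omit it to reproduce the unauthenticated command-line case."""
    with smtplib.SMTP(host, port, local_hostname="client.test") as s:
        if login:
            s.login(*login)
        s.send_message(msg)


if __name__ == "__main__":
    for build in (gtube_message, eicar_message, exe_message):
        print(build().as_string())   # inspect here, or hand the message to send(msg, "10.0.0.9")
```

Sending the GTUBE message unauthenticated from the command line matters for the AntiSpam steps above: the same message submitted through the webmail by a logged-on user is not scanned for spam.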
23. Part 22: Tutorial 7- Testing IP Policy:
1. An IP policy gives you the option to reject sessions from a certain source IP address to a
certain destination IP address, or to scan those sessions and apply the actions of a Session
profile, an AntiVirus profile or a Content Filtering profile.
2. Create a session profile that limits the message size to 5 MB instead of the default setting of
10 MB.
Note: By default FortiMail rejects all emails larger than 10 MB. The size limit is enforced by the
kernel. It includes the message headers and the message body, which includes the attachments.
You can override this value in two places: the session profile or each protected domain
definition. The “Cap message size (KB)” option under SMTP Limits in the session profile is
commonly used to control email size. For outgoing email, FortiMail uses only the session profile
value, assuming a session profile matches the email; if no session profile matches, FortiMail uses
the default limit of 10 MB. For incoming messages, FortiMail evaluates both the session profile
and the protected domain values and applies the smaller one.
3. Create an IP policy that scans emails from any source IP to any destination IP against the
created session profile.
4. Try to send a message with an attachment larger than 5 MB from the webmail to a local user
in the protected domain, such as samia@fortimailtest.com. The email will not be delivered, as
the message size is greater than 5 MB.
5. Modify the session profile so that, under “Unauthenticated Session Settings”, the setting
“Check sender domain” is enabled.
6. From the command line, test the “Check sender domain” setting by sending an email to any
recipient from a sender address with a random nonexistent domain. An error message will
appear stating that the sender domain could not be resolved.
7. Delete the previous IP policy that scans messages against the session profile.
8. Create an AntiVirus profile with the action set to Reject.
9. Create an IP policy that scans emails from any source IP to any destination IP against the
created AntiVirus profile, with the Reject action for any email that contains a virus.
10. Try to send a message containing the virus signature from the webmail to a local user in
the protected domain, such as samia@fortimailtest.com. The email will not be delivered, as it is
detected as infected. The virus signature used:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
11. Delete the previous IP policy that scans messages against the AntiVirus profile.
12. Create an AntiSpam profile with the action set to Reject.
13. Create an IP policy that scans emails from any source IP to any destination IP against the
created AntiSpam profile, with the Reject action for any email that contains spam.
14. Try to send a message containing the spam signature from the command line rather than from
the webmail, because FortiMail skips the AntiSpam scan for authenticated users logged on
through the webmail. The message is sent to a local user in the protected domain, such as
samia@fortimailtest.com. The email will be rejected, as it is detected as spam and the action of
the AntiSpam profile is set to reject email that contains spam. The spam signature used:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
15. Delete the previous IP policy that scans messages against the AntiSpam profile.
16. Create a Content Filtering profile that scans emails for executable attachments and set the
action to Reject.
17. Create an IP policy that scans emails from any source IP to any destination IP against the
created Content Filtering profile, with the Reject action for any email that contains an
executable attachment.
18. Try to send a message with an executable attachment from the webmail to a local user in the
protected domain, such as samia@fortimailtest.com. The email will not be delivered, as it
includes an executable attachment.
19. Delete the previous IP policy that scans messages against the Content Filtering profile.
24. Part 23: Tutorial 8- Testing Relay Host:
1. The FortiMail unit's built-in MTA can be configured to hand outgoing email to an SMTP
relay. You can configure up to eight relays. The relay is typically provided by your Internet
service provider (ISP), but it could also be a mail relay on your internal network.
If you do not configure a relay server, for outgoing email delivered by the built-in MTA the
FortiMail unit instead queries the DNS server for the MX record of the mail domain in the
recipient's email address (RCPT TO:) and relays the email directly to that mail gateway.
Ex:
SMTP Server Hostname: smtp.freesmtpservers.com
Port: 25
2. From “System/Mail Setting”, set up the relay host smtp.freesmtpservers.com.
3. Try to send a message to a temporary email address from https://temp-mail.org/en/ (for
example sosab77366@edinel.com) from the webmail, where the user is logged on and
authenticated. The email is delivered through the relay host, which means that the relay host
smtp.freesmtpservers.com performs the DNS resolution for the recipient domain and forwards
the email. The relay host does not perform any security scans such as AntiVirus, AntiSpam or
Content Filtering; it just forwards the email to its destination.
4. After completing the test, remove the relay host setting.
25. Part 24: Tutorial 9- FortiMail Gateway Mode:
1. In server mode, FortiMail provides all the typical functions of an email server as well as
security scans. FortiMail delivers clean email to end users' inboxes, which are stored locally on
FortiMail. End users use POP3, IMAP and webmail to access their inboxes. Along with storing
users' mailboxes, a FortiMail running in server mode provides group calendars, resource
scheduling, webmail and other advanced features.
2. In gateway mode, FortiMail provides full MTA functionality. In the email path, FortiMail sits
in front of the existing mail server and scans email. If FortiMail detects spam, it discards it or
stores it in user quarantine mailboxes on the local FortiMail device. FortiMail delivers all clean
email to the backend mail server. A DNS MX record change or a destination NAT rule on the
firewall is required to redirect all inbound email traffic to the FortiMail device for inspection.
For complete protection, all outbound email should also be routed through FortiMail for
inspection. A FortiMail gateway deployment is excellent at extending the scalability of existing
email infrastructure, since FortiMail can offload all security-related and message-queuing tasks
from the backend mail servers.
3. Mail server settings are configured in “System/Mail Setting”. I accepted the default
configuration.
4. I installed the trial version of FortiMail in gateway mode in VMware and set the port1 IP
address to 10.0.0.10. Configure the FortiMail gateway from the VMware console:
Log in as admin; the password is empty.
Set a new password for admin.
Check the status of the interfaces with the command:
# show system interface
Configure the port1 interface with a static address:
# config system interface
    edit port1
        set mode static
        set ip 10.0.0.10 255.255.255.0
        set allowaccess http https telnet ssh ping
    end
# show system interface port1
5. Log in to the admin control panel at https://10.0.0.10/admin
6. Change the time to your country's time zone from “System/Configuration”.
7. Mail server settings are configured in “System/Mail Setting”. I accepted the default
configuration.
8. The system interfaces are shown in “System/Network/Interface”.
9. Configure the port1 interface details:
• IP address
• Access: HTTPS, PING, SSH, SNMP, HTTP, TELNET (HTTP and TELNET carry the admin
credentials in clear text; enable them only on an isolated lab network)
• Web access: Admin, Webmail
10. You can configure the routing details from “System/Network/Routing”
11. You can configure the DNS details from “System/Network/DNS”
12. You can create new domains from “Domain&User/Domain”. I created the domain
“fortimailtest.com”. I set the relay type to “Host” with the SMTP IP address 10.0.0.9 and port
25, and set “Recipient Address Verification” to the “Use SMTP Server” option. You can also
configure the message size; the default message size setting is 20 MB.
13. Test sending an email through the gateway's SMTP port, 10.0.0.10:25, from the command
line. The email can be checked by logging the user in to his account in the webmail of the main
mail server at 10.0.0.9/mail.
14. Create an AntiVirus profile with the action set to Reject.
15. From “Policy/Recipient Policy”, create an inbound recipient policy that applies an AntiVirus
scan to inbound emails sent to any recipient, and select the AntiVirus profile with the action set
to Reject.
16. Test sending an email through the gateway's SMTP port, 10.0.0.10:25, from the command
line. Try to send a message containing the virus signature to a local user in the protected domain,
such as hidaia@fortimailtest.com. The email will not be delivered, as it is detected as infected.
The virus signature used:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
17. Delete the inbound recipient policy created for the AntiVirus scan.
18. Create an AntiSpam profile with the action set to Reject.
19. From “Policy/Recipient Policy”, create an inbound recipient policy that applies an AntiSpam
scan to inbound emails sent to any recipient, and select the AntiSpam profile with the action set
to Reject.
20. Test sending an email through the gateway's SMTP port, 10.0.0.10:25, from the command
line. Try to send a message containing the spam signature to a local user in the protected domain,
such as sana@fortimailtest.com. The email will not be delivered, as it is detected as spam and the
AntiSpam profile is set to reject any spam message. The spam signature used:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
21. The FortiMail gateway server applies security scans only to inbound traffic through its
policies. For outbound traffic, you must create outbound recipient policies on the server mode
FortiMail server.
26. Part 25: Tutorial 10- FortiMail Transparent Mode:
1. In transparent mode, the FortiMail is physically located in the email path and intercepts
email traffic transparently for inspection. When operating in transparent mode, FortiMail is not
the intended IP destination of the email, so no DNS MX record or DNAT rule changes are
required. This allows you to deploy FortiMail in environments where you do not want IP
address or MX DNS record changes. Transparent mode is often used in large MSSP or carrier
environments.
2. I installed the trial version of FortiMail in transparent mode in VMware and set the port1 IP
address to 10.0.0.11. Configure the FortiMail transparent mode unit from the VMware console:
Log in as admin; the password is empty.
Set a new password for admin.
Check the status of the interfaces with the command:
# show system interface
Configure the port1 interface with a static address:
# config system interface
    edit port1
        set mode static
        set ip 10.0.0.11 255.255.255.0
        set allowaccess http https telnet ssh ping
    end
# show system interface port1
3. Log in to the admin control panel at https://10.0.0.11/admin
4. Change the time to your country's time zone from “System/Configuration”.
5. Mail server settings are configured in “System/Mail Setting”. I accepted the default
configuration.
6. The system interfaces are shown in “System/Network/Interface”.
7. Configure the port1 interface details:
• IP address
• Access: HTTPS, PING, SSH, SNMP, HTTP, TELNET (HTTP and TELNET carry the admin
credentials in clear text; enable them only on an isolated lab network)
• Web access: Admin, Webmail
8. You can configure the routing details from “System/Network/Routing”.
9. You can configure the DNS details from “System/Network/DNS”.
10. You can create new domains from “Domain&User/Domain”. I created the domain
“fortimailtest.com”. I set the relay type to “Host” with the SMTP IP address 10.0.0.9 and port
25, and set “Recipient Address Verification” to the “Use SMTP Server” option. You can also
configure the message size; the default message size setting is 20 MB.
11. Test sending an email through the transparent mode unit's SMTP port, 10.0.0.11:25, from the
command line. The email can be checked by logging the user in to his account in the webmail of
the main mail server at 10.0.0.9/mail.
12. Connection pickup:
The SMTP proxy settings of each interface define which email flows FortiMail picks up. For
each interface you can select an action for each direction of the SMTP sessions.
When you select “Proxy”, FortiMail inspects the email messages that arrive at the interface.
When you select “Pass through”, FortiMail forwards the messages to their original destination
without any inspection.
When you select “Drop”, FortiMail drops the messages.
The local connection settings control whether clients can connect to that interface for webmail
access, IBE access and so on. How these settings should be configured depends on the FortiMail
setup.
13. When operating in transparent mode, FortiMail has two methods of handling SMTP sessions:
relay or proxy. Depending on the topology, these two methods give very different results in
email routing. When using the built-in MTA to relay email, FortiMail uses MX record lookups
to deliver email. With this method, FortiMail can queue undeliverable messages and generate
DSNs.
14. FortiMail has two transparent proxies: an incoming proxy and an outgoing proxy. When
configured to use the proxies, FortiMail does no DNS lookup at all and only attempts to deliver
the message to the destination specified by the SMTP client. The incoming proxy supports
message queuing; the outgoing proxy does not. Therefore, when using the outgoing proxy,
FortiMail cannot queue undeliverable messages or generate DSN email messages.
You can enable the proxies separately for each message flow direction. For outgoing sessions,
on the proxy tab, select “Use client-specified SMTP server to send email”. For incoming
sessions, select “Use this domain's SMTP server to deliver the email”.
If “Use client-specified SMTP server to send email” is enabled, the transparent mode FortiMail
routes the email message based on the destination IP address that was resolved by the internal
mail relay server.
27. Part 26: Tutorial 11- Authentication:
1. Authentication Profiles
On FortiMail, you use authentication profiles to define the server details and protocol options
of the servers that provide authentication.
FortiMail supports SMTP, IMAP, POP3 and RADIUS authentication profiles. All deployment
modes can also use LDAP profiles for LDAP server integration. LDAP profiles provide more
advanced functionality, such as alias and group lookups, which cannot be achieved with
authentication profiles.
2. There are two methods of enabling authentication: IP-based policies and inbound
recipient-based policies. You do not need to explicitly enable user authentication in server mode
deployments because it is enabled by default. Policies enable authentication, but they do not
enforce it; enforcement is done with access receive rules.
3. IP-based policy authentication
Source and destination IP information triggers IP-based policies. IP policies support SMTP,
POP3, IMAP, LDAP and RADIUS authentication.
4. Inbound recipient-based policies
Inbound recipient-based policies offer more flexibility. You can use recipient-based policy
authentication to allow SMTP, POP3, IMAP, RADIUS, LDAP and webmail access.
5. Access receive rules:
Policies enable but do not force authentication. To enforce SMTP authentication, you must
create appropriate access receive rules. For gateway deployments, access receive rules could
apply to individual hosts, such as auto-mailers that use FortiMail as a mail relay. For server
mode deployments, however, you should enable access receive rules for the entire user base to
ensure that FortiMail is not used by unauthorized users to relay spam.
6. In the trial version I am using in these tutorials, the Authentication Profile only offers RADIUS
authentication; no SMTP or IMAP authentication profile can be configured, so authentication
profiles could not be tested in this tutorial. In my trial version there were also no authentication
options in the recipient policies and IP policies, so it was not possible for me to test
authentication with recipient and IP policies.
7. I tested authentication only with an access control rule. In the FortiMail server mode admin
control panel at https://10.0.0.9/admin/, I created an access control rule that allows messages
from any sender to any recipient and from any source IP, but only for authenticated senders. An
authenticated user is one who logs on with his credentials, for example through the webmail.
8. Make sure that the access control rule is enabled. From the command line, where the sender is
not authenticated, try to send a message to a temporary email address from
https://temp-mail.org/en/ (for example vowigi8358@eilnews.com). The email will not be relayed
because it is sent from an unauthenticated sender.
9. Try to send the email from the webmail, where the user is logged on and authenticated. The
email will be sent.
10. Modify the access control rule to allow messages from any sender to any recipient and from
any source IP for any type of user, whether authenticated or not.
11. Make sure that the access control rule is enabled. From the command line, where the sender
is not authenticated, try to send a message to a temporary email address from
https://temp-mail.org/en/ (for example vowigi8358@eilnews.com). The email will be relayed
because the access control rule allows relaying messages from unauthenticated senders.
12. Delete the created access control rule.
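The default relay decision of Tutorial 5 (Part 20) and the authenticated-only access rule of this tutorial, as an added example that is not FortiMail's code: a minimal SMTP listener on the loopback interface applies the decision (a recipient in a protected domain is accepted; any other recipient is relayed only after a successful SMTP AUTH) and an smtplib client replays the three command-line tests from the tutorials against it. The protected domain and the hidaia account are the tutorials' own; the password, the listener's banner and its reply texts are made up.

```python
import base64
import smtplib
import socketserver
import threading

PROTECTED_DOMAINS = {"fortimailtest.com"}              # the tutorial's protected domain
CREDENTIALS = {"hidaia@fortimailtest.com": "s3cret"}  # constructed test account


class RelayPolicyHandler(socketserver.StreamRequestHandler):
    """Accepts RCPT TO for protected domains; relays anything else only after SMTP AUTH."""

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        authed = False
        self.reply("220 relay-test ESMTP")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250-relay-test")
                self.reply("250 AUTH PLAIN")         # advertise AUTH so smtplib.login() works
            elif verb == "AUTH":
                # AUTH PLAIN <base64("\0user\0password")>, sent as an initial response
                try:
                    _, user, password = base64.b64decode(arg.split()[1]).decode().split("\0")
                except (ValueError, IndexError):
                    user = password = None
                authed = CREDENTIALS.get(user) == password
                self.reply("235 2.7.0 Authentication successful" if authed
                           else "535 5.7.8 Authentication credentials invalid")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>")
                domain = rcpt.rpartition("@")[2].lower()
                # The decision: deliver to a protected domain, or relay for an authenticated
                # sender; anything else would make this listener an open relay.
                if authed or domain in PROTECTED_DOMAINS:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("554 5.7.1 Relay access denied")
            elif verb == "DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                for body in self.rfile:
                    if body.rstrip(b"\r\n") == b".":
                        break
                self.reply("250 2.0.0 Ok: queued")
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command not recognized")


def try_relay(port, rcpt, login=None):
    """Return the SMTP reply code the listener gave for RCPT TO:<rcpt>."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.test") as s:
        if login:
            s.login(*login)
        try:
            s.sendmail("hidaia@fortimailtest.com", [rcpt],
                       "Subject: relay test\r\n\r\nhello\r\n")
        except smtplib.SMTPRecipientsRefused as e:
            return e.recipients[rcpt][0]
        return 250


def run_demo():
    """Replays the three cases from the tutorials against the local listener."""
    server = socketserver.TCPServer(("127.0.0.1", 0), RelayPolicyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "inbound_unauth": try_relay(port, "samia@fortimailtest.com"),
            "outbound_unauth": try_relay(port, "goxeroy449@dmonies.com"),
            "outbound_auth": try_relay(port, "goxeroy449@dmonies.com",
                                       login=("hidaia@fortimailtest.com", "s3cret")),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, code in run_demo().items():
        print(f"{case}: {code}")
```

The unauthenticated attempt at an external recipient gets the 554 that the tutorials report as “Relay is Denied”; the same recipient is accepted once the session has authenticated, which is the behaviour the authenticated-only access rule enforces.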
28. Part 27: Tutorial 11- Creating NFS Server in Ubuntu Linux Machine:
1. In this tutorial we create an NFS server on an Ubuntu Linux machine to be used as the target
for mail data backup. Ubuntu Linux Server is used in this tutorial.
2. The Network File System (NFS) is a client/server application that lets a computer user view,
and optionally store and update, files on a remote computer as though they were on the user's
own computer. The NFS protocol is one of several distributed file system standards for
network-attached storage (NAS). NFS allows the user or system administrator to mount
(designate as accessible) all or a portion of a file system on a server. The portion of the file
system that is mounted can be accessed by clients with whatever privileges are assigned to each
file (read-only or read-write). NFS uses Remote Procedure Calls (RPC) to route requests between
clients and servers.
3. Check the OS version with the following command:
# lsb_release -a
4. Install the NFS server package nfs-kernel-server. You can also install nfs-common and rpcbind:
# sudo apt-get update
# sudo apt-get upgrade
# sudo apt install nfs-kernel-server nfs-common rpcbind
5. Make the share directory:
# sudo mkdir -p /public
NFS translates any root operations from the client to the nobody:nogroup credentials as a
security measure (root_squash, the default). Therefore, change the directory ownership to match
those credentials:
# sudo chown nobody:nogroup /public
# sudo chmod 777 -R /public
# ls -dl /public
6. Export the share directory. In the file /etc/exports add a line of the form
/public client_ip(rw,sync,no_subtree_check):
# sudo vi /etc/exports
Ex:
/public *(rw,sync,no_subtree_check)
* means that any client is allowed to access the share directory. For a backup share, restrict the
entry to the FortiMail unit's address instead (10.0.0.9 in the earlier tutorials), for example
/public 10.0.0.9(rw,sync,no_subtree_check).
7. Then type the commands:
# sudo exportfs -arvf
# showmount -e
# sudo systemctl restart nfs-kernel-server
# sudo systemctl enable nfs-kernel-server
# sudo systemctl status nfs-kernel-server
The command “sudo systemctl restart nfs-kernel-server” restarts the NFS service.
The command “sudo systemctl enable nfs-kernel-server” makes the NFS service start at boot.
The command “sudo systemctl status nfs-kernel-server” shows the status of the NFS service.
8. Enabling the NFS server to start at boot can also be done on its own with:
# sudo systemctl enable nfs-kernel-server
9. For test purposes, create a file in the share directory /public:
# sudo touch /public/general.test
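An added check for the export configured above, not part of the page: a small parser for the /etc/exports format that flags entries a backup target should not carry. The page's `*` entry lets any host on the network mount the mail backup share; scoping it to the FortiMail unit's port1 address (10.0.0.9 in the earlier tutorials) is the fix the auditor expects. It also catches the classic mistake of a space between the client and its options, which exports those options to every host. The allow-list argument and the finding texts are this example's own.

```python
import re

# Client entry: host part, then optional "(opt,opt)". A bare "(opts)" token, which is what a
# stray space before the parenthesis produces, applies the options to every host.
CLIENT_RE = re.compile(r"^(?P<host>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")

RISKY_OPTIONS = {
    "no_root_squash": "root on the client stays root on the share",
    "insecure": "requests from non-privileged source ports are accepted",
}


def parse_exports(text):
    """Return [(path, host, [options])] for every client entry in an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                entries.append((path, spec, ["unparsable"]))
                continue
            host = m.group("host") or "*"        # "(rw)" with no host means everyone
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            entries.append((path, host, opts))
    return entries


def audit_exports(text, allowed_clients):
    """Findings for a backup export: entries not scoped to an allowed client, and risky options."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "*" in host or "?" in host:
            findings.append(f"{path}: wildcard client {host!r} lets any matching host mount the share")
        elif host not in allowed_clients:
            findings.append(f"{path}: client {host!r} is not an allowed backup client")
        for opt in opts:
            if opt in RISKY_OPTIONS:
                findings.append(f"{path} {host!r}: {opt} ({RISKY_OPTIONS[opt]})")
    return findings


if __name__ == "__main__":
    weak = "/public *(rw,sync,no_subtree_check)\n"              # the line from this tutorial
    fixed = "/public 10.0.0.9(rw,sync,no_subtree_check)\n"      # scoped to the FortiMail unit
    gotcha = "/public 10.0.0.9 (rw,no_root_squash)\n"           # space before the parenthesis
    for text in (weak, fixed, gotcha):
        print(text.strip(), "->", audit_exports(text, {"10.0.0.9"}) or "ok")
```

Run it against the server's real file with `audit_exports(open("/etc/exports").read(), {"10.0.0.9"})` after editing the export; an empty list means the share is reachable only from the FortiMail unit and carries none of the risky options.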
28. Part 27: Tutorial 12- Creating Mount Points and Mounting Directories
on the NFS Client on Linux Machine:
1. Install the NFS client package on the client machine:
# sudo apt install nfs-common
2. Create a directory for your mount:
# sudo mkdir -p /mnt/public
# sudo chmod 777 -R /mnt/public
3. Mount the remote directory on the local directory. These commands mount the share from the
server temporarily on the client machine:
# sudo mount (nfs_server_ip):(share_folder) (mount_folder_at_nfs_client)
As an example:
# sudo mount 35.246.111.40:/public /mnt/public
Or:
# sudo mount -t nfs 35.246.111.40:/public /mnt/public
4. You can double-check that the share mounted successfully in several ways. You can check
with the mount or findmnt command, but df -h provides a more readable output:
# df -h
5. Check that the files in the mount folder are the same as those in the share folder created on the
server machine:
# ls /mnt/public
6. You can mount the remote NFS share automatically at boot by adding it to the /etc/fstab file
on the client. Open this file with root privileges in your text editor:
# sudo nano /etc/fstab
At the bottom of the file, add a line for each of your shares, to mount them permanently.
Add the line
(nfs_server_ip):(share_folder) (mount_folder_at_nfs_client) nfs defaults,_netdev 0 0
In our example, add the following line to /etc/fstab:
35.246.111.40:/public /mnt/public nfs defaults,_netdev 0 0
Then type the command
# sudo mount -a
29. Part 28: Tutorial 13- Mounting the NFS share from Windows:
1. Enable the NFS client in Windows 10 from Control Panel/Programs/Programs and Features.
Then choose “Turn Windows features on or off” and enable the “Services for NFS” option with
its “Administrative Tools” and “Client for NFS” components.
2. The following command, run from the command line, mounts the share exported at /public on
the NFS server as a Windows drive:
mount -o anon \\(NFS_Server_IP)\(Share_Directory) (Drive_to_Mount)
Ex:
mount -o anon \\10.0.0.20\public Z:
30. Part 29: Tutorial 14- Configuration and Mail Data Backup:
1. In this tutorial, the trial version of the FortiMail server set up with port1 IP address 10.0.0.9
is used. The admin control panel is accessed from the web interface https://10.0.0.9/admin/.
2. From “System/Maintenance”, you can perform Configuration Backup, Mail Data Backup,
Block/Safe List Maintenance and Database Maintenance.
3. You can back up the system configuration by backing up the configuration file from
“System/Maintenance/Configuration”. You can also set up a scheduled backup for the
configuration file.
4. You can back up and restore mail data from “System/Maintenance/Mail Data”. You can also
set up a scheduled backup for mail data, and you can restore the mail data at any time.
5. You can select between the following mail data backup options: Backup to NFS Server,
Backup to SMB/CIFS Server, Backup to SSH File System, Backup to External USB, Backup to
USB (auto detect) and Backup to iSCSI Server.
6. I chose Mail Data Backup to an NFS server and set the IP address of the NFS server, the NFS
service port and the share folder. For example, according to the previous tutorials: NFS Server
IP: 35.246.111.40, Port: 2049, Share folder: /public.
7. You can set up a scheduled backup for mail data either weekly or monthly, and you can also
schedule incremental backups. In this example, two full backups are taken each week and an
incremental backup is taken every day.
8. You can restore the Mail Data from the backup in the Restore Options section. It restores the
Mail Data from the last backup it made. You can select between restoring the Mail Data for all domains
hosted by the FortiMail server, for all users in a certain domain such as fortimailtest.com, or for a
certain user in the domain such as hidaia@fortimailtest.com.
31. Part 30: Tutorial 15- Upgrading the Forti IOS Images through TFTP Server:
1. Download the FortiMail image you want to upgrade to from
https://support.fortinet.com/download/FirmwareImages.aspx
or
https://support.fortinet.com/download/vmimages.aspx
2. Download a TFTP server from the Internet. I downloaded and installed the TFTP server from solarwinds.com:
https://downloads.solarwinds.com/solarwinds/Release/FreeTool/SolarWinds-TFTP-Server.zip
3. Check the TFTP server folder. In my case it was C:\TFTP-Root
4. Copy the upgraded FortiMail file with the .ovf extension to the TFTP server folder. In my case the
file was fortimail-vm-64bit-hw10.ovf
5. Write the following command in the console:
# execute restore image tftp fortimail-vm-64bit-hw10.ovf (IP address of TFTP server)
Ex:
# execute restore image tftp fortimail-vm-64bit-hw10.ovf 10.0.0.4
32. Part 31: References:
1. Fortinet: Global Leader of Cyber Security Solutions and Services, https://www.fortinet.com/
2. WE-Learns YouTube channel, https://www.facebook.com/we.learns/ and https://www.youtube.com/@we-learns/featured
3. Email Security Solution: FortiMail, https://www.fortinet.com/products/email-security
4. VMware Workstation is the industry standard desktop hypervisor for running virtual machines on Linux or Windows PCs, https://www.vmware.com/
5. FortiMail 7.2.1 Administration Guide, https://docs.fortinet.com/document/fortimail/7.2.1/administration-guide/313415/email-concepts-and-process-workflow
6. FortiMail 7.0.0 VM Install Guide, https://docs.fortinet.com/document/fortimail/7.0.0/vm-install-guide/337386/fortimail-vm-overview
7. FortiMail documentation, https://docs.fortinet.com/product/fortimail/7.2