
Install Guide

FortiMail
Version 3.0 MR2

www.fortinet.com

FortiMail Install Guide


Version 3.0 MR2
12 December 2007
06-30002-0234-20071212
Copyright 2007 Fortinet, Inc. All rights reserved. No part of this
publication including text, examples, diagrams or illustrations may be
reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.
Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus,
FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet,
FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse,
FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the
United States and/or other countries. The names of actual companies and
products mentioned herein may be the trademarks of their respective
owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS

CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type.
Dispose of Used Batteries According to the Instructions.

Contents
Introduction ........................................................................................ 7
Register your FortiMail unit .............................................................................. 7
About the FortiMail unit .................................................................................... 7
FortiMail-100 ................................................................................................. 8
FortiMail-400 ................................................................................................. 8
FortiMail-2000/2000A .................................................................................... 8
FortiMail-4000/4000A .................................................................................... 8

About this document......................................................................................... 8


Document conventions.................................................................................. 9
FortiMail documentation ................................................................................... 9
Fortinet Knowledge Center ........................................................................ 10
Comments on Fortinet technical documentation ........................................ 10
Customer service and technical support ...................................................... 10

Email Concepts ................................................................................ 11


FortiMail modes ............................................................................................... 11
Gateway mode ............................................................................................ 11
Transparent mode ....................................................................................... 12
Server mode................................................................................................ 13
Email protocols................................................................................................ 13
POP3........................................................................................................... 13
IMAP ........................................................................................................... 14
SMTP .......................................................................................................... 14
Definitions ........................................................................................................ 14
MX record.................................................................................................... 14
A record....................................................................................................... 15
MTA............................................................................................................. 15
MUA ............................................................................................................ 15
White and Black lists ................................................................................... 16
Grey lists ..................................................................................................... 16
Bayesian scanning ...................................................................................... 16
Heuristic scanning ....................................................................................... 17

Installing ........................................................................................... 19
Environmental specifications......................................................................... 19
Cautions and warnings ................................................................................... 19
Grounding ................................................................................................... 19
Rack mount instructions .............................................................................. 20

FortiMail Version 3.0 MR2 Install Guide


06-30002-0234-20071212


Mounting .......................................................................................................... 20
FortiMail-100 ............................................................................................... 20
FortiMail-400 ............................................................................................... 20
FortiMail-2000A and FortiMail-4000A ......................................................... 21
Plugging in the FortiMail unit ......................................................................... 24
FortiMail-100 ............................................................................................... 24
FortiMail-400 ............................................................................................... 24
FortiMail-2000/A and FortiMail-4000/A ....................................................... 25
Connecting to the network .......................................................................... 25

Turning off the FortiMail unit.......................................................................... 25


Connecting to the FortiMail unit .................................................................... 25
Web-based manager .................................................................................. 26
Command line interface .............................................................................. 26
LCD front control buttons ............................................................................ 27
Configuring the FortiMail unit ........................................................................ 28
Management modes ................................................................................... 28
Quick Start wizard ....................................................................................... 28

Configuring gateway mode............................................................. 29


Switching to gateway mode ........................................................................... 29
FortiMail Gateway behind a firewall............................................................... 30
Configuring the network settings................................................................. 30
Configuring the email system settings ........................................................ 32
Configuring the firewall ............................................................................... 35
Routing outgoing email to the FortiMail Gateway ....................................... 37
Next Steps .................................................................................................. 37

FortiMail Gateway in front of a firewall.......................................................... 38


Configuring the network settings................................................................. 38
Configuring the email system settings ........................................................ 40
Configuring the firewall ............................................................................... 43
Routing outgoing email to the FortiMail Gateway ....................................... 44
Next Steps .................................................................................................. 45

FortiMail Gateway in the DMZ ........................................................................ 45


Configuring the network settings................................................................. 46
Configuring the email system settings ........................................................ 48
Configuring the firewall ............................................................................... 50
Routing outgoing email to the FortiMail Gateway ....................................... 53
Next Steps .................................................................................................. 53

Configuring transparent mode ....................................................... 55


Switching to transparent mode...................................................................... 55


Deploying in front of an email server ............................................................ 56


Configuring the network settings ................................................................. 56
Configuring the email system settings ........................................................ 57
Configuring proxies ..................................................................................... 59
Next Steps................................................................................................... 59

Deploying to protect an email hub................................................................. 60


Configuring the network settings ................................................................. 60
Configuring the email system settings ........................................................ 61
Configuring proxies ..................................................................................... 63
Next Steps................................................................................................... 64

Configuring server mode ................................................................ 65


Switching to server mode ............................................................................... 65
Configuring MX records to route incoming email ........................................ 65
FortiMail Server behind a firewall .................................................................. 66
Configuring the network settings ................................................................. 67
Configuring the email system settings ........................................................ 68
Configuring the firewall................................................................................ 70
Next Steps................................................................................................... 72

FortiMail Server in front of a firewall ............................................................. 72


Configuring the network settings ................................................................. 72
Configuring the email system settings ........................................................ 74
Configuring the firewall................................................................................ 76
Next Steps................................................................................................... 77

FortiMail Server in DMZ................................................................................... 78


Configuring the network settings ................................................................. 78
Configuring the email system settings ........................................................ 80
Configuring the firewall................................................................................ 81
Next Steps................................................................................................... 84

Advanced configuration .................................................................. 85


Set the date and time....................................................................................... 85
Updating antivirus signatures ........................................................................ 86
Receiving regular antivirus updates.............................................................. 86
Configuring push updates ........................................................................... 87
Scheduling antivirus updates ...................................................................... 87
Configuring antispam...................................................................................... 88
Black/White lists .......................................................................................... 88
Bayesian scanning ...................................................................................... 90
Heuristic scanning ....................................................................................... 90


Create profiles ................................................................................................. 91


Antispam profile .......................................................................................... 91
Antivirus profile ........................................................................................... 92
Applying profiles.......................................................................................... 92
Create policies ................................................................................................. 92
Add users (Server mode)................................................................................ 93
Adding users ............................................................................................... 93
Adding groups............................................................................................. 93
Adding user alias ........................................................................................ 93

Firmware ........................................................................................... 95
Backing up the FortiMail information ............................................................ 95
Back up the configuration ........................................................................... 95
Back up the Bayesian database ................................................................. 95
Back up the Black/White list database ........................................................ 96
Back up the FortiMail mail queue................................................................ 96

Using the web-based manager....................................................................... 96


Upgrading the firmware............................................................................... 96
Reverting to a previous firmware version.................................................... 97
Using the CLI ................................................................................................... 97
Upgrading the firmware............................................................................... 97
Reverting to a previous firmware version.................................................... 98
Installing firmware images from a system reboot........................................ 99
Testing a new firmware image before installing it ..................................... 100
Installing and using a backup firmware image........................................... 102

Index................................................................................................ 105


Introduction
Welcome, and thank you for selecting Fortinet products for your real-time network
protection.
The FortiMail Secure Messaging Platform is an integrated hardware and software
solution that provides powerful and flexible antispam, antivirus, email archiving
and logging capabilities to incoming and outgoing email traffic. The FortiMail unit
has reliable and high performance features for detecting and blocking spam
messages and malicious attachments.
Built on the Fortinet award winning FortiOS and FortiAsic technology, the
FortiMail antivirus technology extends full content inspection capabilities to detect
the most advanced email threats.

Register your FortiMail unit


Before you begin, take a moment to register your FortiMail unit(s) by visiting
http://support.fortinet.com and selecting Product Registration.
To register, enter your contact information and the serial numbers of the FortiMail
units that you or your organization have purchased. You can register multiple
FortiMail units in a single session without re-entering your contact information.
By registering your FortiMail unit, you will receive antivirus updates and will also
ensure your access to technical support, as well as access to new firmware
releases.
For more information, see the Fortinet Knowledge Centre article Registration
Frequently Asked Questions (http://kc.forticare.com/default.asp?id=2071).

About the FortiMail unit


The FortiMail family of appliances is designed for any business size and
requirement, from a Small Business or Small Office Home Office (SOHO) to larger
businesses, and delivers the same enterprise-class network-based antivirus and
antispam features.
FortiMail is an email security system that provides multi-layered protection against
blended threats comprised of spam, viruses, worms and spyware.
To ensure up to date email protection, FortiMail relies on Fortinet FortiGuard
antivirus, antispyware and antispam security subscription services that are
powered by a worldwide 24x7 Global Threat Research Team. FortiMail provides
bi-directional email routing, Quality of Service (QoS), virtualization and archiving
capabilities with a lower total cost of ownership.


FortiMail-100
The FortiMail-100 is an easy-to-deploy and easy-to-administer solution that
delivers exceptional value and performance for small office, home office and
branch office applications. The FortiMail-100 delivers reliable and high
performance features to detect, tag, and block spam messages and their
malicious attachments.

FortiMail-400
The FortiMail-400 is optimized for medium sized enterprise customers, delivering
a wealth of reliable and high performance features to detect, tag, and block spam
messages and their malicious attachments. The FortiMail-400 features a
high-performance hardened operating system with RAID storage system for
redundancy and supports a rich set of multi-layered spam detection and filtering
technologies with global and per-user spam policies for maximum configuration
flexibility.

FortiMail-2000/2000A
For larger installations where higher performance and better reliability are required,
the FortiMail-2000/2000A system provides the same software features as the
FortiMail-400, but with a modular chassis with hot swappable components. Ideal
for the most demanding email infrastructures, the FortiMail-2000/2000A system
delivers high performance for large enterprises and service providers, including
the capability to scan 6.8 million emails per day, six hot swappable disk drives
with RAID for disk redundancy, and redundant power supplies and fans. Four
10/100/1000 Base-T interfaces provide the flexibility to connect into many
corporate or service provider environments.

FortiMail-4000/4000A
For larger installations where higher performance and better reliability are required,
the FortiMail-4000/4000A system provides the same software features as the
FortiMail-2000. Ideal for the most demanding email infrastructures, the
FortiMail-4000/4000A system delivers high performance for large enterprises and
service providers, including the capability to scan 6.8 million emails per day,
12 hot swappable disk drives with RAID for disk redundancy, and redundant power
supplies. Two 10/100/1000 Base-T interfaces provide the flexibility to connect
into many corporate or service provider environments.

About this document


This document explains how to install and configure your FortiMail unit onto your
network.
This document contains the following chapters:

Installing: Describes setting up and powering on a FortiMail unit.

Email Concepts: Describes the three modes you can select from to operate
the FortiMail unit and briefly describes some email terminology for
administrators and users new to email administration and setup.


Configuring gateway mode: Describes a number of network configuration
scenarios and how to configure the FortiMail unit and network to operate in this
mode.

Configuring transparent mode: Describes a number of network configuration
scenarios and how to configure the FortiMail unit to operate in this mode.

Configuring server mode: Describes a number of network configuration
scenarios and how to configure the FortiMail unit and network to operate in this
mode.

Advanced configuration: Describes next step configurations you need to
consider to ensure email is scanned and protected from viruses.

Document conventions
The following document conventions are used in this guide:

In the examples, private IP addresses are used for both private and public IP
addresses.

Notes and Cautions are used to provide important information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.

Typographic conventions
FortiGate documentation uses the following typographical conventions:

Convention: Example

Keyboard input: In the Host Name field, type a name for the remote server (for
example, Central_Office_1).

CLI command syntax: execute restore image <name_str> <tftp_ipv4>

Document names: FortiMail Administration Guide

Menu commands: Go to Mail Settings > Domains and select Create New.

Program output: Welcome!

Variables: <address_ipv4>

FortiMail documentation
Information about the FortiMail unit is available from the following guides:

FortiMail QuickStart Guide


Provides basic information about connecting and installing a FortiMail unit and
configuring the unit for use on your network.


FortiMail Administration Guide


Describes how to install, configure, and manage a FortiMail unit in
Transparent, Gateway, and Server modes, including how to configure the unit,
create profiles and policies, configure antispam and antivirus filters, create
user accounts, configure email archiving, and set up logging and reporting.

FortiMail Installation Guide


Describes how to set up the FortiMail unit in Transparent, Gateway, and Server
modes. It also provides information on how to use system settings to view
FortiMail unit status and configure how the FortiMail unit connects to your
network and to the Internet.

FortiMail Online Help


Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.

FortiMail Webmail Online Help


Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; how to
configure message display preferences, and how to manage quarantined
email.

Fortinet Knowledge Center


Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to
articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at
http://kc.forticare.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.


Email Concepts
If you are new to FortiMail, or new to configuring and managing an email
system, this chapter provides the basic email concepts and terminology you need
to configure your FortiMail unit.
This chapter provides an overview of the FortiMail unit, the modes it supports and
its key features. This chapter will also describe the key terms and concepts that
you will use when configuring your FortiMail unit.
If you are familiar with email concepts and terminology, you can skip to the section
FortiMail modes on page 11, which describes the modes of operation available
with FortiMail.
This chapter contains the following:

FortiMail modes

Email protocols

Definitions

FortiMail modes
The FortiMail unit can run in one of three modes:

Gateway mode

Transparent mode

Server mode.

With Gateway and Transparent mode, the FortiMail unit sits between the firewall
and email server and acts as a filter for email passing through it. How you
choose to deploy the FortiMail unit determines which of these modes best suits
your environment.
Of the three modes, Server mode functions very differently from Gateway and
Transparent mode. With Server mode, the FortiMail unit is the email server as
well as the means of scanning the email traffic.
For all modes, the FortiMail unit scans email traffic for viruses and spam, and can
quarantine suspicious email and attachments.

Gateway mode
In gateway mode the FortiMail unit acts as a fully functional mail relay server. Gateway
mode does not provide local mailboxes but does provide a web user interface for
managing spam filters (black/white list), auto white lists, and per-user Bayesian
database management.
In Gateway mode, the FortiMail unit receives incoming email messages, scans for
viruses and spam, then passes (relays) the email to the email server for delivery.
In this mode, the FortiMail unit can effectively protect your email server as your
email server is not visible to outside users. The FortiMail unit can also archive
email for backup and monitoring purposes.
The FortiMail unit integrates into your existing network with only minor changes to
your network configuration. You must also change your MX record to route
incoming email to the FortiMail unit for scanning.

Figure 1: Gateway mode topology (Internet, FortiMail unit in Gateway mode, hub
mail server, mail users via POP3/IMAP/Web Mail)

For example, an ISP deploys a FortiMail unit to protect its customers' mail
servers. Many customers do not want their mail servers to be visible to external
users for security reasons. Therefore, the ISP installs the FortiMail unit in
Gateway mode to satisfy the needs of the customers.
The ISP takes advantage of the Gateway mode deployment flexibility and places
the FortiMail unit in the DMZ, while keeping the email server safe behind the
firewall.
For sample configuration information, see the chapter Configuring gateway
mode on page 29.

Transparent mode
In Transparent mode, the FortiMail unit acts as a bridge, providing seamless
integration into existing network environments. In Transparent mode, the FortiMail
unit provides a flexible and versatile email scanning solution.
You can place the FortiMail unit in front of the existing email server without any
changes to the existing network topology. This means that all of the FortiMail
interfaces are on the same subnet.
Transparent mode also provides a web user interface for managing spam filters
(black/white list), auto white lists, and per-user Bayesian database management.


Figure 2: Transparent mode topology (Internet, router, FortiMail unit in
Transparent mode, mail server, mail users via POP3/IMAP/Web Mail)

For example, a company wants to install a FortiMail unit to protect its mail server.
The company installs the FortiMail unit in Transparent mode to avoid changing its
MX record to route email to the FortiMail unit, and to simply act as a filter for spam
and virus related email.
With this mode, the company's end users do not need to change the mail server
setting on their email client. The company also wants its mail server to be visible
to the users to increase the company's popularity.
For sample configuration information, see the chapter Configuring transparent
mode on page 55.

Server mode
In server mode the FortiMail unit is a fully functional SMTP, IMAP, POP3 mail
server with local mail boxes and an optional WebMail user interface. In addition,
the FortiMail Server provides antivirus, antispam, email archiving, and logging
and reporting services.
For sample configuration information, see the chapter Configuring server mode
on page 65.

Email protocols
An email protocol is a standard method for two ends of a communication channel
to transmit and receive information. There are three standard email protocols,
POP3, IMAP and SMTP. Each has its own pros and cons, as well as application
uses.

POP3
The Post Office Protocol (version 3) enables email users to retrieve their email
stored on a mail server. Once the email application retrieves the messages, the
server removes them from the server's hard disk. POP3 transmissions
occur over port 110 by default.
The advantage of POP3 is that users download their email to their local machine,
releasing hard disk space on the server. The disadvantage is that the mail resides
on a single computer. Users who use an alternate computer to check email cannot
access the mail they viewed, and downloaded, previously.


The FortiMail unit supports the POP3 protocol on port 110 in server mode only. If
necessary, you can change the default port in the Mail Settings > Settings menu.

IMAP
Internet Message Access Protocol is a method of accessing email messages kept
on a remote mail server without downloading the messages to the user's local
computer. All messages remain on the email server's hard disk. With IMAP only
the headers of email messages are downloaded to the user's email application
inbox on their computer.
The advantage of this is that it enables a user to access new and saved
messages at any time from more than one computer. This is especially useful in
situations where more than one person may need to look at an inbox, such as a
technical support inbox where a number of technicians monitor for incoming
questions.
The disadvantage of IMAP storing email messages is the large storage capacity
required for storing email and attachments. Freeing up disk space requires email
users to manually clean their inbox.
The FortiMail unit supports the IMAP protocol on port 143 in server mode only.

SMTP
Simple Mail Transfer Protocol is the standard for sending email between two email
servers using port 25.
When a user sends an e-mail, a connection between the sending server and the
receiving server is established. Both servers communicate to determine whether
the recipient user exists, and if the e-mail can be sent. If the email address is
legitimate then the transfer of data/email message follows.
FortiMail only supports SMTP authentication because it has no local user
accounts. Instead, it uses external server types to authenticate e-mail such as
POP3. SMTP authentication is enabled during the installation process in server
mode only.
FortiMail also supports SMTP over SSL/TLS which allows for the exchange of
encrypted mail. This feature is available in all three modes.

Definitions
When you configure the FortiMail unit by following the steps in the subsequent
chapters of this guide, there are a number of terms you should be familiar with
before proceeding.

MX record
A Mail Exchange (MX) record is used to route email to a specific destination. It
is an entry in a domain name database, such as a Domain Name System (DNS)
server. A DNS server acts much like a phone book, containing data on how to reach
different domains, and is usually made accessible by internet service providers
(ISPs). If a local DNS server exists, MX records can be added or changed on the
DNS server using one of several user interfaces, depending on the operating
system used.

In FortiMail, MX records are configured by the administrator by going to Mail
Settings > Domains. When gateway and server mode are used, the MX records are
changed so that email is routed to the FortiMail unit for scanning before it
reaches the mail server.
In gateway and transparent modes, FortiMail can be set up to protect multiple
domains. MX records are used to identify these domains and are configured by
going to Mail Settings > Domains.
When an email is sent out, the sender's mail server performs a DNS lookup using
the recipient's domain name (for example, example.com for user1@example.com)
and acquires the MX record.
Example of an MX record entry:
(example.com 3600 IN MX 50 docs.example.com)
The MX record contains the domain name and the host name of its mail exchanger
(docs.example.com). This information is used to send the email to the
recipient's mail server, which stores it until it is downloaded.

A record
The A record is an entry that assigns an internet protocol (IP) address to a
domain name, much as a phone number is assigned to a specific name in a phone
book entry. IP addresses are used to locate devices such as computers and
servers. A records are stored and configured on the DNS server. The
administrator can configure these records using one of several user interfaces,
depending on the operating system used.
Before an email is sent out, the sender's mail server looks up the recipient's MX
and A records on the DNS server. Using the A record entry, it then sends the
email to the IP address that corresponds to the domain name of the recipient's
mail exchanger.
Example of an A record:
(docs.example.com IN A 203.254.581)

MTA
The Mail Transfer Agent is a software agent or mail server that transfers email
messages from one computer to another. It works in the background and in
conjunction with email clients.
To deliver email to the right recipient, the MTA looks up the MX record and the
corresponding A records on the DNS server.
When configured in server mode, FortiMail functions as an MTA, that is, a fully
functional SMTP, IMAP and POP3 mail server. It provides local mailboxes and an
optional webmail user interface.
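The MX record, A record and MTA sections above describe how a sending mail server finds the host that accepts mail for a recipient's domain. The following is an added example, not FortiMail code, that parses records written in the same one-line syntax the guide uses and performs that lookup against a constructed zone (the host names and 203.0.113.x addresses are sample values). It goes slightly beyond the text by handling several MX records with different preference values and by rejecting a malformed IPv4 literal instead of storing it.

```python
"""Added example (not FortiMail code): how an MTA uses MX and A records to
find the host that accepts mail for a recipient's domain.

The zone data below is constructed for this example and is written in the
same one-line record syntax the guide uses, e.g.
    example.com 3600 IN MX 50 docs.example.com
"""
import ipaddress
import re
from collections import defaultdict

# Constructed zone: two MX hosts with different preferences, plus A records.
# The TTL field is optional, as in the guide's A record example.
ZONE_TEXT = """
example.com 3600 IN MX 50 docs.example.com
example.com 3600 IN MX 10 mail.example.com
mail.example.com IN A 203.0.113.25
docs.example.com IN A 203.0.113.26
"""

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+(?P<type>MX|A)\s+(?P<rdata>.+)$"
)


def parse_zone(text):
    """Return {(name, type): [rdata, ...]}; MX rdata is (preference, host)."""
    records = defaultdict(list)
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        name, rtype, rdata = m["name"].lower(), m["type"], m["rdata"].strip()
        if rtype == "MX":
            pref, host = rdata.split()
            records[(name, "MX")].append((int(pref), host.lower()))
        else:
            # IPv4Address raises ValueError on a malformed literal, so a bad
            # A record is rejected at parse time rather than used for delivery.
            records[(name, "A")].append(str(ipaddress.IPv4Address(rdata)))
    return records


def mail_exchangers(zone, domain):
    """MX hosts for a domain, lowest preference value (most preferred) first."""
    return [host for _, host in sorted(zone.get((domain.lower(), "MX"), []))]


def route_for(zone, recipient):
    """Where an MTA would deliver mail for `recipient`: (mx_host, [ip, ...]).
    Picks the most preferred MX host that has an A record."""
    domain = recipient.rsplit("@", 1)[1].lower()
    for host in mail_exchangers(zone, domain):
        ips = zone.get((host, "A"))
        if ips:
            return host, ips
    raise LookupError(f"no deliverable MX for {domain}")


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(route_for(zone, "user1@example.com"))
```

With the constructed zone, mail for user1@example.com goes to mail.example.com (preference 10) at 203.0.113.25, and docs.example.com is only tried if the preferred host has no address.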

MUA
The Mail User Agent refers to a computer application or email client, such as
Outlook Express, that enables users to send and receive email.
The FortiMail unit provides a web-based email client interface. However, FortiMail
can also be used with any other email client, including web-based email clients.

White and Black lists


While the FortiMail unit and the FortiGuard services maintain a large list of known
spammers, the list is not perfect. In some cases, mail tagged as spam is from an
individual you want to receive mail from, while email from senders you do not
want to hear from is not caught by the spam filters and gets through to your
inbox.
White lists and black lists enable you and your users to maintain lists of email
addresses that you want (white list) or do not want (black list) to receive email
from. FortiMail lets you and your users maintain these lists to meet their
requirements; addresses can be added to or removed from the lists as required.
For details on adding a white list and black list, see Black/White lists on page 88.

Grey lists
Grey listing is a means of reducing spam in a relatively low-maintenance manner.
There are no IP address lists, email lists, or word lists to keep up to date. The only
required list is maintained automatically by the FortiMail unit.
When examining an email message, the grey list routine looks at three message
attributes: the sender address, the recipient address, and the IP address of the
mail server delivering the message. More specifically, the grey list routine
examines the envelope sender (Mail From:), the envelope recipient (Rcpt To:), and
the sender IP. If the grey list routine has no record of a message with these
three values, the message is refused and a temporary error is reported to the
server attempting delivery. If the sending server sends the message again within
a specific time frame, the FortiMail unit considers the email valid and adds the
sender as an accepted sender. If no further attempt is made, the FortiMail unit
considers the sender a spammer.
The grey list feature has two compelling attributes:

Extremely low administrator maintenance.

Spam detection routines do not have to be run on mail stopped by grey listing.
This can save significant processing and storage resources.
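The SMTP section describes the envelope dialogue between two mail servers, and the grey list section describes the triplet check applied to it. The following added example, which is not FortiMail code, puts the two together: a minimal SMTP command handler whose RCPT TO step consults a grey list keyed on envelope sender, envelope recipient and client IP. The retry window, the minimum retry delay, the 451 reply text and the sample traffic are all assumptions constructed for the example, not FortiMail defaults.

```python
"""Added example (not FortiMail code): a minimal SMTP receiver that applies
greylisting at RCPT TO using the triplet the guide describes: envelope
sender, envelope recipient and the IP of the delivering server.

Policy assumed here (the numbers are assumptions, not FortiMail defaults):
- an unknown triplet is refused with a temporary 451 reply and recorded;
- a retry at least MIN_RETRY seconds later, before the record expires after
  RETRY_WINDOW seconds, is accepted and the triplet becomes an accepted sender;
- a triplet that is never retried simply expires, so nothing accumulates.
"""

MIN_RETRY = 60           # a retry sooner than this still gets a 451
RETRY_WINDOW = 4 * 3600  # unretried triplets are forgotten after this


class Greylist:
    def __init__(self):
        self.pending = {}     # triplet -> time of first delivery attempt
        self.accepted = set()

    def check(self, sender, recipient, ip, now):
        """Return True to accept the recipient, False to issue a temporary failure."""
        key = (sender.lower(), recipient.lower(), ip)
        if key in self.accepted:
            return True
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now   # new (or expired) triplet: start the clock
            return False
        if now - first < MIN_RETRY:
            return False              # too early; a real MTA backs off and retries
        del self.pending[key]
        self.accepted.add(key)
        return True


class SmtpSession:
    """Tiny SMTP command handler; returns the reply line for each command."""

    def __init__(self, greylist, client_ip, clock):
        self.gl, self.ip, self.clock = greylist, client_ip, clock
        self.sender = None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 fortimail.example.com"        # constructed host name
        if verb == "MAIL":                            # MAIL FROM:<addr>
            self.sender = arg.split(":", 1)[1].strip("<> ")
            return "250 2.1.0 Ok"
        if verb == "RCPT":                            # RCPT TO:<addr>
            if self.sender is None:
                return "503 5.5.1 MAIL first"
            rcpt = arg.split(":", 1)[1].strip("<> ")
            if self.gl.check(self.sender, rcpt, self.ip, self.clock()):
                return "250 2.1.5 Ok"
            return "451 4.7.1 Greylisted, please retry later"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def deliver_attempt(greylist, ip, mail_from, rcpt_to, now):
    """Run one delivery attempt's envelope dialogue; return the RCPT reply."""
    s = SmtpSession(greylist, ip, lambda: now)
    s.handle("EHLO sender.example.net")
    s.handle(f"MAIL FROM:<{mail_from}>")
    return s.handle(f"RCPT TO:<{rcpt_to}>")


if __name__ == "__main__":
    gl = Greylist()
    # Constructed traffic: a real MTA retries after ten minutes; spamware usually does not.
    print(deliver_attempt(gl, "198.51.100.7", "alice@example.net", "bob@example.com", 0))
    print(deliver_attempt(gl, "198.51.100.7", "alice@example.net", "bob@example.com", 600))
```

The point the guide makes about resources is visible in the code path: a message refused at RCPT TO never reaches DATA, so no content is stored and no spam scanning runs for it.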

Bayesian scanning
Bayesian scanning is a method of teaching the FortiMail unit what is spam and
what is not. Bayesian training uses Bayes' theorem of probability. Using this
theorem, the spam filter takes into account the words used in spam messages
versus those used in messages that are not spam. For every word in these
messages, it calculates the probability that a scanned message is spam based on
the proportion of that word's occurrences that were in spam.
Bayesian training is a manual process performed by the administrator or by email
users. For each email received, an email user tells the filter whether it is a good
email, spam, or a false positive. The more training the filter receives, that is,
the more often users indicate the status of their email, the more effective the
spam filter becomes.
For details on setting up Bayesian training, see Bayesian scanning on page 90.
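As an added illustration of the Bayesian method described above (this is example code, not FortiMail's scanner), the following filter is trained by labelling messages as spam or not, records for each word the proportion of spam and non-spam messages containing it, and applies Bayes' theorem to score a new message. The training corpus is constructed, and the +1/+2 smoothing and the per-message word counting are design choices of this example.

```python
"""Added example (not FortiMail code): a small Bayesian spam filter trained
the way the guide describes, by users telling it which messages are spam and
which are not. The training messages below are constructed for this example.

For each word w the filter estimates P(w | spam) and P(w | ham) from the
proportion of spam and ham messages containing it, then applies Bayes'
theorem under the usual word-independence assumption to the words of a new
message. Add-one smoothing keeps an unseen word from forcing 0 or 1.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokens(text):
    """Lower-cased word set: a word counts once per message, so the
    estimates are proportions of messages, not of word repetitions."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_msgs = 0
        self.ham_msgs = 0
        self.spam_words = Counter()   # word -> number of spam messages containing it
        self.ham_words = Counter()    # word -> number of ham messages containing it

    def train(self, text, is_spam):
        """The manual step: a user or administrator labels one message."""
        words = tokens(text)
        if is_spam:
            self.spam_msgs += 1
            self.spam_words.update(words)
        else:
            self.ham_msgs += 1
            self.ham_words.update(words)

    def word_spam_probability(self, word):
        """P(spam | word) assuming equal class priors, with +1/+2 smoothing."""
        p_w_spam = (self.spam_words[word] + 1) / (self.spam_msgs + 2)
        p_w_ham = (self.ham_words[word] + 1) / (self.ham_msgs + 2)
        return p_w_spam / (p_w_spam + p_w_ham)

    def spam_probability(self, text):
        """Naive Bayes: compare P(spam) * prod P(w|spam) with
        P(ham) * prod P(w|ham), in log space to avoid underflow."""
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log((self.spam_msgs + 1) / (total + 2))   # class prior
        log_ham = math.log((self.ham_msgs + 1) / (total + 2))
        for w in tokens(text):
            if w not in self.spam_words and w not in self.ham_words:
                continue   # never seen in training: carries no evidence
            log_spam += math.log((self.spam_words[w] + 1) / (self.spam_msgs + 2))
            log_ham += math.log((self.ham_words[w] + 1) / (self.ham_msgs + 2))
        return 1 / (1 + math.exp(log_ham - log_spam))


def trained_filter():
    """Filter trained on a constructed corpus; the labels are what a user
    would have chosen for each message."""
    f = BayesFilter()
    spam = [
        "cheap pills buy now limited offer",
        "you won a prize click now to claim",
        "limited offer cheap loan approved now",
        "buy cheap watches click here",
    ]
    ham = [
        "meeting moved to 3pm, see the agenda attached",
        "can you review the patch before the release",
        "lunch tomorrow? the usual place",
        "the release notes are attached for review",
    ]
    for m in spam:
        f.train(m, True)
    for m in ham:
        f.train(m, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    print(round(f.spam_probability("buy cheap pills now"), 3))
    print(round(f.spam_probability("please review the attached notes"), 3))
```

Words the filter has never seen, such as "please" in the second query, contribute nothing, which is why the guide stresses that more labelled training mail makes the filter more effective.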

Heuristic scanning
While Bayesian training is a manual procedure for teaching the spam filter what to
look for in email messages, heuristic filtering uses a scoring technique based on
predetermined rules that match terms and words. The rules are broken down into
five categories: header, body, raw body, URI, and metadata. Each rule has an
individual score that contributes to the total score for an email. To determine
whether an email is spam, the heuristic filter examines the message and adds the
score of each rule that applies to get a total score for that email. If the total
is greater than or equal to the upper threshold, the mail is classified as spam
and processed accordingly.
For more information on configuring Heuristic scanning, see Heuristic scanning
on page 90.
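The scoring model described above can be shown in a few lines. The following added example, not FortiMail's rule set, defines one or two small rules in each of the five categories the guide names (header, body, raw body, URI, metadata), sums the scores of the rules that fire and compares the total with an upper threshold. Every rule, score, the threshold of 5.0 and both sample messages are constructed for the example.

```python
"""Added example (not FortiMail code): heuristic scoring of a message using
rules in the five categories the guide names: header, body, raw body, URI
and metadata. Every rule, score and the threshold are constructed for this
example; FortiMail's own rules and scores are not shown here.
"""
import email
import re
from email import policy

URI_RE = re.compile(r'https?://[^\s<>"]+')
IP_URI_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
URGENT_RE = re.compile(r"\b(act now|urgent|limited time)\b", re.I)
B64LINE_RE = re.compile(r"^[A-Za-z0-9+/=]{60,}$", re.M)
UPPER_THRESHOLD = 5.0   # assumed; a total >= this classifies the mail as spam


def message_views(raw):
    """Split a raw RFC 822 message into the pieces the rule categories look at."""
    msg = email.message_from_string(raw, policy=policy.default)
    raw_body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "headers": msg,             # parsed header fields
        "body": body,               # decoded text as the reader would see it
        "raw_body": raw_body,       # undecoded, as transmitted
        "uris": URI_RE.findall(body),
        "metadata": {"size": len(raw), "has_to": msg["To"] is not None},
    }


# (rule name, category, score, predicate over the views dict); all constructed.
RULES = [
    ("missing_date",    "header",   1.5, lambda v: v["headers"]["Date"] is None),
    ("subject_allcaps", "header",   1.0, lambda v: str(v["headers"]["Subject"] or "").isupper()),
    ("body_urgent",     "body",     1.5, lambda v: URGENT_RE.search(v["body"]) is not None),
    ("raw_long_b64",    "raw_body", 1.0, lambda v: B64LINE_RE.search(v["raw_body"]) is not None),
    ("uri_ip_host",     "uri",      2.5, lambda v: any(IP_URI_RE.match(u) for u in v["uris"])),
    ("uri_many",        "uri",      1.0, lambda v: len(v["uris"]) >= 3),
    ("no_to_header",    "metadata", 1.0, lambda v: not v["metadata"]["has_to"]),
]


def score_message(raw, threshold=UPPER_THRESHOLD):
    """Return (total, [(rule, category, score) that fired], is_spam)."""
    views = message_views(raw)
    fired = [(name, cat, s) for name, cat, s, pred in RULES if pred(views)]
    total = sum(s for _, _, s in fired)
    return total, fired, total >= threshold


# Constructed sample messages (not real traffic).
SPAM_SAMPLE = """From: promo@example.net
Subject: LIMITED TIME OFFER

Act now! Visit http://203.0.113.5/deal and http://203.0.113.5/win
http://example.net/x
"""

HAM_SAMPLE = """From: alice@example.net
To: bob@example.com
Date: Wed, 12 Dec 2007 10:00:00 +0000
Subject: Release notes

The notes are at http://docs.example.com/notes/3.0 - please review.
"""

if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, HAM_SAMPLE):
        total, fired, is_spam = score_message(sample)
        print(total, [name for name, _, _ in fired], "spam" if is_spam else "ok")
```

The distinction between the body and raw body categories is the reason the views are built separately: a rule on the decoded text catches wording, while a rule on the undecoded body catches how the message was encoded on the wire.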

Installing
This chapter provides information on mounting and connecting the FortiMail unit
to your network. This chapter includes the following topics:

Environmental specifications

Cautions and warnings

Mounting

Plugging in the FortiMail unit

Turning off the FortiMail unit

Connecting to the FortiMail unit

Environmental specifications

Operating temperature: 32 to 104°F (0 to 40°C)


If you install the FortiMail unit in a closed or multi-unit rack assembly, the
operating ambient temperature of the rack environment may be greater than
room ambient temperature. Therefore, make sure to install the equipment in
an environment compatible with the manufacturer's maximum rated ambient
temperature.

Storage temperature: -13 to 158°F (-25 to 70°C)

Humidity: 5 to 90% non-condensing

Air flow - For rack installation, make sure that the amount of air flow required
for safe operation of the equipment is not compromised.

For free-standing installation, make sure that the FortiMail unit has sufficient
clearance on each side to allow for adequate air flow and cooling.

Cautions and warnings


Review the following cautions before installing your FortiMail unit.

Grounding

Ensure the FortiMail unit is connected and properly grounded to a lightning
and surge protector. WAN or LAN connections that enter the premises from
outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s)
surge protector.

Shielded Twisted Pair (STP) Ethernet cables should be used whenever
possible rather than Unshielded Twisted Pair (UTP).

Do not connect or disconnect cables during lightning activity to avoid damage
to the FortiMail unit or personal injury.

Rack mount instructions


Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly,
the operating ambient temperature of the rack environment may be greater than
room ambient temperature. Therefore, consideration should be given to installing
the equipment in an environment compatible with the maximum ambient
temperature (Tma) specified by the manufacturer.
Reduced Air Flow - Installation of the equipment in a rack should be such that the
amount of air flow required for safe operation of the equipment is not
compromised.
Mechanical Loading - Mounting of the equipment in the rack should be such that
a hazardous condition is not achieved due to uneven mechanical loading.
Circuit Overloading - Consideration should be given to the connection of the
equipment to the supply circuit and the effect that overloading of the circuits might
have on overcurrent protection and supply wiring. Appropriate consideration of
equipment nameplate ratings should be used when addressing this concern.
Reliable Earthing - Reliable earthing of rack-mounted equipment should be
maintained.
Particular attention should be given to supply connections other than direct
connections to the branch circuit (e.g. use of power strips).
If required to fit into a rack unit, remove the rubber feet from the bottom of the
FortiMail unit.

Mounting
FortiMail-100
Adhere the rubber feet included in the package to the underside of the FortiMail
unit, near the corners of the unit if not already attached.
Place the FortiMail unit on any flat, stable surface. Ensure the FortiMail unit has
sufficient clearance on each side to ensure adequate airflow for cooling.

FortiMail-400
The FortiMail unit can be placed on any flat surface, or mounted in a standard
19-inch rack unit.
When placing the FortiMail unit on any flat, stable surface, ensure the FortiMail
unit has sufficient clearance on each side to ensure adequate airflow for cooling.
For rack mounting, use the mounting brackets and screws included with the
FortiMail unit.

Caution: To avoid personal injury, you may require two or more people to install the
unit in the rack.

To install the FortiMail unit into a rack

1. Attach the mounting brackets to the sides of the unit so that the brackets are on
the front portion of the FortiMail unit. Ensure that the screws are tight and not
loose. The following photos illustrate how the brackets should be mounted. Note
that the screw configuration may vary.
Figure 3: Installed mounting brackets

2. Position the FortiMail unit in the rack to allow for sufficient air flow.

3. Line up the mounting bracket holes with the holes on the rack, ensuring the
FortiMail unit is level.

4. Finger tighten the screws to attach the FortiMail unit to the rack.

5. Once you verify the spacing of the FortiMail unit and that it is level, tighten the
screws with a screwdriver. Ensure that the screws are tight and not loose.
Figure 4: Mounting in a rack

FortiMail-2000A and FortiMail-4000A


To mount the FortiMail unit in a 19-inch rack or cabinet, use the slide rails
included with the product.

Caution: To avoid personal injury or damage to the FortiMail unit, it is highly recommended
a minimum of two people perform this procedure.


Mounting requires three steps:

disassembling the slide rail from the slide housing

attaching the slide rail to the sides of the FortiMail unit

mounting the FortiMail unit to the rack or cabinet.

Disassembling the slide rail


The slide rail assembly has two moving rails within the housing. You need to
remove the innermost rail. This rail will attach to the sides of the FortiMail unit.
Figure 5: FortiMail side rail (labels: Rail housing, Sliding Rail)

To remove the side rail

1. Open the slide rails package and remove the rails.

2. Extend the slide rail and locate the slide rail lock (labelled Rail Lock in the
figure).

3. Push down on the lock while pulling the rail completely out of the slide rail
assembly.

4. Repeat these steps for the other slide rail assembly.

You will attach this part to the side of the FortiMail unit.

Attaching the slide rail to the FortiMail unit


Attach the disconnected slide rails from the previous step to the sides of the
FortiMail unit. Use the screws provided with the slide rail package, being sure to
securely fasten the rail to the FortiMail chassis.

Mounting the FortiMail unit


Mounting the FortiMail-2000A or FortiMail-4000A is a two-step process. First, you
must attach the slide rail housing to the rack or cabinet, then insert the FortiMail
unit.

To mount the FortiMail unit

1. Mount the slide rail housing to the rack or cabinet frame. Adjust the outside
L-shaped brackets for a proper fit. Ensure that both housings are at the same
level so that the FortiMail unit can easily glide into place and is level.

2. Use the screws and additional L-brackets if required to securely fasten the
housing.

3. Position the FortiMail unit so that the back of the unit is facing the rack, and the
slide rails affixed in the previous step line up with the slide rail housing.

4. Gently push the FortiMail unit into the rack or cabinet. You will hear a click when
the slide rail lock has engaged.

5. Push the FortiMail unit until it is fully inserted into the rack.

Plugging in the FortiMail unit


FortiMail-100
The FortiMail-100 does not have a power switch.
To power on the FortiMail unit

1. Connect the AC adapter to the power connection at the back of the FortiMail unit.

2. Connect the AC adapter to the power cable.

3. Connect the power cable to a power outlet.

The FortiMail unit starts and the Power and Status LEDs light up. The Status LEDs
flash while the FortiMail unit starts up, and remain lit when the system is running.

FortiMail-400
Use the following steps to connect the power supply to the FortiMail unit.
To power on the FortiMail unit

1. Ensure the power switch, located at the back of the FortiMail unit, is in the off
position, indicated by the O.

2. Connect the power cord at the back of the FortiMail unit.

3. Connect the power cable to a power outlet.

4. Set the power switch on the back left of the FortiMail unit to the on position,
indicated by the I.
After a few seconds, SYSTEM STARTING appears on the LCD. The main menu
setting appears on the LCD when the system is running.

FortiMail-2000/A and FortiMail-4000/A


The FortiMail unit does not have an on/off switch.
To power on the FortiMail unit

1. Connect the power cables to the power connections on the back of the
FortiMail unit.

2. Connect the power cables to power outlets.

Each power cable should be connected to a different power source. If one power
source fails, the other may still be operative.
After a few seconds, SYSTEM STARTING appears on the LCD. The main menu
setting appears on the LCD when the system is running.
The FortiMail unit starts and the Power and Status LEDs light up. The Status
LEDs flash while the FortiMail unit starts up, and remain lit when the system is
running.
Note: If only one power supply is connected, an audible alarm sounds to indicate a failed
power supply. Press the red alarm cancel button on the rear panel next to the power supply
to stop the alarm.

Connecting to the network


Using the supplied Ethernet cable, connect one end of the cable to your router or
switch. Connect the other end to port 1 on the FortiMail unit.

Turning off the FortiMail unit


Always shut down the FortiMail unit properly before turning off the power switch to
avoid potential hardware problems. This enables the hard drives to spin down and
park correctly and avoid losing data.
To power off the FortiMail unit

1. From the web-based manager, go to System > Status.

2. In the System Command display, select Shutdown, or from the CLI enter:
execute shutdown

3. Turn off and/or disconnect the power cables from the power supply.

Connecting to the FortiMail unit


There are three methods of connecting and configuring the basic FortiMail
settings:

the web-based manager

the command line interface (CLI)

the front control buttons and LCD (FortiMail-400 and FortiMail-2000A)

Web-based manager
You can configure and manage the FortiMail unit using HTTP or a secure HTTPS
connection from any computer using a recent browser.
You can use the web-based manager to configure most FortiMail settings, and
monitor the status of the FortiMail unit.
Use the following procedure to connect to the web-based manager for the first
time. Configuration changes made with the web-based manager are effective
immediately, without interrupting service.
To connect to the web-based manager, you require:

a computer with an Ethernet connection

a recent version of a popular web browser

a crossover Ethernet cable or an Ethernet hub with two Ethernet cables

To connect to the web-based manager

1. Set the IP address of the computer with an Ethernet connection to the static IP
address 192.168.1.2 with a netmask of 255.255.255.0.

2. Using the crossover cable or the Ethernet hub and cables, connect the internal
interface of the FortiMail unit to the computer's Ethernet connection.

3. Start the web browser and browse to the address https://192.168.1.99/admin
(remember to include the s in https://).
To support a secure HTTPS authentication method, the FortiMail unit ships with a
self-signed security certificate, which is offered to remote clients whenever they
initiate an HTTPS connection to the FortiMail unit. When you connect, the FortiMail
unit displays two security warnings in the browser.
The first warning prompts you to accept and optionally install the FortiMail unit's
self-signed security certificate. If you do not accept the certificate, the FortiMail
unit refuses the connection. If you accept the certificate, the FortiMail login page
appears. The credentials entered are encrypted before they are sent to the
FortiMail unit. If you choose to accept the certificate permanently, the warning is
not displayed again.
Just before the FortiMail login page is displayed, a second warning informs you
that the FortiMail certificate's distinguished name differs from the original request.
This warning occurs because the FortiMail unit redirects the connection. This is an
informational message. Select OK to continue logging in.

4. Type admin in the Name field and select Login.

Command line interface


You can access the FortiMail command line interface (CLI) by connecting a
management computer serial port to the FortiMail serial console connector. You
can also use Telnet or an SSH connection to connect to the CLI from any network
that is connected to the FortiMail unit, including the Internet.
As an alternative to the web-based manager, you can install and configure the
FortiMail unit using the CLI. Configuration changes made with the CLI are
effective immediately, without interrupting service.

To connect to the FortiMail CLI you require:

a computer with an available communications port

the DB-9 or RJ-45 to DB-9 cable included in your FortiMail package

terminal emulation software such as HyperTerminal for Microsoft Windows

Note: The following procedure uses Microsoft Windows HyperTerminal software. You can
apply these steps to any terminal emulation program.

To connect to the CLI

1. Connect the console cable to the communications port of your computer and to
the FortiMail console port.

2. Start HyperTerminal, enter a name for the connection and select OK.

3. Configure HyperTerminal to connect directly to the communications port on your
computer and select OK.

4. Select the following port settings and select OK:
Bits per second: 9600
Data bits:
Parity: None
Stop bits:
Flow control: None

5. Press Enter to connect to the FortiMail CLI.
The login prompt appears.

6. Type admin and press Enter twice.
The following prompt is displayed:
Welcome!
Type ? to list available commands. For information about how to use the CLI, see
the FortiMail CLI Reference.

LCD front control buttons


You can use the front control buttons and LCD on the FortiMail-400 and
FortiMail-2000A to configure IP addresses, default gateways and switch operating
modes. The LCD shows you what mode you are in without having to go to the
command line interface or the web-based manager.
This configuration method provides an easy and fast method to configure your
FortiMail unit. You can configure:

IP addresses and netmasks

default gateways

operating modes

restore factory default settings

The front control buttons control how you enter and exit the different menus when
configuring the different ports and interfaces. The front control buttons also
enable you to increase or decrease each number when configuring IP addresses,
default gateway addresses, or netmasks. The following table defines each button
and what it does when configuring the basic settings of your FortiMail unit.
Table 1: Front control button definitions

Enter    Enables you to move forward through the configuration process.
Esc      Enables you to move backward, or exit out of the menu you are in.
Up       Allows you to increase the number for an IP address, default gateway
         address or netmask.
Down     Allows you to decrease the number for an IP address, default gateway
         address or netmask.

Configuring the FortiMail unit


Once the FortiMail unit is properly mounted, plugged in and connected to the
network, you can configure it for your network. The FortiMail unit can run in three
different modes. Each mode has multiple configuration options depending on
where you place the unit within your network infrastructure, and each
configuration has unique options and settings. This Install Guide contains a
chapter for each mode and its configuration options.

Management modes
FortiMail running version 3.0 MR2 and higher of the operating system includes
two management modes: basic and advanced. Depending on your familiarity with
configuring network email or email appliances, select the mode that best suits
your abilities. You can switch between modes at any time without losing any
settings. Basic mode enables you to configure the minimum settings to enable
antispam and antivirus protection to your network email. Advanced mode provides
more robust options, including user configuration, and more detailed antispam
and antivirus options. You can use either management mode in all the FortiMail
operating modes.

Quick Start wizard


If you are new to FortiMail, and this is your first installation, you can use the Quick
Start Wizard, available in basic management mode. The Quick Start wizard guides
you through the settings necessary to configure the FortiMail unit onto the
network, including network configuration, email server configuration, and basic
antispam and antivirus options.
The Quick Start Wizard is available in all FortiMail operating modes. It is
recommended that you select the operating mode before running the Quick Start
Wizard, as some options are specific to the operating mode. If you switch
operating modes after using the Quick Start Wizard, some configuration settings
may be lost or be incomplete.

Configuring gateway mode


This chapter describes how to configure a FortiMail unit to operate in gateway
mode. In gateway mode the FortiMail unit acts as a fully functional mail relay
server. The FortiMail unit receives incoming email messages, scans for viruses
and spam, then passes (relays) the email to the email server for delivery.
This chapter describes common deployment options for a FortiMail unit running in
gateway mode. Use these deployment and configuration examples to install the
FortiMail unit on your network, or use them as a guide for your own network
topology. Additional configuration information and details are available in the
FortiMail Administration Guide.
All examples use a FortiGate firewall device. If you are using a different firewall
appliance, consult the appliance's documentation to complete similar
configurations.
Note: This chapter uses the FortiMail unit in the advanced management mode.

This chapter includes the following:

FortiMail Gateway behind a firewall

FortiMail Gateway in front of a firewall

FortiMail Gateway in the DMZ

Switching to gateway mode


Use the web-based manager to complete the configuration of the FortiMail unit.
You can continue to use the web-based manager for all FortiMail settings.
Before you begin configuring the FortiMail unit, ensure it is in gateway mode. To
verify, go to System > Status and check the Operation Mode.
To change the operation mode

1. Go to System > Status.

2. Select Change for the Operation Mode.

3. Select Gateway from the list and select OK.

FortiMail Gateway behind a firewall


The FortiMail unit is positioned behind a FortiGate firewall. With the FortiMail unit
set up this way, the firewall blocks any attacks on the FortiMail unit and the email
server. Incoming and outgoing email is routed through the FortiMail unit for
scanning before being sent to the email server or the Internet.
Figure 6: FortiMail Gateway behind firewall (diagram labels: Email Server, Switch,
Internal, External, Internet, Router, Firewall, DNS Server)

Configuring the network settings


Use the following table to gather the information you need to customize the
gateway mode settings.
Table 2: Gateway mode settings

Administrator Password:

Port 1    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 2    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 3    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 4    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 5    IP: _____._____._____._____    Netmask: _____._____._____._____
Port 6    IP: _____._____._____._____    Netmask: _____._____._____._____

Default Gateway:        _____._____._____._____

Network settings: The management IP address and netmask must be valid for the
network from which you will manage the FortiMail unit. Add a default gateway if
the FortiMail unit must connect to a router to reach the management computer.

Primary DNS Server:     _____._____._____._____
Secondary DNS Server:   _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet (address range) as the
network and cannot use the same address as another device or computer on the
network.

Configuring a static IP address


To configure a network interface with a static IP address

1. Go to System > Network > Interface.

2. Select Modify for Port 1.

3. Select Manual Addressing Mode.

4. Enter the IP address and netmask.

5. Select OK.
If you changed the IP address of the interface that you are connecting to manage
the FortiMail unit, you must reconnect to the web-based manager using the new
IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a
Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service
Provider (ISP) may provide IP addresses using this protocol.
DHCP is used to obtain IP addresses from a DHCP server, such as one at your ISP.
Obtaining an IP address from a DHCP server ensures that the IP address for the
FortiMail unit is unique and not assigned to another device, such as your
FortiGate unit or other firewall device that is also connected directly to the
Internet.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if you need
to configure them manually.
To configure an interface for DHCP

1. Go to System > Network > Interface.

2. Select Modify for Port 1.

3. Select DHCP.

4. If required, select Retrieve default gateway and DNS from server to disable this
option.

5. Select OK.

Configuring DNS
You need to configure Domain Name System (DNS) server addresses so that the
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your internet service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches
domain names with computer IP addresses. This enables you to use readable
names, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses

1. Go to System > Network > DNS.

2. Enter the primary and secondary DNS server IP addresses.

3. Select Apply.

Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP, the FortiMail unit configures a default route
automatically.
The gateway address for the route is on the same network as port 1.
You need to configure additional routes if any of your email servers are on a
different subnet. The gateway you specify is the address of the next hop router
that connects to the required network.
To configure routing

1. Go to System > Network > Routing.

2. Select Create New to add a new route.

3. Enter the Destination IP address and netmask.

4. Enter the Gateway IP address.

5. Select OK.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings to have this relay occur.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.
To configure the email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select OK:


Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the
domain name of your email server. The FortiMail unit's Fully Qualified Domain
Name (FQDN) is <Host Name>.<Local Domain Name>. For example, mailsvr.company.com.
SMTP Server Port Number: Enter the SMTP port number. The default and standard
SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that
have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server
receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the
encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email
server.
Relay Server Port: Enter the relay server port number if your ISP provides a
relay email server.

Configuring MX records to route incoming email


Mail Exchange (MX) records are used to route email to specific destinations. An
MX record is an entry in a domain name database such as a DNS server. If a local
DNS server exists, MX records can be added or changed on the DNS server using
one of several user interfaces, depending on the operating system used.
When a user sends an email, the sender's mail server performs a DNS lookup
using the recipient's domain name, for example, example.com in the email
address user@example.com, and acquires the MX record.
The MX record contains the domain and host names. The sending mail server
uses this information to send the email to the recipient's mail server.
In order to route incoming email through the FortiMail unit for scanning, you need
to register a Fully Qualified Domain Name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
Route incoming email to the FortiMail unit by changing the MX record to point to
the FortiMail domain rather than the email server.
For example, using the information from the table below, change the existing MX
record, which currently points to the email server, to point to the FortiMail unit.
Email server: mail.exampledom.com
Current MX record: IN MX <n> mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2
Change the existing MX record for mail.exampledom.com to point to the FortiMail
unit. For example:
IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

The A record
The second line in the above example is
fm.exampledom.com IN A 172.16.15.2
This is an address record, commonly called an A record. It is a type of DNS entry
that assigns an IP address to a domain name.
Before email is sent out, the MX and A records for the recipient are looked up in
the DNS server by the sender's mail server. Then, using the A record entry, the
email is sent to the recipient using the corresponding domain name's IP address.

Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email
quarantine, Bayesian database training, spam reports, and DSN notifications. A
subdomain of the protected domain is recommended for the local domain because
it avoids registering a separate domain.
To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Enter the IP address or name of the SMTP Server, and the port number if different
from the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
5 Select OK.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
accounting.company.com
dev.company.com
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Enter the domain name including the suffix. For example, company.com.
5 Enter the IP address of the SMTP Server, and the port number if different from
the default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
6 Select Is Subdomain.
7 Select the main domain the local domain is a part of.
8 Select OK.

Configuring the firewall


Note: The following steps use a FortiGate firewall device. If you are using a different
firewall appliance, consult the appliance's documentation for completing similar
configurations.

With the FortiMail unit behind the FortiGate firewall, you must configure firewall
policies on the FortiGate unit to ensure that incoming SMTP traffic goes to the
FortiMail Gateway before reaching the email server.
To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for
the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, the
FortiGate unit automatically directs the message to the internal IP address of the
FortiMail unit.
This allows the FortiMail unit to perform antivirus scanning, antispam filtering, and
email archiving on the SMTP traffic.

How Virtual IPs work


Virtual IP (VIP) addresses enable users from outside a private network to access
services inside that network. Under normal circumstances, this is not possible
because Internet routers generally do not connect to private IP addresses. For
example, a user on the Internet is not able to send an email directly to the
FortiMail unit on a company internal network. However, you can configure the
FortiGate unit to allow an email message to a company employee to reach the
FortiMail unit on a private network from the Internet.
The packets sent from the client computer have a source IP of 192.168.37.55 and
a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its
external interface. The virtual IP settings indicate a mapping from 192.168.37.4 to
10.10.10.42 so the packets' addresses are changed. The source address is
changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The
FortiGate unit makes a note of this translation in the firewall session table it
maintains internally. The packets are then sent on their way and arrive at the
server computer.
Note that the FortiGate unit must be in NAT/Route mode to add VIPs.
For more information on Virtual IPs, see the FortiGate Administration Guide.
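The translation described above, as an added example that is not Fortinet code: a small Python model of the static NAT VIP using the addresses from the text (client 192.168.37.55, VIP 192.168.37.4, mapped FortiMail address 10.10.10.42, FortiGate internal address 10.10.10.2). The class and function names are this example's own, and the SMTP flow with client port 51234 is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class StaticNatVip:
    """Model of a FortiGate static NAT VIP (this example's own class).

    ext_ip       External IP Address/Range of the VIP (192.168.37.4 in the text)
    mapped_ip    Mapped IP Address/Range, the FortiMail unit (10.10.10.42)
    internal_ip  FortiGate internal interface address used as the new source (10.10.10.2)
    """
    ext_ip: str
    mapped_ip: str
    internal_ip: str
    # Session table: translated 4-tuple -> original packet, so that replies can be
    # un-translated. The FortiGate unit keeps the equivalent entry internally.
    sessions: Dict[Tuple[str, int, str, int], Packet] = field(default_factory=dict)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the external interface.

        Only traffic addressed to the VIP is rewritten; anything else is
        returned as None (no VIP applies, so no translation happens)."""
        if pkt.dst != self.ext_ip:
            return None
        translated = Packet(self.internal_ip, self.mapped_ip, pkt.sport, pkt.dport)
        self.sessions[(translated.dst, translated.dport,
                       translated.src, translated.sport)] = pkt
        return translated

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply from the mapped host.

        The reply is matched against the session table; a reply with no
        matching session is dropped (None) rather than guessed at."""
        original = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return None
        return Packet(self.ext_ip, original.src, pkt.sport, original.sport)


def smtp_walkthrough() -> Dict[str, Optional[Packet]]:
    """Run the exchange from the text: an Internet client opens SMTP (port 25)
    to the VIP, the FortiMail unit answers, and both directions are translated."""
    vip = StaticNatVip(ext_ip="192.168.37.4", mapped_ip="10.10.10.42",
                       internal_ip="10.10.10.2")
    client_syn = Packet("192.168.37.55", "192.168.37.4", 51234, 25)  # constructed
    forwarded = vip.inbound(client_syn)
    # The FortiMail unit sees 10.10.10.2 -> 10.10.10.42 and replies to 10.10.10.2.
    reply = Packet("10.10.10.42", "10.10.10.2", 25, 51234)
    back_to_client = vip.reply(reply)
    # Traffic to an address that is not the VIP is left alone.
    not_vip = vip.inbound(Packet("192.168.37.55", "192.168.37.9", 51235, 25))
    return {"forwarded": forwarded, "back_to_client": back_to_client, "not_vip": not_vip}


if __name__ == "__main__":
    for name, pkt in smtp_walkthrough().items():
        print(f"{name}: {pkt}")
```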
To configure a VIP on a FortiGate unit
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Complete the following and select OK:
Name: Enter a name for the FortiMail unit.
External Interface: Select the virtual IP external interface from the list. The
external interface is connected to the source network and receives the packets
to be forwarded to the destination network.
Type: Select Static NAT.
External IP Address/Range: Enter the external IP address that you want to map to
an address on the destination network.
Mapped IP Address/Range: Enter the real IP address on the destination network to
which the external IP address is mapped.

Create an incoming traffic firewall policy
With the VIP established, create a firewall policy to allow traffic from the FortiGate
external interface to the VIP mapping on the internal interface.
To create the firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK:
Source Interface/Zone: The FortiGate external interface connected to the Internet.
Source Address Name: ALL
Destination Interface/Zone: The FortiGate internal interface to the network.
Destination Address Name: Select the FortiMail name from the list under Virtual IP.
Schedule: Select ALWAYS.
Service: Select ALL.
Action: Select ACCEPT.

Create an outgoing traffic firewall policy
Create an outgoing policy that allows the email from the FortiMail unit to pass
through the FortiGate unit onto the Internet.
To create the firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK:
Source Interface/Zone: The FortiGate internal interface connected to the network.
Source Address Name: Select the FortiMail name from the list under Virtual IP.
Destination Interface/Zone: The FortiGate external interface connected to the Internet.
Destination Address Name: Select ALL.
Schedule: Select ALWAYS.
Service: Select ALL.
Action: Select ACCEPT.

Routing outgoing email to the FortiMail Gateway


The FortiMail unit is now configured to receive incoming email, scan it and send it
to the recipient as required. You must also configure the email environment so
that the FortiMail unit scans outgoing email, whether it is destined for an internal
user or a user on the Internet.
To do this, you must configure the email client of the user to send email messages
to the FortiMail unit. When the FortiMail unit receives the email message, it scans
the message for viruses or spam and routes the message to its next destination.
To configure an email client to send email to the FortiMail unit, in the email client,
configure the outgoing mail server (SMTP) to be the FortiMail unit.

Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that you can send and receive email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.


FortiMail Gateway in front of a firewall


The FortiMail unit is positioned in front of the firewall. With the FortiMail unit set up
this way, if the FortiMail gateway is compromised by attacks, the email server and
the internal network are not affected. The FortiMail unit however is not protected
by the firewall.
Figure 7: FortiMail Gateway in front of firewall (diagram showing the Internet,
Router, Firewall, Switch, Email Server and DNS Server, with the External and
Internal sides labelled)

Configuring the network settings


Use the following table to gather the information you need to customize the
gateway mode settings.
Table 3: Gateway mode settings
Administrator Password:
Network settings
Port 1: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 2: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 3: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 4: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 5: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 6: IP: _____._____._____._____  Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which
you will manage the FortiMail unit. Add a default gateway if the FortiMail unit
must connect to a router to reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.

Configuring a static IP address


To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a
Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service
Provider (ISP) may provide IP addresses using this protocol.
DHCP is used to obtain IP addresses from a DHCP server, such as one at your ISP.
Obtaining an IP address from a DHCP server ensures that the IP address for the
FortiMail unit is unique and not assigned to another device, such as your
FortiGate unit or other firewall device that is also connected directly to the
Internet.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if required
to configure them manually.
To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select DHCP.
4 If required, select Retrieve default gateway and DNS from server to disable this option.
5 Select OK.


Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your Internet
service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP, the FortiMail unit configures a default route
automatically.
The gateway address for the route is on the same network as port 1.
You need to configure additional routes if any of your email servers are on a
different subnet. The gateway you specify is the address of the next hop router
that connects to the required network.
To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route or select Modify to change the default.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.
To configure the email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select Apply:


Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the
domain name of your email server. The FortiMail unit's Fully Qualified Domain
Name (FQDN) is <Host Name>.<Local Domain Name>. For example, mailsvr.company.com.
SMTP Server Port Number: Enter the SMTP port number. The default and standard
SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that
have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server
receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the
encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email
server.
Relay Server Port: Enter the relay server port number if your ISP provides a
relay email server.

Configuring MX records to route incoming email


Mail Exchange (MX) records are used to route email to specific destinations. An
MX record is an entry in a domain name database such as a DNS server. If a local
DNS server exists, MX records can be added or changed on the DNS server using
one of several user interfaces, depending on the operating system used.
When a user sends an email, the sender's mail server performs a DNS lookup
using the recipient's domain name, for example, example.com in the email
address user@example.com, and acquires the MX record.
The MX record contains the domain and host names. The sending mail server
uses this information to send the email to the recipient's mail server.
In order to route incoming email through the FortiMail unit for scanning, you need
to register a Fully Qualified Domain Name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
Route incoming email to the FortiMail unit by changing the MX record to point to
the FortiMail domain rather than the email server.
For example, using the information from the table below, change the existing MX
record, which currently points to the email server, to point to the FortiMail unit.
Email server: mail.exampledom.com
Current MX record: IN MX <n> mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2
Change the existing MX record for mail.exampledom.com to point to the FortiMail
unit. For example:
IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

The A record
The second line in the above example is
fm.exampledom.com IN A 172.16.15.2
This is an address record, commonly called an A record. It is a type of DNS entry
that assigns an IP address to a domain name.
Before email is sent out, the MX and A records for the recipient are looked up in
the DNS server by the sender's mail server. Then, using the A record entry, the
email is sent to the recipient using the corresponding domain name's IP address.
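The MX and A record change described in the MX record sections of this guide (the same change applies to each gateway deployment), as an added example that is not Fortinet code: a small zone checker that reports which host will receive mail for the domain and flags the common mistakes (no MX, an MX target with no A record, or an MX still pointing at the email server). The zone text is constructed from the table above; the email server address 192.0.2.10 is a placeholder and the preference 10 stands in for <n>.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Zone fragments constructed from the table above. The email server's own
# address (192.0.2.10) is a constructed placeholder; 10 stands in for <n>.
ZONE_BEFORE = """
exampledom.com.      IN MX 10 mail.exampledom.com.
mail.exampledom.com. IN A  192.0.2.10
"""

ZONE_AFTER = """
exampledom.com.      IN MX 10 fm.exampledom.com.
fm.exampledom.com.   IN A  172.16.15.2
mail.exampledom.com. IN A  192.0.2.10
"""

Records = Dict[Tuple[str, str], List[str]]


def parse_zone(text: str) -> Records:
    """Minimal parser for 'owner IN TYPE rdata...' lines; ';' starts a comment."""
    records: Records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            raise ValueError(f"unsupported record: {raw!r}")
        owner = parts[0].lower().rstrip(".")
        records[(owner, parts[2].upper())].append(" ".join(parts[3:]))
    return records


def mail_exchangers(records: Records, domain: str) -> List[Tuple[int, str]]:
    """(preference, host) pairs for the domain, lowest preference first, which is
    the order a sending mail server tries them."""
    mx = []
    for rdata in records.get((domain.lower().rstrip("."), "MX"), []):
        pref, host = rdata.split()
        mx.append((int(pref), host.lower().rstrip(".")))
    return sorted(mx)


def check_mx_routing(zone_text: str, domain: str,
                     scanner_host: str, scanner_ip: str) -> dict:
    """Report which host receives mail for `domain` and flag the usual mistakes:
    no MX record, an MX target with no A record (or only a CNAME), or a lowest-
    preference MX that still points at the email server instead of the scanner."""
    records = parse_zone(zone_text)
    mx = mail_exchangers(records, domain)
    if not mx:
        return {"primary": None, "ip": None, "problems": [f"no MX record for {domain}"]}
    _, host = mx[0]
    a_records = records.get((host, "A"), [])
    problems = []
    if records.get((host, "CNAME")):
        problems.append(f"MX target {host} is a CNAME; it must have an A record")
    if not a_records:
        problems.append(f"MX target {host} has no A record; senders cannot connect")
    scanner = scanner_host.lower().rstrip(".")
    if host != scanner:
        problems.append(f"lowest-preference MX is {host}, not the FortiMail unit {scanner}")
    elif a_records and a_records[0] != scanner_ip:
        problems.append(f"{host} resolves to {a_records[0]}, expected {scanner_ip}")
    # A backup MX that still names the old server lets senders skip the scanner
    # whenever the first one is unreachable, so report it as well.
    for _, other in mx[1:]:
        if other != scanner:
            problems.append(f"backup MX {other} bypasses the FortiMail unit")
    return {"primary": host, "ip": a_records[0] if a_records else None,
            "problems": problems}


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, check_mx_routing(zone, "exampledom.com",
                                      "fm.exampledom.com", "172.16.15.2"))
```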

Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email
quarantine, Bayesian database training, spam reports, and DSN notifications. A
subdomain of the protected domain is recommended for the local domain because
it avoids registering a separate domain.
To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Enter the IP address or name of the SMTP Server, and the port number if different
from the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
5 Select OK.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
accounting.company.com
dev.company.com
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Enter the domain name including the suffix. For example, company.com.
5 Enter the IP address of the SMTP Server, and the port number if different from
the default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
6 Select Is Subdomain.
7 Select the main domain the local domain is a part of.
8 Select OK.

Configuring the firewall


With the FortiMail unit in front of the FortiGate firewall, you must configure policies
to ensure that incoming SMTP traffic scanned by the FortiMail unit goes to the
email server. You also need a policy so that email sent by internal users passes
through the firewall for scanning by the FortiMail unit before it is sent to the
Internet.
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance's documentation for completing similar
configurations.

Configuring the FortiMail policy


Create a firewall policy that permits all SMTP traffic on port 25 to pass from the
FortiMail unit through the firewall and directs it to the email server.
First, you must create address entries on the FortiGate unit that identify the
FortiMail unit and the email server.
To create an address for the FortiMail unit, on the FortiGate unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:
Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select the interface for the FortiGate unit connected to the Internet.

To create an address for the email server, on the FortiGate unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:
Name: Enter the name of the email server.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the email server.
Interface: Select the interface for the FortiGate unit connected to the email server.
Next, create the incoming email firewall policy so that the email from the FortiMail
unit goes to the email server.


To configure the incoming policy, on the FortiGate unit
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the external interface connected to the Internet.
Source Address Name: Select the FortiMail address from the list.
Destination Interface/zone: Select the internal interface connected to the network.
Destination Address Name: Select the Email server from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.

Configure the user send policy
You also need to add a firewall policy so that email users can send email to the
FortiMail unit for scanning before sending an email message over the Internet.
Note that the policy is not using the email server address. All traffic passes
through the FortiMail unit before going through the firewall.
To configure the outgoing policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL so that all users can send email messages through
the policy.
Destination Interface/zone: Select the external interface connected to the Internet.
Destination Address Name: Select the FortiMail unit from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
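What the two policies above permit, as an added example that is not FortiGate code: a first-match policy table with the implicit deny, checked against the SMTP paths that matter in this deployment (SMTP reaches the email server only from the FortiMail unit, and internal users cannot send SMTP to the Internet around the scanner). All addresses, interface names and the Policy/Flow classes are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the example (not from the guide).
FORTIMAIL_IP = "203.0.113.25"    # FortiMail unit, outside the firewall
MAIL_SERVER_IP = "192.168.1.10"  # protected email server on the internal network
INTERNET_HOST = "198.51.100.7"   # some host on the Internet
INTERNAL_USER = "192.168.1.50"   # a user's workstation

SERVICES = {"SMTP": {("tcp", 25)}, "ALL": None}  # None = any protocol/port


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    src_addr: str      # address object as CIDR, or "ALL"
    dst_intf: str
    dst_addr: str
    service: str       # key of SERVICES
    action: str        # "ACCEPT" or "DENY"


@dataclass(frozen=True)
class Flow:
    in_intf: str
    src: str
    out_intf: str
    dst: str
    proto: str = "tcp"
    dport: int = 25


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "ALL" or ip_address(ip) in ip_network(spec, strict=False)


def _service_match(spec: str, proto: str, dport: int) -> bool:
    allowed = SERVICES[spec]
    return allowed is None or (proto, dport) in allowed


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, Optional[str]]:
    """First matching policy wins; a flow that matches nothing hits the implicit deny."""
    for p in policies:
        if (p.src_intf == flow.in_intf and p.dst_intf == flow.out_intf
                and _addr_match(p.src_addr, flow.src)
                and _addr_match(p.dst_addr, flow.dst)
                and _service_match(p.service, flow.proto, flow.dport)):
            return p.action, p.name
    return "DENY", None


# The two policies from the procedures above.
POLICIES = [
    Policy("incoming", "external", f"{FORTIMAIL_IP}/32",
           "internal", f"{MAIL_SERVER_IP}/32", "SMTP", "ACCEPT"),
    Policy("user-send", "internal", "ALL",
           "external", f"{FORTIMAIL_IP}/32", "SMTP", "ACCEPT"),
]


def scanner_path_checks(policies: List[Policy] = POLICIES) -> Dict[str, str]:
    """Confirm every SMTP path into or out of the network goes via the FortiMail unit."""
    cases = {
        # Scanned mail from the FortiMail unit may reach the email server.
        "fortimail_to_server": Flow("external", FORTIMAIL_IP, "internal", MAIL_SERVER_IP),
        # An Internet host may not deliver straight to the email server.
        "internet_to_server": Flow("external", INTERNET_HOST, "internal", MAIL_SERVER_IP),
        # Users hand outgoing mail to the FortiMail unit.
        "user_to_fortimail": Flow("internal", INTERNAL_USER, "external", FORTIMAIL_IP),
        # Users may not send SMTP to the Internet directly, skipping the scan.
        "user_to_internet": Flow("internal", INTERNAL_USER, "external", INTERNET_HOST),
        # Only SMTP is opened towards the FortiMail unit, not other services.
        "user_to_fortimail_https": Flow("internal", INTERNAL_USER, "external",
                                        FORTIMAIL_IP, dport=443),
    }
    return {name: evaluate(policies, flow)[0] for name, flow in cases.items()}


if __name__ == "__main__":
    for name, verdict in scanner_path_checks().items():
        print(f"{name:28s} {verdict}")
```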

Routing outgoing email to the FortiMail Gateway


The firewall and FortiMail unit are now configured to receive incoming email, scan
it and send it to the recipient as required, and email users can send email, which
the FortiMail unit will scan before sending it to the Internet.
You must also configure the email client software so that it sends outgoing email
to the FortiMail unit for scanning, whether it is destined for an internal user or a
user on the Internet.
To configure an email client to send email to the FortiMail unit, in the email client,
configure the outgoing mail server (SMTP) to be the FortiMail unit.


Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.

FortiMail Gateway in the DMZ


The FortiMail unit is positioned in the DMZ of the firewall appliance. With the
FortiMail unit set up this way, the FortiMail is protected by the firewall, and if the
FortiMail unit is compromised by attacks, the internal network and email server
are not affected.
Figure 8: FortiMail Gateway in DMZ (diagram showing the Internet, Router, a
firewall with External, DMZ and Internal interfaces, Switch, Email Server and
DNS Server)


Configuring the network settings


Use the following table to gather the information you need to customize the
gateway mode settings.
Table 4: Gateway mode settings
Administrator Password:
Network settings
Port 1: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 2: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 3: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 4: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 5: IP: _____._____._____._____  Netmask: _____._____._____._____
Port 6: IP: _____._____._____._____  Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which
you will manage the FortiMail unit. Add a default gateway if the FortiMail unit
must connect to a router to reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to the DMZ interface of the firewall
appliance. The IP address of Port 1 must be on the same subnet as the DMZ
network and cannot use the same address as another device or computer on the
network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP if the network supports it.

Configuring a static IP address


To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.


If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a Dynamic
Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP)
may provide IP addresses using this protocol.
DHCP is used to obtain IP addresses from a DHCP server, such as one at your ISP.
Obtaining an IP address from a DHCP server ensures that the IP address for the
FortiMail unit is unique and not assigned to another device, such as your
FortiGate unit or other firewall device that is also connected directly to the
Internet.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if required
to configure them manually.
To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select DHCP.
4 If required, select Retrieve default gateway and DNS from server to disable this option.
5 Select OK.

Configuring DNS
You need to configure Domain Name System (DNS) server addresses so that the
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your Internet service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP, the FortiMail unit configures a default route
automatically.
The gateway address is the IP address of the firewall interface on the same
network as this FortiMail interface.
To configure routing
1 Go to System > Network > Routing.
2 Select Create New to add a new route or select Modify to change the default.
3 Enter the Destination IP address and netmask.
4 Enter the Gateway IP address.
5 Select OK.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.
To configure the basic email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select Apply:


Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the
domain name of your email server. The FortiMail unit's Fully Qualified Domain
Name (FQDN) is <Host Name>.<Local Domain Name>. For example, mailsvr.company.com.
SMTP Server Port Number: Enter the SMTP port number. The default and standard
SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that
have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server
receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the
encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email
server.
Relay Server Port: Enter the relay server port number if your ISP provides a
relay email server.

Configuring MX records to route incoming email


Mail Exchange (MX) records are used to route email to specific destinations. An
MX record is an entry in a domain name database such as a DNS server. If a local
DNS server exists, MX records can be added or changed on the DNS server using
one of several user interfaces, depending on the operating system used.
When a user sends an email, the sender's mail server performs a DNS lookup
using the recipient's domain name, for example, example.com in the email
address user@example.com, and acquires the MX record.
The MX record contains the domain and host names. The sending mail server
uses this information to send the email to the recipient's mail server.

In order to route incoming email through the FortiMail unit for scanning, you need
to register a Fully Qualified Domain Name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
Route incoming email to the FortiMail unit by changing the MX record to point to
the FortiMail domain rather than the email server.
For example, using the information from the table below, change the existing MX
record currently pointing to the email server, to point to the FortiMail unit.
Email server: mail.exampledom.com
Current MX record: IN MX <n> mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2

Change the existing MX record for mail.exampledom.com to point to the
FortiMail unit. For example:
IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2

The A record
The second line in the above example is
fm.exampledom.com IN A 172.16.15.2
This is an address record, commonly called an A record. It is a type of DNS
entry that assigns an IP address to a domain name.
Before email is sent out, the MX and A records for the recipient are looked up in
the DNS server by the sender's mail server. Then, using the A record entry, the
email is sent to the recipient using the corresponding domain name's IP address.
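The MX and A lookup described above, and again in the MX section of the server mode chapter, as an added example that is not part of the FortiMail guide: a small zone parser and a sender-side lookup over constructed zone data, showing how re-pointing the MX record puts the FortiMail unit in the delivery path and what happens when the A record for the new MX target is forgotten. Zone lines are assumed to carry an explicit owner name, and the address of mail.exampledom.com is made up.

```python
"""Sender-side MX/A lookup over a constructed zone (added example, not from the guide)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Record:
    name: str            # owner name without the trailing dot
    rtype: str           # "MX" or "A"
    value: str           # MX target host or A address
    preference: int = 0  # MX preference; lower is tried first


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner IN MX <pref> target' and 'owner IN A <ip>' lines.

    Comments after ';' and blank lines are ignored. Anything else raises,
    so a typo in the zone is noticed instead of silently dropped.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            raise ValueError(f"cannot parse record: {raw!r}")
        owner, rtype = fields[0].rstrip("."), fields[2]
        if rtype == "MX" and len(fields) == 5:
            records.append(Record(owner, "MX", fields[4].rstrip("."), int(fields[3])))
        elif rtype == "A" and len(fields) == 4:
            records.append(Record(owner, "A", fields[3]))
        else:
            raise ValueError(f"unsupported or malformed record: {raw!r}")
    return records


def delivery_target(domain: str, records: List[Record]) -> Tuple[str, str]:
    """Return the (mail host, IP address) a sending mail server would deliver to.

    Mirrors the guide: look up the MX records for the recipient's domain, take
    the lowest preference, then resolve that host's A record.
    """
    mx = [r for r in records if r.rtype == "MX" and r.name == domain]
    if not mx:
        raise LookupError(f"no MX record for {domain}")
    host = min(mx, key=lambda r: r.preference).value
    addrs = [r.value for r in records if r.rtype == "A" and r.name == host]
    if not addrs:
        # The MX points at a name nobody can resolve: mail for the domain bounces.
        raise LookupError(f"MX target {host} has no A record")
    return host, addrs[0]


def scanner_in_path(domain: str, records: List[Record], scanner_host: str) -> bool:
    """True when the preferred, resolvable MX for the domain is the FortiMail unit."""
    try:
        return delivery_target(domain, records)[0] == scanner_host
    except LookupError:
        return False


# Constructed zone data following the guide's example table. The address of
# mail.exampledom.com is invented here; the guide does not give one.
ZONE_BEFORE = """
exampledom.com.       IN MX 10 mail.exampledom.com.
mail.exampledom.com.  IN A  172.16.15.10   ; constructed address
"""

ZONE_AFTER = """
exampledom.com.       IN MX 10 fm.exampledom.com.
fm.exampledom.com.    IN A  172.16.15.2
mail.exampledom.com.  IN A  172.16.15.10   ; constructed address
"""

# A mistake worth catching: the MX was changed, but the A record for the
# FortiMail unit was never added.
ZONE_MISSING_A = """
exampledom.com.       IN MX 10 fm.exampledom.com.
mail.exampledom.com.  IN A  172.16.15.10   ; constructed address
"""

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        host, ip = delivery_target("exampledom.com", parse_zone(zone))
        print(f"{label}: mail for exampledom.com goes to {host} ({ip})")
    print("scanner in path with missing A record:",
          scanner_in_path("exampledom.com", parse_zone(ZONE_MISSING_A), "fm.exampledom.com"))
```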

Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email
quarantine, Bayesian database training, spam reports, and DSN notifications. A
sub domain of the protected domain is recommended for the local domain
because of the domain registration savings.
To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Enter the IP address or name of the SMTP Server and port number if different
than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
5 Select OK.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
accounting.company.com
dev.company.com
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.

To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Enter the domain name including the suffix. For example, company.com.
5 Enter the IP address of the SMTP Server and port number if different than the
default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
6 Select Is Subdomain.
7 Select the main domain the local domain is a part of.
8 Select OK.

Configuring the firewall


With the FortiMail unit in the DMZ of the FortiGate firewall, you must configure
policies to ensure that incoming SMTP traffic scanned by the FortiMail unit goes to
the email server, and that email sent by internal users via the email server passes
through the firewall for scanning by the FortiMail unit before it is sent to the
Internet.
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance's documentation for completing similar
configurations.

Configuring the FortiMail policy


Create a firewall policy that permits all SMTP traffic on port 25 to pass from the
FortiMail unit through the firewall to the email server.
First, you must create address entries for the FortiMail unit and the email server.
To create an address for the FortiMail unit, on the FortiGate unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select the DMZ interface on the FortiGate unit.

To create an address for the email server, on the FortiGate unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:

Name: Enter the name of the email server.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the email server.
Interface: Select the interface of the FortiGate unit connected to the internal
network.

Next, create the incoming email firewall policies. Two policies are required for
incoming mail: one routes the email from the external interface of the FortiGate
unit to the DMZ interface where the FortiMail unit is, and a second enables email
scanned by the FortiMail unit to go from the DMZ interface to the internal
interface on the network.
To configure the incoming policy from the external interface to the DMZ
interface, on the FortiGate unit
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone: Select the external interface connected to the Internet.
Source Address Name: Select the external address for the Internet.
Destination Interface/zone: Select the DMZ interface connected to the network.
Destination Address Name: Select FortiMail from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.

To configure the incoming policy from the DMZ interface to the internal
interface, on the FortiGate unit
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone: Select the DMZ interface connected to the FortiMail unit.
Source Address Name: Select the FortiMail address from the list.
Destination Interface/zone: Select the internal interface connected to the network.
Destination Address Name: Select the email server from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.

Configure the user send policy


You also need to add a firewall policy for end users to send email to the FortiMail
unit for scanning before an email message is sent over the Internet. Two policies
are required for outgoing mail: one routes the email from the internal interface of
the FortiGate unit to the DMZ interface where the FortiMail unit is, and a second
enables email scanned by the FortiMail unit to go from the DMZ interface to the
external interface and out to the Internet.
To configure the outgoing policy from the internal interface to the DMZ
interface, on the FortiGate unit
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL so that all users can send email messages
through the policy.
Destination Interface/zone: Select the DMZ interface connected to the FortiMail
unit.
Destination Address Name: Select the FortiMail unit from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.

To configure the outgoing policy from the DMZ interface to the external
interface, on the FortiGate unit
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:

Source Interface/zone: Select the DMZ interface connected to the network.
Source Address Name: Select the FortiMail unit from the list.
Destination Interface/zone: Select the external interface connected to the
FortiMail unit.
Destination Address Name: Select the external address for the Internet.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
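The four SMTP policies above, modelled as an added example that is neither FortiGate code nor part of the FortiMail guide: a first-match policy evaluator plus a check that every accepted SMTP path across the firewall starts or ends at the FortiMail unit, so nothing can reach the email server unscanned. Interface names and the address object names (internet, fortimail, mailserver) are assumptions.

```python
"""Model of the guide's four SMTP firewall policies (added example, not FortiGate code)."""
from dataclasses import dataclass
from typing import List, Optional

ALL = "all"                # the FortiGate "ALL" address
INTERNET = "internet"      # external address object (assumed name)
FORTIMAIL = "fortimail"    # address object for the FortiMail unit (assumed name)
MAILSERVER = "mailserver"  # address object for the email server (assumed name)


@dataclass(frozen=True)
class Policy:
    src_if: str
    src_addr: str
    dst_if: str
    dst_addr: str
    service: str
    action: str


@dataclass(frozen=True)
class Flow:
    src_if: str
    src_addr: str
    dst_if: str
    dst_addr: str
    service: str


# The four policies from the guide, in the order they are created.
GUIDE_POLICIES: List[Policy] = [
    Policy("external", INTERNET, "dmz", FORTIMAIL, "SMTP", "ACCEPT"),   # Internet -> FortiMail
    Policy("dmz", FORTIMAIL, "internal", MAILSERVER, "SMTP", "ACCEPT"),  # FortiMail -> email server
    Policy("internal", ALL, "dmz", FORTIMAIL, "SMTP", "ACCEPT"),         # internal users -> FortiMail
    Policy("dmz", FORTIMAIL, "external", INTERNET, "SMTP", "ACCEPT"),    # FortiMail -> Internet
]


def matches(policy: Policy, flow: Flow) -> bool:
    """A policy matches when interfaces and service agree and each address is ALL or equal."""
    return (policy.src_if == flow.src_if
            and policy.dst_if == flow.dst_if
            and policy.service == flow.service
            and policy.src_addr in (ALL, flow.src_addr)
            and policy.dst_addr in (ALL, flow.dst_addr))


def decide(flow: Flow, policies: Optional[List[Policy]] = None) -> str:
    """First matching policy wins; a flow that no policy matches is implicitly denied."""
    for policy in GUIDE_POLICIES if policies is None else policies:
        if matches(policy, flow):
            return policy.action
    return "DENY"


def scanner_bypasses(policies: List[Policy], scanner: str = FORTIMAIL) -> List[Policy]:
    """Return accepted SMTP policies that neither start nor end at the scanner.

    Any such policy lets mail cross the firewall without passing the FortiMail
    unit, which is exactly what the DMZ design is meant to rule out.
    """
    return [p for p in policies
            if p.service == "SMTP" and p.action == "ACCEPT"
            and scanner not in (p.src_addr, p.dst_addr)]


if __name__ == "__main__":
    direct = Flow("external", INTERNET, "internal", MAILSERVER, "SMTP")
    print("Internet straight to the email server:", decide(direct))  # DENY
    # Constructed mistake: an extra "let mail in" policy added during troubleshooting.
    leaky = GUIDE_POLICIES + [Policy("external", INTERNET, "internal", MAILSERVER, "SMTP", "ACCEPT")]
    print("policies that bypass the scanner:", scanner_bypasses(leaky))
```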

Routing outgoing email to the FortiMail Gateway


The firewall and FortiMail unit are now configured to receive incoming email, scan
it and send it to the recipient as required. You must also configure the email
clients so that the client software sends outgoing email to the FortiMail unit for
scanning, whether it is destined for an internal user or a user on the Internet.
To configure an email client to send email to the FortiMail unit, in the email client,
configure the outgoing mail server (SMTP) to be the FortiMail unit.

Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.

Configuring transparent mode


This chapter describes how to configure a FortiMail unit to operate in transparent
mode. In transparent mode, the FortiMail unit acts as a bridge, providing
seamless integration into existing network environments as the FortiMail unit
scans email traffic to and from the email server.
Both deployment examples offer effective email scanning and security. Use these
deployment and configuration examples to install the FortiMail unit on your
network, or use them as a guide for your own network topology. Additional
configuration information and details are available in the FortiMail Administration
Guide.
Note: This chapter uses the FortiMail unit in the advanced management mode.

This chapter includes the following:

Deploying in front of an email server

Deploying to protect an email hub

Switching to transparent mode


Use the web-based manager to complete the configuration of the FortiMail unit.
You can continue to use the web-based manager for all FortiMail settings.
Before you begin, ensure the FortiMail unit is in transparent mode. If not, switch
over to this mode.
To switch to transparent mode
1 Go to System > Status.
2 Select Change beside the Operation Mode.
3 Select Transparent in the Operation Mode list.
4 Select Apply.
The FortiMail unit reboots and resets all configuration to the factory defaults.

Deploying in front of an email server


A common configuration of the FortiMail unit in transparent mode is to place the
FortiMail unit in front of the mail server. The FortiMail unit scans email travelling to
and from the email server. You can run the FortiMail unit with many of the default
settings and only minor configuration.
Figure 9: Typical FortiMail deployment in transparent mode (diagram labels:
Internet, Router, FortiMail unit in transparent mode, Mail Server, Mail Users
(POP3/IMAP/Web Mail))

This section includes the following topics:

Configuring the network settings

Configuring the email system settings

Configuring proxies

Configuring the network settings


Use the following table to gather the information you need to customize
transparent mode settings.
Table 5: Transparent mode settings
Administrator Password:
Management IP
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  The management IP address and netmask must be valid for the network from
  which you will manage the FortiMail unit. Add a default gateway if the
  FortiMail unit must connect to a router to reach the management computer.
DNS Settings
  Primary DNS Server: _____._____._____._____
  Secondary DNS Server: _____._____._____._____

Configuring the management IP


In transparent mode, the FortiMail unit has a management IP address for
administrative access. The FortiMail unit also uses this IP address to connect to
the FortiGuard Distribution Network for virus definition updates.

To configure the management interface
1 Connect to the web-based manager using the default address,
https://192.168.1.99/admin.
2 Go to System > Network > Management IP.
3 Enter the new management IP address and netmask.
4 Select Apply.
Reconnect to the web-based manager using the new management IP address.

Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
In simple terms, a DNS server acts as a phone book for the Internet. It matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
At a minimum, you need to define a route that enables the FortiMail unit to contact
the DNS server. You need to configure additional routes if any of your email
servers are on a different network than the FortiMail unit and the DNS server. The
gateway you specify is the address of the next hop router that connects to the
required network.
To configure FortiMail unit routing
1 Go to System > Network > Routing.
2 Select Create New.
3 Enter the Destination IP, Netmask and Gateway.
4 Select OK.

Configuring the email system settings


The FortiMail unit can scan email for viruses and spam as it travels to and from
the email server. You need to configure basic email system settings and email
access permissions so that the email messages pass through the FortiMail unit.

Configuring basic email system settings


Configure the basic email system settings, including host name and domain name
to provide successful email routing.

To configure the basic email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select Apply:

Host Name: Enter the name for the FortiMail unit.

Local Domain Name: Enter the local domain name. It must be different from the
domain name of your email server. The FortiMail unit's FQDN is
<Host Name>.<Local Domain Name>.

SMTP Server Port Number: Enter the SMTP port number. The default SMTP port
number is 25.

SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that
have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server
receives plain text email.

SMTPS Server Port Number: The default port number is 465. This allows the
encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.

Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email
quarantine, Bayesian database training, spam reports, and DSN notifications. A
sub domain of the protected domain is recommended for the local domain
because of the domain registration savings.
To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Enter the IP address or name of the SMTP Server and port number if different
than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
5 Select OK.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
accounting.company.com
dev.company.com
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.

To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Enter the domain name including the suffix. For example, company.com.
5 Enter the IP address of the SMTP Server and port number if different than the
default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
6 Select Is Subdomain.
7 Select the main domain the local domain is a part of.
8 Select OK.

Configuring proxies
Proxy servers act as a buffer between the network and the Internet. Proxy servers
between user workstations and the Internet provide security and administrative
control, and give access to resources stored on the proxy.
In transparent mode, the SMTP proxy settings determine whether email is
dropped, passed through, or proxied. These settings apply to all email except
email destined for the FortiMail unit itself, such as email from users requesting
deletion or release of quarantined email.
Email can be scanned only if it is proxied. The FortiMail unit receives the
email, scans it and (if the email passes the scan) relays it to the email server.
You configure proxy operation separately for incoming and outgoing email traffic.
Regardless of the destination email address, email passing from the network to
the back end email server is considered incoming and email passing from the
back end email server to the network is considered outgoing.
For a typical transparent mode installation, the default proxy options are
appropriate. Should you need to modify the proxies, go to Mail Settings >
Proxies to configure the email connections through the ports. For details on the
proxy settings, see the FortiMail Administration Guide.

Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that you can send and receive email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.

Deploying to protect an email hub


In this configuration, the email servers (Domain A and Domain B) in each WAN
location are required to send email externally through the head office email server
only. The head office mail server encrypts the outgoing email. The firewall will only
pass SMTP traffic from the headquarters email server.
This configuration requires a modification of the default operation of the FortiMail
unit. By default, the FortiMail unit acts as an SMTP server to relay email, even if
the email client names a domain email server as its SMTP server. With this
configuration, the domain mail servers send email to the hub email server for
encryption. The FortiMail unit must be configured to pass the encrypted email
messages.
Figure 10: FortiMail unit deployed to protect an email hub (diagram labels:
Internet, Router, FortiMail Port 1 to the Head Office Mail Server Hub, Port 2 to
the WAN with Mail Server Domain A and Mail Server Domain B)

This section includes the following topics:

Configuring the network settings

Configuring the email system settings

Configuring proxies

Configuring the network settings


Use Table 6 on page 60 to gather the information you need to customize
transparent mode settings.
Table 6: Transparent mode settings
Administrator Password:
Management IP
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  The management IP address and netmask must be valid for the network from
  which you will manage the FortiMail unit. Add a default gateway if the
  FortiMail unit must connect to a router to reach the management computer.
DNS Settings
  Primary DNS Server: _____._____._____._____
  Secondary DNS Server: _____._____._____._____

Configuring the management IP


In transparent mode, the FortiMail unit has a management IP address for
administrative access. The FortiMail unit also uses this IP address to connect to
the FortiGuard Distribution Network for virus definition updates. Configure the
management IP.
To configure the management interface
1 Connect to the web-based manager using the default address,
https://192.168.1.99/admin.
2 Go to System > Network > Management IP.
3 Enter the new management IP address and netmask.
4 Select Apply.
Reconnect to the web-based manager using the new management IP address.

Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
A DNS server matches domain names with computer IP addresses. This
enables you to use readable locations, such as fortinet.com. The DNS server
translates this name to a mail exchange server IP address to deliver an email
message. In simple terms, it acts as a phone book for the Internet.
To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Enter the primary and secondary DNS server IP addresses.
3 Select Apply.

Configuring routing
At a minimum, you need to define a route that enables the FortiMail unit to contact
the DNS server. You need to configure additional routes if any of your email
servers are on a different network than the FortiMail unit and the DNS server. The
gateway you specify is the address of the next hop router that connects to the
required network.
To configure FortiMail unit routing
1 Go to System > Network > Routing.
2 Select Create New.
3 Enter the Destination IP, Netmask and Gateway.
4 Select OK.

Configuring the email system settings


The FortiMail unit can scan email for viruses and spam as it travels to and from
the email server. You need to configure basic email system settings and email
access permissions so that the email messages pass through the FortiMail unit.

Configuring basic email system settings


Configure the basic email system settings, including host name and domain name
to provide successful email routing.
To configure the basic email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select Apply:

Host Name: Enter the name for the FortiMail unit.

Local Domain Name: Enter the local domain name. It must be different from the
domain name of the hub email server. The FortiMail unit's FQDN is
<Host Name>.<Local Domain Name>.

Relay Server Name: Enter a relay server name if your ISP provides a relay email
server.

SMTP Server Port Number: Enter the SMTP port number. The default SMTP port
number is 25.

SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that
have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server
receives plain text email.

SMTPS Server Port Number: The default port number is 465. This allows the
encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.

Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
It is good form to configure a local domain name that is different from the domain
name of your back end mail server. The local domain name will be used by many
FortiMail features such as email quarantine, Bayesian database training, spam
reports, and DSN notifications. A sub domain of the protected domain is
recommended for the local domain because of the domain registration savings.
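The rules stated here and in the Local Host settings tables of the gateway and transparent mode chapters (local domain different from the protected domain and preferably a subdomain of it, SMTPS port only with SMTP over SSL/TLS enabled, FQDN built as host plus local domain) as a settings checker; this is an added example, not FortiMail code, and the field names and sample values are assumptions.

```python
"""Checker for the guide's Local Host and local domain rules (added example, not FortiMail code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LocalHostSettings:
    host_name: str
    local_domain: str
    smtp_port: int = 25               # the guide's default SMTP port
    smtp_over_tls: bool = False       # the "SMTP over SSL/TLS" option
    smtps_port: Optional[int] = None  # 465 by default when SMTPS is in use


def fqdn(cfg: LocalHostSettings) -> str:
    """The guide's rule: the unit's FQDN is <Host Name>.<Local Domain Name>."""
    return f"{cfg.host_name}.{cfg.local_domain}"


def check_settings(cfg: LocalHostSettings, protected_domain: str) -> List[str]:
    """Return findings against the guide's rules; an empty list means nothing to fix."""
    findings = []
    local = cfg.local_domain.lower().rstrip(".")
    protected = protected_domain.lower().rstrip(".")
    if local == protected:
        # Hard rule: the local domain must differ from the email server's domain.
        findings.append("local domain must differ from the protected email server domain")
    elif not local.endswith("." + protected):
        # Recommendation: a subdomain of the protected domain saves a registration.
        findings.append("local domain is recommended to be a subdomain of the protected domain")
    if cfg.smtps_port is not None and not cfg.smtp_over_tls:
        # The SMTPS port can only be set once SMTP over SSL/TLS is enabled.
        findings.append("SMTPS server port is set but SMTP over SSL/TLS is not enabled")
    if not cfg.smtp_over_tls:
        # Per the guide, without this option mail from TLS-capable servers is received in plain text.
        findings.append("SMTP over SSL/TLS disabled: mail from TLS-capable servers arrives in plain text")
    for label, port in (("SMTP", cfg.smtp_port), ("SMTPS", cfg.smtps_port)):
        if port is not None and not 1 <= port <= 65535:
            findings.append(f"{label} port {port} is not a valid TCP port")
    return findings


if __name__ == "__main__":
    # Constructed sample values: "company.com" is the protected domain used in the guide.
    good = LocalHostSettings("fm", "mailgw.company.com", 25, True, 465)
    bad = LocalHostSettings("mail", "company.com", 25, False, 465)
    print(fqdn(good), check_settings(good, "company.com"))
    for finding in check_settings(bad, "company.com"):
        print("-", finding)
```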
To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Enter the IP address or name of the SMTP Server and port number if different
than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
5 Select OK.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
accounting.company.com
dev.company.com
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.

To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Enter the domain name including the suffix. For example, company.com.
5 Enter the IP address of the SMTP Server and port number if different than the
default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
6 Select Is Subdomain.
7 Select the main domain the local domain is a part of.
8 Select OK.
The FortiMail unit must relay all email, outgoing and incoming, through the head
office email hub. You must ensure that the FortiMail unit passes the email to the
correct domain email server.
After configuring the domain, edit the domain information to configure additional
settings that make the FortiMail unit transparent to the email servers.
To configure the transparent options
1 Go to Mail Settings > Domains.
2 Select the Edit icon for the email domain.
3 Go to the Transparent Mode Options section, configure the following settings and
select OK:

This server is on: Select the port connected to the email server hub. In this
example, it is port 1.
Hide the transparent box: Select to enable the FortiMail unit to hide its presence
by using the IP address of the domain email server or client as required.
Use the domain server to deliver the email: Select to relay email to the domain
server that the email sender specified (the WAN domain server). If not selected,
the FortiMail unit relays the email directly to the email destination domain, which
is not desired in this example.

Configuring proxies
Proxy servers act as a buffer between the network and the Internet. Proxy servers
between user workstations and the Internet provide security and administrative
control, and give access to resources stored on the proxy.
In transparent mode, the SMTP proxy settings determine whether email is
dropped, passed through, or proxied. These settings apply to all email except
email destined for the FortiMail unit itself, such as email from users requesting
deletion or release of quarantined email.

Email can be scanned only if it is proxied. The FortiMail unit receives the
email, scans it and (if the email passes the scan) relays it to the email server.
You configure proxy operation separately for incoming and outgoing email traffic.
Regardless of the destination email address, email passing from the network to
the back end email server is considered incoming and email passing from the
back end email server to the network is considered outgoing.
This example requires the FortiMail interface to act as a proxy so that the FortiMail
unit can scan email passing through to the email server. Also, the email must
simply pass through the FortiMail unit when the hub email server relays an email
message to another domain email server on the network or on the intranet. It is
also important to prevent SMTP clients from using the FortiMail unit itself as an
SMTP server. The proxy settings provide this flexibility.
To configure SMTP proxy settings
1 Go to Mail Settings > Proxies.
2 Configure the following and select Apply:

Port 1
  Incoming SMTP connections: are passed through
  Outgoing SMTP connections: are passed through
  Local SMTP connections: are allowed
Port 2
  Incoming SMTP connections: are proxied
  Outgoing SMTP connections: are proxied
  Local SMTP connections: are not allowed

Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that you can send and receive email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.

Configuring server mode


This chapter describes how to configure a FortiMail unit to operate in server
mode. In server mode, the FortiMail unit acts as a fully functional email server.
Use these deployment and configuration examples to install the FortiMail unit on
your network, or use them as a guide for your own network topology. Additional
configuration information and details are available in the FortiMail Administration
Guide.
All examples use a FortiGate firewall device. If you are using an alternate firewall,
consult the appliance's documentation for completing similar configurations.
Note: This chapter uses the FortiMail unit in the advanced management mode.

This chapter includes the following:

Switching to server mode

Configuring MX records to route incoming email

FortiMail Server behind a firewall

FortiMail Server in front of a firewall

FortiMail Server in DMZ

Switching to server mode


Before you begin configuring the FortiMail unit, ensure the unit is in server
mode. To verify, go to System > Status and check the Operation Mode.
To change the operation mode
1  Go to System > Status.
2  Select Change for the Operation Mode.
3  Select Server from the list and select OK.

Configuring MX records to route incoming email


Mail Exchange (MX) records are used to route email to specific destinations. An
MX record is an entry in a domain name database such as a DNS server. If a local
DNS server exists, MX records can be added or changed on the DNS server using
one of several user interfaces depending on the operating system used.
When a user sends an e-mail, the sender's mail server performs a DNS lookup
using the recipient's domain name, for example, example.com in the email
address user@example.com, and acquires the MX record.
The MX record contains the domain and host names. The sending mail server
uses this information to send the e-mail to the recipient's mail server.
In order to route incoming email through the FortiMail unit for scanning, you need
to register a Fully Qualified Domain Name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
For example, using the information from the table below, configure the MX record
to point to the FortiMail email server.

   Email server           mail.exampledom.com
   FortiMail hostname     fm.exampledom.com
   FortiMail IP address   172.16.15.2

For example:
   IN MX <n> fm.exampledom.com
   fm.exampledom.com IN A 172.16.15.2

The A record
The second line in the above example is
   fm.exampledom.com IN A 172.16.15.2
This is an address record, commonly called an A record. It is a type of DNS
entry that assigns an IP address to a domain name.
Before e-mail is sent out, the sender's mail server looks up the MX and A records
for the recipient in the DNS server. Then, using the A record entry, the email is
sent to the recipient using the IP address of the corresponding domain name.
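The MX and A record lookup described above, traced in code. This is an added example and not part of the Fortinet guide: it parses a small constructed zone for exampledom.com (the guide writes the MX preference as <n>; the values 10 and 20, and a second, lower-priority MX record pointing at the back-end server, are assumptions made here), shows how a sending mail server picks the FortiMail host, and adds a check that inbound mail is routed through the FortiMail unit rather than straight to the back-end server:

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data modelled on the guide's example records. The guide
# writes the MX preference as "<n>"; the values 10 and 20 and the second MX
# host (the back-end server) are assumptions for this example only.
ZONE_TEXT = """
exampledom.com.       IN MX 10 fm.exampledom.com.
exampledom.com.       IN MX 20 mail.exampledom.com.
fm.exampledom.com.    IN A  172.16.15.2
mail.exampledom.com.  IN A  172.16.15.3
"""

Zone = Dict[Tuple[str, str], List[object]]


def parse_zone(text: str) -> Zone:
    """Parse 'name IN TYPE rdata...' lines into {(name, type): [rdata, ...]}.

    Names are normalised to lower case without the trailing dot so that
    lookups do not depend on how the record was typed.
    """
    records: Zone = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue  # blank or unsupported line
        name = fields[0].rstrip(".").lower()
        rtype = fields[2].upper()
        if rtype == "MX" and len(fields) >= 5:
            value: object = (int(fields[3]), fields[4].rstrip(".").lower())
        elif rtype == "A":
            value = fields[3]
        else:
            continue  # other record types are not needed for mail routing
        records.setdefault((name, rtype), []).append(value)
    return records


def mail_exchangers(zone: Zone, domain: str) -> List[Tuple[int, str, str]]:
    """Return (preference, host, ip) for each MX host of domain that has an
    A record, lowest preference first. This is the order a sending MTA tries
    them in; an MX host without an A record is skipped."""
    result = []
    for pref, host in sorted(zone.get((domain.rstrip(".").lower(), "MX"), [])):
        for ip in zone.get((host, "A"), []):
            result.append((pref, host, ip))
    return result


def delivery_target(zone: Zone, address: str) -> Optional[Tuple[int, str, str]]:
    """Mimic the sender's lookup: take the domain part of the recipient
    address, fetch its MX records, then resolve the preferred host's A record."""
    domain = address.rsplit("@", 1)[-1]
    targets = mail_exchangers(zone, domain)
    return targets[0] if targets else None


def mx_routes_through(zone: Zone, domain: str, fortimail_host: str) -> bool:
    """Deployment check: True when the preferred MX for domain is the
    FortiMail unit, so inbound mail is scanned before it reaches the
    back-end server."""
    targets = mail_exchangers(zone, domain)
    return bool(targets) and targets[0][1] == fortimail_host.rstrip(".").lower()


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(delivery_target(zone, "user@exampledom.com"))
    print(mx_routes_through(zone, "exampledom.com", "fm.exampledom.com"))
```

Run the file directly to print the delivery target for user@exampledom.com. mx_routes_through is the check to repeat after changing DNS: if the back-end server still has the lowest preference, inbound mail bypasses the FortiMail unit and is not scanned.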

FortiMail Server behind a firewall


The FortiMail unit is positioned behind a firewall. With the FortiMail unit set up this
way, the firewall blocks any attacks on the FortiMail unit.
Figure 11: FortiMail Server behind firewall (network diagram: Internet, Router,
Firewall with External and Internal interfaces, Switch, DNS Server)

Configuring the network settings


Use the following table to gather the information you need to customize the server
mode settings.
Table 7: Gateway mode settings
Administrator Password:
Port 1             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 2             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 3             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 4             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 5             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 6             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Network settings   Default Gateway:        _____._____._____._____
                   The management IP address and netmask must be valid for the
                   network from which you will manage the FortiMail unit. Add a
                   default gateway if the FortiMail unit must connect to a router
                   to reach the management computer.
                   Primary DNS Server:     _____._____._____._____
                   Secondary DNS Server:   _____._____._____._____


You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP if the network supports it.

Configuring a static IP address


To configure a network interface with a static IP address
1  Go to System > Network > Interface.
2  Select Modify for Port 1.
3  Select Manual Addressing Mode.
4  Enter the IP address and netmask.
5  Select OK.
If you changed the IP address of the interface that you are connected to, you must
reconnect to the web-based manager using the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a Dynamic
Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP)
may provide IP addresses using this protocol.
DHCP is used to obtain IP addresses from a DHCP server, such as from your ISP.
Obtaining an IP address from a DHCP server ensures that the IP address for the
FortiMail unit is unique and not assigned to another device, such as your
FortiGate unit or other firewall device that is also connected directly to the
Internet.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if you need
to configure them manually.
To configure an interface for DHCP
1  Go to System > Network > Interface.
2  Select Modify for Port 1.
3  In the Addressing Mode section, select DHCP.
   The FortiMail unit attempts to contact the DHCP server from the interface to set
   the IP address, netmask, default gateway IP address, and DNS server IP
   addresses.
4  If required, clear Retrieve default gateway and DNS from server to disable this
   option.
5  Select OK.

Configuring DNS and default gateway


You need to configure DNS server addresses and a default gateway so that the
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your Internet service provider.
In simple terms, a DNS server acts as a phone book for the Internet. It matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1  Go to System > Network > Network.
2  Enter the primary and secondary DNS server IP addresses.
3  Enter the default gateway address. The default gateway address will be the
   firewall interface on the same network as the FortiMail interface.
4  Select Apply.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.
To configure the basic email system settings
1  Go to Mail Settings > Settings > Local Host.
2  Enter the following information:

   Host Name                 Enter the name for the FortiMail unit.
   POP3 Server Port Number   Enter the port number for the POP3 server. The default
                             is 110.
   SMTP Server Port Number   Enter the SMTP port number. The default SMTP port
                             number is 25.
   SMTP over SSL/TLS         Enable to accept SSL/TLS encrypted email from servers
                             that have enabled Use SSL/TLS if available. Otherwise,
                             the FortiMail SMTP server receives plain text email.
   SMTPS Server Port Number  The default port number is 465. You can change it if
                             needed. This allows the encrypted SMTP traffic to pass
                             through the SMTPS Server Port. SMTP over SSL/TLS must
                             be enabled.
   SMTP Authentication       Select to enable authentication. When a user logs into
                             the SMTP server, they require a user name and password.

3  Select the blue arrow for Relay server to expand the options.
4  Enter a relay server name, port and authentication if your ISP provides a relay
   email server.
5  Select Apply.

Adding a domain
Create a domain entry for the server. Ensure you use the same domain you used
when setting up the MX record.
To add a domain
1  Go to Mail Settings > Domains.
2  Select Create New.
3  Enter the domain name including the suffix. For example, company.com.
4  Select Advanced Settings to configure LDAP mail routing.
5  Select Advanced AS/AV to configure anti-spam and anti-virus options.
6  Select OK.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
   accounting.example.com
   dev.example.com

Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.

To create a local domain
1  Go to Mail Settings > Domains.
2  Select Create New.
3  Enter the local domain name.
4  Select Is Subdomain and select the main domain the local domain is a part of.
5  Complete the LDAP authentication settings if required.
6  Select OK.

Add a test user


Add one or two test users to the FortiMail server so you can verify that an email
client can send and receive mail with FortiMail.
To add a test user
1  Go to User > Mail User.
2  Select Create New.
3  Complete the following and select OK:

   User Name      Enter the username with no spaces.
   Password       Enter a password for the user.
   Display Name   Enter the name that appears in the email client as the sender.

Configuring the firewall


With the FortiMail unit behind the FortiGate firewall, you must configure policies
to ensure that incoming SMTP traffic goes to the FortiMail unit and outgoing
SMTP traffic passes through the firewall.
To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for
the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, the
FortiGate unit automatically directs the message to the internal IP address of the
FortiMail unit.
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance's documentation for completing similar
configurations.

Configuring the incoming mail policy


Create a firewall policy that permits all SMTP traffic on port 25 to pass from the
internet to the FortiMail unit.
First, you must create an address entry for the FortiMail unit.

To create an address for the FortiMail unit
1  Go to Firewall > Address.
2  Select Create New.
3  Complete the following and select OK:

   Name               Enter the name of the FortiMail unit.
   Type               Select Subnet/IP Range.
   Subnet /IP Range   Enter the IP address of the FortiMail unit.
   Interface          Select the interface for the FortiGate unit connected to the
                      Internet.

To configure the incoming policy
1  Go to Firewall > Policy.
2  Select Create New.
3  Complete the following and select OK:

   Source Interface/zone        Select the external interface connected to the Internet.
   Source Address Name          Select ALL to enable all incoming email messages.
   Destination Interface/zone   Select the internal interface connected to the network.
   Destination Address Name     Select the FortiMail unit address from the list.
   Schedule                     Select ALWAYS.
   Service                      Select SMTP.
   Action                       Select ACCEPT.

Configure the outgoing mail policy


You also need to add a firewall policy for the FortiMail unit to send email to the
Internet.
To configure the outgoing policy
1  Go to Firewall > Policy.
2  Select Create New.
3  Complete the following and select OK:

   Source Interface/zone        Select the internal interface connected to the network.
   Source Address Name          Select the FortiMail unit from the list.
   Destination Interface/zone   Select the external interface.
   Destination Address Name     Select ALL.
   Schedule                     Select ALWAYS.
   Service                      Select SMTP.
   Action                       Select ACCEPT.

Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.

FortiMail Server in front of a firewall


The FortiMail unit is positioned in front of the firewall. The benefit of this setup is
that if the Server is compromised by attacks, your internal network is not
jeopardized. However, the Server is not protected by the firewall.
Figure 12: FortiMail Server in front of firewall (network diagram: Internet, Router,
Switch, DNS Server, Firewall with External and Internal interfaces to the internal
network)

Configuring the network settings


Use the following table to gather the information you need to customize the server
mode settings.
Table 8: Gateway mode settings
Administrator Password:
Port 1             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 2             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 3             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 4             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 5             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 6             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Network settings   Default Gateway:        _____._____._____._____
                   The management IP address and netmask must be valid for the
                   network from which you will manage the FortiMail unit. Add a
                   default gateway if the FortiMail unit must connect to a router
                   to reach the management computer.
                   Primary DNS Server:     _____._____._____._____
                   Secondary DNS Server:   _____._____._____._____


You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP if the network supports it.

Configuring a static IP address


To configure a network interface with a static IP address
1  Go to System > Network > Interface.
2  Select Modify for Port 1.
3  Select Manual Addressing Mode.
4  Enter the IP address and netmask.
5  Select OK.
If you changed the IP address of the interface you are connecting to, you must
reconnect to the web-based manager using the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a
Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service
Provider (ISP) may provide IP addresses using this protocol.
DHCP is used to obtain IP addresses from a DHCP server, such as from your ISP.
Obtaining an IP address from a DHCP server ensures that the IP address for the
FortiMail unit is unique and not assigned to another device, such as your
FortiGate unit or other firewall device that is also connected directly to the
Internet.

When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if you need
to configure them manually.
To configure an interface for DHCP
1  Go to System > Network > Interface.
2  Select Modify for Port 1.
3  In the Addressing Mode section, select DHCP.
   The FortiMail unit attempts to contact the DHCP server to set the IP address,
   netmask, default gateway IP address, and DNS server IP addresses.
4  If required, clear Retrieve default gateway and DNS from server to disable this
   option.
5  Select OK.

Configuring DNS and default gateway


You need to configure DNS server addresses and a default gateway so that the
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your Internet service provider.
In simple terms, a DNS server acts as a phone book for the Internet. It matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1  Go to System > Network > Network.
2  Enter the primary and secondary DNS server IP addresses.
3  Enter the default gateway address. The default gateway address will be the
   address of the router connected to the Internet.
4  Select Apply.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.

To configure the basic email system settings
1  Go to Mail Settings > Settings > Local Host.
2  Enter the following information and select Apply:

   Host Name                 Enter the name for the FortiMail unit.
   POP3 Server Port Number   Enter the port number for the POP3 server. The default
                             is 110.
   SMTP Server Port Number   Enter the SMTP port number. The default SMTP port
                             number is 25.
   SMTP over SSL/TLS         Enable to accept SSL/TLS encrypted email from servers
                             that have enabled Use SSL/TLS if available. Otherwise,
                             the FortiMail SMTP server receives plain text email.
   SMTPS Server Port Number  The default port number is 465. This allows the
                             encrypted SMTP traffic to pass through the SMTPS Server
                             Port. You must enable SMTP over SSL/TLS to set this
                             option.
   SMTP Authentication       Select to enable authentication. When a user logs into
                             the SMTP server, they require a user name and password.

3  Select the blue arrow for Relay server to expand the options.
4  Enter a relay server name, port and authentication if your ISP provides a relay
   email server.
5  Select Apply.

Adding a domain
Create a domain entry for the server. Ensure you use the same domain you used
when setting up the MX record.
To add a domain
1  Go to Mail Settings > Domains.
2  Select Create New.
3  Enter the domain name including the suffix. For example, company.com.
4  Select Advanced Settings to configure LDAP mail routing.
5  Select Advanced AS/AV to configure anti-spam and anti-virus options.
6  Select OK.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
   accounting.example.com
   dev.example.com

Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.

To create a local domain
1  Go to Mail Settings > Domains.
2  Select Create New.
3  Enter the local domain name.
4  Select Is Subdomain and select the main domain the local domain is a part of.
5  Complete the LDAP authentication settings if required.
6  Select OK.

Configuring the firewall


With the FortiMail unit in front of the FortiGate firewall, you must configure policies
to ensure that incoming and outgoing SMTP traffic passes through the firewall
to the users on the network. You also need a policy to pass traffic from the users
to the FortiMail unit, which then sends the message on to the Internet.
Both policies have the internal users as the source of the email traffic. In both
receiving and sending email, the user's email client initiates the connection to the
FortiMail server, thus starting the communication (the source).
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance's documentation for completing similar
configurations.

Configuring the incoming mail policy


Create a firewall policy that permits all SMTP traffic from the FortiMail unit to pass
to users on the internal network.
First, you must create an address entry for the FortiMail unit and the email server.
To create an address for the FortiMail unit
1  Go to Firewall > Address.
2  Select Create New.
3  Complete the following and select OK:

   Name               Enter the name of the FortiMail unit.
   Type               Select Subnet/IP Range.
   Subnet /IP Range   Enter the IP address of the FortiMail unit.
   Interface          Select the interface for the FortiGate unit connected to the
                      Internet.


The incoming policy is a POP3 policy that allows users to send requests to the
FortiMail unit for new mail on the FortiMail server.
To configure the incoming policy
1  Go to Firewall > Policy.
2  Select Create New.
3  Complete the following and select OK:

   Source Interface/zone        Select the internal interface connected to the network.
   Source Address Name          Select ALL for all internal users on the internal network.
   Destination Interface/zone   Select the external interface connected to the Internet
                                or router.
   Destination Address Name     Select the FortiMail unit address from the list.
   Schedule                     Select ALWAYS.
   Service                      Select POP3.
   Action                       Select ACCEPT.

Configure the outgoing mail policy


Add a firewall policy for internal users to send email messages to the FortiMail
mail server for scanning and sending to destinations on the Internet.
To configure the outgoing policy
1  Go to Firewall > Policy.
2  Select Create New.
3  Complete the following and select OK:

   Source Interface/zone        Select the internal interface connected to the network.
   Source Address Name          Select ALL for all internal users on the internal network.
   Destination Interface/zone   Select the external interface connected to the Internet
                                or router.
   Destination Address Name     Select the FortiMail unit address from the list.
   Schedule                     Select ALWAYS.
   Service                      Select SMTP.
   Action                       Select ACCEPT.

Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.

FortiMail Server in DMZ


The FortiMail unit is positioned in the DMZ. The benefit of this setup is that the
FortiMail unit is protected by the firewall, and if the Server is compromised by
attacks, the internal network is not jeopardized.
Figure 13: FortiMail Server in DMZ (network diagram: Internet, Router, DNS Server,
firewall with External, DMZ and Internal interfaces to the internal network)

Configuring the network settings


Use the following table to gather the information you need to customize the server
mode settings.
Table 9: Gateway mode settings
Administrator Password:
Port 1             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 2             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 3             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 4             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 5             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Port 6             IP:        _____._____._____._____
                   Netmask:   _____._____._____._____
Network settings   Default Gateway:        _____._____._____._____
                   The management IP address and netmask must be valid for the
                   network from which you will manage the FortiMail unit. Add a
                   default gateway if the FortiMail unit must connect to a router
                   to reach the management computer.
                   Primary DNS Server:     _____._____._____._____
                   Secondary DNS Server:   _____._____._____._____


You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP if the network supports it.
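A way to check the Port 1 settings gathered in the table before entering them, written as an added example (not Fortinet's code) using Python's standard ipaddress module. It applies the rules stated above and in the two earlier deployment sections: the address must lie on the network's subnet, must not be the network or broadcast address, must not collide with another device, and the default gateway must be on the same subnet. The addresses in the usage call are constructed:

```python
import ipaddress
from typing import Iterable, List, Optional


def check_interface_address(ip: str, netmask: str, gateway: Optional[str] = None,
                            in_use: Iterable[str] = ()) -> List[str]:
    """Validate a proposed static address for Port 1 against the guide's rules.

    Returns a list of problems; an empty list means the settings can be used.
    in_use holds the addresses already assigned on that network (other
    servers, the firewall's inside interface, and so on).
    """
    problems: List[str] = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        # Covers malformed addresses and non-contiguous netmasks alike.
        return [f"invalid address or netmask: {exc}"]
    net = iface.network

    # The network and broadcast addresses are not usable host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    # The address must not already belong to another device on the network.
    for other in in_use:
        if ipaddress.IPv4Address(other) == iface.ip:
            problems.append(f"{iface.ip} is already assigned to another device")
            break

    # A default gateway is only reachable if it sits on the same subnet.
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw == iface.ip:
            problems.append("default gateway cannot be the unit's own address")
        elif gw not in net:
            problems.append(f"default gateway {gw} is not on the subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed values: the guide's FortiMail address, a firewall inside
    # interface as gateway, and one other server already on the subnet.
    for problem in check_interface_address("172.16.15.2", "255.255.255.0",
                                           gateway="172.16.15.1",
                                           in_use=["172.16.15.1", "172.16.15.3"]):
        print("problem:", problem)
```

The function returns every problem it finds rather than stopping at the first one, so a single run shows all the corrections needed before reconnecting to the web-based manager on the new address.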

Configuring a static IP address


To configure a network interface with a static IP address
1  Go to System > Network > Interface.
2  Select Modify for Port 1.
3  Select Manual Addressing Mode.
4  Enter the IP address and netmask.
5  Select OK.
If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.

Configuring an interface for DHCP


You can configure any FortiMail interface to acquire its IP address from a
Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service
Provider (ISP) may provide IP addresses using this protocol.
DHCP is used to obtain IP addresses from a DHCP server, such as from your ISP.
Obtaining an IP address from a DHCP server ensures that the IP address for the
FortiMail unit is unique and not assigned to another device, such as your
FortiGate unit or other firewall device that is also connected directly to the
Internet.
When configured, the FortiMail unit automatically broadcasts a DHCP request. By
default, the FortiMail unit also retrieves a default gateway IP address and DNS
server IP addresses from the DHCP server. You can disable this option if you need
to configure them manually.
To configure an interface for DHCP
1  Go to System > Network > Interface.
2  Select Modify for Port 1.
3  In the Addressing Mode section, select DHCP.
   The FortiMail unit attempts to contact the DHCP server from the interface to set
   the IP address, netmask, default gateway IP address, and DNS server IP
   addresses.
4  If required, clear Retrieve default gateway and DNS from server to disable this
   option.
5  Select OK.

Configuring DNS and default gateway


You need to configure DNS server addresses and a default gateway so that the
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your Internet service provider.
In simple terms, a DNS server acts as a phone book for the Internet. It matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1  Go to System > Network > Network.
2  Enter the primary and secondary DNS server IP addresses.
3  Enter the default gateway address. The default gateway address will be the DMZ
   address.
4  Select Apply.

Configuring the email system settings


The FortiMail unit relays email after scanning for viruses and spam. You need to
configure basic email system settings and email access permissions.

Configuring basic email system settings


Configure the FortiMail unit basic email system settings, including host name and
domain name.
To configure the email system settings
1  Go to Mail Settings > Settings > Settings.
2  Enter the following information and select Apply:

   Host Name                 Enter the name for the FortiMail unit.
   POP3 Server Port Number   Enter the port number for the POP3 server. The default
                             is 110.
   SMTP Server Port Number   Enter the SMTP port number. The default SMTP port
                             number is 25.
   SMTP over SSL/TLS         Enable to accept SSL/TLS encrypted email from servers
                             that have enabled Use SSL/TLS if available. Otherwise,
                             the FortiMail SMTP server receives plain text email.
   SMTPS Server Port Number  The default port number is 465. This allows the
                             encrypted SMTP traffic to pass through the SMTPS Server
                             Port. You must set SMTP over SSL/TLS before setting this
                             option.
   SMTP Authentication       Select to enable authentication. When a user logs into
                             the SMTP server, they require a user name and password.

3  Select the blue arrow for Relay server to expand the options.
4  Enter a relay server name and authentication if your ISP provides a relay email
   server.
5  Select Apply.

Adding a domain
Create a domain entry for the server. Ensure you use the same domain you used
when setting up the MX record.
To add a domain
1  Go to Mail Settings > Domains.
2  Select Create New.
3  Enter the domain name including the suffix. For example, company.com.
4  Select Advanced Settings to configure LDAP mail routing.
5  Select Advanced AS/AV to configure anti-spam and anti-virus options.
6  Select OK.

Creating local domains


Add multiple local email domains on the FortiMail unit if required for different
departments in your organization at the same or different locations. For example:
   accounting.example.com
   dev.example.com

Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.

To create a local domain
1  Go to Mail Settings > Domains.
2  Select Create New.
3  Enter the local domain name.
4  Select Is Subdomain and select the main domain the local domain is a part of.
5  Complete the LDAP authentication settings if required.
6  Select OK.

Configuring the firewall


With the FortiMail unit in the DMZ, you must configure policies to ensure that
incoming POP3 and outgoing SMTP traffic passes through the firewall to the
users on the network and so that the FortiMail unit can send and receive SMTP
traffic to and from the Internet.
Note: The following steps use a FortiGate firewall device. If you are using an alternate
firewall appliance, consult the appliance's documentation for completing similar
configurations.

Configuring the incoming mail policy


Create a firewall policy that permits all SMTP traffic from the Internet to pass
through the firewall and arrive at the FortiMail unit on the DMZ interface.
First, you must create an address entry for the FortiMail unit.

To create an address for the FortiMail unit
1  Go to Firewall > Address.
2  Select Create New.
3  Complete the following and select OK:

   Name               Enter the name of the FortiMail unit.
   Type               Select Subnet/IP Range.
   Subnet/IP Range    Enter the IP address of the FortiMail unit.
   Interface          Select DMZ.

To configure the incoming policy
1  Go to Firewall > Policy.
2  Select Create New.
3  Complete the following and select OK:

   Source Interface/zone        Select the external interface connected to the Internet.
   Source Address Name          Select ALL for all external sources on the Internet.
   Destination Interface/zone   Select the DMZ interface.
   Destination Address Name     Select the FortiMail unit address from the list.
   Schedule                     Select ALWAYS.
   Service                      Select SMTP.
   Action                       Select ACCEPT.

Configuring the outgoing mail policy

Add a firewall policy for the FortiMail unit to send email messages to destinations
on the Internet.
To configure the outgoing policy
1  Go to Firewall > Policy.
2  Select Create New.
3  Complete the following and select OK:

   Source Interface/zone        Select the DMZ interface.
   Source Address Name          Select the FortiMail unit address from the list.
   Destination Interface/zone   Select the external interface connected to the Internet.
   Destination Address Name     Select ALL.
   Schedule                     Select ALWAYS.
   Service                      Select SMTP.
   Action                       Select ACCEPT.


Configuring the users' incoming mail policy

Create a firewall policy that permits internal users to retrieve their mail from
the FortiMail unit. Both of the following policies have the internal users as the
source of the traffic: in both receiving and sending email, the user's email
client initiates the connection to the FortiMail server, so the client is the
source of the session.
The incoming policy is a POP3 policy that allows users to send requests to the
FortiMail unit for new mail on the server.
To configure the incoming policy
1  Go to Firewall > Policy.
2  Select Create New.
3  Complete the following and select OK:

   Source Interface/zone        Select the internal interface connected to the network.
   Source Address Name          Select ALL for all internal users on the internal network.
   Destination Interface/zone   Select DMZ.
   Destination Address Name     Select the FortiMail unit address from the list.
   Schedule                     Select ALWAYS.
   Service                      Select POP3.
   Action                       Select ACCEPT.

Configuring the users' outgoing mail policy

Add a firewall policy for internal users to send email messages to the FortiMail
mail server for scanning and sending to destinations on the Internet.
To configure the outgoing policy
1  Go to Firewall > Policy.
2  Select Create New.
3  Complete the following and select OK:

   Source Interface/zone        Select the internal interface connected to the network.
   Source Address Name          Select ALL for all internal users on the internal network.
   Destination Interface/zone   Select DMZ.
   Destination Address Name     Select the FortiMail unit address from the list.
   Schedule                     Select ALWAYS.
   Service                      Select SMTP.
   Action                       Select ACCEPT.
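The four policies above are the complete set of mail flows the firewall should permit. The following is an added example, not part of this guide and not FortiGate code: a small Python model of first-match policy evaluation over those four policies plus the implicit deny, used as a checklist to confirm which flows end up open and, more importantly, which stay closed (POP3 from the Internet, anything from the Internet to the LAN, and the FortiMail unit initiating connections into the LAN). The interface names and the 10.0.x.x/203.0.113.x/198.51.100.x addresses are constructed assumptions.

```python
"""Added example (not from the FortiMail guide, not FortiGate code): a first-match
evaluator for the four firewall policies in the DMZ procedure, used to confirm
that only the intended mail flows are permitted and everything else hits the
implicit deny. Interface names and addresses are constructed for illustration."""

import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumptions, not from the guide)
FORTIMAIL_IP = "10.0.2.25"       # FortiMail unit on the DMZ interface
INTERNAL_NET = "10.0.1.0/24"     # user LAN behind the internal interface

SERVICE_PORTS = {"SMTP": 25, "POP3": 110}


@dataclass(frozen=True)
class Policy:
    srcintf: str
    srcaddr: str      # "ALL" or a host/CIDR
    dstintf: str
    dstaddr: str
    service: str
    action: str = "ACCEPT"


# The four policies from the procedures above, in list order (first match wins).
POLICIES = [
    Policy("external", "ALL", "dmz", FORTIMAIL_IP, "SMTP"),   # Internet -> FortiMail
    Policy("dmz", FORTIMAIL_IP, "external", "ALL", "SMTP"),   # FortiMail -> Internet
    Policy("internal", "ALL", "dmz", FORTIMAIL_IP, "POP3"),   # users retrieve mail
    Policy("internal", "ALL", "dmz", FORTIMAIL_IP, "SMTP"),   # users submit mail
]


def _addr_match(spec, ip):
    if spec == "ALL":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(policies, srcintf, src_ip, dstintf, dst_ip, dport):
    """Return the action of the first matching policy, or "DENY" (implicit deny)."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_match(p.srcaddr, src_ip)
                and _addr_match(p.dstaddr, dst_ip)
                and SERVICE_PORTS[p.service] == dport):
            return p.action
    return "DENY"


# Flows that must be accepted, and flows that must fall through to the implicit deny.
EXPECTED = [
    ("external", "203.0.113.7", "dmz", FORTIMAIL_IP, 25, "ACCEPT"),    # inbound SMTP
    ("dmz", FORTIMAIL_IP, "external", "198.51.100.2", 25, "ACCEPT"),   # outbound SMTP
    ("internal", "10.0.1.50", "dmz", FORTIMAIL_IP, 110, "ACCEPT"),     # POP3 retrieval
    ("internal", "10.0.1.50", "dmz", FORTIMAIL_IP, 25, "ACCEPT"),      # SMTP submission
    ("external", "203.0.113.7", "dmz", FORTIMAIL_IP, 110, "DENY"),     # no POP3 from Internet
    ("external", "203.0.113.7", "internal", "10.0.1.50", 25, "DENY"),  # Internet cannot reach LAN
    ("dmz", FORTIMAIL_IP, "internal", "10.0.1.50", 25, "DENY"),        # DMZ host cannot open LAN
]


def audit(policies=POLICIES, cases=EXPECTED):
    """Return the cases whose result differs from the expectation (empty list = pass)."""
    failures = []
    for srcintf, sip, dstintf, dip, port, want in cases:
        got = evaluate(policies, srcintf, sip, dstintf, dip, port)
        if got != want:
            failures.append((srcintf, sip, dstintf, dip, port, want, got))
    return failures


if __name__ == "__main__":
    for f in audit():
        print("MISMATCH:", f)
    print("audit complete, %d mismatch(es)" % len(audit()))
```

If you add a fifth policy later (for example a broad "ALL services" rule placed above the SMTP rule), rerun the audit: the DENY cases are the ones that catch an accidental widening of the DMZ exposure.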


Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.

Advanced configuration
The preceding chapter described how to configure your FortiMail unit for the
network in one of the three operating modes.
The next step is to configure the FortiMail unit to scan email for viruses and
spam, providing maximum protection against blended email-related threats and
increasing your users' productivity.
This chapter describes additional configuration you should consider when
integrating the FortiMail unit into your network.
This chapter includes:

Set the date and time

Updating antivirus signatures

Receiving regular antivirus updates

Configuring antispam

Create profiles

Create policies

Add users (Server mode)

Set the date and time

For effective scheduling and logging, the FortiMail system date and time must be
accurate; accurate time is also what lets you correlate FortiMail event logs with
logs from other devices. You can either manually set the system date and time or
configure the FortiMail unit to automatically keep its time correct by synchronizing
with a Network Time Protocol (NTP) server.
To set the date and time
1  Go to System > Config > Time.
2  Select your Time Zone from the list.
3  Optionally, select the Automatically adjust clock for daylight saving changes
   check box.
4  Select Set Time and set the FortiMail system date and time.
5  Select OK.
Note: If you choose the option Automatically adjust clock for daylight saving changes, the
system time must be manually adjusted after daylight savings time ends.

To use NTP to set the FortiMail date and time
1  Go to System > Config > Time.
2  Select Synchronize with NTP Server to configure the FortiMail unit to use NTP to
   automatically set the system time and date.
3  Enter the IP address or domain name of the NTP server that the FortiMail unit can
   use to set its time and date. Use a server you control or trust, because the unit
   will follow whatever time that server reports.
4  Specify how often the FortiMail unit should synchronize its time with the NTP
   server.
5  Select OK.

Updating antivirus signatures

You can configure the FortiMail unit to connect to the FortiGuard Distribution
Network (FDN) to update the antivirus and antispam definitions.
The FDN is a worldwide network of FortiGuard Distribution Servers (FDS). When
the FortiMail unit connects to the FDN, it connects to the nearest FDS. To do this,
all FortiMail units are programmed with a list of FDS addresses sorted by nearest
time zone according to the time zone configured for the FortiMail unit.
Before you can begin receiving updates, you must register your FortiMail unit on
the Fortinet web page. For information on registering your FortiMail unit, see
Register your FortiMail unit on page 7.
The FortiGuard Center enables you to receive push updates, allow push updates to
a specific IP address, and schedule updates at hourly, daily, or weekly intervals.
To update antivirus definitions
1  Go to System > Update.
2  Select Update Now to update the antivirus definitions.
   If the connection to the FDN is successful, the web-based manager displays a
   message similar to the following:
   Your update request has been sent. Your database will be
   updated in a few minutes. Please check your update page
   for the status of the update.
   After a few minutes, if an update is available, the System FortiGuard Center page
   lists new version information for antivirus definitions. The System Status page
   also displays new dates and version numbers for the antivirus definitions.
   Messages are recorded to the event log indicating whether the update was
   successful or not.
Note: Updating antivirus definitions can cause a very short disruption in traffic currently
being scanned while the FortiMail unit applies the new signature database. To minimize
any disruption, schedule updates when traffic is light, for example overnight.

Receiving regular antivirus updates

The FortiMail unit enables you to select when and how you want to receive
antivirus signature updates. You can either use the FortiGuard push service or
scheduled updates. The push service automatically sends the FortiMail unit
new antivirus definitions as soon as they are available. While this can cause slight
email scanning disruptions during the update, it ensures that the virus definitions
are current, minimizing the possibility of a new virus breaching the network.
By selecting scheduled updates, you define when the FortiMail unit receives the
latest antivirus signatures. For example, you can schedule updates every night at
2 am, or weekly on Sunday when email traffic is low. While this may leave your
network potentially vulnerable to a brand new virus, it minimizes disruption to the
email service, which may be a benefit if your business relies on timely email
communications.

Configuring push updates

Enable push updates to ensure your FortiMail unit has the most current antivirus
signatures available for scanning email.
To enable push updates
1  Go to System > Update.
2  Select Allow Push Update.
3  Select Use override push IP if required and enter the IP address and port number.
   Override push IP addresses and ports are used when there is a NAT device
   between the FortiMail unit and the FDN. The FortiMail unit sends the override
   push IP address and port to the FDN, and the FDN then uses this IP address and
   port for push updates to the FortiMail unit on the internal network. The NAT device
   must forward that address and port to the FortiMail unit for the push to arrive.
4  Select Apply.

Scheduling antivirus updates

Configure a schedule for the frequency of the antivirus updates.
To enable scheduled updates
1  Go to System > Update.
2  Select the Scheduled Update check box.
3  Select one of the following to check for and download updates:

   Every     Once every 1 to 23 hours. Select the number of hours and
             minutes between each update request.
   Daily     Once a day. You can specify the time of day to check for updates.
   Weekly    Once a week. You can specify the day of the week and time of day
             to check for updates.

4  Select Apply.
The FortiMail unit starts the next scheduled update according to the new update
schedule. Whenever the FortiMail unit runs a scheduled update, the event is
recorded in the FortiMail event log.

Adding an override server

If you cannot connect to the FDN, or if your organization provides updates using
its own FortiGuard server, use the following procedure to add the address of
an override FortiGuard server.
To add an override server from the web-based manager
1  Go to System > Update.
2  Select the Use override server address check box.
3  Type the fully qualified domain name or IP address of a FortiGuard server.
4  Select Apply.
The FortiMail unit tests the connection to the override server.
If the FDN setting changes to available, the FortiMail unit has successfully
connected to the override server.
If the FDN stays set to not available, the FortiMail unit cannot connect to the
override server. Check the FortiMail configuration and network configuration for
settings that would prevent the FortiMail unit from connecting to the override
FortiGuard server.

Configuring antispam
To combat spam, the FortiMail unit provides a number of methods of filtering
unwanted email. If you have a FortiGuard subscription, much of the spam sent to
you is caught by the FortiGuard filtering system. Fortinet employs a team to
continually monitor spam patterns and updates the databases daily.
There are additional system-wide antispam settings that enable you to train the
FortiMail unit as to what is, and what is not, spam. These include:

Black/White lists that enable you to block or allow email from the email
addresses or domains you specify

Bayesian training to train the Bayesian databases to make the antispam email
scanning more accurate

Heuristic scanning using predefined rules

Once configured, you can incorporate these settings into antispam profiles. The
following are a few of the antispam options that you can enable on the FortiMail
unit to stop the flow of spam.

Black/White lists
In some cases, mail tagged as spam is from an individual you want to receive
mail from, while email that is not caught by the spam filters, or from users you don't
want to receive email from, gets through to your inbox. White lists and black lists
enable you and your users to maintain lists of email addresses that you want or
don't want to receive email from.
White lists contain the domains and user email addresses that you want to receive
from; they help to eliminate false positives. Black lists are the opposite: users and
domains in a black list are blocked from sending email to recipients on the network.
The FortiMail unit, at the system, session, and personal levels, can block or allow
email from the email addresses, domains, or IP addresses you specify. You add
the email addresses, domains, or IP addresses that you want to block to the black
list, and those that you allow to pass to the white list.
Mail is checked against the system and user lists whenever it matches any policy,
recipient-based or IP-based. Mail is checked against session lists only when lists
are enabled in a session profile specified in an IP-based policy that matches the
message traffic, whether or not a recipient-based policy also matches.


While this can be very effective in maintaining desired lists of users and domains
to allow and block, some caution must be taken. They are simple and efficient
tools for fighting spam and enhancing performance, but can also cause false
positives and false negatives if not used carefully. For example, a white list entry
of *.edu would allow all mail from the .edu top level domain to bypass the FortiMail
unit's antispam scanning, including mail carrying a forged .edu sender address.
Keep white list entries as specific as possible.
Administrators and users can configure separate black/white lists. Administrators
can configure system level lists and personal level lists using the web-based
manager, while users can configure and maintain their own personal lists using
the web mail interface.
System lists precede personal lists. That is, if the FortiMail unit receives an email
that is white listed at the system level, and black listed at the personal level, the
user will still receive the email. Conversely, if the FortiMail unit receives an email
that is black listed at the system level, and white listed at the personal level, the
user will not receive the email.
To add system level black/white lists
1  Go to AntiSpam > Black/White List > System.
2  Do one of the following:
   To block email, select Black List.
   To allow email, select White List.
3  Enter the email address, domain, or IP address that you want to block or allow.
4  Select Add.
To add personal level black/white lists
1  Go to AntiSpam > Black/White List > Personal.
2  Select the domain of the SMTP server that has the user for whom you want to
   configure the Black or White list.
3  Type the user's username (existing or new) and select OK.
4  Turn on Add outgoing email addresses to "White" list if you want the FortiMail unit
   to treat email sent from these addresses as non-spam email in the future.
5  Do one of the following:
   To block email, select Black List.
   To allow email, select White List.
6  Enter the email address, domain, or IP address that you want to block or allow.
7  Select Add.
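The precedence rules above (system lists before personal lists, entries matched by address, domain or IP) are easy to get wrong when reasoning about a specific message. The following is an added example, not FortiMail's own code: a Python model of that precedence applied to constructed lists, which also shows why the *.edu entry discussed above is dangerous, since it overrides a user's personal black list entry. The order of white before black within one level is an assumption; the guide only states that system lists take precedence over personal lists. All list contents, users and addresses are constructed.

```python
"""Added example (not FortiMail code): a model of the black/white list
precedence described above. System lists are checked before personal lists.
Within a level, the white list is checked before the black list (an assumption;
the guide only states the system-before-personal rule). Entries may be an email
address, a domain with an optional leading wildcard (e.g. *.edu) or an IP
address/CIDR. All list contents and sample messages are constructed."""

import ipaddress
from fnmatch import fnmatch


def entry_matches(entry, sender, client_ip):
    """True if one list entry covers the sender address or the sending client IP."""
    entry = entry.lower()
    sender = sender.lower()
    if "@" in entry:                                   # full email address
        return entry == sender
    try:                                               # IP address or CIDR block
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass                                           # not an IP: treat as a domain pattern
    domain = sender.rsplit("@", 1)[-1]
    return fnmatch(domain, entry)


def list_verdict(system_white, system_black, personal_white, personal_black,
                 sender, client_ip):
    """Return ('allow'|'block', reason) from the first list level that matches,
    or (None, None) when no entry matches and normal antispam scanning proceeds."""
    levels = [
        ("system white", system_white, "allow"),
        ("system black", system_black, "block"),
        ("personal white", personal_white, "allow"),
        ("personal black", personal_black, "block"),
    ]
    for name, entries, verdict in levels:
        for entry in entries:
            if entry_matches(entry, sender, client_ip):
                return verdict, "%s list entry %s" % (name, entry)
    return None, None


# Constructed lists (assumptions for illustration)
SYSTEM_WHITE = ["*.edu", "partner.example"]
SYSTEM_BLACK = ["spammer.example", "198.51.100.0/24"]
PERSONAL_WHITE = {"alice": ["news@spammer.example"]}
PERSONAL_BLACK = {"alice": ["bob@university.edu"]}


def check_message(user, sender, client_ip):
    """Apply the system lists and the named user's personal lists to one message."""
    return list_verdict(SYSTEM_WHITE, SYSTEM_BLACK,
                        PERSONAL_WHITE.get(user, []), PERSONAL_BLACK.get(user, []),
                        sender, client_ip)


if __name__ == "__main__":
    # The *.edu entry lets any .edu sender through even though alice black-listed it.
    print(check_message("alice", "bob@university.edu", "192.0.2.10"))
    # The system black list wins over alice's personal white list.
    print(check_message("alice", "news@spammer.example", "192.0.2.10"))
```

The first call returns an allow verdict from the system white list even though the user has black-listed that exact sender, which is the behaviour the precedence paragraph describes and the reason a wildcard white list entry should be avoided.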


Bayesian scanning
Bayesian scanning is a method of teaching the FortiMail unit what is a spam email
and what is not. Bayesian training applies Bayes' theorem of probability: the spam
filter takes into account the words used in spam messages versus those used in
legitimate messages.
Bayesian training is a manual process performed by the administrator or email
users. For each email received, an email user can tell the filter whether it is a
good email, spam, or a false positive. The more training, that is, the more email
users submit with its status indicated, the more accurate the spam filter becomes.
Bayesian filters recognize spam messages by looking at the words (or tokens)
they contain. The Bayesian filter starts with two collections of email, one of known
spam and one of known non-spam email. For every word in these email
messages, it calculates the probability of a scanned message being spam based
on the proportion of spam occurrences.
The FortiMail unit can maintain three types of Bayesian databases: global, group,
and user. They all work in the same way with the Bayesian scanning engine, but
each is designed for a different application:

Global can be used to scan any or all mail sent and received by the FortiMail
unit. There is only one global Bayesian database on a FortiMail unit.

Group databases are maintained on a per-protected-domain basis. This allows the
flexibility of a database tailored to filter the mail to each domain.

User databases are maintained on a per-user basis for each protected domain. This
allows the user Bayesian database to be fine-tuned to only the mail traffic the
user receives.

To configure Bayesian scanning, go to AntiSpam > Bayesian.

Configuring Bayesian databases is more involved, because the databases must be
trained on real email before they can reliably separate spam from legitimate mail.
For complete details on Bayesian scanning and how to train the
FortiMail unit, see the FortiMail Administration Guide.
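To make the description above concrete, here is an added example (not FortiMail's engine and not from this guide): a minimal Bayesian spam filter in Python. It is trained from two constructed corpora of known spam and known non-spam, computes a per-token spam probability from the proportion of spam occurrences with smoothing toward a neutral prior for rarely seen tokens, and combines the tokens of a new message with Bayes' rule in log space. The corpora, the 0.9 decision threshold and the smoothing strength are illustrative assumptions.

```python
"""Added example (not FortiMail's engine): a minimal Bayesian spam filter of
the kind the section describes. It trains from two constructed corpora (known
spam, known non-spam), derives a per-token spam probability from the proportion
of spam occurrences, and combines the tokens of a new message. Corpora,
threshold and smoothing strength are illustrative assumptions."""

import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokens(text):
    """Distinct lower-case word tokens of a message (each token counted once per message)."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianFilter:
    def __init__(self):
        self.spam_count = 0
        self.ham_count = 0
        self.spam_tokens = Counter()   # token -> number of spam messages containing it
        self.ham_tokens = Counter()    # token -> number of non-spam messages containing it

    def train(self, text, is_spam):
        """Record one message's tokens in the spam or non-spam database.
        This is the step a user performs when reporting spam or a false positive."""
        toks = tokens(text)
        if is_spam:
            self.spam_count += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_count += 1
            self.ham_tokens.update(toks)

    def token_probability(self, tok, strength=1.0, prior=0.5):
        """P(spam | token) from the proportion of spam occurrences, pulled toward
        the prior when the token has rarely been seen."""
        spam_freq = (self.spam_tokens[tok] / self.spam_count) if self.spam_count else 0.0
        ham_freq = (self.ham_tokens[tok] / self.ham_count) if self.ham_count else 0.0
        seen = self.spam_tokens[tok] + self.ham_tokens[tok]
        if spam_freq + ham_freq == 0:
            return prior
        p = spam_freq / (spam_freq + ham_freq)
        return (strength * prior + seen * p) / (strength + seen)

    def spam_probability(self, text):
        """Combine the token probabilities with Bayes' rule under the naive
        independence assumption, in log space to avoid floating-point underflow."""
        log_spam = log_ham = 0.0
        for tok in tokens(text):
            p = self.token_probability(tok)
            if abs(p - 0.5) < 0.05:        # skip tokens that carry no evidence
                continue
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.9):
        return "spam" if self.spam_probability(text) >= threshold else "clean"


# Constructed training corpora (assumptions, deliberately tiny)
SPAM_CORPUS = [
    "cheap meds buy now limited offer click here",
    "you won a prize claim your cash now click here",
    "limited offer cheap loans act now",
    "buy cheap replica watches click here now",
]
HAM_CORPUS = [
    "please review the attached quarterly report before friday",
    "meeting moved to 3pm, see the updated agenda",
    "thanks for the report, the numbers look right",
    "can you send the agenda for friday's meeting",
]


def trained_filter():
    """Build a filter trained on the constructed corpora."""
    f = BayesianFilter()
    for msg in SPAM_CORPUS:
        f.train(msg, True)
    for msg in HAM_CORPUS:
        f.train(msg, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("click here now for a cheap offer",
                "the agenda for the friday meeting is attached"):
        print("%.4f %s  %s" % (f.spam_probability(msg), f.classify(msg), msg))
```

The behaviour to notice is the training loop: every message a user reports as spam or as a false positive shifts the per-token proportions, which is exactly why the section says more training makes the filter more accurate, and why a database trained on too little real mail gives unreliable verdicts.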

Heuristic scanning
Heuristic scanning uses a scoring technique based on predetermined terms and
words. The rules are broken down into five categories: header, body, raw body, URI,
and metadata. Each rule has an individual score used to calculate the total score
for an email. You can fine-tune the threshold values to meet your specific needs. If
your email system's false positive ratio is high, raise the upper level threshold until
you achieve a satisfactory ratio. If your spam catch rate is too low, lower the lower
level threshold until you achieve a satisfactory rate. The FortiMail default
threshold values are recommended only as a starting point.
Note that heuristic scanning is resource intensive. If spam detection rates are
acceptable without heuristic scanning, using the other antispam methods available
in FortiMail (black lists, FortiGuard), consider disabling it or limiting its use to
policies dealing with problem hosts.
To customize the thresholds and which rules are used, go to AntiSpam > Rules
and select and modify the values as required.

Create profiles
A profile is a collection of FortiMail settings that you specify to filter incoming and
outgoing email and to control the email flow. Profiles are selected in policies and
run on any traffic the policy controls. The FortiMail unit enables you to create
profiles for a number of features.
For an initial setup, create profiles for antispam and antivirus. As you continue to
develop your email environment, you can add additional profiles for
authentication, content and so on.

Antispam profile
After creating your antispam configurations, you can add an antispam profile,
which uses the settings you have configured and groups them into a single profile
that you can apply across various policies. Each profile you add can use
different antispam options depending on how you need to use them.
To create an antispam profile, go to Profile > AntiSpam > Incoming or
Outgoing.
When you create an antispam profile you can also define additional antispam
measures within the profile, including:

DNSBL - to query DNSBL (DNS Block List) servers to check the
IP address of the mail server that delivered the message. If a match is found,
the FortiMail unit treats the message as spam.

SURBL - to check every URI in the message body against SURBL servers. If a
match is found, the FortiMail unit treats the message as spam.

Banned Word - to check the message for words you have listed. The message is
considered spam if any listed word is found.

Most individual spam detection methods allow the selection of an action. The
selected action determines what the FortiMail unit does with mail detected as
spam by the particular spam detection method.
The options available are:

Subject Tag - enables you to enter the text that the FortiMail unit adds to the
subject line of the message before delivering it to the recipient. For
example, FortiMail detected spam. Users can create rules in their client
software to direct messages with this tag to a separate folder for later review.

Reject - The FortiMail unit rejects the spam and sends reject responses to the
sender.

Discard - The FortiMail unit discards spam without sending reject responses to
the senders.

Forward - The FortiMail unit forwards spam to a configured email address.

Quarantine - The FortiMail unit redirects detected spam messages to the spam
quarantine. The quarantine action is only available for incoming antispam
profiles.

Antivirus profile
Antivirus profiles are used by FortiMail to scan email for viruses. FortiMail units
update virus signatures online from Fortinet's update servers around the world.
When a virus is found, the FortiMail unit deletes the file that contains the virus and
replaces the file with a message notifying the user that the infected file has been
deleted.
To create an antivirus profile, go to Profile > AntiVirus > AntiVirus.
As for antispam, antivirus methods also enable you to define an action for when the
FortiMail unit finds a virus. The selected action determines what the FortiMail unit
does with mail in which a virus is detected.
The options available are:

Replace Virus Body - The FortiMail unit replaces the infected attachment with
a message that provides information about the virus and the source of the
email.

Reject - The FortiMail unit rejects the email and sends a reject response to the
sender.

Discard - The FortiMail unit discards the email without sending a reject
response to the sender.

Applying profiles
After you create the profiles, you apply them to users and user groups to create
email filtering and control policies, described below. To customize your email
service, you can apply different profiles to different users or user groups. For
instance, if you are an Internet Service Provider (ISP), you can create and apply
antivirus profiles only to the users who pay for the antivirus service.

Create policies
Policies determine if and how incoming and outgoing email is scanned for spam,
viruses, and attachment types. Also, policies can determine user account settings,
such as authentication type, disk quota, and access to Webmail.
There are two types of policies you can configure in FortiMail:

Recipient-based policies that are run on messages sent to a user or user
group specified in a policy. Recipient-based policies enable you to define
which policies are run on individual messages based on who the message is
sent to. Depending on your needs, you can create different recipient-based
policies for different email recipients. For example, if you are an ISP, you can
create and apply antispam and antivirus profiles only if the customers have
paid for those services. In all operating modes, you can create incoming and
outgoing recipient-based email policies to protect both the local and remote
email recipients.

IP-based policies that are run when the IP address matches the client address
specified in the policy in gateway and server modes, or both IP addresses
match the client and server addresses specified in the policy in transparent
mode. In server and gateway modes, IP-based policies are run on connections
initiated by the computer whose IP address is specified in the policy. In
transparent mode, IP-based policies are run on connections between two
computers, both specified by IP address in the policy.

Recipient-based policies take priority over IP-based policies, and only one policy
is applied to any message. The FortiMail unit checks each message for
recipient-based policy matches. If a match is found, the recipient-based policy is
applied. If no recipient-based policy matches, the IP-based policy is applied. This
is how all aspects of the policies are applied, with the exception of the session
profile and the antivirus profile.
If no recipient-based policy matches the message and no IP-based policy
matches the session, no policies are applied and the mail is delivered without
the profiles being run on it. To avoid that gap, keep a general IP-based policy at
the bottom of the list that applies your default profiles to everything the more
specific policies do not match.
To create email policies, go to the Policies menu and select Recipient Based or IP
Based.
Note: Arrange policies in the policy list from most specific at the top to more general at the
bottom. Policy matches are checked from the top of the list, downward.

The options available for a policy differ depending on whether you are running the
FortiMail unit in Transparent/Gateway mode or Server mode. For more details on
policy usage and configuration, see the FortiMail Administration Guide.
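The selection rule above (recipient-based first, then IP-based, top-down in each list, and nothing applied when neither matches) is what decides whether a given message is scanned at all. The following is an added example, not FortiMail code: a Python model of that selection for gateway/server mode over constructed policies, with a small audit helper that lists the messages no policy covers. The session-profile and antivirus-profile exception mentioned above is not modelled; policy names, profile names and addresses are assumptions.

```python
"""Added example (not FortiMail code): a model of the policy selection the
guide describes for gateway/server mode. Recipient-based policies are tried
first, top-down; if none matches, IP-based policies are tried top-down; if
nothing matches, the message gets no profiles at all. The session-profile and
antivirus-profile exception mentioned in the guide is not modelled. Policy and
profile names and all addresses are constructed."""

import ipaddress
from fnmatch import fnmatch

# Constructed policies: most specific at the top, most general at the bottom.
RECIPIENT_POLICIES = [
    {"name": "ceo-av-only", "recipient": "ceo@example.com",
     "profiles": {"antivirus": "av-default"}},
    {"name": "paid-customers", "recipient": "*@paid.example.com",
     "profiles": {"antispam": "as-strict", "antivirus": "av-default"}},
]
IP_POLICIES = [
    {"name": "internal-clients", "client": "10.0.1.0/24",
     "profiles": {"antivirus": "av-default"}},
    {"name": "catch-all", "client": "0.0.0.0/0",
     "profiles": {"antispam": "as-default", "antivirus": "av-default"}},
]


def select_policy(recipient, client_ip,
                  recipient_policies=RECIPIENT_POLICIES, ip_policies=IP_POLICIES):
    """Return (kind, policy) for the single policy applied to a message, or (None, None)."""
    for p in recipient_policies:                       # recipient-based policies first
        if fnmatch(recipient.lower(), p["recipient"].lower()):
            return "recipient", p
    ip = ipaddress.ip_address(client_ip)
    for p in ip_policies:                              # then IP-based policies
        if ip in ipaddress.ip_network(p["client"], strict=False):
            return "ip", p
    return None, None


def profiles_for(recipient, client_ip, **policy_lists):
    """The profiles a message is scanned with; an empty dict means no policy matched."""
    _, p = select_policy(recipient, client_ip, **policy_lists)
    return dict(p["profiles"]) if p else {}


def unscanned_gaps(samples, **policy_lists):
    """Audit helper: return the (recipient, client_ip) samples that no policy covers."""
    return [s for s in samples if not profiles_for(s[0], s[1], **policy_lists)]


if __name__ == "__main__":
    # Recipient match wins: the CEO policy has no antispam profile, and the
    # catch-all IP policy is never consulted for that message.
    print(select_policy("ceo@example.com", "203.0.113.5"))
    # Remove the catch-all and an unknown recipient from the Internet is left uncovered.
    print(unscanned_gaps([("u@other.example.com", "203.0.113.5")],
                         ip_policies=IP_POLICIES[:1]))
```

Two points worth checking in your own policy list with this model: a recipient-based match suppresses the IP-based policy entirely, so a recipient policy without an antispam profile means no antispam scanning for that recipient; and removing the general IP-based policy at the bottom leaves every unmatched message uncovered.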

Add users (Server mode)

If you are using the FortiMail unit as your email server, you need to add user
names to the FortiMail user list so that people have mailboxes to send and receive
email from. FortiMail enables you to add users, create groups of users and mailing
lists. Each of these configurations is located in the User menu.

Adding users
You can add users in two ways: add each user individually, or import an existing
user list from a previous mail server installation. The list must be a comma
separated values (CSV) text file.

Adding groups
For easier user management, create user groups that contain users for a specific
department or functional group. A group does not have a unique email
address.

Adding user aliases

User aliases are similar to mailing lists. They enable you to add users to specific
groupings that use a unique email address. When a user wants to send an email
to this group of people, they can send it to one address, rather than try to
remember all the recipients individually. For example, marketing@example.com.

Firmware
Fortinet periodically updates the FortiMail firmware to include enhancements and
address issues. After you have registered your FortiMail unit, FortiMail firmware is
available for download at http://support.fortinet.com.
Only FortiMail administrators whose access profiles contain system
configuration read and write privileges, and the FortiMail admin user, can change
the FortiMail firmware.
This chapter includes the following topics:

Backing up the FortiMail information

Using the web-based manager

Reverting to a previous firmware version

Installing firmware images from a system reboot

Backing up the FortiMail information

Before upgrading the FortiMail firmware, it is good practice to back up your
configuration information, Bayesian database, Black/White lists and mail queue in
case something goes wrong during the upgrade. Store the backup files where only
administrators can read them; the configuration file holds the unit's complete
settings.

Back up the configuration

Back up the FortiMail configuration to a local PC using the web-based manager.
To back up the configuration
1  Go to System > Status > Status.
2  In the System Settings area, select Backup.
3  Select Backup System settings and select a location to store the configuration file.

Back up the Bayesian database

To back up the Bayesian database
1  Go to AntiSpam > Bayesian > DB Maintenance.
2  Select Backup bayesian database.
3  Select Download bayesian database backup file and select a location to store the
   database file.

Back up the Black/White list database

To back up the Black/White database
1  Go to AntiSpam > Black/White > Black/White List Maintenance.
2  Select Backup Black/White List.
3  Select Download Black/White list backup file and select a location to store the
   database file.

Back up the FortiMail mail queue

The mail queue contains email that the FortiMail unit could not yet send or could
not return to the sender.
To back up the mail queue
1  Go to Mail Settings > Mail Queue > Queue Maintenance.
2  Select Backup Queue.
3  Select Download Queue file and select a location to store the mail queue file.

Using the web-based manager

The web-based manager provides an easy to use method of upgrading or
downgrading the firmware on the FortiMail unit.

Upgrading the firmware

Note: To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.

To upgrade the firmware
1  Download the firmware from the Fortinet Support web site.
2  Copy the firmware image file to your management computer.
3  Log into the web-based manager as the admin administrative user.
4  Go to System > Status.
5  Under System Information > Firmware Version, select Update.
6  Type the path and filename of the firmware image file, or select Browse and locate
   the file.
7  Select OK.
   The FortiMail unit uploads the firmware image file, upgrades to the new firmware
   version, restarts, and displays the FortiMail login. This process takes a few
   minutes.
8  Log into the web-based manager.
9  Go to System > Status and check the Firmware Version to confirm the firmware
   upgrade is successfully installed.

Reverting to a previous firmware version

Use the same procedure as above to revert your FortiMail unit to a previous
firmware version. This procedure reverts the FortiMail unit to its factory default
configuration.

Using the CLI

The CLI provides an easy to use method of upgrading or downgrading the
firmware on the FortiMail unit.

Upgrading the firmware

You must have a TFTP server running that the FortiMail unit can connect to in
order to complete the upgrade procedure. TFTP has no authentication or
encryption, so run the TFTP server on a trusted management network and only
for as long as the transfer takes.
Note: To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.

To upgrade the firmware using the CLI
1  Make sure the TFTP server is running.
2  Copy the new firmware image file to the root directory of the TFTP server.
3  Log into the CLI.
4  Make sure the FortiMail unit can connect to the TFTP server by using the ping
   command to ping the computer running the TFTP server. For example, if the IP
   address of the TFTP server is 192.168.1.168:
   execute ping 192.168.1.168
5  Enter the following command to copy the firmware image from the TFTP server to
   the FortiMail unit:
   execute restore image <name_str> <tftp_ipv4>
   where <name_str> is the name of the firmware image file and <tftp_ipv4> is
   the IP address of the TFTP server. For example, if the firmware image file name is
   image.out and the IP address of the TFTP server is 192.168.1.168, enter:
   execute restore image image.out 192.168.1.168
   The FortiMail unit responds with the message:
   This operation will replace the current firmware version!
   Do you want to continue? (y/n)
6  Type y.
   The FortiMail unit uploads the firmware image file, upgrades to the new firmware
   version, and restarts. This process takes a few minutes.


Reverting to a previous firmware version


This procedure reverts the FortiMail unit to its factory default configuration and
deletes all white lists, black lists, and Bayesian databases.

Caution: Reverting to an earlier firmware version causes you to lose your entire
configuration. Before beginning this procedure, back up your configuration. For
details, see Backing up the FortiMail information on page 95.

If you are reverting to a previous FortiMail version (for example, reverting from
v3.0 to v2.80), you might not be able to restore your previous configuration from
the backup configuration file.
Note: To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.

To use the following procedure, you must have a TFTP server that the FortiMail unit
can connect to.
To revert to a previous firmware version
1   Make sure the TFTP server is running.
2   Copy the firmware image file to the root directory of the TFTP server.
3   Log into the FortiMail CLI.
4   Make sure the FortiMail unit can connect to the TFTP server. You can use the
    following command to ping the computer running the TFTP server. For example, if
    the TFTP server's IP address is 192.168.1.168:
    execute ping 192.168.1.168
5   Enter the following command to copy the firmware image from the TFTP server to
    the FortiMail unit:
    execute restore image <name_str> <tftp_ipv4>
    where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
    IP address of the TFTP server. For example, if the firmware image file name is
    v2.80image.out and the IP address of the TFTP server is 192.168.1.168,
    enter:
    execute restore image v2.80image.out 192.168.1.168
    The FortiMail unit responds with the message:
    This operation will replace the current firmware version!
    Do you want to continue? (y/n)
6   Type y.
    The FortiMail unit uploads the firmware image file. After the file uploads, a
    message similar to the following is displayed:
    Get image from tftp server OK.
    Check image OK.
    This operation will downgrade the current firmware version!
    Do you want to continue? (y/n)
7   Type y.
    The FortiMail unit reverts to the old firmware version, resets the configuration to
    factory defaults, and restarts. This process takes a few minutes.
8   Once the FortiMail unit has restarted, load your configuration information onto the
    unit.

Installing firmware images from a system reboot

You can use this procedure to upgrade to a new firmware version, revert to an
older firmware version, or re-install the current firmware version. This is a useful
procedure when you are unable to connect to the FortiMail unit using the
web-based manager or the CLI login.
To use this procedure, you must connect to the CLI using the FortiMail console
port and an RJ-45 to DB-9 or null-modem cable. This procedure reverts the
FortiMail unit to its factory default configuration.
Because the startup configuration menu lets anyone at the console port load new
firmware or format the boot device without logging in, keep physical access to the
console port restricted.
For this procedure you require a TFTP server that you can connect to from port 1.
The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure, back up your configuration file and
lists. See Backing up the FortiMail information on page 95 for details.

Caution: If you are reverting to a previous FortiMail version (for example, reverting from
v3.0 to v2.80), you might not be able to restore your previous configuration from the backup
configuration file.
Note: Installing firmware replaces the current antivirus definitions with the definitions
included with the firmware release you are installing. After you install new firmware, ensure
that antivirus definitions are up to date. For details, see Updating antivirus signatures on
page 86.

To install firmware from a system reboot
1   Connect to the CLI using the null-modem cable and the FortiMail console port.
2   Make sure the TFTP server is running.
3   Copy the new firmware image file to the root directory of the TFTP server.
4   Make sure the internal interface is connected to the same network as the TFTP
    server.
5   To confirm that the FortiMail unit can connect to the TFTP server, use the following
    command to ping the computer running the TFTP server. For example, if the IP
    address of the TFTP server is 192.168.1.168, enter:
    execute ping 192.168.1.168
6   Enter the following command to restart the FortiMail unit:
    execute reboot
    The FortiMail unit responds with the following message:
    This operation will reboot the system !
    Do you want to continue? (y/n)
7   Type y.
    As the FortiMail unit starts, a series of system startup messages is displayed.
    When the following message appears:
    Press any key to display configuration menu.......
    immediately press any key to interrupt the system startup.
    Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
    the FortiMail unit reboots and you must log in and repeat the execute reboot command.
    If you successfully interrupt the startup process, the following menu appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [I]: Configuration and information.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,B,I,Q,or H:
8   Type G to get the new firmware image from the TFTP server.
    The following message appears:
    Enter TFTP server address [192.168.1.168]:
9   Type the address of the TFTP server and press Enter.
    The following message appears:
    Enter Local Address [192.168.1.188]:
10  Type an IP address that the FortiMail unit can use to connect to the TFTP
    server, and press Enter.
    The IP address can be any IP address that is valid for the network the interface is
    connected to. Make sure you do not enter the IP address of another device on this
    network.
    The following message appears:
    Enter File Name [image.out]:
11  Enter the firmware image file name and press Enter.
    The firmware image file is transferred from the TFTP server to the FortiMail unit
    and a message similar to the following is displayed:
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12  Type D.
    The FortiMail unit installs the new firmware image as the default firmware and
    restarts.

Testing a new firmware image before installing it

You can test a new firmware image by installing the firmware image from a system
reboot and saving it to system memory. This enables you to try a new firmware
image before loading it permanently onto the system.
After completing this procedure, the FortiMail unit operates using the new
firmware image with the current configuration. This new firmware image is not
permanently installed. The next time you restart the FortiMail unit, it operates with
the originally installed firmware image using the current configuration. If the new
firmware image operates successfully, you can install it permanently using the
procedure Upgrading the firmware on page 96.
For this procedure, you must connect to the CLI using the FortiMail console port
and an RJ-45 to DB-9 or null-modem cable. This procedure temporarily installs a
new firmware image using your current configuration.
For this procedure you require a TFTP server that you can connect to from port 1.
The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure, back up your configuration file and
lists. See Backing up the FortiMail information on page 95 for details.
To test a new firmware image
1   Connect to the CLI using an RJ-45 to DB-9 serial cable or a null-modem cable and
    the FortiMail console port.
2   Make sure the TFTP server is running.
3   Copy the new firmware image file to the root directory of the TFTP server.
4   Make sure the internal interface is connected to the same network as the TFTP
    server.
5   To confirm that the FortiMail unit can connect to the TFTP server, use the following
    command to ping the computer running the TFTP server. For example, if the TFTP
    server's IP address is 192.168.1.168:
    execute ping 192.168.1.168
6   Enter the following command to restart the FortiMail unit, and type y when asked
    to confirm:
    execute reboot
    As the FortiMail unit starts, a series of system startup messages is displayed.
    When the following message appears:
    Press any key to display configuration menu........
7   Immediately press any key to interrupt the system startup.
    Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
    the FortiMail unit reboots and you must log in and repeat the execute reboot
    command.
    If you successfully interrupt the startup process, the following menu appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [I]: Configuration and information.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,B,I,Q,or H:
8   Type G to get the new firmware image from the TFTP server.
    The following message appears:
    Enter TFTP server address [192.168.1.168]:
9   Type the address of the TFTP server and press Enter.
    The following message appears:
    Enter Local Address [192.168.1.188]:
10  Type an IP address that the FortiMail unit can use to connect to the TFTP
    server, and press Enter.
    The following message appears:
    Enter File Name [image.out]:
11  Enter the firmware image file name and press Enter.
    The firmware image file is transferred from the TFTP server to the FortiMail unit
    and a message similar to the following appears:
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12  Type R.
    The firmware image is loaded into system memory and the FortiMail unit starts
    running the new firmware image, but with its current configuration.
13  Log into the CLI or the web-based manager using any administrative account.
14  To confirm that the new firmware image has been loaded, from the CLI enter:
    get system status
    You can now test the new firmware image as required.

Installing and using a backup firmware image

Once a backup firmware image is installed, you can switch to it when required by
choosing [B]: Boot with backup firmware and set as default from the startup
configuration menu.
To run this procedure, you must:
•   Access the CLI by connecting to the FortiMail console port using an RJ-45 to
    DB-9 serial cable or a null-modem cable.
•   Install a TFTP server that the FortiMail unit can connect to, as described in
    the procedure Installing firmware images from a system reboot on page 99.

To install a backup firmware image
1   Connect to the CLI using an RJ-45 to DB-9 serial cable or a null-modem cable and
    the FortiMail console port.
2   Make sure the TFTP server is running.
3   Copy the new firmware image file to the root directory of your TFTP server.
4   To confirm that the FortiMail unit can connect to the TFTP server, use the following
    command to ping the computer running the TFTP server. For example, if the IP
    address of the TFTP server is 192.168.1.168:
    execute ping 192.168.1.168
5   Enter the following command to restart the FortiMail unit, and type y when asked
    to confirm:
    execute reboot
    As the FortiMail unit starts, a series of system startup messages is displayed.
    When the following message appears:
    Press any key to enter configuration menu........
6   Immediately press any key to interrupt the system startup.
    Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
    the FortiMail unit reboots and you must log in and repeat the execute reboot
    command.
    If you successfully interrupt the startup process, the following menu appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,Q,or H:
7   Type G to get the new firmware image from the TFTP server.
    The following message appears:
    Enter TFTP server address [192.168.1.168]:
8   Type the address of the TFTP server and press Enter.
    The following message appears:
    Enter Local Address [192.168.1.188]:
9   Type an IP address that the FortiMail unit can use to connect to the TFTP
    server, and press Enter.
    The IP address can be any IP address that is valid for the network the interface is
    connected to. Make sure you do not enter the IP address of another device on this
    network.
    The following message appears:
    Enter File Name [image.out]:
10  Enter the firmware image file name and press Enter.
    The firmware image file is transferred from the TFTP server to the FortiMail unit
    and the following message is displayed:
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
11  Type B.
    The FortiMail unit saves the backup firmware image and restarts. When the
    FortiMail unit restarts, it is running the previously installed firmware version.
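The three console procedures on this page (installing from a system reboot, testing an image, and installing a backup image) differ only in the final D, B or R keystroke. The following is an added example, not FortiMail or Fortinet code, that drives that sequence against any transport exposing read_until() and write(); ScriptedConsole is a constructed stand-in that replays a transcript assembled from the prompts quoted above, and an adapter exposing the same two methods over a real serial port is assumed and not shown. It also enforces the two checks the procedures ask for: the local address must not collide with the TFTP server's, and a missed 3-second window means another execute reboot.

```python
"""Scripted pass through the FortiMail startup configuration menu.

Added example, not FortiMail or Fortinet code. The prompts are the ones quoted
on this page; the console transcript below is constructed from them.
"""
import ipaddress
import re


class ScriptedConsole:
    """Fake console: replays a constructed transcript and records what is sent."""

    def __init__(self, transcript):
        self.pending, self.sent = transcript, []

    def read_until(self, pattern):
        """Consume and return text up to the first match, else raise TimeoutError."""
        match = pattern.search(self.pending)
        if match is None:
            raise TimeoutError("prompt not seen: " + pattern.pattern)
        consumed, self.pending = self.pending[:match.end()], self.pending[match.end():]
        return consumed

    def write(self, text):
        self.sent.append(text)


# Two wordings of the interrupt banner appear on this page, and the menu has a
# five-option or a three-option form depending on whether a backup image exists.
INTERRUPT = re.compile(r"Press any key to (?:display|enter) configuration menu")
MENU = re.compile(r"Enter G,F,(?:B,I,)?Q,or H:")
TFTP_ADDR = re.compile(r"Enter TFTP server address \[[^\]]*\]:")
LOCAL_ADDR = re.compile(r"Enter Local Address \[[^\]]*\]:")
FILE_NAME = re.compile(r"Enter File Name \[[^\]]*\]:")
SAVE_CHOICE = re.compile(r"saving:\[D/B/R\]")


def drive_boot_menu(console, tftp_server, local_address, filename, action):
    """Send one pass of keystrokes through the menu; return them in order."""
    if action not in ("D", "B", "R"):
        raise ValueError("action must be one of D, B or R")
    server = ipaddress.ip_address(tftp_server)       # ValueError if malformed
    local = ipaddress.ip_address(local_address)
    if server == local:
        raise ValueError("local address must not be the TFTP server's address")
    try:
        console.read_until(INTERRUPT)
    except TimeoutError:
        raise RuntimeError("missed the interrupt window; log in and run "
                           "'execute reboot' again") from None
    console.write("\r")          # any key, within the 3-second window
    console.read_until(MENU)
    console.write("G")           # get firmware image from TFTP server
    console.read_until(TFTP_ADDR)
    console.write("%s\r" % server)
    console.read_until(LOCAL_ADDR)
    console.write("%s\r" % local)
    console.read_until(FILE_NAME)
    console.write("%s\r" % filename)
    console.read_until(SAVE_CHOICE)
    console.write(action)        # D or B writes flash; R only loads into memory
    return list(console.sent)


# Constructed transcript assembled from the prompts quoted on this page.
CONSOLE_TRANSCRIPT = """
Press any key to display configuration menu.......
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,I,Q,or H: G
Enter TFTP server address [192.168.1.168]: 192.168.1.168
Enter Local Address [192.168.1.188]: 192.168.1.188
Enter File Name [image.out]: image.out
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
"""


def trial_run(action="R"):
    """Drive the constructed console; returns the keystrokes that would be sent."""
    return drive_boot_menu(ScriptedConsole(CONSOLE_TRANSCRIPT),
                           "192.168.1.168", "192.168.1.188", "image.out", action)


def rejected(console_text, tftp_server, local_address, filename, action):
    """Return the error message for a call that is refused, or None if accepted."""
    try:
        drive_boot_menu(ScriptedConsole(console_text), tftp_server,
                        local_address, filename, action)
    except (ValueError, RuntimeError) as exc:
        return str(exc)
    return None
```

Against the constructed transcript, trial_run("R") sends a carriage return, G, the two addresses, the file name and finally R; the same call with "D" or "B" differs only in the last keystroke. Because D and B both write to flash, a real driver should make those actions an explicit, separately confirmed choice rather than a default.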


Index

A
A record 15
advanced mode 28
air flow 19
aliases 93
ambient temperature 19
antispam profiles 91
antivirus
    profiles 92
    signatures 86
applying profiles 92

B
backup 95
banned word 91
basic mode 28
Bayesian
    description 16
    scanning 90
black list 88
    description 16

C
certificate, security 26
comments, documentation 10
configuration backup 95
configuring time 85
conventions, documentation 9
customer service 10

D
description
    A record 15
    Bayesian scanning 16
    black list 16
    grey list 16
    heuristic scanning 17
    IMAP 14
    MTA 15
    MUA 15
    MX record 14
    POP3 13
    SMTP 14
    white list 16
discard 91, 92
DNSBL 91
documentation
    commenting on 10
    conventions 9
    FortiMail 9

F
firmware
    install, backup firmware image 102
    re-installing current version 99
    reverting to an older version 99
    testing new firmware 100
    upgrading to a new version 96
    upgrading using the CLI 97, 98
FortiGuard
    push updates 87
    scheduling updates 87
    updates 86
Fortinet
    customer service 10
    Knowledge Center 10

G
gateway mode
    behind a firewall 30
    described 11
    in front of a firewall 38
    in the DMZ 45
grey list description 16

H
heuristic
    description 17
    scanning 90
humidity 19

I
IMAP description 14
IP-based policies 93

L
logs
    backup 95

M
mail transfer agent 15
mail user agent 15
mailing list 93
management mode 28
modes
    advanced management 28
    basic management 28
MTA description 15
MUA description 15
MX record 14

N
NTP server 85

O
operating temperature 19

P
policies
    IP-based 93
    recipient-based 92
POP3 description 13
profiles
    antispam 91
    antivirus 92
    applying 92
push updates 87

Q
quarantine 91
Quick Start Wizard 28

R
recipient-based policies 92
registering FortiMail unit 7
reject 91, 92
reverting, to an older firmware version 99

S
scheduling updates 87
security certificate 26
server mode
    behind a firewall 66
    described 13
    in front of a firewall 72
    in the DMZ 78
SMTP description 14
subject tag 91
SURBL 91

T
technical support 10
time, configuring 85
transparent mode
    described 12
    in front of an email server 56
    protecting the email hub 60

U
upgrading
    firmware 96
    firmware using the CLI 97, 98
user
    adding 93
    alias 93
    groups 93

V
virtual IP 35

W
white list 88
    description 16
Wizard (Quick Start) 28