FortiMail
Version 3.0 MR2
www.fortinet.com
Contents
Introduction
Register your FortiMail unit
About the FortiMail unit
FortiMail-100
FortiMail-400
FortiMail-2000/2000A
FortiMail-4000/4000A
Installing
Environmental specifications
Cautions and warnings
Grounding
Rack mount instructions
Mounting
FortiMail-100
FortiMail-400
FortiMail-2000A and FortiMail-4000A
Plugging in the FortiMail unit
FortiMail-100
FortiMail-400
FortiMail-2000/A and FortiMail-4000/A
Connecting to the network
Firmware
Backing up the FortiMail information
Back up the configuration
Back up the Bayesian database
Back up the Black/White list database
Back up the FortiMail mail queue
Index
Introduction
Welcome, and thank you for selecting Fortinet products for your real-time network
protection.
The FortiMail Secure Messaging Platform is an integrated hardware and software
solution that provides powerful and flexible antispam, antivirus, email archiving
and logging capabilities to incoming and outgoing email traffic. The FortiMail unit
has reliable and high performance features for detecting and blocking spam
messages and malicious attachments.
Built on the Fortinet award winning FortiOS and FortiAsic technology, the
FortiMail antivirus technology extends full content inspection capabilities to detect
the most advanced email threats.
FortiMail-100
The FortiMail-100 is an easy-to-deploy and easy-to-administer solution that
delivers exceptional value and performance for small office, home office and
branch office applications. The FortiMail-100 delivers reliable and high
performance features to detect, tag, and block spam messages and their
malicious attachments.
FortiMail-400
The FortiMail-400 is optimized for medium sized enterprise customers, delivering
a wealth of reliable and high performance features to detect, tag, and block spam
messages and their malicious attachments. The FortiMail-400 features a
high-performance hardened operating system with RAID storage system for
redundancy and supports a rich set of multi-layered spam detection and filtering
technologies with global and per-user spam policies for maximum configuration
flexibility.
FortiMail-2000/2000A
For larger installations where higher performance and better reliability is required,
the FortiMail-2000/2000A system provides the same software features as the
FortiMail-400, but with a modular chassis with hot swappable components. Ideal
for the most demanding email infrastructures, the FortiMail-2000/2000A system
delivers high performance for large enterprises and service providers, which
includes the performance capability to scan 6.8 million emails per day, with six hot
swappable disk drives with RAID for disk redundancy, and redundant power
supplies and fans. Four 10/100/1000 Base-T interfaces provide the flexibility to
connect into many corporate or service provider environments.
FortiMail-4000/4000A
For larger installations where higher performance and better reliability is required,
the FortiMail-4000/4000A system provides the same software features as the
FortiMail-2000. Ideal for the most demanding email infrastructures, the
FortiMail-4000/4000A system delivers high performance for large enterprises and
service providers, which includes the performance capability to scan 6.8 million
emails per day, with 12 hot swappable disk drives with RAID for disk redundancy,
and redundant power supplies. Two 10/100/1000 Base-T interfaces provide the
flexibility to connect into many corporate or service provider environments.
Email Concepts: Describes the three modes you can select from to operate
the FortiMail unit and briefly describes some email terminology for
administrators and users new to email administration and setup.
Document conventions
The following document conventions are used in this guide:
In the examples, private IP addresses are used for both private and public IP
addresses.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention: Example
Keyboard input: In the Host Name field, type a name for the remote server (for example, Central_Office_1).
Document names
Menu commands
Program output: Welcome!
Variables: <address_ipv4>
FortiMail documentation
Information about the FortiMail unit is available from the following guides:
Email Concepts
If you are new to FortiMail, or new to configuring and managing an email
system, this chapter provides the basic email concepts and terminology you need
to configure your FortiMail unit.
This chapter provides an overview of the FortiMail unit, the modes it supports and
its key features. This chapter will also describe the key terms and concepts that
you will use when configuring your FortiMail unit.
If you are familiar with email concepts and terminology, you can skip to the section
"FortiMail modes" on page 11, which describes the modes of operation available
with FortiMail.
This chapter contains the following:
FortiMail modes
Email protocols
Definitions
FortiMail modes
The FortiMail unit can run in one of three modes:
Gateway mode
Transparent mode
Server mode.
With Gateway and Transparent mode, the FortiMail unit sits between the firewall
and email server and acts as a filter for email passing through it. How you choose
to deploy the FortiMail unit determines which of these modes best suits your
environment.
Of the three modes, Server mode functions very differently from Gateway and
Transparent mode. With Server mode, the FortiMail unit is the email server as
well as the means of scanning the email traffic.
For all modes, the FortiMail unit scans email traffic for viruses and spam, and can
quarantine suspicious email and attachments.
Gateway mode
In gateway mode the FortiMail acts as a fully functional mail relay server. Gateway
mode does not provide local mailboxes but does provide a web user interface for
managing spam filters (black/white list), auto white lists, and per-user Bayesian
database management.
In Gateway mode, the FortiMail unit receives incoming email messages, scans for
viruses and spam, then passes (relays) the email to the email server for delivery.
In this mode, the FortiMail unit can effectively protect your email server as your
email server is not visible to outside users. The FortiMail unit can also archive
email for backup and monitoring purposes.
The FortiMail unit integrates into your existing network with only minor changes to
your network configuration. You must also change your MX record to route
incoming email to the FortiMail unit for scanning.
FortiMail Version 3.0 MR2 Install Guide
06-30002-0234-20071212
[Figure: Gateway Mode (Mail Users (POP3/IMAP/Web Mail), Hub, Mail Server, Internet)]
For example, an ISP deploys a FortiMail unit to protect its customers' mail
servers. Many customers do not want their mail servers to be visible to external
users for security reasons. Therefore, the ISP installs the FortiMail unit in
Gateway mode to satisfy the customers' needs.
The ISP takes advantage of the Gateway mode deployment flexibility and places
the FortiMail unit in the DMZ, while keeping the email server safe behind the
firewall.
For sample configuration information, see the chapter "Configuring gateway
mode" on page 29.
Transparent mode
In Transparent mode, the FortiMail unit acts as a bridge, providing seamless
integration into existing network environments. In Transparent mode, the FortiMail
unit provides a flexible and versatile email scanning solution.
You can place the FortiMail unit in front of the existing email server without any
changes to the existing network topology. This means that all of the FortiMail
interfaces are on the same subnet.
Transparent mode also provides a web user interface for managing spam filters
(black/white list), auto white lists, and per-user Bayesian database management.
[Figure: Mail Server, Mail Users (POP3/IMAP/Web Mail)]
For example, a company wants to install a FortiMail unit to protect its mail server.
The company installs the FortiMail unit in Transparent mode to avoid changing its
MX record to route email to the FortiMail unit, and to simply act as a filter for spam
and virus related email.
With this mode, the company's end users do not need to change the mail server
setting on their email client. The company also wants its mail server to be visible
to the users to increase the company's popularity.
For sample configuration information, see the chapter "Configuring transparent
mode" on page 55.
Server mode
In server mode the FortiMail unit is a fully functional SMTP, IMAP, POP3 mail
server with local mail boxes and an optional WebMail user interface. In addition,
the FortiMail Server provides antivirus, antispam, email archiving, and logging
and reporting services.
For sample configuration information, see the chapter "Configuring server mode"
on page 65.
Email protocols
An email protocol is a standard method for two ends of a communication channel
to transmit and receive information. There are three standard email protocols,
POP3, IMAP and SMTP. Each has its own pros and cons, as well as application
uses.
POP3
The Post Office Protocol (version 3) enables email users to retrieve their email
stored on a mail server. Once the email application retrieves the messages, the
server removes them from the server's hard disk. POP3 transmissions
occur over port 110 by default.
The advantage of POP3 is that users download their email to their local machine,
releasing hard disk space from the server. The disadvantage is that the mail resides
on a single computer. Users who use an alternate computer to check email cannot
access the mail they previously viewed and downloaded.
The FortiMail unit supports the POP3 protocol on port 110 in server mode only. If
necessary, you can change the default port in the Mail Settings > Settings menu.
IMAP
Internet Message Access Protocol is a method of accessing email messages kept
on a remote mail server without downloading the messages to the user's local
computer. All messages remain on the email server's hard disk. With IMAP, only
the headers of email messages are downloaded to the user's email application
inbox on their computer.
The advantage of this is that it enables a user to access new and saved
messages at any time from more than one computer. This is especially useful in
situations where more than one person may need to look at an inbox, such as a
technical support inbox where a number of technicians monitor for incoming
questions.
The disadvantage of IMAP storing email messages is the large storage capacity
required for storing email and attachments. To free up disk space requires email
users to manually clean their inbox.
The FortiMail unit supports the IMAP protocol on port 143 in server mode only.
SMTP
Simple Mail Transfer Protocol is the standard for sending email between two email
servers using port 25.
When a user sends an e-mail, a connection between the sending server and the
receiving server is established. Both servers communicate to determine whether
the recipient user exists, and if the e-mail can be sent. If the email address is
legitimate then the transfer of data/email message follows.
FortiMail only supports SMTP authentication because it has no local user
accounts. Instead, it uses external server types to authenticate e-mail such as
POP3. SMTP authentication is enabled during the installation process in server
mode only.
FortiMail also supports SMTP over SSL/TLS which allows for the exchange of
encrypted mail. This feature is available in all three modes.
Definitions
When you configure the FortiMail unit by following the steps in the subsequent
chapters of this guide, there are a number of terms that you should be familiar with
before proceeding.
MX record
Mail Exchange (MX) records are used to route e-mails to specific destinations. An
MX record is an entry in a domain name database such as a Domain Name System
(DNS) server. A DNS server acts much like a phone book containing data on how to
reach different domains, and it is usually made accessible by internet service
providers (ISPs). If a local DNS server exists, MX records can be added or
changed on the DNS server using one of several user interfaces depending on the
operating system used.
A record
The A record is an entry that assigns an internet protocol (IP) address to a
domain name, much like a phone number is assigned to a specific name in a
phone book entry. IP addresses are used to locate devices such as computers
and servers. A records are stored and configured on the DNS server. The
administrator can configure these records using one of several user interfaces
depending on the operating system used.
Before e-mail is sent out, the sender's mail server looks up the recipient's MX and A
records in the DNS server. Then, using the A record entry, the email server sends
the email to the recipient using the corresponding domain name's IP address.
Example of an A record:
(docs.example.com IN A 203.254.581)
MTA
The Mail Transfer Agent is a software agent or mail server that transfers e-mail
messages from one computer to another. It works in the background and in
conjunction with email clients.
In order to deliver e-mail to the right recipient, the MTA looks up the MX Record
and the corresponding A Records in the DNS server.
FortiMail functions as an MTA or fully functional SMTP, IMAP, POP3 mail server
when configured in server mode. It provides local mail boxes and optional Web
Mail user interfaces.
MUA
The Mail User Agent refers to a computer application or e-mail client such as
Outlook Express that enables users to send and receive e-mail.
The FortiMail unit provides a web-based email client interface. However, FortiMail
can also be used with any other type of e-mail client, as well as with web-based
email clients.
Grey lists
Grey listing is a means of reducing spam in a relatively low maintenance manner.
There are no IP address lists, email lists, or word lists to keep up to date. The only
required list is automatically maintained by the FortiMail unit.
When examining an email message, the grey list routine looks at three message
attributes: the sender address, the recipient address, and the IP address of the
mail server delivering the message. More specifically, the grey list routine
examines the envelope from (MAIL FROM:), the envelope recipient (RCPT TO:), and
the sender IP. If the grey list routine doesn't have a record of a message with
these three values, the message is refused and a temporary error is reported to
the server attempting delivery. If the sending server sends the message again
within a specific time frame, the FortiMail unit will consider the email valid and add
it as an accepted sender. If further attempts are not made, the FortiMail unit
considers it a spammer.
The grey list feature has two compelling attributes:
Spam detection routines do not have to be run on mail stopped by grey listing.
This can save significant processing and storage resources.
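The grey list decision described above, as an added Python sketch (not FortiMail code). The class name, the SMTP reply strings, the sample addresses and both timing values are assumptions; the minimum delay before a retry counts is a common greylisting refinement that the guide does not mention.

```python
from dataclasses import dataclass, field

ACCEPT = "250 OK"
TEMPFAIL = "451 4.7.1 Greylisted, try again later"  # temporary (4xx) SMTP error


@dataclass
class Greylist:
    # Assumed timings: the guide only says "a specific time frame".
    min_delay: float = 60.0            # retries sooner than this are still refused
    retry_window: float = 4 * 3600.0   # retries later than this start over
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    accepted: set = field(default_factory=set)    # triplets that retried in time

    @staticmethod
    def triplet(mail_from, rcpt_to, client_ip):
        """Normalise the three attributes the grey list routine examines."""
        return (mail_from.strip().lower(), rcpt_to.strip().lower(),
                client_ip.strip())

    def check(self, mail_from, rcpt_to, client_ip, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        key = self.triplet(mail_from, rcpt_to, client_ip)
        if key in self.accepted:
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            # Unknown triplet, or the retry came too late: (re)start the clock.
            self.pending[key] = now
            return TEMPFAIL
        if now - first_seen < self.min_delay:
            # Immediate re-send: keep the original first-seen time and refuse.
            return TEMPFAIL
        del self.pending[key]
        self.accepted.add(key)
        return ACCEPT

    def never_retried(self, now):
        """Pending triplets whose retry window has lapsed without a valid retry."""
        return sorted(k for k, t in self.pending.items()
                      if now - t > self.retry_window)


# Constructed delivery attempts: (seconds, MAIL FROM, RCPT TO, sender IP).
ATTEMPTS = [
    (0,    "news@list.example", "user@company.example", "192.0.2.10"),
    (5,    "x1@bulk.example",   "user@company.example", "198.51.100.7"),
    (900,  "news@list.example", "user@company.example", "192.0.2.10"),  # MTA retry
    (7200, "News@List.example", "user@company.example", "192.0.2.10"),  # later mail
]


def replay(attempts, greylist=None):
    """Feed attempts through a Greylist; return the reply codes and the list."""
    gl = Greylist() if greylist is None else greylist
    codes = [gl.check(f, r, ip, now=t)[:3] for t, f, r, ip in attempts]
    return codes, gl


if __name__ == "__main__":
    codes, gl = replay(ATTEMPTS)
    print(codes)
    print(gl.never_retried(now=20000))
```

A legitimate MTA queues the message and retries after the 451 reply, so only the first message from a new triplet is delayed.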
Bayesian scanning
Bayesian scanning is a method of teaching the FortiMail unit what is a spam email
and what is not. Bayesian training uses Bayes' theorem of probability. Using this
theorem the spam filters take into account the type of words used in spam
messages versus those that are not. For every word in these email messages, it
calculates the probability of a scanned message being spam based on the
proportion of spam occurrences.
Bayesian training is a manual process by the admin or email users. For each
email received, an email user will tell the filter whether it is a good email, spam,
or a false positive. The more training, that is, the more a user sends email
indicating its status, the more efficient the spam filter will be.
For details on setting up Bayesian training, see "Bayesian scanning" on page 90.
Heuristic scanning
While Bayesian training is a manual procedure of teaching the spam filters what to
look for in email messages, heuristic filtering uses a scoring
technique based on predetermined terms and words. The rules are broken down
into 5 categories: header, body, raw body, URI, and metadata. Each rule has an
individual score used to calculate the total score for an email. To determine if an
email is spam, the heuristic filter looks at an email message and adds the score
for each rule that applies to get a total score for that email. If the total is greater
than or equal to the upper threshold, the mail is classified as spam and processed
accordingly.
For more information on configuring Heuristic scanning, see "Heuristic scanning"
on page 90.
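The scoring scheme described above, as an added Python sketch (not FortiMail's rule set). The five rules, their scores, the threshold of 5.0 and the sample messages are constructed for illustration, and the reading of each category (in particular "metadata" as properties of the message such as attachment names) is an assumption.

```python
import re
from email import message_from_string
from email.message import EmailMessage


def features(raw):
    """Split a raw message into the five views the rule categories test."""
    msg = message_from_string(raw)
    raw_parts, text_parts, attachments = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments.append(part.get_filename().lower())
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        raw_parts.append(text)                      # markup still present
        if part.get_content_type() == "text/html":
            text = re.sub(r"<[^>]+>", " ", text)    # what the reader sees
        text_parts.append(text)
    raw_body = "\n".join(raw_parts)
    return {
        "header": msg,
        "body": " ".join(" ".join(text_parts).split()),
        "raw body": raw_body,
        "URI": re.findall(r"https?://[^\s\"'<>]+", raw_body),
        "metadata": {"attachments": attachments, "size": len(raw)},
    }


# Constructed rules: (category, name, score, test on that category's view).
RULES = [
    ("header", "SUBJECT_ALL_CAPS", 1.0,
     lambda h: str(h.get("Subject", "")).isupper()),
    ("body", "URGENCY_PHRASE", 1.5,
     lambda b: re.search(r"\b(act now|winner)\b", b, re.I) is not None),
    ("raw body", "HIDDEN_HTML_TEXT", 1.0,
     lambda r: re.search(r"display\s*:\s*none", r, re.I) is not None),
    ("URI", "IP_LITERAL_HOST", 2.0,
     lambda uris: any(re.match(r"https?://\d{1,3}(\.\d{1,3}){3}([:/]|$)", u)
                      for u in uris)),
    ("metadata", "EXECUTABLE_ATTACHMENT", 2.5,
     lambda m: any(a.endswith((".exe", ".scr")) for a in m["attachments"])),
]


def classify(raw, threshold=5.0):
    """Add the score of every rule that applies; spam if total >= threshold."""
    feats = features(raw)
    hits = [(name, score) for cat, name, score, test in RULES if test(feats[cat])]
    total = sum(score for _, score in hits)
    return {"total": total, "hits": [n for n, _ in hits], "spam": total >= threshold}


def sample_spam():
    """Constructed message that trips one rule in each category."""
    m = EmailMessage()
    m["From"] = "promo@sender.example"
    m["To"] = "user@company.example"
    m["Subject"] = "YOU ARE A WINNER"
    m.set_content("You are a winner. Act now to claim.")
    m.add_alternative('<p>Act now:\n<a href="http://192.0.2.7/claim">claim</a></p>\n'
                      '<span style="display:none">filler text</span>\n',
                      subtype="html")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="prize.exe")
    return m.as_string()


def sample_ham():
    """Constructed ordinary message that trips no rule."""
    m = EmailMessage()
    m["From"] = "colleague@company.example"
    m["To"] = "user@company.example"
    m["Subject"] = "Meeting notes"
    m.set_content("The notes are at https://intranet.company.example/notes")
    return m.as_string()


if __name__ == "__main__":
    print(classify(sample_spam()))
    print(classify(sample_ham()))
```

The hidden-text rule only fires on the raw body because the tag stripping used for the body view removes the style attribute it looks for.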
Installing
This chapter provides information on mounting and connecting the FortiMail unit
to your network. This chapter includes the following topics:
Environmental specifications
Mounting
Environmental specifications
Air flow - For rack installation, make sure that the amount of air flow required
for safe operation of the equipment is not compromised.
For free-standing installation, make sure that the FortiMail unit has sufficient
clearance on each side to allow for adequate air flow and cooling.
Grounding
Mounting
FortiMail-100
Adhere the rubber feet included in the package to the underside of the FortiMail
unit, near the corners of the unit if not already attached.
Place the FortiMail unit on any flat, stable surface. Ensure the FortiMail unit has
sufficient clearance on each side to ensure adequate airflow for cooling.
FortiMail-400
The FortiMail unit can be placed on any flat surface, or mounted in a standard
19-inch rack unit.
When placing the FortiMail unit on any flat, stable surface, ensure the FortiMail
unit has sufficient clearance on each side to ensure adequate airflow for cooling.
For rack mounting, use the mounting brackets and screws included with the
FortiMail unit.
Caution: To avoid personal injury, you may require two or more people to install the
unit in the rack.
Attach the mounting brackets to the sides of the unit so that the brackets are on the
front portion of the FortiMail unit. Ensure that the screws are tight.
The following photos illustrate how the brackets should be mounted. Note that the
screw configuration may vary.
Figure 3: Installed mounting brackets
Position the FortiMail unit in the rack to allow for sufficient air flow.
Line up the mounting bracket holes to the holes on the rack, ensuring the FortiMail
unit is level.
Finger tighten the screws to attach the FortiMail unit to the rack.
Once you verify the spacing of the FortiMail unit and that it is level, tighten the
screws with a screwdriver. Ensure that the screws are tight and not loose.
Figure 4: Mounting in a rack
Caution: To avoid personal injury or damage to the FortiMail unit, it is highly recommended
a minimum of two people perform this procedure.
Extend the slide rail and locate the slide rail lock.
Push down on the lock while pulling the rail completely out of the slide rail
assembly.
Mount the slide rail housing to the rack or cabinet frame. Adjust the outside
L-shaped brackets for a proper fit. Ensure that both housings are on the same
level to ensure the FortiMail unit can easily glide into place and is level.
Use the screws and additional L-brackets if required to securely fasten the
housing.
Position the FortiMail unit so that the back of the unit is facing the rack, and the
slide rails affixed in the previous step line up with the slide rail housing.
Gently push the FortiMail unit into the rack or cabinet. You will hear a click when
the slide rail lock has been engaged.
Push the FortiMail unit until it is fully inserted into the rack.
Connect the AC adapter to the power connection at the back of the FortiMail unit.
FortiMail-400
Use the following steps to connect the power supply to the FortiMail unit.
To power on the FortiMail unit
Ensure the power switch, located at the back of the FortiMail unit, is in the off
position, indicated by the O.
Set the power switch on the back left of the FortiMail unit to the on position
indicated by the I.
After a few seconds, SYSTEM STARTING appears on the LCD. The main menu
setting appears on the LCD when the system is running.
Connect the power cables to the power connections on the back of the
FortiMail unit.
In the System Command display, select Shutdown, or from the CLI enter:
execute shutdown
Turn off and/or disconnect the power cables from the power supply.
Web-based manager
You can configure and manage the FortiMail unit using HTTP or a secure HTTPS
connection from any computer using a recent browser.
You can use the web-based manager to configure most FortiMail settings, and
monitor the status of the FortiMail unit.
Use the following procedure to connect to the web-based manager for the first
time. Configuration changes made with the web-based manager are effective
immediately, without interrupting service.
To connect to the web-based manager, you require:
Set the IP address of the computer with an Ethernet connection to the static IP
address 192.168.1.2 with a netmask of 255.255.255.0.
Using the crossover cable or the Ethernet hub and cables, connect the internal
interface of the FortiMail unit to the computer Ethernet connection.
Note: The following procedure uses Microsoft Windows HyperTerminal software. You can
apply these steps to any terminal emulation program.
Connect the console cable to the communications port of your computer and to
the FortiMail console port.
Start HyperTerminal, enter a name for the connection and select OK.
Data bits
Parity: None
Stop bits
Flow control: None
default gateways
operating modes
The front control buttons control how you enter and exit the different menus when
configuring the different ports and interfaces. The front control buttons also
enable you to increase or decrease each number for configuring IP addresses,
default gateway addresses, or netmasks. The following table defines each button
and what it does when configuring the basic settings of your FortiMail unit.
Esc: Enables you to move backward, or exit out of the menu you are in.
Up: Allows you to increase the number for an IP address, default gateway address or netmask.
Down
Management modes
FortiMail running version 3.0 MR2 and higher of the operating system includes
two management modes: basic and advanced. Depending on your familiarity with
configuring network email or email appliances, select the mode that best suits
your abilities. You can switch between modes at any time without losing any
settings. Basic mode enables you to configure the minimum settings to enable
antispam and antivirus protection to your network email. Advanced mode provides
more robust options, including user configuration, and more detailed antispam
and antivirus options. You can use either management mode in all the FortiMail
operating modes.
[Figure: network diagram showing Email Server, Switch, Internal, External, Internet, Router, Firewall, DNS Server]
[Worksheet: blank IP and Netmask fields for each port (Port 2 to Port 6 are labelled), Default Gateway, and Network settings]
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet (address range) as the
network and cannot use the same address as another device or computer on the
network.
Select OK.
If you changed the IP address of the interface that you are connecting to manage
the FortiMail unit, you must reconnect to the web-based manager using the new
IP address.
Select DHCP.
If required, select Retrieve default gateway and DNS from server to disable this
option.
Select OK.
Configuring DNS
You need to configure Domain Name System (DNS) server addresses so that
FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your internet service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches
domain names with the computer IP address. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
Select Apply.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP, the FortiMail unit configures a default route
automatically.
The gateway address for the route is on the same network as port 1.
You need to configure additional routes if any of your email servers are on a
different subnet. The gateway you specify is the address of the next hop router
that connects to the required network.
To configure routing
Select OK.
Host Name
Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's Fully Qualified
Domain Name (FQDN) is <Host Name>.<Local Domain Name>.
For example mailsvr.company.com
Enter the SMTP port number. The default and standard SMTP
port number is 25.
The default port number is 465. This allows the encrypted SMTP
traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Enter the relay server port number if your ISP provides a relay
email server.
mail.exampledom.com
Current MX record
IN MX <n> mail.exampledom.com
FortiMail hostname
fm.exampledom.com
FortiMail IP address
172.16.15.2
The A record
The second line in the above example is
fm.exampledom.com IN A 172.16.15.2
Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email
quarantine, Bayesian database training, spam reports, and DSN notifications. A
sub domain of the protected domain is recommended for the local domain
because of the domain registration savings.
To add a domain
Enter the domain name including the suffix. For example, company.com.
Enter the IP address or name of the SMTP Server and port number if different
than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is so that it can route mail to it.
Select OK.
accounting.company.com
dev.company.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
Enter the domain name including the suffix. For example, company.com.
Enter the IP address of the SMTP Server and port number if different than the
default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is so that it can route mail to it.
Select Is Subdomain.
Select OK.
With the FortiMail unit behind the FortiGate firewall, you must configure firewall
policies on the FortiGate unit to ensure that incoming SMTP traffic goes to the
FortiMail Gateway before reaching the email server.
To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for
the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, the
FortiGate unit automatically directs the message to the internal IP address of the
FortiMail unit.
This allows the FortiMail unit to perform antivirus scanning, antispam filtering, and
email archiving on the SMTP traffic.
External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Type
External IP Address/Range
Mapped IP Address/Range

Source Address Name: ALL
Destination Interface/Zone
Destination Address Name: Select the FortiMail name from the list under Virtual IP.
Schedule: Select ALWAYS.
Service: Select ALL.
Action: Select ACCEPT.

Source Address Name: Select the FortiMail name from the list under Virtual IP.
Destination Interface/Zone
Schedule: Select ALWAYS.
Service: Select ALL.
Action: Select ACCEPT.
Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that you can send and receive email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.
[Figure: network diagram. Labels: Email Server, Internal, External, Switch, Internet, Router, Firewall, DNS Server]
[Worksheet (blank form): Network settings. IP and Netmask for each port, including Port 2 to Port 6, and the Default Gateway]
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Select OK.
If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.
Select DHCP.
If required, select Retrieve default gateway and DNS from server to disable this
option.
Select OK.
Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1
Select Apply.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP, the FortiMail unit configures a default route
automatically.
The gateway address for the route is on the same network as port 1.
You need to configure additional routes if any of your email servers are on a
different subnet. The gateway you specify is the address of the next hop router
that connects to the required network.
To configure routing
1
Select Create New to add a new route or select Modify to change the default.
Select OK.
Host Name
Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's Fully Qualified
Domain Name (FQDN) is <Host Name>.<Local Domain Name>.
For example mailsvr.company.com
Enter the SMTP port number. The default and standard SMTP
port number is 25.
The default port number is 465. This allows the encrypted SMTP
traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Enter the relay server port number if your ISP provides a relay
email server.
Email server: mail.exampledom.com
Current MX record: IN MX <n> mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2
The A record
The second line in the above example is
fm.exampledom.com IN A 172.16.15.2
FortiMail Version 3.0 MR2 Install Guide
06-30002-0234-20071212
Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email
quarantine, Bayesian database training, spam reports, and DSN notifications. A
sub domain of the protected domain is recommended for the local domain
because of the domain registration savings.
To add a domain
1
Enter the domain name including the suffix. For example, company.com.
Enter the IP address or name of the SMTP Server and port number if different
than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
Select OK.
accounting.company.com
dev.company.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
Enter the domain name including the suffix. For example, company.com.
Enter the IP address of the SMTP Server and port number if different than the
default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
Select Is Subdomain.
Select OK.
Type
Interface
Type
Interface
Select the interface for the FortiGate unit connected to the email
server.
Next, create the incoming email firewall policy so the email from the FortiMail
unit goes to the email server.
Destination Interface/zone
Destination Address Name
Schedule
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
Source Address Name
Select ALL so that all users can send email messages through
the policy.
Destination Interface/zone
Destination Address Name
Schedule
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.
[Figure: network diagram. Labels: Email Server, Internal, Switch, External, DMZ, Internet, Router, DNS Server]
[Worksheet (blank form): Network settings. IP and Netmask for each port, including Port 2 to Port 6, and the Default Gateway]
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to the DMZ interface of the firewall
appliance. The IP address of Port 1 must be on the same subnet as the DMZ
network and cannot use the same address as another device or computer on the
network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP if the network supports it.
Select OK.
If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.
Select DHCP.
If required, select Retrieve default gateway and DNS from server to disable this
option.
Select OK.
Configuring DNS
You need to configure Domain Name System (DNS) server addresses so that
the FortiMail unit can send and receive email. DNS server IP addresses are typically
provided by your internet service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1
Select Apply.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the
FortiMail unit to contact the DNS server. If you configured your interfaces
dynamically using DHCP, the FortiMail unit configures a default route
automatically.
The gateway address is the IP address of the firewall interface on the same
network as this FortiMail interface.
To configure routing
1
Select Create New to add a new route or select Modify to change the default.
Select OK.
Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's Fully Qualified
Domain Name (FQDN) is <Host Name>.<Local Domain Name>.
For example mailsvr.company.com
Enter the SMTP port number. The default and standard SMTP
port number is 25.
The default port number is 465. This allows the encrypted SMTP
traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Enter the relay server port number if your ISP provides a relay
email server.
In order to route incoming email through the FortiMail unit for scanning, you need
to register a Fully Qualified Domain Name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
Route incoming email to the FortiMail unit by changing the MX record to point to
the FortiMail domain rather than the email server.
For example, using the information from the table below, change the existing MX
record currently pointing to the email server, to point to the FortiMail unit.
Email server: mail.exampledom.com
Current MX record: IN MX <n> mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2
The A record
The second line in the above example is
fm.exampledom.com IN A 172.16.15.2
This is an address record, commonly called an A record. It is a type of DNS
entry that assigns an IP address to a domain name.
Before email is sent out, the sender's mail server looks up the MX and A records
for the recipient in the DNS server. Then, using the A record entry, the
email is sent to the recipient at the corresponding domain name's IP address.
Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email
quarantine, Bayesian database training, spam reports, and DSN notifications. A
sub domain of the protected domain is recommended for the local domain
because of the domain registration savings.
To add a domain
1
Enter the domain name including the suffix. For example, company.com.
Enter the IP address or name of the SMTP Server and port number if different
than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
Select OK.
accounting.company.com
dev.company.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
Enter the domain name including the suffix. For example, company.com.
Enter the IP address of the SMTP Server and port number if different than the
default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
Select Is Subdomain.
Select OK.
Name
Type
Interface
Type
Interface
Select the interface for the FortiGate unit connected to the internal
network.
Next, create the incoming email firewall policies. Two policies are required for the
incoming mail. The first routes the email from the external interface of the FortiGate
unit to the DMZ interface where the FortiMail unit is. The second enables
email scanned by the FortiMail unit to go from the DMZ interface to the internal
interface on the network.
To configure the incoming policy from the external interface to the DMZ
interface, on the FortiGate unit
1
Destination
Interface/zone
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
To configure the incoming policy from the DMZ interface to the internal
interface, on the FortiGate unit
1
Destination
Interface/zone
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
Select ALL so that all users can send email messages through the
policy.
Destination
Interface/zone
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
To configure the outgoing policy from the DMZ interface to the external
interface, on the FortiGate unit
Destination
Interface/zone
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.
Select Apply.
The FortiMail unit reboots and resets all configuration to the factory defaults.
[Figure: network diagram. Labels: Mail Server, Mail Users (POP3/IMAP/Web Mail)]
[Worksheet (blank form): IP, Netmask and Default Gateway]
Select Apply.
Reconnect to the web-based manager using the new management IP address.
Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
In simple terms, DNS acts as a phone book for the Internet. A DNS server matches
domain names with computer IP addresses. This enables you to use readable
locations, such as fortinet.com. The DNS server translates this name to a mail
exchange server IP address to deliver an email message.
To add DNS server IP addresses
1
Select Apply.
Configuring routing
At a minimum, you need to define a route that enables the FortiMail unit to contact
the DNS server. You need to configure additional routes if any of your email
servers are on a different network than the FortiMail unit and the DNS server. The
gateway you specify is the address of the next hop router that connects to the
required network.
To configure FortiMail unit routing
1
Select OK.
Enter the local domain name. It must be different from the domain
name of your email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
Enter the SMTP port number. The default SMTP port number
is 25.
The default port number is 465. This allows the encrypted SMTP
traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
The local domain name will be used by many FortiMail features such as email
quarantine, Bayesian database training, spam reports, and DSN notifications. A
sub domain of the protected domain is recommended for the local domain
because of the domain registration savings.
To add a domain
1
Enter the domain name including the suffix. For example, company.com.
Enter the IP address or name of the SMTP Server and port number if different
than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
Select OK.
accounting.company.com
dev.company.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
Enter the domain name including the suffix. For example, company.com.
Enter the IP address of the SMTP Server and port number if different than the
default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
Select Is Subdomain.
Select OK.
Configuring proxies
Proxy servers act as a buffer between the network and the Internet. Proxy servers
between user workstations and the Internet provide security and administrative
control, and access to resources stored on the proxy.
In transparent mode, the SMTP proxy settings determine whether email is
dropped, passed through, or proxied. These settings apply to all email except
those destined for the FortiMail unit itself, such as email from users requesting
deletion or release of quarantined email.
Email can be scanned only if it is proxied. The FortiMail unit receives the
email, scans it and (if the email passes the scan) relays it to the email server.
You configure proxy operation separately for incoming and outgoing email traffic.
Regardless of the destination email address, email passing from the network to
the back end email server is considered incoming and email passing from the
back end email server to the network is considered outgoing.
For a typical transparent mode installation, the default proxy options are
appropriate. Should you need to modify the proxies, go to Mail Settings >
Proxies to configure the email connections through the ports. For details on the
proxy settings, see the FortiMail Administration Guide.
Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that you can send and receive email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.
[Figure: network diagram. Labels: Router, Internet, Port 1, Head Office, Mail Server Hub, WAN, Port 2, Mail Server Domain A, Mail Server Domain B]
[Worksheet (blank form): IP, Netmask and Default Gateway]
Select Apply.
Reconnect to the web-based manager using the new management IP address.
Configuring DNS
You need to configure DNS server addresses so that FortiMail can send and
receive email. DNS server IP addresses are typically provided by your internet
service provider.
A DNS server matches domain names with the computer IP address. This
enables you to use readable locations, such as fortinet.com. The DNS server
translates this name to a mail exchange server IP address to deliver an email
message. In simple terms, it acts as a phone book for the Internet.
To add DNS server IP addresses
1
Select Apply.
Configuring routing
At a minimum, you need to define a route that enables the FortiMail unit to contact
the DNS server. You need to configure additional routes if any of your email
servers are on a different network than the FortiMail unit and the DNS server. The
gateway you specify is the address of the next hop router that connects to the
required network.
To configure FortiMail unit routing
1
Select OK.
Enter the local domain name. It must be different from the domain
name of the hub email server. The FortiMail unit's FQDN is <Host
Name>.<Local Domain Name>.
Enter the SMTP port number. The default SMTP port number
is 25.
The default port number is 465. This allows the encrypted SMTP
traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects.
Usually, you configure at least one domain as part of your installation. You can
add more domains or modify the settings of existing ones as needed.
It is good form to configure a local domain name that is different from the domain
name of your back end mail server. The local domain name will be used by many
FortiMail features such as email quarantine, Bayesian database training, spam
reports, and DSN notifications. A sub domain of the protected domain is
recommended for the local domain because of the domain registration savings.
To add a domain
1
Enter the domain name including the suffix. For example, company.com.
Enter the IP address or name of the SMTP Server and port number if different
than the default 25.
Entering the email server IP address or server name tells the FortiMail gateway
where the email server is, so that it can route mail to it.
Select OK.
accounting.company.com
dev.company.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
Enter the domain name including the suffix. For example, company.com.
Enter the IP address of the SMTP Server and port number if different than the
default 25.
Entering the email server IP address tells the FortiMail gateway where the email
server is, so that it can route mail to it.
Select Is Subdomain.
Select OK.
The FortiMail unit must relay all email, both outgoing and incoming, through the
head office email hub. You must ensure that the FortiMail unit passes the email to the
correct domain email server.
After configuring the domain, edit the domain information to configure additional
settings to make the FortiMail unit transparent to the email servers.
To configure the transparent options
Go to the Transparent Mode Options section, configure the following settings and
select OK:
This server is on
Select the port connected to the email server hub. In this example,
it is port 1.
Hide the transparent box
Select to enable the FortiMail unit to hide its presence by using
the IP address of the domain email server or client as required.
Use the domain server to deliver the email
Configuring proxies
Proxy servers act as a buffer between the network and the Internet. Proxy servers
between user workstations and the Internet provide security and administrative
control, and access to resources stored on the proxy.
In transparent mode, the SMTP proxy settings determine whether email is
dropped, passed through, or proxied. These settings apply to all email except
those destined for the FortiMail unit itself, such as email from users requesting
deletion or release of quarantined email.
Email can be scanned only if it is proxied. The FortiMail unit receives the
email, scans it and (if the email passes the scan) relays it to the email server.
You configure proxy operation separately for incoming and outgoing email traffic.
Regardless of the destination email address, email passing from the network to
the back end email server is considered incoming and email passing from the
back end email server to the network is considered outgoing.
This example requires the FortiMail interface to act as a proxy so that the FortiMail
unit can scan email passing through to the email. Also, the email must simply pass
through the FortiMail unit when the hub email server relays an email message to
another domain email server on the network or on the Intranet. It is also important
to prevent SMTP clients using the FortiMail unit itself as an SMTP server. The
proxy settings will enable this flexibility.
To configure SMTP proxy settings
1
are allowed
Port 2
Incoming SMTP connections
are proxied
are proxied
Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that you can send and receive email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.
In order to route incoming email through the FortiMail unit for scanning, you need
to register a Fully Qualified Domain Name (FQDN), for example,
fm.exampledom.com, and a global IP address for the FortiMail unit.
For example, using the information from the table below, configure the MX record
to point to the FortiMail email server.
Email server: mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2
For example:
IN MX <n> fm.exampledom.com
fm.exampledom.com IN A 172.16.15.2
The A record
The second line in the above example is
fm.exampledom.com IN A 172.16.15.2
This is an address record, commonly called an A record. It is a type of DNS
entry that assigns an IP address to a domain name.
Before email is sent out, the sender's mail server looks up the MX and A records
for the recipient in the DNS server. Then, using the A record entry, the
email is sent to the recipient at the corresponding domain name's IP address.
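The MX and A record layout described here, and the MX change described for gateway mode earlier, can be checked against the zone data before and after the cutover. The following is an added example, not part of the FortiMail guide: it parses zone-file lines and reports any MX record that still directs mail around the FortiMail unit, or a FortiMail A record that does not match. The function names, the MX preference values and the 172.16.15.3 mail server address are assumptions made for illustration.

```python
"""Audit MX/A records for the mail-gateway layout described above (added example)."""
import ipaddress

KEYWORDS = {"IN", "MX", "A"}


def norm(name):
    """Compare names case-insensitively and without the trailing root dot."""
    return name.lower().rstrip(".")


def parse_records(text, default_owner):
    """Parse MX and A lines into (owner, type, rdata) tuples.

    Assumption: names are written fully qualified, as in the guide's examples;
    $ORIGIN-relative names are not expanded. A line with no owner name
    (e.g. "IN MX 10 host") inherits the previous owner, or default_owner.
    """
    records, owner = [], norm(default_owner)
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()       # drop ';' comments
        if not fields:
            continue
        if not raw[0].isspace() and fields[0].upper() not in KEYWORDS:
            owner = norm(fields.pop(0))
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                            # optional TTL and class
        if len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "MX" and len(rdata) == 2 and rdata[0].isdigit():
            records.append((owner, "MX", (int(rdata[0]), norm(rdata[1]))))
        elif rtype == "A":
            try:
                records.append((owner, "A", str(ipaddress.IPv4Address(rdata[0]))))
            except ipaddress.AddressValueError:
                continue                             # malformed address: skip the line
    return records


def audit_mail_routing(records, domain, gateway_host, gateway_ip):
    """Return (code, detail) findings. An empty list means every MX record points
    at the gateway and the gateway name resolves to the expected address."""
    domain, gateway_host = norm(domain), norm(gateway_host)
    findings = []
    mx = sorted(rd for owner, rtype, rd in records if rtype == "MX" and owner == domain)
    if not mx:
        findings.append(("NO_MX", domain))
    # A sending server may use any listed MX host, so every MX target other than
    # the gateway is a path on which mail reaches the email server unscanned.
    for pref, target in mx:
        if target != gateway_host:
            findings.append(("MX_BYPASS", f"{pref} {target}"))
    addrs = {rd for owner, rtype, rd in records if rtype == "A" and owner == gateway_host}
    if not addrs:
        findings.append(("GATEWAY_NO_A", gateway_host))
    elif addrs != {gateway_ip}:
        findings.append(("GATEWAY_A_MISMATCH", ", ".join(sorted(addrs))))
    return findings


# Constructed sample zones. The names and 172.16.15.2 come from the guide's example;
# the preference values and the mail server address 172.16.15.3 are made up.
ZONE_BEFORE = """\
exampledom.com.       IN MX 10 mail.exampledom.com.
mail.exampledom.com.  IN A  172.16.15.3
"""

ZONE_AFTER = """\
IN MX 10 fm.exampledom.com          ; owner omitted, as the guide writes it
fm.exampledom.com IN A 172.16.15.2
mail.exampledom.com IN A 172.16.15.3
"""

ZONE_LEFTOVER = """\
exampledom.com.  3600 IN MX 10 fm.exampledom.com.
                 3600 IN MX 20 mail.exampledom.com.  ; old record kept as "backup"
fm.exampledom.com.    IN A 172.16.15.2
mail.exampledom.com.  IN A 172.16.15.3
"""


def check(zone_text):
    """Audit one zone text against the guide's example names and address."""
    recs = parse_records(zone_text, "exampledom.com")
    return audit_mail_routing(recs, "exampledom.com", "fm.exampledom.com", "172.16.15.2")


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER),
                        ("leftover", ZONE_LEFTOVER)):
        print(label, check(zone) or "OK")
```

The leftover case is the one worth looking for after a migration: a lower-priority MX record still naming the email server leaves a delivery path that skips scanning.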
[Figure: network diagram. Labels: Switch, Internal, External, Internet, Router, Firewall, DNS Server]
[Worksheet (blank form): Network settings. IP and Netmask for each port, including Port 2 to Port 6, and the Default Gateway]
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP if the network supports it.
Select OK.
If you changed the IP address of the interface that you are connected to, you must
reconnect to the web-based manager using the new IP address.
If required, select Retrieve default gateway and DNS from server to disable this
option.
Select OK.
Enter the default gateway address. The default gateway address will be the
firewall interface on the same network as the FortiMail interface.
Select Apply.
Enter the port number for the POP3 server. The default is 110.
Enter the SMTP port number. The default SMTP port number
is 25.
The default port number is 465. You can change it if needed. This
allows the encrypted SMTP traffic to pass through the SMTPS
Server Port. SMTP over SSL/TLS must be enabled.
SMTP Authentication
Select to enable authentication. When a user logs into the SMTP
server, they require a user name and password.
Select the blue arrow for Relay server to expand the options.
Enter a relay server name, port and authentication if your ISP provides a relay
email server.
Select Apply.
Adding a domain
Create a domain entry for the server. Ensure you use the same domain you used
when setting up the MX record.
To add a domain
1
Enter the domain name including the suffix. For example, company.com.
Select OK.
accounting.example.com
dev.example.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
Select Is Subdomain and select the main domain the local domain is a part of.
Select OK.
Password
Display Name
Enter the name that appears in the email client as the sender.
Type
Interface
Destination Interface/zone
Destination Address Name
Select the FortiMail unit address from the list.
Schedule
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
Destination
Interface/zone
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.
[Figure: network diagram. Labels: To Internal Network, Internal, External, Switch, Internet, Router, Firewall, DNS Server]
[Worksheet (blank form): Network settings. IP and Netmask for each port, including Port 2 to Port 6, and the Default Gateway]
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP if the network supports it.
Select OK.
If you changed the IP address of the interface you are connecting to, you must
reconnect to the web-based manager using the new IP address.
If required, select Retrieve default gateway and DNS from server to disable this
option.
Select OK.
Enter the default gateway address. The default gateway address will be the
address of the router connected to the Internet.
Select Apply.
Enter the port number for the POP3 server. The default is 110.
Enter the SMTP port number. The default SMTP port number is
25.
The default port number is 465. This allows the encrypted SMTP
traffic to pass through the SMTPS Server Port. You must enable
SMTP over SSL/TLS to set this option.
SMTP Authentication
Select to enable authentication. When a user logs into the SMTP
server, they require a user name and password.
Select the blue arrow for Relay server to expand the options.
Enter a relay server name, port and authentication if your ISP provides a relay
email server.
Select Apply.
Adding a domain
Create a domain entry for the server. Ensure you use the same domain you used
when setting up the MX record.
To add a domain
1
Enter the domain name including the suffix. For example, company.com.
Select OK.
accounting.example.com
dev.example.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
Select Is Subdomain and select the main domain the local domain is a part of.
Select OK.
Type
Interface
The incoming policy is a POP3 policy that allows users to send requests to the
FortiMail unit for new mail on the FortiMail server.
To configure the incoming policy
1
Destination Interface/zone
Destination Address Name
Select the FortiMail unit address from the list.
Schedule
Select ALWAYS.
Service
Select POP3.
Action
Select ACCEPT.
Destination Interface/zone
Destination Address Name
Select the FortiMail unit address from the list.
Schedule
Select ALWAYS.
Service
Select SMTP.
Action
Select ACCEPT.
Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.
[Figure: network diagram. Labels: To Internal Network, Internal, External, DMZ, Internet, Router, DNS Server]
[Worksheet (blank form): Network settings. IP and Netmask for each port, including Port 2 to Port 6, and the Default Gateway]
You must configure at least one network interface to connect the FortiMail unit to
the network. Connect the Port 1 interface to your internal network hub or switch.
The IP address of Port 1 must be on the same subnet as the network and cannot
use the same address as another device or computer on the network.
Assign a static IP address or configure the interface for dynamic IP address
assignment using DHCP if the network supports it.
Select OK.
If you changed the IP address of the interface to which you are connecting to
manage the FortiMail unit, you must reconnect to the web-based manager using
the new IP address.
If required, select Retrieve default gateway and DNS from server to disable this
option.
Select OK.
Enter the default gateway address. The default gateway address will be the DMZ
address.
Select Apply.
Enter the port number for the POP3 server. The default is 110.
Enter the SMTP port number. The default SMTP port number
is 25.
The default port number is 465. This allows the encrypted SMTP
traffic to pass through the SMTPS Server Port. You must set
SMTP over SSL/TLS before setting this option.
SMTP Authentication Select to enable authentication. When a user logs into the SMTP
server, they require a user name and password.
Select the blue arrow for Relay server to expand the options.
Enter a relay server name and authentication if your ISP provides a relay email
server.
Select Apply.
Adding a domain
Create a domain entry for the server. Ensure you use the same domain you used
when setting up the MX record.
To add a domain
Enter the domain name including the suffix. For example, company.com.
Select OK.
accounting.example.com
dev.example.com.
Once created, you can add users to the local domain. For information on adding
email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
Select Is Subdomain and select the main domain the local domain is a part of.
Select OK.
Type
Interface
Select DMZ.
Destination Interface/zone
Destination Address Name    Select the FortiMail unit address from the list.
Schedule                    Select ALWAYS.
Service                     Select SMTP.
Action                      Select ACCEPT.

Destination Interface/zone
Schedule                    Select ALWAYS.
Service                     Select SMTP.
Action                      Select ACCEPT.

Destination Interface/zone  Select DMZ.
Destination Address Name    Select the FortiMail unit address from the list.
Schedule                    Select ALWAYS.
Service                     Select POP3.
Action                      Select ACCEPT.

Destination Interface/zone  Select DMZ.
Destination Address Name    Select the FortiMail unit address from the list.
Schedule                    Select ALWAYS.
Service                     Select SMTP.
Action                      Select ACCEPT.
Next Steps
The configuration is now complete. Using your email client software, try sending
email using the test user to verify that the FortiMail server can send and receive
email.
If you are having difficulties, review the steps and the values entered to ensure
they are correct.
See the chapter Testing and next steps on page 79 for information on testing the
installation and the next steps to complete the installation of your FortiMail unit.
Advanced configuration
The preceding chapter described how to configure your FortiMail unit for the
network in one of the three modes.
The next step is to configure the FortiMail unit to scan email for viruses, providing
maximum protection against blended email-related threats and increasing your users'
productivity.
This chapter describes additional configuration you should consider when
integrating the FortiMail unit into your network.
This chapter includes:
Configuring antispam
Create profiles
Create policies
Optionally, select the Automatically adjust clock for daylight saving changes check
box.
Select Set Time and set the FortiMail system date and time.
Select OK.
Note: If you choose the option Automatically adjust clock for daylight saving changes, the
system time must be manually adjusted after daylight savings time ends.
Select Synchronize with NTP Server to configure the FortiMail unit to use NTP to
automatically set the system time and date.
Enter the IP address or domain name of the NTP server that the FortiMail unit can
use to set its time and date.
Specify how often the FortiMail unit should synchronize its time with the NTP
server.
Select OK.
By selecting scheduled updates, you define when the FortiMail unit receives the
latest antivirus signatures. For example, you can schedule updates every night at
2 am, or weekly on Sunday when email traffic is low. While this may leave your
network potentially vulnerable to a brand new virus, it minimizes disruption to the
email service, which may be a benefit if your business relies on timely email
communications.
Select Use override push IP if required and enter the IP address and port number.
Override push IP addresses and ports are used when there is a NAT device
between the FortiMail unit and the FDN. The FortiMail unit sends the override
push IP address and port to the FDN. The FDN then uses this IP address and
port for push updates to the FortiMail unit on the internal network.
Select Apply.
Every
Daily     Once a day. You can specify the time of day to check for updates.
Weekly    Once a week. You can specify the day of the week and time of day to check for updates.
Select Apply.
The FortiMail unit starts the next scheduled update according to the new update
schedule. Whenever the FortiMail unit runs a scheduled update, the event is
recorded in the FortiMail event log.
Select Apply.
The FortiMail unit tests the connection to the override server.
If the FDN setting changes to available, the FortiMail unit has successfully
connected to the override server.
If the FDN stays set to not available, the FortiMail unit cannot connect to the
override server. Check the FortiMail configuration and network configuration for
settings that would prevent the FortiMail unit from connecting to the override
FortiGuard server.
Configuring antispam
To combat spam, the FortiMail unit provides a number of methods of filtering
unwanted email. If you have a FortiGuard subscription, much of the spam sent is
captured using the FortiGuard filtering system. Fortinet employs a team to
continually monitor spam patterns and update the databases daily.
There are additional system-wide antispam settings that enable you to train the
FortiMail unit as to what is, and what is not spam. These include:
Black/White lists that enable you to block or allow email from the email
addresses or domains you specify
Bayesian training to train the Bayesian databases to make the antispam email
scanning more accurate.
Once configured you can incorporate these settings into antispam profiles. The
following are a few of the antispam options that you can initiate on the FortiMail
unit to stop the flow of spam.
Black/White lists
In some cases, mail tagged as spam comes from a sender you want to receive
mail from, while mail from senders you don't want to hear from is not caught by
the spam filters and reaches your inbox. White lists and blacklists enable
you and your users to maintain lists of email addresses that you do or don't
want to receive email from.
White lists contain the domains and email addresses of senders whose mail you want
to receive, which can help to eliminate false positives. Blacklists are the opposite.
Users and domains in a blacklist are blocked from sending email to recipients on the network.
The FortiMail unit, at the system, session, and personal levels, can block or allow
email from the email addresses, domains, or IP addresses you specify. You add
the email addresses, domains, or IP addresses that you want to block in the black
list, and those that you allow to pass in the white list.
Mail will be checked against the system and user lists whenever the
mail matches any policy, recipient-based or IP-based. Mail will be checked against
session lists only when lists are enabled in a session profile specified in an
IP-based policy that matches the message traffic, whether or not a
recipient-based policy also matches.
While this can be very effective in maintaining desired lists of users and domains
to allow and block, some caution must be taken. They are simple and efficient
tools for fighting spam and enhancing performance, but can also cause false
positives and false negatives if not used carefully. For example, a white list entry
of *.edu would allow all mail from the .edu top level domain to bypass the FortiMail
unit's anti-spam scanning.
Administrators and users can configure separate black/white lists. Administrators
can configure system level lists and personal level lists using the web-based
manager, while users can configure and maintain their own personal lists using
the web mail interface.
System lists precede personal lists. That is, if the FortiMail unit receives an email
that is white listed at the system level, and black listed at the personal level, the
user will still receive the email. Conversely, if the FortiMail unit receives an email
that is black listed at the system level, and white listed at the personal level, the
user will not receive the email.
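The precedence rules above, worked through as an added example (not FortiMail code). The list contents, the function names and the choice to consult the black list first within a level are assumptions; a verdict of `scan` means no list matched and normal antispam scanning applies.

```python
from fnmatch import fnmatch

# Constructed sample lists; entries are sender addresses, domains or IP addresses.
SYSTEM_LISTS = {
    "white": ["partner.example", "*.edu"],
    "black": ["bulk.example", "203.0.113.7"],
}
PERSONAL_LISTS = {
    "alice": {"white": ["news@bulk.example"], "black": ["partner.example"]},
}


def entry_matches(entry, sender, client_ip):
    """True if a list entry matches the sender address, its domain or the client IP."""
    entry = entry.lower()
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    if "@" in entry:
        return fnmatch(sender, entry)
    return fnmatch(domain, entry) or entry == client_ip


def check_level(lists, sender, client_ip):
    """Return 'block', 'allow' or None for one level (system or personal).

    Assumption: within a level the black list is consulted before the white list.
    """
    for verdict, name in (("block", "black"), ("allow", "white")):
        if any(entry_matches(e, sender, client_ip) for e in lists.get(name, [])):
            return verdict
    return None


def list_verdict(sender, client_ip, user, system=SYSTEM_LISTS, personal=PERSONAL_LISTS):
    """System lists precede personal lists; 'scan' means no list decided the outcome."""
    verdict = check_level(system, sender, client_ip)
    if verdict is None:
        verdict = check_level(personal.get(user, {}), sender, client_ip)
    return verdict or "scan"


def overbroad_entries(entries):
    """Flag white list entries that cover a whole top-level domain, such as *.edu."""
    return [e for e in entries if e.startswith("*.") and "." not in e[2:]]


if __name__ == "__main__":
    # White listed at system level, black listed by alice: still delivered.
    print(list_verdict("bob@partner.example", "198.51.100.5", "alice"))
    # Black listed at system level, white listed by alice: still blocked.
    print(list_verdict("news@bulk.example", "198.51.100.6", "alice"))
    # Any .edu sender skips antispam scanning because of the *.edu entry.
    print(list_verdict("x@cs.uni.edu", "198.51.100.9", "alice"))
    print(overbroad_entries(SYSTEM_LISTS["white"]))
```

Running `overbroad_entries` over a white list before saving it is a cheap review step for entries like the `*.edu` case described above.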
To add system level black/white lists
Enter the email address, domain, or IP address that you want to block or allow.
Select Add.
To add personal level black/white lists
Select the domain of the SMTP server that has the user for whom you want to configure
the Black or White list.
If you want to configure the black or white list for an existing user, type the
user's username and select OK.
If you want to configure the black or white list for a new user, type the user's
username and select OK.
Turn on Add outgoing email addresses to "White" list if you want the FortiMail unit
to treat email sent from these addresses as non-spam email in the future.
Enter the email address, domain, or IP address that you want to block or allow.
Select Add.
Bayesian scanning
Bayesian scanning is a method of teaching the FortiMail unit what is spam email
and what is not. Bayesian training uses Bayes' theorem of probability. Using this
theorem, the spam filters take into account the type of words used in spam
messages versus those used in messages that are not spam.
Bayesian training is a manual process performed by the administrator or email users. For each
email received, an email user tells the filter whether it is a good email, spam,
or a false positive. The more training, that is, the more a user sends email
indicating its status, the more efficient the spam filter will be.
Bayesian filters recognize spam messages by looking at the words (or tokens)
they contain. The Bayesian filter starts with two collections of email, one of known
spam and one of known non-spam email. For every word in these email
messages, it calculates the probability of a scanned message being spam based
on the proportion of spam occurrences.
The FortiMail unit can maintain three types of Bayesian databases: global, group,
and user. They all work in the same way with the Bayesian scanning engine, but
each is designed for a different application:
The global database can be used to scan any or all mail sent and received by the FortiMail
unit. There is only one global Bayesian database on a FortiMail unit.
User databases are maintained on a per-user basis for each protected domain. This
allows the user Bayesian database to be fine-tuned to only the mail traffic the
user receives.
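An added illustration of the token-probability idea described above: a generic Bayesian filter in Python, not the FortiMail scanning engine. The training messages are constructed, and the clamp values (0.01 and 0.99), equal priors and all class and function names are assumptions.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")
P_MIN, P_MAX = 0.01, 0.99  # assumed clamp so that no single token is decisive

# Constructed training collections: known spam and known non-spam.
SPAM = ["Cheap pills, buy now!", "Buy cheap watches now", "You won a free prize, claim now"]
HAM = ["Meeting agenda for Monday", "Please review the attached invoice", "Lunch on Monday?"]


def tokens(text):
    """Lower-case word tokens; a token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianDB:
    """Token counts kept separately for spam (True) and non-spam (False)."""

    def __init__(self):
        self.msgs = {True: 0, False: 0}
        self.counts = {True: Counter(), False: Counter()}

    def train(self, text, is_spam):
        self.msgs[is_spam] += 1
        self.counts[is_spam].update(tokens(text))

    def correct(self, text, is_spam):
        """Re-label a message that was trained under the wrong label,
        for example a false positive reported by a user."""
        wrong = not is_spam
        self.msgs[wrong] -= 1
        self.counts[wrong].subtract(tokens(text))
        self.train(text, is_spam)

    def token_probability(self, tok):
        """P(spam | token) from the proportion of spam and non-spam messages
        that contain the token; None when the token carries no evidence."""
        if not (self.msgs[True] and self.msgs[False]):
            return None
        s = self.counts[True][tok] / self.msgs[True]
        h = self.counts[False][tok] / self.msgs[False]
        if s + h <= 0:
            return None
        return min(P_MAX, max(P_MIN, s / (s + h)))

    def spam_probability(self, text):
        """Combine the token probabilities in log-odds space."""
        log_odds = 0.0
        for tok in tokens(text):
            p = self.token_probability(tok)
            if p is not None:
                log_odds += math.log(p / (1.0 - p))
        # Numerically stable logistic function.
        if log_odds >= 0:
            return 1.0 / (1.0 + math.exp(-log_odds))
        e = math.exp(log_odds)
        return e / (1.0 + e)


def build_demo_db():
    db = BayesianDB()
    for msg in SPAM:
        db.train(msg, True)
    for msg in HAM:
        db.train(msg, False)
    return db


if __name__ == "__main__":
    db = build_demo_db()
    for sample in ("buy cheap pills", "Monday meeting agenda", "hello world"):
        print(f"{sample!r}: {db.spam_probability(sample):.4f}")
```

The `correct` method shows why false-positive reports matter: one mislabelled message is enough to push its tokens to the clamp limit until it is re-labelled.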
Heuristic scanning
Heuristic scanning uses a scoring technique based on predetermined terms and
words. The rules are broken down into 5 categories: header, body, raw body, URI,
and metadata. Each rule has an individual score used to calculate the total score
for an email. You can fine-tune the threshold values to meet your specific needs. If
your email system's false positive ratio is high, raise the upper level threshold until
you achieve a satisfactory ratio. If your spam catch rate is too low, lower the lower
level threshold until you achieve a satisfactory rate. The FortiMail default
threshold values are recommended only as a starting point.
Note that Heuristic scanning is resource intensive. If spam detection rates are
acceptable without heuristic scanning by using other antispam methods available
in FortiMail (black lists, FortiGuard), consider disabling it or limiting its use to
policies dealing with problem hosts.
To customize the thresholds and what rules are used, go to AntiSpam > Rules
and select and modify the values as required.
Create profiles
A profile is a collection of FortiMail settings that you specify to filter incoming and
outgoing email and to control the email flow. Profiles are selected in policies and
run on any traffic the policy controls. The FortiMail unit enables you to create
profiles for a number of features.
For an initial setup, create profiles for antispam and antivirus. As you continue to
develop your email environment, you can add additional profiles for
authentication, content and so on.
Antispam profile
After creating your antispam configurations, you can add an antispam profile,
which uses the settings you have configured and groups them into a single profile
which you can apply across various policies. Each profile you add can use
different antispam options depending on how you need to use them.
To create an antispam profile, go to Profile > AntiSpam > Incoming or
Outgoing.
When you create an antispam profile you can also define additional antispam
measures within the profile including:
DNSBL - to communicate with DNSBL (DNS Block List) servers to check the
IP address of the mail server that delivered the message. If a match is found,
the FortiMail unit treats the message as spam.
SURBL - to check every URI in the message body. If a match is found, the
FortiMail unit treats the message as spam.
Banned Word - to check the message for words you have added as banned. The
message will be considered spam if any match is found.
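How DNSBL and SURBL-style lookups are conventionally formed, as an added example rather than FortiMail's own code. The zone names `dnsbl.example` and `uribl.example`, the stub resolver and its records are constructed so the code runs offline; URI lists normally key on the registered domain, which this example approximates by trying each parent domain.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DNSBL_ZONE = "dnsbl.example"   # hypothetical block list zone
URIBL_ZONE = "uribl.example"   # hypothetical URI list zone
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed records standing in for DNS answers (query name -> A records).
FAKE_DNS = {
    "7.113.0.203.dnsbl.example": ["127.0.0.2"],
    "bad.example.uribl.example": ["127.0.0.2"],
}


def stub_resolve(name):
    """Offline resolver: an empty list models 'no such name' (not listed)."""
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """IPv4 a.b.c.d is queried as d.c.b.a.<zone>; IPv6 uses reversed nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def is_listed(answers):
    """By convention a listing is signalled by an A record in 127.0.0.0/8."""
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)


def uri_hosts(body):
    """Host names of the http(s) URIs found in a message body, in order."""
    hosts = []
    for match in URI_RE.finditer(body):
        try:
            host = urlsplit(match.group(0)).hostname
        except ValueError:
            continue
        host = (host or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def candidate_domains(host):
    """The host and each parent domain down to two labels."""
    try:
        ipaddress.ip_address(host)
        return []  # IP-literal hosts are not looked up in this example
    except ValueError:
        pass
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]


def check_message(client_ip, body, resolve):
    """Return (method, value) pairs for every list hit on the message."""
    hits = []
    if is_listed(resolve(dnsbl_query_name(client_ip))):
        hits.append(("DNSBL", client_ip))
    for host in uri_hosts(body):
        for domain in candidate_domains(host):
            if is_listed(resolve(domain + "." + URIBL_ZONE)):
                hits.append(("SURBL", domain))
                break
    return hits


if __name__ == "__main__":
    body = "Reset your password at http://login.promo.bad.example/reset now"
    print(check_message("203.0.113.7", body, stub_resolve))
```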
Most individual spam detection methods allow the selection of an action. The
selected action determines what the FortiMail unit does with mail detected as
spam by the particular spam detection method.
The options available are:
Subject Tag - enables you to enter the information to appear in the subject line
of the spam notification email sent to the recipient by the FortiMail unit. For
example, FortiMail detected spam. Users can create rules in their client
software to direct messages with this tag to a separate folder for later review.
Reject - The FortiMail unit rejects the spam and sends reject responses to the
sender.
Discard - The FortiMail unit discards spam without sending reject responses to
the senders.
Quarantine - The FortiMail unit redirects detected spam messages to the spam
quarantine. The quarantine action is only available for incoming antispam
profiles.
Antivirus profile
Antivirus profiles are used by FortiMail to scan email for viruses. FortiMail units
update virus signatures online from Fortinet's update servers around the world.
When a virus is found, the FortiMail unit deletes the file that contains the virus and
replaces the file with a message notifying the user the infected file has been
deleted.
To create an antivirus profile, go to Profile > AntiVirus > AntiVirus.
As with antispam, antivirus profiles enable you to define an action for when the
FortiMail unit finds a virus. The selected action determines what the FortiMail unit
does with mail in which a virus is detected.
The options available are:
Replace Virus Body - This option allows the FortiMail unit to replace the
attachment of a virus email with a message that provides information about the
virus and source of the email.
Reject - The FortiMail unit rejects the email and sends reject responses to the
sender.
Discard - The FortiMail unit discards the email without sending reject
responses to the sender.
Applying profiles
After you create the profiles, you apply them to users and user groups to create
email filtering and control policies, described below. To customize your email
service, you can apply different profiles to different users or user groups. For
instance, if you are an Internet Service Provider (ISP), you can create and apply
antivirus profiles only to the users who pay for the antivirus service.
Create policies
Policies determine if and how incoming and outgoing email is scanned for spam,
viruses, and attachment types. Also, policies can determine user account settings,
such as authentication type, disk quota, and access to Webmail.
There are two types of policies you can configure in FortiMail:
IP-based policies that are run when the IP address matches the client address
specified in the policy in gateway and server modes, or both IP addresses
match the client and server addresses specified in the policy in transparent
mode. In server and gateway modes, IP-based policies are run on connections
initiated by a computer specified by the IP address specified in the policy. In
transparent mode, IP-based policies are run on connections between two
computers, both specified by IP address in the policy.
Recipient-based policies take priority over IP-based policies. Only one policy is
applied to any message. The FortiMail unit checks each message for recipient-based
policy matches. If a match is found, the recipient-based policy is applied. If
no recipient-based policies match, the IP-based policy is applied. This is how all
aspects of the policies are applied, with the exception of the session profile and
the antivirus profile.
If no recipient-based policy matches the message and no IP-based policy
matches the session, no policies are applied and the mail is delivered.
To create email policies go to the Policies menu and select Recipient Based or IP
based.
Note: Arrange policies in the policy list from most specific at the top to more general at the
bottom. Policy matches are checked from the top of the list, downward.
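The matching order described above, as an added example that is not FortiMail code. It models gateway and server mode, where IP-based policies match on the client address only; the policy names, recipient patterns and function names are assumptions, and the session and antivirus profile exception is not modelled.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample policies, in the order they appear in each policy list.
RECIPIENT_POLICIES = [
    {"name": "rcpt-finance", "recipient": "*@finance.example.com"},
    {"name": "rcpt-all", "recipient": "*@example.com"},
]
IP_POLICIES = [
    {"name": "ip-branch", "client": "192.0.2.0/24"},
    {"name": "ip-any", "client": "0.0.0.0/0"},
]


def first_match(policies, predicate):
    """Policies are checked from the top of the list downward; first match wins."""
    for policy in policies:
        if predicate(policy):
            return policy["name"]
    return None


def select_policy(recipient, client_ip, recipient_policies, ip_policies):
    """Return (kind, name) of the single policy applied to a message.

    Recipient-based policies take priority; (None, None) means no policy
    matched and the mail is delivered without one.
    """
    rcpt = recipient.lower()
    name = first_match(recipient_policies,
                       lambda p: fnmatch(rcpt, p["recipient"].lower()))
    if name:
        return ("recipient", name)
    ip = ipaddress.ip_address(client_ip)
    name = first_match(ip_policies,
                       lambda p: ip in ipaddress.ip_network(p["client"]))
    if name:
        return ("ip", name)
    return (None, None)


def shadowed_ip_policies(ip_policies):
    """Find IP-based policies that can never match because an earlier,
    more general policy already covers their whole client network."""
    shadowed = []
    for i, policy in enumerate(ip_policies):
        net = ipaddress.ip_network(policy["client"])
        for earlier in ip_policies[:i]:
            outer = ipaddress.ip_network(earlier["client"])
            if net.version == outer.version and net.subnet_of(outer):
                shadowed.append((policy["name"], earlier["name"]))
                break
    return shadowed


if __name__ == "__main__":
    print(select_policy("cfo@finance.example.com", "192.0.2.10",
                        RECIPIENT_POLICIES, IP_POLICIES))
    print(select_policy("user@other.example", "192.0.2.10",
                        RECIPIENT_POLICIES, IP_POLICIES))
    # General policy placed above the specific one: the specific one is dead.
    misordered = list(reversed(IP_POLICIES))
    print(shadowed_ip_policies(misordered))
```

The `(None, None)` result is the case to watch for: a message that matches no policy at all is delivered without any profile applied.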
The options available for a policy depend on whether you are running the
FortiMail unit in Transparent/Gateway mode or Server mode. For more details on
policy usage and configuration, see the FortiMail Administration Guide.
Adding users
You can add users in two ways. Add each user individually or import an existing
user list from a previous mail server installation. The list must be a comma
separated values (CSV) text file.
Adding groups
For easier user management, create user groups that contain users for a specific
department or functional group. This group does not have a unique email
address.
Firmware
Fortinet periodically updates the FortiMail firmware to include enhancements and
address issues. After you have registered your FortiMail unit, FortiMail firmware is
available for download at http://support.fortinet.com.
Only the FortiMail administrators (whose access profiles contain system
configuration read and write privileges) and the FortiMail admin user can change
the FortiGate firmware.
This chapter includes the following topics:
Select Backup System settings and select a location to store the configuration file.
Select Download bayesian database backup file and select a location to store the
database file.
Select Download Black/White list backup file and select a location to store the
database file.
Select Download Queue file and select a location to store the mail queue file.
Type the path and filename of the firmware image file, or select Browse and locate
the file.
Select OK.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiMail login. This process takes a few
minutes.
Go to System > Status and check the Firmware Version to confirm the firmware
upgrade is successfully installed.
Copy the new firmware image file to the root directory of the TFTP server.
Make sure the FortiMail unit can connect to the TFTP server using the ping
command to ping the computer running the TFTP server. For example, if the IP
address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
Enter the following command to copy the firmware image from the TFTP server to
the FortiMail unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is
the IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image image.out 192.168.1.168
The FortiMail unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
Type y.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
Caution: Reverting to an earlier firmware version will cause you to lose your entire
configuration. Before beginning this procedure you should back up your configurations. For
details, see Backing up the FortiMail information on page 95.
If you are reverting to a previous FortiMail version (for example, reverting from
v3.0 to v2.80), you might not be able to restore your previous configuration from
the backup configuration file.
Note: To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
To use the following procedure, you must have a TFTP server the FortiMail unit
can connect to.
To revert to a previous firmware version
Copy the firmware image file to the root directory of the TFTP server.
Make sure the FortiMail unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP
server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
Enter the following command to copy the firmware image from the TFTP server to
the FortiMail unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
v2.80image.out and the IP address of the TFTP server is 192.168.1.168,
enter:
execute restore image v2.80image.out 192.168.1.168
The FortiMail unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
Type y.
The FortiMail unit uploads the firmware image file. After the file uploads, a
message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
Type y.
The FortiMail unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
Once the FortiMail unit has restarted, load your configuration information onto the
unit.
Caution: If you are reverting to a previous FortiMail version (for example, reverting from
v3.0 to v2.80), you might not be able to restore your previous configuration from the backup
configuration file.
Note: Installing firmware replaces the current antivirus definitions with the definitions
included with the firmware release you are installing. After you install new firmware, ensure
that antivirus definitions are up to date. For details, see Updating antivirus signatures on
page 86.
Connect to the CLI using the null-modem cable and FortiMail console port.
Copy the new firmware image file to the root directory of the TFTP server.
Make sure the internal interface is connected to the same network as the TFTP
server.
To confirm the FortiMail unit can connect to the TFTP server, use the following
command to ping the computer running the TFTP server. For example, if the IP
address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
Type y.
As the FortiMail unit starts, a series of system startup messages is displayed.
When one of the following messages appears:
Press any key to display configuration menu.......
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
the FortiMail unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages
appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default
firmware.
[H]: Display this list of options.
Enter G,F,B,I,Q,or H:
Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
Type an IP address that can be used by the FortiMail unit to connect to the TFTP
server.
The IP address can be any IP address that is valid for the network the interface is
connected to. Make sure you do not enter the IP address of another device on this
network.
The following message appears:
Enter File Name [image.out]:
Type D.
The FortiMail unit installs the new firmware image and restarts.
After completing this procedure, the FortiMail unit operates using the new
firmware image with the current configuration. This new firmware image is not
permanently installed. The next time you restart the FortiMail unit, it operates with
the originally installed firmware image using the current configuration. If the new
firmware image operates successfully, you can install it permanently using the
procedure Upgrading the firmware on page 96.
For this procedure, you must connect to the CLI using the FortiMail console port
and an RJ-45 to DB-9 or null-modem cable. This procedure temporarily installs a
new firmware image using your current configuration.
For this procedure you require a TFTP server that you can connect to from port 1.
The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure you should back up your configuration file and
lists. See Backing up the FortiMail information on page 95 for details.
To test a new firmware image
Connect to the CLI using an RJ-45 to DB-9 serial cable or a null-modem cable and
FortiMail console port.
Copy the new firmware image file to the root directory of the TFTP server.
Make sure the internal interface is connected to the same network as the TFTP
server.
You can use the following command to ping the computer running the TFTP
server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
As the FortiMail unit starts, a series of system startup messages is displayed.
Press any key to display configuration menu........
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
the FortiMail unit reboots and you must log in and repeat the execute reboot
command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default
firmware.
[H]: Display this list of options.
Enter G,F,B,I,Q,or H:
Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
Type an IP address that can be used by the FortiMail unit to connect to the TFTP
server.
The following message appears:
Enter File Name [image.out]:
Type R.
The FortiMail image is installed to system memory and the FortiMail unit starts
running the new firmware image but with its current configuration.
You can log into the CLI or the web-based manager using any administrative
account.
To confirm the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.
Access the CLI by connecting to the FortiMail console port using an RJ-45 to
DB-9 serial cable or null-modem cable.
Install a TFTP server that you can connect to from the FortiMail unit as described in
the procedure Installing firmware images from a system reboot on page 99.
Connect to the CLI using an RJ-45 to DB-9 serial cable or a null-modem cable and
FortiMail console port.
Copy the new firmware image file to the root directory of your TFTP server.
To confirm the FortiMail unit can connect to the TFTP server, use the following
command to ping the computer running the TFTP server. For example, if the IP
address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
If you successfully interrupt the startup process, the following message appears:
[G]:
[F]:
[Q]:
[H]:
Enter G,F,Q,or H:
Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
Type an IP address that can be used by the FortiMail unit to connect to the TFTP
server.
The IP address can be any IP address that is valid for the network the interface is
connected to. Make sure you do not enter the IP address of another device on this
network.
The following message appears:
Enter File Name [image.out]:
Type B.
The FortiMail unit saves the backup firmware image and restarts. When the
FortiMail unit restarts it is running the previously installed firmware version.