
FortiMail Gateway Setup and Configuration Technical Note


Document Version: Version 1
Publication Date: 04 April 2005
Description: This technical note highlights some FortiMail Gateway installation and
configuration issues and provides additional practical background information not
available in the FortiMail Administration Guide.
Product: FortiMail v2.0
Document Number: 06-20000-0198-20050404
Fortinet Inc.

© Copyright 2005 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.


Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance
FCC Class A Part 15 CSA/CUS
Table of Contents
Overview ......................................................... 3
Configuring DNS .................................................. 4
  DNS tools ...................................................... 4
    Using the host (UNIX) tool ................................... 5
    Using the nslookup (UNIX or Windows) tool .................... 5
  DNS troubleshooting using nslookup ............................. 6
Configuring the FortiMail Gateway ................................ 6
  Network settings ............................................... 7
    DNS entries .................................................. 7
    Routing entries .............................................. 8
  Mail server entries ............................................ 8
  Profile entries ................................................ 8
  Policy entries ................................................. 9
Testing the FortiMail Gateway ................................... 10
  Sending an email .............................................. 10
  Using commands ................................................ 10
    Telnetting to the FortiMail Gateway ......................... 10
    Communicating with the SMTP service ......................... 11



FortiMail Gateway Setup and Configuration

This document highlights some FortiMail Gateway installation and configuration
issues and provides additional practical background information not available in the
FortiMail Administration Guide. This technical note contains the following sections:
• Overview
• Configuring DNS
• Configuring the FortiMail Gateway
• Testing the FortiMail Gateway

Overview
The FortiMail Gateway can effectively protect your email server by scanning the
SMTP traffic going through it for viruses and spam messages. It can also archive
emails for backup and monitoring purposes. The FortiMail unit integrates into your
existing network with only minor changes to your network configuration.
While there are multiple possible combinations when implementing both internal and
external email systems with the FortiMail Gateway, this technical note will use a
simple network design as shown in Figure 1.
This network design uses an internal server for user email storage. The FortiMail
Gateway acts as a relay server that receives and screens any incoming emails from
the Internet before delivering them to the internal email system for final delivery.

Figure 1: Network design (diagram not reproduced; the labelled nodes are listed below)
    Internal network: Internal mail / DNS server (10.10.10.1 – mail.inside.com)
    Firewall
    DMZ: FortiMail (20.20.20.99 – fortimail.dmz.inside.com)
    External mail / DNS servers (30.30.30.1 – mail.outside.com)


Set up and configure the FortiMail Gateway by:
• Configuring DNS
• Configuring the FortiMail Gateway
• Testing the FortiMail Gateway

Configuring DNS
DNS is used to identify IP addresses and their related host names. For example,
when you type ping www.fortinet.com, the ping program attempts to reach an IP
address. A DNS server (or multiple servers) identifies the IP address associated with
the server that hosts www.fortinet.com and provides the IP to the ping program.
While DNS has multiple record types, this technical note only focuses on the following:
• MX records: The record type that identifies a mail server responsible for a
particular domain.
• A records: The record type that identifies an IP address associated with a Fully
Qualified Domain Name (FQDN), for example, www.fortinet.com.
To successfully implement the network design in Figure 1, you must ensure that the
DNS MX record on each domain identifies the FQDN of the FortiMail system. There
must also be a corresponding A record that identifies the IP address of the FortiMail
Gateway’s FQDN. The following is an example of the MX and A records based on
network design in Figure 1:
    MX record:  inside.com.            IN MX 0 fortimail.inside.com.
    A record:   fortimail.inside.com.  IN A  20.20.20.99
The trailing dots matter: in a zone file, a name without one is treated as relative to
the zone origin. The A record gives the address of the FortiMail Gateway itself
(20.20.20.99 in Figure 1), not the address of the internal mail server.
The “0” in the MX record is the preference value (often called the weight or priority).
It is commonly 0. When several MX records exist, the lowest value is tried first: equal
values share incoming email among multiple mail relays, and a higher value marks an
alternate mail server used in case the primary fails.
While there are many different types of DNS servers available, and a multitude of
interfaces that allow administrators to configure the database, this technical note is
based on a system running SUSE Linux 9.2 as the operating system, utilizing the
embedded DNS server. In this case, the zone file is /var/lib/named/master/inside.com.
To configure DNS, edit the inside.com file and add or modify the MX record and
A record as described above. Once you have modified the DNS entries, restart the
DNS server. On the SUSE 9.2 system, this can be achieved by entering
/etc/init.d/named restart and pressing Enter.
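Before restarting named you can verify the zone file offline. The following Python script is an added example, not part of this note or of FortiMail: it parses a constructed inside.com zone (the gateway address 20.20.20.99 is taken from Figure 1, an assumption) and applies the checks that the host and nslookup sections below make with live queries: the preferred MX for inside.com must be the gateway's FQDN, every MX target must have an A record, and the gateway's A record must carry the expected address.

```python
import ipaddress

# Constructed zone text mirroring the note's records; 20.20.20.99 is the gateway
# address from Figure 1 (an assumption), the internal mail server keeps 10.10.10.1.
ZONE_TEXT = """\
$ORIGIN inside.com.
$TTL 3600
mail                   IN  A   10.10.10.1
inside.com.            IN  MX  0  fortimail.inside.com.
fortimail.inside.com.  IN  A   20.20.20.99
"""

def parse_zone(text):
    """Return (mx, a): mx maps zone name -> [(preference, target)], a maps name -> [ip].
    Handles $ORIGIN, '@' and relative owner names; other record types are skipped."""
    origin, mx, a = ".", {}, {}
    def fqdn(name):  # '@' is the origin; a name without a trailing '.' is relative to it
        return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()          # drop comments, tokenize
        if not fields:
            continue
        if fields[0].startswith("$"):                  # $ORIGIN / $TTL directives
            if fields[0] == "$ORIGIN":
                origin = fields[1]
            continue
        i = 1 + fields[1].isdigit()                    # skip an optional per-record TTL
        i += fields[i].upper() == "IN"                 # skip the optional class
        rtype, rdata = fields[i].upper(), fields[i + 1:]
        if rtype == "MX":
            mx.setdefault(fqdn(fields[0]), []).append((int(rdata[0]), fqdn(rdata[1])))
        elif rtype == "A":
            a.setdefault(fqdn(fields[0]), []).append(ipaddress.ip_address(rdata[0]))
    return mx, a

def check_mail_routing(text, domain, relay, relay_ip):
    """List what the note's host/nslookup checks would reveal: the preferred MX for
    `domain` must be `relay`, every MX target needs an A record, relay must have relay_ip."""
    mx, a = parse_zone(text)
    domain, relay = domain.rstrip(".") + ".", relay.rstrip(".") + "."
    problems = []
    targets = sorted(mx.get(domain, []))               # lowest preference first
    if not targets:
        problems.append(f"no MX record for {domain}")
    elif targets[0][1] != relay:
        problems.append(f"preferred MX for {domain} is {targets[0][1]}, not {relay}")
    for _, target in targets:
        ips = a.get(target)
        if not ips:
            problems.append(f"MX target {target} has no A record")
        elif target == relay and ipaddress.ip_address(relay_ip) not in ips:
            problems.append(f"{relay} has address {ips[0]}, expected {relay_ip}")
    return problems
```

An empty list from check_mail_routing means the zone would pass the host and nslookup checks; each string describes one record to fix.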

DNS tools
It is important to ensure that the MX and corresponding A records have been set
correctly for the domain supporting the FortiMail Gateway. In our example, make sure
that the mail server handling mail for inside.com is shown as
fortimail.inside.com (the FQDN for the FortiMail system), and the IP address is
correct for the FQDN.


There are a number of tools you can use to test the DNS records. In this document,
the tool set is limited to commands available on UNIX or Windows based systems.

Using the host (UNIX) tool

The host tool is a simple utility for performing DNS lookups to verify that the DNS
settings are correct. It is normally used to convert names to IP addresses and vice
versa. To test the MX settings in our example, from a UNIX prompt, enter:

    Command:   host -t mx inside.com <return>
    Response:  inside.com mail is handled by 0 fortimail.inside.com

Note: In the command, “-t” specifies which record type to look up; “mx” selects the
mail exchanger record type.

The response shows that the DNS entry is correct, and incoming emails will be
forwarded to the IP address associated with fortimail.inside.com. To test that
the A record is also correct, from a UNIX prompt, enter:

    Command:   host fortimail.inside.com <return>
    Response:  fortimail.inside.com has address 20.20.20.99

Using the nslookup (UNIX or Windows) tool

Unlike the host command, nslookup is an interactive tool with its own CLI. This
document only introduces the commands responsible for identifying MX records and
testing A records.

Identifying MX records
To identify an MX record, from a UNIX or Windows command prompt, type nslookup
and press Return.
The response should be a prompt (“>”). From that prompt, you can issue commands
to the DNS server. To identify the mail server responsible for a domain, you must first
set the type of record to find, then type the domain you are looking for.
For example, to find the MX record for inside.com, you type:
    set type=mx <return>
    inside.com <return>
The most important information to look for in the response is “mail exchanger”. For
example:
    inside.com mail exchanger = 0 fortimail.inside.com
This response shows that the MX record for inside.com is correct and identifies the
FortiMail FQDN as the system responsible for incoming emails.


Testing A records
To test the A record using our example, from a UNIX or Windows prompt, type:
    nslookup <return>
    fortimail.inside.com <return>
The important information to look for in the response is “Name:” and “Address:”, such
as:
    Name: fortimail.inside.com
    Address: 20.20.20.99

DNS troubleshooting using nslookup

If you get an unexpected response when using the nslookup tool, try stopping and
restarting the DNS server you modified; this should always be done after modifying
anything in the DNS database.
If you are sure you have entered the right information but are still getting the wrong
responses, identify which DNS server your client is using. DNS servers cache entries,
and if you have multiple DNS servers, it may take a while before the update is
distributed between all of them.
A simple method of testing DNS updates on the server you modified is to force the
nslookup tool to get the DNS information from that specific server. The following
example covers a client that uses a different DNS server than the one you modified,
where you still need to ensure that the entries on the modified server are correct.
From a command prompt (UNIX or Windows), type:
    nslookup <return>
    server x.x.x.x <return>
x.x.x.x is the IP address of the DNS server you modified. This command forces the
nslookup tool to get the DNS record information from that specific server. It
overrides the client's DNS settings (for nslookup only). The response will be:
    Default server: x.x.x.x
    Address: x.x.x.x#53
This response means that the DNS server you will be using (until you exit nslookup)
is x.x.x.x. Retry the nslookup commands. If you still get a wrong response, restart
the DNS server your client is using, or recheck that the DNS server you modified is
the correct one and the changes were saved.

Configuring the FortiMail Gateway

With the DNS server correctly configured, you can now configure the FortiMail
system. See the FortiMail Administration Guide for detailed configuration information.
Configure the IP address of an interface so you can access the FortiMail Gateway via
the Web-based manager (see the FortiMail Administration Guide).
Make sure the FortiMail is in Gateway mode (System > Status > Operation Mode).


Network settings
Configure the network properties of the system:
• DNS
• Routing (default gateway)

DNS entries
Specify the DNS server(s) that allow the FortiMail Gateway to resolve the internal
mail server (the A record for the FQDN of the mail server). The DNS settings must also
allow the FortiMail Gateway to resolve Internet DNS entries. This can be achieved by
adding an additional DNS server (typically the ISP's), or by making sure that your
internal DNS server has a “forwarder” defined, pointing to an external DNS server for
entries it cannot resolve itself.
System > Network > DNS


Routing entries
Specify a default route for the FortiMail system. Otherwise you will have problems
receiving and/or delivering mail if you have multiple IP networks defined in your
environment.
System > Network > DNS

Mail server entries

Configure Mail Server to provide the host name of the FortiMail system and the
domain name to which the FortiMail Gateway belongs. You can also choose to modify
the application port (25) used for SMTP communications to the internal mail server,
define a maximum message size for incoming emails, and enable SSL support (this
just tells the FortiMail Gateway that SSL is an available option, it does not force SSL
communications).

Note: The domain entry of the FortiMail system MUST be different from the domain entry used
by the receiving mail server. As you can see from the Network design used in this document, a
sub domain within inside.com is created to accommodate the FortiMail requirement.

System > Mail Server > Setting

Profile entries
Profiles need to be available for both antispam and antivirus services. See the
FortiMail Administration Guide for details on profile creation.


Profile > Anti-Spam

Policy entries
Policies are important settings that define which domains are serviced by the
FortiMail Gateway and which users within each domain will receive mail.
Policy > Policy > Create New

Domain FQDN: Enter the domain to which the email server belongs (in our example, it
is inside.com) and the IP address of the email server.
The domain used in this field must be different from the Local Domain Name under
“Mail server entries” on page 8.
Once you have created the policy, you need to edit it and add users that are allowed to
receive email from this domain. Select the edit icon for the policy you created and
select Create New. To ensure all of your users will receive emails, enter “*” in the User
Name field. Then select the Antispam and Antivirus profiles you created (or were
available by default). You can leave Authentication as the defaults and select OK.


Testing the FortiMail Gateway

After installing and configuring the FortiMail Gateway, you can test the installation by:

• Sending an email
• Using commands

Sending an email
Send an email from an external email system to an internal user. If the user receives
the email without any problems, the installation is successful.

Using commands
You can use some simple commands to test that the FortiMail Gateway accepts
SMTP communications and the server policies are configured correctly.

Telnetting to the FortiMail Gateway

From a command prompt (UNIX or Windows) on your management computer, telnet
to the SMTP port (for example, 25) of the FortiMail Gateway to test the connection to
the SMTP service on the FortiMail Gateway. For example, if your FortiMail host name
is FortiMail.com, you enter:


    Command:   telnet FortiMail.com 25 <return>
    Response:  Connected to fortimail.com
               Escape character is '^]'
               220 fortimail.com ESMTP Smtpd; <date and time>

This response means you are connected to the SMTP service on the FortiMail
Gateway. You are now able to communicate with the SMTP service using SMTP
commands.

Communicating with the SMTP service

After connecting to the SMTP service on the FortiMail Gateway (see “Telnetting to the
FortiMail Gateway” on page 10), you can use SMTP commands to simulate sending
emails from an external email server to an internal user. This will verify that the
FortiMail Gateway receives emails from external email servers and forwards the
emails to internal users via the internal mail server or relays the emails to other email
servers based on the recipient addresses.
For example, if your client host name is mail.example.com and you want to
simulate generating an email sent by an outside user (user@outside.com) to an
internal user (user@inside.com), enter:

    Command:   ehlo mail.example.com <return>
    Response:  250-mail.example.com Hello <client_hostname> <client_ip>, pleased to meet you

    Command:   mail from:user@outside.com <return>
    Response:  250 2.1.0 user@outside.com... Sender ok

    Command:   rcpt to:user@inside.com <return>
    Response:  250 2.1.0 user@inside.com... Recipient ok

    Command:   data <return>
    Response:  354 Enter mail, end with "." on a line by itself

    Command:   this is a test message <return>
    Command:   . <return>
    Response:  250 2.0.0 j2TIw3MK026986 Message accepted for delivery

The above commands and responses show that the FortiMail Gateway is accepting
emails from external SMTP services and will deliver the emails to the internal users.
You should now be able to send and receive emails between external email servers
and your internal email server. The incoming emails are routed via the FortiMail
Gateway.
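The same exchange can be driven from a script instead of being typed into telnet, which makes the test repeatable after every policy change. The following Python code is an added example, not part of this note or of FortiMail: it reads multi-line replies (the 250- continuation lines of an EHLO response), checks each reply code against the value the note expects, and stops at the first unexpected code. The host names and addresses are the note's own examples; scripted_session runs the exchange offline against a constructed server transcript, and check_gateway runs it against a live gateway.

```python
import io
import socket

def read_reply(rfile):
    """Read one SMTP reply; 250-... lines (4th char '-') continue it, a '250 ' line ends it."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":
            return int(lines[0][:3]), lines

def run_session(rfile, wfile, steps):
    """Send each (command, expected_code) in turn and return [(command, code, lines)].
    A wrong code (e.g. 5xx on RCPT TO when no policy covers the domain) raises RuntimeError."""
    code, banner = read_reply(rfile)                   # the 220 greeting precedes any command
    if code != 220:
        raise RuntimeError(f"expected 220 greeting, got {banner[0]!r}")
    transcript = [("<greeting>", code, banner)]
    for command, expected in steps:
        wfile.write(command + "\r\n")                  # SMTP lines end in CRLF
        wfile.flush()
        code, lines = read_reply(rfile)
        transcript.append((command, code, lines))
        if code != expected:
            raise RuntimeError(f"{command!r}: expected {expected}, got {lines[0]!r}")
    return transcript

def relay_test_steps(client_host, sender, recipient, body):
    """The note's exchange: EHLO, MAIL FROM, RCPT TO, DATA, message, '.', then QUIT.
    `body` must not contain a line that is just '.' (no dot-stuffing is done here)."""
    return [
        (f"EHLO {client_host}", 250),
        (f"MAIL FROM:<{sender}>", 250),
        (f"RCPT TO:<{recipient}>", 250),
        ("DATA", 354),
        (f"Subject: FortiMail relay test\r\n\r\n{body}\r\n.", 250),
        ("QUIT", 221),
    ]

def scripted_session(server_replies, steps):
    """Offline run against a constructed server transcript; returns (transcript, text sent)."""
    rfile, wfile = io.StringIO(server_replies), io.StringIO()
    return run_session(rfile, wfile, steps), wfile.getvalue()

def check_gateway(host, port=25, timeout=10):
    """Live run against the gateway's SMTP port (needs network reachability to the DMZ)."""
    steps = relay_test_steps("mail.example.com", "user@outside.com", "user@inside.com", "test")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", newline="") as rfile, sock.makefile("w", newline="") as wfile:
            return run_session(rfile, wfile, steps)
```

The returned transcript keeps every reply, so the queue ID on the final 250 line can be matched against the gateway's mail log.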
