
DO NOT REPRINT

© FORTINET

FortiMail 5.3.8
Student Guide
for FortiMail 5.3.8
Last Updated: 9 June 2017

We would like to acknowledge the following major contributors: Carl Windsor, Khalid Hassan, Michał
Kułakowski and Laurent Blossier

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as
stipulated by the United States Copyright Act of 1976.

Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare®, and FortiGuard®, and
certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be
registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks
of their respective owners. Performance and other metrics contained herein were attained in internal lab tests
under ideal conditions, and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent
Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly
warrants that the identified product will perform according to certain expressly-identified performance metrics
and, in such event, only the specific performance metrics expressly identified in such binding written contract
shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or
otherwise revise this publication without notice, and the most current version of the publication shall be
applicable.
Table of Contents

VIRTUAL LAB BASICS
  Network Topology
  Lab Environment
  System Checker
  Logging In
  Disconnections/Timeouts
  Transferring Files to the VM
  Screen Resolution
  International Keyboards
  Student Tools: View Broadcast and Raise Hand
  Troubleshooting Tips

LAB 1—INITIAL SETUP
  Objectives
  Time to Complete
  1 Verifying DNS Records
  2 Configuring a Server Mode FortiMail
  3 Configuring a Gateway Mode FortiMail

LAB 2—ACCESS CONTROL AND POLICIES
  Objectives
  Time to Complete
  1 Outbound Email Flow
  2 Relay Host
  3 Policy Usage Tracking
  4 Policy Creation

LAB 3—AUTHENTICATION
  Objectives
  Time to Complete
  Prerequisites
  1 User Authentication Enforcement
  2 LDAP Operations

LAB 4—SESSION MANAGEMENT
  Objectives
  Time to Complete
  Prerequisites
  1 Connection Limits
  2 Sender Address Rate Control
  3 Header Manipulation

LAB 5—ANTIVIRUS
  Objectives
  Time to Complete
  1 Antivirus Scanning for Malware Detection

LAB 6—CONTENT INSPECTION
  Objectives
  Time to Complete
  1 Content Inspection
  2 Data Loss Prevention

LAB 7—ANTISPAM
  Objectives
  Time to Complete
  Prerequisites
  1 Scan Incoming Email for Spam
  2 Testing the Antispam Configuration
  3 User Quarantine Management
  3 Scan Outgoing Email for Spam

LAB 8—SECURING COMMUNICATIONS
  Objectives
  Time to Complete
  1 Implementing SMTPS
  2 Implementing Content-Inspection-Based IBE
  2 Accessing IBE Emails

LAB 9—HIGH AVAILABILITY
  Objectives
  Time to Complete
  Prerequisites
  1 Configure the Primary FortiMail
  2 Configure the Secondary FortiMail
  3 Verify Cluster Health
  4 Configure HA Virtual IP
  5 Remote Services Monitoring

LAB 10—SERVER MODE
  Objectives
  Time to Complete
  Prerequisites
  1 Configure Resource Profiles
  2 Address Book LDAP Import

LAB 11—TRANSPARENT MODE
  Objectives
  Time to Complete
  1 Configuring a Transparent Mode FortiMail
  2 Configuring Bidirectional Transparency

LAB 12—MAINTENANCE
  Objectives
  Time to Complete
  1 Configure and Generate Local Reports
  2 Monitoring System Resource Use
  3 Local Storage Management

LAB 13—TROUBLESHOOTING
  Objectives
  Time to Complete
  Prerequisites
  1 Troubleshooting the Problem
  2 Fix the problem

APPENDIX A: ADDITIONAL RESOURCES

APPENDIX B: PRESENTATION SLIDES
  1 Email Concepts
  2 Basic Setup
  3 Access Control and Policies
  4 Authentication
  5 Session Management
  6 Antivirus & Content Inspection
  7 Antispam
  8 Securing Communications
  9 High Availability
  10 Server Mode
  11 Transparent Mode
  12 Maintenance & Troubleshooting


Virtual Lab Basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.

Network Topology

Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted in remote datacenters that allow each student
to have their own training lab environment, or point of delivery (PoD).

System Checker
Before starting any class, check whether your computer can successfully connect to the remote datacenters.
The System Checker verifies whether your network connection and your web browser can connect
reliably to the virtual lab.
You do not have to be logged in to the lab portal to run the System Checker.

To run the System Checker


1. Click the URL for your location:

Region                                   System Checker

AMER - North and South America           https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West

EMEA - Europe, Middle East and Africa    https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe

APAC - Asia and Pacific                  https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC

If your computer successfully connects to the virtual lab, the Browser Check and Network
Connection Check each display a check mark icon. You can then proceed to log in.
If any of the tests fail:
• Browser Check: This affects your ability to access the virtual lab environment.
• Network Connection Check: This affects the usability of the virtual lab environment.
For solutions, click the Support Knowledge Base link or ask your trainer.

Logging In
Once you confirm your system can successfully run the labs through System Checker, you can proceed
to log in.

To log in to the remote lab


1. With the user name and password provided by your trainer, you can either:
• Log in from the Login access at the bottom of the System Checker's result.
• Log into the URL for the virtual lab provided by your trainer:

https://remotelabs.training.fortinet.com/

https://virtual.mclabs.com/

2. If prompted, select the time zone for your location, and then click Update.
This ensures that your class schedule is accurate.
3. Click Enter Lab.


Your system dashboard will appear, listing the virtual machines in accordance with your lab
topology.
4. From this page, open a connection to any virtual appliance by doing one of the following:
• Clicking the device’s square (thumbnail)
• Selecting Open from the System drop-down list associated with the VM you want to access.


Note: Follow the same procedure to access any of your virtual devices.

A new web browser tab opens, granting you access to the virtual device. When you open a VM, your
browser uses HTML5 to connect to it.
Depending on the virtual machine you select, the web browser provides access to either a text-
based CLI or the GUI.

Connections to the Windows VM use a Remote Desktop-like GUI. The web-based connection should
automatically log in and then display the Windows desktop.
For most lab exercises, you will connect to this Windows VM.

Disconnections/Timeouts
If your computer’s connection with the virtual machine times out, or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of
VMs and open the VM again.

If that does not succeed, see the Troubleshooting Tips section of this guide.

Transferring Files to the VM


If you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to
download them to your Windows VM.
From there, if required, you can use a web browser to upload them to Fortinet VMs' GUI.
When connecting to a VM, your browser should then open a display in a new applet window.

Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the HTML5 client, to configure screen resolution, open the System menu.

International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.

To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to
display an on-screen keyboard.

Student Tools: View Broadcast and Raise Hand
Your instructor can broadcast his lab systems so that students can see any ongoing task in
real time. When an instructor begins a broadcast, you will receive an alert at the top of all open lab
pages.
To accept and view the broadcast, you can either click the notification message or click View
Broadcast on the left side panel.
If you have any question or issue, use the Raise Hand tool. Your instructor will be notified and will assist
you.

Troubleshooting Tips
• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-
bandwidth or high-latency connections.
For best performance, use a stable broadband connection such as a LAN.
• Prepare your computer's settings by disabling screen savers and changing the power saving
scheme, so that your computer is always on, and does not go to sleep or hibernate.
• If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), please
attempt to reconnect. If unable to reconnect, please notify the instructor.
• If you can't connect to a VM, on the VM's icon, you can force the VM to start up by clicking
System > Power Cycle. This fixes most problems. If that does not solve the problem, revert the
VM to its initial state by clicking System > Revert to Initial State.


Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions
first.

• If during the labs, particularly when reloading configuration files, you see a limited management GUI
similar to the one shown below, the VM is waiting for a response from the authentication server.

• To retry immediately, go to Maintenance > FortiGuard > Update, and click Update Now.

• If the authentication server response is received, you should be redirected to the login page.

• If you don’t see the above prompt, wait a few minutes and try again, or ask your trainer.

LAB 1—Initial Setup
In this lab, you will verify the DNS MX records for both of the lab domains, perform the initial
configuration tasks for the FortiMail VMs installed in the internal.lab domain for inbound email, and
configure an email client to connect to a server mode FortiMail. Then, you will issue basic SMTP
commands and inspect email headers to understand the flow of SMTP.

Objectives
• Verify DNS MX records for the lab domains
• Configure the initial system and email settings on the server mode FortiMail
• Configure the initial system and email settings on the gateway mode FortiMail
• Manually send basic SMTP commands to an email server to understand the SMTP protocol

Time to Complete
Estimated: 45 minutes

1 Verifying DNS Records
DNS is a critical component in routing email messages. In this exercise, you will use Windows DOS
commands to verify the published DNS MX records for both internal.lab and external.lab domains, to
understand the lab network mail routing.

To verify MX records
1. In Windows, open a command prompt window, and then enter the following command to display
the MX records associated with the external.lab domain:
nslookup -type=mx external.lab
You should receive an output similar to the following:

What is the primary MX record for the external.lab domain? ___________________________

What is the secondary MX record for the external.lab domain? ___________________________

Note: As indicated in the nslookup query output, there is only one MX record associated
with the external.lab domain.
extsrv.external.lab MX preference = 10
Therefore, all email messages sent to the external.lab domain must be sent to the
extsrv.external.lab (10.200.1.99) host.

2. In the same command prompt window, enter the following command to display the MX records
associated with the internal.lab domain:
nslookup -type=mx internal.lab
You should receive an output similar to the following:

What is the primary MX record for the internal.lab domain? ___________________________

What is the secondary MX record for the internal.lab domain? ___________________________


Note: As indicated in the nslookup query output, there are two MX records associated
with the internal.lab domain.
intgw.internal.lab MX preference = 10
intsrv.internal.lab MX preference = 20
The intgw.internal.lab (10.0.1.11) host is the primary MTA for the internal.lab
domain because it has the lowest preference value. However, at this point in the lab, you
haven’t configured the IntGW FortiMail VM to process email, so it won’t respond to
any SMTP sessions. When the TCP connection fails, the remote sender automatically
tries to send email to the next MX record on the list: intsrv.internal.lab (10.0.1.99).

3. Close the command prompt window.

Caution: In the lab network, the MX records for the internal.lab domain are geared for
convenience, and should not be used as a template for real-world deployments.
Because the back-end mail server might not have the full range of email security features
enabled, publishing it as a secondary MX entry is detrimental to security. Spammers can
easily identify and exploit these servers using MX records.
Publishing the back-end mail server as a secondary MX entry also prevents certain
FortiMail features, such as greylisting and sender reputation, from working effectively.
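
The MX ordering and fallback described in the notes for this exercise, together with a check for the condition the Caution warns about, as an added example that is not part of the Fortinet guide. The nslookup text is constructed from the lab's host names, and APPROVED_GATEWAYS and the function names are assumptions of this sketch.

```python
import re
from typing import Iterable, List, NamedTuple, Set, Tuple

# Constructed sample of `nslookup -type=mx internal.lab` output (Windows
# layout), built from the host names and preferences quoted in the lab notes.
SAMPLE_NSLOOKUP = (
    "Server:  UnKnown\n"
    "Address:  10.0.1.254\n"
    "\n"
    "internal.lab\tMX preference = 20, mail exchanger = intsrv.internal.lab\n"
    "internal.lab\tMX preference = 10, mail exchanger = intgw.internal.lab\n"
    "intgw.internal.lab\tinternet address = 10.0.1.11\n"
    "intsrv.internal.lab\tinternet address = 10.0.1.99\n"
)

# Assumption of this example: only the gateway mode FortiMail should be
# reachable through published MX records.
APPROVED_GATEWAYS = {"intgw.internal.lab"}

MX_LINE = re.compile(
    r"^(\S+)[ \t]+MX preference = (\d+), mail exchanger = (\S+)[ \t\r]*$",
    re.MULTILINE,
)


class MxRecord(NamedTuple):
    domain: str
    preference: int
    host: str


def parse_mx(nslookup_output: str) -> List[MxRecord]:
    """Extract MX records and return them lowest preference value first."""
    records = [
        MxRecord(domain.lower().rstrip("."), int(pref), host.lower().rstrip("."))
        for domain, pref, host in MX_LINE.findall(nslookup_output)
    ]
    # Ties are broken by host name only to keep the result deterministic;
    # real senders may try equal-preference hosts in any order.
    return sorted(records, key=lambda r: (r.preference, r.host))


def delivery_attempts(
    records: Iterable[MxRecord], reachable: Set[str]
) -> List[Tuple[str, str]]:
    """Simulate a sender walking the MX list until one host accepts TCP."""
    attempts: List[Tuple[str, str]] = []
    for record in records:
        if record.host in reachable:
            attempts.append((record.host, "delivered"))
            return attempts
        attempts.append((record.host, "connect failed"))
    return attempts  # every MX failed: the sender queues and retries later


def unfiltered_mx(
    records: Iterable[MxRecord], approved: Set[str] = APPROVED_GATEWAYS
) -> List[str]:
    """Return published MX hosts that are not approved filtering gateways."""
    return [r.host for r in records if r.host not in approved]


if __name__ == "__main__":
    mx = parse_mx(SAMPLE_NSLOOKUP)
    for rec in mx:
        print(f"{rec.preference:>3}  {rec.host}")
    # IntGW is not yet processing email at this point in the lab, so only
    # the back-end server answers.
    print(delivery_attempts(mx, reachable={"intsrv.internal.lab"}))
    print("MX hosts bypassing the gateway:", unfiltered_mx(mx))
```

Running the audit function against the output of a production domain's MX query gives a quick check that no back-end server is published alongside the gateway.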

2 Configuring a Server Mode FortiMail
In the lab network, the IntSRV server mode FortiMail is intended to be the mail server for the
internal.lab domain. It is where the end user mailboxes are, where you will perform all user-
management tasks, and where you will perform tasks specific to server mode.
In this exercise, you will perform the basic configuration tasks required to establish inbound email flow
on the IntSRV FortiMail VM. You will verify your configuration by sending an email from the ExtSRV
FortiMail VM and then reviewing the logs. Then, you will configure a Mail User Agent (MUA) to connect
to the server mode FortiMail.

To verify the operation mode


1. In Windows, open a web browser. Visit the IntSRV FortiMail's management GUI:
https://intsrv.internal.lab/admin
Ignore any security warnings generated by your browser. The warnings relate to the CN field and
the signer of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. On the System Status page, locate the System Information widget and verify that the Operation
mode is set to Server.

To configure the system settings


1. Click System > Network > Interface.
2. Select port1, and then click Edit.
3. Verify and configure the following values for port1:

Field Value

Addressing Mode: Manual

IP/Netmask: 10.0.1.99/24

Access: HTTPS PING SSH TELNET

Administrative status: Up

4. Click OK.
5. Click System > Network > Routing.
6. Click New.
7. Add a new static route using the following values:

Field Value

Destination IP/netmask: 0.0.0.0/0

Interface: port1

Gateway: 10.0.1.254

8. Click Create to save the static route.


9. Click System > Network > DNS, and then configure the following DNS servers:

Field Value

Primary DNS server 10.0.1.254

Secondary DNS server 0.0.0.0

Note: There is only one DNS server in the lab network; therefore, you are configuring
only the Primary DNS server field. However, in a production FortiMail deployment, you
should configure a primary and a secondary DNS server.

10. Click Apply to save the DNS changes.

To configure the mail settings


1. Click Mail Settings > Settings > Mail Server Settings.
2. Configure the following values under Local Host:

Field Value

Host name: IntSRV

Local domain name: internal.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains > Domains.
5. Click New to add a protected domain using the following values:

Field Value

Domain name: internal.lab

6. Keep the default values for the remaining settings, and then click Create.

To create server mode users


1. Click User > User > User.
2. Click New to create a new mail user on the server mode FortiMail using the following values:

Field Value

User name: user1

Authentication type: Local

Password: fortinet

Display name: Mail User 1

3. Click Create to save the user configuration.

To verify the configuration


1. In Windows, open a new web browser tab. Visit the ExtSRV FortiMail's webmail GUI:
https://extsrv.external.lab/
Ignore any security warnings generated by your browser. The warnings relate to the CN field and
the signer of the self-signed FortiMail certificate.
2. Log in as extuser using the password fortinet.
3. Click the Compose Mail icon, and then compose a new email message using the following
values:

Field Value

To: user1@internal.lab

Subject: Hello World!

Message Body: Your configuration is successful!

4. Click Send.
5. Open a new web browser tab. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
Ignore any security warnings generated by your browser. The warnings relate to the CN field and
the signer of the self-signed FortiMail certificate.
6. Log in as user1 using the password fortinet.
7. If the test email message doesn’t appear in the inbox, click Refresh.


8. Log out of the webmail interface.


9. Close the browser tab.

To review the logs


1. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Click Monitor > Log > History.
3. Double-click the current log file.

4. Review the logs and verify that the system applied the appropriate Classifier and Disposition to
your test email message.

To configure an MUA to connect to the server mode FortiMail
1. In Windows, open Mozilla Thunderbird. If the system prompts you to sign up for a new email
address, click Skip this and use my existing email.
2. After the Mail Account Setup wizard starts, enter the account information for Mail User 1.

3. Click Continue. Thunderbird attempts to auto-configure the server settings. Click Manual Config.

4. Modify the auto-discovered Server hostname values for both Incoming and Outgoing to match
the following screenshot, and then click Done.


5. Thunderbird displays a warning about unencrypted passwords. Check I understand the risks and
then click Done.

Caution: While unencrypted passwords are fine for a lab network, they should be avoided
in real-world deployments.

6. Thunderbird displays a certificate security warning. Select the Permanently store this
exception check box, and then click Confirm Security Exception to complete the Mail Account
Setup wizard.

7. If your configuration is correct, the test email you created in the previous exercise appears in
Thunderbird, in your local inbox.

3 Configuring a Gateway Mode FortiMail
In the lab network, the IntGW gateway mode FortiMail is intended to be the MTA for the internal.lab
domain. It will be the relay server for the IntSRV FortiMail, and also where most of the inspection
configuration tasks will be performed.
In this exercise, you will perform the configuration tasks required to establish inbound email flow on the
IntGW FortiMail VM. Then, you will verify your configuration by manually composing an email using a
telnet session, and reviewing the headers of the email in your Thunderbird mail client.

Note: Recall the DNS verification tasks you performed in the first exercise. As the MX
records show, the intgw.internal.lab (10.0.1.11) host is the primary MTA for the
internal.lab domain. So, all email messages should be sent to the IntGW FortiMail first for
processing. The IntGW FortiMail will then pass the email to the IntSRV FortiMail VM for
delivery to the end user.

To configure the system settings


1. On the My Systems page, click IntGW. This opens a new tab with the console of the IntGW
FortiMail VM.
2. Click anywhere in the console window, and then press the Enter key.
3. Log in as admin and leave the password field empty.
4. Configure the port1 IP address, subnet mask, and access options using the following CLI
commands:
config system interface
    edit port1
        set ip 10.0.1.11/24
        set allowaccess https ping ssh telnet
    next
end
5. In Windows, open a new web browser tab. Visit the IntGW FortiMail's management GUI:
https://intgw.internal.lab/admin
6. Log in as admin and leave the password field empty.
7. Click System > Network > Routing.
8. Click New, and then add a new static route using the following values:

Field Value

Destination IP/netmask: 0.0.0.0/0

Interface: port1

Gateway: 10.0.1.254

9. Click Create to save the static route.


10. Click System > Network > DNS, and then configure the following DNS servers:

Field Value

Primary DNS server: 10.0.1.254

Secondary DNS server: 0.0.0.0

11. Click Apply to save the DNS changes.

To configure the mail settings


1. Click Mail Settings > Settings > Mail Server Settings.
2. Configure the following values under Local Host:

Field Value

Host name: IntGW

Local domain name: internal.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains > Domains.
5. Click New to add a protected domain using the following values:

Field Value

Domain name: internal.lab

SMTP Server: 10.0.1.99

Note: 10.0.1.99 is the IP address of the IntSRV host. This is the server mode FortiMail
that you configured in the previous exercise. It contains the user mailboxes for the
internal.lab domain. Therefore, the IntGW host is configured with 10.0.1.99 as the
protected SMTP Server.

6. Keep the default values for the remaining settings, and then click Create.

To verify the configuration


1. In Windows, open a command prompt window.
2. Enter the following commands to start a telnet session on port 25 of the IntGW FortiMail:

Note: You can’t use the backspace or delete key to correct any typing errors. If you make
a mistake, close the connection and start over.

telnet intgw.internal.lab 25
…wait for reply…
ehlo 10.0.1.10
…wait for reply…
mail from: <extuser@external.lab>
…wait for reply…
rcpt to: <user1@internal.lab>
…wait for reply…
data
…wait for reply…
Subject: Test Message from Telnet

Message body
.
…wait for reply…
quit
3. In Thunderbird, open the test message that you sent in the previous step.
4. View the full headers of the message. To do this, in the More drop-down list, select View Source:

5. Compare the Received: headers in the Telnet session email with the Hello World! email you sent
in the previous exercise. What differences do you see?

Note: The Hello World email’s Received header shows that the IntSRV FortiMail
received the email directly from the ExtSRV FortiMail.
Received: from extsrv.external.lab ([10.200.1.99]) by
IntSRV.internal.lab with ESMTP id v1OLZmQa002443-v1OLZmQc002443

The Telnet session email’s Received header shows that the email was processed first by
the IntGW FortiMail, and then handed off to the IntSRV FortiMail.
Received: from IntGW.internal.lab ([10.0.1.11]) by
IntSRV.internal.lab with ESMTP id v1OMw47q002651-v1OMw47s002651

LAB 2—Access Control and Policies
In this lab, you will establish outbound email flow for the internal.lab domain, as well as configure a
relay host for the server mode FortiMail. You will create IP and recipient policies, and then use logged
policy IDs to identify how policies are applied to an email.

Objectives
• Configure access receive rules to allow outbound email
• Configure an external relay host
• Configure IP and recipient policies
• Use logged policy IDs to track messages

Time to Complete
Estimated: 45 minutes

1 Outbound Email Flow
In this exercise, you will configure the necessary access receive rules on both the IntGW and IntSRV
FortiMail VMs to allow outbound email.

To verify authenticated outbound relay


1. In Windows, open Thunderbird, and then compose a new email message to the external user
using the following values:

Field Value

To: extuser@external.lab

Subject: Testing Outbound Email

Message Body: Will this work?

2. Click Send. If Thunderbird displays a security warning, select the Permanently store this
exception check box, and then click Confirm Security Exception.
3. Open a web browser and visit the ExtSRV FortiMail's webmail GUI:
https://extsrv.external.lab/
4. Log in as extuser with the password fortinet.
5. Verify that extuser has received the email.

Note: By default, FortiMail rejects outbound email, unless the sender is authenticated.
Since you configured Thunderbird to authenticate when sending emails using SMTP, the
IntSRV FortiMail relays it.

To configure the server mode access receive rule


1. In Windows, open a web browser. Visit the IntSRV FortiMail's management GUI:
https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Click New and configure an access receive rule using the following values:

Field Value

Sender Pattern: User Defined, *@internal.lab

Sender IP/netmask: User Defined, 10.0.1.0/24

Action: Relay

5. Click Create to save the access receive rule.

Note: While the default behavior reduces configuration requirements, it is still good
practice to configure an access receive rule with specific sender patterns and sender
IP/netmask values in a server mode deployment to restrict outbound sessions.

To configure the gateway mode access receive rule


1. In Windows, open a new web browser tab. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Click New.
5. Configure an access receive rule using the following values:

Field Value

Sender Pattern: User Defined, *@internal.lab

Sender IP/netmask: User Defined, 10.0.1.99/32

Action: Relay

Note: On the IntGW FortiMail you are allowing only the IntSRV server mode FortiMail to
relay email. Therefore, you are configuring a /32 subnet mask. No other host is able to
relay email through IntGW.

6. Click Create to save the access receive rule.

To verify the access receive rules


1. Return to the Thunderbird composing window. Click Send.
2. Open a new web browser tab and go to the ExtGW webmail GUI:
https://extsrv.external.lab/
3. Log in as extuser using the password fortinet.
4. The email message should appear in the inbox. Click the email message to open it.
5. Click More > Detailed Header. This displays the email header in the webmail interface.

6. Review the Received: headers. What hops did the email take to reach the destination inbox?

Note: The email message was generated by Windows (10.0.1.10) and sent to IntSRV
(10.0.1.99). The IntSRV host then delivered the email message to ExtSRV (10.200.1.99).
Received: from IntSRV.internal.lab ([10.0.1.99]) by
extsrv.external.lab with ESMTP id v1RL4umB001914-v1RL4umD001914

Received: from [10.0.1.10] ([10.0.1.10]) (user=user1@internal.lab
mech=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id
v1RL4uHI001985-v1RL4uHK001985

According to the headers, the email message did not pass through the IntGW FortiMail, which is
expected. The IntSRV server mode FortiMail delivered the email based on MX query results. To make
sure all outbound email from IntSRV FortiMail relays through the IntGW FortiMail, you must configure a
relay host on the IntSRV FortiMail.

2 Relay Host
In this section, you will configure an external relay host on the IntSRV FortiMail so that all outbound email
is sent to the IntGW gateway mode FortiMail for delivery.

To configure a relay host


1. In Windows, visit the IntSRV FortiMail's management GUI:
https://intsrv.internal.lab/admin
2. Click Mail Settings > Settings > Mail Server Settings.
3. Expand the Outgoing Email sub-section.
4. Select the Deliver to relay host check box, and then click New.
5. Create a new relay host using the following values:

Field Value

Name: IntGWRelay

Host name/IP: 10.0.1.11

6. Leave the remaining fields empty, and then click Create to save the relay host configuration.
7. Click Apply to save the Outgoing Email setting changes.

To verify the relay host


1. Open Thunderbird, and then click Write.
2. Compose a new email using the following values:

Field Value

To: extuser@external.lab

Subject: Testing Relay Host

Message Body: Relay host is working!

3. Click Send.
4. Visit the ExtSRV webmail GUI:
https://extsrv.external.lab/
5. Verify that the email was delivered.
6. Review the headers. Do you see any differences in the Received: headers? What hops did the
email take this time to reach the destination inbox?

Note: The email was generated by Windows (10.0.1.10) and sent to IntSRV (10.0.1.99).
The IntSRV host then sent the email to IntGW (10.0.1.11). The IntGW host delivered the
email to ExtGW (10.200.1.99).
Received: from IntGW.internal.lab ([10.0.1.11]) by
extsrv.external.lab with ESMTP id v1RLvKZS002158-v1RLvKZU002158

Received: from IntSRV.internal.lab ([10.0.1.99]) by
IntGW.internal.lab with ESMTP id v1RLvKQj001948-v1RLvKQl001948

Received: from [10.0.1.10] ([10.0.1.10]) (user=user1@internal.lab
mech=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id
v1RLvJ8k002052-v1RLvJ8m002052

By completing the previous configuration steps, you have successfully established bidirectional email
flow in which all inbound and outbound email must flow through the IntGW gateway mode FortiMail.
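
Added example (not part of the original guide): a Python script that rebuilds the relay path from the Received: headers quoted in this lab and checks that the hop leaving internal.lab came from IntGW (10.0.1.11). The names parse_hops, route and left_via_gateway are introduced here, and the regular expression assumes the header layout shown in the notes above.

```python
"""Rebuild a message's relay path from its Received: headers (added example)."""
import email
import re
from typing import List, NamedTuple

# The two header sets quoted in this lab, wrapped into minimal messages.
# Subjects and bodies are the lab's own test values; nothing else is added.
DIRECT = """\
Received: from IntSRV.internal.lab ([10.0.1.99]) by
 extsrv.external.lab with ESMTP id v1RL4umB001914-v1RL4umD001914
Received: from [10.0.1.10] ([10.0.1.10]) (user=user1@internal.lab
 mech=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id
 v1RL4uHI001985-v1RL4uHK001985
Subject: Testing Outbound Email

Will this work?
"""

RELAYED = """\
Received: from IntGW.internal.lab ([10.0.1.11]) by
 extsrv.external.lab with ESMTP id v1RLvKZS002158-v1RLvKZU002158
Received: from IntSRV.internal.lab ([10.0.1.99]) by
 IntGW.internal.lab with ESMTP id v1RLvKQj001948-v1RLvKQl001948
Received: from [10.0.1.10] ([10.0.1.10]) (user=user1@internal.lab
 mech=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id
 v1RLvJ8k002052-v1RLvJ8m002052
Subject: Testing Relay Host

Relay host is working!
"""

GATEWAY_IP = "10.0.1.11"           # IntGW, per the lab topology
INTERNAL_SUFFIX = ".internal.lab"  # hosts inside the protected domain


class Hop(NamedTuple):
    src_name: str   # name the client announced (host name or address literal)
    src_ip: str     # peer address recorded by the receiving server
    by: str         # server that added this header, lower-cased
    auth: dict      # SMTP AUTH details, empty when the hop was unauthenticated


# Matches the header layout shown in this lab:
#   from NAME ([IP]) [(user=... mech=... bits=...)] by HOST ...
HOP_RE = re.compile(
    r"^from\s+(?P<name>\S+)\s*\(\[(?P<ip>[^\]]+)\]\)\s*"
    r"(?:\((?P<auth>[^)]*)\)\s*)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hops(raw: str) -> List[Hop]:
    """Return the hops oldest first. Each relay prepends its header, so the
    list read from the top of the message is newest first and is reversed."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.match(flat)
        if m is None:
            # Fail loudly: a skipped hop would make the path look shorter.
            raise ValueError(f"unrecognised Received header: {flat!r}")
        auth = dict(kv.split("=", 1) for kv in (m["auth"] or "").split() if "=" in kv)
        hops.append(Hop(m["name"], m["ip"], m["by"].lower(), auth))
    hops.reverse()
    return hops


def route(raw: str) -> List[str]:
    """Originating client IP followed by every server that accepted the message."""
    hops = parse_hops(raw)
    return [hops[0].src_ip] + [h.by for h in hops] if hops else []


def left_via_gateway(raw: str) -> bool:
    """True when the hop that handed the message to a host outside
    internal.lab came from the gateway's IP address. Only Received lines
    added by servers you operate can be trusted; older ones can be forged."""
    for hop in parse_hops(raw):
        if not hop.by.endswith(INTERNAL_SUFFIX):
            return hop.src_ip == GATEWAY_IP
    return False  # the message never left the internal domain


if __name__ == "__main__":
    for label, raw in (("before relay host", DIRECT), ("after relay host", RELAYED)):
        print(label, " -> ".join(route(raw)), "via gateway:", left_via_gateway(raw))
```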

3 Policy Usage Tracking
As email messages flow through FortiMail, log entries are created that show which policies were
triggered. This is extremely useful for testing new policies and troubleshooting existing ones.
In this exercise, you will send two email messages, one in each direction, and then review which policies
the messages used.

To generate log entries


1. In Windows, open Thunderbird.
2. Send an email message to extuser@external.lab.
3. Visit the ExtGW FortiMail’s webmail GUI:
https://extsrv.external.lab/
4. Log in as extuser using the password fortinet.
5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.

To review log entries


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Monitor > Log > History.
3. Double-click the active log file. The first two entries in the History log should correspond to the two
email messages that FortiMail just processed.
4. Right-click the entry for the inbound email, and then select View Details.

5. Review the Policy IDs field, and answer the following questions:
The Policy IDs field is made up of three fields (X:Y:Z). What does each field’s value correspond to?

The first policy usage value is 0. What does this mean?

The third policy usage value is 0. What does this mean?

Note: The policy IDs for each email message are recorded in the history logs in
the format of X:Y:Z, where X is the ID of the access control rule, Y is the ID of the
IP-based policy, and Z is the ID of the recipient-based policy.
If the value in the access control rule field for an incoming email is 0, it means that
FortiMail is applying its default rule for handling inbound email. If the value of
X:Y:Z is 0 in any other case, it means that a policy or rule couldn’t be matched, or
doesn’t exist.

6. Click Close to close the Log Details window.


7. Open the relevant log entry for the outbound email and review the Policy IDs field.

Note: The policy use recorded for the outbound email message is 1:1:0. It was
processed using access receive rule ID 1, which you created in the previous
exercise. Then, the email message was processed using the default IP policy ID 1.
Because you didn’t configure any outgoing recipient policy, the last field value is 0.

4 Policy Creation
In this exercise, you will create IP and recipient policies. Then, you will test your configuration by
sending email messages back and forth. You will also use logs to observe the changes to the policy use
from the previous exercise.

To create IP policies
1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Policy > Policies > Policies.
3. In the IP Policies section, click New.
4. Create a new IP policy using the following values:

Field Value

Source: 10.0.1.99/32

Session: Outbound_Session

5. Click Create to save the policy.


6. The new policy should have an ID value of 3.

7. Click the policy to select it. In the Move drop-down list, select Before. Move IP policy ID 3 to appear
in the list before IP policy ID 1.

8. The policies should appear in the following order:

IP policy ID 3 will process all email sourced from the IntSRV FortiMail (outgoing), and IP Policy ID 1
will process all other email (incoming). IP policy ID 2 is a default IPv6 policy. Since this lab is not
configured for IPv6, it is not required. You can delete it if you want to.

To create recipient policies


1. In the Recipient Policies section, in the Domain drop-down list, select internal.lab.

2. Click New.
3. Don’t modify any values. Click Create to save the policy.

4. In the Direction drop-down list, select Outgoing.


5. Click New.
6. Don’t modify any values. Click Create to save the policy.

Note: FortiMail maintains a global list of outbound recipient policies. If you manage
multiple protected domains, and you need to handle outbound email for each protected
domain differently, you must create a different outbound recipient policy for each protected
domain, and set the Sender Pattern accordingly.

To generate log entries


1. In Windows, open Thunderbird.
2. Send an email message to extuser@external.lab.
3. Visit the ExtGW FortiMail’s webmail GUI:
https://extsrv.external.lab/
4. Log in as extuser using the password fortinet.
5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.

To review log entries


1. In the IntGW FortiMail’s management GUI, click Monitor > Log > History.
2. Double-click the active log file. The first two entries in the History log should correspond to the two
email messages that FortiMail just processed.

3. Access the details for each log entry and review the Policy IDs field.
4. What changes can you see from the previous exercise?

Note: The policy use will reflect the new ID values for the policies you created. All
outgoing email will be processed by IP policy ID 3, and outgoing recipient policy ID 1. All
incoming email will be processed by IP policy ID 1, and incoming recipient policy ID 1.

LAB 3—Authentication
In this lab, you will configure access receive rules to enforce user SMTP authentication. You will also
configure an LDAP profile to enable recipient verification, alias mapping, and user authentication.

Objectives
• Enforce user SMTP authentication using access receive rules
• Configure an LDAP profile
• Enable recipient verification and alias mapping
• Configure LDAP authentication for users

Time to Complete
Estimated: 60 minutes

Prerequisites
Before beginning this lab, you must disable sender reputation on the IntGW FortiMail.

To disable sender reputation


1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Policies > Policies.
4. In the IP Policies section, double-click policy ID 1.
5. Edit the Inbound_Session profile.
6. Expand the Sender Reputation section and clear the Enable sender reputation check box.
7. Click OK to save the changes.

Note: The sender reputation feature can interfere with some of the testing that you will
do in this lab.

1 User Authentication Enforcement
In this exercise, you will explore how FortiMail handles SMTP authentication. You will enforce
authentication using access receive rules, and test your configuration using various outgoing server
settings in Thunderbird.

To disable SMTP authentication in Thunderbird


1. In Windows, open Thunderbird.
2. Press the Alt key to show the Menu Bar.
3. Click Tools > Account Settings.

4. On the Account Settings screen, in the left pane, click Outgoing Server (SMTP), and then click
Edit.

5. In the Authentication method drop-down list, select No authentication.

6. Click OK to save the changes.


7. Click OK to return to the main Thunderbird window.

Note: By making these changes, you have disabled authentication for SMTP connections.
So, when you send an email message, Thunderbird won’t authenticate.

To send an unauthenticated email message


1. In Thunderbird, send an email to extuser@external.lab.
2. Open a web browser, and then visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
3. Log in as extuser using the password fortinet.
4. Why was the email delivered to the destination user even though you disabled SMTP authentication
in Thunderbird?

Note: The access receive rule that you configured in LAB 2—Access Control & Policies
didn’t have authentication enforcement enabled.

When you set Authentication Status to Any, FortiMail doesn’t verify whether the
sender matching the rule is authenticated or not.

To enforce authentication
1. Open a new web browser tab. Visit the IntSRV FortiMail's management GUI:
https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Select rule ID 1 and click Edit.

5. In the Authentication status drop-down list, select Authenticated.

6. Click OK to save the changes.

To verify authentication enforcement


1. In Thunderbird, send another email message to extuser@external.lab.
2. This time, an alert displays indicating that relaying is denied.

3. Click OK to close the alert, but leave the email compose window open in the background.
4. Visit the IntSRV FortiMail's management GUI:
https://intsrv.internal.lab/admin
5. Click Monitor > Log > History.
6. Double-click the active log file. The first entry in the History log should correspond to the rejected
email message.

Note: In this log entry, you can see IntSRV has rejected (Disposition) the email because
the session violated an access control rule (Classifier). By changing the Authentication
Status value to Authenticated, you have successfully enforced authentication for users
connecting to the IntSRV FortiMail.
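
Added example (not FortiMail code and not part of the original guide): a simplified Python model of how the access receive rules from Labs 2 and 3 decide whether to relay an outbound message. It assumes rules are tried in ID order with the first match winning, and that the IntGW rule keeps Authentication status at Any; Rule, decide and lab_cases are names introduced here.

```python
"""Simplified model of the access receive rule check exercised in these labs."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    sender_pattern: str   # e.g. "*@internal.lab"
    sender_net: str       # e.g. "10.0.1.0/24"
    auth_status: str      # "Any" or "Authenticated"
    action: str = "Relay"

    def matches(self, sender: str, client_ip: str, authenticated: bool) -> bool:
        if not fnmatch.fnmatchcase(sender.lower(), self.sender_pattern.lower()):
            return False
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.sender_net):
            return False
        # "Any" does not look at the authentication state at all.
        return self.auth_status == "Any" or authenticated


def decide(rules: List[Rule], sender: str, client_ip: str,
           authenticated: bool) -> Tuple[str, int]:
    """Decision for a message addressed outside the protected domain.
    Returns (action, rule_id); rule_id 0 means no rule matched.
    Assumption: rules are tried in ID order and the first match wins."""
    for rule_id, rule in enumerate(rules, start=1):
        if rule.matches(sender, client_ip, authenticated):
            return rule.action, rule_id
    # Default stated in this guide: outbound email is rejected
    # unless the sender is authenticated.
    return ("Relay" if authenticated else "Reject"), 0


# Rule sets configured in the labs (IntGW auth status is an assumption).
INTSRV_LAB2 = [Rule("*@internal.lab", "10.0.1.0/24", "Any")]
INTSRV_LAB3 = [Rule("*@internal.lab", "10.0.1.0/24", "Authenticated")]
INTGW = [Rule("*@internal.lab", "10.0.1.99/32", "Any")]

SENDER = "user1@internal.lab"
WINDOWS = "10.0.1.10"   # Thunderbird client
INTSRV = "10.0.1.99"    # server mode FortiMail


def lab_cases() -> Dict[str, Tuple[str, int]]:
    """The situations walked through in the exercises, as (action, rule_id)."""
    return {
        "IntSRV, status Any, no AUTH": decide(INTSRV_LAB2, SENDER, WINDOWS, False),
        "IntSRV, status Authenticated, no AUTH": decide(INTSRV_LAB3, SENDER, WINDOWS, False),
        "IntSRV, status Authenticated, AUTH": decide(INTSRV_LAB3, SENDER, WINDOWS, True),
        "IntGW, session from IntSRV": decide(INTGW, SENDER, INTSRV, False),
        "IntGW, session from Windows host": decide(INTGW, SENDER, WINDOWS, False),
    }


if __name__ == "__main__":
    for label, (action, rule_id) in lab_cases().items():
        print(f"{label:42s} {action:6s} rule {rule_id}")
```

With the status left at Any, any host in 10.0.1.0/24 that presents an @internal.lab sender is relayed without credentials, which is why the exercise switches the rule to Authenticated.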

To restore SMTP authentication on Thunderbird


1. In the main Thunderbird window, press the Alt key to show the Menu Bar.
2. Click Tools > Account Settings.
3. On the Account Settings screen, click Outgoing Server (SMTP), and then click Edit.
4. In the Authentication method drop-down list, select Normal password.
5. Click OK to save the changes.
6. Click OK to return to the main Thunderbird window.
7. Send the email message again.
8. Visit the ExtGW FortiMail’s webmail GUI:
https://extsrv.external.lab/
9. Log in as extuser using the password fortinet.
10. Verify that the email was delivered.
11. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
12. Click Monitor > Log > History.
13. Double-click the active log file. The first entry in the History log should correspond to the email
message you just sent.

14. Click the Session ID link to retrieve the cross search results.
15. Right-click the event log related to the authentication event to view the details.

2 LDAP Operations
The Windows VM has been preconfigured with Active Directory Services for the internal.lab domain. In
this exercise, you will review the Active Directory configuration and learn how to retrieve LDAP attributes
for Active Directory objects. Then, you will configure an LDAP profile on both IntSRV and IntGW
FortiMail devices to use for user authentication, alias lookup, and recipient verification.

To review the Active Directory configuration


1. In Windows, from the desktop, open the Active Directory Users and Computers management
console.

Note: A service account for the LDAP profile is located in the Service Accounts
Organizational Unit (OU). The users and groups are located in the Training Users OU
and Training Groups OU respectively.

2. All account passwords have been set to fortinet.

To access the LDAP attributes of Active Directory objects


1. In the Active Directory Users and Computers management console, click View, and then verify that
Advanced Features is selected.

2. Right-click internal.lab, and then select Properties.

3. In the internal.lab Properties window, click the Attribute Editor tab.

Note: You can use the previous steps to access the LDAP attributes of any
Active Directory object necessary to configure the LDAP profile on FortiMail.

4. Click OK to close the properties window.


5. Close the Active Directory Users and Computers management console.

To configure an LDAP profile on IntGW FortiMail
1. Open a new web browser tab. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Profile > LDAP > LDAP.
4. Click New.
5. Create an LDAP profile using the following values:

Field Value

Profile name: InternalLabLDAP

Server name/IP: 10.0.1.10

6. Use the following values to configure the Default Bind Options:

Field Value

Base DN: OU=Training Users,DC=internal,DC=lab

Bind DN: CN=LDAP Service Account,OU=Service Accounts,DC=internal,DC=lab

Bind password: fortinet

7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:

Field Value

Alias member query: proxyAddresses=smtp:$m

User group expansion in advance: Disable

Use Separate bind: Disable

10. Click Create to save the LDAP profile.

To configure an LDAP profile on IntSRV FortiMail


1. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Profile > LDAP > LDAP.
4. Click New.

5. Create an LDAP profile using the following values:

Field Value

Profile name: InternalLabLDAP

Server name/IP: 10.0.1.10

6. Use the following values to configure the Default Bind Options:

Field Value

Base DN: OU=Training Users,DC=internal,DC=lab

Bind DN: CN=LDAP Service Account,OU=Service Accounts,DC=internal,DC=lab

Bind password: fortinet

7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:

Field Value

Alias member query: proxyAddresses=smtp:$m

User group expansion in advance: Disable

Use Separate bind: Disable

10. Click Create to save the LDAP profile.

To validate the LDAP profile configuration


1. In the IntGW FortiMail management GUI, select the InternalLabLDAP profile, and then click Edit.
2. On the LDAP profile configuration screen, click [Test LDAP Query…].
3. Make sure the query type is set to User.
4. Query for the following users:
user1@internal.lab
user2@internal.lab
5. If your configuration is correct, you will receive the following Test Result message:

6. If the query fails, make sure the LDAP profile configuration matches the following screenshot:

7. On the LDAP profile configuration screen, click [Test LDAP Query…] again.
8. Change the query type to Alias.
9. All of the Active Directory users have been preconfigured with aliases. Query for the following
aliases:
mailuser1@internal.lab
mailuser2@internal.lab
10. If your configuration is correct, you will receive the following Test Result message:

11. If the query fails, make sure the LDAP profile User Alias Options configuration matches the
following screenshot:

12. Perform the same validation steps on the IntSRV FortiMail.

To configure recipient verification and alias mapping for gateway mode
1. In the IntGW FortiMail management GUI, click Mail Settings > Domains > Domains.
2. Select the internal.lab domain, and then click Edit.
3. In the Recipient Address Verification section, select Use LDAP Server.

4. In the Use LDAP server drop-down list, select InternalLabLDAP.
5. Expand the Advanced Settings section.
6. In the LDAP user alias / address mapping profile drop-down list, select InternalLabLDAP.
7. Your configuration should match the following screenshot:

8. Click OK to save the changes.

Note: You don’t need to configure recipient verification on the IntSRV FortiMail. Recipient
verification is enabled implicitly on a server mode FortiMail because the user database
exists locally.
You also don’t need to configure alias mapping on the IntSRV FortiMail because the
mapping is done by the IntGW FortiMail before it delivers an email message to the
IntSRV FortiMail.

To configure LDAP authentication for gateway mode webmail access
1. Click Policy > Policies > Policies.
2. Select recipient policy ID 1, and then click Edit.
3. In the Authentication and Access section, configure the following values:

Field Value

Authentication type: LDAP

Authentication profile: InternalLabLDAP

Allow quarantined email access through webmail: Enabled

4. Click OK to save the changes.

Note: Users will use their Active Directory accounts to authenticate and gain access to the
IntGW FortiMail’s webmail interface for quarantined emails.

To configure LDAP authentication for server mode users


1. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Click User > User > User.
3. Select user1, and then click Edit.
4. In the Authentication type drop-down list, select LDAP.
5. In the LDAP profile drop-down list, select InternalLabLDAP.

Note: If the LDAP profile doesn’t appear in the drop-down list, then you missed a step.
Return to the To Configure an LDAP Profile section, and then follow the listed steps to
configure the same LDAP profile on the IntSRV FortiMail.

6. Click OK to save the changes.


7. Click New.
8. Create a new user using the following values:

Field Value

User name: user2

Authentication type: LDAP

LDAP profile: InternalLabLDAP

Display name: Mail User 2

9. Click Create to save the new user.

To validate server mode LDAP authentication


1. In Windows, open a new web browser tab. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
2. Log in as user2 using the password fortinet.

3. If you have configured the server mode user LDAP authentication correctly, the login will be
successful.

To validate gateway mode LDAP authentication


1. Open a new web browser tab. Visit the IntGW FortiMail’s webmail GUI:
https://intgw.internal.lab/
2. Log in as user2 using the password fortinet.
3. If you have configured the gateway mode LDAP authentication correctly, the login will be successful.
4. Log out and close the browser tab before proceeding.

Note: The webmail GUI in gateway mode gives users access to their Bulk folder, which
contains only quarantined email. You will configure email quarantining in a later lab. In this
section, you are verifying user access only.

To validate recipient verification


1. In Windows, open a new web browser tab. Visit the ExtGW FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Compose a new email message using the following values:

Field Value

To: invaliduser@internal.lab

Subject: Testing Recipient Verification

Message Body: This should be rejected!

4. Click Send.
5. Click Refresh to update the inbox. You should receive a delivery status notification (DSN) message.
6. Open the DSN message and review the transcript details.
7. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
8. Click Monitor > Log > History.
9. Double-click the active log file. The first entry in the History log should correspond to the email you
just sent.

10. Review the log details.

To validate alias mapping


1. Visit the ExtSRV FortiMail’s webmail GUI.
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Compose another email message using the following values:

Field Value

To: mailuser2@internal.lab

Subject: Testing Alias Mapping

Message Body: This should work!

4. Click Send.
5. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
6. Log in as user2 using the password fortinet.
7. The email you sent to mailuser2@internal.lab should appear in the user2@internal.lab inbox.

8. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
9. Click Monitor > Log > History.
10. Double-click the active log file. The first entry in the History log should correspond to the email
message you just sent.


11. Click the Session ID to retrieve the cross search result.


12. Review the AntiSpam log related to the session.

Note: Alias mapping is useful to consolidate multiple email messages for the same user
in a single email account using their primary email address as the identifier. This reduces
account management overhead for the user and the administrator. For example, if a user
has five aliases in addition to a primary email address, FortiMail can use alias mapping to
maintain a single user quarantine mailbox. Otherwise, the user would have to manage six
separate quarantine accounts, as well as the quarantine reports for each account.

LAB 4—Session Management
In this lab, you will configure session profiles to inspect the envelope part of SMTP sessions. You will
also use session profiles to hide internal network information from email headers.

Objectives
• Configure session profile connection settings to limit inbound connections to the IntGW FortiMail
• Configure sender address rate control to limit outbound connections on the IntSRV FortiMail
• Configure session profile header manipulation to hide your internal network information

Time to Complete
Estimated: 45 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to the IntSRV FortiMail.

To restore the initial configuration file


1. In Windows, open a web browser. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Maintenance > System > Configuration. Upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 4\04_Initial_IntSRV.tgz

Note: The configuration file adds a new IP policy that causes all email delivery attempts
from the ExtSRV FortiMail to the IntSRV FortiMail to fail temporarily. This is done to
ensure that when the session limits are triggered on the IntGW FortiMail, the ExtSRV
FortiMail can’t deliver to the IntSRV FortiMail directly. The change helps in testing the
session profile settings you will be configuring on IntGW in this lab.

4. Click Restore.
5. Wait for the IntSRV FortiMail to finish rebooting before you proceed with the exercise.

1 Connection Limits
Spammers usually send as many email messages as they can in a small period of time, before
legitimate email servers begin to block delivery. If blocked, the spammers won’t spend the time to retry.
Normal email servers will retry delivery if it fails the first time. One method of blocking spam, while
allowing legitimate email messages, is to limit the number of SMTP sessions that each client can
establish in a 30-minute period.
In this exercise, you will configure a session profile on the IntGW FortiMail to limit the number of
connections the ExtSRV FortiMail can establish over a 30-minute period. Then, you will test the
connection limitation by sending consecutive email messages to trigger a violation. You will also verify
your configuration by reviewing the logs.

To configure a session profile


6. In Windows, open a web browser. Visit the IntGW FortiMail's management GUI:
https://intgw.internal.lab/admin
7. Log in as admin and leave the password field empty.
8. Click Profile > Session > Session.
9. Click New.
10. In the Connection Settings section, configure the following values:

Field Value

Profile name: limit_connections

Restrict the number of connections per client per 30 minutes to: 4

11. Click Create to save the profile.

Note: Four connections every 30 minutes is too few to be realistic for real world
deployments. Email servers usually send many email messages to or through
FortiMail each minute. In this lab, however, you will use the 30-minute restriction to
make your rate limit easy to trigger.

Note: If there are no IP policies configured with a session profile, FortiMail will still
rate limit connections according to its default settings, which are similar to the
session_basic_predefined profile–including the 10 MB size limit, sender reputation
enabled, and so on. To disable the rate limit, you must create and apply a blank
session profile.

To apply the session profile to inbound connections


1. Click Policy > Policies > Policies.
2. Edit IP policy ID 1.
3. In the Profiles section, in the Session drop-down list, select limit_connections. Click OK to
save your settings.

To validate the connection limits


1. Open a new tab in your browser. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Send five email messages to user1@internal.lab to trigger the session limit.
4. Open Thunderbird and check how many email messages were delivered to the user1@internal.lab
inbox.

Note: There will be one email sent per TCP connection. Therefore IntGW FortiMail should
allow the first four but block email number five, which exceeds your configured connection
limit.

5. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
6. Click Monitor > Log > History.
7. Double-click the active log file. The first entry in the History log should correspond to the rejected
email.

8. Why are the From, To, and Subject fields empty in this log entry?

Note: FortiMail blocked the client’s attempt when scanning the IP layer of the initial
packets, before the SMTP session could be established. The SMTP session contains the
SMTP envelope: the sender’s email address, the recipient’s email address, and the
subject. So those parts of the email were never received.

9. Click the Session ID to retrieve the cross search results.


10. Review the related AntiSpam log.

To disable connection limits
1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Policy > Policies > Policies.
3. Edit IP policy ID 1.
4. In the session profile drop-down list, select Inbound_Session.
5. Click OK.

2 Sender Address Rate Control
While it is important to protect your email users from spammers sending large volumes of email, it is also
important to protect your own MX IP reputation by controlling the volume of email received from internal
users.
In this exercise, you will configure sender address rate control on the IntSRV FortiMail. Then, you will
send consecutive email messages to trigger a violation, and verify your configuration using logs.

To configure sender address rate control


1. In Windows, open a new web browser tab. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Mail Settings > Domains > Domains.
4. Select the internal.lab domain and click Edit.
5. Expand the Advanced Scan Settings section, and then select the Sender address rate control
check box.
6. Expand the Sender address rate control section.
7. Configure the following values:

Field Value

Action: Reject

Maximum number of messages per half hour: 4

Send email notification upon rate control violations: Enable

8. Click New.
9. Create a notification profile using the following values:

Field Value

Name: NotifyUser1

Send notification to: Others

10. Click Add.
11. Enter Mail User 1’s email address: user1@internal.lab
12. Click OK.
13. Click Create.
14. Click OK.

To validate sender address rate control
1. Open a new web browser tab. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
2. Log in as user2 using the password fortinet.
3. Send five email messages to extuser@external.lab to trigger the rate control limit.
4. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
5. Log in as extuser using the password fortinet.
6. Check how many email messages were delivered to the extuser@external.lab inbox.
7. By now, user1@internal.lab should have received the notification email for the rate control violation.
Open Thunderbird and view the details in the notification email.

Note: Notification profiles are a convenient feature that can allow administrators to keep
informed of events occurring on FortiMail. Many FortiMail features support notification
profiles.
8. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
9. Click Monitor > Log > History.
10. Double-click the active log file. The first entry in the History log should correspond to the rate
control violation.

Note: While session profile connection limits and sender address rate control appear to
function very similarly, there is a major difference in how these limits are applied by
FortiMail.
As you observed in the previous exercise, session profile connection limits are applied at
the IP layer. Sender address rate control limits connections based on the sender address.
This is derived from the mail from: field of the SMTP envelope. So, for sender address
rate control, FortiMail must process at least a portion of the SMTP envelope. This is also
why user2@internal.lab appears in the From field of the log entry, but the log entries from
the session profile connection limits are empty.

11. Click the Session ID to retrieve the cross search results.


12. Review the related event and antispam logs.
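
The difference between the two limits in this lab, as an added sketch that is not FortiMail code: a per-client connection limit keyed on the source IP runs before any envelope is read, while sender address rate control is keyed on MAIL FROM. The sliding 30-minute window, the choice not to count rejected attempts, and the client addresses are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 30 * 60  # seconds; both lab limits are expressed per 30 minutes


class WindowLimiter:
    """Allow at most `limit` events per key inside a sliding time window."""

    def __init__(self, limit, window=WINDOW):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        events = self._events[key]
        # Forget events that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class Gateway:
    """Toy model of the two checks (assumed behaviour, not the product's)."""

    def __init__(self, conn_limit=None, sender_limit=None):
        self.conn = WindowLimiter(conn_limit) if conn_limit else None
        self.sender = WindowLimiter(sender_limit) if sender_limit else None
        self.history = []

    def deliver(self, client_ip, mail_from, rcpt_to, now):
        # Check 1: connection limit, keyed on the source IP. It runs before
        # any SMTP command is read, so no envelope field can be logged.
        if self.conn and not self.conn.allow(client_ip, now):
            return self._log(client_ip, "", "", "reject: connection limit")
        # Check 2: sender address rate control, keyed on MAIL FROM. The
        # envelope sender has been received, so it appears in the log.
        if self.sender and not self.sender.allow(mail_from.lower(), now):
            return self._log(client_ip, mail_from, "", "reject: sender rate")
        return self._log(client_ip, mail_from, rcpt_to, "accept")

    def _log(self, ip, mail_from, rcpt_to, disposition):
        entry = {"client": ip, "from": mail_from, "to": rcpt_to,
                 "disposition": disposition}
        self.history.append(entry)
        return entry


def send_burst(gateway, client_ip, mail_from, rcpt_to, count, start=0, gap=60):
    """Deliver `count` messages, one connection each, `gap` seconds apart."""
    return [gateway.deliver(client_ip, mail_from, rcpt_to, start + i * gap)
            for i in range(count)]


if __name__ == "__main__":
    # Constructed traffic: 192.0.2.25 and 192.0.2.50 are placeholder clients.
    intgw = Gateway(conn_limit=4)
    for e in send_burst(intgw, "192.0.2.25", "extuser@external.lab",
                        "user1@internal.lab", 5):
        print("IntGW ", e)
    intsrv = Gateway(sender_limit=4)
    for e in send_burst(intsrv, "192.0.2.50", "user2@internal.lab",
                        "extuser@external.lab", 5):
        print("IntSRV", e)
```

In the model, changing the sender address does not get a client past the connection limit, and a second sender on the same client is unaffected by the first sender's rate control.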

To disable sender address rate control
1. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Select the internal.lab domain and click Edit.
4. Expand the Advanced Scan Settings section and disable Sender address rate control.

3 Header Manipulation
Removing internal headers is a common security practice. It hides your internal network information from
the world.
In this exercise, you will observe the effects of header manipulation settings by configuring a session
profile on the IntGW FortiMail to hide internal headers.

To review headers
1. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Open any email message sent by an internal.lab user. If you deleted all the previous email
messages, open Thunderbird and send a new email message to extuser@external.lab.
4. Click More > Detailed Header. Select and copy (Ctrl + C) the header contents.
5. Open a new Notepad window and paste (Ctrl + V) the header details. Save the file on the desktop
as Header_Before.txt.

To configure header manipulation


1. Open a new web browser tab. Visit the IntGW management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Policies > Policies.
4. Click the Outbound_Session link. This is the session profile currently applied to IP policy ID 3,
which processes all outbound email for the internal.lab domain.

5. Expand Header Manipulation, and then select the Remove received headers check box.
6. Click OK to save the changes.

Note: The IntGW FortiMail removes all previous Received: headers from the email when
it starts processing it, using IP policy ID 1.

To validate header manipulation settings
1. Open Thunderbird.
2. Send a new email message to extuser@external.lab.
3. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
4. Log in as extuser using the password fortinet.
5. Open the email message you just sent from user1@internal.lab.
6. Review the detailed headers of the email.

Note: In the Received: header you should only see details about IntGW and ExtSRV.
There should be no information about Windows (10.0.1.10), and IntSRV (10.0.1.99).

7. Open the Header_Before.txt file you saved earlier. Compare the differences.
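
The before/after comparison in step 7 can also be scripted. The following is an added example, not part of the lab files: it parses the Received: chain, reports which of the hosts named in the note above still appear, and models the removal. The sample header is constructed, and 10.0.1.11 as the IntGW address is an assumption.

```python
import re
from email import message_from_string

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Hosts the lab expects to disappear from the headers (addresses from the note).
HIDDEN_HOSTS = {"10.0.1.10": "Windows", "10.0.1.99": "IntSRV"}

# Constructed stand-in for Header_Before.txt; the newest hop is on top.
# 10.0.1.11 as IntGW's address is an assumption.
HEADER_BEFORE = """\
Received: from intgw.internal.lab ([10.0.1.11])
\tby extsrv.external.lab with ESMTP; Fri, 9 Jun 2017 10:00:03 +0000
Received: from intsrv.internal.lab ([10.0.1.99])
\tby intgw.internal.lab with ESMTP; Fri, 9 Jun 2017 10:00:02 +0000
Received: from [10.0.1.10]
\tby intsrv.internal.lab with ESMTP; Fri, 9 Jun 2017 10:00:01 +0000
From: user1@internal.lab
To: extuser@external.lab
Subject: Header test

Test body
"""


def received_hops(raw):
    """Return the Received: values, newest first, with folding collapsed."""
    msg = message_from_string(raw)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def hidden_hosts_seen(raw, hidden=HIDDEN_HOSTS):
    """List the hosts from `hidden` whose address appears in any hop."""
    seen = set()
    for hop in received_hops(raw):
        for ip in IP_RE.findall(hop):
            if ip in hidden:
                seen.add(f"{hidden[ip]} ({ip})")
    return sorted(seen)


def strip_received(raw):
    """Remove every Received: header, leaving all other headers intact."""
    msg = message_from_string(raw)
    del msg["Received"]  # deletes all occurrences of the header
    return msg.as_string()


def header_after(raw_before):
    """Model the lab result: the gateway strips the chain, then ExtSRV
    records its own hop on receipt."""
    extsrv_hop = received_hops(raw_before)[0]
    return f"Received: {extsrv_hop}\n" + strip_received(raw_before)


def compare(before, after):
    """Summarise what the header manipulation removed and what still leaks."""
    kept = received_hops(after)
    removed = [hop for hop in received_hops(before) if hop not in kept]
    return {"removed_hops": removed, "still_leaking": hidden_hosts_seen(after)}


if __name__ == "__main__":
    print("before:", hidden_hosts_seen(HEADER_BEFORE))
    print("after: ", compare(HEADER_BEFORE, header_after(HEADER_BEFORE)))
```

To use it with the lab files, read Header_Before.txt and the new detailed header into strings and pass them to compare().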

LAB 5—Antivirus
In this lab, you will apply FortiMail’s local malware detection techniques to scan for viruses in inbound
email.

Objectives
• Configure an antivirus profile to enable local malware detection
• Configure an antivirus action profile to replace infected content from an email
• Apply antivirus scanning to inbound email
• Test antivirus functionality

Time to Complete
Estimated: 15 minutes

1 Antivirus Scanning for Malware Detection
In this exercise, you will configure an antivirus profile and an antivirus action profile on the IntGW
FortiMail. Then, you will apply the antivirus profile to a recipient-based policy in order to scan all inbound
email sent to the internal.lab domain.
You shouldn’t test your antivirus configuration using a live virus. By doing so, you risk infecting your
network’s hosts if your configuration is incorrect. To test your antivirus configuration without risk of
infecting your network, you will use an EICAR file.
An EICAR file doesn’t contain a real virus. It is a harmless, industry-standard test file that is designed to
trigger all antivirus engines for testing purposes. So, if your antivirus configuration is correct, FortiMail
should detect the EICAR file as a virus.

To configure an antivirus action profile


1. In Windows, open a new web browser. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin/
2. Log in as admin and leave the password field empty.
3. Click Profile > AntiVirus > Action.
4. Click New.
5. Add a new Action profile using the following values:

Field Value

Domain internal.lab

Profile name AV_Tag_Replace

Tag email’s subject line enabled

With value [VIRUS DETECTED]

Replace infected/suspicious body or attachments enabled

6. Click Create to save the profile.

Note: The action profile that you created doesn’t appear in the list. Why? The list view is
filtered by domain. If you want to show the new profile, change the selection in the
Domain drop-down list. Select internal.lab, to view the action profiles for that specific
domain, or select All to view the action profiles for all domains.

To configure an antivirus profile for local malware detection


1. Click Profile > AntiVirus > AntiVirus.
2. Click New.

3. Add a new antivirus profile using the following values:

Field Value

Domain: internal.lab

Profile name: AV_In

Default action AV_Tag_Replace

4. Keep the default values for the remaining settings.


5. Scroll down, and then click Create to save the profile.
6. From the Domain drop-down list, select internal.lab to see the new antivirus profile.

To configure a recipient policy to apply antivirus


1. Click Policy > Policies > Policies.
2. Select recipient policy ID 1, and then click Edit.
3. In the Profiles section, in the Antivirus drop-down list, select AV_In.
4. Click OK to save the recipient-based policy.

To send an infected email


1. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Compose a new email message using the following values:

Field Value

To: user1@internal.lab

Subject: AV EICAR Test

Message Body This contains a virus!

4. Click Attach.
5. Browse to and select:
Desktop\Resources\Files\eicar.com
6. Wait for the file upload to finish, and then click Send.

To verify AV functionality
1. In Windows, open Thunderbird.
2. Confirm that you received the email message sent from extuser@external.lab.
3. Note that the following actions have been applied to the email message:
• The subject line contains the [VIRUS DETECTED] tag
• The IntGW FortiMail replaced the EICAR file and inserted a replacement message

To monitor the logs


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Monitor > Log > History.
3. Double-click the active log file. The first entry in the History log should correspond to the virus
email.

4. Click the Session ID link to review the cross search result for more details.

LAB 6—Content Inspection
In this lab, you will configure a content filter to monitor email based on dictionary word scores. You will
also configure the data loss prevention (DLP) feature to detect and block any outbound email containing
credit card numbers.

Objectives
• Configure a dictionary profile to monitor words using scores
• Configure content profile monitoring and filtering to apply the dictionary profile
• Apply content filtering on all inbound email
• Configure DLP to detect credit card numbers in an email body and attachments
• Apply DLP on all outbound email

Time to Complete
Estimated: 40 minutes

1 Content Inspection
In this exercise, you will configure a content profile’s content monitoring and filtering options to scan for
specific pattern occurrences in inbound email. Then, you will configure the action to be applied after the
same word occurs three times in an email message.

To configure a dictionary profile


1. In Windows, open a web browser. Visit the IntGW FortiMail's management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Profile > Dictionary > Dictionary.
4. Click New.
5. Name the profile WordScores.
6. In the Dictionary Entries section, click New.
7. Configure the dictionary entry using the following values:

Field Value

Pattern: fortimail

Pattern type: Wildcard

8. Click Create to save the entry.


9. Click Create to save the dictionary profile.

Note: If Enable pattern maximum weight limit is disabled, the pattern can increase an
email’s dictionary match score by more than the amount configured in Pattern max
weight field.

To configure a content profile


1. Click Profile > Content > Content.
2. Click New.
3. Configure a new content profile using the following values:

Field Value

Domain System

Profile name CF_Dictionary

Direction Incoming

Action SysQuarantine_Inbound

4. Expand the Content Monitor and Filtering section.
5. Click New.
6. Configure the content monitor profile using the following values:

Field Value

Dictionary: WordScores

Minimum score: 3

7. Click Create to save the content monitor profile.


8. Click Create to save the content profile.

Note: Setting the Minimum score to 3 ensures that the action profile is applied only after
FortiMail has found three occurrences of the pattern in a single email message.

To apply content inspection to inbound email


1. Click Policy > Policies > Policies.
2. In Recipient Policies, select the incoming policy for internal.lab (that is, policy ID 1).
3. Click Edit.
4. In the Profiles section, change the content profile to CF_Dictionary.
5. Click OK.

To test the content profile


1. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Compose a new email message to user1@internal.lab.
4. Copy the contents of the following file, and paste it into the body of the email message:

Desktop\Resources\Files\messagebody.txt

FortiMail appliances provide high-performance email routing and
security by utilizing multiple high-accuracy antispam filters. As
part of the Fortinet Security Fabric, FortiMail prevents your
email systems from becoming threat delivery systems. FortiMail
can be deployed in the cloud or on premises and gateway,
inline and server modes in a range of appliance or virtual
machine form factors.
5. Click Send.

To review the logs


6. Visit the IntGW FortiMail's management GUI:
https://intgw.internal.lab/admin

7. Click Monitor > Log > History.
8. Double-click the active log file. The first entry in the History log should correspond to the virus
email. Notice the values for Classifier and Disposition.

9. Click the Session ID to retrieve the cross search results


10. Review the antispam log related to the session.

To access the system quarantine


1. Click AntiSpam > Quarantine > System Quarantine Settings.
2. In the Quarantine Folders section, select the Bulk folder, and then click Edit.
3. Add the admin account to the members.

4. Click OK to save the changes.


5. Apply the same change to the rest of the folders - Content, DLP, and Virus.
6. Click Apply.

7. Click Monitor > Quarantine > System Quarantine.
8. Double-click the Content mailbox. The quarantined email will appear here.

To perform a sanity check (optional)


1. Visit the ExtSRV webmail GUI:
https://extsrv.external.lab/
2. Compose a new email to user1@internal.lab.
3. Copy and paste the same message body, but remove one occurrence of the word “FortiMail”, and
then send the email message.
4. Open Thunderbird and verify that the email message was delivered to user1@internal.lab’s inbox.

2 Data Loss Prevention
In this exercise, you will configure a DLP profile and DLP action profile on the IntGW FortiMail. Then,
you will apply the DLP profile to a recipient-based policy, to scan all outbound email sent from the
internal.lab domain.

To enable the DLP feature


1. In Windows, open a web browser. Visit the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Monitor > System Status > Console.
4. Enable the DLP feature using the following CLI commands:

config system global
  set data-loss-prevention enable
end
5. Reload the IntGW FortiMail’s management GUI. When the GUI reloads, the Data Loss Prevention
menu item will appear.

Note: The DLP feature is disabled in entry-level FortiMail models (VM01, 60D, 200D)
because of performance considerations. You are enabling it to test the feature in a lab
environment. You shouldn’t enable the DLP feature in a production network on an entry-
level FortiMail.

To configure a DLP rule to scan for credit card numbers


1. Click Data Loss Prevention > Rule and Profile > Rule.
2. Click New to create a new message scan rule.

3. In the Name field, type ScanCreditCards

4. In the Conditions section, click New.

5. In the first Condition drop-down list, select Body and Attachment, and, in the second Condition
drop-down list, select contains sensitive data.

6. Click Edit, select the Credit_Card_Number data template, and then click OK.


7. Click Create to save the Scan Condition.

8. Verify that your Message Scan Rule matches the following screenshot, and then click Create to
save the rule.

To configure a DLP profile to apply the DLP rule and action profile
1. Click Data Loss Prevention > Rule and Profile > Profile.
2. Click New to create a new DLP profile.
3. In the Name field, enter DLP_Out.


4. Beside the Action drop-down list, click New.


5. Create a new action profile using the following values:

Field Value

Profile name: DLP_Out_Sys_Quar

System quarantine to folder: Enable

System quarantine to folder: Dlp

6. Click Create to save the action profile.

7. In the Content Scan Settings section, click New


8. In the Scan rule drop-down list, select ScanCreditCards, and then click Create to save the DLP
Content Scan Settings.

9. Verify that your DLP profile matches the following screenshot, and then click Create to save the
profile.

To apply DLP scanning for outbound email


1. Click Policy > Policies > Policies.
2. In the Recipient Policies section, in the Direction drop-down list, select Outgoing.
3. Click Create.
4. In the Profiles section, in the DLP drop-down list, select DLP_Out.
5. Click OK to save the changes.

Test DLP Functionality


1. In Windows, open Thunderbird.
2. Click Write to compose a new email message using the following values:

Field Value

To: extuser@external.lab

Subject: DLP Credit Card Test

Message Body DLP test email

3. Click Attach to select a file as an attachment.


4. Browse to and select:
Desktop\Resources\Files\sample.pdf
5. Click Send.

Note: The email message won’t be delivered to extuser@external.lab because the IntGW
FortiMail should detect the credit card numbers in the PDF file, and apply the system
quarantine action.
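
What a "Body and Attachment contains sensitive data" condition has to do can be sketched as follows. This is an added example and not the logic of FortiMail's Credit_Card_Number template, which this guide does not describe: it assumes candidates are 13 to 19 digits validated with the Luhn checksum, and it uses a constructed base64-encoded text attachment (sample.csv) in place of the lab's PDF, because PDF text extraction needs a separate library.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def card_numbers_in(text):
    """Return masked card numbers found in `text` (last four digits kept)."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):  # rejects order numbers, phone numbers, etc.
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def scan_message(raw_bytes):
    """Scan the decoded body and text attachments of a raw message.

    Returns {part label: [masked numbers]}. Each part is decoded first,
    because a base64-encoded attachment hides the digits from a scan of
    the raw message bytes.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = {}
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue  # binary formats (PDF, Office) need a text extractor
        label = part.get_filename() or "body"
        hits = card_numbers_in(part.get_content())
        if hits:
            findings[label] = hits
    return findings


def build_sample():
    """Constructed test message; 4111 1111 1111 1111 is a public test number."""
    msg = EmailMessage()
    msg["From"] = "user1@internal.lab"
    msg["To"] = "extuser@external.lab"
    msg["Subject"] = "DLP Credit Card Test"
    # A 16-digit order reference that fails the Luhn check.
    msg.set_content("DLP test email\nOrder reference 1234567890123456\n")
    msg.add_attachment(b"name,card\nTest User,4111 1111 1111 1111\n",
                       maintype="text", subtype="csv", filename="sample.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    print("digits visible in raw bytes:", b"4111" in raw)
    print("findings after decoding:   ", scan_message(raw))
```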

To review the logs


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Monitor > Log > History.
3. Double-click the active log file. The first entry in the history log should correspond to the email
message you just sent.

4. Click the Session ID link to retrieve the cross search results.


5. Review the antispam log related to the session

LAB 7—Antispam
In this lab, you will configure antispam scanning for both inbound and outbound email. Then, you will
verify your configuration by sending live spam through the IntGW FortiMail VM. You will also configure
quarantine report settings, and manage user quarantine.

Objectives
• Scan both incoming and outgoing email for spam
• Send spam email to user quarantine
• Manage quarantine report configuration
• Access and explore the user quarantine mailbox

Time to Complete
Estimated: 40 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file.

To restore the initial configuration files


1. In Windows, open a web browser. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Click Maintenance > System > Configuration. Upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 7\07_Initial_IntSRV.tgz


3. Click Restore.
4. Open a new web browser tab. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
5. Click Maintenance > System > Configuration. Upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 7\07_Initial_IntGW.cfg


6. Wait for the VMs to finish rebooting before proceeding with the exercise.

Note: The configuration files disable all session profile inspection features that can
potentially interfere with the antispam testing you will do in this lab.

1 Scan Incoming Email for Spam
In this exercise, you will verify the FortiGuard configuration. Then, you will configure an antispam profile
to scan all incoming email and send all spam email to the users’ personal quarantine accounts.

To verify FortiGuard configuration


1. In Windows, open a web browser. Visit the IntGW FortiMail's management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Maintenance > FortiGuard > Antispam.
4. In the FortiGuard Antispam Options section, configure the following values:

Field Value

Enable service: Enabled

Enable cache: Enabled

Cache TTL (Seconds) 300 (default)

5. Click Apply to save the changes.


6. To test the connectivity to FortiGuard, under FortiGuard Query set Query type to IP, then in
Query, enter an IP address, such as 8.8.8.8, and click Query.
7. Confirm that a Query result and Query score are returned, such as Score: 0, Not spam.

Note: If the Query result is No response, or if the antispam license status on Monitor >
System Status is Trial, then change the FortiGuard service port setting, click Apply, and
then test the connection again.

8. Click Maintenance > FortiGuard > Update.


9. Click Update Now.

To configure an antispam action profile


1. Click Profile > AntiSpam > Action.
2. Click New.
3. Configure a new action profile using the following values:

Field Value

Domain: internal.lab

Profile name: AS_In_User_Quar

Personal quarantine Enabled


Send quarantine report Enabled

Email release Enabled

Web release Enabled

Safelist sender of released message Disabled

4. Click Create.

To create an antispam profile


1. Click Profile > AntiSpam > AntiSpam.
2. Click New.
3. Configure a new antispam profile using the following values:

Field Value

Domain: internal.lab

Profile name: AS_In

Default action: AS_In_User_Quar

4. Click Create.
5. In the Domain drop-down list, select internal.lab
6. Select the AS_In antispam profile and click Edit.
7. Enable the following antispam techniques:
• FortiGuard
   ◦ IP Reputation
   ◦ Extract IP from Received Header
   ◦ URI filter: phishing
• DMARC check
• Behavior analysis
• Header analysis
• Heuristic
   ◦ The percentage of rules used: 100
• Suspicious newsletter
• Newsletter
8. Click OK to save the changes

To apply antispam scanning on all inbound email


1. Click Policy > Policies > Policies.
2. Select recipient policy ID 1, and then click Edit.
3. In the AntiSpam profile drop-down list, select AS_In, and then click OK to save the changes.

2 Testing the Antispam Configuration
To test your antispam settings, you will use a script named spamengine.pl on the Linux VM to send
spam to user1@internal.lab.

To send spam email from the Linux VM


1. In Windows, open PuTTY.
2. Double-click the preconfigured Linux session to open an SSH session to the Linux VM (10.0.1.254).
3. Log in as root using the password password.
4. Run the spam script by entering the following command:

./spamengine.pl -host 10.0.1.11 -mbox spam -recipient user1@internal.lab -sender spam@external.lab
5. Wait until the script sends a minimum of 40 email messages, and then press Ctrl + C to stop the
script.
6. Close the PuTTY window.

To verify the antispam configuration


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Monitor > System Status.
3. On the Statistics Summary widget, click the Maximize icon for a full window display.
4. The Statistics Summary opens in a separate tab so you can view the information more easily.
Here, you can see current information on the total number of email messages received, the
percentage of spam detected, and the type of antispam technique used to detect most of the spam.

5. Click Monitor > Log > History.


6. Double-click the active log file. You should see all the history logs associated with the spam
email.

7. Click the Session ID link of a history log entry, and review the related antispam log for the session.

3 User Quarantine Management
An email user can access their list of quarantined email messages using either POP3 or webmail. In this
exercise, you will access the user1@internal.lab quarantine mailbox on the IntGW FortiMail in the
webmail GUI. You will also configure quarantine report scheduling and generate an on-demand
quarantine report. Then, you will explore the options available in a quarantine report.

To access the personal quarantine


1. Open a new tab in the web browser. Visit the IntGW FortiMail’s webmail GUI:
https://intgw.internal.lab/
2. Log in as user1 using the password fortinet.
3. In the webmail interface of the gateway mode FortiMail, a user has access to the Bulk folder for
quarantined email messages only. You should see all the quarantined spam messages in the Bulk
folder.

4. Try releasing an email from the quarantine mailbox to the user’s inbox.
5. Try deleting a quarantined email.
6. Log out of the webmail interface after you’re finished.

To configure quarantine reports


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click AntiSpam > Quarantine > Quarantine Report.
3. In the Schedule section, enable the following days and times only:
• These hours: 9:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 17:00 18:00
• These days: Mon Tue Wed Thu Fri
4. In the Quarantine report template drop-down list, select default-with-icons.
5. Click Apply to save the changes.

Note: FortiMail auto-generates quarantine reports on schedule only for accounts that have
quarantined email. If a user’s quarantine account is empty, then no report is generated for
that account.

To generate quarantine reports on demand


1. Click Monitor > Quarantine > Personal Quarantine.
2. Select the user1@internal.lab mailbox.
3. Click Send quarantine report to > Selected users.
4. Click OK.

To view the quarantine report


1. In Windows, open Thunderbird.
2. Open the quarantine report. The subject should contain the words “Quarantine Summary”.
3. You can release or delete each quarantined email message using either web or email actions.

4. Try using the web delete action:

5. The end of the quarantine report contains options to delete all quarantined email messages
using either an email or a web action:

6. Select the web action to delete all of the quarantined email messages for user1@internal.lab.

3 Scan Outgoing Email for Spam
In this exercise, you will configure outbound antispam scanning on the IntGW FortiMail. Then, you will
test the configuration by sending an outbound email message containing a banned word.

To configure an outbound antispam profile


1. Visit the IntGW FortiMail's management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Profile > AntiSpam > AntiSpam.
4. Click New.
5. Configure a new antispam profile using the following values:

Field Value

Domain: System

Profile name: AS_Out

Direction: Outgoing

Default action: predefined_as_out_basic

Note: The predefined_as_out_basic action profile is a system default profile. It is
configured with the reject action.

6. Select the Banned word check box.


7. Click Configuration, and then add some words to include in your banned word list. For each word,
select whether FortiMail will scan the subject, body, or both, as follows:

8. Click OK to close the window.


9. Click Create to save the profile.

To apply antispam scanning on outbound email


1. Click Policy > Policies > Policies.

2. In the Recipient Policies section, in the Direction drop-down list, select Outgoing.
3. Select outgoing recipient policy ID 1, and then click Edit.
4. In the Profiles section, in the AntiSpam drop-down list, select AS_Out.
5. Click OK to save the changes.

To verify the antispam configuration


1. Open Thunderbird.
2. Send an email to extuser@external.lab that contains one of the banned words.
3. You should receive a Delivery Status Notification (DSN) message. Open the DSN and review the
transcript details.
Sample output:

An error occurred while sending mail. The mail server responded:

554 5.7.1 This email from IP 10.0.1.99 has been rejected. The email
message was detected as spam.
4. Visit the IntGW FortiMail's management GUI:
https://intgw.internal.lab/admin
5. Click Monitor > Log > History.
6. Double-click the active log file. The first entry in the History log should correspond to the rejected
email message.

7. Review the log and verify that the appropriate action was applied to the outbound email message.
8. Click the Session ID link to review the cross search result for more details.

LAB 8—Securing Communications
In this lab, you will implement SMTPS between the IntGW and IntSRV FortiMail VMs. You will also
configure content-inspection-based identity-based encryption (IBE) and verify your configuration by
sending a secure email.

Objectives
• Implement SMTPS between the IntGW and IntSRV FortiMail devices
• Implement content-inspection-based IBE
   o Configure the dictionary profile with the trigger word
   o Configure an encryption profile
   o Configure a content action profile to apply the encryption profile
   o Apply the dictionary profile and content action profile to a content profile
   o Apply the content profile to an outbound recipient-based policy
• Register an IBE user, and access the IBE email

Time to Complete
Estimated: 40 minutes

1 Implementing SMTPS
In this section, you will configure SMTPS between the IntGW and IntSRV FortiMail devices. You will
also compare logged details before and after implementing SMTPS.

To review logs
1. In Windows, open a web browser. Visit the ExtGW FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Send an email message to user1@internal.lab.
4. Open a new web browser tab. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
5. Log in as admin and leave the password field empty.
6. Click Monitor > Log > History.
7. Double-click the active log file. The first entry in the History log should correspond to the email you
just sent.

8. Click the Session ID to retrieve the cross search result, and then review the last two entries, which
contain details for the session between the IntGW and IntSRV FortiMail devices.

Note: By default, FortiMail uses SMTP over TLS if the recipient MTA supports it. In this
session, IntSRV is the recipient MTA.
By default, SMTP over TLS is enabled on FortiMail.

To configure SMTPS
1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Select internal.lab and click Edit.
4. Select the Use SMTPS check box.

5. Click OK to save the change.

To verify SMTPS
1. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Send another email to user1@internal.lab.
3. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
4. Click Monitor > Log > History.
5. Double-click the active log file. The first entry in the History log should correspond to the email
message you just sent.

6. Click the Session ID to retrieve the cross search result, and then review the last two entries, which
should indicate the switchover to SMTPS from STARTTLS.

Note: The underlying encryption mechanism for SMTPS and SMTP over TLS is the same.
Both protocols use SSL or TLS. In this case, the FortiMail devices negotiated TLSv1.2.
The difference exists in how and when that TLS encryption is applied.
When SMTP over TLS is used, the connection is made on the standard SMTP port, TCP
port 25. If the recipient MTA supports the STARTTLS extension, the sender chooses
whether SMTP over TLS is used by transmitting the STARTTLS message. This
STARTTLS request happens after the envelope exchange, and so, in SMTP over TLS,
only a portion of the session is encrypted.
When SMTPS is used, the client initiates the SMTP session with the server over a
fully encrypted tunnel using a separate port, TCP port 465. SMTPS encrypts the full session.
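
The following Python example, added here and not taken from the guide or from FortiMail, classifies each line of a constructed SMTP transcript as cleartext or TLS-protected for three cases: SMTP over TLS on port 25, a port 25 session where STARTTLS is never negotiated, and SMTPS on port 465. The transcripts, the reply texts in them, and the function names are assumptions; the command order follows RFC 3207, in which the client sends STARTTLS after its first EHLO.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SessionExposure:
    mode: str                                      # "smtps", "starttls" or "plaintext"
    cleartext: list = field(default_factory=list)  # lines visible on the wire
    encrypted: list = field(default_factory=list)  # lines sent inside TLS

    @property
    def envelope_exposed(self):
        """True if MAIL FROM / RCPT TO crossed the wire unencrypted."""
        return any(re.match(r"(MAIL FROM|RCPT TO):", line, re.I)
                   for line in self.cleartext)


def analyse(transcript, implicit_tls=False):
    """Split a transcript of (side, line) pairs into cleartext and encrypted parts.

    side is "C" (client) or "S" (server). implicit_tls=True models SMTPS,
    where the TLS handshake precedes the first SMTP byte.
    """
    result = SessionExposure(mode="smtps" if implicit_tls else "plaintext")
    tls_active = implicit_tls
    awaiting_reply = False        # client sent STARTTLS, server has not answered
    for side, line in transcript:
        (result.encrypted if tls_active else result.cleartext).append(line)
        if tls_active:
            continue
        if side == "C" and line.strip().upper() == "STARTTLS":
            awaiting_reply = True
        elif side == "S" and awaiting_reply:
            awaiting_reply = False
            if line.startswith("220"):   # only a 220 reply starts the handshake
                tls_active = True
                result.mode = "starttls"
    return result


def build_session(starttls_reply=None):
    """Constructed delivery from IntGW to IntSRV (sample data, not a lab capture).

    starttls_reply is the server's answer to STARTTLS, or None when the
    extension is not offered and the client never issues the command.
    """
    lines = [("S", "220 intsrv.internal.lab ESMTP Smtpd;"),
             ("C", "EHLO intgw.internal.lab"),
             ("S", "250-intsrv.internal.lab Hello")]
    if starttls_reply is not None:
        lines.append(("S", "250-STARTTLS"))
    lines.append(("S", "250 8BITMIME"))
    if starttls_reply is not None:
        lines += [("C", "STARTTLS"), ("S", starttls_reply)]
        if starttls_reply.startswith("220"):
            # After the handshake the client starts over with a new EHLO.
            lines += [("C", "EHLO intgw.internal.lab"),
                      ("S", "250 intsrv.internal.lab Hello")]
    lines += [("C", "MAIL FROM:<extuser@external.lab>"), ("S", "250 2.1.0 Ok"),
              ("C", "RCPT TO:<user1@internal.lab>"), ("S", "250 2.1.5 Ok"),
              ("C", "DATA"), ("S", "354 Go ahead"),
              ("C", "Subject: test"), ("C", "."), ("S", "250 2.0.0 Ok"),
              ("C", "QUIT"), ("S", "221 2.0.0 Bye")]
    return lines


if __name__ == "__main__":
    cases = {
        "SMTP over TLS, port 25": analyse(build_session("220 2.0.0 Ready to start TLS")),
        "STARTTLS not offered, port 25": analyse(build_session()),
        "SMTPS, port 465": analyse(build_session(), implicit_tls=True),
    }
    for name, r in cases.items():
        print(f"{name}: mode={r.mode} cleartext_lines={len(r.cleartext)} "
              f"envelope_exposed={r.envelope_exposed}")
```
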

2 Implementing Content-Inspection-Based IBE
In this exercise, you will configure content-inspection-based IBE. You will also verify your configuration
by sending an IBE email message and reviewing the logs.

To configure the IBE service


1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Encryption > IBE > IBE Encryption.
4. Configure the IBE Service settings using the following values:

Field Value

Enable IBE service Enabled

IBE service name: Internal Lab Secure Portal

Allow secure replying Enabled

Allow secure forwarding Enabled

Allow secure composing Enabled

IBE base URL: intgw.internal.lab

Send notification to sender when message is read Enabled

5. Click Apply to save the changes.

To configure a dictionary profile with the trigger word


1. Click Profile > Dictionary > Dictionary.
2. Click New.
3. Name the profile IBEDictionary
4. In the Dictionary Entries section, click New.
5. Configure the dictionary entry using the following values:

Field Value

Pattern: \[CONFIDENTIAL]

Pattern type: Wildcard

Search header Enabled

Search body Disabled

6. Click Create to save the dictionary entry.


7. Click Create to save the dictionary profile.

To configure an encryption profile for pull method delivery


1. Click Profile > Security > Encryption.
2. Select the IBE_Pull profile, and then click Edit.
3. In the Encryption algorithm drop-down list, select AES 256.
4. Click OK to save the changes.

To configure a content action profile to apply IBE encryption


1. Click Profile > Content > Action.
2. Click New.
3. Configure a new content action profile using the following values:

Field Value

Domain: System

Profile name: CF_IBE_Pull

Direction Outgoing

Encrypt with profile: Enabled, IBE_Pull

4. Click Create to save the profile.

To configure a content profile to apply IBE encryption based on dictionary match

1. Click Profile > Content > Content.
2. Click New.
3. Configure a new content profile using the following values:

Field Value

Domain: System

Profile name: CF_Out

Direction Outgoing

Action: CF_IBE_Pull

4. Expand the Content Monitor and Filtering section.


5. Click New.
6. In the Dictionary drop-down list, select the IBEDictionary profile.
7. Click Create to save the Content Monitor profile.
8. Click Create to save the Content profile.

To configure an outbound recipient policy to apply the content profile

1. Click Policy > Policies > Policies.
2. In the Recipient Policies section, in the Direction drop-down list, select Outgoing.
3. Double-click outgoing recipient policy ID 1.
4. In the Content drop-down list, select CF_Out.
5. Click OK to save the changes.

To send an IBE email


1. In Windows, open Thunderbird.
2. Click Write.
3. Compose a new email message using the following values:

Field Value

To: extuser@external.lab

Subject: [CONFIDENTIAL] Requires immediate attention

Message body: Did you leave the stove on?

4. Click Send.

To verify IBE operations using logs


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Monitor > Log > History.

3. Double-click the active log file. The first entry in the history log should correspond to the email you
just sent.

4. Click the Session ID link to retrieve the cross search results, and then review the AntiSpam and
Encryption logs related to the session.

2 Accessing IBE Emails
In this exercise, you will register a new IBE user. Then, you will log in to the secure portal to retrieve the
IBE email. You will also see the message read notification email messages that the sender will receive
after the IBE user has read the IBE email.

To register an IBE user


1. In Windows, open a new web browser. Visit the ExtGW FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Open the IBE notification email.

4. Click the link in the notification email to access the encrypted email.

5. Click Register.

6. Complete the registration form, and then click Register.


7. When the registration is complete, webmail should display a notification that the registration was
successful. Click Continue.

To access the IBE email


1. After registration, you will be returned to a login page. Type the password that you entered during
the registration process, and then click Open.

2. The secure portal displays the contents of the IBE email.

3. In the IBE Service configuration, you enabled secure replying. Reply to the IBE email message to
observe the behavior.

To access the message read notification


1. In Windows, open Thunderbird.
2. You should see a “message read” notification that was generated when extuser@external.lab read
the IBE email.

LAB 9—High Availability
In this lab, you will build an active-passive FortiMail HA cluster that has two FortiMail VMs. The cluster
will operate in server mode.
You will configure the IntSRV FortiMail (10.0.1.99) as the primary and the IntGW FortiMail (10.0.1.11)
as the secondary. You will verify the HA and configuration synchronization status, configure a virtual IP,
and use the HA service monitor to detect when the SMTP service connectivity fails on the primary
FortiMail.
The lab network DNS server has the following CNAME records to aid in identifying the two clustered
devices:

primary CNAME intsrv.internal.lab

secondary CNAME intgw.internal.lab

Objectives
• Configure a FortiMail HA group to synchronize their configuration and data
• Verify cluster health
• Configure HA virtual IP
• Configure remote services monitoring

Time to Complete
Estimated: 50 minutes

Prerequisites
Before beginning this lab, you must change the operation mode of the IntGW FortiMail.

To change the operation mode


1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI.
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Monitor > System Status > Status.
4. In the System information widget, in the Operation mode drop-down list, select Server.

5. The system will prompt you twice about most settings being reset to factory defaults. Click Yes in
both prompts.

6. Wait for the FortiMail to reboot.


7. The FortiMail will still have an IP address assigned to the port1 interface. So, after it finishes
rebooting, you should be able to access the management GUI again.
8. Log in to the management GUI, and then verify that the following system settings persisted:
• Interface (System > Network > Interface)
• Route (System > Network > Route)
• DNS (System > Network > DNS)
9. Verify the status of the following mail settings. The settings should have reset to factory default
values.
• Mail Server Settings (Mail Settings > Settings > Mail Server Settings)
• Domains (Mail Settings > Domains > Domains)
10. The IntGW FortiMail is ready to be configured as a secondary device in the cluster.

Caution: When doing the lab exercises, ensure you are applying the configuration
changes to the correct FortiMail VM.
If at any point you wish to reset the configuration state for the FortiMail VMs, you can
restore the following configuration files:
IntGW: Desktop\Resources\Starting Configs\Lab 9\09_Reset_IntGW.tgz
IntSRV: Desktop\Resources\Starting Configs\Lab 9\09_Reset_InSRV.tgz
Always restore the secondary unit first, and then the primary. The configuration files will
restore the VMs to the standalone states they were in at the end of the Securing
Communications lab.

1 Configure the Primary FortiMail
In this exercise, you will configure the mail server settings on the primary FortiMail. Then, you will
configure the HA settings.

To configure mail server settings on the primary device


1. In Windows, open a web browser. Visit the primary FortiMail's management GUI:
https://primary.internal.lab/admin
Ignore any security warnings generated by your browser. These relate to the CN field and the signer
of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. Click Mail Settings > Settings > Mail Server Settings.
4. Change the Host name field to primary, and then click Apply to save the change.

To configure HA on the primary device


1. Click System > High Availability > Configuration, and then configure the following values:

Field Value

Mode of operation: master

On failure: wait for recovery then restore slave role

Shared password: fortinet

2. Expand the Backup options section, and then configure the following values:

Field Value

Backup mail data directories Enabled

Backup MTA queue directories Enabled

3. Click Apply.
4. In the Interface section, double-click port1 and configure the following settings:

Field Value

Enable port monitor: Enabled

Heartbeat status: Primary

Peer IP address: 10.0.1.11

5. Click OK to save the HA interface configuration.

2 Configure the Secondary FortiMail
In this exercise, you will configure the mail server settings on the secondary FortiMail because they are
not synchronized. Then, you will configure the HA settings, and verify that the cluster has formed.

To configure mail server settings on the secondary device


1. Open a new tab in the web browser. Visit the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin
Ignore any security warnings generated by your browser. These relate to the CN field and the signer
of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. Click Mail Settings > Settings > Mail Server Settings.
4. Configure the following values:

Field Value

Hostname: secondary

Local domain name: internal.lab

5. Click Apply.

To configure HA on the secondary device


1. Click System > High Availability > Configuration.
2. Configure the following values:

Field Value

Mode of operation: slave

On failure: wait for recovery then restore slave role

Shared password: fortinet

3. Expand the Backup options section, and then configure the following values:

Field Value

Backup mail data directories Enabled

Backup MTA queue directories Enabled

4. Click Apply.
5. In the Interface section, double-click port1.
6. Configure the following values:

Field Value

Enable port monitor: Enabled

Heartbeat status: Primary

Peer IP address: 10.0.1.99

7. Click OK to save the HA interface configuration.


8. Click System > High Availability > Status.
9. Click Refresh to update the Daemon status.

Note: As soon as the two devices join in a cluster and complete synchronization, the
secondary device’s management GUI session will time out and return you to the login
prompt. This process may take a few minutes.

3 Verify Cluster Health
In this exercise, you will verify the HA and configuration synchronization status.

To verify the HA status


1. Visit the primary FortiMail's management GUI:
https://primary.internal.lab/admin
2. Click Monitor > System Status > Status.
3. In the System Information Widget, verify that the HA mode values are Configured: master,
Effective: master

4. You can find the same information in System > High Availability > Status.

5. Visit the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin
6. Verify the HA status of the secondary FortiMail.

To verify configuration synchronization status


1. On the secondary FortiMail, verify Domains (Mail Settings > Domains > Domains), Users (User >
User > User), and LDAP (Profile > LDAP > LDAP). These are configuration elements that should
have been synchronized from the primary FortiMail.
2. Visit the primary FortiMail’s management GUI:
https://primary.internal.lab/admin
3. Click Policy > Policies > Policies.
4. In the Recipient Policies section, click New.
5. Don’t change any values. Click Create.
6. Visit the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin

7. Click Policy > Policies > Policies, and then verify that the new policy has synchronized with the
secondary device.

To verify configuration synchronization status (alternate method)

1. Visit the primary FortiMail’s management GUI:
https://primary.internal.lab/admin
2. Click Monitor > System Status > Console.
3. In the Console widget, type the following command:

# diagnose system ha showcsum


4. The console outputs the HA checksum for the primary device.
5. Open a new web browser tab, and visit the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin
6. Click Monitor > System Status > Console.
7. In the Console widget, type the following command:

# diagnose system ha showcsum


8. The console outputs the HA checksum for the secondary device.
9. Compare the checksum values of the two devices. If they match, then their configurations are in
sync.

4 Configure HA Virtual IP
In this exercise, you will configure a virtual IP for the HA cluster. You will also verify the virtual IP
function by forcing a failover.

To configure a virtual IP on the primary device


1. Visit the primary FortiMail’s management GUI:
https://primary.internal.lab/admin
2. Click System > High Availability > Configuration.
3. In the Interface section, double-click port1.
4. Configure the following values:

Field Value

Virtual IP action: Use

Virtual IP address: 10.0.1.100/24

5. Click OK to save the HA interface configuration.

To configure a virtual IP on the secondary device


1. Visit the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin
2. Click System > High Availability > Configuration.
3. In the Interface section, double-click port1.
4. Configure the following values:

Field Value

Virtual IP action: Use

Virtual IP address: 10.0.1.100/24

5. Click OK to save the HA interface configuration.

To verify the virtual IP configuration


1. Open a new web browser tab. Use the virtual IP to access the management GUI:
https://10.0.1.100/admin
Ignore any security warnings generated by your browser. These relate to the CN field and the
signer of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. Click Mail Settings > Settings > Mail Server Settings.

4. Verify the host name of the current cluster device that owns the virtual IP. It should be primary.

5. In Windows, open a command prompt window.


6. Initiate a telnet command to start an SMTP session to the virtual IP:

telnet 10.0.1.100 25
7. You should be presented with the following banner, which belongs to the primary device:

220 primary.internal.lab ESMTP Smtpd;

To failover to the secondary device


1. Visit the cluster management GUI:
https://10.0.1.100/admin
2. Click System > High Availability > Status.
3. In the Actions section, click the "click HERE to switch to SLAVE mode" link.
4. The system prompts you to verify this action. Click Yes. This forces a failover to the secondary
device.
5. Wait a few seconds, and then reload the management GUI. You should be returned to the login
prompt.
6. Log in as admin and leave the password field empty.

To verify the virtual IP after failover


1. Click Mail Settings > Settings > Mail Server Settings.
2. Verify the hostname of the current cluster device that owns the virtual IP. It should be
secondary.

3. In Windows, open a command prompt window.


4. Initiate a telnet command to start an SMTP session to the virtual IP:

telnet 10.0.1.100 25
5. The following banner, which belongs to the secondary device, should appear:

220 secondary.internal.lab ESMTP Smtpd;


6. Close the command prompt window.

To restore the cluster


1. Visit the cluster management GUI:
https://10.0.1.100/admin
2. Click System > High Availability > Status.
3. In the Actions section, click the "click HERE to restore configured operating mode" link.
4. The system prompts you to verify your action. Click Yes. This forces a failover to the primary device.
5. Wait a few seconds, and then reload the management GUI. You should be returned to the login
prompt.
6. Log in as admin and leave the password field empty.
7. Click Mail Settings > Settings > Mail Server Settings.
8. Verify that the primary FortiMail was restored to the master role.

5 Remote Services Monitoring
In addition to hardware failure, it’s often useful for cluster devices to monitor the network connectivity
and services of each other. This ensures a failover occurs if any of these services experience an outage.
In this exercise, you will configure remote SMTP service monitoring on both cluster devices. Then, you
will trigger a service-based failover to verify the configuration, and then verify the failover using event
logs.

To configure service monitoring on the primary device


1. Visit the primary FortiMail’s management GUI:
https://primary.internal.lab/admin
2. Click System > High Availability > Configuration.
3. In the Service Monitor section, double-click Remote SMTP.
4. Configure the following values:

Field Value

Enable Enabled

Remote IP: 10.0.1.11

Timeout: 10

Interval: 30

Retries: 2

Note: For the purposes of this lab, you are reducing the time values to their lowest
configurable value to speed things up. In a live production environment, the default values
are a good place to start. You can fine tune them as you discover what kind of outage
your email network can tolerate.
Using this procedure, you configured the secondary device to test the primary device’s
port 25 connectivity every 30 seconds (Interval). If a connection attempt times out for 10
seconds (Timeout), it is considered a failure. Two (Retries) failures must occur before the
secondary device forces a failover.

5. Click OK to save the changes.

To configure service monitoring on the secondary device


1. Visit the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin
2. Click System > High Availability > Configuration.
3. In the Service Monitor section, double-click Remote SMTP.
4. Configure the following values:

Field Value

Enable Enabled

Remote IP: 10.0.1.99

Timeout: 10

Interval: 30

Retries: 2

5. Click OK to save the changes.

To trigger a service-based failover


1. Visit the primary FortiMail’s management GUI:
https://primary.internal.lab/admin
2. Click Mail Settings > Settings > Mail Server Settings.
3. Change the SMTP server port number value to 125.
4. Click Apply.

Note: Using this procedure, you changed the SMTP service port on the primary FortiMail
to port 125. Because of this change, the secondary FortiMail can no longer detect SMTP
services on port 25 and should trigger a failover based on remote service failure.
You must wait a few minutes for the secondary device to go through the service
monitoring check schedule before a failover is triggered.
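
The check described in the notes above (connect to port 25 on the peer, wait up to Timeout seconds for a greeting, fail over after Retries failed checks) can be expressed in Python as follows. This is an added example, not FortiMail's implementation: the class and function names are hypothetical, the scripted probe results are constructed, and counting only consecutive failures is an assumption the guide does not confirm.

```python
import re
import socket
import time
from dataclasses import dataclass


@dataclass
class MonitorConfig:
    remote_ip: str
    port: int = 25
    timeout: float = 10.0    # seconds to wait for the peer's greeting
    interval: float = 30.0   # seconds between checks
    retries: int = 2         # failed checks required before failover


def probe_smtp(host, port, timeout):
    """Return the host name from a 220 greeting, or None if the check fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with sock.makefile("rb") as stream:
                greeting = stream.readline(512).decode("ascii", "replace")
    except OSError:          # refused, unreachable or timed out
        return None
    match = re.match(r"220[ -](\S+)", greeting)
    return match.group(1) if match else None


class ServiceMonitor:
    """Counts failed checks and reports when the failover threshold is met.

    Assumption: only consecutive failures count, so one good check resets
    the counter. The guide does not state how FortiMail counts them.
    """

    def __init__(self, config, probe=probe_smtp):
        self.config = config
        self.probe = probe
        self.failures = 0

    def check(self):
        cfg = self.config
        banner = self.probe(cfg.remote_ip, cfg.port, cfg.timeout)
        if banner is not None:
            self.failures = 0
            return "ok", banner
        self.failures += 1
        state = "failover" if self.failures >= cfg.retries else "failed"
        return state, None


def watch(monitor, max_checks, sleep=time.sleep):
    """Check every `interval` seconds until failover or max_checks; return states."""
    states = []
    for _ in range(max_checks):
        state, _banner = monitor.check()
        states.append(state)
        if state == "failover":
            break
        sleep(monitor.config.interval)
    return states


if __name__ == "__main__":
    # Constructed scenario: the primary answers once on port 25, then its
    # SMTP port is moved to 125 and every later check on port 25 fails.
    results = iter(["primary.internal.lab", None, None])
    monitor = ServiceMonitor(MonitorConfig("10.0.1.99"),
                             probe=lambda host, port, timeout: next(results))
    print(watch(monitor, max_checks=3, sleep=lambda seconds: None))
```

Passing `probe_smtp` (the default) instead of the scripted probe runs the same logic against a live listener, and the returned banner host name shows which cluster member answered.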

To verify service-based failover


1. Visit the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin
2. Click Monitor > Log > Event.
3. Double-click the active log file.
4. In the Sub type drop-down list, select HA, and keep clicking the refresh icon to see the latest logs
related to HA events.

5. Event logs related to the remote SMTP service should show up when the secondary device detects
failure for the first time.

6. After the second detection, the secondary device takes over as the active member.

7. Click Monitor > System Status > Status.


8. In the System Information Widget, verify that the HA mode values are Configured: slave,
Effective: master.

9. Visit the primary FortiMail’s management GUI:
https://primary.internal.lab/admin
10. Click Monitor > System Status > Status.
11. In the System Information Widget, verify that the HA mode values are Configured: slave,
Effective: failed.

To restore the cluster


1. Visit the primary FortiMail’s management GUI:
https://primary.internal.lab/admin
2. Click Mail Settings > Settings > Mail Server Settings.
3. Change the SMTP server port number value back to 25.
4. Click Apply.
5. Click System > High Availability > Status.
6. In the Actions section, click the "click HERE to restart the HA system" link.
7. The system prompts you to confirm your action. Click Yes.
8. Click Refresh. The primary FortiMail reverts to the master role.
9. Click Monitor > Log > Event.
10. Double-click the active log file.
11. In the Sub type drop-down list, select HA.
12. Review the log messages related to the HA events:

LAB 10—Server Mode
In this lab, you will configure server mode resource profiles, and see their effect on user resource
allocation. You will also populate the global address book from the LDAP server.

Objectives
 Configure resource profiles
 Configure LDAP mapping to import a domain address book

Time to Complete
Estimated: 40 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file.

To restore the initial configuration files


1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Maintenance > System > Configuration. Upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 10\10_Initial_IntGW.tgz


4. Click Restore.
5. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
6. Log in as admin and leave the password field empty.
7. Click Maintenance > System > Configuration. Upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 10\10_Initial_IntSRV.cfg


8. Wait for the VMs to finish rebooting before proceeding with the exercise.

Note: The configuration files will restore the devices to the standalone states they were
in before you completed the High Availability lab.

1 Configure Resource Profiles
In this exercise you will review the IntSRV FortiMail’s existing configuration. Then, you will configure
resource profiles, and observe their effects on resource allocation for email users.

To review the server mode FortiMail configuration


1. In Windows, open a web browser. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
2. Log in as user1 using the password fortinet.
3. Scroll to the bottom and find the Disk Usage value for user1.

Note: If there are no resource profiles or domain level service settings configured, there is
a system default 500 MB disk limit for each user mailbox.

4. Click the Address Book icon and find the address books user1 has access to.

Note: If there are no resource profiles configured, server mode users have access to
their personal address book only.

To configure a resource profile


1. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Click Profile > Resource > Resource.
3. Click New.
4. Create a new resource profile using the following values:

Field Value

Domain internal.lab

Profile name: PowerUsers

Disk quota (MB): 2000

Domain address book Enabled

5. Click Create to save the profile.


6. Click New again.
7. Create another resource profile using the following values:

Field Value

Domain internal.lab

Profile name: RegularUsers

Disk quota (MB): 1000

8. Click Create to save the profile.

To apply the resource profile to a recipient policy


1. Click Policy > Policies > Policies.
2. In the Recipient Policies section, click New.
3. Create a new recipient policy using the following values:

Field Value

Recipient Pattern user1

Resource: PowerUsers

4. Click Create to save the policy.


5. Click New again.
6. Create another recipient policy using the following values:

Field Value

Recipient Pattern user2

Resource: RegularUsers

7. Click Create to save the policy.


8. The following two recipient policies should appear:


Note: For larger deployments that have different levels of resource allocation
requirements, you can create recipient policies for local or LDAP groups, and assign
resource profiles using separate recipient policies.

To verify the resource profile configuration


1. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
2. Log in as user1 using the password fortinet. If you were already logged in, you must log out
and log back in for the resource profile changes to apply.
3. Verify user1 has the disk quota and address book access as defined in the PowerUsers resource
profile.
4. Log out of user1’s account.
5. Log in as user2 using the password fortinet.
6. Verify user2 has the disk quota and address book access as defined by the RegularUsers resource
profile.

2 Address Book LDAP Import
In this exercise, you will review the existing LDAP profile you configured in Lab 3 - Authentication. Then,
you will configure an LDAP mapping profile, and use the LDAP profile to import contacts into the domain
address book.

To review the existing LDAP profile


1. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Click Profile > LDAP > LDAP.
3. Double-click the InternalLabLDAP profile.
4. Verify that the profile configuration matches the following screenshot:

Note: When the LDAP mapping profile uses the existing LDAP profile to import contacts,
it starts from the Base DN. To ensure the LDAP mapping profile doesn’t import Active
Directory system accounts, configure the Base DN to point to the location of the user
accounts.

To configure an LDAP mapping profile


1. Click Mail Settings > Address Book > LDAP Mapping.
2. Click New.
3. Create a new mapping profile using the following values. To add new contact fields, click Add.

Field Value

Mapping name: InternalLabMapping

Email* mail

Display name cn

First name givenName

Last name sn

Title title

Department department

Company name company

Note: To review how to find LDAP attributes of Active Directory objects, you can refer to
the LDAP Operations exercise in Lab 3 – Authentication.

4. The profile should match the following screenshot:

5. Click Create to save the profile.

To import contacts from LDAP


1. Click Mail Settings > Address Book > Contacts.
2. In the Domain drop-down list, select internal.lab.
3. In the Import drop-down list, select LDAP.
4. Configure the following values:

Field Value

Select LDAP profile: InternalLabLDAP

Select LDAP mapping: InternalLabMapping

Overwrite existing contacts Enabled

Delete nonexistent contacts Enabled

5. Click OK.
6. The system notifies you that LDAP synchronization is running. Click OK.

7. Click the refresh icon.

8. You should see all the users that were imported from the Training Users OU in the internal.lab
address book.

To verify the domain address book


1. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
2. Log in as user1 using the password fortinet.

3. In the address book, verify that the domain address book contains the imported contacts.

LAB 11—Transparent Mode
In this lab, you will configure the transparent mode FortiMail to process bidirectional email for the
external.lab domain using the built-in MTA. You will also configure and verify bidirectional transparency.

Objectives
• Configure a transparent mode FortiMail to process bidirectional email
• Verify built-in MTA functionality
• Configure bidirectional transparency

Time to Complete
Estimated: 50 minutes

1 Configuring a Transparent Mode FortiMail
In this exercise, you will review the initial system configuration and the topology for the ExtTP FortiMail
VM. Then, you will perform the rest of the basic configuration tasks required to establish bidirectional
email flow. You will also verify built-in MTA functionality using logs.

To review the initial system configuration


1. In Windows, open a web browser. Visit the ExtTP FortiMail’s management GUI:
https://exttp.external.lab/admin
Ignore any security warnings generated by your browser. These relate to the CN field and the signer
of the self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. On the System Status page, in the System Information widget, verify that the Operation mode is
set to Transparent.

4. Click System > Network > Interface.


5. Verify the following:
• port1/Management IP is configured using the IP address 10.200.1.98/24
• All interfaces are members of the built-in bridge
• port3 and port4 are administratively down

6. Click System > Network > Routing.


7. Verify that there is a default route configured through port1.


To review the topology


1. Review the topology below and make note of the following:
• ExtSRV FortiMail is directly connected to ExtTP FortiMail’s bridge-member interface port2

To configure connection pickup


1. Visit the ExtTP FortiMail’s management GUI:
https://exttp.external.lab/admin
2. Click System > Network > Interface.
3. Double-click port1/Management IP.
4. Verify that the SMTP Proxy configuration has the following values:

Field Value

Incoming connections: Proxy

Outgoing connections: Pass through

Local connections: Allow

5. Click OK.
6. Double-click port2.
7. Configure the following SMTP Proxy values:

Field Value

Incoming connections: Pass through

Outgoing connections: Proxy

Local connections: Disallow

8. Click OK to save the changes.

Note: Because port1 is the closest interface to the source for all inbound email, port1’s
incoming connections are proxied. Port2 is the closest interface to the source for all
outbound email, so port2’s outbound connections are proxied.

To configure the system settings


1. Click System > Network > DNS.
2. Configure the following DNS servers:

Field Value

Primary DNS server 10.200.1.254

Secondary DNS server 0.0.0.0

3. Click Apply to save the changes.

To configure the mail settings


1. Click Mail Settings > Settings > Mail Server Settings.
2. Configure the following values for the Local Host:

Field Value

Host name: ExtTP

Local domain name: external.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains.
5. Click New to add a protected domain using the following values:

Field Value

Domain name: external.lab

SMTP server: 10.200.1.99

6. Expand Transparent Mode Options.


7. In the This server is on drop-down list, select port2.
8. Keep the default values for the remaining settings, and then click Create.

To configure an access receive rule for outbound email


1. Click Policy > Access Control > Receiving.
2. Click New.
3. Create a new access receive rule using the following values:

Field Value

Sender pattern: User Defined, *@external.lab

Sender IP/netmask: User Defined, 10.200.1.99/32

Action: Relay

4. Click Create to save the rule.

To verify built-in MTA functionality


1. In Windows, open Thunderbird.
2. Click Write.
3. Compose a new email message using the following values:

Field Value

To: extuser@external.lab

Subject: Testing Transparent Mode

Message Body: Will this work?

4. Click Send.
5. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
6. Log in as extuser using the password fortinet.
7. Verify that the email message was delivered.
8. Reply to the email message.
9. In Thunderbird, verify that the reply was received.
10. Visit the ExtTP FortiMail’s management GUI:
https://exttp.external.lab/admin
11. Click Monitor > Log > History.
12. Double-click the active log file. The first two entries in the History log should correspond to the
two email messages that FortiMail just processed.


13. View the details for each log, and review the Direction and Mailer fields.

Note: FortiMail is using its built-in MTA to route email in both directions. In the Mailer field,
the mta value shows this.

2 Configuring Bidirectional Transparency
You have verified that the ExtTP FortiMail is picking up email in both directions and using the built-in
MTA to route email to its intended destination successfully.
In this exercise, you will examine email headers to investigate the transparency of ExtTP FortiMail’s
email processing. Then, you will configure transparency for both incoming and outgoing email.

To examine outgoing email headers


1. In Windows, open Thunderbird.
2. Open the last email user1 received from extuser.
3. Click More > View Source.
4. Review the Received: headers:
Received: from IntGW.internal.lab ([10.0.1.11])
    by IntSRV.internal.lab with ESMTP id v29HESsx001946-v29HESt0001946

Received: from ExtTP.external.lab ([10.200.1.98])
    by IntGW.internal.lab with ESMTP id v29HESm1001931-v29HESm3001931

Received: from extsrv.external.lab ([10.200.1.99])
    by ExtTP.external.lab with ESMTP id v29HERuL002360-v29HERuN002360

Received: from [10.0.1.10] ([127.0.0.1])
    by extsrv.external.lab with ESMTP id v29HER6G001960-v29HER6H001960

To examine incoming email headers


1. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Open the last email extuser received from user1.
3. Click More > Detailed Header.
4. Review the Received: headers:
Received: from ExtTP.external.lab ([10.200.1.98])
    by extsrv.external.lab with ESMTP id v29HEDnS001931-v29HEDnU00193

Received: from IntGW.internal.lab ([10.0.1.11])
    by ExtTP.external.lab with ESMTP id v29HEDhs002345-v29HEDhu002345

Note: You should see that the transparent mode FortiMail is not really transparent in the
email headers.

To configure inbound transparency
1. Visit the ExtTP FortiMail’s management GUI:
https://exttp.external.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Double-click the external.lab domain.
4. Expand the Transparent Mode Options section.
5. Select the Hide this transparent box check box.
6. Click OK to save the changes.

To configure outbound transparency


1. Click Policy > Policies > Policies.
2. In the IP Policies section, click the Inbound_Session link. This session profile is applied to IP
policy ID 1, which is currently processing all email.
3. In the Connection Settings section, select the Hide this box from the mail server check box.
4. Click OK.

To verify inbound transparency


1. In Thunderbird, send a new email message to extuser@external.lab.
2. Visit the ExtSRV FortiMail’s webmail GUI:
http://extsrv.external.lab/
3. Open the email message you just sent.
4. Click More > Detailed Header.
5. Review the Received: headers.
Received: from IntGW.internal.lab ([10.0.1.11])
    by extsrv.external.lab with ESMTP id v29IUVNd002175-v29IUVNf002175

Note: The ExtTP FortiMail no longer appears in the inbound email headers.

To verify outbound transparency


1. Visit the ExtSRV FortiMail’s webmail GUI:
http://extsrv.external.lab/
2. Send a new email message to user1@internal.lab.
3. In Thunderbird, open the email message you just sent.
4. Click More > View Source.
5. Review the Received: headers:
Received: from IntGW.internal.lab ([10.0.1.11])
    by IntSRV.internal.lab with ESMTP id v29IgrVu001966-XXXXXXX

Received: from ExtTP.external.lab ([10.200.1.99])
    by IntGW.internal.lab with ESMTP id v29IgrJV001947-XXXXXXX

Received: from [10.0.1.10] ([127.0.0.1])
    by extsrv.external.lab with ESMTP id v29IgqvA00221-XXXXXXX

Note: While the header is now showing the IP address of the ExtSRV FortiMail
(10.200.1.99), the hostname still shows ExtTP.external.lab. This is because the
ExtTP FortiMail uses its own hostname in the SMTP greeting. There is one more
configuration change you must make to prevent this.

To configure SMTP greeting rewrite


1. Visit the ExtTP FortiMail’s management GUI:
https://exttp.external.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Double-click the external.lab domain.
4. Click Advanced Settings > SMTP Greeting (EHLO/HELO) Name (As Client).
5. Select Use other name, and then enter ExtSRV.external.lab.

6. Click OK to save the changes.

To verify outbound transparency


1. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Send an email message to user1@internal.lab.
3. In Thunderbird, open the new email message.
4. Click More > View Source.

5. Review the Received: headers. The ExtTP FortiMail should no longer appear in the headers:
Received: from IntGW.internal.lab ([10.0.1.11])
    by IntSRV.internal.lab with ESMTP id v29MUF0s001921-v29MUF0t001921

Received: from ExtSRV.external.lab ([10.200.1.99])
    by IntGW.internal.lab with ESMTP id v29MUEdn001911-v29MUEdp001911

Received: from [10.0.1.10] ([127.0.0.1])
    by extsrv.external.lab with ESMTP id v29MUExs002184-v29MUExt002184
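
The outbound captures in this exercise differ only in where ExtTP still shows up: as the HELO name, as the peer IP, or as the receiving host. The following added example (not part of the lab guide) parses Received: headers in the form shown in this lab and reports each of those three traces. The function names are illustrative, the header lines are copied from the lab captures, and the Subject line and body wrapped around them are constructed.

```python
import re
from email import message_from_string

# One hop in the form this lab's headers use:
#   from <HELO name> ([<peer IP>]) by <receiving host> with ESMTP id ...
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)", re.I)


def wrap(received_block):
    """Turn header lines into a parseable message (Subject/body are constructed)."""
    return received_block + "Subject: constructed sample\n\nbody\n"


# Outbound mail before any transparency setting (headers from the lab).
BEFORE = wrap(
    "Received: from IntGW.internal.lab ([10.0.1.11])\n"
    " by IntSRV.internal.lab with ESMTP id v29HESsx001946-v29HESt0001946\n"
    "Received: from ExtTP.external.lab ([10.200.1.98])\n"
    " by IntGW.internal.lab with ESMTP id v29HESm1001931-v29HESm3001931\n"
    "Received: from extsrv.external.lab ([10.200.1.99])\n"
    " by ExtTP.external.lab with ESMTP id v29HERuL002360-v29HERuN002360\n"
    "Received: from [10.0.1.10] ([127.0.0.1])\n"
    " by extsrv.external.lab with ESMTP id v29HER6G001960-v29HER6H001960\n"
)

# After "Hide this box from the mail server", before the greeting rewrite.
BOX_HIDDEN = wrap(
    "Received: from IntGW.internal.lab ([10.0.1.11])\n"
    " by IntSRV.internal.lab with ESMTP id v29IgrVu001966-XXXXXXX\n"
    "Received: from ExtTP.external.lab ([10.200.1.99])\n"
    " by IntGW.internal.lab with ESMTP id v29IgrJV001947-XXXXXXX\n"
    "Received: from [10.0.1.10] ([127.0.0.1])\n"
    " by extsrv.external.lab with ESMTP id v29IgqvA00221-XXXXXXX\n"
)

# After the SMTP greeting rewrite.
GREETING_REWRITTEN = wrap(
    "Received: from IntGW.internal.lab ([10.0.1.11])\n"
    " by IntSRV.internal.lab with ESMTP id v29MUF0s001921-v29MUF0t001921\n"
    "Received: from ExtSRV.external.lab ([10.200.1.99])\n"
    " by IntGW.internal.lab with ESMTP id v29MUEdn001911-v29MUEdp001911\n"
    "Received: from [10.0.1.10] ([127.0.0.1])\n"
    " by extsrv.external.lab with ESMTP id v29MUExs002184-v29MUExt002184\n"
)


def parse_hops(raw_message):
    """Return [(helo_name, peer_ip, by_host), ...], newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # join folded continuation lines
        match = HOP_RE.search(unfolded)
        if match:
            hops.append(match.groups())
    return hops


def find_traces(raw_message, box_name, box_ip):
    """List (hop_index, kind) for every place the transparent box is visible.

    kind is "helo" (name announced in the SMTP greeting), "ip" (peer address
    seen by the next hop) or "by" (the box stamped its own Received header).
    """
    name = box_name.lower()
    traces = []
    for index, (helo, ip, by_host) in enumerate(parse_hops(raw_message)):
        if helo.lower() == name:
            traces.append((index, "helo"))
        if ip == box_ip:
            traces.append((index, "ip"))
        if by_host.lower() == name:
            traces.append((index, "by"))
    return traces


if __name__ == "__main__":
    samples = [("before", BEFORE), ("box hidden", BOX_HIDDEN),
               ("greeting rewritten", GREETING_REWRITTEN)]
    for label, sample in samples:
        traces = find_traces(sample, "ExtTP.external.lab", "10.200.1.98")
        print(f"{label}: {traces or 'no trace of ExtTP'}")
```

The middle sample is the case the note describes: the peer IP already belongs to ExtSRV, but the HELO name still identifies ExtTP until the greeting is rewritten.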

LAB 12—Maintenance
In this lab, you will configure and generate a local report, monitor system resource use, and perform
local storage management.

Objectives
• Configure and generate a local report
• Monitor historical and real-time system resource use
• Partition a disk to allocate more space to the log disk

Time to Complete
Estimated: 25 minutes

1 Configure and Generate Local Reports
In this exercise, you will configure a local report to query the IntGW FortiMail’s mail filtering statistics.
Then, you will generate an on-demand report and review the statistics.

To configure a local report


1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Log and Report > Report Settings > Configuration.
4. Click New.
5. Create a new report configuration using the following values:

Field Value

Report name: IntGWReport

Time Period This week

6. Expand the Query Selection section.


7. Expand the Mail Filtering Statistics query, and enable the following queries:
• Mail Category by Date
• Non-Spam Classifier by Date
• Spam Classifier by Date
• Virus Classifier by Date
8. In the Domain section, add the internal.lab domain.
9. Click Create to save the report configuration.

Note: In a production FortiMail, you should also configure scheduling and add a
notification email so that the report is automatically generated and sent to you by email.
The scheduled reporting will help keep you up-to-date on the email trends of your
network.

To generate an on-demand report


1. Click Log and Report > Report Settings > Configuration.
2. Select the IntGWReport entry, and click Generate.
3. FortiMail generates the following notification:


4. Click OK.

To view the local report


1. Click Monitor > Report > Report.
2. Expand the report file entry.

3. Double-click the html file.

4. The report opens in a separate web browser tab. Use the menu on the left to navigate and review
the data.

2 Monitoring System Resource Use
In this exercise, you will view the historical and real-time resources used by the IntGW FortiMail.

To view the resource use history


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Monitor > System Status > Status.
3. In the System Resource widget, make note of the following values:
o CPU usage
o Memory usage
o System load
o Active sessions
4. Click History.

5. You may need to allow Flash to run in the web browser.

6. Make note of the trends in resource use.


To view resource use in real-time


1. In Windows, open PuTTY.
2. Double-click the preconfigured session for IntGW.
3. Log in as admin and leave the password field empty.
4. To view the list of processes that are consuming the most CPU cycles or RAM, enter the following
command:

diagnose system top delay 1

Note: A list of system processes is displayed, with the processes consuming the most CPU
at the top. The list refreshes every second, which gives you a real-time view of the
system’s resource use. To stop the output, press q.

5. Make note of the processes that are using the most:


• CPU:_______________________________________________________________
• Memory:____________________________________________________________
6. Press q to stop the output but leave the PuTTY session running. You will come back to it soon.

To generate traffic
1. In Windows, on the taskbar, right-click the PuTTY icon, and then select Linux.
2. Log in as root using the password password.
3. Run the spam script by entering the following command:

./spamengine.pl -host 10.0.1.11 -mbox spam -recipient user1@internal.lab -sender spam@external.lab

4. Leave the script running.

To view resource use during traffic
1. Return to the IntGW FortiMail’s PuTTY window.
2. Press the up-arrow key, and then press the Enter key. The history buffer should send the diagnose
system top delay 1 command again.
3. Make note of the resource use by the processes. Which process is using the most:
• CPU:________________________________________________________________
• Memory:_____________________________________________________________
4. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
5. Click Monitor > System Status > Status.
6. In the System Resource widget, click History.
7. Make note of the resource use trends during traffic. You must wait a few minutes before the charts
refresh with new data.

To stop the spam script


1. In the Linux VM PuTTY window, press Ctrl + C.
2. Close the PuTTY window.

To stop the CLI output


1. In the IntGW PuTTY window, press q.
2. Leave this PuTTY session running. You will use it for the next exercise.

3 Local Storage Management
By default, the mail disk partition size is 80% of the total disk. For a gateway mode FortiMail, this can
mean that a lot of unused space is taken up by the mail disk partition.
In this exercise, you will partition the IntGW FortiMail’s local storage, and allocate more space to the log
disk partition.

To verify partition sizes


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Monitor > System Status > Status.
3. In the System Information widget, make note of the Log disk and Mailbox disk sizes:

To change the partition size


1. On the My Systems page, click IntGW. This opens a new tab with the FortiMail VM’s console
session.

Note: You should always perform disk formatting and partitioning tasks using the console
connection. This allows you to monitor the entire process and take action in case of errors.

2. Click anywhere in the console window, and then press the Enter key. This displays the login prompt.
3. Log in as admin and leave the password field empty.
4. Type the following command to change the log disk partition size to 50% of the total storage:

execute partitionlogdisk 50

Note: The system prompts you about data loss on the mail and log disk. Press y.

5. After partitioning completes, the VM will reboot.


To verify the size after partitioning


1. In Windows, return to the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Monitor > System Status > Status.
4. In the System Information widget, make note of the Log disk and Mailbox disk sizes:

LAB 13—Troubleshooting
The internal.lab users are complaining that they are not able to send or receive email. In this lab, you
will use SMTP event logs and the built-in packet capture tools to investigate and remedy the mail flow
issues.

Objectives
• Investigate user complaints
• Use SMTP event logs and packet capturing to determine where the issue is occurring
• Remedy the email flow issue

Time to Complete
Estimated: 60 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file.

To restore the initial configuration files


1. In Windows, open a web browser. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Maintenance > System > Configuration. Upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 13\13_Initial_IntGW.tgz


4. Click Restore.
5. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
6. Log in as admin and leave the password field empty.
7. Click Maintenance > System > Configuration. Upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 13\13_Initial_IntSRV.cfg


8. Wait for the VMs to finish rebooting before proceeding with the exercise.
Note: The config files introduce errors that cause the mail flow issues. Try to follow the
methodologies presented in the lab to troubleshoot and remedy the problem.

1 Troubleshooting the Problem
In this exercise, you will verify the problem. Then, you will use SMTP event logs and packet capturing to
determine where the issue lies.

To investigate inbound email flow


1. In Windows, open a web browser. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Send an email message to user1@internal.lab.
4. Open Thunderbird, and then wait for the email message to arrive. Hint: It won’t arrive.
5. Open a new web browser tab. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
6. Log in as admin and leave the password field empty.
7. Click Monitor > Log > History.
8. Double-click the active log file. The first entry in the History log should correspond to the email
message you just sent from extuser.

9. View the log details. Do the details indicate that there is a problem?

Note: In this particular instance, the History log details don’t provide much information.
You must dig deeper.

10. Click Close.
11. Click the Session ID link to retrieve the cross search results.
12. Review the event logs related to the session:

Note: The first two event logs relate to the external part of the session – from ExtSRV to
IntGW. The third event log relates to the internal part of the session – from IntGW to
IntSRV.

13. Do the event logs indicate that there is a problem?

Note: The external part of the session appears to be without issues. The internal part of
the session appears to be experiencing problems. Specifically, the connection from
IntGW to IntSRV is being refused. However, the reason for refusal isn’t listed.

To investigate outbound email flow


1. In Windows, open Thunderbird.
2. Try to send an email message to extuser@external.lab. Hint: It won’t work!
3. Open a new web browser tab. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
4. Log in as admin and leave the password field empty.

5. Click Monitor > Log > History.
6. Double-click the active log file. Try to find an entry in the History log for the outbound email
message you just tried to send.
7. Click Monitor > Log > Event.
8. Double-click the active log file.
9. In the Sub type drop-down list, select SMTP. Try to find a related SMTP event log entry for the
outbound email message you just tried to send.

Note: If you can’t find an entry in the history or event logs for a specific session, it means
there is an issue at either the IP or TCP layer. In these types of scenarios, only a traffic
capture might show you what the problem is.

To capture inbound email traffic


1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Maintenance > System > Traffic Capture.
3. Click New.
4. Configure the following values:

Field Value

Description InboundCapture

Duration 10 minutes

Interface port1

IP/Host 10.0.1.99

Filter Capture all

Note: After investigating the inbound email flow, you established that the issue appears
to be with the internal portion of the email session. Therefore you are only interested in
seeing traffic for the IntSRV (10.0.1.99) FortiMail.

5. Click Create.
6. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
7. Send a new email message to user1@internal.lab.
8. Visit the IntGW FortiMail’s management GUI.
9. Click Maintenance > System > Traffic Capture.
10. Click Refresh until you see the Size(Byte) column populated.


11. Select the capture, and then click Stop.


12. Select the capture again, and then click Download.
13. Save the capture file to the desktop.

To review the inbound traffic capture


1. On the Windows desktop, open the capture file.
2. In the Display Filter field, type ip.addr==10.0.1.99, and then press the Enter key.
3. You should see the following packets:

4. Select the first packet (Source: 10.0.1.11 Destination 10.0.1.99), and expand the Transmission
Control Protocol header. Review the details:

Note: This is the first packet of the session between IntGW (10.0.1.11) and IntSRV
(10.0.1.99) on port 465 (Dst Port). This packet has a sequence number of 0 and is
flagged as the SYN packet. This packet is expected, since all TCP sessions start with a
SYN packet.

5. Select the second packet (Source: 10.0.1.99 Destination 10.0.1.11), and expand the Transmission
Control Protocol header. Review the details:

Note: This second packet is not expected. It has a RST/ACK flag. The IntSRV FortiMail
is sending a reset as soon as IntGW attempts to set up a TCP session on port 465. The
expected packet would have been a SYN/ACK, but that is not the case.

Note: From the above analysis, you can start to form an idea about the root cause. The
IntGW FortiMail is, as expected, sending a SYN packet to port 465 (SMTPS); however,
the IntSRV FortiMail is refusing the session. You know, and can verify, that it’s not
related to IP addressing, because if it were, you wouldn’t see a reply packet at all. So, it
must be related to the TCP port. However, before you try to fix this issue, have a look at
the outbound session using a packet capture.

To capture outbound email traffic


1. In Windows, open a PuTTY window.
2. Double-click the preconfigured session for IntSRV.
3. Log in as admin and leave the password field empty.
4. Type the following command to start a packet capture:

diagnose sniffer packet any "host 10.0.1.10 and port 25" 4

Note: The filter is set up to capture SMTP (port 25) traffic from the 10.0.1.10 host
(Windows).

5. In Windows, open Thunderbird.


6. Try to send another email message to extuser@external.lab.
7. In the PuTTY window, review the capture output:


Note: The IntSRV FortiMail is showing similar behavior for outbound traffic. The
10.0.1.10 host is initiating the session on port 25 with a SYN packet. However, the
10.0.1.99 host is refusing the session with an RST.

8. Press Ctrl + C to stop the capture.


9. Close the PuTTY window.
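
The capture analysis in this exercise comes down to three outcomes of a TCP handshake: a SYN/ACK, a RST, or no reply at all. As an added example (not part of the lab guide), the following Python code classifies a connection attempt the same way, so the mail ports can be checked from a client without a capture. The function names are illustrative, and the loopback demo uses constructed local ports in place of the lab hosts.

```python
import socket

# What each outcome says about where the fault sits (the lab's reasoning).
MEANING = {
    "open": "SYN/ACK received: TCP works, continue with the SMTP event logs",
    "refused": "RST received: host reachable, nothing listening on this port",
    "no-reply": "no answer: suspect IP addressing, routing or filtering",
    "unreachable": "local stack or a router reported no path to the host",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "no-reply"
    except OSError:
        return "unreachable"


def check_ports(host, ports=(25, 465), timeout=3.0):
    """Probe the SMTP and SMTPS ports and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def loopback_demo():
    """Offline stand-in for the lab hosts: one listening port, one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released without listening, so a SYN to it gets a RST

    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    for state in loopback_demo():
        print(f"{state}: {MEANING[state]}")
```

The two captures in this exercise both correspond to the `refused` outcome: port 465 as seen from IntGW, and port 25 as seen from the Windows host.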

2 Fix the problem
In this exercise, you will review the configuration and fix any errors. Then, you will verify your changes
by sending email in both directions.

To review the configuration


1. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Try to navigate the various configuration sections and discover where there could be a potential
configuration issue for SMTP and SMTPS port numbers. Hint: Check Mail Settings > Settings >
Mail Server Settings.

4. Fix any errors you see in the Mail Server Settings section. Hint: SMTP uses port 25 and SMTPS
uses port 465.

To verify the change


1. In the main Thunderbird window, send another email message to extuser@external.lab. If your
changes are correct, the email message will be delivered to the recipient.
2. Open another web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
3. Log in as extuser using the password fortinet.
4. Verify that the email was received.
5. Open the email message, and then reply to it.
6. In the main Thunderbird window, verify that the reply was received.

Appendix A: Additional Resources
Training Services https://www.fortinet.com/training

NSE Institute https://training.fortinet.com/

Technical Documentation http://docs.fortinet.com/fortimail/admin-guides

Knowledge Base http://kb.fortinet.com

Forums https://forum.fortinet.com/

Customer Service & Support https://support.fortinet.com

FortiGuard Threat Research & Response http://www.fortiguard.com

The Fortinet Cookbook http://cookbook.fortinet.com/fortimail/
