Beruflich Dokumente
Kultur Dokumente
© FORTINET
FortiMail 5.3.8
Student Guide
for FortiMail 5.3.8
DO NOT REPRINT
© FORTINET
FortiMail Student Guide
for FortiMail 5.3.8
Last Updated: 9 June 2017
We would like to acknowledge the following major contributors: Carl Windsor, Khalid Hassan, Michał
Kułakowski and Laurent Blossier
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as
stipulated by the United States Copyright Act of 1976.
Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare®, and FortiGuard®, and
certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be
registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks
of their respective owners. Performance and other metrics contained herein were attained in internal lab tests
under ideal conditions, and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent
Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly
warrants that the identified product will perform according to certain expressly-identified performance metrics
and, in such event, only the specific performance metrics expressly identified in such binding written contract
shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or
otherwise revise this publication without notice, and the most current version of the publication shall be
applicable.
DO NOT REPRINT
© FORTINET
Table of Contents
Logging In ...............................................................................................................................10
Disconnections/Timeouts ........................................................................................................12
Objectives ...............................................................................................................................17
Objectives ...............................................................................................................................31
Objectives ...............................................................................................................................42
Prerequisites ...........................................................................................................................42
Objectives ...............................................................................................................................59
Prerequisites ...........................................................................................................................59
Objectives ...............................................................................................................................68
Objectives ...............................................................................................................................72
Objectives ...............................................................................................................................83
Prerequisites ...........................................................................................................................83
Objectives ...............................................................................................................................93
Objectives ...............................................................................................................................105
Prerequisites ...........................................................................................................................105
Objectives ...............................................................................................................................120
Prerequisites ...........................................................................................................................120
Objectives ...............................................................................................................................128
LAB 12—MAINTENANCE..............................................................................138
Objectives ...............................................................................................................................138
LAB 13—TROUBLESHOOTING......................................................................146
Objectives ...............................................................................................................................146
Prerequisites ...........................................................................................................................146
4 Authentication .....................................................................................................................268
7 Antispam .............................................................................................................................378
10 Server Mode......................................................................................................................498
11 Transparent Mode.............................................................................................................525
© FORTINET
Virtual Lab Basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted on remote datacenters that allow each student
to have their own training lab environment or PoD - point of deliveries.
© FORTINET
System Checker
Before starting any class, check if your computer can successfully connect to the remote datacenters.
The System Checker fully verifies if your network connection and your web browser are reliable to
connect to the virtual lab.
You do not have to be logged into the lab portal in order to perform the System Checker.
If your computer successfully connects to the virtual lab, the Browser Check and Network
Connection Check each display a check mark icon. You can then proceed to log in.
If any of the tests fail:
Browser Check: This affects your ability to access the virtual lab environment.
Network Connection Check: This affects the usability of the virtual lab environment.
For solutions, click the Support Knowledge Base link or ask your trainer.
© FORTINET
Logging In
Once you confirm your system can successfully run the labs through System Checker, you can proceed
to log in.
https://remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update.
This ensures that your class schedule is accurate.
3. Click Enter Lab.
© FORTINET
Your system dashboard will appear, listing the virtual machines in accordance with your lab
topology.
4. From this page, open a connection to any virtual appliance by doing one of the following:
Clicking the device’s square (thumbnail)
Selecting Open from the System drop-down list associated to the VM you want to access.
© FORTINET
Note: Follow the same procedure to access any of your virtual devices.
A new web browser tab opens, granting you access to the virtual device. When you open a VM, your
browser uses HTML5 to connect to it.
Depending on the virtual machine you select, the web browser provides access to either a text-
based CLI or the GUI.
Connections to the Windows VM use a Remote Desktop-like GUI. The web-based connection should
automatically log in and then display the Windows desktop.
For most lab exercises, you will connect to this Windows VM.
Disconnections/Timeouts
If your computer’s connection with the virtual machine times out, or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of
VMs and open the VM again.
© FORTINET
If that does not succeed, see the Troubleshooting Tips section of this guide.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the HTML 5 client, to configure screen resolution, open the System menu.
International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.
To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to
display an on-screen keyboard.
© FORTINET
Student Tools: View Broadcast and
Raise Hand
Your instructor is able to broadcast his lab systems in order to allow students to see any on-going task in
real-time. When an instructor begins a broadcast, you will receive an alert at the top of all open lab
pages.
To accept and view the broadcast, you may either click on the notification message or click View
Broadcast on the left side panel.
If you have any question or issue, use the Raise Hand tool, your instructor will be notified and will assist
you.
Troubleshooting Tips
Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-
bandwidth or high-latency connections.
For best performance, use a stable broadband connection such as a LAN.
Prepare your computer's settings by disabling screen savers and changing the power saving
scheme, so that your computer is always on, and does not go to sleep or hibernate.
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), please
attempt to reconnect. If unable to reconnect, please notify the instructor.
If you can't connect to a VM, on the VM's icon, you can force the VM to start up and by clicking
System > Power Cycle. This fixes most problems. If that does not solve the problem, revert the
VM to its initial state by System > Revert to Initial State.
© FORTINET
Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions
first.
If during the labs, particularly when reloading configuration files, you see a limited management GUI
similar to the one shown below, the VM is waiting for a response to the authentication server.
To retry immediately, go to Maintenance > FortiGuard > Update, and click Update Now.
© FORTINET
If the authentication server response is received, you should be redirected to the login page
If you don’t see the above prompt, wait a few minutes and try again, or ask your trainer.
© FORTINET
LAB 1—Initial Setup
In this lab, you will verify the DNS MX records for both of the lab domains, perform the initial
configuration tasks for the FortiMail VMs installed in the internal.lab domain for inbound email, and
configure an email client to connect to a server mode FortiMail. Then, you will issue basic SMTP
commands and inspect email headers to understand the flow of SMTP.
Objectives
Verify DNS MX records for the lab domains
Configure the initial system and email settings on the server mode FortiMail
Configure the initial system and email settings on the gateway mode FortiMail
Manually send basic SMTP commands to an email server to understand the SMTP protocol
Time to Complete
Estimated: 45 minutes
© FORTINET
1 Verifying DNS Records
DNS is a critical component in routing email messages. In this exercise, you will use Windows DOS
commands to verify the published DNS MX records for both internal.lab and external.lab domains, to
understand the lab network mail routing.
To verify MX records
1. In Windows, open a command prompt window, and then enter the following commands to display
the MX records associated with the external.lab domain:
nslookup -type=mx external.lab
You should receive an output similar to the following:
Note: As indicated in the nslookup query output, there is only one MX record associated
with the external.lab domain.
extsrv.external.lab MX preference = 10
Therefore, all email messagess sent to the external.lab domain must be sent to the
extsrv.external.lab (10.200.1.99) host.
2. In the same command prompt window, enter the following commands to display the MX records
associated with the internal.lab domain:
nslookup -type=mx internal.lab
You should receive an output similar to the following:
© FORTINET
What is the primary MX record for the internal.lab domain? ___________________________
Caution: In the lab network, the MX records for the internal.lab domain are geared for
convenience, and should not be used as a template for real-world deployments.
Since the back-end mail server might not have the full range of email security features
enabled, publishing it as a secondary MX entry is detrimental to security. Spammers can
easily identify and exploit these servers using MX records.
Publishing the back-end mail server as a secondary MX entry will also prevent certain
FortiMail features - such as greylisting, sender reputation - from working effectively.
© FORTINET
2 Configuring a Server Mode
FortiMail
In the lab network, the IntSRV server mode FortiMail is intended to be the mail server for the
internal.lab domain. It is where the end user mailboxes are, where you will perform all user-
management tasks, and where you will perform tasks specific to server mode.
In this exercise, you will perform the basic configuration tasks required to establish inbound email flow
on the IntSRV FortiMail VM. You will verify your configuration by sending an email from the ExtSRV
FortiMail VM and then reviewing the logs. Then, you will configure a Mail User Agent (MUA) to connect
to the server mode FortiMail.
Field Value
IP/Netmask: 10.0.1.99/24
© FORTINET
Access: HTTPS PING SSH TELNET
Administrative status: Up
4. Click OK.
5. Click System > Network > Routing.
6. Click New.
7. Add a new static route using the following values:
Field Value
Interface: port1
Gateway: 10.0.1.254
Field Value
Note: There is only one DNS server in the lab network; therefore you are only configuring
only the Primary DNS server field. However, in a production FortiMail deployment, you
should configure a primary and a secondary DNS server.
Field Value
3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains > Domains.
5. Click New to add a protected domain using the following values:
6. Keep the default values for the remaining settings, and then click Create.
Field Value
Password: fortinet
Field Value
To: user1@internal.lab
4. Click Send.
5. Open a new web browser tab. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
Ignore any security warnings generated by your browser. The warnings relate to the CN field and
the signer of the self-signed FortiMail certificate.
6. Log in as user1 using the password fortinet.
7. If the test email message doesn’t appear in the inbox, click Refresh.
© FORTINET
4. Review the logs and verify that the system applied the appropriate Classifier and Disposition to
your test email message.
© FORTINET
To configure an MUA to connect to the server mode FortiMail
1. In Windows, open Mozilla Thunderbird. If the system prompts you to sign up for a new email
address, click Skip this and use my existing email.
2. After the Mail Account Setup wizard starts, enter the account information for Mail User 1.
3. Click Continue. Thunderbird attempts to auto-configure the server settings. Click Manual Config.
4. Modify the auto-discovered Server hostname values for both Incoming and Outgoing to match
the following screenshot, and then click Done.
© FORTINET
5. Thunderbird displays a warning about unencrypted passwords. Check I understand the risks and
then click Done.
Caution: While unencrypted passwords are fine for a lab network, they should be avoided
in real-world deployments.
6. Thunderbird displays a certificate security warning. Select the Permanently store this
exception check box, and then click Confirm Security Exception to complete the Mail Account
Setup wizard.
© FORTINET
7. If your configuration is correct, the test email you created in the previous exercise appears in
Thunderbird, in your local inbox.
© FORTINET
3 Configuring a Gateway Mode
FortiMail
In the lab network, the IntGW gateway mode FortiMail is intended to be the MTA for the internal.lab
domain. It will be the relay server for the IntSRV FortiMail, and also where most of the inspection
configuration tasks will be performed.
In this exercise, you will perform the configuration tasks required to establish inbound email flow on the
IntGW FortiMail VM. Then, you will verify your configuration by manually composing an email using a
telnet session, and reviewing the headers of the email in your Thunderbird mail client.
Note: Recall the DNS verification tasks you performed in the first exercise. As the MX
records show, the intgw.internal.lab (10.0.1.11) host is the primary MTA for the
internal.lab main. So, all email messages should be sent to the IntGW FortiMail first for
processing. The IntGW FortiMail will then pass the email to the IntSRV FortiMail VM for
delivery to the end user.
Field Value
Interface: port1
Gateway: 10.0.1.254
Field Value
Field Value
3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains > Domains.
5. Click New to add a protected domain using the following values:
Field Value
Note: 10.0.1.99 is the IP address of the IntSRV host. This is the server mode FortiMail
that you configured in the previous exercise. It contains the user mailboxes for the
internal.lab domain. Therefore, the IntGW host is configured with 10.0.1.99 as the
protected SMTP Server.
6. Keep the default values for the remaining settings, and then click Create.
© FORTINET Note: You can’t use the backspace or delete key to correct any typing errors. If you make
a mistake, close the connection and start over.
telnet intgw.internal.lab 25
…wait for reply…
ehlo 10.0.1.10
…wait for reply…
data
…wait for reply…
Message body
.
…wait for reply…
quit
3. In Thunderbird, open the test message that you sent in the previous step.
4. View the full headers of the message. To do this, in the More drop-down list, select View Source:
© FORTINET
5. Compare the Received: headers in the Telnet session email with the Hello World! email you sent
in the previous exercise. What differences do you see?
Note: The Hello World email’s Received header shows that the IntSRV FortiMail
received the email directly from the ExtSRV FortiMail.
Received: from extsrv.external.lab ([10.200.1.99]) by
IntSRV.internal.lab with ESMTP id v1OLZmQa002443-v1OLZmQc002443
The Telnet session email’s Received header shows that the email was processed first by
the IntGW FortiMail, and then handed off to the IntSRV FortiMail.
Received: from IntGW.internal.lab ([10.0.1.11]) by
IntSRV.internal.lab with ESMTP id v1OMw47q002651-v1OMw47s002651
© FORTINET
LAB 2—Access Control and
Policies
In this lab, you will establish outbound email flow for the internal.lab domain, as well as configure a
relay host for the server mode FortiMail. You will create IP and recipient policies, and then use logged
policy IDs to identify how policies are applied to an email.
Objectives
Configure access receive rules to allow outbound email
Configure an external relay host
Configure IP and recipient policies
Use logged policy IDs to track messages
Time to Complete
Estimated: 45 minutes
© FORTINET
1 Outbound Email Flow
In this exercise, you will configure the necessary access receive rules on both the IntGW and IntSRV
FortiMail VMs to allow outbound email.
Field Value
To: extuser@external.lab
2. Click Send. If Thunderbird displays a security warning, select the Permanently store this
exception check box, and then click Confirm Security Exception.
1. Open a web browser and visit the ExtSRV FortiMail's webmail GUI:
https://extsrv.external.lab/
2. Login as extuser with the password fortinet.
3. Verify that extuser has received the email.
Note: By default, FortiMail rejects outbound email, unless the sender is authenticated.
Since you configured Thunderbird to authenticate when sending emails using SMTP, the
IntSRV FortiMail relays it.
Field Value
User Defined
Sender Pattern:
*@internal.lab
User Defined
Sender IP/netmask:
10.0.1.0/24
© FORTINET
Action Relay
Note: While the default behavior reduces configuration requirements, it is still good
practice to configure an access receive rule with specific sender patterns, and sender
IP/netmask values in a server mode deployment to restrict filter outbound sessions.
Field Value
User Defined
Sender Pattern:
*@internal.lab
User Defined
Sender IP/netmask:
10.0.1.99/32
Action Relay
Note: On the IntGW FortiMail you are allowing only the IntSRV server mode FortiMail to
relay email. Therefore, you are configuring a /32 subnet mask. No other host is able to
relay email through IntGW.
© FORTINET
6. Review the Received: headers. What hops did the email take to reach the destination inbox?
Note: The email message was generated by Windows (10.0.1.10) and sent to IntSRV
(10.0.1.99). The IntSRV host then delivered the email message to ExtSRV (10.200.1.99).
Received: from IntSRV.internal.lab ([10.0.1.99])by
extsrv.external.lab with ESMTP id v1RL4umB001914-v1RL4umD001914
According to the headers, the email message did not pass through the IntGW FortiMail, which is
expected. The IntSRV server mode FortiMail delivered the email based on MX query results. To make
sure all outbound email from IntSRV FortiMail relays through the IntGW FortiMail, you must configure a
relay host on the IntSRV FortiMail.
© FORTINET
2 Relay Host
In this section, you will configure an external relay host on the IntSRV FortiMail so all outbound email
are sent to the IntGW gateway mode FortiMail for delivery.
Field Value
Name: IntGWRelay
6. Leave the remaining fields empty, and then click Create to save the relay host configuration.
7. Click Apply to save the Outgoing Email setting changes.
Field Value
To: extuser@external.lab
3. Click Send.
4. Visit the ExtSRV webmail GUI:
https://extsrv.external.lab/
5. Verify that the email was delivered.
6. Review the headers. Do you see any differences in the Received: headers? What hops did the
email take this time to reach the destination inbox?
© FORTINET
Note: The email was generated by Windows (10.0.1.10) and sent to IntSRV (10.0.1.99).
The IntSRV host then sent the email to IntGW (10.0.1.11). The IntGW host delivered the
email to ExtGW (10.200.1.99).
Received: from IntGW.internal.lab ([10.0.1.11]) by
extsrv.external.lab with ESMTP id v1RLvKZS002158-v1RLvKZU002158
By completing the previous configuration steps, you have successfully established bidirectional email
flow in which all inbound and outbound email must flow through the IntGW gateway mode FortiMail.
© FORTINET
3 Policy Usage Tracking
As email messages flow through FortiMail, log entries are created that show which policies were
triggered. This is extremely useful for testing new policies and troubleshooting existing ones.
In this exercise, you will send two email messages, one in each direction, and then review which policies
the messages used.
© FORTINET
5. Review the Policy IDs field, and answer the following questions:
The Policy IDs field is made up of three fields (X:Y:Z). What does each field’s value correspond to?
Note: The policy IDs for each email message are recorded in the history logs in
the format of X:Y:Z,where X is the ID of the access control rule, Y is the ID of the
IP-based policy, and Z is the ID of the recipient-based policy.
If the value in the access control rule field for an incoming email is 0, it means that
FortiMail is applying its default rule for handling inbound email. If the value of
X:Y:Z is 0 in any other case, it means that a policy or rule couldn’t be matched, or
doesn’t exist.
Note: The policy use recorded for the outbound email message is 1:1:0. It was
processed using access receive rule ID 1, which you created in the previous
exercise. Then, the email message was processed using the default IP policy ID 1.
Because you didn’t configure any outgoing recipient policy, the last field value is 0.
© FORTINET
4 Policy Creation
In this exercise, you will create IP and recipient policies. Then, you will test your configuration by
sending email messages back and forth. You will also use logs to observe the changes to the policy use
from the previous exercise.
To create IP policies
1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Policy > Policies > Policies.
3. In the IP Policies section, click New.
4. Create a new IP policy using the following values:
Field Value
Source: 10.0.1.99/32
Session: Outbound_Session
7. Click the policy to select it. In the Move drop-down list, select Before. Move IP policy ID 3 to appear
in the list before IP policy ID 1.
© FORTINET
8. The policies should appear in the following order:
IP policy ID 3 will process all email sourced from the IntSRV FortiMail (outgoing), and IP Policy ID 1
will process all other email (incoming). IP policy ID 2 is a default IPv6 policy. Since this lab is not
configured for IPv6, it is not required. You can delete it if you want to.
2. Click New.
3. Don’t modify any values. Click Create to save the policy.
© FORTINET Note: FortiMail maintains a global list of outbound recipient policies. If you manage
multiple protected domains, and you need to handle outbound email for each protected
domain differently, you must create a different outbound recipient policy for each protected
domain, and set the Sender Pattern accordingly.
3. Access the details for each log entry and review the Policy IDs field.
4. What changes can you see from the previous exercise?
Note: The policy use will reflect the new ID values for the policies you created. All
outgoing email will be processed by IP policy ID 3, and outgoing recipient policy ID 1. All
incoming email will be processed by IP policy ID 1, and incoming recipient policy ID 1.
© FORTINET
LAB 3—Authentication
In this lab, you will configure access receive rules to enforce user SMTP authentication. You will also
configure an LDAP profile to enable recipient verification, alias mapping, and user authentication.
Objectives
Enforce user SMTP authentication using access receive rules
Configure an LDAP profile
Enable recipient verification and alias mapping
Configure LDAP authentication for users
Time to Complete
Estimated: 60 minutes
Prerequisites
Before beginning this lab, you must disable sender reputation on the IntGW FortiMail.
Note: The sender reputation feature can interfere with some of the testing that you will
do in this lab.
© FORTINET
1 User Authentication
Enforcement
In this exercise you will explore how FortiMail handles SMTP authentication. You will enforce
authentication using access receive rules, and test your configuration using various outgoing server
settings in Thunderbird.
4. On the Account Settings screen, in the left pane, click Outgoing Server (SMTP), and then click
Edit.
© FORTINET
5. In the Authentication method drop-down list, select No authentication.
Note: By making these changes, you have disabled authentication for SMTP connections.
So, when you send an email message, Thunderbird won’t authenticate.
Note: The access receive rule that you configured in LAB 2—Access Control & Policies
didn’t have authentication enforcement enabled.
When you set Authentication Status to Any, FortiMail doesn’t verify whether the
sender matching the rule is authenticated or not.
© FORTINET
To enforce authentication
1. Open a new web browser tab. Visit the IntSRV FortiMail's management GUI:
https://intsrv.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Select rule ID 1 and click Edit.
© FORTINET
3. Click OK to close the alert, but leave the email compose window open in the background.
4. Visit the IntSRV FortiMail's management GUI:
https://intsrv.internal.lab/admin
5. Click Monitor > Log > History.
6. Double-click the active log file. The first entry in the History log should correspond to the rejected
email message.
Note: In this log entry, you can see IntSRV has rejected (Disposition) the email because
the session violated an access control rule (Classifier). By changing the Authentication
Status value to Authenticated, you have successfully enforced authentication for users
connecting to the IntSRV FortiMail.
© FORTINET
14. Click the Session ID link to retrieve the cross search results.
15. Right-click the event log related to the authentication event to view the details
© FORTINET
2 LDAP Operations
The Windows VM has been preconfigured with Active Directory Services for the internal.lab domain. In
this exercise, you will review the Active Directory configuration and learn how to retrieve LDAP attributes
for Active Directory objects. Then, you will configure an LDAP profile on both IntSRV and IntGW
FortiMail devices to use for user authentication, alias lookup, and recipient verification.
Note: A service account for the LDAP profile is located in the Service Accounts
Organization Unit (OU). The users and groups are located in the Training Users OU
and Training Groups OU respectively.
© FORTINET
2. Right-click internal.lab, and then select Properties.
Note: You can use the previous steps to access the LDAP attributes of any
Active Directory object necessary to configure the LDAP profile on FortiMail.
© FORTINET
To configure an LDAP profile on IntGW FortiMail
1. Open a new web browser tab. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Log in as admin and leave the password field empty.
3. Click Profile > LDAP > LDAP.
4. Click New.
5. Create an LDAP profile using the following values:
Field Value
Field Value
7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:
Field Value
© FORTINET
5. Create an LDAP profile using the following values:
Field Value
Field Value
7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:
Field Value
© FORTINET
6. If the query fails, make sure the LDAP profile configuration matches the following screenshot:
7. On the LDAP profile configuration screen, click [Test LDAP Query…] again.
8. Change the query type to Alias.
9. All of the Active Directory users have been preconfigured with aliases. Query for the following
aliases:
mailuser1@internal.lab
mailuser2@internal.lab
10. If your configuration is correct, you will receive the following Test Result message:
© FORTINET
11. If the query fails, make sure the LDAP profile User Alias Options configuration matches the
following screenshot:
© FORTINET
4. In the Use LDAP server drop-down list, select InternalLabLDAP.
5. Expand the Advanced Settings section.
6. In the LDAP user alias / address mapping profile drop-down list, select InternalLabLDAP.
7. Your configuration should match the following screenshot:
Note: You don’t need to configure recipient verification on the IntSRV FortiMail. Recipient
verification is enabled implicitly on a server mode FortiMail because the user database
exists locally.
You also don’t need to configure alias mapping on the IntSRV FortiMail because the
mapping is done by the IntGW FortiMail before it delivers an email message to the
IntSRV FortiMail.
Note: Users will use their Active Directory accounts to authenticate and gain access to the
IntGW FortiMail’s webmail interface for quarantined emails.
Note: If the LDAP profile doesn’t appear in the drop-down list, then you missed a step.
Return to the To Configure an LDAP Profile section, and then follow the listed steps to
configure the same LDAP profile on the IntSRV FortiMail.
Field Value
© FORTINET
3. If you have configured the server mode user LDAP authentication correctly, the login will be
successful.
Note: The webmail GUI in gateway mode gives users access to their Bulk folder, which
contains only quarantined email. You will configure email quarantining in a later lab. In this
section, you are verifying user access only.
Field Value
To: invaliduser@internal.lab
4. Click Send.
5. Click Refresh to update the inbox. You should receive a delivery status notification (DSN) message.
6. Open the DSN message and review the transcript details.
7. Visit the IntGW FortiMail’s management GUI.
https://intgw.internal.lab/admin
8. Click Monitor > Log > History.
9. Double-click the active log file. The first entry in the History log should correspond to email you
just sent.
© FORTINET
10. Review the log details.
Field Value
To: mailuser2@internal.lab
4. Click Send.
5. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
6. Log in as user2 using the password fortinet.
7. The email you sent to mailuser2@internal.lab should appear in the user2@internal.lab inbox.
© FORTINET
Note: Alias mapping is useful to consolidate multiple email messages for the same user
in a single email account using their primary email address as the identifier. This reduces
account management overhead for the user and the administrator. For example, if a user
has five aliases in addition to a primary email address, FortiMail can use alias mapping to
maintain a single user quarantine mailbox. Otherwise, the user would have to manage six
separate quarantine accounts, as well as the quarantine reports for each account.
© FORTINET
LAB 4—Session Management
In this lab, you will configure session profiles to inspect the envelope part of SMTP sessions. You will
also use session profiles to hide internal network information from email headers.
Objectives
Configure session profile connection settings to limit inbound connections to the IntGW FortiMail
Configure sender address rate control to limit outbound connections on the IntSRV FortiMail
Configure session profile header manipulation to hide your internal network information
Time to Complete
Estimated: 45 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to the IntSRV FortiMail.
Note: The configuration file adds a new IP policy that causes all email delivery attempts
from the ExtSRV FortiMail to the IntSRV FortiMail to fail temporarily. This is done to
ensure that when the session limits are triggered on the IntGW FortiMail, the ExtSRV
FortiMail can’t deliver to the IntSRV FortiMail directly. The change helps in testing the
session profile settings you will be configuring on IntGW in this lab.
4. Click Restore.
5. Wait for the IntSRV FortiMail to finish rebooting before you proceed with the exercise.
© FORTINET
1 Connection Limits
Spammers usually send as many email messages as they can in a small period of time, before
legitimate email servers begin to block delivery. If blocked, the spammers won’t spend the time to retry.
Normal email servers will retry delivery if it fails the first time. One method of blocking spam, while
allowing legitimate email messages, is to limit the number of SMTP sessions that each client can
establish in a 30-minute period.
In this exercise, you will configure a session profile on the IntGW FortiMail to limit the number of
connections the ExtSRV FortiMail can establish over a 30-minute period. Then, you will test the
connection limitation by sending consecutive email messages to trigger a violation. You will also verify
your configuration by reviewing the logs.
Field Value
Note: Four connections every 30 minutes is too few to be realistic for real world
deployments. Email servers usually send many email messages to or through
FortiMail each minute. In this lab, however, you will use the 30-minute restriction to
make your rate limit easy to trigger.
Note: If there are no IP policies configured with a session profile, FortiMail will still
rate limit connections according to its default settings, which are similar to the
session_basic_predefined profile–including the 10 MB size limit, sender reputation
enabled, and so on. To disable the rate limit, you must create and apply a blank
session profile.
© FORTINET
save your settings.
Note: There will be one email sent per TCP connection. Therefore IntGW FortiMail should
allow the first four but block email number five, which exceeds your configured connection
limit.
8. Why are the From, To, and Subject fields empty in this log entry?
Note: FortiMail blocked the client’s attempt when scanning the IP layer of the initial
packets, before the SMTP session could be established. The SMTP session contains the
SMTP envelope: the sender’s email address, the recipient’s email address, and the
subject. So those parts of the email were never received.
© FORTINET
To disable connection limits
1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Policy > Policies > Policies.
3. Edit IP policy ID 1.
4. In the session profile drop-down list, select Inbound_Session.
5. Click OK.
© FORTINET
2 Sender Address Rate Control
While it is important to protect your email users from spammers sending large volumes of email, it is also
important to protect your own MX IP reputation by controlling the volume of email received from internal
users.
In this exercise, you will configure sender address rate control on the IntSRV FortiMail. Then, you will
send consecutive email messages to trigger a violation, and verify your configuration using logs.
Field Value
Action: Reject
8. Click New.
9. Create a notification profile using the following values:
Field Value
Name: NotifyUser1
© FORTINET
To validate sender address rate control
1. Open a new web browser tab. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
2. Log in as user2 using the password fortinet.
3. Send five email messages to extuser@external.lab to trigger the rate control limit.
4. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
5. Log in as extuser using the password fortinet.
6. Check how many email messages were delivered to the extuser@external.lab inbox.
7. By now, user1@internal.lab should have received the notification email for the rate control violation.
Open Thunderbird and view the details in the notification email.
Note: Notification profiles are a convenient feature that can allow administrators to keep
informed of events occurring on FortiMail. Many FortiMail features support notification
profiles.
8. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
9. Click Monitor > Log > History.
10. Double-click the active log file. The first entry in the History log should correspond to the rate
control violation.
Note: While session profile connection limits and sender address rate control appear to
function very similarly, there is a major difference in how these limits are applied by
FortiMail.
As you observed in the previous exercise, session profile connection limits are applied at
the IP layer. Sender address rate control limits connections based on the sender address.
This is derived from the mail from: field of the SMTP envelope. So, for sender address
rate control, FortiMail must process at least a portion of the SMTP envelope. This is also
why user2@internal.lab appears in the From field of the log entry, but the log entries from
the session profile connection limits are empty.
© FORTINET
To disable sender address rate control
1. Visit the IntSRV FortiMail’s management GUI:
https://intsrv.internal.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Select the internal.lab domain and click Edit.
4. Expand the Advanced Scan Settings section and disable Sender address rate control.
© FORTINET
3 Header Manipulation
Removing internal headers is a common security practice. It hides your internal network information from
the world.
In this exercise, you will observe the effects of header manipulation settings by configuring a session
profile on the IntGW FortiMail to hide internal headers.
To review headers
1. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Open any email message sent by an internal.lab user. If you deleted all the previous email
messages, open Thunderbird and send a new email message to extuser@external.lab.
4. Click More > Detailed Header. Select and copy (Ctrl + C) the header contents.
5. Open a new Notepad window and paste (Ctrl + V) the header details. Save the file on the desktop
as Header_Before.txt.
5. Expand Header Manipulation, and then select the Remove received headers check box.
6. Click OK to save the changes.
Note: The IntGW FortiMail removes all previous Received: headers from the email when
it starts processing it, using IP policy ID 1.
© FORTINET
To validate header manipulation settings
1. Open Thunderbird.
2. Send a new email message to extuser@external.lab.
3. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
4. Log in as extuser using the password fortinet.
5. Open the email message you just sent from user1@internal.lab.
6. Review the detailed headers of the email.
Note: In the Received: header you should only see details about IntGW and ExtSRV.
There should be no information about Windows (10.0.1.10), and IntSRV (10.0.1.99).
7. Open the Header_Before.txt file you saved earlier. Compare the differences.
© FORTINET
LAB 5—Antivirus
In this lab, you will apply FortiMail’s local malware detection techniques to scan for viruses in inbound
email.
Objectives
Configure an antivirus profile to enable local malware detection
Configure an antivirus action profile to replace infected content from an email
Apply antivirus scanning to inbound email
Test antivirus functionality
Time to Complete
Estimated: 15 minutes
© FORTINET
1 Antivirus Scanning for Malware
Detection
In this exercise, you will configure an antivirus profile and an antivirus action profile on the IntGW
FortiMail. Then, you will apply the antivirus profile to a recipient-based policy in order to scan all inbound
email sent to the internal.lab domain.
You shouldn’t test your antivirus configuration using a live virus. By doing so, you risk infecting your
network’s hosts if your configuration is incorrect. To test your antivirus configuration without risk of
infecting your network, you will use an EICAR file.
An EICAR file doesn’t contain a real virus. It is a harmless, industry-standard test file that is designed to
trigger all antivirus engines for testing purposes. So, if your antivirus configuration is correct, FortiMail
should detect the EICAR file as a virus.
Field Value
Domain internal.lab
Note: The action profile that you created doesn’t appear in the list. Why? The list view is
filtered by domain. If you want to show the new profile, change the selection in the
Domain drop-down list. Select internal.lab, to view the action profiles for that specific
domain, or select All to view the action profiles for all domains.
© FORTINET
3. Add a new antivirus profile using the following values:
Field Value
Domain: internal.lab
Field Value
To: user1@internal.lab
4. Click Attach.
5. Browse to and select:
Desktop\Resources\Files\eicar.com
6. Wait for the file upload to finish, and then click Send.
To verify AV functionality
1. In Windows, open Thunderbird.
2. Confirm that you received the email message sent from extuser@external.lab.
3. Note that the following actions have been applied to the email message:
The subject line contains the [VIRUS DETECTED] tag
© FORTINET
The IntGW FortiMail replaced the EICAR file and inserted a replacement message
4. Click the Session ID link to review the cross search result for more details.
© FORTINET
LAB 6—Content Inspection
In this lab, you will configure a content filter to monitor email based on dictionary word scores. You will
also configure the data loss prevention (DLP) feature to detect and block any outbound email containing
credit card numbers.
Objectives
Configure a dictionary profile to monitor words using scores
Configure a content profile monitoring and filtering to apply the dictionary profile
Apply content filtering on all inbound email
Configure DLP to detect credit card numbers in an email body and attachments
Apply DLP on all outbound email
Time to Complete
Estimated: 40 minutes
© FORTINET
1 Content Inspection
In this exercise, you will configure a content profile’s content monitoring and filtering options to scan for
specific pattern occurrences in inbound email. Then, you will configure the action to be applied after the
same word occurs three times in an email message.
Field Value
Pattern: fortimail
Note: If Enable pattern maximum weight limit is disabled, the pattern can increase an
email’s dictionary match score by more than the amount configured in Pattern max
weight field.
Field Value
Domain System
Direction Incoming
Action SysQuarantine_Inbound
© FORTINET
4. Expand the Content Monitor and Filtering section.
5. Click New.
6. Configure the content monitor profile using the following values:
Field Value
Dictionary: WordScores
Minimum score: 3
Note: Setting the Minimum score to 3 ensures that the action profile is applied only after
FortiMail has found three occurrences of the pattern in a single email message.
Desktop\Resources\Files\messagebody.txt
© FORTINET
7. Click Monitor > Log > History.
8. Double-click the active log file. The first entry in the History log should correspond to the virus
email. Notice the values for Classifier and Disposition.
© FORTINET
7. Click Monitor > Quarantine > System Quarantine.
8. Double-click the Content mailbox. The quarantined email will appear here.
© FORTINET
2 Data Loss Prevention
In this exercise, you will configure a DLP profile and DLP action profile on the IntGW FortiMail. Then,
you will apply the DLP profile to a recipient-based policy, to scan all outbound email sent from the
internal.lab domain.
end
5. Reload the IntGW FortiMail’s management GUI. When the GUI reloads, the Data Loss Prevention
menu item will appear.
Note: The DLP feature is disabled in entry-level FortiMail models (VM01, 60D, 200D)
because of performance considerations. You are enabling it to test the feature in a lab
environment. You shouldn’t enable the DLP feature in a production network on an entry-
level FortiMail.
© FORTINET
3. In the Name field, type ScanCreditCards
5. In the first Condition drop-down list, select Body and Attachment, and, in the second Condition
drop-down list, select contains sensitive data.
6. Click Edit, select the Credit_Card_Number data template, and then click OK.
© FORTINET
8. Verify that your Message Scan Rule matches the following screenshot, and then click Create to
save the rule.
© FORTINET
Field Value
© FORTINET
8. In the Scan rule drop-down list, select ScanCreditCards, and then click Create to save the DLP
Content Scan Settings.
9. Verify that your DLP profile matches the following screenshot, and then click Create to save the
profile.
To: extuser@external.lab
Note: The email message won’t be delivered to extuser@external.lab because the IntGW
FortiMail should detect the credit card numbers in the PDF file, and apply the system
quarantine action.
© FORTINET
LAB 7—Antispam
In this lab, you will configure antispam scanning for both inbound and outbound email. Then, you will
verify your configuration by sending live spam through the IntGW FortiMail VM. You will also configure
quarantine report settings, and manage user quarantine.
Objectives
Scan both incoming and outgoing email for spam
Send spam email to user quarantine
Manage quarantine report configuration
Access and explore the user quarantine mailbox
Time to Complete
Estimated: 40 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file.
Note: The configuration files disable all session profile inspection features that can
potentially interfere with the antispam testing you will do in this lab.
© FORTINET
1 Scan Incoming Email for Spam
In this exercise, you will verify the FortiGuard configuration. Then, you will configure an antispam profile
to scan all incoming email and send all spam email to the users’ personal quarantine accounts.
Field Value
Note: If the Query result is No response, or if the antispam license status on Monitor >
System Status is Trial, then change the FortiGuard service port setting, click Apply, and
then test the connection again.
Field Value
Domain: internal.lab
4. Click Create.
Field Value
Domain: internal.lab
4. Click Create.
5. In the Domain drop-down list, select internal.lab
6. Select the AS_In antispam profile and click Edit.
7. Enable the following antispam techniques:
FortiGuard
o IP Reputation
o Extract IP from Received Header
o URI filter: phishing
DMARC check
Behavior analysis
Header analysis
Heuristic
o The percentage of rules used: 100
Suspicious newsletter
Newsletter
8. Click OK to save the changes
© FORTINET
2 Testing the Antispam
Configuration
To test your antispam settings, you will use a script named spamengine.pl on the Linux VM to send
spam to user1@internal.lab.
© FORTINET
7. Click the Session ID link of a history log entry, and review the related antispam log for the session.
© FORTINET
3 User Quarantine Management
An email user can access their list of quarantined email messages using either POP3 or webmail. In this
exercise, you will access the user1@internal.lab quarantine mailbox on the IntGW FortiMail in the
webmail GUI. You will also configure quarantine report scheduling and generate an on-demand
quarantine report. Then, you will explore the options available in a quarantine report.
4. Try releasing an email from the quarantine mailbox to the user’s inbox.
5. Try deleting a quarantined email.
6. Log out of the webmail interface after you’re finished.
© FORTINET Note: FortiMail auto-generates quarantine reports on schedule only for accounts that have
quarantined email. If a user’s quarantine account is empty, then no report is generated for
that account.
5. The end of the quarantine report contains options to delete all quarantined email messages
using either an email or a web action:
© FORTINET
6. Select the web action to delete all of the quarantined email messages for user1@internal.lab.
© FORTINET
3 Scan Outgoing Email for Spam
In this exercise, you will configure outbound antispam scanning on the IntGW FortiMail. Then, you will
test the configuration by sending an outbound email message containing a banned word.
Field Value
Domain: System
Direction: Outgoing
© FORTINET
2. In the Recipient Policies section, in the Direction drop-down list, select Outgoing.
3. Select outgoing recipient policy ID 1, and then click Edit.
4. In the Profiles section, in the AntiSpam drop-down list, select AS_Out.
5. Click OK to save the changes.
554 5.7.1 This email from IP 10.0.1.99 has been rejected. The email
message was detected as spam.
4. Visit the IntGW FortiMail's management GUI:
https://intgw.internal.lab/admin
5. Click Monitor > Log > History.
6. Double-click the active log file. The first entry in the History log should correspond to the rejected
email message.
7. Review the log and verify that the appropriate action was applied to the outbound email message.
8. Click the Session ID link to review the cross search result for more details.
© FORTINET
LAB 8—Securing
Communications
In this lab, you will implement SMTPS between the IntGW and IntSRV FortiMail VMs. You will also
configure content-inspection-based identity-based encryption (IBE) and verify your configuration by
sending a secure email.
Objectives
Implement SMTPS between IntGW and IntGW FortiMail devices
Implement content-inspection-based IBE
o Configure the dictionary profile with the trigger word
o Configure an encryption profile
o Configure a content action profile to apply the encryption profile
o Apply the dictionary profile and content action profile to a content profile
o Apply the content profile to an outbound recipient-based policy
Register an IBE user, and access the IBE email
Time to Complete
Estimated: 40 minutes
© FORTINET
1 Implementing SMTPS
In this section, you will configure SMTPS between the IntGW and IntSRV FortiMail devices. You will
also compare logged details before and after implementing SMTPS.
To review logs
1. In Windows, open a web browser. Visit the ExtGW FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Log in as extuser using the password fortinet.
3. Send an email message to user1@internal.lab.
4. Open a new web browser tab. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
5. Log in as admin and leave the password field empty.
6. Click Monitor > Log > History.
7. Double-click the active log file. The first entry in the History log should correspond to the email you
just sent.
8. Click the Session ID to retrieve the cross search result, and then review the last two entries, which
contain details for the session between the IntGW and IntSRV FortiMail devices.
© FORTINET
Note: By default, FortiMail uses SMTP over TLS if the recipient MTA supports it. In this
session, IntSRV is the recipient MTA.
By default, SMTP over TLS is enabled on FortiMail.
To configure SMTPS
1. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Select internal.lab and click Edit.
4. Select the Use SMTPS check box.
© FORTINET
To verify SMTPS
1. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
2. Send another email to user1@internal.lab.
3. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
4. Click Monitor > Log > History.
5. Double-click the active log file. The first entry in the History log should correspond to the email
message you just sent.
6. Click the Session ID to retrieve the cross search result, and then review the last two entries, which
should indicate the switchover to SMTPS from STARTTLS.
© FORTINET
Note: The underlying encryption mechanism for SMTPS and SMTP over TLS is the same.
Both protocols use SSL or TLS. In this case, the FortiMail devices negotiated TLSv1.2.
The difference exists in how and when that TLS encryption is applied.
When SMTP over TLS is used, the connection is made on the standard SMTP port — TCP
port 25. If the recipient MTA supports the STARTTLS extension, the sender chooses
whether SMTP over TLS is used by transmitting the STARTTLS message. This
STARTTLS request happens after the envelope exchange, and so, in SMTP over TLS
only a portion of the session is encrypted.
When SMTPS is used, the client initiates the SMTP session with the server over a fully-
encrypted tunnel using a separate — TCP port 465. SMTPS encrypts the full session.
© FORTINET
2 Implementing Content-
Inspection-Based IBE
In this exercise, you will configure content-inspection-based IBE. You will also verify your configuration
by sending an IBE email message and reviewing the logs.
Field Value
Field Value
Pattern: \[CONFIDENTIAL]
Field Value
Domain: System
Direction Outgoing
Enabled
Encrypt with profile:
IBE_Pull
Domain: System
Direction Outgoing
Action: CF_IBE_Pull
Field Value
To: extuser@external.lab
4. Click Send.
© FORTINET
3. Double-click the active log file. The first entry in the history log should correspond to the email you
just sent.
4. Click on the Session ID link to retrieve the cross search results and review the AntiSpam, and
Encryption logs related to the session.
© FORTINET
2 Accessing IBE Emails
In this exercise, you will register a new IBE user. Then, you will log in to the secure portal to retrieve the
IBE email. You will also see the message read notification email messages that the sender will receive
after the IBE user has read the IBE email.
4. Click the link in the notification email to access the encrypted email.
© FORTINET
5. Click Register.
© FORTINET
3. In the IBE Service configuration, you enabled secure replying. Reply to the IBE email message to
observe the behavior.
© FORTINET
LAB 9—High Availability
In this lab, you will build an active-passive FortiMail HA cluster that has two FortiMail VMs. The cluster
will operate in server mode.
You will configure the IntSRV FortiMail (10.0.1.99) as the primary and the IntGW FortiMail (10.0.1.11)
as the secondary. You will verify the HA and configuration synchronization status, configure a virtual IP,
and use the HA service monitor to detect when the SMTP service connectivity fails on the primary
FortiMail.
The lab network DNS server has the following CNAME records to aid in identifying the two clustered
devices:
Objectives
Configure a FortiMail HA group to synchronize their configuration and data
Verify cluster health
Configure HA virtual IP
Configure remote services monitoring
Time to Complete
Estimated: 50 minutes
Prerequisites
Before beginning this lab, you must change the operation mode of the IntGW FortiMail.
© FORTINET
5. The system will prompt you twice about most settings being reset to factory defaults. Click Yes in
both prompts.
Caution: When doing the lab exercises, ensure you are applying the configuration
changes to the correct FortiMail VM.
If at any point you wish to reset the configuration state for the FortiMail VMs, you can
restore the following configuration files:
IntGW: Desktop\Resources\Starting Configs\Lab 9\09_Reset_IntGW.tgz
IntSRV: Desktop\Resources\Starting Configs\Lab 9\09_Reset_InSRV.tgz
Always restore the secondary unit first, and then the primary. The configuration files will
restore the VMs to the standalone states they were in at the end of the Securing
Communications lab.
© FORTINET
1 Configure the Primary FortiMail
In this exercise, you will configure the mail server settings on the primary FortiMail. Then, you will
configure the HA settings.
Field Value
2. Expand the Backup options section, and then configure the following values:
Field Value
3. Click Apply.
4. In the Interface section, double-click port1 and configure the following settings:
Field Value
© FORTINET
2 Configure the Secondary
FortiMail
In this exercise, you will configure the mail server settings on the secondary FortiMail because they are
not synchronized. Then, you will configure the HA settings, and verify that the cluster has formed.
Field Value
Hostname: secondary
5. Click Apply.
Field Value
3. Expand the Backup options section, and then configure the following values:
Field Value
© FORTINET
4. Click Apply.
5. In the Interface section, double-click port1.
6. Configure the following values:
Field Value
Note: As soon as the two devices join in a cluster and complete synchronization, the
secondary device’s management GUI session will time out and return you to the login
prompt. This process may take a few minutes.
© FORTINET
3 Verify Cluster Health
In this exercise, you will verify the HA and configuration synchronization status.
4. You can find the same information in System > High Availability > Status.
© FORTINET
© FORTINET
7. Click Policy > Policies > Policies, and then verify that the new policy has synchronized with the
secondary device.
© FORTINET
4 Configure HA Virtual IP
In this exercise, you will configure a virtual IP for the HA cluster. You will also verify the virtual IP
function by forcing a failover.
Field Value
Field Value
© FORTINET
4. Verify the host name of the current cluster device that owns the virtual IP. It should be primary.
telnet 10.0.1.100 25
7. You should be presented with the following banner, which belongs to the primary device:
© FORTINET
telnet 10.0.1.100 25
5. The following banner, which belongs to the secondary device, should appear:
© FORTINET
5 Remote Services Monitoring
In addition to hardware failure, it’s often useful for cluster devices to monitor the network connectivity
and services of each other. This ensures a failover occurs if any of these services experience an outage.
In this exercise, you will configure remote SMTP service monitoring on both cluster devices. Then, you
will trigger a service-based failover to verify the configuration, and then verify the failover using event
logs.
Field Value
Enable Enabled
Timeout: 10
Interval: 30
Retries: 2
Note: For the purposes of this lab, you are reducing the time values to their lowest
configurable value to speed things up. In a live production environment, the default values
are a good place to start. You can fine tune them as you discover what kind of outage
your email network can tolerate.
Using this procedure, you configured the secondary device to test the primary’s device’s
port 25 connectivity every 30 seconds (Interval). If a connection attempt times out for 10
seconds (Timeout) it is considered a failure. Two (Retries) failures must occur before the
secondary device forces a failover.
Enable Enabled
Timeout: 10
Interval: 30
Retries: 2
Note: Using this procedure, you changed the SMTP service port on the primary FortiMail
to port 125. Because of this change, the secondary FortiMail can no longer detect SMTP
services on port 25 and should trigger a failover based on remote service failure.
You must to wait a few minutes for the secondary device to go through the service
monitoring check schedule before a failover is triggered.
© FORTINET
5. Event logs related to the remote SMTP service should show up when the secondary device detects
failure for the first time.
6. After the second detection, the secondary device takes over as the active member.
© FORTINET
© FORTINET
LAB 10—Server Mode
In this lab, you will configure server mode resource profiles, and see their effect on user resource
allocation. You will also populate the global address book from the LDAP server.
Objectives
Configure resource profiles
Configure LDAP mapping to import a domain address book
Time to Complete
Estimated: 40 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file.
Note: The configuration files will restore the devices to the standalone states they were
in before you completed the High Availability lab.
© FORTINET
1 Configure Resource Profiles
In this exercise you will review the IntSRV FortiMail’s existing configuration. Then, you will configure
resource profiles, and observe their effects on resource allocation for email users.
Note: If there are no resource profiles or domain level service settings configured, there is
a system default 500 MB disk limit for each user mailbox.
4. Click the Address Book icon and find the address books user1 has access to.
Note: If there are no resource profiles configured, server mode users have access to
their personal address book only.
Domain internal.lab
Field Value
Domain internal.lab
Field Value
Resource: PowerUsers
Field Value
Resource: RegularUsers
© FORTINET
Note: For larger deployments that have different levels of resource allocation
requirements, you can create recipient policies for local or LDAP groups, and assign
resource profiles using separate recipient policies.
© FORTINET
2 Address Book LDAP Import
In this exercise, you will review the existing LDAP profile you configured in Lab 3 - Authentication. Then,
you will configure an LDAP mapping profile, and use the LDAP profile to import contacts into the domain
address book.
Note: When the LDAP mapping profile uses the existing LDAP profile to import contacts,
it starts from the Base DN. To ensure the LDAP mapping profile doesn’t import Active
Directory system accounts, configure the Base DN to point to the location of the user
accounts.
Email* mail
Display name cn
Last name sn
Title title
Department department
Note: To review how to find LDAP attributes of Active Directory objects, you can refer to
the LDAP Operations exercise in Lab 3 – Authentication.
5. Click OK.
6. The system notifies you that LDAP synchronization is running. Click OK.
8. You should see all the users that were imported from the Training Users OU in the internal.lab
address book.
© FORTINET
3. In the address book, verify that domain address book contains the imported contacts.
© FORTINET
LAB 11—Transparent Mode
In this lab, you will configure the transparent mode FortiMail to process bidirectional email for the
external.lab domain using the built-in MTA. You will also configure and verify bidirectional transparency.
Objectives
Configure a transparent mode FortiMail to process bidirectional email
Verify built-in MTA functionality
Configure bidirectional transparency
Time to Complete
Estimated: 50 minutes
© FORTINET
1 Configuring a Transparent
Mode FortiMail
In this exercise. you will review the initial system configuration and the topology for the ExtTP FortiMail
VM. Then, you will perform the rest of the basic configuration tasks required to establish bidirectional
email flow. You will also verify built-in MTA functionality using logs.
© FORTINET
Field Value
5. Click OK.
6. Double-click port2.
7. Configure the following SMTP Proxy values:
Field Value
© FORTINET
8. Click OK to save the changes.
Note: Because port1 is the closest interface to the source for all inbound email, port1’s
incoming connections are proxied. Port2 is the closest interface to the source for all
outbound email, so port2’s outbound connections are proxied.
Field Value
Field Value
3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Mail Settings > Domains.
5. Click New to add a protected domain using the following values:
Field Value
User Defined
Sender pattern:
*@external.lab
User Defined
Sender IP/netmask:
10.200.1.99/32
Action: Relay
Field Value
To: extuser@external.lab
4. Click Send.
5. Open a new web browser tab. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
6. Log in as extuser using the password fortinet.
7. Verify that the email message was delivered.
8. Reply to the email message.
9. In Thunderbird, verify that the reply was received.
10. Visit the ExtTP FortiMail’s management GUI:
https://exttp.external.lab/admin
11. Click Monitor > Log > History.
12. Double-click the active log file. The first two entries in the History log should correspond to the
two email messages that FortiMail just processed.
© FORTINET
13. View the details for each log, and review the Direction and Mailer fields.
Note: FortiMail is using its built-in MTA to route email in both directions. In the Mailer field,
the mta value shows this.
© FORTINET
2 Configuring Bidirectional
Transparency
You have verified that the ExtTP FortiMail is picking up email in both directions and using the built-in
MTA to route email to its intended destination successfully.
In this exercise, you will examine email headers to investigate the transparency of ExtTP FortiMail’s
email processing. Then, you will configure transparency for both incoming and outgoing email.
Note: You should see that the transparent mode FortiMail is not really transparent in the
email headers.
© FORTINET
To configure inbound transparency
1. Visit the ExtTP FortiMail’s management GUI:
https://exttp.external.lab/admin
2. Click Mail Settings > Domains > Domains.
3. Double-click the external.lab domain.
4. Expand the Transparent Mode Options section.
5. Select the Hide this transparent box check box.
6. Click OK to save the changes.
Note: The ExtTP FortiMail no longer appears in the inbound email headers.
Note: While the header is now showing the IP address of the ExtSRV FortiMail
(10.200.1.99), the hostname still shows ExtTP.external.lab. This is because the
ExtTP FortiMail uses its own hostname in the SMTP greeting. There is one more
configuration change you must make to prevent this.
© FORTINET
5. Review the Received: headers. The ExtTP FortiMailshould no longer appear in the headers:
Received: from IntGW.internal.lab ([10.0.1.11])
by IntSRV.internal.lab with ESMTP id v29MUF0s001921-v29MUF0t001921
© FORTINET
LAB 12—Maintenance
In this lab, you will configure and generate a local report, monitor system resource use, and perform
local storage management,
Objectives
Configure and generate a local report
Monitor historical and real-time system resource use
Partition a disk to allocate more space to the log disk
Time to Complete
Estimated: 25 minutes
© FORTINET
1 Configure and Generate Local
Reports
In this exercise, you will configure a local report to query the IntGW FortiMail’s mail filtering statistics.
Then, you will generate an on-demand report and review the statistics.
Field Value
Note: In a production FortiMail, you should also configure scheduling and add a
notification email so that the report is automatically generated and sent to you by email.
The scheduled reporting will help keep you up-to-date on the email trends of your
network.
© FORTINET
4. Click OK.
4. The report opens in a separate web browser tab. Use the menu on the left to navigate and review
the data.
© FORTINET
2 Monitoring System Resource
Use
In this exercise, you will view the historical and real-time resources used by the IntGW FortiMail.
© FORTINET
Note: A list of system processes is displayed, sorted by the processes consuming the
most CPU at the top of the list. The list refreshes every second, which gives you a real-
time view of the system’s resource use. To stop the output, you can press q.
To generate traffic
1. In Windows, on the taskbar, right-click the PuTTY icon, and then select Linux.
2. Log in as root using the password password.
3. Run the spam script by entering the following command:
© FORTINET
To view resource use during traffic
1. Return to the IntGW FortiMail’s PuTTY window.
2. Press the up-arrow key, and then press the Enter key. The history buffer should send the diagnose
system top delay 1 command again.
3. Make note of the resource use by the processes. Which process is using the most:
CPU:________________________________________________________________
Memory:_____________________________________________________________
4. Visit the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
5. Click Monitor > System Status > Status.
6. In the System Resource widget, click History.
7. Make note of the resource use trends during traffic. You must wait a few minutes before the charts
refresh with new data.
© FORTINET
3 Local Storage Management
By default, the mail disk partition size is 80% of the total disk. For a gateway mode FortiMail, this can
mean that a lot of unused space is taken up by the mail disk partition.
In this exercise, you will partition the IntGW FortiMail’s local storage, and allocate more space to the log
disk partition.
Note: You should always perform disk formatting and partitioning tasks using the console
connection. This allows you to monitor the entire process and take action in case of errors.
2. Click anywhere in the console window, and then press the Enter key. This displays the login prompt.
3. Log in as admin and leave the password field empty.
4. Type the following commands to change the log disk partition size to 50% of the total storage:
execute partitionlogdisk 50
Note: The system prompts you about data loss on the mail and log disk. Press y.
© FORTINET
© FORTINET
LAB 13—Troubleshooting
The internal.lab users are complaining that they are not able to send or receive email. In this lab, you
will use SMTP event logs and the built-in packet capture tools to investigate and remedy the mail flow
issues.
Objectives
Investigate user complaints
Use SMTP event logs and packet capturing to determine where the issue is occurring
Remedy the email flow issue
Time to Complete
Estimated: 60 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file.
© FORTINET
1 Troubleshooting the Problem
In this exercise, you will verify the problem. Then, you will use SMTP event logs and packet capturing to
determine where the issue lies.
5. View the log details. Do the details indicate that there is a problem?
© FORTINET
Note: In this particular instance, the History log details don’t provide much information.
You must dig deeper.
6. Click Close.
7. Click the Session ID link to retrieve the cross search results.
8. Review the event logs related to the session:
Note: The first two event logs relate to the external part of the session – from ExtSRV to
IntGW. The third event log relates to the internal part of the session – from IntGW to
IntSRV.
Note: The external part of the session appears to be without issues. The internal part of
the session appears to be experiencing problems. Specifically, the connection from
IntGW to IntSRV is being refused. However the reason for refusal isn’t listed.
© FORTINET
5. Click Monitor > Log > History.
6. Double-click the active log file. Try to find an entry in the History log for the outbound email
message you just tried to send.
7. Click Monitor > Log > Event.
8. Double-click the active log file.
9. In the Sub type drop-down list, select SMTP. Try to find a related SMTP event log entry for the
outbound email message you just tried to send.
Note: If you can’t find an entry in the history or event logs for a specific session, it means
there is an issue at either the IP or TCP layer. In these types of scenarios, only a traffic
capture might show you what the problem is.
Field Value
Description InboundCapture
Duration 10 minutes
Interface port1
IP/Host 10.0.1.99
Note: After investigating the inbound email flow, you established that the issue appears
to be with the internal portion of the email session. Therefore you are only interested in
seeing traffic for the IntSRV (10.0.1.99) FortiMail.
5. Click Create.
6. Visit the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
7. Send a new email message to user1@internal.lab.
8. Visit the IntGW FortiMail’s management GUI.
9. Click Maintenance > System > Traffic Capture.
10. Click Refresh until you see the Size(Byte) column populated.
© FORTINET
4. Select the first packet (Source: 10.0.1.11 Destination 10.0.1.99), and expand the Transmission
Control Protocol header. Review the details:
Note: This is the first packet of the session between IntGW (10.0.1.11) and IntSRV
(10.0.1.99) on port 465 (Dst Port). This packet has a sequence number of 0 and is
flagged as the SYN packet. This packet is expected, since all TCP sessions start with a
SYN packet.
© FORTINET
5. Select the second packet (Source: 10.0.1.99 Destination 10.0.1.11), and expand the Transmission
Control Protocol header. Review the details:
Note: This second packet is not expected. It has a RST/ACK flag. The IntSRV FortiMail
is sending a reset as soon as IntGW attempts to set up a TCP session on port 465. The
expected packet would have been a SYN/ACK, but that is not the case.
Note: From the above analysis, you can start to form an idea about the root cause. The
IntGW FortiMail is, expectedly, sending a SYN packet for port 465 (SMTPS), however,
the IntSRV FortiMail is refusing the session. You know, and can verify, that it’s not
related to IP addressing because if it was you wouldn’t see a reply packet at all. So, it
must be related to the TCP port. However, before you try to fix this issue, have a look at
the outbound session using a packet capture.
Note: The filter is set up to capture SMTP (port 25) traffic from the 10.0.1.10 host
(Windows).
© FORTINET
Note: The IntSRV FortiMail is showing similar behavior for outbound traffic. The
10.0.1.10 host is initiating the session on port 25 with a SYN packet. However, the
10.0.1.99 host is refusing the session with an RST.
© FORTINET
2 Fix the problem
In this exercise, you will review the configuration and fix any errors. Then, you will verify your changes
by sending email in both directions
4. Fix any errors you see in the Mail Server Settings section. Hint: SMTP uses port 25 and SMTPS
uses port 465.
© FORTINET
Appendix A: Additional
Resources
Training Services https://www.fortinet.com/training
Forums https://forum.fortinet.com/