FORTIMAIL Gateway mode - Not seeing email traffic in FortiMail VM

NeoRant · ‎02-20-2024

Good day,

I am new to Fortinet, I am use to the Cisco product line and wish to expand my knowledge further, using Fortinet products way forward.

Mode chosen: Gateway mode

Deployment type: Forti mail in the DMZ or Behind the FortiGate

Could someone kindly assist me step by step(probably u did for your environment/similar if possible) how to carefully deploy a Forti mail VM to manage and monitor my email traffic in Gateway mode. I have read via the 7.4.1 admin guide, other admin guides, watched a few YouTube videos and NO real guidance, step by step solution, not even a workable template based setup for Forti mail, just a bunch of webinars, chatting and simple setups(telling/referring you to go read this entire document(admin guide), no real lab scenarios at all. I have configured/setup and deployed many devices, network solutions in infrastructure environments/datacenters, some all by myself, others with help of comrades, video guides and straightforward - coherent reading material. But I am stuck here and need your guidance

Network Environment Details but not limited to below(If you need more information, such as a simple network diagram of the intended setup, let me know):

1. One(1) email/exchange server behind the firewall/internal LAN e.g. 192.168.5.6

2. One(1) HW FortiGate Firewall (with both WAN, LAN, DMZ interface etc. setup)

3. 1 Private DNS server/PDC behind the firewall/on internal LAN e.g. 192.168.5.2

4. One(1) mail relay server(VM) running Postfix in the DMZ in front of FortiGate e.g. on diff subnet 192.168.70.3

5. A public/WAN IP address already mapped to the email relay VM internal IP

6. Firewall Policies for SMTP traffic to flow between email server, mail relay and internet(incoming-outgoing)

Intention: Is to replace the email relay VM(putting it offline) with the newly installed Forti mail VM in DMZ for email traffic flow/ protection or keep Forti mail behind firewall and continue using email relay.

What I have done so far:

1. Registered Forti mail license and VM in Fortinet Asset management

2. Downloaded Forti mail VM

3. Configured/setup VM via Hyper V successfully.

4. Started VM and deployed successfully

5. Configured VM nic1 interface via CLI with IP e.g. 192.168.5.7

6. Ran/followed via wizard, entered protected domain, DNS, Mail server settings, Admin credentials etc. input gateway IP so that Forti mail can ping externally.

7. Applied Fortinet registered license to Forti mail VM successfully

8.Connected Forti mail to Forti guard successfully.

Now for the concerns/queries:

1. I watched this video and it provided no real help. How did he even achieve to get mail event logs/email traffic, what am i missing, i copied all his steps but using my network details/IPs of course) - https://www.youtube.com/watch?v=4AAWRrryzX0

2. I watched this video and it is not fully informative, just superficial - https://www.youtube.com/watch?v=jdemC9cGvdM

3. I am confused about some details on this page - https://docs.fortinet.com/document/fortimail/7.4.1/administration-guide/932807/gateway-mode-deployme...

Such as:

You must configure public DNS records for the protected domains and for the Forti Mail unit itself
Configuring DNS records for the protected domains?
Configuring the firewall policies for email traffic (incoming and outgoing) between the Forti mail, FortiGate and Email Server.

I know about DNS records on AD, creating/configuring them etc. But it says in this document public DNS etc.

I do not have a public DNS server in front of the firewall/on the internet
I only have a private DNS server
For .e.g. in my environment, I have a "Batteries. Local" domain on the Domain Controller/s, but our users at the batteries company uses the "batteries.com.au" domain from the Local Email Server. In the admin document it refers to protected domain, what should I enter for protected domain during Forti mail wizard setup the .local or the .com.au domain?
Also which Host A record on my private DNS should i use for the Forti mail VM, a wan/public IP or local/Lan IP for the Forti mail?

On the FortiGate I see the address entry for the following :

1. Email Relay VM(DMZ IP)

2. Email Server(local/private IP)

3. DMZ subnet

4. LAN/Internal Subnet

On the FortiGate I see IPv4 Policy entries as follows but not limited to:

1. (WAN to DMZ)allow smtp to relay - (source: all , destination: mail relay , schedule: always , service: smtp , action: accept)

2. (DMZ to LAN) - (source: all, destination: local mail server , schedule: always, service: smtp, action: accept)

Please note:

-On my DC, there are no mx records, so how is name resolution taking place? There is only a Host A record for the Exchange server.

-Whenever I do a NSLOOKUP or PING on mail.batteries.com.au, I see the public/wan mapped IP of the mail relay(postfix VM) that is on the DMZ

- There are no FortiGate entries for the Forti Mail VM

Currently, the deployed Forti mail VM is just sitting there doing nothing. Anyone, please help!

AEK · ‎02-23-2024

Hello

Are you deploying FML just in lab for internal test and usage or for sending/receiving emails to/from internet?

If it is for internal lab the required DNS entries should be on your local DNS .local.

In cas it is for email communication with internet then the DNS records must be on your public DNS server. E.g: if your public domain name is domain.com and your public email address is neorant@domain.com then the protected domain is domain.com, and you need to add the following dns records to your public DNS server of domain.com.

spf record: to allow your SMTP gateway's public address to send on behalf of domain.com
mx record: to indicate to other mail servers that the SMTP gateway of domain.com is e.g. mail.domain.com
A record: mail.domain.com will resolve to your SMTP gateway 's public IP address
rDNS/PTR record: your SMTP gateway's public IP address will resolve to mail.domain.com

You may read more on mx, rdns/ptr and spf records on wiki or any other DNS related documentation.

Regarding firewall rules, the main required rules are:

Allow SMTP/SMTPs from FML to your mail server and vice versa
Allow SMTP/SMTPs from FML to internet
Allow SMTP/SMTPs from internet to FML
Allow DNS queries from FML to DNS server
Allow ports 443 and 53 to FortiGuard service

Hope this helps.

AEK

View solution in original post

AEK · ‎02-27-2024

Hi NeoRant

You did very well by reading these docs, you'll certainly master FML very quickly. I see you are doing much effort, so I'll try help from my side with the below info.

Here are some recommendations that may help, summarizing from beginning to the end.

Set all required DNS mentioned in my previous post. This is required mostly for functioning and delivrability purpose, otherwise you will not receive e-mails and your e-mails will be considered as spam
- 86400 seconds TTL is recommended
- Standard: MX public DNS name should start with 'mx', 'smtp', or 'mail'. E.g.: mail1.domain.com
- Example of a good SPF record: "v=spf1 +mx +a -all". Do not use "~all", always use "-all"
- Having 2 MX records (with 2 FML) is better for redundancy
Set all required firewall rules mentioned above. Additionally it is good security practice (and to preserve you delivrability as well) to deny all internal network to send anything to outside through port 25 and 465 except FortiMail. This will ensure that nothing from inside will send spam to external mail servers leading to block-list your FML public IP
Check if your MX public IP is not block-listed (you may use mxtoolbox.com), and unblock-list it if required, otherwise your e-mails can be considered as spam by some servers
When you deploy your VM use one single interface and put it in the DMZ
Run quick wizard in FML
- Set hostname & domain name exactly like rDNS, otherwise you will be considered as spammer, e.g.: mail1.domain.com
- Relay type: Host
- SMTP server: local IP of your mail server
- Inbound email scan: Enable
- Outbound email scan: Enable
- Email relay for protected domain: Yes
The wizard creates the required policies (IP policy, Access Ctrl and Recipient Policy) with almost everything configured with the recommended values, so you'll have very few things to modify
- Access Control: Purpose of this is to avoid open relay except for mail server. That means only your mail server can send to any domain other than your domain.com
- IP Policy: Should manage only session profile. The other profile are managed at Recipient Policy level, except if you are ISP. The top-most rule (created by wizard) applies "Outbound-Session" to the e-mails that are sent from your mail server to outside. In case this rule was not created by wizard then you have to create it
- Recipient Policy: Manages the other profiles (AV, Antispam, ...) and is sender/recipient aware, not like IP policy
- You may ask why we don't use only IP Policy, in short because IP policy is aware of source and destination IPs and not aware of sender/recipient, while Recipient Policy is aware of the opposite. If you are ISP and you host multiple domains but you don't know the hosted mail addresses then you will use only IP policy managing all profiles
Good practice is to clone profile (AV, Antispam, ...) instead of modifying directly the default profiles. This is particularly useful when you need to know what are the default values (which are actually good and recommended values)
Enable Advanced View in top-right menu
Configure NTP and check if it is working well
Go to System > Configuration > Option, and harden the admin password policy
Configure nominative administrators (security good practice)
Log setting: 30 days is usually good
Some useful tuning in your custom Outbound_Session profile:
- Restrict number of connections per client per 30 mn: 2000
- Max concurrent connections per client: 30
- Connection idle timeout: 30
- Cap message size (KB): 30000
- Remove received header
- Remove headers inserted by this unit
Some useful tuning in your custom AS_Inbound profile:
- Enable FortiGuard scan, enable IP reputation, enable URL filter "Default"
- Enable SPF fail and soft fail
- Enable Behavior Analysis
- Enable Heuristic
- Leave others with default values
Some useful tuning in your custom AS_Outbound profile:
- Enable FortiGuard scan, enable URL filter "Default"
- Enable Behavior Analysis
- Enable Heuristic
- Leave all others disabled
Other tuning
- Go to Security > Bounce Verification > Setting, and enable Bounce Verification
- Do this in CLi:
      config system mailserver
          set timeout-connect 60
          set timeout-greeting 120
      end
- Configure trusted_hosts in order to restrict access to admin console

Once all of this is done, test both sending and receiving e-mails.

Test the delivrability so you ensure that you are not considered as spammer:

Open in your browser: www.mail-tester.com
Copy the mail address displayed on the page
Send a test mail (well formed) to this mail address from your mailbox hosted on your mail server
Click the "Check your score" button
If your score is 10/10 then you are ok, otherwise check what is wrong with your score in the report and fix it then redo the test until you have 10/10

I think all is said, but feel free to ask any related question if needed.

AEK

View solution in original post

Anthony_E · ‎02-22-2024

Hello NeoRant,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.

NeoRant · ‎02-23-2024

Thank you Anthony, God bless, I will wait.

AEK · ‎02-23-2024

Hello

Are you deploying FML just in lab for internal test and usage or for sending/receiving emails to/from internet?

If it is for internal lab the required DNS entries should be on your local DNS .local.

In cas it is for email communication with internet then the DNS records must be on your public DNS server. E.g: if your public domain name is domain.com and your public email address is neorant@domain.com then the protected domain is domain.com, and you need to add the following dns records to your public DNS server of domain.com.

spf record: to allow your SMTP gateway's public address to send on behalf of domain.com
mx record: to indicate to other mail servers that the SMTP gateway of domain.com is e.g. mail.domain.com
A record: mail.domain.com will resolve to your SMTP gateway 's public IP address
rDNS/PTR record: your SMTP gateway's public IP address will resolve to mail.domain.com

You may read more on mx, rdns/ptr and spf records on wiki or any other DNS related documentation.

Regarding firewall rules, the main required rules are:

Allow SMTP/SMTPs from FML to your mail server and vice versa
Allow SMTP/SMTPs from FML to internet
Allow SMTP/SMTPs from internet to FML
Allow DNS queries from FML to DNS server
Allow ports 443 and 53 to FortiGuard service

Hope this helps.

AEK

NeoRant · ‎02-23-2024

Thanks AEK, I will look into this and provide feedback. I will appreciate all the help I can get. This is indeed for production, so essentially, I am treading softly. I realize that the admin guides especially for later models such as Fortimail 7.4.1 gives a WHOLE lot of information, but no real guide on what/how to do things properly, especially for new customers. So in essence as a first step, I need the public dns server to add those records basically. It was confusing, because I am saying, I just know that we have an internal mail server behind fortigate firewall, the internal/lan behind firewall, postfix server for mail relay, i see firewall entries between mail server and postfix, but where is the public dns server located. I nslookup or email domain e.g. neorant@domain.com and get the local IP for our mail server, but when i ping the mail.domain.com, it resolves to a virtual/public IP on the fortigate that maps to the postfix/mail relay vm private IP(which is on the dmz). I appreciate the response.

AEK · ‎02-23-2024

Hi @NeoRant

As it is a production mail gateway I recommend to ask the help of an experienced integrator if this is your first time. Otherwise it may take you a lot of time and you may run in trouble with spam, phishing mails, getting some legitimate mails quarantined and other delivrability issues.

Since this is prod I think it is safer to avoid such risks.

Once you follow this first integration and take note of all steps you will be able to handle the next integration easier, faster and safer.

AEK

NeoRant · ‎02-27-2024

Hi AEK, thank you for the help and all others who stepped in, glad to be apart of the Fortinet community. My job really was to:

configure the fortimail vm in hyper-v
configure network interface
input necessary configurations such as gw, dns etc
adding the email server,
adding protected email domain
also for the vm to be discoverable in the LAN and able to ping externally.

Above part of the job was done by me easily. I am Systems/Server Engineer/Administrator, not a cybersecurity expert, rather i am a fortinet newbie lol. Though i understand the basic-intermediary concepts and some advanced areas in network security/networking, the learning never stops. I was told today, that someone else will be doing the fortigate fwl rule, public dns, mx and A records stuff for smtp traffic to flow via the fml for final/production deployment. I say thank God. However I need some guidance below(should i create a new community post to get help?).

My manager now asked me to just focus on enhancing the Fortimail VM with recommended features located in the dashboard for Fortimail 7.4( and believe me, I do not understand MOST of the features in Fortimail - as someone said in a video, features are TOO vast/plenty):

1. Policy (Access control, ip policy, recipient policy etc)

2. Profile (session, antispam, antivirus, content, replacement message, resource, auth, ldap, dictionary, security, ip pool, group, notification)

3. Security(url filter, quarantine, greylist etc)

4. Encryption ( IBE etc)

5. Log & Report

Could I kindly get a set template/industry standard for a good Fortimail Deployment( a step by step guide) so that i can use on my fortimail? I know many admins have their options tweaked to their environment, but I will use anyone's recommended options, take time tweak mine accordingly.

I already know my LAN/WAN net configs. The only thing i would do is just use my IP details, replacing what ever I get.

I have done some of reading, but no real recommendation or "how to" guide in setting up Fortimail with great antispam, antivirus etc features. Most settings in these dashboard sections have been set to default, but I welcome any recommendations PLEASE.

Resources that I have read so far:

https://www.fortinetguru.com/2016/04/configuring-policies/3/

https://www.youtube.com/watch?v=nTPA8YTd9Zg

https://www.youtube.com/watch?v=kEPTTPznJRA&t=321s

https://www.isp-tools.de/fileadmin/media/Produkte/pdf/FortiMail_Install_Guide_v4_0_1_rev2.pdf

https://docs.fortinet.com/document/fortimail/7.4.1/administration-guide/338745/configuring-policies

AEK · ‎02-27-2024

Hi NeoRant

You did very well by reading these docs, you'll certainly master FML very quickly. I see you are doing much effort, so I'll try help from my side with the below info.

Here are some recommendations that may help, summarizing from beginning to the end.

Set all required DNS mentioned in my previous post. This is required mostly for functioning and delivrability purpose, otherwise you will not receive e-mails and your e-mails will be considered as spam
- 86400 seconds TTL is recommended
- Standard: MX public DNS name should start with 'mx', 'smtp', or 'mail'. E.g.: mail1.domain.com
- Example of a good SPF record: "v=spf1 +mx +a -all". Do not use "~all", always use "-all"
- Having 2 MX records (with 2 FML) is better for redundancy
Set all required firewall rules mentioned above. Additionally it is good security practice (and to preserve you delivrability as well) to deny all internal network to send anything to outside through port 25 and 465 except FortiMail. This will ensure that nothing from inside will send spam to external mail servers leading to block-list your FML public IP
Check if your MX public IP is not block-listed (you may use mxtoolbox.com), and unblock-list it if required, otherwise your e-mails can be considered as spam by some servers
When you deploy your VM use one single interface and put it in the DMZ
Run quick wizard in FML
- Set hostname & domain name exactly like rDNS, otherwise you will be considered as spammer, e.g.: mail1.domain.com
- Relay type: Host
- SMTP server: local IP of your mail server
- Inbound email scan: Enable
- Outbound email scan: Enable
- Email relay for protected domain: Yes
The wizard creates the required policies (IP policy, Access Ctrl and Recipient Policy) with almost everything configured with the recommended values, so you'll have very few things to modify
- Access Control: Purpose of this is to avoid open relay except for mail server. That means only your mail server can send to any domain other than your domain.com
- IP Policy: Should manage only session profile. The other profile are managed at Recipient Policy level, except if you are ISP. The top-most rule (created by wizard) applies "Outbound-Session" to the e-mails that are sent from your mail server to outside. In case this rule was not created by wizard then you have to create it
- Recipient Policy: Manages the other profiles (AV, Antispam, ...) and is sender/recipient aware, not like IP policy
- You may ask why we don't use only IP Policy, in short because IP policy is aware of source and destination IPs and not aware of sender/recipient, while Recipient Policy is aware of the opposite. If you are ISP and you host multiple domains but you don't know the hosted mail addresses then you will use only IP policy managing all profiles
Good practice is to clone profile (AV, Antispam, ...) instead of modifying directly the default profiles. This is particularly useful when you need to know what are the default values (which are actually good and recommended values)
Enable Advanced View in top-right menu
Configure NTP and check if it is working well
Go to System > Configuration > Option, and harden the admin password policy
Configure nominative administrators (security good practice)
Log setting: 30 days is usually good
Some useful tuning in your custom Outbound_Session profile:
- Restrict number of connections per client per 30 mn: 2000
- Max concurrent connections per client: 30
- Connection idle timeout: 30
- Cap message size (KB): 30000
- Remove received header
- Remove headers inserted by this unit
Some useful tuning in your custom AS_Inbound profile:
- Enable FortiGuard scan, enable IP reputation, enable URL filter "Default"
- Enable SPF fail and soft fail
- Enable Behavior Analysis
- Enable Heuristic
- Leave others with default values
Some useful tuning in your custom AS_Outbound profile:
- Enable FortiGuard scan, enable URL filter "Default"
- Enable Behavior Analysis
- Enable Heuristic
- Leave all others disabled
Other tuning
- Go to Security > Bounce Verification > Setting, and enable Bounce Verification
- Do this in CLi:
      config system mailserver
          set timeout-connect 60
          set timeout-greeting 120
      end
- Configure trusted_hosts in order to restrict access to admin console

Once all of this is done, test both sending and receiving e-mails.

Test the delivrability so you ensure that you are not considered as spammer:

Open in your browser: www.mail-tester.com
Copy the mail address displayed on the page
Send a test mail (well formed) to this mail address from your mailbox hosted on your mail server
Click the "Check your score" button
If your score is 10/10 then you are ok, otherwise check what is wrong with your score in the report and fix it then redo the test until you have 10/10

I think all is said, but feel free to ask any related question if needed.

AEK

NeoRant · ‎02-28-2024

I thank you for your knowledge and assistance, you are kind, this community is awesome. Should I have more queries, I will ask.

I made a post yesterday

Re: Initial Fortimail configuration and tuning

I know not one solution/template fits all, but a general set of recommended feature/ option settings would be great. Whatever i learn in this forum, i will help others and encourage more people to use the Fortinet product line.

Kindly refer to post below(It is not me alone):

*https://www.reddit.com/r/fortinet/comments/awn1kz/initial_fortimail_configuration_and_tuning/*