2 Domains / gateway mode

Author
orani
Silver Member
  • Total Posts : 108
  • Scores: 1
  • Reward points: 0
  • Joined: 2019/07/11 12:54:18
  • Location: Athens
  • Status: offline
2020/03/19 02:57:55 (permalink)
0

2 Domains / gateway mode

My scenario:
2 VIPs
1. x.x.x.x --> mx = smtp.domaina.com
2. z.z.z.z --> mx = smtp.domainb.com
I have configured my firewall to NAT traffic to port 25 to FortiMail so the incoming mails are checked by FortiMail.
Also I configured FortiMail to forward mails to my 2 internal mail servers, servera for domaina.com and serverb for domainb.
So all incoming traffic is ok. Also any internal mail traffic is ok.
My question is about outgoing traffic.
I configured FortiMail to send internet traffic through one VIP. So any mail from domaina.com or domainb.com goes through one VIP. Assuming I choose the x.x.x.x IP for outgoing traffic, mails from domainb are characterized as spam because they are getting out from the wrong IP.
Is there a way to configure FortiMail to send mails from domaina.com through x.x.x.x and mails from domainb.com through z.z.z.z?

Orestis Nikolaidis
Network Engineer/IT Administrator
#1
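The symptom in the question (domainb mail leaving from domaina's address and being flagged as spam) is what a receiving MTA's SPF check produces when the connecting IP is not authorised for the envelope domain. The following is an added example, not code from any poster in this thread: a small offline SPF evaluator in Python that checks whether a planned egress IP is authorised by a sender domain's SPF record, so an egress plan like the one discussed here can be verified before and after the change. The DNS answers, the `_spf.domainb.com` include, and the addresses 203.0.113.10 / 203.0.113.20 (standing in for x.x.x.x and z.z.z.z) are all constructed for the example.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups. domaina.com and domainb.com
# come from the thread; the SPF text, the include target and the addresses are made up.
FAKE_DNS = {
    ("domaina.com", "TXT"): ["v=spf1 mx ip4:203.0.113.10 -all"],
    ("domainb.com", "TXT"): ["v=spf1 mx include:_spf.domainb.com ~all"],
    ("_spf.domainb.com", "TXT"): ["v=spf1 ip4:203.0.113.20/32 -all"],
    ("domaina.com", "MX"): ["smtp.domaina.com"],
    ("domainb.com", "MX"): ["smtp.domainb.com"],
    ("smtp.domaina.com", "A"): ["203.0.113.10"],
    ("smtp.domainb.com", "A"): ["203.0.113.20"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    """Return the records of type rtype for name from the constructed DNS table."""
    return dns.get((name.lower(), rtype), [])


def spf_record(domain, dns=FAKE_DNS):
    """Return the domain's SPF TXT record, or None when it publishes none."""
    for txt in lookup(domain, "TXT", dns):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def _ip_in(ip, network):
    """True when ip falls inside network ('203.0.113.10' or '203.0.113.0/24')."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def spf_authorizes(domain, ip, dns=FAKE_DNS, depth=0):
    """Evaluate ip as a sender for domain.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Supports the ip4/ip6, a, mx, include and all mechanisms with qualifiers;
    it is a teaching subset, not a complete RFC 7208 evaluator (no macros,
    no redirect=, no a/mx CIDR suffixes).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX", dns)
            matched = any(ip in lookup(host, "A", dns) for host in hosts)
        elif mech == "include":
            matched = spf_authorizes(arg, ip, dns, depth + 1) == "pass"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def verify_egress_plan(plan, dns=FAKE_DNS):
    """plan maps sender domain -> public egress IP. Returns domain -> SPF result.

    Anything other than 'pass' is what a receiving MTA may score as spam,
    which is the symptom described in the thread.
    """
    return {domain: spf_authorizes(domain, ip, dns) for domain, ip in plan.items()}


if __name__ == "__main__":
    single_vip = {"domaina.com": "203.0.113.10", "domainb.com": "203.0.113.10"}
    split_vips = {"domaina.com": "203.0.113.10", "domainb.com": "203.0.113.20"}
    print("one VIP for both domains:", verify_egress_plan(single_vip))
    print("one VIP per domain:      ", verify_egress_plan(split_vips))
```

Running the block prints `softfail` for domainb.com in the single-VIP plan and `pass` for both domains once each domain egresses through its own address; against real DNS the three `lookup` calls would be replaced by TXT, MX and A queries.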
Dirty_Wizard
Bronze Member
  • Total Posts : 53
  • Scores: 4
  • Reward points: 0
  • Joined: 2014/05/23 07:32:52
  • Status: offline
Re: 2 Domains / gateway mode 2020/03/19 18:17:48 (permalink)
0
Yeah, you need to differentiate the outgoing traffic by changing the source IP from FML for email from that domain.
Then you can NAT it accordingly on your firewall to z.z.z.z since you have an alternate source IP to work with.
With an IP Pool if using FortiGate.
 
To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.
 
E.g.: If FML traffic to firewall leaves port1 with interface IP 10.10.10.1/24, you could set IP Pool IP to 10.10.10.2/32.
#2
orani
Silver Member
  • Total Posts : 108
  • Scores: 1
  • Reward points: 0
  • Joined: 2019/07/11 12:54:18
  • Location: Athens
  • Status: offline
Re: 2 Domains / gateway mode 2020/03/21 04:03:41 (permalink)
0
This part of the configuration I can understand, and I am ok with this.
jwilkins
Then you can NAT it accordingly on your firewall to z.z.z.z since you have an alternate source IP to work with.
With an IP Pool if using FortiGate.
 
To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.
 
E.g.: If FML traffic to firewall leaves port1 with interface IP 10.10.10.1/24, you could set IP Pool IP to 10.10.10.2/32.


 
But how can this part be configured?
jwilkins
Yeah, you need to differentiate the outgoing traffic by changing the source IP from FML for email from that domain.
 
Orestis Nikolaidis
Network Engineer/IT Administrator
#3
Dirty_Wizard
Bronze Member
  • Total Posts : 53
  • Scores: 4
  • Reward points: 0
  • Joined: 2014/05/23 07:32:52
  • Status: offline
Re: 2 Domains / gateway mode 2020/03/24 23:39:06 (permalink)
0
This section was all in reference to FortiMail configuration:
'To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.'
 
I understand the structure of my comment made it a bit unclear.
#4
orani
Silver Member
  • Total Posts : 108
  • Scores: 1
  • Reward points: 0
  • Joined: 2019/07/11 12:54:18
  • Location: Athens
  • Status: offline
Re: 2 Domains / gateway mode 2020/03/26 07:41:59 (permalink)
0
I think I understood. But I also have to create an IP pool on FortiGate, and the IP policy should be an outbound session policy. Am I right?

Orestis Nikolaidis
Network Engineer/IT Administrator
#5
Fullmoon
Platinum Member
  • Total Posts : 883
  • Scores: 13
  • Reward points: 0
  • Joined: 2010/08/02 18:02:10
  • Status: offline
Re: 2 Domains / gateway mode 2020/03/27 03:58:02 (permalink)
0
I'm not sure if my assessment was correct.
 
Are these your FortiGate VIP settings?
VIP1: 1.1.1.1 --> mx = smtp.domaina.com --> 192.168.1.10 [smtp server1]
VIP2: 2.2.2.2 --> mx = smtp.domainb.com --> 192.168.1.11 [smtp server2]
 
Then your FortiGate policies would look like these:
1. Source 192.168.1.10 --> SDWAN / WAN1 (Dynamic IP Pool --> 1.1.1.1)
   In this case, all outgoing traffic for smtp.domaina.com will traverse this policy, and
2. Source 192.168.1.11 --> SDWAN / WAN2 (Dynamic IP Pool --> 2.2.2.2)
   All outgoing traffic for smtp.domainb.com will traverse this policy.

Fortigate Newbie
#6
orani
Silver Member
  • Total Posts : 108
  • Scores: 1
  • Reward points: 0
  • Joined: 2019/07/11 12:54:18
  • Location: Athens
  • Status: offline
Re: 2 Domains / gateway mode 2020/03/27 13:14:03 (permalink)
0
No, those are not my settings. For outgoing traffic it is something like:
 
192.168.1.10 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN
192.168.1.11 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN
post edited by orani - 2020/03/27 13:17:31

Orestis Nikolaidis
Network Engineer/IT Administrator
#7
Fullmoon
Platinum Member
  • Total Posts : 883
  • Scores: 13
  • Reward points: 0
  • Joined: 2010/08/02 18:02:10
  • Status: offline
Re: 2 Domains / gateway mode 2020/03/28 18:57:08 (permalink)
0
orani
No, those are not my settings. For outgoing traffic it is something like:
192.168.1.10 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN
192.168.1.11 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN

 
I'm just supplying how Dirty_Wizard gave his first response.
 
Again, if you are using SDWAN you can craft your policies to look like these.
In your policy, instead of using "Use Outgoing Interface Address", choose "Use Dynamic IP Pool" instead. Repeat this in policy 2, which uses a different IP Pool assigned for smtp.domainb.com.
 
1. Source 192.168.1.10 --> SDWAN / WAN1 (Dynamic IP Pool --> 1.1.1.1)
   In this case, all outgoing traffic for smtp.domaina.com will traverse this policy, and
2. Source 192.168.1.11 --> SDWAN / WAN2 (Dynamic IP Pool --> 2.2.2.2)
   All outgoing traffic for smtp.domainb.com will traverse this policy.
 
Fortigate Newbie
#8