orani
Contributor II

2 Domains / gateway mode

My scenario

2 VIPs

1. x.x.x.x --> mx = smtp.domaina.com
2. z.z.z.z --> mx = smtp.domainb.com

I have configured my firewall to NAT traffic to port 25 to FortiMail so that incoming mail is checked by FortiMail. I also configured FortiMail to forward mail to my 2 internal mail servers, servera for domaina.com and serverb for domainb. So all incoming traffic is OK. Also, any internal mail traffic is OK. My question is about outgoing traffic.

I configured FortiMail-to-internet traffic through one VIP. So any mail from domaina.com or domainb.com goes through one VIP. Assuming I choose the x.x.x.x IP for outgoing traffic, mails from domainb are characterized as spam because they are going out from the wrong IP.

Is there a way to configure FortiMail to send mail from domaina.com through x.x.x.x and mail from domainb.com through z.z.z.z?

Orestis Nikolaidis

Network Engineer/IT Administrator

Dirty_Wizard_FTNT

Yeah, you need to differentiate the outgoing traffic by changing the source IP from FML for email from that domain.

Then you can NAT it accordingly on your firewall to z.z.z.z since you have an alternate source IP to work with.

With an IP Pool if using FortiGate.


To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.


E.g.: If FML traffic to firewall leaves port1 with interface IP 10.10.10.1/24, you could set IP Pool IP to 10.10.10.2/32.

orani

This part of the configuration I can understand, and I am OK with this.

jwilkins wrote:

Then you can NAT it accordingly on your firewall to z.z.z.z since you have an alternate source IP to work with.

With an IP Pool if using FortiGate.


To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.


E.g.: If FML traffic to firewall leaves port1 with interface IP 10.10.10.1/24, you could set IP Pool IP to 10.10.10.2/32.


But this part, how can it be configured?

jwilkins wrote:

Yeah, you need to differentiate the outgoing traffic by changing the source IP from FML for email from that domain.


Orestis Nikolaidis

Network Engineer/IT Administrator

Dirty_Wizard_FTNT

This section was all in reference to FortiMail configuration:

'To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.'


I understand the structure of my comment made it a bit unclear.

orani

I think I understood. But I also have to create an IP pool on the FortiGate, and the IP policy should be an outbound session policy. Am I right?

Orestis Nikolaidis

Network Engineer/IT Administrator

Fullmoon
Contributor III

I'm not sure if my assessment was correct.


Are these your FortiGate VIP settings?

VIP1: 1.1.1.1 --> mx = smtp.domaina.com --> 192.168.1.10 [smtp server1]
VIP2: 2.2.2.2 --> mx = smtp.domainb.com --> 192.168.1.11 [smtp server2]


Then your FortiGate policies would look like these.

1. Source 192.168.1.10 --> SDWAN / WAN1 (Dynamic IP Pool --> 1.1.1.1)

   In this case, all outgoing traffic for smtp.domaina.com will traverse this policy, and

2. Source 192.168.1.11 --> SDWAN / WAN2 (Dynamic IP Pool --> 2.2.2.2)

   All outgoing traffic for smtp.domainb.com will traverse this policy.

Fortigate Newbie

orani

No, those are not my settings. For outgoing traffic it is something like:


192.168.1.10 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN

192.168.1.11 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN

Orestis Nikolaidis

Network Engineer/IT Administrator

Fullmoon
Contributor III

orani wrote:

No, those are not my settings. For outgoing traffic it is something like:

192.168.1.10 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN

192.168.1.11 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN


I'm just supplying how Dirty_Wizard gave his first response.


Again, if you are using SDWAN you can craft your policies to look like these.

In your policy, instead of using "Use Outgoing Interface Address", choose "Use Dynamic IP Pool" instead. Repeat this in policy 2, which uses a different IP pool assigned to smtp.domainb.com.


1. Source 192.168.1.10 --> SDWAN / WAN1 (Dynamic IP Pool --> 1.1.1.1)

   In this case, all outgoing traffic for smtp.domaina.com will traverse this policy, and

2. Source 192.168.1.11 --> SDWAN / WAN2 (Dynamic IP Pool --> 2.2.2.2)

   All outgoing traffic for smtp.domainb.com will traverse this policy.


Fortigate Newbie

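Putting both halves of the advice above into one FortiGate-side configuration, as an added example that is not taken from any post in this thread. It assumes orani's addressing (FortiGate internal port 192.168.2.1/24, FortiMail at 192.168.2.2), that the IP Pool applied to the outbound FortiMail IP policy for serverb is 192.168.2.3 (an assumed value, configured on FortiMail as Dirty_Wizard described, so mail from serverb reaches the FortiGate with that source), that the interface names are internal, wan1 and wan2, and that 192.0.2.10 and 198.51.100.10 stand in for x.x.x.x and z.z.z.z.

```fortios
# Added example (not from the thread). Assumed values:
#   internal = 192.168.2.1/24, FortiMail = 192.168.2.2 (from orani's post)
#   FortiMail IP Pool for serverb mail = 192.168.2.3 (assumed)
#   wan1 owns 192.0.2.10 (x.x.x.x), wan2 owns 198.51.100.10 (z.z.z.z)

config firewall address
    edit "FML-default"
        set subnet 192.168.2.2 255.255.255.255
    next
    edit "FML-domainb-pool"
        set subnet 192.168.2.3 255.255.255.255
    next
end

config firewall ippool
    edit "SNAT-domaina"
        set type overload
        set startip 192.0.2.10
        set endip 192.0.2.10
    next
    edit "SNAT-domainb"
        set type overload
        set startip 198.51.100.10
        set endip 198.51.100.10
    next
end

config firewall policy
    # Created first so it sits above the domaina policy: the FortiGate
    # matches top-down and 192.168.2.3 is the more specific source.
    edit 0
        set name "SMTP-out-domainb"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "FML-domainb-pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "SNAT-domainb"
        set logtraffic all
    next
    edit 0
        set name "SMTP-out-domaina"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "FML-default"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "SNAT-domaina"
        set logtraffic all
    next
end
```

Policy order matters on the FortiGate just as on the FortiMail IP policy: the /32 for 192.168.2.3 must sit above any broader rule that covers 192.168.2.0/24, and `edit 0` appends to the bottom, so create the domainb policy first or reorder it with `move <id> before <id>` inside `config firewall policy`. If the egress is an SD-WAN zone rather than the two WAN ports directly, use the zone as dstintf and add an SD-WAN rule that pins source 192.168.2.3 to the member that owns z.z.z.z, because the pool address is only routable on that link. To confirm the translation, run `diagnose sniffer packet wan2 'port 25' 4` while serverb sends a message and check that the SYN leaves with source 198.51.100.10. The receiving side scores on more than the connecting IP, though: the PTR record of z.z.z.z, the HELO/EHLO name FortiMail presents for domainb, and domainb's SPF record all have to agree with that egress address, or the mail will still be scored as spam.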