FortiMail in Gateway Mode - smtp authentication

dominikw · ‎07-13-2012

Hi ! I hava mail server (Postfix) in DMZ. Now I' m trying to deploy FortiMail in Gateway Mode. Topology is like on pic below. Situation : I have only 1 public IP and (in example) : LAN = 192.168.1.0/24 DMZ = 10.0.0.0/24 DNS is external (some provider' s server) FortiMail = 10.0.0.2 Postfix = 10.0.0.3 FQDN of server always have been mail.domain.com Users have email addresses like user@domain.com All emails are send from " users" @domain.com (NOT i.e. from user@mail.domain.com !) SMTP server require auth. Cert on server is selfsigned. Everything works OK. Now I' m trying to set up FortiMail in Gateway Mode and change settings od FortiGate firewall - forward SMTP traffic (Virtual IP) not to Postfix but to FortiMail. On Postfix I can setup FortiMail as " smarthost" - but it' s not necessary - Posftix will send mail directly to Internet (I suppose it' s OK) with my public IP. Fortimail have to have correct name (corresponding DNS record) so I setup name the same as Postfix. This configuration works ALMOST ok. Recieving is OK, mails are coming. The only problem is when users want to SEND email and they have in email client software server set to mail.domain.com (if they could have internal IP of Postfix all could works OK but there are mobile users too - so that' s not the point ). When they try to send enything they are alawys asked about user and password and never authenticated !!! I don' t want to setup FortiMail as Open Relay so how to force FortiMail to " push" authentication process to server 10.0.0.3 I setup fortimail policy to " authenticated" but it' s still not working. What I should do ? What could be wrong with it ?

Dominik Weglarz, IT System Engineer

Matthijs · ‎07-13-2012

How do the users fetch their mail when they are not in the office? You have to create some kind of user mapping on the FortiMail to the Postfix server. Can you install something like openldap on it and map user authentication with ldap? As far as i know the FortiMail will not forward the smtp auth request to another smtp server.

dominikw · ‎07-13-2012

--> How do the users fetch their mail when they are not in the office? In the same way as internal users : - pop3 & smtp = mail.domain.com - outgoing server requires authentication --> use the same settings as incoming server - port 25 (most users) and some use port 587 (both ports are configured on Postfix) --> Can you install something like openldap ... ? No I can' t install anything. All deployment must be " transparent" - postfix admin will reject changes - I can only ask him to change smart host settings. --> As far as i know the FortiMail will not forward the smtp auth request to another smtp server. FortiMail admin doc - (page 490): " ... Configuring authentication profiles The Authentication submenu lets you configure the FortiMail unit to connect to an external SMTP server in order to authenticate email users. FortiMail units support the following authentication methods: â€¢SMTP â€¢IMAP â€¢POP3 â€¢RADIUS â€¢LDAP ... "

Dominik Weglarz, IT System Engineer

dominikw · ‎07-31-2012

Any idea ? Any suggestion ?

Dominik Weglarz, IT System Engineer

dominikw · ‎08-03-2012

OK. I' ve deployed newest firmware then I set up config via quick wizard and now authentication works good when users have configured outgoing smtp server on port 25. Next question is how to configure client communication via port 587 ?

Dominik Weglarz, IT System Engineer

rockychan · ‎11-18-2018

So, How funny that I searched here and there and be directed to a post from 2012, which has not been answered properly yet. Does anyone have an answer for this? I am having the exactly same problem with version 6.x.