Deploying FortiMail Gateway Mode


FortiMail gateway mode protects your existing mail servers from potential threats.

This recipe focuses on how to deploy FortiMail gateway mode when positioned within a private network and behind a firewall.

The FortiMail unit, the protected email server, and the email users’ computers are positioned within a private network behind a firewall. The FortiMail unit, however, is located in the demilitarized zone (DMZ) of the firewall, separated from the local email users and the protected email server, which are located on the internal network of the firewall. 

Remote email users’ computers and external email servers are located on the Internet, outside of the network protected by the firewall. The FortiMail unit protects accounts for email addresses ending in “”, which are hosted on the local email server.

Deploying FortiMail in gateway mode involves the following steps:

  1. Connecting to FortiMail
  2. Setting up FortiMail
  3. Configuring DNS records
  4. Configuring firewall policies
  5. Configuring MUAs to use FortiMail
  6. Testing the installation

1. Connecting to FortiMail

FortiMail port1’s default IP address is To access FortiMail’s web UI, make sure your PC’s IP address is on the same subnet as FortiMail ( 

  1. Go to
  2. Enter “admin” as the user name and no password by default.
  3. Select gateway mode from the Operation Mode dropdown menu. 


The FortiMail UI

2. Setting up FortiMail

Now that you’ve loaded the FortiMail web interface, you can run the Quick Start Wizard.

The Quick Start Wizard helps you configure some of your basic network and email settings when you load the interface for the first time.

To run the Quick Start Wizard, simply select the Quick Start Wizard Button in the corner.

Follow the onscreen instructions to configure the settings.

Accessing the Quick Start Button

Now that the Quick Start Wizard is finished, deploy the FortiMail server into your network.

Note: This setup uses the FortiMail default IP address; however, in most cases you will need to change the IP address to deploy the unit into your network. 

3. Configuring DNS records

Regardless of your private network topology, in order for external MTAs to deliver email to the FortiMail unit, you must configure the public MX record for each protected domain to indicate that the FortiMail unit is its email gateway.

Example: If the fully qualified domain name (FQDN) of the FortiMail unit is, and is a protected domain, the MX record for would be: IN MX 10

An A record must also exist to resolve the host name of the FortiMail unit into an IP address.

fortimail IN A

If your FortiMail unit will relay outgoing email, you should also configure the public reverse DNS record. The public IP address of the FortiMail unit, or the virtual IP address on a firewall or router that maps to the private IP address of the FortiMail unit, should be globally resolvable into the FortiMail unit’s FQDN. If it is not, reverse DNS lookups by external SMTP servers will fail.

Example: If the public network IP address of the FortiMail unit is, a public DNS server’s reverse DNS zone file for the subnet might contain:


where is the FQDN of the FortiMail unit.
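As an added example (not part of the Fortinet recipe), the following Python script checks the relationship between the three records described above for one protected domain: the MX target is the FortiMail FQDN, that FQDN has an A record, and each address has a PTR record pointing back to the same FQDN. The domain, host name and 192.0.2.10 address are constructed placeholders, and the lookup function is injected so the check runs offline; substitute a real resolver for live zones.

```python
"""Consistency check for the public DNS records FortiMail gateway mode needs:
MX -> FortiMail FQDN, A -> public IP, PTR -> back to the same FQDN.
Lookups are injected so the check runs offline against constructed data;
pass a real resolver function in place of `lookup` to check live zones."""
from ipaddress import ip_address

# Constructed sample zone data (placeholder names and a TEST-NET address,
# not values from the recipe).
SAMPLE_RECORDS = {
    ("example.com", "MX"): ["10 fortimail.example.com."],
    ("fortimail.example.com", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["fortimail.example.com."],
}


def sample_lookup(name, rtype):
    """Return the RDATA strings for (name, type), or [] when no record exists."""
    return SAMPLE_RECORDS.get((name.rstrip(".").lower(), rtype), [])


def reverse_name(ip):
    """Build the in-addr.arpa name for an IPv4 address (192.0.2.10 -> 10.2.0.192.in-addr.arpa)."""
    return ip_address(ip).reverse_pointer


def check_gateway_dns(domain, fortimail_fqdn, lookup=sample_lookup):
    """Return a list of problems found; an empty list means the records are consistent."""
    problems = []
    fqdn = fortimail_fqdn.rstrip(".").lower()
    # 1. The MX record of the protected domain must name the FortiMail unit.
    mx_hosts = [rr.split()[-1].rstrip(".").lower() for rr in lookup(domain, "MX")]
    if fqdn not in mx_hosts:
        problems.append(f"MX for {domain} does not point at {fqdn}: {mx_hosts or 'no MX'}")
    # 2. The FortiMail FQDN must resolve through an A record.
    addrs = lookup(fqdn, "A")
    if not addrs:
        problems.append(f"no A record for {fqdn}")
    # 3. Each public address must reverse-resolve to the FQDN, otherwise
    #    reverse DNS lookups by external SMTP servers fail.
    for ip in addrs:
        ptrs = [p.rstrip(".").lower() for p in lookup(reverse_name(ip), "PTR")]
        if fqdn not in ptrs:
            problems.append(f"PTR for {ip} does not map back to {fqdn}: {ptrs or 'no PTR'}")
    return problems


if __name__ == "__main__":
    for issue in check_gateway_dns("example.com", "fortimail.example.com") or ["DNS records consistent"]:
        print(issue)
```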

4. Configuring firewall policies

Whether you put FortiMail behind a firewall, such as a FortiGate unit, or in a DMZ, you must configure a few firewall policies to allow the traffic.

For more information about how to create firewall policies, see your firewall documentation.


5. Configuring MUAs to use FortiMail

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail server (SMTP)/MTA. For local email users, this is the FortiMail IP address; for remote email users, this is the virtual IP address on the wan1 network interface of the FortiGate unit that maps to the FortiMail unit, or

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.


6. Testing the Installation

To test the installation, send email messages by using the following test paths.

If you have problems sending or receiving email, check the following:

  • Make sure the email clients use FortiMail as the incoming and outgoing email server.
  • Make sure FortiMail can access the DNS servers.
  • Make sure the firewall policies allow SMTP traffic.

If you still have problems, please contact Fortinet Technical Support. 
