Companies can often find themselves blacklisted without knowing it. One infected computer could lead to an entire company having its email blocked.
This recipe guides you through the process of configuring FortiMail to help prevent your IP from being blacklisted.
Protecting the public range of IP addresses from being blacklisted is essential for Service Providers to guarantee the right level of service to subscribers. Protection is achieved by filtering the outgoing mail of the ISP network before traffic reaches the internet and before sessions are NATed by the firewall.
For more information on filtering techniques please consult the FortiMail Administrator Guide.
In order for FortiMail to intercept all SMTP sessions, regardless of the destination address, FortiMail must operate as a transparent proxy.
For the following procedure to work, set your FortiMail unit to transparent mode and enable proxies.
Go to System > System Status > Status.
Select Transparent from the Operation mode dropdown menu.
Go to Mail Settings > Proxies > Proxies.
Select the For outgoing SMTP connections checkbox.
With FortiMail in transparent mode we can now configure some general network settings.
First we will need to configure the SMTP interfaces in route mode and set their IP addresses.
Select New or right click an existing port and select Edit.
Enter the desired IP addresses for port1, port2, and port3. For example, port1 will be the management IP address, port2 private, and port3 the internet. All other interfaces except port1 can be removed from the bridge.
Select New or right click an existing port and select Edit.
Enter the desired gateway address for each port and, for port2 and port3, enter the destination IP/netmask.
Interfaces have two proxies listening to SMTP sessions:
– the incoming proxy, which listens to sessions destined for the internal mail server.
– the outgoing proxy, which picks up any other sessions.
The outgoing proxy should be enabled on the internal interface, the one that receives outgoing sessions from subscribers (for example, port2).
Go to System > Network > Interface.
Right click port2 and select Edit.
Select Proxy from the Outgoing connections dropdown menu in the SMTP Proxy section and then select OK.
Right click port3 and select Edit.
Select Pass through from the Outgoing connections dropdown menu in the SMTP Proxy section and then select OK.
FortiMail should be configured with two DNS servers. Fast answers from DNS servers are critical to maximize performance.
Go to System > Network > DNS.
Enter both the primary DNS server and the Secondary DNS server in their respective fields.
Access Control Configuration
Access control rules specify whether the FortiMail unit processes and relays, rejects, or discards email messages for SMTP sessions initiated by SMTP clients.
To configure the SMTP access controls
Go to Policy > Access Control > Receiving.
Enter the necessary IP in the Sender IP/netmask field.
Select Authenticated from the Authentication status dropdown menu.
Select Relay from the Action dropdown menu.
Enter the necessary IP in the Sender IP/netmask field.
Select Any from the Authentication status dropdown menu.
Select Reject from the Action dropdown menu.
Log Setting Configuration
To configure logging to the local hard disk
Go to Log and Reporting > Log Settings > Local Log Settings.
Enable Log to Local Disk.
Enter the file size limit of the current log file in megabytes in the Log file size field.
Select Information from the Log level dropdown menu.
Enable Event Log in the Logging Policy Configuration section.
Enable AntiVirus Log, AntiSpam Log, History Log, and Encryption Log in the Logging Policy Configuration section.
FortiMail uses your RADIUS accounting records to combat spam and viruses, which reduces the likelihood of spam and viruses being sent from your network to other networks. By configuring the connection with the RADIUS server, we can greatly reduce the possibility of having your public IP address blacklisted.
To configure your RADIUS server
Configure the FortiMail unit as an auxiliary RADIUS server on your RADIUS server, so that the RADIUS server sends it a copy of each accounting record when that record changes.
Configure the server to send the Calling-Station-ID and the Framed-IP-Address attributes to the FortiMail unit.
The data type of the value of Calling-Station-ID may vary. For 3G subscribers, the RADIUS server typically uses Calling-Station-ID to carry an MSISDN. For ADSL subscribers, the value typically contains a login ID, such as an email address.
Determine whether your RADIUS server sends the Framed-IP-Address attribute’s value in network order (e.g. 192.168.1.10) or host order (e.g. 10.1.168.192).
Verify that routing and firewall policies permit RADIUS accounting records to reach the FortiMail unit.
With your RADIUS server properly configured, we now need to enable the FortiMail unit to receive RADIUS records.
Enter the following command to enable the FortiMail unit to receive RADIUS records by starting the endpoint reputation daemon:
    config antispam settings
        set carrier-endpoint-status enable
    end
Enter the following command to configure the RADIUS secret:
    config antispam settings
        set carrier-endpoint-acc-secret <secret_str>
    end
Enter the following command to configure whether the FortiMail unit validates RADIUS requests using the RADIUS secret:
    config antispam settings
        set carrier-endpoint-acc-validate <enable | disable>
    end
Enter the following command to configure whether or not the FortiMail unit acknowledges accounting records:
    config antispam settings
        set carrier-endpoint-acc-response <enable | disable>
    end
Enter the following command to indicate whether the RADIUS server sends the value of the Framed-IP-Address attribute in host order or in network order:
    config antispam settings
        set carrier-endpoint-framed-ip-order <host-order | network-order>
    end
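The two RADIUS details above that are easy to get wrong are the authenticator check behind carrier-endpoint-acc-validate and the byte order of Framed-IP-Address. This added example (not FortiMail code; the packet, secret and login ID are constructed) builds an RFC 2866 Accounting-Request carrying Calling-Station-Id and Framed-IP-Address, verifies its Request Authenticator with the shared secret the way a receiver would, and decodes the address under both the network-order and host-order interpretations the recipe describes.

```python
import hashlib
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4                 # RADIUS code for Accounting-Request (RFC 2866)
ATTR_FRAMED_IP_ADDRESS = 8       # attribute types as defined in RFC 2865
ATTR_CALLING_STATION_ID = 31

def build_acct_request(ident, secret, attrs):
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def validate_acct_request(packet, secret):
    """Recompute the authenticator; a wrong secret or a modified attribute fails."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]

def parse_attributes(packet):
    """Walk the type/length/value attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            break                # malformed attribute: stop rather than mis-parse
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

def framed_ip(raw, order="network-order"):
    """Decode the 4-byte Framed-IP-Address value. A server that emits the
    address in host order sends the octets reversed (192.168.1.10 arrives as
    10.1.168.192), which is what carrier-endpoint-framed-ip-order corrects."""
    if order == "host-order":
        raw = raw[::-1]
    return str(IPv4Address(raw))

if __name__ == "__main__":
    # Constructed sample: an ADSL-style login ID and the recipe's example address.
    secret = b"constructed-shared-secret"
    pkt = build_acct_request(7, secret, [
        (ATTR_CALLING_STATION_ID, b"subscriber@example.com"),
        (ATTR_FRAMED_IP_ADDRESS, bytes([192, 168, 1, 10])),
    ])
    print(validate_acct_request(pkt, secret), framed_ip(parse_attributes(pkt)[8]))
```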
Policy and Profile Settings
Use session profiles to control outgoing traffic. To configure the session profile for connections from external SMTP clients:
Go to Profile > Session > Session.
Enter a name for the session profile in the Profile Name field (e.g. external_session_profile).
Enable Hide this box from the mail server.
Enable Enable sender reputation and enter the appropriate information.
Enable Prevent encryption of the session under the Session Settings section.
Enable Prevent open relaying under the Unauthenticated Session Settings section.
Before continuing, be sure to create an antispam profile and an antivirus profile by going to Profile > AntiSpam > AntiSpam and Profile > AntiVirus > AntiVirus, respectively.
Your session profile, once configured, applies to IP based policies governing SMTP client connections.
To configure the IP-based policy for connections
Go to Policy > Policies > IP Policies.
Select Edit for the default policy whose Match column contains 0.0.0.0/0 -> 0.0.0.0/0.
Select your previously created session profile from the Session dropdown menu in the Profiles section.
Select your antispam and antivirus profiles from their respective dropdown menus.