FortiMail Best Practices: Network Topology

Although your FortiMail unit will catch almost all threats that are sent to your network, there are some things you should be aware of if you want to maximize security. 

The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

This recipe covers the best practices for network topology.

There are instances when your FortiMail unit, when placed in a complex network environment, can be bypassed by spammers if the network is not carefully planned and deployed.

Network Topology Tips

The following are some tips to ensure maximum safety for your network.

1. Make sure to configure your routers and firewalls to send all SMTP traffic to or through the FortiMail unit for scanning.

2. If your FortiMail unit operates in gateway mode, modify the MX records on public DNS servers so that each protected domain has only a single MX record entry, and that entry refers to the FortiMail unit.

In an attempt to avoid spam defenses, spammers will look up the lowest-priority mail server listed for a domain and deliver spam to that server instead of to the FortiMail unit. With a single MX record, there is no alternative server for them to target.

3. If your FortiMail unit operates in transparent mode, make sure to deploy it directly in front of your protected email servers.

Placing the unit anywhere other than directly in front of the email servers greatly limits your protection. When it is in front, all email can be scanned.

4. If your FortiMail unit operates in transparent mode, do not connect two ports to the same VLAN on a switch or to the same hub. Some Layer 2 switches become unstable when they detect the same media access control (MAC) address originating on more than one switch interface or from more than one VLAN.
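
One way to check tip 2 for a list of protected domains is to audit their published MX records. The following is an added example, not Fortinet code: it parses answer lines in the format printed by `dig MX <domain> +noall +answer` and reports every MX entry that lets mail reach a server other than the gateway. The domain names, the gateway host name `fortimail.example.com` and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: answer lines as printed by `dig MX <domain> +noall +answer`.
SAMPLE_ANSWERS = """\
example.com.      3600 IN MX 10 fortimail.example.com.
example.org.      3600 IN MX 10 FortiMail.example.com.
example.org.      3600 IN MX 50 mail-backup.example.org.
example.net.      3600 IN MX 10 mail.example.net.
"""

MX_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)$", re.IGNORECASE)

def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_mx(text):
    """Return {domain: [(preference, target), ...]} sorted by preference."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records[norm(m.group(1))].append((int(m.group(2)), norm(m.group(3))))
    return {d: sorted(rrs) for d, rrs in records.items()}

def audit(text, protected_domains, gateway):
    """Map each protected domain to a list of findings (empty list = compliant)."""
    gateway, records = norm(gateway), parse_mx(text)
    report = {}
    for domain in map(norm, protected_domains):
        rrs, findings = records.get(domain, []), []
        if not rrs:
            # With no MX, senders fall back to the domain's address record (RFC 5321).
            findings.append("no MX record: mail goes to the domain's A/AAAA host")
        for pref, target in rrs:
            if target != gateway:
                findings.append(f"MX {pref} {target} bypasses the gateway")
        if rrs and all(t != gateway for _, t in rrs):
            findings.append("gateway is not listed as an MX")
        elif len(rrs) > 1 and not findings:
            findings.append("multiple MX entries; keep a single one")
        report[domain] = findings
    return report

if __name__ == "__main__":
    domains = ["example.com", "example.org", "example.net", "example.edu"]
    for dom, issues in audit(SAMPLE_ANSWERS, domains, "fortimail.example.com").items():
        print(dom, "OK" if not issues else issues)
```

Any host reported as bypassing the gateway should also be unreachable on the SMTP port from the Internet, in line with tip 1, since removing its MX record does not stop direct connections to its address.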