FortiMail: Preventing ISPs from Being Blacklisted


Often times companies can unknowingly find themselves blacklisted. One infected computer could lead to an entire company having its email blocked.

This recipe guides you through the process of configuring FortiMail to help prevent your IP from being blacklisted.

Protecting the public range of IP addresses form being blacklisted is essential for Service Providers to guarantee the right level of service to subscribers. Protection is achieved by filtering outgoing mail of the ISP network before traffic reaches the internet and before sessions are eventually NATed by the firewall.

IP Blacklisting

For more information on filtering techniques please consult the FortiMail Administrator Guide.

System Settings

In order for FortiMail to intercept all SMTP sessions, regardless of the destination address, FortiMail must operate as a transparent proxy.  

For the follow procedure to work, set your FortiMail unit to transparent mode and enable proxies.

  1. Go to System > System Status > Status.
  2. Select Transparent from the Operation mode dropdown menu.
  3. Go to Mail Settings > Proxies > Proxies.
  4. Select the For outgoing SMTP connections checkbox.
  5. Select Apply.

transparent mode

Network Configuration

With FortiMail in transparent mode we can now configure some general network settings.

First we will need to configure the SMTP interfaces in route mode and set their IP addresses.

  1. Go to System > Network > Interface.
  2. Select New or right click an existing port and select Edit.
  3. Enter the desired IP addresses for port1, port2, and port3. For example, port1 will be the management IP address, port2 private, and port3 the internet. All other interfaces except port1 can be removed from the bridge.
network configuration diagram
network interface
network interface
Edit interface
editing an existing address



Next we will need to configure gateway settings.

  1. Go to System > Network > Routing.
  2. Select New or right click an existing port and select Edit.
  3. Enter the desired gateway number for each port and for port2 and por3, enter the destination IP/netmask.
configuring gateway settings

Interfaces have two proxies listening to SMTP sessions: 
– the incoming proxies that listens to sessions destined to internal mail server.
– the outgoing proxy that picks up any other sessions.

The outgoing proxy should be enabled on the internal interface, the one that receives outgoing sessions from subscribers (for example, port2).

  1. Go to System > Network > Interface.
  2. Right click port2 and select Edit.
  3. Select Proxy from the Outgoing connections dropdown menu in the SMTP Proxy section and then select OK.
  4. Right click port3 and select Edit.
  5. Select Pass through form the Outgoing connections dropdown menu in the SMTP Proxy section and then select OK.
Editing the interface of port2
Editing the interface of port2

FortiMail should be configured with two DNS servers. Fast answers from DNS servers are critical to maximize performance. 

  1. Go to System > Network > DNS.
  2. Enter both the primary DNS server and the Secondary DNS server in their respective fields.
  3. Select Apply.
Entering the necessary DNS information
Entering the necessary DNS information

Access Control Configuration

Access control rules specify whether the FortiMail unit processes and relays, rejects, or discards email messages for SMTP sessions initiated by SMTP clients.

To configure the SMTP access controls

  1. Go to Policy > Access Control > Receiving.
  2. Select New. 
  3. Enter the necessary IP in the Sender IP/netmask field.
  4. Select Authenticated from the Authentication status dropdown menu
  5. Select Relay from the Action dropdown menu.
  6. Select OK.
  7. Select New.
  8. Enter the necessary IP in the Sender ip/netmask field.
  9. Select Any from the Authentication status dropdown menu.
  10. Select Reject from the Action dropdown menu.
  11. Select OK.
Creating the relay access control rule
Creating the relay access control rule

Log Setting Configuration

To configure logging to the local hard disk

  1. Go to Log and Reporting > Log Settings > Local Log Settings.
  2. Enable Log to Local Disk.
  3. Enter the file size limit of the current log file in megabytes in the Log file size field
  4. Select Information from the Log level dropdown menu.
  5. Enable Event Log in the Logging Policy Configuration section.
  6. Enable AntiVirus Log, AntiSpam Log, History Log, and Encryption Log in the Logging Policy Configuration section.
  7. Select Apply
Configuring the log settings
Configuring the log settings

Radius Configuration

FortiMail uses your RADIUS accounting records to combat spam and viruses, which reduces the likelihood of spam and viruses being sent from your network to other networks. By configuring the connection with the RADIUS server, we can greatly reduce the possibility of having your public IP address blacklisted.

To configure your RADIUS server

  1. Configure the FortiMail unit as an auxiliary RADIUS server on your RADIUS server, to which it will send copies when its accounting records change.
  2. Configure the server to send the Calling-Station-ID and the Framed-IP-Address attributes to the FortiMail unit.

    The data type of the value of Calling-Station-ID may vary. For 3G subscribers, the RADIUS server typically uses Calling-Station-ID to contain an MSISDN. For ADSL subscribers, the RADIUS server typically contains a login ID, such as an email address.

  3. Determine whether your RADIUS server sends the Framed-IP-Address attribute’s value in network order (e.g. or host order (e.g.
  4. Verify that routing and firewall policies permit RADIUS accounting records to reach the FortiMail unit.
RADIUS illustration
RADIUS illustration


With your RADIUS server properly configured, we now need to enable the FortiMail unit to receive RADIUS records.

  1. Connect to the CLI.
  2. Enter the following command to enable the FortiMail unit to receive RADIUS records by starting the endpoint reputation daemon:
    config antispam settings
        set carrier-endpoint-status enable
  3. Enter the following command to configure the RADIUS secret:
    config antispam settings
        set carrier-endpoint-acc-secret <secret_str>
  4. Enter the following command to configure whether to enable or disable the FortiMail unit to validate RADIUS requests using teh RADIUS secret:
    config antispam settings
        set carrier-endpoint-acc-validate <enable | disable>
  5. Enter the following command to configure whether or not the FortiMail unit will acknowledge accounting records:
    config antispam settings
        set carrier-endpoint-acc-response <enable | disable>
  6. Enter the following command to indicate that the RADIUS server will send the value of the Framed-IP-Address attribute in network order:
    config antispam settings
       set carrier-endpoint-framed-ip-order <host-order | network-order>

Policy and Profile Settings

Use session profiles to control outgoing traffic. To configure the session profile for connections from external SMTP clients:

  1. Go to Profile > Session > Session
  2. Select New.
  3. Enter a name for the session profile in the Profile Name field (e.g. external_session_profile).
  4. Enable Hide this box from the mail server.
  5. Enable Enable sender reputation and enter the appropriate information.
  6. Enable Prevent encryption of the session under the Session Settings section. 
  7. Enable Prevent open relaying under the Unauthenticated Session Settings section.
  8. Select Create. 

Before continuing, be sure to create an ntispam and antivirus profile by going to Profile > AntiSpam > AntiSpam or Profile > AntiVirus > AntiVirus.

Creating session profile settings
Creating session profile settings

Your session profile, once configured, applies to IP based policies governing SMTP client connections. 

To configure the IP-based policy for connections

  1. Go to Policy > Policies > IP Policies
  2. Select Edit for the default policy whose Match column contains — >
  3. Select your previously created session profile from the Session dropdown menu in the Profiles section. 
  4. Select your antispam and antivirus profiles from their respective dropdown menus.
  5. Select OK.
creating an ip-based policy
creating an ip-based policy