Basic Setup of FortiMail Mail Server E-Book

Basic Setup of FortiMail Mail Server

By

Dr. Hidaia Mahmood Alassouli

[email protected]

While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Basic Setup of FortiMail Mail Server

Copyright © 2022 Dr. Hidaia Mahmood Alassouli

Written by Dr. Hidaia Mahmood Alassouli.

1. Introduction:

Email is a critical tool for everyday business communication and productivity. Fortinet's email security solution - FortiMail delivers advanced multi-layered protection against the full spectrum of email-borne threats. Powered by FortiGuard Labs threat intelligence and integrated into the Fortinet Security Fabric, FortiMail helps your organization prevent, detect, and respond to email-based threats including spam, phishing, malware, zero-day threats, impersonation, and Business Email Compromise (BEC) attacks.

FortiMail virtual machines provide complete flexibility and portability for organizations wishing to deploy email security infrastructure into a private or public cloud setting. FortiMail virtual machines provide powerful scalability and ease-of-deployment.

For organizations wishing to deploy email protection in an on-premise setting or for service providers who wish to extend email services to their customers, FortiMail appliances offer high performance email routing and robust features for high availability.

Fortinet FortiMail provides multiple operating modes to choose from including API support for Microsoft 365, Server Mode, Gateway Mode and Transparent Mode.

This report talks about basic setup of FortiMail Server. This report includes the following sections:

1. Part 1: Basic Concept for Sending Emails.

2. Part 2: Basic Setup of FortiMail.

3. Part 3: Access Control and Policies

4. Part 4: Sessions Management.

5. Part 5: FortiMail Authentication.

6. Part 6: Content Filtering.

7. Part 7: System Maintenance.

8. Part 8: Troubleshooting.

9. Part 9: Data Loss Prevention.

10. Part 10: Email Archiving.

11. Part 11: AntiVirus.

12. Part 12: AntiSpam.

13. Part 13: Personal Quarantine Management.

14. Part 14: Transparent Mode.

15. Part 15: Quick Guide for FortiMail Hardware Package Installation.

16. Part 16: Tutorial 1-Registering FortiMail Demo Account.

17. Part 17: Tutorial 2-Installing FortiMail in VMWare.

18. Part 18: Tutorial 3- Configuring FortiMail Using the Web Based Control Panel.

19. Part 19: Tutorial 4 - Creating AntiVirus, AntiSpam, Content Filtering and Session Profiles.

20. Part 20: Tutorial 5-Testing Access Control Rules.

21. Part 21: Tutorial 6- Testing Recipient Policies.

22. Part 22: Tutorial 7- Testing IP Policy.

23. Part 23: Tutorial 8 - Testing Relay Host.

24. Part 24: Tutorial 9- FortiMail Gateway Mode.

25. Part 25: Tutorial 10- FortiMail Transparent Mode.

26. Part 26: Tutorial 11- Authentication.

27. Part 27: Tutorial 12- Creating NFS Server in Ubuntu Linux Machine.

28. Part 28: Tutorial 13-Muting the NFS share from Windows.

30. Part 29: Tutorial 14- Configuration and Mail Data Backup.

29. Part 30: Tutorial 15- Upgrading the Forti IOS Images through TFTP Server.

30. Part 31: References.

2. Part 1: Basic Concept for Sending Emails:

a) Sending and Receiving Emails:

1. Sending Emails:

The MUA connects to local mail server

The MTA performs a DNS MX record lookup on domain portion of the recipient address.

The local MTA connects to remote MTA and transit the message

The remote MTA delivers the message to user mailbox of the destination mail server.

Example that user1 at example1.org wants to send email to b at example3.com. send the pos.example.org is local email server for the sender, the email will go through pos.exampl1.org to send the email to destination.

The post.example1.org queries the public DNS MX record for post.example3.com and uses the entries with lowest preference which in this case relay.eample2.net with preference value 50. The relay.example2.net also queries the DNS server. This time the smallest preference is mail.example3.com. So relay.example2.net will forward the email to mail.example3.com.

Finally, user

[email protected]

uses the email from mail.example3.com.

b) SMTP Standards:

1. Email in internet follows standard called SMTP, The SMTP protocol first submitted in 1982 under RFC 821.

2. Although many subsequent extensions, SMTP remains true to its name. It is relatively simple protocol with limited number of commands and responses. The SMTP commands in this slide shows how client, usually MUA or intermediary MTA performs various tasks.

3. Servers that can support ESMTP can be requested to use encryption of email body to use encryption using transport layer security TLS.

4. This slide shows the commands that are typically used between client and server during email exchange. It starts with client, sending MTA or MUA, initiating TCP session on port TC 25. If TCP session is established, the SMTP session is established when the server which is the receiving MTA presents the banner. The client then presents HELLO message with the server acknowledges. At this point the client is free to start SMTP transections by providing the envelope addresses. The client uses data command to indicate start of message, which includes the header and body. The message header can include much more information than that shown in slide. The client sends single period in new line to indicate end of message. Server acknowledges the end of SMTP transection. To end SMTP session, the client sends quit message which is acknowledged by server. Then the TCP session turns down.

5. The only exception to this interaction is between the Microsoft outlook and Microsoft exchange servers which use a Microsoft property protocol called messaging application programming interface Mappy. Mappy is used for both email transmission and retrieval between Microsoft outlook and Microsoft exchange.

6. A message header can contain a lot of useful information. Each email client has its own procedure to view the message header of single email. Message headers are often used to gather information or troubleshoot email issues. The content of message header remains intact when the email is forwarded as an attachment. Forwarding the email destroys the original message header because the MUA creates new header from new point of origin. One of the most important parts of an email is received header. Every time the email is generated by MUA which reverses the MTA a received header is added. At minimum the received header contains the IP address of the sender if it is the first hop or the receiver if it is intermediary hop as well as the day and time the email processed by hop. Depending on the vendor, the MTA sometimes add session ID for the email as well as TLS version and cipher information if applicable. The received headers are added on top of each other. The bottom shows when email starts its journey. And the top show where the email is currently located. As well as received headers, other information on message header includes MIME header and contents headers and subject

c) SMTP Authentication:

1. Original RFC for SMTP did not include any requirements for security mechanisms. Email was transmitted in plain text by unauthenticated users. The Auth extension is added in order to verify the sender identity. MTAs that support ESMTP can enforce authentications to ensure only authorized users can send emails. This verifies only the sender identity for outbound emails from protected domains. But will not prevent spoofing through inbound emails coming from external mail servers.

2. SMTPS implements a layer of security using TLS encryption. But it was never standardized.

3. MTAs need to maintain separate ports for encrypted sessions. Because SMTP uses port 25, SMTPS uses port 465 or 587.

4. Connections made using SMTP port and TLS negotiations occur after SMTP session is established. If both sides agree, a secure connection is established and the remaining data exchanged securely. Many ESMTP servers enforce start TLS for encryption. This means that the recipient MTA accepts the envelop addresses “mail from” and “rcpt to” only after TLS is established.

5. In SMTP over TLS, the initial connection is made on standard SMTP TCP port. The client can be MUA or MTA transmits EHLO message and is presented with list of extensions that represent the set of supported extensions on the server side of connection. If START TLS is present in the list and if the client wants secure connection, the client responds with STARTTLS, this initiates the TLS negotiation between the two points. After secure connection is established, the remaining SMTP traffic is encrypted over the network.

6. In SMTPs the server and client start SMTP session which is fully encrypted on TLS tunnel.

d) Retrieving Emails:

1. POP is used to download new messages, and stores them locally in email clients. Typically, the messages are deleted from server after download.

2. It is important to use POP in secure way. The original RFC of POP did not implement any form of encryption or passwords are sent in clear text unless the email server and client are configured to support SSL/TLS extensions to POP3

3. IMAP is another mail retrieval protocol that has multiple advantages over POP3. It provides more robust management of email inox including message retention allowing multiple managers of inbox, folder management and so on. IMAP usually the Go To method for keeping multiple devices synchronized with same inbox. Like POP3, the IMAP functions in two separate ports. TCP port 143 can use a Start TLS message to upgrade the connection to be TLS encrypted. Otherwise, it functions as clear text. TCP port 993 is used for completely end-to-end encryption.

4. Now when we look to email flow example, you should be able to identify where the SMTP transection occurs and where POP3, IMAP, MAPPY and webmail transections occur.

e) Modes of Operation:

1. In Gateway mode, FortiMail provides full MTA functionality. In email path, the FortiMail sits in the front of the existing mail server and scans emails. If FortiMail detects any spam email, it discards them or stores in user Quarantine mailboxes in local FortiMail device. FortiMail delivers all clean emails to backend mail server. A DNS MX record change or destination NAT rule on the firewall is required to redirect all inbound email traffic to the FortiMail device for inspection. For complete protection all outbound emails should be also routed to FortiMail for inspection. FortiMail Gateway deployment is excellent at extending existing email infrastructure scalability. FortiMail can offload all security-related and message-queuing tasks from backend mail servers.

2. In server mode, the FortiMail provides all typical functions of an email server as well as security scans. You can use FortiMail operating in server mode as a drop-in replacement for retiring email servers. It is also excellent choice for environments deploying email servers for the first time. The same DNS MX record change or destination net rue change in firewall is needed to redirect all inbound emails to FortiMail for inspection. After inspection, FortiMail delivers clean emails to end user’s inboxes stored locally on FortiMail. End users use POP3, IMAP and webmail to access their inboxes. Along with storing user’s mailboxes, the FortiMail running in the server mode provide complete group calendar, resource scheduling, webmail and other advanced futures.

3. In the transparent mode, the FortiMail is physically located in the email path to intercept email traffic transparently for inspection. When operating in Transparent mode, FortiMail is not the intended IP destination of the email. Therefore, no DNS MX record or DNAT rule changes is required. This allows you to deploy FortiMail in environments when you don’t want IP address or MX DNS record changes. Transparent mode is often used in large MSSPs or carrier’s environments.

3. Part 2: Basic Setup of FortiMail:

1. FortiMail has two interfaces for Web Access

a) Login to administrator interface:

https:/(FortiMail FQDN or IP address)/admin

b) Login to webmail interface:

https:/(FortiMail FQDN or IP address)/

Most of the time the administrators use GUI to configure and maintain FortiMail.

2. FortiMail Webmail:

a) The user inbox for server mode has the following folders:

Inbox, Drafts, Sent Items, Bulk, Trash, Encrypted Emails

b) The user inbox for Gateway mode has the following folders:

Drafts, Sent Items, Bulk, Trash, Encrypted Emails

3. Use the quick start wizard to configure he following

Password for administrator account

Network and time settings

Local host settings

Protected domains

Incoming and outgoing antispam and antivirus settings

Access control for SMTP relay

4.The password change enforced in the first logon:

5. The FortiMail has two views: Basic View and Advanced View.

Simple view: Commonly used options only day to day operations

Advanced view: Complete set of menu options

6. Very few configuration tasks require to use the CLI.

For example, to make FortiMail compiles with the security standards disable the POP3 and IMAP services if not being used

7. User interface customization and console: You can customize elements of both webmail and administration GUIs to apply alternate branding, color, themes, default languages and so on. And because you already authenticated when logging to GUI, you can access the CLI by single click. Alternatively, you can access CLI by using SSH in separate SSH client

8. Fortinet Security Fabric:

You can connect FortiMail to upper FortiGate and become part of security fabric.

FortiMail anti-spam processing helps offload other devices in security fabric that would carry out this process.

9. Operation Mode and NTP Synchronization:

The default operation mode is Gateway mode- other modes are server and transparent mode.

Setup operation mode during initial setup

Configure time zone for accurate time stamps in logs and MTA functionality.

10. Domain Name:

Hostname+Local Domain Name=Fully Qualified Domain Name (FQDN)

FQDN should be globally resolvable, especially if FortiMAil is an outbound MTA with DNS address (A) record and PTR record.

11. Network Settings:

Typically, in Server or Gateway mode only one interface is active. Transparent mode, depends on deployment topology multiple interfaces may be active.

The default IP address and subnet mask for port 1 interface is 192.168.1.99/24.

FortiMail also supports ipv6 and DHCP addresses.

You can select access option to enable or disable access to FortiMail using http, https, ping, ssh, smtp and telnet.

By default, there is no routes configured in FortiMail. You must define one default route to internet to make sure that FortiMail is connected to FortiGuard and to make sure the email traffic flow correctly. You can configure more static routes as needed to accommodate networks that have multiple gateways. The fields in the new routing entry supports ip4 and ip6 addresses.

By default, the FortiMail is preconfigured with FortiGate DNS servers. The DNS plays vital role in email transmission as well as FortiGuard connectivity. So, the choice of the DNS server can have significant effect on the performance of FortiMail.

12. Administrator Accounts:

FortiMail is configured by default admin user and empty password field. Change the password to secure access the device.

You can set the access profile and domain to restrict administrators to certain sections of the GUI or to specific domains.

Configure remote authentication for the administration account. You can set authentication type to Local or remote using LDAP, RADIUS, PKI or single sign-on authentication.

For remote authentication types, you must also configure additional profile that defines the details of authentication. You can configure trusted hosts to restrict each account to specific IP subnets or addresses. You can also select the language and color theme for each administrator.

13. Admin Profile:

You must associate each administrator user account with admin profile which areas the administrator can access and provides permissions to modify elements within those areas. The default super_admin_prof profile is assigned to default admin account.

You can also apply admin profile dynamically through radius. You will explore radius and another authentication profiles

14. Enforcing Password Polices:

System>Configuration>Options

You can create single global password policy to enforce complex passwords, and you can choose which mail users and IBE users to apply policy. The authentication server usually enforces the

password policies for non-local mail users. To make sure that FortiMail complies with security standards you can reduce the idle timeout and enable to login disclaimer. You can set the disclaimer to appear before or after the users logs in. You can also set the

disclaimer to appear when the admin webmail or IBE user logs in.

When you set the disclaimer for admin users, it also appears when the admin users access the CLI using SSH or Telnet. You can also change the administration ports on the option tab.

If you change the default ports, you must update the applicable port forwarding rules on your organization firewall to reflect the change.

15. Office 365 Threat Remediation:

Starting with FortiMail 6.4.0 , there is separate GUI view for Microsoft 365 after the license is applied. Email messages can now be scanned in real time. The emails scanned immediately after the email arrives to the user’s mailbox. You can also conduct on-demand search and scan of email message already delivered to users’ inbox. Once scanned you can decide what to do with spams or infected emails. You can also manually apply actions to email messages you specify. Before you scan emails in Microsoft 365 mailboxes, you must connect to Microsoft 365. Note that Microsoft 365 global administrator role is required to configure Microsoft 365 in FortiMail.

Realtime scanning: A valid CA signed certificate and FortiMail device reachability by hostname is required for this future. Email is scanned immediately on the arrival in the user’s mailbox.

Scheduled scanning. OnDemand: Scans emails post-delivery when triggered by administrator or scheduled (useful by POC).

Profiles: Similar to recipient policy. Apply security profile to email flows.

16. Protected Domains:

To create protected domains, you must select different options depending on the operation mode of FortiMail.

For gateway mode, you must define the domain and the destination SMTP server.

For transparent mode, if you define a domain, you must specify the destination SMTP server.

For server mode, you must only define only the domain because the FortiMail is the only destination of email messages.

Protected domains also specify which email messages FortiMail considers

as inbound and which email messages consider to be outbound.

17. Email Direction:

When FortiMail receives email, it compares the domain part of the recipient email address with the list of protected domains. If there is a match the FortiMail considers the message to be incoming. Otherwise, the message is outgoing.

The direction of the email is important to FortiMail because the influence is relay behavior.

-Incoming emails are relayed by default and no additional configuration required to allow email into the organization. By default, FortiMail relays the incoming mail messages.

- By default, the FortiMail rejects the outgoing messages unless the sender is authenticated. This behavior is hard coded to prevent FortiMail from being abused as an open relay.

18. Domain Associations:

Domain associations allows multiple domains to share single configuration in FortiMail. For, example, any recipient-based policies created for the main domain applied for the associated domains as well. This extremely convenient for environments that have more than one domain and you want to keep FortiMail protection consistent across all the domains. This will help to minimize the redundant configurations and speed up the deployment. Also, to eliminate errors over time in the configuration of the domains.

When adding associated domains to FortiMail, update the MX records of the domains so all inbound emails are delivered to FortiMail.

19. Server Mail Users:

Because the user mailboxes are managed by FortiMail in user modes, you should create user account entries for each user. You can configure these user accounts to authenticate locally or using LDAP or RADIUS.

In server mode, the user inbox handles both the regular email and the spam quarantine. You can use the user tab to create users. While the user preference tab allows you to manage user’s preferences. The administrator can manage user’s preferences using administration interfaces and the end user can manage user’s

preferences using the webmail interface.

20. Gateway and Transparent Mode Users:

In gateway and transparent modes, FortiMail maintains quarantine mailboxes. These mailboxes are created automatically when FortiMail

needs to send emails to quarantine as a result of spam detection. You can’t manually create users in FortiMail when configured in gateway or transparent mode. You can however manage user’s preferences such as block or allow list entries using administration GUI. The end user can access their quarantine mailbox and account preferences using the webmail interface.

21. Recipient Verification:

FortiMail configured in gateway or transparent mode process all emails and attempts to relay it in backend server. So, what happened if user account does not exist. In this case the backend server generates an error and FortiMail creates quarantine account where invalid user email is quarantined. Over a time, this leads to excessive amount of storage space used for emails for invalid users.

There are two ways to deal with that. Recipient address verification or automatic removal of invalid quarantine accounts. To optimize the use of storage space, you must implement

one of these futures for gateway or transparent mode deployments.