FortiMail 6.0 Lab Guide-Online
© FORTINET
Fortinet Document Library
http://docs.fortinet.com
Fortinet Knowledge Base
http://kb.fortinet.com
Fortinet Forums
https://forum.fortinet.com
Fortinet Support
https://support.fortinet.com
FortiGuard Labs
http://www.fortiguard.com
Feedback
Email: courseware@fortinet.com
1/9/2019
Virtual Lab Basics
In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.
If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted in remote data centers that give each student their
own training lab environment, or point of delivery (PoD).
Before starting any course, check that your computer can connect to the remote data center successfully. The
remote access test verifies whether your network connection and your web browser can support a reliable
connection to the virtual lab.
You do not have to be logged in to the lab portal in order to run the remote access test.
If your computer connects successfully to the virtual lab, you will see the message All tests passed!:
Logging In
After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.
You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.
Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
• From the box of the VM you want to open, click View VM.
When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.
For most lab exercises, you will connect to a jumpbox VM, which can be either a Windows or a Linux VM.
From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab
environment.
If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.
Screen Resolution
To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:
You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:
From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:
Student Tools
There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:
Troubleshooting Tips
• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or
high-latency connections.
• Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your
computer is always on, and does not go to sleep or hibernate.
• For best performance, use a stable broadband connection, such as a LAN.
• You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and
general performance:
• If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect,
notify the instructor.
• If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:
• If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action
menu, and select Revert:
Reverting to the VM's initial state will undo all of your work. Try other solutions first.
• During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the
following example appears:
In this lab, you will verify the DNS MX records for both of the lab domains, perform the initial configuration tasks
for the FortiMail VMs installed in the internal.lab domain for inbound email, and configure an email client to
connect to a server mode FortiMail. Then, you will issue basic SMTP commands and inspect email headers to
understand the flow of SMTP.
Objectives
• Verify DNS MX records for the lab domains
• Configure the initial system and email settings on the server mode FortiMail
• Configure the initial system and email settings on the gateway mode FortiMail
• Manually send basic SMTP commands to an email server to understand the SMTP protocol
Time to Complete
Estimated: 45 minutes
DNS is a critical component in routing email messages. In this exercise, you will use Windows command-line tools to
verify the published DNS MX records for both the internal.lab and external.lab domains, to understand how mail
is routed in the lab network.
To verify MX records
1. In Windows, open a command prompt window, and then enter the following command to display the MX records
associated with the external.lab domain:
nslookup -type=mx external.lab
As indicated in the nslookup query output, there is only one MX record associated
with the external.lab domain.
extsrv.external.lab MX preference = 10
Therefore, all email messages sent to the external.lab domain must be sent to the
extsrv.external.lab (10.200.1.99) host.
2. In the same command prompt window, enter the following command to display the MX records associated with
the internal.lab domain:
nslookup -type=mx internal.lab
As indicated in the nslookup query output, there are two MX records associated with
the internal.lab domain.
intgw.internal.lab MX preference = 10
intsrv.internal.lab MX preference = 20
In the lab network, the MX records for the internal.lab domain are geared for
convenience, and should not be used as a template for real-world deployments.
Since the back-end mail server might not have the full range of email security
features enabled, publishing it as a secondary MX entry is detrimental to security.
Spammers can easily identify and exploit these servers using MX records.
Publishing the back-end mail server as a secondary MX entry will also prevent certain
FortiMail features—such as greylisting, or sender reputation—from working
effectively.
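As an added example (not part of the lab guide), the following Python code parses the Windows nslookup output from the two steps above, ranks the exchangers by preference, and reports every backup MX, since the note explains that a back-end server published as a secondary MX can be reached without passing the gateway. The sample output is constructed in the shape Windows nslookup prints, using the lab's hosts and addresses.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the shape Windows nslookup prints for
# "nslookup -type=mx <domain>"; hosts and addresses are the lab's.
INTERNAL_LAB = """\
Server:  UnKnown
Address:  10.0.1.10

internal.lab    MX preference = 10, mail exchanger = intgw.internal.lab
internal.lab    MX preference = 20, mail exchanger = intsrv.internal.lab
intgw.internal.lab      internet address = 10.0.1.11
intsrv.internal.lab     internet address = 10.0.1.99
"""

EXTERNAL_LAB = """\
Server:  UnKnown
Address:  10.0.1.10

external.lab    MX preference = 10, mail exchanger = extsrv.external.lab
extsrv.external.lab     internet address = 10.200.1.99
"""

MX_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
ADDR_RE = re.compile(r"^(\S+)\s+internet address = (\S+)$")


def parse_mx(output: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs, lowest preference (the primary MX) first."""
    records = [(int(pref), host.rstrip(".")) for pref, host in MX_RE.findall(output)]
    return sorted(records)


def parse_addresses(output: str) -> Dict[str, str]:
    """Return host -> IP from the address lines nslookup appends for each exchanger."""
    addresses: Dict[str, str] = {}
    for line in output.splitlines():
        match = ADDR_RE.match(line.strip())
        if match:
            addresses[match.group(1).rstrip(".")] = match.group(2)
    return addresses


def primary_mx(output: str) -> str:
    """The host every sender should try first for this domain."""
    return parse_mx(output)[0][1]


def backup_mx_hosts(output: str) -> List[str]:
    """Hosts a sender falls back to when the primary MX does not answer."""
    return [host for _, host in parse_mx(output)[1:]]


def review_mx(output: str) -> List[str]:
    """One finding per backup MX: a back-end mail server published as a
    secondary MX can be reached without passing the gateway's inspection."""
    addresses = parse_addresses(output)
    return [
        f"backup MX {host} ({addresses.get(host, 'no address record')}) is reachable "
        f"without going through {primary_mx(output)}"
        for host in backup_mx_hosts(output)
    ]
```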
In the lab network, the IntSRV server mode FortiMail is intended to be the mail server for the internal.lab domain.
It is where the end user mailboxes are, where you will perform all user-management tasks, and where you will
perform tasks specific to server mode.
In this exercise, you will perform the basic configuration tasks required to establish inbound email flow on the
IntSRV FortiMail VM. You will verify your configuration by sending an email from the ExtSRV FortiMail VM and
then reviewing the logs. Then, you will configure a mail user agent (MUA) to connect to the server mode
FortiMail.
Field Value
IP/Netmask 10.0.1.99/24
Field Value
Advanced Setting
Administrative status Up
4. Click OK.
5. Click System > Network > Routing.
6. Click New.
7. Add a new static route using the following values:
Field Value
Interface port1
Gateway 10.0.1.254
There are two DNS servers in the lab network: a primary and a secondary DNS server.
The primary DNS server is the Windows server and the secondary DNS server is the
Linux server.
3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Domain & User > Domain > Domain.
5. Click New to add a protected domain using the following values:
6. Keep the default values for the remaining settings, and then click Create.
Field Value
Password fortinet
Field Value
To user1@internal.lab
4. Click Send.
5. Open a new web browser tab, and visit the IntSRV FortiMail webmail GUI:
https://intsrv.internal.lab/
Field Value
Password fortinet
4. Click Continue.
Thunderbird attempts to auto-configure the server settings.
5. Click Manual Config if it does not take you to the manual config mode automatically.
6. Modify the auto-discovered Server hostname values for both Incoming and Outgoing to match the following
example, and then click Done.
7. Select the I understand the risks check box, and then click Done.
While unencrypted passwords are fine for a lab network, you should avoid using them
in real-world deployments.
8. Select the Permanently store this exception check box, and then click Confirm Security Exception to
complete the Mail Account Setup wizard.
Thunderbird displays a certificate security warning.
9. If your configuration is correct, the test email you created in the previous exercise appears in Thunderbird, in your
local inbox.
In the lab network, the IntGW gateway mode FortiMail is intended to be the MTA for the internal.lab domain. It
will be the relay server for the IntSRV FortiMail, and also where most of the inspection configuration tasks will be
performed.
In this exercise, you will perform the configuration tasks required to establish inbound email flow on the IntGW
FortiMail VM. Then, you will verify your configuration by manually composing an email using a telnet session, and
reviewing the headers of the email in your Thunderbird mail client.
Recall the DNS verification tasks you performed in the first exercise. As the MX
records show, the intgw.internal.lab (10.0.1.11) host is the primary MTA for the
internal.lab domain. So, all email messages should be sent to the IntGW FortiMail first
for processing. The IntGW FortiMail will then pass the email to the IntSRV FortiMail
VM for delivery to the end user.
5. In Windows, open a new web browser tab, and visit the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin
Field Value
Interface port1
Gateway 10.0.1.254
3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Domain & User > Domain > Domain.
5. Click New to add a protected domain using the following values:
10.0.1.99 is the IP address of the IntSRV host. This is the server mode FortiMail
that you configured in the previous exercise. It contains the user mailboxes for the
internal.lab domain. Therefore, the IntGW host is configured with 10.0.1.99 as the
protected SMTP Server.
6. Keep the default values for the remaining settings, and then click Create.
You can also just enter the IP address of the Linux machine, which is 10.0.1.254
and click Open.
6. Run the following swaks command to test the gateway mode FortiMail configuration. A copy of the command is in
a text file named commands.txt, which is located in the Resources folder on the Windows desktop.
swaks -f extuser@external.lab -t user1@internal.lab -s 10.0.1.11 --body 'Gateway mode FortiMail configuration is successful'
7. In Thunderbird, open the test message that you sent in the previous step.
8. In the More drop-down list, select View Source to view the full headers of the message:
9. Compare the Received: headers in the Telnet session email with the Hello World! email you sent in the
previous exercise.
What differences do you see?
The Hello World email’s Received header shows that the IntSRV FortiMail received
the email directly from the ExtSRV FortiMail.
Received: from extsrv.external.lab ([10.200.1.99]) by IntSRV.internal.lab
The swaks session email’s Received header shows that the email was processed first
by the IntGW FortiMail, and then handed off to the IntSRV FortiMail.
Received: from IntGW.internal.lab ([10.0.1.11]) by IntSRV.internal.lab
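The header comparison above, as an added Python example that is not part of the lab guide: it parses the Received: chain of a message, returns the hops in the order the mail travelled, and tells whether the IntGW gateway (10.0.1.11) handled it. Both messages are constructed copies of the two test emails; the hostname linux.internal.lab for the swaks host (10.0.1.254) and the timestamps are assumptions.

```python
import re
from email import message_from_string
from typing import List, NamedTuple


class Hop(NamedTuple):
    from_host: str
    from_ip: str
    by_host: str


# Constructed message in the shape of the "Hello World!" email: ExtSRV handed it
# straight to IntSRV, so there is a single Received: header.
DIRECT_MESSAGE = """\
Received: from extsrv.external.lab ([10.200.1.99])
\tby IntSRV.internal.lab with ESMTP; Wed, 9 Jan 2019 10:00:00 +0000
From: extuser@external.lab
To: user1@internal.lab
Subject: Hello World!

Hello World!
"""

# Constructed message in the shape of the swaks test: injected from the Linux VM
# (10.0.1.254, hostname assumed) into IntGW, which relayed it to IntSRV. Each MTA
# prepends its own Received: header, so the newest hop is on top.
GATEWAY_MESSAGE = """\
Received: from IntGW.internal.lab ([10.0.1.11])
\tby IntSRV.internal.lab with ESMTP; Wed, 9 Jan 2019 10:05:01 +0000
Received: from linux.internal.lab ([10.0.1.254])
\tby IntGW.internal.lab with ESMTP; Wed, 9 Jan 2019 10:05:00 +0000
From: extuser@external.lab
To: user1@internal.lab
Subject: swaks test

Gateway mode FortiMail configuration is successful
"""

# "from <host> ([<ip>]) by <host>" is the shape of the Received: lines quoted above.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)\s+by\s+([^\s;]+)", re.IGNORECASE)


def received_chain(raw: str) -> List[Hop]:
    """Hops in the order the message travelled (oldest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            hops.append(Hop(*match.groups()))
    hops.reverse()  # headers are prepended, so the top one is the last hop
    return hops


def delivery_path(raw: str) -> List[str]:
    """Hostnames from the first sender to the final receiver."""
    hops = received_chain(raw)
    if not hops:
        return []
    return [hops[0].from_host] + [hop.by_host for hop in hops]


def passed_through(raw: str, mta_ip: str) -> bool:
    """True when a downstream MTA received the message from the given address,
    i.e. that MTA (IntGW, 10.0.1.11, in this lab) handled the message."""
    return any(hop.from_ip == mta_ip for hop in received_chain(raw))
```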
In this lab, you will establish outbound email flow for the internal.lab domain, as well as configure a relay host for
the server mode FortiMail. You will create IP and recipient policies, and then use logged policy IDs to identify how
policies are applied to an email.
Objectives
• Configure access receive rules to allow outbound email
• Configure an external relay host
• Configure IP and recipient policies
• Use logged policy IDs to track messages
Time to Complete
Estimated: 45 minutes
In this exercise, you will configure the necessary access receive rules on both the IntGW and IntSRV FortiMail
VMs to allow outbound email.
Field Value
To extuser@external.lab
2. Click Send. If Thunderbird displays a security warning, select the Permanently store this exception check box,
and then click Confirm Security Exception.
3. Open a web browser and visit the ExtSRV FortiMail webmail GUI:
https://extsrv.external.lab/
Field Value
*@internal.lab
Field Value
10.0.1.0/24
Action Relay
Field Value
*@internal.lab
10.0.1.99/32
Action Relay
On the IntGW FortiMail you are allowing only the IntSRV server mode FortiMail to
relay email. Therefore, you are configuring a /32 subnet mask. No other host is able
to relay email through IntGW.
3. Log in as extuser using the password fortinet.
The email message should appear in the inbox.
The email message was generated by Windows (10.0.1.10) and sent to IntSRV
(10.0.1.99). The IntSRV host then delivered the email message to ExtSRV
(10.200.1.99).
According to the headers, the email message did not pass through the IntGW FortiMail, which is expected.
The IntSRV server mode FortiMail delivered the email based on MX query results. To make sure all outbound
email from IntSRV FortiMail relays through the IntGW FortiMail, you must configure a relay host on the
IntSRV FortiMail.
In this section, you will configure an external relay host on the IntSRV FortiMail so that all outbound email is sent to
the IntGW gateway mode FortiMail for delivery.
Field Value
Name IntGWRelay
6. Leave the remaining fields empty, and then click Create to save the relay host configuration.
7. Click Apply to save the Outgoing Email setting changes.
Field Value
To extuser@external.lab
3. Click Send.
4. Visit the ExtSRV webmail GUI:
https://extsrv.external.lab/
The email was generated by Windows (10.0.1.10) and sent to IntSRV
(10.0.1.99). The IntSRV host then sent the email to IntGW (10.0.1.11). The
IntGW host delivered the email to ExtSRV (10.200.1.99).
By completing the previous configuration steps, you have successfully established bidirectional email flow in
which all inbound and outbound email must flow through the IntGW gateway mode FortiMail.
As email messages flow through FortiMail, log entries are created that show which policies were triggered. This is
extremely useful for testing new policies and troubleshooting existing ones.
In this exercise, you will send two email messages, one in each direction, and then review which policies the
messages used.
5. Review the Policy IDs field, and answer the following questions:
The Policy IDs field is made up of three fields (X:Y:Z). What does each field’s value correspond to?
The policy IDs for each email message are recorded in the history logs in the format
of X:Y:Z, where X is the ID of the access control rule, Y is the ID of the IP-based
policy, and Z is the ID of the recipient-based policy.
If the value in the access control rule field for an incoming email is 0, it means that
FortiMail is applying its default rule for handling inbound email. If the value of X:Y:Z
is 0 in any other case, it means that a policy or rule couldn’t be matched, or doesn’t
exist.
The policy use recorded for the outbound email message is 1:1:0. It was processed
using access receive rule ID 1, which you created in the previous exercise. Then, the
email message was processed using the default IP policy ID 1. Because you didn’t
configure any outgoing recipient policy, the last field value is 0.
In this exercise, you will create IP and recipient policies. Then, you will test your configuration by sending email
messages back and forth. You will also use logs to observe the changes to the policy use from the previous
exercise.
To create IP policies
1. Visit the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin
Field Value
Source 10.0.1.99/32
Session Outbound_Session
The policies should appear in the following order:
IP policy ID 3 will process all email sourced from the IntSRV FortiMail (outgoing), and IP Policy ID 1 will
process all other email (incoming). IP policy ID 2 is a default IPv6 policy. Since this lab is not configured for
IPv6, it is not required. You can delete it if you want to.
4. Click Outbound.
5. Click New and, in the Domain drop-down list, select internal.lab.
Don’t modify any other values.
4. Log in as extuser using the password fortinet.
5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.
3. Access the details for each log entry and review the Policy IDs field.
What changes can you see from the previous exercise?
The policy use will reflect the new ID values for the policies you created. All outgoing
email will be processed by IP policy ID 3, and outgoing recipient policy ID 2. All
incoming email will be processed by IP policy ID 1, and incoming recipient policy ID 1.
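The X:Y:Z reading given in the previous exercise and the expected values stated here, as an added Python example that is not from the lab guide: it splits the Policy IDs field, applies the rule that a 0 means the default inbound access rule or no match, and audits constructed history-log lines against the IDs this exercise should produce. The log line layout and field names (direction=, policy_id=) are assumptions, not FortiMail's log format.

```python
import re
from typing import Dict, List

FIELDS = ("access_rule", "ip_policy", "recipient_policy")  # X, Y, Z
NO_MATCH = "no matching policy (not configured or not matched)"
DEFAULT_RULE = "built-in default rule for inbound email"


def parse_policy_ids(field: str) -> Dict[str, int]:
    """Split the X:Y:Z value of a history log entry into its three IDs."""
    parts = field.split(":")
    if len(parts) != 3 or not all(part.isdigit() for part in parts):
        raise ValueError(f"not an X:Y:Z policy ID field: {field!r}")
    return dict(zip(FIELDS, map(int, parts)))


def explain_policy_ids(field: str, direction: str) -> Dict[str, str]:
    """Apply the lab's reading of a 0: for incoming mail a 0 in X means the default
    access rule; any other 0 means nothing matched or nothing is configured."""
    explained = {}
    for name, value in parse_policy_ids(field).items():
        if value != 0:
            explained[name] = f"ID {value}"
        elif name == "access_rule" and direction == "incoming":
            explained[name] = DEFAULT_RULE
        else:
            explained[name] = NO_MATCH
    return explained


# Constructed history-log lines (layout and field names are assumptions, not
# FortiMail's own format). The third line still shows the pre-exercise 1:1:0.
SAMPLE_HISTORY = [
    "2019-01-09 10:10:00 direction=outgoing from=user1@internal.lab to=extuser@external.lab policy_id=1:3:2",
    "2019-01-09 10:12:00 direction=incoming from=extuser@external.lab to=user1@internal.lab policy_id=0:1:1",
    "2019-01-09 10:15:00 direction=outgoing from=user2@internal.lab to=extuser@external.lab policy_id=1:1:0",
]
LINE_RE = re.compile(r"direction=(\w+) .*?policy_id=(\d+:\d+:\d+)")

# What each direction should log once the IP and recipient policies of this
# exercise are in place.
EXPECTED = {
    "outgoing": {"ip_policy": 3, "recipient_policy": 2},
    "incoming": {"ip_policy": 1, "recipient_policy": 1},
}


def audit_history(lines: List[str], expected: Dict[str, Dict[str, int]] = EXPECTED) -> List[str]:
    """One finding per log line whose policy IDs differ from the expectation; this is
    how a message that missed the new policies shows up in the history log."""
    findings = []
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue
        direction, field = match.groups()
        ids = parse_policy_ids(field)
        for name, want in expected.get(direction, {}).items():
            if ids[name] != want:
                findings.append(f"{direction} {field}: {name} is {ids[name]}, expected {want}")
    return findings
```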
In this lab, you will configure access receive rules to enforce user SMTP authentication. You will also configure an
LDAP profile to enable recipient verification, alias mapping, and user authentication.
Objectives
• Enforce user SMTP authentication using access receive rules
• Configure an LDAP profile
• Enable recipient verification and alias mapping
• Configure LDAP authentication for users
Time to Complete
Estimated: 60 minutes
Prerequisites
Before beginning this lab, you must disable sender reputation on the IntGW FortiMail.
The sender reputation feature can interfere with some of the testing that you will do in
this lab.
In this exercise you will explore how FortiMail handles SMTP authentication. You will enforce authentication
using access receive rules, and test your configuration using various outgoing server settings in Thunderbird.
4. On the Account Settings screen, in the left pane, click Outgoing Server (SMTP), and then click Edit.
By making these changes, you have disabled authentication for SMTP connections.
So, when you send an email message, Thunderbird won’t authenticate.
To send an unauthenticated email message
1. In Thunderbird, send an email to extuser@external.lab.
2. Open a web browser, and then go to the ExtSRV FortiMail webmail GUI.
https://extsrv.external.lab/
The access receive rule that you configured in Access Control and Policies on page 27
didn’t have authentication enforcement enabled.
When you set Authentication Status to Any, FortiMail doesn’t verify whether the
sender matching the rule is authenticated or not.
To enforce authentication
1. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:
https://intsrv.internal.lab/admin
2. Click OK to close the alert, but leave the email compose window open in the background.
3. Visit the IntSRV FortiMail management GUI:
https://intsrv.internal.lab/admin
In this log entry, you can see IntSRV has rejected (Disposition) the email because
the session violated an access control rule (Classifier). By changing the
Authentication Status value to Authenticated, you have successfully enforced
authentication for users connecting to the IntSRV FortiMail.
14. Click the Session ID link to retrieve the cross search results.
15. Right-click the event log related to the authentication event to view the details.
The Windows VM has been preconfigured with Active Directory for the internal.lab domain. In this
exercise, you will review the Active Directory configuration and learn how to retrieve LDAP attributes for Active
Directory objects. Then, you will configure an LDAP profile on both the IntSRV and IntGW FortiMail devices to use for
user authentication, alias lookup, and recipient verification.
A service account for the LDAP profile is located in the Service Accounts
organizational unit (OU). The users and groups are located in the Training Users OU
and Training Groups OU respectively.
You can use the previous steps to access the LDAP attributes of any Active Directory
object necessary to configure the LDAP profile on FortiMail.
7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:
7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:
6. If the query fails, make sure the LDAP profile configuration matches the following example:
7. On the LDAP profile configuration screen, click [Test LDAP Query…] again.
8. Change the query type to Alias.
9. All of the Active Directory users have been preconfigured with aliases.
Query for the following aliases:
• mailuser1@internal.lab
• mailuser2@internal.lab
10. If your configuration is correct, you will receive the following Test Result message:
11. If the query fails, make sure the LDAP profile User Alias Options configuration matches the following example:
To configure recipient verification and alias mapping for gateway mode
1. In the IntGW FortiMail management GUI, click Domain & User > Domain > Domain.
2. Select the internal.lab domain, and then click Edit.
3. In the Recipient Address Verification section, select Use LDAP Server.
4. In the Use LDAP server drop-down list, select InternalLabLDAP.
5. Expand the LDAP Options section.
6. In the User alias / address mapping profile drop-down list, select InternalLabLDAP.
7. Your configuration should match the following example:
You don’t need to configure recipient verification on the IntSRV FortiMail. Recipient
verification is enabled implicitly on a server mode FortiMail because the user
database exists locally.
You also don’t need to configure alias mapping on the IntSRV FortiMail because the
mapping is done by the IntGW FortiMail before it delivers an email message to the
IntSRV FortiMail.
Users will use their Active Directory accounts to authenticate and gain access to the
IntGW FortiMail’s webmail interface for quarantined emails.
If the LDAP profile doesn’t appear in the drop-down list, then you missed a step.
Return to the To configure an LDAP profile on IntSRV FortiMail on page 49 section,
and then follow the listed steps to configure the same LDAP profile on the IntSRV
FortiMail.
If you have configured the server mode user LDAP authentication correctly, the login will be successful.
The webmail GUI in gateway mode gives users access to their Bulk folder, which
contains only quarantined email. You will configure email quarantining in a later lab. In
this section, you are verifying user access only.
Field Value
To invaliduser@internal.lab
4. Click Send.
5. Click Refresh to update the inbox.
You should receive a delivery status notification (DSN) message.
10. Review the log details.
Field Value
To mailuser2@internal.lab
4. Click Send.
5. Visit the IntSRV FortiMail’s webmail GUI:
https://intsrv.internal.lab/
10. Click the Session ID to retrieve the cross search result.
11. Review the AntiSpam log related to the session.
Alias mapping is useful to consolidate multiple email messages for the same user in a
single email account using their primary email address as the identifier. This reduces
account management overhead for the user and the administrator. For example, if a
user has five aliases in addition to a primary email address, FortiMail can use alias
mapping to maintain a single user quarantine mailbox. Otherwise, the user would
have to manage six separate quarantine accounts, as well as the quarantine reports
for each account.
In this exercise, you will explore how FortiMail handles a failed SMTP authentication. You will generate an SMTP
brute force attack and block the offending IP address.
The default block period for an offending IP address is 10 minutes. You can set the
block period to a maximum of 60 minutes and minimum of 5 minutes.
You can also just enter the IP address of the Linux machine, which is 10.0.1.254,
and click Open.
FortiMail uses a variety of adaptive factors to detect and block brute forcing (not just consecutive failures)
and temporarily locks out (tarpits) the user. FortiMail detected a brute force attack and blocked that IP. New
TCP connections from that attacker were denied.
If you do not see the IP address on the Authentication Reputation tab, then run the
following command on the CLI/console of the gateway mode FortiMail. To access the
console, click Dashboard >Console.
# execute db reset sender-reputation
In this lab, you will configure session profiles to inspect the envelope part of SMTP sessions. You will also use
session profiles to hide internal network information from email headers.
Objectives
• Configure session profile connection settings to limit inbound connections to the IntGW FortiMail
• Configure sender address rate control to limit outbound connections on the IntSRV FortiMail
• Configure session profile header manipulation to hide your internal network information
Time to Complete
Estimated: 45 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to the IntSRV FortiMail.
The configuration file adds a new IP policy that causes all email delivery attempts from
the ExtSRV FortiMail to the IntSRV FortiMail to fail temporarily. This is done to ensure
that when the session limits are triggered on the IntGW FortiMail, the ExtSRV
FortiMail can’t deliver to the IntSRV FortiMail directly. The change helps in testing the
session profile settings you will be configuring on IntGW in this lab.
4. Click Restore.
5. Wait for the IntSRV FortiMail to finish rebooting before you proceed with the exercise.
Spammers usually send as many email messages as they can in a small period of time, before legitimate email
servers begin to block delivery. If blocked, the spammers won’t spend the time to retry. Normal email servers will
retry delivery if it fails the first time. One method of blocking spam, while allowing legitimate email messages, is
to limit the number of SMTP sessions that each client can establish in a 30-minute period.
In this exercise, you will configure a session profile on the IntGW FortiMail to limit the number of connections the
ExtSRV FortiMail can establish over a 30-minute period. Then, you will test the connection limitation by sending
consecutive email messages to trigger a violation. You will also verify your configuration by reviewing the logs.
If there are no IP policies configured with a session profile, FortiMail will still rate limit
connections according to its default settings, which are similar to the session_basic_
predefined profile, including the 10 MB size limit, sender reputation enabled, and so
on. To disable the rate limit, you must create and apply a blank session profile.
To validate the connection limits
1. Open a new tab in your browser, and go to the ExtSRV FortiMail webmail GUI:
https://extsrv.external.lab/
There will be one email sent per TCP connection. Therefore, the IntGW FortiMail
should allow the first four but block the fifth, which exceeds your configured connection
limit.
Why are the From, To, and Subject fields empty in this log entry?
FortiMail blocked the client’s attempt when scanning the IP layer of the initial packets
before the SMTP session could be established. The SMTP session contains the SMTP
envelope: the sender’s email address, the recipient’s email address, and the subject.
So those parts of the email were never received.
2. Click Policy > IP Policy > IP Policy.
3. Edit IP policy ID 1.
4. In the session profile drop-down list, select Inbound_Session.
5. Click OK.
While it is important to protect your email users from spammers sending large volumes of email, it is also
important to protect your own MX IP reputation by controlling the volume of email received from internal users.
In this exercise, you will configure sender address rate control on the IntSRV FortiMail. Then, you will send
consecutive email messages to trigger a violation, and verify your configuration using logs.
Field Value
Action Reject
Maximum number of messages per half hour 4
7. Click New.
8. Create a notification profile using the following values:
Field Value
Name NotifyUser1
2. Log in as user2 using the password fortinet.
3. Send five email messages to extuser@external.lab to trigger the rate control limit.
4. Open a new web browser tab, and visit the ExtSRV FortiMail webmail GUI:
https://extsrv.external.lab/
Notification profiles are a convenient feature that can allow administrators to keep
informed of events occurring on FortiMail. Many FortiMail features support notification
profiles.
While session profile connection limits and sender address rate control appear to
function very similarly, there is a major difference in how these limits are applied by
FortiMail.
As you observed in the previous exercise, session profile connection limits are applied
at the IP layer. Sender address rate control limits connections based on the sender
address, which is taken from the MAIL FROM command of the SMTP envelope. So, for
sender address rate control, FortiMail must process at least a portion of the SMTP
envelope. This is also why user2@internal.lab appears in the From: field of the log
entry, whereas the From: field of the session profile connection limit log entries is empty.
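The difference just described, plus the connection-limit exercise before it, as one added Python example (not code from the lab guide): a per-client-IP connection limit is decided before the envelope is read, so its reject entries carry no From/To, while sender address rate control is keyed on MAIL FROM and therefore logs the sender. The sliding half-hour counter, the log field names and the test traffic are assumptions constructed for illustration, not FortiMail's implementation.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

HALF_HOUR = 30 * 60  # both limits in this lab are counted per half hour


@dataclass
class Session:
    """One SMTP connection. mail_from/rcpt_to are only known once the envelope is read."""
    t: int                      # seconds on a constructed timeline
    client_ip: str
    mail_from: Optional[str] = None
    rcpt_to: Optional[str] = None


class SlidingWindowCounter:
    """Counts events per key inside a time window (an assumed simplification of
    FortiMail's counters, used here for illustration only)."""

    def __init__(self, limit: int, window: int = HALF_HOUR) -> None:
        self.limit, self.window = limit, window
        self.events: Dict[str, Deque[int]] = defaultdict(deque)

    def allow(self, key: str, t: int) -> bool:
        queue = self.events[key]
        while queue and t - queue[0] >= self.window:
            queue.popleft()            # drop events that fell out of the window
        if len(queue) >= self.limit:
            return False               # limit reached: refuse, do not count
        queue.append(t)
        return True


def connection_limit_log(sessions: List[Session], limit: int = 4) -> List[dict]:
    """Session profile connection limit as applied on IntGW: decided per client IP
    before the envelope is read, so a rejected entry has empty From/To."""
    counter = SlidingWindowCounter(limit)
    log = []
    for s in sessions:
        if counter.allow(s.client_ip, s.t):
            log.append({"client": s.client_ip, "from": s.mail_from, "to": s.rcpt_to,
                        "disposition": "Accept", "classifier": ""})
        else:
            log.append({"client": s.client_ip, "from": "", "to": "",
                        "disposition": "Reject", "classifier": "Session Limits"})
    return log


def sender_rate_control_log(sessions: List[Session], limit: int = 4) -> List[dict]:
    """Sender address rate control as applied on IntSRV: keyed on MAIL FROM, so the
    envelope has been read and the sender appears in the log even when rejected."""
    counter = SlidingWindowCounter(limit)
    log = []
    for s in sessions:
        accepted = counter.allow(s.mail_from or "", s.t)
        log.append({"client": s.client_ip, "from": s.mail_from, "to": s.rcpt_to,
                    "disposition": "Accept" if accepted else "Reject",
                    "classifier": "" if accepted else "Sender Address Rate Control"})
    return log


# Constructed test traffic, one message per TCP connection: five connections in a row
# from ExtSRV to IntGW, then five messages from user2 (Windows, 10.0.1.10) to IntSRV.
INBOUND = [Session(60 * i, "10.200.1.99", "extuser@external.lab", "user1@internal.lab")
           for i in range(5)]
OUTBOUND = [Session(60 * i, "10.0.1.10", "user2@internal.lab", "extuser@external.lab")
            for i in range(5)]
```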
https://intsrv.internal.lab/admin
Removing internal headers is a common security practice. It hides your internal network information from the
world.
In this exercise, you will observe the effects of header manipulation settings by configuring a session profile on
the IntGW FortiMail to hide internal headers.
To review headers
1. Open a new web browser tab, and go to the ExtSRV FortiMail webmail GUI:
https://extsrv.external.lab/
5. Expand Header Manipulation, and then select the Remove received headers check box.
6. Click OK to save the changes.
The IntGW FortiMail removes all previous Received: headers from the email when
it starts processing it, using IP policy ID 3.
In the Received: header you should only see details about IntGW and ExtSRV.
There should be no information about Windows (10.0.1.10), and IntSRV
(10.0.1.99).
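The effect described above, as an added Python example that is not part of the lab guide: it drops the Received: headers a message carries when IntGW starts processing it, prepends the header ExtSRV adds on delivery, and reports any 10.0.1.0/24 address still visible in the headers other than the gateway's own. The message is a constructed copy of an outbound mail as it reaches IntGW; the hostname windows.internal.lab and the timestamps are assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.1.0/24")
GATEWAY_IP = "10.0.1.11"   # IntGW's own address, expected to remain visible as the MX
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed outbound message as it arrives at IntGW: Windows (Thunderbird) submitted
# it to IntSRV, which relayed it to IntGW. Both internal hops are visible.
OUTBOUND_AT_GATEWAY = """\
Received: from IntSRV.internal.lab ([10.0.1.99])
\tby IntGW.internal.lab with ESMTP; Wed, 9 Jan 2019 11:00:01 +0000
Received: from [10.0.1.10] (windows.internal.lab [10.0.1.10])
\tby IntSRV.internal.lab with ESMTPA; Wed, 9 Jan 2019 11:00:00 +0000
From: user1@internal.lab
To: extuser@external.lab
Subject: header check

Hello from the lab
"""


def split_headers(raw: str) -> Tuple[List[str], str]:
    """Return the unfolded header lines and the body."""
    head, _, body = raw.partition("\n\n")
    lines: List[str] = []
    for line in head.split("\n"):
        if line[:1] in " \t" and lines:
            lines[-1] += " " + line.strip()   # continuation of the previous header
        else:
            lines.append(line)
    return lines, body


def join_message(headers: List[str], body: str) -> str:
    return "\n".join(headers) + "\n\n" + body


def remove_received_headers(raw: str) -> str:
    """What the Remove received headers setting does when IntGW starts processing
    the message: every Received: header added before the gateway is dropped."""
    headers, body = split_headers(raw)
    kept = [h for h in headers if not h.lower().startswith("received:")]
    return join_message(kept, body)


def add_received(raw: str, from_host: str, from_ip: str, by_host: str, stamp: str) -> str:
    """Prepend the Received: header the next MTA adds when it accepts the message."""
    headers, body = split_headers(raw)
    line = f"Received: from {from_host} ([{from_ip}]) by {by_host} with ESMTP; {stamp}"
    return join_message([line] + headers, body)


def leaked_internal_addresses(raw: str, allow: Tuple[str, ...] = (GATEWAY_IP,)) -> List[str]:
    """Internal addresses still visible in the headers, excluding the gateway itself."""
    headers, _ = split_headers(raw)
    found: List[str] = []
    for header in headers:
        for literal in IPV4_RE.findall(header):
            if literal in allow:
                continue
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue
            if addr in INTERNAL_NET and literal not in found:
                found.append(literal)
    return found


def deliver_via_gateway(raw: str, strip: bool) -> str:
    """Model the outbound path: optional header removal on IntGW, then the Received:
    header ExtSRV adds when it accepts the message from IntGW (timestamp assumed)."""
    cleaned = remove_received_headers(raw) if strip else raw
    return add_received(cleaned, "IntGW.internal.lab", GATEWAY_IP, "extsrv.external.lab",
                        "Wed, 9 Jan 2019 11:00:02 +0000")
```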
In this lab, you will apply FortiMail’s local malware detection techniques to scan for viruses in inbound email.
Objectives
• Configure an antivirus profile to enable local malware detection
• Configure an antivirus action profile to replace infected content from an email
• Apply antivirus scanning to inbound email
• Test antivirus functionality
Time to Complete
Estimated: 15 minutes
In this exercise, you will configure an antivirus profile and an antivirus action profile on the IntGW FortiMail. Then,
you will apply the antivirus profile to a recipient-based policy in order to scan all inbound email sent to the
internal.lab domain.
You shouldn’t test your antivirus configuration using a live virus. By doing so, you risk infecting your network’s
hosts if your configuration is incorrect. To test your antivirus configuration without risk of infecting your network,
you will use an EICAR file.
An EICAR file doesn’t contain a real virus. It is a harmless, industry-standard test file that is designed to trigger all
antivirus engines for testing purposes. So, if your antivirus configuration is correct, FortiMail should detect the
EICAR file as a virus.
Field Value
Domain internal.lab
[VIRUS DETECTED]
The action profile that you created doesn’t appear in the list. Why? The list view is
filtered by domain. If you want to show the new profile, change the selection in the
Domain drop-down list. Select internal.lab to view the action profiles for that specific
domain, or select All to view the action profiles for all domains.
Field Value
Domain internal.lab
Field Value
To user1@internal.lab
4. Click Attach.
5. Browse to and select:
Desktop\Resources\Files\eicar.com
6. Wait for the file upload to finish, and then click Send.
To verify AV functionality
1. In Windows, open Thunderbird.
2. Confirm that you received the email message sent from extuser@external.lab.
3. Note that the following actions have been applied to the email message:
- The subject line contains the [VIRUS DETECTED] tag
- The IntGW FortiMail replaced the EICAR file and inserted a replacement message.
To monitor the logs
1. Go to the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin
4. Click the Session ID link to review the cross search result for more details.
In this lab, you will configure antispam scanning for both inbound and outbound email. Then, you will verify your
configuration by sending live spam through the IntGW FortiMail VM. You will also configure quarantine report
settings, and manage user quarantine.
Objectives
- Scan both incoming and outgoing email for spam
- Send spam email to user quarantine
- Manage quarantine report configuration
- Access and explore the user quarantine mailbox
Time to Complete
Estimated: 60 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file.
2. Click System > Maintenance > Configuration, and upload the following configuration file:
Desktop\Resources\Starting Configs\Lab 6\06_Initial_IntSRV.tgz
3. Click Restore.
4. Open a new web browser tab, and visit the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin
5. Click System > Maintenance > Configuration, and upload the following configuration file:
Desktop\Resources\Starting Configs\Lab 6\06_Initial_IntGW.tgz
6. Wait for the VMs to finish rebooting before proceeding with the exercise.
The configuration files disable all session profile inspection features that can
potentially interfere with the antispam testing you will do in this lab.
In this exercise, you will verify the FortiGuard configuration. Then, you will configure an antispam profile to scan
all incoming email and send all spam email to the users’ personal quarantine accounts.
Field Value
Field Value
Domain internal.lab
4. Click Create.
Field Value
Domain internal.lab
4. Click Create.
Field Value
Domain internal.lab
4. Click Create.
5. In the Domain drop-down list, select internal.lab.
6. Select the AS_In antispam profile, and click Edit.
7. Enable the following antispam techniques:
- FortiGuard
- IP Reputation
- Extract IP from Received Header
- URI filter: Primary: phishing
- DMARC check
- Behavior analysis
- Header analysis
- Heuristic
  - The percentage of rules used: 100
- Suspicious newsletter
- Newsletter
8. Click OK to save the changes.
To test your antispam settings, you will use the swaks tool on the Linux VM to send spam to
user1@internal.lab.
You can also just enter the IP address of the Linux machine, which is 10.0.1.254
and click Open.
for ii in `ls`; do swaks -s 10.0.1.11 -f spam@external.lab -t user1@internal.lab -d $ii; done
9. Wait until all the spam emails are sent.
10. Close the PuTTY window.
6. Click the Session ID link of a history log entry, and review the related antispam log for the session.
In this exercise, you will configure outbound antispam scanning on the IntGW FortiMail. Then, you will test the
configuration by sending an outbound email message containing a banned word.
Field Value
Domain System
3. In the Profiles section, in the AntiSpam drop-down list, select AS_Out.
4. Click OK to save the changes.
6. Review the log and verify that the appropriate action was applied to the outbound email message.
7. Click the Session ID link to review the cross search result for more details.
An email user can access their list of quarantined email messages using either POP3 or webmail. In this exercise,
you will access the user1@internal.lab quarantine mailbox on the IntGW FortiMail on the webmail GUI.
You will also configure quarantine report scheduling and generate an on-demand quarantine report. Then, you
will explore the options available in a quarantine report.
3. Try releasing an email from the quarantine mailbox to the user’s inbox.
4. Try deleting a quarantined email.
5. Log out of the webmail interface after you’re finished.
FortiMail auto-generates quarantine reports on schedule only for accounts that have
quarantined email. If a user’s quarantine account is empty, then no report is generated
for that account.
To generate quarantine reports on demand
1. Click Monitor > Quarantine > Personal Quarantine.
2. Select the user1@internal.lab mailbox.
3. Click Send quarantine report to > Selected users.
4. Click OK.
4. The end of the quarantine report contains options to delete all quarantined email messages using either an email
or a web action:
5. Select the web action to delete all of the quarantined email messages for user1@internal.lab.
In this exercise, you will configure FortiMail to inspect all email communications for messages designed to
impersonate critical personnel, and to take appropriate action on these types of messages.
Impersonation analysis is used to detect an email spoofing attack that attempts to deceive the recipient by using
a forged header to make the message appear as though it comes from a trusted sender.
Field Value
Assuming that you have completed the previous exercises in this lab, the antispam
profile AS_In should already be applied to the inbound recipient policy (Policy >
Recipient Policy > Inbound).
To test impersonation
1. In Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.
You can also just enter the IP address of the Linux machine, which is 10.0.1.254
and click Open.
6. Run the following swaks command to impersonate a high-value target user. A copy of the command is in a text file
named commands.txt, which is located in the Resources folder on the Windows desktop.
swaks -f extuser@external.lab -t user1@internal.lab -s 10.0.1.11 --header-From "Corporate CEO <extuser@external.lab>"
In this exercise, you will configure backscatter to detect spam contents in delivery status notifications (DSN).
You will need to disable recipient address verification on the FortiMail IntGW so that you can test backscatter.
You can also just enter the IP address of the Linux machine, which is 10.0.1.254,
and click Open.
6. Click Create.
7. Enable Enable bounce verification.
8. Set Bounce verification action: to Discard.
9. Leave the rest to default settings.
10. Click Apply.
11. Verify your settings:
You can also just enter the IP address of the Linux machine, which is 10.0.1.254,
and click Open.
2. Log in as admin with password password.
3. Click Monitor > Log > History.
4. The first log should correspond to the email you just sent.
5. Verify the Classifier and Disposition.
You will need to disable bounce verification because it could interfere with the next lab exercise.
In this lab, you will configure a content filter to monitor email based on dictionary word scores. You will also
configure the data loss prevention (DLP) feature to detect and block any outbound email containing credit card
numbers. Finally, you will configure and verify the content disarm and reconstruction (CDR) feature on FortiMail.
CDR neutralizes suspicious content in an email and delivers a clean copy of the email to the end user.
Objectives
- Configure a dictionary profile to monitor words using scores
- Configure a content profile to monitor and filter the dictionary profile
- Apply content filtering on all inbound email
- Configure DLP to detect credit card numbers in an email body and attachments
- Apply DLP on all outbound email
- Configure CDR to detect HTML tags and URIs in an email body and attachments
- Apply CDR to all inbound email
Time to Complete
Estimated: 60 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file.
2. Click System > Maintenance > Configuration, and upload the following configuration file:
Desktop\Resources\Starting Configs\Lab 7\07_Initial_IntSRV.tgz
3. Click Restore.
4. Open a new web browser tab, and go to the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin
5. Click System > Maintenance > Configuration, and upload the following configuration file:
Desktop\Resources\Starting Configs\Lab 7\07_Initial_IntGW.tgz
6. Wait for the VMs to finish restarting before proceeding with the exercise.
The configuration files disable bounce verification on IntSRV and the antispam profile
on IntGW that can potentially interfere with the content inspection testing you will do
in this lab.
In this exercise, you will configure the content monitoring and filtering options of a content profile to scan for
specific pattern occurrences in inbound email. Then, you will configure the action to be applied after the same
word occurs three times in an email message.
Field Value
Pattern fortimail
If Enable pattern maximum weight limit is disabled, the pattern can increase an
email’s dictionary match score by more than the amount entered in the Pattern max
weight field.
Field Value
Domain System
Action SysQuarantine_Inbound
4. Expand the Content Monitor and Filtering section.
5. Click New.
6. Configure the content monitor profile using the following values:
Field Value
Dictionary profile WordScores
Minimum score 3
Setting the Minimum score to 3 ensures that the action profile is applied only after
FortiMail has found three occurrences of the pattern in a single email message.
5. Click Send.
The first entry in the History log should correspond to the email that was sent. Notice the values in
the Classifier and Disposition columns.
3. In the Session ID column, click the link to retrieve the cross-search results.
4. Review the antispam log related to the session.
2. Compose a new email to user1@internal.lab.
3. Copy and paste the same message body, but remove two occurrences of the word FortiMail, and then send the
email message.
4. Open Thunderbird, and verify that the email message was delivered to the user1@internal.lab inbox.
In this exercise, you will configure a DLP profile and DLP action profile on the IntGW FortiMail. Then, you will
apply the DLP profile to a recipient-based policy, to scan all outbound email sent from the internal.lab domain.
8. In the second Condition drop-down list, select contains sensitive data.
9. Click Edit.
10. Select the Credit_Card_Number data template, and then click OK.
12. Verify that your Message Scan Rule matches the following example, and then click Create to save the rule.
To configure a DLP profile to apply the DLP rule and action profile
1. Click Data Loss Prevention > Rule & Profile > Profile.
2. Click New to create a new DLP profile.
3. In the Name field, enter DLP_Out.
4. Beside the Action drop-down list, click New.
Field Value
System quarantine
10. Verify that your DLP profile matches the following screenshot, and then click Create to save the profile.
3. In the Profiles section, in the DLP drop-down list, select DLP_Out.
4. Click OK to save the changes.
Field Value
To extuser@external.lab
5. Click Send.
2. Click Monitor > Log > History.
3. Double-click the active log file.
The first entry in the history log should correspond to the email message you just sent.
4. In the Session ID column, click the link to retrieve the cross-search results.
5. Review the antispam log related to the session.
You can also view the logs in Monitor > Quarantine > System Quarantine.
In this exercise, you will configure CDR options in a content profile to scan the HTML content within email bodies
and attachments that may contain potentially hazardous tags and attributes, such as hyperlinks and scripts.
FortiMail provides the capability to remove or neutralize potentially hazardous contents and reconstruct the email
messages and attachment files.
Field Value
Domain internal.lab
[Sanitized Content]
Personal quarantine
6. Click Create.
Field Value
Domain internal.lab
Action CDR_User_Quar
4. Expand the Content Disarm and Reconstruction section.
5. Configure the following values:
Field Value
Action Default
Enable
HTML content
Sanitize HTML content
Remove URIs
PDF Enable
When CDR is configured, the user receives a reconstructed email and attachment. If the user needs to view the
original email, FortiMail can quarantine an unmodified copy of the email for review.
In this exercise, you will test and verify CDR features that you configured in the previous exercise.
You will test sanitizing a PDF file containing HTML links, URL removal, and HTML email sanitation.
4. In the Session ID column, click the link to retrieve the cross-search results.
5. Review the log message.
The recipient will receive the disarmed email.
6. Open the Thunderbird client and verify that user1 received the sanitized email with the attachment.
Stop and think!
Compare the two pdf files: the one that was quarantined and the other email that the user received in the
email client.
Case 1: Open the pdf labdoc file that was attached to the email in Thunderbird and click on the URL
links. Do the links redirect you to the websites?
Case 2: Open the pdf labdoc file that was attached to the email in the personal quarantine folder and
click on the URL links. Do the links redirect you to the websites?
In case 1, the links have been neutralized by CDR; therefore, you are unable to visit the websites
corresponding to those links.
You will test the URI removal feature which detects URIs in email messages. If the feature finds URIs, FortiMail
removes them from the text portion of the email message.
You can also enter the IP address of the Linux machine, which is 10.0.1.254 and
click Open.
A copy of the command is available in a text file named commands.txt, which is located in the Resources
folder on the Windows desktop.
swaks -f extuser@external.lab -t user1@internal.lab -s 10.0.1.11 --ehlo 10.0.1.254 --body 'please visit http://www.fortinet.com and http://www.wicar.org and http://www.cnn.com'
7. On Thunderbird, open the email and verify that the malicious URL has been removed.
8. Go to the IntGW webmail GUI:
https://intgw.internal.lab/
You will send an email with HTML body content and verify that the user receives a clean email from which all
potentially hazardous tags and attributes (such as hyperlinks and scripts) are removed.
You can also just enter the IP address of the Linux machine, which is 10.0.1.254,
and click Open.
swaks takes the contents of the file tosanitize.dat, which contains HTML links
and attributes, and sends it as the body of the email to the named user.
7. Open Thunderbird and review the email.
8. Click in the body of the email.
All links in the body of the email have been neutralized by CDR.
12. Open Thunderbird and open the original email that was just released.
13. Click on the body of the email.
HTML links within the body of the email will redirect the user to various websites.
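The two CDR behaviours tested above, URI removal from the text body and the neutralizing of links and scripts in an HTML body, shown as an added Python example. This is not FortiMail's implementation, only an illustration of the effect; the text body is the one sent by the swaks command, and the HTML sample is constructed.

```python
import html
import re
from html.parser import HTMLParser

# Text body from the lab's swaks command, and a constructed HTML body.
TEXT_BODY = ("please visit http://www.fortinet.com and http://www.wicar.org "
             "and http://www.cnn.com")
HTML_BODY = ('<html><body><p>Invoice: <a href="http://www.wicar.org/" '
             'onclick="steal()">open</a></p>'
             '<img src="http://www.cnn.com/pixel.gif" alt="x"/>'
             '<script>document.location="http://www.wicar.org/";</script>'
             '</body></html>')

URI_RE = re.compile(r"""\b(?:https?|ftp)://[^\s<>'"]+""", re.IGNORECASE)


def remove_uris(text: str, replacement: str = "[URI removed]") -> tuple[str, int]:
    """Strip every URI from a text/plain body; returns (new text, count removed)."""
    return URI_RE.subn(replacement, text)


class HtmlDisarmer(HTMLParser):
    """Rebuild an HTML body without active content: <script>-like elements are
    dropped entirely, and href/src/action and on* attributes are removed, so
    links and event handlers no longer do anything when the user clicks."""

    DROP_ELEMENTS = {"script", "iframe", "object", "embed", "applet"}
    DROP_ATTRS = {"href", "src", "action", "formaction"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0   # >0 while inside a dropped element
        self.removed = 0       # elements plus attributes removed

    def _format_attrs(self, attrs) -> str:
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname in self.DROP_ATTRS or lname.startswith("on"):
                self.removed += 1
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_ELEMENTS:
            self._skip_depth += 1
            self.removed += 1
        elif not self._skip_depth:
            self.out.append(f"<{tag}{self._format_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in self.DROP_ELEMENTS:
            self.removed += 1
        elif not self._skip_depth:
            self.out.append(f"<{tag}{self._format_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag in self.DROP_ELEMENTS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Re-escape text so decoded entities cannot form new markup.
            self.out.append(html.escape(data, quote=False))


def disarm_html(body: str) -> tuple[str, int]:
    """Return (sanitized HTML, number of elements/attributes removed)."""
    parser = HtmlDisarmer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    print(remove_uris(TEXT_BODY))
    print(disarm_html(HTML_BODY))
```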
In this lab, you will implement SMTPS between the IntGW and IntSRV FortiMail VMs. You will also configure
content inspection-based identity-based encryption (IBE) and verify your configuration by sending a secure email.
Objectives
- Implement SMTPS between the IntGW and IntSRV FortiMail devices
- Implement content inspection-based IBE
- Configure the dictionary profile with the trigger word
- Configure an encryption profile
- Configure a content action profile to apply the encryption profile
- Apply the dictionary profile and content action profile to a content profile
- Apply the content profile to an outbound recipient-based policy
- Register an IBE user, and access the IBE email
Time to Complete
Estimated: 40 minutes
In this section, you will configure SMTPS between the IntGW and IntSRV FortiMail devices. You will also
compare logged details before and after implementing SMTPS.
To review logs
1. On Windows, open a web browser, and go to the ExtSRV FortiMail’s webmail GUI:
https://extsrv.external.lab/
8. Click the Session ID to retrieve the cross search result, and then review the last two entries, which contain details
about the session between the IntGW and IntSRV FortiMail devices.
By default, FortiMail uses SMTP over TLS if the recipient MTA supports it. In this
session, IntSRV is the recipient MTA.
To configure SMTPS
1. Go to the IntGW FortiMail’s management GUI:
https://intgw.internal.lab/admin
To verify SMTPS
1. Go to the ExtSRV FortiMail webmail GUI:
https://extsrv.external.lab/
5. Click the session ID to retrieve the cross-search result, and then review the last two entries, which should
indicate the switchover to SMTPS from STARTTLS.
The underlying encryption mechanism for SMTPS and SMTP over TLS is the same.
Both protocols use SSL or TLS. In this case, the FortiMail devices negotiated
TLSv1.2. The difference lies in how and when that TLS encryption is applied.
When SMTP over TLS is used, the connection is made on the standard SMTP port,
TCP port 25. If the recipient MTA supports the STARTTLS extension, the sender
chooses whether SMTP over TLS is used by transmitting the STARTTLS command.
This STARTTLS request happens after the envelope exchange, and so, in SMTP over
TLS, only a portion of the session is encrypted.
When SMTPS is used, the client initiates the SMTP session with the server over a
fully encrypted tunnel using a separate TCP port: port 465. SMTPS encrypts the full
session.
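As an added check that is not part of the lab guide, the following standard-library Python script probes an MTA both ways described above: a clear-text connection on port 25 upgraded with STARTTLS, and implicit TLS on port 465 (SMTPS), reporting the negotiated TLS version in each case. The hostnames and ports are the lab's; the verify flag is this example's own, and the sample EHLO reply is constructed.

```python
import smtplib
import ssl

# Constructed EHLO reply in the shape smtplib.SMTP.ehlo() returns it: the
# first line is the server greeting, each further line one extension keyword.
SAMPLE_EHLO_REPLY = (b"intgw.internal.lab Hello [10.0.1.254]\n"
                     b"STARTTLS\nSIZE 10240000\n8BITMIME")


def parse_ehlo_extensions(ehlo_reply: bytes) -> set[str]:
    """Return the upper-cased extension keywords advertised in an EHLO reply."""
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    keywords = set()
    for line in lines[1:]:  # lines[0] is the greeting, not an extension
        keyword = line.strip().split(" ", 1)[0].upper()
        if keyword:
            keywords.add(keyword)
    return keywords


def _tls_context(verify: bool) -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    if not verify:
        # The lab FortiMail units use self-signed certificates, so verification
        # fails there. Keep verify=True against production MTAs.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_starttls(host: str, port: int = 25, timeout: float = 10.0,
                   verify: bool = True) -> dict:
    """SMTP over TLS: connect in clear text, then upgrade with STARTTLS.

    The banner, the first EHLO and the STARTTLS command itself cross the wire
    unencrypted; only what follows the upgrade is protected.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, ehlo_reply = smtp.ehlo()
        if "STARTTLS" not in parse_ehlo_extensions(ehlo_reply):
            return {"mode": "starttls", "offered": False, "tls_version": None}
        smtp.starttls(context=_tls_context(verify))
        smtp.ehlo()  # RFC 3207: send a fresh EHLO once TLS is up
        return {"mode": "starttls", "offered": True,
                "tls_version": smtp.sock.version()}


def check_smtps(host: str, port: int = 465, timeout: float = 10.0,
                verify: bool = True) -> dict:
    """SMTPS: the TLS handshake completes before any SMTP byte is exchanged,
    so the whole session, banner included, is encrypted."""
    with smtplib.SMTP_SSL(host, port, timeout=timeout,
                          context=_tls_context(verify)) as smtp:
        smtp.ehlo()
        return {"mode": "smtps", "tls_version": smtp.sock.version()}


if __name__ == "__main__":
    # Example run against IntSRV, the recipient MTA in this exercise.
    for check in (check_starttls, check_smtps):
        try:
            print(check("intsrv.internal.lab", verify=False))
        except (OSError, smtplib.SMTPException) as exc:
            print(f"{check.__name__}: failed ({exc})")
```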
In this exercise, you will configure content inspection-based IBE. You will also verify your configuration by sending
an IBE email message and reviewing the logs.
Field Value
Field Value
Pattern \[CONFIDENTIAL]
Field Value
Field Value
Domain System
IBE_Pull
Field Value
Domain System
Action CF_IBE_Pull
7. Click Create to save the Content Monitor profile.
8. Click Create to save the Content profile.
Field Value
To extuser@external.lab
4. Click Send.
3. Click the Session ID link to retrieve the cross search results, and review the antispam and encryption logs related
to the session.
In this exercise, you will register a new IBE user. Then, you will log in to the secure portal to retrieve the IBE
email. You will also see the message read notification email messages that the sender receives after the IBE user
has read the IBE email.
4. Click the link in the notification email to access the encrypted email.
5. Click Register.
If you get an invalid user error during registration, you can ignore it. The user has
been created even though the error appears.
7. Click Continue.
In this lab, you will build an active-passive FortiMail HA cluster that has two FortiMail VMs. The cluster will
operate in server mode.
You will configure the IntSRV FortiMail (10.0.1.99) as the primary and the IntGW FortiMail (10.0.1.11) as
the secondary. You will verify the HA and configuration synchronization status, configure a virtual IP, and use the
HA service monitor to detect when the SMTP service connectivity fails on the primary FortiMail.
The lab network DNS server has the following CNAME records to aid in identifying the two clustered devices:
Objectives
- Configure a FortiMail HA group to synchronize their configuration and data
- Verify cluster health
- Configure HA virtual IP
- Configure remote services monitoring
Time to Complete
Estimated: 50 minutes
Prerequisites
Before beginning this lab, you must change the operation mode of the IntGW FortiMail.
7. Log in to the management GUI, and then verify that the following system settings persisted:
- Interface (System > Network > Interface)
- Route (System > Network > Routing)
- DNS (System > Network > DNS)
9. Verify the status of the following mail settings. The settings should have reset to factory default values.
- Mail server settings (System > Mail Settings > Mail Server Settings)
- Domains (Domain & User > Domain > Domain)
10. The IntGW FortiMail is ready to be configured as a secondary device in the cluster.
Caution: When doing the lab exercises, ensure you are applying the configuration
changes to the correct FortiMail VM.
If at any point you wish to reset the configuration state for the FortiMail VMs, you can
restore the following configuration files:
Always restore the secondary unit first, and then the primary. The configuration files
will restore the VMs to the standalone states they were in at the end of the Securing
Communications on page 112 lab.
In this exercise, you will configure the mail server settings on the primary FortiMail. Then, you will configure the
HA settings.
Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the
self-signed FortiMail certificate.
Field Value
2. Expand the Advanced options section, and then configure the following values:
Field Value
3. Click Apply.
4. In the Interface section, double-click port1 and configure the following settings:
Field Value
In this exercise, you will configure the mail server settings on the secondary FortiMail because they are not
synchronized. Then, you will configure the HA settings, and verify that the cluster has formed.
Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the
self-signed FortiMail certificate.
4. Click OK.
5. Click System > Mail Settings > Mail Server Settings.
6. Configure the following values:
Field Value
Hostname secondary
7. Click Apply.
Field Value
3. Expand the Advanced options section, and then configure the following values:
Field Value
4. Click Apply.
5. In the Interface section, double-click port1.
6. Configure the following values:
Field Value
As soon as the two devices join in a cluster and complete synchronization, the
secondary device’s management GUI session will time out and return you to the login
prompt. This process may take a few minutes.
In this exercise, you will verify the HA and configuration synchronization status.
4. You can find the same information by clicking System > High Availability > Status.
7. Click Create.
8. Go to the secondary FortiMail management GUI:
https://secondary.internal.lab/admin
9. Click Policy > Recipient Policy > Inbound, and then verify that the new policy has synchronized with the
secondary device.
4. Open a new web browser tab, and visit the secondary FortiMail’s management GUI:
https://secondary.internal.lab/admin
In this exercise, you will configure a virtual IP for the HA cluster. You will also verify the virtual IP function by
forcing a failover.
Field Value
Field Value
Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the
self-signed FortiMail certificate.
2. Log in as admin and leave the password field empty.
3. Click System > Mail Settings > Mail Server Settings.
4. Verify the host name of the current cluster device that owns the virtual IP. It should be primary.
7. You should be presented with the following banner, which belongs to the primary device:
220 primary.internal.lab ESMTP Smtpd;
4. Click OK.
This forces a failover to the secondary device.
5. The following banner, which belongs to the secondary device, should appear:
220 secondary.internal.lab ESMTP Smtpd;
4. Click OK.
This forces a failover to the primary device.
In addition to hardware failure, it’s often useful for cluster devices to monitor the network connectivity and
services of each other. This ensures a failover occurs if any of these services experience an outage.
In this exercise, you will configure remote SMTP service monitoring on both cluster devices. Then, you will trigger
a service-based failover to verify the configuration, and then verify the failover using event logs.
Field Value
Enable Enabled
Remote IP 10.0.1.11
Timeout 10
Interval 30
Retries 2
For the purposes of this lab, you are reducing the time values to their lowest
configurable value to speed things up. In a live production environment, the default
values are a good place to start. You can fine tune them as you discover what kind of
outage your email network can tolerate.
Using this procedure, you configured the secondary device to test the primary
device’s port 25 connectivity every 30 seconds (Interval). If a connection attempt
does not succeed within 10 seconds (Timeout), it is considered a failure. Two (Retries)
failures must occur before the secondary device forces a failover.
4. Configure the following values:
Field Value
Enable Enabled
Remote IP 10.0.1.99
Timeout 10
Interval 30
Retries 2
Using this procedure, you changed the SMTP service port on the primary FortiMail to
port 125. Because of this change, the secondary FortiMail can no longer detect SMTP
services on port 25 and should trigger a failover based on remote service failure.
You must wait a few minutes for the secondary device to go through the service
monitoring check schedule before a failover is triggered.
Event logs related to the remote SMTP service should show up when the secondary device detects failure for
the first time.
After the second detection, the secondary device takes over as the active member.
2. Click System > Mail Settings > Mail Server Settings.
3. Change the SMTP server port number value back to 25.
4. Click Apply.
5. Click System > High Availability > Status.
6. In the Actions section, click Restart the HA system.
The system prompts you to confirm your action.
7. Click OK.
8. Click Refresh.
The primary FortiMail reverts to the master role.
In this lab, you will configure server mode resource profiles, and see their effect on user resource allocation. You
will also populate the global address book from the LDAP server.
Objectives
- Configure resource profiles
- Configure LDAP mapping to import a domain address book
Time to Complete
Estimated: 40 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file.
4. Click Restore.
5. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:
https://intsrv.internal.lab/admin
8. Click OK.
9. Wait for the VMs to finish restarting before proceeding with the exercise.
The configuration files will restore the devices to the standalone states they were in
before you completed High Availability on page 125.
In this exercise, you will review the IntSRV FortiMail configuration. Then, you will configure resource profiles, and
observe their effects on resource allocation for email users.
4. Click the address book icon and find the address books that user1 has access to.
If there are no resource profiles configured, server mode users have access to their
personal address book only.
2. Click Profile > Resource > Resource.
3. Click New.
4. Create a new resource profile using the following values:
Field Value
Domain internal.lab
Field Value
Domain internal.lab
Field Value
Domain internal.lab
user1
Resource PowerUsers
Field Value
Domain internal.lab
user2
Resource RegularUsers
For larger deployments that have different levels of resource allocation requirements,
you can create recipient policies for local or LDAP groups, and assign resource profiles
using separate recipient policies.
3. Verify user1 has the disk quota and address book access as defined in the PowerUsers resource profile.
4. Log out of user1’s account.
5. Log in as user2 using the password fortinet.
6. Verify user2 has the disk quota and address book access as defined by the RegularUsers resource profile.
In this exercise, you will review the existing LDAP profile you configured in Authentication on page 40. Then, you
will configure an LDAP mapping profile, and use the LDAP profile to import contacts into the domain address
book.
5. Click Cancel.
When the LDAP mapping profile uses the existing LDAP profile to import contacts, it
starts from the base DN. To ensure the LDAP mapping profile doesn’t import Active
Directory system accounts, configure the base DN to point to the location of the user
accounts.
To configure an LDAP mapping profile
1. Click Domain & User > Address Book > LDAP Mapping.
2. Click New.
3. Create a new mapping profile using the values shown here. To add new contact fields, click +.
Field Value
Display name cn
Last name sn
Title title
Department department
To review how to find LDAP attributes of Active Directory objects, you can refer to the
LDAP Operations exercise in Authentication on page 40.
To import contacts from LDAP
1. Click Domain & User > Address Book > Contact.
2. In the Domain drop-down list, select internal.lab.
3. In the More drop-down list, select Import and then select LDAP.
4. Configure the following values:
Field Value
5. Click OK.
The system notifies you that LDAP synchronization is running.
6. Click OK.
You should see all the users that were imported from the Training Users OU in the internal.lab address book.
In this lab, you will configure a transparent mode FortiMail to process bidirectional email for the external.lab
domain using the built-in MTA. You will also configure and verify bidirectional transparency.
Objectives
- Configure a transparent mode FortiMail to process bidirectional email
- Verify built-in MTA functionality
- Configure bidirectional transparency
Time to Complete
Estimated: 50 minutes
In this exercise, you will review the initial system configuration and the topology for the ExtTP FortiMail VM.
Then, you will perform the rest of the basic configuration tasks required to establish bidirectional email flow. You
will also verify built-in MTA functionality using logs.
Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the
self-signed FortiMail certificate.
Field Value
Field Value
5. Click Cancel.
6. Double-click port2.
7. Configure the following SMTP proxy values:
Field Value
Because port1 is the closest interface to the source for all inbound email, port1’s
incoming connections are proxied. Port2 is the closest interface to the source for all
outbound email, so port2’s outbound connections are proxied.
Field Value
Field Value
3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Domain & User > Domain > Domain.
5. Click New to add a protected domain using the following values:
Field Value
Field Value
*@external.lab
10.200.1.99/32
Action Relay
Field Value
To extuser@external.lab
4. Click Send.
5. Open a new web browser tab, and go to the ExtSRV FortiMail webmail GUI:
https://extsrv.external.lab/
9. On Thunderbird, verify that the reply was received.
10. Visit the ExtTP FortiMail management GUI:
https://exttp.external.lab/admin
13. View the details for each log, and review the values beside Direction and Mailer.
FortiMail is using its built-in MTA to route email in both directions. The value
mta beside Mailer shows this.
You have verified that the ExtTP FortiMail is picking up email in both directions, and using the built-in MTA to
route email to its intended destination successfully.
In this exercise, you will examine email headers to investigate the transparency of ExtTP FortiMail’s email
processing. Then, you will configure transparency for both incoming and outgoing email.
You should see that the transparent mode FortiMail is not really transparent in the
email headers.
5. Enable Hide the transparent box.
6. Click OK to save the changes.
3. In the Connection Settings section, enable Hide this box from the mail server.
4. Click OK.
While the header is now showing the IP address of the ExtSRV FortiMail
(10.200.1.99), the hostname still shows ExtTP.external.lab. This is because the
ExtTP FortiMail uses its own hostname in the SMTP greeting. There is one more
configuration change you must make to prevent this.
6. Click OK.
7. Click OK.
In this lab, you will configure and generate a local report, monitor system resource use, and perform local storage
management.
Objectives
l Configure and generate a local report
l Monitor historical and real-time system resource use
l Partition a disk to allocate more space to the log disk
Time to Complete
Estimated: 25 minutes
In this exercise, you will configure a local report to query the IntGW FortiMail’s mail filtering statistics. Then, you
will generate an on-demand report and review the statistics.
In a production FortiMail, you should also configure scheduling and add a notification
email so that the report is automatically generated and sent to you by email. The
scheduled reporting will help keep you up-to-date on the email trends of your network.
3. Click OK.
4. Use the menu on the left to navigate and review the data.
In this exercise, you will view the historical and real-time resources used by the IntGW FortiMail.
A list of system processes is displayed. The processes consuming the most CPU are at
the top of the list. The list refreshes every second, which gives you a real-time view of
the system’s resource use. To stop the output, press Q.
To generate traffic
1. On Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.
You can also enter the IP address of the Linux machine, which is 10.0.1.254, and
then click Open.
A copy of the command is in a text file named commands.txt, which is located in the Resources folder on
the Windows desktop.
By default, the mail disk partition size is 80% of the total disk. For a gateway mode FortiMail, this can mean that
a lot of unused space is taken up by the mail disk partition.
In this exercise, you will partition the IntGW FortiMail local storage, and allocate more space to the log disk
partition.
You should always perform disk formatting and partitioning tasks using the console
connection. This allows you to monitor the entire process and take action, in case of
errors.
3. Log in as admin and leave the password field empty.
4. Type the following commands to change the log disk partition size to 50% of the total storage:
execute partitionlogdisk 50
The system warns you about data loss on the mail and log disk. Press Y.
The internal.lab users are complaining that they are not able to send or receive email. In this lab, you will use
SMTP event logs and the built-in packet capture tools to investigate and remedy the mail flow issues.
Objectives
l Investigate user complaints
l Use SMTP event logs and packet capturing to determine where the issue is occurring
l Remedy the email flow issue
Time to Complete
Estimated: 60 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file.
4. Click Restore.
5. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:
https://intsrv.internal.lab/admin
8. Wait for the VMs to finish restarting before proceeding with the exercise.
The config files introduce errors that cause the mail flow issues. Try to follow the
methodologies presented in the lab to troubleshoot and remedy the problem.
In this exercise, you will verify the problem. Then, you will use SMTP event logs and packet capturing to
determine where the issue lies.
5. Open a new web browser tab and go to the IntGW FortiMail management GUI:
https://intgw.internal.lab/admin
In this particular instance, the history log details don’t provide much information. You
must dig deeper.
The first two event logs relate to the external part of the session, from ExtSRV to
IntGW. The third event log relates to the internal part of the session, from IntGW to
IntSRV.
The external part of the session appears to be without issues. The internal part of the
session appears to be experiencing problems. Specifically, the connection from IntGW
to IntSRV is being refused. However, the reason for the refusal isn’t listed.
Hint: It won’t work!
3. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:
https://intsrv.internal.lab/admin
If you can’t find an entry in the history or event logs for a specific session, it means
there is an issue at either the IP or TCP layer. In these types of scenarios, only a traffic
capture might show you what the problem is.
Field Value
Description InboundCapture
Duration 10 minutes
Interface port1
IP/Host 10.0.1.99
Filter None
After investigating the inbound email flow, you established that the issue appears to
be with the internal portion of the email session. Therefore, you are only interested in
seeing traffic for the IntSRV (10.0.1.99) FortiMail.
5. Click Create.
6. Visit the ExtSRV FortiMail webmail GUI:
https://extsrv.external.lab/
7. Send a new email message to user1@internal.lab.
8. Visit the IntGW FortiMail management GUI.
9. Click System > Network > Traffic Capture.
10. Click Refresh until you see the Size(Byte) column populated.
11. Select the capture, and then click Stop.
12. Select the capture again, and then click Export.
13. Save the capture file to the desktop.
4. Select the first packet (Source: 10.0.1.11 Destination 10.0.1.99), and expand the Transmission Control
Protocol header.
5. Review the details:
This is the first packet of the session between IntGW (10.0.1.11) and IntSRV
(10.0.1.99) on port 465 (Dst Port). This packet has a sequence number of 0 and is
flagged as the SYN packet. This packet is expected, since all TCP sessions start with a
SYN packet.
6. Select the second packet (Source: 10.0.1.99 Destination 10.0.1.11), and expand the Transmission
Control Protocol header.
7. Review the details:
This second packet is not expected. It has a RST/ACK flag. The IntSRV FortiMail is
sending a reset as soon as IntGW attempts to set up a TCP session on port 465. The
expected packet would have been a SYN/ACK, but that is not the case.
From the above analysis, you can start to form an idea about the root cause. The
IntGW FortiMail is sending a SYN packet for port 465 (SMTPS); however, the IntSRV
FortiMail is refusing the session. You know, and can verify, that it is not related to IP
addressing, because if it were, you would not see a reply packet at all. So, it must be
related to the TCP port. However, before you try to fix this issue, have a look at the
outbound session using a packet capture.
To capture outbound email traffic
1. On Windows, open a PuTTY window.
2. Double-click the preconfigured session for IntSRV.
3. Log in as admin and leave the password field empty.
4. Type the following commands to start a packet capture:
diagnose sniffer packet any "host 10.0.1.10 and port 25" 4
The filter is set up to capture SMTP (port 25) traffic from the 10.0.1.10 host
(Windows).
The IntSRV FortiMail is showing similar behavior for outbound traffic. The
10.0.1.10 host is initiating the session on port 25 with a SYN packet. However, the
10.0.1.99 host is refusing the session with an RST.
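The two captures above (the inbound Wireshark analysis of the IntGW to IntSRV session, and the outbound sniffer output) are read the same way: the first packet must be a SYN, and the reply to it tells you where the failure is. The script below is an added example, not part of the lab guide or of any FortiMail tool, that decodes raw IPv4/TCP headers and applies that reasoning automatically. It constructs its own sample packets (addresses and ports borrowed from the lab topology, sequence numbers and source ports made up) and classifies each session as accepted (SYN/ACK), refused (RST/ACK, so the host is reachable but nothing accepts the port) or unanswered (no reply, so suspect the IP layer rather than the port).

```python
"""
Classify a TCP connection attempt from raw packet bytes, the way the lab
reads the IntGW -> IntSRV capture: find the SYN, then judge the reply.
  SYN/ACK  -> the port accepted the session
  RST/ACK  -> host reachable, but the port is closed / service not listening
  no reply -> IP-layer problem (addressing, routing, filtering), not the port
"""
import struct
from ipaddress import IPv4Address

# TCP flag bits (RFC 9293). ACK is listed last so SYN/ACK and RST/ACK
# render in the order a packet analyzer shows them.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (FIN, "FIN"), (ACK, "ACK")]


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags):
    """Construct a bare IPv4 + TCP header pair (no options, no payload,
    checksums left at zero). Only used to fabricate sample packets here."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers of one packet into a dict."""
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def flag_string(flags):
    """Render flag bits as an analyzer would, e.g. 'RST/ACK'."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return "/".join(names) if names else "none"


def classify_handshake(packets):
    """Find the first SYN and the first packet answering it on the reversed
    4-tuple, and return (verdict, explanation)."""
    syn = None
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if syn is None:
            if p["flags"] & SYN and not p["flags"] & ACK:
                syn = p
            continue
        # Only traffic flowing back on the same ports answers this SYN
        if (p["src"], p["sport"], p["dst"], p["dport"]) != \
           (syn["dst"], syn["dport"], syn["src"], syn["sport"]):
            continue
        if p["flags"] & RST:
            return ("refused", f"{p['src']} answered the SYN to port {syn['dport']} with "
                               f"{flag_string(p['flags'])}: host reachable, port not accepting")
        if p["flags"] & SYN and p["flags"] & ACK:
            return ("accepted", f"port {syn['dport']} on {p['src']} replied with SYN/ACK")
    if syn is None:
        return ("no_syn", "capture contains no SYN: check the filter and interface")
    return ("no_reply", f"{syn['dst']} never answered the SYN to port {syn['dport']}: "
                        "suspect the IP layer (addressing, routing, filtering), not the port")


# Constructed sample traffic (assumed values, not taken from a real capture):
# IntGW 10.0.1.11 opening port 465 on IntSRV 10.0.1.99, answered with RST/ACK.
SAMPLE_REFUSED = [
    build_ipv4_tcp("10.0.1.11", "10.0.1.99", 40513, 465, seq=1000, ack=0, flags=SYN),
    build_ipv4_tcp("10.0.1.99", "10.0.1.11", 465, 40513, seq=0, ack=1001, flags=RST | ACK),
]
# The healthy case: the same peer accepting port 25 with SYN/ACK.
SAMPLE_ACCEPTED = [
    build_ipv4_tcp("10.0.1.11", "10.0.1.99", 40514, 25, seq=2000, ack=0, flags=SYN),
    build_ipv4_tcp("10.0.1.99", "10.0.1.11", 25, 40514, seq=7000, ack=2001, flags=SYN | ACK),
]
# A SYN that is never answered at all.
SAMPLE_SILENT = [
    build_ipv4_tcp("10.0.1.11", "10.0.1.99", 40515, 465, seq=3000, ack=0, flags=SYN),
]

if __name__ == "__main__":
    for name, pkts in (("refused", SAMPLE_REFUSED), ("accepted", SAMPLE_ACCEPTED),
                       ("silent", SAMPLE_SILENT)):
        verdict, detail = classify_handshake(pkts)
        print(f"{name:>8}: {verdict} - {detail}")
```

The distinction the classifier draws is the one the lab relies on: an RST proves the packets reached the IntSRV host and that its IP stack answered, so the fault is confined to the listening port (and in this lab, to the Mail Server Settings that decide which port the server expects), whereas silence would send you back to addressing or routing.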
In this exercise, you will review the configuration and fix any errors. Then, you will verify your changes by sending
email in both directions.
Hint: Check System > Mail Settings > Mail Server Settings.
4. Fix any errors you see on the Mail Server Settings tab.
If your changes are correct, the email message will be delivered to the recipient.
2. Open another web browser tab, and go to the ExtSRV FortiMail webmail GUI:
https://extsrv.external.lab/
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.