FortiMail: Preventing ISPs from Being Blacklisted

System Settings

In order for FortiMail to intercept all SMTP sessions, regardless of the destination address, FortiMail must operate as a transparent proxy.  

For the follow procedure to work, set your FortiMail unit to transparent mode and enable proxies.

1. Go to System > System Status > Status.
2. Select Transparent from the Operation mode dropdown menu.
3. Go to Mail Settings > Proxies > Proxies.
4. Select the For outgoing SMTP connections checkbox.
5. Select Apply.

Network Configuration

With FortiMail in transparent mode we can now configure some general network settings.

First we will need to configure the SMTP interfaces in route mode and set their IP addresses.

1. Go to System > Network > Interface.
2. Select New or right click an existing port and select Edit.
3. Enter the desired IP addresses for port1, port2, and port3. For example, port1 will be the management IP address, port2 private, and port3 the internet. All other interfaces except port1 can be removed from the bridge.

Next we will need to configure gateway settings.

1. Go to System > Network > Routing.
2. Select New or right click an existing port and select Edit.
3. Enter the desired gateway number for each port and for port2 and por3, enter the destination IP/netmask.

Interfaces have two proxies listening to SMTP sessions: 
– the incoming proxies that listens to sessions destined to internal mail server.
– the outgoing proxy that picks up any other sessions.

The outgoing proxy should be enabled on the internal interface, the one that receives outgoing sessions from subscribers (for example, port2).

1. Go to System > Network > Interface.
2. Right click port2 and select Edit.
3. Select Proxy from the Outgoing connections dropdown menu in the SMTP Proxy section and then select OK.
4. Right click port3 and select Edit.
5. Select Pass through form the Outgoing connections dropdown menu in the SMTP Proxy section and then select OK.

FortiMail should be configured with two DNS servers. Fast answers from DNS servers are critical to maximize performance. 

1. Go to System > Network > DNS.
2. Enter both the primary DNS server and the Secondary DNS server in their respective fields.
3. Select Apply.

Access Control Configuration

Access control rules specify whether the FortiMail unit processes and relays, rejects, or discards email messages for SMTP sessions initiated by SMTP clients.

To configure the SMTP access controls

1. Go to Policy > Access Control > Receiving.
2. Select New. 
3. Enter the necessary IP in the Sender IP/netmask field.
4. Select Authenticated from the Authentication status dropdown menu
5. Select Relay from the Action dropdown menu.
6. Select OK.
7. Select New.
8. Enter the necessary IP in the Sender ip/netmask field.
9. Select Any from the Authentication status dropdown menu.
10. Select Reject from the Action dropdown menu.
11. Select OK.

Log Setting Configuration

To configure logging to the local hard disk

1. Go to Log and Reporting > Log Settings > Local Log Settings.
2. Enable Log to Local Disk.
3. Enter the file size limit of the current log file in megabytes in the Log file size field
4. Select Information from the Log level dropdown menu.
5. Enable Event Log in the Logging Policy Configuration section.
6. Enable AntiVirus Log, AntiSpam Log, History Log, and Encryption Log in the Logging Policy Configuration section.
7. Select Apply. 

Radius Configuration

FortiMail uses your RADIUS accounting records to combat spam and viruses, which reduces the likelihood of spam and viruses being sent from your network to other networks. By configuring the connection with the RADIUS server, we can greatly reduce the possibility of having your public IP address blacklisted.

To configure your RADIUS server

1. Configure the FortiMail unit as an auxiliary RADIUS server on your RADIUS server, to which it will send copies when its accounting records change.
2. Configure the server to send the Calling-Station-ID and the Framed-IP-Address attributes to the FortiMail unit.

   The data type of the value of Calling-Station-ID may vary. For 3G subscribers, the RADIUS server typically uses Calling-Station-ID to contain an MSISDN. For ADSL subscribers, the RADIUS server typically contains a login ID, such as an email address.

3. Determine whether your RADIUS server sends the Framed-IP-Address attribute’s value in network order (e.g. 192.168.1.10) or host order (e.g. 10.1.168.192).
4. Verify that routing and firewall policies permit RADIUS accounting records to reach the FortiMail unit.

With your RADIUS server properly configured, we now need to enable the FortiMail unit to receive RADIUS records.

1. Connect to the CLI.
2. Enter the following command to enable the FortiMail unit to receive RADIUS records by starting the endpoint reputation daemon:
   config antispam settings
       set carrier-endpoint-status enable
   end
3. Enter the following command to configure the RADIUS secret:
   config antispam settings
       set carrier-endpoint-acc-secret <secret_str>
   end
4. Enter the following command to configure whether to enable or disable the FortiMail unit to validate RADIUS requests using teh RADIUS secret:
   config antispam settings
       set carrier-endpoint-acc-validate <enable | disable>
   end
5. Enter the following command to configure whether or not the FortiMail unit will acknowledge accounting records:
   config antispam settings
       set carrier-endpoint-acc-response <enable | disable>
   end
6. Enter the following command to indicate that the RADIUS server will send the value of the Framed-IP-Address attribute in network order:
   config antispam settings
      set carrier-endpoint-framed-ip-order <host-order | network-order>

Policy and Profile Settings

Use session profiles to control outgoing traffic. To configure the session profile for connections from external SMTP clients:

1. Go to Profile > Session > Session. 
2. Select New.
3. Enter a name for the session profile in the Profile Name field (e.g. external_session_profile).
4. Enable Hide this box from the mail server.
5. Enable Enable sender reputation and enter the appropriate information.
6. Enable Prevent encryption of the session under the Session Settings section. 
7. Enable Prevent open relaying under the Unauthenticated Session Settings section.
8. Select Create. 

Before continuing, be sure to create an ntispam and antivirus profile by going to Profile > AntiSpam > AntiSpam or Profile > AntiVirus > AntiVirus.

Your session profile, once configured, applies to IP based policies governing SMTP client connections. 

To configure the IP-based policy for connections

1. Go to Policy > Policies > IP Policies
2. Select Edit for the default policy whose Match column contains 0.0.0.0/0 — > 0.0.0.0/0.
3. Select your previously created session profile from the Session dropdown menu in the Profiles section. 
4. Select your antispam and antivirus profiles from their respective dropdown menus.
5. Select OK.