Solution Brief
FortiMail for Service Providers
Nathalie Rivat
Agenda
FortiMail for Internet Service Providers
Outbound antispam to prevent blacklisting
MMS routing for Mobile Operators
Inbound antispam for internal mail servers
Free mailboxes for ADSL/3G subscribers
Corporate employee mailboxes
FortiMail for Mail Service Providers
Inbound antispam for enterprise customers
Deployment options:
Hosted AV/AS - In the cloud
Remote AV/AS - As a CPE device
Key Features
FortiMail Product Line
ISP Blacklisting Context
When a spammer uses an ADSL/3G connection to support
illegal activities:
The computer is identified as a source of spam by popular
DNSBL services (DNS BlackList)
As a result, its IP address is registered in a blacklist database
Most Internet MTAs refuse mail from blacklisted IP addresses
DNSBL is a popular technique, widely used by antispam GWs
[Diagram: a source of spam on the ADSL network or the 3G mobile network sends outgoing mail to the Internet from a black IP. The antispam GW in front of the MTA sends a DNSBL query to the DNSBL server (database of black IPs); the reply is "IP address is listed" and the SMTP connection is denied.]
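The DNSBL lookup described above can be reproduced by an ISP against its own egress or NAT addresses. This is an added example, not part of the original brief or of FortiMail: it follows the RFC 5782 convention (reversed octets under the list's zone, an answer in 127.0.0.0/8 means listed), and the zone name, addresses and canned answers are constructed placeholders so that it runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone (RFC 5782)."""
    addr = ipaddress.IPv4Address(ip)            # ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Live lookup: list of A records, or [] on NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolver=system_resolver):
    """Listed means the zone answers with an address in 127.0.0.0/8."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = resolver(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in loopback for a in answers)

def audit_pool(pool, zones, resolver=system_resolver):
    """Return {ip: [zones that list it]} for each listed pool address."""
    report = {}
    for ip in pool:
        hits = [z for z in zones if is_listed(ip, z, resolver)]
        if hits:
            report[ip] = hits
    return report

# Constructed sample data (placeholder zone, documentation addresses).
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_POOL = ["203.0.113.10", "203.0.113.11"]
SAMPLE_ANSWERS = {"10.113.0.203.dnsbl.example": ["127.0.0.2"]}

def sample_resolver(name):
    """Offline stand-in for DNS: canned answers, [] means NXDOMAIN."""
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    print(audit_pool(SAMPLE_POOL, [SAMPLE_ZONE], sample_resolver))
```
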
ISP Blacklisting Subscriber impact
Case #1: the black IP is reassigned to a clean 3G/ADSL subscriber
The latter cannot send mail
Case #2: Even more critical (picture below)
Multiple subscribers are NATed behind the same public IP address
A single infected computer sends out spam
The public IP address is blacklisted
All subscribers are impacted and cannot send mail
[Diagram: a clean 3G source and a 3G source of spam on the mobile network are all NATed behind the same public IP at the FW. That IP is a black IP, so SMTP connections to the MTAs on the Internet are denied / refused.]
ISP Blacklisting Cost
Cost of de-registering IPs from DNSBL databases
Fee paid to DNSBL organizations
Recurrent / on a weekly basis / Never-ending process
Management cost
Collecting blacklisted IPs
Contacting DNSBL services
Justifying the end of registration
Etc.
User experience
Bad quality of service
Risk that subscribers unsubscribe
IP Blacklisting protection is business critical
This is achieved by filtering outbound mail flow with FortiMail
Outbound antispam User
Transparency
Outbound scanning must not impact users
It is not desirable to change the mail client configuration with
an explicit outgoing relay
User mobility and ease of use
Subscribers should be able to send mail directly to the
Internet
As they were doing before the antispam deployment
The antispam solution must be transparent
Unique and proprietary FortiMail transparent proxy
FortiMail intercepts SMTP sessions even though it is not the
destination MTA
Destination IP = Internet MTA, not FortiMail
Outbound antispam Topology
Policy-based routing makes sure SMTP sessions of
subscribers are redirected to FortiMail for scanning
No need for FortiMail to process web, ftp, pop3, etc. traffic
This would result in unnecessary resource usage
No need to redirect/scan incoming mail flow
I.e. sessions initiated by Internet MTAs
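[Diagram: SMTP clients on the subscriber network send outgoing mail towards the Internet. The routers apply policy-based routing (outgoing sessions --> FortiMail) before the firewall and the destination MTAs of outgoing mail. Incoming mail from the Internet reaches the MTAs without being redirected.]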
Outbound antispam Protocol
Transparency
Unique to FortiMail
Transparent in the IP layer
FortiMail does not change the client source IP address when
relaying sessions
No interference in the SMTP negotiation
SMTP commands are not altered
SMTP AUTH is performed by the destination MTA
FortiMail does not queue mail if the destination MTA is
unreachable
The ISP is not in charge of compensating MTA availability
by queueing mail
Transparent in the SMTP envelope and headers
There is no visible trace of FortiMail processing
Outbound antispam Protocol
Transparency
[Diagram, SMTP-envelope transparency: SMTP commands are not altered. Between the SMTP client (MYDOMAIN.COM) and the SMTP server (FORTINET.COM), the banner "220 MAILSERVER.FORTINET.COM", the command "EHLO ME.MYDOMAIN.COM" and the reply "250 MAILSERVER.FORTINET.COM" are identical on both sides of FortiMail.]
[Diagram, IP-layer transparency: source and destination IP addresses are not altered. Between the SMTP client (1.2.3.4) and the SMTP server (5.6.7.8), source IP = 1.2.3.4 and destination IP = 5.6.7.8 on both sides of FortiMail.]
Outbound antispam Filters
Dedicated antispam techniques are required
Traditional antispam GWs rely on reputation/score of
public IP addresses
This technique is not relevant for outbound antispam
Subscribers may have private IP addresses
Not known by central Internet databases
Spam should be blocked before the IP address is
blacklisted or its score is bad
Fortinet research team developed specific techniques
to efficiently identify outbound spam
Identifying 3G subscribers
3G mobile operators: SIM card and MSISDN
An MSISDN is the number associated with a SIM card
It uniquely identifies subscribers
As opposed to IP addresses that are dynamically assigned
FortiMail: the only AS GW that retrieves and processes MSISDN
Benefit: MSISDN Realtime monitoring/blocking
FortiMail dynamically calculates MSISDN reputation
And automatically alerts or blocks offending MSISDNs
Benefit: MSISDN Reporting
MSISDN statistics: Top senders / Src of spam / Src of virus
Thanks to FortiMail MSISDN support ISPs can track bad
subscribers
Identifying 3G subscribers
[Diagram: the subscriber connects through the 3G network (SGSN, GGSN) and the subscriber IP address is assigned; the RADIUS server sends MSISDN + IP address. The subscriber sends a mail through the router towards the destination MTA on the Internet. The SMTP session is logged with the MSISDN, the MSISDN reputation is updated, and for an offending MSISDN an alert is sent or the session is blocked.]
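The flow above (RADIUS supplies MSISDN + IP address, SMTP sessions are logged per MSISDN, reputation drives alert or block) is sketched below. This is an added example, not FortiMail's algorithm or code from the original brief: the record layouts, the MSISDN values, the spam-ratio scoring and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed RADIUS accounting feed: (time, event, Framed-IP-Address, MSISDN)
RADIUS = [
    (100, "start", "10.0.0.5", "33600000001"),
    (200, "stop",  "10.0.0.5", "33600000001"),
    (210, "start", "10.0.0.5", "33600000002"),  # same IP, new subscriber
    (220, "start", "10.0.0.6", "33600000003"),
]
# Constructed SMTP session log: (time, source IP, scan verdict)
SMTP = [(110 + i, "10.0.0.5", "spam") for i in range(9)] + [
    (150, "10.0.0.5", "clean"), (230, "10.0.0.5", "clean"),
    (240, "10.0.0.6", "clean"), (250, "10.0.0.6", "spam"),
]

def attribute_sessions(radius, smtp):
    """Replay both feeds in time order; tag each session with the MSISDN
    that held the source IP at that moment (None if no active lease)."""
    events = [(t, 0, ev, ip, msisdn) for t, ev, ip, msisdn in radius]
    events += [(t, 1, "smtp", ip, verdict) for t, ip, verdict in smtp]
    lease, tagged = {}, []
    for _, _, kind, ip, value in sorted(events):
        if kind == "start":
            lease[ip] = value
        elif kind == "stop":
            lease.pop(ip, None)
        else:
            tagged.append((lease.get(ip), value))
    return tagged

def decide(tagged, min_sessions=5, block_ratio=0.5):
    """Per-MSISDN action from the spam ratio (thresholds are assumptions)."""
    stats = defaultdict(lambda: [0, 0])          # msisdn -> [spam, total]
    for msisdn, verdict in tagged:
        if msisdn is None:
            continue                             # cannot attribute: skip
        stats[msisdn][0] += verdict == "spam"
        stats[msisdn][1] += 1
    actions = {}
    for msisdn, (spam, total) in stats.items():
        if total >= min_sessions and spam / total >= block_ratio:
            actions[msisdn] = "block"
        else:
            actions[msisdn] = "alert" if spam else "ok"
    return actions

if __name__ == "__main__":
    print(decide(attribute_sessions(RADIUS, SMTP)))
```

The second subscriber inherits 10.0.0.5 after the spammer disconnects and stays "ok", which is the reassignment case that IP-based reputation gets wrong.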
MMS routing for Mobile Operator
MMS format
MM3: SMTP-based MMS between MMSC and Internet MTAs
Used to send out MMS to the Internet
MM4: SMTP-based MMS between MMSCs
Used to send out MMS to another mobile operator
FortiMail relays MM3/MM4 traffic
MMSC relays outgoing traffic to FortiMail
Incoming traffic is sent to FortiMail before reaching the MMSC
MMSC is not directly connected to the Internet or other MMSCs
Improved security
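[Diagram: the subscriber phone reaches the MMSC over MM1. FortiMail sits between the MMSC and the outside as the secure gateway to connect to the Internet & other MMSCs: incoming and outgoing MM3 with the Internet, and MM4 over the GRX with the other operator's MMSC.]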
Inbound antispam for ISPs
Incoming mail filtering to protect local mailboxes
FortiMail provides AV/AS services to filter the incoming flow that
the internal mail servers receive
ISP internal mail server protection
Free mailboxes offered to 3G/ADSL subscribers
ISP corporate mail server protection
Employee mailboxes
[Diagram: service provider location with the mail servers (subscriber mailboxes, employee mailboxes); SMTP clients on the subscriber network and on the corporate network (outgoing SMTP); Internet (incoming SMTP).]
FortiMail for Mail Service Providers
Incoming mail filtering
AV/AS Protection for enterprise customer domains
Deployment option: FortiMail in the cloud
Scenario 1: Full hosted services
Customer mail servers & FortiMail are located at the ISP site
FortiMail protects several customers
Scenario 2: Clean pipe only
Mailserver located at the customer site
FortiMail located at the ISP site protecting several customers
Deployment option: FortiMail as CPE device
Scenario 3: outsourcing without hosting
Mailserver and FortiMail are located at the customer site
FortiMail protects a single customer
Remote management from Service Provider SOC
Mail Service Providers Scenario 1
In the cloud AV/AS services
FortiMail is located at the ISP site and handles multiple domains
Service Provider delivers clean hosted mailboxes to enterprises
Full suite of hosted services (mailserver + AV/AS)
ISP offers clean & free hosted mailboxes to ADSL/3G subscribers
Internal domain protection
Service Provider offers clean mailboxes to employees
Corporate domain protection
[Diagram: service provider location with the mail servers (customer mailboxes); SMTP clients at the customer location (outgoing SMTP); Internet (incoming SMTP).]
Mail Service Providers Scenario 2
In the cloud AV/AS services
FortiMail is located at the ISP site and handles multiple domains
Mail Service Provider delivers clean mail flow to customers
= Clean pipes
Mailserver is located at the customer premise
Hosted AV/AS services
FortiMail provides services to remote mail servers
[Diagram: mail server and SMTP clients at the customer location (outgoing SMTP); service provider location between the customer and the Internet (incoming SMTP), providing protection of multiple customer domains.]
Mail Service Providers Scenario 3
CPE approach (Customer Premise Equipment)
Mail Service Provider remotely manages customer equipment
Dedicated FortiMail per customer
FortiMail is located at the customer site
Remotely managed from Service Provider SOC
[Diagram: mail server and SMTP clients at the customer location, with incoming SMTP from and outgoing SMTP to the Internet; single customer protection; remote management from the service provider SOC.]
FortiMail key features for MSP
Scalability from SMB to large enterprises & Service
Providers
Hardware scalability
Optional redundant PS, optional hardware RAID, etc.
Performance scalability
Supports three modes of operation
Explicit relay, transparent relay, mail server
Supports a high number of domains
Up to 20,000 listed domains per box
If not explicitly listed: unlimited number of domains
Role-based management
Per domain configuration rights
Per domain logging and reporting
Same level of features and management through the
range
Encryption, antispam, antivirus, content filtering, etc.
Access to the configuration by GUI or command lines for
scripting
Large amount of disk storage for logging and spam
quarantine even on small appliances
From 250GB to several TeraBytes
Embedded reporting engine
Centralized logging and reporting provided by
FortiAnalyzer
Unique feature-rich HA implementation
In addition to traditional configuration synchronization
+FortiMail synchronizes mail data for transparent
failover
Mail queues
Mailboxes of quarantined spam
+FortiMail provides automatic failover
Service availability check (WEB, SMTP, etc.)
Interface availability check
High performance
Due to a proprietary MTA development
Mail is not queued but processed in real time
Minimizes transmission delay
Real-time AV/AS filtering
In relay mode, mail is queued ONLY if the destination
MTA is not available
Minimizes the size of the queue
Simplifies queue management
100% Fortinet technology
No third party agreement for AS engine or AV engine
High optimization of the code
Highest possible integration of tasks
Such as mail routing + antispam filtering + virus blocking
Benefit: Performance & Investment protection
Mailbox licence free
No headache tracking the number of users
Cost performance
FortiMail Product Line
FortiMail 100 (small enterprise)
4x 10/100
250GB HD
Recommended users: < 250
FortiGuard mail / hour: 20000
Full AV/AS mail / hour: 7k
FortiMail 400B (medium enterprise)
4x 10/100 + 2x 10/100/1000
500GB HD
Optional HD
SW RAID 0/1
Recommended users: < 1000
FortiGuard mail / hour: 180k
Full AV/AS mail / hour: 50k
FortiMail 2000A / 4000A (large enterprise, service provider)
4x 10/100/1000
Redundant fans & PS
6x / 12x 250GB HD
HD RAID 0/1/5/10/50
Recommended users: > 1000
FortiGuard mail / hour: 380k
Full AV/AS mail / hour: 160k
FortiMail SKUs
Model | SKU | Description
FortiMail 100 | FML-100-BDL-X | 4x 10/100 ports; Single 250GB HDD
FortiMail 400B | FML-400B-BDL-X | 2x 10/100; 4x 10/100/1000; SW RAID 0/1; Single 500GB HDD (additional disk in option)
FortiMail 2000A | FML-2000A-BDL-X | 4x 10/100/1000; Dual CPU; Dual Redundant PS; HW RAID 0/1/; 6x 250GB HDD
FortiMail 4000A | FML-4000A-BDL-X | 4x 10/100/1000; Dual CPU; Dual Redundant PS; HW RAID 0/1/5/10/50; 12x 250GB HDD
250GB HD | FL-400D2 | 250GB Hard Drive for FML-2000A and FML-4000A
500GB HD | SP-D500 | 500GB Hard drive for FML-400B
Thank you