
Technical Note

FORTIMAIL Configuration
For Enterprise Deployment

Rev 2.1

April 7, 2009
Fortinet Inc. Technical Note - FortiMail Configuration for Enterprise

Table of Contents

1 Introduction (p. 3)
1.1 Objective (p. 3)
1.2 Network deployment (p. 3)
1.3 Convention (p. 3)
2 System settings (p. 4)
2.1 DNS settings (p. 4)
2.2 SMTP access control (p. 4)
2.2.1 Inbound traffic (p. 4)
2.2.2 Outbound traffic (p. 4)
2.2.3 Enforcing authentication for roaming users (p. 4)
2.3 FortiGuard queries (p. 4)
2.4 Log settings (p. 5)
3 Domain settings (p. 6)
3.1 Domain creation (p. 6)
3.2 Recipient verification (p. 6)
4 Protection profile settings (p. 7)
4.1 Session profile settings (p. 7)
4.1.1 Session profile for inbound traffic (p. 7)
4.1.2 Session profile for outbound traffic (p. 7)
4.2 Antispam profile settings (p. 8)
4.2.1 Antispam profile for inbound traffic (p. 8)
4.2.2 Antispam profile for outbound traffic (p. 9)
4.3 Antivirus profile (p. 10)
5 Policies (p. 11)
5.1 IP based policies (p. 11)
5.2 Recipient based policies (p. 11)
5.3 Authentication policies (Webmail & SMTP) (p. 11)

Change Log

Revision  Date        Description
1.0       2009/03/05  Initial Draft Release
1.5       2009/03/09
1.6       2009/03/10
2.0       2009/03/18  General Availability
2.1       2009/04/07  FortiMail 3.0 MR3 Patch 5

Comments

Nathalie Rivat
[email protected]

© Copyright 2009 Fortinet Inc. All rights reserved.

Trademarks
Products mentioned in this document are trademarks or registered trademarks of their
respective holders.


1 Introduction
1.1 Objective
The purpose of this document is to provide recommendations for FortiMail antispam settings
in an enterprise environment.

This document is intended for administrators who already have a good understanding of
FortiMail features and positioning.

The intention is not to explain filtering techniques. Please refer to the Administration Guide
for that.

1.2 Network deployment


FortiMail is deployed in gateway mode (the default mode).

Incoming mail filtering

The MX record for “mycompany.com” resolves to the IP address of the FortiMail platform.

This way, the corporate mail server is not directly exposed to the Internet and does not
receive unfiltered or unwanted sessions. FortiMail filters incoming traffic for spam and
malicious content.

Outgoing mail filtering

We recommend using FortiMail as the outgoing relay for the backend mail server, so that
outbound traffic is subject to policy and filtering as well.

1.3 Convention
For ease of description, the FortiMail configuration is presented as CLI commands, based on
the recommended release as of this writing: FortiMail Release 3.0 Minor Release 4 Patch 5.

Providing CLI commands also makes it easy to replicate the settings by copy and paste.

Parameters written in red in the original document (IP addresses, domain names, credentials
and similar site-specific values) should be modified to fit the local network and system
environment.


2 System settings
2.1 DNS settings
FortiMail should be configured with two local DNS servers. Fast DNS responses are critical
to FortiMail performance.

Adapt the following IP addresses to the corporate environment:

set system dns primary 192.168.1.1 secondary 192.168.1.2

2.2 SMTP access control


The main purpose of the access list is to control whether mail should be relayed, while
policies control how mail is processed and filtered (authentication, antivirus, antispam,
content filters).

2.2.1 Inbound traffic

Defining the internal domains to be protected by FortiMail implicitly creates access-list
entries that accept and relay mail to these domains.

Refer to chapter 3, “Domain settings”, for this.

There is no need to define any additional access list entry to relay inbound traffic.

2.2.2 Outbound traffic


An explicit access list must be defined to allow outgoing traffic from the backend mail server
to the Internet. Adapt the following command with the IP address of the backend mail server.

set mailserver access rule 0 set sender_pattern * no recipient_pattern * no ip_mask 192.168.2.100/32 reverse_dns_pattern * no authenticated no tlsprofile / action RELAY

2.2.3 Enforcing authentication for roaming users


If roaming users send mail through FortiMail from the Internet, consider enforcing
authentication for these MUA sessions. This prevents spammers from relaying mail by spoofing
internal email addresses: rule 1 relays authenticated sessions that claim an internal sender
address, and rule 2 rejects unauthenticated ones.

set mailserver access rule 1 set sender_pattern *@mydomain.com no recipient_pattern * no ip_mask 0.0.0.0/0 reverse_dns_pattern * no authenticated yes tlsprofile / action RELAY

set mailserver access rule 2 set sender_pattern *@mydomain.com no recipient_pattern * no ip_mask 0.0.0.0/0 reverse_dns_pattern * no authenticated no tlsprofile / action REJECT

2.3 FortiGuard queries


FortiMail queries FortiGuard:
• for antivirus engine and definition updates;
• for SHASH/URI/IP checks used to filter spam during SMTP sessions.

To maximize FortiMail performance, SHASH/URI/IP query results can be cached locally on
FortiMail:

set fshd cache status enabled
set fshd cache ttl 600

Schedule antivirus database and engine updates every hour:

set system autoupdate schedule enable every 1:0


2.4 Log settings


Configure the following events to be logged locally:

set log policy destination local event status enable category system smtp ha update
set log policy destination local virus status enable category infected
set log policy destination local history status enable
set log policy destination local spam status enable category detected


3 Domain settings
3.1 Domain creation
Define internal domains that should be protected by FortiMail:

set policy mydomain.com modify ip 192.168.2.100 port 25 usessl disabled

3.2 Recipient verification


Before relaying incoming mail to the backend mail server(s), FortiMail can optionally verify
that a mailbox exists for the recipient address.
• This relieves the mail server of processing the significant volume of mail addressed to
unknown users.
• It also improves the spam catch rate, because the local sender reputation algorithm learns
from these failures and automatically adjusts the score of the sending IP address.

The best option to implement this check is the corporate LDAP directory, as FortiMail:
• is able to cache LDAP answers,
• and supports a redundant LDAP configuration for automatic failover.

If LDAP is not available, the backend SMTP server can be used to validate recipient
addresses. FortiMail sends a RCPT TO command and expects a reply that confirms whether the
address is valid.
Verify that the backend mail server is configured to return a meaningful status; this
sometimes requires additional configuration on the mail server.

Define the LDAP profile (note that 636 is the LDAPS port: make the secure setting match what
the directory server expects on the port you configure, so that the bind password is not sent
in clear text):

set ldap_profile profile ldap_server server 192.168.2.100 port 636 secure none
set ldap_profile profile ldap_server user schema inetorgperson basedn dc=mycompany,dc=com binddn cn=Manager,dc=mycompany,dc=com bindpw fortinet deref never scope sub query '(& (objectClass=inetOrgPerson) (mail=$m))'
set ldap_profile profile ldap_server auth authstate enable upnstatus disable upnsuffix '' cnidstatus disable cnidname uid searchstatus enable
set ldap_profile profile ldap_server option timelimit 10 version ver3 unauthbind disable cachestate enable cachettl 1440

Enable recipient check using the LDAP profile:

set policy mydomain.com modify verify_addr ldap profile ldap_server


4 Protection profile settings


4.1 Session profile settings
A session profile should always be applied to traffic in both directions.

Two different profiles are defined: one for incoming traffic and one for outgoing traffic.

4.1.1 Session profile for inbound traffic


Take into account the recommended settings as listed below.
• Adapt the connection rate and the number of concurrent connections to the local
environment.
• Modify the maximum message size according to the company policy.

set ip_profile inbound

set ip_profile inbound connection rate 100 5
set ip_profile inbound connection concurrent 2

set ip_profile inbound check domain enable
set ip_profile inbound check helo disable
set ip_profile inbound check sender enable
set ip_profile inbound check recipient disable
set ip_profile inbound check stop_empty_domains enable
set ip_profile inbound check 3_way enable

set ip_profile inbound limit recipient 500
set ip_profile inbound limit helo 3
set ip_profile inbound limit email 10
set ip_profile inbound limit message_size 10485760
set ip_profile inbound limit header_size 32768
set ip_profile inbound limit NOOP 10
set ip_profile inbound limit RSET 20

set ip_profile inbound error free 1
set ip_profile inbound error initial_delay 4
set ip_profile inbound error increment 4
set ip_profile inbound error total 5

set ip_profile inbound senderreputation status enable
set ip_profile inbound senderreputation throttle 45
set ip_profile inbound senderreputation throttle_number 5
set ip_profile inbound senderreputation throttle_percent 1
set ip_profile inbound senderreputation tempfail 55
set ip_profile inbound senderreputation reject 80

set ip_profile inbound sendervalidation dkim disable signing disable authenticated disable domainkey disable spf enable bypassbounceverify disable

4.1.2 Session profile for outbound traffic

It is recommended to apply a session policy to the outgoing traffic from the backend mail
server.
• Starting from the standard settings listed below, adapt the connection rate and the number
of concurrent connections to the network environment.
• Modify the maximum message size according to the company policy.
• Note that the domain name validation (MX and A record query) now applies to the recipient
mail address. SPF check and sender reputation are disabled.


set ip_profile outbound

set ip_profile outbound connection rate 200 5
set ip_profile outbound connection concurrent 10

set ip_profile outbound check domain enable
set ip_profile outbound check helo disable
set ip_profile outbound check sender enable
set ip_profile outbound check recipient enable
set ip_profile outbound check stop_empty_domains enable
set ip_profile outbound check open_relay disable
set ip_profile outbound check 3_way enable

set ip_profile outbound limit recipient 500
set ip_profile outbound limit helo 3
set ip_profile outbound limit email 10
set ip_profile outbound limit message_size 10485760
set ip_profile outbound limit header_size 32768
set ip_profile outbound limit NOOP 10
set ip_profile outbound limit RSET 20

set ip_profile outbound error free 1
set ip_profile outbound error initial_delay 4
set ip_profile outbound error increment 4
set ip_profile outbound error total 5

set ip_profile outbound senderreputation status disable

set ip_profile outbound sendervalidation dkim disable signing disable authenticated disable domainkey disable spf disable bypassbounceverify disable

4.2 Antispam profile settings


4.2.1 Antispam profile for inbound traffic
A specific antispam profile is defined to filter incoming mail and store spam in the per-user
quarantine.
• A discard or reject action should be considered for the FortiGuard filters. Other antispam
techniques can be configured to trigger quarantine.
• A maximum message size for scanning should be set. This helps to control false positives
and improves performance.
• You may consider bypassing scanning for authenticated sessions (roaming users). Bear in
mind, however, that valid accounts may have been compromised by spammers.
• Note that the Forged IP check is disabled.
• Consider greylisting whenever possible. It is an effective technique but has some
drawbacks.

set as profile inbound modify actions discard dis reject dis summary en
set as profile inbound modify auto-release dis webrelease en autowhitelist dis
set as profile inbound modify scanoptions maxsize 80
set as profile inbound modify scanoptions bypass_on_auth dis
set as profile inbound modify scanoptions attachment_type pdf en
set as profile inbound modify whitelist dis
set as profile inbound modify virus en
set as profile inbound modify forgedip dis
set as profile inbound modify greylist dis
set as profile inbound modify bayesian scanner dis userdb dis usertrain en autotrain en
set as profile inbound modify deepheader scanner en checkip en headeranalysis en
set as profile inbound modify fortishield scanner en checkip en
set as profile inbound modify heuristic scanner en lower-level -20.000000 upper-level 3.500000 rules-percentage 100
set as profile inbound modify quarantine queue en days 14
set as profile inbound modify dnsbl en
set as profile inbound modify surbl en
set as profile inbound modify dictionary scanner dis
set as profile inbound modify bannedword dis
set as profile inbound modify whitelistword dis
set as profile inbound modify imagespam scanner en aggressive dis
set as profile inbound modify tags header dis subject dis
set as profile inbound modify dnsblserver sbl-xbl.spamhaus.org add
set as profile inbound modify surblserver multi.surbl.org add
set as profile inbound modify individualaction scanner dnsbl action default
set as profile inbound modify individualaction scanner surbl action default
set as profile inbound modify individualaction scanner fortishield action reject
set as profile inbound modify individualaction scanner bayesian action default
set as profile inbound modify individualaction scanner heuristic action default
set as profile inbound modify individualaction scanner dictionary action default
set as profile inbound modify individualaction scanner bannedword action default
set as profile inbound modify individualaction scanner deepheader action default
set as profile inbound modify individualaction scanner forgedip action default
set as profile inbound modify individualaction scanner imagespam action default
set as profile inbound modify individualaction scanner virus action default

If grey listing is enabled, consider the following parameters:

set as greylist ttl 20
set as greylist greylistperiod 1
set as greylist initial_expiry_period 4
set as greylist capacity 125000

• Adapt the expiry period to the environment. It may be necessary to increase this timer if
too many MTAs retry too late, after the 4-hour window.
• You may want to increase the size of the greylist table according to your hardware and
the maximum value matrix:
http://kc.forticare.com/default.asp?id=3756&Lang=1&SID=
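The following Python greylist is an added example using the parameters above; it is not FortiMail code. The numbers are the page's, but their units and roles are assumptions: greylistperiod 1 is taken as one minute (minimum wait before a retry is accepted), initial_expiry_period 4 as four hours (the "4-hour window" the text refers to, after which a pending entry is forgotten), ttl 20 as 20 days (how long a confirmed sender/recipient pair stays exempt), and capacity 125000 as the table size. The table is keyed on the (client IP, envelope sender, envelope recipient) triplet, and the sample sessions are constructed.

```python
"""Greylisting with the parameters from section 4.2.1.  Added illustration, not
FortiMail code; the unit of each parameter is an assumption (see the lead-in)."""
from dataclasses import dataclass, field

MINUTE, HOUR, DAY = 60, 3600, 86400
GREYLIST_PERIOD = 1 * MINUTE          # greylistperiod 1 (minutes assumed)
INITIAL_EXPIRY_PERIOD = 4 * HOUR      # initial_expiry_period 4 (hours assumed)
TTL = 20 * DAY                        # ttl 20 (days assumed)
CAPACITY = 125000                     # capacity 125000


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    confirmed: dict = field(default_factory=dict)  # triplet -> time the entry expires

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return 'accept' or 'tempfail' (a 4xx 'try again later' reply) for one RCPT TO."""
        key = (client_ip, sender.lower(), recipient.lower())
        self._expire(now)

        if key in self.confirmed:            # known-good triplet: refresh its lifetime
            self.confirmed[key] = now + TTL
            return "accept"

        first_seen = self.pending.get(key)
        if first_seen is None:               # never seen: record it and ask for a retry
            if len(self.pending) + len(self.confirmed) >= CAPACITY:
                return "accept"              # table full: fail open rather than block mail (assumption)
            self.pending[key] = now
            return "tempfail"

        if now - first_seen < GREYLIST_PERIOD:
            return "tempfail"                # retried too soon: still greylisted

        # Retried after the greylist period and before the entry expired: promote it.
        del self.pending[key]
        self.confirmed[key] = now + TTL
        return "accept"

    def _expire(self, now: float) -> None:
        """Drop pending entries older than the initial expiry period and confirmed
        entries past their TTL.  A sender that only retries after the 4-hour window
        therefore starts over, which is the situation the text above warns about."""
        self.pending = {k: t for k, t in self.pending.items() if now - t < INITIAL_EXPIRY_PERIOD}
        self.confirmed = {k: exp for k, exp in self.confirmed.items() if exp > now}


if __name__ == "__main__":
    g = Greylist()
    # Constructed sessions: a well-behaved MTA retrying after five minutes, and one
    # whose retry schedule only tries again after five hours.
    good = ("203.0.113.9", "[email protected]", "[email protected]")
    late = ("198.51.100.4", "[email protected]", "[email protected]")
    for label, triplet, t in (("good first", good, 0), ("good retry", good, 5 * MINUTE),
                              ("good later", good, 10 * DAY), ("late first", late, 0),
                              ("late retry", late, 5 * HOUR),
                              ("late second retry", late, 5 * HOUR + 2 * MINUTE)):
        print(f"{label:18} t={t:>8}s -> {g.check(*triplet, now=t)}")
```

The "late" sender in the sample is the case the expiry bullet describes: its first retry lands outside the 4-hour window, so it is greylisted a second time and only gets through on the retry after that. Raising initial_expiry_period (in the model, INITIAL_EXPIRY_PERIOD) is the remedy when this happens to legitimate senders too often.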

Adjust the deepheader confidence degree to 96 (95 being the default value). If needed, you
can later increase the filter aggressiveness by gradually reducing the confidence degree back
to 95.

set spam deepheader confidence 96

4.2.2 Antispam profile for outbound traffic


We have seen situations where mailboxes or the mail server itself were compromised and spam
was sent out to the Internet. This caused the company's outgoing IP address to be
blacklisted by well-known DNSBL services.

To avoid such situations, an antispam profile is also applied to the outgoing traffic.

The following profile detects spam and stores it in the system quarantine for later review by
the administrator.
• Adapt the maximum mail size for scanning as desired.
• Note that the IP reputation checks have been disabled (FortiGuard IP, DNSBL, and deep
header IP scan), since the connecting IP address is the internal mail server's.

set out_profile profile outbound modify actions discard dis reject dis review en
set out_profile profile outbound modify scanoptions maxsize 80
set out_profile profile outbound modify scanoptions bypass_on_auth dis
set out_profile profile outbound modify scanoptions attachment_type pdf en
set out_profile profile outbound modify greylist dis
set out_profile profile outbound modify virus en
set out_profile profile outbound modify deepheader scanner en checkip dis headeranalysis en
set out_profile profile outbound modify fortishield scanner en checkip dis
set out_profile profile outbound modify heuristic scanner en lower-level -20.000000 upper-level 3.500000 rules-percentage 100
set out_profile profile outbound modify dnsbl dis
set out_profile profile outbound modify surbl en
set out_profile profile outbound modify dictionary scanner dis
set out_profile profile outbound modify bayesian dis
set out_profile profile outbound modify bannedword dis
set out_profile profile outbound modify whitelistword dis
set out_profile profile outbound modify imagespam scanner dis aggressive dis
set out_profile profile outbound modify tags header dis subject dis
set out_profile profile outbound modify surblserver multi.surbl.org add
set out_profile profile outbound modify individualaction scanner dnsbl action default
set out_profile profile outbound modify individualaction scanner surbl action default
set out_profile profile outbound modify individualaction scanner fortishield action default
set out_profile profile outbound modify individualaction scanner bayesian action default
set out_profile profile outbound modify individualaction scanner heuristic action default
set out_profile profile outbound modify individualaction scanner dictionary action default
set out_profile profile outbound modify individualaction scanner bannedword action default
set out_profile profile outbound modify individualaction scanner deepheader action default
set out_profile profile outbound modify individualaction scanner imagespam action default
set out_profile profile outbound modify individualaction scanner virus action default

4.3 Antivirus profile


Create an antivirus profile and enable virus detection by signatures:

set av antivirus modify scanner en
set av antivirus modify heuristic dis


5 Policies
5.1 IP based policies
Two IP policies should be set:
• A default policy to enforce an inbound session profile for all incoming traffic.
• A second specific policy to identify outgoing traffic from the backend mail server and
apply the dedicated outbound session profile and the outbound antispam profile.

Rules are ordered so that the more specific rules are listed at the top.

set ip_policy 0
set ip_policy 0 match 192.168.2.100/32
set ip_policy 0 action SCAN
set ip_policy 0 ip outbound
set ip_policy 0 as outbound

set ip_policy 1
set ip_policy 1 match 0.0.0.0/0
set ip_policy 1 action SCAN
set ip_policy 1 ip inbound

5.2 Recipient based policies


Traffic destined to the internal domain is filtered through the antispam and antivirus
profiles by the following recipient-based policy:

set policy mydomain.com modify user * modify groupmode user as inbound av antivirus content content_def

5.3 Authentication policies (Webmail & SMTP)


Users access their web-based quarantine using LDAP authentication. SMTP authentication is
the alternative if LDAP is not available.

If roaming users can send mail from the Internet using FortiMail as their outgoing SMTP
server, sessions should be authenticated to prevent spammers from relaying mail by spoofing
sender addresses. The LDAP server is used to process this authentication, or the backend
SMTP server if LDAP is not available.

set spam retrieval policy mydomain.com user *@mydomain.com auth LDAP ldap_server senddomain enable allowaccess http smtpauth
