FortiMail Lab Guide for FortiMail 6.0 DO NOT REPRINT © FORTINET

Upload: others

Post on 04-Feb-2022

0 views

Category:

Documents


0 download

TRANSCRIPT

FortiMail Lab Guide for FortiMail 6.0


Fortinet Training

http://www.fortinet.com/training

Fortinet Document Library

http://docs.fortinet.com

Fortinet Knowledge Base

http://kb.fortinet.com

Fortinet Forums

https://forum.fortinet.com

Fortinet Support

https://support.fortinet.com 

FortiGuard Labs

http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback

Email: [email protected]

1/9/2019


TABLE OF CONTENTS

Virtual Lab Basics 5
Network Topology 5
Lab Environment 5
Remote Access Test 6
Logging In 7
Disconnections and Timeouts 9
Screen Resolution 9
Sending Special Keys 10
Student Tools 11
Troubleshooting Tips 11

Lab 1: Initial Setup 14
Exercise 1: Verifying DNS Records 15
Exercise 2: Configuring a Server Mode FortiMail 17
Exercise 3: Configuring a Gateway Mode FortiMail 24
Lab 2: Access Control and Policies 27
Exercise 1: Outbound Email Flow 28
Exercise 2: Relay Host 31
Exercise 3: Policy Usage Tracking 33
Exercise 4: Policy Creation 36
Lab 3: Authentication 40
Exercise 1: User Authentication Enforcement 41
Exercise 2: LDAP Operations 46
Exercise 3: SMTP Brute Force Attack 58
Lab 4: Session Management 61
Exercise 1: Connection Limits 62
Exercise 2: Sender Address Rate Control 65
Exercise 3: Header Manipulation 68
Lab 5: Antivirus 71
Exercise 1: Antivirus Scanning for Malware Detection 72
Lab 6: Antispam 75
Exercise 1: Scan Incoming Email for Spam 76
Test the Antispam Configuration 78
Exercise 2: Scan Outgoing Email for Spam 81
Exercise 3: User Quarantine Management 83
Exercise 4: Impersonation Analysis 86
Exercise 5: Bounce Verification (Backscatter) 89
Disable Recipient Address Verification 89
Disable Bounce Verification 92
Lab 7: Content Inspection 93
Exercise 1: Configuring Content Inspection 94
Exercise 2: Configuring DLP 98
Exercise 3: Configuring CDR 105
Quarantine an Unmodified Copy 106
Exercise 4: Verifying CDR 107
Verify URI Removal 109
Verify HTML Sanitization 110
Lab 8: Securing Communications 112
Exercise 1: Implementing SMTPS 113
Exercise 2: Implementing Content Inspection-Based IBE 118
Exercise 3: Accessing IBE Emails 122
Lab 9: High Availability 125
Exercise 1: Configuring the Primary FortiMail 127
Exercise 2: Configuring the Secondary FortiMail 128
Exercise 3: Verifying Cluster Health 130
Exercise 4: Configuring HA Virtual IP 134
Exercise 5: Monitoring Remote Services 137
Lab 10: Server Mode 142
Exercise 1: Configuring Resource Profiles 143
Exercise 2: Address Book LDAP Import 146
Lab 11: Transparent Mode 150
Exercise 1: Configuring a Transparent Mode FortiMail 151
Exercise 2: Configuring Bidirectional Transparency 157
Lab 12: Maintenance 160
Exercise 1: Configuring and Generating Local Reports 161
Exercise 2: Monitoring System Resource Use 164
Exercise 3: Managing Local Storage 168
Lab 13: Troubleshooting 171
Exercise 1: Troubleshooting the Problem 172
Exercise 2: Fixing the Problem 180


Virtual Lab Basics

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

If your trainer asks you to use a different lab, such as devices physically located in your classroom, then ignore this section. This section applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote data centers that allow each student to have their own training lab environment, or point of delivery (PoD).

FortiMail 6.0 Lab Guide   Fortinet Technologies Inc.   5


Remote Access Test

Before starting any course, check if your computer can connect to the remote data center successfully. The remote access test fully verifies whether your network connection and your web browser can support a reliable connection to the virtual lab.

You do not have to be logged in to the lab portal in order to run the remote access test.

To run the remote access test

1. From a browser, access the following URL: https://use.cloudshare.com/test.mvc

If your computer connects successfully to the virtual lab, you will see the message All tests passed!:

2. Inside the Speed Test box, click Run. The speed test begins. Once complete, you will get an estimate for your bandwidth and latency. If those estimates are not within the recommended values, you will get an error message:


Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to log in.

You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a link and a passphrase.

To log in to the remote lab

1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.

3. Enter your first and last name.
4. Click Register and Login.


Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.

5. To open a VM from the dashboard, do one of the following:

- From the top navigation bar, click a VM's tab.
- From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs.

When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a Fortinet VM.


For most lab exercises, you will connect to a jumpbox VM, which can be either a Windows or a Linux VM. From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab environment.

Disconnections and Timeouts

If your computer's connection to the VM times out or closes, to regain access, return to the window or tab that contains the list of VMs for your session, and reopen the VM.

If that fails, see Troubleshooting Tips on page 11.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size.

To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also change the color depth:


Sending Special Keys

You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:

From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:


Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:

Troubleshooting Tips

- Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
- Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
- For best performance, use a stable broadband connection, such as a LAN.


- You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and general performance:
- If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect, notify the instructor.
- If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:
- If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action menu, and select Revert:

Reverting to the VM's initial state will undo all of your work. Try other solutions first.


- During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the following example appears:

To expedite the response, enter the following command in the CLI:

execute update-now


Lab 1: Initial Setup

In this lab, you will verify the DNS MX records for both of the lab domains, perform the initial configuration tasks for the FortiMail VMs installed in the internal.lab domain for inbound email, and configure an email client to connect to a server mode FortiMail. Then, you will issue basic SMTP commands and inspect email headers to understand the flow of SMTP.

Objectives

- Verify DNS MX records for the lab domains
- Configure the initial system and email settings on the server mode FortiMail
- Configure the initial system and email settings on the gateway mode FortiMail
- Manually send basic SMTP commands to an email server to understand the SMTP protocol

Time to Complete: Estimated 45 minutes


Exercise 1: Verifying DNS Records

DNS is a critical component in routing email messages. In this exercise, you will use Windows command prompt commands to verify the published DNS MX records for both the internal.lab and external.lab domains, to understand the lab network mail routing.

To verify MX records

1. In Windows, open a command prompt window, and then enter the following command to display the MX records associated with the external.lab domain:

nslookup -type=mx external.lab

You should receive an output similar to the following:

C:\Users\Administrator>nslookup -type=mx external.lab
external.lab    MX preference = 10, mail exchanger = extsrv.external.lab
extsrv.external.lab     internet address = 10.200.1.99

What is the primary MX record for the external.lab domain?       ___________________________

As indicated in the nslookup query output, there is only one MX record associated with the external.lab domain.

extsrv.external.lab MX preference = 10

Therefore, all email messages sent to the external.lab domain must be sent to the extsrv.external.lab (10.200.1.99) host.

2. In the same command prompt window, enter the following command to display the MX records associated with the internal.lab domain:

nslookup -type=mx internal.lab

You should receive an output similar to the following:

C:\Users\Administrator>nslookup -type=mx internal.lab
internal.lab    MX preference = 20, mail exchanger = intsrv.internal.lab
internal.lab    MX preference = 10, mail exchanger = intgw.internal.lab
intsrv.internal.lab     internet address = 10.0.1.99
intgw.internal.lab      internet address = 10.0.1.11

What is the primary MX record for the internal.lab domain? ___________________________

What is the secondary MX record for the internal.lab domain? ___________________________


As indicated in the nslookup query output, there are two MX records associated with the internal.lab domain.

intgw.internal.lab MX preference = 10
intsrv.internal.lab MX preference = 20

The intgw.internal.lab (10.0.1.11) host is the primary MTA for the internal.lab domain because it has the lowest preference value. However, at this point in the lab, you haven't configured the IntGW FortiMail VM to process email; therefore, it won't respond to any SMTP sessions. When the TCP connection fails, the remote sender will automatically try to send email to the next MX record on the list, intsrv.internal.lab (10.0.1.99).

3. Close the command prompt window.

In the lab network, the MX records for the internal.lab domain are geared for convenience, and should not be used as a template for real-world deployments.

Since the back-end mail server might not have the full range of email security features enabled, publishing it as a secondary MX entry is detrimental to security. Spammers can easily identify and exploit these servers using MX records.

Publishing the back-end mail server as a secondary MX entry will also prevent certain FortiMail features—such as greylisting, or sender reputation—from working effectively.
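As an added example (not part of the original lab guide), the following Python script parses the nslookup output shown in this exercise, orders the exchangers the way a remote sender tries them, models the fallback to the secondary MX described above, and lists every published MX that a sender can reach without passing through the gateway. The embedded nslookup text is the lab output copied into the script so that it runs offline; the set of hosts that currently answer on port 25 is an assumption supplied by the caller.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the nslookup output from this exercise, embedded here so
# the script runs offline without querying DNS.
NSLOOKUP_OUTPUT = """\
C:\\Users\\Administrator>nslookup -type=mx internal.lab
internal.lab    MX preference = 20, mail exchanger = intsrv.internal.lab
internal.lab    MX preference = 10, mail exchanger = intgw.internal.lab
intsrv.internal.lab     internet address = 10.0.1.99
intgw.internal.lab      internet address = 10.0.1.11
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
ADDR_RE = re.compile(r"^(\S+)\s+internet address = (\S+)$")


@dataclass(frozen=True)
class MxRecord:
    preference: int
    exchanger: str
    address: Optional[str]


def parse_nslookup_mx(text: str) -> List[MxRecord]:
    """Parse `nslookup -type=mx` output into MX records sorted by preference.

    A sending MTA tries the lowest preference value first (RFC 5321, section 5.1),
    so the sorted list is the order in which remote senders will try the hosts.
    """
    prefs = []
    addrs = {}
    for line in text.splitlines():
        line = line.strip()
        mx = MX_RE.match(line)
        if mx:
            prefs.append((int(mx.group(2)), mx.group(3).rstrip(".")))
            continue
        addr = ADDR_RE.match(line)
        if addr:
            addrs[addr.group(1).rstrip(".")] = addr.group(2)
    records = [MxRecord(pref, host, addrs.get(host)) for pref, host in prefs]
    return sorted(records, key=lambda r: (r.preference, r.exchanger))


def delivery_attempts(records: List[MxRecord], listening: Set[str]) -> List[str]:
    """Hosts a remote sender contacts, in order, until one accepts the TCP connection.

    `listening` is the caller's assumption about which exchangers answer on port 25;
    in this exercise IntGW is not yet configured, so only intsrv.internal.lab answers.
    """
    tried = []
    for record in records:
        tried.append(record.exchanger)
        if record.exchanger in listening:
            break
    return tried


def exchangers_bypassing_gateway(records: List[MxRecord], gateway: str) -> List[str]:
    """Defender's audit from the note above: every published MX other than the
    gateway is a host a sender can reach directly, skipping gateway inspection."""
    return [r.exchanger for r in records if r.exchanger.lower() != gateway.lower()]


if __name__ == "__main__":
    mx = parse_nslookup_mx(NSLOOKUP_OUTPUT)
    for r in mx:
        print(f"pref {r.preference:>3}  {r.exchanger:<22} {r.address}")
    print("attempt order while IntGW is down:",
          delivery_attempts(mx, {"intsrv.internal.lab"}))
    print("hosts reachable without the gateway:",
          exchangers_bypassing_gateway(mx, "intgw.internal.lab"))
```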


Exercise 2: Configuring a Server Mode FortiMail

In the lab network, the IntSRV server mode FortiMail is intended to be the mail server for the internal.lab domain. It is where the end user mailboxes are, where you will perform all user-management tasks, and where you will perform tasks specific to server mode.

In this exercise, you will perform the basic configuration tasks required to establish inbound email flow on the IntSRV FortiMail VM. You will verify your configuration by sending an email from the ExtSRV FortiMail VM and then reviewing the logs. Then, you will configure a mail user agent (MUA) to connect to the server mode FortiMail.

To verify the operation mode

1. In Windows, open a web browser, and go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. On the Dashboard, on the Status tab, locate the System Information widget and verify that the Operation mode is set to Server.

To configure the system settings

1. Click System > Network > Interface.
2. Select port1, and then click Edit.
3. Verify and configure the following values for port1:

Field                  Value
Addressing Mode        Manual
IP/Netmask             10.0.1.99/24
Advanced Setting
Access                 HTTPS, PING, SSH, TELNET
Administrative status  Up

4. Click OK.
5. Click System > Network > Routing.
6. Click New.
7. Add a new static route using the following values:

Field                   Value
Destination IP/netmask  0.0.0.0/0
Interface               port1
Gateway                 10.0.1.254

8. Click Create to save the static route.
9. Click System > Network > DNS, and then configure the following DNS servers:

Field                 Value
Primary DNS server    10.0.1.10
Secondary DNS server  10.0.1.254

There are two DNS servers in the lab network: a primary and a secondary DNS server. The primary DNS server is the Windows server and the secondary DNS server is the Linux server.

10. Click Apply to save the DNS changes.

To configure the mail settings

1. Click System > Mail Settings > Mail Server Settings.
2. Configure the following values under Local Host:

Field              Value
Host name          IntSRV
Local domain name  internal.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Domain & User > Domain > Domain.


5. Click New to add a protected domain using the following values:

Field        Value
Domain name  internal.lab

6. Keep the default values for the remaining settings, and then click Create.

To create server mode users

1. Click Domain & User > User > User.
2. Click New to create a new mail user on the server mode FortiMail using the following values:

Field                Value
User name            user1
Authentication type  Local
Password             fortinet
Display name         Mail User 1

3. Click Create to save the user configuration.

To verify the configuration

1. In Windows, open a new web browser tab, and go to the ExtSRV FortiMail's webmail GUI: https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Click the Compose Mail icon, and then compose a new email message using the following values:

Field         Value
To            [email protected]
Subject       Hello World!
Message Body  Your configuration is successful!

4. Click Send.
5. Open a new web browser tab, and visit the IntSRV FortiMail webmail GUI:

https://intsrv.internal.lab/

6. Log in as user1 using the password fortinet.
7. If the test email message doesn't appear in the inbox, click Refresh.


8. Log out of the webmail interface.
9. Close the browser tab.

To review the logs

1. Visit the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

2. Click Monitor > Log > History.
3. Review the first log and verify that the system applied the appropriate Classifier and Disposition to your test email message.

To configure an MUA to connect to the server mode FortiMail

1. In Windows, open Mozilla Thunderbird and create a new email account.
2. If the system prompts you to sign up for a new email address, click Skip this and use my existing email.
3. After the Mail Account Setup wizard starts, enter the following account information for Mail User 1.

Field          Value
Your name      Mail User 1
Email Address  [email protected]
Password       fortinet


4. Click Continue. Thunderbird attempts to auto-configure the server settings.

5. Click Manual Config if it does not take you to the manual config mode automatically.

6. Modify the auto-discovered Server hostname values for both Incoming and Outgoing to match the following example, and then click Done.

Field     Protocol  Server hostname      Port  SSL       Authentication
Incoming  IMAP      intsrv.internal.lab  143   STARTTLS  Normal Password
Outgoing  SMTP      intsrv.internal.lab  25    None      Normal Password


7. Select the I understand the risks check box, and then click Done.

While unencrypted passwords are fine for a lab network, you should avoid using them in real-world deployments.

Thunderbird displays a certificate security warning.

8. Select the Permanently store this exception check box, and then click Confirm Security Exception to complete the Mail Account Setup wizard.


9. If your configuration is correct, the test email you created in the previous exercise appears in Thunderbird, in your local inbox.


Exercise 3: Configuring a Gateway Mode FortiMail

In the lab network, the IntGW gateway mode FortiMail is intended to be the MTA for the internal.lab domain. It will be the relay server for the IntSRV FortiMail, and also where most of the inspection configuration tasks will be performed.

In this exercise, you will perform the configuration tasks required to establish inbound email flow on the IntGW FortiMail VM. Then, you will verify your configuration by manually composing an email using a telnet session, and reviewing the headers of the email in your Thunderbird mail client.

Recall the DNS verification tasks you performed in the first exercise. As the MX records show, the intgw.internal.lab (10.0.1.11) host is the primary MTA for the internal.lab domain. So, all email messages should be sent to the IntGW FortiMail first for processing. The IntGW FortiMail will then pass the email to the IntSRV FortiMail VM for delivery to the end user.

To configure the system settings

1. In Cloudshare, click the IntGW console window.
2. Click anywhere in the console window, and then press the Enter key.
3. Log in as admin and leave the password field empty.
4. Configure the port1 IP address, subnet mask, and access options using the following CLI commands:

config system interface
    edit port1
        set ip 10.0.1.11/24
        set allowaccess https ping ssh telnet
    next
end

5. In Windows, open a new web browser tab, and visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

6. Log in as admin and leave the password field empty.
7. Click System > Network > Routing.
8. Click New, and then add a new static route using the following values:

Field                   Value
Destination IP/netmask  0.0.0.0/0
Interface               port1
Gateway                 10.0.1.254

9. Click Create to save the static route.
10. Click System > Network > DNS, and then configure the following DNS servers:


Field                 Value
Primary DNS server    10.0.1.10
Secondary DNS server  10.0.1.254

11. Click Apply to save the DNS changes.

To configure the mail settings

1. Click System > Mail Settings > Mail Server Settings.
2. Configure the following values under Local Host:

Field              Value
Host name          IntGW
Local domain name  internal.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Domain & User > Domain > Domain.
5. Click New to add a protected domain using the following values:

Field        Value
Domain name  internal.lab
SMTP Server  10.0.1.99

10.0.1.99 is the IP address of the IntSRV host. This is the server mode FortiMail that you configured in the previous exercise. It contains the user mailboxes for the internal.lab domain. Therefore, the IntGW host is configured with 10.0.1.99 as the protected SMTP Server.

6. Keep the default values for the remaining settings, and then click Create.

To verify the configuration

1. In Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also just enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. After logging in, you will be in the /home/student directory. To verify, type pwd.


6. Run the following swaks command to test the gateway mode FortiMail configuration. A copy of the command is in a text file named commands.txt, which is located in the Resources folder on the Windows desktop.

swaks -f [email protected] -t [email protected] -s 10.0.1.11 --body 'Gateway mode FortiMail configuration is successful'

7. In Thunderbird, open the test message that you sent in the previous step.
8. In the More drop-down list, select View Source to view the full headers of the message:

9. Compare the Received: headers in the swaks session email with the Hello World! email you sent in the previous exercise. What differences do you see?

The Hello World email's Received header shows that the IntSRV FortiMail received the email directly from the ExtSRV FortiMail.

Received: from extsrv.external.lab ([10.200.1.99]) by IntSRV.internal.lab

The swaks session email's Received header shows that the email was processed first by the IntGW FortiMail, and then handed off to the IntSRV FortiMail.

Received: from IntGW.internal.lab ([10.0.1.11]) by IntSRV.internal.lab


Lab 2: Access Control and Policies

In this lab, you will establish outbound email flow for the internal.lab domain, as well as configure a relay host for the server mode FortiMail. You will create IP and recipient policies, and then use logged policy IDs to identify how policies are applied to an email.

Objectives

- Configure access receive rules to allow outbound email
- Configure an external relay host
- Configure IP and recipient policies
- Use logged policy IDs to track messages

Time to Complete: Estimated 45 minutes


Exercise 1: Outbound Email Flow

In this exercise, you will configure the necessary access receive rules on both the IntGW and IntSRV FortiMail VMs to allow outbound email.

To verify authenticated outbound relay

1. In Windows, open Thunderbird, and then compose a new email message to the external user using the following values:

Field         Value
To            [email protected]
Subject       Testing Outbound Email
Message Body  Will this work?

2. Click Send. If Thunderbird displays a security warning, select the Permanently store this exception check box, and then click Confirm Security Exception.

3. Open a web browser and visit the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

4. Log in as extuser with the password fortinet.
5. Verify that extuser has received the email.

By default, FortiMail rejects outbound email, unless the sender is authenticated. Because you configured Thunderbird to authenticate when sending emails using SMTP, the IntSRV FortiMail relays it.

To configure the server mode access receive rule

1. In Windows, open a web browser and go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Click New and configure an access receive rule using the following values:

Field              Value
Sender Pattern     User Defined: *@internal.lab
Sender IP/netmask  User Defined: 10.0.1.0/24
Action             Relay

5. Click Create to save the access receive rule.

While the default behavior reduces configuration requirements, it is still a good practice to configure an access receive rule with specific sender patterns and sender IP/netmask values in a server mode deployment to restrict and filter outbound sessions.

To configure the gateway mode access receive rule

1. In Windows, open a new web browser tab, and visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Click New.
5. Configure an access receive rule using the following values:

Field              Value
Sender Pattern     User Defined: *@internal.lab
Sender IP/netmask  User Defined: 10.0.1.99/32
Action             Relay

On the IntGW FortiMail, you are allowing only the IntSRV server mode FortiMail to relay email. Therefore, you are configuring a /32 subnet mask. No other host is able to relay email through IntGW.

6. Click Create to save the access receive rule.
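Added example, not FortiMail code: a simplified Python model of how the two access receive rules above are evaluated, to show why the /32 on IntGW stops any other internal host from relaying while IntSRV's /24 rule admits the whole subnet. The default behaviour once no rule matches (accept mail addressed to a protected domain, relay only for an authenticated sender, reject every other relay attempt) is a modelling assumption taken from the exercise notes, and the session addresses are constructed.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Set

# Simplified model of FortiMail access receive rules written for this lab guide;
# it is not FortiMail's own evaluation logic. Rule values are the ones entered in
# this exercise; the sessions fed to decide() are constructed test data.


@dataclass(frozen=True)
class AccessReceiveRule:
    sender_pattern: str   # "User Defined" sender pattern, shell-style wildcard
    sender_network: str   # "User Defined" sender IP/netmask in CIDR form
    action: str           # Relay, Reject, ...

    def matches(self, sender: str, sender_ip: str) -> bool:
        """Both the envelope sender and the connecting IP must match."""
        pattern_ok = fnmatch.fnmatchcase(sender.lower(), self.sender_pattern.lower())
        network = ipaddress.ip_network(self.sender_network, strict=False)
        return pattern_ok and ipaddress.ip_address(sender_ip) in network


def decide(rules: List[AccessReceiveRule], sender: str, sender_ip: str,
           recipient: str, protected_domains: Set[str],
           authenticated: bool = False) -> str:
    """First matching rule wins (rules are evaluated top to bottom).

    Without a match, the modelled default applies: mail for a protected domain is
    accepted for inbound delivery, an authenticated sender may relay, and any
    other relay attempt is rejected.
    """
    for rule in rules:
        if rule.matches(sender, sender_ip):
            return rule.action.upper()
    recipient_domain = recipient.rsplit("@", 1)[-1].lower()
    if recipient_domain in protected_domains:
        return "ACCEPT_INBOUND"
    if authenticated:
        return "RELAY"
    return "REJECT_RELAY"


PROTECTED = {"internal.lab"}
# Rule created on the server mode FortiMail (IntSRV): whole internal subnet.
INTSRV_RULES = [AccessReceiveRule("*@internal.lab", "10.0.1.0/24", "Relay")]
# Rule created on the gateway mode FortiMail (IntGW): only IntSRV itself.
INTGW_RULES = [AccessReceiveRule("*@internal.lab", "10.0.1.99/32", "Relay")]

if __name__ == "__main__":
    # Constructed sessions: IntSRV relaying, another internal host trying to
    # relay, an outside host spoofing an internal sender, and inbound mail.
    sessions = [
        (INTGW_RULES, "user1@internal.lab", "10.0.1.99", "extuser@external.lab"),
        (INTGW_RULES, "user1@internal.lab", "10.0.1.50", "extuser@external.lab"),
        (INTGW_RULES, "user1@internal.lab", "10.200.1.99", "extuser@external.lab"),
        (INTGW_RULES, "extuser@external.lab", "10.200.1.99", "user1@internal.lab"),
        (INTSRV_RULES, "user1@internal.lab", "10.0.1.10", "extuser@external.lab"),
    ]
    for rules, sender, ip, rcpt in sessions:
        print(f"{sender:<22} from {ip:<12} to {rcpt:<22} -> "
              f"{decide(rules, sender, ip, rcpt, PROTECTED)}")
```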

To verify the access receive rules

1. Return to the Thunderbird compose window and compose a new email to [email protected], and click Send.

2. Open a new web browser tab and go to the ExtSRV webmail GUI: https://extsrv.external.lab/


3. Log in as extuser using the password fortinet. The email message should appear in the inbox.

4. Click the email message to open it.
5. Click More > Detailed Header.

This displays the email header in the webmail interface.

6. Review the Received: headers. What hops did the email take to reach the destination inbox?

The email message was generated by Windows (10.0.1.10) and sent to IntSRV (10.0.1.99). The IntSRV host then delivered the email message to ExtSRV (10.200.1.99).

Received: from IntSRV.internal.lab ([10.0.1.99]) by extsrv.external.lab with ESMTP id v1RL4umB001914-v1RL4umD001914

Received: from [10.0.1.10] ([10.0.1.10]) ([email protected]=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id v1RL4uHI001985-v1RL4uHK001985

According to the headers, the email message did not pass through the IntGW FortiMail, which is expected. The IntSRV server mode FortiMail delivered the email based on MX query results. To make sure all outbound email from the IntSRV FortiMail relays through the IntGW FortiMail, you must configure a relay host on the IntSRV FortiMail.


Exercise 2: Relay Host

In this exercise, you will configure an external relay host on the IntSRV FortiMail so that all outbound email is sent to the IntGW gateway mode FortiMail for delivery.

To configure a relay host

1. In Windows, visit the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

2. Click System > Mail Settings > Mail Server Settings.
3. Expand the Outgoing Email sub-section.
4. Select the Deliver to relay host check box, and then click New.
5. Create a new relay host using the following values:

Field         Value
Name          IntGWRelay
Host name/IP  10.0.1.11

6. Leave the remaining fields empty, and then click Create to save the relay host configuration.
7. Click Apply to save the Outgoing Email setting changes.

To verify the relay host

1. Open Thunderbird, and then click Write.
2. Compose a new email using the following values:

Field         Value
To            [email protected]
Subject       Testing Relay Host
Message Body  Relay host is working!

3. Click Send.
4. Visit the ExtSRV webmail GUI:

https://extsrv.external.lab/

5. Verify that the email was delivered.
6. Review the headers.

Do you see any differences in the Received: headers? What hops did the email take this time to reach the destination inbox?


The email was generated by Windows (10.0.1.10) and sent to IntSRV (10.0.1.99). The IntSRV host then sent the email to IntGW (10.0.1.11). The IntGW host delivered the email to ExtSRV (10.200.1.99).

Received: from IntGW.internal.lab ([10.0.1.11]) by extsrv.external.lab with ESMTP id v1RLvKZS002158-v1RLvKZU002158

Received: from IntSRV.internal.lab ([10.0.1.99]) by IntGW.internal.lab with ESMTP id v1RLvKQj001948-v1RLvKQl001948

Received: from [10.0.1.10] ([10.0.1.10]) ([email protected]=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id v1RLvJ8k002052-v1RLvJ8m002052

By completing the previous configuration steps, you have successfully established bidirectional email flow in which all inbound and outbound email must flow through the IntGW gateway mode FortiMail.
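Added example (not from the lab guide) serving the header comparison in Exercise 3 of Lab 1 and in Exercises 1 and 2 of this lab: a Python script that parses Received: headers like the ones shown above, rebuilds the hop path in chronological order, and checks whether IntGW appears on it, which is the check a defender runs to confirm that no outbound mail bypasses the gateway. The two sample messages are constructed from the quoted headers; the authentication comment on the first hop and the non-Received headers are made up.

```python
import re
from email import message_from_string
from typing import List, Tuple

# Constructed sample messages built from the Received: headers shown in Lab 2,
# Exercises 1 and 2. Only the Received lines are taken from the guide; the
# authentication comment and the From/To/Subject headers are made up.
DIRECT_MESSAGE = """\
Received: from IntSRV.internal.lab ([10.0.1.99]) by extsrv.external.lab with ESMTP id v1RL4umB001914-v1RL4umD001914
Received: from [10.0.1.10] ([10.0.1.10]) (auth user1 mech=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id v1RL4uHI001985-v1RL4uHK001985
From: user1@internal.lab
To: extuser@external.lab
Subject: Testing Outbound Email

Will this work?
"""

RELAYED_MESSAGE = """\
Received: from IntGW.internal.lab ([10.0.1.11]) by extsrv.external.lab with ESMTP id v1RLvKZS002158-v1RLvKZU002158
Received: from IntSRV.internal.lab ([10.0.1.99]) by IntGW.internal.lab with ESMTP id v1RLvKQj001948-v1RLvKQl001948
Received: from [10.0.1.10] ([10.0.1.10]) (auth user1 mech=CRAM-MD5 bits=0) by IntSRV.internal.lab with ESMTP id v1RLvJ8k002052-v1RLvJ8m002052
From: user1@internal.lab
To: extuser@external.lab
Subject: Testing Relay Host

Relay host is working!
"""

# "from <name> ([<ip>]) ... by <receiving host>"; anything between the IP and
# the word "by" (such as an authentication comment) is skipped.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\).*?\bby\s+(\S+)", re.IGNORECASE)

Hop = Tuple[str, str, str]   # (name the sender gave, sender IP, receiving host)


def hops(raw_message: str) -> List[Hop]:
    """Reconstruct the delivery path in chronological order.

    Each MTA prepends its own Received: header, so the top header is the last
    hop; reversing the parsed list gives the order the message actually travelled.
    """
    msg = message_from_string(raw_message)
    path = []
    for header in msg.get_all("Received", []):
        match = HOP_RE.search(" ".join(header.split()))
        if match:
            sender_name, sender_ip, receiver = match.groups()
            path.append((sender_name.strip("[]"), sender_ip, receiver.rstrip(";")))
    path.reverse()
    return path


def passed_through(raw_message: str, gateway: str) -> bool:
    """True when the gateway MTA appears as a receiving host on the path."""
    return any(receiver.lower() == gateway.lower()
               for _, _, receiver in hops(raw_message))


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT_MESSAGE), ("relayed", RELAYED_MESSAGE)):
        print(name + ":", " -> ".join(f"{s} ({ip}) => {r}" for s, ip, r in hops(raw)))
        print("   passed through IntGW:", passed_through(raw, "intgw.internal.lab"))
```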


Exercise 3: Policy Usage Tracking

As email messages flow through FortiMail, log entries are created that show which policies were triggered. This is extremely useful for testing new policies and troubleshooting existing ones.

In this exercise, you will send two email messages, one in each direction, and then review which policies the messages used.

To generate log entries

1. In Windows, open Thunderbird.
2. Send an email message to [email protected].
3. Visit the ExtSRV FortiMail webmail GUI:

https://extsrv.external.lab/

4. Log in as extuser using the password fortinet.
5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.

To review log entries

1. Visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Monitor > Log > History.
3. The first two entries in the History log should correspond to the two email messages that FortiMail just processed.
4. Right-click the entry for the inbound email, and then select View Details.


5. Review the Policy IDs field, and answer the following questions:

The Policy IDs field is made up of three fields (X:Y:Z). What does each field's value correspond to?

The first policy usage value is 0. What does this mean?

The third policy usage value is 0. What does this mean?


The policy IDs for each email message are recorded in the history logs in the format X:Y:Z, where X is the ID of the access control rule, Y is the ID of the IP-based policy, and Z is the ID of the recipient-based policy.

If the value in the access control rule field for an incoming email is 0, it means that FortiMail is applying its default rule for handling inbound email. If the value of X:Y:Z is 0 in any other case, it means that a policy or rule couldn’t be matched, or doesn’t exist.

6. Click Close to close the Log Details window.
7. Open the relevant log entry for the outbound email and review the Policy IDs field.

The policy use recorded for the outbound email message is 1:1:0. It was processed using access receive rule ID 1, which you created in the previous exercise. Then, the email message was processed using the default IP policy ID 1. Because you didn’t configure any outgoing recipient policy, the last field value is 0.

Exercise 4: Policy Creation

In this exercise, you will create IP and recipient policies. Then, you will test your configuration by sending email messages back and forth. You will also use logs to observe the changes to the policy use from the previous exercise.

To create IP policies

1. Visit the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin

2. Click Policy > IP Policy > IP Policy.
3. In the IP Policy section, click New.
4. Create a new IP policy using the following values:

   Field     Value
   Source    10.0.1.99/32
   Session   Outbound_Session

5. Click Create to save the policy.

   The new policy should have an ID value of 3.

6. Click the policy to select it.
7. In the Move drop-down list, select Before.
8. Move IP policy ID 3 to appear in the list before IP policy ID 1.

The policies should appear in the following order:

IP policy ID 3 will process all email sourced from the IntSRV FortiMail (outgoing), and IP Policy ID 1 will process all other email (incoming). IP policy ID 2 is a default IPv6 policy. Since this lab is not configured for IPv6, it is not required. You can delete it if you want to.

To create recipient policies

1. Click Policy > Recipient Policy > Inbound.
2. Click New and, in the Domain drop-down list, select internal.lab.

   Don't modify any other values.

3. Click Create to save the policy.

4. Click Outbound.
5. Click New and, in the Domain drop-down list, select internal.lab.

   Don’t modify any other values.

6. Click Create to save the policy.

To generate log entries

1. In Windows, open Thunderbird.
2. Send an email message to [email protected].
3. Visit the ExtSRV FortiMail webmail GUI:

   https://extsrv.external.lab/

4. Log in as extuser using the password fortinet.
5. Open the new email message, and then click Reply.
6. Type a reply in the message body, and then click Send.
7. In Thunderbird, verify you received the reply.

To review log entries

1. In the IntGW FortiMail management GUI, click Monitor > Log > History.
2. The first two entries in the History log should correspond to the two email messages that FortiMail just processed.
3. Access the details for each log entry and review the Policy IDs field.

What changes can you see from the previous exercise?

The policy use will reflect the new ID values for the policies you created. All outgoing email will be processed by IP policy ID 3, and outgoing recipient policy ID 2. All incoming email will be processed by IP policy ID 1, and incoming recipient policy ID 1.

Lab 3: Authentication

In this lab, you will configure access receive rules to enforce user SMTP authentication. You will also configure an LDAP profile to enable recipient verification, alias mapping, and user authentication.

Objectives

- Enforce user SMTP authentication using access receive rules
- Configure an LDAP profile
- Enable recipient verification and alias mapping
- Configure LDAP authentication for users

Time to Complete

Estimated: 60 minutes

Prerequisites

Before beginning this lab, you must disable sender reputation on the IntGW FortiMail.

To disable sender reputation

1. In Windows, open a web browser, and go to the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Policy > IP Policy > IP Policy.
4. In the IP Policy section, double-click policy ID 1.
5. Edit the Inbound_Session profile.
6. Expand the Sender Reputation section and clear the Enable sender reputation check box.
7. Click OK to save the changes.

The sender reputation feature can interfere with some of the testing that you will do in this lab.

Exercise 1: User Authentication Enforcement

In this exercise you will explore how FortiMail handles SMTP authentication. You will enforce authentication using access receive rules, and test your configuration using various outgoing server settings in Thunderbird.

To disable SMTP authentication in Thunderbird

1. In Windows, open Thunderbird.
2. Press the Alt key to show the menu bar.
3. Click Tools > Account Settings.
4. On the Account Settings screen, in the left pane, click Outgoing Server (SMTP), and then click Edit.

5. In the Authentication method drop-down list, select No authentication.
6. Click OK to save the changes.
7. Click OK to return to the main Thunderbird window.

By making these changes, you have disabled authentication for SMTP connections. So, when you send an email message, Thunderbird won’t authenticate.

To send an unauthenticated email message

1. In Thunderbird, send an email to [email protected].
2. Open a web browser, and then go to the ExtSRV FortiMail webmail GUI:

   https://extsrv.external.lab/

3. Log in as extuser using the password fortinet.

Why was the email delivered to the destination user even though you disabled SMTP authentication in Thunderbird?

The access receive rule that you configured in Access Control and Policies on page 27 didn’t have authentication enforcement enabled.

When you set Authentication Status to Any, FortiMail doesn’t verify whether the sender matching the rule is authenticated or not.

To enforce authentication

1. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:

   https://intsrv.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Policy > Access Control > Receiving.
4. Select rule ID 1 and click Edit.

5. In the Authentication status drop-down list, select Authenticated.

6. Click OK to save the changes.

To verify authentication enforcement

1. In Thunderbird, send another email message to [email protected]. This time, an alert opens indicating that relaying is denied.
2. Click OK to close the alert, but leave the email compose window open in the background.
3. Visit the IntSRV FortiMail management GUI:

   https://intsrv.internal.lab/admin

4. Click Monitor > Log > History.
5. Double-click the active log file.

The first entry in the History log should correspond to the rejected email message.

In this log entry, you can see IntSRV has rejected (Disposition) the email because the session violated an access control rule (Classifier). By changing the Authentication Status value to Authenticated, you have successfully enforced authentication for users connecting to the IntSRV FortiMail.

To restore SMTP authentication on Thunderbird

1. In the main Thunderbird window, press the Alt key to show the menu bar.
2. Click Tools > Account Settings.
3. On the Account Settings screen, click Outgoing Server (SMTP), and then click Edit.
4. In the Authentication method drop-down list, select Normal password.
5. Click OK to save the changes.
6. Click OK to return to the main Thunderbird window.
7. Send the email message again.
8. Visit the ExtGW FortiMail webmail GUI:

   https://extsrv.external.lab/

9. Log in as extuser using the password fortinet.
10. Verify that the email was delivered.
11. Visit the IntSRV FortiMail management GUI:

   https://intsrv.internal.lab/admin

12. Click Monitor > Log > History.
13. Double-click the active log file.

The first entry in the History log should correspond to the email message you just sent.

14. Click the Session ID link to retrieve the cross search results.
15. Right-click the event log related to the authentication event to view the details.

Exercise 2: LDAP Operations

The Windows VM has been preconfigured with Active Directory devices for the internal.lab domain. In this exercise, you will review the Active Directory configuration and learn how to retrieve LDAP attributes for Active Directory objects. Then, you will configure an LDAP profile on both IntSRV and IntGW FortiMail devices to use for user authentication, alias lookup, and recipient verification.

To review the Active Directory configuration

1. In Windows, on the desktop, open the Active Directory Users and Computers management console.

A service account for the LDAP profile is located in the Service Accounts organization unit (OU). The users and groups are located in the Training Users OU and Training Groups OU respectively.

All account passwords have been set to fortinet.

To access the LDAP attributes of Active Directory objects

1. In the Active Directory Users and Computers management console, click View, and then verify that Advanced Features is selected.

2. Right-click internal.lab, and then select Properties.

3. In the internal.lab Properties window, click the Attribute Editor tab.

You can use the previous steps to access the LDAP attributes of any Active Directory object necessary to configure the LDAP profile on FortiMail.

4. Click Cancel to close the properties window.
5. Close the Active Directory Users and Computers management console.

To configure an LDAP profile on IntGW FortiMail

1. Open a new web browser tab, and go to the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Profile > LDAP > LDAP.
4. Click New.
5. Create an LDAP profile using the following values:

   Field           Value
   Profile name    InternalLabLDAP
   Server name/IP  10.0.1.10

6. Use the following values to configure the Default Bind Options:

   Field          Value
   Base DN        OU=Training Users,DC=internal,DC=lab
   Bind DN        CN=LDAP Service Account,OU=Service Accounts, DC=internal,DC=lab
   Bind password  fortinet

7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:

   Field                            Value
   Alias member query               proxyAddresses=smtp:$m
   User group expansion in advance  Disable
   Use Separate bind                Disable

10. Click Create to save the LDAP profile.

To configure an LDAP profile on IntSRV FortiMail

1. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:

   https://intsrv.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Profile > LDAP > LDAP.
4. Click New.
5. Create an LDAP profile using the following values:

   Field           Value
   Profile name    InternalLabLDAP
   Server name/IP  10.0.1.10

6. Use the following values to configure the Default Bind Options:

   Field          Value
   Base DN        OU=Training Users,DC=internal,DC=lab
   Bind DN        CN=LDAP Service Account,OU=Service Accounts, DC=internal,DC=lab
   Bind password  fortinet

7. In the User Query Options section, in the Schema drop-down list, select Active Directory.
8. In the User Alias Options section, in the Schema drop-down list, select Active Directory.
9. Use the following values to modify the User Alias Options:

   Field                            Value
   Alias member query               proxyAddresses=smtp:$m
   User group expansion in advance  Disable
   Use Separate bind                Disable

10. Click Create to save the LDAP profile.

To validate the LDAP profile configuration

1. In the IntGW FortiMail management GUI, select the InternalLabLDAP profile, and then click Edit.
2. On the LDAP profile configuration screen, click [Test LDAP Query…].
3. Make sure the query type is set to User.
4. Query for the following users:

   - [email protected]
   - [email protected]

5. If your configuration is correct, you will receive the following Test Result message:

6. If the query fails, make sure the LDAP profile configuration matches the following example:

7. On the LDAP profile configuration screen, click [Test LDAP Query…] again.
8. Change the query type to Alias.
9. All of the Active Directory users have been preconfigured with aliases. Query for the following aliases:

   - [email protected]
   - [email protected]

10. If your configuration is correct, you will receive the following Test Result message:

11. If the query fails, make sure the LDAP profile User Alias Options configuration matches the following example:

12. Perform the same validation steps on the IntSRV FortiMail.

To configure recipient verification and alias mapping for gateway mode

1. In the IntGW FortiMail management GUI, click Domain & User > Domain > Domain.
2. Select the internal.lab domain, and then click Edit.
3. In the Recipient Address Verification section, select Use LDAP Server.
4. In the Use LDAP server drop-down list, select InternalLabLDAP.
5. Expand the LDAP Options section.
6. In the User alias / address mapping profile drop-down list, select InternalLabLDAP.
7. Your configuration should match the following example:

8. Click OK to save the changes.

You don’t need to configure recipient verification on the IntSRV FortiMail. Recipient verification is enabled implicitly on a server mode FortiMail because the user database exists locally.

You also don’t need to configure alias mapping on the IntSRV FortiMail because the mapping is done by the IntGW FortiMail before it delivers an email message to the IntSRV FortiMail.

To configure LDAP authentication for gateway mode webmail access

1. Click Policy > Recipient Policy > Inbound.
2. Select recipient policy ID 1, and then click Edit.
3. In the Authentication and Access section, configure the following values:

   Field                   Value
   Authentication type     LDAP
   Authentication profile  InternalLabLDAP

4. Click OK to save the changes.

Users will use their Active Directory accounts to authenticate and gain access to the IntGW FortiMail’s webmail interface for quarantined emails.

To configure LDAP authentication for server mode users

1. Visit the IntSRV FortiMail management GUI:

   https://intsrv.internal.lab/admin

2. Click Domain & User > User > User.
3. Select user1, and then click Edit.
4. In the Authentication type drop-down list, select LDAP.
5. In the LDAP profile drop-down list, select InternalLabLDAP.

If the LDAP profile doesn’t appear in the drop-down list, then you missed a step. Return to the To configure an LDAP profile on IntSRV FortiMail on page 49 section, and then follow the listed steps to configure the same LDAP profile on the IntSRV FortiMail.

6. Click OK to save the changes.
7. Click New.
8. Create a new user using the following values:

   Field                Value
   User name            user2
   Authentication type  LDAP
   LDAP profile         InternalLabLDAP
   Display name         Mail User 2

9. Click Create to save the new user.

To validate server mode LDAP authentication

1. In Windows, open a new web browser tab, and visit the IntSRV FortiMail webmail GUI:

   https://intsrv.internal.lab/

2. Log in as user2 using the password fortinet.

If you have configured the server mode user LDAP authentication correctly, the login will be successful.

To validate gateway mode LDAP authentication

1. Open a new web browser tab and go to the IntGW FortiMail webmail GUI:

   https://intgw.internal.lab/

2. Log in as user2 using the password fortinet.

If you have configured the gateway mode LDAP authentication correctly, the login will be successful.

3. Log out and close the browser tab before proceeding.

The webmail GUI in gateway mode gives users access to their Bulk folder, which contains only quarantined email. You will configure email quarantining in a later lab. In this section, you are verifying user access only.

To validate recipient verification

1. In Windows, open a new web browser tab, and go to the ExtSRV FortiMail’s webmail GUI:

   https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Compose a new email message using the following values:

   Field         Value
   To            [email protected]
   Subject       Testing Recipient Verification
   Message Body  This should be rejected!

4. Click Send.
5. Click Refresh to update the inbox.

You should receive a delivery status notification (DSN) message.

6. Open the DSN message and review the transcript details.
7. Visit the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin

8. Click Monitor > Log > History.
9. Double-click the active log file.

The first entry in the History log should correspond to the email you just sent.

10. Review the log details.

To validate alias mapping

1. Visit the ExtSRV FortiMail’s webmail GUI:

   https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Compose another email message using the following values:

   Field         Value
   To            [email protected]
   Subject       Testing Alias Mapping
   Message Body  This should work!

4. Click Send.
5. Visit the IntSRV FortiMail’s webmail GUI:

   https://intsrv.internal.lab/

6. Log in as user2 using the password fortinet.

The email you sent to [email protected] should appear in the [email protected] inbox.

7. Visit the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin

8. Click Monitor > Log > History.
9. The first entry in the History log should correspond to the email message you just sent.

10. Click the Session ID to retrieve the cross search result.
11. Review the AntiSpam log related to the session.

Alias mapping is useful to consolidate multiple email messages for the same user in a single email account using their primary email address as the identifier. This reduces account management overhead for the user and the administrator. For example, if a user has five aliases in addition to a primary email address, FortiMail can use alias mapping to maintain a single user quarantine mailbox. Otherwise, the user would have to manage six separate quarantine accounts, as well as the quarantine reports for each account.
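The alias member query configured in this exercise, proxyAddresses=smtp:$m, is a filter template in which FortiMail substitutes the recipient address for $m; recipient verification then rejects addresses that resolve to no user, and alias mapping rewrites a match to the primary address. The following Python example is added here and is not FortiMail code: DIRECTORY is a constructed in-memory stand-in for the internal.lab Active Directory, USER_QUERY is an assumed user-lookup template, and the RFC 4515 escaping shows why the substituted value has to be treated as a literal.

```python
"""Recipient verification and alias mapping driven by the lab's LDAP profile.

Added example, not FortiMail code. DIRECTORY is a constructed stand-in for
the internal.lab Active Directory; ALIAS_MEMBER_QUERY is the template from
the lab's LDAP profile, USER_QUERY is an assumed user-lookup template.
"""
import re
from typing import Optional

# Constructed AD-style objects: 'mail' is the primary address,
# 'proxyAddresses' carries the aliases in AD's "smtp:" prefixed form.
DIRECTORY = [
    {"cn": "Mail User 1", "mail": "user1@internal.lab",
     "proxyAddresses": ["SMTP:user1@internal.lab", "smtp:alias1@internal.lab"]},
    {"cn": "Mail User 2", "mail": "user2@internal.lab",
     "proxyAddresses": ["SMTP:user2@internal.lab", "smtp:alias2@internal.lab"]},
]

ALIAS_MEMBER_QUERY = "proxyAddresses=smtp:$m"   # lab value; $m = recipient address
USER_QUERY = "mail=$m"                           # assumed user query template

# Characters RFC 4515 requires escaping inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_UNESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it for $m.

    Without this, a recipient such as "x@a.lab)(objectClass=*" would turn a
    single equality match into a wider filter; escaping keeps it a literal.
    """
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def render_query(template: str, address: str) -> str:
    """Substitute the escaped address for $m and wrap it as an LDAP filter."""
    return "(" + template.replace("$m", escape_filter_value(address)) + ")"


def ldap_search(directory, rendered_filter: str):
    """Evaluate a single "(attr=value)" filter against the in-memory directory.

    Comparison is case-insensitive, as AD treats mail and proxyAddresses.
    """
    attr, _, raw = rendered_filter[1:-1].partition("=")
    value = _UNESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw).lower()
    hits = []
    for entry in directory:
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if any(v.lower() == value for v in values):
            hits.append(entry)
    return hits


def resolve_alias(address: str, directory=DIRECTORY) -> Optional[str]:
    """Alias mapping: map a primary or alias address to the user's 'mail'.

    Returns None when nothing (or more than one object) matches, which the
    recipient-verification step treats as an unknown recipient.
    """
    hits = ldap_search(directory, render_query(USER_QUERY, address))
    if not hits:
        hits = ldap_search(directory, render_query(ALIAS_MEMBER_QUERY, address))
    return hits[0]["mail"] if len(hits) == 1 else None


def verify_recipient(address: str, directory=DIRECTORY) -> bool:
    """Recipient verification: accept only addresses the directory knows."""
    return resolve_alias(address, directory) is not None
```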

Exercise 3: SMTP Brute Force Attack

In this exercise, you will explore how FortiMail handles a failed SMTP authentication. You will generate an SMTP brute force attack and block the offending IP address.

Enable authserver security on the IntGW FortiMail

1. In Windows, open a new web browser tab and go to the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin/

2. Log in as admin and leave the password field empty.
3. Click Security > Authentication Reputation > Settings.
4. Set the status to Enable, keep the default values for the remaining fields, and click Apply.

The default block period for an offending IP address is 10 minutes. You can set the block period to a maximum of 60 minutes and minimum of 5 minutes.

Run brute force attack from Linux

1. In Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also just enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. After logging in successfully, you will be in the /home/student directory. To verify, type pwd.
6. Run the following swaks command to generate an SMTP brute force attack. A copy of the command is in a text file named commands.txt, which is located in the Resources folder on the Windows desktop.

   while sleep 1; do swaks --to [email protected] --from "[email protected]" --header "Subject: Test mail" --body "This is a testmail" --server 10.0.1.11 --port 25 --timeout 40s --auth LOGIN --auth-user "[email protected]" --auth-password "Myworld" -tls; done

After a few successful SMTP connections, subsequent connections time out.

Successful connection but failed authentication attempt

Connection time out

7. Type ctrl+c to stop the attack.

Stop and think!

Why are the SMTP connections failing?

FortiMail uses a variety of adaptive factors to detect and block brute forcing (not just consecutive failures) and temporarily locks out (tarpits) the user. FortiMail detected a brute force attack and blocked that IP. New TCP connections from that attacker were denied.

To review the logs

1. Visit the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin/

2. Click Monitor > Log > History.
3. The first few log entries should correspond to the failed SMTP authentication with SMTP Auth Failure showing in the Classifier column and Reject showing in the Disposition column.
4. Click Monitor > Reputation > Authentication Reputation.

The blocked IP of the attacker is displayed.

5. Refresh to view the current expiry time.
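To make the blocking behaviour you just reviewed concrete, the following Python example (added here; not FortiMail's implementation) counts SMTP Auth Failure records per client over constructed history-log lines, puts a client on a timed block list, and clamps the block period to the 5 to 60 minute range the lab states. The failure threshold, the one-minute window and the key=value line layout are assumptions.

```python
"""Authentication reputation, simplified: repeated SMTP authentication
failures from one client put that IP on a timed block list.

Added example, not FortiMail's algorithm (the lab notes FortiMail weighs
several adaptive factors, not only consecutive failures). The block-period
default and range are the lab's; FAILURE_THRESHOLD, WINDOW, the log line
layout and the sample lines are constructed.
"""
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

DEFAULT_BLOCK_MINUTES = 10   # default block period stated in the lab
MIN_BLOCK_MINUTES = 5        # configurable range stated in the lab
MAX_BLOCK_MINUTES = 60
FAILURE_THRESHOLD = 3        # constructed: failures inside WINDOW that trigger a block
WINDOW = timedelta(minutes=1)

# Constructed history-log-style records: ISO time, then key=value fields.
SAMPLE_LINES = [
    '2019-01-09T10:00:00 client=10.0.1.254 classifier="SMTP Auth Failure" disposition=Reject',
    '2019-01-09T10:00:01 client=10.0.1.254 classifier="SMTP Auth Failure" disposition=Reject',
    '2019-01-09T10:00:01 client=10.0.1.10 classifier="Not Spam" disposition=Accept',
    '2019-01-09T10:00:02 client=10.0.1.254 classifier="SMTP Auth Failure" disposition=Reject',
    '2019-01-09T10:00:03 client=10.0.1.254 classifier="SMTP Auth Failure" disposition=Reject',
    '2019-01-09T10:00:30 client=10.0.1.10 classifier="SMTP Auth Failure" disposition=Reject',
]


def clamp_block_period(minutes: int) -> int:
    """Keep a configured block period within the range the lab states (5-60 min)."""
    return max(MIN_BLOCK_MINUTES, min(MAX_BLOCK_MINUTES, minutes))


def parse_history_line(line: str) -> dict:
    """Parse one constructed record into {'time': datetime, key: value, ...}."""
    stamp, _, rest = line.partition(" ")
    record = {"time": datetime.fromisoformat(stamp)}
    for token in shlex.split(rest):          # shlex keeps quoted values whole
        key, _, value = token.partition("=")
        record[key] = value
    return record


def is_blocked(blocked: dict, client: str, at: datetime) -> bool:
    """True while a client's block has not yet expired."""
    return client in blocked and at < blocked[client]


def auth_reputation(lines, block_minutes=DEFAULT_BLOCK_MINUTES):
    """Return {client_ip: block_expiry} for clients that crossed the threshold.

    Failures are counted in a sliding WINDOW per client. Once a client is
    blocked, its further connections are dropped until the expiry, which is
    what the timed-out swaks connections in this exercise show.
    """
    period = timedelta(minutes=clamp_block_period(block_minutes))
    failures = defaultdict(deque)      # client -> recent failure timestamps
    blocked = {}                        # client -> expiry
    for line in lines:
        rec = parse_history_line(line)
        client, now = rec["client"], rec["time"]
        if is_blocked(blocked, client, now):
            continue                    # connection denied; nothing to count
        if rec.get("classifier") != "SMTP Auth Failure":
            continue
        recent = failures[client]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= FAILURE_THRESHOLD:
            blocked[client] = now + period
            recent.clear()
    return blocked
```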

If you do not see the IP address on the Authentication Reputation tab, then run the following command on the CLI/console of the gateway mode FortiMail. To access the console, click Dashboard > Console.

# execute db reset sender-reputation

Delete the blocked IP in order to continue to the next lab

1. Click Monitor > Reputation > Authentication Reputation.
2. Select the blocked IP 10.0.1.254 and Delete it.

Lab 4: Session Management

In this lab, you will configure session profiles to inspect the envelope part of SMTP sessions. You will also use session profiles to hide internal network information from email headers.

Objectives

- Configure session profile connection settings to limit inbound connections to the IntGW FortiMail
- Configure sender address rate control to limit outbound connections on the IntSRV FortiMail
- Configure session profile header manipulation to hide your internal network information

Time to Complete

Estimated: 45 minutes

Prerequisites

Before beginning this lab, you must restore a configuration file to the IntSRV FortiMail.

To restore the initial configuration file

1. In Windows, open a web browser and visit the IntSRV FortiMail management GUI:

   https://intsrv.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click System > Maintenance > Configuration, and upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 4\04_Initial_IntSRV.tgz

The configuration file adds a new IP policy that causes all email delivery attempts from the ExtSRV FortiMail to the IntSRV FortiMail to fail temporarily. This is done to ensure that when the session limits are triggered on the IntGW FortiMail, the ExtSRV FortiMail can’t deliver to the IntSRV FortiMail directly. The change helps in testing the session profile settings you will be configuring on IntGW in this lab.

4. Click Restore.
5. Wait for the IntSRV FortiMail to finish rebooting before you proceed with the exercise.

Exercise 1: Connection Limits

Spammers usually send as many email messages as they can in a small period of time, before legitimate email servers begin to block delivery. If blocked, the spammers won’t spend the time to retry. Normal email servers will retry delivery if it fails the first time. One method of blocking spam, while allowing legitimate email messages, is to limit the number of SMTP sessions that each client can establish in a 30-minute period.

In this exercise, you will configure a session profile on the IntGW FortiMail to limit the number of connections the ExtSRV FortiMail can establish over a 30-minute period. Then, you will test the connection limitation by sending consecutive email messages to trigger a violation. You will also verify your configuration by reviewing the logs.

To configure a session profile

1. In Windows, open a web browser, and visit the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Profile > Session > Session.
4. Click New.
5. In the Connection Settings section, configure the following values:

   Field                                                            Value
   Profile name                                                     limit_connections
   Restrict the number of connections per client per 30 minutes to  4

6. Click Create to save the profile.

Four connections every 30 minutes is too few to be realistic for real-world deployments. Email servers usually send many email messages to or through FortiMail each minute. In this lab, however, you will use the 30-minute restriction to make your rate limit easy to trigger.

If there are no IP policies configured with a session profile, FortiMail will still rate limit connections according to its default settings, which are similar to the session_basic_predefined profile, including the 10 MB size limit, sender reputation enabled, and so on. To disable the rate limit, you must create and apply a blank session profile.

To apply the session profile to inbound connections

1. Continuing on the IntGW FortiMail management GUI, click Policy > IP Policy > IP Policy.
2. Edit IP policy ID 1.
3. In the Profiles section, in the Session drop-down list, select limit_connections.
4. Click OK to save your settings.

To validate the connection limits

1. Open a new tab in your browser, and go to the ExtSRV FortiMail webmail GUI:

   https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Send five email messages to [email protected] to trigger the session limit.
4. Open Thunderbird and verify how many email messages were delivered to the [email protected] inbox.

There will be one email sent per TCP connection. Therefore, the IntGW FortiMail should allow the first four but block the fifth, which exceeds your configured connection limit.

5. Visit the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin

6. Click Monitor > Log > History.
7. The first entry in the History log should correspond to the rejected email.

Why are the From, To, and Subject fields empty in this log entry?

FortiMail blocked the client’s attempt when scanning the IP layer of the initial packets before the SMTP session could be established. The SMTP session contains the SMTP envelope: the sender’s email address, the recipient’s email address, and the subject. So those parts of the email were never received.

8. Click the Session ID to retrieve the cross search results.
9. Review the related AntiSpam log.

To disable connection limits

1. Go to the IntGW FortiMail management GUI:

   https://intgw.internal.lab/admin

2. Click Policy > IP Policy > IP Policy.
3. Edit IP policy ID 1.
4. In the session profile drop-down list, select Inbound_Session.
5. Click OK.

Exercise 2: Sender Address Rate Control

While it is important to protect your email users from spammers sending large volumes of email, it is also important to protect your own MX IP reputation by controlling the volume of email received from internal users.

In this exercise, you will configure sender address rate control on the IntSRV FortiMail. Then, you will send consecutive email messages to trigger a violation, and verify your configuration using logs.

To configure sender address rate control

1. In Windows, open a new web browser tab, and go to the IntSRV FortiMail management GUI:

   https://intsrv.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Domain & User > Domain > Domain.
4. Select the internal.lab domain, and click Edit.
5. In the Advanced Settings section, click Sender Address Rate Control and Enable it.
6. Configure the following values:

   Field                                                  Value
   Action                                                 Reject
   Maximum number of messages per half hour               4
   Send email notification upon rate control violations   Enable

7. Click New.
8. Create a notification profile using the following values:

   Field                 Value
   Name                  NotifyUser1
   Send notification to  Others

9. Enter Mail User 1’s email address: [email protected].
10. Click >>
11. Click Create.
12. Click OK.
13. Click OK.

To validate sender address rate control

1. Open a new web browser tab, and go to the IntSRV FortiMail’s webmail GUI:

   https://intsrv.internal.lab/

2. Log in as user2 using the password fortinet.
3. Send five email messages to [email protected] to trigger the rate control limit.
4. Open a new web browser tab, and visit the ExtSRV FortiMail webmail GUI:

   https://extsrv.external.lab/

5. Log in as extuser using the password fortinet.
6. Check how many email messages were delivered to the [email protected] inbox.

By now, [email protected] should have received the notification email for the rate control violation.

7. Open Thunderbird, and view the details in the notification email.

Notification profiles are a convenient feature that can allow administrators to keep informed of events occurring on FortiMail. Many FortiMail features support notification profiles.

8. Visit the IntSRV FortiMail management GUI:

   https://intsrv.internal.lab/admin

9. Click Monitor > Log > History.
10. Double-click the active log file.

The first entry in the History log should correspond to the rate control violation.

While session profile connection limits and sender address rate control appear to function very similarly, there is a major difference in how these limits are applied by FortiMail.

As you observed in the previous exercise, session profile connection limits are applied at the IP layer. Sender address rate control limits connections based on the sender address. This is derived from the mail From: field of the SMTP envelope. So, for sender address rate control, FortiMail must process at least a portion of the SMTP envelope. This is also why [email protected] appears in the From: field of the log entry, but the log entries from the session profile connection limits are empty.

11. Click the Session ID to retrieve the cross search results.
12. Review the related event and antispam logs.
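The difference between the two limits, as an added example that is not part of the lab guide and not FortiMail code: a connection limit is evaluated when the TCP session arrives, before any SMTP command has been read, so a rejection at that stage carries no sender; sender address rate control is evaluated after MAIL FROM: has been processed, so the sender appears in the log entry. Limit values, window size, the client IP and the sender address below are constructed to mirror the lab; FortiMail’s real counters and log layout are not modelled.

```python
"""Added example (not FortiMail code): why an IP-layer connection limit and
sender address rate control produce different log entries. Limits, window,
client IP and sender address are constructed to mirror the lab."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Count accepted events per key inside a trailing window of `window` seconds."""

    def __init__(self, limit, window=60):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)   # key -> timestamps of accepted events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # forget timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class GatewaySimulator:
    """Two limiters at two SMTP stages, plus a History-style log (constructed layout)."""

    def __init__(self, connection_limit, sender_limit, window=60):
        self.by_ip = SlidingWindowLimiter(connection_limit, window)
        self.by_sender = SlidingWindowLimiter(sender_limit, window)
        self.history = []

    def session(self, client_ip, mail_from, now):
        entry = {"client_ip": client_ip, "from": "", "disposition": "accepted"}
        # Stage 1: the connection limit is checked when the TCP session arrives.
        # No SMTP command has been read yet, so the log entry has no sender.
        if not self.by_ip.allow(client_ip, now):
            entry["disposition"] = "rejected: connection limit"
            self.history.append(entry)
            return entry
        # Stage 2: MAIL FROM has been processed, so the envelope sender is known;
        # rate control is keyed on it and the log entry shows it.
        entry["from"] = mail_from
        if not self.by_sender.allow(mail_from.lower(), now):
            entry["disposition"] = "rejected: sender address rate control"
        self.history.append(entry)
        return entry


def sender_rate_control_scenario():
    """user2 sends five messages within a minute; constructed limit of 3 per minute."""
    gw = GatewaySimulator(connection_limit=100, sender_limit=3)
    for i in range(5):
        gw.session("10.0.1.10", "user2@internal.lab", now=1000 + i)
    return gw.history


def connection_limit_scenario():
    """Three connections from one client within a minute; constructed limit of 2 per minute."""
    gw = GatewaySimulator(connection_limit=2, sender_limit=100)
    for i in range(3):
        gw.session("10.0.1.10", "user2@internal.lab", now=2000 + i)
    return gw.history


if __name__ == "__main__":
    for entry in sender_rate_control_scenario() + connection_limit_scenario():
        print(entry)
```

Running the block prints the two scenarios: the fourth and fifth messages from user2 are rejected with the sender filled in, while the third connection in the second scenario is rejected with an empty from field, which is the pattern you see when comparing the two History log entries in the lab.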

To disable sender address rate control

1. Visit the IntSRV FortiMail’s management GUI:


https://intsrv.internal.lab/admin

2. Click Domain & User > Domain > Domain.
3. Select the internal.lab domain, and click Edit.
4. In the Advanced Settings section, select Sender address rate control and disable it.


Exercise 3: Header Manipulation

Removing internal headers is a common security practice. It hides your internal network information from the world.

In this exercise, you will observe the effects of header manipulation settings by configuring a session profile on the IntGW FortiMail to hide internal headers.

To review headers

1. Open a new web browser tab, and go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Open any email message sent by an internal.lab user.

If you deleted all the previous email messages, open Thunderbird and send a new email message to [email protected].

4. Click More > Detailed Header.
5. Select and copy (Ctrl + C) the header contents.
6. Open a new Notepad window and paste (Ctrl + V) the header details.
7. Save the file on the desktop as Header_Before.txt.

To configure header manipulation

1. Open a new web browser tab, and go to the IntGW management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Policy > IP Policy > IP Policy.
4. Click the Outbound_Session link.

This is the session profile currently applied to IP policy ID 3, which processes all outbound email for the internal.lab domain.

5. Expand Header Manipulation, and then select the Remove received headers check box.
6. Click OK to save the changes.


The IntGW FortiMail removes all previous Received: headers from the email when it starts processing it, using IP policy ID 3.

To validate header manipulation settings

1. Open Thunderbird.
2. Send a new email message to [email protected].
3. Visit the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/
4. Log in as extuser using the password fortinet.
5. Open the email message you just sent from [email protected].
6. Review the detailed headers of the email.

In the Received: headers you should only see details about IntGW and ExtSRV. There should be no information about Windows (10.0.1.10) and IntSRV (10.0.1.99).

7. Open the Header_Before.txt file you saved earlier.
8. Compare the differences.
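What the Remove received headers setting changes, as an added example written with Python’s standard email library; this is not part of the lab guide and not FortiMail code. The sample message, hostnames and addresses are constructed to mirror the lab topology (a Windows client at 10.0.1.10, IntSRV at 10.0.1.99). The example models only the stripping of accumulated Received: headers and the single hop the outside server then records; whether FortiMail itself writes a trace header after stripping is not modelled.

```python
"""Added example (not FortiMail code): every Received: trace header accumulated
inside the network is dropped before the message leaves the gateway. Message,
hostnames and addresses are constructed to mirror the lab topology."""
import re
from email import message_from_string

# Constructed message as it arrives at IntGW: two internal hops are already
# recorded (the Windows client 10.0.1.10 and IntSRV 10.0.1.99).
SAMPLE_MESSAGE = """\
Received: from intsrv.internal.lab (intsrv.internal.lab [10.0.1.99])
\tby intgw.internal.lab with ESMTP id CONSTRUCTED-2
Received: from [10.0.1.10] (windows.internal.lab [10.0.1.10])
\tby intsrv.internal.lab with ESMTPA id CONSTRUCTED-1
From: user1@internal.lab
To: extuser@external.lab
Subject: header test

Hello from the inside.
"""

INTERNAL_IP = re.compile(r"\b10\.0\.1\.\d{1,3}\b")   # the lab's internal network


def internal_ips_exposed(msg):
    """Internal addresses an outside recipient could read from Received: headers."""
    found = set()
    for value in msg.get_all("Received", []):
        found.update(INTERNAL_IP.findall(value))
    return sorted(found)


def remove_received_headers(msg):
    """What the session profile setting does: delete every Received: header."""
    del msg["Received"]          # Message.__delitem__ removes all occurrences
    return msg


def deliver_to_extsrv(raw):
    """Simulate the outbound path: IntGW strips the trace headers, then ExtSRV
    records the one hop it actually saw (from IntGW)."""
    msg = remove_received_headers(message_from_string(raw))
    msg["Received"] = ("from intgw.internal.lab by extsrv.external.lab "
                       "with ESMTP id CONSTRUCTED-3")
    return msg


if __name__ == "__main__":
    before = message_from_string(SAMPLE_MESSAGE)
    print("before:", internal_ips_exposed(before))
    after = deliver_to_extsrv(SAMPLE_MESSAGE)
    print("after: ", internal_ips_exposed(after))
    print(after.get_all("Received"))
```

internal_ips_exposed() is the check to run over the Header_Before.txt and after copies: the first shows both internal addresses, the second shows none.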


Lab 5: Antivirus

In this lab, you will apply FortiMail’s local malware detection techniques to scan for viruses in inbound email.

Objectives

- Configure an antivirus profile to enable local malware detection
- Configure an antivirus action profile to replace infected content from an email
- Apply antivirus scanning to inbound email
- Test antivirus functionality

Time to Complete

Estimated: 15 minutes


Exercise 1: Antivirus Scanning for Malware Detection

In this exercise, you will configure an antivirus profile and an antivirus action profile on the IntGW FortiMail. Then, you will apply the antivirus profile to a recipient-based policy in order to scan all inbound email sent to the internal.lab domain.

You shouldn’t test your antivirus configuration using a live virus. By doing so, you risk infecting your network’s hosts if your configuration is incorrect. To test your antivirus configuration without risk of infecting your network, you will use an EICAR file.

An EICAR file doesn’t contain a real virus. It is a harmless, industry-standard test file that is designed to trigger all antivirus engines for testing purposes. So, if your antivirus configuration is correct, FortiMail should detect the EICAR file as a virus.

To configure an antivirus action profile

1. In Windows, open a new web browser, and visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin/

2. Log in as admin and leave the password field empty.
3. Click Profile > AntiVirus > Action.
4. Click New.
5. Add a new action profile using the following values:

Field                                              Value
Domain                                             internal.lab
Profile name                                       AV_Tag_Replace
Tag subject                                        enabled, with the tag [VIRUSDETECTED]
Replace infected/suspicious body or attachments    enabled

6. Click Create to save the profile.

The action profile that you created doesn’t appear in the list. Why? The list view is filtered by domain. If you want to show the new profile, change the selection in the Domain drop-down list. Select internal.lab to view the action profiles for that specific domain, or select All to view the action profiles for all domains.

To configure an antivirus profile for local malware detection

1. Continuing on the IntGW FortiMail management GUI, click Profile > AntiVirus > AntiVirus.
2. Click New.
3. Add a new antivirus profile using the following values:


Field             Value
Domain            internal.lab
Profile name      AV_In
Default action    AV_Tag_Replace

4. Keep the default values for the remaining settings.
5. Click Create to save the profile.
6. In the Domain drop-down list, select internal.lab to see the new antivirus profile.

To configure a recipient policy to apply antivirus

1. Click Policy > Recipient Policy > Inbound.
2. Select recipient policy ID 1, and then click Edit.
3. In the Profiles section, in the Antivirus drop-down list, select AV_In.
4. Click OK to save the recipient-based policy.

To send an infected email

1. Open a new web browser tab, and go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Compose a new email message using the following values:

Field           Value
To              [email protected]
Subject         AV EICAR Test
Message Body    This contains a virus!

4. Click Attach.
5. Browse to and select:

Desktop\Resources\Files\eicar.com

6. Wait for the file upload to finish, and then click Send.

To verify AV functionality

1. In Windows, open Thunderbird.
2. Confirm that you received the email message sent from [email protected].
3. Note that the following actions have been applied to the email message:

- The subject line contains the [VIRUSDETECTED] tag
- The IntGW FortiMail replaced the EICAR file and inserted a replacement message.
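The two actions of the AV_Tag_Replace profile, as an added example that is not part of the lab guide and not FortiMail code. The scanner here is a toy that knows only the EICAR test string, the same harmless content the lab’s eicar.com carries; a real engine uses many signatures and heuristics. The message, the sender and recipient addresses and the replacement notice text are constructed to mirror the lab’s “AV EICAR Test” email.

```python
"""Added example (not FortiMail code) of what a tag-and-replace antivirus action
does to a message: tag the Subject and replace the infected attachment with a
notice. The scanner knows only the EICAR test string; message is constructed."""
from email.message import EmailMessage

# The EICAR test string: the harmless, industry-standard content of eicar.com.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SUBJECT_TAG = "[VIRUSDETECTED]"
REPLACEMENT_NOTICE = "An attachment was removed because it was detected as infected. (constructed notice)"


def build_test_message(attachment=EICAR, filename="eicar.com"):
    """Constructed copy of the lab's test email, with a configurable attachment."""
    msg = EmailMessage()
    msg["From"] = "extuser@external.lab"
    msg["To"] = "user1@internal.lab"
    msg["Subject"] = "AV EICAR Test"
    msg.set_content("This contains a virus!")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def is_infected(payload):
    """Toy signature match: only the EICAR test string is known."""
    return payload is not None and EICAR in payload


def apply_tag_replace(msg):
    """Return (message, replaced_filenames) after applying the action profile."""
    replaced = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        if is_infected(part.get_payload(decode=True)):
            replaced.append(part.get_filename())
            # 'Replace infected/suspicious body or attachments': the binary payload
            # becomes a plain-text notice; the message itself is still delivered.
            part.set_content(REPLACEMENT_NOTICE)
    if replaced:
        # 'Tag subject': prepend the configured tag so the user sees it in the inbox.
        msg.replace_header("Subject", f"{SUBJECT_TAG} {msg['Subject']}")
    return msg, replaced


def still_contains_signature(msg):
    """Check that no part of the delivered message still carries the signature."""
    return any(is_infected(p.get_payload(decode=True)) for p in msg.walk())


if __name__ == "__main__":
    delivered, replaced = apply_tag_replace(build_test_message())
    print(delivered["Subject"], replaced, still_contains_signature(delivered))
    print(delivered.as_string())
```

Printing the delivered message shows the same thing Thunderbird shows in the lab: a tagged subject and a text part in place of the attachment.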


To monitor the logs

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Monitor > Log > History.
3. The first entry in the History log should correspond to the virus email.

4. Click the Session ID link to review the cross search result for more details.


Lab 6: Antispam

In this lab, you will configure antispam scanning for both inbound and outbound email. Then, you will verify your configuration by sending live spam through the IntGW FortiMail VM. You will also configure quarantine report settings, and manage user quarantine.

Objectives

- Scan both incoming and outgoing email for spam
- Send spam email to user quarantine
- Manage quarantine report configuration
- Access and explore the user quarantine mailbox

Time to Complete

Estimated: 60 minutes

Prerequisites

Before beginning this lab, you must restore a configuration file.

To restore the initial configuration files

1. In Windows, open a web browser, and go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

2. Click System > Maintenance > Configuration, and upload the following configuration file: Desktop\Resources\Starting Configs\Lab 6\06_Initial_IntSRV.tgz

3. Click Restore.
4. Open a new web browser tab, and visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

5. Click System > Maintenance > Configuration, and upload the following configuration file: Desktop\Resources\Starting Configs\Lab 6\06_Initial_IntGW.tgz

6. Wait for the VMs to finish rebooting before proceeding with the exercise.

The configuration files disable all session profile inspection features that can potentially interfere with the antispam testing you will do in this lab.


Exercise 1: Scan Incoming Email for Spam

In this exercise, you will verify the FortiGuard configuration. Then, you will configure an antispam profile to scan all incoming email and send all spam email to the users’ personal quarantine accounts.

To verify FortiGuard configuration

1. In Windows, open a web browser, and visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click System > FortiGuard > Antispam.
4. In the FortiGuard Antispam Options section, configure the following values:

Field                       Value
Enable service              Enabled
Enable cache                Enabled
Cache TTL (Seconds)         300 (default)
Use override server         Enabled
Override server address     10.0.1.241

5. Click Apply to save the changes.
6. To test the connectivity to FortiGuard, under FortiGuard > License, expand FortiGuard Antispam Query, enter an IP address, such as 8.8.8.8, and click Query.
7. Confirm that a Query result and Query score are returned, such as Score: 7, Not spam.

If the Query result is No response, or if the antispam license status on Dashboard > Status is Trial, then change the FortiGuard service port setting, click Apply, and then test the connection again.

8. Click Dashboard > Console.
9. Type execute update now and press Enter.

To configure an antispam action profile

1. Click Profile > AntiSpam > Action.
2. Click New.
3. Configure a new action profile using the following values:


Field           Value
Domain          internal.lab
Profile name    AS_In_User_Quar
Final action    Personal quarantine

4. Click Create.

To create a resource profile

1. Click Profile > Resource > Resource.
2. Click New.
3. Configure a new resource profile using the following values:

Field                                  Value
Domain                                 internal.lab
Profile name                           Resource_AS_In_User_Quar
Send quarantine report                 Enabled
Web release                            Enabled
Email release                          Enabled
Safelist sender of released message    Disabled

4. Click Create.

To create an antispam profile

1. Click Profile > AntiSpam > AntiSpam.
2. Click New.
3. Configure a new antispam profile using the following values:

Field             Value
Domain            internal.lab
Profile name      AS_In
Default action    AS_In_User_Quar

4. Click Create.
5. In the Domain drop-down list, select internal.lab.
6. Select the AS_In antispam profile, and click Edit.
7. Enable the following antispam techniques:


- FortiGuard
- IP Reputation
- Extract IP from Received Header
- URI filter
  - Primary: phishing
- DMARC check
- Behavior analysis
- Header analysis
- Heuristic
  - The percentage of rules used: 100
- Suspicious newsletter
- Newsletter

8. Click OK to save the changes.

To apply antispam scanning on all inbound email

1. Click Policy > Recipient Policy > Inbound.
2. Select recipient policy ID 1, and then click Edit.
3. In the AntiSpam profile drop-down list, select AS_In.
4. In the Resource profile drop-down list, select Resources_AS_In_User_Quar.
5. Click OK to save the changes.

Test the Antispam Configuration

To test your antispam settings, you will use the swaks tool on the Linux VM to send spam to [email protected].

To test the antispam configuration

1. In Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also just enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. After logging in, you will be at the /home/student directory. To verify, type pwd.
6. Go to the directory spam_samples located in the Resources folder: cd Resources/spam_samples.
7. Type pwd, and make sure you are in the right directory: /home/student/Resources/spam_samples.
8. Run the following swaks command to generate spam emails. A copy of the command is in a text file named commands.txt, which is located in the Resources folder on the Windows Desktop.


for ii in *; do swaks -s 10.0.1.11 -f [email protected] -t [email protected] -d "$ii"; done

9. Wait until all the spam emails are sent.
10. Close the PuTTY window.

To verify the antispam configuration

1. Go to the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin

2. Click Dashboard > Status.
3. On the Statistics Summary you can see current information on the total number of email messages received, the percentage of spam detected, and the type of antispam technique used to detect most of the spam.
4. Click Monitor > Log > History.
5. You should see all the history logs associated with the spam email.


6. Click the Session ID link of a history log entry, and review the related antispam log for the session.


Exercise 2: Scan Outgoing Email for Spam

In this exercise, you will configure outbound antispam scanning on the IntGW FortiMail. Then, you will test the configuration by sending an outbound email message containing a banned word.

To configure an outbound antispam profile

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Profile > AntiSpam > AntiSpam.
4. Click New.
5. Configure a new antispam profile using the following values:

Field             Value
Domain            System
Profile name      AS_Out
Default action    Reject_Outbound

6. Enable Banned word.
7. Click Configuration, and then add some words to include in your banned word list. For each word, select whether FortiMail will scan the subject, body, or both, as follows:
8. Click OK to close the window.
9. Click Create to save the profile.

To apply antispam scanning on outbound email

1. Click Policy > Recipient Policy > Outbound.
2. Select policy ID 2, and then click Edit.


3. In the Profiles section, in the AntiSpam drop-down list, select AS_Out.
4. Click OK to save the changes.

To verify the antispam configuration

1. Open Thunderbird.
2. Send an email to [email protected] that contains one of the banned words.

You should receive a delivery status notification (DSN) message.

3. Open the DSN and review the transcript details. Sample output:

An error occurred while sending mail. The mail server responded: 554 5.7.1 This email from IP 10.0.1.99 has been rejected. The email message was detected as spam.

4. Visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

5. Click Monitor > Log > History. The first entry in the History log should correspond to the rejected email message.

6. Review the log and verify that the appropriate action was applied to the outbound email message.
7. Click the Session ID link to review the cross search result for more details.


Exercise 3: User Quarantine Management

An email user can access their list of quarantined email messages using either POP3 or webmail. In this exercise, you will access the [email protected] quarantine mailbox on the IntGW FortiMail on the webmail GUI. You will also configure quarantine report scheduling and generate an on-demand quarantine report. Then, you will explore the options available in a quarantine report.

To access the personal quarantine

1. Open a new tab in the web browser, and go to the IntGW FortiMail webmail GUI: https://intgw.internal.lab/

2. Log in as user1 using the password fortinet.

In the webmail interface of the gateway mode FortiMail, a user has access to the Bulk folder for quarantined email messages only. You should see all the quarantined spam messages in the Bulk folder.

3. Try releasing an email from the quarantine mailbox to the user’s inbox.
4. Try deleting a quarantined email.
5. Log out of the webmail interface after you’re finished.

To configure quarantine reports

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Security > Quarantine > Quarantine Report.
3. In the Schedule section, enable the following days and times only:

- These hours: 9:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 17:00 18:00
- These days: Mon Tue Wed Thu Fri

4. In the Quarantine report template drop-down list, select default-with-icons.
5. Click Apply to save the changes.

FortiMail auto-generates quarantine reports on schedule only for accounts that have quarantined email. If a user’s quarantine account is empty, then no report is generated for that account.


To generate quarantine reports on demand

1. Click Monitor > Quarantine > Personal Quarantine.
2. Select the [email protected] account.
3. Click Send quarantine report to > Selected users.
4. Click OK.

To view the quarantine report

1. In Windows, open Thunderbird.
2. Open the quarantine report.

The subject should contain the words “Quarantine Summary”. You can release or delete each quarantined email message using either web or email actions.

3. Try using the web delete action:
4. The end of the quarantine report contains options to delete all quarantined email messages using either an email or a web action:


5. Select the web action to delete all of the quarantined email messages for [email protected].


Exercise 4: Impersonation Analysis

In this exercise, you will configure FortiMail to inspect all email communications for messages designed to impersonate critical personnel and to take appropriate action on these types of messages.

Impersonation analysis is used to detect an email spoofing attack that attempts to deceive the recipient by using a forged header to make the message appear as though it comes from a trusted sender.

To configure an impersonation analysis profile

1. In Windows, open a web browser, and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Profile > Antispam > Impersonation.
4. Click New to create a new impersonation profile.
5. In the Profile Name field, type impersonation.
6. In the Impersonation Entry section, click New.
7. Configure the dictionary entry using the following values:

Field                   Value
Display name pattern    Corporate CEO
Pattern type            Wildcard
Email address           [email protected]

8. Click Create to save the entry.
9. Click Create to save the impersonation profile.


To apply impersonation to the antispam profile

1. Click Profile > Antispam > Antispam.
2. In the Domain drop-down list, select internal.lab.
3. Edit AS_In.
4. Enable and expand the Impersonation analysis feature set.
5. In the drop-down list, select the impersonation profile impersonation.
6. Click OK.

Assuming that you have completed the previous exercises in this lab, the antispam profile AS_In should already be applied to the inbound recipient policy (Policy > Recipient Policy > Inbound).

To test impersonation

1. In Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also just enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. After logging in, you will be at the /home/student directory. To verify, type pwd.


6. Run the following swaks command to impersonate a high-target user. A copy of the command is in a text file named commands.txt, which is located in the Resources folder on the Windows desktop.

swaks -f [email protected] -t [email protected] -s 10.0.1.11 --header-From "Corporate CEO <[email protected]>"

To review the logs

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Monitor > Log > History. The first entry in the History log should correspond to the email that was sent. Notice the values in the Classifier and Disposition columns.

3. Click the Session ID to retrieve the cross search results.
4. Review the antispam log related to the session.
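The check an impersonation entry performs, as an added example that is not part of the lab guide and not FortiMail code: the test message above is sent with one envelope sender and a header From: whose display name reads “Corporate CEO”, and the analysis compares that display name, not the envelope sender, against the protected pattern. A display name that matches the pattern is only accepted when paired with the protected address. The entry mirrors the lab’s profile; the protected address (ceo@internal.lab) and the test headers are constructed, and the verdict strings are this example’s own, not FortiMail’s classifier names.

```python
"""Added example (not FortiMail code) of the check an impersonation analysis entry
performs on the header From: of a message. The protected address and the test
headers are constructed; the verdict strings are this example's own."""
import fnmatch
import re
from email.utils import parseaddr

IMPERSONATION_ENTRIES = [
    # Display name pattern -> the only address allowed to use it (constructed address).
    {"display_name_pattern": "Corporate CEO", "pattern_type": "wildcard",
     "email_address": "ceo@internal.lab"},
]


def name_matches(pattern, pattern_type, display_name):
    """Wildcard (fnmatch-style * and ?) or regex match, case-insensitive."""
    if pattern_type == "wildcard":
        return fnmatch.fnmatchcase(display_name.lower(), pattern.lower())
    if pattern_type == "regex":
        return re.search(pattern, display_name, re.IGNORECASE) is not None
    raise ValueError(f"unknown pattern type {pattern_type!r}")


def classify_from_header(from_header, entries=IMPERSONATION_ENTRIES):
    """Classify the header From: (not the envelope MAIL FROM) of a message.
    Returns 'legitimate', 'impersonation' or 'no-match'."""
    display_name, address = parseaddr(from_header)
    display_name = display_name.strip()
    if not display_name:
        return "no-match"          # bare address: no display name to impersonate with
    for entry in entries:
        if name_matches(entry["display_name_pattern"], entry["pattern_type"], display_name):
            if address.lower() == entry["email_address"].lower():
                return "legitimate"
            return "impersonation"   # protected name, unexpected address
    return "no-match"


def decide(from_header, default_action="Personal quarantine"):
    """Apply the antispam profile's default action to an impersonation verdict."""
    verdict = classify_from_header(from_header)
    return default_action if verdict == "impersonation" else "Accept"


if __name__ == "__main__":
    for header in ('Corporate CEO <attacker@external.lab>',
                   'Corporate CEO <ceo@internal.lab>',
                   'Jane Doe <jane@external.lab>'):
        print(f"{header!r}: {classify_from_header(header)} -> {decide(header)}")
```

A regex entry (pattern_type "regex") would let you protect name variants such as optional middle initials; a wildcard pattern such as "Corporate *" would cover every display name beginning with that word, so both are worth testing against legitimate senders before applying the profile.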


Exercise 5: Bounce Verification (Backscatter)

In this exercise, you will configure backscatter to detect spam contents in delivery status notifications (DSN).

Disable Recipient Address Verification

You will need to disable recipient address verification on the FortiMail IntGW so that you can test backscatter.

To disable recipient address verification

1. Visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Domain & User > Domain > Domain.
4. Edit the domain internal.lab.
5. Expand Recipient Address Verification.
6. Select Disable.
7. Click OK.

To send an email to an invalid user

1. In Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also just enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. After logging in, you will be at the /home/student directory. To verify, type pwd.
6. Run the following swaks command to send an email to an invalid, nonexistent user. A copy of the command is in a text file named commands.txt, which is located in the Resources folder on the Windows desktop.

swaks -f [email protected] -t [email protected] -s 10.0.1.11 --ehlo 10.0.1.254 --body 'buy while supplies last'

7. Close the PuTTY session.

To verify the DSN email on Thunderbird

1. In Windows, open Thunderbird.
2. Open the DSN email with the subject Returned mail: see transcript for details.
3. The spam is attached to the DSN email.


To configure bounce verification

1. Go to the IntSRV FortiMail’s management GUI: https://intsrv.internal.lab/admin

2. Log in as admin with password password.
3. Click Security > Bounce Verification > Settings.
4. Click New and, in the Key name field, type internal.
5. Set the Status to Active.


6. Click Create.
7. Enable Enable bounce verification.
8. Set Bounce verification action to Discard.
9. Leave the rest of the settings at their defaults.
10. Click Apply.
11. Verify your settings:

To send an email to an invalid user

1. In Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also just enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. After logging in, you will be at the /home/student directory. To verify, type pwd.
6. Run the following swaks command to send an email to an invalid, nonexistent user. A copy of the command is in a text file named commands.txt, which is located in the Resources folder on the Windows desktop.

swaks -f [email protected] -t [email protected] -s 10.0.1.11 --ehlo 10.0.1.254 --body 'buy while supplies last'

7. Close the PuTTY session.

To verify the Bounce Verification log

1. Go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin


2. Log in as admin with password password.
3. Click Monitor > Log > History.
4. The first log should correspond to the email you just sent.
5. Verify the Classifier and Disposition.
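The mechanism behind the bounce verification key and its Discard action, as an added example that is not part of the lab guide and not FortiMail code. Outgoing envelope senders are rewritten to carry a keyed, time-limited tag; an inbound bounce (empty MAIL FROM) is accepted only if its RCPT TO carries a tag that verifies under the key and has not expired, so backscatter like the DSN produced in the first half of this exercise, whose recipient was never tagged, is discarded. The tag layout follows the BATV “prvs” draft format; the secret key value, addresses and timestamps are constructed (the lab’s key named internal is created in the GUI and its value is not on the page).

```python
"""Added example (not FortiMail code) of bounce verification: tag outgoing
envelope senders with a keyed signature, and accept an inbound bounce only if
its recipient carries a valid, unexpired tag. BATV 'prvs' layout; key, addresses
and timestamps are constructed."""
import hashlib
import hmac

KEY_NUMBER = "1"                                       # single digit, rotates with the key
SECRET = b"CONSTRUCTED-bounce-verification-key"        # the lab's key value is not on the page
DAY = 86400


def _signature(secret, expiry_day, address):
    mac = hmac.new(secret, f"{expiry_day:03d}{address.lower()}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]                          # BATV uses a 6-hex-digit signature


def tag_sender(address, now, secret=SECRET, lifetime_days=7):
    """Rewrite local@domain as prvs=KDDDSSSSSS=local@domain (DDD = expiry day mod 1000)."""
    expiry_day = (int(now // DAY) + lifetime_days) % 1000
    return f"prvs={KEY_NUMBER}{expiry_day:03d}{_signature(secret, expiry_day, address)}={address}"


def verify_recipient(rcpt_to, now, secret=SECRET):
    """Return (valid, original_address) for the recipient of an inbound bounce."""
    if not rcpt_to.lower().startswith("prvs="):
        return False, rcpt_to                           # never tagged: we did not send it
    _, tag, original = rcpt_to.split("=", 2)
    if len(tag) != 10 or not tag[1:4].isdigit():
        return False, original                          # malformed tag
    expiry_day, sig = int(tag[1:4]), tag[4:]
    today = int(now // DAY) % 1000
    if (expiry_day - today) % 1000 > 365:               # expiry already passed (mod-1000 arithmetic)
        return False, original
    expected = _signature(secret, expiry_day, original)
    return hmac.compare_digest(sig, expected), original


def classify_inbound(mail_from, rcpt_to, now, action="discard"):
    """Apply the lab's setting: Bounce verification action = Discard."""
    if mail_from not in ("", "<>"):
        return "accept"                                 # not a bounce; other scanners decide
    valid, _ = verify_recipient(rcpt_to, now)
    return "accept" if valid else action


if __name__ == "__main__":
    now = 1_700_000_000
    tagged = tag_sender("user1@internal.lab", now)
    print("outgoing MAIL FROM:", tagged)
    print("genuine bounce:", classify_inbound("", tagged, now + DAY))
    print("backscatter:   ", classify_inbound("", "user1@internal.lab", now))
```

The signing key is what makes the tag unforgeable: anyone can see the tagged address in outgoing mail, but without the key they cannot produce a valid tag for a different recipient or a later expiry day, and compare_digest keeps the check constant-time.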

Disable Bounce Verification

You will need to disable bounce verification because it could interfere with the next lab exercise.

To disable bounce verification

1. Click Security > Bounce Verification > Settings.
2. Disable Enable bounce verification.


Lab 7: Content Inspection

In this lab, you will configure a content filter to monitor email based on dictionary word scores. You will also configure the data loss prevention (DLP) feature to detect and block any outbound email containing credit card numbers. Finally, you will configure and verify the content disarm and reconstruction (CDR) feature on FortiMail. CDR neutralizes suspicious content in an email and delivers a clean copy of the email to the end user.

Objectives

- Configure a dictionary profile to monitor words using scores
- Configure a content profile to monitor and filter the dictionary profile
- Apply content filtering on all inbound email
- Configure DLP to detect credit card numbers in an email body and attachments
- Apply DLP on all outbound email
- Configure CDR to detect HTML tags and URIs in an email body and attachments
- Apply CDR to all inbound email

Time to Complete

Estimated: 60 minutes

Prerequisites

Before beginning this lab, you must restore a configuration file.

To restore the initial configuration file

1. On Windows, open a web browser, and go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

2. Click System > Maintenance > Configuration, and upload the following configuration file: Desktop\Resources\Starting Configs\Lab 7\07_Initial_IntSRV.tgz

3. Click Restore.
4. Open a new web browser tab, and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

5. Click System > Maintenance > Configuration, and upload the following configuration file: Desktop\Resources\Starting Configs\Lab 7\07_Initial_IntGW.tgz

6. Wait for the VMs to finish restarting before proceeding with the exercise.

The configuration files disable bounce verification on IntSRV and the antispam profile on IntGW, both of which can potentially interfere with the content inspection testing you will do in this lab.


Exercise 1: Configuring Content Inspection

In this exercise, you will configure the content monitoring and filtering options of a content profile to scan for specific pattern occurrences in inbound email. Then, you will configure the action to be applied after the same word occurs three times in an email message.

To configure a dictionary profile

1. On Windows, open a web browser, and visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Profile > Dictionary > Dictionary.
4. Click New.
5. Name the profile WordScores.
6. In the Dictionary Entries section, click New.
7. Configure the dictionary entry using the following values:

Field           Value
Pattern         fortimail
Pattern type    Wildcard

8. Click Create to save the entry.
9. Click Create to save the dictionary profile.

If Enable pattern maximum weight limit is disabled, the pattern can increase an email’s dictionary match score by more than the amount entered in the Pattern max weight field.

To configure a content profile

1. Click Profile > Content > Content.
2. Click New.
3. Configure a new content profile using the following values:

Field           Value
Domain          System
Profile name    CF_Dictionary
Action          SysQuarantine_Inbound


4. Expand the Content Monitor and Filtering section.
5. Click New.
6. Configure the content monitor profile using the following values:

Field                 Value
Dictionary profile    WordScores
Minimum score         3

7. Click Create to save the content monitor profile.
8. Click Create to save the content profile.

Setting the Minimum score to 3 ensures that the action profile is applied only after FortiMail has found three occurrences of the pattern in a single email message.
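How the dictionary score and the Minimum score threshold interact, including the pattern maximum weight limit mentioned under the dictionary profile, as an added example that is not part of the lab guide and not FortiMail code. The dictionary mirrors the lab’s WordScores profile (one wildcard pattern, fortimail); the per-pattern weight of 1 and the cap used in the test are constructed, and the message body is the text of the lab’s messagebody.txt, in which the pattern occurs three times.

```python
"""Added example (not FortiMail code) of dictionary scoring: each match adds the
pattern's weight, a per-pattern cap can limit that contribution, and the content
profile's action fires only when the total reaches the minimum score."""
import fnmatch
import re

WORD_SCORES = [
    {"pattern": "fortimail", "pattern_type": "wildcard", "weight": 1,   # weight: constructed
     "max_weight": None},      # None: 'Enable pattern maximum weight limit' is off
]

# The lab's messagebody.txt text: the word FortiMail occurs three times.
LAB_BODY = ("FortiMail appliances provide high-performance email routing and security by "
            "utilizing multiple high-accuracy antispam filters. As part of the Fortinet Security "
            "Fabric, FortiMail prevents your email systems from becoming threat delivery systems. "
            "FortiMail can be deployed in the cloud or on premises and gateway, inline and server "
            "modes in a range of appliance or virtual machine form factors.")


def pattern_hits(text, pattern, pattern_type="wildcard"):
    """Case-insensitive count of tokens matching a wildcard pattern, or regex matches."""
    if pattern_type == "wildcard":
        tokens = re.findall(r"[A-Za-z0-9]+", text)
        return sum(1 for t in tokens if fnmatch.fnmatchcase(t.lower(), pattern.lower()))
    if pattern_type == "regex":
        return len(re.findall(pattern, text, re.IGNORECASE))
    raise ValueError(f"unknown pattern type {pattern_type!r}")


def dictionary_score(text, dictionary=WORD_SCORES):
    """Sum of weighted hits over all dictionary entries, honouring per-pattern caps."""
    score = 0
    for entry in dictionary:
        contribution = pattern_hits(text, entry["pattern"], entry["pattern_type"]) * entry["weight"]
        if entry["max_weight"] is not None:
            contribution = min(contribution, entry["max_weight"])   # pattern maximum weight limit
        score += contribution
    return score


def content_filter(text, minimum_score=3, dictionary=WORD_SCORES,
                   action="SysQuarantine_Inbound"):
    """The content monitor decision: apply the action once the score reaches the minimum."""
    return action if dictionary_score(text, dictionary) >= minimum_score else "deliver"


if __name__ == "__main__":
    print(dictionary_score(LAB_BODY), content_filter(LAB_BODY))
    capped = [dict(WORD_SCORES[0], max_weight=2)]
    print(dictionary_score(LAB_BODY, capped), content_filter(LAB_BODY, dictionary=capped))
```

The capped run shows why the note about Enable pattern maximum weight limit matters: with the cap at 2, the same three occurrences can never reach a minimum score of 3, and the message is delivered. The sanity check at the end of the exercise (removing two occurrences of the word) is the uncapped case with a score of 1.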

To apply content inspection to inbound email

1. Click Policy > Recipient Policy > Inbound.
2. In Recipient Policies, select the incoming policy for internal.lab (that is, policy ID 1).
3. Click Edit.
4. In the Profiles section, change the Content profile to CF_Dictionary.
5. Click OK.

To test the content profile

1. Open a new web browser tab, and go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Compose a new email message to [email protected].
4. Copy the contents of the following file, and paste it into the body of the email message:

Desktop\Resources\Files\messagebody.txt

FortiMail appliances provide high-performance email routing and security by utilizing multiple high-accuracy antispam filters. As part of the Fortinet Security Fabric, FortiMail prevents your email systems from becoming threat delivery systems. FortiMail can be deployed in the cloud or on premises and gateway, inline and server modes in a range of appliance or virtual machine form factors.

5. ClickSend.

To review the logs

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Monitor > Log > History.


The first entry in the History log should correspond to the email that was sent. Notice the values in the Classifier and Disposition columns.

3. In the Session ID column, click the link to retrieve the cross-search results.
4. Review the antispam log related to the session.

To access the system quarantine

1. Click Monitor > Quarantine > System Quarantine.
2. Double-click the Content/current mailbox.

The quarantined email will appear here.

To perform a sanity check (optional)

1. Go to the ExtSRV webmail GUI: https://extsrv.external.lab/


2. Compose a new email to [email protected].
3. Copy and paste the same message body, but remove two occurrences of the word FortiMail, and then send the email message.
4. Open Thunderbird, and verify that the email message was delivered to the [email protected] inbox.


Exercise 2: Configuring DLP

In this exercise, you will configure a DLP profile and DLP action profile on the IntGW FortiMail. Then, you will apply the DLP profile to a recipient-based policy, to scan all outbound email sent from the internal.lab domain.

To configure a DLP rule to scan for credit card numbers

1. In Windows, open a web browser, and visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Data Loss Prevention > Rule and Profile > Rule.
4. Click New to create a new message scan rule.
5. In the Name field, type ScanCreditCards.
6. In the Conditions section, click New.

7. In the first Condition drop-down list, select Body and Attachment.


8. In the second Condition drop-down list, select contains sensitive data.
9. Click Edit.
10. Select the Credit_Card_Number data template, and then click OK.

11. Click Create to save the scan condition.

12. Verify that your Message Scan Rule matches the following example, and then click Create to save the rule.


To configure a DLP profile to apply the DLP rule and action profile

1. Click Data Loss Prevention > Rule & Profile > Profile.
2. Click New to create a new DLP profile.
3. In the Name field, enter DLP_Out.
4. Beside the Action drop-down list, click New.

5. Create a new action profile using the following values:


Field | Value
Profile name | DLP_Out_Sys_Quar
Final action | Enable, System quarantine
Folder name | Dlp

6. Click Create to save the action profile.

7. In the Content Scan Settings section, click New.

8. In the Scan rule drop-down list, select ScanCreditCards.
9. Click Create to save the DLP content scan settings.


10. Verify that your DLP profile matches the following screenshot, and then click Create to save the profile.

To apply DLP scanning for outbound email

1. Click Policy > Recipient Policy > Outbound.
2. Edit the outbound recipient policy.


3. In the Profiles section, in the DLP drop-down list, select DLP_Out.
4. Click OK to save the changes.

Test DLP Functionality

1. On Windows, open Thunderbird.
2. Click Write to compose a new email message using the following values:

Field | Value
To | [email protected]
Subject | DLP Credit Card Test
Message Body | DLP test email

3. Click Attach to select a file as an attachment.
4. Browse to and select:

Desktop\Resources\Files\sample.pdf

5. Click Send.

The email message won’t be delivered to [email protected] because the IntGW FortiMail should detect the credit card numbers in the PDF file, and apply the system quarantine action.
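As an added illustration (not FortiMail's own matcher; the logic behind the Credit_Card_Number data template is not shown in this guide), the following Python shows what a "contains sensitive data" check for card numbers has to do: find digit runs of card length, normalize separators, and apply the Luhn check so that order numbers and phone numbers do not trigger the quarantine action. The sample text is constructed and stands in for the text already extracted from a PDF attachment.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812-1) on a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return card-like numbers (digits only) that pass Luhn, in order of appearance."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(number: str) -> str:
    """Keep only the last four digits; a quarantine log should never store the full PAN."""
    return "*" * (len(number) - 4) + number[-4:]


def dlp_verdict(text: str, min_hits: int = 1) -> dict:
    """Mimic a rule whose condition is 'Body and Attachment contains sensitive data'
    with the credit card template, and the action 'system quarantine'."""
    hits = find_card_numbers(text)
    action = "system_quarantine" if len(hits) >= min_hits else "deliver"
    return {"action": action, "matches": len(hits), "masked": [mask(h) for h in hits]}


# Constructed sample, standing in for text extracted from an attachment (not the lab's sample.pdf).
SAMPLE_TEXT = (
    "Order 1234 5678 9012 3456 shipped.\n"             # 16 digits but fails Luhn: not a card
    "Call +1 555 0100 for support.\n"                  # too short to be a card
    "Card on file: 4111 1111 1111 1111 (exp 12/29)\n"  # well-known Visa test number
    "Backup card 5500-0000-0000-0004.\n"               # well-known Mastercard test number
)

if __name__ == "__main__":
    print(dlp_verdict(SAMPLE_TEXT))
```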

To review the logs

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin


2. Click Monitor > Log > History.
3. Double-click the active log file.

The first entry in the history log should correspond to the email message you just sent.

4. In the Session ID column, click the link to retrieve the cross-search results.
5. Review the antispam log related to the session.

You can also view the logs in Monitor > Quarantine > System Quarantine.

6. Double-click Dlp/current.


Exercise 3: Configuring CDR

In this exercise, you will configure CDR options in a content profile to scan the HTML content within email bodies and attachments that may contain potentially hazardous tags and attributes, such as hyperlinks and scripts.

FortiMail provides the capability to remove or neutralize potentially hazardous contents and reconstruct the email messages and attachment files.

To configure an action profile for sanitized email

1. On Windows, open a web browser, and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Profile > Content > Action.
4. Click New.
5. Configure a new content action profile using the following values:

Field | Value
Domain | internal.lab
Profile name | CDR_User_Quar
Tag Subject | Enable, [Sanitized Content]
Deliver to original host | Enable
Final action | Enable, Personal quarantine

6. Click Create.

To configure CDR in a content profile

1. Click Profile > Content > Content.
2. Click New.
3. Configure a new content profile using the following values:

Field | Value
Domain | internal.lab
Profile name | CDR
Action | CDR_User_Quar


4. Expand the Content Disarm and Reconstruction section.
5. Configure the following values:

Field | Value
Action | Default
HTML content | Enable, Sanitize HTML content
Text content | Enable, Remove URIs
PDF | Enable

6. Click Create to save the profile.

To apply content inspection to inbound email

1. Click Policy > Recipient Policy > Inbound.
2. Edit policy ID 1.
3. In the Profiles section, in the Content drop-down list, select CDR.
4. Click OK.

Quarantine an Unmodified Copy

When CDR is configured, the user receives a reconstructed email and attachment. If the user wants to view the original email, then they can quarantine an unmodified copy of the email for review.

To quarantine an unmodified copy

1. Click Security > Other > Preference.
2. Beside Personal quarantine, select Unmodified copy.
3. Click Apply.


Exercise 4: Verifying CDR

In this exercise, you will test and verify CDR features that you configured in the previous exercise.

You will test sanitizing a PDF file containing HTML links, URL removal, and HTML email sanitization.

To test CDR on a PDF file

1. Open a new web browser tab, and go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Compose a new message to [email protected].
4. Click Attach.
5. On the Windows desktop, browse to Resources > Files.
6. Select the file labdoc.
7. Wait for the file to upload.
8. Click Send.

To review the logs

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Monitor > Log > History.
The first entry in the History log should correspond to the email that was sent.

3. Review the values for Classifier and Disposition.

4. In the Session ID column, click the link to retrieve the cross-search results.
5. Review the log message.


The recipient will receive the disarmed email.

6. Open the Thunderbird client and verify that user1 received the sanitized email with the attachment.

To access the personal quarantine

1. Go to the IntGW webmail GUI: https://intgw.internal.lab/

2. Log in as user1 with the password fortinet.
An unmodified copy of the email is available in the Bulk folder.

3. Open the email to view the attached unmodified PDF file.


Stop and think!

Compare the two PDF files: the one that was quarantined and the one that the user received in the email client.

Case 1: Open the labdoc PDF file that was attached to the email in Thunderbird and click the URL links. Do the links redirect you to the websites?

Case 2: Open the labdoc PDF file that was attached to the email in the personal quarantine folder and click the URL links. Do the links redirect you to the websites?

In case 1, the links have been neutralized by CDR; therefore, you are unable to visit the websites corresponding to those links.

In case 2, the links are active, because it is the original file.

Verify URI Removal

You will test the URI removal feature, which detects URIs in email messages. If the feature finds URIs, FortiMail removes them from the text portion of the email message.

To verify URI removal

1. On Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. Type pwd to verify that you are in the /home/student directory after successfully logging in.
6. Run the following swaks command to send URL links, one of which is malicious.

A copy of the command is available in a text file named commands.txt, which is located in the Resources folder on the Windows desktop.

swaks -f [email protected] -t [email protected] -s 10.0.1.11 --ehlo 10.0.1.254 --body 'please visit http://www.fortinet.com and http://www.wicar.org and http://www.cnn.com'

7. On Thunderbird, open the email and verify that the malicious URL has been removed.


8. Go to the IntGW webmail GUI: https://intgw.internal.lab/

9. Log in as user1 using the password fortinet.
An unmodified copy of the email is available in the Bulk folder.

10. Go to the IntGW management GUI: https://intgw.internal.lab/admin

11. Log in as admin and leave the password field empty.
12. Click Monitor > Log > History.

The first log corresponds to the email that was just sent.

13. Review the values in the Classifier and Disposition columns.

Verify HTML Sanitization

You will send an email with HTML body content and verify that the user receives a clean email from which all potentially hazardous tags and attributes (such as hyperlinks and scripts) are removed.
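To make concrete what the Remove URIs option for text content and the Sanitize HTML content option do in effect, here is an added Python sanitizer serving both the URI removal and the HTML sanitization tests; it is not FortiMail's CDR engine, whose element and attribute lists this guide does not publish. It strips URIs from the text part, drops script-like elements together with their contents, removes hyperlink and event-handler attributes from the HTML part, and tags the subject the way the CDR_User_Quar action profile does. The HTML sample is constructed and stands in for tosanitize.dat.

```python
import html
import re
from html.parser import HTMLParser

URI_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet", "form"}
# Attributes that carry links or code; event handlers (on*) are matched by prefix.
HAZARDOUS_ATTRS = {"href", "src", "action", "formaction", "srcdoc", "xlink:href", "data"}
VOID_ELEMENTS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "source", "wbr"}
SUBJECT_TAG = "[Sanitized Content]"


def remove_uris(text: str) -> tuple[str, int]:
    """Strip URIs from the text part; return the cleaned text and how many were removed."""
    return URI_RE.subn("[URI removed]", text)


class HTMLSanitizer(HTMLParser):
    """Rebuild the HTML without hazardous elements and attributes, keeping the visible text."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: handle_data receives decoded text
        self.out = []
        self.removed = []           # audit trail for the log, e.g. ["a@href", "script"]
        self._skip_depth = 0        # > 0 while inside an element that is dropped whole

    def _emit_tag(self, tag, attrs, self_closing):
        if tag in DROP_WITH_CONTENT:
            self.removed.append(tag)
            if not self_closing:
                self._skip_depth += 1
            return
        if self._skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on") or lname in HAZARDOUS_ATTRS:
                self.removed.append(f"{tag}@{lname}")
                continue
            parts.append(lname if value is None else f'{lname}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=tag in VOID_ELEMENTS)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(markup: str) -> tuple[str, list[str]]:
    parser = HTMLSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


def sanitize_message(subject: str, text_part: str, html_part: str) -> dict:
    """Apply CDR-style disarming to both parts and tag the subject if anything changed."""
    text, uri_count = remove_uris(text_part)
    markup, removed = sanitize_html(html_part)
    changed = uri_count > 0 or bool(removed)
    return {
        "subject": f"{SUBJECT_TAG} {subject}" if changed else subject,
        "text": text,
        "html": markup,
        "uris_removed": uri_count,
        "html_removed": removed,
    }


# Constructed samples: the text body from the swaks command in this exercise, and an
# HTML fragment with a link, an event handler, a script and a remote image (not the lab's file).
SAMPLE_TEXT = "please visit http://www.fortinet.com and http://www.wicar.org and http://www.cnn.com"
SAMPLE_HTML = ('<p>Hi <a href="http://www.example.com/x" onclick="run()">click</a>'
               '<script>alert(1)</script><img src="http://www.example.com/p.gif"></p>')

if __name__ == "__main__":
    print(sanitize_message("Quarterly report", SAMPLE_TEXT, SAMPLE_HTML))
```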

To verify HTML sanitization

1. On the Windows taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also just enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. Verify that, after successfully logging in, you are in the /home/student directory.
6. Run the following swaks command to send an email with HTML content. A copy of the command is available in a text file named commands.txt, which is located in the Resources folder on the Windows desktop.

cat Resources/tosanitize.dat | swaks -f [email protected] -t [email protected] -s 10.0.1.11 --ehlo 10.0.1.254 --data -

swaks takes the contents of the file tosanitize.dat, which contains HTML links and attributes, and sends it to the user named in the body of the email.


7. Open Thunderbird and review the email.
8. Click in the body of the email.

All links in the body of the email have been neutralized by CDR.

9. Go to the IntGW webmail GUI:https://intgw.internal.lab/

10. Log in as user1 with the password fortinet.
An unmodified copy of the email is available in the Bulk folder.

11. Select the email and release it to user1's inbox.

12. Open Thunderbird and open the original email that was just released.
13. Click on the body of the email.

HTML links within the body of the email will redirect the user to various websites.

14. Go to the IntGW management GUI: https://intgw.internal.lab/admin

15. Log in as admin and leave the password field empty.
16. Click Monitor > Log > History.

The first log corresponds to the email that was just sent.

17. Review the values in the Classifier and Disposition columns.


Lab 8: Securing Communications

In this lab, you will implement SMTPS between the IntGW and IntSRV FortiMail VMs. You will also configure content inspection-based identity-based encryption (IBE) and verify your configuration by sending a secure email.

Objectives
- Implement SMTPS between the IntGW and IntSRV FortiMail devices
- Implement content inspection-based IBE
- Configure the dictionary profile with the trigger word
- Configure an encryption profile
- Configure a content action profile to apply the encryption profile
- Apply the dictionary profile and content action profile to a content profile
- Apply the content profile to an outbound recipient-based policy
- Register an IBE user, and access the IBE email

Time to Complete
Estimated: 40 minutes


Exercise 1: Implementing SMTPS

In this section, you will configure SMTPS between the IntGW and IntSRV FortiMail devices. You will also compare logged details before and after implementing SMTPS.

To review logs

1. On Windows, open a web browser, and go to the ExtSRV FortiMail’s webmail GUI: https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Send an email message to [email protected].
4. Open a new web browser tab, and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

5. Log in as admin and leave the password field empty.
6. Click Monitor > Log > History.
7. The first entry in the history log should correspond to the email you just sent.

8. Click the Session ID to retrieve the cross-search result, and then review the last two entries, which contain details about the session between the IntGW and IntSRV FortiMail devices.


By default, FortiMail uses SMTP over TLS if the recipient MTA supports it. In this session, IntSRV is the recipient MTA.

By default, SMTP over TLS is enabled on FortiMail.

To configure SMTPS

1. Go to the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin

2. Click Domain & User > Domain > Domain.
3. Select internal.lab and click Edit.
4. Enable Use SMTPS.

5. Click OK to save the change.

To verify SMTPS

1. Go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Send another email to [email protected].
3. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

4. Click Monitor > Log > History.
The first entry in the history log should correspond to the email message you just sent.


5. Click the session ID to retrieve the cross-search result, and then review the last two entries, which should indicate the switchover to SMTPS from STARTTLS.


The underlying encryption mechanism for SMTPS and SMTP over TLS is the same. Both protocols use SSL or TLS. In this case, the FortiMail devices negotiated TLSv1.2. The difference exists in how and when that TLS encryption is applied.

When SMTP over TLS is used, the connection is made on the standard SMTP port, TCP port 25. If the recipient MTA supports the STARTTLS extension, the sender chooses whether SMTP over TLS is used by transmitting the STARTTLS message. This STARTTLS request happens after the envelope exchange, and so, in SMTP over TLS only a portion of the session is encrypted.

When SMTPS is used, the client initiates the SMTP session with the server over a fully-encrypted tunnel using a separate TCP port: port 465. SMTPS encrypts the full session.
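The two modes compared above, as an added Python example (not FortiMail code): parse_ehlo reads the capability list a receiving MTA returns on port 25, session_plan reports which phases of the dialogue an observer on the wire still sees in the clear in each mode, following the phase order of RFC 3207 (greeting, EHLO and the STARTTLS command itself precede the handshake), and open_session shows the two connection patterns with Python's smtplib. The EHLO reply is constructed, not captured from the lab, and the host names are the lab's.

```python
from __future__ import annotations

import smtplib
import ssl

SMTP_PORT = 25     # SMTP over TLS: cleartext connection upgraded with STARTTLS (RFC 3207)
SMTPS_PORT = 465   # SMTPS: TLS handshake first, the SMTP dialogue only inside the tunnel


def parse_ehlo(reply: bytes) -> set[str]:
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    lines = reply.decode("ascii", "replace").splitlines()
    extensions = set()
    for line in lines[1:]:                 # line 0 is "250-<host> Hello ...", not an extension
        if line[:3] == "250" and len(line) > 4:
            extensions.add(line[4:].split()[0].upper())
    return extensions


def session_plan(use_smtps: bool, peer_extensions: set[str] | None = None) -> dict:
    """Describe how a delivery is protected, given the domain's Use SMTPS setting and,
    for port 25, what the receiving MTA advertised in its EHLO reply."""
    if use_smtps:
        return {"port": SMTPS_PORT, "mode": "SMTPS", "cleartext_phases": [], "tls": True}
    if peer_extensions and "STARTTLS" in peer_extensions:
        return {"port": SMTP_PORT, "mode": "SMTP over TLS",
                # Still visible on the wire before the handshake completes:
                "cleartext_phases": ["220 banner", "EHLO", "250 capability list", "STARTTLS"],
                "tls": True}
    return {"port": SMTP_PORT, "mode": "plain SMTP",
            "cleartext_phases": ["entire session"], "tls": False}


def open_session(host: str, use_smtps: bool, context: ssl.SSLContext | None = None) -> smtplib.SMTP:
    """Connect to an MTA the way the two modes on this page do (needs a live MTA, so it is
    not exercised offline). The context verifies the server certificate; for the lab's
    self-signed FortiMail certificates, load the appliance certificate with
    context.load_verify_locations() rather than disabling verification."""
    context = context or ssl.create_default_context()
    if use_smtps:
        return smtplib.SMTP_SSL(host, SMTPS_PORT, context=context)   # TLS from the first byte
    client = smtplib.SMTP(host, SMTP_PORT)                          # banner and EHLO in clear
    client.ehlo()
    if not client.has_extn("starttls"):
        client.quit()
        raise RuntimeError(f"{host} does not advertise STARTTLS; refusing cleartext delivery")
    client.starttls(context=context)
    client.ehlo()                                                   # EHLO again inside the tunnel
    return client


# Constructed EHLO reply shaped like an MTA's answer on port 25 (assumed values, not a lab capture).
SAMPLE_EHLO = (b"250-intsrv.internal.lab Hello intgw.internal.lab [10.0.1.11]\r\n"
               b"250-SIZE 10240000\r\n"
               b"250-STARTTLS\r\n"
               b"250 8BITMIME\r\n")

if __name__ == "__main__":
    advertised = parse_ehlo(SAMPLE_EHLO)
    print("before enabling Use SMTPS:", session_plan(False, advertised))
    print("after enabling Use SMTPS: ", session_plan(True))
```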


Exercise 2: Implementing Content Inspection-Based IBE

In this exercise, you will configure content inspection-based IBE. You will also verify your configuration by sending an IBE email message and reviewing the logs.

To configure the IBE service

1. On Windows, open a web browser, and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Encryption > IBE > IBE Encryption.
4. Configure the IBE Service settings using the following values:

Field | Value
Enable IBE service | Enabled
IBE service name | Internal Lab Secure Portal
Allow secure replying | Enabled
Allow secure forwarding | Enabled
Allow secure composing | Enabled
IBE base URL | intgw.internal.lab
Send notification to sender when message is read | Enabled

5. Click Apply to save the changes.

To configure a dictionary profile with the trigger word

1. Click Profile > Dictionary > Dictionary.
2. Click New.
3. Name the profile IBEDictionary.
4. In the Dictionary Entries section, click New.
5. Configure the dictionary entry using the following values:

Field | Value
Pattern | \[CONFIDENTIAL]
Pattern type | Wildcard
Search header | Enabled
Search body | Disabled

6. Click Create to save the dictionary entry.
7. Click Create to save the dictionary profile.

To configure an encryption profile for pull method delivery

1. Click Profile > Security > Encryption.
2. Select the IBE_Pull profile, and then click Edit.
3. In the Encryption algorithm drop-down list, select AES 256.
4. Click OK to save the changes.

To configure a content action profile to apply IBE encryption

1. Click Profile > Content > Action.
2. Click New.
3. Configure a new content action profile using the following values:

Field | Value
Domain | System
Profile name | CF_IBE_Pull
Final action | Enabled, Encrypt with profile IBE_Pull

4. Click Create to save the profile.

To configure a content profile to apply IBE encryption based on dictionary match

1. Click Profile > Content > Content.
2. Click New.
3. Configure a new content profile using the following values:

Field | Value
Domain | System
Profile name | CF_Out
Action | CF_IBE_Pull

4. Expand the Content Monitor and Filtering section.
5. Click New.
6. In the Dictionary drop-down list, select Profile, and then select the IBEDictionary profile.


7. Click Create to save the Content Monitor profile.
8. Click Create to save the Content profile.

To configure an outbound recipient policy to apply the content profile

1. Click Policy > Recipient Policy > Outbound.
2. Double-click outgoing recipient policy ID 2.
3. In the Content drop-down list, select CF_Out.
4. Click OK to save the changes.

To send an IBE email

1. On Windows, open Thunderbird.
2. Click Write.
3. Compose a new email message using the following values:

Field | Value
To | [email protected]
Subject | [CONFIDENTIAL] Requires immediate attention
Message body | Did you leave the stove on?

4. Click Send.

To verify IBE operations using logs

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Monitor > Log > History.
The first entry in the history log should correspond to the email you just sent.

3. Click the Session ID link to retrieve the cross-search results, and review the antispam and encryption logs related to the session.


Exercise 3: Accessing IBE Emails

In this exercise, you will register a new IBE user. Then, you will log in to the secure portal to retrieve the IBE email. You will also see the message read notification email messages that the sender receives after the IBE user has read the IBE email.

To register an IBE user

1. On Windows, open a new web browser and go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Open the IBE notification email.

4. Click the link in the notification email to access the encrypted email.

5. Click Register.


6. Complete the registration form, and then click Register.
When the registration is complete, webmail should display a notification that the registration was successful.

During registration, if you get an invalid user error, you can ignore it; the user has been created even though you get the error.

7. Click Continue.

After registration, you will be returned to a login page.

To access the IBE email

1. Type the password that you entered during the registration process, and then click Open.

The secure portal displays the contents of the IBE email.


In the IBE Service configuration, you enabled secure replying.

2. Reply to the IBE email message to observe the behavior.

To access the message read notification

1. On Windows, open Thunderbird.
The following notification is generated when [email protected] reads the IBE email.


Lab 9: High Availability

In this lab, you will build an active-passive FortiMail HA cluster that has two FortiMail VMs. The cluster will operate in server mode.

You will configure the IntSRV FortiMail (10.0.1.99) as the primary and the IntGW FortiMail (10.0.1.11) as the secondary. You will verify the HA and configuration synchronization status, configure a virtual IP, and use the HA service monitor to detect when the SMTP service connectivity fails on the primary FortiMail.

The lab network DNS server has the following CNAME records to aid in identifying the two clustered devices:

- primary CNAME intsrv.internal.lab
- secondary CNAME intgw.internal.lab

Objectives
- Configure a FortiMail HA group to synchronize their configuration and data
- Verify cluster health
- Configure HA virtual IP
- Configure remote services monitoring

Time to Complete
Estimated: 50 minutes

Prerequisites
Before beginning this lab, you must change the operation mode of the IntGW FortiMail.

To change the operation mode

1. On Windows, open a web browser, and visit the IntGW FortiMail’s management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Dashboard > Status.
4. On the System information widget, in the Operation mode drop-down list, select Server.

The system will prompt you twice about most settings being reset to factory defaults.

5. Click OK in both prompts.


6. Wait for the FortiMail to restart.
The FortiMail will still have an IP address assigned to the port1 interface. So, after it finishes restarting, you should be able to access the management GUI again.

7. Log in to the management GUI, and then verify that the following system settings persisted:
- Interface (System > Network > Interface)
- Route (System > Network > Routing)
- DNS (System > Network > DNS)

9. Verify the status of the following mail settings. The settings should have reset to factory default values.
- Mail server settings (System > Mail Settings > Mail Server Settings)
- Domains (Domain & User > Domain > Domain)

10. The IntGW FortiMail is ready to be configured as a secondary device in the cluster.

Caution: When doing the lab exercises, ensure you are applying the configuration changes to the correct FortiMail VM.

If at any point you wish to reset the configuration state for the FortiMail VMs, you can restore the following configuration files:

IntGW: Desktop\Resources\Starting Configs\Lab 9\09_Reset_IntGW.tgz

IntSRV: Desktop\Resources\Starting Configs\Lab 9\09_Reset_InSRV.tgz

Always restore the secondary unit first, and then the primary. The configuration files will restore the VMs to the standalone states they were in at the end of the Securing Communications on page 112 lab.


Exercise 1: Configuring the Primary FortiMail

In this exercise, you will configure the mail server settings on the primary FortiMail. Then, you will configure the HA settings.

To configure mail server settings on the primary device

1. On Windows, open a web browser, and visit the primary FortiMail's management GUI: https://primary.internal.lab/admin

Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the self-signed FortiMail certificate.

2. Log in as admin and leave the password field empty.
3. Click System > Mail Settings > Mail Server Settings.
4. Change the Host name field to primary, and then click Apply to save the change.

To configure HA on the primary device

1. Click System > High Availability > Configuration, and then configure the following values:

Field | Value
Mode of operation | master
On failure | wait for recovery then restore slave role
Shared password | fortinet

2. Expand the Advanced options section, and then configure the following values:

Field | Value
Backup mail data directories | Enabled
Backup MTA queue directories | Enabled

3. Click Apply.
4. In the Interface section, double-click port1 and configure the following settings:

Field | Value
Enable port monitor | Enabled
Heartbeat status | Primary
Peer IP address | 10.0.1.11

5. Click OK and Apply to save the HA interface configuration.


Exercise 2: Configuring the Secondary FortiMail

In this exercise, you will configure the mail server settings on the secondary FortiMail because they are not synchronized. Then, you will configure the HA settings, and verify that the cluster has formed.

To configure mail server settings on the secondary device

1. Open a new tab in the web browser and go to the secondary FortiMail’s management GUI: https://secondary.internal.lab/admin

Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the self-signed FortiMail certificate.

2. Log in as admin and leave the password field empty.
3. In the admin drop-down, select Advanced mode.

4. Click OK.
5. Click System > Mail Settings > Mail Server Settings.
6. Configure the following values:

Field | Value
Hostname | secondary
Local domain name | internal.lab

7. Click Apply.

To configure HA on the secondary device

1. Click System > High Availability > Configuration.
2. Configure the following values:

Field | Value
Mode of operation | slave
On failure | wait for recovery then restore slave role
Shared password | fortinet


3. Expand the Advanced options section, and then configure the following values:

Field | Value
Backup mail data directories | Enabled
Backup MTA queue directories | Enabled

4. Click Apply.
5. In the Interface section, double-click port1.
6. Configure the following values:

Field | Value
Enable port monitor | Enabled
Heartbeat status | Primary
Peer IP address | 10.0.1.99

7. Click OK and Apply to save the HA interface configuration.
8. Click System > High Availability > Status.
9. Click Refresh to update the daemon status.

As soon as the two devices join in a cluster and complete synchronization, the secondary device’s management GUI session will time out and return you to the login prompt. This process may take a few minutes.


Exercise 3: Verifying Cluster Health

In this exercise, you will verify the HA and configuration synchronization status.

To verify the HA status

1. Go to the primary FortiMail management GUI: https://primary.internal.lab/admin

2. Click Dashboard > Status.
3. On the System Information widget, verify that the HA mode values are Configured: master, Effective: master.

4. You can find the same information by clicking System > High Availability > Status.


5. Go to the secondary FortiMail’s management GUI: https://secondary.internal.lab/admin

6. Verify the HA status of the secondary FortiMail.


To verify configuration synchronization status

1. On the secondary FortiMail, verify domains (Domain & User > Domain > Domain).
2. Verify users (Domain & User > User > User).
3. Verify LDAP (Profile > LDAP > LDAP).

Steps 1 to 3 check configuration elements that should have been synchronized from the primary FortiMail.

4. Go to the primary FortiMail’s management GUI: https://primary.internal.lab/admin

5. Click Policy > Recipient Policy > Inbound.
6. Click New.

Don’t change any values.

7. Click Create.
8. Go to the secondary FortiMail management GUI: https://secondary.internal.lab/admin


9. Click Policy > Recipient Policy > Inbound, and then verify that the new policy has synchronized with the secondary device.

To verify configuration synchronization status (alternate method)

1. Go to the primary FortiMail management GUI: https://primary.internal.lab/admin

2. Click Dashboard > Console.
3. On the Console widget, type the following command:

# diagnose system ha showcsum

The console outputs the HA checksum for the primary device.

4. Open a new web browser tab, and visit the secondary FortiMail’s management GUI: https://secondary.internal.lab/admin

5. Click Dashboard > Console.
6. On the Console widget, type the following command:

# diagnose system ha showcsum

The console outputs the HA checksum for the secondary device.

7. Compare the checksum values of the two devices. If they match, then their configurations are in sync.


Exercise 4: Configuring HA Virtual IP

In this exercise, you will configure a virtual IP for the HA cluster. You will also verify the virtual IP function by forcing a failover.

To configure a virtual IP on the primary device

1. Go to the primary FortiMail management GUI: https://primary.internal.lab/admin

2. Click System > High Availability > Configuration.
3. In the Interface section, double-click port1.
4. Configure the following values:

Field | Value
Virtual IP action | Use
Virtual IP address | 10.0.1.100/24

5. Click OK and Apply to save the HA interface configuration.

To configure a virtual IP on the secondary device

1. Go to the secondary FortiMail management GUI: https://secondary.internal.lab/admin

2. Click System > High Availability > Configuration.
3. In the Interface section, double-click port1.
4. Configure the following values:

Field | Value
Virtual IP action | Use
Virtual IP address | 10.0.1.100/24

5. Click OK and Apply to save the HA interface configuration.

To verify the virtual IP configuration

1. Open a new web browser tab and use the virtual IP to access the management GUI: https://10.0.1.100/admin

Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the self-signed FortiMail certificate.


2. Log in as admin and leave the password field empty.
3. Click System > Mail Settings > Mail Server Settings.
4. Verify the host name of the current cluster device that owns the virtual IP. It should be primary.

5. On Windows, open a command prompt window.
6. Initiate a telnet command to start an SMTP session to the virtual IP:

telnet 10.0.1.100 25

7. You should be presented with the following banner, which belongs to the primary device:

220 primary.internal.lab ESMTP Smtpd;

To failover to the secondary device

1. Go to the cluster management GUI: https://10.0.1.100/admin

2. Click System > High Availability > Status.
3. In the Actions section, click Switch to SLAVE mode.

The system prompts you to verify this action.

4. Click OK. This forces a failover to the secondary device.

5. Wait a few seconds, and then reload the management GUI. You should be returned to the login prompt.

6. Log in as admin and leave the password field empty.

To verify the virtual IP after failover

1. Click System > Mail Settings > Mail Server Settings.
2. Verify the hostname of the current cluster device that owns the virtual IP.

It should be secondary.


3. On Windows, open a command prompt window.
4. Initiate a telnet command to start an SMTP session to the virtual IP:

telnet 10.0.1.100 25

5. The following banner, which belongs to the secondary device, should appear:

220 secondary.internal.lab ESMTP Smtpd;

6. Close the command prompt window.

To restore the cluster

1. Go to the cluster management GUI: https://10.0.1.100/admin

2. Click System > High Availability > Status.
3. In the Actions section, click Restore to configured operating mode.

The system prompts you to verify your action.

4. Click OK. This forces a failover back to the primary device.

5. Wait a few seconds, and then reload the management GUI. You should be returned to the login prompt.

6. Log in as admin and leave the password field empty.
7. Click System > Mail Settings > Mail Server Settings.
8. Verify that the primary FortiMail was restored to the master role.


Exercise 5: Monitoring Remote Services

In addition to detecting hardware failure, it is often useful for cluster devices to monitor each other's network connectivity and services. This ensures that a failover occurs if any of these services experience an outage, even while the peer's heartbeat is still healthy.

In this exercise, you will configure remote SMTP service monitoring on both cluster devices. Then, you will trigger a service-based failover to verify the configuration, and then verify the failover using event logs.

To configure service monitoring on the primary device

1. Go to the primary FortiMail management GUI: https://primary.internal.lab/admin

2. Click System > High Availability > Configuration.
3. In the Service Monitor section, double-click Remote SMTP.
4. Configure the following values:

Field        Value
Enable       Enabled
Remote IP    10.0.1.11
Timeout      10
Interval     30
Retries      2

For the purposes of this lab, you are reducing the time values to their lowest configurable value to speed things up. In a live production environment, the default values are a good place to start. You can fine tune them as you discover what kind of outage your email network can tolerate.

Using this procedure (repeated on both devices, below), you configure each cluster member to test TCP port 25 of the address in Remote IP every 30 seconds (Interval). A connection attempt that does not complete within 10 seconds (Timeout) counts as one failure. Two consecutive failures (Retries) must occur before the secondary device forces a failover, so a single dropped probe does not cause a role change.
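The telnet banner check in Exercise 4 and the Remote SMTP service monitor configured here rely on the same probe: open a TCP connection to port 25, read the 220 greeting, and note which hostname answered. The following Python is an added example, not FortiMail code or lab tooling, that performs that probe and applies the Interval/Timeout/Retries semantics described above to decide when a failover should fire. The in-process SMTP greeter, the hostnames and the loopback port are constructed for the demonstration, and the 30-second sleep between checks is omitted so the script runs immediately.

```python
"""Probe an SMTP listener for its 220 banner and apply FortiMail-style
service-monitor semantics (timeout / retries) to decide on failover.
Added example; not FortiMail code."""
import re
import socket
import socketserver
import threading

# "220 <hostname> ..." is the only part of the greeting the check needs.
BANNER_RE = re.compile(r"^220[ -](?P<host>\S+)")


def parse_banner(line: str):
    """Return the hostname announced in an SMTP 220 greeting, or None."""
    m = BANNER_RE.match(line.strip())
    return m.group("host") if m else None


def probe_smtp(host: str, port: int, timeout: float):
    """Connect, read one greeting line, send QUIT. Returns the announced
    hostname, or None if the connect or the greeting fails within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not data.endswith(b"\r\n"):
                chunk = s.recv(512)
                if not chunk:
                    return None
                data += chunk
            try:
                s.sendall(b"QUIT\r\n")
            except OSError:
                pass
            return parse_banner(data.decode("ascii", "replace"))
    except OSError:
        return None


class ServiceMonitor:
    """Counts consecutive failed probes; failover fires once `retries`
    consecutive probes fail (the lab uses Retries = 2)."""

    def __init__(self, retries: int):
        self.retries = retries
        self.failures = 0

    def record(self, ok: bool) -> bool:
        self.failures = 0 if ok else self.failures + 1
        return self.failures >= self.retries


def run_monitor(host: str, port: int, timeout: float, retries: int, checks: int):
    """Run `checks` probes back to back (interval sleep omitted); return the
    check number at which failover triggered, or None if it never did."""
    mon = ServiceMonitor(retries)
    for i in range(1, checks + 1):
        if mon.record(probe_smtp(host, port, timeout) is not None):
            return i
    return None


class _BannerHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a FortiMail SMTP listener: greet, then wait for QUIT."""

    def handle(self):
        self.request.sendall(b"220 " + self.server.hostname.encode() + b" ESMTP Smtpd;\r\n")
        try:
            self.request.recv(64)
        except OSError:
            pass


def start_fake_smtp(hostname: str):
    """Start a throwaway greeter on 127.0.0.1:<ephemeral>; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _BannerHandler)
    srv.hostname = hostname
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_smtp("primary.internal.lab")
    print("VIP owner:", probe_smtp("127.0.0.1", port, 2.0))
    srv.shutdown()
    srv.server_close()  # the service vanishes, as when SMTP is moved to port 125
    print("failover after check:", run_monitor("127.0.0.1", port, 2.0, 2, 3))
```

Against the lab, point `probe_smtp` at the virtual IP (10.0.1.100, port 25) before and after the forced failover and the returned hostname should change from primary.internal.lab to secondary.internal.lab; the `ServiceMonitor` shows why the lab tells you to wait several check cycles, since one missed probe is not enough.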

5. Click OK and Apply to save the changes.

To configure service monitoring on the secondary device

1. Go to the secondary FortiMail management GUI: https://secondary.internal.lab/admin

2. Click System > High Availability > Configuration.
3. In the Service Monitor section, double-click Remote SMTP.


4. Configure the following values:

Field        Value
Enable       Enabled
Remote IP    10.0.1.99
Timeout      10
Interval     30
Retries      2

5. Click OK and Apply to save the changes.

To trigger a service-based failover

1. Go to the primary FortiMail management GUI: https://primary.internal.lab/admin

2. Click System > Mail Settings > Mail Server Settings.
3. Change the SMTP server port number value to 125.
4. Click Apply.

Using this procedure, you changed the SMTP service port on the primary FortiMail to port 125. Because of this change, the secondary FortiMail can no longer detect SMTP services on port 25 and should trigger a failover based on remote service failure.

You must wait a few minutes for the secondary device to go through the service monitoring check schedule (two failed checks, 30 seconds apart) before a failover is triggered.

To verify service-based failover

1. Visit the secondary FortiMail's management GUI: https://secondary.internal.lab/admin

2. Click Monitor > Log > System Event.
3. In the Type drop-down list, select HA, and keep clicking the refresh icon to see the latest logs related to HA events.


Event logs related to the remote SMTP service should show up when the secondary device detects the failure for the first time.

After the second detection, the secondary device takes over as the active member.

4. Click Dashboard > Status.
5. On the System Information widget, verify that the HA mode values are Configured: slave, Effective: master.


6. Go to the primary FortiMail management GUI: https://primary.internal.lab/admin

7. Click Dashboard > Status.
8. On the System Information widget, verify that the HA mode values are Configured: master, Effective: failed.

To restore the cluster

1. Go to the primary FortiMail management GUI: https://primary.internal.lab/admin


2. Click System > Mail Settings > Mail Server Settings.
3. Change the SMTP server port number value back to 25.
4. Click Apply.
5. Click System > High Availability > Status.
6. In the Actions section, click Restart the HA system.

The system prompts you to confirm your action.

7. Click OK.
8. Click Refresh.

The primary FortiMail reverts to the master role.

9. Click Monitor > Log > System Event.
10. In the Sub type drop-down list, select HA.
11. Review the log messages related to the HA events.


Lab 10: Server Mode

In this lab, you will configure server mode resource profiles, and see their effect on user resource allocation. You will also populate the global address book from the LDAP server.

Objectives
- Configure resource profiles
- Configure LDAP mapping to import a domain address book

Time to Complete
Estimated: 40 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file.

To restore the initial configuration files

1. On Windows, open a web browser, and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click System > Maintenance > Configuration, and upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 10\10_Initial_IntGW.tgz

4. Click Restore.
5. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:

https://intsrv.internal.lab/admin

6. Log in as admin and leave the password field empty.
7. Click System > Maintenance > Configuration, and upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 10\10_Initial_IntSRV.tgz

8. Click OK.
9. Wait for the VMs to finish restarting before proceeding with the exercise.

The configuration files will restore the devices to the standalone states they were in before you completed High Availability on page 125.


Exercise 1: Configuring Resource Profiles

In this exercise, you will review the IntSRV FortiMail configuration. Then, you will configure resource profiles, and observe their effects on resource allocation for email users.

To review the server mode FortiMail configuration

1. On Windows, open a web browser, and go to the IntSRV FortiMail webmail GUI: https://intsrv.internal.lab/

2. Log in as user1 using the password fortinet.
3. Scroll to the bottom and find the Disk Usage value for user1.

If there are no resource profiles or domain-level service settings configured, there is a system default 500 MB disk limit for each user mailbox.

4. Click the address book icon and find the address books that user1 has access to.

If there are no resource profiles configured, server mode users have access to their personal address book only.

To configure a resource profile

1. Open a new web browser tab, and go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin


2. Click Profile > Resource > Resource.
3. Click New.
4. Create a new resource profile using the following values:

Field              Value
Domain             internal.lab
Profile name       PowerUsers
Disk quota (MB)    2000

5. Expand Webmail access and enable Domain address book.
6. Click Create to save the profile.
7. Click New again.
8. Create another resource profile using the following values:

Field              Value
Domain             internal.lab
Profile name       RegularUsers
Disk quota (MB)    1000

9. Click Create to save the profile.

To apply the resource profile to a recipient policy

1. Click Policy > Recipient Policy > Inbound.
2. Click New.
3. Create a new recipient policy using the following values:

Field                Value
Domain               internal.lab
Recipient Pattern    Type: User, user1
Resource             PowerUsers

4. Click Create to save the policy.
5. Click New again.
6. Create another recipient policy using the following values:

Field                Value
Domain               internal.lab
Recipient Pattern    Type: User, user2
Resource             RegularUsers

7. Click Create to save the policy. The following two recipient policies should appear:

For larger deployments that have different levels of resource allocation requirements, you can create recipient policies for local or LDAP groups, and assign resource profiles using separate recipient policies.

To verify the resource profile configuration

1. Go to the IntSRV FortiMail webmail GUI: https://intsrv.internal.lab/

2. Log in as user1 using the password fortinet. If you were already logged in, you must log out and log back in for the resource profile changes to apply.
3. Verify that user1 has the disk quota and address book access defined in the PowerUsers resource profile.
4. Log out of user1's account.
5. Log in as user2 using the password fortinet.
6. Verify that user2 has the disk quota and address book access defined in the RegularUsers resource profile.


Exercise 2: Address Book LDAP Import

In this exercise, you will review the existing LDAP profile you configured in Authentication on page 40. Then, you will configure an LDAP mapping profile, and use the LDAP profile to import contacts into the domain address book.

To review the existing LDAP profile

1. Go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

2. Click Profile > LDAP > LDAP.
3. Double-click InternalLabLDAP.
4. Verify that the profile configuration matches the following settings:

5. Click Cancel.

When the LDAP mapping profile uses the existing LDAP profile to import contacts, the search starts from the profile's base DN. To ensure the LDAP mapping profile does not import Active Directory system accounts (or anything else outside the user container), configure the base DN to point to the OU that holds the user accounts rather than the domain root.


To configure an LDAP mapping profile

1. Click Domain & User > Address Book > LDAP Mapping.
2. Click New.
3. Create a new mapping profile using the values shown here. To add new contact fields, click +.

Field           Value (LDAP attribute)
Mapping name    InternalLabMapping
Email (Work)    mail
Display name    cn
First name      givenName
Last name       sn
Title           title
Department      department
Company name    company

To review how to find the LDAP attributes of Active Directory objects, refer to the LDAP Operations exercise in Authentication on page 40.

The profile should match the following values:

4. Click Create to save the profile.


To import contacts from LDAP

1. Click Domain & User > Address Book > Contact.
2. In the Domain drop-down list, select internal.lab.
3. In the More drop-down list, select Import and then select LDAP.
4. Configure the following values:

Field                          Value
Select LDAP profile            InternalLabLDAP
Select LDAP mapping            InternalLabMapping
Overwrite existing contacts    Enabled
Delete nonexistent contacts    Enabled

5. Click OK. The system notifies you that LDAP synchronization is running.

6. Click OK.

7. Click the refresh icon.

You should see all the users that were imported from the Training Users OU in the internal.lab address book.
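The import just performed combines three things: the mapping profile (contact field to LDAP attribute), the base DN scoping discussed under the LDAP profile review, and the two merge switches (Overwrite existing contacts, Delete nonexistent contacts). The following Python is an added example, not FortiMail code, that reproduces that pipeline on a constructed set of directory entries so the effect of each switch can be seen. The entry shape (a dict with `dn` and `attrs`), the sample accounts and e-mail addresses, and the exact semantics of the two switches are assumptions made for the demonstration.

```python
"""Simulate an LDAP-to-address-book import: apply a field-to-attribute mapping
to directory entries under a base DN, then merge into the existing domain
address book. Added example; not FortiMail code."""

# Mapping profile from this exercise: contact field -> LDAP attribute.
INTERNAL_LAB_MAPPING = {
    "email_work": "mail",
    "display_name": "cn",
    "first_name": "givenName",
    "last_name": "sn",
    "title": "title",
    "department": "department",
    "company": "company",
}


def _norm_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDN components for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn: str, base_dn: str) -> bool:
    """True when `dn` is the base DN or lies beneath it (subtree search)."""
    d, b = _norm_dn(dn), _norm_dn(base_dn)
    return d == b or d.endswith("," + b)


def map_entry(entry: dict, mapping: dict):
    """Turn one directory entry into a contact; None if it has no mail attribute."""
    attrs = entry["attrs"]
    contact = {field: (attrs.get(attr) or "") for field, attr in mapping.items()}
    return contact if contact["email_work"] else None


def import_contacts(entries, base_dn, mapping, existing,
                    overwrite=True, delete_nonexistent=True):
    """Return the merged address book keyed by lower-cased e-mail address.
    overwrite: LDAP data replaces an existing contact with the same address.
    delete_nonexistent: contacts no longer found in LDAP are dropped."""
    book = {k.lower(): dict(v) for k, v in existing.items()}
    seen = set()
    for entry in entries:
        if not in_scope(entry["dn"], base_dn):
            continue                      # e.g. AD system accounts outside the users OU
        contact = map_entry(entry, mapping)
        if contact is None:
            continue                      # nothing to address mail to
        key = contact["email_work"].lower()
        seen.add(key)
        if key not in book or overwrite:
            book[key] = contact
    if delete_nonexistent:
        book = {k: v for k, v in book.items() if k in seen}
    return book


# Constructed sample directory (not lab data): two training users, a user
# with no mail attribute, and a system account outside the Training Users OU.
SAMPLE_ENTRIES = [
    {"dn": "CN=User One,OU=Training Users,DC=internal,DC=lab",
     "attrs": {"mail": "user1@internal.lab", "cn": "User One", "givenName": "User",
               "sn": "One", "title": "Security Analyst", "department": "SOC",
               "company": "Internal Lab"}},
    {"dn": "CN=User Two,OU=Training Users,DC=internal,DC=lab",
     "attrs": {"mail": "user2@internal.lab", "cn": "User Two", "givenName": "User",
               "sn": "Two", "department": "IT"}},
    {"dn": "CN=Service Account,OU=Training Users,DC=internal,DC=lab",
     "attrs": {"cn": "Service Account", "sn": "Account"}},
    {"dn": "CN=krbtgt,CN=Users,DC=internal,DC=lab",
     "attrs": {"mail": "krbtgt@internal.lab", "cn": "krbtgt"}},
]

# Constructed existing address book: user1 with a stale title, plus a contact
# that no longer exists in the directory.
EXISTING_BOOK = {
    "user1@internal.lab": {"email_work": "user1@internal.lab", "display_name": "User One",
                           "first_name": "User", "last_name": "One", "title": "Intern",
                           "department": "SOC", "company": "Internal Lab"},
    "old@internal.lab": {"email_work": "old@internal.lab", "display_name": "Old Contact",
                         "first_name": "", "last_name": "", "title": "",
                         "department": "", "company": ""},
}

if __name__ == "__main__":
    book = import_contacts(SAMPLE_ENTRIES, "OU=Training Users,DC=internal,DC=lab",
                           INTERNAL_LAB_MAPPING, EXISTING_BOOK)
    for key, c in sorted(book.items()):
        print(key, "->", c["display_name"], "/", c["title"] or "(no title)")
```

Run with the base DN set to the domain root instead of the users OU and the `krbtgt` account appears in the address book, which is the outcome the note under the LDAP profile review warns about.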


To verify the domain address book

1. Go to the IntSRV FortiMail webmail GUI: https://intsrv.internal.lab/

2. Log in as user1 using the password fortinet.
3. In the address book, verify that the domain address book contains the imported contacts.


Lab 11: Transparent Mode

In this lab, you will configure a transparent mode FortiMail to process bidirectional email for the external.lab domain using the built-in MTA. You will also configure and verify bidirectional transparency.

Objectives
- Configure a transparent mode FortiMail to process bidirectional email
- Verify built-in MTA functionality
- Configure bidirectional transparency

Time to Complete
Estimated: 50 minutes


Exercise 1: Configuring a Transparent Mode FortiMail

In this exercise, you will review the initial system configuration and the topology for the ExtTP FortiMail VM. Then, you will perform the rest of the basic configuration tasks required to establish bidirectional email flow. You will also verify built-in MTA functionality using logs.

To review the initial system configuration

1. On Windows, open a web browser, and go to the ExtTP FortiMail management GUI: https://exttp.external.lab/admin

Ignore any security warnings generated by your browser. These relate to the CN field and the signer of the self-signed FortiMail certificate.

2. Log in as admin and leave the password field empty.
3. On the System Status page, on the System Information widget, beside Operation mode, verify that Transparent is selected.
4. Click System > Network > Interface.
5. Verify the following:

- port1/Management IP is configured using the IP address 10.200.1.98/24
- All interfaces are members of the built-in bridge
- port3 and port4 are administratively down


6. Click System > Network > Routing.
7. Verify that there is a default route configured through port1.

To review the topology

1. Review the topology below and make note of the following: ExtSRV FortiMail is directly connected to ExtTP FortiMail's bridge-member interface port2.

To configure connection pickup

1. Visit the ExtTP FortiMail management GUI: https://exttp.external.lab/admin

2. Click System > Network > Interface.
3. Double-click port1/Management IP.
4. Verify that the SMTP proxy configuration uses the following values:

Field                   Value
Incoming connections    Proxy
Outgoing connections    Pass through
Local connections       Enable

5. Click Cancel.
6. Double-click port2.
7. Configure the following SMTP proxy values:

Field                   Value
Incoming connections    Pass through
Outgoing connections    Proxy
Local connections       Disable

8. Click OK to save the changes.

Because port1 is the closest interface to the source for all inbound email, port1's incoming connections are proxied. Port2 is the closest interface to the source for all outbound email (ExtSRV is directly attached to it), so port2's outgoing connections are proxied. Connections are picked up on the interface where they first arrive; the opposite direction on each interface is passed through untouched so that a session is not proxied twice.

To configure the system settings

1. Click System > Network > DNS.
2. Configure the following DNS servers:

Field                   Value
Primary DNS server      10.0.1.10
Secondary DNS server    10.0.1.254

3. Click Apply to save the changes.

To configure the mail settings

1. Click System > Mail Settings > Mail Server Settings.
2. Configure the following values for the Local Host:

Field                Value
Host name            ExtTP
Local domain name    external.lab

3. Keep the default values for the remaining settings, and then click Apply to save the changes.
4. Click Domain & User > Domain > Domain.
5. Click New to add a protected domain using the following values:


Field          Value
Domain name    external.lab
SMTP server    10.200.1.99

6. Expand Transparent Mode Options.
7. In the This server is on drop-down list, select port2.
8. Keep the default values for the remaining settings, and then click Create.

To configure an access receive rule for outbound email

1. Click Policy > Access Control > Receiving.
2. Click New.
3. Create a new access receive rule using the following values:

Field                Value
Sender pattern       User Defined: *@external.lab
Sender IP/netmask    User Defined: 10.200.1.99/32
Action               Relay

4. Click Create to save the rule.

The rule permits relaying to any destination only for mail that claims an external.lab sender and actually arrives from ExtSRV (10.200.1.99). The sender IP restriction is what keeps this from becoming an open relay: without it, any host on the Internet could present a MAIL FROM of *@external.lab and have its mail forwarded.
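To make the open-relay point concrete, the following Python is an added example, not FortiMail code, of a first-match evaluator for access receive rules shaped like the one just created (glob on the envelope sender, CIDR on the connecting IP, an action). The fallback when no rule matches is an assumption modelled on the usual MTA behaviour: accept mail addressed to a protected domain, refuse to relay anything else. The e-mail addresses and the 203.0.113.5 source are constructed for the demonstration.

```python
"""First-match evaluator for access receive rules. Added example, not FortiMail
code: rule shape, match order and the no-match fallback are assumptions."""
import fnmatch
import ipaddress

# The rule from this exercise: mail claiming an external.lab sender is relayed
# only when it actually arrives from ExtSRV (10.200.1.99/32).
RECEIVE_RULES = [
    {"sender": "*@external.lab", "source": "10.200.1.99/32", "action": "Relay"},
]

# Domains this box protects; ExtTP protects external.lab in the lab topology.
PROTECTED_DOMAINS = {"external.lab"}


def rule_matches(rule: dict, sender: str, source_ip: str) -> bool:
    """Sender pattern is a case-insensitive glob; source is a CIDR block."""
    pattern_ok = fnmatch.fnmatchcase(sender.lower(), rule["sender"].lower())
    net = ipaddress.ip_network(rule["source"], strict=False)
    return pattern_ok and ipaddress.ip_address(source_ip) in net


def evaluate(sender: str, source_ip: str, recipient: str,
             rules=RECEIVE_RULES, protected=PROTECTED_DOMAINS) -> str:
    """Return the action for one envelope. First matching rule wins; with no
    match, mail for a protected domain is accepted and everything else is
    refused (relay denied). The fallback is an assumption for this example."""
    for rule in rules:
        if rule_matches(rule, sender, source_ip):
            return rule["action"]
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    return "Accept" if rcpt_domain in protected else "Reject"


if __name__ == "__main__":
    # Constructed envelopes: legitimate outbound, spoofed outbound from an
    # unknown host, legitimate inbound, and an unrelated relay attempt.
    cases = [
        ("extuser@external.lab", "10.200.1.99", "user1@internal.lab"),
        ("extuser@external.lab", "203.0.113.5", "user1@internal.lab"),
        ("user1@internal.lab", "10.0.1.11", "extuser@external.lab"),
        ("anyone@example.net", "203.0.113.5", "someone@example.org"),
    ]
    for sender, ip, rcpt in cases:
        print(f"{sender} from {ip} to {rcpt}: {evaluate(sender, ip, rcpt)}")
```

The second case is the one the netmask exists for: same sender pattern, wrong source address, so the rule does not match and the relay is refused.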

To verify built-in MTA functionality

1. On Windows, open Thunderbird.
2. Click Write.
3. Compose a new email message using the following values:

Field           Value
To              [email protected]
Subject         Testing Transparent Mode
Message Body    Will this work?

4. Click Send.
5. Open a new web browser tab, and go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

6. Log in as extuser using the password fortinet.
7. Verify that the email message was delivered.
8. Reply to the email message.


9. On Thunderbird, verify that the reply was received.
10. Visit the ExtTP FortiMail management GUI: https://exttp.external.lab/admin

11. Click Monitor > Log > History.
12. Double-click the active log file.

The first two entries in the history log should correspond to the two email messages that FortiMail just processed.

13. View the details for each log, and review the values beside Direction and Mailer.


FortiMail is using its built-in MTA to route email in both directions. The value mta beside Mailer shows this; a proxied session that was simply passed through to the original destination would not show the built-in MTA as the mailer.


Exercise 2: Configuring Bidirectional Transparency

You have verified that the ExtTP FortiMail is picking up email in both directions, and using the built-in MTA to route email to its intended destination successfully.

In this exercise, you will examine email headers to investigate the transparency of ExtTP FortiMail's email processing. Then, you will configure transparency for both incoming and outgoing email.

To examine outgoing email headers

1. On Windows, open Thunderbird.
2. Open the last email user1 received from extuser.
3. Click More > View Source.
4. Review the Received headers:

Received: from IntGW.internal.lab ([10.0.1.11])
    by IntSRV.internal.lab with ESMTP id v29HESsx001946-v29HESt0001946
Received: from ExtTP.external.lab ([10.200.1.98])
    by IntGW.internal.lab with ESMTP id v29HESm1001931-v29HESm3001931
Received: from extsrv.external.lab ([10.200.1.99])
    by ExtTP.external.lab with ESMTP id v29HERuL002360-v29HERuN002360
Received: from [10.0.1.10] ([127.0.0.1])
    by extsrv.external.lab with ESMTP id v29HER6G001960-v29HER6H001960

To examine incoming email headers

1. Go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Open the last email extuser received from user1.
3. Click More > Detailed Header.
4. Review the Received headers:

Received: from ExtTP.external.lab ([10.200.1.98])
    by extsrv.external.lab with ESMTP id v29HEDnS001931-v29HEDnU00193
Received: from IntGW.internal.lab ([10.0.1.11])
    by ExtTP.external.lab with ESMTP id v29HEDhs002345-v29HEDhu002345

You should see that the transparent mode FortiMail is not really transparent at the application layer: in both directions it appears as an extra hop in the Received headers, by hostname (ExtTP.external.lab) and by IP address (10.200.1.98).

To configure inbound transparency

1. Go to the ExtTP FortiMail management GUI: https://exttp.external.lab/admin

2. Click Domain & User > Domain > Domain.
3. Double-click external.lab.
4. Expand the Transparent Mode Options section.


5. Enable Hide the transparent box.
6. Click OK to save the changes.

To configure outbound transparency

1. Click Policy > IP Policy > IP Policy.
2. In the IP Policies section, click the Inbound_Session link for policy ID 1.

This session profile is applied to IP policy ID 1, which is currently processing all email.

3. In the Connection Settings section, enable Hide this box from the mail server.
4. Click OK.

To verify inbound transparency

1. On Thunderbird, send a new email message to [email protected].
2. Visit the ExtSRV FortiMail webmail GUI: http://extsrv.external.lab/

3. Open the email message you just sent.
4. Click More > Detailed Header.
5. Review the Received headers:

Received: from IntGW.internal.lab ([10.0.1.11])
    by extsrv.external.lab with ESMTP id v29IUVNd002175-v29IUVNf002175

The ExtTP FortiMail no longer appears in the inbound email headers.

To verify outbound transparency

1. Go to the ExtSRV FortiMail webmail GUI: http://extsrv.external.lab/

2. Send a new email message to [email protected].
3. On Thunderbird, open the email message you just sent.
4. Click More > View Source.
5. Review the Received headers:

Received: from IntGW.internal.lab ([10.0.1.11])
    by IntSRV.internal.lab with ESMTP id v29IgrVu001966-XXXXXXX
Received: from ExtTP.external.lab ([10.200.1.99])
    by IntGW.internal.lab with ESMTP id v29IgrJV001947-XXXXXXX
Received: from [10.0.1.10] ([127.0.0.1])
    by extsrv.external.lab with ESMTP id v29IgqvA00221-XXXXXXX


While the header now shows the IP address of the ExtSRV FortiMail (10.200.1.99), the hostname still reads ExtTP.external.lab. This is because the ExtTP FortiMail uses its own hostname in the SMTP greeting (EHLO/HELO) when it connects onward as a client, and the receiving MTA records that greeting name in its Received header. There is one more configuration change you must make to prevent this.
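Reading Received chains by eye works for a lab; for repeated checks it is easier to parse them. The following Python is an added example, not FortiMail code, that walks the Received headers of a message and reports every hop in which a box that should be hidden is still visible, by hostname or by IP. The three sample header sets are the ones shown in this exercise (before any transparency settings, after Hide this box from the mail server, and after the greeting rewrite that follows); the regular expression assumes the "from <name> ([<ip>]) by <host>" layout the lab MTAs write.

```python
"""Walk a message's Received: chain and report where a transparent-mode box
is still visible. Added example; not FortiMail code."""
import re

# "Received: from <helo> ([<ip>]) by <host> ..." as written by the lab MTAs.
HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[^\]]+)\]\)\s*by\s+(?P<by>\S+)",
    re.MULTILINE,
)


def parse_hops(raw_headers: str):
    """Hops in transmission order, oldest first: (helo_name, ip, receiving_host).
    The topmost Received: header is the newest, so the matches are reversed."""
    hops = [(m["helo"], m["ip"], m["by"]) for m in HOP_RE.finditer(raw_headers)]
    return hops[::-1]


def transparency_report(raw_headers: str, hidden_host: str, hidden_ip: str):
    """List every hop in which the box that should be hidden still shows,
    either by hostname (greeting name or receiving host) or by IP address."""
    findings = []
    for helo, ip, by in parse_hops(raw_headers):
        if hidden_host.lower() in (helo.lower(), by.lower()):
            findings.append(f"hostname {hidden_host} visible in hop {helo} -> {by}")
        if ip == hidden_ip:
            findings.append(f"IP {hidden_ip} visible in hop {helo} -> {by}")
    return findings


# Header sets from this exercise, folded onto one line per Received: header.
BEFORE = """\
Received: from IntGW.internal.lab ([10.0.1.11]) by IntSRV.internal.lab with ESMTP id v29HESsx001946-v29HESt0001946
Received: from ExtTP.external.lab ([10.200.1.98]) by IntGW.internal.lab with ESMTP id v29HESm1001931-v29HESm3001931
Received: from extsrv.external.lab ([10.200.1.99]) by ExtTP.external.lab with ESMTP id v29HERuL002360-v29HERuN002360
Received: from [10.0.1.10] ([127.0.0.1]) by extsrv.external.lab with ESMTP id v29HER6G001960-v29HER6H001960
"""

AFTER_HIDE_BOX = """\
Received: from IntGW.internal.lab ([10.0.1.11]) by IntSRV.internal.lab with ESMTP id v29IgrVu001966-XXXXXXX
Received: from ExtTP.external.lab ([10.200.1.99]) by IntGW.internal.lab with ESMTP id v29IgrJV001947-XXXXXXX
Received: from [10.0.1.10] ([127.0.0.1]) by extsrv.external.lab with ESMTP id v29IgqvA00221-XXXXXXX
"""

AFTER_GREETING_REWRITE = """\
Received: from IntGW.internal.lab ([10.0.1.11]) by IntSRV.internal.lab with ESMTP id v29MUF0s001921-v29MUF0t001921
Received: from ExtSRV.external.lab ([10.200.1.99]) by IntGW.internal.lab with ESMTP id v29MUEdn001911-v29MUEdp001911
Received: from [10.0.1.10] ([127.0.0.1]) by extsrv.external.lab with ESMTP id v29MUExs002184-v29MUExt002184
"""

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("hide box", AFTER_HIDE_BOX),
                        ("greeting rewrite", AFTER_GREETING_REWRITE)):
        print(label, transparency_report(hdrs, "ExtTP.external.lab", "10.200.1.98")
              or ["transparent"])
```

The middle set is the interesting one: the IP finding disappears once the box hides itself from the mail server, but the hostname finding remains until the EHLO/HELO name is rewritten, which is exactly the residue the next procedure removes.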

To configure SMTP greeting rewrite

1. Go to the ExtTP FortiMail's management GUI: https://exttp.external.lab/admin

2. Click Domain & User > Domain > Domain.
3. Double-click external.lab.
4. Expand Advanced Settings and click Other.
5. Beside SMTP greeting (EHLO/HELO) name (as client), select Use other name, and then enter ExtSRV.external.lab.

6. Click OK.
7. Click OK.

To verify outbound transparency

1. Go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Send an email message to [email protected].
3. On Thunderbird, open the new email message.
4. Click More > View Source.
5. Review the Received headers.

The ExtTP FortiMail should no longer appear in the headers:

Received: from IntGW.internal.lab ([10.0.1.11])
    by IntSRV.internal.lab with ESMTP id v29MUF0s001921-v29MUF0t001921
Received: from ExtSRV.external.lab ([10.200.1.99])
    by IntGW.internal.lab with ESMTP id v29MUEdn001911-v29MUEdp001911
Received: from [10.0.1.10] ([127.0.0.1])
    by extsrv.external.lab with ESMTP id v29MUExs002184-v29MUExt002184


Lab 12: Maintenance

In this lab, you will configure and generate a local report, monitor system resource use, and perform local storage management.

Objectives
- Configure and generate a local report
- Monitor historical and real-time system resource use
- Partition a disk to allocate more space to the log disk

Time to Complete
Estimated: 25 minutes


Exercise 1: Configuring and Generating Local Reports

In this exercise, you will configure a local report to query the IntGW FortiMail's mail filtering statistics. Then, you will generate an on-demand report and review the statistics.

To configure a local report

1. On Windows, open a web browser, and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Log and Report > Report Settings > Configuration.
4. Click New.
5. Create a new report configuration using the following values:

Field          Value
Report name    IntGWReport
Time Period    This week

6. Expand the Query Selection section.
7. Expand the Mail Filtering Statistics query, and enable the following queries:

- Mail Category by Date
- Non-Spam Classifier by Date
- Spam Classifier by Date
- Virus Classifier by Date

8. In the Sender Domain section, disable All domains and add just the internal.lab domain.

9. Click Create to save the report configuration.


In a production FortiMail, you should also configure scheduling and add a notification email so that the report is automatically generated and sent to you by email. The scheduled reporting will help keep you up to date on the email trends of your network.

To generate an on-demand report

1. Click Log and Report > Report Settings > Configuration.
2. Select the IntGWReport entry, and click Generate.

FortiMail generates the following notification:

3. Click OK.

To view the local report

1. Click Monitor > Report > Report.
2. Expand the report file entry.

3. Double-click the html file.

The report opens on a separate web browser tab.

4. Use the menu on the left to navigate and review the data.


Exercise 2: Monitoring System Resource Use

In this exercise, you will view the historical and real-time resources used by the IntGW FortiMail.

To view the resource use history

1. Visit the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Dashboard > Status.
3. In the System Resource widget, make note of the following values:

- CPU usage
- Memory usage
- System load
- Active sessions

4. Click History.

You may need to allow Flash to run in the web browser.

5. Make note of the trends in resource use.


To view resource use in real-time

1. On Windows, open PuTTY.
2. Double-click the preconfigured session for IntGW.
3. Log in as admin and leave the password field empty.
4. To view the list of processes that are consuming the most CPU cycles or RAM, enter the following command:

diagnose system top delay 1

A list of system processes is displayed, with the processes consuming the most CPU at the top of the list. The list refreshes every second (the delay argument), which gives you a real-time view of the system's resource use. To stop the output, press Q.

5. Press Q to stop the output.


To generate traffic

1. On Windows, on the taskbar, click the PuTTY icon, and then select Linux from the saved sessions.
2. Click Load.
3. Click Open.

You can also enter the IP address of the Linux machine, which is 10.0.1.254, and click Open.

4. Log in as student using the password password.
5. After you log in successfully, you will be in the /home/student directory. To verify, type pwd.
6. Run the following Python script to send continuous emails to the IntGW FortiMail:

sudo python mbox_send.py --to [email protected] --from [email protected] spam_mbox

A copy of the command is in a text file named commands.txt, which is located in the Resources folder on the Windows desktop.

If asked for a password, the password is password.

To view resource use during traffic

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Dashboard > Status.
3. In the System Resource widget, click History.
4. You must wait a few minutes before the charts refresh with new data.
5. In the drop-down list at the top of the screen, you can select By Minute or By Hour, to specify how you want to view the system resource usage.


Exercise 3: Managing Local Storage

By default, the mail disk partition size is 80% of the total disk. For a gateway mode FortiMail, which stores no user mailboxes, this can mean that a lot of unused space is taken up by the mail disk partition.

In this exercise, you will partition the IntGW FortiMail local storage, and allocate more space to the log disk partition.

To verify partition sizes

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click Dashboard > Status.
3. On the System Information widget, make note of the Log disk and Mailbox disk sizes:

To change the partition size

1. On the virtual lab environment window, click the IntGW console. This opens a new tab for the FortiMail VM console session.

You should always perform disk formatting and partitioning tasks using the console connection. This allows you to monitor the entire process and take action in case of errors; an SSH or GUI session is lost when the device restarts partway through.

2. Click anywhere on the console window, and then press Enter. This displays the login prompt.


3. Log in as admin and leave the password field empty.
4. Type the following command to change the log disk partition size to 50% of the total storage:

execute partitionlogdisk 50

The system warns you that all data on the mail and log disks will be lost. Repartitioning reformats both partitions, so on a production device back up logs and quarantined mail first. Press Y.

5. After partitioning completes, the VM restarts.

To verify the size after partitioning

1. On Windows, return to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click Dashboard > Status.
4. On the System Information widget, make note of the Log disk and Mailbox disk sizes:


Lab 13: Troubleshooting

The internal.lab users are complaining that they are not able to send or receive email. In this lab, you will use SMTP event logs and the built-in packet capture tools to investigate and remedy the mail flow issues.

Objectives
- Investigate user complaints
- Use SMTP event logs and packet capturing to determine where the issue is occurring
- Remedy the email flow issue

Time to Complete
Estimated: 60 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file.

To restore the initial configuration files

1. On Windows, open a web browser, and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Click System > Maintenance > Configuration, and upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 13\13_Initial_IntGW.tgz

4. Click Restore.
5. Open a new web browser tab, and go to the IntSRV FortiMail management GUI:

https://intsrv.internal.lab/admin

6. Log in as admin and leave the password field empty.
7. Click System > Maintenance > Configuration, and upload the following configuration file:

Desktop\Resources\Starting Configs\Lab 13\13_Initial_IntSRV.tgz

8. Wait for the VMs to finish restarting before proceeding with the exercise.

The config files introduce errors that cause the mail flow issues. Try to follow the methodologies presented in the lab to troubleshoot and remedy the problem.


Exercise 1: Troubleshooting the Problem

In this exercise, you will verify the problem. Then, you will use SMTP event logs and packet capturing to determine where the issue lies.

To investigate inbound email flow

1. On Windows, open a web browser, and visit the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

2. Log in as extuser using the password fortinet.
3. Send an email message to [email protected].
4. Open Thunderbird, and then wait for the email message to arrive.

Hint: It won’t arrive.

5. Open a new web browser tab and go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

6. Log in as admin and leave the password field empty.
7. Click Monitor > Log > History.
8. Double-click the active log file.

The first entry in the history log should correspond to the email message you just sent from extuser.

9. View the log details.

Do the details indicate that there is a problem?


In this particular instance, the history log details don’t provide much information. You must dig deeper.

10. Click Close.
11. In the Session ID column, click the link to retrieve the cross search results.
12. Review the event logs related to the session:


The first two event logs relate to the external part of the session, from ExtSRV to IntGW. The third event log relates to the internal part of the session, from IntGW to IntSRV.

Do the event logs indicate that there is a problem?

The external part of the session appears to be without issues. The internal part of the session appears to be experiencing problems. Specifically, the connection from IntGW to IntSRV is being refused. However, the reason for the refusal isn’t listed.

To investigate outbound email flow

1. In Windows, open Thunderbird.
2. Try to send an email message to [email protected].


Hint: It won’t work!

3. Open a new web browser tab, and go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

4. Log in as admin and leave the password field empty.
5. Click Monitor > Log > History.
6. Click the active log file, and try to find an entry in the history log for the outbound email message you just tried to send.
7. Click Monitor > Log > Mail Event.
8. Double-click the active log file.
9. In the Type drop-down list, select SMTP.
10. Try to find a related SMTP event log entry for the outbound email message you just tried to send.

If you can’t find an entry in the history or event logs for a specific session, it means there is an issue at either the IP or TCP layer. In these types of scenarios, only a traffic capture might show you what the problem is.

To capture inbound email traffic

1. Go to the IntGW FortiMail management GUI: https://intgw.internal.lab/admin

2. Click System > Network > Traffic Capture.
3. Click New.
4. Configure the following values:

Field Value

Description InboundCapture

Duration 10 minutes

Interface port1

IP/Host 10.0.1.99

Filter None

After investigating the inbound email flow, you established that the issue appears to be with the internal portion of the email session. Therefore, you are only interested in seeing traffic for the IntSRV (10.0.1.99) FortiMail.

5. Click Create.
6. Visit the ExtSRV FortiMail webmail GUI:

https://extsrv.external.lab/


7. Send a new email message to [email protected].
8. Visit the IntGW FortiMail management GUI.
9. Click System > Network > Traffic Capture.
10. Click Refresh until you see the Size(Byte) column populated.
11. Select the capture, and then click Stop.
12. Select the capture again, and then click Export.
13. Save the capture file to the desktop.

To review the inbound traffic capture

1. On the Windows desktop, open the capture file.
2. In the Display Filter field, type ip.addr==10.0.1.99, and then press Enter.
3. You should see the following packets:

4. Select the first packet (Source: 10.0.1.11, Destination: 10.0.1.99), and expand the Transmission Control Protocol header.

5. Review the details:


This is the first packet of the session between IntGW (10.0.1.11) and IntSRV (10.0.1.99) on port 465 (Dst Port). This packet has a sequence number of 0 and is flagged as the SYN packet. This packet is expected, since all TCP sessions start with a SYN packet.

6. Select the second packet (Source: 10.0.1.99, Destination: 10.0.1.11), and expand the Transmission Control Protocol header.

7. Review the details:


This second packet is not expected. It has the RST/ACK flags set. The IntSRV FortiMail is sending a reset as soon as IntGW attempts to set up a TCP session on port 465. The expected packet would have been a SYN/ACK, but that is not the case.

From the above analysis, you can start to form an idea about the root cause. The IntGW FortiMail is sending a SYN packet for port 465 (SMTPS); however, the IntSRV FortiMail is refusing the session. You know, and can verify, that it’s not related to IP addressing, because if it was you wouldn’t see a reply packet at all. So, it must be related to the TCP port. However, before you try to fix this issue, have a look at the outbound session using a packet capture.


To capture outbound email traffic

1. On Windows, open a PuTTY window.
2. Double-click the preconfigured session for IntSRV.
3. Log in as admin and leave the password field empty.
4. Type the following command to start a packet capture:

diagnose sniffer packet any "host 10.0.1.10 and port 25" 4

The filter is set up to capture SMTP (port 25) traffic from the 10.0.1.10 host (Windows).

5. On Windows, open Thunderbird.
6. Try to send another email message to [email protected].
7. On the PuTTY window, review the capture output:

The IntSRV FortiMail is showing similar behavior for outbound traffic. The 10.0.1.10 host is initiating the session on port 25 with a SYN packet. However, the 10.0.1.99 host is refusing the session with an RST.

8. Press Ctrl+C to stop the capture.
9. Close the PuTTY window.
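The reasoning in the two capture reviews above (SYN answered by SYN/ACK means the port is listening, SYN answered by RST/ACK means the host is reachable but the port is closed, no answer at all points at the IP layer) can be automated so that a capture exported from the Traffic Capture page, or any other pcap, is classified without clicking through packets. The following Python script is an added example and not part of the lab guide or the FortiMail product; it builds two frames that mirror the lab's inbound capture (IntGW 10.0.1.11 sending a SYN to IntSRV 10.0.1.99 on port 465 and receiving RST/ACK), reads and writes the classic pcap container, and reports a verdict. The addresses, ports and the constructed frames are taken from the lab; the MAC addresses, checksums and timestamps are placeholders.

```python
"""Classify a TCP connection attempt from a packet capture (added example; the
frames are constructed to mirror the lab: IntGW 10.0.1.11 -> IntSRV 10.0.1.99:465)."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, zero checksums)."""
    eth = bytes(12) + b"\x08\x00"                       # placeholder MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 8192, 0, 0)        # 20-byte TCP header, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                        # IP header length in bytes
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            sport, dport, tcp[13])                      # tcp[13] is the flag byte

def flag_names(flags):
    """Render the TCP flag byte the way Wireshark labels it, e.g. 'RST/ACK'."""
    names = [n for bit, n in ((TCP_SYN, "SYN"), (TCP_RST, "RST"), (TCP_FIN, "FIN"),
                              (TCP_PSH, "PSH"), (TCP_ACK, "ACK")) if flags & bit]
    return "/".join(names) or "none"

def classify_attempt(frames, server_ip, server_port):
    """Find the first SYN to server_ip:server_port and classify the server's reply.

    'accepted': SYN/ACK came back, so the port is listening.
    'refused':  RST came back, so the host is reachable but nothing listens there.
    'no-reply': nothing came back, so look at IP addressing, routing or filtering.
    """
    parsed = [p for p in map(parse_frame, frames) if p]
    syn = next((p for p in parsed if p[1] == server_ip and p[3] == server_port
                and p[4] & TCP_SYN and not p[4] & TCP_ACK), None)
    if syn is None:
        return "no-syn"
    client_ip, client_port = syn[0], syn[2]
    reply = next((p for p in parsed if p[0] == server_ip and p[2] == server_port
                  and p[1] == client_ip and p[3] == client_port), None)
    if reply is None:
        return "no-reply"
    if reply[4] & TCP_RST:
        return "refused"
    if reply[4] & TCP_SYN and reply[4] & TCP_ACK:
        return "accepted"
    return "unexpected:" + flag_names(reply[4])

def encode_pcap(frames):
    """Serialise frames as a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):                      # placeholder timestamps
        out.append(struct.pack("<IIII", 1546992000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def decode_pcap(data):
    """Return the list of frames from a classic pcap file (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    frames, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frames.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return frames

if __name__ == "__main__":
    syn = build_frame("10.0.1.11", "10.0.1.99", 51234, 465, TCP_SYN)
    rst = build_frame("10.0.1.99", "10.0.1.11", 465, 51234, TCP_RST | TCP_ACK, ack=1)
    frames = decode_pcap(encode_pcap([syn, rst]))      # round trip through the pcap format
    for p in map(parse_frame, frames):
        print(f"{p[0]}:{p[2]} -> {p[1]}:{p[3]}  {flag_names(p[4])}")
    print("verdict:", classify_attempt(frames, "10.0.1.99", 465))
```

To run it against the file exported in the exercise, replace the constructed frames with `decode_pcap(open("InboundCapture.pcap", "rb").read())` (the exported file name is an assumption) and keep the `classify_attempt` call; the verdict for the lab capture is `refused`, which is the same conclusion the manual review reaches.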


Exercise 2: Fixing the Problem

In this exercise, you will review the configuration and fix any errors. Then, you will verify your changes by sending email in both directions.

To review the configuration

1. Go to the IntSRV FortiMail management GUI: https://intsrv.internal.lab/admin

2. Log in as admin and leave the password field empty.
3. Navigate the various configuration sections and discover where there could be potential configuration issues for the SMTP and SMTPS port numbers.

Hint: Check System > Mail Settings > Mail Server Settings.

4. Fix any errors you see on the Mail Server Settings tab.

Hint: SMTP uses port 25 and SMTPS uses port 465.
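A quick way to confirm a port-number fix like this one, and to tell the "refused" case of this lab apart from the "no reply at all" case described in Exercise 1 (no history or event log entry, so the problem is at the IP or TCP layer), is to probe the expected ports from another host and classify the result. The following Python script is an added example and not part of the lab guide or the FortiMail product. It connects to each expected port, reads the cleartext SMTP banner where one is offered, and maps the outcome to `open`, `refused` or `timeout`. The local listener and the helper that finds a closed port are constructed stand-ins so the script runs offline; in the lab you would point `probe_port` at intsrv.internal.lab (or its IP, 10.0.1.99) with the ports the hint gives.

```python
"""Probe a mail host's SMTP/SMTPS ports and classify what comes back (added example)."""
import socket
import threading

def probe_port(host, port, timeout=3.0):
    """Attempt a TCP connection to host:port and classify the result.

    'open'    : the three-way handshake completed (banner included if one is sent)
    'refused' : the host answered with RST, so nothing is listening on that port
    'timeout' : no answer at all, so suspect IP addressing, routing or filtering
    """
    result = {"host": host, "port": port, "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["status"] = "open"
            sock.settimeout(timeout)
            try:
                # Port 25 greets in cleartext; implicit-TLS port 465 sends nothing until
                # the client starts the TLS handshake, so a silent open port is normal there.
                result["banner"] = sock.recv(512).decode("ascii", "replace").strip() or None
            except socket.timeout:
                pass
    except ConnectionRefusedError:
        result["status"] = "refused"
    except socket.timeout:
        result["status"] = "timeout"
    except OSError as exc:
        result["status"] = "error: " + (exc.strerror or str(exc))
    return result

def check_mail_ports(host, ports=None):
    """Probe the ports a mail server is expected to listen on (defaults: 25 and 465)."""
    ports = ports or {"smtp": 25, "smtps": 465}
    return {name: probe_port(host, port) for name, port in ports.items()}

def start_fake_smtp_listener(banner=b"220 intsrv.internal.lab ESMTP\r\n"):
    """Start a throwaway loopback listener that greets once (constructed stand-in for IntSRV)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def unused_local_port():
    """Grab an ephemeral port and release it again, so a probe to it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    # Loopback stand-ins: one port that greets like SMTP, one with nothing listening,
    # which is what a wrong port number in Mail Server Settings looks like from outside.
    stand_ins = {"smtp": start_fake_smtp_listener(), "smtps": unused_local_port()}
    for name, r in check_mail_ports("127.0.0.1", stand_ins).items():
        extra = f"  {r['banner']}" if r["banner"] else ""
        print(f"{name:5} port {r['port']}: {r['status']}{extra}")
```

Against the lab's broken configuration the 465 and 25 probes come back `refused`; after the fix, 25 returns `open` with a `220` banner and 465 returns `open` with no banner, because SMTPS expects the TLS handshake before it speaks.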

To verify the change

1. On the main Thunderbird window, send another email message to [email protected].


If your changes are correct, the email message will be delivered to the recipient.

2. Open another web browser tab, and go to the ExtSRV FortiMail webmail GUI: https://extsrv.external.lab/

3. Log in as extuser using the password fortinet.
4. Verify that the email was received.
5. Open the email message, and then reply to it.
6. On the main Thunderbird window, verify that the reply was received.


No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976.

Copyright © 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
