Technical Note
FORTIMAIL Configuration
For Enterprise Deployment
Rev 2.1
Table of Contents
1 Introduction
1.1 Objective
1.2 Network deployment
1.3 Convention
2 System settings
2.1 DNS settings
2.2 SMTP access control
2.2.1 Inbound traffic
2.2.2 Outbound traffic
2.2.3 Enforcing authentication for roaming users
2.3 FortiGuard queries
2.4 Log settings
3 Domain settings
3.1 Domain creation
3.2 Recipient verification
4 Protection profile settings
4.1 Session profile settings
4.1.1 Session profile for inbound traffic
4.1.2 Session profile for outbound traffic
4.2 Antispam profile settings
4.2.1 Antispam profile for inbound traffic
4.2.2 Antispam profile for outbound traffic
4.3 Antivirus profile
5 Policies
5.1 IP based policies
5.2 Recipient based policies
5.3 Authentication policies (Webmail & SMTP)
Change Log
Revision  Date        Description
1.0       2009/03/05  Initial Draft Release
1.5       2009/03/09
1.6       2009/03/10
2.0       2009/03/18  General Availability
2.1       2009/04/07  FortiMail 3.0 MR3 Patch 5
Comments: Nathalie Rivat [email protected]
© Copyright 2009 Fortinet Inc. All rights reserved.
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
1 Introduction
1.1 Objective
The purpose of this document is to provide recommended FortiMail antispam settings for an enterprise environment.
This document is intended for administrators who already have a good understanding of FortiMail features and positioning.
The intention is not to explain the filtering techniques themselves; refer to the Administration Guide for that.
1.2 Network deployment
FortiMail is deployed in gateway mode (the default mode).
Incoming mail filtering
The MX record of "mycompany.com" resolves to the IP address of the FortiMail unit.
This way the corporate mail server is not directly reachable from the Internet and does not receive unfiltered or unwanted sessions: FortiMail filters incoming traffic for spam and malicious content before relaying it.
Outgoing mail filtering
We recommend using FortiMail as the outgoing relay for the backend mail server as well, so that outbound traffic can be policed and filtered (section 4.2.2 explains why this matters).
1.3 Convention
For ease of description, the FortiMail configuration is presented as CLI commands, based on the recommended release as of this writing: FortiMail Release 3.0 Minor Release 4 Patch 5.
Providing CLI commands also makes it easy to replicate the settings by copy and paste.
Parameters written in red in the original document (the example IP addresses, domain names and credentials in the commands below) must be modified to fit the local network and system environment.
2 System settings
2.1 DNS settings
FortiMail should be configured with two local DNS servers. Fast answers from the DNS servers are critical to FortiMail performance, since the reverse DNS, DNSBL, SURBL and SPF checks enabled later in this note all depend on them.
Adapt the following IP addresses to the corporate environment:
    set system dns primary 192.168.1.1 secondary 192.168.1.2
2.2 SMTP access control
The main purpose of the access list is to control whether mail should be relayed at all, while policies control how accepted mail is processed and filtered (authentication, antivirus, antispam, content filters).
2.2.1 Inbound traffic
Defining the internal domains protected by FortiMail implicitly creates access-list entries that accept and relay mail addressed to these domains.
Refer to section 3.1, Domain creation.
There is no need to define any additional access-list entry to relay inbound traffic.
2.2.2 Outbound traffic
An explicit access-list entry must be defined to allow outgoing traffic from the backend mail server to the Internet. Adapt the following command with the IP address of the backend mail server:
    set mailserver access rule 0 set sender_pattern * no recipient_pattern * no ip_mask 192.168.2.100/32 reverse_dns_pattern * no authenticated no tlsprofile / action RELAY
2.2.3 Enforcing authentication for roaming users
If roaming users send mail through FortiMail from the Internet, consider enforcing authentication for these MUA sessions. This prevents spammers from relaying through the gateway by spoofing internal sender addresses.
    set mailserver access rule 1 set sender_pattern *@mydomain.com no recipient_pattern * no ip_mask 0.0.0.0/0 reverse_dns_pattern * no authenticated yes tlsprofile / action RELAY
    set mailserver access rule 2 set sender_pattern *@mydomain.com no recipient_pattern * no ip_mask 0.0.0.0/0 reverse_dns_pattern * no authenticated no tlsprofile / action REJECT
Access rules are evaluated in order: rule 0 above matches the backend mail server first, rule 1 relays authenticated sessions that claim an internal sender address, and rule 2 rejects any unauthenticated session from any IP address that claims an internal sender. Rule 2 therefore also rejects inbound mail from the Internet that carries a forged internal address, which is the intent, but it will equally reject legitimate external services that send on behalf of internal addresses; whitelist those by IP with a more specific rule placed before rule 2. Both rules leave tlsprofile empty: if the SMTP AUTH mechanisms in use send credentials in clear text (PLAIN, LOGIN), consider requiring TLS for these sessions.
2.3 FortiGuard queries
FortiMail queries FortiGuard:
• for antivirus engine and definition updates
• for SHASH/URI/IP checks used to filter spam during SMTP sessions.
To maximize FortiMail performance, SHASH/URI/IP query results can be cached locally on FortiMail:
    set fshd cache status enabled
    set fshd cache ttl 600
Schedule antivirus database and engine updates every hour:
    set system autoupdate schedule enable every 1:0
2.4 Log settings
Configure the following events to be logged locally:
    set log policy destination local event status enable category system smtp ha update
    set log policy destination local virus status enable category infected
    set log policy destination local history status enable
3 Domain settings
3.1 Domain creation
Define the internal domains that should be protected by FortiMail, together with the backend mail server they are relayed to:
    set policy mydomain.com modify ip 192.168.2.100 port 25 usessl disabled
3.2 Recipient verification
Before relaying incoming mail to the backend mail server(s), FortiMail can optionally verify that a mailbox exists for the recipient address.
• This off-loads the mail server from processing a significant amount of mail destined to unknown users.
• This helps the spam catch rate, as the local sender reputation algorithm automatically adjusts the score of the sender IP address by learning from these failures: a source probing for addresses (directory harvest) quickly reaches the throttle, tempfail and reject thresholds of the session profile.
The best option to implement this check is the corporate LDAP directory, as FortiMail:
• is able to cache LDAP answers
• and supports a redundant LDAP configuration for automatic failover.
If LDAP is not available, the backend SMTP server can be used to validate recipient addresses: FortiMail sends a RCPT TO command and expects a reply that tells whether the address is valid.
Verify that the backend mail server actually rejects unknown recipients at RCPT TO time; a server that accepts every recipient and generates a bounce later makes this check useless. This sometimes requires an additional option to be configured on the mail server.
Define the LDAP profile (adapt the server address, base DN, bind DN and bind password; for recipient verification the bind account only needs read access to the mail attribute):
    set ldap_profile profile ldap_server server 192.168.2.100 port 636 secure none
    set ldap_profile profile ldap_server user schema inetorgperson basedn dc=mycompany,dc=com binddn cn=Manager,dc=mycompany,dc=com bindpw fortinet deref never scope sub query '(& (objectClass=inetOrgPerson) (mail=$m))'
    set ldap_profile profile ldap_server auth authstate enable upnstatus disable upnsuffix '' cnidstatus disable cnidname uid searchstatus enable
    set ldap_profile profile ldap_server option timelimit 10 version ver3 unauthbind disable cachestate enable cachettl 1440
Note that port 636 is the conventional LDAPS port while "secure none" disables TLS on the connection: use a matching pair (389 without TLS, or 636 with the profile's TLS option enabled) so that the bind password does not cross the network in clear text. The same profile is reused for user authentication in section 5.3, where user passwords travel over this connection too.
Enable recipient check using the LDAP profile:
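As an added illustration of the recipient check (example code written for this edit, not part of the original note and not FortiMail code): the script below shows what substituting the recipient into the LDAP query template '(mail=$m)' of the profile above must do so that a crafted recipient address cannot widen the search, and how a RCPT TO callout reply from the backend server should be interpreted when LDAP is not available. How FortiMail itself performs the substitution is not documented in this note; RFC 4515 escaping is what any correct implementation has to apply. The in-memory directory, the toy filter evaluator and the SMTP replies are constructed sample data.

```python
"""Recipient verification helpers for section 3.2.

Added example, not FortiMail code.  It shows what substituting the recipient
into the LDAP query template ('(mail=$m)') must do so that a crafted recipient
cannot widen the search, and how a RCPT TO callout reply from the backend
should be interpreted when LDAP is unavailable.  How FortiMail performs the
substitution is not documented in the note; RFC 4515 escaping is what any
correct implementation applies.  Directory entries and replies are constructed.
"""
import re

QUERY_TEMPLATE = "(& (objectClass=inetOrgPerson) (mail=$m))"
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value (backslash must be escaped first)."""
    out = value.replace("\\", _LDAP_ESCAPES["\\"])
    for ch in ("*", "(", ")", "\0"):
        out = out.replace(ch, _LDAP_ESCAPES[ch])
    return out


def build_recipient_filter(recipient: str, template: str = QUERY_TEMPLATE) -> str:
    """Substitute $m with the escaped recipient address."""
    return template.replace("$m", escape_ldap_value(recipient))


# Constructed stand-in for the corporate directory (only the attributes used here).
DIRECTORY = [
    {"objectClass": "inetOrgPerson", "mail": "alice@mycompany.com"},
    {"objectClass": "inetOrgPerson", "mail": "bob@mycompany.com"},
]


def _eval_filter(ldap_filter: str, entry: dict) -> bool:
    """Toy evaluator for AND-ed '(attr=value)' terms, the only shape the template
    uses: '*' is a presence test, anything else is compared as an unescaped literal."""
    for attr, value in re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter):
        actual = entry.get(attr)
        if actual is None:
            return False
        if value == "*":
            continue
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        if actual.lower() != literal.lower():
            return False
    return True


def recipient_exists_ldap(recipient: str, escape: bool = True) -> bool:
    """escape=False shows what happens if $m were substituted verbatim."""
    flt = build_recipient_filter(recipient) if escape else QUERY_TEMPLATE.replace("$m", recipient)
    return any(_eval_filter(flt, e) for e in DIRECTORY)


def rcpt_verdict(reply: str) -> str:
    """Classify the backend's RCPT TO reply: 2xx valid, 5xx unknown (reject at the
    gateway), 4xx unverifiable (tempfail rather than accept and bounce later)."""
    m = re.match(r"([245])\d\d[ -]", reply)
    if not m:
        raise ValueError(f"unexpected SMTP reply: {reply!r}")
    return {"2": "valid", "5": "unknown", "4": "tempfail"}[m.group(1)]


def backend_verifies_recipients(reply_to_bogus_rcpt: str) -> bool:
    """The check the note asks for: a backend that answers 2xx to a made-up
    recipient accepts everything, so SMTP-based verification is useless there."""
    return rcpt_verdict(reply_to_bogus_rcpt) == "unknown"


if __name__ == "__main__":
    for rcpt in ("alice@mycompany.com", "mallory@mycompany.com", "*)(objectClass=*"):
        print(f"{rcpt!r:28} filter={build_recipient_filter(rcpt)}")
        print(f"{'':28} escaped={recipient_exists_ldap(rcpt)} "
              f"verbatim={recipient_exists_ldap(rcpt, escape=False)}")
    for reply in ("250 2.1.5 Ok", "550 5.1.1 User unknown", "451 4.3.0 Try again later"):
        print(f"{reply!r:32} -> {rcpt_verdict(reply)}")
```

The verbatim branch exists only to make the difference visible: a recipient of "*)(objectClass=*" substituted unescaped turns the filter into a presence test that matches every entry, so every probed address would be reported as existing; with escaping it matches nothing, which is the correct answer. The 4xx mapping matters for the SMTP fallback: when the backend cannot answer, the gateway should tempfail the sender rather than accept and bounce later.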
4 Protection profile settings
4.1 Session profile settings
A session profile should always be applied to traffic in both directions.
Two different profiles are defined, one for incoming traffic and one for outgoing traffic.
4.1.1 Session profile for inbound traffic
Take the recommended settings listed below into account:
• Adapt the connection rate and the number of concurrent connections to the local environment.
• Modify the maximum message size according to the company policy.
• Sender reputation is enabled: a source that accumulates failures is first throttled (score 45), then temporarily rejected (55), then rejected outright (80).
• SPF checking is enabled; DKIM and DomainKeys verification are disabled.
    set ip_profile inbound
    set ip_profile inbound connection rate 100 5
    set ip_profile inbound connection concurrent 2
    set ip_profile inbound check domain enable
    set ip_profile inbound check helo disable
    set ip_profile inbound check sender enable
    set ip_profile inbound check recipient disable
    set ip_profile inbound check stop_empty_domains enable
    set ip_profile inbound check 3_way enable
    set ip_profile inbound limit recipient 500
    set ip_profile inbound limit helo 3
    set ip_profile inbound limit email 10
    set ip_profile inbound limit message_size 10485760
    set ip_profile inbound limit header_size 32768
    set ip_profile inbound limit NOOP 10
    set ip_profile inbound limit RSET 20
    set ip_profile inbound error free 1
    set ip_profile inbound error initial_delay 4
    set ip_profile inbound error increment 4
    set ip_profile inbound error total 5
    set ip_profile inbound senderreputation status enable
    set ip_profile inbound senderreputation throttle 45
    set ip_profile inbound senderreputation throttle_number 5
    set ip_profile inbound senderreputation throttle_percent 1
    set ip_profile inbound senderreputation tempfail 55
    set ip_profile inbound senderreputation reject 80
    set ip_profile inbound sendervalidation dkim disable signing disable authenticated disable domainkey disable spf enable bypassbounceverify disable
4.1.2 Session profile for outbound traffic
It is recommended to police the outgoing traffic from the backend mail server as well.
• Starting from the standard settings listed below, adapt the connection rate and the number of concurrent connections to the network environment.
• Modify the maximum message size according to the company policy.
• Sender reputation and SPF checking are disabled, since the only source matched by this profile is the trusted backend server.
    set ip_profile outbound
    set ip_profile outbound connection rate 200 5
    set ip_profile outbound connection concurrent 10
    set ip_profile outbound check domain enable
    set ip_profile outbound check helo disable
    set ip_profile outbound check sender enable
    set ip_profile outbound check recipient enable
    set ip_profile outbound check stop_empty_domains enable
    set ip_profile outbound check open_relay disable
    set ip_profile outbound check 3_way enable
    set ip_profile outbound limit recipient 500
    set ip_profile outbound limit helo 3
    set ip_profile outbound limit email 10
    set ip_profile outbound limit message_size 10485760
    set ip_profile outbound limit header_size 32768
    set ip_profile outbound limit NOOP 10
    set ip_profile outbound limit RSET 20
    set ip_profile outbound error free 1
    set ip_profile outbound error initial_delay 4
    set ip_profile outbound error increment 4
    set ip_profile outbound error total 5
    set ip_profile outbound senderreputation status disable
    set ip_profile outbound sendervalidation dkim disable signing disable authenticated disable domainkey disable spf disable bypassbounceverify disable
4.2 Antispam profile settings
4.2.1 Antispam profile for inbound traffic
A specific antispam profile is defined to filter incoming mail and store spam in the per-user quarantine.
• A discard or reject action should be considered for the FortiGuard (fortishield) filter; the profile below rejects on a FortiGuard hit. The other antispam techniques are left on the default action, which sends the message to quarantine.
• A maximum size for scanning should be set. This helps control false positives and improves performance.
• You may consider bypassing scanning for authenticated sessions (roaming users). However, valid accounts may have been compromised by spammers, so the profile below keeps scanning them (bypass_on_auth dis).
• Note that the Forged IP check is disabled.
• Consider greylisting whenever possible. It is an effective technique but has some drawbacks (the first delivery from each new sender is delayed, and MTAs that do not retry correctly lose mail), so it is disabled in the profile below and its parameters are given separately.
    set as profile inbound modify actions discard dis reject dis summary en
    set as profile inbound modify auto-release dis webrelease en autowhitelist dis
    set as profile inbound modify scanoptions maxsize 80
    set as profile inbound modify scanoptions bypass_on_auth dis
    set as profile inbound modify scanoptions attachment_type pdf en
    set as profile inbound modify whitelist dis
    set as profile inbound modify virus en
    set as profile inbound modify forgedip dis
    set as profile inbound modify greylist dis
    set as profile inbound modify bayesian scanner dis userdb dis usertrain en autotrain en
    set as profile inbound modify deepheader scanner en checkip en headeranalysis en
    set as profile inbound modify heuristic scanner en lower-level -20.000000 upper-level 3.500000 rules-percentage 100
    set as profile inbound modify quarantine queue en days 14
    set as profile inbound modify dnsbl en
    set as profile inbound modify surbl en
    set as profile inbound modify dictionary scanner dis
    set as profile inbound modify bannedword dis
    set as profile inbound modify whitelistword dis
    set as profile inbound modify imagespam scanner en aggressive dis
    set as profile inbound modify tags header dis subject dis
    set as profile inbound modify dnsblserver sbl-xbl.spamhaus.org add
    set as profile inbound modify surblserver multi.surbl.org add
    set as profile inbound modify individualaction scanner dnsbl action default
    set as profile inbound modify individualaction scanner surbl action default
    set as profile inbound modify individualaction scanner fortishield action reject
    set as profile inbound modify individualaction scanner bayesian action default
    set as profile inbound modify individualaction scanner heuristic action default
    set as profile inbound modify individualaction scanner dictionary action default
    set as profile inbound modify individualaction scanner bannedword action default
    set as profile inbound modify individualaction scanner deepheader action default
    set as profile inbound modify individualaction scanner forgedip action default
    set as profile inbound modify individualaction scanner imagespam action default
    set as profile inbound modify individualaction scanner virus action default
If greylisting is enabled, consider the following parameters:
    set as greylist ttl 20
    set as greylist greylistperiod 1
    set as greylist initial_expiry_period 4
    set as greylist capacity 125000
• Adapt the expiry period to the environment. It may be necessary to increase this timer if too many MTAs retry too late, after the 4 hour window.
• You may want to increase the table size of greylist entries according to your hardware and the maximum value matrix:
http://kc.forticare.com/default.asp?id=3756&Lang=1&SID=
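As an added example (written for this edit, not FortiMail code), the script below implements the classic triplet greylisting the note recommends, keyed on (client IP, sender, recipient), with the four parameters above. The note does not give the units, so these are assumptions: greylistperiod in minutes (minimum wait before a retry is accepted), initial_expiry_period in hours (the retry window the note calls the "4 hours window"), ttl in days (how long a confirmed triplet stays accepted) and capacity in entries, with the oldest pending triplet evicted when the table is full. It also counts retries that arrive after the window, which is the signal the note says should make you raise the expiry period. Addresses and timestamps are constructed sample data.

```python
"""Greylisting with the parameters of section 4.2.1.

Added example, not FortiMail code.  Triplet greylisting keyed on
(client IP, sender, recipient).  Assumed units (the note gives none):
greylistperiod in minutes, initial_expiry_period in hours, ttl in days,
capacity in entries (oldest pending triplet evicted when full).
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Tuple

Triplet = Tuple[str, str, str]


@dataclass(frozen=True)
class GreylistConfig:
    ttl_days: int = 20               # set as greylist ttl 20
    greylist_period_min: int = 1     # set as greylist greylistperiod 1
    initial_expiry_hours: int = 4    # set as greylist initial_expiry_period 4
    capacity: int = 125000           # set as greylist capacity 125000


class Greylist:
    def __init__(self, cfg: GreylistConfig = GreylistConfig()) -> None:
        self.cfg = cfg
        self.pending: "OrderedDict[Triplet, float]" = OrderedDict()  # triplet -> first seen
        self.confirmed: Dict[Triplet, float] = {}                     # triplet -> expiry
        self.late_retries = 0   # retries after the window: the signal for raising initial_expiry_period

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return 'accept' or 'tempfail' for one delivery attempt at time `now` (seconds)."""
        key = (client_ip, sender.lower(), recipient.lower())
        expiry = self.confirmed.get(key)
        if expiry is not None:
            if now < expiry:
                return "accept"
            del self.confirmed[key]                       # whitelist entry aged out
        first_seen = self.pending.get(key)
        if first_seen is not None:
            age = now - first_seen
            if age >= self.cfg.initial_expiry_hours * 3600:
                self.late_retries += 1                    # retried too late: start over
                del self.pending[key]
            elif age >= self.cfg.greylist_period_min * 60:
                del self.pending[key]                     # proper MTA retry: confirm
                self.confirmed[key] = now + self.cfg.ttl_days * 86400
                return "accept"
            else:
                return "tempfail"                         # retried too early
        if len(self.pending) >= self.cfg.capacity:
            self.pending.popitem(last=False)              # evict the oldest pending triplet
        self.pending[key] = now
        return "tempfail"


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_240_000_000.0  # arbitrary epoch seconds
    for label, ip, sender, rcpt, at in [
        ("first attempt", "203.0.113.9", "x@example.net", "alice@mydomain.com", t0),
        ("retry after 30 s", "203.0.113.9", "x@example.net", "alice@mydomain.com", t0 + 30),
        ("retry after 10 min", "203.0.113.9", "x@example.net", "alice@mydomain.com", t0 + 600),
        ("next day", "203.0.113.9", "x@example.net", "alice@mydomain.com", t0 + 86400),
        ("spam cannon, no retry", "198.51.100.1", "z@example.net", "alice@mydomain.com", t0),
        ("slow MTA first try", "203.0.113.10", "y@example.net", "bob@mydomain.com", t0),
        ("slow MTA retry after 5 h", "203.0.113.10", "y@example.net", "bob@mydomain.com", t0 + 5 * 3600),
    ]:
        print(f"{label:26} -> {g.check(ip, sender, rcpt, at)}")
    print(f"late retries seen: {g.late_retries} (raise initial_expiry_period if this grows)")
```

The "slow MTA" case is the drawback the note warns about: a sender that retries only after the window has expired is treated as new and tempfailed again, and may eventually bounce the message; a rising late_retries count is the cue to increase initial_expiry_period. A spam cannon that never retries is never accepted at all, which is where the catch rate gain comes from.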
Adjust the deepheader confidence degree to 96 (95 being the default value). If needed, you can later increase the filter aggressiveness by gradually reducing the confidence degree back to 95.
    set spam deepheader confidence 96
4.2.2 Antispam profile for outbound traffic
We have seen situations where mailboxes, or the mail server itself, were compromised and spam was sent out to the Internet. This caused the company's outgoing IP address to be blacklisted by well-known DNSBL services.
To avoid such situations, an antispam profile is also applied to the outgoing traffic.
The following profile detects spam and stores it in the system quarantine for later review by the administrator.
• Adapt the maximum mail size for scanning as desired.
• Note that the IP reputation checks are disabled (FortiGuard IP, DNSBL and deep-header IP scan), since the connecting IP address is always the internal backend server.
    set out_profile profile outbound modify scanoptions attachment_type pdf en
    set out_profile profile outbound modify greylist dis
    set out_profile profile outbound modify virus en
    set out_profile profile outbound modify deepheader scanner en checkip dis headeranalysis en
    set out_profile profile outbound modify fortishield scanner en checkip dis
    set out_profile profile outbound modify heuristic scanner en lower-level -20.000000 upper-level 3.500000 rules-percentage 100
    set out_profile profile outbound modify dnsbl dis
    set out_profile profile outbound modify surbl en
    set out_profile profile outbound modify dictionary scanner dis
    set out_profile profile outbound modify bayesian dis
    set out_profile profile outbound modify bannedword dis
    set out_profile profile outbound modify whitelistword dis
    set out_profile profile outbound modify imagespam scanner dis aggressive dis
    set out_profile profile outbound modify tags header dis subject dis
    set out_profile profile outbound modify surblserver multi.surbl.org add
    set out_profile profile outbound modify individualaction scanner dnsbl action default
    set out_profile profile outbound modify individualaction scanner surbl action default
    set out_profile profile outbound modify individualaction scanner fortishield action default
    set out_profile profile outbound modify individualaction scanner bayesian action default
    set out_profile profile outbound modify individualaction scanner heuristic action default
    set out_profile profile outbound modify individualaction scanner dictionary action default
    set out_profile profile outbound modify individualaction scanner bannedword action default
    set out_profile profile outbound modify individualaction scanner deepheader action default
    set out_profile profile outbound modify individualaction scanner imagespam action default
    set out_profile profile outbound modify individualaction scanner virus action default
4.3 Antivirus profile
Create an antivirus profile and enable virus detection by signature:
    set av antivirus modify scanner en
5 Policies
5.1 IP based policies
Two IP policies should be set:
• A default policy to enforce the inbound session profile for all incoming traffic.
• A second, more specific policy to identify outgoing traffic from the backend mail server and apply the dedicated outbound session profile and the outbound antispam profile.
Rules are ordered so that the more specific rules are listed at the top; if the 0.0.0.0/0 policy came first, the backend server's traffic would be handled as untrusted inbound traffic.
    set ip_policy 0
    set ip_policy 0 match 192.168.2.100/32
    set ip_policy 0 action SCAN
    set ip_policy 0 ip outbound
    set ip_policy 0 as outbound
    set ip_policy 1
    set ip_policy 1 match 0.0.0.0/0
    set ip_policy 1 action SCAN
    set ip_policy 1 ip inbound
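The ordered, first-match evaluation that both the access rules of section 2.2 and the IP policies above rely on is easy to get wrong when rules are added later. The following added example (written for this edit, not FortiMail code) re-implements that decision logic for the rules and policies in this note so their effect can be checked offline: which sessions are relayed or rejected, and which profiles a given source gets. Field names follow the CLI; the matching semantics (glob sender patterns, CIDR client masks, authenticated yes/no taken literally, explicit rules evaluated before the implicit accept entry that section 3.1 creates, first match wins) are assumptions of the example, and the sample sessions are constructed.

```python
"""Ordered, first-match evaluation of SMTP access rules and IP policies.

Added example, not FortiMail code: re-implements the decision logic implied by
the access rules of section 2.2 and the IP policies of section 5.1 so that the
effect of rule ordering can be checked offline.  Matching semantics (glob
sender patterns, CIDR masks, first match wins, explicit rules before the
implicit domain entry) are assumptions of this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    sender_pattern: str
    ip_mask: str
    authenticated: str  # "yes" or "no", as in the CLI
    action: str         # "RELAY" or "REJECT"

    def matches(self, sender: str, client_ip: str, authed: bool) -> bool:
        if not fnmatchcase(sender.lower(), self.sender_pattern.lower()):
            return False
        if ip_address(client_ip) not in ip_network(self.ip_mask, strict=False):
            return False
        return (self.authenticated == "yes") == authed


# Access rules from sections 2.2.2 and 2.2.3, in the order the note defines them.
ACCESS_RULES = [
    AccessRule("*", "192.168.2.100/32", "no", "RELAY"),         # rule 0: backend server
    AccessRule("*@mydomain.com", "0.0.0.0/0", "yes", "RELAY"),  # rule 1: authenticated roaming user
    AccessRule("*@mydomain.com", "0.0.0.0/0", "no", "REJECT"),  # rule 2: unauthenticated internal sender
]
# Section 3.1 creates an implicit accept entry for each protected domain.
PROTECTED_DOMAINS = {"mydomain.com"}


def relay_decision(sender: str, recipient: str, client_ip: str, authed: bool) -> str:
    """RELAY or REJECT for one envelope.  Anything matched by neither an explicit
    rule nor a protected domain is REJECTed, so the gateway is not an open relay."""
    for rule in ACCESS_RULES:
        if rule.matches(sender, client_ip, authed):
            return rule.action
    if recipient.rsplit("@", 1)[-1].lower() in PROTECTED_DOMAINS:
        return "RELAY"
    return "REJECT"


@dataclass(frozen=True)
class IpPolicy:
    match: str
    session_profile: str
    antispam_profile: Optional[str]


# IP policies from section 5.1: most specific first.
IP_POLICIES = [
    IpPolicy("192.168.2.100/32", "outbound", "outbound"),  # policy 0: backend server
    IpPolicy("0.0.0.0/0", "inbound", None),                # policy 1: everything else
]


def select_profiles(client_ip: str, policies: List[IpPolicy] = IP_POLICIES) -> Tuple[str, Optional[str]]:
    """The first matching IP policy decides which session and antispam profiles apply."""
    addr = ip_address(client_ip)
    for pol in policies:
        if addr in ip_network(pol.match, strict=False):
            return pol.session_profile, pol.antispam_profile
    raise LookupError("no IP policy matched")  # cannot happen while a 0.0.0.0/0 policy exists


if __name__ == "__main__":
    # Constructed sample sessions: (sender, recipient, client IP, SMTP AUTH succeeded?)
    samples = [
        ("joe@mydomain.com", "x@example.net", "192.168.2.100", False),    # backend relaying outbound
        ("joe@mydomain.com", "x@example.net", "203.0.113.7", True),       # roaming user, authenticated
        ("joe@mydomain.com", "x@example.net", "203.0.113.7", False),      # spoofed internal sender
        ("bob@example.net", "alice@mydomain.com", "203.0.113.7", False),  # normal inbound mail
        ("bob@example.net", "carol@other.org", "203.0.113.7", False),     # relay attempt
    ]
    for s in samples:
        print(f"{s[2]:>14} {s[0]:>18} -> {s[1]:<20} auth={s[3]!s:<5} "
              f"{relay_decision(*s):6} profiles={select_profiles(s[2])}")
    # Ordering matters: with the catch-all policy first the backend server is
    # treated as an untrusted inbound source.
    print("reversed policies:", select_profiles("192.168.2.100", list(reversed(IP_POLICIES))))
```

Running it prints one line per sample session; the last line shows the misclassification that a wrongly ordered policy list produces, which is why the note insists that the more specific rules are listed at the top.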
5.2 Recipient based policies
Traffic destined to the internal domain is filtered through the antispam and antivirus profiles by the following recipient-based policy:
    set policy mydomain.com modify user * modify groupmode user as inbound av antivirus content content_def
5.3 Authentication policies (Webmail & SMTP)
Users access their web-based quarantine using LDAP authentication. SMTP authentication against the backend server is the alternative if LDAP is not available.
If roaming users can send mail from the Internet using FortiMail as their outgoing SMTP server, these sessions must be authenticated so that spammers cannot relay mail by spoofing internal sender addresses (see section 2.2.3 for the matching access rules). The LDAP server processes this authentication, or the backend SMTP server if LDAP is not available.
    set spam retrieval policy mydomain.com user *@mydomain.com auth LDAP ldap_server senddomain enable allowaccess http smtpauth