
FortiMail 11 Transparent Mode


Page 1: FortiMail 11 Transparent Mode

Course 221 - FortiMail Email Filtering Transparent Mode

06-50000-0221-20130726 1

Slide 1

© 2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

Transparent Mode, Module 11

Slide 2: Transparent Mode

• Transparent relay
• FortiMail is inline, in front of the mail servers or mail relays
• FortiMail is not the SMTP end point
• FortiMail transparently intercepts and scans SMTP sessions based on the destination IP address

[Diagram: mail flow between the Internet and the MTAs; the FortiMail unit intercepts and scans sessions destined to the backend servers.]


Slide 3: Transparent Mode Advantages

• IP layer transparency
  » FortiMail unit acts as a bridge for SMTP and non SMTP traffic
  » The IP address scheme does not require any change
• SMTP layer transparency
  » No changes required to existing MX records and MUA/MTA configurations
  » The FortiMail unit’s presence can be hidden

Slide 4: Network Interfaces - Bridge Mode

• When configured in bridge mode the network interfaces operate as an L2 forwarding bridge
• The FortiMail unit can be reached through the management IP address statically assigned to the port1 interface
• Port1 interface cannot be changed to route mode


Slide 5: Network Interfaces - Route Mode

• Configured in route mode the network interface is not part of the bridge anymore
• CLI syntax to remove the interface from the bridge is:

    config system interface
    (interface)# edit port2
    (port2)# set bridge-member disable
    (port2)# set ip 192.168.2.100 255.255.255.0
    (port2)# set allowaccess ping
    (port2)# next

Slide 6: Transparent Mode

[Diagram: mail flow between the Internet and the MTAs through the FortiMail unit. SMTP sessions are proxied and bridged; non SMTP traffic is bridged (ARP requests, etc.). The management IP address is in the same subnet as the MTAs. Labels: FortiMail default route and MTA default route.]


Slide 7: Transparent Mode – Hybrid Example 1

• Mail flow is bridged by the FortiMail unit
• A third interface is in route mode

[Diagram: internal interface and external interface in bridge mode carry the mail flow between the Internet and the MTAs; a third interface in route mode for OOB management reaches the management platforms. Labels: FortiMail default route; FortiMail static route to the management platforms.]

Slide 8: Transparent Mode – Hybrid Example 2

[Diagram: one-arm attachment of the FortiMail on a route mode interface (2nd interface for OOB management). Policy-based routing sends SMTP traffic to the FortiMail; the mail flow between the Internet, the MTAs and the mail user agents on the internal network would not be sent to the FortiMail without policy-based routing. Destination IP = MTAs addresses.]


Slide 9: Transparent Mode Directions

• In transparent mode the recipient domain address does not determine the direction
• At the network connectivity level the destination IP address determines whether a session is incoming or outgoing:
  » An SMTP session is considered incoming if the destination IP address matches an SMTP server configured in the protected domain list
  » An SMTP session is considered outgoing if the destination IP address does not match any SMTP server configured on the FortiMail unit

Slide 10: Transparency Settings

• By default, the transparent mode unit does not hide its presence in the mail flow
• The management IP address (if in bridge mode) or the interface IP address (if in route mode) will be used to establish a new session to the destination MTA
• To hide the transparent unit you can use one of the following options depending on the direction of the email:
  » Incoming emails: Enable the option “Hide the transparent box” (System > Domain)
  » Outgoing emails: Enable the option “Hide this box from the mail server” (Session profile > Connection Settings)
  » In both cases, the TP unit will reuse the sender IP address to establish the new session


Slide 11: Built-in MTA

• A transparent mode FortiMail unit can route a message to its destination by using its built-in MTA or by proxying it
• When the built-in MTA is used the following actions are taken:
  » The email is intercepted
  » DNS MX and A resolution are performed on the recipient domain
  » The email is delivered

Slide 12: Transparent Proxy

• If the transparent proxy is enabled, the FortiMail unit performs the following actions:
  » The email is intercepted
  » The email is simply forwarded to destination
  » No queuing of messages in case of delivery failure
• Transparent proxy can be enabled depending on the direction of the mail flow in the following ways:
  » Incoming: Select the option “Use this domain’s SMTP to deliver the email” (Mail Settings > Domains)
  » Outgoing: Select the option “Use client specified SMTP server to send email” (Mail Settings > Settings)


Slide 13: Mail Traffic Inspection

• To perform inspection on specific mail flows the administrator has to enable proxy inspection on the physical interfaces

Slide 14: Transparent Mode SMTP Pass Through

[Diagram: server.internal.lab (IP 10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (IP 10.0.2.100, domain external.lab)]

Mail From: [email protected] To: [email protected]
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)
Transparent unit (tp.smarthost.lab) configured to pass through incoming and outgoing SMTP connections. The session from 10.0.1.100 to 10.0.3.100 is bridged.
MX record for external.lab: server.external.lab (10.0.2.100)


Slide 15: Transparent Mode Incoming SMTP MTA Routing

[Diagram: same lab topology as slide 14: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)]

Mail From: [email protected] To: [email protected]
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)
Domain smarthost.lab defined with IP 10.0.3.100. The transparent mode unit intercepts the email and triggers its internal MTA to route the email to destination.
MX record for domain external.lab: server.external.lab (10.0.2.100)

Slide 16: Transparent Mode Incoming SMTP Proxy

[Diagram: same lab topology as slide 14: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)]

Mail From: [email protected] To: [email protected]
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)
Domain smarthost.lab defined with IP 10.0.3.100. The transparent mode unit intercepts the email and forwards it to 10.0.3.100 (as indicated in the protected domain section). A new session is initiated from the TP unit with source IP of 10.0.3.201 to 10.0.3.100.
The Gateway FortiMail unit receives the email. MX lookup is performed to route the email to destination. MX record for domain external.lab: server.external.lab (10.0.2.100)


Slide 17: Transparent Mode Outgoing SMTP MTA

[Diagram: same lab topology as slide 14: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)]

Mail From: [email protected] To: [email protected]
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)
No protected domain configured on the Transparent FortiMail unit. All traffic is considered OUTGOING. Port1 configured to proxy outgoing SMTP connections. The Transparent mode unit intercepts the email and triggers its internal MTA to route the email to destination.
MX record for domain external.lab: server.external.lab (10.0.2.100)

Slide 18: Transparent Mode Outgoing SMTP Proxy

[Diagram: same lab topology as slide 14: server.internal.lab (10.0.1.100, domain internal.lab) - Port1 - tp.smarthost.lab (10.0.3.201) - Port2 - gw.smarthost.lab (10.0.3.100) - server.external.lab (10.0.2.100, domain external.lab)]

Mail From: [email protected] To: [email protected]
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)
No protected domain configured on the Transparent unit. All traffic is considered outgoing. Port1 configured to proxy outgoing SMTP connections. The transparent mode unit intercepts the email and forwards it to 10.0.3.100 (as indicated by the client). A new session is initiated from the TP unit with source IP of 10.0.3.201.
The Gateway unit receives the email. MX lookup is performed to route the email to destination. MX record for domain external.lab: server.external.lab (10.0.2.100)
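As an added example (not Fortinet code or configuration), this Python model applies the direction rule of slide 9, the transparency options of slide 10 and the built-in MTA versus transparent proxy choice of slides 11 and 12 to the lab addresses of slides 14 to 18, and also exercises the hide options, which the lab slides leave at their defaults. It assumes the interface in slides 15 and 16 is set to proxy incoming sessions (as slide 13 requires) and that the `mx` table holds the MX results the transparent unit itself resolves.

```python
from dataclasses import dataclass, field

# Lab addresses from the course slides; MX holds the result the transparent unit itself resolves.
TP_IP, GW_IP = "10.0.3.201", "10.0.3.100"                # tp.smarthost.lab, gw.smarthost.lab
INTERNAL_MTA, EXTERNAL_MTA = "10.0.1.100", "10.0.2.100"  # server.internal.lab, server.external.lab
MX = {"external.lab": EXTERNAL_MTA}

@dataclass
class TransparentUnit:
    own_ip: str                                    # management or interface IP (slide 10)
    protected: dict = field(default_factory=dict)  # protected domain -> its SMTP server IP
    proxy_incoming: bool = False                   # interface inspects incoming sessions (slide 13)
    proxy_outgoing: bool = False                   # interface inspects outgoing sessions
    hide_incoming: bool = False                    # "Hide the transparent box" (System > Domain)
    hide_outgoing: bool = False                    # "Hide this box from the mail server"
    tproxy_incoming: bool = False                  # "Use this domain's SMTP to deliver the email"
    tproxy_outgoing: bool = False                  # "Use client specified SMTP server to send email"

    def direction(self, dst_ip):
        # The destination IP decides the direction, never the recipient domain (slide 9).
        return "incoming" if dst_ip in self.protected.values() else "outgoing"

    def handle(self, src_ip, dst_ip, rcpt_domain, mx=MX):
        d = self.direction(dst_ip)
        inc = d == "incoming"
        if not (self.proxy_incoming if inc else self.proxy_outgoing):
            # No inspection for this direction: the session is bridged untouched (slide 14).
            return {"direction": d, "action": "bridged", "next_hop": dst_ip, "src": src_ip}
        # Inspected session: the unit opens a new session; the hide option keeps the sender IP.
        src = src_ip if (self.hide_incoming if inc else self.hide_outgoing) else self.own_ip
        if (self.tproxy_incoming if inc else self.tproxy_outgoing):
            # Transparent proxy: forward to the original destination, nothing is queued (slide 12).
            return {"direction": d, "action": "proxy", "next_hop": dst_ip, "src": src, "queued": False}
        # Built-in MTA: resolve the recipient domain's MX and deliver there (slide 11).
        return {"direction": d, "action": "mta", "next_hop": mx[rcpt_domain], "src": src, "queued": True}


def lab_scenarios():
    """Slides 14 to 18: a message from internal.lab to external.lab, session 10.0.1.100 -> 10.0.3.100."""
    msg = (INTERNAL_MTA, GW_IP, "external.lab")
    prot = {"smarthost.lab": GW_IP}                # protected domain defined with IP 10.0.3.100
    units = {
        "pass_through": TransparentUnit(TP_IP),
        "incoming_mta": TransparentUnit(TP_IP, prot, proxy_incoming=True),
        "incoming_proxy": TransparentUnit(TP_IP, prot, proxy_incoming=True, tproxy_incoming=True),
        "outgoing_mta": TransparentUnit(TP_IP, proxy_outgoing=True),
        "outgoing_proxy": TransparentUnit(TP_IP, proxy_outgoing=True, tproxy_outgoing=True),
    }
    return {name: unit.handle(*msg) for name, unit in units.items()}
```

Note that in the two MTA scenarios the transparent unit delivers straight to 10.0.2.100 and the gateway at 10.0.3.100 never sees the message, whereas in the two proxy scenarios the new session still targets 10.0.3.100 but now carries the unit's own source IP unless the hide option is set.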