FortiMail - Systems Settings and Administrative Options

Select the Operation Mode

The default operation mode is gateway mode – the other modes are server and transparent mode. Changing the operation mode requires a reboot as the operation mode changes how the entire appliance works.
The operation mode that you are planning to run your FortiMail appliance in should be decided ahead of the initial deployment, as the operation mode is chosen during the initial setup. This can be changed from the Dashboard later on, but will require a reconfiguration of the appliance for it to work afterwards.

 
 In email operation having correct time is imperative for correct operation. Timestamps are used for logging but are also placed in mail headers for messages sent on to other MTA’s. As a best practice you should configure your FortiMail appliance to use an NTP server.

 
 

Domain Name

  • By default the system hostname is the device’s serial number. This name shows up in mail headers so should be changed.
  • The Host name + the Local domain name = the fully qualified domain name (FQDN).
  • This FQDN should be globally resolvable, especially if a FortiMail is an outbound MTA with a DNS address (A) and pointer (PTR) record.
  • Functions such as email quarantine won’t work unless the FQDN can be resolved correctly in both directions (A and PTR records)
 

 Network Settings

  • Typically, in Gateway and Server modes only one interface is active.
    • However as a security best practice, it makes sense to have two interfaces:
      • One for services such as web mail and mail transport
      • One dedicated for management

  • In Transparent mode more than one interface is active, as the FortiMail is physically in the network path.
  • The default IP of a FortiMail is 192.168.1.99/24, this should be changed as it’s the same default IP that all Fortinet devices use.
  • FortiMail supports the use of IPv4 and IPv6 IP addresses
  • There are no routes in the routing table by default, so static routes need to be set to allow traffic to flow.

  • By default, DNS is set to the FortiGuard DNS servers. DNS is key for mail routing and for FortiGuard connectivity, as such it is critical to get right.

Administrative Accounts

  • You can configure local and remote authentication for administrator accounts. The remote authentication methods that are supported are LDAP, RADIUS, PKI and SSO.
  • FortiMail is configured by default with an “admin” user with an empty password field. As part of the setup process you have to configure a password for this admin user in order to progress the setup.
  • You can configure remote authentication for the FortiMail administrators, however this requires the setup of an additional profile (LDAP, RADIUS, PKI or SSO)
  • You can restrict where administrators can log in from by using the “Trusted hosts” field. It is a best practice to configure this field to limit your attack surface.
  • You can set the access profile and domain to restrict administrators to certain sections of the GUI or to specific domains.

You can define different levels for administrator account permissions

  • You must associate each administrator user account with an admin profile which determines what each administrator can access.
  • The default profile is super_admin_prof which has access to everything. This is assigned to the default user account and cannot be deleted.
  • You can copy the in-built accounts and modify these copies to achieve the desired administrative restrictions.
  • These configurations apply to both GUI and CLI access for administrators.

Enforcing Password Policies

You can and should enforce complex passwords within the FortiMail system.

  • These apply to administrators, webmail users, and identity-based encryption (IBE) users
  • As a best practice you should modify the default value of 45 mins for the idle timeout to best suit your environment.
  • You can enable a login disclaimer for admin, webmail or IBE
  • From these menus you can modify default service ports for HTTP, HTTPS, SSH and TELNET
  • Configurations applied here apply to both the GUI and CLI

Microsoft 365 Threat Remediation

Within FortiMail there is a Microsoft 365 GUI view which becomes available once you license this feature

 
 
Within the Microsoft 365 settings you have two options - Real-time scanning and Scheduled scanning 

Real Time Scanning

  • This allows for Real-time scanning
  • A calid CA signed certificate and FortiMail device reachavility by hostname is required for this feature 
  • Email is scanned immediately on arrival in the users mailbox

Scheduled Scanning

  • On demand: Scans emails post delivery when triggered by an administrator or schedule (useful for proof of concept)
 
Profiles
  • Are like recipient policy
  • Apply security profiles to email flows




 


 

 

 

 

 

Comments

Post a Comment

Popular posts from this blog

NSE8 Lab Study Resources - Narbik CCIE R&S v5.1 Foundations

Image
 Hey All, I have been working on putting together some scenarios for lab practice and I've found myself falling back on some of the study materials I used when preparing for the CCIE EI (yet to obtain, on the list after the NSE8). A legendary trainer in this area is Narbik Kocharians CCIE 12410 who is the president of Micronics Networking and Training - his CCIE prep courses and text books are considered almost required reading for any serious candidate for this certification. His text books work through hands on labs that are focused on specific topics to help cement the theory of the different topics in the exam.  His textbook CCIE Routing and Switching 5.1 Foundations: Bridging the Gap between CCNP and CCIE is well aimed at the skill level required of the NSE8 and fortunately there is actually quite a bit of overlap in its 1100 pages. The chapters within the textbook are: 1. Physical Topology 2. Physical and Logical Topologies 3. Spanning Tree Protocol 4. Point-to-Point Protocol
Read more

Journey to the NSE8 - Change in tactic

 I've previously been studying the Secure Wireless LAN content in order to pass the final exam required for my NSE6 (on the way to the NSE8). Going over the material again at the moment I'm noticing that my study sessions are becoming a bit of a blur and I'm not absorbing the content as well as I should be, and I can see this track of study becoming like quicksand if I don't give myself a break from it. The NSE6 fortunately covers a lot of technologies, including FortiAuthenticator and FortiADC which are both heavily featured on the NSE8 blueprint. So from here Im going to review the training for the FortiADC and have a crack at that exam to finish off my NSE6
Read more

Specifying a domain name suffix for DHCP clients on a FortiGate (FortiOS)

Image
Domain Name Suffix You can specify a domain name suffix in a DHCP address pool on the FortiGate DHCP server . With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For example a client can type in https://fortimanager in their web browser to access your fortimanager instance, instead of the FQDN of https://fortimanager.domain.local In FortiOS (current as of December 2022) this is configured via the CLI.   Configuration config system dhcp server     edit <#>          set domain <domain suffix>   In a full context this would be config system dhcp server     edit 1          set domain "lab.example.com"          set default-gateway 192.168.1.1          set netmask 255.255.255.0          set interface "port1"          config ip-range               edit 1                    set start-ip 192.168.1.100                    set end-ip 192.168.1.200               next         
Read more