jcm05
New Member
November 20, 2016
Question

Help with routing external spam filter to internal email server.

  • November 20, 2016
  • 2 replies
  • 7725 views

I'm currently setting up a 300D and having issues setting up a route for our mail. Our current firewall only accepts email from a specific IP address range (for example 64.235.144.x - 64.235.159.x) over port 25 to our internal mail server 192.168.12.12. I thought the first thing I needed to do was set up a VIP. I go in and add the IP range of the firewall external IP to the mail server internal IP, port 25. Then create an address group with the range of addresses I will accept. Next create a rule saying incoming (external port), outgoing (internal port), source (address group created), destination (VIP group set up), service Exchange. I hope this makes sense; I really could use some help with this.

    2 replies

    MikePruett
    New Member
    November 20, 2016

    Your VIP should map an external address to an internal address, or a port (on the FortiGate's WAN IP) to the internal address and port accordingly.

    From there you use your policy to restrict who can hit it. Do you have a sanitized screenshot of the rule you created and the VIPs?

    jcm05
    jcm05Author
    New Member
    November 21, 2016

    Below is a pic of the rule I created for spam service only email. Created a VIP of the external IP to the internal address over port 25. Then created an address group with the range of IPs to accept mail from. Then created a rule to accept mail only from that source.

    MikePruett
    New Member
    November 21, 2016

    What do the logs show for the traffic trying to hit it? Is it getting denied, an IP conn error, etc.?

    slarabee
    New Member
    November 21, 2016

    I am not familiar with the 300D, but I just set up the same setup for my client on a 100A.

    Spam Filter Service -> Through Firewall -> Internal Email Server.

    In my configuration only the spam filtering servers come through on port 25.

    So I created a VIP address mapping the outside IP of my mail server to the inside IP of my mail server.

    Then I created addresses for the spam filter service's servers individually. Then added all the spam servers' addresses to a new address group "Spam Filter Servers".

    Then create a new firewall policy WAN -> Internal:

      • Source Interface/Zone: WAN#
      • Source Address Name: the spam filter address group you created
      • Destination Interface/Zone: Internal
      • Destination Address Name: the VIP you created for your email server
      • Schedule: Always (unless you have a schedule)
      • Service: the port your email service is coming in on, SMTP 25
      • Action: Accept

    Also enable NAT on the policy.

    One tip: I found that the FortiGate was passing the inside IP of the firewall onto the email rather than the source IP, so if you are using connection control on your email server you will need to add the inside address of the firewall to the connection control's list of IP addresses.

    I hope this helps,

    Sean
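The VIP, address group and WAN-to-Internal policy described in the thread, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the interface names `wan1` and `internal`, the public mail IP 203.0.113.10 and the object names are assumptions, while the sender range and the internal server 192.168.12.12 are the ones from the question.

```fortios
# Assumed external (public MX) address 203.0.113.10 forwarded to the internal mail server on TCP/25 only
config firewall vip
    edit "VIP-Mail-SMTP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.12.12"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
end

# Sender range from the question (64.235.144.0 - 64.235.159.255); add one object per spam-filter range
config firewall address
    edit "SpamFilter-Range-1"
        set type iprange
        set start-ip 64.235.144.0
        set end-ip 64.235.159.255
    next
end

config firewall addrgrp
    edit "Spam Filter Servers"
        set member "SpamFilter-Range-1"
    next
end

# Inbound policy: only the spam-filter group may reach the VIP, and only on SMTP
config firewall policy
    edit 0
        set name "SMTP-from-SpamFilter"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Spam Filter Servers"
        set dstaddr "VIP-Mail-SMTP"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic all
        # nat disable: the mail server then sees the spam filter's real source IP;
        # with "set nat enable" it sees the firewall's inside address instead (Sean's tip above)
        set nat disable
    next
end
```

With `set logtraffic all` the denied and accepted sessions for this policy appear in the forward traffic log, which is the quickest way to answer the "what do the logs show" question in the thread.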