FortiGate
Article Id 194525

Description

The way the FortiGate adds SMTP mail Replacement Messages, and how they are displayed by the email client software, depends on the following factors:

- Whether the SMTP 'splice' (also known as 'streaming') feature is enabled or disabled.
- Whether the email is being sent or received by an email client.
- The type of email client software used.


Note.

In FortiOS v2.80MR7 (build 318) to MR9 (build 393), SMTP splice/streaming is automatically enabled (and cannot be disabled) when Anti-Virus scanning is enabled.

In FortiOS 2.8 MR10 (build 456), this feature can be disabled through the CLI using the config firewall profile command options. For details, see the FortiGate Command Line Reference Guide.

Example Network Diagram.


In the diagram below, the internal email client sends the outgoing email to the corporate SMTP server on the DMZ.

The SMTP server then transfers it to the destination SMTP server on the Internet.

Incoming email is delivered to the corporate SMTP server on the DMZ.

The email client retrieves the email via POP3, IMAP or MAPI protocol.

FortiGate Firewall Policies are applied to SMTP traffic from Internal -> DMZ and from External -> DMZ, with an anti-virus and file blocking Protection Profile.

Additional Firewall Policies are required to allow internal clients to retrieve their incoming email, and to allow the corporate SMTP server to transmit email to external SMTP servers.

The following explanations only concern the traffic flows shown by the colored lines in the diagram, and not any additional firewall protection policies.

SMTP 'splice' enabled.


Internal email client sends a blocked/virus infected email.

The FortiGate unit aborts the SMTP communication and returns a 554 SMTP error message to the client, including the Replacement Message with the 554 code.

The client views this as a communication error, and the Replacement Message may only be viewable in the client email software’s error log/window. The destination email client never receives the email or any notification.

External SMTP server is sending a blocked/virus infected email.


The FortiGate unit aborts the SMTP communication and returns a 554 SMTP error message to the sending server. The 554 SMTP error message includes the Replacement Message as additional information.

The sending SMTP server then sends a non-delivery report (NDR) email back to the original sender, stating that the email could not be delivered and giving the reason(s).

The reason should include the 554 error code and the FortiGate Replacement Message.

The way this NDR email is formatted depends on the remote SMTP server’s configuration. The Replacement Message may be included as an attachment instead of within the body of the email.

The original email attachment(s) may also be ‘bounced’ back to the sender in this NDR email.


SMTP 'splice' disabled.


Internal email client sends a blocked/virus infected email.


The FortiGate delivers the email to the corporate DMZ SMTP server, but removes the blocked/infected attachment.

It includes the Replacement Message within the body of the email, and this 'modified' email is then transmitted to the remote external SMTP server.

The email client on the receiving side receives an email without the infected/blocked attachment, and with a Replacement Message included inline within the body of the email.

The internal sender is not aware that this modification has occurred to the original email; only the external receiver sees the modification.

External SMTP server is sending a blocked/virus infected email.


The FortiGate unit delivers the email to the DMZ server, but removes the blocked/infected attachments and includes the Replacement Message within the body of the email.

The external sender is not aware that this modification has occurred to the original email; only the internal receiver sees the modification.

The internal receiver then retrieves this 'modified' email via POP, IMAP or MAPI.
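
The two behaviours described above (splice enabled: abort with a 554 reply carrying the Replacement Message; splice disabled: strip the blocked attachment and insert the Replacement Message inline), modelled as an added Python example that is not Fortinet code. The blocked-extension list, the Replacement Message text and the sample message are constructed placeholders.

```python
from email.message import EmailMessage

# Constructed placeholders standing in for the profile's file-block list and
# the configured Replacement Message text (not real FortiGate defaults).
BLOCKED_EXTENSIONS = {".exe", ".scr"}
REPLACEMENT_MESSAGE = "Attachment removed by the FortiGate unit (constructed placeholder)."

def sample_mail() -> EmailMessage:
    """Constructed sample: a text body plus one blocked and one allowed attachment."""
    m = EmailMessage()
    m["From"] = "user@internal.example"
    m["To"] = "peer@external.example"
    m["Subject"] = "report"
    m.set_content("Hello, see attached.")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="setup.exe")
    m.add_attachment(b"meeting notes", maintype="text", subtype="plain", filename="notes.txt")
    return m

def is_blocked(part) -> bool:
    """File-blocking check by attachment name, a stand-in for the AV/file-block profile."""
    name = (part.get_filename() or "").lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)

def splice_enabled(msg: EmailMessage):
    """Splice on: the session is aborted and only the 554 reply carries the
    Replacement Message; nothing is delivered. Returns (reply, delivered)."""
    if any(is_blocked(p) for p in msg.iter_attachments()):
        return (554, REPLACEMENT_MESSAGE), None
    return (250, "OK"), msg

def splice_disabled(msg: EmailMessage):
    """Splice off: blocked parts are stripped, the Replacement Message is
    appended inline to the body, and the modified mail is accepted."""
    if not any(is_blocked(p) for p in msg.iter_attachments()):
        return (250, "OK"), msg
    clean = EmailMessage()
    for h in ("From", "To", "Subject"):
        if h in msg:
            clean[h] = msg[h]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    clean.set_content(text.rstrip("\n") + "\n\n" + REPLACEMENT_MESSAGE + "\n")
    for p in msg.iter_attachments():
        if not is_blocked(p):   # allowed attachments are carried over unchanged
            clean.add_attachment(p.get_payload(decode=True),
                                 maintype=p.get_content_maintype(),
                                 subtype=p.get_content_subtype(),
                                 filename=p.get_filename())
    return (250, "OK"), clean
```

In splice mode only the sending side ever sees the reply text, which is why the page notes it may surface only in the client's error log; in non-splice mode the receiver sees the inline text and the sender sees nothing.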


Attachments and email client software.


Different email clients display attachments differently, for example:

- Email clients such as Outlook display the attachment only as an attachment.
- Email clients such as PocoMail display the attachment both as an attachment and inline with the email body.
- Email clients such as Outlook Express display the attachment inline with the body, but not as an attachment.
