FortiMail
oholecek_FTNT
Article Id 190624

Description

 

In the context of email message delivery, 'relaying' refers to sending an email message to a destination that is not 'local' (Gmail, Yahoo, another company, etc.). This article describes two ways to allow relaying on a FortiMail unit.

By default, the FortiMail unit does not accept email for any domain other than those configured locally (see the 'Mail Settings -> Domains' menu). Otherwise, spam senders could abuse this functionality to send unsolicited email without the approval of the FortiMail unit owner.

Scope

 

FortiMail.


Solution

 
Companies frequently need to allow their internal users to send email to any remote server.
 
There are two ways to achieve this on a FortiMail system:
 
  1. Create an Access Control policy to specify the IP address and/or email addresses that are allowed to relay emails.
  2. Allow relaying from authenticated users.
 
Solution 1: Create an Access Control policy.
 
In the web admin GUI, navigate to the Policy -> Access control menu, create a new 'Receiving Policy' and modify the following fields:
  • Sender pattern: Internal.
  • Recipient pattern: External.
  • Sender IP/netmask: User defined: IP range of the internal network.
  • Action: RELAY.
 
 


 

With this policy in place, the FortiMail unit will accept and forward all email messages sent by users from the specified internal network (10.0.0.0/8 in this example), provided the email sender belongs to the locally configured domain.
 
Solution 2: Allow relaying from authenticated users.
 
When an authentication profile is created and used in the Policies -> Policies -> IP Policies or Policies -> Policies -> Recipient Policies menu, all users who can successfully authenticate will be able to send any email message. For authentication to work properly, there must be a backend server in the internal network that can verify the provided usernames and passwords. In this simple example, SMTP authentication is used.

To create an authentication profile verified by the internal SMTP server, navigate to the Profile -> Authentication menu in the web admin GUI and enter the new profile as follows:

  • Profile name: choose the name of the new profile.
  • Server name/IP: fill in the IP address of your internal SMTP server that supports SMTP authentication.


 

 

Then, apply this profile in the Policies -> Policies -> IP Policies or Policies -> Policies -> Recipient Policies menu, and enable the 'Use for SMTP authentication' checkbox.

 

From now on, every user whose credentials are verified by the internal SMTP server can send any email.
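
The relay decision that results from the two solutions above can be sketched as a simplified model. This is an added example, not FortiMail code: the domain example.com, the function and field names, and the sample addresses are assumptions, and only the 10.0.0.0/8 range comes from the article.

```python
import ipaddress
from fnmatch import fnmatch

# Assumed locally configured domain (Mail Settings -> Domains).
LOCAL_DOMAINS = {"example.com"}

# Constructed stand-in for the Solution 1 receiving policy.
RELAY_POLICY = {
    "sender_pattern": "*@example.com",                  # Sender pattern: Internal
    "sender_net": ipaddress.ip_network("10.0.0.0/8"),   # Sender IP/netmask
    "action": "RELAY",                                  # Action
}

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def decide(client_ip, mail_from, rcpt_to, authenticated=False):
    """Return 'ACCEPT' (local delivery), 'RELAY' or 'REJECT'."""
    # Default behaviour: mail for a locally configured domain is accepted.
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "ACCEPT"
    # Solution 2: an authenticated user may send to any recipient.
    if authenticated:
        return "RELAY"
    # Solution 1: sender pattern AND source network must both match.
    # MAIL FROM is supplied by the client, so the source network is the
    # condition that actually limits who can use this policy.
    sender_ok = fnmatch(mail_from.lower(), RELAY_POLICY["sender_pattern"])
    ip_ok = ipaddress.ip_address(client_ip) in RELAY_POLICY["sender_net"]
    if sender_ok and ip_ok:
        return RELAY_POLICY["action"]
    # Everything else would be an open relay, so it is refused.
    return "REJECT"

# Constructed sample sessions: (client IP, MAIL FROM, RCPT TO, authenticated)
SAMPLES = [
    ("10.1.2.3", "alice@example.com", "bob@example.net", False),
    ("203.0.113.5", "alice@example.com", "bob@example.net", False),
    ("10.1.2.3", "mallory@other.test", "bob@example.net", False),
    ("203.0.113.5", "alice@example.com", "bob@example.net", True),
    ("203.0.113.5", "carol@other.test", "alice@example.com", False),
]

def evaluate_samples():
    """Return the decision for each constructed sample session."""
    return [decide(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, evaluate_samples()):
        print(sample, "->", verdict)
```

The second sample shows why the sender IP/netmask field should stay as narrow as the real internal range: a forged internal sender address from an outside IP is refused only because the source network does not match.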

 
