Fortinet Forum
micahawitt
New Contributor III

Multiple domains

Running a 100C.

Have two domains running through here, and would like to see if this is possible.

Domain A was set up first, so the 100C has a host name of smtp.domaina.com.

Domain B was then set up. Mail can flow; however, when doing a telnet to smtp.domainb.com on port 25, the banner shows up as smtp.domaina.com.

My question is: if someone is specifically telnetting, or emailing for that matter, how can I get that session from the outside world to see the right domain name in the session?

6 REPLIES
emnoc
Esteemed Contributor III

Does it really matter?

Seriously, I host 100 of domains behind one single address and A/PTR record. Each domain does not need a specific name that matches the name of the domain that's handling the traffic inbound to it.

Just make sure you have a proper PTR record that matches the name of the device.

PCNSE 

NSE 

StrongSwan  

abelio
Valued Contributor

Hello,

Agree with emnoc.

Moreover, you could find it useful to set up EHLO/HELO for outgoing connections from FortiMail for each domain.

Sic from manual:

SMTP greeting (EHLO/HELO): Select how the FortiMail unit will identify itself during the HELO or EHLO greeting of outgoing SMTP connections that it initiates.

• Use this domain name: The FortiMail unit will identify itself using the domain name for this protected domain. If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.
• Use system host name: The FortiMail unit will identify itself using its own host name. By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select Use system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.

regards

A.

regards
__ Abel

emnoc
Esteemed Contributor III

FWIW: That's also how other mail services work (Gmail, GoDaddy, etc.)

Also, if you're using any SPF entries or TXT SPF records, make sure you apply the correct allowances for the mail that you send for X domains.

PCNSE 

NSE 

StrongSwan  

Holy

Talking about SPF,

I want to configure SPF for a test domain. Would a simple "v=spf1 mx -all" TXT record be OK? Or should I add an ip4 or A record?

BTW: Thank you, Emnoc, for your documentation for FortiMail. I am an FCESP now :=)


NSE 8 

NSE 1 - 7

 

emnoc
Esteemed Contributor III

It depends. I don't think there's a clear-cut exact rule, but here's what I do:

"v=spf1 mx ip4:75.xx.xx.xx include:secureserver.net -all"

or redirect to:

 text "v=spf1 redirect=_spf.mydomain.com"

And use the _spf.mydomain.com to reference all allowed senders. I always define the actual IPv4 address in case the DNS services are down. But either method should be okay; just remember the dependencies with any A records.

It's best practice to ALWAYS place SPF entries, even for domains that you don't send mail from. This helps prevent anyone from "spoofing" you and getting your domain flagged as a bad sender.

For your FCESP, congrats. This was one of the most challenging that I did, like over 3+ years ago. I know you're relieved.

The FCESP, unlike the Cisco exam, which uses wordings such as "theory", "Cisco ideally", "what's the best..." etc.: I found that the Fortinet exam is 100% practical usages and settings. I was upset that I didn't pass my 1st attempt, and I dedicated about a year to studying everything in the appliance that was in reason before taking the 2nd attempt.

You can read more about it here if you're bored.

http://socpuppet.blogspot.com/2013/06/i-passed-my-fortinet-mail-exam-fcesp.html

PCNSE 

NSE 

StrongSwan  
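An offline check of the SPF record shapes discussed in this thread, as an added example that is not part of any poster's reply or of Fortinet documentation. It goes slightly beyond the thread by applying RFC 7208 rules (version tag as its own term, the 10-lookup limit, `redirect=` ignored when `all` is present); the name `lint_spf` is an assumption, and only top-level terms are counted because no DNS is queried.

```python
# Added example (hypothetical helper): lint SPF TXT strings using RFC 7208 syntax rules only.
import ipaddress
import re
LOOKUP_MECHS = {"a", "mx", "include", "exists", "ptr"}  # each costs one DNS lookup
MAX_LOOKUPS = 10                                        # RFC 7208 section 4.6.4

def lint_spf(record):
    """Return (top_level_dns_lookups, findings) for one SPF record string."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        # A TXT record is only treated as SPF when "v=spf1" is a term of its own.
        return 0, ["not an SPF record: first term must be exactly v=spf1"]
    findings, lookups, all_qual, redirect = [], 0, None, None
    for term in terms[1:]:
        name, eq, value = term.partition("=")
        if eq and re.fullmatch(r"[A-Za-z][\w.-]*", name):  # modifier (redirect=, exp=)
            if name.lower() == "redirect":
                redirect = value
            continue
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)(?:([:/])(.*))?", term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(4)
        if all_qual is not None:
            findings.append(f"{term} follows 'all' and is never evaluated")
            continue
        if mech == "all":
            all_qual = qual
        elif mech in LOOKUP_MECHS:
            lookups += 1
        elif mech in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg or "", strict=False)
            except ValueError:
                findings.append(f"bad address in {term}")
        else:
            findings.append(f"unknown mechanism: {mech}")
    if redirect and all_qual is not None:
        findings.append("redirect= is ignored because 'all' is present")
    elif redirect:
        lookups += 1                      # the redirect target is fetched via DNS
    elif all_qual is None:
        findings.append("no 'all' or redirect=: unlisted senders get Neutral")
    if all_qual in ("+", "?"):
        findings.append(f"'{all_qual}all' does not reject unlisted senders")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return lookups, findings
```

For a domain that sends no mail, `lint_spf("v=spf1 -all")` returns zero lookups and no findings; a redacted address such as `ip4:75.xx.xx.xx` is reported until a real address is filled in.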

Holy

Thank you. I now chose "v=spf1 mx ip4:x.x.x.x a:mail.example.de -all"; the IP and A record are a smarthost that we do use sometimes.

I was glad you had to have only 50% to pass the exam :) It's hard, really. I did spend much time in a lab with FortiMail as a server and as a gateway. Not much practice with transparent mode, and that was a problem on the exam :)

I already read your post. I actually do read a lot from your blog :) Really nice blog, btw!


NSE 8 

NSE 1 - 7