My scenario
2 VIPs
1. x.x.x.x --> mx = smtp.domaina.com 2. z.z.z.z --> mx = smtp.domainb.com
I have configured my firewall to NAT traffic to port 25 to Fortimail so the incoming mails to be checked from fortimail. Also i configured fortimail to forward mails to my 2 internal mail servers, servera for domaina.com and serverb for domainb. So all incoming traffic is ok. Also any internal mail traffic is ok. My question is about outgoing traffic.
I configured fortimail to internet traffic throw one vip. So any mail from domaina.com or domainb.com goes throw one vip. Assuming i choose x.x.x.x ip for outgoing traffic, mails from domainb are characterized as spam because there are getting out from wrong ip.
Is there a way to configure fortimail sending mails from domaina.com throw x.x.x.x and mails from domainb.com throw z.z.z.z?
Orestis Nikolaidis
Network Engineer/IT Administrator
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yeah, you need to differentiate the outgoing traffic by changing the source IP from FML for email from that domain.
Then you can NAT it accordingly on your firewall to z.z.z.z since you have an alternate source IP to work with.
With an IP Pool if using FortiGate.
To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.
E.g.: If FML traffic to firewall leaves port1 with interface IP 10.10.10.1/24, you could set IP Pool IP to 10.10.10.2/32.
This part of configuration i can understand it and i am ok wih this.
jwilkins wrote:Then you can NAT it accordingly on your firewall to z.z.z.z since you have an alternate source IP to work with.
With an IP Pool if using FortiGate.
To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.
E.g.: If FML traffic to firewall leaves port1 with interface IP 10.10.10.1/24, you could set IP Pool IP to 10.10.10.2/32.
but this part how can it be configured?
jwilkins wrote:Yeah, you need to differentiate the outgoing traffic by changing the source IP from FML for email from that domain.
Orestis Nikolaidis
Network Engineer/IT Administrator
This section was all in reference to FortiMail configuration:
'To change source IP for server B; create an IP Policy with server B as the source IP. Consider ordering (place above any policy which would encompass that IP). Then apply an IP Pool on this IP Policy so that traffic matching this IP policy will be sourced as the IP Pool IP when hitting your firewall. Set IP Pool IP in the same subnet as the FortiMail interface for the egress traffic to your firewall.'
I understand the structure of my comment made it a bit unclear.
I think i understood. But i have to create also an ip pool on fortigate and the ip policy should be an outbound session policy. Am i right?
Orestis Nikolaidis
Network Engineer/IT Administrator
I'm not sure if my assessment was correct.
these are your FortiGate VIP settings?
VIP1: 1.1.1.1 --> mx = smtp.domaina.com -->192.168.1.10 [smtp server1] VIP2: 2.2.2.2--> mx = smtp.domainb.com -->192.168.1.11 [smtp server2]
Then your FortiGate Policies would look likes these.
1. Source 192.168.1.10 -->SDWAN / WAN1 (Dynamic IP Pool -->1.1.1.1)
in this case, all outgoing traffic for smtp.domaina.com will traverse on this policy and
2. Source 192.168.1.11 -->SDWAN / WAN2 (Dynamic IP Pool -->2.2.2.2)
all outgoing traffic for smtp.domainb.com will traverse on this policy
Fortigate Newbie
No those are not my settings. For outgoing traffic it is something like
192.168.1.10 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN
192.168.1.11 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN
Orestis Nikolaidis
Network Engineer/IT Administrator
orani wrote:No those are not my settings. For outgoing traffic it is something like
192.168.1.10 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN
192.168.1.11 -->192.168.2.2(fortimail)-->192.168.2.1(fortigate)-->SDWAN
I'm just supplying how Dirty_Wizard gave his first response.
Again, if you are using SDWAN you can craft your policies to look like these.
In your policy instead of using Use Outgoing Interface address, Choose Use Dynamic IP Pool instead. Repeat as well in policy 2 which uses diff IP Pool assigned on smtp.domainb.com.
1. Source 192.168.1.10 -->SDWAN / WAN1 (Dynamic IP Pool -->1.1.1.1) in this case, all outgoing traffic for smtp.domaina.com will traverse on this policy and 2. Source 192.168.1.11 -->SDWAN / WAN2 (Dynamic IP Pool -->2.2.2.2) all outgoing traffic for smtp.domainb.com will traverse on this policy
Fortigate Newbie
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.