Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Yoda1
New Contributor

Email filter with FortiOS 7.4

I am new to Fortigate, until now we used Sophos and Watchguard FWs and several products for Antispam.

 

A read a little about email filtering with 7.2 and now I installed the demo with 7.4 and I am wondering about the reduced ruleset in contrast to 7.2. The documentation says now:

 

FortiGuard-based filters

The FortiGate consults FortiGuard servers to help identify spammer IP address or emails, known phishing URLs, known spam URLs, known spam email checksums, and others. For more information, refer to the FortiGuard website.

There are five FortiGuard spam filtering options:

 

I miss the option to deny SPF failed mails, as well options to configure quarantine, allowed attachment types and so on. Beyond that, happens email filtering only on the local appliance or will some emails be uploaded to fortigate cloud services?

 

Is let's encrypt certificate autoenrollment for SMTP available?

 

Finally, is this product capable to filter company emails from spam with good results or should I consider another solution for professional email filtering?

 

Thank you

11 REPLIES 11
Stephen_G
Moderator
Moderator

Hello Yoda1,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
Yoda1
New Contributor

thank you.

 

I played around a little and it looks to me like that:

 

- when I use protecting ssl server, own or let's encrypt certificates should be possible

- proxy mode is fine, more features for email filtering

- but deep inspection does not work in proxy mode, only in flow mode while using starttls

- in order to protect email servers with email filtering, starttls is a must have

- using flow mode for smtp reduces filtering options drastically

 

Maybe I did something wrong? Or is this a limitation?

 

If yes, email filtering for us would make not much sense at all...

Stephen_G
Moderator
Moderator

I'm afraid I can't personally answer the specifics of your networking requirements and FortiGate setup as this is not my area, but as far as I'm aware, FortiMail is probably a better fit for your intentions: https://www.fortinet.com/products/email-security. It's more specialized in email security than FortiGate, which is intended for use more as a general firewall.

 

FortiGate only supports SMTP and basic filtering, and is not an SMTP server that can evaluate email content - so chances are it can't do what you need as well as FortiMail could. However, maybe somebody else here can help you with the email filtering capabilities of FortiGate. Some changes may have been made in 7.4. I can't see much new in documentation, but I will ask around.

 

Hope that helps,

Stephen - Fortinet Community Team
Yoda1

Hi Stephen, i tried several options now, deep inspection with starttls and smtp 25 works obviously only in flow mode.

 

Fortinet offers the utp bundle for fortigate with email filtering and it costs extra. But what is it good for, when the main purpose, robust anti spam with incoming mail to the internal mail system is not working in proxy mode? No external mailserver will deliver mails over SMTPS, only with STARTTLS. Intrernal Clients would use SMTPS with external mail servers, but this is not the use case here. Protecting internal mail systems would be the key feature for buying the utp bundle.

 

Fortimail would be an option with extra costs. This is the reason in buying an UTM solution for smb customers, bundling services on one appliance saves money.

 

If a key feature won't work, it should not be offered. On the other hand, if this would be stated out clearly, I could have saved a lot of time.

Faiza_Emam_Delhi
Contributor II

Hello Yoda 1,

 

FortiGate's email filtering feature is a powerful tool that can effectively filter out spam and other unwanted emails from your company's email system. Here are answers to your questions:

 

1. Ruleset: FortiGate's email filtering feature in FortiOS 7.4 has a reduced ruleset compared to 7.2, but it still offers advanced protection against spam, phishing, and other email-based threats. You can enable the FortiGuard-based filters to block spammer IP addresses, phishing URLs, known spam URLs, known spam email checksums, and others. Additionally, you can create custom filters to block emails that match specific criteria, such as attachment types or specific words or phrases.

 

2. Email filtering: Email filtering happens on the local appliance, and no emails are uploaded to FortiGate cloud services. You can configure quarantine options to hold suspicious emails for review, and you can also configure allowed attachment types and other settings.

 

3. SPF failed mails: FortiGate's email filtering feature does not have an option to deny SPF failed mails out of the box, but you can create a custom filter to block emails that fail SPF checks.

 

4. Let's Encrypt certificate: Yes, FortiGate supports auto-enrollment for SMTP with Let's Encrypt certificates.

 

5. Results: FortiGate's email filtering feature can effectively filter out spam and other unwanted emails from your company's email system. However, as with any email filtering solution, there is no guarantee that 100% of unwanted emails will be blocked. It's always a good idea to have multiple layers of protection, such as antivirus software, to ensure the highest level of protection.

 

I hope this helps! Let me know if you have any further questions.

Thanks & Regards,
Faizal Emam
Thanks & Regards,Faizal Emam
Yoda1

as I explained above, this all works only with unenrypted incoming email traffic. If you want deep inspection of incoming mail with STARTTLS (above 99% of all incoming transfers), you have to choose to flow mode, proxy mode with the full anti spam options (and these are the important key functions in 7.4) just won't work, mails are running just plain through to the email server behind the fortigate.

 

As long as I did nothing wrong, but all tutorials and documentation I found, did not help. So to summarize it:

 

- flow mode: just no real antipam options, but working with STARTTLS and inspection is possible (but with simply no meaningful antispam options)

 

- proxy mode: works like a charm, but only with unencrypted incoming email <1% of all incoming mail would be inspected this way

 

I tested forth and back and tried dozens of combinations, same result in all cases.

 

gfleming

Hi Yoda1. It seems odd that proxy mode is not working while flow is. There is no reason as far as I'm concerned for proxy mode to break anything here.

 

I would suggest contacting TAC to figure out if you are hitting a bug or some other configuration issue. It does sound like you are doing everything right, however. Note that 7.4 is a very new release (couple months old) and will have lots of bugs still. Mature release right now is 7.0.x which would be recommended for production use unless you need specific features only found in 7.2.x or 7.4.x.

 

To note, the FortiGate is first and foremost a NGFW. Yes it has lots of other features packed into it like WAF and email filter. However these are basic when compared to full-fledged appliances. For instance the email filter is really only there to detect and block spam (hence "antispam" fortiguard service). It's not meant to be a full-on email security gateway (SPF checks, quarantine, content inspection, etc).

 

If it fits your needs then absolutely let's keep trying to get the FortiGate working in proxy mode for you. TAC is your best bet at this point, IMO.

 

If you'd like to, you are welcome to post the configurations of your mail filter profiles, firewall policies, certificates, etc and we can look here but again TAC will give best response.

Cheers,
Graham
Faiza_Emam_Delhi

Hi @Yoda1 

It seems like you're looking for information about the Fortinet firewall and its capabilities for inspecting incoming email traffic. From the explanation you provided, it appears that when using flow mode, you're able to perform deep inspection of incoming mail with STARTTLS. However, the antispam options are limited in this mode. On the other hand, when using proxy mode, you have more comprehensive antispam options, but it only works for unencrypted incoming email traffic, which is less than 1% of all incoming mail.

Despite following various tutorials and documentation, you haven't been able to find a solution that meets your requirements. It can be frustrating when you encounter challenges like this. If you need further assistance or would like to explore other options, feel free to provide more specific details or ask any additional questions.

Thanks & Regards,
Faizal Emam
Thanks & Regards,Faizal Emam
Yoda1
New Contributor

Thank you all for the replies. As I learned, Starttls with proxy mode would never work with 7.4 neither with 7.2. I should rely on 7.0 (did not verified it)

 

I didn't expect this and also found no hint to this topic so far;-)

How should one newcomer???

 

So how long 7.0 would be supported?

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors