Multiple domains

micahawitt · ‎03-09-2015

Running a 100C.

Have two domains running through here, and would like to see if this is possible.

Domain A was setup first, so the 100c has a host name of smtp.domaina.com.

Domain B was then setup, mail can flow, however, when doing a telnet to smtp.domainb.com on port 25, the banner shows up as smtp.domaina.com.

My question is, if someone is specifically telnetting or emails for that matter, how can i get that session from the outside world see the right domain name in the session?

emnoc · ‎03-09-2015

Does it really matter?

Seriously I host 100 of domains behind one single address and A/PTR record. Each domain does not need a specific name that matches the name of the domain that's handling the traffic inbound to it.

Just make sure you have a proper PTR records that matches the name of the device.

PCNSE

NSE

StrongSwan

abelio · ‎03-09-2015

Hello,

agree with emnoc

Moreover you could find useful set up ehlo/helo for outgoing connections from fortimail for each domain.

Sic from manual:

SMTP greeting (EHLO/HELO) Select how the FortiMail unit will identify itself during the HELO or EHLO greeting of outgoing SMTP connections that it initiates. • Use this domain name: The FortiMail unit will identify itself using the domain name for this protected domain. If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other. • Use system host name: The FortiMail unit will identify itself using its own host name. By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select Use system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.

regards

A.

regards

/ Abel

emnoc · ‎03-09-2015

FWIW: That's also how other mail service work also ( gmail godaddy etc..... )

Also if your using any SPF entries or TXT spf records, make sure you apply the correct allowances for the mail that you send for X domains.

PCNSE

NSE

StrongSwan

Holy · ‎03-09-2015

Talking about SPF,

i wanna configre SPF for a test domain would a simple "v=spf1 mx -all" TXT Record be ok? or shold i add an ip4 or a Record?

btw: Thank you Emnoc for your Documentation for Fortimail. I am an FCESP now :=)

emnoc wrote:
FWIW: That's also how other mail service work also ( gmail godaddy etc..... )

Also if your using any SPF entries or TXT spf records, make sure you apply the correct allowances for the mail that you send for X domains.

NSE 8

NSE 1 - 7

emnoc · ‎03-10-2015

It depends, I don't their's a cut case exact rule but here's what I do;

"v=spf1 mx ip4:75.xx.xx.xx include:secureserver.net -all"

or redirect to;

text "v=spf1redirect=_spf.mydomain.com"

And use the _spf.mydomain.com to reference all allowed senders.I always define the actual ipv4 address incase the dns services are down. But either way method should be okay, just remember the dependencies with any A records.

It's best practice to ALWAYS placed SPF entries even for domains that you don't send mail from. This helps from having anyone "spoof" you and getting you domain flagged as bad sender

For your FCESP, congrats. This was one of the most challenge that I did like over 3+ years ago. I know your relieved.

The FCESP unlike cisco exam, that uses wordings such as " theory" " cisco ideally", "what's the best...... " etc....., I found that the fortinet exam is 100% practical usages and settings. I was upset that I didn't pass my 1st attempt and I dedicated about a year with studying everything in the appliance that was in reason before taking the 2nd attempt

You can read more about it here if your bored.

http://socpuppet.blogspot.com/2013/06/i-passed-my-fortinet-mail-exam-fcesp.html

PCNSE

NSE

StrongSwan

Holy · ‎03-10-2015

Thank you i know chossed "v=spf1 mx ip4:x.x.x.x a:mail.example.de -all" ip and a record is a smarthost that we do use sometime.

i was glad you had to have only 50% to pass the exam :) it´s hard, really. I did spend much time in a lab with FortiMail as a Server and as a Gateway. not much practise with transparent mode and that was a problem on a exam :)

i allready read your Post. i actually do read a lot from your Blog :) Really nice Blog btw !

emnoc wrote:
It depends, I don't their's a cut case exact rule but here's what I do;

"v=spf1 mx ip4:75.xx.xx.xx include:secureserver.net -all"

or redirect to;

text "v=spf1redirect=_spf.mydomain.com"

And use the _spf.mydomain.com to reference all allowed senders.I always define the actual ipv4 address incase the dns services are down. But either way method should be okay, just remember the dependencies with any A records.

It's best practice to ALWAYS placed SPF entries even for domains that you don't send mail from. This helps from having anyone "spoof" you and getting you domain flagged as bad sender

For your FCESP, congrats. This was one of the most challenge that I did like over 3+ years ago. I know your relieved.

The FCESP unlike cisco exam, that uses wordings such as " theory" " cisco ideally", "what's the best...... " etc....., I found that the fortinet exam is 100% practical usages and settings. I was upset that I didn't pass my 1st attempt and I dedicated about a year with studying everything in the appliance that was in reason before taking the 2nd attempt

You can read more about it here if your bored.
http://socpuppet.blogspot.com/2013/06/i-passed-my-fortinet-mail-exam-fcesp.html

NSE 8

NSE 1 - 7

Multiple domains

Nominate a Forum Post for Knowledge Article Creation