Carlos_A_Almeida
New Contributor III

Problem to config email filter

Hi guys,

 

I'm facing a big problem here with one FG60D (5.2.1). I had configured the email filter as usual, but it's not working. I don't know why, because it's an easy configuration.

 

My config email filter profile is:

config spamfilter profile
    edit "EF_example"
        set comment "Email Filter"
        set flow-based enable
        set spam-filtering enable
        set options spambwl spamfsip spamfssubmit spamfschksum spamfsurl spamfsphish
            config imap
                set tag-msg "[FG-Spam]"
            end
            config pop3
                set tag-msg "[FG-Spam]"
            end
            config smtp
                set log enable
                set action tag
                set tag-msg "[FG-Spam]"
            end
        set spam-rbl-table 1
    next
end

 

My config in the firewall rule is:

config firewall policy
    edit 13
        set uuid 5d9c181c-775b-51e4-44e4-592b7f50c004
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "<VIP ADDRESS>"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set spamfilter-profile "EF_example"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
        set ippool enable
        set poolname "<IP POOL with my public IP>"
    next
end

 

I really don't know what's wrong. Can someone enlighten me?

 

Sorry about language mistakes,

 

Thank you,

 

Carlos - Brazil

Bromont_FTNT
Staff

This looks like a firewall policy from your mail server out to the internet... <VIP ADDRESS> needs to be your internal mail server address.

Carlos_A_Almeida

Bromont wrote:

This looks like a firewall policy from your mail server out to the internet... <VIP ADDRESS> needs to be your internal mail server address.

But it is, look:

 

config firewall vip
    edit "RULE NAME"
        set uuid dcf567ea-5f6d-51e4-ac49-5695fb4831fb
        set extip <OUR PUBLIC IP>
        set extintf "any"
        set portforward enable
        set mappedip <INTERNAL IP>
        set extport 25
        set mappedport 25
    next
end

 

Our mail server is in the DMZ behind the FortiGate; I have to use a VIP to route to the internal address. It's working well, except for the email filter option.

Thank you.

Dave_Hall
Honored Contributor

CarlosAlmeida wrote:

I really don't know what's wrong. Can someone enlighten me?

 

Two things to keep in mind -- 1) traffic originally from the mail server -> out, and 2) traffic originally from outside -> mail server. Both types won't be using the same VIP. Although your VIP is configured for "any interface" it is expecting the ext IP (which is the trigger for the port forward) to be the "public IP" -- if the mail server initiates the connection from its side of the DMZ, its internal IP address will be the extip.

 

Your firewall policy rule#13 should work if you use the mail server's internal IP for src address (no VIP needed because you are already NATTing the source IP).

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Carlos_A_Almeida

Dave Hall wrote:

CarlosAlmeida wrote:

I really don't know what's wrong. Can someone enlighten me?

 

Two things to keep in mind -- 1) traffic originally from the mail server -> out, and 2) traffic originally from outside -> mail server. Both types won't be using the same VIP. Although your VIP is configured for "any interface" it is expecting the ext IP (which is the trigger for the port forward) to be the "public IP" -- if the mail server initiates the connection from its side of the DMZ, its internal IP address will be the extip.

 

Your firewall policy rule#13 should work if you use the mail server's internal IP for src address (no VIP needed because you are already NATTing the source IP).

Dave, thank you for your time. I will try it later (no time in the next weeks) and just reformulate all my MTA infrastructure.

 

I'll let you all know soon.

 

Best regards,

 

Carlos - Brazil

Carlos_A_Almeida
New Contributor III

Hello All.

 

I made some improvements to my firewall, and it seems to work: it logs mail traffic and applies some tag actions too.

 

date=2015-03-30 time=14:46:11 logid=0508020503 type=utm subtype=emailfilter eventtype=smtp level=information vd="root" sessionid=83880258 srcip=42.156.225.16 srcport=53279 dstip=x.x.x.x dstport=25 proto=6 service=SMTP profile="EF_Example" action=tagged from="promotion@aliexpress.com" to="mail1@x.x" sender="promotion@aliexpress.com" recipient="mail1@x.x" sentbyte=80396 rcvdbyte=46 direction=outgoing msg="general email log" subject="Preparamos_uma_seleção_de_produtos_para_você" size="80387" attachment=yes

 

date=2015-03-30 time=14:42:11 logid=0508020503 type=utm subtype=emailfilter eventtype=smtp level=information vd="root" sessionid=83879670 srcip=12.130.136.122 srcport=48137 dstip=x.x.x.x dstport=25 proto=6 service=SMTP profile="EF_Example" action=log-only from="newsletterslatin@trendmicro.rsys1.com" to="mail2@x.x" sender="newsletterslatin@trendmicro.rsys1.com" recipient="mail2@x.x" sentbyte=15369 rcvdbyte=46 direction=outgoing msg="general email log" subject="Novos Treinamentos para Certificação Trend Micro" size="15360" attachment=no

Not perfect yet, but now it's working.

 

Thanks,
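
As an added example (not part of the thread), a small Python parser for the key=value emailfilter log format shown in the post above, run over constructed sample records with RFC 5737 addresses and example.* domains; it counts actions per profile and lists the messages the filter tagged, which is the kind of check to run after enabling the spam filter on a policy.

```python
import re
from collections import Counter

# Constructed sample records in the FortiOS "type=utm subtype=emailfilter" format
# seen in this thread (IPs from RFC 5737 ranges, example.* domains; not real logs).
SAMPLE_LOGS = [
    'date=2015-03-30 time=14:46:11 logid=0508020503 type=utm subtype=emailfilter '
    'eventtype=smtp level=information vd="root" sessionid=83880258 srcip=198.51.100.16 '
    'srcport=53279 dstip=192.0.2.25 dstport=25 proto=6 service=SMTP profile="EF_Example" '
    'action=tagged from="promo@example.net" to="mail1@example.com" direction=outgoing '
    'msg="general email log" subject="Weekly offers" size="80387" attachment=yes',
    'date=2015-03-30 time=14:42:11 logid=0508020503 type=utm subtype=emailfilter '
    'eventtype=smtp level=information vd="root" sessionid=83879670 srcip=203.0.113.122 '
    'srcport=48137 dstip=192.0.2.25 dstport=25 proto=6 service=SMTP profile="EF_Example" '
    'action=log-only from="news@example.org" to="mail2@example.com" direction=outgoing '
    'msg="general email log" subject="Training news" size="15360" attachment=no',
]

# One key=value token; the value is either "quoted text" (may contain spaces) or a bare word.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortilog(line):
    """Return the fields of one FortiOS log line as a dict, with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def summarize_emailfilter(lines):
    """Count (profile, action) pairs and collect the messages the filter tagged."""
    actions = Counter()
    tagged = []
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "emailfilter":
            continue  # skip traffic/event logs; only email-filter verdicts matter here
        actions[(rec.get("profile"), rec.get("action"))] += 1
        if rec.get("action") == "tagged":
            tagged.append((rec.get("srcip"), rec.get("from"), rec.get("to"), rec.get("direction")))
    return actions, tagged

if __name__ == "__main__":
    counts, hits = summarize_emailfilter(SAMPLE_LOGS)
    for (profile, action), n in sorted(counts.items()):
        print(f"{profile}: {action} x{n}")
    for srcip, sender, rcpt, direction in hits:
        print(f"tagged: {sender} -> {rcpt} from {srcip} ({direction})")
```

Feed it the output of a log export (or the lines pasted above) to see which profile actions are actually firing; an empty tagged list with spam-filtering enabled is the symptom the thread started with.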

Jones

Good morning, Carlos. Could you teach me the command to view the logs, and the points to be analyzed in the log? I am Brazilian too.

Carlos_A_Almeida

Hi Jones, how are you?

 

Of course I can help you. It's better for us to talk in Portuguese, right? Send me an e-mail (www.c.almeida at gmail dot com) and we can talk there.

 

Regards,
