Hello,
I have a client who wants to deliver all outbound mails to a particular domain blabla.net to a specific destination SMTP server. The Fortimail is in gateway mode in front of a Microsoft Exchange.
The only possible solution I see is to configure blabla.net as a protected domain. This seems to work fine, but I don't like it very much, because this domain is not owned by the client, but it is owned by an external partner company.
Also when it is configured as a protected domain all mails towards this domain show as inbound which is not true.
All MTA I've used have this feature, e.g. in postfix/qmail it is called SMTP routes. I've looked at policies and anything else, but couldn't find a way to implement it. Any Ideas?
I think you can do this on the MS-exch server with a connector. This will bypass standard DNS lookup for the MX and gateway of the <foreigndomain>
Now do you need to filter email on the FML?
I have done exactly what you are doing with the defined smtp-server being the foreign gateway-MX entry, but this leads into a host of issues from enabling/disabling various AS/AV filters or whitelisting. YMMV big time on whatever method you select. Another option is to define an outgoing mail-relay (yeap, another host) and just forward mail outbound to that host and let it route mail to foreigndomain.xyz. Did that before with real machines; now we do it with virtual mailhosts.
So you have a few options, but the same question I asked above: "do you need to filter email on the fortimail appliance?" If not, I would choose a 2nd or 3rd option IMHO.
PCNSE
NSE
StrongSwan
> emnoc wrote: I think you can do this on the MS-exch server with a connector. This will bypass standard DNS lookup for the MX and gateway of the <foreigndomain>. Now do you need to filter email on the FML? I have done exactly what you are doing with the defined smtp-server being the foreign gateway-MX entry, but this leads into a host of issues from enabling/disabling various AS/AV filters or whitelisting. YMMV big time on whatever method you select. Another option is to define an outgoing mail-relay (yeap, another host) and just forward mail outbound to that host and let it route mail to foreigndomain.xyz. Did that before with real machines; now we do it with virtual mailhosts. So you have a few options, but the same question I asked above: "do you need to filter email on the fortimail appliance?" If not, I would choose a 2nd or 3rd option IMHO.
Hello,
Indeed this can be done on the Exchange server (is this your 1st option?). The question is how we can do that on the Fortimail. I have at least two reasons to need that. First is that the client wants to be sure that he is not sending spam to his external partners. Second is that I am replacing a homemade sendmail+SpamAssassin which has been doing this.
Yes the whole purpose for this project is Antivirus/Antispam. The client requires filtering from the Fortimail.
Setting up another machine just to do the SMTP routing is absolutely unacceptable because of HA and effectiveness. - I suppose you call this the 3rd option.
And adding the remote domain as a protected domain - is this your option 2?
So far only option 2 is viable for me, but just as you I expect some unwanted behavior and I am looking for a cleaner solution. To be honest I am quite surprised to see this simple feature is missing in a device so rich, powerful and flexible. You can do so many sophisticated things with the Fortimail and yet a simple SMTP route is not possible. Am I missing something? Based on my previous experience with Fortigate, sometimes there's a CLI command that can save the day.
My other option was more in line with setting up an access-control with relay for the MS-exch server. This is typically how you send mail from an MTA thru the FML APP.
This is why I was asking if you need AS/AV filtering, which in your case is warranted. It's also a good thing to inspect for AV, and you might want to set session limits that are lacking to avoid any throttling by the FML.
Ken
> emnoc wrote: My other option was more in line with setting up an access-control with relay for the MS-exch server. This is typically how you send mail from an MTA thru the FML APP. This is why I was asking if you need AS/AV filtering, which in your case is warranted. It's also a good thing to inspect for AV, and you might want to set session limits that are lacking to avoid any throttling by the FML. Ken

Hi, could you be more specific what exactly you mean? Anyways, I have the access-control policy with relay for the exchange. If I don't have that, the Fortimail does not relay the outbound mail from the exchange?
Exchange has a smarthost-like function, I believe it's called routing groups, so the domain that you want to send mail to needs to be specified, with the FML as the smarthost relay target. This will allow the exch server to send without the use of a DNS MX lookup. You need to do some research on your version and what's supported.
Then you need to allow the exch-server access (FML). If the external domain is using an MX record, then you can let the FML execute and send the mail like any other mail lookup. If you want the FML to not use DNS MX, then I'm not 100% sure if you have static smtp-routes options.
BTW; There's a smartrelay but that would be for ALL mail exiting from the FML which is probably not what you want.
You are going to have to do some research since I'm not an MS-exch guy and mainly use postfix/sendmail for 99% of MTA functions, but the ability exists for this function, similar to any plain jane unix sendmail-like smarthost.
This will allow you to send mail via the ESA and execute whatever session policies or access-control limits. You can relay all mail from the fortimail, but NOT for a specific mail destination with the smtp-relay IIRC. You can review that option under mail settings on the appliance or open a ticket with TAC if you need clarification.

> Setting up another machine just to do the SMTP routing is absolutely unacceptable because of HA and effectiveness.

For your HA issues and concerns, you could craft 2 mail-relays and tell these exch devices to just use these relays. Just place these in your internal domain with a resolving address and let natural DNS round-robin load-balance. If you place dual servers and a dual DNS "A" record, then you will have HA automatically. Pretty much brainless at that point and squashes any HA issues or concerns.
See the attached drawing for a typical diagram. I believe you could route that outgoing to a 2nd interface on the fortimail with sender-pools if that's what you want, or on the primary interface, or directly to your mail-relayers. I have a mix of both in various settings, but HA has never been a concern since we duplicate 2x relayers in 2x DC with a single DNS-RRLb A record.
The bottom line: "YMMV, but you have like a half-dozen ways to skin a cat so-to-speak". They all have limits, advantages, more or less hardware. Transparent mode would limit your options, but you stated Gateway mode so you have mucho options.
edit to add jpeg
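The Exchange-side connector emnoc describes, as an added example rather than anything posted in the thread: a send connector scoped to the single partner address space blabla.net that hands mail to the FortiMail as smart host, so the appliance still applies AS/AV filtering while every other domain keeps using the existing default connector. The host name fortimail.corp.example, the server name EXCH01 and the connector name are assumptions for illustration.

```powershell
# Added example, not from the thread. Assumed names: fortimail.corp.example
# (the FortiMail in gateway mode), EXCH01 (the Hub/Mailbox transport server)
# and the connector name. Run in the Exchange Management Shell.

# Scope the connector to the partner domain only. Address space cost 10 is
# lower than a typical "*" default connector, so blabla.net is matched here
# and nothing else is affected. DNSRoutingEnabled $false with a smart host
# means Exchange does not consult blabla.net's public MX for this traffic;
# the FortiMail decides delivery after filtering (per the thread, it will
# still do its own MX lookup unless its DNS view is changed).
New-SendConnector -Name "To-blabla.net-via-FortiMail" `
    -Usage Custom `
    -AddressSpaces "SMTP:blabla.net;10" `
    -SmartHosts "fortimail.corp.example" `
    -DNSRoutingEnabled $false `
    -SmartHostAuthMechanism None `
    -SourceTransportServers "EXCH01"

# Check the scoping: the address space list must contain only blabla.net,
# the smart host must be the FortiMail, and the connector must be enabled.
Get-SendConnector -Identity "To-blabla.net-via-FortiMail" |
    Format-List Name, AddressSpaces, SmartHosts, DNSRoutingEnabled, Enabled

# Confirm no broader connector also claims blabla.net at a lower cost,
# which would silently win the routing decision over the one above.
Get-SendConnector | Where-Object {
    $_.AddressSpaces | Where-Object { $_.Address -eq 'blabla.net' -or $_.Address -eq '*' }
} | Format-Table Name, AddressSpaces, SmartHosts, Enabled -AutoSize
```

The FortiMail still needs an access-control rule that lets EXCH01 relay, as the thread notes; the connector only decides which mail leaves Exchange through the appliance.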
Very old thread, but I guess if the upstream DNS is internal on the FortiMail (not a public DNS server), just create a zone for the domain with an MX inside that goes to the custom SMTP host. FortiMail wouldn't use the public MX record but the internal one you configured. That might screw with SPF etc., though, so you'd have to look into that.
Copyright 2024 Fortinet, Inc. All Rights Reserved.