Inbound & Outbound Email Messaging Security
Unlike other messaging security products, FortiMail secures inbound and outbound mail inspection with only one system
[Deployment diagram: one-arm or dual-arm deployment with policy-based routing of incoming and outgoing SMTP traffic from the MTAs to FortiMail (optionally a third interface for out-of-band management); Internet, MTAs and internal-network MUAs. Sessions initiated from the Internet to the ISP internal network are not scanned.]
• Dedicated appliance
– Integrated hardware and software
– Purpose-built and hardened operating system
• Fits the needs of any company size
– From the SMB market to high-end enterprises and service providers
• Delivers the same protection level and features across the range
[Figure: FortiMail 100 appliance; IP policy screenshot with the "exclusive" flag highlighted]
Protection profiles
• Profile = a collection of FortiMail settings that control the email flow
• Profiles are selected in policies and run on any traffic the policy controls
• Several types of profile:
– Session profile
Set the session rate
Restrict the number of mails per session, of recipients per mail, and of simultaneous sessions from the same client
Prevent session encryption
Perform SMTP strict syntax check, domain check, etc.
– Antispam profile
– Antivirus profile
– Content profile
Filter file types, file extensions, and banned content
Defer large messages
– Authentication profile
Authenticate sessions using SMTP, POP3, IMAP, or RADIUS servers
Comments
• You do not have to define the protected domains
– Mail Service Provider (MSP) and Internet Service Provider (ISP) environments
– Differentiated services can still be applied based on IP addresses or recipient mail addresses
• Wildcard policies
– IP=0.0.0.0/0
– or recipient address=*
• Antispam, antivirus, content and session profiles are
available for incoming or outgoing mail flow
Agenda
• Introducing FortiMail
• FortiMail deployment scenarios
• FortiMail product line
• Differentiated services: policies and profiles
• Antispam techniques
• Virus detection
• FortiMail HA
• Email archiving
• Reporting
FortiMail Advanced Spam Detection
• FortiGuard-Antispam service
– FortiMail queries a central database
• FortiMail employs multiple sophisticated antispam technologies that complement the FortiGuard-Antispam service:
– Session-based inspection
Session-level detection methods greatly reduce load
– Avoid unnecessary mail processing and content scanning
Most of the session control parameters are configured in the session profile
– A few of them are in the antispam profile (greylisting and DNSBL)
• FortiRule
– FortiGuard also updates FortiMail's local set of heuristic rules
FortiIP – Sender IP reputation
• FortiGuard-Antispam maintains a global IP reputation
database
– The reputation of each IP is built and maintained from tens of properties gathered from various sources
– The properties include:
WHOIS information, geographical location, service provider,
whether it is an open relay or a hijacked host, etc.
One of the key properties is the email volume from this sender as gathered from our FortiGuard service network
• By comparing a sender's recent email volume with its
historical pattern, FortiGuard-AntiSpam updates each IP's
reputation in real-time and provides a highly effective sender
IP address filter
FortiGuard-Antispam overview
• To achieve up-to-date real-time spam identification, Fortinet
utilizes globally distributed spam probes that receive over
one million spam messages per day
• Each message is processed through multiple layers of
identification processes to produce an up-to-date list of spam
origins
– To further enhance the service and streamline performance, each
of the “known” identities in the list is continually re-tested to
determine the state of the origin (active or inactive)
– If a known spam origin has been decommissioned, the origin is
then removed from the list, thus providing customers with both
accuracy and performance
FortiMail Advanced Spam Detection
• Session-based inspection
– SMTP syntax verification and RFC compliance
– SMTP checks (sender/recipient domain check, prevent open relay,
etc.)
– SMTP rate limiting (simultaneous sessions, new sessions / period
of time, etc.)
– SMTP error control
– Recipient address check (valid mail address)
– Greylist Filtering
– Local Reputation Filtering
– Etc.
Session level – Protocol check
• Consider at least the following two options:
Session level – SMTP errors
• Errors sometimes indicate attempts to misuse the server
• You can impose delays or drop connections if there are
errors
Session level – Unauth sessions
• Check sender domain
– Checks the existence of the sender domain by looking up both the MX record and the A record
– One successful query passes the check
– Enable it depending on the deployment scenario
Useful for ISP outgoing antispam and MSP/Enterprise incoming mail
• Check recipient domain
– Checks the existence of the recipient domain by looking up both the MX record and the A record
– One successful query passes the check
– Enable it depending on your deployment scenario
Useful for ISP/MSP/Enterprise outgoing antispam
Session level – Unauth sessions
• Reject if recipient and HELO domain match but sender domain is different
– If the recipient (RCPT TO = toto@fortinet.com) and HELO domain match (for instance, SMTP client host name = mailserver.fortinet.com), then the mail is expected to be internal (sender@fortinet.com in our example): it should be coming from Fortinet and destined to Fortinet.
– That is why, if the sender domain is not the same as the recipient domain, FortiMail drops the connection
It is very unlikely that a well-configured mail server would make such a connection
• Prevent open relaying:
– Verifies that the RCPT TO domain matches the IP address given by MX lookup, but allows the session if authentication is used
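The sender/recipient domain existence check and the "recipient and HELO domain match but sender domain differs" rule from the two slides above, as an added example (not FortiMail's own code). DNS is replaced by a constructed lookup table so it runs offline; `FAKE_DNS`, `Envelope` and `check_session` are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed stand-in for DNS (an assumption, not a real resolver):
# domain -> the record types that exist for it.
FAKE_DNS = {
    "fortinet.com": {"MX", "A"},
    "example.net": {"A"},       # no MX, but an A record alone still passes
}


def domain_exists(domain: str) -> bool:
    """Sender/recipient domain check: one successful MX or A lookup passes."""
    return bool(FAKE_DNS.get(domain.lower(), set()) & {"MX", "A"})


def domain_of(address: str) -> str:
    """Domain part of an envelope address such as toto@fortinet.com."""
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class Envelope:
    helo: str       # SMTP client host name from HELO/EHLO
    mail_from: str  # MAIL FROM address
    rcpt_to: str    # RCPT TO address


def check_session(env: Envelope, check_sender: bool = True,
                  check_recipient: bool = False) -> tuple[bool, str]:
    """Apply the session-level checks in order and return (accept, reason)."""
    sender_dom = domain_of(env.mail_from)
    rcpt_dom = domain_of(env.rcpt_to)
    if check_sender and not domain_exists(sender_dom):
        return False, f"sender domain {sender_dom} has no MX or A record"
    if check_recipient and not domain_exists(rcpt_dom):
        return False, f"recipient domain {rcpt_dom} has no MX or A record"
    helo = env.helo.lower()
    # HELO host belongs to the recipient domain => the mail should be
    # internal, so a different sender domain gets the connection dropped.
    helo_matches_rcpt = helo == rcpt_dom or helo.endswith("." + rcpt_dom)
    if helo_matches_rcpt and sender_dom != rcpt_dom:
        return False, "recipient and HELO domain match but sender domain differs"
    return True, "accepted"
```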
Session level – Settings for unauth sessions
Session level – Recipient address check for incoming mail
• Recipient address verification helps to detect incoming spam
• Ensures that email with invalid recipients is rejected, neither scanned nor sent to the back-end email server
• Supports an SMTP server or an LDAP database
Spam quarantine
• Review the content of a quarantine mailbox [screenshot: open a user mailbox]
• Read quarantined mail [screenshot: click to view a mail]
[HA configuration screenshot: supports a redundant HA interface; define failure detection settings]
Archival – Meet regulatory requirements
• Selectively archive mails based on:
– Sender
– Recipient
– Content pattern
Keywords in subject
Keywords in body
– Attachment type
• Storage:
– FortiMail HD
– Scheduled SFTP/FTP upload
– Or external NAS storage
Agenda
• Introducing FortiMail
• FortiMail deployment scenarios
• FortiMail product line
• Differentiated services: policies and profiles
• Antispam techniques
• Virus detection
• FortiMail HA
• Email archiving
• Management / Logging / Reporting
Logging
• Logs
– On device local logging
– Syslog/FortiAnalyzer output
• Alerts and resource usage
– SNMP traps and MIB polling
– CPU Usage, Memory Usage, Log Disk Usage, Mailbox Disk
Usage, Deferred queue, Detected virus, Detected spam, etc.
Logs [screenshot: choose where to log]
Reports [screenshot: schedule the report; choose a list of domains or all domains; select incoming or outgoing traffic; choose the output]
Reports – Query selection
• Mail Statistics
– Mail Stat Messages
– Mail Stat Viruses
– Mail Stat Actions
• Total Summary
– Total Sent And Received
– Total Spam And Nonspam
– Top Ten Viruses
• Mail by Sender
– Top Sender
– Top Sender IP
– Top Client IP
– Top Local Sender
– Top Remote Sender
– Top Sender MSISDN
• Mail by Recipient
– Top Recipient
– Top Local Recipient
– Top Remote Recipient
– Top Client MSISDN
• High Level Breakdown
– Top Local User
– Top Remote Address
– Spam Filter
– Action
– Top Virus
– Virus
– System User
• Spam by Sender
– Top Spam Sender
– Top Spam Domain
– Top Spam IP
– Top Local Spam Sender
– Top Local Spam Domain
– Top Remote Spam Sender
– Top Remote Spam Domain
– Top Spam MSISDN
• Spam by Recipient
– Top Spam Recipient
– Top Local Spam Recipient
– Top Remote Spam Recipient
• Virus by Sender
– Top Virus Sender
– Top Virus Domain
– Top Virus IP
– Top Local Virus Sender
– Top Local Virus Domain
– Top Remote Virus Sender
– Top Remote Virus Domain
– Top Virus MSISDN
• Virus by Recipient
– Top Virus Recipient
– Top Local Virus Recipient
– Top Remote Virus Recipient
Reports can be broken down by date, hour of day, day of week, day of month, week of year, or month.
Report sample
FortiMail key points
Fits any deployment scenario and network requirement (explicit or transparent proxy, routing or bridging packets, visible or invisible in the headers, etc.).