Course 221 - FortiMail Email Filtering
Transparent Mode
Transparent Mode Module 11
© 2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726
Transparent Mode
• Transparent relay
• FortiMail is inline, in front of the mail servers or mail relays
• FortiMail is not the SMTP end point
• FortiMail transparently intercepts and scans SMTP sessions based on the destination IP address
Diagram: mail flow from the Internet through the FortiMail unit to the MTAs; the FortiMail unit intercepts and scans sessions destined to the backend servers.
Transparent Mode Advantages
• IP layer transparency
» The FortiMail unit acts as a bridge for SMTP and non-SMTP traffic
» The IP address scheme does not require any change
• SMTP layer transparency
» No changes required to existing MX records and MUA/MTA configurations
» The FortiMail unit’s presence can be hidden
Network Interfaces - Bridge Mode
• When configured in bridge mode the network interfaces operate as an L2 forwarding bridge
• The FortiMail unit can be reached through the management IP address statically assigned to the port1 interface
• The port1 interface cannot be changed to route mode
Network Interfaces - Route Mode
• When configured in route mode, the network interface is no longer part of the bridge
• CLI syntax to remove the interface from the bridge is:

    config system interface
    (interface)# edit port2
    (port2)# set bridge-member disable
    (port2)# set ip 192.168.2.100 255.255.255.0
    (port2)# set allowaccess ping
    (port2)# next
Transparent Mode
Diagram: SMTP sessions are proxied and bridged. Mail flows from the Internet through the FortiMail unit to the MTAs; the labels mark the FortiMail default route and the MTA default route. The management IP address is in the same subnet as the MTAs. Non-SMTP traffic (ARP requests, etc.) is bridged.
Transparent Mode – Hybrid Example 1
• Mail flow is bridged by the FortiMail unit
• A third interface is in route mode
Diagram: the external and internal interfaces are in bridge mode and carry the mail flow between the Internet and the MTAs (FortiMail default route); a third interface in route mode is used for OOB management, with a FortiMail static route to the management platforms.
Transparent Mode – Hybrid Example 2
Diagram: the FortiMail unit is attached one-arm through a route mode interface, with a second interface for OOB management. SMTP traffic from the Internet and from the internal network’s mail user agents, with destination IP = the MTAs’ addresses, is steered to the FortiMail unit by policy-based routing; without policy-based routing the mail flow would not be sent to the FortiMail unit.
Transparent Mode Directions
• In transparent mode the recipient domain address does not determine the direction
• At the network connectivity level the destination IP address determines whether a session is incoming or outgoing:
» An SMTP session is considered incoming if the destination IP address matches an SMTP server configured in the protected domain list
» An SMTP session is considered outgoing if the destination IP address does not match any SMTP server configured on the FortiMail unit
Transparency Settings
• By default, the transparent mode unit does not hide its presence in the mail flow
• The management IP address (if in bridge mode) or the interface IP address (if in route mode) will be used to establish a new session to the destination MTA
• To hide the transparent unit you can use one of the following options depending on the direction of the email:
» Incoming emails: Enable the option “Hide the transparent box” (System > Domain)
» Outgoing emails: Enable the option “Hide this box from the mail server” (Session profile > Connection Settings)
» In both cases, the TP unit will reuse the sender IP address to establish the new session
Built-in MTA
• A transparent mode FortiMail unit can route a message to its destination by using its built-in MTA or by proxying it
• When the built-in MTA is used the following actions are taken:
» The email is intercepted
» DNS MX and A resolution are performed on the recipient domain
» The email is delivered
Transparent Proxy
• If the transparent proxy is enabled, the FortiMail unit performs the following actions:
» The email is intercepted
» The email is simply forwarded to its destination
» No queuing of messages in case of delivery failure
• Transparent proxy can be enabled depending on the direction of the mail flow in the following ways:
» Incoming: Select the option “Use this domain’s SMTP to deliver the email” (Mail Settings > Domains)
» Outgoing: Select the option “Use client specified SMTP server to send email” (Mail Settings > Settings)
Mail Traffic Inspection
• To perform inspection on specific mail flows the administrator has to enable proxy inspection on the physical interfaces
Transparent Mode SMTP Pass Through
Diagram: server.internal.lab (10.0.1.100, domain internal.lab) sends Mail From: [email protected], RCPT To: [email protected] toward gw.smarthost.lab (10.0.3.100); its MX record for domain external.lab is gw.smarthost.lab (10.0.3.100). The gateway’s MX record for external.lab is server.external.lab (10.0.2.100, domain external.lab). The transparent unit tp.smarthost.lab (10.0.3.201, interfaces port1 and port2) is configured to Pass Through incoming and outgoing SMTP connections. The session from 10.0.1.100 to 10.0.3.100 is bridged (hops 1 and 2 on the diagram).
Transparent Mode Incoming SMTP MTA Routing
Diagram: the domain smarthost.lab is defined on the transparent unit with IP 10.0.3.100. server.internal.lab (10.0.1.100, domain internal.lab) sends Mail From: [email protected], RCPT To: [email protected] toward gw.smarthost.lab (10.0.3.100); its MX record for domain external.lab is gw.smarthost.lab (10.0.3.100). The transparent mode unit (tp.smarthost.lab, 10.0.3.201, interfaces port1 and port2) intercepts the email and triggers its internal MTA to route the email to its destination, server.external.lab (10.0.2.100, domain external.lab), according to the MX record for domain external.lab: server.external.lab (10.0.2.100). The diagram numbers these two steps 1 and 2.
Transparent Mode Incoming SMTP Proxy
Diagram: the domain smarthost.lab is defined on the transparent unit with IP 10.0.3.100. server.internal.lab (10.0.1.100, domain internal.lab) sends Mail From: [email protected], RCPT To: [email protected] toward gw.smarthost.lab (10.0.3.100); its MX record for domain external.lab is gw.smarthost.lab (10.0.3.100). The transparent mode unit (tp.smarthost.lab, 10.0.3.201, interfaces port1 and port2) intercepts the email and forwards it to 10.0.3.100 (as indicated in the protected domain section); a new session is initiated from the TP unit with source IP 10.0.3.201 to 10.0.3.100. The gateway FortiMail unit receives the email and performs an MX lookup to route the email to its destination, server.external.lab (10.0.2.100, domain external.lab), according to the MX record for domain external.lab: server.external.lab (10.0.2.100). The diagram numbers these steps 1 to 3.
Transparent Mode Outgoing SMTP MTA
Diagram: no protected domain is configured on the transparent FortiMail unit, so all traffic is considered OUTGOING; port1 is configured to proxy outgoing SMTP connections. server.internal.lab (10.0.1.100, domain internal.lab) sends Mail From: [email protected], RCPT To: [email protected] toward gw.smarthost.lab (10.0.3.100); its MX record for domain external.lab is gw.smarthost.lab (10.0.3.100). The transparent mode unit (tp.smarthost.lab, 10.0.3.201, interfaces port1 and port2) intercepts the email and triggers its internal MTA to route the email to its destination, server.external.lab (10.0.2.100, domain external.lab), according to the MX record for domain external.lab: server.external.lab (10.0.2.100). The diagram numbers these two steps 1 and 2.
Transparent Mode Outgoing SMTP Proxy
Diagram: no protected domain is configured on the transparent unit, so all traffic is considered outgoing; port1 is configured to proxy outgoing SMTP connections. server.internal.lab (10.0.1.100, domain internal.lab) sends Mail From: [email protected], RCPT To: [email protected] toward gw.smarthost.lab (10.0.3.100); its MX record for domain external.lab is gw.smarthost.lab (10.0.3.100). The transparent mode unit (tp.smarthost.lab, 10.0.3.201, interfaces port1 and port2) intercepts the email and forwards it to 10.0.3.100 (as indicated by the client); a new session is initiated from the TP unit with source IP 10.0.3.201. The gateway unit receives the email and performs an MX lookup to route the email to its destination, server.external.lab (10.0.2.100, domain external.lab), according to the MX record for domain external.lab: server.external.lab (10.0.2.100). The diagram numbers these steps 1 to 3.