FortiGate
Andy_G (Staff)
Article Id 193480

Description
The discussion that follows comes from a commonly asked question. Users of FortiGate appliances running FortiOS wish to allow only one mail server (192.168.16.1, for example) to use port 25, and must also restrict all other computers from using it, to limit spam sent by infected hosts.
Scope
This article references a very specific case, and is only relevant for a FortiGate running in NAT mode.
Solution

RESTRICT MAIL FROM IP OF MAIL SERVER

After Being Blacklisted:

Find out which IP in the network is sending SMTP traffic on port 25. This can be done by examining the session table (on the System -> Status page, select [Details] beside the session count) and filtering by destination port 25. This will show a list of all active SMTP sessions.

To block unwanted SMTP traffic you will need two firewall policies: the first allows the specific SMTP traffic you want, and the second blocks all other SMTP traffic.


[Screenshot: Statistic Details]

For internal mail server(s):

The first policy will allow the correct mail server(s) IP to send traffic on port 25. The source in the policy will be the desired mail server(s), the service SMTP, and the action ACCEPT (with a protection profile using any desired scan options). The source address(es) must use a /32 mask, not /24, so that only the mail server itself matches the policy. Enable NAT on the outgoing policy.
[Screenshot: Mail server policy out]

[Screenshot: Mail server policy details]


For external mail server(s):

Create a policy allowing all permitted internal hosts to send traffic to the external mail server(s) IP address: source all, destination the specific IP(s), service SMTP, and an action of ACCEPT (again with an appropriate protection profile and NAT enabled).

In both cases the second firewall policy will be an ALL-ALL-SMTP-DENY policy. Effectively, any traffic on port 25 that does not match the source/destination IP addresses of the first policy will hit this second policy and be dropped.

Firewall Policy Order:

1) Firewall policy order is important
2) The first policy should be located above the “generic” INTERNET access policy
3) The second policy should be located directly below the SMTP allow policy
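The two policies, their ordering and the session-table check described above, written out as FortiOS CLI (syntax of current FortiOS releases). This is an added example, not configuration from the article: the interface names internal and wan1, the address object name, the policy IDs and names, and the generic Internet policy ID 20 are assumptions, and the scan (protection) profile settings are omitted because they depend on the FortiOS version in use.

```fortios
# Address object for the permitted mail server: a single host (/32), not the whole /24.
config firewall address
    edit "MAIL-SERVER-192.168.16.1"
        set subnet 192.168.16.1 255.255.255.255
    next
end

config firewall policy
    # Policy 1: only the mail server may send SMTP (port 25) outbound, with NAT enabled.
    edit 10
        set name "Allow-SMTP-MailServer"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "MAIL-SERVER-192.168.16.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set logtraffic all
    next
    # Policy 2: ALL-ALL-SMTP-DENY. Any other port 25 traffic matches here and is dropped.
    # Logging this policy shows which internal hosts are still trying to send mail directly.
    edit 11
        set name "Deny-SMTP-All"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SMTP"
        set logtraffic all
    next
    # Ordering: the allow policy sits above the generic Internet access policy (assumed ID 20),
    # and the deny policy sits directly below the allow policy.
    move 10 before 20
    move 11 after 10
end

# Verification step from the article, done from the CLI instead of the session table page:
# list the current sessions whose destination port is 25 to see which hosts are sending SMTP.
diagnose sys session filter clear
diagnose sys session filter dport 25
diagnose sys session list
```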

To submit your IP to be reviewed (if blacklisted):
http://www.fortiguardcenter.com/antispam/antispam.html



Related Articles

Technical Tip : Troubleshoot and verify if traffic is hitting a Firewall Policy
