Configuring protected domains
The Domains tab displays the list of protected domains.
Protected domains define connections and email messages for which the FortiMail unit can perform protective email processing by describing both:
the IP address of an SMTP server
the domain name portion (the portion which follows the “@” symbol) of recipient email addresses in the envelope
The FortiMail unit uses both parts to compare to connections and email messages when looking for traffic that involves the protected domain.
 
For FortiMail units operating in server mode, protected domains list only the domain name, not the IP address: the IP address of the SMTP server is the IP address of the FortiMail unit itself.
For example, if you wanted to scan email from email addresses such as user.one@example.com hosted on the SMTP server 10.10.10.10, you would configure a protected domain of example.com whose SMTP server is 10.10.10.10.
Aside from defining the domain, protected domains contain settings that apply specifically to all email destined for that domain, such as mail routing and disclaimer messages.
Many FortiMail features require that you configure a protected domain. For example, when applying recipient-based policies for email messages incoming to the protected domain, the FortiMail unit compares the domain name of the protected domain to the domain name portion of the recipient email addresses.
When FortiMail units operating in transparent mode are proxying email connections for a protected domain, the FortiMail unit will pass, drop or intercept connections destined for the IP address of an SMTP server associated with the protected domain, and can use the domain name of the protected domain during the SMTP greeting.
 
For more information on how the domain name and mail exchanger (MX) IP address of protected domains are used, see “Incoming versus outgoing SMTP connections” and “Incoming versus outgoing email messages”.
Usually, you have already configured at least one protected domain during installation of your FortiMail unit; however, some configurations may not require any protected domains. You can add more domains or modify the settings of existing ones if necessary.
 
If you have many mail domains that will use identical settings, instead of creating many protected domains, you may want to create one protected domain, and then configure the others as associated domains. For details, see “Domain Association”.
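The matching rules above (a protected domain is the envelope recipient's domain plus the SMTP server that hosts it; subdomains and associated domains are separate entries that resolve to a parent's settings) can be made concrete. The following is an added example written for this page, not FortiMail code: it models the Domains tab as an in-memory table, extracts the domain portion of an envelope recipient, and classifies messages and connections as incoming or outgoing. The domain names, server addresses and the `DomainTable` and `ProtectedDomain` names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ProtectedDomain:
    name: str                          # FQDN of the protected domain, e.g. "example.com"
    smtp_server: Optional[str] = None  # host or IP of its MX; None in server mode (the unit itself)
    parent: Optional[str] = None       # set when the entry was created with "Is subdomain"
    associations: frozenset = field(default_factory=frozenset)  # domains sharing these settings


def normalize(domain: str) -> str:
    """Fold case and drop a trailing dot so 'Example.COM.' matches 'example.com'."""
    return domain.strip().rstrip(".").lower()


def envelope_domain(rcpt: str) -> str:
    """Domain portion of an envelope recipient: the part after the last '@'.

    The angle brackets of a raw 'RCPT TO:<user@host>' argument are tolerated.
    Splitting on the last '@' is deliberate: a quoted local part such as
    '"a@b"@example.com' must not be read as a recipient at 'b"@example.com'.
    """
    addr = rcpt.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a usable envelope address: {rcpt!r}")
    return normalize(domain)


class DomainTable:
    """In-memory stand-in for the Domains tab: maps names to protected domains."""

    def __init__(self, domains):
        self._by_name = {}
        for d in domains:
            self._by_name[normalize(d.name)] = d
            for assoc in d.associations:
                # An associated domain resolves to the protected domain it is attached to,
                # so it inherits that domain's routing and other settings.
                self._by_name[normalize(assoc)] = d

    def lookup(self, domain: str) -> Optional[ProtectedDomain]:
        # Exact match only: "dev.example.com" is NOT covered by "example.com"
        # unless it was added as a subdomain (or association) in its own right.
        return self._by_name.get(normalize(domain))

    def for_recipient(self, rcpt: str) -> Optional[ProtectedDomain]:
        return self.lookup(envelope_domain(rcpt))

    def for_server_ip(self, ip: str) -> list:
        """Protected domains whose SMTP server is the given IP (connection-level match)."""
        seen, out = set(), []
        for d in self._by_name.values():
            if d.smtp_server == ip and d.name not in seen:
                seen.add(d.name)
                out.append(d)
        return out


def message_direction(table: DomainTable, rcpt: str) -> str:
    """'incoming' when the envelope recipient belongs to a protected domain, else 'outgoing'."""
    return "incoming" if table.for_recipient(rcpt) is not None else "outgoing"


def connection_direction(table: DomainTable, dst_ip: str) -> str:
    """'incoming' when the connection is destined for a protected domain's SMTP server."""
    return "incoming" if table.for_server_ip(dst_ip) else "outgoing"


# Constructed sample configuration (hostnames and addresses are illustrative):
EXAMPLE_TABLE = DomainTable([
    ProtectedDomain("example.com", smtp_server="10.10.10.10",
                    associations=frozenset({"example.net"})),
    ProtectedDomain("lab.example.com", smtp_server="10.10.10.20", parent="example.com"),
])

if __name__ == "__main__":
    for rcpt in ("<User.One@Example.COM>", "bob@example.net",
                 "carol@lab.example.com", "dave@dev.example.com"):
        pd = EXAMPLE_TABLE.for_recipient(rcpt)
        print(f"{rcpt:28} -> {message_direction(EXAMPLE_TABLE, rcpt):8} "
              f"({pd.name if pd else 'no protected domain'})")
```

The point the example makes is the one that catches people in practice: `dev.example.com` is treated as outgoing until it is added as its own subdomain or association, so recipient-based policies silently do not apply to it.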
If the FortiMail unit is operating in gateway mode, you must change the MX entries for the DNS records for your email domain, referring email to the FortiMail unit rather than to your email servers. If you create additional protected domains, you must modify the MX records for each additional email domain. Similarly, MX records must also refer to the FortiMail unit if it is operating in server mode.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.
For details, see “About administrator account permissions and domains”.
Before you begin, if the protected domain will use an IP pool profile, first configure the IP pool profile. For details, see “Configuring IP pools”.
To view and configure protected domains
1. Go to Mail Settings > Domains > Domains.
The tab varies with the operation mode.
 
GUI item
Description
Delete
(button)
Click Delete to remove the protected domain.
Caution: This also deletes all associated email user accounts and preferences.
Domain FQDN
Displays the fully qualified domain name (FQDN) of the protected domain.
If the protected domain is a subdomain or domain association, click the + next to a domain entry to expand the list of subdomains and domain associations. To collapse the entry, click the -.
Relay Type
(transparent and gateway mode only)
Indicates the method by which the FortiMail unit delivers email for the protected domain to its SMTP server: Host, MX Record (this domain), MX Record (alternative domain), IP pool, or LDAP Domain Mail Host.
SMTP Server
(transparent and gateway mode only)
Displays the host name or IP address and port number of the mail exchanger (MX) for this protected domain.
If “Relay Type” is MX Record (this domain) or MX Record (alternative domain), the SMTP server is determined dynamically by querying DNS for the MX record, so this field is empty.
Sub
(transparent and gateway mode only)
A green check mark indicates that the entry is a subdomain of a protected domain.
Association
(transparent and gateway mode only)
A green check mark indicates that the entry is a domain association. For more information on domain associations, see “Domain Association”.
2. Either click New to create a new protected domain, or click a row to modify it.
A multisection dialog appears. Its options vary with the operation mode.
3. Configure the general information as it applies to the current operation mode and your choice for relay type:
GUI item
Description
Domain name
Enter the fully qualified domain name (FQDN) of the protected domain.
For example, if you want to protect email addresses such as user1@example.com, you would enter the protected domain name example.com.
Generally, your protected domain will use a valid, globally-resolvable top-level domain (TLD) such as .com. Exceptions could include testing scenarios, where you have created a .lab mail domain on your private network to prevent accidental conflicts with live mail systems legitimately using their globally-resolvable FQDN.
Relay type
(transparent and gateway mode only)
Select from one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain:
Host: Deliver to one protected SMTP server, with an optional fallback server. Also configure “SMTP server” and “Fallback SMTP server”.
MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also configure “Alternative domain name”.
IP pool: Configure the connection to rotate among one or many protected SMTP servers for load balancing. Also configure the “IP pool profile” (also see “Configuring IP pools”).
LDAP Domain Mail Host: Query the LDAP server for the FQDN or IP address of the SMTP server. Also configure the LDAP Profile (see “Configuring LDAP profiles”).
Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit.
 
 
In gateway mode, a private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server, configure the protected SMTP server’s A record with its private IP address, while on the public DNS server, configure the FortiMail unit’s A record with its public IP address.
In transparent mode, a private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server’s A record with its private IP address. On the public DNS server, configure the protected SMTP server’s A record with its public IP address. Do not modify the MX record.
For performance reasons, DNS lookups are skipped in gateway and server mode unless the sending domain is blank.
SMTP server
(transparent and gateway mode only)
Enter the fully qualified domain name (FQDN) or IP address of the primary SMTP server for this protected domain, then also configure “Port” and “Use SMTPS”.
If you have an internal mail relay that is located on a physically separate server from your internal mail server, this could be your internal mail relay, instead of your internal mail server. Consider your network topology, directionality of the mail flow, and the operation mode of the FortiMail unit. For more information, see “Incoming versus outgoing SMTP connections” and “Avoiding scanning email twice”.
This field appears only if “Relay type” is Host.
Fallback SMTP server
(transparent and gateway mode only)
Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain, then also configure Port and Use SMTPS.
This SMTP server will be used if the primary SMTP server is unreachable.
This field appears only if “Relay type” is Host.
IP pool profile
(transparent and gateway mode only)
Select the IP pool profile that defines the range of SMTP server IP addresses to rotate among. Also configure Port and Use SMTPS.
This field appears only if “Relay type” is IP pool.
LDAP profile
(transparent mode and gateway mode only)
Select the LDAP profile that is configured to return the FQDN or IP address of the SMTP server for this domain. Also configure Port and Use SMTPS.
This field appears only if “Relay type” is LDAP Domain Mail Host.
 
Port
 
Enter the port number on which the SMTP server listens.
If you enable “Use SMTPS”, “Port” automatically changes to the default port number for SMTPS, but can still be customized.
The default SMTP port number is 25; the default SMTPS port number is 465.
This field appears only if “Relay type” is Host, IP pool or LDAP Domain Mail Host.
 
Use SMTPS
Enable to use SMTPS for connections originating from or destined for this protected server. SMTPS is implicit TLS on a dedicated port (465 by default), not STARTTLS negotiated on port 25, so the protected server must accept TLS directly on the configured port.
This field appears only if “Relay type” is Host, IP pool or LDAP Domain Mail Host.
Alternative domain name
(transparent and gateway mode only)
Enter the domain name to use when querying the DNS server for MX records.
This option appears only if “Relay type” is MX Record (alternative domain).
Is subdomain
Mark this check box to indicate the protected domain you are creating is a subdomain of an existing protected domain, then also configure “Main domain”.
Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will appear as grouped under the parent protected domain when viewing the list of protected domains.
This option is available only when another protected domain exists to select as the parent domain.
 
Main domain
Select the protected domain that is the parent of this subdomain. For example, lab.example.com might be a subdomain of example.com.
This option is available only when “Is subdomain” is enabled.
LDAP User Profile
(server mode only)
Select the name of an LDAP profile that you have configured for user authentication and alias expansion (see “Configuring LDAP profiles”). This enables the FortiMail unit to authenticate email users and to expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members.
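To make the relay types and the split-horizon DNS requirement concrete, the following added example (written for this page, not FortiMail code) models a public and a private DNS view with constructed records, orders MX targets the way an MTA would (lowest preference first, equal preferences load balanced), resolves the target list for the Host, MX Record and IP pool relay types, and checks the gateway-mode invariants from the note above: the public MX names the FortiMail unit, and the private MX names the protected servers and never the unit itself. Hostnames (fortimail.example.com, mail1.example.com, and so on) and addresses are assumptions; the LDAP Domain Mail Host relay type is not modeled.

```python
import ipaddress
import random

# Constructed zone data (hostnames and addresses are assumptions for the example).
# Public view: what Internet MTAs see. Gateway mode: MX -> the FortiMail unit's public FQDN.
PUBLIC_VIEW = {
    ("example.com", "MX"): [(10, "fortimail.example.com.")],
    ("fortimail.example.com", "A"): ["203.0.113.10"],
}
# Private view: what the FortiMail unit itself resolves. MX -> the protected SMTP servers,
# with A records carrying their private (pre-NAT) addresses.
PRIVATE_VIEW = {
    ("example.com", "MX"): [(10, "mail1.example.com."), (10, "mail2.example.com."),
                            (20, "backup.example.com.")],
    ("mail1.example.com", "A"): ["10.10.10.10"],
    ("mail2.example.com", "A"): ["10.10.10.11"],
    ("backup.example.com", "A"): ["10.10.10.20"],
    ("fortimail.example.com", "A"): ["10.10.10.5"],
}


class StubResolver:
    """Offline stand-in for a DNS server serving one view."""
    def __init__(self, zone):
        self.zone = zone

    def query(self, name, rtype):
        return list(self.zone.get((name.rstrip(".").lower(), rtype), []))


def resolve_host(resolver, host):
    """Return an IP for a host; literal IP addresses pass through without a lookup."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        answers = resolver.query(host, "A")
        if not answers:
            raise LookupError(f"no A record for {host}")
        return answers[0]


def mx_targets(resolver, domain):
    """MX targets in delivery order: lowest preference first, equal preferences shuffled
    (this is the load balancing the MX relay types describe)."""
    records = resolver.query(domain, "MX")
    if not records:
        raise LookupError(f"no MX record for {domain}")
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        random.shuffle(hosts)
        ordered.extend(hosts)
    return [resolve_host(resolver, h) for h in ordered]


def relay_targets(resolver, relay_type, *, domain=None, host=None, fallback=None,
                  alt_domain=None, ip_pool=None):
    """IPs the unit would try, in order, for each relay type. LDAP Domain Mail Host is
    not modeled (it needs a directory, not DNS)."""
    if relay_type == "host":
        return [resolve_host(resolver, h) for h in (host, fallback) if h]
    if relay_type == "mx_this_domain":
        return mx_targets(resolver, domain)
    if relay_type == "mx_alt_domain":
        return mx_targets(resolver, alt_domain)
    if relay_type == "ip_pool":
        pool = list(ip_pool)
        start = random.randrange(len(pool))       # rotate the starting point
        return pool[start:] + pool[:start]
    raise ValueError(f"unknown relay type {relay_type!r}")


def check_split_horizon(public, private, domain, fortimail_fqdn):
    """Gateway-mode sanity checks. Returns a list of findings; empty means consistent."""
    fm = fortimail_fqdn.rstrip(".").lower()
    pub_mx = [h.rstrip(".").lower() for _, h in public.query(domain, "MX")]
    priv_mx = [h.rstrip(".").lower() for _, h in private.query(domain, "MX")]
    findings = []
    if fm not in pub_mx:
        findings.append(f"public MX for {domain} does not name the FortiMail unit {fm}")
    if not priv_mx:
        findings.append(f"private MX for {domain} is empty; the unit cannot find the protected server")
    if fm in priv_mx:
        findings.append(f"private MX for {domain} points back at the FortiMail unit: mail loop")
    for h in priv_mx:
        if h != fm and not private.query(h, "A"):
            findings.append(f"private view has no A record for MX target {h}")
    return findings


if __name__ == "__main__":
    pub, priv = StubResolver(PUBLIC_VIEW), StubResolver(PRIVATE_VIEW)
    print("Internet MTA delivers to:", relay_targets(pub, "mx_this_domain", domain="example.com"))
    print("FortiMail relays to:     ", relay_targets(priv, "mx_this_domain", domain="example.com"))
    print("checks:", check_split_horizon(pub, priv, "example.com", "fortimail.example.com") or "OK")
    print("private copied from public:",
          check_split_horizon(pub, pub, "example.com", "fortimail.example.com"))
```

Run against real zones (replace the stub with queries to each DNS server), the check catches the commonest failure in gateway mode: copying the public zone into the private DNS server, so that the FortiMail unit's own MX lookup returns its own name and mail loops.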
4. Configure the following sections as needed:
Configuring domain associations
Configuring transparent mode options
Configuring removal of invalid accounts
Configuring advanced settings
Configuring advanced scan settings
Configuring domain level service settings (server mode only)
Configuring mail migration settings (server mode only)