For FortiMail units operating in server mode, protected domains list only the domain name, not the IP address: the IP address of the SMTP server is the IP address of the FortiMail unit itself.

For more information on how the domain name and mail exchanger (MX) IP address of protected domains are used, see “Incoming versus outgoing SMTP connections” and “Incoming versus outgoing email messages”.

If you have many mail domains that will use identical settings, instead of creating many protected domains, you may want to create one protected domain and then configure the others as associated domains. For details, see “Domain Association”.
| GUI item | Description |
|---|---|
| Delete (button) | Click Delete to remove the protected domain. Caution: This also deletes all associated email user accounts and preferences. |
| Domain FQDN | Displays the fully qualified domain name (FQDN) of the protected domain. If the protected domain is a subdomain or domain association, click the + next to a domain entry to expand the list of subdomains and domain associations. To collapse the entry, click the -. |
| Relay Type (transparent and gateway mode only) | Indicates one of the methods by which the SMTP server will receive email from the FortiMail unit for the protected domain: Host, MX Record (this domain), MX Record (alternative domain), IP pool, LDAP Domain Mail Host. |
| SMTP Server (transparent and gateway mode only) | Displays the host name or IP address and port number of the mail exchanger (MX) for this protected domain. If “Relay Type” is MX Record (this domain) or MX Record (alternative domain), this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty. |
| Sub (transparent and gateway mode only) | A green check mark indicates that the entry is a subdomain of a protected domain. |
| Association (transparent and gateway mode only) | A green check mark indicates that the entry is a domain association. For more information on domain associations, see “Domain Association”. |
| GUI item | Description |
|---|---|
| Domain name | Enter the fully qualified domain name (FQDN) of the protected domain. For example, if you want to protect email addresses such as user1@example.com, you would enter the protected domain name example.com. Generally, your protected domain will use a valid, globally-resolvable top-level domain (TLD) such as .com. Exceptions could include testing scenarios, where you have created a .lab mail domain on your private network to prevent accidental conflicts with live mail systems legitimately using their globally-resolvable FQDN. |
| Relay type (transparent and gateway mode only) | Select one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain: • Host: Configure the connection to one protected SMTP server and, optionally, one fallback. Also configure “SMTP server” and “Fallback SMTP server”. • MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. • MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also configure “Alternative domain name”. • IP pool: Configure the connection to rotate among one or many protected SMTP servers for load balancing. Also configure the “IP pool profile” (also see “Configuring IP pools”). • LDAP Domain Mail Host: Query the LDAP server for the FQDN or IP address of the SMTP server. Also configure the LDAP profile (see “Configuring LDAP profiles”). Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from those of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit. • In gateway mode, a private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server, configure the protected SMTP server’s A record with its private IP address, while on the public DNS server, configure the FortiMail unit’s A record with its public IP address. • In transparent mode, a private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server’s A record with its private IP address. On the public DNS server, configure the protected SMTP server’s A record with its public IP address. Do not modify the MX record. • For performance reasons, DNS lookups are skipped in gateway and server mode unless the sending domain is blank. |
| SMTP server (transparent and gateway mode only) | Enter the fully qualified domain name (FQDN) or IP address of the primary SMTP server for this protected domain, then also configure “Port” and “Use SMTPS”. If you have an internal mail relay that is located on a physically separate server from your internal mail server, this could be your internal mail relay instead of your internal mail server. Consider your network topology, the directionality of the mail flow, and the operation mode of the FortiMail unit. For more information, see “Incoming versus outgoing SMTP connections” and “Avoiding scanning email twice”. This field appears only if “Relay type” is Host. |
| Fallback SMTP server (transparent and gateway mode only) | Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain, then also configure “Port” and “Use SMTPS”. This SMTP server will be used if the primary SMTP server is unreachable. This field appears only if “Relay type” is Host. |
| IP pool profile (transparent and gateway mode only) | Select the name of the IP pool profile that defines the range of IP addresses. Also configure “Port” and “Use SMTPS”. This field appears only if “Relay type” is IP pool. |
| LDAP profile (transparent and gateway mode only) | Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query. Also configure “Port” and “Use SMTPS”. This field appears only if “Relay type” is LDAP Domain Mail Host. |
| Port | Enter the port number on which the SMTP server listens. If you enable “Use SMTPS”, “Port” automatically changes to the default port number for SMTPS, but can still be customized. The default SMTP port number is 25; the default SMTPS port number is 465. |
| Use SMTPS | Enable to use SMTPS for connections originating from or destined for this protected server. |
| Alternative domain name (transparent and gateway mode only) | Enter the domain name to use when querying the DNS server for MX records. This option appears only if “Relay type” is MX Record (alternative domain). |
| Is subdomain | Mark this check box to indicate that the protected domain you are creating is a subdomain of an existing protected domain, then also configure “Main domain”. Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will appear grouped under the parent protected domain when viewing the list of protected domains. This option is available only when another protected domain exists to select as the parent domain. |
| Main domain | Select the protected domain that is the parent of this subdomain. For example, lab.example.com might be a subdomain of example.com. This option is available only when “Is subdomain” is enabled. |
| LDAP User Profile (server mode only) | Select the name of an LDAP profile you have configured (see “Configuring LDAP profiles”). It is used to authenticate email users and to expand alias email addresses or replace one email address with another, using an LDAP query to retrieve alias members. |
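The “Relay type” options above (Host with a fallback, or an MX lookup that load balances across several records) and the gateway-mode note about split-horizon DNS are easier to reason about with a small model. The following Python is an added example and is not FortiMail code: it models relay-target selection for a protected domain and checks a constructed pair of private and public DNS views against the gateway-mode requirements stated in the note (public MX pointing at the FortiMail unit, private MX pointing at the protected SMTP server with a private A record). The DNS data, host names and IP addresses are constructed; the dictionaries stand in for real MX and A lookups.

```python
"""Added illustration of relay-target selection for a FortiMail protected
domain and of the split-horizon DNS that gateway mode relies on.
Not FortiMail code: DNS data below is constructed, and the dictionaries
stand in for real MX/A lookups."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed DNS views for a gateway-mode deployment behind NAT:
# the private server the FortiMail unit queries, and the public server
# that external SMTP senders query.
PRIVATE_DNS = {
    "MX": {"example.com": [(10, "mail.internal.example.com"),
                           (20, "mail2.internal.example.com")]},
    "A": {"mail.internal.example.com": "10.0.0.25",
          "mail2.internal.example.com": "10.0.0.26",
          "fortimail.example.com": "10.0.0.10"},
}
PUBLIC_DNS = {
    "MX": {"example.com": [(10, "fortimail.example.com")]},
    "A": {"fortimail.example.com": "203.0.113.10"},
}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for RFC 1918 IPv4 addresses. ipaddress.is_private is avoided on
    purpose: it also flags documentation ranges such as 203.0.113.0/24."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def mx_hosts(dns: dict, domain: str) -> list:
    """MX target host names for `domain`, lowest preference first."""
    return [host for _, host in sorted(dns["MX"].get(domain, []))]


@dataclass
class ProtectedDomain:
    """Subset of protected-domain settings that decide the relay target."""
    name: str
    relay_type: str                    # "host", "mx_this_domain", "mx_alt_domain"
    smtp_server: Optional[str] = None  # Host: primary server
    fallback_server: Optional[str] = None
    alt_domain: Optional[str] = None   # MX Record (alternative domain)
    port: int = 25


def relay_candidates(pd: ProtectedDomain, dns: dict) -> list:
    """Return (hostname, ip, port) tuples in the order they would be tried.
    Host: primary then fallback. MX types: every MX target, since the unit
    load balances between multiple MX records."""
    if pd.relay_type == "host":
        hosts = [h for h in (pd.smtp_server, pd.fallback_server) if h]
    elif pd.relay_type == "mx_this_domain":
        hosts = mx_hosts(dns, pd.name)
    elif pd.relay_type == "mx_alt_domain":
        hosts = mx_hosts(dns, pd.alt_domain)
    else:
        raise ValueError(f"unsupported relay type {pd.relay_type!r}")
    return [(h, dns["A"].get(h), pd.port) for h in hosts]


def split_horizon_issues(domain: str, fortimail_fqdn: str,
                         private_dns: dict, public_dns: dict) -> list:
    """Check the gateway-mode DNS requirements: public MX -> FortiMail unit
    with a public A record; private MX -> protected SMTP server(s), never
    the unit itself (that would loop mail back), with RFC 1918 A records
    when the servers sit behind NAT. Returns a list of problems found."""
    issues = []
    if fortimail_fqdn not in mx_hosts(public_dns, domain):
        issues.append(f"public MX for {domain} does not point at {fortimail_fqdn}")
    pub_ip = public_dns["A"].get(fortimail_fqdn)
    if pub_ip is None or is_rfc1918(pub_ip):
        issues.append(f"public A record for {fortimail_fqdn} is missing or private")
    priv = mx_hosts(private_dns, domain)
    if not priv:
        issues.append(f"private MX for {domain} is missing")
    if fortimail_fqdn in priv:
        issues.append(f"private MX for {domain} points back at {fortimail_fqdn} (mail loop)")
    for host in priv:
        ip = private_dns["A"].get(host)
        if ip is None or not is_rfc1918(ip):
            issues.append(f"private A record for {host} is missing or not RFC 1918")
    return issues


if __name__ == "__main__":
    pd = ProtectedDomain("example.com", "mx_this_domain")
    print(relay_candidates(pd, PRIVATE_DNS))
    print(split_horizon_issues("example.com", "fortimail.example.com",
                               PRIVATE_DNS, PUBLIC_DNS))
```

Running `split_horizon_issues` with the same public view passed as both arguments reproduces the misconfiguration the note warns about: the unit would resolve its own FQDN as the MX target and loop mail back to itself. For a live check, the two dictionaries would be replaced by MX and A queries against the private and public resolvers.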