Administration Guide

Configure MTA adapter

The Mail-Transfer-Agent (MTA) adapter feature allows email servers such as Sendmail to relay emails to FortiSandbox over SMTP. The adapter requires a subscription license. The license is automatically downloaded through FortiGuard and limits the per-mailbox seat count.

FortiSandbox extracts the files and URLs in each email being relayed. Email addresses in the To, CC, and BCC fields that match the configured email domains are counted and tracked. The tracking of email addresses cannot be updated. If the seat count limit is exceeded by 10%, the system logs a warning system event. An email is relayed without being scanned if it satisfies one of the following criteria:

  • There is no valid MTA subscription license, or the license has expired.
  • None of the email addresses in the To, CC, and BCC fields match the configured domain.
  • The seat count limit is exceeded and one of the email addresses matches the configured domain.

The quarantine option allows FortiSandbox to hold the email. If quarantine is enabled, suspicious or malicious email is quarantined and is not relayed. When "Send alert email to receivers when email is quarantined" is enabled, the recipient receives an alert email stating that an email has been quarantined. Quarantined emails are saved on FortiSandbox until an admin releases or deletes them (see To process quarantined emails). If quarantine is disabled, a prefix tag is added to the subject line of suspicious or malicious email before it is relayed. The tag is configurable on the MTA configuration page.

To configure the MTA adapter:
  1. Go to Security Fabric > Adapter.
  2. Select the MTA adapter and click Edit.
  3. Enable the adapter.

  4. Configure the following settings and then click Apply.

    URL number to extract from email body

    Maximum number of URLs to be extracted from one email body.

    Tag For Suspicious/Malicious Mails

    If the email scan result is malicious or suspicious, this text is prefixed to the email subject line. The next hop email server can act accordingly.

    Email Scan Timeout (Minutes)

    Maximum time FortiSandbox waits for a scan result. If there is no result when the timeout expires, the email is released to the recipient.

    Message Size Limit (mb)

    Maximum size of an email that is accepted for scanning.

    Disk Usage Upper Limit(%)

    Maximum percentage of disk space used before the MTA stops scanning emails and only routes them.

    Relay Emails for Domain Names

    Domain names of the email servers for which this FortiSandbox relays emails. When FortiSandbox receives these emails and finishes the scan, it relays them if they are clean, or quarantines them if malicious.

    Note

    If you change or remove a domain, emails already submitted for that domain but not yet relayed will be lost.

    Next Hop Mail Server Name

    IP address or domain name of the email server to which emails are relayed.

    Local Interface

    Select the local interface.

    Local SMTP Port

    Specify the local SMTP port.

    Quarantine emails whose content has the following ratings

    Select the ratings of emails to quarantine.

    Send alert email to receivers when email is quarantined

    When an email is quarantined, send an alert email as configured.

    Email Sender

    The From field of the alert email.

    Email Subject

    Subject line of the alert email.

    Email Content Template

    Text of the alert email body.
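
The next-hop side of the Tag For Suspicious/Malicious Mails setting, as an added example that is not part of the FortiSandbox guide or Fortinet code: a Python check a next-hop filter could run to hold mail whose decoded subject starts with the configured tag. The tag value [FSA-SUSPICIOUS], the function names, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.header import Header

# Assumption: placeholder tag; it must equal the value set in
# "Tag For Suspicious/Malicious Mails" on the MTA adapter page.
TAG = "[FSA-SUSPICIOUS]"


def decoded_subject(raw: bytes) -> str:
    """Return the Subject with RFC 2047 encoded-words decoded and folding removed."""
    msg = message_from_bytes(raw, policy=policy.default)
    return str(msg["Subject"] or "")


def disposition(raw: bytes, tag: str = TAG) -> str:
    """Return 'hold' when the subject starts with the tag, otherwise 'deliver'."""
    return "hold" if decoded_subject(raw).lstrip().startswith(tag) else "deliver"


def _mail(subject_header: str) -> bytes:
    """Build a minimal constructed message around an already-encoded Subject value."""
    head = "From: sender@example.com\r\nTo: user@example.org\r\n"
    return (head + "Subject: " + subject_header + "\r\n\r\nbody\r\n").encode("ascii")


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "plain_tag": _mail(TAG + " Invoice 4471"),
    # Non-ASCII subject: the tag is hidden inside an encoded-word on the wire.
    "encoded_tag": _mail(Header(TAG + " Rechnung März", "utf-8").encode()),
    # Subject folded across two physical lines.
    "folded_tag": _mail(TAG + "\r\n quarterly report attached"),
    # Tag present but not as a prefix: treated as untagged.
    "tag_not_prefix": _mail("Re: " + TAG + " Invoice 4471"),
    "clean": _mail("Lunch on Friday?"),
    "no_subject": b"From: sender@example.com\r\n\r\nbody\r\n",
}


def classify_samples() -> dict:
    """Run disposition() over every constructed sample."""
    return {name: disposition(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15} {verdict}")
```

Matching on the raw header bytes instead of the decoded subject would miss the encoded_tag case, because the tag is not visible as plain text on the wire.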

To process quarantined emails:
  1. Go to Security Fabric > Adapter.

    If there are malicious and suspicious emails, the number of quarantined emails is displayed beside the MTA adapter name.

  2. Click the Quarantined link to display the list of quarantined emails.

    • To view job details, click the View Details icon.
    • To download the job files as a zip file, click the Download Email File icon.
    • To preview the original email, click the Preview Email icon.
    • To release quarantined emails to the recipient, select the emails and click the Release Email icon.
    • To delete quarantined emails, select the emails and click the Delete Email icon.

Using MTA in HA-Cluster

In HA-Cluster, the MTA adapter is only available in the primary node.

Configuration is the same as on a standalone device. When the primary node receives MTA jobs, depending on workload and VM association, it distributes the jobs to itself or worker nodes.

Note

In a cluster, set the Local Interface to the interface of the cluster IP address so that the secondary can take over the configuration in a failover.

To view jobs in a cluster, go to HA-Cluster > Job Summary.

To view logs in the primary node, go to Log & Report > Events > Job Events.

To view logs in a worker node, go to Log & Report > Events > All Events.
