Configure MTA adapter
The Mail-Transfer-Agent (MTA) adapter feature allows email servers like Sendmail to relay emails to FortiSandbox via SMTP protocol. The adapter requires a subscription license. The license is automatically downloaded through FortiGuard and limits the per-mailbox seat count.
FortiSandbox extracts files and URLs in the email being relayed. All email addresses in the To, CC, and BCC fields are counted and tracked for those matching the configured email domains. The tracking of email addresses cannot be updated. If the seat count limit is exceeded by 10%, the system will log a warning system event. Emails are relayed and not scanned if it satisfies one of the following criteria:
- There is no valid MTA subscription license, or the license has expired.
- All email addresses in the To, CC, and BCC fields do not match the configured domain.
- The seat count limit is exceeded and one of the email addresses matches the configured domain.
The quarantine option allows FortiSandbox to hold the email. If quarantine is enabled, suspicious or malicious email is quarantined and will not be relayed. When Send alert email to receivers when email is quarantined is enabled, the recipient will receive an alert email stating that an email is quarantined. The quarantined emails will be saved on FortiSandbox until an admin releases or deletes them (see, To process quarantined emails). If quarantine is disabled, suspicious or malicious email is modified to add a prefix tag on the subject line of the email before getting relayed. The tag is configurable on the MTA configuration page.
To configure the MTA adapter:
- Go to Security Fabric > Adapter.
- Select the MTA adapter and click Edit.
- Enable the adapter.
- Configure the following settings and then click Apply.
To process quarantined emails:
- Go to Security Fabric > Adapter.
If there are malicious and suspicious emails, the number of quarantined emails is displayed beside the MTA adapter name.
- Click the Quarantined link to display the list of quarantined emails.
- To view job details, click the View Details icon.
- To download the job files as a zip file, click the Download Email File icon.
- To preview the original email, click the Preview Email icon.
- To release the quarantined email to recipient, select the emails and click the Release Email icon.
- To delete the quarantined email, select the emails and click the Delete Email icon.
Using MTA in HA-Cluster
In HA-Cluster, the MTA adapter is only available in the primary node.
Configuration is the same as on a standalone device. When the primary node receives MTA jobs, depending on workload and VM association, it distributes the jobs to itself or worker nodes.
In a cluster, configure the Local Interface to the interface of the cluster IP address so that the secondary can take over the configuration in a failover. |
To view jobs in a cluster, go to HA-Cluster > Job Summary.
To view logs in the primary node, go to Log & Report > Events > Job Events.
To view logs in a worker node, go to Log & Report > Events > All Events.