
Solution Brief

FortiMail for Service Providers

Nathalie Rivat

Agenda
FortiMail for Internet Service Providers
Outbound antispam to prevent blacklisting
MMS routing for Mobile Operators
Inbound antispam for internal mail servers
Free mailboxes for ADSL/3G subscribers
Corporate employee mailboxes

FortiMail for Mail Service Providers


Inbound antispam for enterprise customers
Deployment options:
Hosted AV/AS - In the cloud
Remote AV/AS - As a CPE device
Key Features

FortiMail Product Line

ISP Blacklisting Context


When a spammer uses an ADSL/3G connection to support his
illegal activities:
The computer is identified as a source of spam by popular
DNSBL services (DNS BlackList)
As a result, its IP address is registered in a blacklist database
Most Internet MTAs refuse mail from blacklisted IP addresses
DNSBL is a popular technique, widely used by antispam GWs
[Diagram: a source of spam on the ADSL network or the 3G mobile network sends outgoing mail to the Internet. The receiving MTA / antispam GW sends a DNSBL query to the DNSBL server (database of black IPs); the reply is "IP address is listed", and the SMTP connection from the black IP is denied.]
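
Added example (not part of the original brief and not FortiMail code): the DNSBL query described above, written so that an ISP can run it against its own egress addresses to collect the blacklisted ones. It follows the usual DNSBL convention (RFC 5782: reversed address under the list's zone, an answer in 127.0.0.0/8 means listed); the zone name, the addresses and the stub resolver are constructed for the example.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the DNS name a receiving MTA looks up to test `ip` against `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # 32 nibbles, reversed
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """A records for `name`; [] on any lookup failure (NXDOMAIN or resolver error)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolver):
    """Listed means the query name resolves to an address inside 127.0.0.0/8."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)

def audit_egress(ips, zones, resolve=system_resolver):
    """Map each egress (NAT) address to the DNSBL zones that currently list it."""
    return {ip: [z for z in zones if is_listed(ip, z, resolve)] for ip in ips}

# Constructed data: a made-up zone in which only 203.0.113.10 is listed.
CONSTRUCTED_ZONE = "dnsbl.example.net"
CONSTRUCTED_RECORDS = {"10.113.0.203.dnsbl.example.net": ["127.0.0.2"]}

def stub_resolver(name):
    """Offline stand-in for a DNS resolver, backed by the constructed records."""
    return CONSTRUCTED_RECORDS.get(name, [])

if __name__ == "__main__":
    pool = ["203.0.113.10", "203.0.113.11"]
    print(audit_egress(pool, [CONSTRUCTED_ZONE], stub_resolver))
```

Because `system_resolver` treats a resolver failure like "not listed", a monitoring job built on it should track lookup errors separately before reporting an address as clean.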

ISP Blacklisting Subscriber impact


Case #1: the black IP is reassigned to a clean 3G/ADSL subscriber
The latter cannot send mail

Case #2: Even more critical (picture below)


Multiple subscribers are NATed behind the same public IP address
A single infected computer sends out spam
The public IP address is blacklisted
All subscribers are impacted and cannot send mail
[Diagram: a clean source and a source of spam on the 3G mobile network are all NATed by the FW behind the same public IP. That IP is a black IP, so SMTP connections to MTAs on the Internet are denied / refused.]

ISP Blacklisting Cost


Cost of deregistering IPs from DNSBL databases
Fee paid to DNSBL organizations
Recurrent / on a weekly basis / Never ending process

Management cost

Collecting blacklisted IPs
Contacting DNSBL services
Justifying the end of registration
Etc.

User experience
Bad quality of service
Risk of subscribers unsubscribing

IP Blacklisting protection is business critical


This is achieved by filtering outbound mail flow with FortiMail

Outbound antispam User


Transparency
Outbound scanning must not impact users
It is not desirable to change the mail client configuration with
an explicit outgoing relay
User mobility and ease of use
Subscribers should be able to send mail directly to the
Internet
As they were doing before the antispam deployment

The antispam solution must be transparent


Unique and proprietary FortiMail transparent proxy
FortiMail intercepts SMTP sessions even though it is not the
destination MTA
Destination IP = Internet MTA, not FortiMail

Outbound antispam Topology


Policy-based routing makes sure SMTP sessions of
subscribers are redirected to FortiMail for scanning
No need for FortiMail to process web, ftp, pop3, etc. traffic
This would result in unnecessary resource usage
No need to redirect/scan incoming mail flow
i.e. sessions initiated by Internet MTAs

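[Diagram: SMTP clients on the subscriber network send outgoing mail towards the Internet. Policy-based routing on the routers sends outgoing sessions to FortiMail before they pass the firewall to the destination MTAs of outgoing mail; incoming mail comes from MTAs on the Internet.]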

Outbound antispam Protocol


Transparency
Unique to FortiMail
Transparent in the IP layer
FortiMail does not change the client source IP address when
relaying sessions

No interference in the SMTP negotiation


SMTP commands are not altered
SMTP AUTH is performed by the destination MTA
FortiMail does not queue mail if the destination MTA is
unreachable
The ISP is not in charge of compensating MTA availability
by queueing mail

Transparent in the SMTP envelope and headers


There are no visible traces of FortiMail processing

Outbound antispam Protocol


Transparency
SMTP-envelope transparency
[Diagram: SMTP commands are not altered. Between the SMTP client (mydomain.com) and the SMTP server (fortinet.com), the banner "220 MAILSERVER.FORTINET.COM", the command "EHLO ME.MYDOMAIN.COM" and the reply "250 MAILSERVER.FORTINET.COM" are shown unchanged on both sides of FortiMail.]

IP-layer transparency
[Diagram: source and destination IP addresses are not altered. SMTP client 1.2.3.4, SMTP server 5.6.7.8; source IP = 1.2.3.4 and destination IP = 5.6.7.8 on both sides of FortiMail.]

Outbound antispam Filters


Dedicated antispam techniques are required
Traditional antispam GWs rely on reputation/score of
public IP addresses
This technique is not relevant for outbound antispam
Subscribers may have private IP addresses
Not known by central Internet databases

Spam should be blocked before the IP address is blacklisted / score is bad

Fortinet research team developed specific techniques to efficiently identify outbound spam

Identifying 3G subscribers
3G mobile operators: SIM card and MSISDN
An MSISDN is the number associated with a SIM card
It uniquely identifies subscribers
As opposed to IP addresses that are dynamically assigned

FortiMail: the only AS GW that retrieves and processes MSISDN


Benefit: MSISDN Realtime monitoring/blocking
FortiMail dynamically calculates MSISDN reputation
And automatically alerts or blocks offending MSISDNs

Benefit: MSISDN Reporting


MSISDN statistics: Top senders / Src of spam / Src of virus
Thanks to FortiMail MSISDN support ISPs can track bad
subscribers

Identifying 3G subscribers
[Diagram: 3G subscriber, SGSN, GGSN, router, RADIUS server, Internet, destination MTA.
Subscriber connects: an IP address is assigned and the RADIUS server sends MSISDN + IP address.
Subscriber sends a mail: the SMTP session is logged with the MSISDN, the MSISDN reputation is updated, and for an offending MSISDN an alert is sent or the session is blocked.]
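
Added example (not FortiMail's algorithm, which the brief does not describe): one way to attribute SMTP sessions to an MSISDN from RADIUS start/stop records, so that reputation follows the subscriber when a dynamic IP address is reassigned, and to derive an alert/block action from the spam ratio. The record layout, the sample values and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data. RADIUS accounting: (time, event, ip, msisdn)
RADIUS = [
    (100, "start", "10.0.0.5", "15550000001"),
    (120, "start", "10.0.0.9", "15550000003"),
    (400, "stop",  "10.0.0.5", "15550000001"),
    (450, "start", "10.0.0.5", "15550000002"),  # same IP, different subscriber
]
# Constructed SMTP scan results: (time, source ip, is_spam)
SMTP = ([(t, "10.0.0.5", t < 160) for t in (110, 120, 130, 140, 150, 160)]
        + [(t, "10.0.0.5", False) for t in (460, 470, 480, 490, 500)]
        + [(t, "10.0.0.9", t >= 160) for t in (130, 140, 150, 160, 170)])

def build_leases(radius_events):
    """Turn start/stop events into per-IP lists of [start, stop, msisdn]."""
    leases = defaultdict(list)
    for t, event, ip, msisdn in sorted(radius_events):
        held = leases[ip]
        if event == "start":
            if held and held[-1][1] is None:
                held[-1][1] = t              # stop record was lost: close old lease
            held.append([t, None, msisdn])
        elif event == "stop" and held and held[-1][2] == msisdn:
            held[-1][1] = t
    return leases

def msisdn_at(leases, ip, t):
    """MSISDN that held `ip` at time `t`, or None when no lease covers it."""
    for start, stop, msisdn in leases.get(ip, []):
        if start <= t and (stop is None or t < stop):
            return msisdn
    return None

def verdicts(radius_events, smtp_sessions, min_mail=5, alert_at=0.2, block_at=0.5):
    """Per-MSISDN action from the spam ratio; the thresholds are hypothetical."""
    leases = build_leases(radius_events)
    counts = defaultdict(lambda: [0, 0])     # msisdn -> [mail, spam]
    for t, ip, is_spam in smtp_sessions:
        who = msisdn_at(leases, ip, t)       # None = no lease known for the session
        counts[who][0] += 1
        counts[who][1] += int(is_spam)
    result = {}
    for who, (mail, spam) in counts.items():
        ratio = spam / mail
        if who is None:
            result[who] = "unattributed"
        elif mail < min_mail or ratio < alert_at:
            result[who] = "ok"
        else:
            result[who] = "block" if ratio >= block_at else "alert"
    return result
```

With the constructed data, `verdicts(RADIUS, SMTP)` blocks the first holder of 10.0.0.5 and leaves the subscriber who later receives the same address untouched, which a per-IP score could not do.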

MMS routing for Mobile Operator


MMS format
MM3: SMTP-based MMS between MMSC and Internet MTAs
Used to send out MMS to the Internet

MM4: SMTP-based MMS between MMSCs


Used to send out MMS to another mobile operator

FortiMail relays MM3/MM4 traffic


MMSC relays outgoing traffic to FortiMail
Incoming traffic is sent to FortiMail before reaching the MMSC
MMSC is not directly connected to the Internet or other MMSCs
Improved security
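[Diagram: the subscriber phone reaches the MMSC over MM1. Incoming and outgoing MM3 traffic with the Internet, and MM4 traffic with the other operator's MMSC (GRX), pass through the gateway labelled "the secure gateway to connect to Internet & other MMSCs".]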

Inbound antispam for ISPs


Incoming mail filtering to protect local mailboxes
FortiMail provides AV/AS services to filter the incoming flow that
the internal mail servers receive
ISP internal mail server protection
Free mailboxes offered to 3G/ADSL subscribers
ISP corporate mail server protection
Employee mailboxes
[Diagram: service provider location with mail servers (subscriber mailboxes, employee mailboxes); incoming SMTP from the Internet; outgoing SMTP from SMTP clients on the subscriber network and on the corporate network.]

FortiMail for Mail Service Providers


Incoming mail filtering
AV/AS Protection for enterprise customer domains
Deployment option: FortiMail in the cloud
Scenario 1: Full hosted services
Customer mail servers & FortiMail are located at the ISP site
FortiMail protects several customers

Scenario 2: Clean pipe only


Mailserver located at the customer site
FortiMail located at the ISP site protecting several customers

Deployment option: FortiMail as CPE device


Scenario 3: outsourcing without hosting
Mailserver and FortiMail are located at the customer site
FortiMail protects a single customer
Remote management from Service Provider SOC

Mail Service Providers Scenario 1


In the cloud AV/AS services
FortiMail is located at the ISP site and handles multiple domains

Service Provider delivers clean hosted mailboxes to enterprises


Full suite of hosted services (mailserver + AV/AS)

ISP offers clean & free hosted mailboxes to ADSL/3G subscribers


Internal domain protection

Service Provider offers clean mailboxes to employees


Corporate domain protection
[Diagram: service provider location with mail servers and customer mailboxes; incoming SMTP from the Internet; outgoing SMTP from SMTP clients at the customer location.]

Mail Service Providers Scenario 2


In the cloud AV/AS services
FortiMail is located at the ISP site and handles multiple domains

Mail Service Provider delivers clean mail flow to customers


= Clean pipes
Mailserver is located at the customer premise
Hosted AV/AS services
FortiMail provides services to remote mail servers

[Diagram: protection of multiple customer domains. Incoming SMTP from the Internet passes through the service provider location to the mail server at the customer location; SMTP clients at the customer location send outgoing SMTP.]

Mail Service Providers Scenario 3


CPE approach (Customer Premise Equipment)
Mail Service Provider remotely manages customer equipment
Dedicated FortiMail per customer
FortiMail is located at the customer site
Remotely managed from Service Provider SOC

[Diagram: single customer protection. Mail server and SMTP clients at the customer location, incoming and outgoing SMTP with the Internet, remote management from the service provider SOC.]

FortiMail key features for MSP


Scalability from SMB to large enterprises & Service
Providers
Hardware scalability
Optional redundant PS, optional hardware RAID, etc.
Performance scalability

Supports three modes of operation


Explicit relay, transparent relay, mail server

Supports a high number of domains


Up to 20,000 listed domains per box
If not explicitly listed: unlimited number of domains

Role-based management
Per domain configuration rights
Per domain logging and reporting

FortiMail key features for MSP


Same level of features and management through the
range
Encryption, antispam, antivirus, content filtering, etc.

Access to the configuration by GUI or command lines for scripting
Large amount of disk storage for logging and spam
quarantine even on small appliances
From 250GB to several TeraBytes
Embedded reporting engine

Centralized logging and reporting provided by FortiAnalyzer

FortiMail key features for MSP


Unique feature-rich HA implementation
In addition to traditional configuration synchronization
+FortiMail synchronizes mail data for transparent
failover
Mail queues
Mailboxes of quarantined spam

+FortiMail provides automatic failover


Service availability check (WEB, SMTP, etc.)
Interface availability check

FortiMail key features for MSP


High performance
Due to a proprietary MTA development
Mail is not queued but processed in real-time
Minimizes transmission delay
Real-time AV/AS filtering

In relay mode, mail is queued ONLY if the destination MTA is not available
Minimize size of the queue
Simplify queue management

FortiMail key features for MSP


100% Fortinet technology
No third party agreement for AS engine or AV engine
High optimization of the code
Highest possible integration of tasks
Such as mail routing + antispam filtering + virus blocking

Benefit: Performances & Investment protection


Mailbox licence free
No headache tracking number of users
Cost performance

FortiMail Product Line

FortiMail 100 (small enterprise)
4x 10/100
250GB HD
Recommended users: < 250
FortiGuard mail / hour: 20000
Full AV/AS mail / hour: 7k

FortiMail 400B (medium enterprise)
4x 10/100 + 2x 10/100/1000
500GB HD, optional HD
SW RAID 0/1
Recommended users: < 1000
FortiGuard mail / hour: 180k
Full AV/AS mail / hour: 50k

FortiMail 2000A / 4000A (large enterprise, service provider)
4x 10/100/1000
Redundant fans & PS
6x / 12x 250GB HD
HD RAID 0/1/5/10/50
Recommended users: > 1000
FortiGuard mail / hour: 380k
Full AV/AS mail / hour: 160k

FortiMail SKUs

Model: FortiMail 100
SKU: FML-100-BDL-X
Description: 4x 10/100 ports, single 250GB HDD

Model: FortiMail 400B
SKU: FML-400B-BDL-X
Description: 2x 10/100, 4x 10/100/1000, SW RAID 0/1, single 500GB HDD (additional disk in option)

Model: FortiMail 2000A
SKU: FML-2000A-BDL-X
Description: 4x 10/100/1000, dual CPU, dual redundant PS, HW RAID 0/1/, 6x 250GB HDD

Model: FortiMail 4000A
SKU: FML-4000A-BDL-X
Description: 4x 10/100/1000, dual CPU, dual redundant PS, HW RAID 0/1/5/10/50, 12x 250GB HDD

Model: 250GB HD
SKU: FL-400D2
Description: 250GB hard drive for FML-2000A and FML-4000A

Model: 500GB HD
SKU: SP-D500
Description: 500GB hard drive for FML-400B

Thank you
