When it comes to security, we at Tech With a Hammer and found the best approach is to have multiple layers of security. One of the important pieces is incoming mail flow. There are an assortment of solutions that can vary in size and requirements, they can be a virtual machine in your network, a physical appliance installed in a rack, or an outside service that mail is routed through.
Of the solutions used we are impartial to Barracuda Spam Firewalls for the clients that would prefer to keep everything in-house, while Appriver is another service that is common to the industry. When it comes to locking down you on-premise Exchange servers another layer of security is to allow only Appriver IP addresses forward SMTP traffic to your server, we recommend disabling PAT for the incoming rule if possible as then the hosts will see traffic coming in from the external IP addresses instead of the firewall.
To make life easy, due to the number of Fortigate devices we have to configure, here is a quick snippet to cover all the network addresses and IPs that SMTP traffic can come through.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
config firewall address edit "AppriverRange1" set associated-interface "wan1" set subnet 5.152.185.128 255.255.255.192 set visibility disable next edit "AppriverRange2" set associated-interface "wan1" set subnet 8.19.118.0 255.255.255.0 set visibility disable next edit "AppriverRange3" set associated-interface "wan1" set subnet 8.31.233.0 255.255.255.0 set visibility disable next edit "AppriverRange4" set associated-interface "wan1" set subnet 72.32.252.0 255.255.255.0 set visibility disable next edit "AppriverRange5" set associated-interface "wan1" set subnet 74.205.4.0 255.255.255.0 set visibility disable next edit "AppriverRange6" set associated-interface "wan1" set subnet 207.97.230.0 255.255.255.0 set visibility disable next edit "AppriverRange7" set associated-interface "wan1" set subnet 207.97.242.0 255.255.255.0 set visibility disable next edit "AppriverAddress1" set type iprange set associated-interface "wan1" set start-ip 69.20.58.226 set end-ip 69.20.58.226 set visibility disable next edit "AppriverAddress2" set type iprange set associated-interface "wan1" set start-ip 69.20.68.133 set end-ip 69.20.68.133 set visibility disable next edit "AppriverAddress3" set type iprange set associated-interface "wan1" set start-ip 207.97.224.142 set end-ip 207.97.224.142 set visibility disable next edit "AppriverAddress4" set type iprange set associated-interface "wan1" set start-ip 207.97.229.125 set end-ip 207.97.229.125 set visibility disable next edit "AppriverAddress5" set type iprange set associated-interface "wan1" set start-ip 8.31.233.196 set end-ip 8.31.233.196 set visibility disable next edit "AppriverAddress6" set type iprange set associated-interface "wan1" set start-ip 92.52.89.74 set end-ip 92.52.89.74 set visibility disable next edit "AppriverAddress7" set type iprange set associated-interface "wan1" set start-ip 72.32.253.10 set end-ip 72.32.253.10 set visibility disable next edit "AppriverAddress8" set type iprange set associated-interface "wan1" set start-ip 72.32.252.97 set end-ip 72.32.252.97 set visibility disable next edit "AppriverAddress9" set type iprange set associated-interface "wan1" set start-ip 69.20.60.122 set end-ip 69.20.60.122 set visibility disable next edit "AppriverAddress10" set type iprange set associated-interface "wan1" set start-ip 69.20.58.234 set end-ip 69.20.58.234 set visibility disable next edit "AppriverAddress11" set type iprange set associated-interface "wan1" set start-ip 72.32.253.39 set end-ip 72.32.253.39 set visibility disable next edit "AppriverAddress12" set type iprange set associated-interface "wan1" set start-ip 98.129.58.235 set end-ip 98.129.58.235 set visibility disable next end config firewall addrgrp edit "Appriver" set member "AppriverRange1" "AppriverRange2" "AppriverRange3" "AppriverRange4" "AppriverRange5" "AppriverRange6" "AppriverRange7" "AppriverAddress1" "AppriverAddress10" "AppriverAddress11" "AppriverAddress12" "AppriverAddress2" "AppriverAddress3" "AppriverAddress4" "AppriverAddress5" "AppriverAddress6" "AppriverAddress7" "AppriverAddress8" "AppriverAddress9" next end |