Order of execution of policies
Arrange policies in the policy list by placing the most specific policy at the top and more general policies at the bottom.
For example, a recipient-based policy created with an asterisk (*) entered for the user name is the most general policy possible because it will match all users in the domain. When you create more specific policies, you should move them above this policy. Otherwise, the general policy would always match all email for the domain, and no other recipient-based policy would ever be applied.
FortiMail units execute policies in the following order:
1. The FortiMail unit looks for a matching IP-based policy.
The FortiMail unit evaluates each policy for a match with the IP address of the SMTP client and, for transparent mode, the server. Evaluation occurs in the order of each policy’s distance from the top of the list of IP-based policies. Once a match is found, the FortiMail unit does not evaluate subsequent IP-based policies.
If you have enabled Take precedence over recipient based policy match in the IP-based policy, the FortiMail unit applies the profiles in the IP-based policy. In this case, it ignores recipient-based policies in the following two steps and jumps to step 4.
2. The FortiMail unit looks for a matching recipient-based policy.
The FortiMail unit evaluates each policy for a match with the domain name portion of the recipient’s email address (RCPT TO:), also known as the domain-part. Incoming policies are evaluated for matches before outgoing policies. Evaluation occurs in the order of each policy’s distance from the top of the list of recipient-based policies. Once a match is found, the FortiMail unit does not evaluate subsequent recipient-based policies.
3. The FortiMail unit applies the profiles in the matching recipient-based policy, if any.
4. The FortiMail unit applies the profiles in the matching IP-based policy, if any, only if it did not already apply profiles of that type in step .
 
If SMTP traffic does not match any IP-based or recipient-based policy, it is allowed, but no antivirus or antispam protection is applied to it.
If you are certain that you have configured policies to match and allow all required traffic, you can tighten security by adding an IP policy at the bottom of the policy list to reject all other, unwanted connections.
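The four-step evaluation above, the "most specific at the top" rule and the catch-all reject policy can be checked against a small simulation. The following is an added example written for this page, not FortiMail code: the policy classes, the profile types (`antispam`, `antivirus`), the `take_precedence` flag, the sample addresses and all policy names are constructed assumptions that only model the behaviour the text describes.

```python
"""Simulation of the FortiMail policy evaluation order described above.
Hypothetical model written for this page; not FortiMail's own code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IPPolicy:
    name: str
    client_cidr: str                 # SMTP client address range; "0.0.0.0/0" matches any client
    action: str = "allow"            # "allow" or "reject"
    profiles: Dict[str, str] = field(default_factory=dict)   # profile type -> profile name
    take_precedence: bool = False    # "Take precedence over recipient based policy match"

    def matches(self, client_ip: str) -> bool:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.client_cidr, strict=False)


@dataclass
class RecipientPolicy:
    name: str
    direction: str                   # "incoming" or "outgoing"
    recipient_pattern: str           # user@domain; "*" as the user matches every user in the domain
    profiles: Dict[str, str] = field(default_factory=dict)

    def matches(self, rcpt_to: str) -> bool:
        user, _, domain = rcpt_to.lower().rpartition("@")
        p_user, _, p_domain = self.recipient_pattern.lower().rpartition("@")
        return p_domain == domain and p_user in ("*", user)


@dataclass
class Decision:
    action: str
    ip_policy: Optional[str]
    recipient_policy: Optional[str]
    profiles: Dict[str, str]         # profile type -> profile name actually applied


def evaluate(ip_policies: List[IPPolicy], recipient_policies: List[RecipientPolicy],
             client_ip: str, rcpt_to: str) -> Decision:
    applied: Dict[str, str] = {}
    # Step 1: first matching IP-based policy, top of the list first; later ones are not evaluated.
    ip_match = next((p for p in ip_policies if p.matches(client_ip)), None)
    if ip_match is not None and ip_match.action == "reject":
        return Decision("reject", ip_match.name, None, {})

    rcpt_match = None
    if ip_match is None or not ip_match.take_precedence:
        # Step 2: recipient-based policies, incoming before outgoing, top-down within each list.
        ordered = ([p for p in recipient_policies if p.direction == "incoming"]
                   + [p for p in recipient_policies if p.direction == "outgoing"])
        rcpt_match = next((p for p in ordered if p.matches(rcpt_to)), None)
        # Step 3: profiles of the matching recipient-based policy.
        if rcpt_match is not None:
            applied.update(rcpt_match.profiles)

    # Step 4: IP-based profiles only for profile types not already applied
    # (with "take precedence" set, steps 2 and 3 were skipped, so every IP profile applies).
    if ip_match is not None:
        for ptype, pname in ip_match.profiles.items():
            applied.setdefault(ptype, pname)

    # No matching policy at all: the traffic is allowed with no profiles applied.
    return Decision("allow",
                    ip_match.name if ip_match else None,
                    rcpt_match.name if rcpt_match else None,
                    applied)


# Constructed sample configuration (not from any real deployment).
IP_POLICIES = [
    IPPolicy("internal", "10.0.0.0/8", profiles={"antivirus": "av_internal"}),
    IPPolicy("partner", "203.0.113.0/24", take_precedence=True,
             profiles={"antispam": "as_partner", "antivirus": "av_partner"}),
    IPPolicy("reject-everything-else", "0.0.0.0/0", action="reject"),   # catch-all at the bottom
]

GENERAL_FIRST = [   # the ordering mistake: the wildcard policy sits above the specific one
    RecipientPolicy("example-all", "incoming", "*@example.com", {"antispam": "as_default"}),
    RecipientPolicy("example-vip", "incoming", "vip@example.com",
                    {"antispam": "as_strict", "antivirus": "av_strict"}),
]
SPECIFIC_FIRST = list(reversed(GENERAL_FIRST))


if __name__ == "__main__":
    for rcpts in (GENERAL_FIRST, SPECIFIC_FIRST):
        print([p.name for p in rcpts], evaluate(IP_POLICIES, rcpts, "10.1.2.3", "vip@example.com"))
    print(evaluate(IP_POLICIES, SPECIFIC_FIRST, "203.0.113.7", "vip@example.com"))
    print(evaluate(IP_POLICIES, SPECIFIC_FIRST, "198.51.100.9", "vip@example.com"))
```

With `GENERAL_FIRST`, mail for `vip@example.com` is handled by `example-all` and the strict VIP profiles are never reached; reversing the list fixes that. A client in the `partner` range gets only that policy's profiles because of the precedence flag, and a client matching nothing but the catch-all is rejected, whereas without the catch-all it would be allowed with no profiles at all.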