If no access control rules are configured, or no matching access control rules exist, and if the SMTP client is not configured to authenticate, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain. For protected domains, the default action is RELAY. For unprotected domains, the default action is REJECT. For information on protected domains, see “Configuring protected domains”.
If possible, verify configuration of access control rules in a testing environment before applying them to a FortiMail unit in active use. Failure to verify correctly configured reject, discard, and accept actions can result in inability to correctly handle SMTP sessions.
Do not create an access control rule whose “Sender pattern” is *, “Recipient pattern” is *, “Authentication status” is Any, “TLS profile” is None, and Action is RELAY. This access control rule matches and relays all connections, allowing open relay, which could result in other MTAs and DNSBL servers blocklisting your protected domain.
GUI item | Description |
Move (button) | Select a policy, click Move, then select either: • Up or Down, or • After or Before, which opens a dialog; in Move right after or Move right before, indicate the policy’s new location by entering the ID of another policy. FortiMail units match the policies in sequence, from the top of the list downwards. |
Enabled | Select to enable or disable an existing rule. |
ID | Displays the number identifying the rule. If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column. Note: The ID may differ from the order in which the rules appear on the page, which is the order of evaluation. |
Sender Pattern | Displays the pattern that defines email senders for the rule. |
Recipient Pattern | Displays the pattern that defines email recipients for the rule. |
Sender/IP Netmask | Displays the IP address and netmask of the SMTP client attempting to deliver the email message. |
Reverse DNS Pattern | Displays the pattern used in a reverse DNS look-up. |
Authentication Status | Displays which authentication status is used with the rule. |
TLS Profile | Displays the TLS profile, if any, used to allow or reject a connection. |
Actions | Displays the action to take when SMTP sessions match the rule. |
GUI item | Description |
Enabled | Select whether or not the access control rule is currently in effect. |
Sender pattern | Select either User Defined and enter a complete or partial sender (MAIL FROM:) email address to match, or select: • Internal: Match any email address from a protected domain. • External: Match any email address from an unprotected domain. • Email Group: Match any email address in the group. If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one. For more information, see “Configuring email groups”. • LDAP Group: Match any email address in the group. If you select this option, select an LDAP profile from the LDAP Profile field. The pattern can use wildcards or regular expressions. See “Using wildcards and regular expressions”. For example, the sender pattern ??@*.com matches messages sent by anyone with a two-letter user name from any “.com” domain name. |
Regular expression | Mark this check box next to any of the pattern options to use regular expression syntax instead of wildcards to specify the pattern. See “Using wildcards and regular expressions”. |
Recipient pattern | Either select User Defined and enter a complete or partial recipient (RCPT TO:) email address to match, or select: • Internal: Match any email address from a protected domain. • External: Match any email address from an unprotected domain. • Email Group: Match any email address in the group. If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one. For more information, see “Configuring email groups”. • LDAP Group: Match any email address in the group. If you select this option, select an LDAP profile from the LDAP Profile field. The pattern can use wildcards or regular expressions. See Appendix F in FortiMail Administration Guide. For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, or any “example” domain ending with a three‑letter top-level domain name. |
Sender IP/netmask | Select User Defined and enter the IP address and netmask of the SMTP client attempting to deliver the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet. For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address. Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address. To match any address, enter 0.0.0.0/0. Select IP Group to choose an IP group. Click New to add a new IP group or Edit to modify an existing one. For more information, see “Configuring IP groups”. |
Reverse DNS pattern | Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message. Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail unit does a DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected with SMTP reply code 550 (Relaying denied). The pattern can use wildcards or regular expressions. See “Using wildcards and regular expressions”. For example, the reverse DNS pattern mail*.com matches messages delivered by an SMTP server whose domain name starts with “mail” and ends with “.com”. Note: Reverse DNS queries for access control rules require that the domain name be a valid top level domain (TLD). For example, “.lab” is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it. |
Authentication status | Select whether or not to match this access control rule based on client authentication. • Any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit. • Authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit. • Not Authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit. |
TLS profile | Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile. • If the attributes match, the access control action is executed. • If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile. Click New to add a new TLS profile or Edit to modify an existing one. For more information on TLS profiles, see “Configuring TLS security profiles”. |
Action | Select which action the FortiMail unit will perform for SMTP sessions matching this access control rule. • BYPASS: Relay or proxy and deliver the email, but, if the sender or recipient belongs to a protected domain, bypass all antispam profile processing. Antivirus, content, greylisting and other scans will still occur. • DISCARD: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client. • RELAY: Relay or proxy, process, and deliver the email normally if it passes all configured scans. Do not apply greylisting. • REJECT: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied). |
Comments | Enter a comment if necessary. The comment will appear as a mouse-over tool-tip in the ID column of the rule list. |
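The matching logic described above (top-down evaluation, wildcard sender and recipient patterns, sender IP/netmask, authentication status, reverse DNS failure, and the protected-domain default action), together with a check for the open-relay rule the warning describes, as an added Python model that is not FortiMail code. The rule set, protected domain list and sessions are constructed samples; the TLS profile is not modelled, and treating a 0.0.0.0/0 source as "any client" is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class AccessRule:
    sender: str        # MAIL FROM: pattern, wildcards * and ?
    recipient: str     # RCPT TO: pattern
    source: str        # sender IP/netmask; "0.0.0.0/0" matches any client (assumption)
    auth: str          # "any", "authenticated" or "not_authenticated"
    action: str        # RELAY, REJECT, DISCARD or BYPASS
    rdns: str = ""     # reverse DNS pattern; "" means not checked

def glob_match(pattern, value):
    # '*' matches any run of characters, '?' exactly one, everything else is literal
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return value is not None and re.fullmatch(regex, value, re.I) is not None

def rule_matches(rule, session):
    if not (glob_match(rule.sender, session["mail_from"]) and glob_match(rule.recipient, session["rcpt_to"])):
        return False
    if ipaddress.ip_address(session["client_ip"]) not in ipaddress.ip_network(rule.source, strict=False):
        return False
    if rule.auth != "any" and (rule.auth == "authenticated") != session["authenticated"]:
        return False
    # a failed reverse lookup (rdns None) makes a rule with a reverse DNS pattern fail
    return not rule.rdns or glob_match(rule.rdns, session.get("rdns"))

def decide(rules, session, protected_domains):
    for rule in rules:  # evaluated in list order, top down; the first match wins
        if rule_matches(rule, session):
            return rule.action
    # no match: RELAY when the envelope recipient is in a protected domain, else REJECT
    domain = session["rcpt_to"].rsplit("@", 1)[-1].lower()
    return "RELAY" if domain in protected_domains else "REJECT"

def is_open_relay(rule):
    # the rule the page warns against; the TLS profile is not modelled here
    return (rule.sender == "*" and rule.recipient == "*" and rule.auth == "any"
            and ipaddress.ip_network(rule.source, strict=False).prefixlen == 0
            and rule.action == "RELAY")

# constructed sample policy: authenticated clients and the office LAN may relay anywhere
RULES = [AccessRule("*", "*", "0.0.0.0/0", "authenticated", "RELAY"),
         AccessRule("*", "*", "10.10.10.0/24", "any", "RELAY")]
PROTECTED = {"example.com"}
def session(client_ip, mail_from, rcpt_to, authenticated=False, rdns=None):
    return {"client_ip": client_ip, "mail_from": mail_from, "rcpt_to": rcpt_to,
            "authenticated": authenticated, "rdns": rdns}
```

Running `decide(RULES, session("203.0.113.5", "a@b.org", "x@other.org"), PROTECTED)` returns REJECT because no rule matches and other.org is not protected, while the same session addressed to bob@example.com falls through to RELAY.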