Configuring policies : Controlling SMTP access and delivery : Configuring delivery rules
Configuring delivery rules
The Delivery tab displays a list of delivery rules that apply to SMTP sessions being initiated by the FortiMail unit in order to deliver email.
Delivery rules let you to require TLS for the SMTP sessions the FortiMail unit initiates when sending email to other email servers. They also let you to apply secure MIME (S/MIME) or IBE.
For more information about IBE, see “Configuring IBE encryption”.
When initiating an SMTP session, the FortiMail unit compares each delivery rule to the domain name portion of the envelope recipient address (RCPT TO:), and to the IP address of the SMTP server receiving the connection. Rules are evaluated for a match in the order of their list sequence, from top to bottom. If a matching delivery rule does not exist, the email message is delivered. If a match is found, the FortiMail unit compares the TLS profile settings to the connection attributes and the email message is sent or the connection is not allowed, depending on the result; if an encryption profile is selected, its settings are applied. No subsequent delivery rules are applied. Only one delivery rule is ever applied to any given SMTP session.
If you are using a delivery rule to apply S/MIME encryption, the destination of the connection can be another FortiMail unit, but it could alternatively be any email gateway or server, as long as either:
the destination’s MTA or mail server
the recipient’s MUA
supports S/MIME and possesses the sender’s certificate and public key, which is necessary to decrypt the email. Otherwise, the recipient cannot read the email.
To access this part of the web UI, your administrator account’s:
Domain must be System
access profile must have Read or Read-Write permission to the Policy category
For details, see “About administrator account permissions and domains”.
To configure a delivery rule list
1. Go to Policy > Access Control > Delivery.
 
GUI item
Description
Move
(button)
Click a delivery rule to select it, click Move, then select either:
the direction in which to move the selected rule (Up or Down), or
After or Before, then in Move right after or Move right before indicate the rule’s new location by entering the ID of another delivery rule
FortiMail units match the rules in sequence, from the top of the list downwards.
Enabled
Indicates whether or not the delivery rule is currently in effect.
To disable a delivery rule, mark the check box, then click Yes to confirm.
ID
Displays the number identifying the rule.
If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.
Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.
FortiMail units evaluate delivery rules in sequence. Only the topmost matching delivery rule will be applied.
Sender Pattern
Displays the complete or partial envelope sender email address to match.
Recipient Pattern
Displays the complete or partial envelope recipient email address to match.
TLS Destination IP
Displays the IP address and netmask of the system to which the FortiMail is sending the email message. 0.0.0.0/0.0.0.0 matches any IP address.
TLS Profile
Displays the TLS profile, if any, used to allow or reject a connection.
If the attributes match, the access control action is executed.
If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.
To edit the TLS profile, click its name. For details, see “Configuring security profiles”.
Encryption Profile
Indicates the encryption profile used to apply S/MIME or IBE encryption to the email.
To edit the encryption profile, click its name. For details, see “Configuring encryption profiles”.
2. Either click New to add a delivery control rule or double-click a delivery control rule to modify it.
A dialog appears.
3. Configure the following:
 
GUI item
Description
Enabled
Select whether or not the access control rule is currently in effect.
Sender pattern
Enter a complete or partial envelope sender (MAIL FROM:) email address to match.
Wild card characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.
For example, the sender pattern ??@*.com will match messages sent by any email user with a two letter email user name from any “.com” domain name.
Recipient pattern
Enter a complete or partial envelope recipient (RCPT TO:) email address to match.
Wild card characters allow you to enter partial patterns that can match multiple recipient email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.
For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, example.org, or any other “example” domain ending with a three‑letter top-level domain name.
TLS Destination IP/netmask
Enter the IP address and netmask of the system to which the FortiMail unit is sending the email message using TLS connection. Use the netmask, the portion after the slash (/) to specify the matching subnet.
For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.
Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.
To match any address, enter 0.0.0.0/0.
Note: This field is not used when considering whether or not to apply an encryption profile.
TLS profile
Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.
If the attributes match, the access control action is executed.
If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.
Click New to add a new TLS profile or Edit to modify an existing one.
For more information on TLS profiles, see “Configuring TLS security profiles”.
Encryption profile
Select an encryption profile used to apply S/MIME or IBE encryption to the email.
Note that if you create a delivery rule that uses both IBE encryption profile and TLS profile, the TLS profile will override the IBE encryption profile and the IBE encryption will not be used. If you select an S/MIME profile here and an IBE profile in the Encryption with profile field (Profile > Content > Action), the S/MIME profile will override the IBE encryption profile.
Click New to add a new encryption profile or Edit to modify an existing one.
For more information, see “Configuring encryption profiles” and “Configuring certificate bindings”.
For information about content action profiles, see “Configuring content action profiles”.
Comments
Enter a comment if necessary. The comment will appears as a mouse-over tool-tip in the ID column of the rule list.