IP-based policies can apply in addition to recipient-based policies, although recipient-based policies have precedence if the two conflict, unless you enable Take precedence over recipient based policy match. |
If SMTP traffic does not match any IP-based or recipient-based policy, it is allowed. However, no antivirus or antispam protection will be applied to it. If you are certain that you have configured policies to match and allow all required traffic, you can tighten security by adding an IP policy at the bottom of the policy list to reject all other, unwanted connections. To do this, create a new IP policy, enter 0.0.0.0/0 as the client IP/netmask, and set the action to Reject. See the following procedures for how to configure an IP policy. Then move the policy to the very bottom of the IP policy list. Because this policy matches any connection, all connections that do not match any other policy will match this final policy and be rejected. |
Domain administrators can create and modify IP-based policies. Because IP-based policies can affect any IP address, a domain administrator could create a policy that affects another domain. If you do not want to allow this, do not grant Read-Write permission to the Policy category in domain administrators’ access profiles. |
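The first-match evaluation, the default-allow gap and the catch-all Reject row described above, as an added worked example that is not FortiMail code: the policy model, the action names and the constructed policy list are assumptions made here to illustrate the behaviour.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class IpPolicy:
    # Hypothetical model of one IP-based policy row (not FortiMail code).
    policy_id: int
    source: str              # client IP/netmask; 0.0.0.0/0 matches all clients
    destination: str         # server IP/netmask; 0.0.0.0/0 matches all servers
    action: str              # "scan", "reject", "fail_temporarily" or "proxy_bypass"
    exclusive: bool = False  # Take precedence over recipient based policy match
    enabled: bool = True

# SMTP reply codes the Reject and Fail Temporarily actions send to the client.
REPLY_CODES = {"reject": 550, "fail_temporarily": 451}

def match_ip_policy(policies, client_ip, server_ip):
    """First enabled policy, in list order, whose source and destination match."""
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_address(server_ip)
    for p in policies:
        if not p.enabled:
            continue
        if (client in ipaddress.ip_network(p.source, strict=False)
                and server in ipaddress.ip_network(p.destination, strict=False)):
            return p
    return None

def decide(policies, client_ip, server_ip):
    """Outcome of the IP-policy stage: (policy_id, action, reply_code, recipient_policies_apply).
    A connection matching no row is allowed without any scanning; that is the gap
    the catch-all Reject row at the bottom of the list closes."""
    p = match_ip_policy(policies, client_ip, server_ip)
    if p is None:
        return (None, "allow_unscanned", None, True)
    # Recipient-based policies are skipped when the matching row has Take precedence
    # enabled. Reject/Fail Temporarily end the session and Proxy Bypass skips scanning,
    # so they are modelled here as not leading to further policy matching.
    recipient_policies_apply = p.action == "scan" and not p.exclusive
    return (p.policy_id, p.action, REPLY_CODES.get(p.action), recipient_policies_apply)

# Constructed policy list: a disabled row (ignored), an exclusive row for a trusted
# relay, an internal client range, then the catch-all Reject row at the very bottom.
POLICIES = [
    IpPolicy(9, "0.0.0.0/0", "0.0.0.0/0", "reject", enabled=False),
    IpPolicy(1, "203.0.113.10/32", "0.0.0.0/0", "scan", exclusive=True),
    IpPolicy(2, "192.0.2.0/24", "0.0.0.0/0", "scan"),
    IpPolicy(3, "0.0.0.0/0", "0.0.0.0/0", "reject"),
]
```

Dropping the last row (`POLICIES[:3]`) shows the default-allow behaviour for an unknown client, which is what the final Reject row is meant to prevent.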
GUI item | Description |
Move (button) | Click a policy to select it, click Move, then select either: • the direction in which to move the selected policy (Up or Down), or • After or Before, then in Move right after or Move right before indicate the policy’s new location by entering the ID of another policy. FortiMail units match the policies in sequence, from the top of the list downwards. |
Enabled | Select whether or not the policy is currently in effect. |
ID | Displays the number identifying the policy. If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column. Note: The ID may be different from the order in which the policies appear on the page, which indicates the order of evaluation. FortiMail units evaluate policies in sequence. More than one policy may be applied. For details, see “Order of execution of policies” and “Which policy/profile is applied when an email has multiple recipients?”. |
Source | Displays the IP address of the SMTP source to which the policy applies. |
Destination | Displays the IP address of the destination IP to which the policy applies. |
Session | Displays the name of the session profile applied by this policy. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring session profiles”. |
AntiSpam | Displays the name of the antispam profile applied by this policy. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Managing antispam profiles”. |
AntiVirus | Displays the name of the antivirus profile applied by this policy. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring antivirus profiles and antivirus action profiles”. |
Content | Displays the name of the content profile applied by this policy. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring content profiles”. |
IP Pool | Displays the name of the IP pool profile applied by this policy. The IP addresses in the IP pool are used as the source IP address for the SMTP sessions matching this policy. The IP pool profile is ignored if the “Take precedence over recipient based policy match” option is disabled. • An IP pool in an IP policy will be used to deliver incoming email from FortiMail to the protected server. It will also be used to deliver outgoing email if the sender domain doesn't have a delivery IP pool or, although it has a delivery IP pool, Take precedence over recipient based policy match is enabled in the IP-based policy. • An IP pool (either in an IP policy or domain settings) will NOT be used to deliver email to the protected domain servers if the mail flow is from internal to internal domains. • When an email message’s MAIL FROM is empty "<>", the email is normally an NDR or DSN bounce message. FortiMail will check the IP address of the sender device against the IP list of the protected domains. If the sender IP is found in the protected domain IP list, the email flow is considered internal to internal and the above rule is applied (the IP pool will be skipped). FortiMail will also skip the DNS query if servers of the protected domains are configured as host names and MX record. |
Authentication (not in server mode) | Displays the name of an authentication profile applied to the IP policy. To modify the profile, click its name. The profile appears in a pop-up window. For details, see “Configuring authentication profiles”. |
Exclusive | Indicates whether or not “Take precedence over recipient based policy match” is enabled in this policy. See “Order of execution of policies” for an explanation of that option. • Green check mark icon: The option is enabled. Recipient-based policies will not be applied if a connection matches this IP-based policy. • Red X icon: The option is disabled. Both the IP-based policy and any applicable recipient-based policies will be applied. |
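The IP pool selection rules in the IP Pool row above (incoming versus outgoing mail, internal-to-internal flows, and the empty MAIL FROM bounce check against the protected domains' IP list), as an added example that is not FortiMail code: the function, its argument names and the constructed address list are assumptions made here to illustrate the decision.

```python
import ipaddress

# Constructed sample: server IP ranges of the protected domains (not real data).
PROTECTED_DOMAIN_IPS = ["10.0.0.0/24"]

def is_protected_server(sender_ip, protected_domain_ips):
    """True if the sending device's IP is in the protected domains' IP list."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in protected_domain_ips)

def select_delivery_pool(direction, ip_policy_pool, domain_delivery_pool, exclusive,
                         mail_from, sender_ip, protected_domain_ips):
    """Return the name of the IP pool used as delivery source address, or None.

    direction: "incoming" (to a protected server), "outgoing", or "internal"
    (protected domain to protected domain). exclusive is the IP policy's
    Take precedence over recipient based policy match setting. Hypothetical
    model of the documented rules, not FortiMail's implementation.
    """
    # An empty MAIL FROM "<>" is normally an NDR/DSN bounce: when the sender
    # device is in the protected domain IP list, the flow is treated as
    # internal to internal, so the pool is skipped.
    if mail_from in ("", "<>") and is_protected_server(sender_ip, protected_domain_ips):
        direction = "internal"
    if direction == "internal":
        return None                      # no pool for internal-to-internal mail
    if direction == "incoming":
        return ip_policy_pool            # IP policy pool delivers to the protected server
    # Outgoing: the sender domain's delivery pool is used unless it is absent
    # or the matching IP policy has Take precedence enabled.
    if domain_delivery_pool is None or exclusive:
        return ip_policy_pool
    return domain_delivery_pool
```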
GUI item | Description |
Enable | Select or clear to enable or disable the policy. |
Source | Enter the IP addresses of the SMTP clients to whose connections this policy will apply, using one of the following types: • IP address and subnet mask • IP group. See “Configuring IP groups”. • IP pool. See “Configuring IP pools”. To match all clients, enter 0.0.0.0/0. |
Destination | If the FortiMail unit runs in transparent mode, enter the IP address of the SMTP server to whose connections this policy will apply, using one of the following types: • IP address and subnet mask • IP group. See “Configuring IP groups”. • IP pool. See “Configuring IP pools”. To match all servers, enter 0.0.0.0/0. If the FortiMail unit runs in gateway or server mode, the destination will be the FortiMail unit itself. But if you use virtual hosts on the FortiMail unit, you can specify which virtual host (IP/subnet or IP pool) the email is destined to. Otherwise, you do not have to specify the destination address. If you use virtual hosts, you must also configure the MX record to direct email to the virtual host IP addresses as well. This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different hosts and logging for each host can be separated as well. |
Action | Select whether to: • Scan: Accept the connection and perform any scans configured in the profiles selected in this policy. • Reject: Reject the email and respond to the SMTP client with SMTP reply code 550, indicating a permanent failure. • Fail Temporarily: Reject the email and respond to the SMTP client with SMTP reply code 451, indicating to try again later. • Proxy Bypass: Bypass the FortiMail proxy without scanning. |
Comments | Enter a comment if necessary. The comment will appear as a mouse-over tool-tip in the ID column of the rule list. |
Profiles | ||
Session | Select the name of a session profile to have this policy apply. This option is applicable only if “Action” is Scan. Warning: If you are configuring an IP-based policy in transparent mode, you must select a session profile for the policy to work. | |
AntiSpam | Select the name of an antispam profile to have this policy apply. This option is applicable only if “Action” is Scan. | |
AntiVirus | Select the name of an antivirus profile to have this policy apply. This option is applicable only if “Action” is Scan. | |
Content | Select the name of a content profile to have this policy apply. This option is applicable only if “Action” is Scan. | |
IP pool | Select the name of an IP pool profile, if any, that this policy will apply. • An IP pool in an IP policy will be used to deliver incoming email from FortiMail to the protected server. It will also be used to deliver outgoing email if the sender domain doesn't have a delivery IP pool or, although it has a delivery IP pool, Take precedence over recipient based policy match is enabled in the IP-based policy. • An IP pool (either in an IP policy or domain settings) will NOT be used to deliver email to the protected domain servers if the mail flow is from internal to internal domains. • When an email message’s MAIL FROM is empty "<>", the email is normally an NDR or DSN bounce message. FortiMail will check the IP address of the sender device against the IP list of the protected domains. If the sender IP is found in the protected domain IP list, the email flow is considered internal to internal and the above rule is applied (the IP pool will be skipped). FortiMail will also skip the DNS query if servers of the protected domains are configured as host names and MX record. This option is applicable only if “Action” is Scan. For details about IP pools, see “Configuring IP pools”. | |
Authentication and Access (not available in server mode) | This section appears only if the FortiMail unit is operating in gateway or transparent mode. For server mode, select a resource profile instead. For more information on configuring authentication, see “Workflow to enable and configure authentication of email users”. | |
Authentication type | If you want the email user to authenticate using an external authentication server, select the authentication type of the profile (SMTP, POP3, IMAP, RADIUS, or LDAP). Note: In addition to specifying an authentication server for SMTP email messages that this policy governs, configuring “Authentication profile” also allows email users to authenticate when accessing their per-recipient quarantine using HTTP or HTTPS. For more information, see “How to enable, configure, and use personal quarantines”. | |
Authentication profile | Select an existing authentication profile to use with this policy. Click New to create one or Edit to modify the selected profile. | |
Use for SMTP authentication | Enable to allow the SMTP client to use the SMTP AUTH command, and to use the server defined in “Authentication profile” to authenticate the connection. Disable to make SMTP authentication unavailable. This option is available only if you have selected an “Authentication profile”. Note: Enabling this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication. For details, see “Configuring access control rules”. | |
Miscellaneous | ||
Reject different SMTP sender identity for authenticated user | Enable to require that the sender uses the same identity for: authentication name, SMTP envelope MAIL FROM:, and header FROM:. Disable to remove such requirements on sender identities. By default, this feature is disabled. | |
Sender identity verification with LDAP server | In some cases, while you do not want to allow different SMTP sender identities for an authenticated user, you still want to: • allow users to authenticate with their identities (for example, user1@example.com) and send email from their proxy email addresses (for example, user1.name@example.com and user1name@example.com) • or allow users in an alias group to authenticate with their own identities (for example, salesperson1@example.com) and send email from their alias group address (for example, sales@example.com) In these cases you can choose to verify the sender identity with the LDAP server. If the verification is successful, the sender will be allowed to send email with different identities. Note: When the above rejection option is enabled, even though the authentication identity can differ from the sender identity upon successful LDAP verification, the envelope (MAIL FROM:) address is never allowed to differ from the header (FROM:) address, and neither of the two addresses can be empty. | |
Take precedence over recipient based policy match | Enable to omit use of recipient-based policies for connections matching this IP-based policy. For information on how policies are executed, see “How to use policies”. This option is applicable only if “Action” is Scan. Note: Enabling this option also causes the FortiMail unit to ignore the option “Hide the transparent box” in the protected domain. |
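The sender identity rules from the Miscellaneous rows (reject a different SMTP sender identity for an authenticated user, with LDAP verification allowing proxy and alias-group addresses while the envelope and header senders must still match and be non-empty), as an added example that is not FortiMail code: the function, the `ldap_verify` callback and the constructed directory are assumptions made here to illustrate the checks.

```python
# Constructed stand-in for what an LDAP lookup would return: the proxy
# addresses and alias-group addresses each authenticated user may send from.
DIRECTORY = {
    "user1@example.com": {"user1.name@example.com", "user1name@example.com"},
    "salesperson1@example.com": {"sales@example.com"},
}

def directory_lookup(auth_name, address):
    """Hypothetical LDAP verification: may auth_name send as address?"""
    return address.lower() in DIRECTORY.get(auth_name.lower(), set())

def sender_identity_ok(auth_name, mail_from, header_from,
                       reject_different=True, ldap_verify=None):
    """Model of the two Miscellaneous options (hypothetical, not FortiMail code).

    auth_name: SMTP AUTH identity; mail_from: envelope MAIL FROM:; header_from:
    message header From:. reject_different mirrors "Reject different SMTP sender
    identity for authenticated user"; ldap_verify, when given, stands in for
    "Sender identity verification with LDAP server". Returns (accepted, reason).
    """
    if not reject_different:
        return True, "identity check disabled"
    # With rejection enabled, neither address may be empty and the envelope
    # sender must always equal the header sender, LDAP verification or not.
    if not mail_from or not header_from:
        return False, "empty envelope or header sender"
    if mail_from.lower() != header_from.lower():
        return False, "envelope MAIL FROM differs from header From"
    if mail_from.lower() == auth_name.lower():
        return True, "all three identities match"
    # Different sender identity: allowed only after successful LDAP verification.
    if ldap_verify is not None and ldap_verify(auth_name, mail_from):
        return True, "different identity allowed by LDAP verification"
    return False, "sender identity differs from authentication name"
```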