Configuring policies : Controlling email based on sender and recipient addresses
Controlling email based on sender and recipient addresses
Go to Policy > Recipient Policy to create recipient-based policies based on the incoming or outgoing directionality of an email message with respect to the protected domain.
Recipient-based policies have precedence if an IP-based policy is also applicable but conflicts. Exceptions include IP-based policies where you have enabled “Take precedence over recipient based policy match”. For information about how recipient-based and IP-based policies are executed and how the order of polices affects the execution, see “How to use policies”.
 
If the FortiMail unit protects many domains, and therefore creating recipient-based policies would be very time-consuming, such as it might be for an Internet service provider (ISP), consider configuring only IP-based policies. For details, see “Controlling email based on IP addresses”.
Alternatively, consider configuring recipient-based policies only for exceptions that must be treated differently than indicated by the IP-based policy.
Profiles used by the policy, if any, are listed in the policy table, and appear as linked text. To modify profile settings, click the name of the profile.
Before you can configure a recipient policy, you first must have configured:
at least one protected domain (see “Configuring protected domains”)
at least one user group or LDAP profile with a configured group query, if you will use either to define which recipient email addresses will match the policy (see “Managing users” or “Configuring LDAP profiles”)
at least one PKI user, if you will allow or require email users to access their per-recipient quarantine using PKI authentication (see “Configuring PKI authentication”)
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.
For details, see “About administrator account permissions and domains”.
About the default system policy
Starting from FortiMail 5.4.0, an inbound and outbound default system-level recipient policy has been added. If enabled, the default system policy will be checked before any other policies. If the email matches the default system policy, no other policies will be checked.
The default system policy provides the following conveniences:
If many domains will be using identical policies, you can just modify the default system policy for the domains to use.
When troubleshooting profiles and policies, you can temporarily use the system policy for all domains while disabling other policies, so that you can examine the profiles and policies.
If the system policies are not visible, turn on the Show system policy switch.
To view recipient-based policies
1. Go to the Policy > Recipient Policy.
2. Select Inbound or Outbound to view a list of applicable policies.
 
GUI item
Description
Move
(button)
FortiMail units match the policies for each domain in sequence, from the top of the list downwards. Therefore, you must put the more specific policies on top of the more generic ones.
To move a policy in the policy list:
1. Select a domain. Note: if the domain is “All”, the Move button is disabled
2. Click a policy to select it.
3. Click Move, then select either:
the direction in which to move the selected policy (Up or Down), or
After or Before, then in Move right after or Move right before indicate the policy’s new location by entering the ID of another policy.
Domain
(drop-down list)
All: Select to display all system-level and domain-level policies.
System: Select to display all system-level policies.
<domain>: Select one domain to display this domain’s policies.
Use the Show system policy switch to display or hide the system-level policies when you view all policies or domain-level policies.
If you are a domain administrator, you can only see the domains that are permitted by your administrator profile.
Enabled
Select whether or not the policy is currently in effect.
ID
Displays the number identifying the policy.
If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.
Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.
FortiMail units evaluate policies in sequence. More than one policy may be applied. For details, see “Order of execution of policies” and “Which policy/profile is applied when an email has multiple recipients?”.
Domain Name
(column)
Indicates the domain part of the recipient’s email address in the envelope (RCPT TO:) that an email must match in order to be subject to the policy.
For incoming recipient-based policies, this is the name of a protected domain.
For outgoing recipient-based policies, this is System, indicating that the recipient does not belong to a protected domain.
Sender Pattern
A sender email address (MAIL FROM:) as it appears in the envelope or a wildcard pattern to match sender email addresses.
Recipient Pattern
A recipient email address (RCPT TO:) as it appears in the envelope or a wildcard pattern to match recipient email addresses.
AntiSpam
Displays the antispam profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Managing antispam profiles”.
AntiVirus
Displays the antivirus profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring antivirus profiles and antivirus action profiles”.
Content
Displays the content profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring content profiles”.
DLP
Displays the DLP profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring data loss prevention”.
Resource
(server mode only)
Displays the resource profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring resource profiles”.
Authentication
(not in server mode)
Displays the authentication profile selected for the matching recipients.
To modify or view a profile, click its name.The profile appears in a pop-up window. For details, see “Configuring authentication profiles” or “Configuring LDAP profiles”.
To configure recipient-based policies
1. Go to Policy > Recipient Policy > Inbound or Outbound, either click New to add a policy or double-click a policy to modify it.
A multisection dialog appears.
2. Select Enable to determine whether or not the policy is in effect.
3. For Domain, select either System or the domain name that this profile will be used for.
4. Enter a comment if necessary. The comment will appears as a mouse-over tool-tip in the ID column of the rule list.
5. Configure the following sections, as applicable:
“Configuring the inbound recipient policies”
“Configuring the outbound recipient policies”
“Configuring the profiles section of a recipient policy”
“Configuring authentication for inbound email”
“Configuring the advanced settings of inbound policies”