Administration Guide

Configuring IP pools

The Profile > IP Pool tab displays the list of IP pool profiles.

IP pools define a range of IP addresses, and can be used in multiple ways:

  • To define source IP addresses used by the FortiMail unit if you want outgoing email to originate from a range of IP addresses (see IP pool)
  • To define destination addresses used by the FortiMail unit if you want incoming email to be destined for the virtual host on a range of IP addresses (see IP pool)

Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

Note
  • An IP pool in an IP policy will be used to deliver incoming emails from FortiMail to the protected server. It will also be used to deliver outgoing emails if the sender domain doesn't have a delivery IP pool or, although it has a delivery IP pool, Take precedence over recipient based policy match is enabled in the IP-based policy.
  • An IP pool (either in an IP policy or domain settings) will NOT be used to deliver emails to the protected domain servers if the mail flow is from internal to internal domains.
  • When an email message’s MAIL FROM is empty ("<>"), the email is normally an NDR or DSN bounce message. FortiMail checks the IP address of the sender device against the IP list of the protected domains. If the sender IP is found in the protected domain IP list, the email flow is considered internal to internal and the above rule applies (the IP pool is skipped). FortiMail also skips the DNS query if the servers of the protected domains are configured as host names and MX records.
  • Avoid using large IP pools because whenever an IP pool is referenced, FortiMail will send out gratuitous ARP for each IP address in the IP pool. Too many gratuitous ARP broadcasts may flood the network.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • Access profile must have Read or Read-Write permission to the Policy category.

For details, see About administrator account permissions and domains.

To manage IP pool profiles
  1. Go to Profile > IP Pool > IP Pool.
  2. Either click New to add a profile or double-click a profile to modify it. The profile name is editable later.
  3. Configure the following:

| GUI item | Description |
|---|---|
| Pool name | Enter a name. The name must contain only alphanumeric characters, hyphens ( - ) and underscores ( _ ). Spaces are not allowed. |
| IP Group | Click New to create a new IP group, which can be an IP/netmask or IP range. For example, 192.168.1.0/24. |
| Comment | Optionally enter a descriptive comment. |
| SMTP Certificate | If you want to bind a certificate to this IP pool profile for TLS purposes, under SMTP Certificate, select a certificate and specify whether the certificate will be used for mail receiving, delivery, or both. For example, if FortiMail protects several mail servers for several customers, you may want to bind the customer’s own certificate to the customer’s IP pool. |
| SMTP Session | By default, FortiMail uses its system host name as the greeting name in SMTP sessions. In some cases, for example, when different IP pools are bound to different domains, you may want to use different host names for different IP pools. To do this, under SMTP Session, select Use other name and specify the host name to use. This setting applies when FortiMail is connecting as a server or a client. |

To apply the IP pool, select it when configuring a protected domain (you can use the IP pool for delivering and/or receiving directions) or when configuring an IP-based policy. For details, see IP pool, and/or IP Pool.
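
A pre-change check for a planned pool, added here as an example (not Fortinet code): it applies the pool-name rule, counts the addresses in each IP group as an upper bound on the gratuitous ARPs sent each time the pool is referenced, and shows the round-robin order with wrap-around. The `start-end` range syntax, the 64-address review threshold, the ordering across multiple groups and all function names are assumptions.

```python
import ipaddress
import re

# Pool-name rule from the table: alphanumerics, hyphens and underscores only.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
MAX_POOL_SIZE = 64  # assumed review threshold, not a FortiMail limit


def group_bounds(group):
    """Return (first, last) address of one IP group as integers."""
    if "-" in group:  # assumed 'start-end' range syntax
        first, last = (int(ipaddress.IPv4Address(p.strip()))
                       for p in group.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {group}")
        return first, last
    # IP/netmask form; every address in the block is counted (upper bound).
    net = ipaddress.IPv4Network(group, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def review_pool(name, groups, max_size=MAX_POOL_SIZE):
    """Return (address_count, findings) for a planned IP pool profile."""
    findings = []
    if not NAME_RE.fullmatch(name):
        findings.append("pool name: only alphanumerics, '-' and '_' allowed")
    size = sum(last - first + 1 for first, last in map(group_bounds, groups))
    if size > max_size:
        findings.append(f"{size} addresses: one gratuitous ARP each "
                        "whenever the pool is referenced")
    return size, findings


def rotation(groups):
    """Yield addresses in round-robin order, wrapping after the last one."""
    spans = [range(first, last + 1) for first, last in map(group_bounds, groups)]
    while spans:  # lazy, so a large pool is never expanded in memory
        for span in spans:
            for n in span:
                yield str(ipaddress.IPv4Address(n))


if __name__ == "__main__":
    # Constructed sample pools.
    print(review_pool("cust-a_out", ["192.168.1.0/24"]))
    print(review_pool("cust a", ["192.168.1.10-192.168.1.12"]))
    picks = rotation(["192.168.1.10-192.168.1.12"])
    print([next(picks) for _ in range(4)])
```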
