Administration Guide

Controlling email based on sender and recipient addresses

Go to Policy > Recipient Policy to create recipient-based policies based on the incoming or outgoing directionality of an email message with respect to the protected domain.

Recipient-based policies have precedence if an IP-based policy is also applicable but conflicts. Exceptions include IP-based policies where you have enabled Take precedence over recipient based policy match. For information about how recipient-based and IP-based policies are executed and how the order of policies affects the execution, see How to use policies.

Note

If the FortiMail unit protects many domains, and therefore creating recipient-based policies would be very time-consuming, such as it might be for an Internet service provider (ISP), consider configuring only IP-based policies. For details, see Controlling email based on IP addresses.
Alternatively, consider configuring recipient-based policies only for exceptions that must be treated differently than indicated by the IP-based policy.

Profiles used by the policy, if any, are listed in the policy table, and appear as linked text. To modify profile settings, click the name of the profile.

Before you can configure a recipient policy, you first must have configured:

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

For details, see About administrator account permissions and domains.

About the default system policy

Starting from FortiMail 5.4.0, an inbound and outbound default system-level recipient policy has been added. If enabled, the default system policy will be checked before any other policies. If the email matches the default system policy, no other policies will be checked.

The default system policy provides the following conveniences:

  • If many domains will be using identical policies, you can just modify the default system policy for the domains to use.
  • When troubleshooting profiles and policies, you can temporarily use the system policy for all domains while disabling other policies, so that you can examine the profiles and policies.

If the system policies are not visible, turn on the Show system policy switch.

To view recipient-based policies
  1. Go to Policy > Recipient Policy.
  2. Select Inbound or Outbound to view a list of applicable policies.

GUI item

Description

Move

(button)

FortiMail units match the policies for each domain in sequence, from the top of the list downwards. Therefore, you must put the more specific policies on top of the more generic ones.

To move a policy in the policy list:

  1. Select a domain.
     Note: If Domain is set to All, the Move button is disabled. When Domain is set to a particular domain, Show system policy must be disabled in order to move domain policies.
  2. Click a policy to select it.
  3. Click Move, then select either:
     • the direction in which to move the selected policy (Up or Down), or
     • After or Before, then in Move right after or Move right before indicate the policy’s new location by entering the ID of another policy.

Domain

(drop-down list)

  • All: Select to display both system-level and domain-level policies.
  • System: Select to display system-level policies.
  • <domain>: Select one domain to display this domain’s policies.

Use the Show system policy switch to display or hide the system-level policies when you view all policies or domain-level policies.

If you are a domain administrator, you can only see the domains that are permitted by your administrator profile.

Enabled

Select whether or not the policy is currently in effect.

ID

Displays the number identifying the policy.

If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.

Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.

FortiMail units evaluate policies in sequence. More than one policy may be applied. For details, see Order of execution of policies and Which policy/profile is applied when an email has multiple recipients?.

Domain Name

(column)

Indicates the domain part of the recipient’s email address in the envelope (RCPT TO:) that an email must match in order to be subject to the policy.

  • For incoming recipient-based policies, this is the name of a protected domain.
  • For outgoing recipient-based policies, this is System, indicating that the recipient does not belong to a protected domain.

Sender Pattern

A sender email address (MAIL FROM:) as it appears in the envelope or a wildcard pattern to match sender email addresses.

Recipient Pattern

A recipient email address (RCPT TO:) as it appears in the envelope or a wildcard pattern to match recipient email addresses.

AntiSpam

Displays the antispam profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Managing antispam profiles.

AntiVirus

Displays the antivirus profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring antivirus profiles and antivirus action profiles.

Content

Displays the content profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring content profiles.

DLP

(if DLP is enabled in the GUI)

Displays the DLP profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring data loss prevention.

Resource

(server mode and gateway mode)

Displays the resource profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring resource profiles.

Authentication

(not in server mode; inbound only)

Displays the authentication profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring authentication profiles or Configuring LDAP profiles.

To configure recipient-based policies
  1. Go to Policy > Recipient Policy > Inbound or Outbound, then either click New to add a policy or double-click a policy to modify it.
     A multisection dialog appears.
  2. Select Enable to determine whether or not the policy is in effect.
  3. For Domain, select either System or the domain name that this profile will be used for.
  4. Enter a comment if necessary. The comment will appear as a mouse-over tool-tip in the ID column of the rule list.
  5. Configure the following sections, as applicable:

Configuring the sender and recipient patterns

Configure the Sender Pattern and Recipient Pattern sections.

GUI item

Description

Sender Pattern

Select one of the following ways to define sender (MAIL FROM:) email addresses that match this policy:

  • User: Enter a sender email address or a pattern with wild cards, such as *@.example.com.
  • Local group (server mode only): Select the name of a protected domain in the second drop-down list, then select the name of a user group in the first drop-down list.
  • LDAP group: Select an LDAP profile in which you have enabled and configured a group query, then enter either the group’s full or partial membership attribute value as it appears in the LDAP directory.
    Depending on your LDAP directory’s schema, and whether or not you have enabled Use group name with base DN as group DN, this may be a value such as 1001, admins, or cn=admins,ou=Groups,dc=example,dc=com.
  • Email address group: Select an email group from the dropdown list. For details about creating an email group, see Configuring email groups.

Wild card characters allow you to enter patterns that can match multiple email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

Recipient Pattern

See above descriptions.
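The wildcard rules above combine with top-down evaluation of the policy list, so a generic pattern placed above a specific one silently takes its traffic. The following added example (not FortiMail code) models that with a simplified first-match evaluation of one domain's list and reports policies that match sample envelopes but never win; the policies, IDs, sample addresses and case-insensitive comparison are constructed assumptions.

```python
"""Model of ordered recipient-policy matching (added example, not FortiMail code)."""
import re
from dataclasses import dataclass


def wildcard_to_regex(pattern):
    """Translate the guide's wildcards: '*' = one or more chars, '?' = one char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: addresses are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)


@dataclass(frozen=True)
class Policy:
    policy_id: int        # the ID column; not the evaluation order
    sender: str           # Sender Pattern, matched against envelope MAIL FROM:
    recipient: str        # Recipient Pattern, matched against envelope RCPT TO:
    enabled: bool = True

    def matches(self, mail_from, rcpt_to):
        if not self.enabled:
            return False
        return bool(wildcard_to_regex(self.sender).fullmatch(mail_from)
                    and wildcard_to_regex(self.recipient).fullmatch(rcpt_to))


def first_match(policies, mail_from, rcpt_to):
    """Walk the list from the top; the first enabled match wins (simplified model)."""
    for policy in policies:
        if policy.matches(mail_from, rcpt_to):
            return policy
    return None


def find_shadowed(policies, envelopes):
    """Return {policy_id: [ids that won instead]} for policies that match at
    least one sample envelope but are never the first match for any of them."""
    wins = {p.policy_id: 0 for p in policies}
    lost_to = {}
    for mail_from, rcpt_to in envelopes:
        winner = first_match(policies, mail_from, rcpt_to)
        if winner is None:
            continue
        wins[winner.policy_id] += 1
        for p in policies:
            if p is not winner and p.matches(mail_from, rcpt_to):
                lost_to.setdefault(p.policy_id, set()).add(winner.policy_id)
    return {pid: sorted(ids) for pid, ids in lost_to.items() if wins[pid] == 0}


# Constructed policies for one protected domain.
GENERIC = Policy(3, "*", "*@example.com")
PARTNER = Policy(1, "*@partner.example", "finance@example.com")
NUMBERED = Policy(2, "*", "user?@example.com")

BAD_ORDER = [GENERIC, PARTNER, NUMBERED]    # generic policy on top
GOOD_ORDER = [PARTNER, NUMBERED, GENERIC]   # specific policies on top

# Constructed sample envelopes: (MAIL FROM:, RCPT TO:)
SAMPLES = [
    ("billing@partner.example", "finance@example.com"),
    ("a@other.example", "user1@example.com"),
    ("x@other.example", "info@example.com"),
]

if __name__ == "__main__":
    print("generic on top :", find_shadowed(BAD_ORDER, SAMPLES))
    print("specific on top:", find_shadowed(GOOD_ORDER, SAMPLES))
```

Running the same check against an export of the real policy list and a sample of recent envelope pairs shows which specific policies never take effect in the current order.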

Configuring the profiles section of a recipient policy

Select the profiles that you want to apply to the policy. If you have created a system profile and a domain profile with the same profile name, the profile that appears in the profile drop-down lists is the domain profile, not the system profile. Thus, only the domain profile will be selected.

GUI item

Description

AntiSpam

Select which antispam profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Managing antispam profiles.

Tip: You can use an LDAP query to enable or disable antispam scanning on a per-user basis.

AntiVirus

Select which antivirus profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring antivirus profiles and antivirus action profiles.

Content

Select which content profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring content profiles.

DLP

(if enabled)

Select which DLP profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring DLP profiles.

Resource

(server mode and gateway mode)

Select which resource profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring resource profiles.

Configuring authentication for inbound email

The Authentication and Access section appears only for inbound policies.

Note

When FortiMail authenticates a user, it checks the authentication profile in the matching recipient policy.

Note that for outbound email, when FortiMail requires authentication with the sender, FortiMail looks up authentication profiles for the defined recipient patterns within inbound policies.

For more information on configuring an authentication profile, see Workflow to enable and configure authentication of email users.

GUI item

Description

Authentication type

If you want the email user to authenticate using an external authentication server, select the type of the authentication profile (SMTP, POP3, IMAP, RADIUS, LDAP, or LOCAL for server mode).

Note: In addition to specifying an authentication server for SMTP email messages that this policy governs, configuring Authentication profile also allows email users to authenticate when accessing their per-recipient quarantine using HTTP or HTTPS. For more information, see How to enable, configure, and use personal quarantines.

Authentication profile

Select an existing authentication profile to use with this policy.

Use for SMTP authentication (gateway and transparent mode only)

Enable to allow the SMTP client to use the SMTP AUTH command, and to use the server defined in Authentication profile to authenticate the connection.

Disable to make SMTP authentication unavailable.

This option is available only if you have selected an Authentication profile.

Note: Enabling this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication. For details, see Configuring access control rules.

Allow quarantined email access through POP3 (gateway and transparent mode only)

Enable to allow email users matching this policy to use POP3 to retrieve the contents of their personal quarantine. For more information, see How to enable, configure, and use personal quarantines.

Note: This option is available only if you have selected a profile in Authentication profile.

Note: This option is for POP3 access only. Email users cannot access their personal quarantine through IMAP.

Allow quarantined email access through webmail (gateway and transparent mode only)

Enable to allow email users matching this policy to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their personal quarantine. For more information, see How to enable, configure, and use personal quarantines.

Note: This option is available only if you have selected a profile in Authentication profile.

Configuring the advanced settings of inbound policies

The Advanced Settings section appears for both inbound and outbound policies.

GUI item

Description

Reject different SMTP sender identity for authenticated user

Enable to require that the sender uses the same identity for: authentication name, SMTP envelope MAIL FROM:, and header FROM:.

Disable to remove such requirements on sender identities. By default, this feature is disabled.

Sender identity verification with LDAP server for authenticated user

In some cases, while you do not want to allow different SMTP sender identities for an authenticated user, you still want to:

  • allow users to authenticate with their identities (for example, user1@example.com) and send email from their proxy email addresses (for example, user1.name@example.com and user1name@example.com)
  • or to allow users in an alias group to authenticate with their own identities (for example, salesperson1@example.com) and send email from their alias group address (for example, sales@example.com)

Then you can choose to verify the sender identity with the LDAP server. If the verification is successful, the sender will be allowed to send email with different identities.

Note: When the above rejection option is enabled, even though the authentication identity can be different from the sender identity upon successful LDAP verification, the envelope (MAIL FROM:) address is never allowed to be different from the header (FROM:) address. The two addresses cannot be empty either.
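The decision logic described for these two options can be written out as follows. This is an added example, not FortiMail code: the `DIRECTORY` dictionary is a constructed stand-in for the LDAP verification, `check_sender_identity` and `ldap_allows` are hypothetical names, and the authentication name is assumed to be a full email address.

```python
"""Model of the sender-identity checks described above (added example)."""
from email.utils import parseaddr

# Constructed stand-in for the LDAP directory: authentication identity ->
# addresses it may send as (proxy addresses or alias-group address).
DIRECTORY = {
    "user1@example.com": {"user1.name@example.com", "user1name@example.com"},
    "salesperson1@example.com": {"sales@example.com"},
}


def _addr(value):
    """Extract the bare address from 'Display Name <addr>' and lowercase it."""
    return parseaddr(value or "")[1].strip().lower()


def ldap_allows(auth_identity, sender):
    """Hypothetical LDAP verification: may auth_identity send as sender?"""
    return sender in DIRECTORY.get(auth_identity, set())


def check_sender_identity(auth_name, mail_from, header_from,
                          reject_different=True, ldap_verify=False):
    """Return (allowed, reason) for one authenticated submission.

    reject_different: models 'Reject different SMTP sender identity for
                      authenticated user'.
    ldap_verify:      models 'Sender identity verification with LDAP server
                      for authenticated user'.
    """
    if not reject_different:
        return True, "identity check disabled"

    auth = _addr(auth_name)
    envelope = _addr(mail_from)
    header = _addr(header_from)

    # With the rejection option on, neither sender address may be empty.
    if not envelope or not header:
        return False, "empty envelope or header sender"

    # Envelope MAIL FROM: and header From: must agree, even after LDAP
    # verification has allowed a different authentication identity.
    if envelope != header:
        return False, "envelope MAIL FROM: differs from header From:"

    if envelope == auth:
        return True, "all three identities match"

    if ldap_verify and ldap_allows(auth, envelope):
        return True, "sender verified against directory"

    return False, "sender differs from authentication identity"


if __name__ == "__main__":
    cases = [
        ("user1@example.com", "user1@example.com", "User One <user1@example.com>", False),
        ("user1@example.com", "ceo@example.com", "CEO <ceo@example.com>", False),
        ("salesperson1@example.com", "sales@example.com", "Sales <sales@example.com>", True),
        ("user1@example.com", "user1.name@example.com", "user1name@example.com", True),
    ]
    for auth, env, hdr, ldap in cases:
        print(auth, env, hdr, check_sender_identity(auth, env, hdr, ldap_verify=ldap))
```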

Enable PKI authentication for web mail access

(Inbound policy only)

Enable if you want to allow web mail users to log in by presenting a certificate rather than a user name and password. Also configure Certificate validation is mandatory.

For more information on configuring PKI users and what defines a valid certificate, see Configuring PKI authentication.

Certificate validation is mandatory

(Inbound policy only)

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enable this option.
