Administration Guide

How to use policies

Use access control rules and delivery rules to control which SMTP clients can send email through an SMTP relay and how SMTP will deliver email that it proxies or relays.

Recipient-based policies are applied to individual email messages based on the recipient’s email address.

IP-based policies are applied based on the IP address of the connecting SMTP client and, if the FortiMail unit is operating in transparent mode, the SMTP server.

See also

What is a policy?

Whether to use IP-based or recipient-based policies

Order of execution of policies

Which policy/profile is applied when an email has multiple recipients?

Whether to use IP-based or recipient-based policies

Since there are two types of policies, which type should you use?

You can use either or both.

Exceptions include the following scenarios, which require IP-based policies:

  • mail hosting service providers: There is a great number of domains, and it is not feasible to configure them all as protected domains on the FortiMail unit.

  • Internet service providers (ISPs): Mail domains of customers are not known.

  • session control: Even if protected domains are known and configured on the FortiMail unit, an IP-based policy must be created in order to apply a session profile. Session profiles are only available in IP-based policies.

  • differentiated services based on the network of origin: To apply antispam and antivirus protection based on the IP address of the SMTP client or based on a notion of the internal or external network, rather than the domain in a recipient’s email address, you must use an IP-based policy.

As a general rule, it is simpler to use IP-based policies. Use recipient-based policies only where they are required, such as when the policy must be tailored for a specific email address.

Note

For webmail login, configure an inbound recipient-based policy with Use for SMTP authentication enabled under Authentication and Access. This option is only available when the FortiMail unit is operating in either Gateway or Transparent mode.

IP-based policy authentication does not support webmail login.

For example, if your company is an ISP, you can use recipient-based policies to apply antispam and antivirus profiles for only the customers who have paid for those services.

If both a recipient-based policy and an IP-based policy match the email, the settings in the recipient-based policy take precedence unless you have enabled Take precedence over recipient based policy match in the IP-based policy.

See also

Controlling email based on sender and recipient addresses

Controlling email based on IP addresses

Order of execution of policies

Arrange policies in the policy list by placing the most specific policy at the top and more general policies at the bottom.

For example, a recipient-based policy created with an asterisk (*) entered for the user name is the most general policy possible because it will match all users in the domain. When you create more specific policies, you should move them above this policy. Otherwise, the general policy would always match all email for the domain, and no other recipient-based policy would ever be applied.

FortiMail units execute policies in the following order:

  1. As a general rule, recipient-based policies override IP-based policies. This means that if an email message matches both a recipient-based policy and an IP-based policy, the settings in the recipient-based policy will be applied and the IP-based policy will be ignored. The exception is described in the next step.
  2. The FortiMail unit looks for a matching IP-based policy.
  3. The FortiMail unit evaluates each policy for a match with the IP address of the SMTP client and, for transparent mode, the server. Evaluation occurs in the order of each policy’s distance from the top of the list of IP-based policies. Once a match is found, the FortiMail unit does not evaluate subsequent IP-based policies.

    If you have enabled Take precedence over recipient based policy match in the IP-based policy, the FortiMail unit applies the profiles in the IP-based policy. In this case, it ignores recipient-based policies in the following two steps and jumps to step 7.

  4. The FortiMail unit looks for a matching recipient-based policy.
  5. The FortiMail unit evaluates each policy for a match with the domain name portion of the recipient’s email address (RCPT TO:), also known as the domain-part. Incoming policies are evaluated for matches before outgoing policies. Evaluation occurs in the order of each policy’s distance from the top of the list of recipient-based policies. Once a match is found, the FortiMail unit does not evaluate subsequent recipient-based policies.

  6. The FortiMail unit applies the profiles in the matching recipient-based policy, if any.
  7. The FortiMail unit applies the profiles in the matching IP-based policy, if any, only if you have enabled Take precedence over recipient based policy match in the IP-based policy, or if there is no recipient-based policy match.

Caution

If SMTP traffic does not match any IP-based or recipient-based policy, it is allowed. However, no antivirus or antispam protection may be applied.
If you are certain that you have configured policies to match and allow all required traffic, you can tighten security by adding an IP policy at the bottom of the policy list to reject all other, unwanted connections.
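
The evaluation order above, written out as a small Python model. This is an added example, not FortiMail code or configuration syntax: the class names, policy names, glob-style recipient patterns and sample addresses are assumptions made for illustration, and the incoming/outgoing distinction is left out. It shows the first-match rule, the Take precedence over recipient based policy match exception, the case where nothing matches and mail is allowed with no profiles, and a check for recipient-based policies that can never match because a more general policy sits above them.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

@dataclass
class IpPolicy:
    name: str
    client_net: str            # CIDR compared with the SMTP client IP
    precedence: bool = False   # "Take precedence over recipient based policy match"

@dataclass
class RcptPolicy:
    name: str
    pattern: str               # user@domain glob; "*" as user name matches every user

def first_match(policies, pred):
    """Top-down evaluation: stop at the first match, never look further."""
    return next((p for p in policies if pred(p)), None)

def resolve(client_ip, rcpt, ip_policies, rcpt_policies):
    """Return the name of the policy whose profiles apply, or None."""
    ip_hit = first_match(ip_policies,
                         lambda p: ip_address(client_ip) in ip_network(p.client_net))
    if ip_hit and ip_hit.precedence:
        return ip_hit.name                     # recipient-based lookup is skipped
    rcpt_hit = first_match(rcpt_policies,
                           lambda p: fnmatchcase(rcpt.lower(), p.pattern.lower()))
    if rcpt_hit:
        return rcpt_hit.name                   # recipient-based overrides IP-based
    return ip_hit.name if ip_hit else None     # None: allowed, no profiles applied

def shadowed(rcpt_policies):
    """Names of policies that can never match because a broader one sits above."""
    return [later.name for i, later in enumerate(rcpt_policies)
            if any(fnmatchcase(later.pattern.lower(), earlier.pattern.lower())
                   for earlier in rcpt_policies[:i])]

# Constructed sample policy lists (documentation address ranges and domains).
IP_POLICIES = [IpPolicy("ip-partner", "192.0.2.0/24", precedence=True),
               IpPolicy("ip-internal", "198.51.100.0/24")]
RCPT_BAD = [RcptPolicy("all-users", "*@example.com"),
            RcptPolicy("ceo-strict", "ceo@example.com")]
RCPT_GOOD = list(reversed(RCPT_BAD))           # most specific policy on top

if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.7", "ceo@example.com"),
                     ("198.51.100.9", "ceo@example.com"),
                     ("203.0.113.5", "bob@example.net")]:
        print(ip, rcpt, "->", resolve(ip, rcpt, IP_POLICIES, RCPT_GOOD))
    print("shadowed:", shadowed(RCPT_BAD))
```

A result of None from resolve() is the case the Caution describes: the traffic is allowed and no antivirus or antispam profile is applied.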

See also

Controlling email based on sender and recipient addresses

Controlling email based on IP addresses

Which policy/profile is applied when an email has multiple recipients?

When applying recipient-based policies, an email message with multiple recipients is treated as if it were multiple email messages, each with a single recipient. This allows a fine degree of control for each recipient, but also means that separate recipient-based policies may block the email for some recipients but allow it for others.

Exceptions include use of an antivirus profile. In this case, the FortiMail unit will treat an email with multiple recipients as a single email. Starting with the first recipient email address, the FortiMail unit will look for a matching recipient-based policy. If none is found, the FortiMail unit will evaluate each subsequent recipient email address for a matching policy. The FortiMail unit will apply only the first matching policy; it will not evaluate subsequent recipients for a matching policy. If no matching recipient-based policy is found, the FortiMail unit will apply the antivirus profile from the IP-based policy, if any.

If no recipient-based or IP-based policy matches, no profile is applied.
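
The multi-recipient behaviour described above, as an added Python model (not FortiMail code; the policy tuples, profile names and addresses are constructed for illustration). It contrasts per-recipient handling with the antivirus exception, where the first recipient that has a matching recipient-based policy decides the antivirus profile for the whole message.

```python
from fnmatch import fnmatchcase

# Constructed recipient-based policies, top-down:
# (recipient pattern, antispam profile, antivirus profile). Names are hypothetical.
RCPT_POLICIES = [
    ("ceo@example.com", "as-strict", "av-strict"),
    ("*@example.com",   "as-basic",  "av-basic"),
]
IP_POLICY_AV = "av-ip-default"   # antivirus profile of the matching IP-based policy, if any

def match(rcpt, policies=RCPT_POLICIES):
    """First recipient-based policy matching one address, or None."""
    return next((p for p in policies if fnmatchcase(rcpt.lower(), p[0])), None)

def antispam_per_recipient(rcpts):
    """Each recipient is handled as its own message.

    None means no recipient-based policy matched that address.
    """
    result = {}
    for r in rcpts:
        hit = match(r)
        result[r] = hit[1] if hit else None
    return result

def antivirus_for_message(rcpts, ip_av=IP_POLICY_AV):
    """One antivirus profile for the whole message.

    Recipients are checked in order; the first one with a matching
    recipient-based policy decides, and later recipients are not evaluated.
    """
    for r in rcpts:
        hit = match(r)
        if hit:
            return hit[2]
    return ip_av   # falls back to the IP-based policy; None means no profile

if __name__ == "__main__":
    rcpts = ["bob@example.net", "intern@example.com", "ceo@example.com"]
    print(antispam_per_recipient(rcpts))
    print(antivirus_for_message(rcpts))                  # decided by intern@example.com
    print(antivirus_for_message(list(reversed(rcpts))))  # decided by ceo@example.com
```

The same set of recipients yields a different antivirus profile depending on recipient order, which is worth keeping in mind when antivirus profiles differ between recipient-based policies.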

See also

Controlling email based on sender and recipient addresses
