Administration Guide

Controlling SMTP access and delivery

The Policy > Access Control submenu lets you configure access control rules for SMTP sessions.

Unlike proxy/implicit relay pickup, access control rules take effect after the FortiMail unit has initiated or received an IP and TCP-level connection at the application layer of the network.

Note

Other protocols can also be restricted if the connection’s destination is the FortiMail unit. For details, see Configuring the network interfaces.

Access control rules are categorized separately based on whether they affect either the receipt or delivery of email messages by the FortiMail unit; that is, whether the FortiMail unit initiated the SMTP session or was the destination. Incoming/outgoing does not apply in the same sense for ACLs. Matching the domain name portion of the HELO or sender address to a protected domain is not the core issue; rather, it is whether or not the FortiMail unit is the connection initiator.

See also

Configuring access control rules

Configuring delivery rules

Troubleshoot MTA issues

Configuring access control rules

The Receiving tab displays a list of access control rules that apply to SMTP sessions being received by the FortiMail unit.

Access control rules, sometimes also called the access control list or ACL, specify whether the FortiMail unit will process and relay/proxy, reject, or discard email messages for SMTP sessions that are initiated by SMTP clients.

When an SMTP client attempts to deliver email through the FortiMail unit, the FortiMail unit compares each access control rule to the commands used by the SMTP client during the SMTP session, such as the envelope’s sender email address (MAIL FROM:), recipient email address (RCPT TO:), authentication (AUTH), and TLS (STARTTLS). Rules are evaluated for a match in the order of their list sequence, from top to bottom. If all attributes of a rule match, the FortiMail unit applies the action selected in the matching rule to the SMTP session, and no subsequent access control rules are applied.

Only one access control rule is ever applied to any given SMTP session.

Note

If no access control rules are configured, or no matching access control rules exist, and if the SMTP client is not configured to authenticate, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain.

  • For protected domains, the default action is delivery (with greylisting).
  • For unprotected domains, the default action is REJECT.

For information on protected domains, see Configuring protected domains.

In the absence of access control rules, the FortiMail unit prevents SMTP clients from using your protected server or FortiMail unit as an open relay: senders can deliver email incoming to protected domains, but cannot deliver email outgoing to unprotected domains.

For information on the sequence in which access control rules are used relative to other antispam methods, see Order of execution.

If you want to allow SMTP clients, such as your email users or email servers, to send email to unprotected domains, you must configure at least one access control rule. You may need to configure additional access control rules if, for example, you want to:

  • discard or reject email from or to some email addresses, such as email addresses that no longer exist in your protected domain
  • discard or reject email from some SMTP clients, such as a spammer that is not yet known to blocklists

Like IP-based policies, access control rules can reject connections based on IP address. Unlike IP-based policies, access control rules cannot affect email in ways that occur after the session’s DATA command, such as by applying antispam profiles.

Access control rules cannot be overruled by recipient-based policies, and cannot match connections based on the SMTP server’s IP address (by the nature of how ACL controls access to or through the FortiMail unit, the SMTP server is always the FortiMail unit itself, unless the FortiMail unit is operating in transparent mode). For more information on IP-based policies, see Controlling email based on IP addresses.

Caution

If possible, verify configuration of access control rules in a testing environment before applying them to a FortiMail unit in active use. Failure to verify correctly configured reject, discard, and accept actions can result in inability to correctly handle SMTP sessions.

Caution

Do not create an access control rule whose Sender is *, Recipient is *, Authentication status is Any, TLS profile is None, and Action is RELAY. This access control rule matches and relays all connections, allowing open relay, which could result in other MTAs and DNSBL servers blocklisting your protected domain.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To view and configure access control rules
  1. Go to Policy > Access Control > Receiving.
  2. GUI item

    Description

    Move

    (button)

    Select a policy, click Move, then select either:

    • Up or Down, or
    • After or Before, which opens a dialog, then in Move right after or Move right before indicate the policy’s new location by entering the ID of another policy

    FortiMail units match the policies in sequence, from the top of the list downwards.

    Enabled

    Select to enable or disable an existing rule.

    ID

    Displays the number identifying the rule.

    If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.

    Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.

    Sender

    Displays the pattern that defines email senders for the rule.

    Recipient

    Displays the pattern that defines email recipients for the rule.

    Source

    Displays the IP address and netmask of the SMTP client attempting to deliver the email message.

    Reverse DNS Pattern

    Displays the pattern used in a reverse DNS look-up.

    Authentication Status

    Displays which authentication status is used with the rule.

    TLS Profile

    Displays the TLS profile, if any, used to allow or reject a connection.

    Actions

    Displays the action to take when SMTP sessions match the rule.

  3. Either click New to add an access control rule or double-click an access control rule to modify it.
  4. A dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Enabled

    Select whether or not the access control rule is currently in effect.

    Sender

    Select either User Defined and enter a complete or partial sender (MAIL FROM:) email address to match, or select:

    • Internal: Match any email address from a protected domain.
    • External: Match any email address from an unprotected domain.
    • Email Group: Match any email address in the group.
      If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one.
      For more information, see Configuring email groups.
    • LDAP Group: Match any email address in the group.
      If you select this option, select an LDAP profile from the LDAP Profile field.
    • LDAP Verification: Match any individual email address queried by the LDAP profile.
      If you select this option, select an LDAP profile from the dropdown list or click New to create a new one.
    • Note: Use "$s" to match sender addresses. For example, to reject senders that are not in the recipient's allowed sender list:

      1. Create an ACL rule and choose LDAP Verification in the sender pattern.
      2. Choose an LDAP profile that uses the following user query string: (&(mail=$m)(!(allowedSenders=$s)))
      3. Set the ACL rule action to Reject.

      This will match a sender that is not in the allowedSenders list of the recipient and reject email from such senders.

    • Regular Expression: Use regular expression syntax instead of wildcards to specify the pattern. See Using wildcards and regular expressions.
    • User Defined: Specify the email addresses. The pattern can use wildcards or regular expressions. See Appendix D: Regular expressions. For example, the sender pattern *@example.??? will match messages sent by any email user at example.com, example.net, or any “example” domain ending with a three-letter top-level domain name.

    Recipient

    Either select User Defined and enter a complete or partial recipient (RCPT TO:) email address to match, or select:

    • Internal: Match any email address from a protected domain.
    • External: Match any email address from an unprotected domain.
    • Email Group: Match any email address in the group.
      If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one.
      For more information, see Configuring email groups.
    • LDAP Group: Match any email address in the group.
      If you select this option, select an LDAP profile from the LDAP Profile field.
    • LDAP Verification: Match any individual email address queried by the LDAP profile.
      If you select this option, select an LDAP profile from the dropdown list or click New to create a new one.
    • Note: Use "$m" to match recipient addresses.

    • Regular Expression: Use regular expression syntax instead of wildcards to specify the pattern. See Using wildcards and regular expressions.
    • User Defined: Specify the email addresses. The pattern can use wildcards or regular expressions. See Appendix D: Regular expressions. For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, or any “example” domain ending with a three‑letter top-level domain name.

    Source

    • Select IP/Netmask and enter the IP address and netmask of the SMTP client attempting to deliver the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet.
    • For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

      Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

      To match any address, enter 0.0.0.0/0.

    • Select IP Group to choose an IP group. Click New to add a new group or Edit to modify an existing one. For more information, see Configuring IP groups.
    • Select GeoIP Group to choose a GeoIP group. Click New to add a new group or Edit to modify an existing one. For more information, see Configuring GeoIP groups.

    Reverse DNS pattern

    Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message.

    Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail does a DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected with SMTP reply code 550 (Relaying denied).

    The pattern can use wildcards or regular expressions. See Using wildcards and regular expressions.

    For example, the reverse DNS pattern mail*.com matches messages delivered by an SMTP server whose domain name starts with “mail” and ends with “.com”.

    Note: Reverse DNS queries for access control rules require that the domain name be a valid top level domain (TLD). For example, “.lab” is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.

    Authentication status

    Select whether or not to match this access control rule based on client authentication.

    • Any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.
    • Authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.
    • Not Authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.

    TLS profile

    Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

    • If the attributes match, the access control action is executed.
    • If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    Click New to add a new TLS profile or Edit to modify an existing one.

    For more information on TLS profiles, see Configuring TLS security profiles.

    Action

    Select which action the FortiMail unit will perform for SMTP sessions matching this access control rule.

    • DISCARD: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
    • REJECT: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
    • RELAY: Relay or proxy, process, and deliver the email normally if it passes all configured scans. Do not apply greylisting.
    • SAFE: Relay or proxy and deliver the email, only if the recipient belongs to a protected domain or the sender is authenticated. All antispam profile processing will be skipped; but antivirus, content and other scans will still occur.
    • SAFE & RELAY: Relay or proxy and deliver the email. All antispam profile processing will be skipped; but antivirus, content, and other scans will still occur.

    Comments

    Enter a comment if necessary. The comment will appear as a mouse-over tool-tip in the ID column of the rule list.

  10. Click Create or OK.
  11. The access control rule appears at the bottom of the list of access control rules. As a result, the FortiMail unit will evaluate it as a match for the SMTP session only if no previous access control rule matches. If you want your new rule to be evaluated before another rule, move your new access control rule to its intended position in the list.

Using wildcards and regular expressions

You can enter wildcards or regular expressions in any pattern field, such as Reverse DNS pattern, on the Access Control Rule dialog.

To use a regular expression as a pattern, first enable Regular expression, which is beside the pattern field.

If a pattern is listed on the Receiving tab with the R/ prefix, it is set to use regular expression syntax. If the pattern is listed with a -/ prefix, it does not use regular expression syntax.

Wildcard characters (* and ?) allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters. A question mark (?) represents any single character.

When configuring access control rules, do not leave any pattern fields blank. Instead, to have the FortiMail unit ignore a pattern:

  • If Regular expression is disabled for the field, enter an asterisk (*) in the pattern field.
  • If Regular expression is enabled for the field, enter a dot-star (.*) character sequence in the pattern field.

For example, if you enter an asterisk (*) in the Recipient Pattern field and do not enable Regular expression, the asterisk matches all recipient addresses, and therefore will not exclude any SMTP sessions from matching the access control rule.
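A lint pass over an ordered rule list that applies the open-relay caution and the "ignore a pattern" conventions above, and also flags rules placed below a rule that matches every session. This is an added example, not FortiMail code; the rule dictionaries, their field names and the sample rules are constructed and are not a FortiMail export format.

```python
import ipaddress

# Patterns that make the unit ignore a field: "-/" = wildcard, "R/" = regular expression.
IGNORE_PATTERNS = {"-/*", "R/.*", "R/^.*$"}


def ignores_field(pattern):
    return pattern.strip() in IGNORE_PATTERNS


def any_source(source):
    # 0.0.0.0/0 matches any client address.
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(rules):
    """Return (rule id, finding) tuples for an ordered list of rule dicts."""
    findings = []
    catch_all_id = None
    for rule in rules:
        if not rule["enabled"]:
            continue
        if catch_all_id is not None:
            # Only one rule is ever applied, so nothing below a catch-all is evaluated.
            findings.append((rule["id"], f"unreachable: rule {catch_all_id} matches every session first"))
        for field in ("sender", "recipient", "rdns"):
            if rule[field].strip() in ("", "-/", "R/"):
                findings.append((rule["id"], f"blank {field} pattern"))
        wide = ignores_field(rule["sender"]) and ignores_field(rule["recipient"])
        unconditional = rule["auth"] == "Any" and rule["tls"] == "None"
        # The five attributes named in the open-relay caution.
        if wide and unconditional and rule["action"] == "RELAY":
            findings.append((rule["id"], f"open relay rule (source {rule['source']})"))
        if (catch_all_id is None and wide and unconditional
                and ignores_field(rule["rdns"]) and any_source(rule["source"])):
            catch_all_id = rule["id"]
    return findings


def make_rule(rule_id, sender, recipient, auth, tls, action,
              source="0.0.0.0/0", rdns="-/*", enabled=True):
    return {"id": rule_id, "enabled": enabled, "sender": sender, "recipient": recipient,
            "source": source, "rdns": rdns, "auth": auth, "tls": tls, "action": action}


# Constructed sample list: a safe authenticated relay rule, a catch-all RELAY rule,
# and a reject rule that sits below the catch-all with a blank reverse DNS pattern.
SAMPLE_RULES = [
    make_rule(1, "-/user*@example.com", "-/*", "Authenticated", "tlsprofile1", "RELAY"),
    make_rule(2, "-/*", "-/*", "Any", "None", "RELAY"),
    make_rule(3, "-/*", "-/user932@example.com", "Any", "None", "REJECT", rdns=""),
]

if __name__ == "__main__":
    for rule_id, finding in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {finding}")
```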

See also

Example: Access control rules with wild cards

Example: Access control rules with regular expressions

Controlling SMTP access and delivery

Example: Access control rules with wild cards

If your protected domain, example.com, contains email addresses in the format of user1@example.com, user2@example.com, and so on, and you want to allow those email addresses to send email to any external domain as long as they authenticate their identities and use TLS, you might configure the following access control rule:

Example access control rule

Sender Pattern: user*@example.com
Recipient Pattern: *
Sender IP/Netmask: 0.0.0.0/0
Reverse DNS Pattern: *
Authentication Status: authenticated
TLS Profile: tlsprofile1
Action: RELAY

See also

Configuring access control rules

Example: Access control rules with regular expressions

Controlling SMTP access and delivery

Example: Access control rules with regular expressions

Example Corporation uses a FortiMail unit that operates in gateway mode and has been configured with only one protected domain: example.com. The FortiMail unit was configured with the access control rules illustrated in the following table.

A list of example enabled access control rules

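| ID | Sender Pattern | Recipient Pattern | Sender IP/Netmask | Reverse DNS Pattern | Authentication | Action |
|----|----------------|-------------------|-------------------|---------------------|----------------|--------|
| 1 | -/* | -/user932@example.com | 0.0.0.0/0 | -/* | Any | Reject |
| 2 | R/^\s*$ | -/* | 0.0.0.0/0 | -/* | Any | Reject |
| 3 | -/* | -/*@example.com | 172.20.120.0/24 | -/mail.example.org | Any | Relay |
| 4 | -/*@example.org | -/* | 0.0.0.0/0 | -/* | Any | Reject |
| 5 | -/* | R/^user\d*@example\.com$ | 0.0.0.0/0 | -/* | Any | Relay |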

Rule 1

The email account of former employee user932 receives a large amount of spam. Since this employee is no longer with the company and all the user’s external contacts were informed of their new Example Corporation employee contacts, messages addressed to the former employee’s address must be spam.

Rule 1 uses only the recipient pattern. All other access control rule attributes are configured to match any value. This rule rejects all messages sent to the user932@example.com recipient email address. Rejection at the access control stage prevents these messages from being scanned for spam and viruses, saving FortiMail system resources.

This rule is placed first because it is the most specific access control rule in the list. It applies only to SMTP sessions for that single recipient address. SMTP sessions sending email to any other recipient do not match it. If a rule that matched all messages were placed at the top of the list, no rule after the first would ever be checked for a match, because the first would always match.

SMTP sessions not matching this rule are checked against the next rule.

Rule 2

Much of the spam received by the Example Corporation has no sender specified in the message envelope. Most valid email messages will have a sender email address.

Rule 2 uses only the sender pattern. The regular expression ^\s*$ will match a sender string that contains one or more spaces, or is empty. If any non-space character appears in the sender string, this rule does not match. This rule will reject all messages with no sender, or a sender containing only spaces.

Not all email messages without a sender are spam, however. Delivery status notification (DSN) messages often have no specified sender. Bounce notifications are the most common type of DSN messages. The FortiMail administrators at the Example Corporation decided that the advantages of this rule outweigh the disadvantages.

Messages not matching this rule are checked against the next rule.

Rules 3 and 4

Recently, the Example Corporation has been receiving spam that appears to be sent by example.org. The FortiMail log files revealed that the sender address is being spoofed and the messages are sent from servers operated by spammers. Because spam servers often change IP addresses to avoid being blocked, the FortiMail administrators decided to use two rules to block all mail from example.org unless delivered from a server with the proper address and host name.

When legitimate, email messages from example.org are sent from one of multiple mail servers. All these servers have IP addresses within the 172.20.120.0/24 subnet and have a domain name of mail.example.org that can be verified using a reverse DNS query.

Rule 3 uses the recipient pattern, the sender IP, and the reverse DNS pattern. This rule will relay messages to email users of example.com sent from a client whose domain name is mail.example.org and IP address is between 172.20.120.1 and 172.20.120.255.

Messages not matching this rule are checked against the next rule.

Rule 4 works in conjunction with rule 3. It uses only the sender pattern. Rule 4 rejects all messages from example.org. But because it is positioned after rule 3 in the list, rule 4 affects only messages that were not already proven to be legitimate by rule 3, thereby rejecting only email messages with a fake sender.

Rules 3 and 4 must appear in the order shown. If they were reversed, all mail from example.org would be rejected. The more specific rule 3 (accept valid mail from example.org) is placed first, and the more general rule 4 (reject all mail from example.org) follows.

Messages not matching these rules are checked against the next rule.

Rule 5

The administrator of example.com has noticed that during peak traffic, a flood of spam using random user names causes the FortiMail unit to devote a significant amount of resources to recipient verification. Verification is performed with the aid of an LDAP server which also expends significant resources servicing these requests. Example Corporation email addresses start with “user” followed by the user’s employee number, and end with “@example.com”.

Rule 5 uses only the recipient pattern. The recipient pattern is a regular expression that will match all email addresses that start with “user”, end with “@example.com”, and have one or more numbers in between. Email messages matching this rule are relayed.

Default implicit rules

For messages not matching any of the above rules, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain.

  • For protected domains, the default action is delivery (with greylisting).
  • For unprotected domains, the default action is REJECT.
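The five-rule list above, replayed as an added example (not Fortinet code): a small Python model of top-to-bottom, first-match evaluation followed by the default implicit rules. The sessions are constructed; treating a lone * as "ignore this field", case-insensitive matching, unanchored regular expression search, and skipping the reverse DNS check when its pattern is * are assumptions about behaviour the page does not spell out.

```python
import ipaddress
import re
from dataclasses import dataclass

PROTECTED_DOMAINS = {"example.com"}  # the page's only protected domain


@dataclass
class Rule:
    id: int
    sender: str     # "-/" prefix = wildcard pattern, "R/" prefix = regular expression
    recipient: str
    source: str     # IP/netmask of the SMTP client
    rdns: str
    action: str


# The five enabled rules from the example table (Authentication is Any in all of them).
RULES = [
    Rule(1, "-/*", "-/user932@example.com", "0.0.0.0/0", "-/*", "REJECT"),
    Rule(2, r"R/^\s*$", "-/*", "0.0.0.0/0", "-/*", "REJECT"),
    Rule(3, "-/*", "-/*@example.com", "172.20.120.0/24", "-/mail.example.org", "RELAY"),
    Rule(4, "-/*@example.org", "-/*", "0.0.0.0/0", "-/*", "REJECT"),
    Rule(5, "-/*", r"R/^user\d*@example\.com$", "0.0.0.0/0", "-/*", "RELAY"),
]


def pattern_matches(pattern, value):
    kind, body = pattern[:2], pattern[2:]
    if kind == "R/":
        return re.search(body, value, re.IGNORECASE) is not None
    if body == "*":
        return True  # assumption: a lone asterisk makes the unit ignore the field
    # Wildcards as the page words them: * = one or more characters, ? = one character.
    regex = "".join(".+" if c == "*" else "." if c == "?" else re.escape(c) for c in body)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(rules, mail_from, rcpt_to, client_ip, ptr_name):
    """Return (matching rule id or None, action) for an unauthenticated session.

    ptr_name is the reverse DNS result for client_ip, or None if the lookup failed.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:  # top to bottom; the first full match wins
        if not pattern_matches(rule.sender, mail_from):
            continue
        if not pattern_matches(rule.recipient, rcpt_to):
            continue
        # strict=False accepts host-form input such as 10.10.10.10/24
        if ip not in ipaddress.ip_network(rule.source, strict=False):
            continue
        if rule.rdns != "-/*":
            # A failed reverse DNS query fails the rule match.
            if ptr_name is None or not pattern_matches(rule.rdns, ptr_name):
                continue
        return rule.id, rule.action
    # Default implicit rule, decided by the recipient's domain.
    domain = rcpt_to.rpartition("@")[2].lower()
    if domain in PROTECTED_DOMAINS:
        return None, "DELIVER (greylisted)"
    return None, "REJECT"


# Constructed sessions: (MAIL FROM, RCPT TO, client IP, reverse DNS result)
SESSIONS = {
    "former employee": ("x@example.net", "user932@example.com", "203.0.113.5", None),
    "null sender (DSN)": ("", "user7@example.com", "203.0.113.5", None),
    "real example.org": ("a@example.org", "user7@example.com", "172.20.120.15", "mail.example.org"),
    "spoofed example.org": ("a@example.org", "user7@example.com", "198.51.100.9", "h.example.net"),
    "employee address": ("b@example.net", "user42@example.com", "198.51.100.9", None),
    "no digits": ("b@example.net", "user@example.com", "198.51.100.9", None),
    "random recipient": ("b@example.net", "xq81z@example.com", "198.51.100.9", None),
    "relay attempt": ("b@example.net", "c@example.net", "198.51.100.9", None),
}


def run(rules=RULES):
    return {name: evaluate(rules, *session) for name, session in SESSIONS.items()}


if __name__ == "__main__":
    for name, (rule_id, action) in run().items():
        print(f"{name:20} rule={rule_id} action={action}")
```

The "no digits" session is relayed by rule 5 because \d* also accepts zero digits, and passing the list with rules 3 and 4 swapped turns the "real example.org" result into a rule 4 REJECT.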

See also

Configuring access control rules

Example: Access control rules with wild cards

Controlling SMTP access and delivery

Configuring delivery rules

The Delivery tab displays a list of delivery rules that apply to SMTP sessions being initiated by the FortiMail unit in order to deliver email.

Delivery rules let you require TLS for the SMTP sessions the FortiMail unit initiates when sending email to other email servers. They also let you apply secure MIME (S/MIME) or IBE.

For more information about IBE, see Configuring IBE encryption.

When initiating an SMTP session, the FortiMail unit compares each delivery rule to the domain name portion of the envelope recipient address (RCPT TO:). Rules are evaluated for a match in the order of their list sequence, from top to bottom. If a matching delivery rule does not exist, the email message is delivered. If a match is found, the FortiMail unit compares the TLS profile settings to the connection attributes and the email message is sent or the connection is not allowed, depending on the result; if an encryption profile is selected, its settings are applied. No subsequent delivery rules are applied. Only one delivery rule is ever applied to any given SMTP session.

If you are using a delivery rule to apply S/MIME encryption, the destination of the connection can be another FortiMail unit, but it could alternatively be any email gateway or server, as long as either:

  • the destination’s MTA or mail server
  • the recipient’s MUA

supports S/MIME and possesses the sender’s certificate and public key, which is necessary to decrypt the email. Otherwise, the recipient cannot read the email.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To configure a delivery rule list
  1. Go to Policy > Access Control > Delivery.
  2. GUI item

    Description

    Move

    (button)

    Click a delivery rule to select it, click Move, then select either:

    • the direction in which to move the selected rule (Up or Down), or
    • After or Before, then in Move right after or Move right before indicate the rule’s new location by entering the ID of another delivery rule

    FortiMail units match the rules in sequence, from the top of the list downwards.

    Enabled

    Indicates whether or not the delivery rule is currently in effect.

    To disable a delivery rule, select the button, then click Yes to confirm.

    ID

    Displays the number identifying the rule.

    If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.

    Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.

    FortiMail units evaluate delivery rules in sequence. Only the topmost matching delivery rule will be applied.

    Sender Pattern

    Displays the complete or partial envelope sender email address to match.

    Recipient Pattern

    Displays the complete or partial envelope recipient email address to match.

    TLS Destination IP

    Displays the IP address and netmask of the system to which the FortiMail is sending the email message. 0.0.0.0/0.0.0.0 matches any IP address.

    TLS Profile

    Displays the TLS profile, if any, used to allow or reject a connection.

    • If the attributes match, the access control action is executed.
    • If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    To edit the TLS profile, click its name. For details, see Configuring security profiles.

    IP Pool Profile

    Displays the IP pool profile that FortiMail uses as its local IP address when communicating with destination mail servers.

    Encryption Profile

    Indicates the encryption profile used to apply S/MIME or IBE encryption to the email.

    To edit the encryption profile, click its name. For details, see Configuring encryption profiles.

  3. Either click New to add a delivery control rule or double-click a delivery control rule to modify it.
  4. A dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Enabled

    Select whether or not the access control rule is currently in effect.

    Sender pattern

    Enter a complete or partial envelope sender (MAIL FROM:) email address to match.

    Wild card characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.

    For example, the sender pattern ??@*.com will match messages sent by any email user with a two letter email user name from any “.com” domain name.

    Recipient pattern

    Enter a complete or partial envelope recipient (RCPT TO:) email address to match.

    Wild card characters allow you to enter partial patterns that can match multiple recipient email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.

    For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, example.org, or any other “example” domain ending with a three‑letter top-level domain name.

    TLS Destination IP/netmask

    Enter the IP address and netmask of the system to which the FortiMail unit is sending the email message using a TLS connection. Use the netmask, the portion after the slash (/), to specify the matching subnet.

    For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

    Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

    To match any address, enter 0.0.0.0/0.

    Note: This field is not used when considering whether or not to apply an encryption profile.

    TLS profile

    Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

    • If the attributes match, the access control action is executed.
    • If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    Click New to add a new TLS profile or Edit to modify an existing one.

    For more information on TLS profiles, see Configuring TLS security profiles.

    IP pool profile

    Starting with the 6.2 release, you can specify an IP pool profile so that FortiMail can use an IP address in the pool as its local IP address when communicating with destination mail servers. For details about IP pools, see Configuring IP pools.

    Encryption profile

    Select an encryption profile used to apply S/MIME or IBE encryption to the email.

    Note that if you create a delivery rule that uses both an IBE encryption profile and a TLS profile, the TLS profile will override the IBE encryption profile and the IBE encryption will not be used. If you select an S/MIME profile here and an IBE profile in the Encryption with profile field (Profile > Content > Action), the S/MIME profile will override the IBE encryption profile.

    Click New to add a new encryption profile or Edit to modify an existing one.

    For more information, see Configuring encryption profiles and Configuring certificate bindings.

    For information about content action profiles, see Configuring content action profiles.

    Comments

    Enter a comment if necessary. The comment will appear as a mouse-over tool-tip in the ID column of the rule list.

Configuring delivery control policies

MTA IP addresses might be blocklisted if sending outgoing email at a high rate; marketing mail campaigns can cause the corporate IP addresses to be registered in DNSBL.

To solve this problem, you can rate limit email delivery when configuring domain settings (see Sender address rate control). You can also rate limit email delivery at system level.

To configure an email delivery control policy
  1. Go to Policy > Access Control > Delivery Control.
  2. Click New to add a new delivery control policy.
  3. Configure the following:
  4. GUI item

    Description

    Enabled

    Toggle to enable or disable the policy.

    Recipient domain

    Specify the recipient domain to apply the policy on. Use wildcard * to represent all recipient domains.

    Restrict the number of concurrent connections

    Specify to limit the number of concurrent connections to the above domain. 0 means no limit.

    Restrict the number of messages per connection

    Specify to limit the number of email messages to be sent for one connection session. 0 means no limit.

    Restrict the number of recipients per period (30 minutes)

    Specify to limit the number of email recipients in an interval of 30 minutes. 0 means no limit.

    Restrict the number of recipients per message

    Specify to limit the number of email recipients per message. 0 means no limit.

See also

What is a policy?

How to use policies

Incoming versus outgoing email

Which policy/profile is applied when an email has multiple recipients?

Controlling SMTP access and delivery


  • For protected domains, the default action is delivery (with greylisting).
  • For unprotected domains, the default action is REJECT.

For information on protected domains, see Configuring protected domains.

In the absence of access control rules, the FortiMail unit prevents SMTP clients from using your protected server or FortiMail unit as an open relay: senders can deliver email incoming to protected domains, but cannot deliver email outgoing to unprotected domains.

For information on the sequence in which access control rules are used relative to other antispam methods, see Order of execution.

If you want to allow SMTP clients, such as your email users or email servers, to send email to unprotected domains, you must configure at least one access control rule. You may need to configure additional access control rules if, for example, you want to:

  • discard or reject email from or to some email addresses, such as email addresses that no longer exist in your protected domain
  • discard or reject email from some SMTP clients, such as a spammer that is not yet known to blocklists

Like IP-based policies, access control rules can reject connections based on IP address. Unlike IP-based policies, access control rules cannot affect email in ways that occur after the session’s DATA command, such as by applying antispam profiles.

Access control rules cannot be overruled by recipient-based policies, and cannot match connections based on the SMTP server’s IP address (by the nature of how ACL controls access to or through the FortiMail unit, the SMTP server is always the FortiMail unit itself, unless the FortiMail unit is operating in transparent mode). For more information on IP-based policies, see Controlling email based on IP addresses.

Caution

If possible, verify configuration of access control rules in a testing environment before applying them to a FortiMail unit in active use. Failure to verify correctly configured reject, discard, and accept actions can result in inability to correctly handle SMTP sessions.

Caution

Do not create an access control rule whose Sender is *, Recipient is *, Authentication status is Any, TLS profile is None, and Action is RELAY. This access control rule matches and relays all connections, allowing open relay, which could result in other MTAs and DNSBL servers blocklisting your protected domain.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To view and configure access control rules
  1. Go to Policy > Access Control > Receiving.
  2. GUI item

    Description

    Move

    (button)

    Select a policy, click Move, then select either:

    • Up or Down, or
    • After or Before, which opens a dialog, then in Move right after or Move right before indicate the policy’s new location by entering the ID of another policy

    FortiMail units match the policies in sequence, from the top of the list downwards.

    Enabled

    Select to enable or disable an existing rule.

    ID

    Displays the number identifying the rule.

    If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.

    Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.

    Sender

    Displays the pattern that defines email senders for the rule.

    Recipient

    Displays the pattern that defines email recipients for the rule.

    Source

    Displays the IP address and netmask of the SMTP client attempting to deliver the email message.

    Reverse DNS Pattern

    Displays the used in a reverse DNS look-up.

    Authentication Status

    Displays which authentication status is used with the rule.

    TLS Profile

    Displays the TLS profile, if any, used to allow or reject a connection.

    Actions

    Displays the action to take when SMTP sessions match the rule.

  3. Either click New to add an access control rule or double-click an access control rule to modify it.
  4. A dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Enabled

    Select whether or not the access control rule is currently in effect.

    Sender

    Select either User Defined and enter a complete or partial sender (MAIL FROM:) email address to match, or select:

    • Internal: Match any email address from a protected domain.
    • External: Match any email address from an unprotected domain.
    • Email Group: Match any email address in the group.
      If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one.
      For more information, see Configuring email groups.
    • LDAP Group: Match any email address in the group.
      If you select this option, select an LDAP profile from the LDAP Profile field.
    • LDAP Verification: Match any individual email address queried by the LDAP profile.
      If you select this option, select an LDAP profile from the dropdown list or click New to create a new one.
    • Note: Use "$s" to match sender addresses. For example, to reject senders that are not in the recipient's allowed sender list:

    1. Create an ACL rule and choose LDAP verification in the sender pattern.
    2. Choose a LDAP profile where below user query string is used: (&(mail=$m)(!(allowedSenders=$s)))
    3. Set the ACL rule action to Reject.

    This will match a sender that is not in the allowedSenders list of the recipient and reject email from such senders.

  7. Regular Expression: Use regular expression syntax instead of wildcards to specify the pattern. See Using wildcards and regular expressions.
  8. User Defined: Specify the email addresses. The pattern can use wildcards or regular expressions. See Appendix D: Regular expressions. For example, the sender pattern *@example.??? will match messages sent to any email user at example.com, example.net, or any “example” domain ending with a three-letter top-level domain name.
  9. Recipient

    Either select User Defined and enter a complete or partial recipient (RCPT TO:) email address to match, or select:

    • Internal: Match any email address from a protected domain.
    • External: Match any email address from an unprotected domain.
    • Email Group: Match any email address in the group.
      If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one.
      For more information, see Configuring email groups.
    • LDAP Group: Match any email address in the group.
      If you select this option, select an LDAP profile from the LDAP Profile field.
    • LDAP Verification: Match any individual email address queried by the LDAP profile.
      If you select this option, select an LDAP profile from the dropdown list or click New to create a new one.
    • Note: Use "$m" to match recipient addresses.

    • Regular Expression: Use regular expression syntax instead of wildcards to specify the pattern. See Using wildcards and regular expressions.
    • User Defined: Specify the email addresses. The pattern can use wildcards or regular expressions. See Appendix D: Regular expressions. For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, or any “example” domain ending with a three‑letter top-level domain name.

    Source

    • Select IP/Netmask and enter the IP address and netmask of the SMTP client attempting to deliver the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet.
    • For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

      Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

      To match any address, enter 0.0.0.0/0.

    • Select IP Group to choose an IP group. Click New to add a new group or Edit to modify an existing one. For more information, see Configuring IP groups.
    • Select GeoIP Group to choose a GeoIP group. Click New to add a new group or Edit to modify an existing one. For more information, see Configuring GeoIP groups.

    Reverse DNS pattern

    Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message.

    Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail does a DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected with SMTP reply code 550 (Relaying denied).

    The pattern can use wildcards or regular expressions. See Using wildcards and regular expressions.

    For example, the recipient pattern mail*.com matches messages delivered by an SMTP server whose domain name starts with “mail” and ends with “.com”.

    Note: Reverse DNS queries for access control rules require that the domain name be a valid top level domain (TLD). For example, “.lab” is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.

    Authentication status

    Select whether or not to match this access control rule based on client authentication.

    • Any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.
    • Authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.
    • Not Authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.

    TLS profile

    Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

    • If the attributes match, the access control action is executed.
    • If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    Click New to add a new TLS profile or Edit to modify an existing one.

    For more information on TLS profiles, see Configuring TLS security profiles.

    Action

    Select which action the FortiMail unit will perform for SMTP sessions matching this access control rule.

    • DISCARD: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
    • REJECT: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
    • RELAY: Relay or proxy, process, and deliver the email normally if it passes all configured scans. Do not apply greylisting.
    • SAFE: Relay or proxy and deliver the email, only if the recipient belongs to a protected domain or the sender is authenticated. All antispam profile processing will be skipped; but antivirus, content and other scans will still occur.
    • SAFE & RELAY: Relay or proxy and deliver the email. All antispam profile processing will be skipped; but antivirus, content, and other scans will still occur.

    Comments

    Enter a comment if necessary. The comment will appears as a mouse-over tool-tip in the ID column of the rule list.

  10. Click Create or OK.
  11. The access control rule appears at the bottom of the list of access control rules. As a result, the FortiMail unit will evaluate it as a match for the SMTP session only if no previous access control rule matches. If you want your new rule to be evaluated before another rule, move your new access control rule to its intended position in the list.

Using wildcards and regular expressions

You can enter wildcards or regular expressions in any pattern field, such as Reverse DNS pattern, on the Access Control Rule dialog.

To use a regular expression as a pattern, first enable Regular expression, which is beside the pattern field.

If a pattern is listed on the Receiving tab with the R/ prefix, it is set to use regular expression syntax. If the pattern is listed with a -/ prefix, it does not use regular expression syntax.

Wildcard characters (* and ?) allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters. A question mark (?) represents any single character.

When configuring access control rules, do not leave any pattern fields blank. Instead, to have the FortiMail unit ignore a pattern:

  • If Regular expression is disabled for the field, enter an asterisk (*) in the pattern field.
  • If Regular expression is enabled for the field, enter a dot-star (.*) character sequence in the pattern field.

For example, if you enter an asterisk (*) in the Recipient Pattern field and do not enable Regular expression, the asterisk matches all recipient addresses, and therefore will not exclude any SMTP sessions from matching the access control rule.

See also

Example: Access control rules with wild cards

Example: Access control rules with regular expressions

Controlling SMTP access and delivery

Example: Access control rules with wild cards

If your protected domain, example.com, contains email addresses in the format of user1@example.com, user2@example.com, and so on, and you want to allow those email addresses to send email to any external domain as long as they authenticate their identities and use TLS, you might configure the following access control rule:

Example access control rule

Sender Pattern

user*@example.com

Recipient Pattern

*

Sender IP/Netmask

0.0.0.0/0

Reverse DNS Pattern

*

Authentication Status

authenticated

TLS Profile

tlsprofile1

Actio

RELAY

See also

Configuring access control rules

Example: Access control rules with regular expressions

Controlling SMTP access and delivery

Example: Access control rules with regular expressions

Example Corporation uses a FortiMail unit operating in gateway mode, and that has been configured with only one protected domain: example.com. The FortiMailunit was configured with the access control rules illustrated in the following table.

A list of example enabled access control rules

ID

Sender Pattern

Recipient
Pattern

Sender IP/Netmask

Reverse DNS Pattern

Authentication

Action

1

-/*

-/user932@example.com

0.0.0.0/0

-/*

Any

Reject

2

R/^\s*$

-/*

0.0.0.0/0

-/*

Any

Reject

3

-/*

-/*@example.com

172.20.120.0/24

-/mail.example.org

Any

Relay

4

-/*@example.org

-/*

0.0.0.0/0

-/*

Any

Reject

5

-/*

R/^user\d*@example\.com$

0.0.0.0/0

-/*

Any

Relay

Rule 1

The email account of former employee user932 receives a large amount of spam. Since this employee is no longer with the company and all the user’s external contacts were informed of their new Example Corporation employee contacts, messages addressed to the former employee’s address must be spam.

Rule 1 uses only the recipient pattern. All other access control rule attributes are configured to match any value. This rule rejects all messages sent to the user932@example.com recipient email address. Rejection at the access control stage prevents these messages from being scanned for spam and viruses, saving FortiMail system resources.

This rule is placed first because it is the most specific access control rule in the list. It applies only to SMTP sessions for that single recipient address. SMTP sessions sending email to any other recipient do not match it. If a rule that matched all messages were placed at the top of the list, no rule after the first would ever be checked for a match, because the first would always match.

SMTP sessions not matching this rule are checked against the next rule.

Rule 2

Much of the spam received by the Example Corporation has no sender specified in the message envelope. Most valid email messages will have a sender email address.

Rule 2 uses only the sender pattern. The regular expression ^\s*$ will match a sender string that contains one or more spaces, or is empty. If any non-space character appears in the sender string, this rule does not match. This rule will reject all messages with a no sender, or a sender containing only spaces.

Not all email messages without a sender are spam, however. Delivery status notification (DSN) messages often have no specified sender. Bounce notifications are the most common type of DSN messages. The FortiMail administrators at the Example Corporation decided that the advantages of this rule outweigh the disadvantages.

Messages not matching this rule are checked against the next rule.

Rules 3 and 4

Recently, the Example Corporation has been receiving spam that appears to be sent by example.org. The FortiMail log files revealed that the sender address is being spoofed and the messages are sent from servers operated by spammers. Because spam servers often change IP addresses to avoid being blocked, the FortiMail administrators decided to use two rules to block all mail from example.org unless delivered from a server with the proper address and host name.

When legitimate, email messages from example.org are sent from one of multiple mail servers. All these servers have IP addresses within the 172.20.120.0/24 subnet and have a domain name of mail.example.org that can be verified using a reverse DNS query.

Rule 3 uses the recipient pattern, the sender IP, and the reverse DNS pattern. This rule will relay messages to email users of example.com sent from a client whose domain name is mail.example.org and IP address is between 172.20.120.1 and 172.20.120.255.

Messages not matching this rule are checked against the next rule.

Rule 4 works in conjunction with rule 3. It uses only the sender pattern. Rule 4 rejects all messages from example.org. But because it is positioned after rule 3 in the list, rule 4 affects only messages that were not already proven to be legitimate by rule 3, thereby rejecting only email messages with a fake sender.

Rules 3 and 4 must appear in the order shown. If they were reversed, all mail from example.org would be rejected. The more specific rule 3 (accept valid mail from example.org) is placed first, and the more general rule 4 (reject all mail from example.org) follows.

Messages not matching these rules are checked against the next rule.

Rules 5

The administrator of example.com has noticed that during peak traffic, a flood of spam using random user names causes the FortiMail unit to devote a significant amount of resources to recipient verification. Verification is performed with the aid of an LDAP server which also expends significant resources servicing these requests. Example Corporation email addresses start with “user” followed by the user’s employee number, and end with “@example.com”.

Rule 5 uses only the recipient pattern. The recipient pattern is a regular expression that will match all email addresses that start with “user”, end with “@example.com”, and have one or more numbers in between. Email messages matching this rule are relayed.

Default implicit rules

For messages not matching any of the above rules, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain.

  • For protected domains, the default action is delivery (with greylisting).
  • For unprotected domains, the default action is REJECT.
See also

Configuring access control rules

Example: Access control rules with wild cards

Controlling SMTP access and delivery

Configuring delivery rules

The Delivery tab displays a list of delivery rules that apply to SMTP sessions being initiated by the FortiMail unit in order to deliver email.

Delivery rules let you to require TLS for the SMTP sessions the FortiMail unit initiates when sending email to other email servers. They also let you to apply secure MIME (S/MIME) or IBE.

For more information about IBE, see Configuring IBE encryption.

When initiating an SMTP session, the FortiMail unit compares each delivery rule to the domain name portion of the envelope recipient address (RCPT TO:). Rules are evaluated for a match in the order of their list sequence, from top to bottom. If a matching delivery rule does not exist, the email message is delivered. If a match is found, the FortiMail unit compares the TLS profile settings to the connection attributes and the email message is sent or the connection is not allowed, depending on the result; if an encryption profile is selected, its settings are applied. No subsequent delivery rules are applied. Only one delivery rule is ever applied to any given SMTP session.

If you are using a delivery rule to apply S/MIME encryption, the destination of the connection can be another FortiMail unit, but it could alternatively be any email gateway or server, as long as either:

  • the destination’s MTA or mail server
  • the recipient’s MUA

supports S/MIME and possesses the sender’s certificate and public key, which is necessary to decrypt the email. Otherwise, the recipient cannot read the email.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To configure a delivery rule list
  1. Go to Policy > Access Control > Delivery.
  2. GUI item

    Description

    Move

    (button)

    Click a delivery rule to select it, click Move, then select either:

    • the direction in which to move the selected rule (Up or Down), or
    • After or Before, then in Move right after or Move right before indicate the rule’s new location by entering the ID of another delivery rule

    FortiMail units match the rules in sequence, from the top of the list downwards.

    Enabled

    Indicates whether or not the delivery rule is currently in effect.

    To disable a delivery rule, select the button, then click Yes to confirm.

    ID

    Displays the number identifying the rule.

    If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.

    Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.

    FortiMail units evaluate delivery rules in sequence. Only the topmost matching delivery rule will be applied.

    Sender Pattern

    Displays the complete or partial envelope sender email address to match.

    Recipient Pattern

    Displays the complete or partial envelope recipient email address to match.

    TLS Destination IP

    Displays the IP address and netmask of the system to which the FortiMail is sending the email message. 0.0.0.0/0.0.0.0 matches any IP address.

    TLS Profile

    Displays the TLS profile, if any, used to allow or reject a connection.

    • If the attributes match, the access control action is executed.
    • If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    To edit the TLS profile, click its name. For details, see Configuring security profiles.

    IP Pool Profile

    Displays the IP pool profile that FortiMail uses as its local IP address when communicating with destination mail servers.

    Encryption Profile

    Indicates the encryption profile used to apply S/MIME or IBE encryption to the email.

    To edit the encryption profile, click its name. For details, see Configuring encryption profiles.

  3. Either click New to add a delivery control rule or double-click a delivery control rule to modify it.
  4. A dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Enabled

    Select whether or not the access control rule is currently in effect.

    Sender pattern

    Enter a complete or partial envelope sender (MAIL FROM:) email address to match.

    Wild card characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.

    For example, the sender pattern ??@*.com will match messages sent by any email user with a two letter email user name from any “.com” domain name.

    Recipient pattern

    Enter a complete or partial envelope recipient (RCPT TO:) email address to match.

    Wild card characters allow you to enter partial patterns that can match multiple recipient email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.

    For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, example.org, or any other “example” domain ending with a three‑letter top-level domain name.

    TLS Destination IP/netmask

    Enter the IP address and netmask of the system to which the FortiMail unit is sending the email message using TLS connection. Use the netmask, the portion after the slash (/) to specify the matching subnet.

    For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

    Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

    To match any address, enter 0.0.0.0/0.

    Note: This field is not used when considering whether or not to apply an encryption profile.

    TLS profile

    Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

    • If the attributes match, the access control action is executed.
    • If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    Click New to add a new TLS profile or Edit to modify an existing one.

    For more information on TLS profiles, see Configuring TLS security profiles.

    IP pool profile

    Starting from 6.2 release, you can specify an IP pool profile so that FortiMail can use an IP address in the pool as its local IP address when communicating with destination mail servers. For details about IP pools, see Configuring IP pools.

    Encryption profile

    Select an encryption profile used to apply S/MIME or IBE encryption to the email.

    Note that if you create a delivery rule that uses both IBE encryption profile and TLS profile, the TLS profile will override the IBE encryption profile and the IBE encryption will not be used. If you select an S/MIME profile here and an IBE profile in the Encryption with profile field (Profile > Content > Action), the S/MIME profile will override the IBE encryption profile.

    Click New to add a new encryption profile or Edit to modify an existing one.

    For more information, see Configuring encryption profiles and Configuring certificate bindings.

    For information about content action profiles, see Configuring content action profiles.

    Comments

    Enter a comment if necessary. The comment will appears as a mouse-over tool-tip in the ID column of the rule list.

Configuring delivery control policies

MTA IP addresses might be blocklisted if sending outgoing email at a high rate; marketing mail campaigns can cause the corporate IP addresses to be registered in DNSBL.

To solve this problem, you can rate limit email delivery when configuring domain settings (see Sender address rate control). You can also rate limit email delivery at system level.

To configure an email delivery control policy
  1. Go to Policy > Access Control > Delivery Control.
  2. Click New to add a new delivery control policy.
  3. Configure the following:
  4. GUI item

    Description

    Enabled

    Toggle to enable or disable the policy.

    Recipient domain

    Specify the recipient domain to apply the policy on. Use wildcard * to represent all recipient domains.

    Restrict the number of concurrent connections

    Specify to limit the number of concurrent connections to the above domain. 0 means no limit.

    Restrict the number of messages per connection

    Specify to limit the number of email messages to be sent for one connection session. 0 means no limit.

    Restrict the number of recipients per period (30 minutes)

    Specify to limit the number of email recipients in an interval of 30 minutes. 0 means no limit.

    Restrict the number of recipients per message

    Specify to limit the number of email recipients per message. 0 means no limit.

See also

What is a policy?

How to use policies

Incoming versus outgoing email

Which policy/profile is applied when an email has multiple recipients?