How FortiMail processes email
FortiMail units receive email for defined email domains and control relay of email to other domains. Email passing through the FortiMail unit can be scanned for viruses and spam. Policies and profiles govern how the FortiMail unit scans email and what it does with email messages containing viruses or spam. For information about policies, see Configuring policies. For information about profiles, see Configuring profiles.
In addition to policies and profiles, other configured items, such as email domains, may affect how your FortiMail unit processes email.
See also:
- Email domains
- Access control rules
- Recipient address verification
- Disclaimer messages and customized appearance
- Advanced delivery features
- Antispam techniques
- Order of execution
Email domains
An email domain is a set of email accounts that reside on a particular email server. The email domain name is the portion of the user’s email address following the “@” symbol.
FortiMail units can be configured to protect email domains (referred to as “protected domains” in this Administration Guide) by defining policies and profiles to scan and relay incoming and outgoing email.
If the FortiMail unit is operating in gateway mode or transparent mode, there is one local email domain that represents the FortiMail unit itself. If the FortiMail unit is operating in server mode, protected domains reside locally on the FortiMail unit’s built-in email server.
For information about creating protected domains, see Configuring protected domains.
In transparent mode, each network interface includes a proxy and/or implicit MTA that receives and relays email. By default, the proxy/implicit MTA responds to SMTP greetings (HELO
/EHLO
) using the host name of the SMTP server of the protected domain. This “masquerade” hides the existence of the FortiMail unit. For information on configuring the SMTP greeting, see Configuring protected domains.
Access control rules
The access control rules allow you to control how email messages move to, from, and through the FortiMail unit. Using access control rules the FortiMail unit can analyze email messages and take action based on the result. Messages can be examined according to the sender email address, recipient email address, and the IP address or host name of the system delivering the email message.
Each access control rule specifies an action to be taken for matching email.
For information about configuring access control rules, see Configuring access control rules.
Recipient address verification
Recipient address verification ensures that the FortiMail unit rejects email with invalid recipients and does not scan or send them to the protected email server. This verification can reduce the load on the FortiMail unit when a spammer tries to send messages to every possible recipient name on the email server.
If you want to use recipient address verification, you need to verify email recipient addresses by using either the email server or an LDAP server.
Usually you can use the email server to perform address verification. This works with most email servers that provide a User unknown
response to invalid addresses.
For instructions on configuring recipient address verification, see Configuring protected domains.
Disclaimer messages and customized appearance
You can customize both the disclaimer and replacement messages, as well as the appearance of the FortiMail unit interface.
The disclaimer message is attached to all email, generally warning the recipient the contents may be confidential.
Replacement messages are messages recipients receive instead of their email. These can include warnings about messages sent and incoming messages that are spam or infected with a virus. See Customizing replacement messages.
You can customize the appearance of the FortiMail unit web pages visible to mail administrators to better match a company look and feel. See Customizing the GUI appearance.
Advanced delivery features
Processing email takes time. Processing delays can cause clients and servers to time out. To reduce this problem, you can:
- defer delivery to process oversized email at a time when traffic is expected to be light
- send delivery status notifications (DSN)
For full configuration and procedural details regarding oversized emails, see the Cookbook recipe Downloading oversized email attachments.
Antispam techniques
Spam detection is a key feature of the FortiMail unit. The feature is based on two tiers of spam defense:
Each tier plays an important role in separating spam from legitimate email. FortiGuard Antispam delivers a highly-tuned managed service for the classification of spam while the FortiMail unit offers superior antispam detection and control technologies.
In addition to scanning incoming email messages, FortiMail units can also inspect the content of outgoing email messages. This can help eliminate the possibility that an employee or a compromised computer could send spam, resulting in the blocklisting of your organization’s email servers.
For more information on FortiMail antispam techniques, see Configuring profiles and Configuring security settings.
FortiMail antispam techniques
The following table highlights some of the FortiMail antispam techniques. For information about how these techniques are executed, see Order of execution.
FortiMail antispam technique highlights
Greylist scanning |
|
DNSBL scanning |
In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS Blocklist servers. |
SURBL scanning |
In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block Lists servers. See Configuring SURBL options. |
Bayesian scanning |
|
Heuristic scanning |
|
Image spam scanning |
|
PDF scanning |
|
Block/safe lists |
|
Banned word scanning |
|
Safe list word scanning |
|
Sender reputation |
FortiGuard Antispam service
The FortiGuard Antispam service is a Fortinet-managed service that provides a three-element approach to screening email messages.
The first element is a DNS Block List (DNSBL) which is a “living” list of known spam origins.
The second element is in-depth email screening based on a Uniform Resource Identifier (URL) contained in the message body – commonly known as Spam URL Realtime Block Lists (SURBLs).
The third element is the FortiGuard Antispam Spam Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a hash of an email to the FortiGuard Antispam server which compares the hash to hashes of known spam messages stored in the FortiGuard Antispam database. If the hash results match, the email is flagged as spam.
FortiGuard query results can be cached in memory to save network bandwidth.
To achieve up-to-date real-time identification, the FortiGuard Antispam service uses globally distributed spam probes that receive over one million spam messages per day. The FortiGuard Antispam service uses multiple layers of identification processes to produce an up-to-date list of spam origins. To further enhance the service and streamline performance, the FortiGuard Antispam service continuously retests each of the “known” identities in the list to determine the state of the origin (active or inactive). If a known spam origin has been decommissioned, the FortiGuard Antispam service removes the origin from the list, thus providing customers with both accuracy and performance.
The FortiMail FortiGuard Antispam DNSBL scanning process works this way:
- Incoming email (SMTP) connections are directed to the FortiMail unit.
- Upon receiving the inbound SMTP connection request, the FortiMail unit extracts the source information (sending server’s domain name and IP address).
- The FortiMail unit transmits the extracted source information to Fortinet’s FortiGuard Antispam service using a secure communication method.
- The FortiGuard Antispam service checks the sender’s source information against its DNSBL database of known spam sources and sends the results back to the FortiMail unit.
- The results are cached on the FortiMail unit.
- If the results identify the source as a known spam source, the FortiMail unit acts according to its configured policy.
- The cache on the FortiMail unit is checked for additional connection attempts from the same source. The FortiMail unit does not need to contact the FortiGuard Antispam service if the results of a previous connection attempt are cached.
- Additional connection requests from the same source do not need to be submitted to the FortiGuard Antispam service again because the classification is stored in the system cache.
Once the incoming connection has passed the first pass scan (DNSBL), and has not been classified as spam, it will then go through a second pass scan (SURBL) if the administrator has configured the service.
To detect spam based on the message body URLs (usually web sites), Fortinet uses FortiGuard Antispam SURBL technology. Complementing the DNSBL component, which blocks messages based on spam origin, SURBL technology blocks messages that have spam hosts mentioned in message bodies. By scanning the message body, SURBL is able to determine if the message is a known spam message regardless of origin. This augments the DNSBL technology by detecting spam messages from a spam source that may be dynamic, or a spam source that is yet unknown to the DNSBL service. The combination of both technologies provides a superior managed service with higher detection rates than traditional DNSBLs or SURBLs alone.
The FortiMail FortiGuard Antispam SURBL scanning process works this way:
- After accepting an incoming SMTP connection (passed first-pass scan), the email message is received.
- After an incoming SMTP connection has passed the DNSBL scan, the FortiMail unit accepts delivery of email messages.
- The FortiMail unit generates a signature (URL) based on the contents of the received email message.
- The FortiMail unit transmits the signature to the FortiGuard Antispam service.
- The FortiGuard Antispam service checks the email signature against its SURBL database of known signatures and sends the results back to the FortiMail unit.
- The results are cached on the FortiMail unit.
- If the results identify the signature as known spam email content, the FortiMail unit acts according to its configured policy.
- Additional connection requests with the same email signature do not need to be re-classified by the FortiGuard Antispam service, and can be checked against the classification in the system cache.
- Additional messages with the same signature do not need to be submitted to the FortiGuard Antispam service again because the signature classification is stored in the system cache.
Once the message has passed both elements (DNSBL and SURBL), it goes to the next layer of defense; the FortiMail unit that includes additional spam classification technologies.
Order of execution
FortiMail units perform each of the antispam scanning and other actions listed in the sequence presented in the following table. Disabled scans are skipped. This is a general sequence only and actions are based on the results of many factors.
This table does not include everything the FortiMail unit does when a client connects to deliver email. Only the antispam techniques, and other functions having an effect on the antispam techniques, are included. Other non-antispam functions may be running in parallel to the ones in the table. |
FortiMail actions can be categorized as following:
Exceptions:
|
The PDF file type scan does not appear in this table. When enabled, the PDF file type converts the first page of any PDF attachments into to a format the heuristic, banned word, and image spam scanners can scan. If any of these scanners are enabled, they will scan the first page of the PDF at the same time they examine the message body, according to the sequence in the table below. |
Execution sequence of antispam techniques
Check |
Check Involves |
Action If Positive |
Action If Negative |
---|---|---|---|
Client initiates communication with the FortiMail unit |
|||
Sender reputation |
Client IP address |
If the client IP is in the sender reputation database, check the score and enable any appropriate restrictions, if any. |
Add the IP address to the sender reputation database and keep a reputation score based on the email received. Proceed to the next check. |
FortiGuard block IP check |
Client IP address |
If the “Check FortiGuard Block IP at connection phase” is enabled in a session profile, FortiMail will check the client IP address against the FortiGuard block IP list. If positive, FortiMail rejects the email. |
Proceed to the next check. |
Endpoint reputation |
Client endpoint ID |
If the client endpoint ID is in the sender reputation database, check the score and enable any appropriate restrictions, if any.
|
Add the IP address to the endpoint reputation database and keep a reputation score based on the email received. Proceed to the next check. |
Sender rate control per connection |
Client IP address |
Apply any connection limitations specified in the session profile. Proceed to the next check. |
In there are no connection limitations, or if no session profile applies, proceed to the next check. |
HELO/EHLO |
If invalid characters appear in the domain, reject the |
Proceed to the next check. |
|
Sender rate control per message |
Client IP address |
Apply any connection limitations specified in the session profile. Proceed to the next check. |
In there are no connection limitations, or if no session profile applies, proceed to the next check. |
Sender domain check |
If any of the domain checks (the Check sender domain and Reject empty domains checks listed in Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which particular check failed. |
Proceed to the next check. |
|
System safe list (Phase I) |
Client IP address and email address/domain of the envelope sender ( |
If the client IP or email address/domain of the sender appear in the system safe list, deliver the email and cancel remaining antispam checks (but not the antivirus and content checks). |
Proceed to the next check. |
System block list (Phase I) |
Client IP address and email address/domain of the envelope sender ( |
If the client IP or email address/domain of the sender appear in the system block list, invoke the block list action for the email. |
Proceed to the next check. |
Session sender safe list (Phase I) |
Client IP address and email address/domain of the envelope sender ( |
If the client IP or email address/domain of the sender appear in the session safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). |
Proceed to the next check. |
Session sender block list (Phase I) |
Client IP address and email address/domain of the envelope sender ( |
If the client IP or email address/domain of the sender appear in the session block list, invoke the block list action for the message. |
Proceed to the next check. |
Authentication difference check |
|
Checks to see if the sender email address in the SMTP envelope matches the authenticated user name. If not allowed in the IP-based policy, the email will be rejected. |
Proceed to the next check. |
Bounce Verification |
Apply actions specified in the bounce verification settings. |
Proceed to the next check. |
|
Access control rules |
Client IP address, envelope sender and recipient ( |
If the combination of client IP, the domain/email address of the sender, and the domain/email of the recipient matches an access control rule (Policy > Access Control > Receiving), the FortiMail unit performs the action selected in the access control rule, which is one of the following:
|
If a matching access control rule does not exist, and if the recipient is a member of a protected domain, the default action is RELAY; if the recipient is not a member of a protected domain, the default action is REJECT. For more information, see Configuring access control rules. |
Recipient domain check |
If any of the domain checks (the Check recipient domain and Reject if recipient and helo domain match but sender domain is different checks listed in Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which check failed. |
Proceed to the next check. |
|
Session recipient safe list |
If the recipient appears in the session recipient safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). |
Proceed to the next check. |
|
Session recipient block list |
If the recipient appears in the session recipient block list, reject the message. |
Proceed to the next check. |
|
Recipient verification |
If the recipient is unknown, reject the message. |
Proceed to the next check. |
|
Greylist |
Envelope sender ( |
If the sender is in the greylist database or if the client IP subnet appears in the greylist exempt list, the message is passed to the next check. Note: This check is omitted if the access control rule’s action is RELAY. |
If the sender is not in the greylist database, a temporary failure code is returned to the SMTP client. |
System safe list (Phase II) |
Message header sender ( |
If the email address/domain of the sender appears in the system safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). |
Proceed to the next check. |
System block list (Phase II) |
Message header sender ( |
If the email address/domain of the sender appears in the system block list, invoke the block list action for the message. |
Proceed to the next check. |
Domain safe list |
Client IP, envelope sender ( |
If the client IP, email address/domain of the sender appears in the domain safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). |
Proceed to the next check.
|
Domain block list |
Client IP, envelope sender ( |
If the client IP, email address/domain of the sender appears in the domain block list, invoke the block list action for the message. |
Proceed to the next check.
|
Session sender safe list (Phase II) |
Message header sender ( |
If the email address/domain of the sender appears in the session sender safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). |
Proceed to the next check. |
Session sender block list (Phase II) |
Message header sender ( |
If the email address/domain of the sender appears in the session sender block list, the block list action is invoked. |
Proceed to the next check. |
Personal safe list |
Client IP, envelope sender ( |
If the client IP, email address/domain of the sender appears in the personal safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). |
Proceed to the next check. |
Personal block list |
Client IP, envelope sender ( |
If the client IP, email address/domain of the sender appears in the personal block list, the message is discarded. |
Proceed to the next check. |
Antivirus |
Message body and attachments |
If an infected message is detected, and the antispam profile is configured to treat viruses as spam, the default spam action will be invoked on the infected message. |
Proceed to the next check. |
Safe List Word |
Message subject and/or body |
If the safelisted word scanner determines that the message is not spam, deliver the message and cancel remaining antispam checks. |
Proceed to the next check. |
FortiGuard Antispam |
Message header and body |
If the FortiGuard scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. No further antispam checking will be performed. |
Proceed to the next check.
|
DMARC |
Client IP address |
DMARC performs email authentication with SPF and DKIM checking. If failed, treat the email as spam. |
Proceed to the next check.
|
SPF check |
Client IP address |
This option compares the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408). If failed, treat the email as spam. |
Proceed to the next check.
|
Spam outbreak protection |
Message header and body |
If the FortiGuard scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check.
|
Behavior analysis |
Message body |
If the scanner determines the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Impersonation analysis |
Message header |
If the scanner determines the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Banned Word |
Message subject and/or body |
If the banned word scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Dictionary |
Message body |
If the dictionary scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
DNSBL |
Client IP address |
If the DNSBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
SURBL |
Every URL in the message body |
If the SURBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Heuristic |
Message body |
If the heuristic antispam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Image Spam |
Embedded images If Aggressive scan is enabled, attached images are also examined. |
If the image spam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Header analysis |
Message header |
If the header analysis scan determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Bayesian |
Message body |
If the Bayesian scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Suspicious Newsletter |
Message header and body |
If the newsletter scan determines that the message is a newsletter, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
Content |
Message header, body, and attachment |
If the content scanner determines that the message is spam or prohibited, the action configured in the content profile individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. |
Proceed to the next check. |
DLP |
Message header, body, and attachment |
Apply the action configured in the DLP profile. |
Deliver the message. |