A policy defines which way traffic will be filtered. It may also define user account settings, such as authentication type, disk quota, and access to webmail.
After creating the antispam, antivirus, content, authentication, TLS, or resource profiles (see Configuring profiles), you need to apply them to policies for them to take effect.
FortiMail units support three types of policies:
- Access control and delivery rules that are typical to SMTP relays and servers (see Controlling SMTP access and delivery)
- Recipient-based policies (see Controlling email based on sender and recipient addresses)
- IP-based policies (see Controlling email based on IP addresses)
Recipient-based policies versus IP-based policies
The FortiMail unit applies these based on the recipient’s email address or the recipient’s user group. May also define authenticated webmail or POP3 access by that email user to their per-recipient quarantine. Since version 4.0, the recipient-based policies also check sender patterns.
There are two types of recipient-based policies: inbound and outbound. The FortiMail unit applies inbound policies to the incoming mail messages and outbound policies to the outgoing mail messages.
Whether the email is inbound or outbound is decided by the domain name in the recipient’s email address. If the domain is a protected domain, the FortiMail unit considers the message to be inbound and applies the first matching inbound recipient-based policy. If the recipient domain is not a protected domain, the message is considered to be outbound, and applies outbound recipient-based policy.
To be more specific, the FortiMail unit actually matches the recipient domain’s IP address with the IP list of the protected SMTP servers where the protected domains reside. If there is an IP match, the domain is deemed protected and the email destined to this domain is considered to be inbound. If there is no IP match, the domain is deemed unprotected and the email destined to this domain is considered to be outbound.
IP-based policies are not divided into inbound and outbound types. The client IP address and, for transparent mode, the server IP address are only used to determine whether or not the IP-based policy matches.