Controlling email based on IP addresses
The IP Policies section of the Policies tab lets you create policies that apply profiles to SMTP connections based on the IP addresses of SMTP clients and/or servers.
Due to the nature of relay in SMTP, an SMTP client is not necessarily always located on an email user’s computer. The SMTP client is the connection initiator; it could be, for example, another email server or a mail relay attempting to deliver email. The SMTP server, however, is always a mail relay or email server that receives the connection.
For example, if computer A opened a connection to computer B to deliver mail, A is the client and B is the server. If computer B later opened a connection to computer A to deliver a reply email, B is now the client and A is now the server.
Like access control rules, IP-based policies can reject connections based on IP address. For information about IP pools, see Configuring IP pools.
Unlike access control rules, however, IP-based policies can affect email in many ways that occur after the session’s DATA command, such as by applying antispam profiles. IP-based policies can also be overruled by recipient-based policies, and, if the FortiMail unit is operating in server mode, may match connections based on the IP address of the SMTP server, not just the SMTP client. For more information on access control rules, see Configuring access control rules.
IP-based policies can apply in addition to recipient-based policies, although recipient-based policies have precedence if the two conflict unless you enable Take precedence over recipient based policy match.
For information about how recipient-based and IP-based policies are executed and how the order of policies in the list affects the order of execution, see How to use policies.
If SMTP traffic does not match any IP-based or recipient-based policy, it is allowed, but no antivirus or antispam protection is applied to it.
Profiles used by the policy, if any, are listed in the policy table, and appear as linked text. To modify profile settings, click the name of the profile.
Domain administrators can create and modify IP-based policies. Because such policies can affect any IP address, a domain administrator could therefore create a policy that affects another domain. If you do not want to allow this, do not grant Read-Write permission to the Policy category in domain administrators’ access profiles.
To view the list of IP-based policies, go to Policy > IP Policy > IP Policy.
| GUI item | Description |
|---|---|
| Move (button) | Click a policy to select it, click Move, then select either: FortiMail units match the policies in sequence, from the top of the list downwards. |
| Enabled | Select whether or not the policy is currently in effect. |
| ID | Displays the number identifying the policy. If a comment was added when the rule was created, the comment appears as a mouse-over tooltip in this column. Note: the ID may differ from the position of the policy in the list, which indicates the order of evaluation. FortiMail units evaluate policies in sequence, and more than one policy may be applied. For details, see Order of execution of policies and Which policy/profile is applied when an email has multiple recipients? |
| Source | Displays the IP address of the SMTP source to which the policy applies. |
| Destination | Displays the IP address of the destination to which the policy applies. |
| Session | Displays the name of the session profile applied by this policy. To modify or view the profile, click its name. The profile appears in a pop-up window. For details, see Configuring session profiles. |
| AntiSpam | Displays the name of the antispam profile applied by this policy. To modify or view the profile, click its name. The profile appears in a pop-up window. For details, see Managing antispam profiles. |
| AntiVirus | Displays the name of the antivirus profile applied by this policy. To modify or view the profile, click its name. The profile appears in a pop-up window. For details, see Configuring antivirus profiles, file signatures, and antivirus action profiles. |
| Content | Displays the name of the content profile applied by this policy. To modify or view the profile, click its name. The profile appears in a pop-up window. For details, see Configuring content profiles. |
| DLP (if DLP is enabled on GUI) | Displays the name of the DLP profile applied by this policy. To modify or view the profile, click its name. The profile appears in a pop-up window. For details, see Configuring DLP profiles. |
| | Displays the name of the IP pool profile applied by this policy. The IP addresses in the IP pool are used as the source IP address for the SMTP sessions matching this policy. The IP pool profile is ignored if the Take precedence over recipient based policy match option is disabled. |
| Authentication (not in server mode) | Displays the name of the authentication profile applied by this IP policy. To modify the profile, click its name. The profile appears in a pop-up window. For details, see Configuring authentication profiles. |
| Exclusive | Indicates whether or not Take precedence over recipient based policy match is enabled in this policy. See Order of execution of policies for an explanation of that option. |
To configure an IP-based policy
- Go to Policy > IP Policy > IP Policy.
- Select New to add a policy or double-click a policy to modify it.
- Configure the following settings and then click Create. A dialog appears that varies with the operation mode.
| GUI item | Description |
|---|---|
| Enable | Select or clear to enable or disable the policy. |
| Source | You can use the following types of IP addresses of the SMTP clients to whose connections this policy will apply. To match all clients, enter |
| Destination | If the FortiMail unit runs in transparent mode, enter the IP address of the SMTP server to whose connections this policy will apply. To match all servers, enter If the FortiMail unit runs in gateway or server mode, the destination is the FortiMail unit itself. If you use virtual hosts on the FortiMail unit, however, you can specify which virtual host (IP/subnet or IP group) the email is destined to. Otherwise, you do not have to specify the destination address. |
| | Select whether to: |
| Comment | Enter a comment if necessary. The comment appears as a mouse-over tooltip in the ID column of the rule list. |
| Profiles | |
| Session | Select the name of a session profile for this policy to apply. This option is applicable only if Action is Scan. Warning: If you are configuring an IP-based policy in transparent mode, you must select a session profile for the policy to work. |
| AntiSpam | Select the name of an antispam profile for this policy to apply. This option is applicable only if Action is Scan. |
| AntiVirus | Select the name of an antivirus profile for this policy to apply. This option is applicable only if Action is Scan. |
| Content | Select the name of a content profile for this policy to apply. This option is applicable only if Action is Scan. |
| DLP (if DLP is enabled on GUI) | Select the name of a DLP profile for this policy to apply. This option is applicable only if Action is Scan. |
| IP pool | Select the name of an IP pool profile, if any, for this policy to apply. This option is applicable only if Action is Scan. For details about IP pools, see Configuring IP pools. |
| Authentication and Access (not available in server mode) | This section appears only if the FortiMail unit is operating in gateway or transparent mode. For server mode, select a resource profile instead. For more information on configuring authentication, see Workflow to enable and configure authentication of email users. |
| Authentication type | If you want the email user to authenticate using an external authentication server, select the authentication type of the profile (SMTP, POP3, IMAP, RADIUS, or LDAP). Note: In addition to specifying an authentication server for the SMTP email messages that this policy governs, configuring an Authentication profile also allows email users to authenticate when accessing their per-recipient quarantine using HTTP or HTTPS. For more information, see How to enable, configure, and use personal quarantines. |
| Authentication profile | Select an existing authentication profile to use with this policy. Click New to create one or Edit to modify the selected profile. |
| Allow SMTP authentication | Enable to allow the SMTP client to use the SMTP Disable to make SMTP authentication unavailable. This option is available only if you have selected an Authentication profile. Note: Enabling this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication. For details, see Configuring access control rules. |
| Miscellaneous | |
| Reject different SMTP sender identity for authenticated user | Enable to require that the sender uses the same identity for: authentication name, SMTP envelope Disable to remove such requirements on sender identities. By default, this feature is disabled. |
| Sender identity verification with LDAP server | In some cases, while you do not want to allow different SMTP sender identities for an authenticated user, you still want to: Then you can choose to verify the sender identity with the LDAP server. If the verification is successful, the sender is allowed to send email with different identities. Note: When the above rejection option is enabled, even though the authentication identity can be different from the sender identity upon successful LDAP verification, the envelope ( |
| | Enable to omit use of recipient-based policies for connections matching this IP-based policy. For information on how policies are executed, see How to use policies. Note that if there is no authentication profile in a recipient-based policy, but there is an authentication profile in an IP-based policy, SMTP authentication can still succeed without this feature enabled. This option is applicable only if Action is Scan. Note: Enabling this option also causes the FortiMail unit to ignore the option Hide the transparent box in the protected domain. |
See also
Example: Strict and loose IP-based policies
Example: Strict and loose IP-based policies
You have a FortiMail unit running in gateway mode to protect your internal mail server (192.168.1.1). The FortiMail unit receives email incoming to, and relays email from, the internal mail server.
You can create two IP-based policies:
- Policy 1: Enter 192.168.1.1/32 as the source IP address and 0.0.0.0/0 as the destination to match outgoing email connections from the mail server, and select a loose session profile, which may have sender reputation and other similar restrictions disabled, since the sender (that is, the source IP) will always be your mail server.
- Policy 2: Enter 0.0.0.0/0 as the source IP address and 0.0.0.0/0 as the destination IP address to match incoming email connections from all other mail servers, and select a strict session profile, which has all antispam options enabled.
You would then move policy 1 above policy 2, as policies are evaluated for a match with the connection in order of their display on the page.
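The following is an added illustration, not part of this guide and not FortiMail code: a small Python model of top-down, first-match evaluation of the two IP-based policies above, which also covers the ID table's note that list position, not policy ID, decides evaluation order. It models only the IP-policy list (source and destination CIDR match, the Enabled flag, and the session profile each policy applies) and deliberately leaves out recipient-based policies and the Take precedence option. The FortiMail address 10.0.0.2 and the external client 203.0.113.5 are constructed sample values.

```python
"""Model of ordered, first-match IP-based policy evaluation (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IpPolicy:
    policy_id: int          # the ID column; not used for ordering
    source: str             # CIDR matched against the SMTP client address
    destination: str        # CIDR matched against the SMTP server address
    session_profile: str    # profile applied when the policy matches
    enabled: bool = True    # the Enabled column

    def matches(self, client_ip: str, server_ip: str) -> bool:
        """True if the policy is enabled and both addresses fall in its CIDRs."""
        if not self.enabled:
            return False
        src_net = ipaddress.ip_network(self.source, strict=False)
        dst_net = ipaddress.ip_network(self.destination, strict=False)
        return (ipaddress.ip_address(client_ip) in src_net
                and ipaddress.ip_address(server_ip) in dst_net)


def first_match(policies: List[IpPolicy], client_ip: str, server_ip: str) -> Optional[IpPolicy]:
    """Walk the list from the top; the first matching policy wins."""
    for policy in policies:
        if policy.matches(client_ip, server_ip):
            return policy
    return None


def session_profile_for(policies: List[IpPolicy], client_ip: str, server_ip: str) -> str:
    """Name of the session profile that would be applied, or a marker when no
    IP policy matches (the page states such traffic is allowed but unscanned)."""
    policy = first_match(policies, client_ip, server_ip)
    return policy.session_profile if policy else "none (allowed, unscanned)"


# The two policies from the page's example. The mail server is 192.168.1.1.
LOOSE = IpPolicy(1, "192.168.1.1/32", "0.0.0.0/0", "loose")
STRICT = IpPolicy(2, "0.0.0.0/0", "0.0.0.0/0", "strict")

# Correct order: the narrower policy sits above the catch-all.
CORRECT_ORDER = [LOOSE, STRICT]
# Reversed order: the catch-all shadows policy 1, so the mail server
# is always scanned with the strict profile.
REVERSED_ORDER = [STRICT, LOOSE]

FORTIMAIL_IP = "10.0.0.2"        # constructed address of the FortiMail unit
EXTERNAL_CLIENT = "203.0.113.5"  # constructed external mail server


if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("reversed", REVERSED_ORDER)):
        print(f"{label} order:")
        print("  outbound from 192.168.1.1 ->",
              session_profile_for(order, "192.168.1.1", FORTIMAIL_IP))
        print("  inbound from", EXTERNAL_CLIENT, "->",
              session_profile_for(order, EXTERNAL_CLIENT, FORTIMAIL_IP))
```

Running the block prints "loose" for the internal mail server and "strict" for the external client under the correct order, and "strict" for both under the reversed order, which is the shadowing the last sentence above warns about. Disabling policy 1 has the same effect as putting it below the catch-all.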