Controlling SMTP access and delivery
The Policy > Access Control submenu lets you configure access control rules for SMTP sessions.
Unlike proxy/implicit relay pickup, which operates at the IP and TCP level, access control rules take effect at the application layer: only after the FortiMail unit has initiated or received the TCP connection and the SMTP session has begun.
Other protocols can also be restricted if the connection’s destination is the FortiMail unit. For details, see Configuring the network interfaces.
Access control rules are categorized by whether they affect the receipt or the delivery of email messages by the FortiMail unit; that is, by whether the FortiMail unit was the destination of the SMTP session (Receiving rules) or initiated it (Delivery rules). The incoming/outgoing distinction used for policies does not apply to ACLs in the same sense: what matters is not whether the domain name portion of the HELO or sender address matches a protected domain, but whether or not the FortiMail unit is the connection initiator.
See also
Configuring access control rules
Configuring access control rules
The Receiving tab displays a list of access control rules that apply to SMTP sessions being received by the FortiMail unit.
Access control rules, sometimes also called the access control list or ACL, specify whether the FortiMail unit will process and relay/proxy, reject, or discard email messages for SMTP sessions that are initiated by SMTP clients.
If a user is authenticated but no access control rule is defined, the user can still send email through FortiMail.
When an SMTP client attempts to deliver email through the FortiMail unit, the FortiMail unit compares each access control rule to the commands used by the SMTP client during the SMTP session, such as the envelope’s sender email address (MAIL FROM:), recipient email address (RCPT TO:), authentication (AUTH), and TLS (STARTTLS). Rules are evaluated for a match in the order of their list sequence, from top to bottom. If all attributes of a rule match, the FortiMail unit applies the action selected in the matching rule to the SMTP session, and no subsequent access control rules are applied.
Only one access control rule is ever applied to any given SMTP session.
If no access control rules are configured, or no matching access control rules exist, and if the SMTP client is not configured to authenticate, the FortiMail unit performs the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain (see Default implicit rules).
For information on protected domains, see Configuring protected domains.
In the absence of access control rules, the FortiMail unit prevents SMTP clients from using your protected server or FortiMail unit as an open relay: senders can deliver email incoming to protected domains, but cannot deliver email outgoing to unprotected domains.
For information on the sequence in which access control rules are used relative to other antispam methods, see Order of execution.
If you want to allow SMTP clients, such as your email users or email servers, to send email to unprotected domains, you must configure at least one access control rule. You may need to configure additional access control rules if, for example, you want to:
- discard or reject email from or to some email addresses, such as email addresses that no longer exist in your protected domain
- discard or reject email from some SMTP clients, such as a spammer that is not yet known to blocklists
Like IP-based policies, access control rules can reject connections based on IP address. Unlike IP-based policies, access control rules cannot affect email in ways that occur after the session’s DATA command, such as by applying antispam profiles.
Access control rules cannot be overruled by recipient-based policies, and cannot match connections based on the SMTP server’s IP address (by the nature of how ACL controls access to or through the FortiMail unit, the SMTP server is always the FortiMail unit itself, unless the FortiMail unit is operating in transparent mode). For more information on IP-based policies, see Controlling email based on IP addresses.
If possible, verify configuration of access control rules in a testing environment before applying them to a FortiMail unit in active use. Failure to verify correctly configured reject, discard, and accept actions can result in inability to correctly handle SMTP sessions.
Do not create an access control rule whose Sender is
To view and configure access control rules
- Go to Policy > Access Control > Receiving. The Receiving tab lists the existing rules:

GUI item | Description
---|---
Move (button) | Select a rule, click Move, then select either Up or Down, or After or Before. After or Before opens a dialog; in Move right after or Move right before, indicate the rule’s new location by entering the ID of another rule. FortiMail units match the rules in sequence, from the top of the list downwards.
Enabled | Select to enable or disable an existing rule.
ID | Displays the number identifying the rule. If a comment is added to the rule when it is created, the comment shows up as a mouse-over tool-tip in this column. Note: The ID may differ from the order in which rules appear on the page, which indicates the order of evaluation.
Sender | Displays the pattern that defines email senders for the rule.
Recipient | Displays the pattern that defines email recipients for the rule.
Source | Displays the IP address and netmask of the SMTP client attempting to deliver the email message.
Reverse DNS Pattern | Displays the pattern used in a reverse DNS look-up.
Authentication Status | Displays which authentication status is used with the rule.
TLS Profile | Displays the TLS profile, if any, used to allow or reject a connection.
Actions | Displays the action to take when SMTP sessions match the rule.

- Either click New to add an access control rule or double-click an access control rule to modify it. A dialog appears.
- Configure the following:
  - Enabled: Select whether or not the access control rule is currently in effect.
  - Sender pattern: Select how to match the envelope sender (MAIL FROM:) address:
    - Internal: Match any email address from a protected domain.
    - External: Match any email address from an unprotected domain.
    - Email Group: Match any email address in the group. If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one. For more information, see Configuring email groups.
    - LDAP Group: Match any email address in the group. If you select this option, select an LDAP profile from the LDAP Profile field.
    - LDAP Verification: Match any individual email address queried by the LDAP profile. If you select this option, select an LDAP profile from the dropdown list or click New to create a new one. In the profile’s user query string, "$s" stands for the sender address and "$m" for the recipient address. For example, to reject senders that are not in the recipient’s allowed sender list: create an ACL rule and choose LDAP Verification in the sender pattern; choose an LDAP profile whose user query string is (&(mail=$m)(!(allowedSenders=$s))); set the ACL rule action to Reject. The query matches a sender that is not in the allowedSenders list of the recipient, and the rule rejects email from such senders.
    - Regular Expression: Use regular expression syntax instead of wildcards to specify the pattern. Optionally, click Validate to test regular expressions and string text. See Using wildcards and regular expressions.
    - User Defined: Specify the email addresses. The pattern can use wildcards or regular expressions. See Appendix D: Wildcards and regular expressions. For example, the sender pattern *@example.??? will match messages sent from any email user at example.com, example.net, or any “example” domain ending with a three-letter top-level domain name.
  - Recipient pattern: Select how to match the envelope recipient (RCPT TO:) address. The options are the same as for the sender pattern: Internal, External, Email Group, LDAP Group, LDAP Verification, Regular Expression, and User Defined. For example, the User Defined recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, or any “example” domain ending with a three-letter top-level domain name.
  - Source: Select how to identify the SMTP client attempting to deliver the email message:
    - IP/Netmask: Enter the IP address and netmask of the SMTP client. Use the netmask, the portion after the slash (/), to specify the matching subnet. To match any address, enter 0.0.0.0/0.
    - IP Group: Choose an IP group. Click New to add a new group or Edit to modify an existing one. For more information, see Configuring IP groups.
    - GeoIP Group: Choose a GeoIP group. Click New to add a new group or Edit to modify an existing one. For more information, see Configuring GeoIP groups.
    - ISDB: Choose an Internet Service Database (ISDB) entry. The ISDB is an automatically updated collection of IP addresses and subnets used by popular services such as Microsoft 365 or 8x8.
  - Reverse DNS pattern: Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message. Because domain names in the SMTP session are self-reported by the connecting SMTP client and easy to fake, the FortiMail unit does not trust the domain name that the client reports. Instead, it performs a reverse DNS lookup of the client’s IP address and compares the resulting domain name to the reverse DNS pattern. If the reverse DNS query fails, the access control rule does not match. If no other access control rule matches and the recipient is not in a protected domain, the connection is rejected with SMTP reply code 550 (Relaying denied). The pattern can use wildcards or regular expressions. If you enable Regular Expression, you may optionally click Validate to test the expression. See Using wildcards and regular expressions. Note: Reverse DNS queries for access control rules require that the domain name use a valid top level domain (TLD). For example, “.lab” is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.
  - Authentication status: Select whether or not to match this access control rule based on client authentication:
    - Any: Match this access control rule regardless of whether the client has authenticated with the FortiMail unit.
    - Authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.
    - Not Authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.
  - TLS profile: Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile. Click New to add a new TLS profile or Edit to modify an existing one. For more information on TLS profiles, see Configuring TLS security profiles.
    - If the attributes match, the access control action is executed.
    - If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.
  - Action: Select which action the FortiMail unit will perform for SMTP sessions matching this access control rule:
    - DISCARD: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
    - RECEIVE: Only accept email if the recipient belongs to a protected domain or the sender is authenticated.
    - REJECT: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
    - RELAY: Relay or proxy, process, and deliver the email normally if it passes all configured scans. Do not apply greylisting.
    - SAFE: Relay or proxy and deliver the email, only if the recipient belongs to a protected domain or the sender is authenticated. All antispam profile processing is skipped, but antivirus, content, and other scans still occur.
    - SAFE & RELAY: Relay or proxy and deliver the email. All antispam profile processing is skipped, but antivirus, content, and other scans still occur.
  - Comments: Enter a comment if necessary. The comment appears as a mouse-over tool-tip in the ID column of the rule list.
- Click Create or OK.

The access control rule appears at the bottom of the list of access control rules. As a result, the FortiMail unit will evaluate it as a match for the SMTP session only if no previous access control rule matches. If you want your new rule to be evaluated before another rule, move your new access control rule to its intended position in the list.
Using wildcards and regular expressions
You can enter wildcards or regular expressions in any pattern field, such as Reverse DNS pattern, on the Access Control Rule dialog.
Optionally, before entering a regular expression, click Validate to test regular expressions and string text. General regular expression validation can be carried out under System > Utility > Regex Validator.
To use a regular expression as a pattern, first enable Regular expression, which is beside the pattern field.
If a pattern is listed on the Receiving tab with the R/ prefix, it is set to use regular expression syntax. If the pattern is listed with a -/ prefix, it does not use regular expression syntax.
Wildcard characters (* and ?) allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters. A question mark (?) represents any single character.
When configuring access control rules, do not leave any pattern fields blank. Instead, to have the FortiMail unit ignore a pattern:
- If Regular expression is disabled for the field, enter an asterisk (*) in the pattern field.
- If Regular expression is enabled for the field, enter a dot-star (.*) character sequence in the pattern field.
For example, if you enter an asterisk (*) in the Recipient Pattern field and do not enable Regular expression, the asterisk matches all recipient addresses, and therefore will not exclude any SMTP sessions from matching the access control rule.
See also
Example: Access control rules with wild cards
Example: Access control rules with regular expressions
Controlling SMTP access and delivery
Example: Access control rules with wild cards
If your protected domain, example.com, contains email addresses in the format of user1@example.com, user2@example.com, and so on, and you want to allow those email addresses to send email to any external domain as long as they authenticate their identities and use TLS, you might configure the following access control rule:
Example access control rule

Setting | Value
---|---
Sender Pattern | user*@example.com
Recipient Pattern | *
Sender IP/Netmask | 0.0.0.0/0
Reverse DNS Pattern | *
Authentication Status | authenticated
TLS Profile | tlsprofile1
Action | RELAY
See also
Configuring access control rules
Example: Access control rules with regular expressions
Controlling SMTP access and delivery
Example: Access control rules with regular expressions
Example Corporation uses a FortiMail unit operating in gateway mode, and that has been configured with only one protected domain: example.com. The FortiMail unit was configured with the access control rules illustrated in the following table.
A list of example enabled access control rules

ID | Sender Pattern | Recipient | Sender IP/Netmask | Reverse DNS Pattern | Authentication | Action
---|---|---|---|---|---|---
1 | -/* | -/user932@example.com | 0.0.0.0/0 | -/* | Any | Reject
2 | R/^\s*$ | -/* | 0.0.0.0/0 | -/* | Any | Reject
3 | -/* | -/*@example.com | 172.20.120.0/24 | -/mail.example.org | Any | Relay
4 | -/*@example.org | -/* | 0.0.0.0/0 | -/* | Any | Reject
5 | -/* | R/^user\d*@example\.com$ | 0.0.0.0/0 | -/* | Any | Relay
Rule 1
The email account of former employee user932 receives a large amount of spam. Since this employee is no longer with the company and all the user’s external contacts were informed of their new Example Corporation employee contacts, messages addressed to the former employee’s address must be spam.
Rule 1 uses only the recipient pattern. All other access control rule attributes are configured to match any value. This rule rejects all messages sent to the user932@example.com recipient email address. Rejection at the access control stage prevents these messages from being scanned for spam and viruses, saving FortiMail system resources.
This rule is placed first because it is the most specific access control rule in the list. It applies only to SMTP sessions for that single recipient address. SMTP sessions sending email to any other recipient do not match it. If a rule that matched all messages were placed at the top of the list, no rule after the first would ever be checked for a match, because the first would always match.
SMTP sessions not matching this rule are checked against the next rule.
Rule 2
Much of the spam received by the Example Corporation has no sender specified in the message envelope. Most valid email messages will have a sender email address.
Rule 2 uses only the sender pattern. The regular expression ^\s*$ matches a sender string that is empty or contains only whitespace. If any non-whitespace character appears in the sender string, this rule does not match. This rule therefore rejects all messages with no sender, or with a sender consisting only of spaces.
Not all email messages without a sender are spam, however. Delivery status notification (DSN) messages often have no specified sender. Bounce notifications are the most common type of DSN messages. The FortiMail administrators at the Example Corporation decided that the advantages of this rule outweigh the disadvantages.
Messages not matching this rule are checked against the next rule.
Rules 3 and 4
Recently, the Example Corporation has been receiving spam that appears to be sent by example.org. The FortiMail log files revealed that the sender address is being spoofed and the messages are sent from servers operated by spammers. Because spam servers often change IP addresses to avoid being blocked, the FortiMail administrators decided to use two rules to block all mail from example.org unless delivered from a server with the proper address and host name.
When legitimate, email messages from example.org are sent from one of multiple mail servers. All these servers have IP addresses within the 172.20.120.0/24 subnet and have a domain name of mail.example.org that can be verified using a reverse DNS query.
Rule 3 uses the recipient pattern, the sender IP, and the reverse DNS pattern. This rule relays messages to email users of example.com sent from a client whose reverse DNS name is mail.example.org and whose IP address lies within 172.20.120.0/24 (172.20.120.0 through 172.20.120.255).
Messages not matching this rule are checked against the next rule.
Rule 4 works in conjunction with rule 3. It uses only the sender pattern. Rule 4 rejects all messages from example.org. But because it is positioned after rule 3 in the list, rule 4 affects only messages that were not already proven to be legitimate by rule 3, thereby rejecting only email messages with a fake sender.
Rules 3 and 4 must appear in the order shown. If they were reversed, all mail from example.org would be rejected. The more specific rule 3 (accept valid mail from example.org) is placed first, and the more general rule 4 (reject all mail from example.org) follows.
Messages not matching these rules are checked against the next rule.
Rule 5
The administrator of example.com has noticed that during peak traffic, a flood of spam using random user names causes the FortiMail unit to devote a significant amount of resources to recipient verification. Verification is performed with the aid of an LDAP server, which also expends significant resources servicing these requests. Example Corporation email addresses start with “user” followed by the user’s employee number, and end with “@example.com”.
Rule 5 uses only the recipient pattern. The recipient pattern is a regular expression that matches all email addresses that start with “user”, end with “@example.com”, and have only digits in between (zero or more, since \d* also matches an empty string, so user@example.com matches as well). Email messages matching this rule are relayed.
Default implicit rules
For messages not matching any of the above rules, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain.
- For protected domains, the default action is delivery (with greylisting).
- For unprotected domains, the default action is REJECT.
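The following Python script is an added example and not part of the FortiMail documentation or product. It models the matching described above (top-down, first match wins, every attribute must match, a rule that inspects reverse DNS fails when the lookup fails, and the default implicit rules when nothing matches) together with the wildcard conventions from Using wildcards and regular expressions, then runs the five example rules against constructed SMTP sessions and shows what happens when rules 3 and 4 are swapped. The Rule and Session classes, the treatment of -/* and R/.* as “ignore this field”, the authenticated-client default, the RFC 5737 client addresses and the reverse DNS names are all assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECTED_DOMAINS = {"example.com"}   # the scenario's single protected domain

@dataclass
class Rule:
    """One Receiving-tab rule; patterns are written as the tab lists them."""
    id: int
    sender: str       # "-/<wildcard>" or "R/<regex>"
    recipient: str
    source: str       # SMTP client IP/netmask; 0.0.0.0/0 matches any client
    rdns: str         # reverse DNS pattern
    auth: str         # "Any", "Authenticated" or "Not Authenticated"
    action: str       # "Relay" or "Reject" (other actions select the same way)

@dataclass
class Session:
    """SMTP-session attributes the ACL inspects (a constructed model)."""
    mail_from: str
    rcpt_to: str
    client_ip: str
    rdns: Optional[str]         # None models a failed reverse DNS lookup
    authenticated: bool = False

def _is_ignored(pattern: str) -> bool:
    # "-/*" and "R/.*" are the documented ways to make a field match anything.
    return pattern in ("-/*", "R/.*")

def _matches(pattern: str, value: str) -> bool:
    if _is_ignored(pattern):
        return True
    if pattern.startswith("R/"):
        return re.search(pattern[2:], value) is not None
    body = pattern[2:] if pattern.startswith("-/") else pattern
    # FortiMail wildcards: '*' is one or more characters, '?' exactly one.
    regex = "".join(".+" if c == "*" else "." if c == "?" else re.escape(c) for c in body)
    return re.fullmatch(regex, value) is not None

def rule_matches(rule: Rule, s: Session) -> bool:
    """Every attribute of the rule must match the session."""
    if not _matches(rule.sender, s.mail_from) or not _matches(rule.recipient, s.rcpt_to):
        return False
    if ipaddress.ip_address(s.client_ip) not in ipaddress.ip_network(rule.source, strict=False):
        return False
    if not _is_ignored(rule.rdns):
        # A rule that inspects rDNS cannot match when the lookup failed.
        if s.rdns is None or not _matches(rule.rdns, s.rdns):
            return False
    if rule.auth == "Authenticated" and not s.authenticated:
        return False
    if rule.auth == "Not Authenticated" and s.authenticated:
        return False
    return True

def evaluate(rules: List[Rule], s: Session) -> Tuple[Optional[int], str]:
    """Top-down, first match wins; otherwise the default implicit rules apply."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.id, rule.action
    if s.authenticated:
        return None, "Relay"    # an authenticated client may send even with no ACL
    domain = s.rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in PROTECTED_DOMAINS:
        return None, "Relay"    # protected domain: deliver (with greylisting)
    return None, "Reject"       # unprotected domain: 550 Relaying denied

# The five rules of the regular-expression example above.
EXAMPLE_RULES = [
    Rule(1, "-/*", "-/user932@example.com", "0.0.0.0/0", "-/*", "Any", "Reject"),
    Rule(2, r"R/^\s*$", "-/*", "0.0.0.0/0", "-/*", "Any", "Reject"),
    Rule(3, "-/*", "-/*@example.com", "172.20.120.0/24", "-/mail.example.org", "Any", "Relay"),
    Rule(4, "-/*@example.org", "-/*", "0.0.0.0/0", "-/*", "Any", "Reject"),
    Rule(5, "-/*", r"R/^user\d*@example\.com$", "0.0.0.0/0", "-/*", "Any", "Relay"),
]

# Constructed sessions: RFC 5737 documentation addresses, made-up rDNS names.
SESSIONS = [
    Session("spam@example.net", "user932@example.com", "198.51.100.9", None),
    Session("", "alice@example.com", "198.51.100.9", "mx.example.net"),
    Session("bob@example.org", "alice@example.com", "172.20.120.5", "mail.example.org"),
    Session("bob@example.org", "alice@example.com", "203.0.113.7", "spam.example.net"),
    Session("partner@example.net", "user77@example.com", "203.0.113.8", "mx.example.net"),
    Session("alice@example.com", "bob@example.net", "198.51.100.20", "host.example.com"),
    Session("alice@example.com", "bob@example.net", "198.51.100.20", "host.example.com", True),
]

def swap_rules_3_and_4(rules: List[Rule]) -> List[Rule]:
    """The misordering the text warns about: the general reject before the specific relay."""
    return [rules[0], rules[1], rules[3], rules[2], rules[4]]

if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.mail_from or '<>':>20} -> {s.rcpt_to:<20} {s.client_ip:<14}", evaluate(EXAMPLE_RULES, s))
    print("rules 3/4 swapped:", evaluate(swap_rules_3_and_4(EXAMPLE_RULES), SESSIONS[2]))
```

Running the script shows the sixth session (an unauthenticated client sending to an unprotected domain) hitting the default Reject, the seventh (the same client, authenticated) being relayed, and legitimate mail from mail.example.org being rejected by rule 4 as soon as rules 3 and 4 are reversed.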
See also
Configuring access control rules
Example: Access control rules with wild cards
Controlling SMTP access and delivery
Configuring delivery rules
The Delivery tab displays a list of delivery rules that apply to SMTP sessions being initiated by the FortiMail unit in order to deliver email.
Delivery rules let you require TLS for the SMTP sessions the FortiMail unit initiates when sending email to other email servers. They also let you apply secure MIME (S/MIME) or identity-based encryption (IBE).
For more information about IBE, see Configuring IBE encryption.
When initiating an SMTP session, the FortiMail unit compares each delivery rule to the domain name portion of the envelope recipient address (RCPT TO:). Rules are evaluated for a match in the order of their list sequence, from top to bottom. If a matching delivery rule does not exist, the email message is delivered. If a match is found, the FortiMail unit compares the TLS profile settings to the connection attributes and the email message is sent or the connection is not allowed, depending on the result; if an encryption profile is selected, its settings are applied. No subsequent delivery rules are applied. Only one delivery rule is ever applied to any given SMTP session.
If you are using a delivery rule to apply S/MIME encryption, the destination of the connection can be another FortiMail unit, but it could alternatively be any email gateway or server, as long as either:
- the destination’s MTA or mail server, or
- the recipient’s MUA
supports S/MIME and holds the private key corresponding to the recipient certificate that the FortiMail unit encrypted the message to; that private key is what is needed to decrypt the email (the sender’s certificate and public key are needed only to verify the signature). Otherwise, the recipient cannot read the email.
To configure a delivery rule list
- Go to Policy > Access Control > Delivery. The Delivery tab lists the existing rules:

GUI item | Description
---|---
Move (button) | Click a delivery rule to select it, click Move, then select either the direction in which to move the selected rule (Up or Down), or After or Before; then in Move right after or Move right before indicate the rule’s new location by entering the ID of another delivery rule. FortiMail units match the rules in sequence, from the top of the list downwards.
Enabled | Indicates whether or not the delivery rule is currently in effect. To disable a delivery rule, select the button, then click Yes to confirm.
ID | Displays the number identifying the rule. If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column. Note: The ID may differ from the order in which rules appear on the page, which indicates the order of evaluation. FortiMail units evaluate delivery rules in sequence; only the topmost matching delivery rule is applied.
Sender Pattern | Displays the complete or partial envelope sender email address to match.
Recipient Pattern | Displays the complete or partial envelope recipient email address to match.
TLS Destination IP | Displays the IP address and netmask of the system to which the FortiMail is sending the email message.
TLS Profile | Displays the TLS profile, if any, used to allow or reject a connection. To edit the TLS profile, click its name. For details, see Configuring security profiles.
IP Pool Profile | Displays the IP pool profile that FortiMail uses as its local IP address when communicating with destination mail servers.
Encryption Profile | Indicates the encryption profile used to apply S/MIME or IBE encryption to the email. To edit the encryption profile, click its name. For details, see Configuring encryption profiles.

- Either click New to add a delivery rule or double-click a delivery rule to modify it. A dialog appears.
- Configure the following:
  - Enabled: Select whether or not the delivery rule is currently in effect.
  - Sender pattern: Enter a complete or partial envelope sender (MAIL FROM:) address to match. Wild card characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.
  - Recipient pattern: Enter a complete or partial envelope recipient (RCPT TO:) address to match. The same wild card characters apply.
  - TLS Destination IP/netmask: Enter the IP address and netmask of the system to which the FortiMail unit is sending the email message using a TLS connection. Use the netmask, the portion after the slash (/), to specify the matching subnet. To match any address, enter 0.0.0.0/0. Note: This field is not used when considering whether or not to apply an encryption profile.
  - TLS profile: Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile. Click New to add a new TLS profile or Edit to modify an existing one. For more information on TLS profiles, see Configuring TLS security profiles.
    - If the attributes match, the email message is sent.
    - If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.
  - IP pool profile: Starting from the 6.2 release, you can specify an IP pool profile so that FortiMail uses an IP address in the pool as its local IP address when communicating with destination mail servers. For details about IP pools, see Configuring IP pools.
  - Encryption profile: Select an encryption profile used to apply S/MIME or IBE encryption to the email. Note that if you create a delivery rule that uses both an IBE encryption profile and a TLS profile, the TLS profile overrides the IBE encryption profile and IBE encryption is not used. If you select an S/MIME profile here and an IBE profile in the Encryption with profile field (Profile > Content > Action), the S/MIME profile overrides the IBE encryption profile. Click New to add a new encryption profile or Edit to modify an existing one. For more information, see Configuring encryption profiles and Configuring certificate bindings. For information about content action profiles, see Configuring content action profiles.
  - Comments: Enter a comment if necessary. The comment appears as a mouse-over tool-tip in the ID column of the rule list.
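As an added example, not code from the FortiMail documentation or product, the following Python script models how the delivery rule list is applied: first match on sender and recipient pattern, the TLS profile enforced only when the destination falls within the rule’s TLS Destination IP/netmask, and the two precedence rules for encryption profiles stated above (a TLS profile on the same rule overrides IBE; an S/MIME profile on the rule overrides IBE chosen by a content action profile). The TLSProfile fields (require_tls, require_valid_cert, failure_action), the reading that the TLS destination IP gates only the TLS check, the use of Python’s fnmatch for wildcards (where * also matches an empty string), and the sample rules and addresses are assumptions made for this example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TLSProfile:
    """Hypothetical stand-in for a TLS profile: two checks and its Failure action."""
    name: str
    require_tls: bool          # the peer must offer STARTTLS
    require_valid_cert: bool   # the peer's certificate must verify
    failure_action: str        # e.g. "Fail" or "Temporarily fail" (names assumed)

@dataclass
class DeliveryRule:
    id: int
    sender: str                # wildcard patterns, matched with fnmatch here
    recipient: str
    tls_dest: str              # TLS Destination IP/netmask; 0.0.0.0/0 for any
    tls_profile: Optional[TLSProfile] = None
    encryption: Optional[str] = None   # "S/MIME" or "IBE" encryption profile

@dataclass
class Outbound:
    """One message the unit is about to deliver (constructed model)."""
    mail_from: str
    rcpt_to: str
    dest_ip: str
    peer_offers_tls: bool
    peer_cert_valid: bool
    content_action_encryption: Optional[str] = None   # IBE chosen by a content action profile

def apply_delivery_rules(rules: List[DeliveryRule], msg: Outbound) -> dict:
    """First matching rule wins; no match means plain delivery with no TLS requirement."""
    for rule in rules:
        if not (fnmatch.fnmatchcase(msg.mail_from, rule.sender)
                and fnmatch.fnmatchcase(msg.rcpt_to, rule.recipient)):
            continue
        result = {"rule": rule.id, "deliver": True, "tls_enforced": False, "encryption": None}
        # The TLS destination IP gates only the TLS check, not the encryption profile.
        dest_ok = ipaddress.ip_address(msg.dest_ip) in ipaddress.ip_network(rule.tls_dest, strict=False)
        if rule.tls_profile is not None and dest_ok:
            p = rule.tls_profile
            tls_ok = ((msg.peer_offers_tls or not p.require_tls)
                      and (msg.peer_cert_valid or not p.require_valid_cert))
            if not tls_ok:
                result.update(deliver=False, failure=p.failure_action)
                return result
            result["tls_enforced"] = True
        encryption = rule.encryption
        if encryption == "IBE" and rule.tls_profile is not None:
            encryption = None   # documented precedence: the TLS profile overrides IBE
        elif encryption is None:
            encryption = msg.content_action_encryption
        # An S/MIME profile on the rule is kept even if a content action chose IBE.
        result["encryption"] = encryption
        return result
    return {"rule": None, "deliver": True, "tls_enforced": False,
            "encryption": msg.content_action_encryption}

STRICT_TLS = TLSProfile("strict-tls", require_tls=True, require_valid_cert=True, failure_action="Fail")

# Constructed rules: enforce TLS to a partner, TLS plus IBE to a bank (the IBE is lost),
# and S/MIME to outside counsel.
RULES = [
    DeliveryRule(1, "*", "*@partner.example", "203.0.113.0/24", tls_profile=STRICT_TLS),
    DeliveryRule(2, "*", "*@bank.example", "0.0.0.0/0", tls_profile=STRICT_TLS, encryption="IBE"),
    DeliveryRule(3, "*", "*@law.example", "0.0.0.0/0", encryption="S/MIME"),
]

if __name__ == "__main__":
    cases = [
        Outbound("a@example.com", "x@partner.example", "203.0.113.10", True, True),
        Outbound("a@example.com", "x@partner.example", "203.0.113.10", False, False),
        Outbound("a@example.com", "x@bank.example", "198.51.100.5", True, True),
        Outbound("a@example.com", "x@law.example", "198.51.100.6", True, True, "IBE"),
        Outbound("a@example.com", "x@other.example", "198.51.100.7", False, False, "IBE"),
    ]
    for c in cases:
        print(c.rcpt_to, apply_delivery_rules(RULES, c))
```

The second rule is the one to look at: it reads as if mail to bank.example gets both transport encryption and IBE, but by the documented precedence the IBE profile is silently not used, so the message is protected only in transit. If both are wanted, put the IBE profile on a content action profile rather than on a delivery rule that also carries a TLS profile.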
Configuring delivery control policies
MTA IP addresses might be blocklisted if sending outgoing email at a high rate; marketing mail campaigns can cause the corporate IP addresses to be registered in DNSBL.
To solve this problem, you can rate limit email delivery when configuring domain settings (see Sender address rate control). You can also rate limit email delivery at system level.
To configure an email delivery control policy
- Go to Policy > Access Control > Delivery Control.
- Click New to add a new delivery control policy.
- Configure the following:

GUI item | Description
---|---
Enabled | Toggle to enable or disable the policy.
Recipient domain | Specify the recipient domain to apply the policy to. Use the wildcard * to represent all recipient domains.
Restrict the number of concurrent connections | Limit the number of concurrent connections to the above domain. 0 means no limit.
Restrict the number of messages per connection | Limit the number of email messages sent in one connection session. 0 means no limit.
Restrict the number of recipients per period (30 minutes) | Limit the number of email recipients in an interval of 30 minutes. 0 means no limit.
Restrict the number of recipients per message | Limit the number of email recipients per message. 0 means no limit.
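The following Python script is an added example, not part of the FortiMail documentation or product, showing how the four limits above compose for a queue of outbound messages to one domain: a message with more recipients than allowed is split into several envelopes, envelopes are packed into connections of at most the configured number of messages, the number of connections run at once is capped, and recipients beyond the 30-minute budget are deferred to the next period. That a policy is chosen by first match in list order and that oversized messages are split rather than refused are assumptions; the policy values and the queue are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class DeliveryControlPolicy:
    recipient_domain: str                  # wildcard; '*' represents all recipient domains
    max_concurrent_connections: int = 0    # 0 means no limit, as on the Delivery Control page
    max_messages_per_connection: int = 0
    max_recipients_per_period: int = 0     # per 30-minute period
    max_recipients_per_message: int = 0

Envelope = Tuple[str, List[str]]   # (message id, recipient addresses)

def select_policy(policies: List[DeliveryControlPolicy], domain: str) -> Optional[DeliveryControlPolicy]:
    """First policy whose recipient domain pattern matches (list order assumed)."""
    for p in policies:
        if fnmatch.fnmatchcase(domain, p.recipient_domain):
            return p
    return None

def plan_delivery(policy: DeliveryControlPolicy, queue: List[Envelope],
                  sent_this_period: int = 0) -> Dict:
    """Pack queued messages for one domain into connections under the policy's limits.

    Returns the connections to open (each a list of envelopes), how many rounds of
    concurrent connections they need, and the envelopes deferred to the next period.
    """
    budget = (None if policy.max_recipients_per_period == 0
              else max(policy.max_recipients_per_period - sent_this_period, 0))
    envelopes: List[Envelope] = []
    deferred: List[Envelope] = []
    for msg_id, rcpts in queue:
        if not rcpts:
            continue
        # Oversized messages are split into several envelopes of at most N recipients.
        size = len(rcpts) if policy.max_recipients_per_message == 0 else policy.max_recipients_per_message
        for i in range(0, len(rcpts), size):
            part = rcpts[i:i + size]
            if budget is not None and len(part) > budget:
                deferred.append((msg_id, part))      # would exceed the 30-minute budget
                continue
            if budget is not None:
                budget -= len(part)
            envelopes.append((msg_id, part))
    per_conn = policy.max_messages_per_connection or max(len(envelopes), 1)
    connections = [envelopes[i:i + per_conn] for i in range(0, len(envelopes), per_conn)]
    concurrent = policy.max_concurrent_connections or max(len(connections), 1)
    rounds = -(-len(connections) // concurrent)     # ceiling division
    return {"connections": connections, "rounds": rounds, "deferred": deferred,
            "recipients_sent": sum(len(r) for _, r in envelopes)}

# Constructed policy list and queue: a small campaign to one domain.
POLICIES = [
    DeliveryControlPolicy("bulk.example", max_concurrent_connections=2,
                          max_messages_per_connection=3, max_recipients_per_period=20,
                          max_recipients_per_message=5),
    DeliveryControlPolicy("*"),   # everything else: no limits
]
QUEUE: List[Envelope] = [
    ("m1", [f"u{i}@bulk.example" for i in range(12)]),
    ("m2", [f"v{i}@bulk.example" for i in range(3)]),
    ("m3", [f"w{i}@bulk.example" for i in range(4)]),
    ("m4", [f"x{i}@bulk.example" for i in range(6)]),
]

if __name__ == "__main__":
    plan = plan_delivery(select_policy(POLICIES, "bulk.example"), QUEUE)
    for n, conn in enumerate(plan["connections"], 1):
        print(f"connection {n}:", [(m, len(r)) for m, r in conn])
    print("rounds:", plan["rounds"], "sent:", plan["recipients_sent"],
          "deferred:", [(m, len(r)) for m, r in plan["deferred"]])
```

With the constructed policy, the 25 queued recipients become six envelopes in two connections, 20 recipients go out in the current period, and one five-recipient envelope of m4 is held back until the next 30-minute period; the same queue under the catch-all policy goes out in a single connection with nothing deferred.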
See also
Incoming versus outgoing email
Which policy/profile is applied when an email has multiple recipients?