Fortinet white logo
Fortinet white logo

Administration Guide

Controlling email based on sender and recipient addresses

Controlling email based on sender and recipient addresses

Go to Policy > Recipient Policy to create recipient-based policies based on the incoming or outgoing directionality of an email message with respect to the protected domain.

Recipient-based policies have precedence if an IP-based policy is also applicable but conflicts. Exceptions include IP-based policies where you have enabled Take precedence over recipient based policy match. For information about how recipient-based and IP-based policies are executed and how the order of polices affects the execution, see How to use policies.

Note

If the FortiMail unit protects many domains, and therefore creating recipient-based policies would be very time-consuming, such as it might be for an Internet service provider (ISP), consider configuring only IP-based policies. For details, see Controlling email based on IP addresses.
Alternatively, consider configuring recipient-based policies only for exceptions that must be treated differently than indicated by the IP-based policy.

Profiles used by the policy, if any, are listed in the policy table, and appear as linked text. To modify profile settings, click the name of the profile.

Before you can configure a recipient policy, you first must have configured:

About the default system policy

Starting from FortiMail 5.4.0, an inbound and outbound default system-level recipient policy has been added. If enabled, the default system policy will be checked before any other policies. If the email matches the default system policy, no other policies will be checked.

The default system policy provides the following conveniences:

  • If many domains will be using identical policies, you can just modify the default system policy for the domains to use.
  • When troubleshooting profiles and policies, you can temporarily use the system policy for all domains while disabling other policies, so that you can examine the profiles and policies.

If the system policies are not visible, turn on the Show system policy switch.

To view recipient-based policies

Go to Policy > Recipient Policy > Inbound or Policy > Recipient Policy > Outbound to view a list of applicable policies.

GUI item

Description

Move

(button)

FortiMail units match the policies for each domain in sequence, from the top of the list downwards. Therefore, you must put the more specific policies on top of the more generic ones.

To move a policy in the policy list:

  1. Select a domain.
  2. Note: If Domain is set to All, the Move button is disabled. When Domain is set to a particular domain, Show system policy must be disabled in order to move domain policies.

  3. Click a policy to select it.
  4. Click Move, then select either:
  • the direction in which to move the selected policy (Up or Down), or
  • After or Before, then in Move right after or Move right before indicate the policy’s new location by entering the ID of another policy.

Domain

(dropdown list)

  • All: Select to display both system-level and domain-level policies.
  • System: Select to display system-level policies.
  • <domain>: Select one domain to display this domain’s policies.

Use the Show system policy switch to display or hide the system-level policies when you view all policies or domain-level policies.

If you are a domain administrator, you can only see the domains that are permitted by your administrator profile.

Enabled

Select whether or not the policy is currently in effect.

ID

Displays the number identifying the policy.

If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.

Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.

FortiMail units evaluate policies in sequence. More than one policy may be applied. For details, see Order of execution of policies and Which policy/profile is applied when an email has multiple recipients?

Domain Name

(column)

Indicates which part the policy is used for: either system wide or a specific protected domain.

Sender Pattern

A sender email address (MAIL FROM:) as it appears in the envelope or a regular expression pattern to match sender email addresses. See also Syntax.

Recipient Pattern

A recipient email address (RCPT TO:) as it appears in the envelope or a regular expression pattern to match recipient email addresses. See also Syntax.

AntiSpam

Displays the antispam profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring antispam profiles.

AntiVirus

Displays the antivirus profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring antivirus profiles, file signatures, and actions.

Content

Displays the content profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring content profiles.

DLP

(if DLP is enable on GUI)

Displays the DLP profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring data loss prevention.

Resource

(server mode and gateway mode)

Displays the resource profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring resource profiles.

Authentication

(not in server mode; inbound only)

Displays the authentication profile selected for the matching recipients.

To modify or view a profile, click its name.The profile appears in a pop-up window. For details, see Configuring authentication profiles or Configuring LDAP profiles.

To configure recipient-based policies
  1. Go to Policy > Recipient Policy > Inbound or Policy > Recipient Policy > Outbound, either click New to add a policy or double-click a policy to modify it.
  2. Select Enable to determine whether or not the policy is in effect.
  3. For Domain, select either System or the domain name that this profile will be used for.
  4. Enter a comment if necessary. The comment will appears as a mouse-over tooltip in the ID column of the rule list.
  5. Configure the following:

Configuring the sender and recipient patterns

Configure the Sender and Recipient sections.

GUI item

Description

Type

Select one of the following ways to define sender or recipient email addresses that match this policy:

  • User (wildcard): Enter a sender/recipient email address. Wild card characters allow you to enter patterns that can match multiple email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.
  • User (regex): Enter a sender/recipient as a regular expression pattern, such as *@example.com.
  • Optionally, before entering a regular expression, click Validate to test regular expressions and string text. See also Syntax.

  • Local group (server mode only): Select the name of a protected domain in the second dropdown list, then select the name of a user group in the first dropdown list.
  • LDAP group: Select an LDAP profile in which you have enabled and configured a group query, then enter either the group’s full or partial membership attribute value as it appears in the LDAP directory.
    Depending on your LDAP directory’s schema, and whether or not you have enabled Use group name with base DN as group DN, this may be a value such as 1001, admins, or cn=admins,ou=Groups,dc=example,dc=com.
  • Email address group: Select an email group from the dropdown list. For details about creating an email group, see Configuring email groups.

Configuring the recipient exclusion list

If you want to exclude any recipients from the policy, add them to the exclusion list under the Recipient Exclusion section.

GUI item

Description

Status

Enable/disable the exclusion list.

Type

Select one of the following ways to define recipient email addresses to be excluded from this policy:

  • User (wildcard): Enter the recipient email address.Wild card characters allow you to enter patterns that can match multiple email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.
  • User (regex): Enter a recipient as a regular expression pattern, such as *@example.com.
  • Optionally, before entering a regular expression, click Validate to test regular expressions and string text. See also Syntax.

  • Email address group: Select an email group from the dropdown list. For details about creating an email group, see Configuring email groups.

Configuring the profiles section of a recipient policy

Select the profiles that you want to apply to the policy. If you have created a system profile and a domain profile with the same profile name, the profile that appears in the profile dropdown lists is the domain profile, not the system profile. Thus, only the domain profile will be selected.

GUI item

Description

AntiSpam

Select which antispam profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring antispam profiles.

Tip: You can use an LDAP query to enable or disable antispam scanning on a per-user basis.

AntiVirus

Select which antivirus profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring antivirus profiles, file signatures, and actions.

Content

Select which content profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring content profiles.

DLP

(if enabled)

Select which DLP profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring DLP profiles.

Resource

(server mode and gateway mode)

Select which resource profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring resource profiles.

Configuring authentication for inbound email

The Authentication and Access section appears only for inbound policies.

Note

When FortiMail authenticates a user, it checks the authentication profile in the matching recipient policy.

Note that for outbound email, when FortiMail requires authentication with the sender, FortiMail will lookup authentication profiles for the defined recipient patterns within inbound policies.

For more information on configuring an authentication profile, see Workflow to enable and configure authentication of email users.

GUI item

Description

Authentication type

If you want the email user to authenticate using an external authentication server, select the type of the authentication profile (SMTP, POP3, IMAP, RADIUS, LDAP, or LOCAL for server mode).

Note: In addition to specifying an authentication server for SMTP email messages that this policy governs, configuring Authentication profile also allows email users to authenticate when accessing their per-recipient quarantine using HTTP or HTTPS. For more information, see How to enable, configure, and use personal quarantines.

Authentication profile

Select an existing authentication profile to use with this policy.

Allow SMTP authentication (gateway and transparent mode only)

Enable to allow the SMTP client to use the SMTP AUTH command, and to use the server defined in Authentication profile to authenticate the connection.

Disable to make SMTP authentication unavailable.

This option is available only if you have selected an Authentication profile.

Note: Enabling this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication. For details, see Configuring access control receiving policies.

Configuring the advanced settings of inbound policies

The Advanced Setting section appears for both inbound and outbound policies.

GUI item

Description

Reject different SMTP sender identity for authenticated user

Enable to require that the sender uses the same identity for: authentication name, SMTP envelope MAIL FROM:, and header FROM:.

Disable to remove such requirements on sender identities. By default, this feature is disabled.

Sender identity verification with LDAP server for authenticated user

In some cases, while you do not want to allow different SMTP sender identities for an authenticated user, you still want to:

  • allow users to authenticate with their identities (for example, user1@example.com) and send email from their proxy email addresses (for example, user1.name@example.com and user1name@example.com)
  • or to allow users in an alias group to authenticate with their own identities (for example, salesperson1@example.com) and send email from their alias group address (for example, sales@example.com)

Then you can choose to verify the sender identity with the LDAP server. If the verification is successful, the sender will be allowed to send email with different identities.

Note: When the above rejection option is enabled, even though the authentication identity can be different from the sender identity upon successful LDAP verification. the envelope (MAIL FROM:)address is never allowed to be different from the header FROM:)address. And the two addresses cannot be empty either.

Enable PKI authentication for web mail access

(Inbound policy only)

Enable if you want to allow web mail users to log in by presenting a certificate rather than a user name and password. Also configure Certificate validation is mandatory.

For more information on configuring PKI users and what defines a valid certificate, see Configuring PKI authentication.

Certificate validation is mandatory

(Inbound policy only)

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enable this option.

Controlling email based on sender and recipient addresses

Controlling email based on sender and recipient addresses

Go to Policy > Recipient Policy to create recipient-based policies based on the incoming or outgoing directionality of an email message with respect to the protected domain.

Recipient-based policies have precedence if an IP-based policy is also applicable but conflicts. Exceptions include IP-based policies where you have enabled Take precedence over recipient based policy match. For information about how recipient-based and IP-based policies are executed and how the order of polices affects the execution, see How to use policies.

Note

If the FortiMail unit protects many domains, and therefore creating recipient-based policies would be very time-consuming, such as it might be for an Internet service provider (ISP), consider configuring only IP-based policies. For details, see Controlling email based on IP addresses.
Alternatively, consider configuring recipient-based policies only for exceptions that must be treated differently than indicated by the IP-based policy.

Profiles used by the policy, if any, are listed in the policy table, and appear as linked text. To modify profile settings, click the name of the profile.

Before you can configure a recipient policy, you first must have configured:

About the default system policy

Starting from FortiMail 5.4.0, an inbound and outbound default system-level recipient policy has been added. If enabled, the default system policy will be checked before any other policies. If the email matches the default system policy, no other policies will be checked.

The default system policy provides the following conveniences:

  • If many domains will be using identical policies, you can just modify the default system policy for the domains to use.
  • When troubleshooting profiles and policies, you can temporarily use the system policy for all domains while disabling other policies, so that you can examine the profiles and policies.

If the system policies are not visible, turn on the Show system policy switch.

To view recipient-based policies

Go to Policy > Recipient Policy > Inbound or Policy > Recipient Policy > Outbound to view a list of applicable policies.

GUI item

Description

Move

(button)

FortiMail units match the policies for each domain in sequence, from the top of the list downwards. Therefore, you must put the more specific policies on top of the more generic ones.

To move a policy in the policy list:

  1. Select a domain.
  2. Note: If Domain is set to All, the Move button is disabled. When Domain is set to a particular domain, Show system policy must be disabled in order to move domain policies.

  3. Click a policy to select it.
  4. Click Move, then select either:
  • the direction in which to move the selected policy (Up or Down), or
  • After or Before, then in Move right after or Move right before indicate the policy’s new location by entering the ID of another policy.

Domain

(dropdown list)

  • All: Select to display both system-level and domain-level policies.
  • System: Select to display system-level policies.
  • <domain>: Select one domain to display this domain’s policies.

Use the Show system policy switch to display or hide the system-level policies when you view all policies or domain-level policies.

If you are a domain administrator, you can only see the domains that are permitted by your administrator profile.

Enabled

Select whether or not the policy is currently in effect.

ID

Displays the number identifying the policy.

If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column.

Note: This may be different from the order in which they appear on the page, which indicates order of evaluation.

FortiMail units evaluate policies in sequence. More than one policy may be applied. For details, see Order of execution of policies and Which policy/profile is applied when an email has multiple recipients?

Domain Name

(column)

Indicates which part the policy is used for: either system wide or a specific protected domain.

Sender Pattern

A sender email address (MAIL FROM:) as it appears in the envelope or a regular expression pattern to match sender email addresses. See also Syntax.

Recipient Pattern

A recipient email address (RCPT TO:) as it appears in the envelope or a regular expression pattern to match recipient email addresses. See also Syntax.

AntiSpam

Displays the antispam profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring antispam profiles.

AntiVirus

Displays the antivirus profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring antivirus profiles, file signatures, and actions.

Content

Displays the content profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring content profiles.

DLP

(if DLP is enable on GUI)

Displays the DLP profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring data loss prevention.

Resource

(server mode and gateway mode)

Displays the resource profile selected for the matching recipients.

To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring resource profiles.

Authentication

(not in server mode; inbound only)

Displays the authentication profile selected for the matching recipients.

To modify or view a profile, click its name.The profile appears in a pop-up window. For details, see Configuring authentication profiles or Configuring LDAP profiles.

To configure recipient-based policies
  1. Go to Policy > Recipient Policy > Inbound or Policy > Recipient Policy > Outbound, either click New to add a policy or double-click a policy to modify it.
  2. Select Enable to determine whether or not the policy is in effect.
  3. For Domain, select either System or the domain name that this profile will be used for.
  4. Enter a comment if necessary. The comment will appears as a mouse-over tooltip in the ID column of the rule list.
  5. Configure the following:

Configuring the sender and recipient patterns

Configure the Sender and Recipient sections.

GUI item

Description

Type

Select one of the following ways to define sender or recipient email addresses that match this policy:

  • User (wildcard): Enter a sender/recipient email address. Wild card characters allow you to enter patterns that can match multiple email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.
  • User (regex): Enter a sender/recipient as a regular expression pattern, such as *@example.com.
  • Optionally, before entering a regular expression, click Validate to test regular expressions and string text. See also Syntax.

  • Local group (server mode only): Select the name of a protected domain in the second dropdown list, then select the name of a user group in the first dropdown list.
  • LDAP group: Select an LDAP profile in which you have enabled and configured a group query, then enter either the group’s full or partial membership attribute value as it appears in the LDAP directory.
    Depending on your LDAP directory’s schema, and whether or not you have enabled Use group name with base DN as group DN, this may be a value such as 1001, admins, or cn=admins,ou=Groups,dc=example,dc=com.
  • Email address group: Select an email group from the dropdown list. For details about creating an email group, see Configuring email groups.

Configuring the recipient exclusion list

If you want to exclude any recipients from the policy, add them to the exclusion list under the Recipient Exclusion section.

GUI item

Description

Status

Enable/disable the exclusion list.

Type

Select one of the following ways to define recipient email addresses to be excluded from this policy:

  • User (wildcard): Enter the recipient email address.Wild card characters allow you to enter patterns that can match multiple email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.
  • User (regex): Enter a recipient as a regular expression pattern, such as *@example.com.
  • Optionally, before entering a regular expression, click Validate to test regular expressions and string text. See also Syntax.

  • Email address group: Select an email group from the dropdown list. For details about creating an email group, see Configuring email groups.

Configuring the profiles section of a recipient policy

Select the profiles that you want to apply to the policy. If you have created a system profile and a domain profile with the same profile name, the profile that appears in the profile dropdown lists is the domain profile, not the system profile. Thus, only the domain profile will be selected.

GUI item

Description

AntiSpam

Select which antispam profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring antispam profiles.

Tip: You can use an LDAP query to enable or disable antispam scanning on a per-user basis.

AntiVirus

Select which antivirus profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring antivirus profiles, file signatures, and actions.

Content

Select which content profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring content profiles.

DLP

(if enabled)

Select which DLP profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring DLP profiles.

Resource

(server mode and gateway mode)

Select which resource profile, if any, to apply to email matching the policy.

If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring resource profiles.

Configuring authentication for inbound email

The Authentication and Access section appears only for inbound policies.

Note

When FortiMail authenticates a user, it checks the authentication profile in the matching recipient policy.

Note that for outbound email, when FortiMail requires authentication with the sender, FortiMail will lookup authentication profiles for the defined recipient patterns within inbound policies.

For more information on configuring an authentication profile, see Workflow to enable and configure authentication of email users.

GUI item

Description

Authentication type

If you want the email user to authenticate using an external authentication server, select the type of the authentication profile (SMTP, POP3, IMAP, RADIUS, LDAP, or LOCAL for server mode).

Note: In addition to specifying an authentication server for SMTP email messages that this policy governs, configuring Authentication profile also allows email users to authenticate when accessing their per-recipient quarantine using HTTP or HTTPS. For more information, see How to enable, configure, and use personal quarantines.

Authentication profile

Select an existing authentication profile to use with this policy.

Allow SMTP authentication (gateway and transparent mode only)

Enable to allow the SMTP client to use the SMTP AUTH command, and to use the server defined in Authentication profile to authenticate the connection.

Disable to make SMTP authentication unavailable.

This option is available only if you have selected an Authentication profile.

Note: Enabling this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication. For details, see Configuring access control receiving policies.

Configuring the advanced settings of inbound policies

The Advanced Setting section appears for both inbound and outbound policies.

GUI item

Description

Reject different SMTP sender identity for authenticated user

Enable to require that the sender uses the same identity for: authentication name, SMTP envelope MAIL FROM:, and header FROM:.

Disable to remove such requirements on sender identities. By default, this feature is disabled.

Sender identity verification with LDAP server for authenticated user

In some cases, while you do not want to allow different SMTP sender identities for an authenticated user, you still want to:

  • allow users to authenticate with their identities (for example, user1@example.com) and send email from their proxy email addresses (for example, user1.name@example.com and user1name@example.com)
  • or to allow users in an alias group to authenticate with their own identities (for example, salesperson1@example.com) and send email from their alias group address (for example, sales@example.com)

Then you can choose to verify the sender identity with the LDAP server. If the verification is successful, the sender will be allowed to send email with different identities.

Note: When the above rejection option is enabled, even though the authentication identity can be different from the sender identity upon successful LDAP verification. the envelope (MAIL FROM:)address is never allowed to be different from the header FROM:)address. And the two addresses cannot be empty either.

Enable PKI authentication for web mail access

(Inbound policy only)

Enable if you want to allow web mail users to log in by presenting a certificate rather than a user name and password. Also configure Certificate validation is mandatory.

For more information on configuring PKI users and what defines a valid certificate, see Configuring PKI authentication.

Certificate validation is mandatory

(Inbound policy only)

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enable this option.