Controlling email based on sender and recipient addresses
Go to Policy > Recipient Policy to create recipient-based policies based on the incoming or outgoing directionality of an email message with respect to the protected domain.
Recipient-based policies have precedence if an IP-based policy is also applicable but conflicts. Exceptions include IP-based policies where you have enabled Take precedence over recipient based policy match. For information about how recipient-based and IP-based policies are executed and how the order of polices affects the execution, see How to use policies.
If the FortiMail unit protects many domains, and therefore creating recipient-based policies would be very time-consuming, such as it might be for an Internet service provider (ISP), consider configuring only IP-based policies. For details, see Controlling email based on IP addresses. |
Profiles used by the policy, if any, are listed in the policy table, and appear as linked text. To modify profile settings, click the name of the profile.
Before you can configure a recipient policy, you first must have configured:
- at least one protected domain (see Configuring protected domains)
- at least one user group or LDAP profile with a configured group query, if you will use either to define which recipient email addresses will match the policy (see Managing users or Configuring LDAP profiles)
- at least one PKI user, if you will allow or require email users to access their per-recipient quarantine using PKI authentication (see Configuring PKI authentication)
About the default system policy
Starting from FortiMail 5.4.0, an inbound and outbound default system-level recipient policy has been added. If enabled, the default system policy will be checked before any other policies. If the email matches the default system policy, no other policies will be checked.
The default system policy provides the following conveniences:
- If many domains will be using identical policies, you can just modify the default system policy for the domains to use.
- When troubleshooting profiles and policies, you can temporarily use the system policy for all domains while disabling other policies, so that you can examine the profiles and policies.
If the system policies are not visible, turn on the Show system policy switch.
To view recipient-based policies
Go to Policy > Recipient Policy > Inbound or Policy > Recipient Policy > Outbound to view a list of applicable policies.
GUI item |
Description |
Move (button) |
FortiMail units match the policies for each domain in sequence, from the top of the list downwards. Therefore, you must put the more specific policies on top of the more generic ones. To move a policy in the policy list:
Note: If Domain is set to All, the Move button is disabled. When Domain is set to a particular domain, Show system policy must be disabled in order to move domain policies.
|
Domain (dropdown list) |
Use the Show system policy switch to display or hide the system-level policies when you view all policies or domain-level policies. If you are a domain administrator, you can only see the domains that are permitted by your administrator profile. |
Enabled |
Select whether or not the policy is currently in effect. |
ID |
Displays the number identifying the policy. If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column. Note: This may be different from the order in which they appear on the page, which indicates order of evaluation. FortiMail units evaluate policies in sequence. More than one policy may be applied. For details, see Order of execution of policies and Which policy/profile is applied when an email has multiple recipients? |
Domain Name (column) |
Indicates which part the policy is used for: either system wide or a specific protected domain. |
Sender Pattern |
A sender email address ( |
Recipient Pattern |
A recipient email address ( |
AntiSpam |
Displays the antispam profile selected for the matching recipients. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring antispam profiles. |
AntiVirus |
Displays the antivirus profile selected for the matching recipients. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring antivirus profiles, file signatures, and actions. |
Content |
Displays the content profile selected for the matching recipients. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring content profiles. |
DLP (if DLP is enable on GUI) |
Displays the DLP profile selected for the matching recipients. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring data loss prevention. |
(server mode and gateway mode) |
Displays the resource profile selected for the matching recipients. To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see Configuring resource profiles. |
Authentication (not in server mode; inbound only) |
Displays the authentication profile selected for the matching recipients. To modify or view a profile, click its name.The profile appears in a pop-up window. For details, see Configuring authentication profiles or Configuring LDAP profiles. |
To configure recipient-based policies
- Go to Policy > Recipient Policy > Inbound or Policy > Recipient Policy > Outbound, either click New to add a policy or double-click a policy to modify it.
- Select Enable to determine whether or not the policy is in effect.
- For Domain, select either System or the domain name that this profile will be used for.
- Enter a comment if necessary. The comment will appears as a mouse-over tooltip in the ID column of the rule list.
-
Configure the following:
Configuring the sender and recipient patterns
Configure the Sender and Recipient sections.
GUI item |
Description |
Type |
Select one of the following ways to define sender or recipient email addresses that match this policy:
Optionally, before entering a regular expression, click Validate to test regular expressions and string text. See also Syntax. |
Configuring the recipient exclusion list
If you want to exclude any recipients from the policy, add them to the exclusion list under the Recipient Exclusion section.
GUI item |
Description |
Status |
Enable/disable the exclusion list. |
Type |
Select one of the following ways to define recipient email addresses to be excluded from this policy:
Optionally, before entering a regular expression, click Validate to test regular expressions and string text. See also Syntax. |
Configuring the profiles section of a recipient policy
Select the profiles that you want to apply to the policy. If you have created a system profile and a domain profile with the same profile name, the profile that appears in the profile dropdown lists is the domain profile, not the system profile. Thus, only the domain profile will be selected.
GUI item |
Description |
AntiSpam |
Select which antispam profile, if any, to apply to email matching the policy. If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring antispam profiles. Tip: You can use an LDAP query to enable or disable antispam scanning on a per-user basis. |
AntiVirus |
Select which antivirus profile, if any, to apply to email matching the policy. If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring antivirus profiles, file signatures, and actions. |
Content |
Select which content profile, if any, to apply to email matching the policy. If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring content profiles. |
DLP (if enabled) |
Select which DLP profile, if any, to apply to email matching the policy. If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring DLP profiles. |
Resource (server mode and gateway mode) |
Select which resource profile, if any, to apply to email matching the policy. If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see Configuring resource profiles. |
Configuring authentication for inbound email
The Authentication and Access section appears only for inbound policies.
When FortiMail authenticates a user, it checks the authentication profile in the matching recipient policy. Note that for outbound email, when FortiMail requires authentication with the sender, FortiMail will lookup authentication profiles for the defined recipient patterns within inbound policies. |
For more information on configuring an authentication profile, see Workflow to enable and configure authentication of email users.
GUI item |
Description |
Authentication type |
If you want the email user to authenticate using an external authentication server, select the type of the authentication profile (SMTP, POP3, IMAP, RADIUS, LDAP, or LOCAL for server mode). Note: In addition to specifying an authentication server for SMTP email messages that this policy governs, configuring Authentication profile also allows email users to authenticate when accessing their per-recipient quarantine using HTTP or HTTPS. For more information, see How to enable, configure, and use personal quarantines. |
Select an existing authentication profile to use with this policy. |
|
Allow SMTP authentication (gateway and transparent mode only) |
Enable to allow the SMTP client to use the SMTP Disable to make SMTP authentication unavailable. This option is available only if you have selected an Authentication profile. Note: Enabling this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication. For details, see Configuring access control receiving policies. |
Configuring the advanced settings of inbound policies
The Advanced Setting section appears for both inbound and outbound policies.
GUI item |
Description |
Reject different SMTP sender identity for authenticated user |
Enable to require that the sender uses the same identity for: authentication name, SMTP envelope Disable to remove such requirements on sender identities. By default, this feature is disabled. |
Sender identity verification with LDAP server for authenticated user |
In some cases, while you do not want to allow different SMTP sender identities for an authenticated user, you still want to:
Then you can choose to verify the sender identity with the LDAP server. If the verification is successful, the sender will be allowed to send email with different identities. Note: When the above rejection option is enabled, even though the authentication identity can be different from the sender identity upon successful LDAP verification. the envelope ( |
Enable PKI authentication for web mail access (Inbound policy only) |
Enable if you want to allow web mail users to log in by presenting a certificate rather than a user name and password. Also configure Certificate validation is mandatory. For more information on configuring PKI users and what defines a valid certificate, see Configuring PKI authentication. |
Certificate validation is mandatory (Inbound policy only) |
If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enable this option. |