Administration Guide

Email concepts and process workflow
- Email protocols
- Client-server connections in SMTP
- DNS role in email delivery
- How FortiMail processes email
- FortiMail operation modes
- FortiMail high availability
- FortiMail management methods
Setting up the FortiMail system
- Connecting to the GUI or CLI
- Choosing the operation mode
- Running the Quick Start Wizard
- Connecting to FortiGuard services
- Gateway mode deployment
- Transparent mode deployment
- Server mode deployment
- Testing the installation
- Backing up the configuration
Using the dashboard
- Viewing the dashboard
- Using the CLI Console
Using FortiView
- Viewing mail statistics
- Viewing threat statistics
- Viewing outbreak statistics
- Viewing top user statistics
- Viewing current IP sessions
Monitoring the system
- Viewing log messages
- Managing the quarantines
- Managing the mail queues
- Viewing DMARC report statistics
  - Viewing the DMARC and SPF report summary
  - Viewing details about DMARC and SPF report statistics
- Viewing the greylist statuses
- Viewing sender, authentication and endpoint reputation
- Managing archived email
- Viewing reports
Centrally monitoring the HA cluster
- Viewing the cluster status
- Viewing HA cluster mail statistics
- Viewing HA cluster threat statistics
- Searching the HA cluster logs
Configuring system settings
- Configuring network settings
- Configuring administrator accounts and access profiles
- Configuring system time, options, and other system options
- Configuring mail settings
- Customizing custom messages, email templates, GUI and Security Fabric
- Configuring single sign-on (SSO)
- Configuring RAID
- Using high availability (HA)
- Managing certificates
- Using FortiNDR malware inspection
- Using FortiSandbox antivirus inspection
- Configuring FortiGuard services and licensed features
  - Configuring licensed features
- System maintenance
- System utility
Configuring domains and users
- Configuring protected domains
- Managing users
- Configuring user aliases
- Configuring address mappings
- Configuring IBE users
- Configuring the address book
- Sharing calendars and address books (server mode only)
- Migrating email from other mail servers (server mode only)
Configuring policies
- What is a policy?
- How to use policies
- Controlling SMTP access and delivery
- Controlling email based on IP addresses
- Controlling email based on sender and recipient addresses
Configuring profiles
- Configuring session profiles
- Configuring antispam profiles and actions
- Configuring antivirus profiles, file signatures, and actions
- Configuring content profiles and content action profiles
- Configuring replacement message profiles and variables
- Configuring resource profiles
- Workflow to enable and configure authentication of email users
- Configuring authentication profiles
- Configuring LDAP profiles
- Configuring dictionary profiles
- Configuring security profiles
- Configuring IP pools
- Configuring email, IP and GeoIP groups
- Configuring notification profiles
Configuring security settings
- Configuring URL filter profiles
- Configuring a threat feed
  - Types and file formats of threat feeds
- Configuring content disarming and reconstruction
- Configuring authentication reputation
- Configuring email quarantines and quarantine reports
- Configuring the block lists and safe lists
- Configuring greylisting
- Configuring bounce verification and tagging
- Configuring sender rewriting scheme
- Configuring endpoint reputation
- Configuring preferences
- Training and maintaining the Bayesian databases
Configuring encryption settings
- Configuring IBE encryption
- Configuring certificate bindings
Configuring data loss prevention
- DLP configuration workflow
- Defining the sensitive data
- Configuring DLP rules
- Configuring DLP profiles
Archiving email
- Email archiving workflow
- Configuring email archiving accounts
- Configuring email archiving policies
- Configuring email archiving exemptions
Logs, reports, and alerts
- About FortiMail logging
- Configuring logging
- Configuring report profiles and generating reports
- Configuring alert email
Microsoft 365, Exchange and Google Workspace threat remediation
- Microsoft 365, Exchange, and Google Workspace protection workflow
- Configuring accounts
- Configuring scanning policies
- Configuring profiles
- Monitoring log messages
Managing firmware and configuration
- Testing firmware before installing it
- Installing firmware
- Clean installing firmware
- Upgrading firmware on HA units
Best practices and fine tuning
- General security tuning
- System security tuning
- Network topology tuning
- SMTP connectivity tuning
- Antispam tuning
- Policy tuning
- System maintenance tips
- Performance tuning
Troubleshooting
- Establish a system baseline
- Define the problem
- Search for a known solution
- Create a troubleshooting plan
- Gather system information
- Troubleshoot hardware issues
- Troubleshoot GUI and CLI connection issues
- Troubleshoot FortiGuard connection issues
- Troubleshoot MTA issues
- Troubleshoot antispam issues
- Troubleshoot HA issues
- Troubleshoot resource issues
- Troubleshoot bootup issues
- Troubleshoot installation issues
- Contact Fortinet customer support for assistance
Setup for email users
- Training Bayesian databases
- Managing tagged spam
- Accessing the personal quarantine and webmail
- Sending email from an email client (gateway and transparent mode)
Appendix A: Supported RFCs
Appendix B: Maximum Values
Appendix C: Port Numbers
Appendix D: Wildcards and regular expressions
- Special characters with regular expressions and wildcards
- Case sensitivity
- Modifiers
- Word boundary
- Syntax
- Example regular expressions
Appendix E: Working with TLS/SSL
- About TLS/SSL
- How TLS/SSL works
- FortiMail support of TLS/SSL
- Troubleshooting FortiMail TLS issues
Appendix F: PKI Authentication
- Introduction to PKI authentication
- FortiMail PKI architecture
- Configuring PKI authentication on FortiMail
Change log

Home FortiMail Appliances and Virtual Machines 7.6.3 Administration Guide

7.6.3

How to use policies

FortiMail has multiple types of policies:

Access control receiving rules and delivery rules control which SMTP clients can send email through FortiMail, and how to deliver email that it proxies or relays.
IP-based policies control SMTP sessions based on the IP address of the SMTP client and, if the FortiMail unit is operating in transparent mode, the SMTP server. They may apply various features such as antispam.
Recipient-based policies control individual email messages based on the recipient’s email address and, for outbound email, the sender's email address. They may apply various features such as antispam.

Depending on each email and your configuration, multiple policies may apply. Effects vary by the order of execution for policies, and which policies matched.

See also

What is a policy?

Whether to use IP-based or recipient-based policies

Order of execution of policies

Which policy/profile is applied when an email has multiple recipients?

Whether to use IP-based or recipient-based policies

Many of the same features can be applied in IP-based and recipient-based policies. Which type of policy should you use?

You can use either or both.

Exceptions include the following scenarios, which require IP-based policies:

mail hosting service providers

There is a great number of domains, and it is not feasible to configure them all as protected domains on the FortiMail unit.

Internet service providers (ISPs)

Mail domains of customers are not known.

session control

Even if protected domains are known and configured on the FortiMail unit, an IP-based policy must be created in order to apply a session profile. Session profiles are only available in IP-based policies.

differentiated services based on the network of origin

To apply antispam and antivirus protection based on the IP address of the SMTP client or based on a notion of the internal or external network, rather than the domain in a recipient’s email address, you must use an IP-based policy.

As a general rule, it is simpler to use IP-based policies. Use recipient-based policies only where they are required, such as when the policy must be tailored for a specific email address.

For webmail login, select an Authentication type and Authentication profile when configuring an inbound recipient-based policy. This option is only available when the FortiMail unit is operating in either gateway or transparent mode.

IP-based policy authentication does not support webmail login.

For example, if your company is an ISP, you can use recipient-based policies to apply antispam and antivirus profiles for only the customers who have paid for those services.

If both a recipient-based policy and an IP-based policy match the email, unless you have enabled Take precedence over recipient based policy match in the IP-based policy, the settings in the recipient-based policy will have precedence.

Controlling email based on IP addresses

Order of execution of policies

Use Policy Lookup to test which policies will match, and which profile settings will apply. This can save time if you have many policies and domains.

During each SMTP session that FortiMail receives, it looks for matching policies and applies their profile settings in a specific order:

Find a matching access control receiving rule.
Find a matching IP-based policy.
Find a matching recipient-based policy.

Multiple policy IDs may apply if:
- The email has multiple recipients. See also Which policy/profile is applied when an email has multiple recipients?.
- The SMTP client requests authentication. This requires an authentication profile, so FortiMail searches the IP-based or recipient-based policy lists again to find a matching policy ID with an authentication profile, if any.

If either:

No matching recipient-based policy exists.
A matching recipient-based policy exists, but no protection profiles are selected there. Instead, they are in the IP-based policy.
Take precedence over recipient based policy match is enabled in the IP-based policy.

then apply the protection profiles which are in the matching IP-based policy.

Otherwise apply the protection profiles in the matching recipient-based policy.

If SMTP traffic is allowed by access control receiving rules, but does not match any IP-based or recipient-based policy, it is allowed. However, no antivirus, antispam, or other protection profile is applied.
If you configured policies to match and allow all required traffic, then you can tighten security by adding an IP-based policy at the bottom of the list to reject all other, unwanted connections.

For each policy type, FortiMail looks for a match in order, from the top to the bottom of the list — not by ID number. Disabled policies are skipped. Once a match is found, match evaluation stops. Therefore you should put more specific policies before more generic policies. Otherwise evaluation does not reach more specific policies, and they are not used.

For example, an inbound recipient-based policy that matches all recipients (*@*) is the most general policy possible because it matches all email. If you create more specific policies (for example, user1@example.com), then you must move them above. Otherwise, the general policy always matches, and so the other policies would never be applied.

Controlling email based on IP addresses

Order of execution for antispam scans

Which policy/profile is applied when an email has multiple recipients?

When applying recipient-based policies, an email with multiple recipients is treated as if it were multiple email messages, each with one recipient. This allows a fine degree of control for each recipient, but also means that separate recipient-based policies may block the email for some recipients but allow it for others.

Exceptions include use of an antivirus profile. In this case, the FortiMail unit will treat an email with multiple recipients as a single email. Starting with the first recipient email address, the FortiMail unit looks for a matching recipient-based policy. If none is found, FortiMail continues by looking for a matching IP-based policy.