Configuring address mappings
Address mappings are bidirectional, one-to-one or many-to-many mappings. They can be useful when:
- you want to hide a protected domain’s true email addresses from recipients
- a mail domain’s domain name is not globally DNS-resolvable, and you want to replace the domain name with one that is
- you want to rewrite email addresses
Like aliases, address mappings translate email addresses.
Unlike aliases:
- Mappings cannot translate one email address into many.
- Mappings cannot translate an email address into one that belongs to an unprotected domain (this restriction applies to locally defined address mappings only; it is not enforced for mappings defined on an LDAP server).
- Mappings are applied bidirectionally, when an email is outgoing as well as when it is incoming to the protected domain.
- Mappings may affect both sender and recipient email addresses, and may affect those email addresses in both the message envelope and the message header, depending on the match condition.
The following table illustrates the sequence in which parts of each email are compared with address mappings for a match, and which locations’ email addresses are translated if a match is found.
Match evaluation and rewrite behavior for email address mappings
Order of evaluation |
Match condition |
If yes... |
Rewrite to... |
---|---|---|---|
1 |
Does |
Replace |
Internal email address |
2 |
Does |
For each of the following, if it matches an internal email address, replace it:
|
External email address |
For example, you could create an address mapping between the internal email address user1@marketing.example.net
and the external email address sales@example.com
. The following effects would be observable on the simplest case of an outgoing email and an incoming reply:
- For email from
user1@marketing.example.net
to other users,user1@marketing.example.net
in both the message envelope (MAIL FROM:
) and many message headers (From:
,Cc:
, etc.) would then be replaced bysales@example.com
. Recipients would only be aware of the email addresssales@example.com
. - For email to
sales@example.com
from others, the recipient address in the message envelope (RCPT TO:
), but not the message header (To:
), would be replaced withuser1@marketing.example.net
. The recipientuser1@marketing.example.net
would be aware that the sender had originally sent the email to the mapped address,sales@example.com
.
You can alternatively create address mappings by configuring the FortiMail unit to query an LDAP server that contains address mappings. For more information, see Configuring LDAP profiles.
To view and configure an address map list
- Go to Domain & User > Address Map > Address Map.
- Either click New to add an address mapping or double-click a mapping to modify it.
-
Configure the following:
GUI item
Description
Internal email address
Enter either an email address, such as
user1@example.com
, or an email address pattern, such as*@example.com
, that exists in a protected domain.This email address is hidden when passing to the external network by being rewritten into the external email address according to the match conditions and effects described in Match evaluation and rewrite behavior for email address mappings.
External email address
Enter either an email address, such as
sales@example.com
, or an email address pattern, such as*@example.net
, that exists in a protected domain.This email address is visible to the internal network, but will be rewritten into the internal email address according to the match conditions and effects described in Match evaluation and rewrite behavior for email address mappings.
The external email address must not be within the same protected domain as the internal address. Otherwise, it may cause situations where an email address is rewritten twice, by matching both the sender and recipient rewrite conditions, and the result is therefore the same as the original email address and possibly not deliverable.
Note: If you use wildcards (* or ?) in the name, you must enter a pattern using the same wild card in the external email address. The wild card indicates that the mapping could match many email addresses, but also indicates, during the rewrite, which substring of the original email address will be substituted into the position of the wild card in the external address. If there is no wild card in the other half of the mapping, or the wild card is not the same (that is,
*
mapped to?
or the opposite), then this substitution will fail.
GUI item |
Description |
Domain |
Select the name of a protected domain to view address maps whose internal email address belongs to that protected domain. You can see only the domains that are permitted by your administrator profile. |
Internal Email Address |
Displays either an email address, such as |
External Email Address |
Displays either an email address, such as |
A dialog appears.
See also