policy access-control delivery
Use this command to configure delivery policies that apply to SMTP sessions the FortiMail unit initiates in order to deliver email.
Delivery policies can be used to encrypt each connection with TLS, and/or to encrypt each email with secure MIME (S/MIME) or identity-based encryption (IBE).
When the FortiMail unit initiates an SMTP session, each delivery policy is compared to the domain name in the recipient email address (RCPT TO:) and the sender email address (MAIL FROM:) in the SMTP envelope. Policies are evaluated for a match in order, from the top to the bottom of the list. If no policy matches, the email is delivered. If a policy matches, the connection attributes are compared to its TLS profile; depending on the result, either the email is delivered (with the encryption profile settings, if selected, and to the specified destination IP address) or the connection is not allowed. No subsequent delivery policies are applied: only one delivery policy is ever applied to each SMTP session.
If you apply S/MIME encryption, the destination can be any email gateway or server, if either the:
- destination’s MTA or mail server
- recipient’s MUA
supports S/MIME and has the sender’s certificate and public key, which is necessary to decrypt the email. Otherwise, the recipient cannot read the email.
Syntax
config policy access-control delivery
    edit <policy_name>
        [set comment "<comment_str>"]
        set destination-ip-type {ip-group | ip-mask}
        set destination <destination_ipv4/mask>
        set destination-ip-group <group_name>
        set encryption-profile <profile_name>
        set ip-pool-profile <profile_name>
        set recipient-pattern-type {default | group | ldap | regexp}
        set recipient-pattern-group <group_name>
        set recipient-pattern-ldap-groupname <group_str>
        set recipient-pattern-ldap-profile <profile_name>
        set recipient-pattern <recipient_pattern>
        set sender-pattern-type {default | group | ldap | regexp}
        set sender-pattern-group <group_name>
        set sender-pattern-ldap-groupname <group_str>
        set sender-pattern-ldap-profile <profile_name>
        set sender-pattern <sender_pattern>
        set status {enable | disable}
        set tls-profile <profile_name>
end
| Variable | Description | Default |
|---|---|---|
| <policy_name> | Enter the number that identifies the policy. Note: The policy identifier number may be different from the order of evaluation. FortiMail units evaluate these policies in sequential order, starting at the top of the list. Only the first matching policy is applied. For example, if you enter "move 15 before 1", then policy 15 is evaluated for a match before policy 1. To show the order of evaluation for the list of policies, enter "config policy access-control delivery" and then "get". | |
| comment "<comment_str>" | Enter a description or comment. If a comment exists, it is displayed as a tooltip when you mouse over the ID column in the list of policies in the GUI. | |
| destination <destination_ipv4/mask> | Enter an IP address and netmask. For example, enter Similarly, To match any address, enter 0.0.0.0/0. This setting is available only if destination-ip-type is ip-mask. | 0.0.0.0/0 |
| destination-ip-group <group_name> | Enter an IP address group. This setting is available only if destination-ip-type is ip-group. | |
| destination-ip-type {ip-group \| ip-mask} | If you configured tls-profile <profile_name>, then select how you will define the destination IP addresses and netmasks that match the policy, either: ip-mask, to enter an address and netmask in destination <destination_ipv4/mask>; or ip-group, to select an IP address group in destination-ip-group <group_name>. | ip-mask |
| encryption-profile <profile_name> | If you want to apply S/MIME or IBE encryption to the email, select a profile. Note: If you select IBE in profile content-action but S/MIME in encryption-profile <profile_name>, then IBE is overridden and not used. destination <destination_ipv4/mask> does not affect whether the encryption profile is applied. | |
| ip-pool-profile <profile_name> | Enter an IP pool profile whose addresses FortiMail will use as its source IP address when it delivers email. | |
| recipient-pattern <recipient_pattern> | Enter an email address or pattern. Formatting is the same as sender-pattern <sender_pattern>. This setting is available only if recipient-pattern-type is default or regexp. | * |
| recipient-pattern-group <group_name> | Enter the group of recipient email addresses. This setting is available only if recipient-pattern-type is group. | |
| recipient-pattern-ldap-groupname <group_str> | Enter the group of recipient email addresses that is in the directory server. This setting is available only if recipient-pattern-type is ldap. Note: Use | |
| recipient-pattern-ldap-profile <profile_name> | Enter an LDAP profile. This setting is available only if recipient-pattern-type is ldap. | |
| recipient-pattern-type {default \| group \| ldap \| regexp} | Select how you will define the recipient email addresses that match the policy. Options are the same as sender-pattern-type. | default |
| sender-pattern <sender_pattern> | Depending on your selection in sender-pattern-type, enter an email address or pattern (default; the default value * matches any sender) or a regular expression (regexp). This setting is available only if sender-pattern-type is default or regexp. | * |
| sender-pattern-group <group_name> | Enter the group of sender email addresses. This setting is available only if sender-pattern-type is group. | |
| sender-pattern-ldap-groupname <group_str> | Enter the group of sender email addresses that is in the directory server. This setting is available only if sender-pattern-type is ldap. Note: Use | |
| sender-pattern-ldap-profile <profile_name> | Enter an LDAP profile. This setting is available only if sender-pattern-type is ldap. | |
| sender-pattern-type {default \| group \| ldap \| regexp} | Select how you will define the sender email addresses that match the policy, either: default (enter an address or pattern in sender-pattern <sender_pattern>); group (select sender-pattern-group <group_name>); ldap (select sender-pattern-ldap-profile <profile_name> and sender-pattern-ldap-groupname <group_str>); or regexp (enter a regular expression in sender-pattern <sender_pattern>). | default |
| status {enable \| disable} | Enable or disable this policy. | disable |
| tls-profile <profile_name> | If you want to allow or reject the connection based on whether the TLS profile matches the session, select a profile. | |
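The following CLI session is an added example, not part of the FortiMail reference above, showing how the evaluation order described at the top of the page interacts with the settings in the table. It creates one policy that applies an encryption profile to mail from an internal sender group and a second policy that requires a TLS-matched connection for mail to a partner domain, then uses move and get to put the TLS policy first and print the resulting order. The profile names partner-tls and smime-default, the group name finance-senders, and the domain partner.example.com are placeholder assumptions; the wildcard form *@partner.example.com for the default pattern type is also assumed.

```text
config policy access-control delivery
    edit 1
        set comment "S/MIME for finance senders (assumed names)"
        set status enable
        set sender-pattern-type group
        set sender-pattern-group finance-senders
        set recipient-pattern-type default
        set recipient-pattern *
        set encryption-profile smime-default
    next
    edit 2
        set comment "Require TLS profile match for partner domain (assumed names)"
        set status enable
        set sender-pattern-type default
        set sender-pattern *
        set recipient-pattern-type default
        set recipient-pattern *@partner.example.com
        set tls-profile partner-tls
        set destination-ip-type ip-mask
        set destination 0.0.0.0/0
    next
    move 2 before 1
    get
end
```

After the move, a session delivering mail from a finance sender to the partner domain matches policy 2 first, so the connection is checked against partner-tls and the encryption profile of policy 1 is never consulted, because only one delivery policy is applied per session. If both transport and message encryption are required for that sender/recipient pair, configure a single policy that sets both tls-profile and encryption-profile and place it at the top of the list; use get after every move to confirm the order you expect.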