Configuring policies
The Policy menu lets you create policies that use profiles to filter email.
It also lets you control who can send email through the FortiMail unit, and stipulate rules for how it will deliver email that it proxies or relays.
• What is a policy?
- How to use policies
- Controlling SMTP access and delivery
- Controlling email based on recipient addresses
- Controlling email based on IP addresses
What is a policy?
A policy defines which way traffic will be filtered. It may also define user account settings, such as authentication type, disk quota, and access to webmail.
After creating the antispam, antivirus, content, authentication, TLS, or resource profiles (see “Configuring profiles” on page 482), you need to apply them to policies for them to take effect.
FortiMail units support three types of policies:
- Access control and delivery rules that are typical to SMTP relays and servers (see
“Controlling SMTP access and delivery” on page 456)
- Recipient-based policies (see “Controlling email based on recipient addresses” on page 468)
- IP-based policies (see “Controlling email based on IP addresses” on page 475)
Recipient-based policies versus IP-based policies
- Recipient-based policies
The FortiMail unit applies these based on the recipient’s email address or the recipient’s user group. May also define authenticated webmail or POP3 access by that email user to their per-recipient quarantine. Since version 4.0, the recipient-based policies also check sender patterns.
- IP-based policies
The FortiMail unit applies these based on the SMTP client’s IP address (server mode or gateway mode), or the IP addresses of both the SMTP client and SMTP server (transparent mode).
Page 453
Incoming versus outgoing email messages
There are two types of recipient-based policies: incoming and outgoing. The FortiMail unit applies incoming policies to the incoming mail messages and outgoing policies to the outgoing mail messages.
Whether the email is incoming or outgoing is decided by the domain name in the recipient’s email address. If the domain is a protected domain, the FortiMail unit considers the message to be incoming and applies the first matching incoming recipient-based policy. If the recipient domain is not a protected domain, the message is considered to be outgoing, and applies outgoing recipient-based policy.
To be more specific, the FortiMail unit actually matches the recipient domain’s IP address with the IP list of the protected SMTP servers where the protected domains reside. If there is an IP match, the domain is deemed protected and the email destined to this domain is considered to be incoming. If there is no IP match, the domain is deemed unprotected and the email destined to this domain is considered to be outgoing.
For more information on protected domains, see “Configuring protected domains” on page 380.