Controlling SMTP access and delivery
The Policy > Access Control submenu lets you configure access control rules for SMTP sessions.
Unlike proxy/implicit relay pickup, which you may have configured under “Configuring proxies (transparent mode only)” on page 414 (if the FortiMail unit is operating in transparent mode), access control rules take effect only after the FortiMail unit has initiated or received an IP/TCP-level connection; that is, they operate at the application layer.
Access control rules are categorized by whether they affect the receipt or the delivery of email messages by the FortiMail unit; that is, by whether the FortiMail unit was the destination of the SMTP session or initiated it.
- Configuring access control rules
- Configuring delivery rules
- Troubleshoot MTA issues
Configuring access control rules
The Receiving tab displays a list of access control rules that apply to SMTP sessions being received by the FortiMail unit.
Access control rules, sometimes also called the access control list or ACL, specify whether the FortiMail unit will process and relay/proxy, reject, or discard email messages for SMTP sessions that are initiated by SMTP clients.
When an SMTP client attempts to deliver email through the FortiMail unit, the FortiMail unit compares each access control rule to the commands used by the SMTP client during the SMTP session, such as the envelope’s sender email address (MAIL FROM:), recipient email address (RCPT TO:), authentication (AUTH), and TLS (STARTTLS). Rules are evaluated for a match in the order of their list sequence, from top to bottom. If all attributes of a rule match, the FortiMail unit applies the action selected in the matching rule to the SMTP session, and no subsequent access control rules are applied.
Only one access control rule is ever applied to any given SMTP session.
If no access control rules are configured, or no matching access control rules exist, and if the SMTP client is not configured to authenticate, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain.
For protected domains, the default action is RELAY.
For unprotected domains, the default action is REJECT.
For information on protected domains, see “Configuring protected domains” on page 380.
In the absence of access control rules, the FortiMail unit prevents SMTP clients from using your protected server or FortiMail unit as an open relay: senders can deliver email incoming to protected domains, but cannot deliver email outgoing to unprotected domains.
For information on the sequence in which access control rules are used relative to other antispam methods, see “Order of execution” on page 16.
If you want to allow SMTP clients, such as your email users or email servers, to send email to unprotected domains, you must configure at least one access control rule. You may need to configure additional access control rules if, for example, you want to:
- discard or reject email from or to some email addresses, such as email addresses that no longer exist in your protected domain
- discard or reject email from some SMTP clients, such as a spammer that is not yet known to blacklists
Like IP-based policies, access control rules can reject connections based on IP address. Unlike IP-based policies, access control rules cannot affect email in ways that occur after the session’s DATA command, such as by applying antispam profiles.
Access control rules cannot be overruled by recipient-based policies, and cannot match connections based on the SMTP server’s IP address. (By the nature of how ACL controls access to or through the FortiMail unit, the SMTP server is always the FortiMail unit itself, unless the FortiMail unit is operating in transparent mode.) For more information on IP-based policies, see “Controlling email based on IP addresses” on page 475.
If possible, verify the configuration of access control rules in a test environment before applying them to a FortiMail unit in active use. If reject, discard, and accept actions are not verified to be configured correctly, the FortiMail unit may be unable to handle SMTP sessions as intended.
Do not create an access control rule whose Sender pattern is *, Recipient pattern is *, Authentication status is Any, TLS profile is None, and Action is RELAY. This access control rule matches and relays all connections, allowing open relay, which could result in other MTAs and DNSBL servers blacklisting your protected domain.
To access this part of the web UI, your administrator account’s:
- Domain must be System
- access profile must have Read or Read-Write permission to the Policy category
For details, see “About administrator account permissions and domains” on page 290.
To view and configure access control rules
- Go to Policy > Access Control > Receiving.
Figure 188: Receiving tab
GUI item | Description
Move (button) | Select a policy, click Move, then select either Up or Down, or After or Before. After and Before open a dialog; in Move right after or Move right before, indicate the policy’s new location by entering the ID of another policy. FortiMail units match the policies in sequence, from the top of the list downwards.
Enabled | Select to enable or disable an existing rule.
ID | Displays the number identifying the rule. If a comment is added to this rule when the rule is created, the comment appears as a mouse-over tool-tip in this column. Note: The ID may differ from the order in which rules appear on the page, which indicates the order of evaluation.
Sender Pattern | Displays the pattern that defines email senders for the rule.
Recipient Pattern | Displays the pattern that defines email recipients for the rule.
Sender IP/Netmask | Displays the IP address and netmask of the SMTP client attempting to deliver the email message.
Reverse DNS Pattern | Displays the pattern used in a reverse DNS look-up.
Authentication Status | Displays which authentication status is used with the rule.
TLS Profile | Displays the TLS profile, if any, used to allow or reject a connection.
Actions | Displays the action to take when SMTP sessions match the rule.
- Either click New to add an access control rule or double-click an access control rule to modify it.
A dialog appears.
- Configure the following:
GUI item | Description
Enabled | Select whether or not the access control rule is currently in effect.
Sender pattern | Select User Defined and enter a complete or partial sender (MAIL FROM:) email address to match, or select: • Internal: Match any email address from a protected domain. • External: Match any email address from an unprotected domain. • Email Group: Match any email address in the group. If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one. For more information, see “Configuring email groups” on page 599. The pattern can use wildcards or regular expressions. See “Using wildcards and regular expressions” on page 461. For example, the sender pattern ??@*.com matches messages sent by anyone with a two-letter user name from any “.com” domain name.
Regular expression | Mark this check box next to any of the pattern options to use regular expression syntax instead of wildcards to specify the pattern. See “Using wildcards and regular expressions” on page 461.
Recipient pattern | Select User Defined and enter a complete or partial recipient (RCPT TO:) email address to match, or select: • Internal: Match any email address from a protected domain. • External: Match any email address from an unprotected domain. • Email Group: Match any email address in the group. If you select this option, select an email group from the Email Group Selection field. Click New to add a new email group or Edit to modify an existing one. For more information, see “Configuring email groups” on page 599. The pattern can use wildcards or regular expressions. See “Using wildcards and regular expressions” on page 461. For example, the recipient pattern *@example.??? matches messages sent to any email user at example.com, example.net, or any “example” domain ending with a three-letter top-level domain name.
Sender IP/netmask | Select User Defined and enter the IP address and netmask of the SMTP client attempting to deliver the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet. For example, enter 10.10.10.10/24 to match a 24-bit subnet, that is, all addresses starting with 10.10.10. This appears as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address. Similarly, 10.10.10.10/32 appears as 10.10.10.10/32 and matches only the 10.10.10.10 address. To match any address, enter 0.0.0.0/0. Select IP Group to choose an IP group. Click New to add a new IP group or Edit to modify an existing one. For more information, see “Configuring IP groups” on page 599.
Reverse DNS pattern | Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message. Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail unit does a reverse DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match also fails. If no other access control rule matches, the connection is rejected with SMTP reply code 550 (Relaying denied). The pattern can use wildcards or regular expressions. See “Using wildcards and regular expressions” on page 461. For example, the pattern mail*.com matches messages delivered by an SMTP server whose domain name starts with “mail” and ends with “.com”. Note: Reverse DNS queries for access control rules require that the domain name have a valid top level domain (TLD). For example, “.lab” is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.
Authentication status | Select whether or not to match this access control rule based on client authentication. • Any: Match this access control rule regardless of whether the client has authenticated with the FortiMail unit. • Authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit. • Not Authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.
TLS profile | Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile. • If the attributes match, the access control action is executed. • If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile. Click New to add a new TLS profile or Edit to modify an existing one. For more information on TLS profiles, see “Configuring TLS security profiles” on page 591.
Action | Select which action the FortiMail unit will perform for SMTP sessions matching this access control rule. • BYPASS: Relay or proxy and deliver the email, but, if the sender or recipient belongs to a protected domain, bypass all antispam profile processing. Antivirus, content, greylisting and other scans still occur. • DISCARD: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client. • RELAY: Relay or proxy, process, and deliver the email normally if it passes all configured scans. Do not apply greylisting. • REJECT: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
Comments | Enter a comment if necessary. The comment appears as a mouse-over tool-tip in the ID column of the rule list.
- Click Create or OK.
The access control rule appears at the bottom of the list of access control rules. As a result, the FortiMail unit will evaluate it as a match for the SMTP session only if no previous access control rule matches. If you want your new rule to be evaluated before another rule, move your new access control rule to its intended position in the list.
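The following Python model is an added illustration, not FortiMail code: it replays the matching behaviour described above (rules evaluated top to bottom, first full match wins, default RELAY for protected recipient domains and REJECT otherwise), the wildcard patterns such as ??@*.com and *@example.???, the 10.10.10.10/24 netmask normalisation, and a check that flags the open-relay rule the caution earlier warns against. The rule set, the session dictionary, the `re:` prefix for regular-expression patterns, and the auth values are constructed assumptions; TLS profiles and reverse DNS patterns are not modelled.

```python
import fnmatch
import ipaddress
import re

# Constructed sample rule set (an assumption, not a real FortiMail configuration).
# "re:" marks a pattern whose Regular expression box would be ticked (assumed marker).
PROTECTED_DOMAINS = {"example.com"}
RULES = [
    {"id": 1, "sender": "*", "recipient": "old.user@example.com",
     "sender_ip": "0.0.0.0/0", "auth": "any", "action": "REJECT"},
    {"id": 2, "sender": "*@example.com", "recipient": "*",
     "sender_ip": "10.10.10.10/24", "auth": "any", "action": "RELAY"},
    {"id": 3, "sender": "*", "recipient": "*",
     "sender_ip": "0.0.0.0/0", "auth": "authenticated", "action": "RELAY"},
]

def match_pattern(pattern, address):
    """Wildcard (* and ?) match, or a regular expression when prefixed with re:."""
    if pattern.startswith("re:"):
        return re.fullmatch(pattern[3:], address, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())

def match_ip(cidr, client_ip):
    """strict=False normalises 10.10.10.10/24 to 10.10.10.0/24, as the rule table does."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False)

def evaluate_acl(session, rules=RULES, protected=PROTECTED_DOMAINS):
    """Top-down evaluation: the first enabled rule whose attributes all match wins.
    With no match, RELAY when the recipient domain is protected, otherwise REJECT."""
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        if not match_pattern(rule["sender"], session["mail_from"]):
            continue
        if not match_pattern(rule["recipient"], session["rcpt_to"]):
            continue
        if not match_ip(rule["sender_ip"], session["client_ip"]):
            continue
        if rule["auth"] != "any" and rule["auth"] != session["auth"]:
            continue
        return rule["action"], rule["id"]          # later rules are never consulted
    rcpt_domain = session["rcpt_to"].rsplit("@", 1)[-1].lower()
    return ("RELAY", None) if rcpt_domain in protected else ("REJECT", None)

def is_open_relay_rule(rule):
    """Flag the rule the caution above warns against: match everything, then RELAY."""
    return (rule["sender"] == "*" and rule["recipient"] == "*"
            and rule["sender_ip"] == "0.0.0.0/0"
            and rule["auth"] == "any" and rule["action"] == "RELAY")
```

Because rule 1 precedes rule 2, a LAN sender addressing old.user@example.com is rejected even though rule 2 would have relayed it; moving rule 2 above rule 1 reverses that outcome, which is the ordering effect the last step describes.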