Configuring the recipient incoming policies
If you are configuring a policy for incoming email, configure the Sender Pattern and Recipient Pattern sections.
GUI item Description
Recipient Pattern | Select one of the following ways to define recipient (RCPT TO:) email addresses that match this policy:
• Recipient: Enter a recipient email address or a pattern with wild cards, such as *@protected.example.com. • Local group: Click the option and select the name of a protected domain in the second drop-down list, then select the name of a user group in the first drop-down list. • LDAP group: Click the option and select an LDAP profile in which you have enabled and configured a group query, then enter either the group’s full or partial membership attribute value as it appears in the LDAP directory. Depending on your LDAP directory’s schema, and whether or not you have enabled Use group name with base DN as group DN, this may be a value such as 1001, admins, or cn=admins,ou=Groups,dc=example,dc=com. Wild card characters allow you to enter patterns that can match multiple email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character. |
Sender Pattern | See above descriptions. |
Configuring the recipient outgoing policies
If you are configuring a policy for outgoing email, configure the Sender Pattern and Recipient Pattern sections.
GUI item Description
Sender Pattern | Select one of the following ways to define sender (MAIL FROM:) email addresses that match this policy: |
- Sender: Enter a sender email address or a pattern with wild cards, such as *@
- .example.com.
- Local group: Click the option and select the name of a protected domain in the second drop-down list, then select the name of a user group in the first drop-down list.
- LDAP group: Click the option and select an LDAP profile in which you have enabled and configured a group query, then enter either the group’s full or partial membership attribute value as it appears in the LDAP directory.
Depending on your LDAP directory’s schema, and whether or not you have enabled Use group name with base DN as group DN, this may be a value such as 1001, admins, or cn=admins,ou=Groups,dc=example,dc=com.
Wild card characters allow you to enter patterns that can match multiple email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.
Recipient See above descriptions. Pattern
Configuring the profiles section of a recipient policy
Select the profiles that you want to apply to the policy. If you have created a system profile and a domain profile with the same profile name, the profile that appears in the profile drop-down lists is the domain profile, not the system profile. Thus, only the domain profile will be selected.
GUI item | Description |
AntiSpam | Select which antispam profile, if any, to apply to email matching the policy.
If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see “Managing antispam profiles” on page 503. Tip: You can use an LDAP query to enable or disable antispam scanning on a per-user basis. For details, see and “Check AS/AV configuration” on page 400. |
AntiVirus | Select which antivirus profile, if any, to apply to email matching the policy.
If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see “Configuring antivirus profiles and antivirus action profiles” on page 521. |
Content | Select which content profile, if any, to apply to email matching the policy.
If you have not yet configured the profile that you want to apply, click New to add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see “Configuring content profiles” on page 526. |
Resource Select which resource profile, if any, to apply to email matching the policy.
(server mode If you have not yet configured the profile that you want to apply, click New to only) add the profile in a pop-up dialog. If you need to modify an existing profile before applying it, click Edit. For details, see “Configuring resource profiles (server mode only)” on page 539.
Configuring authentication for incoming email
The Authentication and Access section appears only if the directionality is incoming.
For more information on configuring an authentication profile, see “Workflow to enable and configure authentication of email users” on page 541.
GUI item | Description |
Authenticatio n type | If you want the email user to authenticate using an external authentication server, select the type of the authentication profile (SMTP, POP3, IMAP, RADIUS, LDAP, or LOCAL for server mode).
Note: In addition to specifying an authentication server for SMTP email messages that this policy governs, configuring Authentication profile also allows email users to authenticate when accessing their per-recipient quarantine using HTTP or HTTPS. For more information, see “How to enable, configure, and use personal quarantines” on page 186. |
Authenticatio n profile | Select an existing authentication profile to use with this policy. |
Use for SMTP Enable to allow the SMTP client to use the SMTP AUTH command, and to use authentication the server defined in Authentication profile to authenticate the connection.
(gateway and
Disable to make SMTP authentication unavailable.
transparent mode only) This option is available only if you have selected an Authentication profile.
Note: Enabling this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication. For details, see “Configuring access control rules” on page 456.
Allow Enable to allow email users matching this policy to use POP3 to retrieve the quarantined contents of their personal quarantine. For more information, see “How to email access enable, configure, and use personal quarantines” on page 186. through POP3
This option is available only if you have selected a profile in Authentication
(gateway and
profile.
transparent
mode only) Note: This option is for POP3 access only. Email users cannot access their personal quarantine through IMAP.
Allow quarantined email access through webmail (gateway and transparent mode only) | Enable to allow email users matching this policy to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their personal quarantine. For more information, see “How to enable, configure, and use personal quarantines” on page 186.
This option is available only if you have selected a profile in Authentication profile. |
Configuring the advanced incoming policies
The Advanced Settings section appears only if the directionality is incoming.
GUI item | Description |
Allow different SMTP sender
identity for authenticated user |
Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.
Disable to require that the sender email address in the SMTP envelope match the authenticated user name. |
Enable PKI authentication
for web mail access |
Enable if you want to allow web mail users to log in by presenting a certificate rather than a user name and password. Also configure “Certificate validation is mandatory”.
For more information on configuring PKI users and what defines a valid certificate, see “Configuring PKI authentication” on page 435. |
Certificate validation is mandatory | If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enable this option.
|