Controlling email based on IP addresses
The IP Policies section of the Policies tab lets you create policies that apply profiles to SMTP connections based on the IP addresses of SMTP clients and/or servers.
Due to the nature of relay in SMTP, an SMTP client is not necessarily always located on an email user’s computer. The SMTP client is the connection initiator; it could be, for example, another email server or a mail relay attempting to deliver email. The SMTP server, however, is always a mail relay or email server that receives the connection.
For example, if computer A opened a connection to computer B to deliver mail, A is the client and B is the server. If computer B later opened a connection to computer A to deliver a reply email, B is now the client and A is now the server.
Like access control rules, IP-based policies can reject connections based on IP address. For information about IP pools, see “Configuring IP pools” on page 597.
Unlike access control rules, however, IP-based policies can affect email in many ways that occur after the session’s DATA command, such as by applying antispam profiles. IP-based policies can also be overruled by recipient-based policies, and, if the FortiMail unit is operating in server mode, may match connections based on the IP address of the SMTP server, not just the SMTP client. For more information on access control rules, see “Configuring access control rules” on page 456.
For information about how recipient-based and IP-based policies are executed and how the order of policies in the list affects the order of execution, see “How to use policies” on page 454.
If SMTP traffic does not match any IP-based or recipient-based policy, it is allowed. However, because no policy applies to it, no antivirus or antispam profile is applied to it either: it passes through unscanned.
If you are certain that you have configured policies to match and allow all required traffic, you can tighten security by adding an IP policy at the bottom of the policy list to reject all other, unwanted connections.
To do this, create a new IP policy, enter 0.0.0.0/0 as the client IP/netmask, and set the action to Reject. See the following procedures about how to configure an IP policy. Then, move the policy to the very bottom of the IP policy list. Because this policy matches any connection, all connections that do not match any other policy will match this final policy, and be rejected.
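The following Python is an added illustration, not FortiMail code: it models the first-match, top-down evaluation the section describes, the "no match means allow, unscanned" default, and the effect of the 0.0.0.0/0 Reject catch-all, including what happens when that catch-all is left at the top of the list instead of the bottom. The policy field names, the sample addresses and the pool of constructed policies are this example's own; the SMTP reply codes are the ones the Action field in the configuration table below associates with Reject (550) and Fail Temporarily (451).

```python
"""First-match evaluation of a FortiMail-style IP policy list.

Added example (not FortiMail code). Policies are tried in list order from
the top; the first match wins; a connection matching no policy is allowed
but unscanned; a 0.0.0.0/0 Reject policy at the bottom turns that default
into a reject. Field names and sample addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# SMTP reply the document associates with each action (None = accept).
ACTION_REPLY = {
    "Scan": None,               # accept, then apply the policy's profiles
    "Reject": "550",            # permanent failure
    "Fail Temporarily": "451",  # temporary failure; client should retry
    "Proxy Bypass": None,       # accept without scanning
}


@dataclass
class IPPolicy:
    pid: int                    # policy ID; NOT the evaluation order
    source: list                # client networks (an IP group is a list)
    destination: list           # server networks; 0.0.0.0/0 = any
    action: str
    enabled: bool = True
    profiles: dict = field(default_factory=dict)
    exclusive: bool = False     # "Take precedence over recipient based policy match"

    def matches(self, client_ip, server_ip):
        c, s = ip_address(client_ip), ip_address(server_ip)
        return (self.enabled
                and any(c in ip_network(n) for n in self.source)
                and any(s in ip_network(n) for n in self.destination))


def evaluate(policies, client_ip, server_ip):
    """Return (policy_id, action, smtp_reply) for the first matching policy,
    or (None, "Allow (unscanned)", None) when nothing matches."""
    for p in policies:
        if p.matches(client_ip, server_ip):
            return p.pid, p.action, ACTION_REPLY[p.action]
    return None, "Allow (unscanned)", None


def move(policies, pid, position):
    """Reorder like the GUI's Move button; position is "top" or "bottom"."""
    target = next(p for p in policies if p.pid == pid)
    rest = [p for p in policies if p.pid != pid]
    return [target] + rest if position == "top" else rest + [target]


ANY = ["0.0.0.0/0"]

# Constructed policy list in evaluation order (IDs deliberately unsorted,
# because the ID column does not indicate evaluation order).
POLICIES = [
    IPPolicy(3, ["192.0.2.0/24"], ANY, "Scan",
             profiles={"AntiSpam": "inbound_as", "AntiVirus": "default_av"}),
    IPPolicy(1, ["198.51.100.10/32"], ANY, "Proxy Bypass"),    # trusted relay
    IPPolicy(2, ["203.0.113.0/24"], ANY, "Fail Temporarily"),  # tell it to retry
    IPPolicy(4, ["10.0.0.0/8"], ANY, "Scan", enabled=False),   # disabled: skipped
    # Destination-specific policy (meaningful in transparent mode / virtual hosts).
    IPPolicy(6, ANY, ["172.16.0.2/32"], "Scan", profiles={"Session": "vhost_b"}),
]
# The catch-all that turns "no match = allow unscanned" into "reject".
CATCH_ALL = IPPolicy(5, ANY, ANY, "Reject")
HARDENED = POLICIES + [CATCH_ALL]

if __name__ == "__main__":
    for client in ("192.0.2.7", "198.51.100.10", "203.0.113.9", "10.1.2.3"):
        print(client, evaluate(POLICIES, client, "172.16.0.1"),
              evaluate(HARDENED, client, "172.16.0.1"))
    # Misordered: the same catch-all at the top rejects everything.
    print(evaluate(move(HARDENED, 5, "top"), "192.0.2.7", "172.16.0.1"))
```

Note that the client from 10.1.2.3 is allowed without any scanning under POLICIES (its only candidate policy is disabled) and rejected under HARDENED; moving the catch-all to the top rejects even the 192.0.2.0/24 clients that were meant to be scanned, which is why the page insists it goes at the very bottom.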
Profiles used by the policy, if any, are listed in the policy table, and appear as linked text. To modify profile settings, click the name of the profile.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.
Domain administrators can create and modify IP-based policies. Because they can affect any IP address, a domain administrator could therefore create a policy that affects another domain. If you do not want to allow this, do not grant Read-Write permission to the Policy category in domain administrators’ access profiles.
For details, see “About administrator account permissions and domains” on page 290.
To view the list of IP-based policies, go to Policy > Policies > Policies, then look in the IP Policies section.
Figure 192: IP Policies
GUI item | Description |
Move (button) | Click a policy to select it, click Move, then select either:
• the direction in which to move the selected policy (Up or Down), or
• After or Before, then in Move right after or Move right before, indicate the policy’s new location by entering the ID of another policy.
FortiMail units match the policies in sequence, from the top of the list downwards. |
Enabled | Select whether or not the policy is currently in effect. |
ID | Displays the number identifying the policy. If a comment was added when the policy was created, it appears as a mouse-over tool-tip in this column.
Note: The ID may differ from the policy’s position on the page, and it is the position, not the ID, that indicates the order of evaluation. FortiMail units evaluate policies in sequence, and more than one policy may be applied. For details, see “Order of execution of policies” on page 455 and “Which policy/profile is applied when an email has multiple recipients?” on page 456. |
Source | Displays the IP address of the SMTP source to which the policy applies. |
Destination | Displays the IP address of the SMTP server (destination) to which the policy applies. |
Session | Displays the name of the session profile applied by this policy.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring session profiles” on page 482. |
AntiSpam | Displays the name of the antispam profile applied by this policy.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Managing antispam profiles” on page 503. |
AntiVirus | Displays the name of the antivirus profile applied by this policy.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring antivirus profiles and antivirus action profiles” on page 521. |
Content | Displays the name of the content profile applied by this policy.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring content profiles” on page 526. |
IP Pool | Displays the name of the IP pool profile applied by this policy.
The IP addresses in the IP pool are used as the source IP address for the SMTP sessions matching this policy. The IP pool profile is ignored if the Take precedence over recipient based policy match option is disabled.
• An IP pool in an IP policy will be used to deliver incoming email from FortiMail to the protected server. It will also be used to deliver outgoing email if the sender domain does not have a delivery IP pool or, although it has a delivery IP pool, Take precedence over recipient based policy match is enabled in the IP-based policy.
• An IP pool (either in an IP policy or in domain settings) will NOT be used to deliver email to the protected domain servers if the mail flow is from an internal domain to an internal domain.
• When an email message’s MAIL FROM is empty (“<>”), the email is normally an NDR or DSN bounce message. FortiMail checks the IP address of the sending device against the IP list of the protected domains. If the sender IP is found in the protected domain IP list, the mail flow is considered to be internal to internal and the rule above applies (the IP pool is skipped). FortiMail also skips the DNS query if the servers of the protected domains are configured as host names and MX records. |
Authentication (not in server mode) | Displays the name of the authentication profile applied by this policy.
To modify the profile, click its name. The profile appears in a pop-up window. For details, see “Configuring authentication profiles” on page 542. |
Exclusive | Indicates whether or not Take precedence over recipient based policy match is enabled in this policy. See “Order of execution of policies” on page 455 for an explanation of that option.
- Green check mark icon: The option is enabled. Recipient-based policies will not be applied if a connection matches this IP-based policy.
- Red X icon: The option is disabled. Both the IP-based policy and any applicable recipient-based policies will be applied. |
To configure an IP-based policy
- Go to Policy > Policies > Policies.
The tab includes two sections: one for IP policies and another for recipient policies.
- In the IP Policies section, click New to add a policy or double-click a policy to modify it.
A dialog appears that varies with the operation mode.
- Configure the following settings and then click Create.
GUI item | Description |
Enable | Select or clear to enable or disable the policy. |
Source | Enter or select the addresses of the SMTP clients to whose connections this policy will apply, as one of:
• IP address and subnet mask
• IP group. See “Configuring IP groups” on page 599.
• IP pool. See “Configuring IP pools” on page 597.
To match all clients, enter 0.0.0.0/0. |
Destination | If the FortiMail unit runs in transparent mode, enter the address of the SMTP server to whose connections this policy will apply, as one of:
• IP address and subnet mask
• IP group. See “Configuring IP groups” on page 599.
• IP pool. See “Configuring IP pools” on page 597.
To match all servers, enter 0.0.0.0/0.
If the FortiMail unit runs in gateway or server mode, the destination is the FortiMail unit itself, so you normally do not have to specify a destination address. If you use virtual hosts on the FortiMail unit, however, you can specify which virtual host (IP/subnet or IP pool) the email is destined to. In that case you must also configure the MX record to direct email to the virtual host IP addresses. This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different hosts and logging for each host can be kept separate. |
Action | Select whether to:
• Scan: Accept the connection and perform any scans configured in the profiles selected in this policy.
• Reject: Reject the email and respond to the SMTP client with SMTP reply code 550, indicating a permanent failure.
• Fail Temporarily: Reject the email and respond to the SMTP client with SMTP reply code 451, indicating that it should try again later.
• Proxy Bypass: Bypass the FortiMail proxy without scanning. |
Comments | Enter a comment if necessary. The comment appears as a mouse-over tool-tip in the ID column of the policy list. |
Profiles
Session | Select the name of a session profile to have this policy apply. This option is applicable only if Action is Scan. |
AntiSpam | Select the name of an antispam profile to have this policy apply. This option is applicable only if Action is Scan. |
AntiVirus | Select the name of an antivirus profile to have this policy apply. This option is applicable only if Action is Scan. |
Content | Select the name of a content profile to have this policy apply. This option is applicable only if Action is Scan. |
IP pool | Select the name of an IP pool profile, if any, that this policy will apply. This option is applicable only if Action is Scan. For details about IP pools, see “Configuring IP pools” on page 597.
• An IP pool in an IP policy will be used to deliver incoming email from FortiMail to the protected server. It will also be used to deliver outgoing email if the sender domain does not have a delivery IP pool or, although it has a delivery IP pool, Take precedence over recipient based policy match is enabled in the IP-based policy.
• An IP pool (either in an IP policy or in domain settings) will NOT be used to deliver email to the protected domain servers if the mail flow is from an internal domain to an internal domain.
• When an email message’s MAIL FROM is empty (“<>”), the email is normally an NDR or DSN bounce message. FortiMail checks the IP address of the sending device against the IP list of the protected domains. If the sender IP is found in the protected domain IP list, the mail flow is considered to be internal to internal and the rule above applies (the IP pool is skipped). FortiMail also skips the DNS query if the servers of the protected domains are configured as host names and MX records. |
Authentication and Access (not available in server mode) | This section appears only if the FortiMail unit is operating in gateway or transparent mode. In server mode, select a resource profile instead. For more information on configuring authentication, see “Workflow to enable and configure authentication of email users” on page 541. |
Authentication type | If you want the email user to authenticate using an external authentication server, select the authentication type of the profile (SMTP, POP3, IMAP, RADIUS, or LDAP).
Note: In addition to specifying an authentication server for the SMTP email messages that this policy governs, configuring an authentication profile also allows email users to authenticate when accessing their per-recipient quarantine using HTTP or HTTPS. For more information, see “How to enable, configure, and use personal quarantines” on page 186. |
Authentication profile | Select an existing authentication profile to use with this policy. Click New to create one or Edit to modify the selected profile. |
Use for SMTP authentication | Enable to allow the SMTP client to use the SMTP AUTH command, and to use the server defined in Authentication profile to authenticate the connection. Disable to make SMTP authentication unavailable.
This option is available only if you have selected an Authentication profile.
Note: Enabling this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication. For details, see “Configuring access control rules” on page 456. |
Allow different SMTP sender identity | Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that it used to authenticate. Disable to require that the sender email address in the SMTP envelope match the authenticated user name. Note that enabling this option lets any authenticated account submit mail with an arbitrary envelope sender address.
This option is applicable only if Use for SMTP authentication is enabled. |
Miscellaneous
Take precedence over recipient based policy match | Enable to omit use of recipient-based policies for connections matching this IP-based policy. For information on how policies are executed, see “How to use policies” on page 454.
This option is applicable only if Action is Scan.
Note: Enabling this option also causes the FortiMail unit to ignore the option Hide the transparent box in the protected domain. |
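The IP pool bullets in the table above are easier to check when written out as one decision. The following Python is an added example, not FortiMail code: it is this editor’s reading of those bullets (policy pool for mail relayed to a protected server; for outgoing mail the sender domain’s delivery pool unless the domain has none or the matching policy has Take precedence over recipient based policy match enabled; no pool at all for internal-to-internal flow, with an empty MAIL FROM classified by the connecting IP against the protected domains’ server list). The domain names, addresses and pool names are constructed. Two points are assumptions rather than statements from the page: protected domain servers are given as literal addresses (the page says host-name/MX entries are handled differently), and an exclusive policy with no pool of its own is assumed to fall back to the domain pool.

```python
"""Which IP pool sources a delivery? A decision function for the IP pool
rules in the IP-based policy table.

Added example (not FortiMail code): an editor's reading of the bullet
rules, written out so each case can be checked side by side. Domains,
addresses and pool names are constructed. ASSUMPTIONS: servers are literal
addresses/networks, and an exclusive policy without its own pool falls
back to the sender domain's delivery pool.
"""
from ipaddress import ip_address, ip_network

# Constructed protected domains: delivery IP pool (or None) and the server
# addresses consulted for the empty-MAIL-FROM (bounce) check.
PROTECTED = {
    "example.com": {"pool": "pool-example-com", "servers": ["10.0.0.0/24"]},
    "example.net": {"pool": None, "servers": ["10.0.1.5/32"]},
}


def _domain(addr):
    """Domain part of an envelope address; '' for an empty MAIL FROM (<>)."""
    addr = addr.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_is_internal(mail_from, client_ip, protected=PROTECTED):
    """Internal sender: MAIL FROM is in a protected domain, or, for an empty
    MAIL FROM (normally an NDR/DSN bounce), the connecting IP is listed as a
    protected domain's server."""
    domain = _domain(mail_from)
    if domain:
        return domain in protected
    c = ip_address(client_ip)
    return any(c in ip_network(n)
               for d in protected.values() for n in d["servers"])


def delivery_ip_pool(mail_from, rcpt_to, client_ip, policy_pool,
                     policy_exclusive, protected=PROTECTED):
    """Return the pool whose addresses source the delivery, or None when the
    unit delivers from its own interface address."""
    rcpt_protected = _domain(rcpt_to) in protected
    # Bullet 2: internal -> internal never uses a pool, policy or domain.
    if sender_is_internal(mail_from, client_ip, protected) and rcpt_protected:
        return None
    # Bullet 1, incoming: mail relayed on to a protected server uses the
    # policy's pool (None if the policy has none).
    if rcpt_protected:
        return policy_pool
    # Bullet 1, outgoing: the sender domain's delivery pool wins unless the
    # domain has none or the matching IP policy is exclusive.
    domain_pool = protected.get(_domain(mail_from), {}).get("pool")
    if domain_pool is None or (policy_exclusive and policy_pool):
        return policy_pool
    return domain_pool


if __name__ == "__main__":
    cases = [
        ("<bob@remote.example>", "<alice@example.com>", "203.0.113.5", "pool-in", False),
        ("<alice@example.com>", "<carol@example.net>", "10.0.0.3", "pool-in", True),
        ("<>", "<carol@example.net>", "10.0.0.3", "pool-in", False),
        ("<>", "<carol@example.net>", "203.0.113.5", "pool-in", False),
        ("<alice@example.com>", "<bob@remote.example>", "10.0.0.3", "pool-policy", False),
        ("<alice@example.com>", "<bob@remote.example>", "10.0.0.3", "pool-policy", True),
    ]
    for case in cases:
        print(case, "->", delivery_ip_pool(*case))
```

The two bounce cases are the ones worth noticing: the same empty MAIL FROM to the same protected recipient is delivered without a pool when it arrives from a protected domain’s server address, and from the policy pool when it arrives from an outside address.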