Configuring address mappings
Address mappings are bidirectional, one-to-one or many-to-many mappings. They can be useful when:
- you want to hide a protected domain’s true email addresses from recipients
- a mail domain’s domain name is not globally DNS-resolvable, and you want to replace the domain name with one that is
- you want to rewrite email addresses
Like aliases, address mappings translate email addresses. They do not translate many email addresses into a single email address.
Unlike aliases:
- Mappings cannot translate one email address into many.
- Mappings cannot translate an email address into one that belongs to an unprotected domain. (This restriction applies to locally defined address mappings only. This is not enforced for mappings defined on an LDAP server.)
- Mappings are applied bidirectionally, when an email is outgoing as well as when it is incoming to the protected domain.
- Mappings may affect both sender and recipient email addresses, and may affect those email addresses in both the message envelope and the message header, depending on the match condition.
The following table illustrates the sequence in which parts of each email are compared with address mappings for a match, and which locations’ email addresses are translated if a match is found.
Both RCPT TO: and MAIL FROM: email addresses are always evaluated for a match with an address mapping. If both RCPT TO: and MAIL FROM: contain email addresses that match the mapping, both mapping translations will be performed.
Table 51:Match evaluation and rewrite behavior for email address mappings
Order of evaluation | Match condition | If yes… | Rewrite to… |
1 | Does RCPT TO: match an external email address? | Replace RCPT TO:. | Internal email address |
2 | Does MAIL FROM:
match an internal email address? |
For each of the following, if it matches an internal email address, replace it:
• MAIL FROM: • RCPT TO: • From: • To: • Return-Path: • Cc: • Reply-To: • Return-Receipt-To: • Resent-From: • Resent-Sender: • Delivery-Receipt-To: • Disposition-Notification-To:
|
External email address |
For example, you could create an address mapping between the internal email address user1@marketing.example.net and the external email address sales@example.com. The following effects would be observable on the simplest case of an outgoing email and an incoming reply:
- For email from user1@marketing.example.net to other users, user1@marketing.example.net in both the message envelope (MAIL FROM:) and many message headers (From:, Cc:, etc.) would then be replaced with sales@example.com. Recipients would only be aware of the email address sales@example.com.
- For email to sales@example.com from others, the recipient address in the message envelope (RCPT TO:), but not the message header (To:), would be replaced with user1@marketing.example.net. The recipient user1@marketing.example.net would be aware that the sender had originally sent the email to the mapped address, sales@example.com.
You can alternatively create address mappings by configuring the FortiMail unit to query an LDAP server that contains address mappings. For more information, see “Configuring LDAP profiles” on page 548.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Others category.
For details, see “About administrator account permissions and domains” on page 290.
To view and configure a address map list
- Go to User > Address Map > Address Map.
Figure 182:Address Map tab
GUI item | Description |
Domain | Select the name of a protected domain to view address maps whose internal email address belongs to that protected domain.
You can see only the domains that are permitted by your administrator profile. |
Internal Email
Address |
Displays either an email address, such as
user1@admissions.example.edu, or an email address pattern, such as *@example.com, that exists in a protected domain. |
External Email
Address |
Displays either an email address, such as admissions@example.edu, or an email address pattern, such as *@example.net, that exists in a protected domain. |
- Either click New to add an address mapping or double-click a mapping to modify it.
A dialog appears.
Figure 183:New Email Address Map dialog
- Configure the following:
GUI item | Description |
Internal email address | Enter either an email address, such as user1@example.com, or an email address pattern, such as *@example.com, that exists in a protected domain.
This email address is hidden when passing to the external network by being rewritten into the external email address according to the match conditions and effects described in Table 51 on page 445. |
External email address | Enter either an email address, such as sales@example.com, or an email address pattern, such as *@example.net, that exists in a protected domain.
This email address is visible to the internal network, but will be rewritten into the internal email address according to the match conditions and effects described in Table 51 on page 445. The external email address must not be within the same protected domain as the internal address. Otherwise, it may cause situations where an email address is rewritten twice, by matching both the sender and recipient rewrite conditions, and the result is therefore the same as the original email address and possibly not deliverable. |
If you use wildcards (* or ?) in the name, you must enter a pattern using the same wild card in the external email address. The wild card indicates that the mapping could match many email addresses, but also indicates, during the rewrite, which substring of the original email address will be substituted into the position of the wild card in the external address. If there is no wild card in the other half of the mapping, or the wild card is not the same (that is, * mapped to ? or vice versa), this substitution will fail.
Configuring IBE users
You can send secured email with Identity Based Encryption (IBE) through the FortiMail unit. The IBE User option lets you manage the IBE mail users and configure secure questions for forgotten passwords and IBE domains. For details about how to use IBE service, see “FortiMail IBE configuration workflow” on page 358.
This section contains the following topics:
- Configuring active users
- Configuring expired users
- Configuring security questions
- Configuring IBE authentication
I am using FortiGate 5.6.3 and I don’t see any buttons to allow me to export users into a csv file.
Any help would be appreciated.
Thanks.