Configuring Policies

Configuring delivery rules

The Delivery tab displays a list of delivery rules that apply to SMTP sessions being initiated by the FortiMail unit in order to deliver email.

Delivery rules let you require TLS for the SMTP sessions the FortiMail unit initiates when sending email to other email servers. They also let you apply secure MIME (S/MIME) or IBE.

For more information about IBE, see “Configuring IBE encryption” on page 357.

When initiating an SMTP session, the FortiMail unit compares each delivery rule to the domain name portion of the envelope recipient address (RCPT TO:), and to the IP address of the SMTP server receiving the connection. Rules are evaluated for a match in the order of their list sequence, from top to bottom. If no delivery rule matches, the email message is delivered. If a match is found, the FortiMail unit compares the TLS profile settings to the connection attributes and, depending on the result, either sends the email message or refuses the connection; if an encryption profile is selected, its settings are applied. No subsequent delivery rules are applied. Only one delivery rule is ever applied to any given SMTP session.

If you are using a delivery rule to apply S/MIME encryption, the destination of the connection can be another FortiMail unit, but it could alternatively be any email gateway or server, as long as either:

  • the destination’s MTA or mail server
  • the recipient’s MUA

supports S/MIME and possesses the sender’s certificate and public key, which is necessary to decrypt the email. Otherwise, the recipient cannot read the email.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see “About administrator account permissions and domains” on page 290.

To configure a delivery rule list

  1. Go to Policy > Access Control > Delivery.

Figure 189: Delivery tab

GUI item Description

Move (button) Click a delivery rule to select it, click Move, then select either:

• the direction in which to move the selected rule (Up or Down), or

• After or Before, then in Move right after or Move right before indicate the rule’s new location by entering the ID of another delivery rule

FortiMail units match the rules in sequence, from the top of the list downwards.

Enabled Indicates whether or not the delivery rule is currently in effect.

To disable a delivery rule, mark the check box, then click Yes to confirm.

ID Displays the number identifying the rule.

If a comment was added when the rule was created, it appears as a mouse-over tool-tip in this column.

Note: The ID may differ from the rule’s position on the page, which indicates the order of evaluation.

FortiMail units evaluate delivery rules in sequence. Only the topmost matching delivery rule will be applied.

Sender Pattern Displays the complete or partial envelope sender email address to match.

Recipient Pattern Displays the complete or partial envelope recipient email address to match.

IP Displays the IP address and netmask of the system to which the FortiMail unit is sending the email message. 0.0.0.0/0.0.0.0 matches any IP address.

TLS Profile Displays the TLS profile, if any, used to allow or reject a connection.

• If the attributes match, the access control action is executed.

• If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

To edit the TLS profile, click its name. For details, see “Configuring security profiles” on page 591.

Encryption Profile Indicates the encryption profile used to apply S/MIME or IBE encryption to the email.

To edit the encryption profile, click its name. For details, see “Configuring encryption profiles” on page 594.

  2. Either click New to add a delivery control rule or double-click a delivery control rule to modify it.

A dialog appears.

  3. Configure the following:

Figure 190: Message Delivery Rule dialog

GUI item Description
Enabled Select whether or not the access control rule is currently in effect.
Sender pattern Enter a complete or partial envelope sender (MAIL FROM:) email address to match.

Wildcard characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.

For example, the sender pattern ??@*.com will match messages sent by any email user with a two-letter email user name from any “.com” domain name.


Recipient pattern Enter a complete or partial envelope recipient (RCPT TO:) email address to match.

Wildcard characters allow you to enter partial patterns that can match multiple recipient email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.

For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, example.org, or any other “example” domain ending with a three-letter top-level domain name.

Destination IP/netmask Displays the IP address and netmask of the system to which the FortiMail unit is sending the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet.

For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

To match any address, enter 0.0.0.0/0.

Note: This field is not used when considering whether or not to apply an encryption profile.

TLS profile Select a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

• If the attributes match, the access control action is executed.

• If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

Click New to add a new TLS profile or Edit to modify an existing one.

For more information on TLS profiles, see “Configuring TLS security profiles” on page 591.


Encryption profile Select an encryption profile used to apply S/MIME or IBE encryption to the email.

Note that if you create a delivery rule that uses both an IBE encryption profile and a TLS profile, the TLS profile will override the IBE encryption profile and IBE encryption will not be used. If you select an S/MIME profile here and an IBE profile in the Encryption with profile field (Profile > Content > Action), the S/MIME profile will override the IBE encryption profile.

Click New to add a new encryption profile or Edit to modify an existing one.

For more information, see “Configuring encryption profiles” on page 594 and “Configuring certificate bindings” on page 362.

For information about content action profiles, see “Configuring content action profiles” on page 535.

Comments Enter a comment if necessary. The comment will appear as a mouse-over tool-tip in the ID column of the rule list.
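The matching behaviour described for the sender and recipient patterns, the destination IP/netmask and the top-to-bottom evaluation of the rule list, modelled as an added example in Python (this is not FortiMail code; the wildcard semantics and the 10.10.10.10/24 to 10.10.10.0/24 normalisation follow the field descriptions above, while case-insensitive address comparison and the sample rules are assumptions):

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

def pattern_to_regex(pattern: str) -> re.Pattern:
    """'*' matches one or more characters, '?' exactly one (as documented).
    Assumption: addresses are compared case-insensitively."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

@dataclass
class DeliveryRule:
    rule_id: int
    sender_pattern: str          # matched against MAIL FROM:
    recipient_pattern: str       # matched against RCPT TO:
    destination: str             # IP/netmask as typed, e.g. "10.10.10.10/24"
    tls_profile: Optional[str] = None
    encryption_profile: Optional[str] = None
    enabled: bool = True

    def network(self) -> ipaddress.IPv4Network:
        # strict=False normalises 10.10.10.10/24 to 10.10.10.0/24, as the rule table shows it
        return ipaddress.ip_network(self.destination, strict=False)

    def matches(self, mail_from: str, rcpt_to: str, dest_ip: str) -> bool:
        return (self.enabled
                and pattern_to_regex(self.sender_pattern).match(mail_from) is not None
                and pattern_to_regex(self.recipient_pattern).match(rcpt_to) is not None
                and ipaddress.ip_address(dest_ip) in self.network())

def first_matching_rule(rules, mail_from, rcpt_to, dest_ip):
    """Top-to-bottom evaluation; only the first match applies. None: deliver with no profile."""
    for rule in rules:
        if rule.matches(mail_from, rcpt_to, dest_ip):
            return rule
    return None

RULES = [  # constructed sample rule list, not from any real deployment
    DeliveryRule(1, "*", "*@example.???", "10.10.10.10/24", tls_profile="require-tls"),
    DeliveryRule(2, "??@*.com", "*", "0.0.0.0/0", encryption_profile="smime-partners"),
    DeliveryRule(3, "*", "*", "0.0.0.0/0"),
]
```

Because only the first match is applied, a broad catch-all rule placed above a stricter TLS rule silently disables the stricter one; the model makes that ordering effect easy to check before changing a live list.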
