Controlling email based on recipient addresses
The Recipient Policies section of the Policies tab lets you create recipient-based policies based on the incoming or outgoing directionality of an email message with respect to the protected domain. For details about email directionality, see “Incoming versus outgoing email messages” on page 454.
Recipient-based policies have precedence if an IP-based policy is also applicable but conflicts. Exceptions include IP-based policies where you have enabled Take precedence over recipient based policy match. For information about how recipient-based and IP-based policies are executed and how the order of polices affects the execution, see “How to use policies” on page 454.
If the FortiMail unit protects many domains, and therefore creating recipient-based policies would be very time-consuming, such as it might be for an Internet service provider (ISP), consider configuring only IP-based policies. For details, see “Controlling email based on IP addresses” on page 475.
Alternatively, consider configuring recipient-based policies only for exceptions that must be treated differently than indicated by the IP-based policy.
Profiles used by the policy, if any, are listed in the policy table, and appear as linked text. To modify profile settings, click the name of the profile.
Before you can configure a recipient policy, you first must have configured:
- at least one protected domain (see “Configuring protected domains” on page 380)
- at least one user group or LDAP profile with a configured group query, if you will use either to define which recipient email addresses will match the policy (see “Configuring user groups” on page 440 or “Configuring LDAP profiles” on page 548)
- at least one PKI user, if you will allow or require email users to access their per-recipient quarantine using PKI authentication (see “Configuring PKI authentication” on page 435)
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.
For details, see “About administrator account permissions and domains” on page 290.
To view recipient-based policies
- Go to Policy > Policies > Policies.
The tab includes two sections: one for IP policies and another for recipient policies.
Figure 191:Policies tab
- In the Recipient Policies section of the tab, select Incoming or Outgoing from Direction to view a list of applicable policies.
| GUI item | Description |
| Move
(button) |
FortiMail units match the policies for each domain in sequence, from the top of the list downwards. Therefore, you must put the more specific policies on top of the more generic ones.
To move a policy in the policy list: 1. Select a domain. Note: if the domain is “All”, the Move button is disabled 2. Click a policy to select it. 3. Click Move, then select either: • the direction in which to move the selected policy (Up or Down), or • After or Before, then in Move right after or Move right before indicate the policy’s new location by entering the ID of another policy. |
| Domain
(drop-down list) |
Select a domain to display its recipient-based policy list.
You can see only the domains that are permitted by your administrator profile. |
| Direction
(drop-down list) |
Select either Incoming to see and configure incoming recipient-based policy, or Outgoing to see and configure outgoing recipient-based policy. For a definition of directions, see “Incoming versus outgoing email messages” on page 454. |
| Enabled | Select whether or not the policy is currently in effect. |
| GUI item | Description |
| ID | Displays the number identifying the policy.
If a comment is added to this rule when the rule is created, the comment will show up as a mouse-over tool-tip in this column. Note: This may be different from the order in which they appear on the page, which indicates order of evaluation. FortiMail units evaluate policies in sequence. More than one policy may be applied. For details, see “Order of execution of policies” on page 455 and “Which policy/profile is applied when an email has multiple recipients?” on page 456. |
| Direction
(column) |
Displays the incoming or outgoing directionality of the policy as set in the Direction drop-down list. |
| Domain Name (column) | Indicates the domain part of the recipient’s email address in the envelope (RCPT TO:) that an email must match in order to be subject to the policy.
• For incoming recipient-based policies, this is the name of a protected domain. • For outgoing recipient-based policies, this is System, indicating that the recipient does not belong to a protected domain. |
| Sender Pattern | A sender email address (MAIL FROM:) as it appears in the envelope or a wildcard pattern to match sender email addresses. |
| Recipient Pattern | A recipient email address (RCPT TO:) as it appears in the envelope or a wildcard pattern to match recipient email addresses. |
| AntiSpam | Displays the antispam profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Managing antispam profiles” on page 503. |
| AntiVirus | Displays the antivirus profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring antivirus profiles and antivirus action profiles” on page 521. |
| Content | Displays the content profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring content profiles” on page 526. |
| GUI item | Description |
| Resource
(server mode only) |
Displays the resource profile selected for the matching recipients.
To modify or view a profile, click its name. The profile appears in a pop-up window. For details, see “Configuring resource profiles (server mode only)” on page 539. |
| Authentication
(not in server mode) |
Displays the authentication profile selected for the matching recipients.
To modify or view a profile, click its name.The profile appears in a pop-up window. For details, see “Configuring authentication profiles” on page 542 or “Configuring LDAP profiles” on page 548. |
To configure recipient-based policies
- Under Recipient Policies, either click New to add a policy or double-click a policy to modify it.
A multisection dialog appears.
- Select Enable to determine whether or not the policy is in effect.
- For a new policy, select from the Direction drop-down list either Incoming, for a recipient-based policy that affects incoming email, or Outgoing, for a recipient-based policy that affects outgoing email.
The options available vary greatly with your choice for this setting
For definitions of outgoing and incoming email, see “Incoming versus outgoing email messages” on page 454.
- Enter a comment if necessary. The comment will appears as a mouse-over tool-tip in the ID column of the rule list.
- Configure the following sections, as applicable:
- “Configuring the recipient incoming policies” on page 471
- “Configuring the recipient outgoing policies” on page 472
- “Configuring the profiles section of a recipient policy” on page 473
- “Configuring authentication for incoming email” on page 473
- “Configuring the advanced incoming policies” on page 474
- Click Create.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!