http://docslegacy.fortinet.com/fmail/fortimailadmin/index.html#page/FortiMail%2520Online%2520Help/policy.09.13.html#ww1132901
8/4/2015
Example: Access control rules with regular expressions
Example Corporation uses a FortiMail unit operating in gateway mode, and that has been configured with only one protected domain: example.com. The FortiMai
control rules illustrated in Table 111.
Table 111: A list of example access control rules

| Enabled | ID | Sender Pattern | Recipient Pattern | Sender IP/Netmask | Reverse DNS Pattern | Authentication |
|---|---|---|---|---|---|---|
| Yes | | /* | /user932@example.com | 0.0.0.0/0 | /* | Any |
| Yes | | R/^\s*$ | /* | 0.0.0.0/0 | /* | Any |
| Yes | | /* | /*@example.com | 172.20.120.0/24 | /mail.example.org | Any |
| Yes | | /*@example.org | /* | 0.0.0.0/0 | /* | Any |
| Yes | | /* | R/^user\d*@example\.com$ | 0.0.0.0/0 | /* | Any |
Rule 1
The email account of former employee user932 receives a large amount of spam. Since this employee is no longer with the company and all the user's external c
Example Corporation employee contacts, messages addressed to the former employee's address must be spam.
Rule 1 uses only the recipient pattern. All other access control rule attributes are configured to match any value. This rule rejects all messages sent to the user932
address. Rejection at the access control stage prevents these messages from being scanned for spam and viruses, saving FortiMail system resources.
This rule is placed first because it is the most specific access control rule in the list. It applies only to SMTP sessions for that single recipient address. SMTP sess
recipient do not match it. If a rule that matched all messages were placed at the top of the list, no rule after the first would ever be checked for a match, because t
SMTP sessions not matching this rule are checked against the next rule.
Rule 2
Much of the spam received by the Example Corporation has no sender specified in the message envelope. Most valid email messages will have a sender email a
Rule 2 uses only the sender pattern. The regular expression ^\s*$ will match a sender string that contains one or more spaces, or is empty. If any non-space ch
this rule does not match. This rule will reject all messages with no sender, or a sender containing only spaces.
Not all email messages without a sender are spam, however. Delivery status notification (DSN) messages often have no specified sender. Bounce notifications ar
messages. The FortiMail administrators at the Example Corporation decided that the advantages of this rule outweigh the disadvantages.
Messages not matching this rule are checked against the next rule.
Rules 3 and 4
Recently, the Example Corporation has been receiving spam that appears to be sent by example.org. The FortiMail log files revealed that the sender address is b
sent from servers operated by spammers. Because spam servers often change IP addresses to avoid being blocked, the FortiMail administrators decided to use t
example.org unless delivered from a server with the proper address and host name.
When legitimate, email messages from example.org are sent from one of multiple mail servers. All these servers have IP addresses within the 172.20.120.0/24 su
mail.example.org that can be verified using a reverse DNS query.
Rule 3 uses the recipient pattern, the sender IP, and the reverse DNS pattern. This rule will relay messages to email users of example.com sent from a client who
and IP address is between 172.20.120.1 and 172.20.120.255.
Messages not matching this rule are checked against the next rule.
Rule 4 works in conjunction with rule 3. It uses only the sender pattern. Rule 4 rejects all messages from example.org. But because it is positioned after rule 3 in t
that were not already proven to be legitimate by rule 3, thereby rejecting only email messages with a fake sender.
Rules 3 and 4 must appear in the order shown. If they were reversed, all mail from example.org would be rejected. The more specific rule 3 (accept valid mail fro
the more general rule 4 (reject all mail from example.org) follows.
Messages not matching these rules are checked against the next rule.
Rule 5
The administrator of example.com has noticed that during peak traffic, a flood of spam using random user names causes the FortiMail unit to devote a significant
verification. Verification is performed with the aid of an LDAP server which also expends significant resources servicing these requests. Example Corporation ema
by the user's employee number, and end with @example.com.
Rule 5 uses only the recipient pattern. The recipient pattern is a regular expression that will match all email addresses that start with user, end with @example.c
in between. Email messages matching this rule are relayed.
Default implicit rules
For messages not matching any of the above rules, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in
member of a protected domain.
For protected domains, the default action is RELAY.
For unprotected domains, the default action is REJECT.
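The first-match evaluation described above can be modeled offline to check a rule order before deploying it. This is an added example, not Fortinet code: the function names, the use of fnmatch for wildcard patterns, and the sample addresses are assumptions, patterns are written without the leading "/" shown in the table, and the actions are taken from the rule descriptions.

```python
import fnmatch
import ipaddress
import re

# (rule, sender, recipient, sender network, reverse DNS, action).
# "R/" marks a regular expression; anything else is treated as a wildcard pattern.
RULES = [
    (1, "*", "user932@example.com", "0.0.0.0/0", "*", "REJECT"),
    (2, r"R/^\s*$", "*", "0.0.0.0/0", "*", "REJECT"),
    (3, "*", "*@example.com", "172.20.120.0/24", "mail.example.org", "RELAY"),
    (4, "*@example.org", "*", "0.0.0.0/0", "*", "REJECT"),
    (5, "*", r"R/^user\d*@example\.com$", "0.0.0.0/0", "*", "RELAY"),
]
PROTECTED_DOMAINS = {"example.com"}


def field_matches(pattern, value):
    """Match one rule field, as a regex (R/ prefix) or a wildcard pattern."""
    if pattern.startswith("R/"):
        return re.search(pattern[2:], value) is not None
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(sender, recipient, client_ip, rdns, rules=RULES):
    """Return (rule number, action) of the first matching rule, top to bottom."""
    ip = ipaddress.ip_address(client_ip)
    for rule_id, s_pat, r_pat, net, d_pat, action in rules:
        if (field_matches(s_pat, sender)
                and field_matches(r_pat, recipient)
                and ip in ipaddress.ip_network(net)
                and field_matches(d_pat, rdns)):
            return rule_id, action
    # No rule matched: the implicit default depends on the recipient's domain.
    domain = recipient.rpartition("@")[2].lower()
    return None, ("RELAY" if domain in PROTECTED_DOMAINS else "REJECT")


if __name__ == "__main__":
    # Constructed sessions: legitimate example.org mail, then a spoofed sender.
    print(evaluate("bob@example.org", "user10@example.com",
                   "172.20.120.7", "mail.example.org"))
    print(evaluate("bob@example.org", "user10@example.com",
                   "203.0.113.5", "host.invalid"))
    # Reversing rules 3 and 4 rejects the legitimate example.org session too.
    swapped = RULES[:2] + [RULES[3], RULES[2]] + RULES[4:]
    print(evaluate("bob@example.org", "user10@example.com",
                   "172.20.120.7", "mail.example.org", swapped))
```

Running a set of known-good and known-bad sessions through the model after every reorder shows which rule a session actually lands on, including sessions that fall through to the implicit default.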
See also
Configuring access control rules
Example: Access control rules with wildcards
Controlling SMTP access and delivery