FortiMail Best Practices: Policy Configuration

Your FortiMail unit blocks most threats sent to your network out of the box, but a few configuration details matter if you want to maximize security.

The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

This recipe covers the best practices for policy tuning.


Policy Configuration

The following are some tips to keep your network safe using policy settings.

Important: Disable or delete policies with care. Any changes made to policies take effect immediately.

1. Arrange your policies by specificity. Policies are evaluated from the top of the list down and the first match wins, so when you create exceptions to a general policy, add them to the policy list above the general policy. An exception placed below the general policy never matches.

2. Verify that all SMTP traffic has a matching policy. If a connection matches no IP policy, the FortiMail unit allows it by default. If you are certain that all desired traffic is allowed by existing policies, add an IP policy to the bottom of the IP policy list to reject all remaining connections.

Create a new IP policy. Set the IP address to match to the match-all value, select Reject connections with this match, and move the policy to the bottom of the IP policy list. This effectively reverses the FortiMail unit's default of allowing connections with no policy match: any connection not matched by a policy higher in the list is now denied. Because the change takes effect immediately, confirm that a known-good sender can still deliver mail right after adding the catch-all; a catch-all that sits above a legitimate allow policy rejects that sender's mail.

3. Users can authenticate with the FortiMail unit using SMTP, POP3, IMAP, LDAP, or RADIUS servers. For users to authenticate successfully, you must create and apply an authentication profile by going to Profile > LDAP > LDAP, or Profile > Authentication > Authentication.
4. Addresses specified in an IP-based policy should be as specific as possible. Use subnets or specific IP addresses for more granular control. Use a 32-bit subnet mask (/32) when creating a single host address. The match-all IP setting matches every host, so it belongs only in a deliberate catch-all policy at the bottom of the list.