8/4/2015 Example: Access control rules with regular expressions
http://docslegacy.fortinet.com/fmail/fortimailadmin/index.html#page/FortiMail%2520Online%2520Help/policy.09.13.html#ww1132901 1/2
Example: Access control rules with regular expressions

Example Corporation uses a FortiMail unit operating in gateway mode, and that has been configured with only one protected domain: example.com. The FortiMail unit was configured with the access control rules illustrated in Table 111.
Table 111: A list of example access control rules (the Action column is taken from the rule descriptions below; patterns prefixed with "/" are wildcard patterns, and patterns prefixed with "R/" are regular expressions)

| Enabled | ID | Sender Pattern | Recipient Pattern | Sender IP/Netmask | Reverse DNS Pattern | Authentication | Action |
|---|---|---|---|---|---|---|---|
| Yes | 1 | /* | /user932@example.com | 0.0.0.0/0 | /* | Any | Reject |
| Yes | 2 | R/^\s*$ | /* | 0.0.0.0/0 | /* | Any | Reject |
| Yes | 3 | /* | /*@example.com | 172.20.120.0/24 | /mail.example.org | Any | Relay |
| Yes | 4 | /*@example.org | /* | 0.0.0.0/0 | /* | Any | Reject |
| Yes | 5 | /* | R/^user\d*@example\.com$ | 0.0.0.0/0 | /* | Any | Relay |
Rule 1
The email account of former employee user932 receives a large amount of spam. Since this employee is no longer with the company and all the user's external contacts were informed of their new Example Corporation employee contacts, messages addressed to the former employee's address must be spam.

Rule 1 uses only the recipient pattern. All other access control rule attributes are configured to match any value. This rule rejects all messages sent to the user932@example.com recipient email address. Rejection at the access control stage prevents these messages from being scanned for spam and viruses, saving FortiMail system resources.

This rule is placed first because it is the most specific access control rule in the list. It applies only to SMTP sessions for that single recipient address. SMTP sessions sending email to any other recipient do not match it. If a rule that matched all messages were placed at the top of the list, no rule after the first would ever be checked for a match, because the first would always match.

SMTP sessions not matching this rule are checked against the next rule.
Rule 2
Much of the spam received by the Example Corporation has no sender specified in the message envelope. Most valid email messages will have a sender email address.

Rule 2 uses only the sender pattern. The regular expression ^\s*$ will match a sender string that contains only whitespace characters, or is empty. If any non-space character appears in the sender string, this rule does not match. This rule will reject all messages with no sender, or a sender containing only spaces.

Not all email messages without a sender are spam, however. Delivery status notification (DSN) messages often have no specified sender. Bounce notifications are the most common type of DSN messages. The FortiMail administrators at the Example Corporation decided that the advantages of this rule outweigh the disadvantages.

Messages not matching this rule are checked against the next rule.
Rules 3 and 4
Recently, the Example Corporation has been receiving spam that appears to be sent by example.org. The FortiMail log files revealed that the sender address is being spoofed and the messages are sent from servers operated by spammers. Because spam servers often change IP addresses to avoid being blocked, the FortiMail administrators decided to use two rules to block all mail from example.org unless delivered from a server with the proper address and host name.

When legitimate, email messages from example.org are sent from one of multiple mail servers. All these servers have IP addresses within the 172.20.120.0/24 subnet and have a domain name of mail.example.org that can be verified using a reverse DNS query.

Rule 3 uses the recipient pattern, the sender IP, and the reverse DNS pattern. This rule will relay messages to email users of example.com sent from a client whose domain name is mail.example.org and IP address is between 172.20.120.1 and 172.20.120.255.

Messages not matching this rule are checked against the next rule.

Rule 4 works in conjunction with rule 3. It uses only the sender pattern. Rule 4 rejects all messages from example.org. But because it is positioned after rule 3 in the list, rule 4 affects only messages that were not already proven to be legitimate by rule 3, thereby rejecting only email messages with a fake sender.

Rules 3 and 4 must appear in the order shown. If they were reversed, all mail from example.org would be rejected. The more specific rule 3 (accept valid mail from example.org) is placed first, and the more general rule 4 (reject all mail from example.org) follows.

Messages not matching these rules are checked against the next rule.
Rule 5

The administrator of example.com has noticed that during peak traffic, a flood of spam using random user names causes the FortiMail unit to devote a significant amount of resources to recipient verification. Verification is performed with the aid of an LDAP server, which also expends significant resources servicing these requests. Example Corporation email addresses start with "user" followed by the user's employee number, and end with "@example.com".

Rule 5 uses only the recipient pattern. The recipient pattern is a regular expression that will match all email addresses that start with "user", end with "@example.com", and have one or more numbers in between. Email messages matching this rule are relayed.
Default implicit rules
For messages not matching any of the above rules, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain.

• For protected domains, the default action is RELAY.
• For unprotected domains, the default action is REJECT.
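To make the ordered, first-match evaluation of Table 111 and the implicit default action concrete, here is an added Python model of the rule list (example code written for this page, not FortiMail's own matching engine). It assumes the pattern syntax shown in the table ("/" prefix for wildcard patterns where "*" matches any run of characters, "R/" prefix for regular expressions) and a single protected domain, example.com. It also shows one caveat worth checking: the rule 5 regex uses \d*, which matches zero or more digits, so user@example.com with no employee number is relayed as well; \d+ would require at least one digit.

```python
# Added example (not Fortinet's code): ordered first-match evaluation of the
# five access control rules from Table 111 plus the implicit default action.
import ipaddress
import re
from fnmatch import fnmatchcase

PROTECTED_DOMAINS = {"example.com"}   # the single protected domain in the example

def pattern_matches(pattern, value):
    """Match one rule attribute against an envelope value.
    "R/" prefix = regular expression; "/" prefix = wildcard ('*' = any characters).
    Case-insensitive, as email addresses and host names are compared here."""
    if pattern.startswith("R/"):
        return re.search(pattern[2:], value, re.IGNORECASE) is not None
    return fnmatchcase(value.lower(), pattern[1:].lower())

# (id, sender pattern, recipient pattern, sender IP/netmask, reverse DNS pattern, action)
RULES = [
    (1, "/*", "/user932@example.com", "0.0.0.0/0", "/*", "REJECT"),
    (2, r"R/^\s*$", "/*", "0.0.0.0/0", "/*", "REJECT"),
    (3, "/*", "/*@example.com", "172.20.120.0/24", "/mail.example.org", "RELAY"),
    (4, "/*@example.org", "/*", "0.0.0.0/0", "/*", "REJECT"),
    (5, "/*", r"R/^user\d*@example\.com$", "0.0.0.0/0", "/*", "RELAY"),
]

def evaluate(sender, recipient, client_ip, rdns_name):
    """Return (matched rule id or None, action) for one SMTP envelope.
    Rules are checked top to bottom; the first rule whose four attributes all
    match decides the action. If none matches, the default action depends on
    whether the RCPT TO domain is protected."""
    ip = ipaddress.ip_address(client_ip)
    for rid, s_pat, r_pat, net, rdns_pat, action in RULES:
        if (pattern_matches(s_pat, sender)
                and pattern_matches(r_pat, recipient)
                and ip in ipaddress.ip_network(net)
                and pattern_matches(rdns_pat, rdns_name)):
            return rid, action
    domain = recipient.rsplit("@", 1)[-1].lower()
    return None, ("RELAY" if domain in PROTECTED_DOMAINS else "REJECT")

if __name__ == "__main__":
    # Constructed sample envelopes (203.0.113.0/24 is a documentation range).
    print(evaluate("spam@other.net", "user932@example.com", "203.0.113.5", "other.net"))
    print(evaluate("bob@example.org", "user100@example.com", "172.20.120.9", "mail.example.org"))
    print(evaluate("bob@example.org", "user100@example.com", "203.0.113.7", "mail.example.org"))
    print(evaluate("alice@other.net", "user@example.com", "203.0.113.7", "other.net"))
```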
See also
• Configuring access control rules
• Example: Access control rules with wildcards
• Controlling SMTP access and delivery