This article describes how to use the IP pool in several scenarios.
Applies to FortiMail v7.0 and v7.2.
IP pools define a range of IP addresses that can be used as source or destination IPs.
An IP pool can be applied in three different locations, each with different behavior:
1) IP pool applied under IP policy: in the IP policy, the IP pool will be used as the originating IP when sending emails to external users or to the internal SMTP server of protected domains. It will NOT be used in receiving.
2) IP pool applied under Domain settings: in the GUI, go to Domain & user -> Domain, choose a domain and select Edit -> Advanced setting -> Other -> IP pool. Here it is possible to choose the direction of the IP pool as follows:
Delivery: the IP pool will be used as the originating IP when delivering emails externally, but it will NOT be used as the originating IP when delivering to the internal SMTP server.
Receiving: the IP pool will be used as the destination IP for the incoming traffic.
Both: Receiving & Delivery.
3) IP pool applied under Delivery Access Control Policy: the IP pool here will be used as the originating IP when delivering emails externally and to the internal SMTP server of protected domains.
It will NOT be used in receiving. This is similar to the IP pool applied under the IP policy, but here it is possible to have more control by specifying the sender and recipient by domain name, whereas the IP policy is based on IP.
Note 1: the delivery access control policy has priority over the IP policy, so if an IP pool is applied in both the delivery access control policy and the IP policy, only the one in the access control policy will be applied.
Note 2: when an email hits the delivery access control policy, the logs will show only the receiving access control policy in the policy ID. The matched delivery access control policy will not be visible. In the policy ID only Receiving access control, IP policy: Recipient policy will be shown as follows in the logs:
Note 3: before v7.0.1 GA, the IP pool was ignored when the sender and recipient were protected domain addresses. Starting from v7.0.1 GA, the IP pool is used, and a new CLI command was introduced to give more control over it:
# config system mailserver