FortiMail
Kush_Patel
Staff
Article Id 276355
Description

This article describes how to troubleshoot and resolve the issue where outbound emails with offending attachments are not being rejected as expected and are instead sent to the system quarantine in FortiMail.

Scope

FortiMail.

Solution

FortiMail allows enforcement of email content policies, including rejecting emails with specific attachments.

However, in some cases, outbound emails may not be rejected and instead end up in the system quarantine.

This issue can occur due to antivirus profile settings.

Troubleshooting Outbound Email Rejection:

  1. Navigate to the Content Filter Profile: In the FortiMail web console, navigate to the 'Profiles' section and select the 'Content Filter' profile that is configured for outbound emails.
  2. Review Content Filter Settings: Within the Content Filter profile, review the settings and actions configured for outbound emails. Pay close attention to the final action specified in the profile. If the final action is set to 'Reject', the email should be rejected when it matches the profile criteria.
  3. Review Emails by performing a cross-search: Go to Monitor -> Log and perform a cross-search on the message. Export the cross-search and search for related emails to gather more information.
  4. Check Antivirus Profile: In FortiMail, the antivirus profile can play a role in the email processing flow. If the email is being deferred due to a malware or virus outbreak detected by the antivirus profile, it may not reach the Content Filter for rejection.
  5. Disable Antivirus Feature for Outbound Emails: To allow the rejection of emails based on the Content Filter settings, consider disabling the antivirus feature specifically for outbound emails. This can be done by creating or modifying the antivirus profile associated with outbound email traffic.
  6. Apply Changes: After disabling the antivirus feature for outbound emails, apply the changes to the antivirus profile and save the configuration.
  7. Test Outbound Email Rejection: Send a test email from a user in a protected domain with an offending attachment (e.g., a WMZ file). Ensure that the email is now rejected based on the Content Filter settings.
  8. Notify Users: If the issue is resolved, notify users and ensure that they are aware of the rejection policy for outbound emails with specific attachments.
  9. Regularly Review and Update Profiles: Periodically review and update the Content Filter and antivirus profiles to align them with the organization's email security policies and to address emerging threats.
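
To support the cross-search review in steps 3 and 4, the following added example (not Fortinet code and not part of the original article) scans an exported log and lists outbound sessions that ended in the system quarantine, together with the classifier that made the decision. The key="value" layout, the field names (session_id, direction, classifier, disposition) and the sample values are assumptions modelled on FortiMail history logs; adjust them to the real export.

```python
import re

# Constructed sample export (not real log data). Field names and values are
# assumptions; a cross-search can return several log lines per session.
SAMPLE_EXPORT = '''\
session_id="S1" direction="out" subject="Q3 figures" classifier="Virus Signature" disposition="System Quarantine"
session_id="S1" msg="attachment flagged by antivirus scan"
session_id="S2" direction="out" subject="invoice" classifier="Content Filter" disposition="Reject"
session_id="S3" direction="in" subject="hello" classifier="Virus Signature" disposition="System Quarantine"
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def sessions(export_text):
    """Merge all log lines that share a session_id, keeping the first value per field."""
    merged = {}
    for line in export_text.splitlines():
        rec = parse_line(line)
        sid = rec.get("session_id")
        if not sid:
            continue  # skip headers or lines without a session identifier
        for key, value in rec.items():
            merged.setdefault(sid, {}).setdefault(key, value)
    return merged


def quarantined_outbound(export_text, unexpected="System Quarantine"):
    """Map each outbound session that was quarantined instead of rejected
    to (classifier, disposition), so the deciding profile is visible."""
    hits = {}
    for sid, rec in sessions(export_text).items():
        if rec.get("direction") == "out" and rec.get("disposition") == unexpected:
            hits[sid] = (rec.get("classifier"), rec.get("disposition"))
    return hits


if __name__ == "__main__":
    for sid, (classifier, disposition) in quarantined_outbound(SAMPLE_EXPORT).items():
        print(f"{sid}: {disposition} decided by {classifier}")
```

A session listed here with an antivirus classifier matches the case described in step 4, where the antivirus profile acts on the message before the Content Filter can reject it.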

 
