Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Danny
New Contributor

How can I create an SMTP allowed policy?

I’m running an FG 50B, which I know is quite old, but I’m still very happy with it. However, I’ve found a strange problem with a policy I have created recently.

 

I’m trying to create an allowed policy to control my SMTP traffic, which means just allowing SMTP from certain networks/IPs or countries.

 

I have created the addresses I want to allow under firewall objects, and I have created a group containing the addresses mentioned above.

 

My policy allows SMTP services from the source interface zone (wan1) to the destination addresses (wan2) only when the source address matches the allowed list. The action is then set to “accept”. There is no other rule regarding SMTP.

 

However, this seems not to work, because no matter where I place this policy, the SMTP traffic from networks which are not on the list is still getting through. Did I miss something? From my understanding, all non-allowed SMTP traffic should be dropped. A deny policy would work without any problems, but it would be much easier to have an allowed policy instead.

 

I really appreciate any replies.

 

 

2 REPLIES
ede_pfau
Esteemed Contributor III

Hi,

Could you please clarify: is this for traffic from your LAN to WAN/ISP, or something else?

The culprit most likely will not be the ACCEPT policy but some other policy allowing a broader range of services. We should have a look at the policy table.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Danny
New Contributor

Hi Ede,

Thank you very much for your reply. I'm trying to control the inbound access coming in from the WAN, or ISP if you want. The other services which are allowed are HTTP, HTTPS, DNS, FTP, POP and IMAP, in separate rules.

Furthermore, I'm allowing RDP from two restricted zones, which works perfectly btw.

At the top of the list are the policies blocking either everything or SMTP (depending on what had happened), containing hundreds of IPs in their address groups. They are working perfectly. My consideration was to use a kind of allow policy instead of denying hundreds of addresses, to make my life a little easier. But it seems not to work when I'm using a group instead of single ranges or addresses.

The mentioned policy looks like this and is placed almost directly under the "block all bad guys" policy:

- Source Interface/Zone: wan1
- Source Address: SMTP Allowed List (containing the IP addresses or even countries)
- Destination Interface/Zone: wan2 (DMZ)
- Destination Address: 2xx.xxx.xxx.x1, 2xx.xxx.xxx.x2, 2xx.xxx.xxx.x5 (DMZ addresses)
- Schedule: always
- Service: SMTP, SMTPS, SSL MAIL (995, 993)
- Action: ACCEPT

 

Please let me know how I could support you in finding a solution.

 

Thank you very much.

 

Danny

PS: sorry for my bad English ;-@
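The diagnosis ede_pfau suggests (a broader policy higher in the table, not the SMTP accept policy itself) is easy to demonstrate with a small first-match policy simulator. The following is an added example, not FortiOS code and not part of the thread: it models the top-down, first-match evaluation with an implicit deny at the bottom that a FortiGate policy table uses, using constructed RFC 5737 addresses in place of Danny's real DMZ and allowed-list addresses, and it omits NAT/VIPs, geography objects and schedules. The `INTENDED` table mirrors the policies Danny describes; `SHADOWED` is the same table with one hypothetical "any service to DMZ" accept policy added above the SMTP policy, which is the kind of rule that would let unlisted SMTP through no matter where the allow policy sits below it. `smtp_audit` is a constructed helper that lists any accept policy covering port 25 from sources outside the allowed list.

```python
import ipaddress

# Well-known ports for the service names used in the thread.
SERVICES = {"SMTP": 25, "SMTPS": 465, "POP3S": 995, "IMAPS": 993,
            "HTTP": 80, "HTTPS": 443, "DNS": 53}
ANY = "0.0.0.0/0"


def policy(name, srcintf, dstintf, src, dst, services, action):
    """Build one policy entry; services is a list of names or ["ALL"]."""
    ports = None if services == ["ALL"] else {SERVICES[s] for s in services}
    return {"name": name, "srcintf": srcintf, "dstintf": dstintf,
            "src": [ipaddress.ip_network(n) for n in src],
            "dst": [ipaddress.ip_network(n) for n in dst],
            "ports": ports, "action": action}


def matches(pol, srcintf, dstintf, src_ip, dst_ip, dport):
    """True if the packet tuple falls within every field of the policy."""
    if pol["srcintf"] != srcintf or pol["dstintf"] != dstintf:
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(src in n for n in pol["src"]):
        return False
    if not any(dst in n for n in pol["dst"]):
        return False
    return pol["ports"] is None or dport in pol["ports"]


def evaluate(table, srcintf, dstintf, src_ip, dst_ip, dport):
    """Top-down first match; anything unmatched hits the implicit deny."""
    for pol in table:
        if matches(pol, srcintf, dstintf, src_ip, dst_ip, dport):
            return pol["name"], pol["action"]
    return "implicit-deny", "deny"


def smtp_audit(table, allowed_sources):
    """Names of accept policies that admit port 25 from outside allowed_sources."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for pol in table:
        if pol["action"] != "accept":
            continue
        if pol["ports"] is not None and SERVICES["SMTP"] not in pol["ports"]:
            continue
        # Any source network not fully inside the allowed list is a leak.
        if any(not any(n.subnet_of(a) for a in allowed) for n in pol["src"]):
            findings.append(pol["name"])
    return findings


# Constructed sample data (RFC 5737 documentation ranges), not the thread's real addresses.
DMZ = ["192.0.2.1/32", "192.0.2.2/32", "192.0.2.5/32"]
ALLOWED_SMTP = ["203.0.113.0/24", "198.18.0.0/16"]
BAD_GUYS = ["198.51.100.0/24"]

# Policy table as Danny describes it: block list on top, SMTP allow list, other services.
INTENDED = [
    policy("block-bad-guys", "wan1", "wan2", BAD_GUYS, [ANY], ["ALL"], "deny"),
    policy("smtp-allowed-list", "wan1", "wan2", ALLOWED_SMTP, DMZ,
           ["SMTP", "SMTPS", "POP3S", "IMAPS"], "accept"),
    policy("web-to-dmz", "wan1", "wan2", [ANY], DMZ, ["HTTP", "HTTPS"], "accept"),
    policy("dns-to-dmz", "wan1", "wan2", [ANY], DMZ, ["DNS"], "accept"),
]

# Same table with a hypothetical broad policy above the SMTP rule (the suspected culprit).
SHADOWED = [INTENDED[0],
            policy("any-to-dmz", "wan1", "wan2", [ANY], DMZ, ["ALL"], "accept")] + INTENDED[1:]


if __name__ == "__main__":
    unlisted = "100.64.0.9"  # constructed source that is on neither list
    for label, table in (("intended", INTENDED), ("shadowed", SHADOWED)):
        print(label, "SMTP from unlisted source:",
              evaluate(table, "wan1", "wan2", unlisted, "192.0.2.1", 25))
        print(label, "audit:", smtp_audit(table, ALLOWED_SMTP))
```

In the intended table, SMTP from an unlisted source falls through to the implicit deny, so an allow policy on its own is enough; in the shadowed table the broad policy answers first, and moving the SMTP policy up or down below it changes nothing, which matches the symptom in the original post. Reviewing the table for any accept policy whose services include SMTP (or ALL) and whose source is wider than the allowed list is the check to run.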

 

 
