Add rule for email clients (POP and IMAP)

The Email clients (POP and IMAP) rule is used to protect mail servers that are hosted publicly (in the WAN zone). This page describes how to configure a protection rule and control access to mail servers using the Email clients application template.

Note

If you delete the email clients rule, emails that are being processed by this rule will remain queued but will not be delivered.

We recommend following the steps below so that you do not lose the emails being processed by this rule:

  1. Before deleting this rule, clone it using the Clone above option and change the Action to Drop. This cloned rule will hold all the incoming emails.
  2. Go to Email > Mail spool and check if spool is empty.
  3. Once the spool is empty, delete both the firewall rules.

  1. Go to Firewall and select between IPv4 or IPv6, using the default filter.
  2. Now, click +Add firewall rule and select Business application rule.
  3. Specify the general rule details.
    Application template
    Select Email clients (POP & IMAP) to define an application filter policy for POP- and IMAP-based email clients.
    Description
    Specify the rule description.
    Rule position
    Specify the position of the rule.
    Available options:
    • Top
    • Bottom
    Rule group
    Specify the rule group to add the firewall rule to. You can also create a new rule group by using Create new from the list.
    If you select Automatic, the firewall rule will be added to an existing group based on first match with rule type and source-destination zones.
    Rule name
    Specify a name to identify the rule.
  4. Specify Source details.
    Zone
    Select the allowed source zone(s).
    Networks
    Select the allowed source network(s). A new network host can be created directly from this page or from the Hosts and services > IP host page.
  5. Specify Destination details.
    Zone
    Select the zone to which the rule applies.
    Networks
    Select the network(s) to be protected.
    A new network host can be created directly from this page or from the Hosts and services > IP host page.
  6. Specify Identity details.
    Match rule based on user identity
    Click to enable a rule based on the user identity.
    Show captive portal to unknown users
    Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can sign in to access the internet.
    Clear the check box to drop traffic from unknown users.
    User or groups (only available if Match rule based on user identity is enabled)
    Select the user(s) or group(s) from the list of available options.
    Exclude this user activity from data accounting (only available if Match rule based on user identity is enabled)
    Click to enable or disable the exclusion of this user traffic from data accounting.
    By default, a user's network traffic is counted in data accounting. Select this option to exclude the traffic allowed through this rule; it will not be counted towards the user's data transfer.
  7. Specify Malware scanning details.
    Scan IMAP/IMAPS/POP3/POP3S/SMTP/SMTPS
    Click to enable/disable scanning of IMAP/IMAPS/POP3/POP3S/SMTP/SMTPS traffic.
  8. Specify advanced settings.
    1. Specify Policies for business applications.
      Intrusion prevention
      Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from the Intrusion prevention > IPS policies page.
      Traffic shaping (not available if Match rule based on user identity is selected)
      Select a traffic shaping policy for the rule.
      A traffic shaping policy allocates & limits the maximum bandwidth usage of the user.
      A new traffic shaping policy can be created directly from this page or from the Profiles > Traffic shaping page.
    2. Specify Security Heartbeat settings (only available if IPv4 is selected).
      Minimum source HB permitted
      Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
      Block clients with no heartbeat
      Heartbeat-capable devices can be required to send information on their health status at defined intervals; this is called a heartbeat.
      Based on that information, you can restrict a source device's access to certain services and networks.
      Enable/disable the option to require that source devices send heartbeats.
      Minimum destination HB permitted (not available if the only Destination zone selected is WAN)
      Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No restriction. If the health criterion is not met, access and privileges defined in this policy will not be granted to the user.
      Note: You can use this option if you have selected multiple zones along with WAN.
      Block request to destination with no heartbeat (Not available if the only Destination zone selected is WAN)
      Heartbeat-capable devices can be required to send information on their health status at defined intervals; this is called a heartbeat.
      Based on that information, you can block requests to destinations that are not sending a heartbeat.
      Enable/disable the option to require that destination devices send heartbeats.
      Note: You can use this option if you have selected multiple zones along with WAN.
    3. Specify Routing details.
      Rewrite source address (Masquerading)
      Enable/disable rewriting of the source address, or specify a NAT policy.
      Use gateway-specific default NAT policy (only if Masquerading is selected)
      Select to override the default NAT policy with a gateway specific policy.
      Override default NAT policy for specific gateway (only if Use gateway-specific default NAT policy is selected)
      Select to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.
      Use outbound address (only available if Rewrite source address is enabled and Use gateway-specific default NAT policy is disabled)
      Select the NAT policy to be applied from the list of available NAT policies.
      A new NAT policy can be created directly from this page or from the Profiles > Network address translation page.
      The default NAT policy is Masquerade.
      MASQ (interface default IP)
      • IP address of the destination zone as configured in Network > Interfaces will be displayed instead of (interface default IP) when single Destination zone is selected.
      • (Interface default IP) will be displayed when multiple Destination zones are selected.
      Primary gateway
      Select the primary gateway to route the request. You can create a new gateway from this page itself or from Routing > Gateways.
      Note: On deletion of the gateway, Primary gateway will display WAN link load balance for the WAN destination zone and None for other zones. In such a case, the firewall rule will not make routing decisions.
      Backup gateway
      Select the backup gateway to route the request. You can create a new gateway from this page itself or from Routing > Gateways.
      Note: On deletion of the gateway, Backup gateway will display None.
  9. Specify the logging option for the user application traffic.
    Log firewall traffic
    Click to enable logging of permitted and denied traffic.