Fortinet black logo

Administration Guide

Local-based filters

Local-based filters

You can make block/allowlists from emails or IP subnets to forbid or allow them to send or receive emails. With the spamhelodns (HELO DNS Lookup) and spamraddrdns (Return Email DNS Check) options, the FortiGate performs a standard DNS check on the machine name used in the HELO SMTP message, and/or the return to field to determine if these names belong to a registered domain. The FortiGate does not check the FortiGuard service during these operations.

You can also define a list of banned words. Emails that contain any of these banned words are considered spam.

Note

Banned words can only be configured in the CLI.

Tooltip

By default, HELO/DNS and Return-to/DNS checls are done before the block/allow list check. In some situations, such as when configuring a block/allow list to clear an email from performing further filtering, use the following command to give precedence to the block/allow list:

config emailfilter profile
    edit <filter>
        config smtp
            set local-override enable
        next
    end
end
To configure a local-based email filter in the GUI:
  1. Configure the email filter profile:
    1. Go to Security Profiles > Email Filter and click Create New, or edit an existing profile.
    2. Select a Feature set and enable Enable spam detection and filtering.
    3. In the Local Spam Filtering section, enable the desired filters (HELO DNS Lookup, Return Email DNS Check, Block/Allow List).
    4. If Block/Allow List is enabled, click Create New. The Create Anti-Spam Block/Allow List Entry pane opens.

    5. Select a Type, enter a Pattern, and select and Action.

    6. Click OK to save the block/allow list.

    7. Click OK save the email filter profile.
  2. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.
    2. Set the inspection-mode to Proxy-based.
    3. Enable the Email Filter option and select the previously created profile.

    4. Set SSL Inspection to a profile that has deep SSL inspection enabled.

      Deep inspection is required if you intend to filter SMTP, POP3, IMAP, or any SSL/TLS encapsulated protocol.

    5. Configure the other settings as needed.
    6. Click OK.
To configure a local-based email filter in the CLI:
  1. Configure a block/allow list:
    config emailfilter block-allow-list
        edit 1
            set name "myBAL"
            config entries
                edit 1
                    set status enable
                    set type ip
                    set action spam
                    set addr-type ipv4
                    set ip4-subnet 10.1.100.0 255.255.255.0
                next
            end
        next
    end
  2. Configure an email filter profile:
    config emailfilter profile                                             
        edit "myLocalEmailFilter"
            set spam-filtering enable
            set options spambal spamhelodns spamraddrdns
            config smtp
                set action tag
            end
            set spam-bal-table 1
        next
    end
  3. Use the profile in a firewall policy:
    config firewall policy
        edit 1
            .....
            set inspection-mode proxy                                     	
            set emailfilter-profile "myLocalEmailFilter"                 	
        next
    end
To configure banned words:
  1. Configure a banned words list:
    config emailfilter bword
        edit 1
            set name "banned"
            config entries
                edit 1
                    set pattern <string>
                next
            end
        next
    end
    
  2. Configure an email filter profile:
    config emailfilter profile
        edit "myBannedWordsProfile"
            set spam-filtering enable
            set options bannedword
            set spam-bword-table 1
        next
    end
  3. Use the profile in a firewall policy:
    config firewall policy
        edit 1
            .....
            set inspection-mode proxy                                     	
            set emailfilter-profile "myBannedWordsProfile"                 	
        next
    end

Local-based filters

You can make block/allowlists from emails or IP subnets to forbid or allow them to send or receive emails. With the spamhelodns (HELO DNS Lookup) and spamraddrdns (Return Email DNS Check) options, the FortiGate performs a standard DNS check on the machine name used in the HELO SMTP message, and/or the return to field to determine if these names belong to a registered domain. The FortiGate does not check the FortiGuard service during these operations.

You can also define a list of banned words. Emails that contain any of these banned words are considered spam.

Note

Banned words can only be configured in the CLI.

Tooltip

By default, HELO/DNS and Return-to/DNS checls are done before the block/allow list check. In some situations, such as when configuring a block/allow list to clear an email from performing further filtering, use the following command to give precedence to the block/allow list:

config emailfilter profile
    edit <filter>
        config smtp
            set local-override enable
        next
    end
end
To configure a local-based email filter in the GUI:
  1. Configure the email filter profile:
    1. Go to Security Profiles > Email Filter and click Create New, or edit an existing profile.
    2. Select a Feature set and enable Enable spam detection and filtering.
    3. In the Local Spam Filtering section, enable the desired filters (HELO DNS Lookup, Return Email DNS Check, Block/Allow List).
    4. If Block/Allow List is enabled, click Create New. The Create Anti-Spam Block/Allow List Entry pane opens.

    5. Select a Type, enter a Pattern, and select and Action.

    6. Click OK to save the block/allow list.

    7. Click OK save the email filter profile.
  2. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.
    2. Set the inspection-mode to Proxy-based.
    3. Enable the Email Filter option and select the previously created profile.

    4. Set SSL Inspection to a profile that has deep SSL inspection enabled.

      Deep inspection is required if you intend to filter SMTP, POP3, IMAP, or any SSL/TLS encapsulated protocol.

    5. Configure the other settings as needed.
    6. Click OK.
To configure a local-based email filter in the CLI:
  1. Configure a block/allow list:
    config emailfilter block-allow-list
        edit 1
            set name "myBAL"
            config entries
                edit 1
                    set status enable
                    set type ip
                    set action spam
                    set addr-type ipv4
                    set ip4-subnet 10.1.100.0 255.255.255.0
                next
            end
        next
    end
  2. Configure an email filter profile:
    config emailfilter profile                                             
        edit "myLocalEmailFilter"
            set spam-filtering enable
            set options spambal spamhelodns spamraddrdns
            config smtp
                set action tag
            end
            set spam-bal-table 1
        next
    end
  3. Use the profile in a firewall policy:
    config firewall policy
        edit 1
            .....
            set inspection-mode proxy                                     	
            set emailfilter-profile "myLocalEmailFilter"                 	
        next
    end
To configure banned words:
  1. Configure a banned words list:
    config emailfilter bword
        edit 1
            set name "banned"
            config entries
                edit 1
                    set pattern <string>
                next
            end
        next
    end
    
  2. Configure an email filter profile:
    config emailfilter profile
        edit "myBannedWordsProfile"
            set spam-filtering enable
            set options bannedword
            set spam-bword-table 1
        next
    end
  3. Use the profile in a firewall policy:
    config firewall policy
        edit 1
            .....
            set inspection-mode proxy                                     	
            set emailfilter-profile "myBannedWordsProfile"                 	
        next
    end