Add email filters for block allow lists


Two new email block/allow list filters have been added to match the recipient address (email-to) and subject (subject). The email address type (email) in previous FortiOS versions has been changed to email sender (email-from).

When upgrading, any email entries are converted to email-from.

config emailfilter block-allow-list
    edit <id>
        set name <string>
        config entries
            edit <id>
                set type {ip | email-to | email-from | subject}
            next
        end
    next
end

The new filter types are currently not supported in flow inspection mode.

Caution

When downgrading from 7.2 to earlier versions, email-from, email-to, and subject entries could be lost.

In this example, an email filter is configured with three block/allow list entries that use the new email-related entry types.

To configure block/allow list filters in the GUI:
  1. Go to Security Profiles > Email Filter and click Create New.

  2. Enter a Name and set the Feature set to Proxy-based.

  3. Enable the "Enable spam detection and filtering" option.

  4. In the Local Spam Filtering section, enable Block/Allow List.

  5. Create the recipient address filter:

    1. Click Create New. The Create Anti-Spam Block/Allow List Entry pane opens.

    2. Select the Recipient Address filter Type, enter a Pattern, and select Mark as Spam.

    3. Click OK. The Recipient Address filter type has been added to the Block/Allow List.

  6. Create the sender address filter:

    1. Click Create New.

    2. Select the Sender Address filter Type, enter a Pattern, and select Mark as Spam.

    3. Click OK. The Sender Address filter type has been added to the Block/Allow List.

  7. Create the subject filter:

    1. Click Create New.

    2. Select the Subject filter Type, enter a Pattern, and select Mark as Spam.

    3. Click OK. The Subject filter type has been added to the Block/Allow List.

  8. Click OK.

  9. Configure the firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

    2. Configure the other settings as needed.

    3. Enable the Email Filter option and select the previously created profile.

    4. Configure the other settings as needed.
    5. Click OK.

To configure block/allow list filters in the CLI:
  1. Configure the block/allow list entries:

    config emailfilter block-allow-list
        edit 3
            set name "newBALtypes"
            config entries
                edit 1
                    set type email-to
                    set pattern "testpc3"
                next
                edit 2
                    set type email-from
                    set pattern "admin"
                next
                edit 3
                    set type subject
                    set pattern "loto"
                next
            end
        next
    end
  2. Configure the email filter profile:

    config emailfilter profile
        edit "newBALtypes"
            set feature-set proxy
            set spam-filtering enable
            set options spambal
            config imap
                set action tag
            end
            config pop3
                set action tag
            end
            config smtp
                set action discard
            end
            set spam-bal-table 3
        next
    end
  3. Use the email filter profile in a firewall policy:

    config firewall policy
        edit 1
            set utm-status enable
            set inspection-mode proxy
            set emailfilter-profile "newBALtypes"
            set nat enable
        next
    end

When an email is detected as spam for one of the defined filter types, the FortiGate will reply to the SMTP message with a 554 5.7.1 code and insert the following replacement messages:

| Filter type | Message |
| --- | --- |
| Blocked for email-to | This message has been blocked because mail to this email address is not allowed. |
| Blocked for email-from | This message has been blocked because mail from this email address is not allowed. |
| Blocked for subject | This message has been blocked because the subject contains a banned phrase. |

To view the generated UTM logs in the GUI, go to Log & Report > Security Events and click the Anti-Spam card.

To view and filter the UTM logs in the CLI:
# execute log filter category 5
# execute log display
1: date=2022-02-17 time=19:38:13 eventtime=1645155493096591226 tz="-0800" logid="0513020480" type="utm" subtype="emailfilter" eventtype="spam" level="notice" vd="vdom1" policyid=1 poluuid="ed18d1fe-8f60-51ec-c782-68322b3bfbe1" policytype="policy" sessionid=26031 srcip=10.1.100.22 srcport=32952 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" proto=6 service="SMTP" profile="newBALtypes" action="blocked" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" direction="outgoing" msg="subject is in email blocklist.(no.3 pattern matched)" subject="loto" size="230" attachment="no"
2: date=2022-02-17 time=19:37:10 eventtime=1645155430137897870 tz="-0800" logid="0513020480" type="utm" subtype="emailfilter" eventtype="spam" level="notice" vd="vdom1" policyid=1 poluuid="ed18d1fe-8f60-51ec-c782-68322b3bfbe1" policytype="policy" sessionid=25908 srcip=10.1.100.22 srcport=32948 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" proto=6 service="SMTP" profile="newBALtypes" action="blocked" from="testpc3@qa.fortinet.com" direction="outgoing" msg="from email address is in email blocklist.(no.2 pattern matched)" size="0"
3: date=2022-02-17 time=19:28:20 eventtime=1645154899989684584 tz="-0800" logid="0513020480" type="utm" subtype="emailfilter" eventtype="spam" level="notice" vd="vdom1" policyid=1 poluuid="ed18d1fe-8f60-51ec-c782-68322b3bfbe1" policytype="policy" sessionid=25008 srcip=10.1.100.22 srcport=32940 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" proto=6 service="SMTP" profile="newBALtypes" action="blocked" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" direction="outgoing" msg="to email address is in email blocklist.(no.1 pattern matched)" size="0"
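
The msg field in the logs above names the matched filter type and the entry number (no.N) in the block/allow list. The following Python is an added example, not part of the Fortinet documentation: it parses such lines and counts hits per list entry. The function names are hypothetical, the sample lines are trimmed copies of the logs above plus one constructed non-matching line, and quoted values are assumed to contain no embedded double quotes.

```python
import re
from collections import Counter

# Trimmed copies of the three log lines above, plus one constructed non-matching line.
SAMPLE_LOGS = [
    '1: date=2022-02-17 time=19:38:13 type="utm" subtype="emailfilter" policyid=1 '
    'profile="newBALtypes" action="blocked" from="testpc3@qa.fortinet.com" '
    'msg="subject is in email blocklist.(no.3 pattern matched)" subject="loto" size="230"',
    '2: date=2022-02-17 time=19:37:10 type="utm" subtype="emailfilter" policyid=1 '
    'profile="newBALtypes" action="blocked" from="testpc3@qa.fortinet.com" '
    'msg="from email address is in email blocklist.(no.2 pattern matched)" size="0"',
    '3: date=2022-02-17 time=19:28:20 type="utm" subtype="emailfilter" policyid=1 '
    'profile="newBALtypes" action="blocked" to="testpc3@qa.fortinet.com" '
    'msg="to email address is in email blocklist.(no.1 pattern matched)" size="0"',
    '4: date=2022-02-17 time=19:20:00 type="traffic" subtype="forward" action="accept"',
]

# key=value pairs: values are double-quoted or bare tokens.
# Assumption: quoted values contain no embedded double quotes.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# msg wording as it appears in the logs above; the number is the entry id in the list.
MSG_RE = re.compile(r'^(subject|from email address|to email address) '
                    r'is in email blocklist\.\(no\.(\d+) pattern matched\)$')
ENTRY_TYPE = {"subject": "subject", "from email address": "email-from",
              "to email address": "email-to"}

def parse_line(line):
    """Return the key=value fields of one log line as a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def blocklist_hit(line):
    """Return (profile, entry_type, entry_id) for a block/allow list hit, else None."""
    fields = parse_line(line)
    if fields.get("subtype") != "emailfilter" or fields.get("action") != "blocked":
        return None
    m = MSG_RE.match(fields.get("msg", ""))
    if m is None:
        return None
    return fields.get("profile"), ENTRY_TYPE[m.group(1)], int(m.group(2))

def tally_hits(lines):
    """Count hits per (profile, entry type, entry id) across many log lines."""
    return Counter(hit for hit in map(blocklist_hit, lines) if hit is not None)

if __name__ == "__main__":
    for (profile, etype, eid), n in sorted(tally_hits(SAMPLE_LOGS).items()):
        print(f"{profile}: entry {eid} ({etype}) matched {n} time(s)")
```

The entry id in each result corresponds to the `edit <id>` number under `config entries` in the block/allow list that the profile references.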
