Add email filters for block allow lists
Two new email block/allow list filters have been added to match the recipient address (email-to) and subject (subject). The email address type (email) in previous FortiOS versions has been changed to email sender (email-from).
When upgrading, any email entries are converted to email-from.

    config emailfilter block-allow-list
        edit <id>
            set name <string>
            config entries
                edit <id>
                    set type {ip | email-to | email-from | subject}
                next
            end
        next
    end

The new filter types are currently not supported in flow inspection mode.
When downgrading from 7.2 to earlier versions, |
In this example, an email filter is configured with three block/allow list entries that use the new email-related entry types.
To configure block/allow list filters in the GUI:
- Go to Security Profiles > Email Filter and click Create New.
- Enter a Name and set the Feature set to Proxy-based.
- Enable Enable spam detection and filtering.
- In the Local Spam Filtering section, enable Block/Allow List.
- Create the recipient address filter:
  - Click Create New. The Create Anti-Spam Block/Allow List Entry pane opens.
  - Select the Recipient Address filter Type, enter a Pattern, and select Mark as Spam.
  - Click OK. The Recipient Address filter type has been added to the Block/Allow List.
- Create the sender address filter:
  - Click Create New.
  - Select the Sender Address filter Type, enter a Pattern, and select Mark as Spam.
  - Click OK. The Sender Address filter type has been added to the Block/Allow List.
- Create the subject filter:
  - Click Create New.
  - Select the Subject filter Type, enter a Pattern, and select Mark as Spam.
  - Click OK. The Subject filter type has been added to the Block/Allow List.
- Click OK.
- Configure the firewall policy:
  - Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.
  - Configure the other settings as needed.
  - Enable the Email Filter option and select the previously created profile.
  - Configure the other settings as needed.
  - Click OK.
To configure block/allow list filters in the CLI:
- Configure the block/allow list entries:

        config emailfilter block-allow-list
            edit 3
                set name "newBALtypes"
                config entries
                    edit 1
                        set type email-to
                        set pattern "testpc3"
                    next
                    edit 2
                        set type email-from
                        set pattern "admin"
                    next
                    edit 3
                        set type subject
                        set pattern "loto"
                    next
                end
            next
        end

- Configure the email filter profile:

        config emailfilter profile
            edit "newBALtypes"
                set feature-set proxy
                set spam-filtering enable
                set options spambal
                config imap
                    set action tag
                end
                config pop3
                    set action tag
                end
                config smtp
                    set action discard
                end
                set spam-bal-table 3
            next
        end

- Use the email filter profile in a firewall policy:

        config firewall policy
            edit 1
                set utm-status enable
                set inspection-mode proxy
                set emailfilter-profile "newBALtypes"
                set nat enable
            next
        end

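
Because the new filter types are not supported in flow inspection mode, a configuration backup can be checked for email filter profiles that reference a block/allow list with email-to or subject entries while their feature set is not proxy. The following Python sketch is an added example, not Fortinet code; the profile name `legacyFlow` is hypothetical, and a profile without an explicit `set feature-set proxy` line is assumed to be non-proxy.

```python
import shlex

NEW_TYPES = {"email-to", "subject"}  # entry types this page says need proxy mode
# Constructed excerpt: profile "legacyFlow" is hypothetical, the rest follows the page.
SAMPLE_CONFIG = '''
config emailfilter block-allow-list
    edit 3
        config entries
            edit 1
                set type email-to
            next
            edit 3
                set type subject
            next
        end
    next
end
config emailfilter profile
    edit "newBALtypes"
        set feature-set proxy
        set spam-bal-table 3
    next
    edit "legacyFlow"
        set feature-set flow
        set spam-bal-table 3
    next
end
'''

def flow_mode_conflicts(config_text):
    """Return (profile, table id, types) for non-proxy profiles using new types."""
    stack, tables, profiles = [], {}, {}
    for raw in config_text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))   # enter a section or an entry
        elif tok[0] in ("next", "end") and stack:
            stack.pop()                       # leave the entry or the section
        elif tok[0] == "set" and len(tok) >= 3:
            if stack[:1] == ["emailfilter block-allow-list"] and len(stack) == 4 and tok[1] == "type":
                tables.setdefault(stack[1], set()).add(tok[2])
            elif stack[:1] == ["emailfilter profile"] and len(stack) == 2:
                profiles.setdefault(stack[1], {})[tok[1]] = tok[2]
    out = []
    for name, p in profiles.items():
        used = tables.get(p.get("spam-bal-table"), set()) & NEW_TYPES
        if used and p.get("feature-set") != "proxy":
            out.append((name, p["spam-bal-table"], sorted(used)))
    return out
```

On the constructed excerpt, only `legacyFlow` is reported; `newBALtypes` uses the same table but is proxy-based.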
When an email is detected as spam for one of the defined filter types, the FortiGate will reply to the SMTP message with a 554 5.7.1 code and insert the following replacement messages:
| Filter type | Message |
|---|---|
| Blocked for email-to | This message has been blocked because mail to this email address is not allowed. |
| Blocked for email-from | This message has been blocked because mail from this email address is not allowed. |
| Blocked for subject | This message has been blocked because the subject contains a banned phrase. |
To view the generated UTM logs in the GUI, go to Log & Report > Security Events and click the Anti-Spam card.
To view and filter the UTM logs in the CLI:
# execute log filter category 5
# execute log display
1: date=2022-02-17 time=19:38:13 eventtime=1645155493096591226 tz="-0800" logid="0513020480" type="utm" subtype="emailfilter" eventtype="spam" level="notice" vd="vdom1" policyid=1 poluuid="ed18d1fe-8f60-51ec-c782-68322b3bfbe1" policytype="policy" sessionid=26031 srcip=10.1.100.22 srcport=32952 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" proto=6 service="SMTP" profile="newBALtypes" action="blocked" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" direction="outgoing" msg="subject is in email blocklist.(no.3 pattern matched)" subject="loto" size="230" attachment="no"
2: date=2022-02-17 time=19:37:10 eventtime=1645155430137897870 tz="-0800" logid="0513020480" type="utm" subtype="emailfilter" eventtype="spam" level="notice" vd="vdom1" policyid=1 poluuid="ed18d1fe-8f60-51ec-c782-68322b3bfbe1" policytype="policy" sessionid=25908 srcip=10.1.100.22 srcport=32948 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" proto=6 service="SMTP" profile="newBALtypes" action="blocked" from="testpc3@qa.fortinet.com" direction="outgoing" msg="from email address is in email blocklist.(no.2 pattern matched)" size="0"
3: date=2022-02-17 time=19:28:20 eventtime=1645154899989684584 tz="-0800" logid="0513020480" type="utm" subtype="emailfilter" eventtype="spam" level="notice" vd="vdom1" policyid=1 poluuid="ed18d1fe-8f60-51ec-c782-68322b3bfbe1" policytype="policy" sessionid=25008 srcip=10.1.100.22 srcport=32940 srccountry="Reserved" srcintf="port21" srcintfrole="undefined" srcuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17" dstintfrole="undefined" dstuuid="cc019bd6-8f60-51ec-323a-03b14a3c17bf" proto=6 service="SMTP" profile="newBALtypes" action="blocked" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" direction="outgoing" msg="to email address is in email blocklist.(no.1 pattern matched)" size="0"
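
The log lines above can be summarized per block/allow list entry by parsing the key=value fields and the `msg` text. This Python example is added here and is not part of the original page; its sample lines are constructed and shortened from the logs above, and the `msg` pattern assumes the wording seen in those three samples.

```python
import re
from collections import Counter

# Constructed sample lines, shortened from the log format shown on this page.
# The last subject is constructed free text containing a space and an "=".
_BASE = ('date=2022-02-17 type="utm" subtype="emailfilter" eventtype="spam" '
         'profile="newBALtypes" action="blocked" ')
SAMPLE_LOGS = [
    _BASE + 'msg="subject is in email blocklist.(no.3 pattern matched)" subject="loto"',
    _BASE + 'msg="from email address is in email blocklist.(no.2 pattern matched)"',
    _BASE + 'msg="to email address is in email blocklist.(no.1 pattern matched)"',
    _BASE + 'msg="subject is in email blocklist.(no.3 pattern matched)" '
            'subject="loto jackpot=1000000"',
]

# A quoted value is consumed whole, so text inside it is never read as a new key.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# msg wording as it appears in the three log samples on this page.
MSG_RE = re.compile(r'(subject|from email address|to email address) is in email '
                    r'blocklist\.\(no\.(\d+) pattern matched\)')
ENTRY_TYPE = {"subject": "subject", "from email address": "email-from",
              "to email address": "email-to"}

def parse_line(line):
    """Split one FortiOS key=value log line into a dict."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in KV_RE.finditer(line)}

def blocklist_hit(rec):
    """Return (entry type, entry id) for a block/allow list hit, else None."""
    if rec.get("subtype") != "emailfilter" or rec.get("eventtype") != "spam":
        return None
    m = MSG_RE.fullmatch(rec.get("msg", ""))
    return (ENTRY_TYPE[m[1]], int(m[2])) if m else None

def summarize(lines):
    """Count hits per (profile, entry type, entry id)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        hit = blocklist_hit(rec)
        if hit:
            hits[(rec.get("profile"), *hit)] += 1
    return hits
```

The entry id in each key corresponds to the `edit <id>` number under `config entries`, so a noisy or overly broad pattern can be traced back to its configuration line.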