Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

policy access-control receive

Use this command to configure access control rules that apply to SMTP sessions being received by the FortiMail unit.

Access control rules, sometimes also called the access control list or ACL, specify whether the FortiMail unit will process and relay/proxy, reject, or discard email messages for SMTP sessions that are initiated by SMTP clients.

When an SMTP client attempts to deliver email through the FortiMail unit, the FortiMail unit compares each access control rule to the commands used by the SMTP client during the SMTP session, such as the envelope’s sender email address (MAIL FROM:), recipient email address (RCPT TO:), authentication (AUTH), and TLS (STARTTLS). Rules are evaluated for a match in the order of their list sequence, from top to bottom. If all the attributes of a rule match, the FortiMail unit applies the action selected in the matching rule to the SMTP session, and no subsequent access control rules are applied.

Only one access control rule is ever applied to any given SMTP session.

If no access control rules are configured, or no matching access control rules exist, and if the SMTP client is not configured to authenticate, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain.

For protected domains, the default action is RELAY.

For unprotected domains, the default action is REJECT.

Without any configured access control rules, the FortiMail unit’s access control prevents SMTP clients from using your protected server or FortiMail unit as an open relay: senders can deliver email incoming to protected domains, but cannot deliver email outgoing to unprotected domains.

If you want to allow SMTP clients such as your email users or email servers to send email to unprotected domains, you must configure at least one access control rule.

You may need to configure additional access control rules if, for example, you want to:

  • discard or reject email from or to some email addresses, such as email addresses that no longer exist in your protected domain
  • discard or reject email from some SMTP clients, such as a spammer that is not yet known to blocklists

Like IP-based policies, access control rules can reject connections based upon IP address.

Unlike IP-based policies, however, access control rules cannot affect email in ways that occur after the session’s DATA command, such as by applying antispam profiles. Access control rules also cannot be overruled by recipient-based policies, and cannot match connections based upon the IP address of the SMTP server (by the nature of how the ACL controls access to or through the FortiMail unit, the SMTP server is always the FortiMail unit itself, unless the FortiMail unit is operating in transparent mode). For more information on IP-based policies, see the FortiMail Administration Guide.

Syntax

config policy access-control receive

edit <rule_id>

set action {bypass | discard | reject | relay}

set authenticated {any | authenticated | not-authenticated}

set comment <string>

set recipient-pattern <pattern_str>

set recipient-pattern-ldap-groupname <string>

set recipient-pattern-ldap-profile <profile-name>

set recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp}

set recipient-pattern-regexp {yes | no}

set recipient-pattern-group <group_name>

set reverse-dns-pattern <pattern_str>

set reverse-dns-pattern-regexp {yes | no}

set sender-ip-group <ip_group_name>

set sender-ip-mask <ip&netmask_str>

set sender-ip-type {ip-group | ip-mask}

set sender-pattern <pattern_str>

set sender-pattern-type {default | group | regexp}

set sender-pattern-group <group_name>

set sender-pattern-regexp {yes | no}

set status {enable | disable}

set tls-profile <profile_str>

end

Variable

Description

Default

<rule_id>

Enter the number identifying the rule.

 

action {bypass | discard | reject | relay}

Enter the action the FortiMail unit will perform for SMTP sessions matching this access control rule:

  • bypass: Relay or proxy and deliver the email, but, if the sender or recipient belongs to a protected domain, bypass all antispam profile processing. Antivirus, content and other scans will still occur.
  • discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
  • reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
  • relay: Relay or proxy, process, and deliver the email normally if it passes all configured scans.

relay (for protected domains)

reject (for unprotected domains)

authenticated {any | authenticated | not-authenticated}

Enter a value to indicate whether this rule applies only to messages delivered by clients that have authenticated with the FortiMail unit:

  • any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.
  • authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.
  • not-authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.

any

comment <string>

Enter any comments for access control rules for receiving email.

 

recipient-pattern <pattern_str>

Enter a pattern that defines recipient email addresses which match this rule, surrounded in slashes and single quotes (such as \'*\' ).

*

recipient-pattern-ldap-groupname <string>

Enter the LDAP group name to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp} is ldap.

 

recipient-pattern-ldap-profile <profile-name>

Enter the LDAP profile name to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp} is ldap or ldap-query.

 

recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp}

Enter the pattern type:

default

recipient-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp} is regexp.

no

recipient-pattern-group <group_name>

Enter the group name to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp} is group.

 

reverse-dns-pattern <pattern_str>

Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message.

Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail does a DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected with SMTP reply code 550 (Relaying denied).

Wildcard characters allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters; a question mark (?) represents any single character.

For example, the recipient pattern mail*.com will match messages delivered by an SMTP server whose domain name starts with “mail" and ends with “.com".

Note: Reverse DNS queries for access control rules require that the domain name be a valid top level domain (TLD). For example, “.lab" is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.

*

reverse-dns-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the reverse DNS pattern.

no

sender-ip-group <ip_group_name>

Enter the IP group of the SMTP client attempting to deliver the email message.

This option only appears if you enter ip-group in sender-ip-type {ip-group | ip-mask}.

 

sender-ip-mask <ip&netmask_str>

Enter the IP address and netmask of the SMTP client attempting to deliver the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet.

For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

To match any address, enter 0.0.0.0/0.

0.0.0.0/0

sender-ip-type {ip-group | ip-mask}

Select the method of the SMTP client attempting to deliver the email message. Also configure sender-ip-mask <ip&netmask_str> and sender-ip-group <ip_group_name>.

ip-mask

sender-pattern <pattern_str>

Enter a pattern that defines sender email addresses which match this rule, surrounded in slashes and single quotes (such as \'*\' ).

This option is only available if you enter default in sender-pattern-type {default | group | regexp}.

*

sender-pattern-type {default | group | regexp}

Enter the pattern type.

default: This is the user defined pattern. Also configure sender-pattern <pattern_str>.

group: If you enter this option, configure sender-pattern-group <group_name>.

regexp: If you enter this option, configure sender-pattern-regexp {yes | no}.

default

sender-pattern-group <group_name>

Enter the group name to match any email address in the group.
This option is only available if you enter group in sender-pattern-type {default | group | regexp}.

 

sender-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the sender pattern.

This option is only available if you enter regexp in sender-pattern-type {default | group | regexp}.

no

status {enable | disable}

Enter enable to activate this rule.

enable

tls-profile <profile_str>

Enter a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

If the attributes match, the access control action is executed.

If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

For more information on TLS profiles, see the FortiMail Administration Guide.

 

Related topics

policy access-control delivery

config policy delivery-control

policy recipient

policy access-control receive

Use this command to configure access control rules that apply to SMTP sessions being received by the FortiMail unit.

Access control rules, sometimes also called the access control list or ACL, specify whether the FortiMail unit will process and relay/proxy, reject, or discard email messages for SMTP sessions that are initiated by SMTP clients.

When an SMTP client attempts to deliver email through the FortiMail unit, the FortiMail unit compares each access control rule to the commands used by the SMTP client during the SMTP session, such as the envelope’s sender email address (MAIL FROM:), recipient email address (RCPT TO:), authentication (AUTH), and TLS (STARTTLS). Rules are evaluated for a match in the order of their list sequence, from top to bottom. If all the attributes of a rule match, the FortiMail unit applies the action selected in the matching rule to the SMTP session, and no subsequent access control rules are applied.

Only one access control rule is ever applied to any given SMTP session.

If no access control rules are configured, or no matching access control rules exist, and if the SMTP client is not configured to authenticate, the FortiMail unit will perform the default action, which varies by whether or not the recipient email address in the envelope (RCPT TO:) is a member of a protected domain.

For protected domains, the default action is RELAY.

For unprotected domains, the default action is REJECT.

Without any configured access control rules, the FortiMail unit’s access control prevents SMTP clients from using your protected server or FortiMail unit as an open relay: senders can deliver email incoming to protected domains, but cannot deliver email outgoing to unprotected domains.

If you want to allow SMTP clients such as your email users or email servers to send email to unprotected domains, you must configure at least one access control rule.

You may need to configure additional access control rules if, for example, you want to:

  • discard or reject email from or to some email addresses, such as email addresses that no longer exist in your protected domain
  • discard or reject email from some SMTP clients, such as a spammer that is not yet known to blocklists

Like IP-based policies, access control rules can reject connections based upon IP address.

Unlike IP-based policies, however, access control rules cannot affect email in ways that occur after the session’s DATA command, such as by applying antispam profiles. Access control rules also cannot be overruled by recipient-based policies, and cannot match connections based upon the IP address of the SMTP server (by the nature of how the ACL controls access to or through the FortiMail unit, the SMTP server is always the FortiMail unit itself, unless the FortiMail unit is operating in transparent mode). For more information on IP-based policies, see the FortiMail Administration Guide.

Syntax

config policy access-control receive

edit <rule_id>

set action {bypass | discard | reject | relay}

set authenticated {any | authenticated | not-authenticated}

set comment <string>

set recipient-pattern <pattern_str>

set recipient-pattern-ldap-groupname <string>

set recipient-pattern-ldap-profile <profile-name>

set recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp}

set recipient-pattern-regexp {yes | no}

set recipient-pattern-group <group_name>

set reverse-dns-pattern <pattern_str>

set reverse-dns-pattern-regexp {yes | no}

set sender-ip-group <ip_group_name>

set sender-ip-mask <ip&netmask_str>

set sender-ip-type {ip-group | ip-mask}

set sender-pattern <pattern_str>

set sender-pattern-type {default | group | regexp}

set sender-pattern-group <group_name>

set sender-pattern-regexp {yes | no}

set status {enable | disable}

set tls-profile <profile_str>

end

Variable

Description

Default

<rule_id>

Enter the number identifying the rule.

 

action {bypass | discard | reject | relay}

Enter the action the FortiMail unit will perform for SMTP sessions matching this access control rule:

  • bypass: Relay or proxy and deliver the email, but, if the sender or recipient belongs to a protected domain, bypass all antispam profile processing. Antivirus, content and other scans will still occur.
  • discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
  • reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
  • relay: Relay or proxy, process, and deliver the email normally if it passes all configured scans.

relay (for protected domains)

reject (for unprotected domains)

authenticated {any | authenticated | not-authenticated}

Enter a value to indicate whether this rule applies only to messages delivered by clients that have authenticated with the FortiMail unit:

  • any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.
  • authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.
  • not-authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.

any

comment <string>

Enter any comments for access control rules for receiving email.

 

recipient-pattern <pattern_str>

Enter a pattern that defines recipient email addresses which match this rule, surrounded in slashes and single quotes (such as \'*\' ).

*

recipient-pattern-ldap-groupname <string>

Enter the LDAP group name to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp} is ldap.

 

recipient-pattern-ldap-profile <profile-name>

Enter the LDAP profile name to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp} is ldap or ldap-query.

 

recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp}

Enter the pattern type:

default

recipient-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp} is regexp.

no

recipient-pattern-group <group_name>

Enter the group name to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | external | group | | internal | ldap | ldap-query | regexp} is group.

 

reverse-dns-pattern <pattern_str>

Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message.

Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail does a DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected with SMTP reply code 550 (Relaying denied).

Wildcard characters allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters; a question mark (?) represents any single character.

For example, the recipient pattern mail*.com will match messages delivered by an SMTP server whose domain name starts with “mail" and ends with “.com".

Note: Reverse DNS queries for access control rules require that the domain name be a valid top level domain (TLD). For example, “.lab" is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.

*

reverse-dns-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the reverse DNS pattern.

no

sender-ip-group <ip_group_name>

Enter the IP group of the SMTP client attempting to deliver the email message.

This option only appears if you enter ip-group in sender-ip-type {ip-group | ip-mask}.

 

sender-ip-mask <ip&netmask_str>

Enter the IP address and netmask of the SMTP client attempting to deliver the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet.

For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

To match any address, enter 0.0.0.0/0.

0.0.0.0/0

sender-ip-type {ip-group | ip-mask}

Select the method of the SMTP client attempting to deliver the email message. Also configure sender-ip-mask <ip&netmask_str> and sender-ip-group <ip_group_name>.

ip-mask

sender-pattern <pattern_str>

Enter a pattern that defines sender email addresses which match this rule, surrounded in slashes and single quotes (such as \'*\' ).

This option is only available if you enter default in sender-pattern-type {default | group | regexp}.

*

sender-pattern-type {default | group | regexp}

Enter the pattern type.

default: This is the user defined pattern. Also configure sender-pattern <pattern_str>.

group: If you enter this option, configure sender-pattern-group <group_name>.

regexp: If you enter this option, configure sender-pattern-regexp {yes | no}.

default

sender-pattern-group <group_name>

Enter the group name to match any email address in the group.
This option is only available if you enter group in sender-pattern-type {default | group | regexp}.

 

sender-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the sender pattern.

This option is only available if you enter regexp in sender-pattern-type {default | group | regexp}.

no

status {enable | disable}

Enter enable to activate this rule.

enable

tls-profile <profile_str>

Enter a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

If the attributes match, the access control action is executed.

If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

For more information on TLS profiles, see the FortiMail Administration Guide.

 

Related topics

policy access-control delivery

config policy delivery-control

policy recipient