Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

system mailserver

Use this command to configure the system-wide mail settings.

Syntax

config system mailserver

config mail-queue

edit {default | incoming | outgoing}

set queue-dsn-timeout <timeout_int>

set queue-retry <interval_int>

set queue-timeout <timeout_int>

set queue-warning <first-dsn_int>

end

set deadmail-expiry <time_int>

set default-auth-domain <domain_name>

set defer-delivery-starttime <time_str>

set defer-delivery-stoptime <time_str>

set delivery-esmtp {no | yes}

set delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}

set delivery-failure-handling-option {normal | relay-to-host}

set delivery-failure-host <host_name>

set delivery-failure-min-age <minute_int>

set dsn-sender-address <email_str>

set dsn-sender-displayname <name_str>

set dsn-status {enable | disable}

set imap-service {enable | disable}

set ldap-domaincheck {enable | disable}

set ldap-domaincheck-auto-associate {enable | disable}

set ldap-domaincheck-internal-domain <domain_str>

set ldap-domaincheck-profile <profile_str>

set local-domain-name <local-domain_str>

set pop3-port <port_int>

set pop3-service {enable | disable}

set queue-dsn-timeout <timeout_int>

set queue-retry <interval_int>

set queue-timeout <timeout_int>

set queue-warning <first-dsn_int>

set relay-server-name <relay_name>

set relay-server-status {enable |disable}

set show-accept-cert-ca {enable | disable}

set smtp-auth {enable | disable}

set smtp-auth-over-tls {enable | disable}

set smtp-auth-smtps {enable | disable}

set smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}

set smtp-delivery-session-preference {domain | host}

set smtp-max-connections <connection_int>

set smtp-max-hop-count <number>

set smtp-msa {enable | disable}

set smtp-msa-port <port_int>

set smtp-port <port_int>

set smtp-service {enable | disable}

set smtps-port <port_int

set smtps-tls-status {enable | disable}

set timeout-connect <seconds_int>

set timeout-greeting <seconds_int>

end

Variable

Description

Default

deadmail-expiry <time_int>

Enter the number of days to keep permanently undeliverable email in the dead mail folder. Dead mail has both incorrect recipient and sender email addresses, and can neither be delivered nor the sender notified.

The valid range is from 1 to 365 days.

1

default-auth-domain <domain_name>

Enter the domain to use for default authentication.

 

{default | incoming | outgoing}

Select the queue you want to configure.

default

defer-delivery-starttime <time_str>

Enter the time that the FortiMail unit will begin to process deferred oversized email, using the format hh:mm, where hh is the hour according to a 24-hour clock, and mm is the minutes.

00:00

defer-delivery-stoptime <time_str>

Enter the time that the FortiMail unit will stop processing deferred oversized email, using the format hh:mm, where hh is the hour according to a 24-hour clock, and mm is the minutes.

00:00

delivery-esmtp {no | yes}

Enter either:

yes: Disable the FortiMail unit from delivering email using ESMTP, and use standard SMTP instead.

no: Enable the FortiMail unit to deliver email using ESMTP if the SMTP server to which it is connecting supports the protocol.

no

delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}

Specify the type of failed network connections the backup relay should take over and retry.

 

delivery-failure-handling-option {normal | relay-to-host}

When email delivery fails, you can choose to use the mail queue settings to handle the temporary or permanent failures. You can also try another relay that you know might work.

normal: Enter this option if you want to queue the email and use the mail queue settings.

relay-to-host: Enter another relay (backup relay) that you want to use for failed deliveries.

normal

delivery-failure-host <host_name>

Enter a host to relay email when access to original mail host fails.

 

delivery-failure-min-age <minute_int>

Enter the time in minutes the undelivered email should wait in the normal queue before trying the backup relay.

30

dsn-sender-address <email_str>

Enter the sender email address in delivery status notification (DSN) email messages sent by the FortiMail unit to notify email users of delivery failure.

If this string is empty, the FortiMail unit sends DSN from the default sender email address of “postmaster@example.com", where “example.com" is the domain name of the FortiMail unit.

 

dsn-sender-displayname <name_str>

Enter the display name of the sender email address for DSN.

If this string is empty, the FortiMail unit uses the display name “postmaster".

 

dsn-status {enable | disable}

Enable to allow DSN email generation.

disable

imap-service {enable | disable}

Enable to allow IMAP service.

enable

ldap-domaincheck {enable | disable}

Enable to verify the existence of domains that have not been configured as protected domains. Also configure ldap-domaincheck-profile <profile_str> and ldap-domaincheck-auto-associate {enable | disable}.

To verify the existence of unknown domains, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, the action varies by configuration of ldap-domaincheck-auto-associate {enable | disable}.

disable

ldap-domaincheck-auto-associate {enable | disable}

If ldap-domaincheck is enable, select whether to enable or disable automatic creation of domain associations.

enable: The FortiMail unit automatically adds the unknown domain as a domain associated of the protected domain selected in ldap-domaincheck-internal-domain <domain_str>.

disable: If the DNS lookup of the unknown domain name is successful, the FortiMail unit routes the email to the IP address resolved for the domain name during the DNS lookup. Because the domain is not formally defined as a protected domain, the email is considered to be outgoing, and outgoing recipient-based policies are used to scan the email. For more information, see policy recipient.

disable

ldap-domaincheck-internal-domain <domain_str>

If ldap-domaincheck is enable, and ldap-domaincheck-auto-associate is enable, enter name of the protected domain with which successfully verified domains will become associated.

 

ldap-domaincheck-profile <profile_str>

If ldap-domaincheck is enable, enter the name of the LDAP profile to use when verifying unknown domains.

 

local-domain-name <local-domain_str>

Enter the name of the domain to which the FortiMail unit belongs, such as example.com.

This option applies only if the FortiMail unit is operating in server mode.

 

pop3-port <port_int>

Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.

This option applies only if the FortiMail unit is operating in server mode.

110

pop3-service {enable | disable}

Enable to allow POP3 service.

enable

queue-dsn-timeout <timeout_int>

Enter the maximum number of days a delivery status notification (DSN) message can remain in the mail queues. If the maximum time is set to zero (0) days, the FortiMail unit attempts to deliver the DSN only once.

After the maximum time has been reached, the DSN email is moved to the dead mail folder.

The valid range is from zero to ten days.

5

queue-retry <interval_int>

Enter the number of minutes between delivery retries for email messages in the deferred and spam mail queues.

The valid range is from 10 to 120 minutes.

27

queue-timeout <timeout_int>

Enter the maximum number of hours that deferred email messages can remain in the deferred or spam mail queue, during which the FortiMail unit periodically retries to send the message.

After the maximum time has been reached, the FortiMail unit will send a final delivery status notification (DSN) email message to notify the sender that the email message was undeliverable.

The valid range is from 1 to 240 hours.

120

queue-warning <first-dsn_int>

Enter the number of hours after an initial failure to deliver an email message before the FortiMail unit sends the first delivery status notification (DSN) email message to notify the sender that the email message has been deferred.

After sending this initial DSN, the FortiMail unit will continue to retry sending the email until reaching the limit configured in timeout.

The valid range is from 1 to 24 hours.

4

relay-server-name <relay_name>

Specify the relay server to deliver outgoing email.

 

relay-server-status {enable |disable}

If enabled, the relay server will be used to deliver outgoing email. If disabled, the FortiMail built-in MTA will be used.

disable

show-accept-cert-ca {enable | disable}

Enable to show acceptable client certificate ca.

enable

smtp-auth {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP.

enable

smtp-auth-over-tls {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP over TLS.

enable

smtp-auth-smtps {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTPS (SMTP with SSL).

enable

smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}

When FortiMail delivers email to a host name, it does DNS AAAA and A record lookup.

Use this command to specify the IPv4/IPv6 delivery preferences:

  • ipv4-ipv6: Try to deliver to the IPv4 address frist. If the IPv4 address is not accessible, try the IPv6 address. Because most MTAs support IPv4, this is the default setting.
  • ipv6-ipv4: Try IPv6 first, then IPv4. However, if the AAAA record does not exist, the extra AAAA DNS lookup for IPv6 addresses will potentially cause email delivery delay.
  • ipv4: Try IPv4 only. This setting is not recommended.
  • ipv6: Try IPv6 only. This setting is not recommended.

ipv4-ipv6

smtp-delivery-session-preference {domain | host}

Google business email service does not accept multiple destination domains per SMTP transaction, resulting in repeated delivery attempts and delayed email. To work around this Google limitation, this command is added in 5.4.6 and 6.0.1 releases.

Before 5.4.6 and 6.0. releases, the default setting is host. Multiple recipient domains that resolve to the same MTA are sent to the server in the same session.

After 5.4.6 and 6.0.1 release, the default setting is changed to domain. Multiple recipient domains that resolve to the same MTA are sent to the server in separate sessions.

domain

smtp-max-connections <connection_int>

Enter the maximum number of concurrent SMTP connections that FortiMail can accept from the STMP clients.

Platform dependent

smtp-max-hop-count <number>

Enter the maximum number of hops that FortiMail can accept from the SMTP connections. Valid range is 1 to 200.

30

smtp-msa {enable | disable}

Enable to allow your email clients to use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476.

disable

smtp-msa-port <port_int>

Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery.

587

smtp-port <port_int>

Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections.

25

smtp-service {enable | disable}

Enable to allow SMTP service.

disable

smtps-port <port_int

Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections.

465

smtps-tls-status {enable | disable}

Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted.

disable

timeout-connect <seconds_int>

Enter the maximum amount of time to wait, after the FortiMail unit initiates it, for the receiving SMTP server to establish the network connection.

The valid range is 10 to 120.

Note: This timeout applies to all SMTP connections, regardless of whether it is the first connection to that SMTP server or not.

30

timeout-greeting <seconds_int>

Enter the maximum amount of time to wait for an SMTP server to send SMTP reply code 220 to the FortiMail unit.

The valid range is 10 to 360.

Note: RFC 2821 recommends a timeout value of 5 minutes (300 seconds). For performance reasons, you may prefer to have a smaller timeout value, which reduces the amount of time spent waiting for sluggish SMTP servers. However, if this causes your FortiMail unit to be unable to successfully initiate an SMTP session with some SMTP servers, consider increasing the timeout.

30

Related topics

system route

system mailserver

Use this command to configure the system-wide mail settings.

Syntax

config system mailserver

config mail-queue

edit {default | incoming | outgoing}

set queue-dsn-timeout <timeout_int>

set queue-retry <interval_int>

set queue-timeout <timeout_int>

set queue-warning <first-dsn_int>

end

set deadmail-expiry <time_int>

set default-auth-domain <domain_name>

set defer-delivery-starttime <time_str>

set defer-delivery-stoptime <time_str>

set delivery-esmtp {no | yes}

set delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}

set delivery-failure-handling-option {normal | relay-to-host}

set delivery-failure-host <host_name>

set delivery-failure-min-age <minute_int>

set dsn-sender-address <email_str>

set dsn-sender-displayname <name_str>

set dsn-status {enable | disable}

set imap-service {enable | disable}

set ldap-domaincheck {enable | disable}

set ldap-domaincheck-auto-associate {enable | disable}

set ldap-domaincheck-internal-domain <domain_str>

set ldap-domaincheck-profile <profile_str>

set local-domain-name <local-domain_str>

set pop3-port <port_int>

set pop3-service {enable | disable}

set queue-dsn-timeout <timeout_int>

set queue-retry <interval_int>

set queue-timeout <timeout_int>

set queue-warning <first-dsn_int>

set relay-server-name <relay_name>

set relay-server-status {enable |disable}

set show-accept-cert-ca {enable | disable}

set smtp-auth {enable | disable}

set smtp-auth-over-tls {enable | disable}

set smtp-auth-smtps {enable | disable}

set smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}

set smtp-delivery-session-preference {domain | host}

set smtp-max-connections <connection_int>

set smtp-max-hop-count <number>

set smtp-msa {enable | disable}

set smtp-msa-port <port_int>

set smtp-port <port_int>

set smtp-service {enable | disable}

set smtps-port <port_int

set smtps-tls-status {enable | disable}

set timeout-connect <seconds_int>

set timeout-greeting <seconds_int>

end

Variable

Description

Default

deadmail-expiry <time_int>

Enter the number of days to keep permanently undeliverable email in the dead mail folder. Dead mail has both incorrect recipient and sender email addresses, and can neither be delivered nor the sender notified.

The valid range is from 1 to 365 days.

1

default-auth-domain <domain_name>

Enter the domain to use for default authentication.

 

{default | incoming | outgoing}

Select the queue you want to configure.

default

defer-delivery-starttime <time_str>

Enter the time that the FortiMail unit will begin to process deferred oversized email, using the format hh:mm, where hh is the hour according to a 24-hour clock, and mm is the minutes.

00:00

defer-delivery-stoptime <time_str>

Enter the time that the FortiMail unit will stop processing deferred oversized email, using the format hh:mm, where hh is the hour according to a 24-hour clock, and mm is the minutes.

00:00

delivery-esmtp {no | yes}

Enter either:

yes: Disable the FortiMail unit from delivering email using ESMTP, and use standard SMTP instead.

no: Enable the FortiMail unit to deliver email using ESMTP if the SMTP server to which it is connecting supports the protocol.

no

delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}

Specify the type of failed network connections the backup relay should take over and retry.

 

delivery-failure-handling-option {normal | relay-to-host}

When email delivery fails, you can choose to use the mail queue settings to handle the temporary or permanent failures. You can also try another relay that you know might work.

normal: Enter this option if you want to queue the email and use the mail queue settings.

relay-to-host: Enter another relay (backup relay) that you want to use for failed deliveries.

normal

delivery-failure-host <host_name>

Enter a host to relay email when access to original mail host fails.

 

delivery-failure-min-age <minute_int>

Enter the time in minutes the undelivered email should wait in the normal queue before trying the backup relay.

30

dsn-sender-address <email_str>

Enter the sender email address in delivery status notification (DSN) email messages sent by the FortiMail unit to notify email users of delivery failure.

If this string is empty, the FortiMail unit sends DSN from the default sender email address of “postmaster@example.com", where “example.com" is the domain name of the FortiMail unit.

 

dsn-sender-displayname <name_str>

Enter the display name of the sender email address for DSN.

If this string is empty, the FortiMail unit uses the display name “postmaster".

 

dsn-status {enable | disable}

Enable to allow DSN email generation.

disable

imap-service {enable | disable}

Enable to allow IMAP service.

enable

ldap-domaincheck {enable | disable}

Enable to verify the existence of domains that have not been configured as protected domains. Also configure ldap-domaincheck-profile <profile_str> and ldap-domaincheck-auto-associate {enable | disable}.

To verify the existence of unknown domains, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, the action varies by configuration of ldap-domaincheck-auto-associate {enable | disable}.

disable

ldap-domaincheck-auto-associate {enable | disable}

If ldap-domaincheck is enable, select whether to enable or disable automatic creation of domain associations.

enable: The FortiMail unit automatically adds the unknown domain as a domain associated of the protected domain selected in ldap-domaincheck-internal-domain <domain_str>.

disable: If the DNS lookup of the unknown domain name is successful, the FortiMail unit routes the email to the IP address resolved for the domain name during the DNS lookup. Because the domain is not formally defined as a protected domain, the email is considered to be outgoing, and outgoing recipient-based policies are used to scan the email. For more information, see policy recipient.

disable

ldap-domaincheck-internal-domain <domain_str>

If ldap-domaincheck is enable, and ldap-domaincheck-auto-associate is enable, enter name of the protected domain with which successfully verified domains will become associated.

 

ldap-domaincheck-profile <profile_str>

If ldap-domaincheck is enable, enter the name of the LDAP profile to use when verifying unknown domains.

 

local-domain-name <local-domain_str>

Enter the name of the domain to which the FortiMail unit belongs, such as example.com.

This option applies only if the FortiMail unit is operating in server mode.

 

pop3-port <port_int>

Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.

This option applies only if the FortiMail unit is operating in server mode.

110

pop3-service {enable | disable}

Enable to allow POP3 service.

enable

queue-dsn-timeout <timeout_int>

Enter the maximum number of days a delivery status notification (DSN) message can remain in the mail queues. If the maximum time is set to zero (0) days, the FortiMail unit attempts to deliver the DSN only once.

After the maximum time has been reached, the DSN email is moved to the dead mail folder.

The valid range is from zero to ten days.

5

queue-retry <interval_int>

Enter the number of minutes between delivery retries for email messages in the deferred and spam mail queues.

The valid range is from 10 to 120 minutes.

27

queue-timeout <timeout_int>

Enter the maximum number of hours that deferred email messages can remain in the deferred or spam mail queue, during which the FortiMail unit periodically retries to send the message.

After the maximum time has been reached, the FortiMail unit will send a final delivery status notification (DSN) email message to notify the sender that the email message was undeliverable.

The valid range is from 1 to 240 hours.

120

queue-warning <first-dsn_int>

Enter the number of hours after an initial failure to deliver an email message before the FortiMail unit sends the first delivery status notification (DSN) email message to notify the sender that the email message has been deferred.

After sending this initial DSN, the FortiMail unit will continue to retry sending the email until reaching the limit configured in timeout.

The valid range is from 1 to 24 hours.

4

relay-server-name <relay_name>

Specify the relay server to deliver outgoing email.

 

relay-server-status {enable |disable}

If enabled, the relay server will be used to deliver outgoing email. If disabled, the FortiMail built-in MTA will be used.

disable

show-accept-cert-ca {enable | disable}

Enable to show acceptable client certificate ca.

enable

smtp-auth {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP.

enable

smtp-auth-over-tls {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP over TLS.

enable

smtp-auth-smtps {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTPS (SMTP with SSL).

enable

smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}

When FortiMail delivers email to a host name, it does DNS AAAA and A record lookup.

Use this command to specify the IPv4/IPv6 delivery preferences:

  • ipv4-ipv6: Try to deliver to the IPv4 address frist. If the IPv4 address is not accessible, try the IPv6 address. Because most MTAs support IPv4, this is the default setting.
  • ipv6-ipv4: Try IPv6 first, then IPv4. However, if the AAAA record does not exist, the extra AAAA DNS lookup for IPv6 addresses will potentially cause email delivery delay.
  • ipv4: Try IPv4 only. This setting is not recommended.
  • ipv6: Try IPv6 only. This setting is not recommended.

ipv4-ipv6

smtp-delivery-session-preference {domain | host}

Google business email service does not accept multiple destination domains per SMTP transaction, resulting in repeated delivery attempts and delayed email. To work around this Google limitation, this command is added in 5.4.6 and 6.0.1 releases.

Before 5.4.6 and 6.0. releases, the default setting is host. Multiple recipient domains that resolve to the same MTA are sent to the server in the same session.

After 5.4.6 and 6.0.1 release, the default setting is changed to domain. Multiple recipient domains that resolve to the same MTA are sent to the server in separate sessions.

domain

smtp-max-connections <connection_int>

Enter the maximum number of concurrent SMTP connections that FortiMail can accept from the STMP clients.

Platform dependent

smtp-max-hop-count <number>

Enter the maximum number of hops that FortiMail can accept from the SMTP connections. Valid range is 1 to 200.

30

smtp-msa {enable | disable}

Enable to allow your email clients to use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476.

disable

smtp-msa-port <port_int>

Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery.

587

smtp-port <port_int>

Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections.

25

smtp-service {enable | disable}

Enable to allow SMTP service.

disable

smtps-port <port_int

Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections.

465

smtps-tls-status {enable | disable}

Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted.

disable

timeout-connect <seconds_int>

Enter the maximum amount of time to wait, after the FortiMail unit initiates it, for the receiving SMTP server to establish the network connection.

The valid range is 10 to 120.

Note: This timeout applies to all SMTP connections, regardless of whether it is the first connection to that SMTP server or not.

30

timeout-greeting <seconds_int>

Enter the maximum amount of time to wait for an SMTP server to send SMTP reply code 220 to the FortiMail unit.

The valid range is 10 to 360.

Note: RFC 2821 recommends a timeout value of 5 minutes (300 seconds). For performance reasons, you may prefer to have a smaller timeout value, which reduces the amount of time spent waiting for sluggish SMTP servers. However, if this causes your FortiMail unit to be unable to successfully initiate an SMTP session with some SMTP servers, consider increasing the timeout.

30

Related topics

system route