Fortinet Document Library


CLI Reference

policy recipient

Use this command to create recipient-based policies based on the inbound or outbound directionality of an email message with respect to the protected domain.

Syntax

config policy recipient
    edit <policy_int>
        set auth-access-options {pop3 | smtp-auth | smtp-diff-identity | web}
        set certificate-required {yes | no}
        set pkiauth {enable | disable}
        set pkiuser <user_str>
        set profile-antispam <antispam-profile_name>
        set profile-antivirus <antivirus-profile_name>
        set profile-auth-type {imap | ldap | none | pop3 | radius | smtp}
        set profile-content <content-profile_name>
        set profile-ldap <profile_name>
        set recipient-domain <domain_str>
        set recipient-name <local-part_str>
        set recipient-type {ldap-group | local group | user}
        set sender-domain <domain_str>
        set sender-name <local-part_str>
        set sender-type {ldap-group | local group | user}
        set smtp-diff-identity {enable | disable}
        set status {enable | disable}
end

Variable, description, default

<policy_int>

Enter the index number of the recipient-based policy.

auth-access-options {pop3 | smtp-auth | smtp-diff-identity | web}

Enter the method that email users matching this policy use to retrieve the contents of their per-recipient spam quarantine.

pop3: Allow the email user to use POP3 to retrieve the contents of their per-recipient spam quarantine.

smtp-auth: Use the authentication server selected in the authentication profile when performing SMTP authentication for connecting SMTP clients.

smtp-diff-identity: Allow email when the SMTP client authenticates with a different user name than the one that appears in the envelope’s sender email address. You must also enter smtp-auth for this option to have any effect.

web: Allow the email user to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their per-recipient spam quarantine.

Note: Entering this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication.

certificate-required {yes | no}

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit falls back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter yes.

Default: no

pkiauth {enable | disable}

Enable to allow email users to log in to their per-recipient spam quarantine by presenting a certificate rather than a user name and password.

Default: disable

pkiuser <user_str>

If pkiauth is set to enable, enter the name of a PKI user, such as 'user1'. For information on configuring PKI users, see user pki.

profile-antispam <antispam-profile_name>

Enter the name of an antispam profile, if any, that this policy will apply.

profile-antivirus <antivirus-profile_name>

Enter the name of an antivirus profile, if any, that this policy will apply.

profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

Enter the type of the authentication profile that this policy will apply.

The command profile-auth-<auth_type> appears for the type chosen. Enter the name of an authentication profile for the type.

Default: none

profile-content <content-profile_name>

Enter the name of the content profile that you want to apply to connections matching the policy.

profile-ldap <profile_name>

If recipient-type or sender-type is ldap-group, enter the name of an LDAP profile in which the group owner query has been enabled and configured.

recipient-domain <domain_str>

Enter the domain part of the recipient email address to define recipient (RCPT TO:) email addresses that match this policy.

recipient-name <local-part_str>

Enter the local part of the recipient email address to define recipient (RCPT TO:) email addresses that match this policy.

recipient-type {ldap-group | local group | user}

Enter one of the following ways to define recipient (RCPT TO:) email addresses that match this policy.

If you enter ldap-group, also configure profile-ldap by entering an LDAP profile in which you have enabled and configured a group query.

Default: user

sender-domain <domain_str>

Enter the domain part of the sender email address to define sender (MAIL FROM:) email addresses that match this policy.

sender-name <local-part_str>

Enter the local part of the sender email address to define sender (MAIL FROM:) email addresses that match this policy.

sender-type {ldap-group | local group | user}

Enter one of the following ways to define sender (MAIL FROM:) email addresses that match this policy.

If you enter ldap-group, also configure profile-ldap by entering an LDAP profile in which you have enabled and configured a group query.

Default: user

smtp-diff-identity {enable | disable}

Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

This option is applicable only if smtp-auth is used.

Default: enable

status {enable | disable}

Enable to apply this policy.

Default: enable
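
The following is an added example, not part of the Fortinet documentation: a Python check that reads a config policy recipient block and reports the permissive combinations the descriptions above call out (a MAIL FROM that may differ from the authenticated user under smtp-auth, password fallback when pkiauth is enabled, and smtp-diff-identity entered without smtp-auth). The function names and the sample are constructed for illustration; the sample assumes that multiple option values are space-separated and that entries are closed with next, neither of which is shown on this page.

```python
# Defaults taken from the Default values listed above.
DEFAULTS = {"certificate-required": "no", "pkiauth": "disable",
            "smtp-diff-identity": "enable", "status": "enable"}

def parse_policies(text):
    """Return {policy_id: {option: [values]}} for each 'edit' block."""
    policies, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "edit":
            current = policies.setdefault(words[1], {})
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = words[2:]
        elif words and words[0] in ("next", "end"):
            current = None
    return policies

def audit(text):
    """Return sorted (policy_id, finding) pairs for policies that are enabled."""
    findings = []
    for pid, opts in parse_policies(text).items():
        eff = {k: opts.get(k, [d])[0] for k, d in DEFAULTS.items()}
        access = set(opts.get("auth-access-options", []))
        if eff["status"] != "enable":
            continue  # a disabled policy is not applied
        if "smtp-auth" in access and eff["smtp-diff-identity"] == "enable":
            findings.append((pid, "MAIL FROM may differ from authenticated user"))
        if "smtp-diff-identity" in access and "smtp-auth" not in access:
            findings.append((pid, "smtp-diff-identity has no effect without smtp-auth"))
        if eff["pkiauth"] == "enable" and eff["certificate-required"] == "no":
            findings.append((pid, "pkiauth falls back to user name and password"))
    return sorted(findings)

# Constructed sample (assumed form: space-separated values, 'next' between entries).
SAMPLE = """\
config policy recipient
edit 1
set auth-access-options smtp-auth web
set pkiauth enable
next
edit 2
set auth-access-options smtp-auth
set smtp-diff-identity disable
next
end
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Policy 1 in the sample is reported twice because it relies on the defaults for smtp-diff-identity and certificate-required; policy 2 sets smtp-diff-identity to disable and produces no finding.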

Related topics

ms365 profile antivirus

policy access-control delivery

config policy delivery-control
