domain
Use these commands to configure a protected domain.
For more information on protected domains and when they are required, see the FortiMail Administration Guide.
Syntax
This command contains many sub-commands. Each sub-command, linked below, is documented in subsequent sections.
config domain
  edit <domain_name>
    config cal resource ...
    config customized-message ...
    config domain-setting ...
    config file filter ...
    config policy recipient ...
    config profile antispam ...
    config profile antispam-action ...
    config profile antivirus ...
    config profile antivirus-action ...
    config profile authentication ...
    config profile content ...
    config profile content-action ...
    config profile email-address-group ...
    config profile impersonation ...
    config profile resource ...
    config user mail ...
  next
end
Variable | Description | Default
<domain_name> | Type the fully qualified domain name (FQDN) of the protected domain. For example, to protect email addresses ending in "@example.com", type |
config cal resource
Use this sub-command to configure the calendar resource of a protected domain for calendar sharing.
Syntax
This sub-command is available from within the command domain.
config cal resource
  edit <resource_name>
    set description <string>
    set display-name <string>
    set management-users <user_email>
    set type {room | equipment}
  next
end
Variable | Description | Default
<resource_name> | Enter a name for the calendar resource. This name forms the local part of the calendar resource address for the current domain, for example <resource_name>@<domain_name>.com. |
description <string> | Enter a description for the calendar resource entry. |
display-name <string> | Enter a display name. |
management-users <user_email> | Enter the management users for the calendar resource in the format <user_name>@<domain_name>.com. |
type {room | equipment} | Set the resource type to either room or equipment. | room
config customized-message
Use this sub-command to configure the variables and the default email template of quarantine summary of a protected domain.
Syntax
This sub-command is available from within the command domain.
config customized-message
  edit report-quarantine-summary
    config variable
      edit <name>
        set content
        set display-name
      next
    end
    config email-template
      edit default
        set from <string>
        set subject <string>
      next
    end
  next
end
Variable | Description | Default
<name> | Enter a variable name that you want to add or edit, such as |
content | Enter the content for the variable. |
display-name | Enter the display name for the variable. For example, the display name for |
 | Enter the replacement message for the |
 | Enter the replacement message for the email body of the quarantine summary in HTML code. |
 | Enter the replacement message for the |
 | Enter the replacement message for the email body of the quarantine summary in text format. |
config domain-setting
Use this sub-command to configure the basic settings of a protected domain.
Syntax
This sub-command is available from within the command domain.
config domain-setting
  config sender-addr-rate-ctrl-exempt
    edit <id>
      set sender-pattern <string>
      set pattern-type {default | regexp}
    next
  end
  set addressbook {domain | none | system}
  set bypass-bounce-verification {enable | disable}
  set disclaimer-incoming-body-content
  set disclaimer-incoming-body-content-html
  set disclaimer-incoming-body-location
  set disclaimer-incoming-body-status {enable | disable}
  set disclaimer-incoming-header-insertion-name
  set disclaimer-incoming-header-insertion-value
  set disclaimer-incoming-header-status {enable | disable}
  set disclaimer-outgoing-body-content
  set disclaimer-outgoing-body-content-html
  set disclaimer-outgoing-body-location
  set disclaimer-outgoing-body-status {enable | disable}
  set disclaimer-outgoing-header-insertion-name
  set disclaimer-outgoing-header-insertion-value
  set disclaimer-outgoing-header-status {enable | disable}
  set email-migration-status {enable | disable}
  set fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}
  set fallback-use-smtps {enable | disable}
  set global-bayesian {enable | disable}
  set greeting-with-host-name {domainname | hostname | othername}
  set host <host_name>
  set ip-pool-direction {outgoing | incoming | both}
  set is-service-domain {enable | disable}
  set is-sub-domain {enable | disable}
  set ldap-asav-profile <ldap-profile_name>
  set ldap-asav-status {enable | disable}
  set ldap-domain-routing-port <port_int>
  set ldap-domain-routing-profile <ldap-profile_name>
  set ldap-domain-routing-smtps {enable | disable}
  set ldap-groupowner-profile <ldap-profile_name>
  set ldap-routing-profile <ldap-profile_name>
  set ldap-routing-status {enable | disable}
  set ldap-user-profile <profile_name>
  set max-message-size <limit_int>
  set other-helo-greeting <string>
  set quarantine-report-schedule-status {enable | disable}
  set quarantine-report-status {enable | disable}
  set quarantine-report-to-alt {enable | disable}
  set quarantine-report-to-alt-addr <recipient_email>
  set quarantine-report-to-individual {enable | disable}
  set quarantine-report-to-ldap-groupowner {enable | disable}
  set recipient-verification {disable | ldap | smtp}
  set recipient-verification-background {disable | ldap | smtp}
  set recipient-verification-background-profile <ldap-profile_name>
  set relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}
  set remove-outgoing-received-header {enable | disable}
  set sender-addr-rate-ctrl-action
  set sender-addr-rate-ctrl-max-msgs <integer>
  set sender-addr-rate-ctrl-max-msgs-state {enable | disable}
  set sender-addr-rate-ctrl-max-recipients
  set sender-addr-rate-ctrl-max-recipients-state {enable | disable}
  set sender-addr-rate-ctrl-max-size <integer>
  set sender-addr-rate-ctrl-max-size-state {enable | disable}
  set sender-addr-rate-ctrl-max-spam
  set sender-addr-rate-ctrl-max-spam-state {enable | disable}
  set sender-addr-rate-ctrl-state {enable | disable}
  set sender-addr-rate-notification-state {enable | disable}
  set smtp-recipient-verification-command {rcpt | vrfy}
  set smtp-recipient-verification-accept-reply-string <accept_string>
  set tp-server-on-port <port_int>
  set tp-use-domain-mta {yes | no}
  set use-stmps {enable | disable}
  set webmail-language <language_name>
  set webmail-theme {IndigoDarkBlue | RedGrey | Standard | Use-System-Settings}
end
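The sender-addr-rate-ctrl-* keywords listed above bound how many messages, and how many megabytes, a single envelope sender may send per half hour, and sender-addr-rate-ctrl-exempt carves out senders by pattern. The following is an added example, not FortiMail's code, that models that behaviour in Python so the semantics can be exercised offline against constructed traffic. It assumes a sliding 30-minute window, treats pattern-type default as a shell-style wildcard and regexp as a regular expression, and counts only accepted messages toward the window; none of those details are stated on this page.

```python
"""Per-sender rate control modelled on the sender-addr-rate-ctrl-* keywords.

Added illustration, not FortiMail's implementation. Assumptions: "per half an
hour" is a sliding 30-minute window; pattern-type "default" in
sender-addr-rate-ctrl-exempt is a shell-style wildcard (regexp is a Python
regular expression); only accepted messages count toward the window.
"""
import fnmatch
import re
from collections import defaultdict

WINDOW_SECONDS = 30 * 60  # "per half an hour" in the keyword descriptions


class SenderRateControl:
    """Sliding half-hour window of accepted messages per envelope sender."""

    def __init__(self, max_msgs=30, max_size_mb=100, exempt=()):
        # None disables that limit (the *-state {enable | disable} keywords).
        self.max_msgs = max_msgs
        self.max_size_mb = max_size_mb
        # exempt: iterable of (sender-pattern, pattern-type) pairs.
        self._exempt = [self._compile(p, t) for p, t in exempt]
        self._accepted = defaultdict(list)  # sender -> [(timestamp, size_mb), ...]

    @staticmethod
    def _compile(pattern, pattern_type):
        if pattern_type == "regexp":
            return re.compile(pattern, re.IGNORECASE)
        if pattern_type == "default":  # assumed to mean a wildcard pattern
            return re.compile(fnmatch.translate(pattern), re.IGNORECASE)
        raise ValueError(f"unknown pattern-type: {pattern_type!r}")

    def is_exempt(self, sender):
        return any(rx.match(sender) for rx in self._exempt)

    def check(self, sender, now, size_mb):
        """Return True if the message is within limits (and record it), else False."""
        sender = sender.strip().lower()  # compare addresses case-insensitively
        if self.is_exempt(sender):
            return True
        # Keep only entries that are still inside the sliding window.
        window = [(ts, s) for ts, s in self._accepted[sender]
                  if now - ts < WINDOW_SECONDS]
        self._accepted[sender] = window
        if self.max_msgs is not None and len(window) + 1 > self.max_msgs:
            return False
        if (self.max_size_mb is not None
                and sum(s for _, s in window) + size_mb > self.max_size_mb):
            return False
        window.append((now, size_mb))
        return True


# Constructed sample traffic: (seconds since start, envelope sender, size in MB).
SAMPLE_EVENTS = [
    (0,    "bulk@example.com", 1),
    (60,   "bulk@example.com", 1),
    (120,  "bulk@example.com", 1),
    (180,  "bulk@example.com", 1),       # 4th message inside the window
    (240,  "big@example.com", 6),
    (300,  "big@example.com", 5),        # would push this sender past 10 MB
    (360,  "noreply7@example.com", 9),   # exempt by regexp, never limited
    (1850, "bulk@example.com", 1),       # the first message has aged out
]


def replay(events, max_msgs=3, max_size_mb=10):
    """Run the sample through deliberately small limits; returns one verdict per event."""
    rc = SenderRateControl(max_msgs, max_size_mb,
                           exempt=[(r"^noreply\d+@example\.com$", "regexp")])
    return [rc.check(sender, ts, size) for ts, sender, size in events]


if __name__ == "__main__":
    for (ts, sender, size), ok in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={ts:5}s {sender:22} {size:2} MB -> {'accept' if ok else 'reject'}")
```

Exempt patterns bypass every limit, so keep them narrow: a wildcard such as *@example.com would exempt the whole protected domain from rate control.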
Variable | Description | Default
addressbook {domain | none | system} (server mode only) | Add a newly created mail user to the system address book, to the domain address book, or to neither. | domain
bypass-bounce-verification {enable | disable} | Enable to omit bounce address tag verification of email incoming to this protected domain. This bypass does not omit bounce address tagging of outgoing email. | disable
fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>} (transparent mode and gateway mode only) | Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain. This SMTP server will be used if the primary SMTP server is unreachable. |
 (transparent mode and gateway mode only) | Enter the port number on which the failover SMTP server listens. If you enable Use SMTPS (fallback-use-smtps), the port automatically changes to the default port number for SMTPS, but can still be customized. The default SMTP port number is 25; the default SMTPS port number is 465. | 25
fallback-use-smtps {enable | disable} (transparent mode and gateway mode only) | Enable to use SMTPS for connections originating from or destined for this protected server. | disable
global-bayesian {enable | disable} | Enable to use the global Bayesian database instead of the Bayesian database for this protected domain. If you do not need the Bayesian database to be specific to the protected domain, you may want to use the global Bayesian database instead in order to simplify database maintenance and training. Disable to use the per-domain Bayesian database. This option does not apply if you have enabled use of personal Bayesian databases in an incoming antispam profile and the personal Bayesian database is mature; in that case the FortiMail unit uses the personal Bayesian database instead. | disable
greeting-with-host-name {domainname | hostname | othername} | Specify how the FortiMail unit will identify itself during the domainname: The FortiMail unit will identify itself using the domain name for this protected domain. If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other. hostname: The FortiMail unit will identify itself using its own host name. By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select this option to use the system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain. othername: If you select this option, another command | hostname
host <host_name> (transparent mode and gateway mode only) | The host name or IP address and port number of the mail exchanger (MX) for this protected domain. If Relay Type is MX Record (this domain) or MX Record (alternative domain), this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty. |
 | You can use a pool of IP addresses as the source IP address when sending email from this domain, as the destination IP address when receiving email destined to this domain, or as both the source and destination IP addresses. If you want to use the IP pool as the source IP address for this protected domain, according to the sender's email address in the envelope ( If you want to use the IP pool as the destination IP address (virtual host) for this protected domain, according to the recipient's email address in the envelope ( If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select Both as the Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address. |
ip-pool-direction {outgoing | incoming | both} | Sets the direction for the This option is only available after you configure the |
is-sub-domain {enable | disable} | Enable to indicate that the protected domain you are creating is a subdomain of an existing protected domain, then also configure Main domain. Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains are displayed grouped under the parent protected domain when viewing the list of protected domains. This option is available only when another protected domain exists to select as the parent domain. | disable
ldap-asav-profile <ldap-profile_name> | Specify the name of an LDAP profile which you have enabled and configured. |
ldap-asav-status {enable | disable} | Enable to query an LDAP server for an email user's preferences to enable or disable antispam and/or antivirus processing for email messages destined for them. | disable
ldap-domain-routing-port <port_int> | Enter the port number on which the SMTP servers in the LDAP profile listen. If you enable ldap-domain-routing-smtps, this setting automatically changes to the default port number for SMTPS, but can still be customized. The default SMTP port number is 25; the default SMTPS port number is 465. This option is valid when | 25
ldap-domain-routing-profile <ldap-profile_name> | Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query. Also configure ldap-domain-routing-port <port_int> and ldap-domain-routing-smtps {enable | disable}. This option is valid when |
ldap-domain-routing-smtps {enable | disable} | Enable to use SMTPS for connections originating from or destined for this protected server. This option is valid when | disable
ldap-groupowner-profile <ldap-profile_name> | Select an LDAP profile to send the quarantine report to a group owner rather than to individual recipients. |
ldap-routing-profile <ldap-profile_name> | Select an LDAP profile for mail routing. |
ldap-routing-status {enable | disable} | Enable or disable LDAP mail routing. | disable
ldap-user-profile <profile_name> | Select the name of an LDAP profile in which you have configured, enabling you to authenticate email users and expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members. |
max-message-size <limit_int> | Enable, then type the message size limit in kilobytes (KB). Email messages over the threshold size are rejected. Note: If both this option and expire-inactivity <days_int> in the session profile are enabled, email size is limited to whichever size is smaller. | 204800KB
other-helo-greeting <string> | After you set the |
 (transparent mode and gateway mode only) | Set the SMTP port number of the mail server. | 25
quarantine-report-schedule-status {enable | disable} | Enable or disable the domain-level quarantine report schedule setting. The quarantine report settings for a protected domain are a subset of the system-wide quarantine report settings. For example, if the system schedule settings include only Monday and Thursday, then when you set the schedule for the quarantine reports of the protected domain you can select only Monday or Thursday. | disable
quarantine-report-status {enable | disable} | Enable or disable the domain-level quarantine report. | disable
quarantine-report-to-alt {enable | disable} | Enable or disable sending the domain-level quarantine report to a recipient other than the individual recipients or the group owner. For example, you might delegate quarantine reports by sending them to an administrator whose email address is not locally deliverable to the protected domain, such as admin@lab.example.com. | disable
quarantine-report-to-alt-addr <recipient_email> | Enter the recipient's email address. |
quarantine-report-to-individual {enable | disable} | Enable to send quarantine reports to all recipients. | enable
quarantine-report-to-ldap-groupowner {enable | disable} | Enable to send quarantine reports to the LDAP group owner of the specified LDAP profile. | disable
recipient-verification {disable | ldap | smtp} | Select a method of confirming that the recipient email address in the message envelope ( disable: Do not verify that the recipient address is an email user account that actually exists. smtp: Query the SMTP server using the SMTP RCPT command to verify that the recipient address is an email user account that actually exists. You can also choose to use the SMTP VRFY command to do the verification. This feature is available on the GUI when you create a domain. ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server. | disable
recipient-verification-background {disable | ldap | smtp} | Select a method by which to periodically remove quarantined spam for which an email user account does not actually exist on the protected email server. disable: Do not verify that the recipient address is an email user account that actually exists. smtp: Query the SMTP server to verify that the recipient address is an email user account that actually exists. ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server. Note: If you have also enabled Note: Spam often contains invalid recipient addresses. If you have enabled spam quarantining but have not prevented or scheduled the periodic removal of quarantined email messages for invalid email accounts, the FortiMail hard disk may be rapidly consumed during peak traffic times, resulting in refused SMTP connections when the hard disk becomes full. To prevent this, enable either this option or verification of recipient addresses. |
relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} (transparent mode and gateway mode only) | Select from one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain: Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from those of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit. Gateway mode: A private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server configure the protected SMTP server's A record with its private IP address, while on the public DNS server configure the FortiMail unit's A record with its public IP address. Transparent mode: A private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server's A record with its private IP address. On the public DNS server, configure the protected SMTP server's A record with its public IP address. Do not modify the MX record. | host
remove-outgoing-received-header {enable | disable} | Enable to remove the Received: message headers from email whose: You can alternatively remove this header from any matching email using session profiles. | disable
sender-addr-rate-ctrl-max-msgs <integer> | Enter the maximum number of messages per sender address per half hour. | 30
sender-addr-rate-ctrl-max-msgs-state {enable | disable} | Enable the limit on the maximum number of messages per sender address per half hour. | disable
sender-addr-rate-ctrl-max-size <integer> | Enter the maximum number of megabytes per sender per half hour. | 100
sender-addr-rate-ctrl-max-size-state {enable | disable} | Enable the limit on the maximum number of megabytes per sender per half hour. | disable
sender-addr-rate-ctrl-state {enable | disable} | Enable sender address rate control per sender email address. | disable
smtp-recipient-verification-command {rcpt | vrfy} (transparent mode and gateway mode only) | Specify the command that the FortiMail unit uses to query the SMTP server This option is only available after you select | rcpt
smtp-recipient-verification-accept-reply-string <accept_string> (transparent mode and gateway mode only) | When FortiMail queries the SMTP server for recipient verification: If the reply code of the VRFY command is 2xx, the recipient exists. If the reply code is non-2xx, FortiMail tries to match the accept string you specified against the reply string. If the strings match, the recipient exists. Otherwise, the recipient is unknown. For example, if the recipient is a group or mailing list, FortiMail receives a 550 error code and a reply string. Depending on the reply string you get, you can specify a string to match it. For example, if the recipient is marketing@example.com, the reply string might say something like "marketing@example.com is a group". In this case, if you specify "is a group" as the accept string, and this string matches the reply string or part of it, FortiMail deems the query successful and passes the email. This command is available only when you set |
 | Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in: the SMTP greeting ( the IP addresses in the IP header This masks the existence of the FortiMail unit to the protected SMTP server. Disable to replace the SMTP client's IP address or domain name with that of the FortiMail unit. For example, an external SMTP client might have the IP address 172.168.1.1, and the FortiMail unit might have the domain name fortimail.example.com. If the option is enabled, the message header would contain (difference highlighted in bold): Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800 Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT But if the option is disabled, the message headers would contain: Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800 Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT Note: This option does not apply to email messages sent from protected domains to protected domains, meaning that the FortiMail unit will not be hidden even if this option is enabled. | no
tp-server-on-port <port_int> (transparent mode only) | Select the network interface (physical port) to which the protected SMTP server is connected. Note: Selecting the wrong network interface will result in the FortiMail unit sending email traffic to the wrong network interface. | 0
tp-use-domain-mta {yes | no} (transparent mode only) | Enable to proxy SMTP clients' incoming connections when sending outgoing email messages via the protected SMTP server. For example, if the protected domain example.com has the SMTP server 192.168.1.1, and an SMTP client for user1@example.com connects to it to send email to user2@external.example.net, enabling this option causes the FortiMail unit to proxy the connection through to the protected SMTP server. Disable to relay email using the built-in MTA to either the defined SMTP relay, if any, or directly to the MTA that is the mail exchanger (MX) for the recipient email address's ( This option does not affect incoming connections containing incoming email messages, which are always handled by the built-in MTA. Note: This option is ignored for email that matches an antispam or content profile where you have enabled alternate-host {<relay_fqdn> | <relay_ipv4>}. | no
use-stmps {enable | disable} | Enable to use SMTPS to relay email to the mail server. | disable
webmail-language <language_name> | Select either Use system settings or another language that the FortiMail unit will use to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same language as the web-based manager. |
webmail-theme {IndigoDarkBlue | RedGrey | Standard | Use-System-Settings} | Select the display theme that the FortiMail unit will use to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same display theme as the web-based manager. | Use-System-Settings
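The decision rule described for smtp-recipient-verification-accept-reply-string (a 2xx reply means the recipient exists; a non-2xx reply counts only if the accept string occurs in the reply text; everything else is unknown) is easy to get subtly wrong, in particular around empty accept strings and malformed or multi-line replies. The following is an added example, not FortiMail code, that implements that rule in Python over constructed SMTP replies. It assumes the reply to the RCPT or VRFY query is available as text and that the accept string is matched as a plain, case-sensitive substring; the page states neither detail.

```python
"""Decision rule documented for smtp-recipient-verification-accept-reply-string.

Added illustration, not FortiMail code. Assumptions: the verification query
(RCPT TO or VRFY) returns a reply captured as text; the accept string is
matched as a case-sensitive substring of the reply text; an unparseable reply
is treated as "unknown" (fail closed).
"""
import re

# One reply line: a three-digit code, then a space (final line) or "-" (continuation).
_LINE_RE = re.compile(r"^(?P<code>[2-5]\d\d)(?:[ -](?P<text>.*))?$")


def parse_smtp_reply(raw):
    """Return (code, text) for a single- or multi-line SMTP reply.

    Continuation lines ("550-...") are joined with the final line so the
    accept string can be matched anywhere in the reply. Raises ValueError
    for anything that is not a well-formed reply.
    """
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for ln in lines:
        m = _LINE_RE.match(ln.rstrip())
        if not m:
            raise ValueError(f"malformed reply line: {ln!r}")
        if code is not None and int(m["code"]) != code:
            raise ValueError("reply code changed between lines")
        code = int(m["code"])
        texts.append(m["text"] or "")
    return code, " ".join(t for t in texts if t)


def verify_recipient(reply, accept_string=""):
    """Return "exists" or "unknown" following the documented rule."""
    try:
        code, text = parse_smtp_reply(reply)
    except ValueError:
        return "unknown"  # fail closed: a garbled reply never proves a mailbox exists
    if 200 <= code <= 299:
        return "exists"
    # Non-2xx: only a non-empty accept string may override the failure code.
    # Python treats "" as a substring of every string, so without this guard an
    # unset accept string would turn every failed query into an accepted recipient.
    if accept_string and accept_string in text:
        return "exists"
    return "unknown"


# Constructed sample replies and accept strings (not captured from a real server).
SAMPLE_REPLIES = [
    ("250 2.1.5 Recipient OK", "is a group"),
    ("550 5.1.1 marketing@example.com is a group", "is a group"),
    ("550 5.1.1 <nobody@example.com>: User unknown", "is a group"),
    ("550-5.1.1 Address rejected\r\n550 5.1.1 marketing@example.com is a group", "is a group"),
    ("452 4.2.2 Mailbox full, try again later", "is a group"),
    ("550 5.1.1 User unknown", ""),
    ("garbage without a code", "is a group"),
]


def classify_samples():
    """Verdict for each constructed sample, in order."""
    return [verify_recipient(reply, accept) for reply, accept in SAMPLE_REPLIES]


if __name__ == "__main__":
    for (reply, accept), verdict in zip(SAMPLE_REPLIES, classify_samples()):
        print(f"{verdict:8} accept={accept!r:14} reply={reply!r}")
```

The accept string is a substring match against whatever the server replies, so choose one that appears only in the reply for the recipient class you intend to accept (such as group or list addresses); a generic fragment that also occurs in "User unknown" style replies would turn failed verifications into accepted recipients, which defeats the purpose of recipient verification.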
config policy recipient
Use this sub-command to configure a recipient-based policy for a protected domain. To configure system-wide policies, use the top-level config policy recipient command (outside config domain) instead of this sub-command.
Syntax
This sub-command is available from within the command domain.
config policy recipient
  edit <policy_index>
    set auth-access-options {pop3 smtp-auth smtp-diff-identity web}
    set certificate-required {yes | no}
    set comment
    set direction
    set pkiauth {enable | disable}
    set profile-antispam <antispam_name>
    set profile-antivirus <antivirus_name>
    set profile-auth-type {imap | local | ldap | pop3 | smtp | radius}
    set profile-content <profile_name>
    set profile-dlp
    set profile-resource <profile_name>
    set profile-ldap <profile_name>
    set recipient-type {ldap-group | local-group | user}
    set sender-domain <domain_name>
    set sender-name <local-part_str>
    set sender-type {ldap-group | local-group | user}
    set smtp-diff-identity-lsap-profile
  next
end
Variable | Description | Default
<policy_index> | Type the index number of the policy. To view a list of existing entries, enter a question mark ( |
auth-access-options {pop3 smtp-auth smtp-diff-identity web} | Type one or more of the following: |
certificate-required {yes | no} (transparent and gateway mode only) | If the email user's web browser does not provide a valid personal certificate, the FortiMail unit falls back to standard user name and password authentication. To require valid certificates only and disallow the password fallback, enable this option. | no
comment | Enter a comment for the recipient policy. |
direction | Enter whether the direction of mail traffic is incoming or outgoing. |
pkiauth {enable | disable} (transparent and gateway mode only) | Enable if you want to allow email users to log in to their per-recipient spam quarantine by presenting a certificate rather than a user name and password. | disable
 (transparent and gateway mode only) | Enter the name of the PKI user entry, or select a user you defined before. This is not required to be the same as the administrator's or email user's account name, although you may find it helpful to do so. For example, you might have an administrator account named |
profile-antispam <antispam_name> | Select an antispam profile that you want to apply to the policy. |
profile-antivirus <antivirus_name> | Select an antivirus profile that you want to apply to the policy. |
profile-auth-type {imap | local | ldap | pop3 | smtp | radius} | If you want email users to be able to authenticate using an external authentication server, first specify the profile type (SMTP, POP3, IMAP, RADIUS, or LDAP), then specify which profile to use. For example: |
profile-auth-imap <imap_name> | Type the name of an IMAP authentication profile. This command is applicable only if you have enabled use of an IMAP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}. |
profile-auth-ldap <ldap_name> | Type the name of an LDAP authentication profile. This command is applicable only if you have enabled use of an LDAP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}. |
profile-auth-pop3 <pop3_name> | Type the name of a POP3 authentication profile. This command is applicable only if you have enabled use of a POP3 authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}. |
profile-auth-smtp <smtp_name> | Type the name of an SMTP authentication profile. This command is applicable only if you have enabled use of an SMTP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}. |
profile-auth-radius <radius_name> | Type the name of a RADIUS authentication profile. This command is applicable only if you have enabled use of a RADIUS authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}. |
profile-content <profile_name> | Select which content profile you want to apply to the policy. |
profile-dlp | Enter the DLP profile for the policy. |
profile-resource <profile_name> | Select which resource profile you want to apply to the policy. This option is only available in server mode. |
profile-ldap <profile_name> | If you set the recipient type to ldap-group, you can select an LDAP profile. |
 | Enter the domain part of the recipient email address. |
 | Enter the local part of the recipient email address, or a pattern with wildcards. |
recipient-type {ldap-group | local-group | user} | Select one of the following ways to define the recipient ( user: Select this option and then use the above command to enter the local part of the recipient email address. local-group: Select this option and then specify the local group under this domain. ldap-group: Select this option and then select an LDAP profile. | user
sender-domain <domain_name> | Enter the domain part of the sender email address. For example, example.com. |
sender-name <local-part_str> | Enter the local part of the sender email address. For example, user1. |
sender-type {ldap-group | local-group | user} | Select one of the following ways to define which sender user: Select this option and then use the above command to enter the local part of the sender email address. local-group: Select this option and then specify the local group under this domain. ldap-group: Select this option and then select an LDAP profile. Note: This setting applies to outgoing policies only. | user
 | Rejects a different SMTP sender identity. |
smtp-diff-identity-ldap | Verify the SMTP sender identity with LDAP for authenticated email. |
 | LDAP profile for SMTP sender identity verification. |
 | Enable or disable the policy. | enable
config user mail
Use this sub-command to configure email user accounts.
Syntax
This sub-command is available from within the command domain.
config user mail
  rename <old_username> to <new_username> (see the note below)
  edit <user_name>
  next
end
Variable | Description | Default
<old_username> | The user account name you want to rename. |
<new_username> | The new user account name you want to change to. |
<user_name> | Enter the user name of an email user, such as |
 | Enter the type of email user account you want to add. See set type local and set type ldap. | ldap
 | Enter the display name of the local email user, such as |
 | Enter the password of the local email user. |
 | Enter the display name of the LDAP email user, such as |
 | Enter the name of an LDAP profile in which authentication queries are enabled. |
If you rename an existing user account to a new user account name, all of the user's preferences and mail data are ported to the new user. However, because the account name has changed, the new user will not be able to decrypt and read encrypted email that was sent to the old user name before the rename.