Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

profile session

Use this command to create session profiles.

While, like antispam profiles, session profiles protect against spam, session profiles focus on the connection and envelope portion of the SMTP session, rather than the message header, body, or attachments.

Similar to access control rules or delivery rules, session profiles control aspects of sessions in an SMTP connection.

Syntax

config profile session

edit <profile_name>

set block_encrypted {enable | disable}

set bypass-bounce-verification {enable | disable}

set check-client-ip-quick {enable | disable}

set conn-blocklisted {enable | disable}

set conn-concurrent <connections_int>

set conn-hiden {enable | disable}

set conn-idle-timeout <timeout_int>

set conn-total <connections_int>

set dkim-signing {enable | disable}

set dkim-signing-authenticated-only {enable | disable}

set dkim-validation {enable | disable}

set domain-key-validation {enable | disable}

set domain-key-validation {enable | disable}

set email-queue {default | incoming | no-preference | outgoing}

set endpoint-reputation {enable | disable}

set endpoint-reputation-action {reject | monitor}

set endpoint-reputation-blocklist-duration <duration_int>

set endpoint-reputation-blocklist-trigger <trigger_int>

set eom-ack {enable | disable}

set error-drop-after <errors_int>

set error-penalty-increment <penalty-increment_int>

set error-penalty-initial <penalty-initial_int>

set error-penalty-threshold <threshold_int>

set limit-NOOPs <limit_int>

set limit-RSETs <limit_int>

set limit-email <limit_int>

set limit-helo <limit_int>

set limit-max-header-size <limit_int>

set expire-inactivity <days_int>

set limit-recipient <limit_int>

set mail-route <profile_name>

set number-of-messages <limit_int>

set number-of-recipients <limit_int>

set recipient-blocklist-status {enable | disable}

set recipient-rewrite-map <profile_name>

set recipient-safelist-status {enable | disable}

set remote-log <profile_name>

set remove-current-headers {enable | disable}

set remove-headers {enable | disable}

set remove-received-headers {enable | disable}

set sender-blocklist-status {enable | disable}

set sender-reputation-reject-score <threshold_int>

set sender-reputation-status {enable | disable}

set sender-reputation-tempfail-score <threshold_int>

set sender-reputation-throttle-number <rate_int>

set sender-reputation-throttle-percentage <percentage_int>

set sender-reputation-throttle-score <threshold_int>

set sender-reputation-throttle-number <num_integer>

set sender-reputation-throttle-percentage <percentage_int>

set sender-reputation-throttle-score <threshold_int>

set sender-safelist-status {enable | disable}

set session-3way-check {enable | disable}

set session-allow-pipelining {no | loose | strict}

set session-command-checking {enable | disable}

set session-disallow-encrypted {enable | disable}

set session-helo-char-validation {enable | disable}

set session-helo-domain-check {enable | disable}

set session-helo-rewrite-clientip {enable | disable}

set session-helo-rewrite-custom {enable | disable}

set session-helo-rewrite-custom-string <helo_str>

set session-prevent-open-relay {enable | disable}

set session-recipient-domain-check {enable | disable}

set session-reject-empty-domain {enable | disable}

set session-sender-domain-check {enable | disable}

set spf-validation {enable | disable}

set splice-status {enable | disable}

set splice-threshold

set splice-unit {seconds | kilobytes}

config header-removal-list

edit <key_str>

config recipient-blocklist

edit <recipient_address_str>

config recipient-safelist

edit <recipient_address_str>

config sender-blocklist

edit <sender_address_str>

config sender-safelist

edit <sender_address_str>

next

end

Variable

Description

Default

<profile_name>

Enter the name of the session profile.

 

<key_str>

Enter a header key to remove it from email messages.

 

<recipient_address_str>

Enter a blocklisted recipient email address to which this profile is applied.

 

<recipient_address_str>

Enter a safelisted recipient email address to which this profile is applied.

 

<sender_address_str>

Enter a blocklisted sender email address to which this profile is applied.

 

<sender_address_str>

Enter a safelisted sender email address to which this profile is applied.

 

block_encrypted {enable | disable}

Enable to block TLS/MD5 commands so that email must pass unencrypted, enabling the FortiMail unit to scan the email for viruses and spam.

Disable to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail unit cannot scan encrypted email for viruses and spam.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

bypass-bounce-verification {enable | disable}

Select to, if bounce verification is enabled, omit verification of bounce address tags on incoming bounce messages.

This bypass does not omit bounce address tagging of outgoing email.

Alternatively, you can omit bounce verification according to the protected domain. For details, see config domain-setting.

For information on enabling bounce address tagging and verification (BATV), see antispam bounce-verification.

disable

check-client-ip-quick {enable | disable}

Enable to query the FortiGuard Antispam Service to determine if the IP address of the SMTP server is blocklisted. This action will happen during the connection phase.

In an antispam profile, you can also enable FortiGuard block-IP checking. But that action happens after the entire message has been received by FortiMail.

Therefore, if this feature is enabled in a session profile and the action is reject, the performance will be improved.

disable

conn-blocklisted {enable | disable}

Enable to prevent clients from using SMTP servers that have been blocklisted in antispam profiles or, if enabled, the FortiGuard AntiSpam service.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

conn-concurrent <connections_int>

Enter a limit to the number of concurrent connections per SMTP client. Additional connections are rejected.

To disable the limit, enter 0.

0

conn-hiden {enable | disable}

Enter either of the following transparency behaviors:

enable: Be transparent. Preserve the IP address or domain name in: the SMTP greeting (HELO/EHLO) in the envelope, the Received: Message headers of email messages, and the IP addresses in the IP header source and destination. This masks the existence of the FortiMail unit to the protected SMTP server.

disable: Do not be transparent. Replace the SMTP client’s IP addresses or domain names with that of the FortiMail unit.

This option applies only if the FortiMail unit is operating in transparent mode. For more information about the proxies and built-in MTA transparency, see the FortiMail Administration Guide.

Note: Unless you have enabled exclusive {enable | disable} in config policy delivery-control, the hide (tp-hidden {no | yes} ) option in config domain-setting has precedence over this option, and may prevent it from applying to incoming email messages.

Note: For full transparency, also set the hide (tp-hidden {no | yes} ) option in config domain-setting to yes.

disable

conn-idle-timeout <timeout_int>

Enter a limit to the number of seconds a client may be inactive before the FortiMail unit drops the connection.

For server mode, gateway mode, and transparent MTA mode, 0 means the default value 30 seconds.

For transparent proxy mode, 0 means no limit.

30

conn-rate-number <connections_int>

This is a rate limit to the number of messages sent per client IP address per time interval (the default value is 30 minutes).

You set the time interval using the command:

config antispam settings

set session-profile-rate-control-interval <minutes>

end

To disable the limit, enter 0.

0

conn-total <connections_int>

Enter a limit to the total number of concurrent connections from all sources.

To disable the limit, enter 0.

0

dkim-signing {enable | disable}

Enable to sign outgoing email with a DKIM signature.

This option requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers will not be able to validate your DKIM signature. For details on generating domain key pairs and publishing the public key, see the FortiMail Administration Guide.

disable

dkim-signing-authenticated-only {enable | disable}

Enable to sign outgoing email with a DKIM signature only if the sender is authenticated.

This option is available only if dkim-signing is enable.

disable

dkim-validation {enable | disable}

Enable to, if a DKIM signature is present, query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature.

An invalid signature increases the client sender reputation score and affect the deep header scan. A valid signature decreases the client sender reputation score.

If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation.

disable

domain-key-validation {enable | disable}

Enable if the DNS record for the domain name of the sender lists DomainKeys.

An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score.

If the DNS record for the domain name of the sender does not publish DomainKeys information, the FortiMail unit omits the DomainKeys client IP address validation.

disable

email-addr-rewrite-options {envelope-from | envelope-from-as-key | envelope-to | header-from | header-to | reply-to}

Specify which sender and recipient addresses to rewrite. For more details, see the session profile section in the FortiMail Administration Guide.

 

email-queue {default | incoming | no-preference | outgoing}

Enter the email queue to use for the matching sessions.

no-preference

endpoint-reputation {enable | disable}

Enable to accept, monitor, or reject email based upon endpoint reputation scores.

This option is designed for use with SMTP clients with dynamic IP addresses. It requires that your RADIUS server provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail unit. If this profile governs sessions of SMTP clients with static IP addresses, instead consider sender-reputation-status {enable | disable}.

disable

endpoint-reputation-action {reject | monitor}

Enter either:

reject: Reject email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed Auto blocklist score trigger value.

monitor: Log, but do not reject, email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed endpoint-reputation-blocklist-trigger value. Log entries appear in the history log.

reject

endpoint-reputation-blocklist-duration <duration_int>

Enter the number of minutes that an MSISDN/subscriber ID will be prevented from sending email or MMS messages after they have been automatically blocklisted.

0

endpoint-reputation-blocklist-trigger <trigger_int>

Enter the MSISDN reputation score over which the FortiMail unit will add the MSISDN/subscriber ID to the automatic blocklist.

The trigger score is relative to the period of time configured as the automatic blocklist window.

5

eom-ack {enable | disable}

Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete.

If the FortiMail unit has not yet completed antispam scanning by the time that four (4) minutes has elapsed, it will return SMTP reply code 451(Try again later), resulting in no permanent problems, as according to RFC 2281, the minimum timeout value should be 10 minutes. However, in rare cases where the server or client’s timeout is shorter than 4 minutes, the sending client or server could time-out while waiting for the FortiMail unit to acknowledge the EOM command. Enabling this option prevents those rare cases.

disable

error-drop-after <errors_int>

Enter the total number of errors the FortiMail unit will accept before dropping the connection.

5

error-penalty-increment <penalty-increment_int>

Enter the number of seconds by which to increase the delay for each error after the first delay is imposed.

1

error-penalty-initial <penalty-initial_int>

Enter the delay penalty in seconds for the first error after the number of “free" errors is reached.

1

error-penalty-threshold <threshold_int>

Enter the number of number of errors permitted before the FortiMail unit will penalize the SMTP client by imposing a delay.

1

limit-NOOPs <limit_int>

Enter the limit of NOOP commands that are permitted per SMTP session. Some spammers use NOOP commands to keep a long session alive. Legitimate sessions usually require few NOOPs.

Enter 0 to reset to the default value.

10

limit-RSETs <limit_int>

Enter the limit of RSET commands that are permitted per SMTP session. Some spammers use RSET commands to try again after receiving error messages such as unknown recipient. Legitimate sessions should require few RSETs.

To disable the limit, enter 0.

20

limit-email <limit_int>

Enter the limit of email messages per session to prevent mass mailing.

To disable the limit, enter 0.

10

limit-helo <limit_int>

Enter the limit of SMTP greetings that a connecting SMTP server or client can perform before the FortiMail unit terminates the connection. Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities, as a greater number of attempts results in a greater number of terminated connections, which must then be re-initiated.

Enter 0 to reset to the default value.

3

limit-max-header-size <limit_int>

Enter the limit of the message header size. If enabled, messages with headers over the threshold size are rejected.

32

limit-max-message-size <limit_int>

Enter the limit of message size in kilobytes (KB) . If enabled, messages over the threshold size are rejected.

Note: If both this option and max-message-size <limit_int> in the protected domain are enabled, email size will be limited to whichever size is smaller.

10240KB

limit-recipient <limit_int>

Enter the limit of recipients to prevent mass mailing.

500

mail-route <profile_name>

Enter a mail routing profile to be used in a session profile.

 

number-of-messages <limit_int>

Enter the number of message per client per time interval (the default value is 30 minutes).

You set the time interval using the command:

config antispam settings

set session-profile-rate-control-interval <minutes>

end

Enter 0 to disable the limit.

0

number-of-recipients <limit_int>

Enter the number jof recipients per client per time interval (the default value is 30 minutes).

You set the time interval using the command:

config antispam settings

set session-profile-rate-control-interval <minutes>

end

Enter 0 to disable the limit.

0

recipient-blocklist-status {enable | disable}

Enable to use an envelope recipient (RCPT TO:) blocklist in SMTP sessions to which this profile is applied, then define blocklisted email addresses using <recipient_address_str>.

disable

recipient-rewrite-map <profile_name>

Enter an address rewrite profile to be used in a session profile.

 

recipient-safelist-status {enable | disable}

Enable to use an envelope recipient (RCPT TO:) safelist in SMTP sessions to which this profile is applied, then define safelisted email addresses using <recipient_address_str>.

disable

remote-log <profile_name>

Enter a remote logging profile. Note that the remote logging profiles used here are the same as the system-wide remote logging profiles.

 

remove-current-headers {enable | disable}

Enable to remove headers that are inserted by the current unit.

Note: This command is enabled by default for backwards compatibility with related subcommands remove-headers and remove-received-headers.

enable

remove-headers {enable | disable}

Enable to remove other configured headers from email messages.

disable

remove-received-headers {enable | disable}

Enable to remove all Received: message headers from email messages.

 

disable

sender-blocklist-status {enable | disable}

Enable to use an envelope sender (MAIL FROM:) blocklist in SMTP sessions to which this profile is applied, then define the blocklisted email addresses using <sender_address_str>.

disable

sender-reputation-reject-score <threshold_int>

Enter a sender reputation score over which the FortiMail unit will return a rejection error code when the SMTP client attempts to initiate a connection.

This option applies only if sender-reputation-status {enable | disable} is enabled.

80

sender-reputation-status {enable | disable}

Enable to reject email based upon sender reputation scores.

disable

sender-reputation-tempfail-score <threshold_int>

Enter a sender reputation score over which the FortiMail unit will return a temporary failure error code when the SMTP attempts to initiate a connection.

This option applies only if sender-reputation-status {enable | disable} is enabled.

55

sender-reputation-throttle-number <rate_int>

Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.

5

sender-reputation-throttle-percentage <percentage_int>

Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the sender sent during the previous hour.

1

sender-reputation-throttle-score <threshold_int>

Enter the sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client.

The enforced rate limit is either sender-reputation-throttle-number <rate_int> or sender-reputation-throttle-percentage <percentage_int> whichever value is greater.

This option applies only if sender-reputation-status {enable | disable} is enabled.

15

sender-reputation-throttle-number <num_integer>

Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.

5

sender-reputation-throttle-percentage <percentage_int>

Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour.

1

sender-reputation-throttle-score <threshold_int>

Enter a sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client.

Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly.

35

sender-safelist-status {enable | disable}

Enable to use an envelope sender (MAIL FROM:) safelist in SMTP sessions to which this profile is applied, then define safelisted email addresses using <sender_address_str>.

disable

session-3way-check {enable | disable}

Enable to reject the email if the domain name in the SMTP greeting (HELO/EHLO) and recipient email address (RCPT TO:) match, but the domain name in the sender email address (MAIL FROM:) does not.

Mismatching domain names is sometimes used by spammers to mask the true identity of their SMTP client.

This check only affects unauthenticated sessions.

disable

session-allow-pipelining {no | loose | strict}

Select one of the following behaviors for ESMTP command pipelining, which causes some SMTP commands to be accepted and processed as a batch, increasing performance over high-latency connections.

no: Disabled. The FortiMail unit accepts only one command at a time during an SMTP session and will not accept the next command until it completes processing of the previous command.

loose: Enabled, and does not require strict compliance with RFC2920.

strict: Enabled, but requires strict compliance with RFC 2920.

This option applies only if the FortiMail unit is operating in transparent mode.

no

session-command-checking {enable | disable}

Enable to return SMTP reply code 503, rejecting the SMTP command, if the client or server uses SMTP commands that are syntactically incorrect.

EHLO or HELO, MAIL FROM:, RCPT TO: (can be multiple), and DATA commands must be in that order. AUTH, STARTTLS, RSET, NOOP commands can arrive at any time. Other commands, or commands in an unacceptable order, return a syntax error.

In the following example, the invalid commands are highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

RCPT TO:<user1@example.com>

503 5.0.0 Need MAIL before RCPT

disable

session-disallow-encrypted {enable | disable}

Enable to block TLS/MD5 commands so that email must pass unencrypted, enabling the FortiMail unit to scan the email for viruses and spam.

Clear to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail unit cannot scan encrypted email for viruses and spam.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

session-helo-char-validation {enable | disable}

Enable to return SMTP reply code 501, rejecting the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.

To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a genuine, valid domain name. If this option is enabled, such connections are rejected.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT

EHLO ^^&^&^#$

501 5.0.0 Invalid domain name

Valid characters for domain names include:

  • alphanumerics (A to Z and 0 to 9)
  • brackets ( [ and ] )
  • periods ( . )
  • dashes ( - )
  • underscores ( _ )
  • number symbols( # )
  • colons ( : )

disable

session-helo-domain-check {enable | disable}

Enable to return SMTP reply code 501, rejecting the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.

To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a genuine, valid domain name. If this option is enabled, such connections are rejected.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT

EHLO ^^&^&^#$

501 5.0.0 Invalid domain name

Valid domain characters include:

  • alphanumerics (A to Z and 0 to 9)
  • brackets ( [ and ] )
  • periods ( . )
  • dashes ( - )
  • underscores ( _ )
  • number symbols( # )
  • colons (:)

disable

session-helo-rewrite-clientip {enable | disable}

Enable to rewrite the HELO/EHLO domain to the IP address of the SMTP client to prevent domain name spoofing.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

session-helo-rewrite-custom {enable | disable}

Enable to rewrite the HELO/EHLO domain, then enter the replacement text using session-helo-rewrite-custom-string <helo_str>.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

session-helo-rewrite-custom-string <helo_str>

Enter the replacement text for the HELO/EHLO domain.

 

session-prevent-open-relay {enable | disable}

Enable to block unauthenticated outgoing connections to unprotected mail servers in order to prevent clients from using open relays to send email. If clients from your protected domains are permitted to use open relays to send email, email from your domain could be blocklisted by other SMTP servers.

This feature:

  • applies only if the FortiMail unit is operating in transparent mode,
  • only affects unauthenticated sessions, and
  • is applicable only if you allow clients to use an unprotected SMTP server for outgoing connections. For details, see mailsetting proxy-smtp.

disable

session-recipient-domain-check {enable | disable}

Enable to return SMTP reply code 550, rejecting the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

MAIL FROM:<user1@fortinet.com>

250 2.1.0 <user1@fortinet.com>... Sender ok

RCPT TO:<user2@example.com>

550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]

This check only affects unauthenticated sessions.

disable

session-reject-empty-domain {enable | disable}

Enable to return SMTP reply code 553, rejecting the SMTP command, if a domain name does not follow the “@" symbol in the sender email address.

Because the sender address is invalid and therefore cannot receive delivery status notifications (DSN), you may want to disable this feature.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2007 14:48:32 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.171.217], pleased to meet you

MAIL FROM:<john@>

553 5.1.3 <john@>... Hostname required

This check only affects unauthenticated sessions.

disable

session-sender-domain-check {enable | disable}

Enable o return SMTP reply code 421, rejecting the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

EHLO

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

MAIL FROM:<user1@example.com>

421 4.3.0 Could not resolve sender domain.

disable

spf-validation {enable | disable}

Enable to, if the sender domain DNS record lists SPF authorized IP addresses, compare the client IP address to the IP addresses of authorized senders in the DNS record.

An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score.

If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation.

disable

splice-status {enable | disable}

Enable to permit splicing.

Splicing enables the FortiMail unit to simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of a server timeout.

If the FortiMail unit detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

splice-threshold

<integer>

Enter a threshold value to switch to splice mode based on time (seconds) or data size (kilobytes) using splice-unit {seconds | kilobytes}.

This option applies only if the FortiMail unit is operating in transparent mode.

0

splice-unit {seconds | kilobytes}

Enter the time (seconds) or data size (kilobytes) for the splice threshold.

This option applies only if the FortiMail unit is operating in transparent mode.

seconds

Related topics

profile encryption

profile session

Use this command to create session profiles.

While, like antispam profiles, session profiles protect against spam, session profiles focus on the connection and envelope portion of the SMTP session, rather than the message header, body, or attachments.

Similar to access control rules or delivery rules, session profiles control aspects of sessions in an SMTP connection.

Syntax

config profile session

edit <profile_name>

set block_encrypted {enable | disable}

set bypass-bounce-verification {enable | disable}

set check-client-ip-quick {enable | disable}

set conn-blocklisted {enable | disable}

set conn-concurrent <connections_int>

set conn-hiden {enable | disable}

set conn-idle-timeout <timeout_int>

set conn-total <connections_int>

set dkim-signing {enable | disable}

set dkim-signing-authenticated-only {enable | disable}

set dkim-validation {enable | disable}

set domain-key-validation {enable | disable}

set domain-key-validation {enable | disable}

set email-queue {default | incoming | no-preference | outgoing}

set endpoint-reputation {enable | disable}

set endpoint-reputation-action {reject | monitor}

set endpoint-reputation-blocklist-duration <duration_int>

set endpoint-reputation-blocklist-trigger <trigger_int>

set eom-ack {enable | disable}

set error-drop-after <errors_int>

set error-penalty-increment <penalty-increment_int>

set error-penalty-initial <penalty-initial_int>

set error-penalty-threshold <threshold_int>

set limit-NOOPs <limit_int>

set limit-RSETs <limit_int>

set limit-email <limit_int>

set limit-helo <limit_int>

set limit-max-header-size <limit_int>

set expire-inactivity <days_int>

set limit-recipient <limit_int>

set mail-route <profile_name>

set number-of-messages <limit_int>

set number-of-recipients <limit_int>

set recipient-blocklist-status {enable | disable}

set recipient-rewrite-map <profile_name>

set recipient-safelist-status {enable | disable}

set remote-log <profile_name>

set remove-current-headers {enable | disable}

set remove-headers {enable | disable}

set remove-received-headers {enable | disable}

set sender-blocklist-status {enable | disable}

set sender-reputation-reject-score <threshold_int>

set sender-reputation-status {enable | disable}

set sender-reputation-tempfail-score <threshold_int>

set sender-reputation-throttle-number <rate_int>

set sender-reputation-throttle-percentage <percentage_int>

set sender-reputation-throttle-score <threshold_int>

set sender-reputation-throttle-number <num_integer>

set sender-reputation-throttle-percentage <percentage_int>

set sender-reputation-throttle-score <threshold_int>

set sender-safelist-status {enable | disable}

set session-3way-check {enable | disable}

set session-allow-pipelining {no | loose | strict}

set session-command-checking {enable | disable}

set session-disallow-encrypted {enable | disable}

set session-helo-char-validation {enable | disable}

set session-helo-domain-check {enable | disable}

set session-helo-rewrite-clientip {enable | disable}

set session-helo-rewrite-custom {enable | disable}

set session-helo-rewrite-custom-string <helo_str>

set session-prevent-open-relay {enable | disable}

set session-recipient-domain-check {enable | disable}

set session-reject-empty-domain {enable | disable}

set session-sender-domain-check {enable | disable}

set spf-validation {enable | disable}

set splice-status {enable | disable}

set splice-threshold

set splice-unit {seconds | kilobytes}

config header-removal-list

edit <key_str>

config recipient-blocklist

edit <recipient_address_str>

config recipient-safelist

edit <recipient_address_str>

config sender-blocklist

edit <sender_address_str>

config sender-safelist

edit <sender_address_str>

next

end

Variable

Description

Default

<profile_name>

Enter the name of the session profile.

 

<key_str>

Enter a header key to remove it from email messages.

 

<recipient_address_str>

Enter a blocklisted recipient email address to which this profile is applied.

 

<recipient_address_str>

Enter a safelisted recipient email address to which this profile is applied.

 

<sender_address_str>

Enter a blocklisted sender email address to which this profile is applied.

 

<sender_address_str>

Enter a safelisted sender email address to which this profile is applied.

 

block_encrypted {enable | disable}

Enable to block TLS/MD5 commands so that email must pass unencrypted, enabling the FortiMail unit to scan the email for viruses and spam.

Disable to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail unit cannot scan encrypted email for viruses and spam.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

bypass-bounce-verification {enable | disable}

Select to, if bounce verification is enabled, omit verification of bounce address tags on incoming bounce messages.

This bypass does not omit bounce address tagging of outgoing email.

Alternatively, you can omit bounce verification according to the protected domain. For details, see config domain-setting.

For information on enabling bounce address tagging and verification (BATV), see antispam bounce-verification.

disable

check-client-ip-quick {enable | disable}

Enable to query the FortiGuard Antispam Service to determine if the IP address of the SMTP server is blocklisted. This action will happen during the connection phase.

In an antispam profile, you can also enable FortiGuard block-IP checking. But that action happens after the entire message has been received by FortiMail.

Therefore, if this feature is enabled in a session profile and the action is reject, the performance will be improved.

disable

conn-blocklisted {enable | disable}

Enable to prevent clients from using SMTP servers that have been blocklisted in antispam profiles or, if enabled, the FortiGuard AntiSpam service.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

conn-concurrent <connections_int>

Enter a limit to the number of concurrent connections per SMTP client. Additional connections are rejected.

To disable the limit, enter 0.

0

conn-hiden {enable | disable}

Enter either of the following transparency behaviors:

enable: Be transparent. Preserve the IP address or domain name in: the SMTP greeting (HELO/EHLO) in the envelope, the Received: Message headers of email messages, and the IP addresses in the IP header source and destination. This masks the existence of the FortiMail unit to the protected SMTP server.

disable: Do not be transparent. Replace the SMTP client’s IP addresses or domain names with that of the FortiMail unit.

This option applies only if the FortiMail unit is operating in transparent mode. For more information about the proxies and built-in MTA transparency, see the FortiMail Administration Guide.

Note: Unless you have enabled exclusive {enable | disable} in config policy delivery-control, the hide (tp-hidden {no | yes} ) option in config domain-setting has precedence over this option, and may prevent it from applying to incoming email messages.

Note: For full transparency, also set the hide (tp-hidden {no | yes} ) option in config domain-setting to yes.

disable

conn-idle-timeout <timeout_int>

Enter a limit to the number of seconds a client may be inactive before the FortiMail unit drops the connection.

For server mode, gateway mode, and transparent MTA mode, 0 means the default value 30 seconds.

For transparent proxy mode, 0 means no limit.

30

conn-rate-number <connections_int>

This is a rate limit to the number of messages sent per client IP address per time interval (the default value is 30 minutes).

You set the time interval using the command:

config antispam settings

set session-profile-rate-control-interval <minutes>

end

To disable the limit, enter 0.

0

conn-total <connections_int>

Enter a limit to the total number of concurrent connections from all sources.

To disable the limit, enter 0.

0

dkim-signing {enable | disable}

Enable to sign outgoing email with a DKIM signature.

This option requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers will not be able to validate your DKIM signature. For details on generating domain key pairs and publishing the public key, see the FortiMail Administration Guide.

disable

dkim-signing-authenticated-only {enable | disable}

Enable to sign outgoing email with a DKIM signature only if the sender is authenticated.

This option is available only if dkim-signing is enable.

disable

dkim-validation {enable | disable}

Enable to, if a DKIM signature is present, query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature.

An invalid signature increases the client sender reputation score and affect the deep header scan. A valid signature decreases the client sender reputation score.

If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation.

disable

domain-key-validation {enable | disable}

Enable if the DNS record for the domain name of the sender lists DomainKeys.

An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score.

If the DNS record for the domain name of the sender does not publish DomainKeys information, the FortiMail unit omits the DomainKeys client IP address validation.

disable

email-addr-rewrite-options {envelope-from | envelope-from-as-key | envelope-to | header-from | header-to | reply-to}

Specify which sender and recipient addresses to rewrite. For more details, see the session profile section in the FortiMail Administration Guide.

 

email-queue {default | incoming | no-preference | outgoing}

Enter the email queue to use for the matching sessions.

no-preference

endpoint-reputation {enable | disable}

Enable to accept, monitor, or reject email based upon endpoint reputation scores.

This option is designed for use with SMTP clients with dynamic IP addresses. It requires that your RADIUS server provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail unit. If this profile governs sessions of SMTP clients with static IP addresses, instead consider sender-reputation-status {enable | disable}.

disable

endpoint-reputation-action {reject | monitor}

Enter either:

reject: Reject email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed Auto blocklist score trigger value.

monitor: Log, but do not reject, email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed endpoint-reputation-blocklist-trigger value. Log entries appear in the history log.

reject

endpoint-reputation-blocklist-duration <duration_int>

Enter the number of minutes that an MSISDN/subscriber ID will be prevented from sending email or MMS messages after they have been automatically blocklisted.

0

endpoint-reputation-blocklist-trigger <trigger_int>

Enter the MSISDN reputation score over which the FortiMail unit will add the MSISDN/subscriber ID to the automatic blocklist.

The trigger score is relative to the period of time configured as the automatic blocklist window.

5

eom-ack {enable | disable}

Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete.

If the FortiMail unit has not yet completed antispam scanning by the time that four (4) minutes has elapsed, it will return SMTP reply code 451(Try again later), resulting in no permanent problems, as according to RFC 2281, the minimum timeout value should be 10 minutes. However, in rare cases where the server or client’s timeout is shorter than 4 minutes, the sending client or server could time-out while waiting for the FortiMail unit to acknowledge the EOM command. Enabling this option prevents those rare cases.

disable

error-drop-after <errors_int>

Enter the total number of errors the FortiMail unit will accept before dropping the connection.

5

error-penalty-increment <penalty-increment_int>

Enter the number of seconds by which to increase the delay for each error after the first delay is imposed.

1

error-penalty-initial <penalty-initial_int>

Enter the delay penalty in seconds for the first error after the number of “free" errors is reached.

1

error-penalty-threshold <threshold_int>

Enter the number of number of errors permitted before the FortiMail unit will penalize the SMTP client by imposing a delay.

1

limit-NOOPs <limit_int>

Enter the limit of NOOP commands that are permitted per SMTP session. Some spammers use NOOP commands to keep a long session alive. Legitimate sessions usually require few NOOPs.

Enter 0 to reset to the default value.

10

limit-RSETs <limit_int>

Enter the limit of RSET commands that are permitted per SMTP session. Some spammers use RSET commands to try again after receiving error messages such as unknown recipient. Legitimate sessions should require few RSETs.

To disable the limit, enter 0.

20

limit-email <limit_int>

Enter the limit of email messages per session to prevent mass mailing.

To disable the limit, enter 0.

10

limit-helo <limit_int>

Enter the limit of SMTP greetings that a connecting SMTP server or client can perform before the FortiMail unit terminates the connection. Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities, as a greater number of attempts results in a greater number of terminated connections, which must then be re-initiated.

Enter 0 to reset to the default value.

3

limit-max-header-size <limit_int>

Enter the limit of the message header size. If enabled, messages with headers over the threshold size are rejected.

32

limit-max-message-size <limit_int>

Enter the limit of message size in kilobytes (KB) . If enabled, messages over the threshold size are rejected.

Note: If both this option and max-message-size <limit_int> in the protected domain are enabled, email size will be limited to whichever size is smaller.

10240KB

limit-recipient <limit_int>

Enter the limit of recipients to prevent mass mailing.

500

mail-route <profile_name>

Enter a mail routing profile to be used in a session profile.

 

number-of-messages <limit_int>

Enter the number of message per client per time interval (the default value is 30 minutes).

You set the time interval using the command:

config antispam settings

set session-profile-rate-control-interval <minutes>

end

Enter 0 to disable the limit.

0

number-of-recipients <limit_int>

Enter the number jof recipients per client per time interval (the default value is 30 minutes).

You set the time interval using the command:

config antispam settings

set session-profile-rate-control-interval <minutes>

end

Enter 0 to disable the limit.

0

recipient-blocklist-status {enable | disable}

Enable to use an envelope recipient (RCPT TO:) blocklist in SMTP sessions to which this profile is applied, then define blocklisted email addresses using <recipient_address_str>.

disable

recipient-rewrite-map <profile_name>

Enter an address rewrite profile to be used in a session profile.

 

recipient-safelist-status {enable | disable}

Enable to use an envelope recipient (RCPT TO:) safelist in SMTP sessions to which this profile is applied, then define safelisted email addresses using <recipient_address_str>.

disable

remote-log <profile_name>

Enter a remote logging profile. Note that the remote logging profiles used here are the same as the system-wide remote logging profiles.

 

remove-current-headers {enable | disable}

Enable to remove headers that are inserted by the current unit.

Note: This command is enabled by default for backwards compatibility with related subcommands remove-headers and remove-received-headers.

enable

remove-headers {enable | disable}

Enable to remove other configured headers from email messages.

disable

remove-received-headers {enable | disable}

Enable to remove all Received: message headers from email messages.

 

disable

sender-blocklist-status {enable | disable}

Enable to use an envelope sender (MAIL FROM:) blocklist in SMTP sessions to which this profile is applied, then define the blocklisted email addresses using <sender_address_str>.

disable

sender-reputation-reject-score <threshold_int>

Enter a sender reputation score over which the FortiMail unit will return a rejection error code when the SMTP client attempts to initiate a connection.

This option applies only if sender-reputation-status {enable | disable} is enabled.

80

sender-reputation-status {enable | disable}

Enable to reject email based upon sender reputation scores.

disable

sender-reputation-tempfail-score <threshold_int>

Enter a sender reputation score over which the FortiMail unit will return a temporary failure error code when the SMTP attempts to initiate a connection.

This option applies only if sender-reputation-status {enable | disable} is enabled.

55

sender-reputation-throttle-number <rate_int>

Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.

5

sender-reputation-throttle-percentage <percentage_int>

Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the sender sent during the previous hour.

1

sender-reputation-throttle-score <threshold_int>

Enter the sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client.

The enforced rate limit is either sender-reputation-throttle-number <rate_int> or sender-reputation-throttle-percentage <percentage_int> whichever value is greater.

This option applies only if sender-reputation-status {enable | disable} is enabled.

15

sender-reputation-throttle-number <num_integer>

Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.

5

sender-reputation-throttle-percentage <percentage_int>

Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour.

1

sender-reputation-throttle-score <threshold_int>

Enter a sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client.

Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly.

35

sender-safelist-status {enable | disable}

Enable to use an envelope sender (MAIL FROM:) safelist in SMTP sessions to which this profile is applied, then define safelisted email addresses using <sender_address_str>.

disable

session-3way-check {enable | disable}

Enable to reject the email if the domain name in the SMTP greeting (HELO/EHLO) and recipient email address (RCPT TO:) match, but the domain name in the sender email address (MAIL FROM:) does not.

Mismatching domain names is sometimes used by spammers to mask the true identity of their SMTP client.

This check only affects unauthenticated sessions.

disable

session-allow-pipelining {no | loose | strict}

Select one of the following behaviors for ESMTP command pipelining, which causes some SMTP commands to be accepted and processed as a batch, increasing performance over high-latency connections.

no: Disabled. The FortiMail unit accepts only one command at a time during an SMTP session and will not accept the next command until it completes processing of the previous command.

loose: Enabled, and does not require strict compliance with RFC2920.

strict: Enabled, but requires strict compliance with RFC 2920.

This option applies only if the FortiMail unit is operating in transparent mode.

no

session-command-checking {enable | disable}

Enable to return SMTP reply code 503, rejecting the SMTP command, if the client or server uses SMTP commands that are syntactically incorrect.

EHLO or HELO, MAIL FROM:, RCPT TO: (can be multiple), and DATA commands must be in that order. AUTH, STARTTLS, RSET, NOOP commands can arrive at any time. Other commands, or commands in an unacceptable order, return a syntax error.

In the following example, the invalid commands are highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

RCPT TO:<user1@example.com>

503 5.0.0 Need MAIL before RCPT

disable

session-disallow-encrypted {enable | disable}

Enable to block TLS/MD5 commands so that email must pass unencrypted, enabling the FortiMail unit to scan the email for viruses and spam.

Clear to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail unit cannot scan encrypted email for viruses and spam.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

session-helo-char-validation {enable | disable}

Enable to return SMTP reply code 501, rejecting the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.

To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a genuine, valid domain name. If this option is enabled, such connections are rejected.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT

EHLO ^^&^&^#$

501 5.0.0 Invalid domain name

Valid characters for domain names include:

  • alphanumerics (A to Z and 0 to 9)
  • brackets ( [ and ] )
  • periods ( . )
  • dashes ( - )
  • underscores ( _ )
  • number symbols( # )
  • colons ( : )

disable

session-helo-domain-check {enable | disable}

Enable to return SMTP reply code 501, rejecting the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.

To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a genuine, valid domain name. If this option is enabled, such connections are rejected.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT

EHLO ^^&^&^#$

501 5.0.0 Invalid domain name

Valid domain characters include:

  • alphanumerics (A to Z and 0 to 9)
  • brackets ( [ and ] )
  • periods ( . )
  • dashes ( - )
  • underscores ( _ )
  • number symbols( # )
  • colons (:)

disable

session-helo-rewrite-clientip {enable | disable}

Enable to rewrite the HELO/EHLO domain to the IP address of the SMTP client to prevent domain name spoofing.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

session-helo-rewrite-custom {enable | disable}

Enable to rewrite the HELO/EHLO domain, then enter the replacement text using session-helo-rewrite-custom-string <helo_str>.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

session-helo-rewrite-custom-string <helo_str>

Enter the replacement text for the HELO/EHLO domain.

 

session-prevent-open-relay {enable | disable}

Enable to block unauthenticated outgoing connections to unprotected mail servers in order to prevent clients from using open relays to send email. If clients from your protected domains are permitted to use open relays to send email, email from your domain could be blocklisted by other SMTP servers.

This feature:

  • applies only if the FortiMail unit is operating in transparent mode,
  • only affects unauthenticated sessions, and
  • is applicable only if you allow clients to use an unprotected SMTP server for outgoing connections. For details, see mailsetting proxy-smtp.

disable

session-recipient-domain-check {enable | disable}

Enable to return SMTP reply code 550, rejecting the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

MAIL FROM:<user1@fortinet.com>

250 2.1.0 <user1@fortinet.com>... Sender ok

RCPT TO:<user2@example.com>

550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]

This check only affects unauthenticated sessions.

disable

session-reject-empty-domain {enable | disable}

Enable to return SMTP reply code 553, rejecting the SMTP command, if a domain name does not follow the “@" symbol in the sender email address.

Because the sender address is invalid and therefore cannot receive delivery status notifications (DSN), you may want to disable this feature.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2007 14:48:32 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.171.217], pleased to meet you

MAIL FROM:<john@>

553 5.1.3 <john@>... Hostname required

This check only affects unauthenticated sessions.

disable

session-sender-domain-check {enable | disable}

Enable o return SMTP reply code 421, rejecting the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

EHLO

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

MAIL FROM:<user1@example.com>

421 4.3.0 Could not resolve sender domain.

disable

spf-validation {enable | disable}

Enable to, if the sender domain DNS record lists SPF authorized IP addresses, compare the client IP address to the IP addresses of authorized senders in the DNS record.

An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score.

If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation.

disable

splice-status {enable | disable}

Enable to permit splicing.

Splicing enables the FortiMail unit to simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of a server timeout.

If the FortiMail unit detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name.

This option applies only if the FortiMail unit is operating in transparent mode.

disable

splice-threshold

<integer>

Enter a threshold value to switch to splice mode based on time (seconds) or data size (kilobytes) using splice-unit {seconds | kilobytes}.

This option applies only if the FortiMail unit is operating in transparent mode.

0

splice-unit {seconds | kilobytes}

Enter the time (seconds) or data size (kilobytes) for the splice threshold.

This option applies only if the FortiMail unit is operating in transparent mode.

seconds

Related topics

profile encryption