Configuring session profiles
Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see About administrator account permissions and domains.
To configure session profiles
- Go to Profile > Session > Session.
- Click New to add a profile or double-click a profile to modify it.
- For a new session profile, type the name in Profile name. The profile name is editable later.
- Configure the following sections as needed:
  - Configuring connection settings
  - Configuring sender reputation options
  - Configuring endpoint reputation options
  - Configuring sender validation options
  - Configuring session settings
  - Configuring unauthenticated session settings
  - Configuring SMTP limit options
  - Configuring error handling options
  - Configuring header manipulation options
  - Configuring list options
  - Configuring advanced MTA control settings
Configuring connection settings
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Expand the Connection Setting section if needed. The options vary with the operation mode.
- Configure the following options to restrict the number and duration of connections to the FortiMail unit. When any of these limits are exceeded, the FortiMail unit blocks further connections.
| GUI item | Description |
|---|---|
| Hide this box from the mail server (transparent mode only) | Enable to preserve the IP address or domain name of the SMTP client in: This masks the existence of the FortiMail unit to the protected SMTP server. Disable to replace the SMTP client’s IP addresses or domain names with that of the FortiMail unit. Note: Unless you enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain supersedes this option, and may prevent it from applying to incoming email messages. Note: For full transparency, also enable Hide the transparent box. |
| Restrict the number of connections per client per 30 minutes to | Specify the maximum connections per client IP address in a period of 30 minutes. 0 means no limit. |
| Restrict the number of messages per client per 30 minutes to | Specify the maximum email messages (number of MAIL FROM) a client can send in a period of 30 minutes. 0 means no limit. |
| Restrict the number of recipients per client per 30 minutes to | Specify the maximum recipients (number of RCPT TO) a client can send email to for a period of 30 minutes. 0 means no limit. |
| Maximum concurrent connections for each client | Enter the maximum number of concurrent connections per client. 0 means no limit. |
| Connection idle timeout (seconds) | Enter a limit to the number of seconds a client may be idle before the FortiMail unit drops the connection. For server mode, gateway mode, and transparent MTA mode, 0 means the default value 30 seconds. For transparent proxy mode, 0 means no limit. |
| Do not let client connect to blocklisted SMTP servers (transparent mode only) | Enable to prevent clients from connecting to SMTP servers that have been blocklisted in antispam profiles or, if enabled, the FortiGuard AntiSpam service. Note: This option applies only if you have enabled Use client-specified SMTP server to send email, and only for outgoing connections. |
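Before enforcing the three per-client, per-30-minute limits above, it helps to measure what legitimate clients actually do. The following is an added example, not FortiMail code: it replays SMTP events and reports each client's peak count in any 30-minute period and the moment a trial limit would first be exceeded. The log format, event names and addresses are constructed, and a sliding 30-minute window is assumed because the page does not say how the period is measured.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # the per-client period used by the three limits

# Constructed sample events (not FortiMail's log format): timestamp, client IP, event.
# CONNECT = new connection, MAIL = MAIL FROM, RCPT = RCPT TO.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.10 CONNECT
2024-05-01T10:00:01 198.51.100.10 MAIL
2024-05-01T10:00:02 198.51.100.10 RCPT
2024-05-01T10:05:00 203.0.113.7 CONNECT
2024-05-01T10:05:01 203.0.113.7 MAIL
2024-05-01T10:05:02 203.0.113.7 RCPT
2024-05-01T10:05:03 203.0.113.7 RCPT
2024-05-01T10:05:04 203.0.113.7 RCPT
2024-05-01T10:06:00 203.0.113.7 MAIL
2024-05-01T10:06:01 203.0.113.7 RCPT
2024-05-01T10:06:02 203.0.113.7 RCPT
2024-05-01T10:20:00 203.0.113.7 CONNECT
2024-05-01T10:40:00 198.51.100.10 CONNECT
2024-05-01T10:40:01 198.51.100.10 MAIL
2024-05-01T10:40:02 198.51.100.10 RCPT
"""


def parse_events(text):
    """Return (timestamp, client, kind) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, kind = line.split()
        events.append((datetime.fromisoformat(stamp), client, kind))
    return sorted(events, key=lambda e: e[0])


def window_counts(events):
    """Yield (timestamp, client, kind, count), where count is how many events
    of that kind the client produced in the 30 minutes ending at timestamp."""
    recent = defaultdict(deque)
    for stamp, client, kind in events:
        queue = recent[(client, kind)]
        queue.append(stamp)
        while stamp - queue[0] >= WINDOW:  # forget events older than the window
            queue.popleft()
        yield stamp, client, kind, len(queue)


def peak_rates(events):
    """Highest 30-minute count seen per (client, kind); use it to size limits."""
    peaks = {}
    for _, client, kind, count in window_counts(events):
        key = (client, kind)
        peaks[key] = max(peaks.get(key, 0), count)
    return peaks


def first_exceeded(events, limits):
    """Map (client, kind) to the first time the count went over its limit.
    As in the profile, a limit of 0 means no limit."""
    hits = {}
    for stamp, client, kind, count in window_counts(events):
        limit = limits.get(kind, 0)
        if limit and count > limit and (client, kind) not in hits:
            hits[(client, kind)] = stamp
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for (client, kind), peak in sorted(peak_rates(events).items()):
        print(f"{client:15} {kind:8} peak per 30 min: {peak}")
    trial = {"CONNECT": 0, "MAIL": 1, "RCPT": 4}  # constructed trial limits
    for (client, kind), when in sorted(first_exceeded(events, trial).items()):
        print(f"{client} would exceed the {kind} limit at {when.isoformat()}")
```

The second client at 198.51.100.10 sends again 40 minutes later and is not flagged, because its earlier events have aged out of the window.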
Configuring sender reputation options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
You can also view the sender reputation statuses by going to Monitor > Sender Reputation. See Viewing sender reputation statuses.
To configure sender reputation options
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click to expand Sender Reputation.
Sender reputation is a predominantly automatic antispam feature, requiring little or no maintenance. For each connecting SMTP client (sometimes called a sender), the sender reputation feature records the sender IP address and the number of good email and bad email from the sender.
In this case, bad email is defined as:
- Spam
- Virus-infected
- Unknown recipients
- Invalid DKIM
- Failed SPF check

Sender reputation scores can be affected by sender validation results.
Enabling sender reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.
| GUI item | Description |
|---|---|
| | Enable to accept or reject email based upon sender reputation scores. The following options have no effect unless this option is enabled. This option may not function well for SMTP clients with dynamic IP addresses. Instead, consider Enable Endpoint Reputation. |
| Throttle client at | Enter a sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client. Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly. The enforced rate limit is either Restrict number of emails per hour to n or Restrict email to n percent of the previous hour, whichever value is greater. After the sender reaches the limit, no more incoming email will be accepted. |
| Restrict number of emails per hour to | Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client. |
| Restrict email to ... percent of the previous hour | Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour. |
| Temporarily fail client at | Enter a sender reputation score over which the FortiMail unit will return a temporary failure error when the SMTP client attempts to initiate a connection. Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly. |
| Reject client at | Enter a sender reputation score over which the FortiMail unit will reject the email and reply to the SMTP client with SMTP reply code 550 when the SMTP client attempts to initiate a connection. Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly. |
| FortiGuard IP reputation check | |
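How the three score thresholds and the two throttle settings combine is easiest to check with a small model. This is an added example, not FortiMail code: the class, function names and numeric values are hypothetical, and it assumes that the most severe exceeded threshold wins (reject, then temporary failure, then throttle) and that the percentage is rounded down.

```python
from dataclasses import dataclass


@dataclass
class SenderReputationProfile:
    """Hypothetical container for the Sender Reputation fields; 0 disables each."""
    throttle_at: int = 0           # "Throttle client at"
    tempfail_at: int = 0           # "Temporarily fail client at"
    reject_at: int = 0             # "Reject client at"
    emails_per_hour: int = 0       # "Restrict number of emails per hour to"
    percent_of_prev_hour: int = 0  # "Restrict email to ... percent of the previous hour"


def throttle_limit(profile, prev_hour_count):
    """Hourly cap for a throttled client: the greater of the two settings."""
    by_percent = prev_hour_count * profile.percent_of_prev_hour // 100  # rounding down is assumed
    return max(profile.emails_per_hour, by_percent)


def decide(profile, score, prev_hour_count, this_hour_count):
    """Return the action for a client with this reputation score.

    A threshold applies only when it is non-zero and the score is over it.
    Precedence between thresholds is an assumption of this example.
    """
    def over(threshold):
        return threshold > 0 and score > threshold

    if over(profile.reject_at):
        return "reject (550)"
    if over(profile.tempfail_at):
        return "temporary failure"
    if over(profile.throttle_at):
        # Once the client reaches the cap, no more mail is accepted this hour.
        if this_hour_count >= throttle_limit(profile, prev_hour_count):
            return "throttled: refuse"
        return "throttled: accept"
    return "accept"


# Constructed values, chosen only to exercise each branch.
PROFILE = SenderReputationProfile(
    throttle_at=35, tempfail_at=55, reject_at=80,
    emails_per_hour=5, percent_of_prev_hour=1,
)

if __name__ == "__main__":
    # A client that sent 1000 messages last hour gets the percentage cap (10),
    # while one that sent 100 gets the fixed cap (5).
    for prev in (1000, 100):
        print(prev, "->", throttle_limit(PROFILE, prev))
    for score in (35, 40, 60, 81):
        print(score, "->", decide(PROFILE, score, 1000, 9))
```

Because the greater of the two values is enforced, a high-volume sender can be allowed more than the fixed per-hour number while throttled, which is worth checking when choosing the percentage.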
Configuring endpoint reputation options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Endpoint Reputation.
- Configure the following:

The Endpoint Reputation settings let you restrict, based upon its endpoint reputation score, the ability of an MSISDN or subscriber ID to send email or MM3 multimedia messaging service (MMS) messages from a mobile device. The MSISDN reputation score is similar to a sender reputation score.
For more on endpoint reputation-based behavior, see About endpoint reputation.
Enabling endpoint reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.

| GUI item | Description |
|---|---|
| | Enable to accept, monitor, or reject email based upon endpoint reputation scores. This option is designed for use with SMTP clients with dynamic IP addresses. It requires that your RADIUS server provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail unit. If this profile governs sessions of SMTP clients with static IP addresses, instead see Configuring sender reputation options. |
| | Select either:<br>Reject: Reject email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed the Auto blocklist score trigger value.<br>Monitor: Log, but do not reject, email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed the Auto blocklist score trigger value. Entries appear in the history log. |
| | Enter the MSISDN reputation score over which the FortiMail unit will add the MSISDN/subscriber ID to the automatic blocklist. The trigger score is relative to the period of time configured as the automatic blocklist window. For more information on the automatic blocklist window, see Configuring the endpoint reputation score window. |
| Auto blocklist duration | Enter the number of minutes that an MSISDN/subscriber ID will be prevented from sending email or MMS messages after they have been automatically blocklisted. |
Configuring sender validation options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Sender Validation. Configure the settings to confirm sender and message.
- Configure the following:
DomainKeys validation is a predecessor of DKIM and works in the same way. Because some domains still use DomainKeys validation, it is provided for backward compatibility.
Failure to validate does not guarantee that an email is spam, just as successful validation does not guarantee that an email is not spam, but it may help to indicate spam. Validation results are used to adjust the sender reputation scores, MSISDN reputation scores, and deep header scans.
Enabling sender validation can improve performance by rejecting invalid senders before more resource-intensive antispam scans are performed.

| GUI item | Description |
|---|---|
| | If the sender domain DNS record lists SPF authorized IP addresses, use SPF check to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408). An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score. If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation. Note: No SPF check is performed for direct connections from RFC 1918 private IP addresses. Note: If you select to Bypass SPF checking in the session profile, SPF checking will be bypassed even though you enable it in the antispam profile. Note: Before FortiMail 4.3.1 release, only SPF hardfailed |
| Enable DKIM check | If a DKIM signature is present (RFC 4871), enable this to query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature. An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score. If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation. |
| | Enable to sign outgoing email with a DKIM signature. This option requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers cannot validate your DKIM signature. For details on generating domain key pairs and publishing the public key, see DKIM Setting. Before 6.2.0 release, Envelope From domain is used for DKIM signatures. After 6.2.0 release, Header From domain is used instead. If there is no DKIM key for the Header From domain, then the key for the Envelope From domain will be used. Note: Outbound quarantined email messages will not be DKIM signed when they are released. |
| | Enable to sign outgoing email with a DKIM signature only if the sender is authenticated. |
| Enable domain key check | If a DomainKey signature is present, use this option to query the DNS server for the sender’s domain name to retrieve its public key to decrypt and verify the DomainKey signature. An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score. If the sender domain DNS record does not include DomainKey information or the message is not signed, the FortiMail unit omits the DomainKey signature validation. |
| | If bounce verification is enabled, enable to omit verification of bounce address tags on incoming bounce messages. This bypass does not omit bounce address tagging of outgoing messages. For more information, see Configuring bounce verification and tagging. |
| Sender address verification with LDAP | Enable to verify sender email addresses on an LDAP server. Also select an LDAP profile from the dropdown list, or click New to create a new one. For details about LDAP profiles, see Configuring LDAP profiles. |
Configuring session settings
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Session Setting.
- Configure the following:
| GUI item | Description |
|---|---|
| Session action | Select an action profile or click New to create a new one. The session action profile uses the content action profile. For more information about actions, see Configuring content action profiles. |
| Message selection | The action can be applied to All messages or Accepted messages only. For example, for header manipulation, tagging, and some other actions, you can choose to apply them to accepted messages only. |
| Reject EHLO/HELO commands with invalid characters in the domain | Enable to return SMTP reply code 501, and to reject the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters. To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a valid domain name. The following example shows invalid command in bold italics:<br>`220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT`<br>`EHLO ^^&^&^#$`<br>`501 5.0.0 Invalid domain name`<br>Valid characters for domain names include: |
| Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address (transparent mode only) | Enable to rewrite the domain name in the SMTP greeting ( |
| Rewrite EHLO/HELO domain to (transparent mode only) | Enable to rewrite the domain name in the SMTP greeting ( |
| Prevent encryption of the session (transparent mode only) | Enable to block Caution: Disable this option only if you trust that SMTP clients connecting using TLS through the FortiMail unit will not be sources of viruses or spam. FortiMail units operating in transparent mode cannot scan encrypted connections traveling through them. Disabling this option could thereby permit viruses and spam to travel through the FortiMail unit. |
| Allow pipelining for the session (transparent mode only) | Enable to allow SMTP command pipelining. This lets multiple SMTP commands be accepted and processed simultaneously, improving performance for high-latency connections. Disable to allow the SMTP client to send only a single command at a time during an SMTP session. |
| (transparent mode only) | Enable to limit pipelining support to strict compliance with RFC 2920, SMTP Service Extension for Command Pipelining. This option is effective only if Allow pipelining for the session is enabled. |
| Perform strict syntax checking | Enable to return SMTP reply code 503, and to reject an SMTP command, if the client or server uses SMTP commands that are syntactically incorrect. The following example shows invalid command in bold italics: |
| Switch to SPLICE mode after (transparent mode only) | Enable to use splice mode. Enter a threshold value based on time (seconds) or data size (kilobytes). Splice mode lets the FortiMail unit simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of server timeout. If it detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name. |
| ACK EOM before AntiSpam check | Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete. If the FortiMail unit does not complete antispam scanning within 4 minutes, it returns SMTP reply code |
Configuring unauthenticated session settings
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Unauthenticated Session Setting.
- Configure the following:
| GUI item | Description |
|---|---|
| Check HELO/EHLO domain | Enable to return SMTP reply code 501, and reject the SMTP command, if the domain name accompanying the SMTP greeting is not a domain name that exists in either MX or A records. In the following example, the invalid command is highlighted in bold:<br>`220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT`<br>`EHLO example.com`<br>The following example shows the invalid command in bold italics:<br>`220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500`<br>`ehlo abc.qq`<br>`250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you`<br>`250-ENHANCEDSTATUSCODES`<br>`250-PIPELINING`<br>`250-8BITMIME`<br>`250-SIZE 10485760`<br>`250-DSN`<br>`250-AUTH LOGIN PLAIN`<br>`250-STARTTLS`<br>`250-DELIVERBY`<br>`250 HELP`<br>`mail from:aaa@333`<br>`550 5.5.0 Invalid EHLO/HELO domain.`<br>`quit`<br>`221 2.0.0 FortiMail-400.localdomain closing connection`<br>`Connection closed by foreign host.` |
| | Enable to return SMTP reply code 421, and reject the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records. The following example shows the invalid command in bold italics:<br>`220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT`<br>`EHLO`<br>`250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you`<br>`MAIL FROM:<user1@example.com>`<br>`421 4.3.0 Could not resolve sender domain.` |
| | Enable to return SMTP reply code 550, and reject the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records. The following example shows the invalid command in bold italics:<br>`220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT`<br>`EHLO example.com`<br>`250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you`<br>`MAIL FROM:<user1@fortinet.com>`<br>`250 2.1.0 <user1@fortinet.com>... Sender ok`<br>`RCPT TO:<user2@example.com>`<br>`550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]` |
| | Enable to return SMTP reply code 553, and reject the SMTP command, if the HELO/EHLO greeting does not have a domain, or the sender address ( The following example shows the invalid command in bold italics:<br>`220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500`<br>`ehlo`<br>`250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you`<br>`250-ENHANCEDSTATUSCODES`<br>`250-PIPELINING`<br>`250-8BITMIME`<br>`250-SIZE 10485760`<br>`250-DSN`<br>`250-AUTH LOGIN PLAIN`<br>`250-STARTTLS`<br>`250-DELIVERBY`<br>`250 HELP`<br>`mail from:aaa@333`<br>`550 5.5.0 Empty EHLO/HELO domain.`<br>`quit`<br>`221 2.0.0 FortiMail-400.localdomain closing connection` |
| (transparent mode only) | Enable to prevent clients from using open relays to send email by blocking sessions that are unauthenticated (unauthenticated sessions are assumed to be occurring to an open relay). If you permit SMTP clients to use open relays to send email, email from your domain could be blocklisted by other SMTP servers. This option is effective only if you have enabled Use client-specified SMTP server to send email for outgoing mail. Otherwise, the FortiMail unit forces clients to use the gateway you have defined as a relay server (see Configuring SMTP relay hosts), if any, or the MTA of the domain name in the recipient email address ( |
| Reject if recipient and helo domain match but sender domain is different | Enable to reject the email if the domain name in the SMTP greeting ( Mismatching domain names is sometimes used by spammers to mask the true identity of their SMTP client. |
Configuring SMTP limit options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand SMTP Limits.
- Configure the following:
Setting any of these values to 0 disables the limit.
| GUI item | Description |
|---|---|
| Restrict number of EHLO/HELOs per session to | Enter the limit of SMTP greetings that a connecting SMTP server or client can perform before the FortiMail unit terminates the connection. Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities (more attempts result in a greater number of terminated connections, which must then be re-initiated). |
| Restrict number of emails per session to | Enter the limit of email messages per session to prevent mass mailing. |
| Restrict number of recipients per email to | Enter the limit of recipients to prevent mass mailing. |
| | Enter the limit of the message size. Messages over the threshold size are rejected. Note: When you configure domain settings under Domain & User > Domain, you can also set the message size limit. Here is how the two settings work together: |
| Cap header size (KB) at | Enter the limit of the message header size. Messages with headers over the threshold size are rejected. |
| Maximum number of NOOPs allowed for each connection | Enter the limit of |
| Maximum number of RSETs allowed for each connection | Enter the limit of |
Configuring error handling options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Error Handling.
- Configure the following:
Configure Error Handling to specify how the FortiMail unit should handle connections from SMTP clients that are error-prone. Errors sometimes indicate attempts to misuse the server. You can impose delays or drop connections if there are errors. Setting any of these values to 0 disables the limit.
Configuring error handling can improve performance by dropping connections with error-prone SMTP clients.

| GUI item | Description |
|---|---|
| Number of 'free' errors allowed for each client | Enter the number of errors permitted before the FortiMail unit imposes a delay. |
| Delay for the first non-free error (seconds) | Enter the delay time for the first error after the number of free errors is reached. |
| Delay increment for subsequent errors (seconds) | Enter the number of seconds by which to increase the delay for each error after the first delay is imposed. |
| Maximum number of errors allowed for each connection | Enter the total number of errors the FortiMail unit accepts before dropping the connection. By default, five errors are permitted before the FortiMail unit drops the connection. |
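To see what a given combination of the four error-handling values costs an error-prone client, the delay schedule can be written out. This is an added example, not FortiMail code: the function names and sample values are hypothetical, and it assumes that a free-error value of 0 means no delay is ever imposed and that the connection is dropped on the first error after the maximum has been accepted.

```python
def error_schedule(free_errors, first_delay, increment, max_errors, errors):
    """Outcome of each of `errors` consecutive SMTP errors on one connection.

    Each entry is the delay in seconds imposed for that error, or the string
    "drop" when the connection is closed; nothing is listed after a drop.
    A value of 0 disables the corresponding limit (this example's reading of
    "Setting any of these values to 0 disables the limit").
    """
    outcomes = []
    for n in range(1, errors + 1):
        if max_errors and n > max_errors:
            outcomes.append("drop")  # assumed: the error after the maximum drops
            break
        if free_errors == 0 or n <= free_errors:
            outcomes.append(0)       # still within the free allowance
        else:
            # First non-free error gets first_delay, each later one adds increment.
            outcomes.append(first_delay + (n - free_errors - 1) * increment)
    return outcomes


def seconds_stalled(outcomes):
    """Total time the client spends waiting before it is dropped or gives up."""
    return sum(item for item in outcomes if item != "drop")


if __name__ == "__main__":
    # Constructed values: 1 free error, 5 s first delay, +1 s per further error,
    # and the five-error maximum the page gives as the default.
    schedule = error_schedule(1, 5, 1, 5, errors=10)
    print(schedule, "total stall:", seconds_stalled(schedule), "s")
    # With the maximum disabled the delay keeps growing instead of dropping.
    print(error_schedule(2, 3, 2, 0, errors=5))
```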
Configuring header manipulation options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Header Manipulation.
- Configure the following:
Email processing software and hardware can add extra lines to the message header of each email message. When multiple lines are added, this can significantly increase the size of the email message. You can configure header manipulation settings to reduce the number of message headers.
| GUI item | Description |
|---|---|
| | Enable to remove all You can alternatively remove this header on a per-domain basis. For details, see Remove received header of outgoing email. |
| Remove headers | Enable to remove other configured headers from email messages, then click Edit to configure which headers should be removed. |
| Remove headers inserted by this unit | Enable to remove the headers that are inserted by this FortiMail unit. The above two options are to remove headers inserted by previous MTAs. |
Configuring list options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Lists.
- Configure the following:
Configure the sender and recipient block lists and safe lists, if any, to use with the session profile. Block and safe lists are separate for each session profile, and apply only to traffic controlled by the IP-based policy to which the session profile is applied.
Email addresses in each block list or safe list are arranged in alphabetical order. For more information on how blocklisted email addresses are handled, see Order of execution of block lists and safe lists.
If you require regular expression support for safelisting and blocklisting sender and recipient email addresses in the envelope, do not configure safe and block lists in the session profile. Instead, configure access control rules and message delivery rules. For more information, see Managing the address book (server mode only).

| GUI item | Description |
|---|---|
| Enable sender safe list checking | Enable to check the sender addresses in the email envelope ( |
| Enable sender block list checking | Enable to check the sender addresses in the email envelope ( |
| Allow recipients on this list | Enable to check the recipient addresses in the email envelope ( |
| Disallow recipients on this list | Enable to check the recipient addresses in the email envelope ( |
Configuring advanced MTA control settings
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.
In addition to global MTA settings, you can configure the following MTA settings in a session profile. These session-specific MTA settings will overwrite the global settings configured elsewhere.
By default, this feature is hidden. To use this feature, you must enable it by using the following CLI command:
```
config system global
    set mta-adv-ctrl-status enable
end
```
After this feature is enabled, the following options will appear in the session profile settings. In addition, four new tabs (Address Rewrite, Mail Routing, Access Control, and DSN) will also appear under Profile > Session.
- Go to Profile > Session > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Advanced Control.
- Configure the following:
| GUI item | Description |
|---|---|
| Email queue | Select which email queue to use for the matching sessions. For other general queue settings, see Configuring mail queue setting. |
| Rewrite sender address | Select an Address Rewrite profile to rewrite the sender address and specify which sender address to rewrite: Envelope From, Header From, or Header Reply-to. Select Use Envelope From value for selected headers if you want to use the Envelope From value to rewrite the Header From and/or Header Reply-to. Click New to create a new profile. For details about configuring Address Rewrite profiles, see Configuring address rewrite profiles in the session profile. |
| Rewrite recipient address | Select an Address Rewrite profile to rewrite the recipient address and specify which recipient address to rewrite: Envelope recipient or Header To and CC. Note that if you set to deliver or quarantine the unmodified copy of email when you configure the action profile preferences, the envelope recipient/RCPT TO will still be rewritten. Click New to create a new profile. For details about configuring Address Rewrite profiles, see Configuring address rewrite profiles in the session profile. |
| Mail routing | Select a mail routing profile or click New to create one. For details about creating mail routing profiles, see Configuring mail routing profiles in a session profile. |
| Access control | Select an access control profile or click New to create one. For details, see Configuring access control profiles in a session profile. |
| DSN | Select a DSN profile or click New to create one. For details, see Configuring DSN profiles in a session profile. |
| Remote logging | Select a remote logging profile or click New to create one. Note that the remote logging profiles used here are the same as the system-wide remote logging profiles. For details, see Configuring logging to a Syslog server or FortiAnalyzer unit. |
Configuring address rewrite profiles in the session profile
If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Address Rewrite tab will appear.
To configure an address rewrite profile to be used in a session profile
- Go to Profile > Session > Address Rewrite.
- Click New.
- Enter a profile name.
- Click New to enter the address rewrite rules.
- For Rewrite type, select Local if you are configuring direct rewrite from the original address to another specific address. Then specify the original address and the address you want to rewrite to. If you want to keep the local part or the domain part of the original address, click Insert Variable to insert the variable for the local part or the domain part.
- Select LDAP if you want to rewrite the original address to the user’s external email address and display name that are stored on an LDAP server when the email “Envelope From”, “Header From”, or “Reply-to” matches a sender rewrite pattern. Then specify the original address and the LDAP profile. For information about LDAP server configuration, see Configuring address mapping options.
Configuring mail routing profiles in a session profile
If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Mail Routing tab will appear.
To configure a mail routing profile to be used in a session profile
- Go to Profile > Session > Mail Routing.
- Click New.
- Enter a profile name.
- Click New to configure the mail routing settings.
- In the popup window, specify the sender pattern, recipient pattern and the relay type:
  - Host: Relay the matched sessions to the specified SMTP server.
  - MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
  - MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also specify the alternate domain name.
Configuring access control profiles in a session profile
If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Access Control tab will appear.
To configure an access control profile to be used in a session profile
- Go to Profile > Session > Access Control.
- Click New.
- Enter a profile name.
- Click New to configure the access control rule.
- In the popup window, configure the rule settings. These settings are identical to the system-wide access control rule settings. For details, see Configuring access control rules.
- Click Create.
Configuring DSN profiles in a session profile
If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the DSN tab will appear. Configure this setting to overwrite the global setting configured in Configuring mail queue setting.
To configure a DSN profile to be used in a session profile
- Go to Profile > Session > DSN.
- Click New.
- Enter a profile name.
- Specify if you want to send DSN email and the maximum number of retries.
- Click Create.