Fortinet black logo

CLI Reference

policy recipient

policy recipient

Use this command to create recipient-based policies based on the inbound or outbound directionality of an email message with respect to the protected domain.

Syntax

config policy recipient

edit <policy_int>

set auth-access-options {pop3 | smtp-auth | smtp-diff-identity | web}

set certificate-required {yes | no}

set comment <comment>

set direction {incoming | outgoing}

set pkiauth {enable | disable}

set pkiuser <user_str>

set profile-antispam <antispam-profile_name>

set profile-antivirus <antivirus-profile_name>

set profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

set profile-content <content-profile_name>

set profile-dlp <profile_name>

set profile-ldap <ldap-profile_name>

set profile-resource <profile_name>

set recipient-domain <domain_str>

set recipient-name <local-part_str>

set recipient-pattern-regex <string>

set recipient-type {email-address-group | ldap-group | regexp | user}

set sender-domain <domain_str>

set sender-name <local-part_str>

set sender-pattern-regex <string>

set sender-type {email-address-group | ldap-group | regexp | user}

set smtp-diff-identity {enable | disable}

set smtp-diff-identity-ldap {enable | disable}

set smtp-diff-identity-ldap-profile <profile_name>

set status {enable | disable}

end

Variable

Description

Default

<policy_int>

Enter the index number of the recipient-based policy.

auth-access-options {pop3 | smtp-auth | smtp-diff-identity | web}

Enter the method that email users matching this policy use to retrieve the contents of their per-recipient spam quarantine.

pop3: Allow the email user to use POP3 to retrieve the contents of their per-recipient spam quarantine.

smtp-auth: Use the authentication server selected in the authentication profile when performing SMTP authentication for connecting SMTP clients.

smtp-diff-identity: Allow email when the SMTP client authenticates with a different user name than the one that appears in the envelope’s sender email address. You must also enter smtp-auth for this option to have any effect.

web: Allow the email user to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their per-recipient spam quarantine.

Note: Entering this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication.

certificate-required {yes | no}

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter yes.

no

comment <comment>

Optionally, enter a comment for the recipient policy.

direction {incoming | outgoing}

Select the mail traffic direction.

incoming

pkiauth {enable | disable}

Enable if you want to allow email users to log in to their per-recipient spam quarantine by presenting a certificate rather than a user name and password.

disable

pkiuser <user_str>

If pkiauth is enable, enter the name of a PKI user, such as 'user1'. For information on configuring PKI users, see user pki.

profile-antispam <antispam-profile_name>

Enter the name of an antispam profile, if any, that this policy will apply.

profile-antivirus <antivirus-profile_name>

Enter the name of an antivirus profile, if any, that this policy will apply.

profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

Enter the type of the authentication profile that this policy will apply.

The command profile-auth-<auth_type> appears for the type chosen. Enter the name of an authentication profile for the type.

none

profile-dlp <profile_name>

Enter the name of the DLP profile that you want to apply to connections matching the policy.

profile-content <content-profile_name>

Enter the name of the content profile that you want to apply to connections matching the policy.

profile-resource <profile_name>

Enter the name of the resource profile that you want to apply to connections matching the policy.

profile-ldap <ldap-profile_name>

If recipient-type or sender-type is ldap-group, enter the name of an LDAP profile in which the group owner query has been enabled and configured.

recipient-domain <domain_str>

Enter the domain part of recipient email address to define recipient (RCPT TO:) email addresses that match this policy.

recipient-name <local-part_str>

Enter the local part of recipient email address to define recipient (RCPT TO:) email addresses that match this policy.

recipient-pattern-regex <string>

Define the recipient email address regular expression pattern.

This option is only available when recipient-type is set to regexp.

.*

recipient-type {email-address-group | ldap-group | regexp | user}

Enter one of the following ways to define recipient (RCPT TO:) email addresses that match this policy.

If you enter ldap-group, also configure profile-ldap by entering an LDAP profile in which you have enabled and configured a group query.

user

sender-pattern-regex <string>

Define the sender email address regular expression pattern.

This option is only available when sender-type is set to regexp.

.*

sender-domain <domain_str>

Enter the domain part of sender email address to define sender (MAIL FROM:) email addresses that match this policy.

sender-name <local-part_str>

Enter the local part of sender email address to define sender (MAIL FROM:) email addresses that match this policy.

sender-type {email-address-group | ldap-group | regexp | user}

Enter one of the following ways to define sender (MAIL FROM:) email addresses that match this policy.

If you enter ldap-group, also configure profile-ldap profile-ldap by entering an LDAP profile in which you have enabled and configured a group query.

user

smtp-diff-identity {enable | disable}

Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

This option is applicable only if smtp auth is used.

enable

smtp-diff-identity-ldap {enable | disable}

Enable to allow the SMTP client to verify SMTP sender identity with LDAP for authenticated email.

This option is applicable only if smtp auth is used.

disable

smtp-diff-identity-ldap-profile <profile_name>

Enter the LDAP profile name for SMTP sender identity verification.

This option is applicable only if smtp auth is used.

status {enable | disable}

Enable to apply this policy.

enable

Related topics

ms365 profile antivirus

policy access-control delivery

config policy delivery-control

policy recipient

policy recipient

Use this command to create recipient-based policies based on the inbound or outbound directionality of an email message with respect to the protected domain.

Syntax

config policy recipient

edit <policy_int>

set auth-access-options {pop3 | smtp-auth | smtp-diff-identity | web}

set certificate-required {yes | no}

set comment <comment>

set direction {incoming | outgoing}

set pkiauth {enable | disable}

set pkiuser <user_str>

set profile-antispam <antispam-profile_name>

set profile-antivirus <antivirus-profile_name>

set profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

set profile-content <content-profile_name>

set profile-dlp <profile_name>

set profile-ldap <ldap-profile_name>

set profile-resource <profile_name>

set recipient-domain <domain_str>

set recipient-name <local-part_str>

set recipient-pattern-regex <string>

set recipient-type {email-address-group | ldap-group | regexp | user}

set sender-domain <domain_str>

set sender-name <local-part_str>

set sender-pattern-regex <string>

set sender-type {email-address-group | ldap-group | regexp | user}

set smtp-diff-identity {enable | disable}

set smtp-diff-identity-ldap {enable | disable}

set smtp-diff-identity-ldap-profile <profile_name>

set status {enable | disable}

end

Variable

Description

Default

<policy_int>

Enter the index number of the recipient-based policy.

auth-access-options {pop3 | smtp-auth | smtp-diff-identity | web}

Enter the method that email users matching this policy use to retrieve the contents of their per-recipient spam quarantine.

pop3: Allow the email user to use POP3 to retrieve the contents of their per-recipient spam quarantine.

smtp-auth: Use the authentication server selected in the authentication profile when performing SMTP authentication for connecting SMTP clients.

smtp-diff-identity: Allow email when the SMTP client authenticates with a different user name than the one that appears in the envelope’s sender email address. You must also enter smtp-auth for this option to have any effect.

web: Allow the email user to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their per-recipient spam quarantine.

Note: Entering this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication.

certificate-required {yes | no}

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter yes.

no

comment <comment>

Optionally, enter a comment for the recipient policy.

direction {incoming | outgoing}

Select the mail traffic direction.

incoming

pkiauth {enable | disable}

Enable if you want to allow email users to log in to their per-recipient spam quarantine by presenting a certificate rather than a user name and password.

disable

pkiuser <user_str>

If pkiauth is enable, enter the name of a PKI user, such as 'user1'. For information on configuring PKI users, see user pki.

profile-antispam <antispam-profile_name>

Enter the name of an antispam profile, if any, that this policy will apply.

profile-antivirus <antivirus-profile_name>

Enter the name of an antivirus profile, if any, that this policy will apply.

profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

Enter the type of the authentication profile that this policy will apply.

The command profile-auth-<auth_type> appears for the type chosen. Enter the name of an authentication profile for the type.

none

profile-dlp <profile_name>

Enter the name of the DLP profile that you want to apply to connections matching the policy.

profile-content <content-profile_name>

Enter the name of the content profile that you want to apply to connections matching the policy.

profile-resource <profile_name>

Enter the name of the resource profile that you want to apply to connections matching the policy.

profile-ldap <ldap-profile_name>

If recipient-type or sender-type is ldap-group, enter the name of an LDAP profile in which the group owner query has been enabled and configured.

recipient-domain <domain_str>

Enter the domain part of recipient email address to define recipient (RCPT TO:) email addresses that match this policy.

recipient-name <local-part_str>

Enter the local part of recipient email address to define recipient (RCPT TO:) email addresses that match this policy.

recipient-pattern-regex <string>

Define the recipient email address regular expression pattern.

This option is only available when recipient-type is set to regexp.

.*

recipient-type {email-address-group | ldap-group | regexp | user}

Enter one of the following ways to define recipient (RCPT TO:) email addresses that match this policy.

If you enter ldap-group, also configure profile-ldap by entering an LDAP profile in which you have enabled and configured a group query.

user

sender-pattern-regex <string>

Define the sender email address regular expression pattern.

This option is only available when sender-type is set to regexp.

.*

sender-domain <domain_str>

Enter the domain part of sender email address to define sender (MAIL FROM:) email addresses that match this policy.

sender-name <local-part_str>

Enter the local part of sender email address to define sender (MAIL FROM:) email addresses that match this policy.

sender-type {email-address-group | ldap-group | regexp | user}

Enter one of the following ways to define sender (MAIL FROM:) email addresses that match this policy.

If you enter ldap-group, also configure profile-ldap profile-ldap by entering an LDAP profile in which you have enabled and configured a group query.

user

smtp-diff-identity {enable | disable}

Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

This option is applicable only if smtp auth is used.

enable

smtp-diff-identity-ldap {enable | disable}

Enable to allow the SMTP client to verify SMTP sender identity with LDAP for authenticated email.

This option is applicable only if smtp auth is used.

disable

smtp-diff-identity-ldap-profile <profile_name>

Enter the LDAP profile name for SMTP sender identity verification.

This option is applicable only if smtp auth is used.

status {enable | disable}

Enable to apply this policy.

enable

Related topics

ms365 profile antivirus

policy access-control delivery

config policy delivery-control