CLI Reference

domain

Use these commands to configure a protected domain.

For more information on protected domains and when they are required, see the FortiMail Administration Guide.

Syntax

This command contains many sub-commands. Each sub-command, linked below, is documented in subsequent sections.

config domain

edit <domain_name>

config cal resource...

config customized-message...

config domain-setting...

config file filter...

config policy recipient...

config profile account-sync...

config profile antispam...

config profile antispam-action...

config profile antivirus...

config profile antivirus-action...

config profile authentication...

config profile content...

config profile content-action...

config profile cousin-domain...

config profile email-address-group...

config profile impersonation...

config profile notification...

config profile resource...

config user mail...

next

end

Variable

Description

Default

<domain_name>

Type the fully qualified domain name (FQDN) of the protected domain.

For example, to protect email addresses ending in “@example.com”, type example.com.

config cal resource

Use this sub-command to configure the calendar resource of a protected domain for calendar sharing.

Syntax

This sub-command is available from within the command domain.

config cal resource

edit <resource_name>

set description <string>

set display-name <string>

set management-users <user_email>

set type {room | equipment}

end

Variable

Description

Default

<resource_name> Enter a name for the calendar resource. This name forms the local part of the calendar resource address for the current domain, for example <resource_name>@<domain_name>.com.

description <string> Enter a description for the calendar resource entry.

display-name <string> Enter a display name.

management-users <user_email> Enter the management users for the calendar resource in the format <user_name>@<domain_name>.com.

type {room | equipment} Set the resource type to either room or equipment.

room

config customized-message

Use this sub-command to configure the variables and the default email template of the quarantine summary for a protected domain.

Syntax

This sub-command is available from within the command domain.

config customized-message

edit report-quarantine-summary

config variable

edit <name>

set content

set display-name

config email-template

edit default

set from <string>

set html-body <string>

set subject <string>

set text-body <string>

end

Variable

Description

Default

<name>

Enter a variable name that you want to add or edit, such as %%SENDER%%.

content

Enter the content for the variable.

display-name

Enter the display name for the variable. For example, the display name for %%SENDER%% can be From.

from <string>

Enter the replacement message for the From field of the quarantine summary.

html-body <string>

Enter the replacement message for the email body of the quarantine summary in HTML code.

subject <string>

Enter the replacement message for the subject field of the quarantine summary.

text-body <string>

Enter the replacement message for the email body of the quarantine summary in text format.

config domain-setting

Use this sub-command to configure the basic settings of a protected domain.

Syntax

This sub-command is available from within the command domain.

config domain-setting

config sender-addr-rate-ctrl-exempt

edit <id>

set sender-pattern <string>

set pattern-type {default | regexp}

end

set addressbook {domain | none | system}

set bypass-bounce-verification {enable | disable}

set disclaimer-incoming-body-content

set disclaimer-incoming-body-content-html

set disclaimer-incoming-body-location

set disclaimer-incoming-body-status {enable | disable}

set disclaimer-incoming-header-insertion-name

set disclaimer-incoming-header-insertion-value

set disclaimer-incoming-header-status {enable | disable}

set disclaimer-outgoing-body-content

set disclaimer-outgoing-body-content-html

set disclaimer-outgoing-body-location

set disclaimer-outgoing-body-status {enable | disable}

set disclaimer-outgoing-header-insertion-name

set disclaimer-outgoing-header-insertion-value

set disclaimer-outgoing-header-status {enable | disable}

set dmarc-report-status {disable | enable | monitor-only | use-system-setting}

set email-continuity-status {enable | disable}

set fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

set fallback-port <port_int>

set fallback-use-smtps {enable | disable}

set global-bayesian {enable | disable}

set greeting-with-host-name {domainname | hostname | othername}

set host <host_name>

set ip-pool <pool_name>

set ip-pool-direction {outgoing | incoming | both}

set is-service-domain {enable | disable}

set is-sub-domain {enable | disable}

set ldap-asav-profile <ldap-profile_name>

set ldap-asav-status {enable | disable}

set ldap-domain-routing-port <port_int>

set ldap-domain-routing-profile <ldap-profile_name>

set ldap-domain-routing-smtps {enable | disable}

set ldap-groupowner-profile <ldap-profile_name>

set ldap-routing-profile <ldap-profile_name>

set ldap-routing-status {enable | disable}

set ldap-user-profile <profile_name>

set max-message-size <limit_int>

set other-helo-greeting <string>

set port <smtp-port_int>

set quarantine-report-schedule-status {enable | disable}

set quarantine-report-status {enable | disable}

set quarantine-report-to-alt {enable | disable}

set quarantine-report-to-alt-addr <recipient_email>

set quarantine-report-to-individual {enable | disable}

set quarantine-report-to-ldap-groupowner {enable | disable}

set recipient-verification {disable | ldap | smtp}

set recipient-verification-background {disable | ldap | smtp}

set recipient-verification-background-profile <ldap-profile_name>

set relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

set remove-outgoing-received-header {enable | disable}

set sender-addr-rate-ctrl-action

set sender-addr-rate-ctrl-max-msgs <integer>

set sender-addr-rate-ctrl-max-msgs-state {enable | disable}

set sender-addr-rate-ctrl-max-recipients

set sender-addr-rate-ctrl-max-recipients-state {enable | disable}

set sender-addr-rate-ctrl-max-size <integer>

set sender-addr-rate-ctrl-max-size-state {enable | disable}

set sender-addr-rate-ctrl-max-spam

set sender-addr-rate-ctrl-max-spam-state {enable | disable}

set sender-addr-rate-ctrl-state {enable | disable}

set sender-addr-rate-notification-state {enable | disable}

set smtp-recipient-verification-command {rcpt | vrfy}

set smtp-recipient-verification-accept-reply-string <accept_string>

set tp-hidden {no | yes}

set tp-server-on-port <port_int>

set tp-use-domain-mta {yes | no}

set use-stmps {enable | disable}

set webmail-language <language_name>

set webmail-theme {IndigoDarkBlue | RedGrey | Standard | Use-System-Settings}

end

Variable

Description

Default

addressbook {domain | none | system}

(server mode only)

Add newly created mail users to the system address book, to the domain address book, or to neither.

domain

bypass-bounce-verification {enable | disable}

Enable to omit bounce address tag verification of email incoming to this protected domain.

This bypass does not omit bounce address tagging of outgoing email.

disable

fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

(transparent mode and gateway mode only)

Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain.

This SMTP server will be used if the primary SMTP server is unreachable.

fallback-port <port_int>

(transparent mode and gateway mode only)

Enter the port number on which the failover SMTP server listens.

If you enable Use SMTPS, Port automatically changes to the default port number for SMTPS, but can still be customized.

The default SMTP port number is 25; the default SMTPS port number is 465.

25

fallback-use-smtps {enable | disable}

(transparent mode and gateway mode only)

Enable to use SMTPS for connections originating from or destined for this protected server.

disable

global-bayesian {enable | disable}

Enable to use the global Bayesian database instead of the Bayesian database for this protected domain.

If you do not need the Bayesian database to be specific to the protected domain, you may want to use the global Bayesian database instead in order to simplify database maintenance and training.

Disable to use the per-domain Bayesian database.

This option does not apply if you have enabled use of personal Bayesian databases in an incoming antispam profile, and if the personal Bayesian database is mature. Instead, the FortiMail unit will use the personal Bayesian database.

disable

greeting-with-host-name {domainname | hostname | othername}

Specify how the FortiMail unit will identify itself during the HELO or EHLO greeting of outgoing SMTP connections that it initiates.

domainname: The FortiMail unit will identify itself using the domain name for this protected domain.

If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.

hostname: The FortiMail unit will identify itself using its own host name.

By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select to use the system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.

othername: If you select this option, another command, set other-helo-greeting <string>, will appear, allowing you to enter a name other than the domain name or host name for the HELO/EHLO greeting.

hostname

host <host_name>

(transparent mode and gateway mode only)

The host name or IP address and port number of the mail exchanger (MX) for this protected domain.

If Relay Type is MX Record (this domain) or MX Record (alternative domain), this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty.

ip-pool <pool_name>

You can use a pool of IP addresses as the source IP address when sending email from this domain, or as the destination IP address when receiving email destined to this domain, or as both the source and destination IP addresses.

If you want to use the IP pool as the source IP address for this protected domain, according to the sender’s email address in the envelope (MAIL FROM:), select the IP pool to use and select outgoing as the ip-pool-direction.

If you want to use the IP pool as the destination IP address (virtual host) for this protected domain, according to the recipient’s email address in the envelope (RCPT TO:), select the IP pool to use and select incoming as the ip-pool-direction. You must also configure the MX record to direct email to the IP pool addresses as well.
This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different hosts and logging for each host can be separated as well.

If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select both as the ip-pool-direction.

Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

ip-pool-direction {outgoing | incoming | both}

Sets the direction for the ip-pool option. See description above.

This option is only available after you configure the ip-pool option.

is-sub-domain {enable | disable}

Enable to indicate the protected domain you are creating is a subdomain of an existing protected domain, then also configure Main domain.

Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will be displayed as grouped under the parent protected domain when viewing the list of protected domains.

This option is available only when another protected domain exists to select as the parent domain.

disable

ldap-asav-profile <ldap-profile_name>

Specify the name of an LDAP profile which you have enabled and configured.

ldap-asav-status {enable | disable}

Enable to query an LDAP server for an email user’s preferences to enable or disable antispam and/or antivirus processing for email messages destined for them.

disable

ldap-domain-routing-port <port_int>

Enter the port number on which the SMTP servers in the LDAP profile listen.

If you enable ldap-domain-routing-smtps, this setting automatically changes to the default port number for SMTPS, but can still be customized.

The default SMTP port number is 25; the default SMTPS port number is 465.

This option is valid when relay-type is ldap-domain-routing.

25

ldap-domain-routing-profile <ldap-profile_name>

Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query. Also configure ldap-domain-routing-port <port_int> and ldap-domain-routing-smtps {enable | disable}.

This option is valid when relay-type is set to ldap-domain-routing.

ldap-domain-routing-smtps {enable | disable}

Enable to use SMTPS for connections originating from or destined for this protected server.

This option is valid when relay-type is ldap-domain-routing.

disable

ldap-groupowner-profile <ldap-profile_name>

Select an LDAP profile to send the quarantine report to a group owner, rather than individual recipients.

ldap-routing-profile <ldap-profile_name>

Select an LDAP profile for mail routing.

ldap-routing-status {enable | disable}

Enable/disable LDAP mail routing.

disable

ldap-user-profile <profile_name>

Select the name of an LDAP profile that you have configured, enabling you to authenticate email users and expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members.

max-message-size <limit_int>

Enable then type the limit in kilobytes (KB) of the message size. Email messages over the threshold size are rejected.

Note: If both this option and expire-inactivity <days_int> in the session profile are enabled, email size will be limited to whichever size is smaller.

204800KB

other-helo-greeting <string>

After you set greeting-with-host-name to othername, use this command to specify the name to use for the HELO/EHLO greeting.

port <smtp-port_int>

(transparent mode and gateway mode only)

Set the SMTP port number of the mail server.

25

quarantine-report-schedule-status {enable | disable}

Enable or disable the domain-level quarantine report schedule setting.

The quarantine report settings for a protected domain are a subset of the system-wide quarantine report settings.

For example, if the system settings for schedule include only Monday and Thursday, when you are setting the schedule for the quarantine reports of the protected domain, you will only be able to select either Monday or Thursday.

disable

quarantine-report-status {enable | disable}

Enable or disable domain-level quarantine report.

disable

quarantine-report-to-alt {enable | disable}

Enable or disable sending domain-level quarantine report to a recipient other than the individual recipients or group owner. For example, you might delegate quarantine reports by sending them to an administrator whose email address is not locally deliverable to the protected domain, such as admin@lab.example.com.

disable

quarantine-report-to-alt-addr <recipient_email>

Enter the recipient’s email address.

quarantine-report-to-individual {enable | disable}

Enable to send quarantine reports to all recipients.

enable

quarantine-report-to-ldap-groupowner {enable | disable}

Enable to send quarantine reports to the LDAP group owner of the specified LDAP profile.

disable

recipient-verification {disable | ldap | smtp}

Select a method of confirming that the recipient email address in the message envelope (RCPT TO:) corresponds to an email user account that actually exists on the protected email server. If the recipient address is invalid, the FortiMail unit will reject the email. This prevents quarantine email messages for non-existent accounts, thereby conserving quarantine hard disk space.

disable: Do not verify that the recipient address is an email user account that actually exists.

smtp: Query the SMTP server using the SMTP RCPT command to verify that the recipient address is an email user account that actually exists. You can also choose to use the SMTP VRFY command to do the verification. This feature is available on the GUI when you create a domain.
If you want to query an SMTP server other than the one you have defined as the protected SMTP server, also enable Use alternative server, then enter the IP address or FQDN of the server in the field next to it. Also configure Port with the TCP port number on which the SMTP server listens, and enable Use SMTPS if you want to use SMTPS for recipient address verification connections with the server.

ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server.


Note: This option can cause a performance impact that may be noticeable during peak traffic times. For a smaller performance impact, you can instead periodically and automatically remove quarantined email messages for invalid email user accounts, rather than actively preventing them for each email message.

Note: Spam often contains invalid recipient addresses. If you have enabled spam quarantining, but have not prevented or scheduled the periodic removal of quarantined email messages for invalid email accounts, the FortiMail hard disk may be rapidly consumed during peak traffic times, resulting in refused SMTP connections when the hard disk becomes full. To prevent this, enable either this option or the periodic removal of invalid quarantine accounts.

disable

recipient-verification-background {disable | ldap | smtp}

Select a method by which to periodically remove quarantined spam for which an email user account does not actually exist on the protected email server.

disable: Do not verify that the recipient address is an email user account that actually exists.

smtp: Query the SMTP server to verify that the recipient address is an email user account that actually exists.

ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server.
If you select either Use SMTP server or Use LDAP server, at 4:00 AM daily (unless configured for another time, using the CLI), the FortiMail unit queries the server to verify the existence of email user accounts. If an email user account does not currently exist, the FortiMail unit removes all spam quarantined for that email user account.

Note: If you have also enabled recipient-verification, the FortiMail unit is prevented from forming quarantine accounts for email user accounts that do not really exist on the protected email server. In that case, invalid quarantine accounts are never formed, and this option may not be necessary, except when you delete email user accounts on the protected email server. If this is the case, you can improve the performance of the FortiMail unit by disabling this option.

Note: Spam often contains invalid recipient addresses. If you have enabled spam quarantining, but have not prevented or scheduled the periodic removal of quarantined email messages for invalid email accounts, the FortiMail hard disk may be rapidly consumed during peak traffic times, resulting in refused SMTP connections when the hard disk becomes full. To prevent this, enable either this option or verification of recipient addresses.

relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

(transparent mode and gateway mode only)

Select from one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain:

host: Configure the connection to one protected SMTP server or, if any, one fallback.

ldap-domain-routing: Query the LDAP server for the FQDN or IP address of the SMTP server. For more information about domain lookup, see domain-query <query_str>.

mx-lookup: Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.

mx-lookup-alt-domain: Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.

ip-pool: Configure the connection to rotate among one or many protected SMTP servers.

Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit.

Gateway mode: A private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server, configure the protected SMTP server’s A record with its private IP address, while on the public DNS server, configure the FortiMail unit’s A record with its public IP address.

Transparent mode: A private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server’s A record with its private IP address. On the public DNS server, configure the protected SMTP server’s A record with its public IP address. Do not modify the MX record.

host

remove-outgoing-received-header {enable | disable}

Enable to remove the Received: message headers from email whose:

  • sender email address belongs to this protected domain, and
  • recipient email address is outgoing (that is, does not belong to this protected domain); if there are multiple recipients, only the first recipient’s email address is used to determine whether an email is outgoing.

You can alternatively remove this header from any matching email using session profiles.

disable

sender-addr-rate-ctrl-max-msgs <integer>

Enter the maximum number of messages per sender address per half hour.

30

sender-addr-rate-ctrl-max-msgs-state {enable | disable}

Enable enforcement of the maximum number of messages per sender address per half hour.

disable

sender-addr-rate-ctrl-max-size <integer>

Enter the maximum number of megabytes per sender address per half hour.

100

sender-addr-rate-ctrl-max-size-state {enable | disable}

Enable enforcement of the maximum number of megabytes per sender address per half hour.

disable

sender-addr-rate-ctrl-state {enable | disable}

Enable sender address rate control per sender email address.

disable
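The following is an added example, not FortiMail code: a small model of how the sender-addr-rate-ctrl-* options above interact. It counts, per sender address, the messages and bytes seen in the current half hour and reports whether a new message would exceed whichever limits are enabled; defaults follow the reference (30 messages, 100 MB, all states disabled). Fixed 30-minute windows, wildcard matching for exempt entries of pattern-type default, and the "within limits or not" result (the reference does not list the values of sender-addr-rate-ctrl-action) are assumptions of this model.

```python
"""Model of the sender-addr-rate-ctrl-* options (added example, not FortiMail code).

Assumptions: fixed 30-minute windows; exempt entries with pattern-type 'default'
are matched as shell-style wildcards; the outcome is only "within limits or not",
because the reference does not list the values of sender-addr-rate-ctrl-action.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
import re

WINDOW_SECONDS = 30 * 60  # the limits are "per sender address per half hour"


@dataclass
class SenderRateControl:
    state: bool = False           # sender-addr-rate-ctrl-state
    max_msgs: int = 30            # sender-addr-rate-ctrl-max-msgs (default 30)
    max_msgs_state: bool = False  # sender-addr-rate-ctrl-max-msgs-state
    max_size_mb: int = 100        # sender-addr-rate-ctrl-max-size (default 100 MB)
    max_size_state: bool = False  # sender-addr-rate-ctrl-max-size-state
    # sender-addr-rate-ctrl-exempt entries as (sender-pattern, pattern-type)
    exempt: list = field(default_factory=list)
    # sender -> [window index, messages so far, bytes so far]
    _buckets: dict = field(default_factory=dict, repr=False)

    def is_exempt(self, sender: str) -> bool:
        """True if an exempt entry matches the sender address."""
        for pattern, pattern_type in self.exempt:
            if pattern_type == "regexp":
                if re.search(pattern, sender):
                    return True
            elif fnmatch(sender.lower(), pattern.lower()):  # 'default' type, assumed wildcard
                return True
        return False

    def check(self, sender: str, size_bytes: int, now: float) -> tuple[bool, str]:
        """Account for one message and return (within_limits, reason).

        A message that would exceed a limit is not counted, so one oversized burst
        does not keep the sender over the limit for the rest of the window.
        """
        if not self.state or self.is_exempt(sender):
            return True, "not rate controlled"
        key = sender.lower()
        window = int(now // WINDOW_SECONDS)
        bucket = self._buckets.get(key)
        if bucket is None or bucket[0] != window:
            bucket = [window, 0, 0]  # a new half hour: counters start over
            self._buckets[key] = bucket
        if self.max_msgs_state and bucket[1] + 1 > self.max_msgs:
            return False, f"more than {self.max_msgs} messages in this half hour"
        if self.max_size_state and bucket[2] + size_bytes > self.max_size_mb * 1024 * 1024:
            return False, f"more than {self.max_size_mb} MB in this half hour"
        bucket[1] += 1
        bucket[2] += size_bytes
        return True, "within limits"


if __name__ == "__main__":
    # Constructed walk-through: tight limits so the window behaviour is visible.
    rc = SenderRateControl(state=True, max_msgs=3, max_msgs_state=True,
                           exempt=[("alerts@example.com", "default")])
    t0 = 1_000_000.0
    for i in range(4):
        print(i + 1, rc.check("user1@example.com", 1000, t0 + i * 60))  # 4th is over the limit
    print(rc.check("user1@example.com", 1000, t0 + WINDOW_SECONDS))    # new window
    print(rc.check("alerts@example.com", 1000, t0))                    # exempt
```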

smtp-recipient-verification-command {rcpt | vrfy}

(transparent mode and gateway mode only)

Specify the command that the FortiMail unit uses to query the SMTP server to verify that the recipient address is an email user account that actually exists. The default command that the FortiMail unit uses is rcpt.
For information about recipient verification, see recipient-verification {disable | ldap | smtp}.

This option is only available after you select smtp in recipient-verification.

rcpt

smtp-recipient-verification-accept-reply-string <accept_string>

(transparent mode and gateway mode only)

When FortiMail queries the SMTP server for recipient verification:

If the reply code of the VRFY command is 2xx, the recipient exists.

If the reply code is non-2xx, FortiMail will try to match the accept string you specified with the reply string. If the strings match, the recipient exists.

Otherwise, the recipient is unknown.

For example, if the recipient is a group or mailing list, FortiMail will receive a 550 error code and a reply string. Depending on what reply string you get, you can specify a string to match the reply string.

For example, if the recipient is marketing@example.com, the reply string might say something like “marketing@example.com is a group”. In this case, if you specify “is a group” as the accept string and thus this string matches the string or part of the string in the reply string, FortiMail will deem the query successful and pass the email.

This command is available only when you set smtp-recipient-verification-command to vrfy.
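The following is an added example, not FortiMail code: the decision rule described above (2xx means the recipient exists; any other code is checked against the accept string; otherwise unknown), applied to constructed VRFY replies, plus a check of whether a candidate accept string would also match replies for non-existent users. Case-sensitive substring matching and the sample replies are assumptions of this example.

```python
"""Recipient-verification decision driven by smtp-recipient-verification-accept-reply-string
(added example, not FortiMail code).

Rule from the reference: a 2xx VRFY reply means the recipient exists; for any other
code the accept string is matched against the reply text, and a match also means
exists; otherwise unknown. Assumptions: matching is a case-sensitive substring
test, and every reply below is constructed rather than captured from a server.
"""
import re

# One SMTP reply line: 3-digit code, then ' ' (last line) or '-' (continuation).
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(raw: str) -> tuple[int, str]:
    """Split a (possibly multi-line) SMTP reply into (code, joined text)."""
    code = None
    texts = []
    for line in raw.splitlines():
        m = _REPLY_LINE.match(line.strip())
        if m is None:
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        line_code = int(m.group(1))
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed within a multi-line reply")
        texts.append(m.group(3))
    if code is None:
        raise ValueError("empty reply")
    return code, " ".join(texts)


def classify_recipient(raw_reply: str, accept_string: str = "") -> str:
    """Return 'exists' or 'unknown' for one VRFY reply, following the FortiMail rule."""
    code, text = parse_reply(raw_reply)
    if 200 <= code <= 299:
        # Any 2xx counts, including "252 Cannot VRFY user" from servers that
        # decline to verify: such a server vouches for every address.
        return "exists"
    if accept_string and accept_string in text:
        return "exists"  # non-2xx, but the configured accept string matched
    return "unknown"


# Constructed replies a server might give for addresses that do NOT exist. Used to
# check that an accept string does not turn rejections into acceptances, which
# would re-create the invalid quarantine accounts recipient verification avoids.
REJECTION_SAMPLES = [
    "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown",
    "550 5.1.1 ghost@example.com is an unknown user",
    "551 5.1.6 User not local; please try <ghost@other.example.net>",
]


def accept_string_false_positives(accept_string: str, rejections=REJECTION_SAMPLES) -> list:
    """Rejection replies that the given accept string would misclassify as 'exists'."""
    return [r for r in rejections if classify_recipient(r, accept_string) == "exists"]


if __name__ == "__main__":
    print(classify_recipient("250 2.1.5 user1@example.com"))
    print(classify_recipient("550 marketing@example.com is a group", "is a group"))
    print(accept_string_false_positives("is a group"))  # specific enough: []
    print(accept_string_false_positives("is a"))        # too generic: one rejection accepted
```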

tp-hidden {no | yes}

(transparent mode only)

Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in:

  • the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
  • the IP addresses in the IP header

This masks the existence of the FortiMail unit to the protected SMTP server.

Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.

For example, an external SMTP client might have the IP address 172.168.1.1, and the FortiMail unit might have the domain name fortimail.example.com. If the option is enabled, the message headers would contain (the difference is in the EHLO name and the by host):

Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800

Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT

But if the option is disabled, the message headers would contain:

Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800

Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT

Note: This option does not apply to email messages sent from protected domains to protected domains, meaning that the FortiMail unit will not be hidden even if this option is enabled.

no

tp-server-on-port <port_int>

(transparent mode only)

Select the network interface (physical port) to which the protected SMTP server is connected.

Note: Selecting the wrong network interface will result in the FortiMail unit sending email traffic to the wrong network interface.

0

tp-use-domain-mta {yes | no}

(transparent mode only)

Enable to proxy SMTP clients’ incoming connections when sending outgoing email messages via the protected SMTP server.

For example, if the protected domain example.com has the SMTP server 192.168.1.1, and an SMTP client for user1@example.com connects to it to send email to user2@external.example.net, enabling this option would cause the FortiMail unit to proxy the connection through to the protected SMTP server.

Disable to relay email using the built-in MTA to either the defined SMTP relay, if any, or directly to the MTA that is the mail exchanger (MX) for the recipient email address’s (RCPT TO:) domain. The email may not actually travel through the protected SMTP server, even though it was the relay originally specified by the SMTP client.

This option does not affect incoming connections containing incoming email messages, which will always be handled by the built-in MTA.

Note: This option will be ignored for email that matches an antispam or content profile where you have enabled alternate-host {<relay_fqdn> | <relay_ipv4>}.

no

use-stmps {enable | disable}

Enable to use SMTPS to relay email to the mail server.

disable

webmail-language <language_name>

Select either Use system settings or another language that the FortiMail unit will use to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same language as the web-based manager.

webmail-theme {IndigoDarkBlue | RedGrey | Standard | Use-System-Settings}

Select the display theme that the FortiMail unit will use to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same display theme as the web-based manager.

Use-System-Settings

config policy recipient

Use this sub-command to configure a recipient-based policy for a protected domain. To configure system-wide policies, use the config policy recipient command.

Syntax

This sub-command is available from within the command domain.

config policy recipient

edit <policy_index>

set auth-access-options {pop3 smtp-auth smtp-diff-identity web}

set certificate-required {yes | no}

set comment

set direction

set pkiauth {enable | disable}

set pkiuser <user_name>

set profile-antispam <antispam_name>

set profile-antivirus <antivirus_name>

set profile-auth-type {imap | local | ldap | pop3 | smtp | radius}

set profile-content <profile_name>

set profile-dlp

set profile-resource <profile_name>

set profile-ldap <profile_name>

set recipient-domain <domain>

set recipient-name <name_str>

set recipient-type {ldap-group | local-group | user}

set sender-domain <domain_name>

set sender-name <local-part_str>

set sender-type {ldap-group | local-group | user}

set smtp-diff-identity

set smtp-diff-identity-lsap-profile

set status {enable | disable}

next

end

Variable

Description

Default

<policy_index>

Type the index number of the policy.

To view a list of existing entries, enter a question mark ( ? ).

auth-access-options {pop3 smtp-auth smtp-diff-identity web}

Type one or more of the following:

smtp-diff-identity: Allow email when the SMTP client authenticates with a different user name than the one that appears in the envelope’s sender email address. You must also enter smtp-auth for this option to have any effect.

web: Allow the email user to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their per-recipient spam quarantine.

pop3: Allow the email user to use POP3 to retrieve the contents of their per-recipient spam quarantine.

smtp-auth: Use the authentication server selected in the authentication profile when performing SMTP authentication for connecting SMTP clients.
Note: Entering this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication.

certificate-required {yes | no}

(transparent and gateway mode only)

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enable this option.

no

comment

Enter a comment for the recipient policy.

direction

Enter whether the direction of mail traffic is incoming or outgoing.

pkiauth {enable | disable}

(transparent and gateway mode only)

Enable if you want to allow email users to log in to their per-recipient spam quarantine by presenting a certificate rather than a user name and password.

disable

pkiuser <user_name>

(transparent and gateway mode only)

Enter the name of the PKI user entry, or select a user you defined before.

This is not required to be the same as the administrator or email user’s account name, although you may find it helpful to do so.

For example, you might have an administrator account named admin1. You might therefore find it most straightforward to also name the PKI user admin1, making it easy to remember which account these PKI settings are intended for.

profile-antispam <antispam_name>

Select an antispam profile that you want to apply to the policy.

profile-antivirus <antivirus_name>

Select an antivirus profile that you want to apply to the policy.

profile-auth-type {imap | local | ldap | pop3 | smtp | radius}

If you want email users to be able to authenticate using an external authentication server, first specify the profile type (SMTP, POP3, IMAP, RADIUS, or LDAP), then specify which profile to use.

For example:

set profile-auth-type ldap

set profile-auth-ldap ldap_profile1

profile-auth-imap <imap_name>

Type the name of an IMAP authentication profile.

This command is applicable only if you have enabled use of an IMAP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-ldap <ldap_name>

Type the name of an LDAP authentication profile.

This command is applicable only if you have enabled use of an LDAP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-pop3 <pop3_name>

Type the name of a POP3 authentication profile.

This command is applicable only if you have enabled use of a POP3 authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-smtp <smtp_name>

Type the name of an SMTP authentication profile.

This command is applicable only if you have enabled use of an SMTP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-radius <radius_name>

Type the name of a RADIUS authentication profile.

This command is applicable only if you have enabled use of a RADIUS authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-content <profile_name>

Select which content profile you want to apply to the policy.

profile-dlp

Enter the DLP profile for the policy.

profile-resource <profile_name>

Select which resource profile you want to apply to the policy.

This option is only available in server mode.

profile-ldap <profile_name>

If you set the recipient type as "ldap-group", you can select an LDAP profile.

recipient-domain <domain>

Enter the domain part of the recipient email address.

recipient-name <name_str>

Enter the local part of the recipient email address or a pattern with wild cards.

recipient-type {ldap-group | local-group | user}

Select one of the following ways to define recipient (RCPT TO:) email addresses that match this policy. This setting applies to the incoming policies only.

user: Select this option and then use recipient-name <name_str> to enter the local part of the recipient email address.

local-group: Select this option and then specify the local group under this domain.

ldap-group: Select this option and then select an LDAP profile.

user

sender-domain <domain_name>

Enter the domain part of the sender email address. For example, example.com.

sender-name <local-part_str>

Enter the local part of the sender email address. For example, user1.

sender-type {ldap-group | local-group | user}

Select one of the following ways to define which sender (MAIL FROM:) email addresses match this policy.

user: Select this option and then use sender-name <local-part_str> to enter the local part of the sender email address.

local-group: Select this option and then specify the local group under this domain.

ldap-group: Select this option and then select an LDAP profile.

Note: This setting applies to the outgoing policies only.

user

smtp-diff-identity

Reject email whose SMTP sender identity differs from the authenticated user name.

smtp-diff-identity-ldap

Verify the SMTP sender identity against LDAP for authenticated email.

smtp-diff-identity-lsap-profile

LDAP profile used for SMTP sender identity verification.

status {enable | disable}

Enable or disable the policy.

enable
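As an added example, not from the FortiMail documentation itself: an incoming recipient policy for a protected domain that authenticates users against an LDAP profile and grants smtp-auth and webmail access without smtp-diff-identity, so an authenticated client cannot use an envelope sender belonging to another user. The domain name example.com, the policy index, the profile name ldap_profile1 and the wildcard recipient pattern are assumed values; the `#` lines are annotations, not CLI input.

```text
config domain
    edit example.com
        config policy recipient
            edit 1
                set direction incoming
                # recipient-type user with a wildcard local part matches every
                # recipient in the domain (assumed pattern)
                set recipient-type user
                set recipient-name "*"
                # authenticate against an external LDAP server (assumed profile name)
                set profile-auth-type ldap
                set profile-auth-ldap ldap_profile1
                # smtp-auth: SMTP AUTH is checked against the profile above
                # web: webmail access to the per-recipient spam quarantine
                # smtp-diff-identity is deliberately left out, so the authenticated
                # user name must match the envelope sender local part
                set auth-access-options smtp-auth web
                # weaker alternative, not used here:
                # set auth-access-options smtp-auth smtp-diff-identity web
                set certificate-required no
                set status enable
            next
        end
    next
end
```

Note that auth-access-options only allows SMTP authentication for matching clients; as the table states, enforcing it requires access control rules that demand authentication, which are configured outside this sub-command.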

config profile account-sync

Use this command to configure account synchronization settings for remote users from LDAP and Microsoft 365 servers.

Syntax

This sub-command is available from within the command domain.

config profile account-sync

edit <profile_name>

set base-dn <string>

set bind-dn <string>

set bind-password <password>

set description <string>

set group-display-name <string>

set group-primary-address <string>

set group-query <string>

set group-secondary-address <string>

set ldap-port <integer>

set ldap-secure {enable | disable}

set ldap-server <string>

set ldap-version {ver2 | ver3}

set ms365-application-id <string>

set ms365-application-secret <password>

set ms365-tenant-id <password>

set recurrence {daily | monthly | none | weekly}

set referrals-chase {enable | disable}

set schedule-hour <integer>

set scope {base | one | sub}

set timeout <integer>

set type {ldap | ms365}

set user-display-name <string>

set user-primary-address <string>

set user-query <string>

set user-secondry-address <string>

next

end

Variable

Description

Default

base-dn <string>

Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as ou=People,dc=example,dc=com.

User objects should be child nodes of this location.

bind-dn <string>

Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the base-dn.

bind-password <password>

Enter the password of bind-dn <string>.

description <string>

Enter a description.

group-display-name <string>

Enter the LDAP group/mailing list display name attribute.

group-primary-address <string>

Enter the LDAP group/mailing list primary email address attribute.

group-query <string>

Enter the LDAP group/mailing list query string.

group-secondary-address <string>

Enter the LDAP group/mailing list secondary email address attribute.

ldap-port <integer>

Enter the TCP port number of the LDAP server.

The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.

389

ldap-secure {enable | disable}

Enable or disable (by default) a secure encrypted connection to the LDAP server.

disable

ldap-server <string>

Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

ldap-version {ver2 | ver3}

Enter the LDAP server protocol version.

ver3

ms365-application-id <string>

Enter the Microsoft 365 application ID.

ms365-application-secret <password>

Enter the Microsoft 365 application secret.

ms365-tenant-id <password>

Enter the Microsoft 365 tenant ID.

recurrence {daily | monthly | none | weekly}

Define the recurrence/schedule of the remote server synchronization.

none

referrals-chase {enable | disable}

Enable or disable (by default) chasing of referrals.

disable

schedule-hour <integer>

Enter the hour of the day at which synchronization will occur. Enter a value from 0 to 23.

1

scope {base | one | sub}

Define the search scope of the LDAP server; either base, one level, or subtree (by default).

sub

timeout <integer>

Enter the query timeout limit in seconds. Enter a value from 60 to 600.

60

type {ldap | ms365}

Enter the remote server profile type.

ldap

user-display-name <string>

Enter the LDAP user's display name attribute.

user-primary-address <string>

Enter the LDAP user's primary email address attribute.

user-query <string>

Enter the LDAP query string to get all users.

user-secondry-address <string>

Enter the LDAP user's secondary email address attribute.
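An added example, not part of the FortiMail documentation: an LDAP account-sync profile that uses the SSL-secured LDAP port instead of the plaintext default, keeps referral chasing disabled, binds with a dedicated read-only service account and runs once a day. The domain name, server name, bind DN, base DN, attribute names and query filters are constructed values for an assumed inetOrgPerson/groupOfNames directory; the password is a placeholder and the `#` lines are annotations, not CLI input.

```text
config domain
    edit example.com
        config profile account-sync
            edit ldap_sync
                set type ldap
                set description "Nightly user and group import from the corporate directory"
                set ldap-server ldap.example.com
                # ldap-secure defaults to disable on port 389; 636 is the SSL-secured port
                set ldap-port 636
                set ldap-secure enable
                set ldap-version ver3
                # dedicated read-only bind account (constructed DN, placeholder password)
                set bind-dn "cn=fortimail-sync,ou=Service Accounts,dc=example,dc=com"
                set bind-password <bind_password>
                set base-dn "ou=People,dc=example,dc=com"
                set scope sub
                # do not follow referrals to servers the bind account was not meant to reach
                set referrals-chase disable
                set timeout 60
                # assumed attribute names and filters for this directory schema
                set user-query "(objectClass=inetOrgPerson)"
                set user-display-name displayName
                set user-primary-address mail
                set user-secondry-address mailAlternateAddress
                set group-query "(objectClass=groupOfNames)"
                set group-display-name cn
                set group-primary-address mail
                set group-secondary-address mailAlternateAddress
                # synchronize daily at 02:00
                set recurrence daily
                set schedule-hour 2
            next
        end
    next
end
```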

config user mail

Use this sub-command to configure email user accounts.

Syntax

This sub-command is available from within the command domain.

config user mail

rename <old_username> to <new_username> (see the note below)

edit <user_name>

set type {local | ldap}

set type local

set displayname <name_str>

set password <pwd_str>

set type ldap

set displayname <name_str>

set ldap-profile <ldap_name>

next

end

Variable

Description

Default

<old_username>

The user account name you want to rename.

<new_username>

The new user account name you want to change to.

<user_name>

Enter the user name of an email user, such as user1. This is also the local-part portion of the email user’s primary email address.

type {local | ldap}

Enter the type of email user account you want to add.

See set type local and set type ldap.

ldap

displayname <name_str>

Enter the display name of the local email user, such as 'User One'.

password <pwd_str>

Enter the password of the local email user.

displayname <name_str>

Enter the display name of the LDAP email user, such as 'User One'.

ldap-profile <ldap_name>

Enter the name of an LDAP profile in which authentication queries are enabled.

If you rename an existing user account to a new user account name, all of the user’s preferences and mail data are ported to the new user. However, because the account name has changed, the new user will not be able to decrypt and read encrypted email that was sent to the old user name before the rename.


config customized-message

Use this sub-command to configure the variables and the default email template of the quarantine summary of a protected domain.

Syntax

This sub-command is available from within the command domain.

config customized-message

edit report-quarantine-summary

config variable

edit <name>

set content

set display-name

config email-template

edit default

set from <string>

set html-body <string>

set subject <string>

set text-body <string>

end

Variable

Description

Default

<name>

Enter a variable name that you want to add or edit, such as %%SENDER%%.

content

Enter the content for the variable.

display-name

Enter the display name for the variable. For example, the display name for %%SENDER%% can be From.

from <string>

Enter the replacement message for the From field of the quarantine summary.

html-body <string>

Enter the replacement message for the email body of the quarantine summary in HTML code.

subject <string>

Enter the replacement message for the subject field of the quarantine summary.

text-body <string>

Enter the replacement message for the email body of the quarantine summary in text format.

config domain-setting

Use this sub-command to configure the basic settings of a protected domain.

Syntax

This sub-command is available from within the command domain.

config domain-setting

config sender-addr-rate-ctrl-exempt

edit <id>

set sender-pattern <string>

set pattern-type {default | regexp}

end

set addressbook {domain | none | system}

set bypass-bounce-verification {enable | disable}

set disclaimer-incoming-body-content

set disclaimer-incoming-body-content-html

set disclaimer-incoming-body-location

set disclaimer-incoming-body-status {enable | disable}

set disclaimer-incoming-header-insertion-name

set disclaimer-incoming-header-insertion-value

set disclaimer-incoming-header-status {enable | disable}

set disclaimer-outgoing-body-content

set disclaimer-outgoing-body-content-html

set disclaimer-outgoing-body-location

set disclaimer-outgoing-body-status {enable | disable}

set disclaimer-outgoing-header-insertion-name

set disclaimer-outgoing-header-insertion-value

set disclaimer-outgoing-header-status {enable | disable}

set dmarc-report-status {disable | enable | monitor-only | use-system-setting}

set email-continuity-status {enable | disable}

set fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

set fallback-port <port_int>

set fallback-use-smtps {enable | disable}

set global-bayesian {enable | disable}

set greeting-with-host-name {domainname | hostname | othername}

set host <host_name>

set ip-pool <pool_name>

set ip-pool-direction {outgoing | incoming | both}

set is-service-domain {enable | disable}

set is-sub-domain {enable | disable}

set ldap-asav-profile <ldap-profile_name>

set ldap-asav-status {enable | disable}

set ldap-domain-routing-port <port_int>

set ldap-domain-routing-profile <ldap-profile_name>

set ldap-domain-routing-smtps {enable |disable}

set ldap-groupowner-profile <ldap-profile_name>

set ldap-routing-profile <ldap-profile_name>

set ldap-routing-status {enable | disable}

set ldap-user-profile <profile_name>

set max-message-size <limit_int>

set other-helo-greeting <string>

set port <smtp-port_int>

set quarantine-report-schedule-status {enable | disable}

set quarantine-report-status {enable | disable}

set quarantine-report-to-alt {enable | disable}

set quarantine-report-to-alt-addr <recipient_email>

set quarantine-report-to-individual {enable | disable}

set quarantine-report-to-ldap-groupowner {enable | disable}

set recipient-verification {disable | ldap | smtp}

set recipient-verification-background {disable | ldap | smtp}

set recipient-verification-background-profile <ldap-profile_name>

set relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

set remove-outgoing-received-header {enable | disable}

set sender-addr-rate-ctrl-action

set sender-addr-rate-ctrl-max-msgs <integer>

set sender-addr-rate-ctrl-max-msgs-state {enable | disable}

set sender-addr-rate-ctrl-max-recipients

set sender-addr-rate-ctrl-max-recipients-state {enable | disable}

set sender-addr-rate-ctrl-max-size <integer>

set sender-addr-rate-ctrl-max-size-state {enable | disable}

set sender-addr-rate-ctrl-max-spam

set sender-addr-rate-ctrl-max-spam-state {enable | disable}

set sender-addr-rate-ctrl-state {enable | disable}

set sender-addr-rate-notification-state {enable | disable}

set smtp-recipient-verification-command {rcpt | vrfy}

set smtp-recipient-verification-accept-reply-string <accept_string>

set tp-hidden {no | yes}

set tp-server-on-port <port_int>

set tp-use-domain-mta {yes | no}

set use-stmps {enable | disable}

set webmail-language <language_name>

set webmail-theme {IndigoDarkBlue | RedGrey | Standard | Use-System-Settings}

end
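An added example, not taken from the FortiMail documentation, that combines options documented in the table that follows into a hardened domain-setting for a gateway-mode deployment: an explicit relay host with an SMTPS fallback, recipient verification at SMTP time plus a background LDAP clean-up of quarantine accounts that no longer exist, per-sender-address rate limits with one exempt system address, a message size cap, and removal of internal Received: headers from outgoing mail. The domain and host names, the LDAP profile name ldap_profile1, the exempt address and the numeric limits are assumed values; the `#` lines are annotations, not CLI input.

```text
config domain
    edit example.com
        config domain-setting
            # relay: one protected SMTP server plus a fallback reached over SMTPS
            set relay-type host
            set host mail.example.com
            set port 25
            set fallback-host mail2.example.com
            set fallback-use-smtps enable
            set fallback-port 465
            # identify as the FortiMail host name in HELO/EHLO, not as the protected domain
            set greeting-with-host-name hostname
            # verify RCPT TO against the protected server before accepting (and quarantining) mail
            set recipient-verification smtp
            set smtp-recipient-verification-command rcpt
            # and periodically remove quarantine accounts that no longer exist in LDAP
            set recipient-verification-background ldap
            set recipient-verification-background-profile ldap_profile1
            # per-sender-address limits (counted per half hour), with notification
            set sender-addr-rate-ctrl-state enable
            set sender-addr-rate-ctrl-max-msgs-state enable
            set sender-addr-rate-ctrl-max-msgs 30
            set sender-addr-rate-ctrl-max-size-state enable
            set sender-addr-rate-ctrl-max-size 100
            set sender-addr-rate-notification-state enable
            config sender-addr-rate-ctrl-exempt
                edit 1
                    # a system sender that legitimately exceeds the limits (constructed address)
                    set sender-pattern "alerts@example.com"
                    set pattern-type default
                next
            end
            # 20 MB cap, given in KB; larger messages are rejected
            set max-message-size 20480
            # keep bounce address tag verification for incoming mail
            set bypass-bounce-verification disable
            set dmarc-report-status enable
            # strip internal Received: headers from mail leaving the domain
            set remove-outgoing-received-header enable
            # domain-level quarantine reports to each recipient
            set quarantine-report-status enable
            set quarantine-report-to-individual enable
        end
    next
end
```

The two verification settings complement each other: recipient-verification stops quarantine accounts for non-existent recipients from being created, while recipient-verification-background removes the ones left behind when accounts are deleted from the directory.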

Variable

Description

Default

addressbook {domain | none | system}

(server mode only)

Add newly created mail users to the system address book, to the domain address book, or to neither.

domain

bypass-bounce-verification {enable | disable}

Enable to omit bounce address tag verification of email incoming to this protected domain.

This bypass does not omit bounce address tagging of outgoing email.

disable

fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

(transparent mode and gateway mode only)

Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain.

This SMTP server will be used if the primary SMTP server is unreachable.

fallback-port <port_int>

(transparent mode and gateway mode only)

Enter the port number on which the failover SMTP server listens.

If you enable fallback-use-smtps, this port automatically changes to the default port number for SMTPS, but can still be customized.

The default SMTP port number is 25; the default SMTPS port number is 465.

25

fallback-use-smtps {enable | disable}

(transparent mode and gateway mode only)

Enable to use SMTPS for connections originating from or destined for this protected server.

disable

global-bayesian {enable | disable}

Enable to use the global Bayesian database instead of the Bayesian database for this protected domain.

If you do not need the Bayesian database to be specific to the protected domain, you may want to use the global Bayesian database instead in order to simplify database maintenance and training.

Disable to use the per-domain Bayesian database.

This option does not apply if you have enabled use of personal Bayesian databases in an incoming antispam profile, and if the personal Bayesian database is mature. Instead, the FortiMail unit will use the personal Bayesian database.

disable

greeting-with-host-name {domainname | hostname | othername}

Specify how the FortiMail unit will identify itself during the HELO or EHLO greeting of outgoing SMTP connections that it initiates.

domainname: The FortiMail unit will identify itself using the domain name for this protected domain.

If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.

hostname: The FortiMail unit will identify itself using its own host name.

By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select to use the system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.

othername: If you select this option, another command, set other-helo-greeting <string>, will appear, allowing you to enter a name other than the domain name or host name for the HELO/EHLO greeting.

hostname

host <host_name>

(transparent mode and gateway mode only)

The host name or IP address and port number of the mail exchanger (MX) for this protected domain.

If relay-type is mx-lookup or mx-lookup-alt-domain, this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty.

ip-pool <pool_name>

You can use a pool of IP addresses as the source IP address when sending email from this domain, or as the destination IP address when receiving email destined to this domain, or as both the source and destination IP addresses.

If you want to use the IP pool as the source IP address for this protected domain, according to the sender’s email address in the envelope (MAIL FROM:), select the IP pool to use and select outgoing as the ip-pool-direction.

If you want to use the IP pool as the destination IP address (virtual host) for this protected domain, according to the recipient’s email address in the envelope (RCPT TO:), select the IP pool to use and select incoming as the ip-pool-direction. You must also configure the MX record to direct email to the IP pool addresses as well.
This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different hosts and logging for each host can be separated as well.

If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select Both as the ip-pool-direction.

Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

ip-pool-direction {outgoing | incoming | both}

Sets the direction for the ip-pool option. See description above.

This option is only available after you configure the ip-pool option.

is-sub-domain {enable | disable}

Enable to indicate the protected domain you are creating is a subdomain of an existing protected domain, then also configure Main domain.

Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will be displayed as grouped under the parent protected domain when viewing the list of protected domains.

This option is available only when another protected domain exists to select as the parent domain.

disable

ldap-asav-profile <ldap-profile_name>

Specify the name of an LDAP profile which you have enabled and configured.

ldap-asav-status {enable | disable}

Enable to query an LDAP server for an email user’s preferences to enable or disable antispam and/or antivirus processing for email messages destined for them.

disable

ldap-domain-routing-port <port_int>

Enter the port number on which the SMTP servers in the LDAP profile listen.

If you enable ldap-domain-routing-smtps, this setting automatically changes to the default port number for SMTPS, but can still be customized.

The default SMTP port number is 25; the default SMTPS port number is 465.

This option is valid when relay-type is ldap-domain-routing.

25

ldap-domain-routing-profile <ldap-profile_name>

Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query. Also configure ldap-domain-routing-port <port_int> and ldap-domain-routing-smtps {enable |disable}.

This option is valid when relay-type is set to ldap-domain-routing.

ldap-domain-routing-smtps {enable |disable}

Enable to use SMTPS for connections originating from or destined for this protected server.

This option is valid when relay-type is ldap-domain-routing.

disable

ldap-groupowner-profile <ldap-profile_name>

Select an LDAP profile to send the quarantine report to a group owner, rather than individual recipients.

ldap-routing-profile <ldap-profile_name>

Select an LDAP profile for mail routing.

ldap-routing-status {enable | disable}

Enable/disable LDAP mail routing.

disable

ldap-user-profile <profile_name>

Select the name of an LDAP profile that you have configured, enabling you to authenticate email users and to expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members.

max-message-size <limit_int>

Enable, then type the limit in kilobytes (KB) on the message size. Email messages over the threshold size are rejected.

Note: If both this option and expire-inactivity <days_int> in the session profile are enabled, email size will be limited to whichever size is smaller.

204800KB

other-helo-greeting <string>

After you set greeting-with-host-name to othername, use this command to specify the name to use for the HELO/EHLO greeting.

port <smtp-port_int>

(transparent mode and gateway mode only)

Set the SMTP port number of the mail server.

25

quarantine-report-schedule-status {enable | disable}

Enable or disable domain-level quarantine report schedule setting.

The quarantine report settings for a protected domain are a subset of the system-wide quarantine report settings.

For example, if the system settings for schedule include only Monday and Thursday, when you are setting the schedule for the quarantine reports of the protected domain, you will only be able to select either Monday or Thursday.

disable

quarantine-report-status {enable | disable}

Enable or disable domain-level quarantine report.

disable

quarantine-report-to-alt {enable | disable}

Enable or disable sending domain-level quarantine report to a recipient other than the individual recipients or group owner. For example, you might delegate quarantine reports by sending them to an administrator whose email address is not locally deliverable to the protected domain, such as admin@lab.example.com.

disable

quarantine-report-to-alt-addr <recipient_email>

Enter the recipient’s email address.

quarantine-report-to-individual {enable | disable}

Enable to send quarantine reports to all recipients.

enable

quarantine-report-to-ldap-groupowner {enable | disable}

Enable to send quarantine reports to the LDAP group owner of the specified LDAP profile.

disable

recipient-verification {disable | ldap | smtp}

Select a method of confirming that the recipient email address in the message envelope (RCPT TO:) corresponds to an email user account that actually exists on the protected email server. If the recipient address is invalid, the FortiMail unit will reject the email. This prevents quarantine email messages for non-existent accounts, thereby conserving quarantine hard disk space.

disable: Do not verify that the recipient address is an email user account that actually exists.

smtp: Query the SMTP server using the SMTP RCPT command to verify that the recipient address is an email user account that actually exists. You can also choose to use the SMTP VRFY command to do the verification. This feature is available on the GUI when you create a domain.
If you want to query an SMTP server other than the one you have defined as the protected SMTP server, also enable Use alternative server, then enter the IP address or FQDN of the server in the field next to it. Also configure Port with the TCP port number on which the SMTP server listens, and enable Use SMTPS if you want to use SMTPS for recipient address verification connections with the server.

ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server.

Note: This option can cause a performance impact that may be noticeable during peak traffic times. For a lesser performance impact, you can instead periodically remove quarantined email messages for invalid email user accounts, rather than actively preventing them for each email message.

Note: Spam often contains invalid recipient addresses. If you have enabled spam quarantining, but have not prevented or scheduled the periodic removal of quarantined email messages for invalid email accounts, the FortiMail hard disk may be rapidly consumed during peak traffic times, resulting in refused SMTP connections when the hard disk becomes full. To prevent this, enable either this option or the periodic removal of invalid quarantine accounts.

disable

recipient-verification-background {disable | ldap | smtp}

Select a method by which to periodically remove quarantined spam for which an email user account does not actually exist on the protected email server.

disable: Do not verify that the recipient address is an email user account that actually exists.

smtp: Query the SMTP server to verify that the recipient address is an email user account that actually exists.

ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server.
If you select either smtp or ldap, at 4:00 AM daily (unless configured for another time, using the CLI), the FortiMail unit queries the server to verify the existence of email user accounts. If an email user account does not currently exist, the FortiMail unit removes all spam quarantined for that email user account.

Note: If you have also enabled recipient-verification, the FortiMail unit is prevented from forming quarantine accounts for email user accounts that do not really exist on the protected email server. In that case, invalid quarantine accounts are never formed, and this option may not be necessary, except when you delete email user accounts on the protected email server. If this is the case, you can improve the performance of the FortiMail unit by disabling this option.

Note: Spam often contains invalid recipient addresses. If you have enabled spam quarantining, but have not prevented or scheduled the periodic removal of quarantined email messages for invalid email accounts, the FortiMail hard disk may be rapidly consumed during peak traffic times, resulting in refused SMTP connections when the hard disk becomes full. To prevent this, enable either this option or verification of recipient addresses.

relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

(transparent mode and gateway mode only)

Select from one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain:

host: Configure the connection to one protected SMTP server or, if any, one fallback.

ldap-domain-routing: Query the LDAP server for the FQDN or IP address of the SMTP server. For more information about domain lookup, see domain-query <query_str>.

mx-lookup: Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.

mx-lookup-alt-domain: Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.

ip-pool: Configure the connection to rotate among one or many protected SMTP servers.

Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit.

Gateway mode: A private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server, configure the protected SMTP server’s A record with its private IP address, while on the public DNS server, configure the FortiMail unit’s A record with its public IP address.

Transparent mode: A private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server’s A record with its private IP address. On the public DNS server, configure the protected SMTP server’s A record with its public IP address. Do not modify the MX record.

host

remove-outgoing-received-header {enable | disable}

Enable to remove the Received: message headers from email whose:

  • sender email address belongs to this protected domain, and
  • recipient email address is outgoing (that is, does not belong to this protected domain); if there are multiple recipients, only the first recipient’s email address is used to determine whether an email is outgoing.

You can alternatively remove this header from any matching email using session profiles.
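As an added example (not FortiMail code), the following Python models the two conditions above against an envelope and a message, stripping every Received: header only when both hold. It uses only the first RCPT TO: address, as the description states, so it also shows the edge case that follows from that rule: when the first recipient is internal and a later one is external, the internal hops remain in the copy that leaves the domain. The message and the addresses are constructed.

```python
"""Model of the remove-outgoing-received-header decision.

Added example, not FortiMail code. Applies the two conditions from the
description to an envelope (MAIL FROM / RCPT TO) plus message text and
strips every Received: header when both hold. Only the first RCPT TO
address is examined, as the description states. All addresses, host names
and the message itself are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "example.com"

# Constructed message as handed over by an internal client, carrying the
# internal hops that Received: stripping is meant to keep from leaving.
RAW_MESSAGE = """\
Received: from ws-17.corp.example.com ([10.10.5.17]) by mail.example.com; Fri, 24 Jul 2008 15:14:28 GMT
Received: from mail.example.com ([10.10.1.25]) by fortimail.example.com; Fri, 24 Jul 2008 15:14:29 GMT
From: user1@example.com
To: partner@external.example.net
Subject: quarterly figures

See attachment.
"""


def address_domain(addr):
    """Lower-cased domain part of an address; '' if there is none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def is_outgoing(mail_from, rcpt_to, protected_domain=PROTECTED_DOMAIN):
    """True when the sender is in the protected domain and the FIRST recipient is not."""
    if not rcpt_to:
        return False
    sender_internal = address_domain(mail_from) == protected_domain
    first_rcpt_external = address_domain(rcpt_to[0]) != protected_domain
    return sender_internal and first_rcpt_external


def strip_received(raw):
    """Remove all Received: headers and return the message as text."""
    msg = message_from_string(raw)
    del msg["Received"]  # deletes every occurrence of the header, not just the first
    return msg.as_string()


def process(raw, mail_from, rcpt_to, protected_domain=PROTECTED_DOMAIN):
    """Return (stripped?, message text) for one envelope/message pair."""
    if is_outgoing(mail_from, rcpt_to, protected_domain):
        return True, strip_received(raw)
    return False, raw


def received_count(raw):
    return len(message_from_string(raw).get_all("Received", []))
```

The last assertion-worthy case is the one to remember when relying on this setting: an outgoing message whose first RCPT TO: is an internal address keeps its Received: headers for every recipient, including the external ones.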

disable

sender-addr-rate-ctrl-max-msgs <integer>

Enter the maximum number of messages per sender address per half hour.

30

sender-addr-rate-ctrl-max-msgs-state {enable | disable}

Enable the limit on the number of messages per sender address per half hour.

disable

sender-addr-rate-ctrl-max-size <integer>

Enter the maximum number of megabytes per sender address per half hour.

100

sender-addr-rate-ctrl-max-size-state {enable | disable}

Enable the limit on the number of megabytes per sender address per half hour.

disable

sender-addr-rate-ctrl-state {enable | disable}

Enable sender address rate control per sender email address.

disable
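The following class is an added example (not FortiMail code) of how the sender-addr-rate-ctrl-* settings above combine: a per-sender message count and a per-sender byte total, each with its own enable state, over a half-hour window, all behind one master switch. The page does not say whether the unit uses a fixed or a sliding window, or whether rejected messages are counted; the sliding window and not counting rejected messages are assumptions made here, and so are the sample sender addresses.

```python
"""Sliding-window model of sender address rate control.

Added example, not FortiMail code. Enforces the two limits described in
the table per sender address over a 30-minute window. Sliding-window
semantics, case-insensitive sender comparison and not counting rejected
messages are assumptions; the defaults (30 messages, 100 MB, everything
disabled) are the ones stated in the table.
"""
from collections import defaultdict, deque

HALF_HOUR = 30 * 60          # window length in seconds
MEGABYTE = 1024 * 1024


class SenderRateControl:
    """Per-sender limits on message count and total size within one window."""

    def __init__(self, enabled=True, max_msgs=30, msgs_enabled=True,
                 max_mb=100, size_enabled=True, window=HALF_HOUR):
        # enabled      -> sender-addr-rate-ctrl-state
        # max_msgs     -> sender-addr-rate-ctrl-max-msgs (+ -state)
        # max_mb       -> sender-addr-rate-ctrl-max-size (+ -state)
        self.enabled = enabled
        self.max_msgs, self.msgs_enabled = max_msgs, msgs_enabled
        self.max_bytes, self.size_enabled = max_mb * MEGABYTE, size_enabled
        self.window = window
        # sender -> deque of (timestamp, size_bytes) still inside the window
        self.history = defaultdict(deque)

    def _expire(self, sender, now):
        q = self.history[sender]
        while q and q[0][0] <= now - self.window:
            q.popleft()

    def check(self, sender, size_bytes, now):
        """Return (allowed, reason); only allowed messages are recorded."""
        if not self.enabled:
            return True, "rate control disabled"
        sender = sender.strip().lower()   # treat User@Example.com and user@example.com alike
        self._expire(sender, now)
        q = self.history[sender]
        if self.msgs_enabled and len(q) + 1 > self.max_msgs:
            return False, f"{sender}: more than {self.max_msgs} messages per {self.window} s"
        if self.size_enabled and sum(size for _, size in q) + size_bytes > self.max_bytes:
            return False, f"{sender}: more than {self.max_bytes // MEGABYTE} MB per {self.window} s"
        q.append((now, size_bytes))
        return True, "ok"
```

Keying on the envelope sender is what makes this a per-address control: a compromised account blasting outbound mail is throttled without affecting other senders in the same domain, but an attacker who can forge many distinct sender addresses is not, which is why it complements rather than replaces authentication and access control.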

smtp-recipient-verification-command {rcpt | vrfy}

(transparent mode and gateway mode only)

Specify the command that the FortiMail unit uses to query the SMTP server to verify that the recipient address is an email user account that actually exists. The default command that the FortiMail unit uses is rcpt.
For information about recipient verification, see recipient-verification {disable | ldap | smtp}

This option is only available after you select smtp in recipient-verification.

rcpt

smtp-recipient-verification-accept-reply-string <accept_string>

(transparent mode and gateway mode only)

When FortiMail queries the SMTP server with VRFY for recipient verification:

  • If the reply code is 2xx, the recipient exists.
  • If the reply code is not 2xx, FortiMail compares the accept string you specify with the reply text. If the accept string occurs in the reply text, the recipient exists.
  • Otherwise, the recipient is unknown.

For example, if the recipient is a group or mailing list, the SMTP server may answer with a 550 reply code and a reply text that depends on the server. If the recipient is marketing@example.com, the reply text might read “marketing@example.com is a group”. If you specify “is a group” as the accept string, it matches part of the reply text, so FortiMail treats the query as successful and accepts the recipient.

This option is available only when smtp-recipient-verification-command is set to vrfy.
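The following function is an added example (not FortiMail code) that applies the rules above to raw VRFY replies, including multi-line replies and the accept string. The sample replies are constructed, and plain substring matching is an assumption, since the page does not say whether the unit's match is case-sensitive. It also makes visible the caveat behind the rcpt default: a server that answers every VRFY with 252 (which RFC 5321 permits) satisfies the 2xx rule without having verified anything.

```python
"""Classify a VRFY reply the way the description above states.

Added example, not FortiMail code. Parses a (possibly multi-line) SMTP
reply, applies the 2xx rule, then the accept-string rule, and otherwise
reports the recipient as unknown. Substring matching without case folding
is an assumption. The sample replies below are constructed.
"""
import re

# "<3 digits><space or hyphen><text>"; a hyphen means more lines follow.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed replies from a protected SMTP server.
REPLY_USER = "250 2.1.5 <user1@example.com>\r\n"
REPLY_GROUP = ("550-5.1.1 marketing@example.com is a group\r\n"
               "550 5.1.1 Send to its members instead\r\n")
REPLY_NO_USER = "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown\r\n"
# Many servers answer like this to every VRFY; it carries no information.
REPLY_NO_VRFY = "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery\r\n"


def parse_reply(reply):
    """Return (code, text) for an SMTP reply; the text of all lines is joined."""
    code, parts = None, []
    for line in reply.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        parts.append(m.group(3))
    if code is None:
        raise ValueError("empty reply")
    return code, " ".join(parts)


def classify_vrfy_reply(reply, accept_string=None):
    """Return 'exists' or 'unknown', following the three rules in the table."""
    code, text = parse_reply(reply)
    if 200 <= code < 300:          # rule 1: any 2xx reply means the recipient exists
        return "exists"
    if accept_string and accept_string in text:   # rule 2: accept string found in reply text
        return "exists"
    return "unknown"               # rule 3
```

Before enabling vrfy, send a VRFY for an address that certainly does not exist to the protected server and look at the reply: if it is 252, the server is not verifying at all and every recipient will be deemed to exist, so rcpt is the better choice.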

tp-hidden {no | yes}

(transparent mode only)

Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in:

  • the SMTP greeting (HELO/EHLO) in the envelope and in the Received: message headers of email messages
  • the IP addresses in the IP header

This masks the existence of the FortiMail unit to the protected SMTP server.

Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.

For example, an SMTP client might have the IP address 172.16.1.1, and the FortiMail unit might have the domain name fortimail.example.com. If the option is enabled, the message headers would contain the client’s own address in the EHLO name and in the “by” host:

Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800

Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT

But if the option is disabled, the message headers would contain:

Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800

Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT

Note: This option does not apply to email messages sent from protected domains to protected domains, meaning that the FortiMail unit will not be hidden even if this option is enabled.

no

tp-server-on-port <port_int>

(transparent mode only)

Select the network interface (physical port) to which the protected SMTP server is connected.

Note: If you select the wrong network interface, the FortiMail unit will send the protected server’s email traffic out of that interface instead of the one the server is connected to.

0

tp-use-domain-mta {yes | no}

(transparent mode only)

Enable to proxy SMTP clients’ incoming connections when sending outgoing email messages via the protected SMTP server.

For example, if the protected domain example.com has the SMTP server 192.168.1.1, and an SMTP client for user1@example.com connects to it to send email to user2@external.example.net, enabling this option would cause the FortiMail unit to proxy the connection through to the protected SMTP server.

Disable to relay email using the built-in MTA to either the defined SMTP relay, if any, or directly to the MTA that is the mail exchanger (MX) for the recipient email address’s (RCPT TO:) domain. The email may not actually travel through the protected SMTP server, even though it was the relay originally specified by the SMTP client.

This option does not affect incoming connections containing incoming email messages, which will always be handled by the built-in MTA.

Note: This option will be ignored for email that matches an antispam or content profile where you have enabled alternate-host {<relay_fqdn> | <relay_ipv4>}.

no

use-stmps {enable | disable}

Enable to use SMTPS to relay email to the mail server.

disable

webmail-language <language_name>

Select the language that the FortiMail unit will use to display webmail and quarantine folder pages, or Use system settings. By default, the FortiMail unit uses the same language as the web-based manager.

webmail-theme {IndigoDarkBlue | RedGrey | Standard | Use-System-Settings}

Select the display theme that the FortiMail unit will use to display webmail and quarantine folder pages. By default, the FortiMail unit uses the same display theme as the web-based manager.

Use-System-Settings

config policy recipient

Use this sub-command to configure a recipient-based policy for a protected domain. To configure system-wide recipient policies instead, use the top-level config policy recipient command.

Syntax

This sub-command is available from within the command domain.

config policy recipient

edit <policy_index>

set auth-access-options {pop3 smtp-auth smtp-diff-identity web}

set certificate-required {yes | no}

set comment

set direction

set pkiauth {enable | disable}

set pkiuser <user_name>

set profile-antispam <antispam_name>

set profile-antivirus <antivirus_name>

set profile-auth-type {imap | local | ldap | pop3 | smtp | radius}

set profile-content <profile_name>

set profile-dlp

set profile-resource <profile_name>

set profile-ldap <profile_name>

set recipient-domain <domain>

set recipient-name <name_str>

set recipient-type {ldap-group | local-group | user}

set sender-domain <domain_name>

set sender-name <local-part_str>

set sender-type {ldap-group | local-group | user}

set smtp-diff-identity

set smtp-diff-identity-ldap

set smtp-diff-identity-ldap-profile

set status {enable | disable}

next

end

Variable

Description

Default

<policy_index>

Type the index number of the policy.

To view a list of existing entries, enter a question mark ( ? ).

auth-access-options {pop3 smtp-auth smtp-diff-identity web}

Type one or more of the following:

smtp-diff-identity: Allow email when the SMTP client authenticates with a different user name than the one that appears in the envelope’s sender email address. You must also enter smtp-auth for this option to have any effect.

web: Allow the email user to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their per-recipient spam quarantine.

pop3: Allow the email user to use POP3 to retrieve the contents of their per-recipient spam quarantine.

smtp-auth: Use the authentication server selected in the authentication profile when performing SMTP authentication for connecting SMTP clients.
Note: Entering this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication.

certificate-required {yes | no}

(transparent and gateway mode only)

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enable this option.

no

comment

Enter a comment for the recipient policy

direction

Enter whether the direction of mail traffic is incoming or outgoing.

pkiauth {enable | disable}

(transparent and gateway mode only)

Enable if you want to allow email users to log in to their per-recipient spam quarantine by presenting a certificate rather than a user name and password.

disable

pkiuser <user_name>

(transparent and gateway mode only)

Enter the name of an existing PKI user entry.

This is not required to be the same as the administrator or email user’s account name, although you may find it helpful to do so.

For example, you might have an administrator account named admin1. You might therefore find it most straightforward to also name the PKI user admin1, making it easy to remember which account you intended to use these PKI settings with.

profile-antispam <antispam_name>

Select an antispam profile that you want to apply to the policy.

profile-antivirus <antivirus_name>

Select an antivirus profile that you want to apply to the policy.

profile-auth-type {imap | local | ldap | pop3 | smtp | radius}

If you want email users to be able to authenticate using an external authentication server, first specify the profile type (SMTP, POP3, IMAP, RADIUS, or LDAP), then specify which profile to use.

For example:

set profile-auth-type ldap

set profile-auth-ldap ldap_profile1

profile-auth-imap <imap_name>

Type the name of an IMAP authentication profile.

This command is applicable only if you have enabled use of an IMAP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}

profile-auth-ldap <ldap_name>

Type the name of an LDAP authentication profile.

This command is applicable only if you have enabled use of an LDAP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}

profile-auth-pop3 <pop3_name>

Type the name of a POP3 authentication profile.

This command is applicable only if you have enabled use of a POP3 authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}

profile-auth-smtp <smtp_name>

Type the name of an SMTP authentication profile.

This command is applicable only if you have enabled use of an SMTP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-radius <radius_name>

Type the name of a RADIUS authentication profile.

This command is applicable only if you have enabled use of a RADIUS authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-content <profile_name>

Select which content profile you want to apply to the policy.

profile-dlp

Enter the DLP profile for the policy.

profile-resource <profile_name>

Select which resource profile you want to apply to the policy.

This option is only available in server mode.

profile-ldap <profile_name>

If you set the recipient type as ldap-group, you can select an LDAP profile.

recipient-domain <domain>

Enter the domain part of the recipient email address.

recipient-name <name_str>

Enter the local part of the recipient email address or a pattern with wild cards.

recipient-type {ldap-group | local-group | user}

Select one of the following ways to define recipient (RCPT TO:) email addresses that match this policy. This setting applies to the incoming policies only.

user: Select this option and then use the above command to enter the local part of the recipient email address.

local-group: Select this option and then specify the local group under this domain.

ldap-group: Select this option and then select an LDAP profile.

user

sender-domain <domain_name>

Enter the domain part of the sender email address. For example, example.com.

sender-name <local-part_str>

Enter the local part of the sender email address. For example, user1.

sender-type {ldap‑group | local-group | user}

Select one of the following ways to define which sender (MAIL FROM:)email addresses match this policy.

user: Select this option and then use the above command to enter the local part of the sender email address.

local-group: Select this option and then specify the local group under this domain.

ldap-group: Select this option and then select an LDAP profile.

Note: This setting applies to the outgoing policies only.

user

smtp-diff-identity

Enable to reject email when the SMTP sender identity differs from the identity the client authenticated with.

smtp-diff-identity-ldap

Verify the SMTP sender identity against LDAP for authenticated email.

smtp-diff-identity-ldap-profile

LDAP profile used for SMTP sender identity verification.

status {enable | disable}

Enable or disable the policy.

enable

config profile account-sync

Use this command to configure account synchronization settings for remote users from LDAP and Microsoft 365 servers.

Syntax

This sub-command is available from within the command domain.

config profile account-sync

edit <profile_name>

set base-dn <string>

set bind-dn <string>

set bind-password <password>

set description <string>

set group-display-name <string>

set group-primary-address <string>

set group-query <string>

set group-secondary-address <string>

set ldap-port <integer>

set ldap-secure {enable | disable}

set ldap-server <string>

set ldap-version {ver2 | ver3}

set ms365-application-id <string>

set ms365-application-secret <password>

set ms365-tenant-id <password>

set recurrence {daily | monthly | none | weekly}

set referrals-chase {enable | disable}

set schedule-hour <integer>

set scope {base | one | sub}

set timeout <integer>

set type {ldap | ms365}

set user-display-name <string>

set user-primary-address <string>

set user-query <string>

set user-secondary-address <string>

next

end

Variable

Description

Default

base-dn <string>

Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as ou=People,dc=example,dc=com.

User objects should be child nodes of this location.

bind-dn <string>

Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permission to query the base-dn.

bind-password <password>

Enter the password of bind-dn <string>.

description <string>

Enter a description.

group-display-name <string>

Enter the LDAP group/mailing list display name attribute.

group-primary-address <string>

Enter the LDAP group/mailing list primary email address attribute.

group-query <string>

Enter the LDAP group/mailing list query string.

group-secondary-address <string>

Enter the LDAP group/mailing list secondary email address attribute.

ldap-port <integer>

Enter the TCP port number of the LDAP server.

The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.

389

ldap-secure {enable | disable}

Enable or disable (by default) a secure encrypted connection to the LDAP server.

disable

ldap-server <string>

Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

ldap-version {ver2 | ver3}

Enter the LDAP server protocol version.

ver3

ms365-application-id <string>

Enter the Microsoft 365 application ID.

ms365-application-secret <password>

Enter the Microsoft 365 application secret.

ms365-tenant-id <password>

Enter the Microsoft 365 tenant ID.

recurrence {daily | monthly | none | weekly}

Define the recurrence/schedule of the remote server synchronization.

none

referrals-chase {enable | disable}

Enable or disable (by default) chasing of referrals.

disable

schedule-hour <integer>

Enter the hour of the day at which synchronization will occur. Set the value between 0-23.

1

scope {base | one | sub}

Define the search scope of the LDAP server; either base, one level, or subtree (by default).

sub

timeout <integer>

Enter the query timeout limit in seconds. Set the value between 60-600.

60

type {ldap | ms365}

Enter the remote server profile type.

ldap

user-display-name <string>

Enter the LDAP user's display name attribute.

user-primary-address <string>

Enter the LDAP user's primary email address attribute.

user-query <string>

Enter the LDAP query string to get all users.

user-secondary-address <string>

Enter the LDAP user's secondary email address attribute.
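As an added example (not FortiMail code), the following linter takes an account-sync profile as a dict keyed by the option names in the table above and reports the combinations a practitioner should catch before enabling it, above all a bind-dn password sent over an unencrypted LDAP connection because ldap-secure is left at its default. The ranges it checks are the ones stated in the table; the two sample profiles are constructed.

```python
"""Lint an account-sync profile against the table above.

Added example, not FortiMail code. Takes the profile as a dict keyed by the
option names (values as the CLI would take them, defaults as in the table)
and returns a list of findings. The sample profiles and their server names
and credentials are constructed.
"""


def lint_account_sync(p):
    findings = []
    kind = p.get("type", "ldap")
    if kind == "ldap":
        for key in ("ldap-server", "base-dn", "bind-dn", "bind-password", "user-query"):
            if not p.get(key):
                findings.append(f"{key} is not set")
        secure = p.get("ldap-secure", "disable") == "enable"
        port = int(p.get("ldap-port", 389))
        if not secure:
            # The bind DN authenticates with a password on every sync run.
            findings.append("ldap-secure is disabled: bind-password and directory data are sent in clear text")
        if secure and port == 389:
            findings.append("ldap-secure is enabled but ldap-port is 389; LDAPS normally uses 636")
        if not secure and port == 636:
            findings.append("ldap-port is 636 but ldap-secure is disabled; the connection will not be encrypted")
        if p.get("ldap-version", "ver3") == "ver2":
            findings.append("ldap-version ver2 is obsolete; use ver3")
        if p.get("referrals-chase", "disable") == "enable":
            findings.append("referrals-chase is enabled: the unit will follow the directory to other servers")
    elif kind == "ms365":
        for key in ("ms365-tenant-id", "ms365-application-id", "ms365-application-secret"):
            if not p.get(key):
                findings.append(f"{key} is not set")
    else:
        findings.append(f"unknown type {kind!r}")

    timeout = int(p.get("timeout", 60))
    if not 60 <= timeout <= 600:
        findings.append(f"timeout {timeout} is outside 60-600")
    hour = int(p.get("schedule-hour", 1))
    if not 0 <= hour <= 23:
        findings.append(f"schedule-hour {hour} is outside 0-23")
    if p.get("recurrence", "none") == "none":
        findings.append("recurrence is none: accounts are never synchronised on a schedule")
    return findings


# Constructed profile that relies on the table defaults: it works, but the
# bind password crosses the network unencrypted and nothing ever runs.
WEAK_PROFILE = {
    "type": "ldap",
    "ldap-server": "ldap.example.com",
    "base-dn": "ou=People,dc=example,dc=com",
    "bind-dn": "cn=FortiMailA,dc=example,dc=com",
    "bind-password": "s3cret",
    "user-query": "(objectClass=inetOrgPerson)",
}

# The same profile with the settings a practitioner would choose.
HARDENED_PROFILE = dict(WEAK_PROFILE, **{
    "ldap-secure": "enable",
    "ldap-port": "636",
    "ldap-version": "ver3",
    "recurrence": "daily",
    "schedule-hour": "2",
    "timeout": "120",
})
```

Feed the dict straight from the values you intend to type at the `config profile account-sync` prompt; the finding texts name the option to change.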

config user mail

Use this sub-command to configure email user accounts.

Syntax

This sub-command is available from within the command domain.

config user mail

rename <old_username> to <new_username> (see the note below)

edit <user_name>

set type {local | ldap}

set type local

set displayname <name_str>

set password <pwd_str>

set type ldap

set displayname <name_str>

set ldap-profile <ldap_name>

next

end

Variable

Description

Default

<old_username>

The user account name you want to rename.

<new_username>

The new user account name you want to change to.

<user_name>

Enter the user name of an email user, such as user1. This is also the local-part portion of the email user’s primary email address.

type {local | ldap}

Enter the type of email user account you want to add.

See set type local and set type ldap.

ldap

displayname <name_str>

Enter the display name of the local email user, such as 'User One'.

password <pwd_str>

Enter the password of the local email user.

displayname <name_str>

Enter the display name of the LDAP email user, such as 'User One'.

ldap-profile <ldap_name>

Enter the name of an LDAP profile in which authentication queries are enabled.

If you rename an existing user account to a new user account name, all of the user’s preferences and mail data are ported to the new user. However, because the account name has changed, the new user will not be able to decrypt and read encrypted email that was sent to the old user name.