CLI Reference

profile access-control

Use this command to configure access control rules.

Note that all access control rules operate at the system level. Only system level profiles (for example, email groups) can be used by access control rules.

Syntax

config profile access-control

    edit <profile_name>

        config access-control

            edit <id>

                set action {discard | receive | reject | relay | safe | safe-relay}

                set authenticated {any | authenticated | not-authenticated}

                set recipient-pattern <string>

                set recipient-pattern-ldap-groupname <group_name>

                set recipient-pattern-ldap-profile <profile_name>

                set recipient-pattern-group <group_name>

                set recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

                set reverse-dns-pattern <string>

                set reverse-dns-pattern-regexp {yes | no}

                set sender-ip-mask <ipv4mask>

                set sender-ip-type {geoip-group | ip-group | ip-mask}

                set sender-pattern <string>

                set sender-pattern-group <group_name>

                set sender-pattern-ldap-groupname <group_name>

                set sender-pattern-ldap-profile <profile_name>

                set sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

                set status {enable | disable}

                set tls-profile <profile_name>

        end

end

Variable

Description

Default

action {discard | receive | reject | relay | safe | safe-relay}

Enter an action for the profile:

  • discard: Enter to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

  • receive: Enter to only accept incoming email to protected domains if it passes all configured scans.

  • reject: Enter to reject the email and reply to the SMTP client with SMTP reply code 550.

  • relay: Enter to relay or proxy, process, and deliver the email normally if it passes all configured scans.

    Note: Greylisting is not applied to email accepted by this action.

  • safe: Enter to relay or proxy and deliver the email only if the recipient belongs to a protected domain or the sender is authenticated.

    All antispam profile processing will be skipped, but antivirus, content and other scans will still occur.

  • safe-relay: Enter to relay or proxy and deliver the email.

    All antispam profile processing will be skipped, but antivirus, content, and other scans will still occur.

reject

authenticated {any | authenticated | not-authenticated}

Enter whether or not to match this access control rule based on client authentication:

  • any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.

  • authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.

  • not-authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.

any

recipient-pattern <string>

Enter a pattern that defines recipient email addresses which match this rule, enclosed in single quotes escaped with backslashes, exactly as shown (such as \'*\').

*

recipient-pattern-ldap-groupname <group_name>

Enter the LDAP group name to specify the recipient pattern.

This option is only available when recipient-pattern-type is set to ldap.

recipient-pattern-ldap-profile <profile_name>

Enter the LDAP profile name to specify the recipient pattern.

This option is only available when recipient-pattern-type is set to either ldap or ldap-query.

recipient-pattern-group <group_name>

Enter the group name to specify the recipient pattern.

This option is only available when recipient-pattern-type is set to group.

recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

Enter how the recipient pattern is specified:

  • default: Match recipient-pattern as a wildcard pattern (* and ?).

  • internal: Match any recipient address that belongs to a protected domain.

  • external: Match any recipient address that does not belong to a protected domain.

  • group: Match recipients that are members of the email group named in recipient-pattern-group.

  • ldap: Match recipients that are members of the LDAP group named in recipient-pattern-ldap-groupname, queried through recipient-pattern-ldap-profile.

  • ldap-query: Match recipients whose address is confirmed to exist by the LDAP server queried through recipient-pattern-ldap-profile.

  • regexp: Match recipient-pattern as a regular expression.

default

reverse-dns-pattern <string>

Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message.

Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail unit performs a reverse DNS lookup of the SMTP client's IP address and compares the resulting domain name to the reverse DNS pattern. If the reverse DNS query fails, the access control rule does not match. If no other access control rule matches, the connection is rejected with SMTP reply code 550 (Relaying denied).

Wildcard characters allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters; a question mark (?) represents any single character.

For example, the reverse DNS pattern mail*.com will match messages delivered by an SMTP server whose reverse DNS name starts with "mail" and ends with ".com".

Note: Reverse DNS queries for access control rules require that the resolved domain name end in a valid top level domain (TLD). For example, ".lab" is not a valid top level domain, so the FortiMail unit cannot successfully perform a reverse DNS query for a name ending in it, and the rule will not match.

*

reverse-dns-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the reverse DNS pattern.

no

sender-ip-mask <ipv4mask>

Enter the IP address and netmask (for example, 10.0.0.0/8) of the SMTP client whose connections match this rule. This option is used when sender-ip-type is set to ip-mask. The default 0.0.0.0/0 matches every client, so a rule that keeps this default must restrict the match by other means (authenticated, recipient pattern, or tls-profile); combined with the relay or safe-relay action and no other restriction, it creates an open relay.

0.0.0.0/0

sender-ip-type {geoip-group | ip-group | ip-mask}

Select how the IP address of the SMTP client attempting to deliver the email message is matched: ip-mask compares it against sender-ip-mask, ip-group matches it against a system-level IP group, and geoip-group matches the country it resolves to against a GeoIP group.

ip-mask

sender-pattern <string>

Enter a pattern that defines sender email addresses which match this rule, enclosed in single quotes escaped with backslashes, exactly as shown (such as \'*@example.com\').

sender-pattern-group <group_name>

Enter the group name to specify the sender pattern.

This option is only available when sender-pattern-type is set to group.

sender-pattern-ldap-groupname <group_name>

Enter the LDAP group name to specify the sender pattern.

This option is only available when sender-pattern-type is set to ldap.

sender-pattern-ldap-profile <profile_name>

Enter the LDAP profile name to specify the sender pattern.

This option is only available when sender-pattern-type is set to either ldap or ldap-query.

sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

Enter how the sender pattern is specified:

  • default: Match sender-pattern as a wildcard pattern (* and ?).

  • internal: Match any sender address that belongs to a protected domain.

  • external: Match any sender address that does not belong to a protected domain.

  • group: Match senders that are members of the email group named in sender-pattern-group.

  • ldap: Match senders that are members of the LDAP group named in sender-pattern-ldap-groupname, queried through sender-pattern-ldap-profile.

  • ldap-query: Match senders whose address is confirmed to exist by the LDAP server queried through sender-pattern-ldap-profile.

  • regexp: Match sender-pattern as a regular expression.

default

status {enable | disable}

Enable or disable the access control rule.

enable

tls-profile <profile_name>

Enter a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

If the attributes match, the access control action is executed.

If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

For more information on TLS profiles, see the FortiMail Administration Guide.
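The following complete profile is an added example written for this page; it is not from the FortiMail CLI Reference or from Fortinet. The profile name acl_inbound, the TLS profile name tls_require and the subnet 10.0.0.0/8 are assumptions. Rules are evaluated in order of ID and the first matching rule decides the action; a session that matches no rule is rejected with SMTP reply code 550 (Relaying denied). Lines beginning with # are explanatory comments rather than CLI input, and next closes each edit entry as in other Fortinet CLIs.

```text
# Added example, not from the FortiMail CLI Reference. Assumed names:
# acl_inbound (profile), tls_require (TLS profile), 10.0.0.0/8 (internal subnet).
config profile access-control
    edit acl_inbound
        config access-control
            # 1: clients that passed SMTP AUTH may send to any recipient,
            #    but only over a session that satisfies the TLS profile.
            edit 1
                set action relay
                set authenticated authenticated
                set sender-pattern \'*\'
                set recipient-pattern \'*\'
                set tls-profile tls_require
            next
            # 2: internal application servers relay without SMTP AUTH, limited
            #    to the internal subnet. The sender-ip-mask is the only thing
            #    keeping this rule from being an open relay. relay is used
            #    rather than safe-relay so antispam processing still runs.
            edit 2
                set action relay
                set authenticated not-authenticated
                set sender-ip-type ip-mask
                set sender-ip-mask 10.0.0.0/8
                set recipient-pattern \'*\'
            next
            # 3: everyone else may deliver only to protected domains, and only
            #    if the message passes all configured scans.
            edit 3
                set action receive
                set authenticated not-authenticated
                set sender-ip-type ip-mask
                set sender-ip-mask 0.0.0.0/0
                set recipient-pattern-type internal
            next
            # 4: explicit catch-all. Equivalent to the implicit 550 for
            #    unmatched sessions, but it makes the default visible.
            edit 4
                set action reject
                set authenticated any
                set sender-ip-mask 0.0.0.0/0
                set recipient-pattern \'*\'
            next
        end
    next
end

# WEAK VARIANT (do not deploy): relay for any client, authenticated or not,
# from any address and to any recipient is an open relay. Rules 2 and 3
# above show the two safe ways to split the same traffic.
#   edit 9
#       set action relay
#       set authenticated any
#       set sender-ip-mask 0.0.0.0/0
#       set recipient-pattern \'*\'
#   next
```

When reviewing an existing profile, read each relay or safe-relay rule and ask which of authenticated, sender-ip-mask, sender-pattern-type or tls-profile actually narrows it; a relay rule whose only constraint is a wildcard recipient pattern is the misconfiguration the weak variant illustrates.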
