Fortinet white logo
Fortinet white logo

Administration Guide

Configuring session profiles

Configuring session profiles

Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.

To configure session profiles
  1. Go to Profile > Session > Session.
  2. Click New to add a profile or double-click a profile to modify it.
  3. For a new session profile, type the name in Profile name. The profile name is editable later.
  4. Configure the following sections as needed:

Configuring connection settings

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

  1. Go to Profile > Session > Session.
  2. Click New to create a new session profile or double click on an existing profile to edit it.
  3. Expand the Connection Setting section if needed. The options vary with the operation mode.
  4. Configure the following options to restrict the number and duration of connections to the FortiMail unit. When any of these limits are exceeded, the FortiMail unit blocks further connections.

GUI item

Description

Hide this box from the mail server

(transparent mode only)

Enable to preserve the IP address or domain name of the SMTP client in:

  • the SMTP greeting (HELO/EHLO) and in the Received: message headers of email messages
  • the client IP in email header

This masks the existence of the FortiMail unit to the protected SMTP server.

Disable to replace the SMTP client’s IP addresses or domain names with that of the FortiMail unit.

Note: Unless you enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain supersedes this option, and may prevent it from applying to incoming email messages.

Note: For full transparency, also enable Hide the transparent box.

Restrict the number of connections per client per 30 minutes to

Specify the maximum connections per client IP address in a period of 30 minutes. 0 means no limit.

Restrict the number of messages per client per 30 minutes to

Specify the maximum email messages (number of MAIL FROM) a client can send in a period of 30 minutes. 0 means no limit.

Restrict the number of recipients per client per 30 minutes to

Specify the maximum recipients (number of RCPT TO) a client can send email to for a period of 30 minutes. 0 means no limit.

Maximum concurrent connections for each client

Enter the maximum number of concurrent connections per client. 0 means no limit.

Connection idle timeout (seconds)

Enter a limit to the number of seconds a client may be idle before the FortiMail unit drops the connection.

Set the value between 5-1200.

Do not let client connect to blocklisted SMTP servers

(transparent mode only)

Enable to prevent clients from connecting to SMTP servers that have been blocklisted in antispam profiles or, the FortiGuard AntiSpam service if enabled.

Note: This option applies only if you have enabled “Use client-specified SMTP server to send email” on page 259, and only for outgoing connections.

Configuring sender reputation options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

You can also view the sender reputation statuses by going to Monitor > Sender Reputation. See Viewing sender reputation statuses.

To configure sender reputation options
  1. Go to Profile > Session > Session.
  2. Click New to create a new session profile or double click on an existing profile to edit it.
  3. Click to expand Sender Reputation.
  4. Sender reputation is a predominantly automatic antispam feature, requiring little or no maintenance. For each connecting SMTP client (sometimes called a sender), the sender reputation feature records the sender IP address and the number of good email and bad email from the sender.

    In this case, bad email is defined as:

  • Spam

  • Virus-infected

  • Unknown recipients

  • Invalid DKIM

  • Failed SPF check

Note

Sender reputation scores can be affected by sender validation results.

Note

Enabling sender reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.

  • Configure the following:
  • GUI item

    Description

    Enable sender reputation

    Enable to accept or reject email based upon sender reputation scores.

    The following options have no effect unless this option is enabled.

    This option may not function well for SMTP clients with dynamic IP addresses. Instead, consider “Enable Endpoint Reputation” on page 316.

    Throttle client at

    Enter a sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client.

    Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly.

    The enforced rate limit is either Restrict number of emails per hour to n or Restrict email to n percent of the previous hour, whichever value is greater. After the sender reaches the limit, no more incoming email will be accepted.

    Restrict number of emails per hour to

    Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.

    Restrict email to ... percent of the previous hour

    Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour.

    Temporarily fail client at

    Enter a sender reputation score over which the FortiMail unit will return a temporary failure error when the SMTP client attempts to initiate a connection.

    Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increase or decrease the sender reputation scores accordingly.

    Reject client at

    Enter a sender reputation score over which the FortiMail unit will reject the email and reply to the SMTP client with SMTP reply code 550 when the SMTP client attempts to initiate a connection.

    Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increase or decrease the sender reputation scores accordingly.

    FortiGuard IP reputation check

    • Use AntiSpam profile settings: In an antispam profile, you can also enable or disable FortiGuard IP reputation checking. This action happens after the entire message has been received by FortiMail. For details, see Configuring FortiGuard options.
    • When client connects: Enable to query the FortiGuard Antispam Service to determine if the IP address of the SMTP server is blocklisted. And this action will happen during the connection phase. Therefore, if this feature is enabled in a session profile and the action is reject, the performance will be improved.
    • Disable: Skip FortiGuard IP reputation check, even this is enabled in an antispam profile.

    Configuring endpoint reputation options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Endpoint Reputation.
    4. The Endpoint Reputation settings let you restrict, based upon its endpoint reputation score, the ability of an MSISDN or subscriber ID to send email or MM3 multimedia messaging service (MMS) messages from a mobile device. The MSISDN reputation score is similar to a sender reputation score.

      For more on endpoint reputation-based behavior, see About endpoint reputation.

      Note

      Enabling endpoint reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.

    5. Configure the following:
    6. GUI item

      Description

      Enable Endpoint Reputation

      Enable to accept, monitor, or reject email based upon endpoint reputation scores.

      This option is designed for use with SMTP clients with dynamic IP addresses. It requires that your RADIUS server provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail unit. If this profile governs sessions of SMTP clients with static IP addresses, instead see Configuring sender reputation options.

      Action

      Select either:

      • Reject: Reject email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed Auto blocklist score trigger value.
      • Monitor: Log, but do not reject, email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed Auto blocklist score trigger value. Entries appear in the history log.

      Auto blocklist score trigger value

      Enter the MSISDN reputation score over which the FortiMail unit will add the MSISDN/subscriber ID to the automatic blocklist.

      The trigger score is relative to the period of time configured as the automatic blocklist window. For more information on the automatic blocklist window, see Configuring the endpoint reputation score window.

      Auto blocklist duration

      Enter the number of minutes that an MSISDN/subscriber ID will be prevented from sending email or MMS messages after they have been automatically blocklisted.

    Configuring sender validation options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Sender Validation. Configure the settings to confirm sender and message.
    4. DomainKeys validation is a predecessor of DKIM and works in the same way. Because some domains still use DomainKeys validation, it is provided for backward compatibility.

      Failure to validate does not guarantee that an email is spam, just as successful validation does not guarantee that an email is not spam, but it may help to indicate spam. Validation results are used to adjust the sender reputation scores, MSISDN reputation scores, and deep header scans.

      Note

      Enabling sender validation can improve performance by rejecting invalid senders before more resource-intensive antispam scans are performed.

    5. Configure the following:
    6. GUI item

      Description

      SPF check

      If the sender domain DNS record lists SPF authorized IP addresses, use SPF check to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408).

      An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score.

      If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation.

      Note: No SPF check is performed for direct connections from RFC 1918 private IP addresses.

      Note: If you select to Bypass SPF checking in the session profile, SPF checking will be bypassed even though you enable it in the antispam profile.

      Note: Before FortiMail 4.3.1 release, only SPF hardfailed
      (-all) email is treated as spam. Starting from 4.3.2 to 6.0.2 release, you can use a CLI command (set spf-checking {strict | aggressive} under config antispam settings) to control if the SPF softfailed (~all) email should also be treated as spam. For details, see the FortiMail CLI Guide. Starting from 6.0.3, this command is removed.

      Enable DKIM check

      If a DKIM signature is present (RFC 4871), enable this to query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature.

      An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score.

      If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation.

      Enable DKIM signing for outgoing messages

      Enable to sign outgoing email with a DKIM signature.

      This option requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers cannot validate your DKIM signature. For details on generating domain key pairs and publishing the public key, see DKIM Setting.

      Before 6.2.0 release, Envelope From domain is used for DKIM signatures. After 6.2.0 release, Header From domain is used instead. If there is no DKIM key for the Header From domain, then the key for the Envelope From domain will be used.

      Note: Outbound quarantined email messages will not be DKIM signed when they are released.

      Enable DKIM signing for authenticated senders only

      Enable to sign outgoing email with a DKIM signature only if the sender is authenticated.

      Enable domain key check

      If a DomainKey signature is present, use this option to query the DNS server for the sender’s domain name to retrieve its public key to decrypt and verify the DomainKey signature.

      An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score.

      If the sender domain DNS record does not include DomainKey information or the message is not signed, the FortiMail unit omits the DomainKey signature validation.

      Bypass bounce verification check

      If bounce verification is enabled, enable to omit verification of bounce address tags on incoming bounce messages.

      This bypass does not omit bounce address tagging of outgoing messages.

      For more information, see Configuring bounce verification and tagging.

      Sender address verification with LDAP

      Enable to verify sender email addresses on an LDAP server. Also select an LDAP profile from the dropdown list. Or click New to create a new one. For details about LDAP profiles, see Configuring LDAP profiles.

    Configuring session settings

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Session Setting.
    4. Configure the following:

    GUI item

    Description

    Session action

    Select an action profile or click New to create a new one. The session action profile uses the content action profile. For more information about actions, see Configuring content action profiles.

    Message selection

    The action can be applied to All messages or Accepted messages only. For example, for header manipulation, tagging, some other actions, you can choose to apply them to the accepted message only.

    Reject EHLO/HELO commands with invalid characters in the domain

    Enable to return SMTP reply code 501, and to reject the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.

    To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a valid domain name.

    The following example shows invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT

    EHLO ^^&^&^#$

    501 5.0.0 Invalid domain name

    Valid characters for domain names include:

    • alphanumerics (A to Z and 0 to 9)
    • brackets ( [ and ] )
    • periods ( . )
    • dashes ( - )
    • underscores ( _ )
    • number symbols( # )
    • colons ( : )

    Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address

    (transparent mode only)

    Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the IP address of the client to prevent domain name spoofing.

    Rewrite EHLO/HELO domain to

    (transparent mode only)

    Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the specified value.

    Prevent encryption of the session

    (transparent mode only)

    Enable to block STARTTLS/MD5 commands so that email connections cannot be TLS-encrypted.

    Caution: Disable this option only if you trust that SMTP clients connecting using TLS through the FortiMail unit will not be sources of viruses or spam. FortiMail units operating in transparent mode cannot scan encrypted connections traveling through them. Disabling this option could thereby permit viruses and spam to travel through the FortiMail unit.

    Allow pipelining for the session

    (transparent mode only)

    Enable to allow SMTP command pipelining. This lets multiple SMTP commands to be accepted and processed simultaneously, improving performance for high-latency connections.

    Disable to allow the SMTP client to send only a single command at a time during an SMTP session.

    Enforce strict RFC compliance

    (transparent mode only)

    Enable to limit pipelining support to strict compliance with RFC 2920, SMTP Service Extension for Command Pipelining.

    This option is effective only if Allow pipelining for the session is enabled.

    Perform strict syntax checking

    Enable to return SMTP reply code 503, and to reject a SMTP command, if the client or server uses SMTP commands that are syntactically incorrect.

    EHLO or HELO, MAIL FROM:, RCPT TO: (can be multiple), and DATA commands must be in that order. AUTH, STARTTLS, RSET, or NOOP commands can arrive at any time. Other commands, or commands in an unacceptable order, return a syntax error.

    The following example shows invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT

    EHLO example.com

    250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

    RCPT TO:<user1@example.com>

    503 5.0.0 Need MAIL before RCPT

    Switch to SPLICE mode after

    (transparent mode only)

    Enable to use splice mode. Enter threshold value based on time (seconds) or data size (kilobytes).

    Splice mode lets the FortiMail unit simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of server timeout. If it detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name.

    ACK EOM before AntiSpam check

    Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete.

    If the FortiMail unit does not complete antispam scanning within 4 minutes, it returns SMTP reply code 451(Try again later), resulting in no permanent problems, since according to RFC 2821, the minimum timeout value should be 10 minutes. However, in rare cases where the server or client’s timeout is shorter than 4 minutes, the sending client or server could time-out while waiting for the FortiMail unit to acknowledge the EOM command. Enabling this option prevents those rare cases.

    Configuring unauthenticated session settings

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Unauthenticated Session Setting.
    4. Configure the following:

    GUI item

    Description

    Check HELO/EHLO domain

    Enable to return SMTP reply code 501, and reject the SMTP command, if the domain name accompanying the SMTP greeting is not a domain name that exists in either MX or A records.In the following example, the invalid command is highlighted in bold:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

    EHLO example.com

    The following example shows the invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500

    ehlo abc.qq

    250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you

    250-ENHANCEDSTATUSCODES

    250-PIPELINING

    250-8BITMIME

    250-SIZE 10485760

    250-DSN

    250-AUTH LOGIN PLAIN

    250-STARTTLS

    250-DELIVERBY

    250 HELP

    mail from:aaa@333

    550 5.5.0 Invalid EHLO/HELO domain.

    quit

    221 2.0.0 FortiMail-400.localdomain closing connection

    Connection closed by foreign host.

    Check sender domain

    Enable to return SMTP reply code 421, and reject the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records.

    The following example shows the invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

    EHLO

    250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

    MAIL FROM:<user1@example.com>

    421 4.3.0 Could not resolve sender domain.

    Check recipient domain

    Enable to return SMTP reply code 550, and reject the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records.

    The following example shows the invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT

    EHLO example.com

    250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

    MAIL FROM:<user1@fortinet.com>

    250 2.1.0 <user1@fortinet.com>... Sender ok

    RCPT TO:<user2@example.com>

    550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]

    Reject empty domains

    Enable to return SMTP reply code 553, and reject the SMTP command, if the HELO/EHLO greeting does not have a domain, or the sender address (MAIL FROM:) is empty.

    The following example shows the invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500

    ehlo

    250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you

    250-ENHANCEDSTATUSCODES

    250-PIPELINING

    250-8BITMIME

    250-SIZE 10485760

    250-DSN

    250-AUTH LOGIN PLAIN

    250-STARTTLS

    250-DELIVERBY

    250 HELP

    mail from:aaa@333

    550 5.5.0 Empty EHLO/HELO domain.

    quit

    221 2.0.0 FortiMail-400.localdomain closing connection

    Prevent open relaying

    (transparent mode only)

    Enable to prevent clients from using open relays to send email by blocking sessions that are unauthenticated (Unauthenticated sessions are assumed to be occurring to an open relay).

    If you permit SMTP clients to use open relays to send email, email from your domain could be blocklisted by other SMTP servers.

    This option is effective only if you have enabled Use client-specified SMTP server to send email for outgoing mail. Otherwise, the FortiMail unit forces clients to use the gateway you have defined as a relay server (see Configuring SMTP relay hosts), if any, or the MTA of the domain name in the recipient email address (RCPT TO:), as determined using an MX lookup, so it is not possible for them to use an open relay.

    Reject if recipient and helo domain match but sender domain is different

    Enable to reject the email if the domain name in the SMTP greeting (HELO/EHLO) and recipient email address (RCPT TO:) match, but the domain name in the sender email address (MAIL FROM:) does not.

    Mismatching domain names is sometimes used by spammers to mask the true identity of their SMTP client.

    Configuring SMTP limit options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand SMTP Limits.
    4. Setting any of these values to 0 disables the limit.

    5. Configure the following:

    GUI item

    Description

    Restrict number of EHLO/HELOs per session to

    Enter the limit of SMTP greetings that a connecting SMTP server or client can perform before the FortiMail unit terminates the connection. Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities (more attempts results in a greater number of terminated connections, which must then be re-initiated).

    Restrict number of emails per session to

    Enter the limit of email messages per session to prevent mass mailing.

    Restrict number of recipients per email to

    Enter the limit of recipients to prevent mass mailing.

    Cap message size (KB) at

    Enter the limit of the message size. Messages over the threshold size are rejected.

    Note: When you configure domain settings under Domain & User > Domain, you can also set the message size limit. Here is how the two settings work together:

    • For outgoing email (for information about email directions, see Inbound versus outbound email), only the size limit in the session profile will be matched. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be used.
    • For incoming email, the size limits in both the session profile and domain settings will be checked. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be compared with the size limit in the domain settings. FortiMail will use the smaller size.

    Cap header size (KB) at

    Enter the limit of the message header size. Messages with headers over the threshold size are rejected.

    Maximum number of NOOPs allowed for each connection

    Enter the limit of NOOP commands permitted per SMTP connection. Some spammers use NOOP commands to keep a long connection alive. Legitimate connections usually require few NOOPs.

    Maximum number of RSETs allowed for each connection

    Enter the limit of RSET commands permitted per SMTP connection. Some spammers use RSET commands to try again after receiving error messages such as unknown recipient. Legitimate connections should require few RSETs.

    Configuring error handling options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Error Handling.
    4. Configure Error Handling to specify how the FortiMail unit should handle connections from SMTP clients that are error-prone. Errors sometime indicate attempts to misuse the server. You can impose delays or drop connections if there are errors. Setting any of these values to 0 disables the limit.

      Note

      Configuring error handling can improve performance by dropping connections with error-prone SMTP clients.

    5. Configure the following:
    6. GUI item

      Description

      Number of 'free' errors allowed for each client

      Enter the number of errors permitted before the FortiMail unit imposes a delay.

      Delay for the first non-free error (seconds)

      Enter the delay time for the first error after the number of free errors is reached.

      Delay increment for subsequent errors (seconds)

      Enter the number of seconds by which to increase the delay for each error after the first delay is imposed.

      Maximum number of errors allowed for each connection

      Enter the total number of errors the FortiMail unit accepts before dropping the connection. By default, five errors are permitted before the FortiMail unit drops the connection.

    Configuring header manipulation options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Header Manipulation.
    4. Email processing software and hardware can add extra lines to the message header of each email message. When multiple lines are added, this can significantly increase the size of the email message. You can configure header manipulation settings to reduce the number of message headers.

    5. Configure the following:

    GUI item

    Description

    Remove received header

    Enable to remove all Received: message headers from email messages.

    You can alternatively remove this header on a per-domain basis. For details, see Remove received header of outgoing email.

    Remove headers

    Enable to remove other configured headers from email messages, then click Edit to configure which headers should be removed.

    Remove headers inserted by this unit

    Enable to remove the headers that are inserted by this FortiMail unit. The above two options are to remove headers inserted by previous MTAs.

    Configuring list options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Lists.
    4. Configure the sender and recipient block lists and safe lists, if any, to sue with the session profile. Block and safe lists are separate for each session profile, and apply only to traffic controlled by the IP-based policy to which the session profile is applied.

      Email addresses in each block list or safe list are arranged in alphabetical order. For more information on how blocklisted email addresses are handled, see Order of execution of block lists and safe lists.

      Note

      If you require regular expression support for safelisting and blocklisting sender and recipient email addresses in the envelope, do not configure safe and block lists in the session profile. Instead, configure access control rules and message delivery rules. For more information, see Managing the address book (server mode only).

      Caution

      Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans, including SPF validation.

    5. Configure the following:
    6. GUI item

      Description

      Enable sender safe list checking

      Enable to check the sender addresses in the email envelope (MAIL FROM:), email header (From:) and (Reply-to:) against the safe list in the SMTP sessions to which this profile is applied, then click Edit to define the safelisted email addresses.

      Enable sender block list checking

      Enable to check the sender addresses in the email envelope (MAIL FROM:), email header (From:) and (Reply-to:) against the block list in the SMTP sessions to which this profile is applied, then click Edit to define the blocklisted email addresses.

      Allow recipients on this list

      Enable to check the recipient addresses in the email envelope (RCPT TO:) against the safe list in the SMTP sessions to which this profile is applied, then click Edit to define safelisted email addresses.

      Disallow recipients on this list

      Enable to check the recipient addresses in the email envelope (RCPT TO:) against the block list in the SMTP sessions to which this profile is applied, then click Edit to define blocklisted email addresses.

    Configuring advanced MTA control settings

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    In addition to global MTA settings, you can configure the following MTA settings in a session profile. These session-specific MTA settings will overwrite the global settings configured elsewhere.

    By default, this feature is hidden. To use this feature, you must enable it under System > FortiGuard > Licensed Feature or by using the following CLI command:

    config system global

    set mta-adv-ctrl-status enable

    end

    After this feature is enabled, the following options will appear in the session profile settings. In addition, four new tabs (Address Rewrite, Mail Routing, Access Control, and DSN) will also appear under Profile > Session.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Advanced Control.
    4. Configure the following:

    GUI item

    Description

    Email queue

    Select which email queue to use for the matching sessions. For other general queue settings, see Configuring mail queue setting.

    Rewrite sender address

    Select an Address Rewrite profile to rewrite the sender address and specify which sender address to rewrite: Envelope From, Header From, or Header Reply-to.

    Select Use Envelope From value for selected headers if you want to use the Envelope From value to rewrite the Header From and/or Header Reply-to.

    Click New to create a new profile. For details about configuring Address Rewrite profiles, see Configuring address rewrite profiles in the session profile.

    Rewrite recipient address

    Select an Address Rewrite profile to rewrite the recipient address and specify which recipient address to rewrite: Envelope recipient or Header To and CC.

    Note that if you set to deliver or quarantine the unmodified copy of email when you configure the action profile preferences, the envelope recipient/RCPT TO will still be rewritten.

    Click New to create a new profile. For details about configuring Address Rewrite profiles, see Configuring address rewrite profiles in the session profile.

    Mail routing

    Select a mail routing profile or click New to create one. For details about creating mail routing profiles, see Configuring mail routing profiles in a session profile.

    Access control

    Select an access control profile or click New to create one. For details, see Configuring access control profiles in a session profile.

    DSN

    Select a DNS profile or click New to create one. For details, see Configuring DSN profiles in a session profile.

    Remote logging

    Select a remote logging profile or click New to create one. Note that the remote logging profiles used here are the same as the system-wide remote logging profiles. For details, see Configuring logging to a Syslog server or FortiAnalyzer unit.

    Configuring address rewrite profiles in the session profile

    If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Address Rewrite tab will appear.

    To configure an address rewrite profile to be used in a session profile
    1. Go to Profile > Session > Address Rewrite.
    2. Click New.
    3. Enter a profile name.
    4. Click New to enter the address rewrite rules.
    • For Rewrite type, select Local if you are configuring direct rewrite from the original address to another specific address. Then specify the original address and the address you want to rewrite to. If you want to keep the local part or the domain part of the original address, click Insert Variable to insert the variable for the local part or the domain part.
    • Select LDAP if you want to rewrite the original address to the user’s external email address and display name that are stored on an LDAP server when the email “Envelope From”, “Header From”, or “Reply-to” matches a sender rewrite pattern. Then specify the original address and the LDAP profile. For information about LDAP server configuration, see Configuring address mapping options.
  • Click Create.
  • Configuring mail routing profiles in a session profile

    If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Mail Routing tab will appear.

    To configure a mail routing profile to be used in a session profile
    1. Go to Profile > Session > Mail Routing.
    2. Click New.
    3. Enter a profile name.
    4. Click New to configure the mail routing settings.
    5. In the popup window, specify the sender pattern, recipient pattern and the relay type:
    • Host: Relay the matched sessions to the specified SMTP server.
    • MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
    • MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also specify the alternate domain name.
  • Specify the SMTP port number. The default port is 25.
  • Click Create.
  • Configuring access control profiles in a session profile

    If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Access Control tab will appear.

    To configure an access control profile to be used in a session profile
    1. Go to Profile > Session > Access Control.
    2. Click New.
    3. Enter a profile name.
    4. Click New to configure the access control rule.
    5. In the popup window, configure the rule settings. These setting are identical to the system-wide access control rule settings. For details, see Configuring access control rules.
    6. Click Create.

    Configuring DSN profiles in a session profile

    If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the DSN tab will appear. Configure this setting to overwrite the global setting configured in Configuring mail queue setting.

    To configure a DSN profile to be used in a session profile
    1. Go to Profile > Session > DSN.
    2. Click New.
    3. Enter a profile name.
    4. Specify if you want to send DSN email and the maximum number of retries.
    5. Click Create.

    Configuring session profiles

    Configuring session profiles

    Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.

    To configure session profiles
    1. Go to Profile > Session > Session.
    2. Click New to add a profile or double-click a profile to modify it.
    3. For a new session profile, type the name in Profile name. The profile name is editable later.
    4. Configure the following sections as needed:

    Configuring connection settings

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Expand the Connection Setting section if needed. The options vary with the operation mode.
    4. Configure the following options to restrict the number and duration of connections to the FortiMail unit. When any of these limits are exceeded, the FortiMail unit blocks further connections.

    GUI item

    Description

    Hide this box from the mail server

    (transparent mode only)

    Enable to preserve the IP address or domain name of the SMTP client in:

    • the SMTP greeting (HELO/EHLO) and in the Received: message headers of email messages
    • the client IP in email header

    This masks the existence of the FortiMail unit to the protected SMTP server.

    Disable to replace the SMTP client’s IP addresses or domain names with that of the FortiMail unit.

    Note: Unless you enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain supersedes this option, and may prevent it from applying to incoming email messages.

    Note: For full transparency, also enable Hide the transparent box.

    Restrict the number of connections per client per 30 minutes to

    Specify the maximum connections per client IP address in a period of 30 minutes. 0 means no limit.

    Restrict the number of messages per client per 30 minutes to

    Specify the maximum email messages (number of MAIL FROM) a client can send in a period of 30 minutes. 0 means no limit.

    Restrict the number of recipients per client per 30 minutes to

    Specify the maximum recipients (number of RCPT TO) a client can send email to for a period of 30 minutes. 0 means no limit.

    Maximum concurrent connections for each client

    Enter the maximum number of concurrent connections per client. 0 means no limit.

    Connection idle timeout (seconds)

    Enter a limit to the number of seconds a client may be idle before the FortiMail unit drops the connection.

    Set the value between 5-1200.

    Do not let client connect to blocklisted SMTP servers

    (transparent mode only)

    Enable to prevent clients from connecting to SMTP servers that have been blocklisted in antispam profiles or, the FortiGuard AntiSpam service if enabled.

    Note: This option applies only if you have enabled “Use client-specified SMTP server to send email” on page 259, and only for outgoing connections.

    Configuring sender reputation options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    You can also view the sender reputation statuses by going to Monitor > Sender Reputation. See Viewing sender reputation statuses.

    To configure sender reputation options
    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click to expand Sender Reputation.
    4. Sender reputation is a predominantly automatic antispam feature, requiring little or no maintenance. For each connecting SMTP client (sometimes called a sender), the sender reputation feature records the sender IP address and the number of good email and bad email from the sender.

      In this case, bad email is defined as:

    • Spam

    • Virus-infected

    • Unknown recipients

    • Invalid DKIM

    • Failed SPF check

    Note

    Sender reputation scores can be affected by sender validation results.

    Note

    Enabling sender reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.

  • Configure the following:
  • GUI item

    Description

    Enable sender reputation

    Enable to accept or reject email based upon sender reputation scores.

    The following options have no effect unless this option is enabled.

    This option may not function well for SMTP clients with dynamic IP addresses. Instead, consider “Enable Endpoint Reputation” on page 316.

    Throttle client at

    Enter a sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client.

    Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly.

    The enforced rate limit is either Restrict number of emails per hour to n or Restrict email to n percent of the previous hour, whichever value is greater. After the sender reaches the limit, no more incoming email will be accepted.

    Restrict number of emails per hour to

    Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.

    Restrict email to ... percent of the previous hour

    Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour.

    Temporarily fail client at

    Enter a sender reputation score over which the FortiMail unit will return a temporary failure error when the SMTP client attempts to initiate a connection.

    Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increase or decrease the sender reputation scores accordingly.

    Reject client at

    Enter a sender reputation score over which the FortiMail unit will reject the email and reply to the SMTP client with SMTP reply code 550 when the SMTP client attempts to initiate a connection.

    Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increase or decrease the sender reputation scores accordingly.

    FortiGuard IP reputation check

    • Use AntiSpam profile settings: In an antispam profile, you can also enable or disable FortiGuard IP reputation checking. This action happens after the entire message has been received by FortiMail. For details, see Configuring FortiGuard options.
    • When client connects: Enable to query the FortiGuard Antispam Service to determine if the IP address of the SMTP server is blocklisted. And this action will happen during the connection phase. Therefore, if this feature is enabled in a session profile and the action is reject, the performance will be improved.
    • Disable: Skip FortiGuard IP reputation check, even this is enabled in an antispam profile.

    Configuring endpoint reputation options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Endpoint Reputation.
    4. The Endpoint Reputation settings let you restrict, based upon its endpoint reputation score, the ability of an MSISDN or subscriber ID to send email or MM3 multimedia messaging service (MMS) messages from a mobile device. The MSISDN reputation score is similar to a sender reputation score.

      For more on endpoint reputation-based behavior, see About endpoint reputation.

      Note

      Enabling endpoint reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.

    5. Configure the following:
    6. GUI item

      Description

      Enable Endpoint Reputation

      Enable to accept, monitor, or reject email based upon endpoint reputation scores.

      This option is designed for use with SMTP clients with dynamic IP addresses. It requires that your RADIUS server provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail unit. If this profile governs sessions of SMTP clients with static IP addresses, instead see Configuring sender reputation options.

      Action

      Select either:

      • Reject: Reject email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed Auto blocklist score trigger value.
      • Monitor: Log, but do not reject, email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed Auto blocklist score trigger value. Entries appear in the history log.

      Auto blocklist score trigger value

      Enter the MSISDN reputation score over which the FortiMail unit will add the MSISDN/subscriber ID to the automatic blocklist.

      The trigger score is relative to the period of time configured as the automatic blocklist window. For more information on the automatic blocklist window, see Configuring the endpoint reputation score window.

      Auto blocklist duration

      Enter the number of minutes that an MSISDN/subscriber ID will be prevented from sending email or MMS messages after they have been automatically blocklisted.

    Configuring sender validation options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Sender Validation. Configure the settings to confirm sender and message.
    4. DomainKeys validation is a predecessor of DKIM and works in the same way. Because some domains still use DomainKeys validation, it is provided for backward compatibility.

      Failure to validate does not guarantee that an email is spam, just as successful validation does not guarantee that an email is not spam, but it may help to indicate spam. Validation results are used to adjust the sender reputation scores, MSISDN reputation scores, and deep header scans.

      Note

      Enabling sender validation can improve performance by rejecting invalid senders before more resource-intensive antispam scans are performed.

    5. Configure the following:
    6. GUI item

      Description

      SPF check

      If the sender domain DNS record lists SPF authorized IP addresses, use SPF check to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408).

      An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score.

      If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation.

      Note: No SPF check is performed for direct connections from RFC 1918 private IP addresses.

      Note: If you select to Bypass SPF checking in the session profile, SPF checking will be bypassed even though you enable it in the antispam profile.

      Note: Before FortiMail 4.3.1 release, only SPF hardfailed
      (-all) email is treated as spam. Starting from 4.3.2 to 6.0.2 release, you can use a CLI command (set spf-checking {strict | aggressive} under config antispam settings) to control if the SPF softfailed (~all) email should also be treated as spam. For details, see the FortiMail CLI Guide. Starting from 6.0.3, this command is removed.

      Enable DKIM check

      If a DKIM signature is present (RFC 4871), enable this to query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature.

      An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score.

      If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation.

      Enable DKIM signing for outgoing messages

      Enable to sign outgoing email with a DKIM signature.

      This option requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers cannot validate your DKIM signature. For details on generating domain key pairs and publishing the public key, see DKIM Setting.

      Before 6.2.0 release, Envelope From domain is used for DKIM signatures. After 6.2.0 release, Header From domain is used instead. If there is no DKIM key for the Header From domain, then the key for the Envelope From domain will be used.

      Note: Outbound quarantined email messages will not be DKIM signed when they are released.

      Enable DKIM signing for authenticated senders only

      Enable to sign outgoing email with a DKIM signature only if the sender is authenticated.

      Enable domain key check

      If a DomainKey signature is present, use this option to query the DNS server for the sender’s domain name to retrieve its public key to decrypt and verify the DomainKey signature.

      An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score.

      If the sender domain DNS record does not include DomainKey information or the message is not signed, the FortiMail unit omits the DomainKey signature validation.

      Bypass bounce verification check

      If bounce verification is enabled, enable to omit verification of bounce address tags on incoming bounce messages.

      This bypass does not omit bounce address tagging of outgoing messages.

      For more information, see Configuring bounce verification and tagging.

      Sender address verification with LDAP

      Enable to verify sender email addresses on an LDAP server. Also select an LDAP profile from the dropdown list. Or click New to create a new one. For details about LDAP profiles, see Configuring LDAP profiles.

    Configuring session settings

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Session Setting.
    4. Configure the following:

    GUI item

    Description

    Session action

    Select an action profile or click New to create a new one. The session action profile uses the content action profile. For more information about actions, see Configuring content action profiles.

    Message selection

    The action can be applied to All messages or Accepted messages only. For example, for header manipulation, tagging, some other actions, you can choose to apply them to the accepted message only.

    Reject EHLO/HELO commands with invalid characters in the domain

    Enable to return SMTP reply code 501, and to reject the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.

    To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a valid domain name.

    The following example shows invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT

    EHLO ^^&^&^#$

    501 5.0.0 Invalid domain name

    Valid characters for domain names include:

    • alphanumerics (A to Z and 0 to 9)
    • brackets ( [ and ] )
    • periods ( . )
    • dashes ( - )
    • underscores ( _ )
    • number symbols( # )
    • colons ( : )

    Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address

    (transparent mode only)

    Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the IP address of the client to prevent domain name spoofing.

    Rewrite EHLO/HELO domain to

    (transparent mode only)

    Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the specified value.

    Prevent encryption of the session

    (transparent mode only)

    Enable to block STARTTLS/MD5 commands so that email connections cannot be TLS-encrypted.

    Caution: Disable this option only if you trust that SMTP clients connecting using TLS through the FortiMail unit will not be sources of viruses or spam. FortiMail units operating in transparent mode cannot scan encrypted connections traveling through them. Disabling this option could thereby permit viruses and spam to travel through the FortiMail unit.

    Allow pipelining for the session

    (transparent mode only)

    Enable to allow SMTP command pipelining. This lets multiple SMTP commands to be accepted and processed simultaneously, improving performance for high-latency connections.

    Disable to allow the SMTP client to send only a single command at a time during an SMTP session.

    Enforce strict RFC compliance

    (transparent mode only)

    Enable to limit pipelining support to strict compliance with RFC 2920, SMTP Service Extension for Command Pipelining.

    This option is effective only if Allow pipelining for the session is enabled.

    Perform strict syntax checking

    Enable to return SMTP reply code 503, and to reject a SMTP command, if the client or server uses SMTP commands that are syntactically incorrect.

    EHLO or HELO, MAIL FROM:, RCPT TO: (can be multiple), and DATA commands must be in that order. AUTH, STARTTLS, RSET, or NOOP commands can arrive at any time. Other commands, or commands in an unacceptable order, return a syntax error.

    The following example shows invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT

    EHLO example.com

    250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

    RCPT TO:<user1@example.com>

    503 5.0.0 Need MAIL before RCPT

    Switch to SPLICE mode after

    (transparent mode only)

    Enable to use splice mode. Enter threshold value based on time (seconds) or data size (kilobytes).

    Splice mode lets the FortiMail unit simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of server timeout. If it detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name.

    ACK EOM before AntiSpam check

    Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete.

    If the FortiMail unit does not complete antispam scanning within 4 minutes, it returns SMTP reply code 451(Try again later), resulting in no permanent problems, since according to RFC 2821, the minimum timeout value should be 10 minutes. However, in rare cases where the server or client’s timeout is shorter than 4 minutes, the sending client or server could time-out while waiting for the FortiMail unit to acknowledge the EOM command. Enabling this option prevents those rare cases.

    Configuring unauthenticated session settings

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Unauthenticated Session Setting.
    4. Configure the following:

    GUI item

    Description

    Check HELO/EHLO domain

    Enable to return SMTP reply code 501, and reject the SMTP command, if the domain name accompanying the SMTP greeting is not a domain name that exists in either MX or A records.In the following example, the invalid command is highlighted in bold:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

    EHLO example.com

    The following example shows the invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500

    ehlo abc.qq

    250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you

    250-ENHANCEDSTATUSCODES

    250-PIPELINING

    250-8BITMIME

    250-SIZE 10485760

    250-DSN

    250-AUTH LOGIN PLAIN

    250-STARTTLS

    250-DELIVERBY

    250 HELP

    mail from:aaa@333

    550 5.5.0 Invalid EHLO/HELO domain.

    quit

    221 2.0.0 FortiMail-400.localdomain closing connection

    Connection closed by foreign host.

    Check sender domain

    Enable to return SMTP reply code 421, and reject the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records.

    The following example shows the invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

    EHLO

    250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

    MAIL FROM:<user1@example.com>

    421 4.3.0 Could not resolve sender domain.

    Check recipient domain

    Enable to return SMTP reply code 550, and reject the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records.

    The following example shows the invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT

    EHLO example.com

    250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

    MAIL FROM:<user1@fortinet.com>

    250 2.1.0 <user1@fortinet.com>... Sender ok

    RCPT TO:<user2@example.com>

    550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]

    Reject empty domains

    Enable to return SMTP reply code 553, and reject the SMTP command, if the HELO/EHLO greeting does not have a domain, or the sender address (MAIL FROM:) is empty.

    The following example shows the invalid command in bold italics:

    220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500

    ehlo

    250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you

    250-ENHANCEDSTATUSCODES

    250-PIPELINING

    250-8BITMIME

    250-SIZE 10485760

    250-DSN

    250-AUTH LOGIN PLAIN

    250-STARTTLS

    250-DELIVERBY

    250 HELP

    mail from:aaa@333

    550 5.5.0 Empty EHLO/HELO domain.

    quit

    221 2.0.0 FortiMail-400.localdomain closing connection

    Prevent open relaying

    (transparent mode only)

    Enable to prevent clients from using open relays to send email by blocking sessions that are unauthenticated (Unauthenticated sessions are assumed to be occurring to an open relay).

    If you permit SMTP clients to use open relays to send email, email from your domain could be blocklisted by other SMTP servers.

    This option is effective only if you have enabled Use client-specified SMTP server to send email for outgoing mail. Otherwise, the FortiMail unit forces clients to use the gateway you have defined as a relay server (see Configuring SMTP relay hosts), if any, or the MTA of the domain name in the recipient email address (RCPT TO:), as determined using an MX lookup, so it is not possible for them to use an open relay.

    Reject if recipient and helo domain match but sender domain is different

    Enable to reject the email if the domain name in the SMTP greeting (HELO/EHLO) and recipient email address (RCPT TO:) match, but the domain name in the sender email address (MAIL FROM:) does not.

    Mismatching domain names is sometimes used by spammers to mask the true identity of their SMTP client.

    Configuring SMTP limit options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand SMTP Limits.
    4. Setting any of these values to 0 disables the limit.

    5. Configure the following:

    GUI item

    Description

    Restrict number of EHLO/HELOs per session to

    Enter the limit of SMTP greetings that a connecting SMTP server or client can perform before the FortiMail unit terminates the connection. Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities (more attempts results in a greater number of terminated connections, which must then be re-initiated).

    Restrict number of emails per session to

    Enter the limit of email messages per session to prevent mass mailing.

    Restrict number of recipients per email to

    Enter the limit of recipients to prevent mass mailing.

    Cap message size (KB) at

    Enter the limit of the message size. Messages over the threshold size are rejected.

    Note: When you configure domain settings under Domain & User > Domain, you can also set the message size limit. Here is how the two settings work together:

    • For outgoing email (for information about email directions, see Inbound versus outbound email), only the size limit in the session profile will be matched. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be used.
    • For incoming email, the size limits in both the session profile and domain settings will be checked. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be compared with the size limit in the domain settings. FortiMail will use the smaller size.

    Cap header size (KB) at

    Enter the limit of the message header size. Messages with headers over the threshold size are rejected.

    Maximum number of NOOPs allowed for each connection

    Enter the limit of NOOP commands permitted per SMTP connection. Some spammers use NOOP commands to keep a long connection alive. Legitimate connections usually require few NOOPs.

    Maximum number of RSETs allowed for each connection

    Enter the limit of RSET commands permitted per SMTP connection. Some spammers use RSET commands to try again after receiving error messages such as unknown recipient. Legitimate connections should require few RSETs.

    Configuring error handling options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Error Handling.
    4. Configure Error Handling to specify how the FortiMail unit should handle connections from SMTP clients that are error-prone. Errors sometime indicate attempts to misuse the server. You can impose delays or drop connections if there are errors. Setting any of these values to 0 disables the limit.

      Note

      Configuring error handling can improve performance by dropping connections with error-prone SMTP clients.

    5. Configure the following:
    6. GUI item

      Description

      Number of 'free' errors allowed for each client

      Enter the number of errors permitted before the FortiMail unit imposes a delay.

      Delay for the first non-free error (seconds)

      Enter the delay time for the first error after the number of free errors is reached.

      Delay increment for subsequent errors (seconds)

      Enter the number of seconds by which to increase the delay for each error after the first delay is imposed.

      Maximum number of errors allowed for each connection

      Enter the total number of errors the FortiMail unit accepts before dropping the connection. By default, five errors are permitted before the FortiMail unit drops the connection.

    Configuring header manipulation options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Header Manipulation.
    4. Email processing software and hardware can add extra lines to the message header of each email message. When multiple lines are added, this can significantly increase the size of the email message. You can configure header manipulation settings to reduce the number of message headers.

    5. Configure the following:

    GUI item

    Description

    Remove received header

    Enable to remove all Received: message headers from email messages.

    You can alternatively remove this header on a per-domain basis. For details, see Remove received header of outgoing email.

    Remove headers

    Enable to remove other configured headers from email messages, then click Edit to configure which headers should be removed.

    Remove headers inserted by this unit

    Enable to remove the headers that are inserted by this FortiMail unit. The above two options are to remove headers inserted by previous MTAs.

    Configuring list options

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Lists.
    4. Configure the sender and recipient block lists and safe lists, if any, to sue with the session profile. Block and safe lists are separate for each session profile, and apply only to traffic controlled by the IP-based policy to which the session profile is applied.

      Email addresses in each block list or safe list are arranged in alphabetical order. For more information on how blocklisted email addresses are handled, see Order of execution of block lists and safe lists.

      Note

      If you require regular expression support for safelisting and blocklisting sender and recipient email addresses in the envelope, do not configure safe and block lists in the session profile. Instead, configure access control rules and message delivery rules. For more information, see Managing the address book (server mode only).

      Caution

      Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans, including SPF validation.

    5. Configure the following:
    6. GUI item

      Description

      Enable sender safe list checking

      Enable to check the sender addresses in the email envelope (MAIL FROM:), email header (From:) and (Reply-to:) against the safe list in the SMTP sessions to which this profile is applied, then click Edit to define the safelisted email addresses.

      Enable sender block list checking

      Enable to check the sender addresses in the email envelope (MAIL FROM:), email header (From:) and (Reply-to:) against the block list in the SMTP sessions to which this profile is applied, then click Edit to define the blocklisted email addresses.

      Allow recipients on this list

      Enable to check the recipient addresses in the email envelope (RCPT TO:) against the safe list in the SMTP sessions to which this profile is applied, then click Edit to define safelisted email addresses.

      Disallow recipients on this list

      Enable to check the recipient addresses in the email envelope (RCPT TO:) against the block list in the SMTP sessions to which this profile is applied, then click Edit to define blocklisted email addresses.

    Configuring advanced MTA control settings

    This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

    In addition to global MTA settings, you can configure the following MTA settings in a session profile. These session-specific MTA settings will overwrite the global settings configured elsewhere.

    By default, this feature is hidden. To use this feature, you must enable it under System > FortiGuard > Licensed Feature or by using the following CLI command:

    config system global

    set mta-adv-ctrl-status enable

    end

    After this feature is enabled, the following options will appear in the session profile settings. In addition, four new tabs (Address Rewrite, Mail Routing, Access Control, and DSN) will also appear under Profile > Session.

    1. Go to Profile > Session > Session.
    2. Click New to create a new session profile or double click on an existing profile to edit it.
    3. Click the arrow to expand Advanced Control.
    4. Configure the following:

    GUI item

    Description

    Email queue

    Select which email queue to use for the matching sessions. For other general queue settings, see Configuring mail queue setting.

    Rewrite sender address

    Select an Address Rewrite profile to rewrite the sender address and specify which sender address to rewrite: Envelope From, Header From, or Header Reply-to.

    Select Use Envelope From value for selected headers if you want to use the Envelope From value to rewrite the Header From and/or Header Reply-to.

    Click New to create a new profile. For details about configuring Address Rewrite profiles, see Configuring address rewrite profiles in the session profile.

    Rewrite recipient address

    Select an Address Rewrite profile to rewrite the recipient address and specify which recipient address to rewrite: Envelope recipient or Header To and CC.

    Note that if you set to deliver or quarantine the unmodified copy of email when you configure the action profile preferences, the envelope recipient/RCPT TO will still be rewritten.

    Click New to create a new profile. For details about configuring Address Rewrite profiles, see Configuring address rewrite profiles in the session profile.

    Mail routing

    Select a mail routing profile or click New to create one. For details about creating mail routing profiles, see Configuring mail routing profiles in a session profile.

    Access control

    Select an access control profile or click New to create one. For details, see Configuring access control profiles in a session profile.

    DSN

    Select a DNS profile or click New to create one. For details, see Configuring DSN profiles in a session profile.

    Remote logging

    Select a remote logging profile or click New to create one. Note that the remote logging profiles used here are the same as the system-wide remote logging profiles. For details, see Configuring logging to a Syslog server or FortiAnalyzer unit.

    Configuring address rewrite profiles in the session profile

    If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Address Rewrite tab will appear.

    To configure an address rewrite profile to be used in a session profile
    1. Go to Profile > Session > Address Rewrite.
    2. Click New.
    3. Enter a profile name.
    4. Click New to enter the address rewrite rules.
    • For Rewrite type, select Local if you are configuring direct rewrite from the original address to another specific address. Then specify the original address and the address you want to rewrite to. If you want to keep the local part or the domain part of the original address, click Insert Variable to insert the variable for the local part or the domain part.
    • Select LDAP if you want to rewrite the original address to the user’s external email address and display name that are stored on an LDAP server when the email “Envelope From”, “Header From”, or “Reply-to” matches a sender rewrite pattern. Then specify the original address and the LDAP profile. For information about LDAP server configuration, see Configuring address mapping options.
  • Click Create.
  • Configuring mail routing profiles in a session profile

    If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Mail Routing tab will appear.

    To configure a mail routing profile to be used in a session profile
    1. Go to Profile > Session > Mail Routing.
    2. Click New.
    3. Enter a profile name.
    4. Click New to configure the mail routing settings.
    5. In the popup window, specify the sender pattern, recipient pattern and the relay type:
    • Host: Relay the matched sessions to the specified SMTP server.
    • MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
    • MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also specify the alternate domain name.
  • Specify the SMTP port number. The default port is 25.
  • Click Create.
  • Configuring access control profiles in a session profile

    If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Access Control tab will appear.

    To configure an access control profile to be used in a session profile
    1. Go to Profile > Session > Access Control.
    2. Click New.
    3. Enter a profile name.
    4. Click New to configure the access control rule.
    5. In the popup window, configure the rule settings. These setting are identical to the system-wide access control rule settings. For details, see Configuring access control rules.
    6. Click Create.

    Configuring DSN profiles in a session profile

    If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the DSN tab will appear. Configure this setting to overwrite the global setting configured in Configuring mail queue setting.

    To configure a DSN profile to be used in a session profile
    1. Go to Profile > Session > DSN.
    2. Click New.
    3. Enter a profile name.
    4. Specify if you want to send DSN email and the maximum number of retries.
    5. Click Create.