
policy access-control delivery

Use this command to configure delivery rules that apply to the SMTP sessions the FortiMail unit itself initiates in order to deliver email.

Delivery rules let you require TLS for the SMTP sessions the FortiMail unit initiates when sending email to other email servers. They also let you apply message encryption through an encryption profile, which FortiMail provides as identity-based encryption (IBE) or secure MIME (S/MIME).

When initiating an SMTP session, the FortiMail unit compares each delivery rule to the envelope recipient address (RCPT TO:), the envelope sender address (MAIL FROM:), and the IP address of the SMTP server receiving the connection. Rules are evaluated in the order of their list sequence, from top to bottom, and the first matching rule is the only one applied to the session; no later rule is consulted. If no delivery rule matches, the email message is delivered with no rule applied. If a rule matches, the FortiMail unit compares the connection attributes to the settings in the rule's TLS profile and, depending on the result, either sends the email message or refuses to use the connection; if the rule also selects an encryption profile, that profile's settings are applied to the message.

Syntax

config policy access-control delivery

edit <rule_id>

set comment <string>

set destination <ip&netmask_str>

set encryption-profile <profile_str>

set ip-pool-profile <profile_str>

set recipient-pattern <pattern_str>

set sender-pattern <pattern_str>

set status {enable | disable}

set tls-profile <profile_str>

end

Variable, description and default:

<rule_id>

Enter the number identifying the rule.

comment <string>

Enter any comment for this delivery rule.

destination <ip&netmask_str>

Enter the IP address and netmask of the system to which the FortiMail unit is sending the email message. The netmask, the portion after the slash (/), specifies the subnet that the rule matches.

For example, enter 10.10.10.10/24 to match a 24-bit subnet, that is, all addresses starting with 10.10.10. This appears as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

Similarly, 10.10.10.10/32 appears as 10.10.10.10/32 and matches only the address 10.10.10.10.

To match any address, enter 0.0.0.0/0.

Default: 0.0.0.0 0.0.0.0

encryption-profile <profile_str>

Enter an encryption profile to apply identity-based encryption, if a corresponding sender identity exists in the certificate bindings.

For more information on encryption profiles, see the FortiMail Administration Guide.

ip-pool-profile <profile_str>

Enter the name of the IP pool profile. The FortiMail unit takes the source IP address of the SMTP sessions matched by this rule from that pool, for example when delivering incoming email to a protected server.

recipient-pattern <pattern_str>

Enter a complete or partial envelope recipient (RCPT TO:) email address to match.

Wildcard characters let you enter partial patterns that match multiple recipient email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

For example, the recipient pattern *@example.??? matches messages sent to any email user at example.com, example.net, example.org, or any other "example" domain ending with a three-letter top-level domain name.

recipient-pattern-type

Enter the type of the recipient pattern.

sender-pattern <pattern_str>

Enter a complete or partial envelope sender (MAIL FROM:) email address to match.

Wildcard characters let you enter partial patterns that match multiple sender email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

For example, the sender pattern ??@*.com matches messages sent by any email user with a two-letter user name from any ".com" domain.

sender-pattern-type

Enter the type of the sender pattern.

status {enable | disable}

Enter enable to activate this rule.

Default: disable

tls-profile <profile_str>

Enter a TLS profile to allow or reject the connection based on whether the attributes of the SMTP session match the settings in the TLS profile.

If the attributes match, the email message is delivered over that session.

If the attributes do not match, the FortiMail unit performs the failure action configured in the TLS profile.

For more information on TLS profiles, see the FortiMail Administration Guide.
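Because only the first matching delivery rule is applied, rule order and the reach of each destination, recipient-pattern and sender-pattern decide which TLS or encryption profile a session gets, and a broad rule placed too high silently shadows everything below it. The following Python model is an added example, not FortiMail code: it parses a constructed rule list written in the syntax documented above, applies the matching semantics this reference gives (netmask matching for destination, the one-or-more-character * and single-character ? wildcards, top-to-bottom first match) and flags enabled rules that an earlier enabled catch-all makes unreachable. It assumes that an unset pattern places no constraint on the address, that patterns are matched against the whole envelope address, and that `next` closes each entry as in other Fortinet CLIs; the profile names, IP addresses and email addresses are constructed for the example.

```python
"""Offline model of FortiMail delivery-rule matching (added example, not FortiMail code)."""
import ipaddress
import re

# Constructed rule list in the syntax documented on this page; names are invented.
SAMPLE_CONFIG = """
config policy access-control delivery
    edit 1
        set status enable
        set destination 203.0.113.0/24
        set recipient-pattern *@partner.example
        set tls-profile require_tls_verified
    next
    edit 2
        set status enable
        set recipient-pattern *@example.???
        set encryption-profile smime_partners
    next
    edit 3
        set status disable
        set tls-profile opportunistic_tls
    next
end
"""


def pattern_to_regex(pattern):
    # Reference semantics: '*' is one or more characters, '?' is exactly one.
    parts = [".+" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def pattern_matches(pattern, address):
    if pattern is None:  # assumption: an unset pattern imposes no constraint
        return True
    return pattern_to_regex(pattern).match(address) is not None


def destination_matches(destination, ip):
    # strict=False turns 10.10.10.10/24 into 10.10.10.0/24, as the rule table displays it.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(destination, strict=False)


def parse_delivery_rules(cli_text):
    """Parse 'config policy access-control delivery' text into rule dicts, in list order."""
    rules, current = [], None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            # Defaults from the reference: status disable, destination 0.0.0.0/0 (any address).
            current = {"id": int(line.split()[1]), "status": "disable",
                       "destination": "0.0.0.0/0", "recipient-pattern": None,
                       "sender-pattern": None, "tls-profile": None,
                       "encryption-profile": None}
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            current[parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
        elif line in ("next", "end") and current is not None:
            rules.append(current)
            current = None
    return rules


def select_rule(rules, dest_ip, rcpt_to, mail_from):
    """Return the first enabled rule matching the session, or None (delivered with no rule)."""
    for rule in rules:  # list order is evaluation order
        if rule["status"] != "enable":
            continue
        if (destination_matches(rule["destination"], dest_ip)
                and pattern_matches(rule["recipient-pattern"], rcpt_to)
                and pattern_matches(rule["sender-pattern"], mail_from)):
            return rule  # first match wins; no later rule is consulted
    return None


def shadowed_rule_ids(rules):
    """IDs of enabled rules that can never match because an enabled catch-all precedes them."""
    shadowed, catch_all_seen = [], False
    for rule in rules:
        if rule["status"] != "enable":
            continue
        if catch_all_seen:
            shadowed.append(rule["id"])
        elif (ipaddress.ip_network(rule["destination"], strict=False).prefixlen == 0
              and rule["recipient-pattern"] in (None, "*")
              and rule["sender-pattern"] in (None, "*")):
            catch_all_seen = True
    return shadowed


RULES = parse_delivery_rules(SAMPLE_CONFIG)

if __name__ == "__main__":
    sessions = [  # (receiving server IP, RCPT TO, MAIL FROM); constructed
        ("203.0.113.25", "bob@partner.example", "alice@corp.example"),
        ("198.51.100.7", "bob@partner.example", "alice@corp.example"),
        ("198.51.100.7", "carol@example.org", "alice@corp.example"),
        ("198.51.100.7", "carol@example.co.uk", "alice@corp.example"),
    ]
    for ip, rcpt, sender in sessions:
        rule = select_rule(RULES, ip, rcpt, sender)
        print(f"{rcpt:<22} -> {ip:<14} rule {rule['id'] if rule else 'none'}")
    print("shadowed rules:", shadowed_rule_ids(RULES))
```

Note that the second session above (same recipient domain, different server address) matches no rule at all, so it would go out with no TLS requirement: a destination netmask narrower than the set of MX addresses for a partner domain is the usual way a "require TLS" rule quietly fails to apply.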

Related topics

ms365 profile antivirus

config policy delivery-control

policy recipient
