Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiMail 7.2.1 CLI Reference
    7.2.1
    7.6.1
    7.6.0
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.0
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    profile access-control

    profile access-control

    Use this command to configure access control rules.

    Note that all access control rules operate at the system level. Only system level profiles (for example, email groups) can be used by access control rules.

    Syntax

    config profile access-control

    edit <profile_name>

    config access-control

    edit <id>

    set action {discard | receive | reject | relay | safe | safe-relay}

    set authenticated {any | authenticated | not-authenticated}

    set recipient-pattern <string>

    set recipient-pattern-ldap-groupname <group_name>

    set recipient-pattern-ldap-profile <profile_name>

    set recipient-pattern-group <group_name>

    set recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

    set reverse-dns-pattern <string>

    set reverse-dns-pattern-regexp {yes | no}

    set sender-ip-mask <ipv4mask>

    set sender-ip-type {geoip-group | ip-group | ip-mask}

    set sender-pattern <string>

    set sender-pattern-group <group_name>

    set sender-pattern-ldap-groupname <group_name>

    set sender-pattern-ldap-profile <profile_name>

    set sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

    set status {enable | disable}

    set tls-profile <profile_name>

    end

    end

    Variable

    Description

    Default
    action {discard | receive | reject | relay | safe | safe-relay}

    Enter an action for the profile:

    • discard: Enter to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

    • receive: Enter to only accept incoming email to protected domains if it passes all configured scans.

    • reject: Enter to reject the email and reply to the SMTP client with SMTP reply code 550.

    • relay: Enter to relay or proxy, process, and deliver the email normally if it passes all configured scans.

      Note: Do not apply greylisting.

    • safe: Enter to relay or proxy and deliver the email only if the recipient belongs to a protected domain or the sender is authenticated.

      All antispam profile processing will be skipped, but antivirus, content and other scans will still occur.

    • safe-relay: Enter to relay or proxy and deliver the email.

      All antispam profile processing will be skipped, but antivirus, content, and other scans will still occur.

    		 reject

    authenticated {any | authenticated | not-authenticated}

    Enter whether or not to match this access control rule based on client authentication:

    • any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.

    • authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.

    • not-authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.

    any

    recipient-pattern <string>

    Enter a pattern that defines recipient email addresses which match this rule, surrounded in slashes and single quotes (such as \'*\' ).

    *

    recipient-pattern-ldap-groupname <group_name>

    Enter the LDAP group name to specify the recipient pattern.

    This option is only available when recipient-pattern-type is set to ldap.

    recipient-pattern-ldap-profile <profile_name>

    Enter the LDAP profile name to specify the recipient pattern.

    This option is only available when recipient-pattern-type is set to either ldap or ldap-query.

    recipient-pattern-group <group_name>

    Enter the group name to specify the recipient pattern.

    This option is only available when recipient-pattern-type is set to group.

    recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

    Enter the pattern type:

    default

    reverse-dns-pattern <string>

    Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message.

    Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail does a DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected with SMTP reply code 550 (Relaying denied).

    Wildcard characters allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters; a question mark (?) represents any single character.

    For example, the recipient pattern mail*.com will match messages delivered by an SMTP server whose domain name starts with “mail" and ends with “.com".

    Note: Reverse DNS queries for access control rules require that the domain name be a valid top level domain (TLD). For example, “.lab" is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.

    *

    reverse-dns-pattern-regexp {yes | no}

    Enter yes to use regular expression syntax instead of wildcards to specify the reverse DNS pattern.

    no

    sender-ip-mask <ipv4mask>

    Enter the sender's IP address.

    0.0.0.0/0

    sender-ip-type {geoip-group | ip-group | ip-mask}

    Select the method of the SMTP client attempting to deliver the email message.

    ip-mask

    sender-pattern <string>

    Enter a pattern that defines sender email addresses which match this rule, surrounded in slashes and single quotes (such as \'*@example.com\' ).

    sender-pattern-group <group_name>

    Enter the group name to specify the sender pattern.

    This option is only available when sender-pattern-type is set to group.

    sender-pattern-ldap-groupname <group_name>

    Enter the LDAP group name to specify the sender pattern.

    This option is only available when sender-pattern-type is set to ldap.

    sender-pattern-ldap-profile <profile_name>

    Enter the LDAP profile name to specify the sender pattern.

    This option is only available when sender-pattern-type is set to either ldap or ldap-query.

    sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

    Enter the pattern type:

    default

    status {enable | disable}

    Enable or disable the access control rule.

    enable
    tls-profile <profile_name>

    Enter a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

    If the attributes match, the access control action is executed.

    If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    For more information on TLS profiles, see the FortiMail Administration Guide.
    Previous
    Next

    profile access-control

    profile access-control

    Use this command to configure access control rules.

    Note that all access control rules operate at the system level. Only system level profiles (for example, email groups) can be used by access control rules.

    Syntax

    config profile access-control

    edit <profile_name>

    config access-control

    edit <id>

    set action {discard | receive | reject | relay | safe | safe-relay}

    set authenticated {any | authenticated | not-authenticated}

    set recipient-pattern <string>

    set recipient-pattern-ldap-groupname <group_name>

    set recipient-pattern-ldap-profile <profile_name>

    set recipient-pattern-group <group_name>

    set recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

    set reverse-dns-pattern <string>

    set reverse-dns-pattern-regexp {yes | no}

    set sender-ip-mask <ipv4mask>

    set sender-ip-type {geoip-group | ip-group | ip-mask}

    set sender-pattern <string>

    set sender-pattern-group <group_name>

    set sender-pattern-ldap-groupname <group_name>

    set sender-pattern-ldap-profile <profile_name>

    set sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

    set status {enable | disable}

    set tls-profile <profile_name>

    end

    end

    Variable

    Description

    Default
    action {discard | receive | reject | relay | safe | safe-relay}

    Enter an action for the profile:

    • discard: Enter to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

    • receive: Enter to only accept incoming email to protected domains if it passes all configured scans.

    • reject: Enter to reject the email and reply to the SMTP client with SMTP reply code 550.

    • relay: Enter to relay or proxy, process, and deliver the email normally if it passes all configured scans.

      Note: Do not apply greylisting.

    • safe: Enter to relay or proxy and deliver the email only if the recipient belongs to a protected domain or the sender is authenticated.

      All antispam profile processing will be skipped, but antivirus, content and other scans will still occur.

    • safe-relay: Enter to relay or proxy and deliver the email.

      All antispam profile processing will be skipped, but antivirus, content, and other scans will still occur.

    		 reject

    authenticated {any | authenticated | not-authenticated}

    Enter whether or not to match this access control rule based on client authentication:

    • any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.

    • authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.

    • not-authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.

    any

    recipient-pattern <string>

    Enter a pattern that defines recipient email addresses which match this rule, surrounded in slashes and single quotes (such as \'*\' ).

    *

    recipient-pattern-ldap-groupname <group_name>

    Enter the LDAP group name to specify the recipient pattern.

    This option is only available when recipient-pattern-type is set to ldap.

    recipient-pattern-ldap-profile <profile_name>

    Enter the LDAP profile name to specify the recipient pattern.

    This option is only available when recipient-pattern-type is set to either ldap or ldap-query.

    recipient-pattern-group <group_name>

    Enter the group name to specify the recipient pattern.

    This option is only available when recipient-pattern-type is set to group.

    recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

    Enter the pattern type:

    default

    reverse-dns-pattern <string>

    Enter a pattern to compare to the result of a reverse DNS look-up of the IP address of the SMTP client delivering the email message.

    Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail does a DNS lookup using the SMTP server’s IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected with SMTP reply code 550 (Relaying denied).

    Wildcard characters allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters; a question mark (?) represents any single character.

    For example, the recipient pattern mail*.com will match messages delivered by an SMTP server whose domain name starts with “mail" and ends with “.com".

    Note: Reverse DNS queries for access control rules require that the domain name be a valid top level domain (TLD). For example, “.lab" is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.

    *

    reverse-dns-pattern-regexp {yes | no}

    Enter yes to use regular expression syntax instead of wildcards to specify the reverse DNS pattern.

    no

    sender-ip-mask <ipv4mask>

    Enter the sender's IP address.

    0.0.0.0/0

    sender-ip-type {geoip-group | ip-group | ip-mask}

    Select the method of the SMTP client attempting to deliver the email message.

    ip-mask

    sender-pattern <string>

    Enter a pattern that defines sender email addresses which match this rule, surrounded in slashes and single quotes (such as \'*@example.com\' ).

    sender-pattern-group <group_name>

    Enter the group name to specify the sender pattern.

    This option is only available when sender-pattern-type is set to group.

    sender-pattern-ldap-groupname <group_name>

    Enter the LDAP group name to specify the sender pattern.

    This option is only available when sender-pattern-type is set to ldap.

    sender-pattern-ldap-profile <profile_name>

    Enter the LDAP profile name to specify the sender pattern.

    This option is only available when sender-pattern-type is set to either ldap or ldap-query.

    sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

    Enter the pattern type:

    default

    status {enable | disable}

    Enable or disable the access control rule.

    enable
    tls-profile <profile_name>

    Enter a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

    If the attributes match, the access control action is executed.

    If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    For more information on TLS profiles, see the FortiMail Administration Guide.
    Previous
    Next