Configuring session profiles

Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.

To configure session profiles

Go to Profile > Session > Session.
Click New to add a profile or double-click a profile to modify it.
For a new session profile, type the name in Profile name. The profile name is editable later.
Configure the following sections as needed:

Configuring connection settings
Configuring sender reputation options
Configuring endpoint reputation options
Configuring sender validation options
Configuring session settings
Configuring unauthenticated session settings
Configuring SMTP limit options
Configuring error handling options
Configuring header manipulation options
Configuring list options
Configuring advanced MTA control settings

Configuring connection settings

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Expand the Connection Setting section if needed. The options vary with the operation mode.
Configure the following options to restrict the number and duration of connections to the FortiMail unit. When any of these limits are exceeded, the FortiMail unit blocks further connections.

GUI item	Description
Hide this box from the mail server (transparent mode only)	Enable to preserve the IP address or domain name of the SMTP client in: the SMTP greeting (`HELO`/`EHLO`) and in the `Received:` message headers of email messages the client IP in email header This masks the existence of the FortiMail unit to the protected SMTP server. Disable to replace the SMTP client’s IP addresses or domain names with that of the FortiMail unit. Note: Unless you enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain supersedes this option, and may prevent it from applying to incoming email messages. Note: For full transparency, also enable Hide the transparent box.
Restrict the number of connections per client per 30 minutes to	Specify the maximum connections per client IP address in a period of 30 minutes. 0 means no limit.
Restrict the number of messages per client per 30 minutes to	Specify the maximum email messages (number of MAIL FROM) a client can send in a period of 30 minutes. 0 means no limit.
Restrict the number of recipients per client per 30 minutes to	Specify the maximum recipients (number of RCPT TO) a client can send email to for a period of 30 minutes. 0 means no limit.
Maximum concurrent connections for each client	Enter the maximum number of concurrent connections per client. 0 means no limit.
Connection idle timeout (seconds)	Enter a limit to the number of seconds a client may be idle before the FortiMail unit drops the connection. Set the value between 5-1200.
Do not let client connect to blocklisted SMTP servers (transparent mode only)	Enable to prevent clients from connecting to SMTP servers that have been blocklisted in antispam profiles or, the FortiGuard AntiSpam service if enabled. Note: This option applies only if you have enabled “Use client-specified SMTP server to send email” on page 259, and only for outgoing connections.

Configuring sender reputation options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

You can also view the sender reputation statuses by going to Monitor > Sender Reputation. See Viewing sender reputation statuses.

To configure sender reputation options

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click to expand Sender Reputation.

Sender reputation is a predominantly automatic antispam feature, requiring little or no maintenance. For each connecting SMTP client (sometimes called a sender), the sender reputation feature records the sender IP address and the number of good email and bad email from the sender.

In this case, bad email is defined as:

Spam
Virus-infected
Unknown recipients
Invalid DKIM
Failed SPF check

Sender reputation scores can be affected by sender validation results.

Enabling sender reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.

Configure the following:

GUI item		Description
Enable sender reputation		Enable to accept or reject email based upon sender reputation scores. The following options have no effect unless this option is enabled. This option may not function well for SMTP clients with dynamic IP addresses. Instead, consider “Enable Endpoint Reputation” on page 316.
	Throttle client at	Enter a sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client. Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly. The enforced rate limit is either Restrict number of emails per hour to n or Restrict email to n percent of the previous hour, whichever value is greater. After the sender reaches the limit, no more incoming email will be accepted.
	Restrict number of emails per hour to	Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.
	Restrict email to ... percent of the previous hour	Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour.
	Temporarily fail client at	Enter a sender reputation score over which the FortiMail unit will return a temporary failure error when the SMTP client attempts to initiate a connection. Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increase or decrease the sender reputation scores accordingly.
	Reject client at	Enter a sender reputation score over which the FortiMail unit will reject the email and reply to the SMTP client with SMTP reply code 550 when the SMTP client attempts to initiate a connection. Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increase or decrease the sender reputation scores accordingly.
FortiGuard IP reputation check		If you want the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted, enable this option. If the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted. Use AntiSpam profile settings: In an antispam profile, you can also enable or disable FortiGuard IP reputation checking. This action happens after the entire message has been received by FortiMail. For details, see Configuring FortiGuard options. Use AntiSpam profile settings (no authentication): Use antispam profile settings but disable SMTP authentication when the client IP reputation score triggers the threshold. When client connects: Enable to query the FortiGuard Antispam Service to determine if the IP address of the SMTP server is blocklisted. And this action will happen during the connection phase. Therefore, if this feature is enabled in a session profile and the action is reject, the performance will be improved. FortiGuard categorizes the blocklisted IP addresses into three levels -- level 3 has bad reputation; level 2 has worse reputation; and level 1 has the worst reputation. To help prevent false positives, you can choose which level to block with the following CLI commands: `config system fortiguard antispam` `set threshold-ip-connect <integer>` `end` <integer> is the level number: 1, 2, or 3. The default setting is 3, which means all levels will be blocked. If you want to block level 1 and level 2 but not level 3, then you set it to 2. Disable: Skip FortiGuard IP reputation check, even this is enabled in an antispam profile.

Configuring endpoint reputation options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand Endpoint Reputation.

The Endpoint Reputation settings let you restrict, based upon its endpoint reputation score, the ability of an MSISDN or subscriber ID to send email or MM3 multimedia messaging service (MMS) messages from a mobile device. The MSISDN reputation score is similar to a sender reputation score.

For more on endpoint reputation-based behavior, see About endpoint reputation.

Enabling endpoint reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.

Configure the following:

GUI item	Description
Enable Endpoint Reputation	Enable to accept, monitor, or reject email based upon endpoint reputation scores. This option is designed for use with SMTP clients with dynamic IP addresses. It requires that your RADIUS server provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail unit. If this profile governs sessions of SMTP clients with static IP addresses, instead see Configuring sender reputation options.
Action	Select either: Reject: Reject email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed Auto blocklist score trigger value. Monitor: Log, but do not reject, email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed Auto blocklist score trigger value. Entries appear in the history log.
Auto blocklist score trigger value	Enter the MSISDN reputation score over which the FortiMail unit will add the MSISDN/subscriber ID to the automatic blocklist. The trigger score is relative to the period of time configured as the automatic blocklist window. For more information on the automatic blocklist window, see Configuring the endpoint reputation score window.
Auto blocklist duration	Enter the number of minutes that an MSISDN/subscriber ID will be prevented from sending email or MMS messages after they have been automatically blocklisted.

Configuring sender validation options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand Sender Validation. Configure the settings to confirm sender and message.

DomainKeys validation is a predecessor of DKIM and works in the same way. Because some domains still use DomainKeys validation, it is provided for backward compatibility.

Failure to validate does not guarantee that an email is spam, just as successful validation does not guarantee that an email is not spam, but it may help to indicate spam. Validation results are used to adjust the sender reputation scores, MSISDN reputation scores, and deep header scans.

Enabling sender validation can improve performance by rejecting invalid senders before more resource-intensive antispam scans are performed.

Configure the following:

GUI item	Description
SPF check	If the sender domain DNS record lists SPF authorized IP addresses, use SPF check to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408). An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score. If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation. Note: No SPF check is performed for direct connections from RFC 1918 private IP addresses. Note: If you select to Bypass SPF checking in the session profile, SPF checking will be bypassed even though you enable it in the antispam profile. Note: Before FortiMail 4.3.1 release, only SPF hardfailed (-all) email is treated as spam. Starting from 4.3.2 to 6.0.2 release, you can use a CLI command (`set spf-checking {strict \| aggressive}` under `config antispam settings`) to control if the SPF softfailed (~all) email should also be treated as spam. For details, see the FortiMail CLI Guide. Starting from 6.0.3, this command is removed.
Enable DKIM check	If a DKIM signature is present (RFC 4871), enable this to query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature. An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score. If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation.
Enable DKIM signing for outgoing messages	Enable to sign outgoing email with a DKIM signature. This option requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers cannot validate your DKIM signature. For details on generating domain key pairs and publishing the public key, see DKIM and ARC Setting. Before 6.2.0 release, Envelope From domain is used for DKIM signatures. After 6.2.0 release, Header From domain is used instead. If there is no DKIM key for the Header From domain, then the key for the Envelope From domain will be used. Note: Outbound quarantined email messages will not be DKIM signed when they are released.
Enable DKIM signing for authenticated senders only	Enable to sign outgoing email with a DKIM signature only if the sender is authenticated.
Enable domain key check	If a DomainKey signature is present, use this option to query the DNS server for the sender’s domain name to retrieve its public key to decrypt and verify the DomainKey signature. An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score. If the sender domain DNS record does not include DomainKey information or the message is not signed, the FortiMail unit omits the DomainKey signature validation.
Bypass bounce verification check	If bounce verification is enabled, enable to omit verification of bounce address tags on incoming bounce messages. This bypass does not omit bounce address tagging of outgoing messages. For more information, see Configuring bounce verification and tagging.
Sender address verification with LDAP	Enable to verify sender email addresses on an LDAP server. Also select an LDAP profile from the dropdown list. Or click New to create a new one. For details about LDAP profiles, see Configuring LDAP profiles.

Configuring session settings

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand Session Setting.
Configure the following:

GUI item	Description
Session action	Select an action profile or click New to create a new one. The session action profile uses the content action profile. For more information about actions, see Configuring content action profiles.
Message selection	The action can be applied to All messages or Accepted messages only. For example, for header manipulation, tagging, some other actions, you can choose to apply them to the accepted message only.
Reject EHLO/HELO commands with invalid characters in the domain	Enable to return SMTP reply code 501, and to reject the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters. To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a valid domain name. The following example shows invalid command in bold italics: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT EHLO ^^&^&^#$ 501 5.0.0 Invalid domain name Valid characters for domain names include: alphanumerics (A to Z and 0 to 9) brackets ( `[` and `]` ) periods ( `.` ) dashes ( `-` ) underscores ( `_` ) number symbols( `#` ) colons ( `:` )
Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address (transparent mode only)	Enable to rewrite the domain name in the SMTP greeting (`HELO`/`EHLO`) to the IP address of the client to prevent domain name spoofing.
Rewrite EHLO/HELO domain to (transparent mode only)	Enable to rewrite the domain name in the SMTP greeting (`HELO`/`EHLO`) to the specified value.
Prevent encryption of the session (transparent mode only)	Enable to block `STARTTLS`/MD5 commands so that email connections cannot be TLS-encrypted. Caution: Disable this option only if you trust that SMTP clients connecting using TLS through the FortiMail unit will not be sources of viruses or spam. FortiMail units operating in transparent mode cannot scan encrypted connections traveling through them. Disabling this option could thereby permit viruses and spam to travel through the FortiMail unit.
Allow pipelining for the session	Enable to allow SMTP command pipelining. This lets multiple SMTP commands to be accepted and processed simultaneously, improving performance for high-latency connections. Disable to allow the SMTP client to send only a single command at a time during an SMTP session.
Enforce strict RFC compliance (transparent mode only)	Enable to limit pipelining support to strict compliance with RFC 2920, SMTP Service Extension for Command Pipelining. This option is effective only if Allow pipelining for the session is enabled.
Perform strict syntax checking	Enable to return SMTP reply code 503, and to reject a SMTP command, if the client or server uses SMTP commands that are syntactically incorrect. `EHLO` or `HELO`, `MAIL FROM:`, `RCPT TO:` (can be multiple), and `DATA` commands must be in that order. `AUTH`, `STARTTLS`, `RSET`, or `NOOP` commands can arrive at any time. Other commands, or commands in an unacceptable order, return a syntax error. The following example shows invalid command in bold italics: `220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT` `EHLO example.com` `250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you` `RCPT TO:<user1@example.com>` `503 5.0.0 Need MAIL before RCPT`
Switch to SPLICE mode after (transparent mode only)	Enable to use splice mode. Enter threshold value based on time (seconds) or data size (kilobytes). Splice mode lets the FortiMail unit simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of server timeout. If it detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name.
ACK EOM before AntiSpam check	Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete. If the FortiMail unit does not complete antispam scanning within 4 minutes, it returns SMTP reply code `451(Try again later)`, resulting in no permanent problems, since according to RFC 2821, the minimum timeout value should be 10 minutes. However, in rare cases where the server or client’s timeout is shorter than 4 minutes, the sending client or server could time-out while waiting for the FortiMail unit to acknowledge the EOM command. Enabling this option prevents those rare cases.

Configuring unauthenticated session settings

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand Unauthenticated Session Setting.
Configure the following:

GUI item	Description
Check HELO/EHLO domain	Enable to return SMTP reply code 501, and reject the SMTP command, if the domain name accompanying the SMTP greeting is not a domain name that exists in either MX or A records.In the following example, the invalid command is highlighted in bold: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT EHLO example.com The following example shows the invalid command in bold italics: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500 ehlo abc.qq 250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 10485760 250-DSN 250-AUTH LOGIN PLAIN 250-STARTTLS 250-DELIVERBY 250 HELP mail from:aaa@333 550 5.5.0 Invalid EHLO/HELO domain. quit 221 2.0.0 FortiMail-400.localdomain closing connection Connection closed by foreign host.
Check sender domain	Enable to return SMTP reply code 421, and reject the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records. The following example shows the invalid command in bold italics: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT EHLO 250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you MAIL FROM:<user1@example.com> 421 4.3.0 Could not resolve sender domain.
Check recipient domain	Enable to return SMTP reply code 550, and reject the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records. The following example shows the invalid command in bold italics: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT EHLO example.com 250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you MAIL FROM:<user1@fortinet.com> 250 2.1.0 <user1@fortinet.com>... Sender ok RCPT TO:<user2@example.com> 550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]
Reject empty domains	Enable to return SMTP reply code 553, and reject the SMTP command, if the HELO/EHLO greeting does not have a domain, or the sender address (`MAIL FROM`:) is empty. The following example shows the invalid command in bold italics: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500 ehlo 250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 10485760 250-DSN 250-AUTH LOGIN PLAIN 250-STARTTLS 250-DELIVERBY 250 HELP mail from:aaa@333 550 5.5.0 Empty EHLO/HELO domain. quit 221 2.0.0 FortiMail-400.localdomain closing connection
Prevent open relaying (transparent mode only)	Enable to prevent clients from using open relays to send email by blocking sessions that are unauthenticated (Unauthenticated sessions are assumed to be occurring to an open relay). If you permit SMTP clients to use open relays to send email, email from your domain could be blocklisted by other SMTP servers. This option is effective only if you have enabled Use client-specified SMTP server to send email for outgoing mail. Otherwise, the FortiMail unit forces clients to use the gateway you have defined as a relay server (see “Configuring SMTP relay hosts), if any, or the MTA of the domain name in the recipient email address (`RCPT TO:`), as determined using an MX lookup, so it is not possible for them to use an open relay.
Reject if recipient and helo domain match but sender domain is different	Enable to reject the email if the domain name in the SMTP greeting (`HELO`/`EHLO`) and recipient email address (`RCPT TO:`) match, but the domain name in the sender email address (`MAIL FROM:`) does not. Mismatching domain names is sometimes used by spammers to mask the true identity of their SMTP client.

Configuring SMTP limit options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand SMTP Limits.

Setting any of these values to 0 disables the limit.

Configure the following:

GUI item	Description
Restrict number of EHLO/HELOs per session to	Enter the limit of SMTP greetings that a connecting SMTP server or client can perform before the FortiMail unit terminates the connection. Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities (more attempts results in a greater number of terminated connections, which must then be re-initiated).
Restrict number of emails per session to	Enter the limit of email messages per session to prevent mass mailing.
Restrict number of recipients per email to	Enter the limit of recipients to prevent mass mailing.
Cap message size (KB) at	Enter the limit of the message size. Messages over the threshold size are rejected. Note: When you configure domain settings under Domain & User > Domain, you can also set the message size limit. Here is how the two settings work together: For outgoing email (for information about email directions, see Inbound versus outbound email), only the size limit in the session profile will be matched. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be used. For incoming email, the size limits in both the session profile and domain settings will be checked. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be compared with the size limit in the domain settings. FortiMail will use the smaller size.
Cap header size (KB) at	Enter the limit of the message header size. Messages with headers over the threshold size are rejected.
Maximum number of NOOPs allowed for each connection	Enter the limit of `NOOP` commands permitted per SMTP connection. Some spammers use `NOOP` commands to keep a long connection alive. Legitimate connections usually require few `NOOP`s.
Maximum number of RSETs allowed for each connection	Enter the limit of `RSET` commands permitted per SMTP connection. Some spammers use `RSET` commands to try again after receiving error messages such as unknown recipient. Legitimate connections should require few `RSET`s.

Configuring error handling options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand Error Handling.

Configure Error Handling to specify how the FortiMail unit should handle connections from SMTP clients that are error-prone. Errors sometime indicate attempts to misuse the server. You can impose delays or drop connections if there are errors. Setting any of these values to 0 disables the limit.

Configuring error handling can improve performance by dropping connections with error-prone SMTP clients.

Configure the following:

GUI item	Description
Number of 'free' errors allowed for each client	Enter the number of errors permitted before the FortiMail unit imposes a delay.
Delay for the first non-free error (seconds)	Enter the delay time for the first error after the number of free errors is reached.
Delay increment for subsequent errors (seconds)	Enter the number of seconds by which to increase the delay for each error after the first delay is imposed.
Maximum number of errors allowed for each connection	Enter the total number of errors the FortiMail unit accepts before dropping the connection. By default, five errors are permitted before the FortiMail unit drops the connection.

Configuring header manipulation options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand Header Manipulation.

Email processing software and hardware can add extra lines to the message header of each email message. When multiple lines are added, this can significantly increase the size of the email message. You can configure header manipulation settings to reduce the number of message headers.

Configure the following:

GUI item	Description
Remove received header	Enable to remove all `Received:` message headers from email messages. You can alternatively remove this header on a per-domain basis. For details, see Remove received header of outgoing email.
Remove headers	Enable to remove other configured headers from email messages, then click Edit to configure which headers should be removed.
Remove headers inserted by this unit	Enable to remove the headers that are inserted by this FortiMail unit. The above two options are to remove headers inserted by previous MTAs.

GUI item

Description

Remove received header

Enable to remove all Received: message headers from email messages.

You can alternatively remove this header on a per-domain basis. For details, see Remove received header of outgoing email.

Remove headers

Enable to remove other configured headers from email messages, then click Edit to configure which headers should be removed.

Remove headers inserted by this unit

Enable to remove the headers that are inserted by this FortiMail unit. The above two options are to remove headers inserted by previous MTAs.

Configuring list options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand Lists.

Configure the sender and recipient block lists and safe lists, if any, to sue with the session profile. Block and safe lists are separate for each session profile, and apply only to traffic controlled by the IP-based policy to which the session profile is applied.

Email addresses in each block list or safe list are arranged in alphabetical order. For more information on how blocklisted email addresses are handled, see Order of execution of block lists and safe lists.

If you require regular expression support for safelisting and blocklisting sender and recipient email addresses in the envelope, do not configure safe and block lists in the session profile. Instead, configure access control rules and message delivery rules. For more information, see Managing the address book (server mode only).

Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans, including SPF validation.

Configure the following:

GUI item	Description
Enable sender safe list checking	Enable to check the sender addresses in the email envelope (`MAIL FROM:`), email header (`From:`) and (`Reply-to:`) against the safe list in the SMTP sessions to which this profile is applied, then click Edit to define the safelisted email addresses.
Enable sender block list checking	Enable to check the sender addresses in the email envelope (`MAIL FROM:`), email header (`From:`) and (`Reply-to:`) against the block list in the SMTP sessions to which this profile is applied, then click Edit to define the blocklisted email addresses.
Allow recipients on this list	Enable to check the recipient addresses in the email envelope (`RCPT TO:`) against the safe list in the SMTP sessions to which this profile is applied, then click Edit to define safelisted email addresses.
Disallow recipients on this list	Enable to check the recipient addresses in the email envelope (`RCPT TO:`) against the block list in the SMTP sessions to which this profile is applied, then click Edit to define blocklisted email addresses.

Configuring advanced MTA control settings

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see Configuring session profiles.

In addition to global MTA settings, you can configure the following MTA settings in a session profile. These session-specific MTA settings will overwrite the global settings configured elsewhere.

This feature is licensed based and is hidden by default. To use this feature, you must select Enable MTA advanced control under System > FortiGuard > Licensed Feature > Advanced Management.

You may also enable the feature by entering the following CLI command:

config system global

set mta-adv-ctrl-status enable

end

After this feature is enabled, the following options will appear in the session profile settings. In addition, four new tabs (Address Rewrite, Mail Routing, Access Control, and DSN) will also appear under Profile > Session.

Go to Profile > Session > Session.
Click New to create a new session profile or double click on an existing profile to edit it.
Click the arrow to expand Advanced Control.
Configure the following:

GUI item	Description
Email queue	Select which email queue to use for the matching sessions. For other general queue settings, see Configuring mail queue settings.
Rewrite sender address	Select an Address Rewrite profile to rewrite the sender address and specify which sender address to rewrite: Envelope From, Header From, or Header Reply-to. Select Use Envelope From value for selected headers if you want to use the Envelope From value to rewrite the Header From and/or Header Reply-to. Click New to create a new profile. For details about configuring Address Rewrite profiles, see Configuring address rewrite profiles in the session profile.
Rewrite recipient address	Select an Address Rewrite profile to rewrite the recipient address and specify which recipient address to rewrite: Envelope recipient or Header To and CC. Note that if you set to deliver or quarantine the unmodified copy of email when you configure the action profile preferences, the envelope recipient/RCPT TO will still be rewritten. Click New to create a new profile. For details about configuring Address Rewrite profiles, see Configuring address rewrite profiles in the session profile.
Mail routing	Select a mail routing profile or click New to create one. For details about creating mail routing profiles, see Configuring mail routing profiles in a session profile.
Access control	Select an access control profile or click New to create one. For details, see Configuring access control profiles in a session profile.
DSN	Select a DNS profile or click New to create one. For details, see Configuring DSN profiles in a session profile.
Remote logging	Select a remote logging profile or click New to create one. Note that the remote logging profiles used here are the same as the system-wide remote logging profiles. For details, see Logging to a Syslog server or FortiAnalyzer unit.

Configuring address rewrite profiles in the session profile

If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Address Rewrite tab will appear.

To configure an address rewrite profile to be used in a session profile

Go to Profile > Session > Address Rewrite.
Click New.
Enter a profile name.
Click New to enter the address rewrite rules.

For Rewrite type, select Local if you are configuring direct rewrite from the original address to another specific address. Then specify the original address and the address you want to rewrite to. If you want to keep the local part or the domain part of the original address, click Insert Variable to insert the variable for the local part or the domain part.
Select LDAP if you want to rewrite the original address to the user’s external email address and display name that are stored on an LDAP server when the email “Envelope From”, “Header From”, or “Reply-to” matches a sender rewrite pattern. Then specify the original address and the LDAP profile. For information about LDAP server configuration, see Configuring address mapping options.

Click Create.

Configuring mail routing profiles in a session profile

If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Mail Routing tab will appear.

To configure a mail routing profile to be used in a session profile

Go to Profile > Session > Mail Routing.
Click New.
Enter a profile name.
Click New to configure the mail routing settings.
In the popup window, specify the sender pattern, recipient pattern, and the relay type:

Host: Relay the matched sessions to the specified SMTP server.
MX Record (alternative domain): Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them. Also specify the alternate domain name.
MX Record (this domain): Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
Relay Host: Relay to a pre-defined relay host.

Specify the SMTP port number. The default port is 25.

Click Create.

Configuring access control profiles in a session profile

If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the Access Control tab will appear.

To configure an access control profile to be used in a session profile

Go to Profile > Session > Access Control.
Click New.
Enter a profile name.
Click New to configure the access control rule.
In the popup window, configure the rule settings. These setting are identical to the system-wide access control rule settings. For details, see Configuring access control rules.
Click Create.

Configuring DSN profiles in a session profile

If you enable the advanced MTA control feature in session profiles (see Configuring advanced MTA control settings), the DSN tab will appear. Configure this setting to overwrite the global setting configured in Configuring mail queue settings.

To configure a DSN profile to be used in a session profile

Go to Profile > Session > DSN.
Click New.
Enter a profile name.
Specify if you want to send DSN email and the maximum number of retries.
Click Create.