Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiMail 7.2.4 CLI Reference
    7.2.4
    7.6.1
    7.6.0
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.0
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    policy access-control delivery

    policy access-control delivery

    Use this command to configure delivery rules that apply to SMTP sessions being initiated by the FortiMail unit in order to deliver email.

    Delivery rules enable you to require TLS for the SMTP sessions the FortiMail unit initiates when sending email to other email servers. They also enable you to apply identity-based encryption (IBE) in the form of secure MIME (S/MIME).

    When initiating an SMTP session, the FortiMail unit compares each delivery rule to the domain name portion of the envelope recipient address (RCPT TO:), and to the IP address of the SMTP server receiving the connection. Rules are evaluated for a match in the order of their list sequence, from top to bottom. If a matching delivery rule does not exist, the email message is delivered. If a match is found, the FortiMail unit compares the TLS profile settings to the connection attributes and the email message is sent or the connection is not allowed, depending on the result; if an encryption profile is selected, its settings are applied. No subsequent delivery rules are applied. Only one delivery rule is ever applied to any given SMTP session.

    Syntax

    config policy access-control delivery

    edit <rule_id>

    set comment <string>

    set destination <ip&netmask_str>

    set encryption-profile <profile_str>

    set ip-pool-profile

    set recipient-pattern <pattern_str>

    set sender-pattern <pattern_str>

    set status {enable | disable}

    set tls-profile <profile_str>

    end

    Variable

    Description

    Default

    <rule_id>

    Enter the number identifying the rule.

    comment <string>

    Enter any comments for email delivery rules.

    destination <ip&netmask_str>

    Enter the IP address and netmask of the system to which the FortiMail unit is sending the email message. Use the netmask, the portion after the slash (/) to specify the matching subnet.

    For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

    Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

    To match any address, enter 0.0.0.0/0.

    0.0.0.0 0.0.0.0

    encryption-profile <profile_str>

    Enter an encryption profile to apply identity-based encryption, if a corresponding sender identity exists in the certificate bindings.

    For more information on encryption profiles, see the FortiMail Administration Guide.

    ip-pool-profile

    Enter the name of the IP pool profile.

    The IP pool profile will deliver incoming emails from FortiMail to the protected server.

    recipient-pattern <pattern_str>

    Enter a complete or partial envelope recipient (RCPT TO:) email address to match.

    Wild card characters allow you to enter partial patterns that can match multiple recipient email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

    For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name.

    recipient-pattern-type

    Enter the type of recipient pattern.

    sender-pattern <pattern_str>

    Enter a complete or partial envelope sender (MAIL FROM:) email address to match.

    Wild card characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

    For example, the sender pattern ??@*.com will match messages sent by any email user with a two letter email user name from any “.com" domain name.

    sender-pattern-type

    Enter the type of the sender-pattern.

    status {enable | disable}

    Enter enable to activate this rule.

    disable

    tls-profile <profile_str>

    Enter a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

    If the attributes match, the access control action is executed.

    If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    For more information on TLS profiles, see the FortiMail Administration Guide.

    Related topics

    ms365 profile antivirus

    config policy delivery-control

    policy recipient

    Previous
    Next

    policy access-control delivery

    policy access-control delivery

    Use this command to configure delivery rules that apply to SMTP sessions being initiated by the FortiMail unit in order to deliver email.

    Delivery rules enable you to require TLS for the SMTP sessions the FortiMail unit initiates when sending email to other email servers. They also enable you to apply identity-based encryption (IBE) in the form of secure MIME (S/MIME).

    When initiating an SMTP session, the FortiMail unit compares each delivery rule to the domain name portion of the envelope recipient address (RCPT TO:), and to the IP address of the SMTP server receiving the connection. Rules are evaluated for a match in the order of their list sequence, from top to bottom. If a matching delivery rule does not exist, the email message is delivered. If a match is found, the FortiMail unit compares the TLS profile settings to the connection attributes and the email message is sent or the connection is not allowed, depending on the result; if an encryption profile is selected, its settings are applied. No subsequent delivery rules are applied. Only one delivery rule is ever applied to any given SMTP session.

    Syntax

    config policy access-control delivery

    edit <rule_id>

    set comment <string>

    set destination <ip&netmask_str>

    set encryption-profile <profile_str>

    set ip-pool-profile

    set recipient-pattern <pattern_str>

    set sender-pattern <pattern_str>

    set status {enable | disable}

    set tls-profile <profile_str>

    end

    Variable

    Description

    Default

    <rule_id>

    Enter the number identifying the rule.

    comment <string>

    Enter any comments for email delivery rules.

    destination <ip&netmask_str>

    Enter the IP address and netmask of the system to which the FortiMail unit is sending the email message. Use the netmask, the portion after the slash (/) to specify the matching subnet.

    For example, enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. This will appear as 10.10.10.0/24 in the access control rule table, with the 0 indicating that any value is matched in that position of the address.

    Similarly, 10.10.10.10/32 will appear as 10.10.10.10/32 and match only the 10.10.10.10 address.

    To match any address, enter 0.0.0.0/0.

    0.0.0.0 0.0.0.0

    encryption-profile <profile_str>

    Enter an encryption profile to apply identity-based encryption, if a corresponding sender identity exists in the certificate bindings.

    For more information on encryption profiles, see the FortiMail Administration Guide.

    ip-pool-profile

    Enter the name of the IP pool profile.

    The IP pool profile will deliver incoming emails from FortiMail to the protected server.

    recipient-pattern <pattern_str>

    Enter a complete or partial envelope recipient (RCPT TO:) email address to match.

    Wild card characters allow you to enter partial patterns that can match multiple recipient email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

    For example, the recipient pattern *@example.??? will match messages sent to any email user at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name.

    recipient-pattern-type

    Enter the type of recipient pattern.

    sender-pattern <pattern_str>

    Enter a complete or partial envelope sender (MAIL FROM:) email address to match.

    Wild card characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters and the question mark (?) represents any single character.

    For example, the sender pattern ??@*.com will match messages sent by any email user with a two letter email user name from any “.com" domain name.

    sender-pattern-type

    Enter the type of the sender-pattern.

    status {enable | disable}

    Enter enable to activate this rule.

    disable

    tls-profile <profile_str>

    Enter a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

    If the attributes match, the access control action is executed.

    If the attributes do not match, the FortiMail unit performs the Failure action configured in the TLS profile.

    For more information on TLS profiles, see the FortiMail Administration Guide.

    Related topics

    ms365 profile antivirus

    config policy delivery-control

    policy recipient

    Previous
    Next