profile session
Use this command to create session profiles.
While, like antispam profiles, session profiles protect against spam, session profiles focus on the connection and envelope portion of the SMTP session, rather than the message header, body, or attachments.
Similar to access control rules or delivery rules, session profiles control aspects of sessions in an SMTP connection.
Syntax
config profile session
edit <profile_name>
set access-control <profile_name>
set block_encrypted {enable | disable}
set bypass-bounce-verification {enable | disable}
set check-client-ip-quick {enable | disable}
set conn-blocklisted {enable | disable}
set conn-concurrent <connections_int>
set conn-hiden {enable | disable}
set conn-idle-timeout <timeout_int>
set conn-total <connections_int>
set dkim-signing {enable | disable}
set dkim-signing-authenticated-only {enable | disable}
set dkim-validation {enable | disable}
set domain-key-validation {enable | disable}
set email-queue {default | incoming | no-preference | outgoing}
set endpoint-reputation {enable | disable}
set endpoint-reputation-action {reject | monitor}
set endpoint-reputation-blocklist-duration <duration_int>
set endpoint-reputation-blocklist-trigger <trigger_int>
set eom-ack {enable | disable}
set error-drop-after <errors_int>
set error-penalty-increment <penalty-increment_int>
set error-penalty-initial <penalty-initial_int>
set error-penalty-threshold <threshold_int>
set fortiguard-ip-check-mode {as-profile | as-profile-no-auth | client-connect | disable}
set limit-max-header-size <limit_int>
set limit-max-message-size <limit_int>
set limit-recipient <limit_int>
set number-of-messages <limit_int>
set number-of-recipients <limit_int>
set recipient-blocklist-status {enable | disable}
set recipient-rewrite-map <profile_name>
set recipient-safelist-status {enable | disable}
set remove-current-headers {enable | disable}
set remove-headers {enable | disable}
set remove-received-headers {enable | disable}
set sender-blocklist-status {enable | disable}
set sender-reputation-reject-score <threshold_int>
set sender-reputation-status {enable | disable}
set sender-reputation-tempfail-score <threshold_int>
set sender-reputation-throttle-number <rate_int>
set sender-reputation-throttle-percentage <percentage_int>
set sender-reputation-throttle-score <threshold_int>
set sender-rewrite-map <profile_name>
set sender-safelist-status {enable | disable}
set sender-verification {enable | disable}
set sender-verification-profile <profile_name>
set session-3way-check {enable | disable}
set session-action <content-action_profile>
set session-action-msg-type {accepted | all}
set session-allow-pipelining {yes | no}
set session-command-checking {enable | disable}
set session-disallow-encrypted {enable | disable}
set session-helo-char-validation {enable | disable}
set session-helo-domain-check {enable | disable}
set session-helo-rewrite-clientip {enable | disable}
set session-helo-rewrite-custom {enable | disable}
set session-helo-rewrite-custom-string <helo_str>
set session-prevent-open-relay {enable | disable}
set session-recipient-domain-check {enable | disable}
set session-reject-empty-domain {enable | disable}
set session-sender-domain-check {enable | disable}
set spf-validation {enable | disable}
set splice-status {enable | disable}
set splice-threshold
set splice-unit {seconds | kilobytes}
config header-removal-list
edit <key_str>
config recipient-blocklist
config recipient-safelist
config sender-blocklist
edit <sender_address_str>
config sender-safelist
edit <sender_address_str>
next
end
Variable |
Description |
Default |
Enter the name of the session profile. |
|
|
Enter a header key to remove it from email messages. |
|
|
Enter a blocklisted recipient email address to which this profile is applied. |
|
|
Enter a safelisted recipient email address to which this profile is applied. |
|
|
Enter a blocklisted sender email address to which this profile is applied. |
|
|
Enter a safelisted sender email address to which this profile is applied. |
|
|
Note: This feature is only available as part of the MTA advanced control feature. See Enter an access control profile to be used in a session profile. |
|
|
Enable to block TLS/MD5 commands so that email must pass unencrypted, enabling the FortiMail unit to scan the email for viruses and spam. Disable to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail unit cannot scan encrypted email for viruses and spam. This option applies only if the FortiMail unit is operating in transparent mode. |
disable |
|
Select to, if bounce verification is enabled, omit verification of bounce address tags on incoming bounce messages. This bypass does not omit bounce address tagging of outgoing email. Alternatively, you can omit bounce verification according to the protected domain. For details, see config domain-setting. For information on enabling bounce address tagging and verification (BATV), see antispam bounce-verification. |
disable |
|
Enable to query the FortiGuard Antispam Service to determine if the IP address of the SMTP server is blocklisted. This action will happen during the connection phase. In an antispam profile, you can also enable FortiGuard block-IP checking. But that action happens after the entire message has been received by FortiMail. Therefore, if this feature is enabled in a session profile and the action is reject, the performance will be improved. |
disable |
|
Enable to prevent clients from using SMTP servers that have been blocklisted in antispam profiles or, if enabled, the FortiGuard AntiSpam service. This option applies only if the FortiMail unit is operating in transparent mode. |
disable |
|
Enter a limit to the number of concurrent connections per SMTP client. Additional connections are rejected. To disable the limit, enter |
0 |
|
Enter either of the following transparency behaviors:
This option applies only if the FortiMail unit is operating in transparent mode. For more information about the proxies and built-in MTA transparency, see the FortiMail Administration Guide. Note: Unless you have enabled exclusive {enable | disable} in config policy delivery-control, the hide (tp-hidden {no | yes} ) option in config domain-setting has precedence over this option, and may prevent it from applying to incoming email messages. Note: For full transparency, also set the hide (tp-hidden {no | yes} ) option in config domain-setting to |
disable |
|
Enter a limit to the number of seconds a client may be inactive before the FortiMail unit drops the connection. Set the value between 5-1200. |
30 |
|
This is a rate limit to the number of messages sent per client IP address per time interval (the default value is 30 minutes). You set the time interval using the command:
end To disable the limit, enter |
0 |
|
Enter a limit to the total number of concurrent connections from all sources. To disable the limit, enter |
0 |
|
Enable to sign outgoing email with a DKIM signature. This option requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers will not be able to validate your DKIM signature. For details on generating domain key pairs and publishing the public key, see the FortiMail Administration Guide. |
disable |
|
Enable to sign outgoing email with a DKIM signature only if the sender is authenticated. This option is available only if dkim-signing is |
disable |
|
Enable to, if a DKIM signature is present, query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature. An invalid signature increases the client sender reputation score and affect the deep header scan. A valid signature decreases the client sender reputation score. If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation. |
disable |
|
Enable if the DNS record for the domain name of the sender lists DomainKeys. An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score. If the DNS record for the domain name of the sender does not publish DomainKeys information, the FortiMail unit omits the DomainKeys client IP address validation. |
disable |
|
email-addr-rewrite-options {envelope-from | envelope-from-as-key | envelope-to | header-from | header-to | reply-to} |
Specify which elements of the sender and recipient addresses to rewrite. For more details, see the session profile section in the FortiMail Administration Guide. |
|
Note: This feature is only available as part of the MTA advanced control feature. See Enter the email queue to use for the matching sessions. |
no-preference |
|
Enable to accept, monitor, or reject email based upon endpoint reputation scores. This option is designed for use with SMTP clients with dynamic IP addresses. It requires that your RADIUS server provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail unit. If this profile governs sessions of SMTP clients with static IP addresses, instead consider sender-reputation-status {enable | disable}. |
disable |
|
Enter either:
|
reject |
|
Enter the number of minutes that an MSISDN/subscriber ID will be prevented from sending email or MMS messages after they have been automatically blocklisted. |
0 |
|
Enter the MSISDN reputation score over which the FortiMail unit will add the MSISDN/subscriber ID to the automatic blocklist. The trigger score is relative to the period of time configured as the automatic blocklist window. |
5 |
|
Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete. If the FortiMail unit has not yet completed antispam scanning by the time that four (4) minutes has elapsed, it will return SMTP reply code 451( |
disable |
|
Enter the total number of errors the FortiMail unit will accept before dropping the connection. |
5 |
|
Enter the number of seconds by which to increase the delay for each error after the first delay is imposed. |
1 |
|
Enter the delay penalty in seconds for the first error after the number of “free" errors is reached. |
1 |
|
Enter the number of number of errors permitted before the FortiMail unit will penalize the SMTP client by imposing a delay. |
1 |
|
fortiguard-ip-check-mode {as-profile | as-profile-no-auth | client-connect | disable} |
Specify the FortiGuard IP reputation check mode:
|
as-profile |
Enter the limit of NOOP commands that are permitted per SMTP session. Some spammers use NOOP commands to keep a long session alive. Legitimate sessions usually require few NOOPs. Enter 0 to reset to the default value. |
10 |
|
Enter the limit of RSET commands that are permitted per SMTP session. Some spammers use RSET commands to try again after receiving error messages such as unknown recipient. Legitimate sessions should require few RSETs. To disable the limit, enter |
20 |
|
Enter the limit of email messages per session to prevent mass mailing. To disable the limit, enter |
10 |
|
Enter the limit of SMTP greetings that a connecting SMTP server or client can perform before the FortiMail unit terminates the connection. Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities, as a greater number of attempts results in a greater number of terminated connections, which must then be re-initiated. Enter 0 to reset to the default value. |
3 |
|
Enter the limit of the message header size. If enabled, messages with headers over the threshold size are rejected. |
32 |
|
Enter the limit of the message size. If enabled, messages over the threshold size are rejected. |
10240 |
|
Enter the limit of message size in kilobytes (KB) . If enabled, messages over the threshold size are rejected. Note: If both this option and max-message-size <limit_int> in the protected domain are enabled, email size will be limited to whichever size is smaller. |
10240KB |
|
Enter the limit of recipients to prevent mass mailing. |
500 |
|
Enter a mail routing profile to be used in a session profile. |
|
|
Enter the number of message per client per time interval (the default value is 30 minutes). You set the time interval using the command:
end Enter 0 to disable the limit. |
0 |
|
Enter the number jof recipients per client per time interval (the default value is 30 minutes). You set the time interval using the command:
end Enter 0 to disable the limit. |
0 |
|
Enable to use an envelope recipient ( |
disable |
|
Note: This feature is only available as part of the MTA advanced control feature. See Enter an address rewrite profile to be used in a session profile. |
|
|
Enable to use an envelope recipient ( |
disable |
|
Note: This feature is only available as part of the MTA advanced control feature. See Enter a remote logging profile. Note that the remote logging profiles used here are the same as the system-wide remote logging profiles. |
|
|
Enable to remove headers that are inserted by the current unit. Note: This command is enabled by default for backwards compatibility with related subcommands |
enable |
|
Enable to remove other configured headers from email messages. |
disable |
|
Enable to remove all
|
disable |
|
Enable to use an envelope sender ( |
disable |
|
Enter a sender reputation score over which the FortiMail unit will return a rejection error code when the SMTP client attempts to initiate a connection. This option applies only if sender-reputation-status {enable | disable} is enabled. |
80 |
|
Enable to reject email based upon sender reputation scores. |
disable |
|
Enter a sender reputation score over which the FortiMail unit will return a temporary failure error code when the SMTP attempts to initiate a connection. This option applies only if sender-reputation-status {enable | disable} is enabled. |
55 |
|
Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client. |
5 |
|
Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the sender sent during the previous hour. |
1 |
|
Enter the sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client. The enforced rate limit is either sender-reputation-throttle-number <rate_int> or sender-reputation-throttle-percentage <percentage_int> whichever value is greater. This option applies only if sender-reputation-status {enable | disable} is enabled. |
15 |
|
Note: This feature is only available as part of the MTA advanced control feature. See Enter an address rewrite profile to be used in a session profile. |
|
|
Enable to use an envelope sender ( |
disable |
|
Enable sender address verification with LDAP. |
disable |
|
Select the LDAP profile to use for sender address verification. |
|
|
Enable to reject the email if the domain name in the SMTP greeting ( Mismatching domain names is sometimes used by spammers to mask the true identity of their SMTP client. This check only affects unauthenticated sessions. |
disable |
|
Select a content action profile to apply upon session policy match. |
|
|
Define the message type to take session action. |
all |
|
Select one of the following behaviors for ESMTP command pipelining, which causes some SMTP commands to be accepted and processed as a batch, increasing performance over high-latency connections. When set to This option is available for gateway, server, and transparent mode. |
yes |
|
Enable to return SMTP reply code 503, rejecting the SMTP command, if the client or server uses SMTP commands that are syntactically incorrect.
In the following example, the invalid commands are highlighted in bold: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT EHLO example.com 250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you RCPT TO:<user1@example.com> 503 5.0.0 Need MAIL before RCPT |
disable |
|
Enable to block TLS/MD5 commands so that email must pass unencrypted, enabling the FortiMail unit to scan the email for viruses and spam. Clear to pass TLS/MD5 commands, allowing encrypted email to pass. The FortiMail unit cannot scan encrypted email for viruses and spam. Note: This option applies only if the FortiMail unit is operating in transparent mode. |
disable |
|
Enable to return SMTP reply code 501, rejecting the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters. To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a genuine, valid domain name. If this option is enabled, such connections are rejected. In the following example, the invalid command is highlighted in bold: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT EHLO ^^&^&^#$ 501 5.0.0 Invalid domain name Valid characters for domain names include:
|
disable |
|
Enable to return SMTP reply code 501, rejecting the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters. To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a genuine, valid domain name. If this option is enabled, such connections are rejected. In the following example, the invalid command is highlighted in bold: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT EHLO ^^&^&^#$ 501 5.0.0 Invalid domain name Valid domain characters include:
|
disable |
|
Enable to rewrite the This option applies only if the FortiMail unit is operating in transparent mode. |
disable |
|
Enable to rewrite the This option applies only if the FortiMail unit is operating in transparent mode. |
disable |
|
Enter the replacement text for the |
|
|
Enable to block unauthenticated outgoing connections to unprotected mail servers in order to prevent clients from using open relays to send email. If clients from your protected domains are permitted to use open relays to send email, email from your domain could be blocklisted by other SMTP servers. This feature:
|
disable |
|
Enable to return SMTP reply code 550, rejecting the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records. In the following example, the invalid command is highlighted in bold: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT EHLO example.com 250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you MAIL FROM:<user1@fortinet.com> 250 2.1.0 <user1@fortinet.com>... Sender ok RCPT TO:<user2@example.com> 550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1] This check only affects unauthenticated sessions. |
disable |
|
Enable to return SMTP reply code 553, rejecting the SMTP command, if a domain name does not follow the “@" symbol in the sender email address. Because the sender address is invalid and therefore cannot receive delivery status notifications (DSN), you may want to disable this feature. In the following example, the invalid command is highlighted in bold: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2007 14:48:32 GMT EHLO example.com 250-FortiMail-400.localdomain Hello [192.168.171.217], pleased to meet you MAIL FROM:<john@> 553 5.1.3 <john@>... Hostname required This check only affects unauthenticated sessions. |
disable |
|
Enable o return SMTP reply code 421, rejecting the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records. In the following example, the invalid command is highlighted in bold: 220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT EHLO 250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you MAIL FROM:<user1@example.com> 421 4.3.0 Could not resolve sender domain. |
disable |
|
Enable to, if the sender domain DNS record lists SPF authorized IP addresses, compare the client IP address to the IP addresses of authorized senders in the DNS record. An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score. If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation. |
disable |
|
Enable to permit splicing. Splicing enables the FortiMail unit to simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of a server timeout. If the FortiMail unit detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name. Note: This option applies only if the FortiMail unit is operating in transparent mode. |
disable |
|
<integer> |
Enter a threshold value to switch to splice mode based on time (seconds) or data size (kilobytes) using splice-unit {seconds | kilobytes}. Note: This option applies only if the FortiMail unit is operating in transparent mode. |
0 |
Enter the time (seconds) or data size (kilobytes) for the Note: This option applies only if the FortiMail unit is operating in transparent mode. |
seconds |