CLI Reference

policy access-control receive

Use this command to configure access control rules that apply to SMTP sessions being received by the FortiMail unit (that is, sessions initiated by SMTP clients).

Access control rules, sometimes also called the access control list or ACL, specify whether the FortiMail unit will process and relay/proxy, reject, or discard email messages in SMTP sessions.

When an SMTP client tries to send email through the FortiMail unit, the FortiMail unit compares each access control rule to the commands used by the SMTP client during the SMTP session, such as:

  • sender email address in the SMTP envelope (MAIL FROM:)
  • recipient email address in the SMTP envelope (RCPT TO:)
  • authentication (AUTH)
  • session encryption (STARTTLS).

Rules are evaluated for a match in sequential order, from top to bottom of the list. If all attributes of a rule match, then the FortiMail unit applies the action in the rule or TLS profile, and stops match evaluation. Remaining access control rules, if any, are not applied.

Only one access control rule is applied to an SMTP session.

Note

If no access control rules exist, or none match, then the action varies by whether the SMTP client authenticated:

  • Authenticated: Email is relayed/proxied.
  • Not authenticated: Default action is performed.

The default action varies by whether or not the recipient email address in the SMTP envelope (RCPT TO:) is a member of a protected domain:

  • Protected domain: Relay/proxy with greylisting.
  • Not protected domain: Reject.

See also domain.

Rejecting unauthenticated SMTP clients that send email to unprotected domains prevents your email service from becoming an open relay. Open relays are abused by spammers, and therefore DNSBLs block them, so this FortiMail behavior helps to protect the reputation of your email server. Senders can deliver email incoming to your protected domains, but cannot deliver email outgoing to unprotected domains.

If you want to allow your email users or email servers to send email to unprotected domains, then you must configure at least one access control rule. You may need to configure more access control rules if, for example, you want to discard or reject email from:

  • specified email addresses, such as ones that no longer exist in your protected domain
  • specified SMTP clients, such as a spammer that is not yet known to public blocklists

Like IP-based policies, access control rules can reject connections based on IP address.

Unlike IP-based policies, however, access control rules cannot affect email in ways that occur after the session’s DATA command, such as by applying antispam profiles. Access control rules also cannot be overruled by recipient-based policies, and cannot match connections based on the SMTP server (which is always the FortiMail unit itself, unless the FortiMail unit is operating in transparent mode). For more information on IP-based policies, or the sequence in which access control rules are used relative to other antispam methods, see the FortiMail Administration Guide.

Caution

Do not create an access control rule where:

  • sender-pattern is *
  • recipient-pattern is *
  • authenticated is any
  • tls-profile is None
  • action is relay

This creates an open relay, which could result in other MTAs and DNSBL servers blocklisting your protected domain.

Syntax

config policy access-control receive
    edit <rule_id>
        set action {discard | receive | reject | relay | safe | safe-relay}
        set authenticated {any | authenticated | not-authenticated}
        [set comment <description_str>]
        set recipient-pattern <pattern_str>
        set recipient-pattern-type {default | group | regexp}
        set recipient-pattern-regexp {yes | no}
        set recipient-pattern-group <group_name>
        set reverse-dns-pattern <pattern_str>
        set reverse-dns-pattern-regexp {yes | no}
        set sender-ip-group <ip_group_name>
        set sender-ip-mask <ip_netmask_str>
        set sender-ip-type {ip-group | ip-mask}
        set sender-pattern <pattern_str>
        set sender-pattern-type {default | group | regexp}
        set sender-pattern-group <group_name>
        set sender-pattern-regexp {yes | no}
        set status {enable | disable}
        [set tls-profile <profile_str>]
    end

Variable | Description | Default

<rule_id>

Enter the number identifying the rule.

action {discard | receive | reject | relay | safe | safe-relay}

Enter the delivery action the FortiMail unit will perform for SMTP sessions matching this access control rule:

  • reject: Reject delivery of the email (SMTP reply code 550 Relaying denied).
  • discard: Accept the email (SMTP reply code 250 OK), but then silently delete it and do not deliver it.
  • relay: Accept the email (SMTP reply code 250 OK), regardless of authentication or protected domain. Do not greylist, but continue with remaining antispam and other scans. If all scans pass, the email is delivered.
  • safe: Accept the email (SMTP reply code 250 OK) if the sender authenticates or the recipient belongs to a protected domain. Greylist, but skip remaining antispam scans and continue with others such as antivirus.

    Otherwise, if the sender does not authenticate, or the recipient does not belong to a protected domain, then reject delivery of the email (SMTP reply code 554 5.7.1 Relaying denied).

    In older FortiMail versions, this setting was named bypass.

  • safe-relay: Like safe, except do not greylist.
  • receive: Like relay, except greylist, and require authentication or protected domain.

    Otherwise, if the sender does not authenticate or the recipient does not belong to a protected domain, then FortiMail rejects (SMTP reply code 554 5.7.1 Relaying denied).

    Tip: Usually, the receive action is used when you need to apply a TLS profile, but do not want to safelist or allow outbound email, which relay does. If you do not need to apply a TLS profile, then a rule with this action is often not required, because by default, email inbound to protected domains is relayed/proxied.

Default: reject

authenticated {any | authenticated | not-authenticated}

Enter a value to indicate whether this rule applies only to messages delivered by clients that have authenticated with the FortiMail unit.

  • any: Match or do not match this access control rule regardless of whether the client has authenticated with the FortiMail unit.
  • authenticated: Match this access control rule only for clients that have authenticated with the FortiMail unit.
  • not-authenticated: Match this access control rule only for clients that have not authenticated with the FortiMail unit.

Default: any

comment <description_str>

Enter a descriptive comment. The comment will appear as a mouse-over tooltip in the ID column of the rule list.

recipient-pattern <pattern_str>

Enter a pattern that defines recipient email addresses which match this rule, surrounded in slashes and single quotes (such as \'*\').

Default: *

recipient-pattern-type {default | group | regexp}

Enter the pattern type.

Default: default

recipient-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | group | regexp} is regexp.

recipient-pattern-group <group_name>

Enter the group name to specify the recipient pattern.

This option is available only when recipient-pattern-type {default | group | regexp} is group.

reverse-dns-pattern <pattern_str>

Enter a pattern to compare to the result of a reverse DNS look-up of the source IP address of the SMTP client attempting to send the email message.

Because domain names in the SMTP session are self-reported by the connecting SMTP server and easy to fake, the FortiMail unit does not trust the domain name that an SMTP server reports. Instead, the FortiMail unit does a reverse DNS lookup using the SMTP server's IP address. The resulting domain name is compared to the reverse DNS pattern for a match. If the reverse DNS query fails, the access control rule match will also fail. If no other access control rule matches, the connection will be rejected (SMTP reply code 550 Relaying denied).

Wildcard characters allow you to enter partial patterns that can match multiple reverse DNS lookup results. An asterisk (*) represents one or more characters; a question mark (?) represents any single character.

For example, the pattern mail*.com will match messages delivered by an SMTP server whose domain name starts with "mail" and ends with ".com".

Note: Reverse DNS queries for access control rules require that the domain name have a valid top level domain (TLD). For example, ".lab" is not a valid top level domain name, and thus the FortiMail unit cannot successfully perform a reverse DNS query for it.

Default: *

reverse-dns-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the reverse DNS pattern.

Default: no

sender-ip-group <ip_group_name>

Enter the IP group of the SMTP client attempting to send the email message.

This option only appears if you enter ip-group in sender-ip-type {ip-group | ip-mask}.

sender-ip-mask <ip_netmask_str>

Enter the source IP address and netmask of the SMTP client attempting to send the email message. Use the netmask, the portion after the slash (/), to specify the matching subnet.

For example, you can enter 10.10.10.10/24 to match a 24-bit subnet, that is, all addresses starting with 10.10.10. In the access control rule table, this appears as 10.10.10.0/24, with the 0 indicating that any value is matched in that position of the address.

Similarly, if you enter 10.10.10.10/32, it appears as 10.10.10.10/32 because a 32-bit netmask only matches one address, 10.10.10.10 specifically.

To match any address, enter 0.0.0.0/0.

Default: 0.0.0.0 0.0.0.0

sender-ip-type {ip-group | ip-mask}

Select the method used to identify the SMTP client attempting to send the email message. Also configure the corresponding option, sender-ip-mask <ip_netmask_str> or sender-ip-group <ip_group_name>.

Default: ip-mask

sender-pattern <pattern_str>

Enter a pattern that defines sender email addresses which match this rule, surrounded in slashes and single quotes (such as \'*\').

This option is only available if you enter default in sender-pattern-type {default | group | regexp}.

Default: *

sender-pattern-type {default | group | regexp}

Enter the pattern type.

Default: default

sender-pattern-group <group_name>

Enter the group name to match any email address in the group.

This option is only available if you enter group in sender-pattern-type {default | group | regexp}.

sender-pattern-regexp {yes | no}

Enter yes to use regular expression syntax instead of wildcards to specify the sender pattern.

This option is only available if you enter regexp in sender-pattern-type {default | group | regexp}.

Default: no

status {enable | disable}

Enter enable to activate this rule.

Default: enable

tls-profile <profile_str>

Enter a TLS profile to allow or reject the connection based on whether the communication session attributes match the settings in the TLS profile.

For more information on TLS profiles, see the FortiMail Administration Guide.
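The following Python model is an added example, not FortiMail code: it reproduces the behaviour this page describes, namely first-match evaluation with the documented defaults for sessions no rule matches, the one-or-more semantics of *, the 10.10.10.10/24 to 10.10.10.0/24 netmask rendering, and an audit for the open-relay rule shape in the Caution. TLS profiles, reverse DNS lookups and pattern groups are left out, and the rule set, protected domain and IP addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One 'policy access-control receive' entry; only the attributes this model evaluates."""
    rule_id: int
    sender_pattern: str = "*"          # page default
    recipient_pattern: str = "*"       # page default
    authenticated: str = "any"         # any | authenticated | not-authenticated
    sender_ip_mask: str = "0.0.0.0/0"  # page default: match any address
    action: str = "reject"             # page default
    tls_profile: Optional[str] = None  # None = no TLS profile applied
    status: str = "enable"

def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches one or more characters and '?' exactly one, as the page defines them."""
    regex = "".join(".+" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def normalize_mask(mask: str) -> str:
    """Render a sender-ip-mask as the rule table shows it: 10.10.10.10/24 -> 10.10.10.0/24."""
    return str(ipaddress.ip_network(mask, strict=False))

def ip_match(mask: str, client_ip: str) -> bool:
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(mask, strict=False)

def auth_match(setting: str, authenticated: bool) -> bool:
    return setting == "any" or (setting == "authenticated") == authenticated

def evaluate(rules, sender, recipient, client_ip, authenticated, protected_domains):
    """First enabled rule whose attributes all match wins; later rules are not consulted.
    No match: authenticated clients are relayed, unauthenticated mail to a protected
    domain is relayed with greylisting, and everything else is rejected."""
    for r in rules:
        if r.status != "enable":
            continue
        if (wildcard_match(r.sender_pattern, sender)
                and wildcard_match(r.recipient_pattern, recipient)
                and auth_match(r.authenticated, authenticated)
                and ip_match(r.sender_ip_mask, client_ip)):
            return r.rule_id, r.action
    if authenticated:
        return None, "relay"
    if recipient.rsplit("@", 1)[-1].lower() in protected_domains:
        return None, "relay+greylist"
    return None, "reject"

def open_relay_rules(rules):
    """Ids of enabled rules carrying the five attributes the page's Caution warns about.
    The any-address mask test is an assumption added here: a rule confined to one subnet
    does not make the unit an open relay for the whole internet."""
    return [r.rule_id for r in rules
            if r.status == "enable" and r.sender_pattern == "*" and r.recipient_pattern == "*"
            and r.authenticated == "any" and r.tls_profile is None and r.action == "relay"
            and normalize_mask(r.sender_ip_mask) == "0.0.0.0/0"]

# Constructed sample rule set (hypothetical protected domain example.com; RFC 5737 test IPs).
SAMPLE_RULES = [
    Rule(1, authenticated="authenticated", action="relay"),             # users may send outbound
    Rule(2, recipient_pattern="retired@example.com", action="reject"),  # mailbox no longer exists
    Rule(3, sender_pattern="*@example.com", sender_ip_mask="10.10.10.10/24",
         authenticated="not-authenticated", action="relay"),           # internal app server
]
PROTECTED = {"example.com"}
```

Run `open_relay_rules` over an exported rule set before deploying it; any id it returns is a rule the Caution tells you not to create.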

Related topics

policy access-control delivery

config policy delivery-control

policy recipient
