Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiMail 7.4.2 CLI Reference
    7.4.2
    7.6.1
    7.6.0
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.0
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    policy ip

    policy ip

    Use this command to create policies that apply profiles to SMTP connections based upon the IP addresses of SMTP clients and/or servers.

    Syntax

    config policy ip

    edit <policy_int>

    set action {proxy-bypass | reject | scan | temp-fail}

    set client-isdb <datasource>

    set client-ip-group <group_name>

    set client <client_ipv4mask>

    set client-type {ip-address |ip-group | ip-pool | isdb}

    set comment

    set exclusive {enable | disable}

    set profile-antispam <antispam-profile_name>

    set profile-antivirus <antivirus-profile_name>

    set profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

    set profile-content <content-profile_name>

    set profile-dlp

    set profile-ip-pool <ip-pool_name>

    set profile-session <session-profile_name>

    set server-ip-group <group_name>

    set server <smtp-server_ipv4mask>

    set server-ip-pool <ip-pool_str>

    set server-type {ip-address | ip-group | ip-pool}

    set smtp-diff-identity {enable | disable}

    set smtp-diff-identity-ldap

    set smtp-diff-identity-ldap-profile

    set status {enable | disable}

    set use-for-smtp-auth {enable | disable}

    end

    Variable

    Description

    Default

    <policy_int>

    Enter the index number of the IP-based policy.

    action {proxy-bypass | reject | scan | temp-fail}

    Enter an action for this policy:

    Proxy-bypass: Bypass the FortiMail unit’s scanning. This action is for transparent mode only.

    scan: Accept the connection and perform any scans configured in the profiles selected in this policy.

    reject: Reject the email and respond to the SMTP client with SMTP reply code 550, indicating a permanent failure.

    Fail Temporarily: Reject the email and respond to the SMTP client with SMTP reply code 451, indicating and indicate a temporary failure.

    scan

    client-isdb <datasource>

    Enter the name of an internet service provider.

    The Internet Service Database (ISDB) is a comprehensive public IP address database that combines IP address range, IP owner, service port number, and IP security credibility. The data comes from the FortiGuard service system. Information is regularly added to this database, for example, geographic location, IP reputation, popularity & DNS, and so on. All this information helps users define Internet security more effectively. You can use the contents of the database as criteria for inclusion or exclusion in a policy.

    Enter set client-isdb ? to view the full list of providers available.

    client-ip-group <group_name>

    Enter the IP group of the SMTP client to whose connections this policy will apply.

    client <client_ipv4mask>

    Enter the IP address and subnet mask of the SMTP client to whose connections this policy will apply.

    To match all clients, enter 0.0.0.0/0.

    192.168.224.15

    255.255.255.255

    client-type {ip-address |ip-group | ip-pool | isdb}

    Enter the client type.

    ip-address

    comment

    Enter a brief comment for the IP policy.

    exclusive {enable | disable}

    Enable to omit evaluation of matches with recipient-based policies, causing the FortiMail unit to disregard applicable recipient-based policies and apply only the IP-based policy.

    Disable to apply any matching recipient-based policy in addition to the IP-based policy. Any profiles selected in the recipient-based policy will override those selected in the IP-based policy.

    disable

    profile-antispam <antispam-profile_name>

    Enter the name of an outgoing antispam profile, if any, that this policy will apply.

    profile-antivirus <antivirus-profile_name>

    Enter the name of an antivirus profile, if any, that this policy will apply.

    profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

    Enter the type of the authentication profile that this policy will apply.

    The command profile-auth-<auth_type> appears for the type chosen. Enter the name of an authentication profile for the type.

    none

    profile-content <content-profile_name>

    Enter the name of the content profile that you want to apply to connections matching the policy.

    profile-dlp

    Enter the name of the DLP profile for this policy.

    profile-ip-pool <ip-pool_name>

    Enter the name of the IP pool profile that you want to apply to connections matching the policy.

    profile-session <session-profile_name>

    Enter the name of the session profile that you want to apply to connections matching the policy.

    server-ip-group <group_name>

    Enter the name of the IP group profile that you want to apply to connections matching the policy.

    This option is only available when the server-type is ip-group.

    server <smtp-server_ipv4mask>

    Enter the IP address and subnet mask of the SMTP server to whose connections this policy will apply.

    To match all servers, enter 0.0.0.0/0.

    This option applies only for FortiMail units operating in transparent mode. For other modes, the FortiMail unit receives the SMTP connection, and therefore acts as the server.

    0.0.0.0

    0.0.0.0

    server-ip-pool <ip-pool_str>

    Enter the name of the ip pool to whose connections this policy will apply. This option is only available when the server-type is ip-pool.

    server-type {ip-address | ip-group | ip-pool}

    Enter the SMTP server type o whose connections this policy will apply. Also configure server <smtp-server_ipv4mask>, server-ip-group <group_name>, and server-ip-pool <ip-pool_str>.

    ip-address

    smtp-diff-identity {enable | disable}

    Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

    Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

    disable

    smtp-diff-identity-ldap

    Verify SMTP sender identity with LDAP for authenticated email.

    disable

    smtp-diff-identity-ldap-profile

    LDAP profile for SMTP sender identity verification.

    disable

    status {enable | disable}

    Enable to apply this policy.

    enable

    use-for-smtp-auth {enable | disable}

    Enable to authenticate SMTP connections using the authentication profile configured in sensitive-data {...}.

    disable

    Related topics

    cloud-api profile antivirus

    policy access-control delivery

    policy recipient

    Previous
    Next

    policy ip

    policy ip

    Use this command to create policies that apply profiles to SMTP connections based upon the IP addresses of SMTP clients and/or servers.

    Syntax

    config policy ip

    edit <policy_int>

    set action {proxy-bypass | reject | scan | temp-fail}

    set client-isdb <datasource>

    set client-ip-group <group_name>

    set client <client_ipv4mask>

    set client-type {ip-address |ip-group | ip-pool | isdb}

    set comment

    set exclusive {enable | disable}

    set profile-antispam <antispam-profile_name>

    set profile-antivirus <antivirus-profile_name>

    set profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

    set profile-content <content-profile_name>

    set profile-dlp

    set profile-ip-pool <ip-pool_name>

    set profile-session <session-profile_name>

    set server-ip-group <group_name>

    set server <smtp-server_ipv4mask>

    set server-ip-pool <ip-pool_str>

    set server-type {ip-address | ip-group | ip-pool}

    set smtp-diff-identity {enable | disable}

    set smtp-diff-identity-ldap

    set smtp-diff-identity-ldap-profile

    set status {enable | disable}

    set use-for-smtp-auth {enable | disable}

    end

    Variable

    Description

    Default

    <policy_int>

    Enter the index number of the IP-based policy.

    action {proxy-bypass | reject | scan | temp-fail}

    Enter an action for this policy:

    Proxy-bypass: Bypass the FortiMail unit’s scanning. This action is for transparent mode only.

    scan: Accept the connection and perform any scans configured in the profiles selected in this policy.

    reject: Reject the email and respond to the SMTP client with SMTP reply code 550, indicating a permanent failure.

    Fail Temporarily: Reject the email and respond to the SMTP client with SMTP reply code 451, indicating and indicate a temporary failure.

    scan

    client-isdb <datasource>

    Enter the name of an internet service provider.

    The Internet Service Database (ISDB) is a comprehensive public IP address database that combines IP address range, IP owner, service port number, and IP security credibility. The data comes from the FortiGuard service system. Information is regularly added to this database, for example, geographic location, IP reputation, popularity & DNS, and so on. All this information helps users define Internet security more effectively. You can use the contents of the database as criteria for inclusion or exclusion in a policy.

    Enter set client-isdb ? to view the full list of providers available.

    client-ip-group <group_name>

    Enter the IP group of the SMTP client to whose connections this policy will apply.

    client <client_ipv4mask>

    Enter the IP address and subnet mask of the SMTP client to whose connections this policy will apply.

    To match all clients, enter 0.0.0.0/0.

    192.168.224.15

    255.255.255.255

    client-type {ip-address |ip-group | ip-pool | isdb}

    Enter the client type.

    ip-address

    comment

    Enter a brief comment for the IP policy.

    exclusive {enable | disable}

    Enable to omit evaluation of matches with recipient-based policies, causing the FortiMail unit to disregard applicable recipient-based policies and apply only the IP-based policy.

    Disable to apply any matching recipient-based policy in addition to the IP-based policy. Any profiles selected in the recipient-based policy will override those selected in the IP-based policy.

    disable

    profile-antispam <antispam-profile_name>

    Enter the name of an outgoing antispam profile, if any, that this policy will apply.

    profile-antivirus <antivirus-profile_name>

    Enter the name of an antivirus profile, if any, that this policy will apply.

    profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

    Enter the type of the authentication profile that this policy will apply.

    The command profile-auth-<auth_type> appears for the type chosen. Enter the name of an authentication profile for the type.

    none

    profile-content <content-profile_name>

    Enter the name of the content profile that you want to apply to connections matching the policy.

    profile-dlp

    Enter the name of the DLP profile for this policy.

    profile-ip-pool <ip-pool_name>

    Enter the name of the IP pool profile that you want to apply to connections matching the policy.

    profile-session <session-profile_name>

    Enter the name of the session profile that you want to apply to connections matching the policy.

    server-ip-group <group_name>

    Enter the name of the IP group profile that you want to apply to connections matching the policy.

    This option is only available when the server-type is ip-group.

    server <smtp-server_ipv4mask>

    Enter the IP address and subnet mask of the SMTP server to whose connections this policy will apply.

    To match all servers, enter 0.0.0.0/0.

    This option applies only for FortiMail units operating in transparent mode. For other modes, the FortiMail unit receives the SMTP connection, and therefore acts as the server.

    0.0.0.0

    0.0.0.0

    server-ip-pool <ip-pool_str>

    Enter the name of the ip pool to whose connections this policy will apply. This option is only available when the server-type is ip-pool.

    server-type {ip-address | ip-group | ip-pool}

    Enter the SMTP server type o whose connections this policy will apply. Also configure server <smtp-server_ipv4mask>, server-ip-group <group_name>, and server-ip-pool <ip-pool_str>.

    ip-address

    smtp-diff-identity {enable | disable}

    Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

    Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

    disable

    smtp-diff-identity-ldap

    Verify SMTP sender identity with LDAP for authenticated email.

    disable

    smtp-diff-identity-ldap-profile

    LDAP profile for SMTP sender identity verification.

    disable

    status {enable | disable}

    Enable to apply this policy.

    enable

    use-for-smtp-auth {enable | disable}

    Enable to authenticate SMTP connections using the authentication profile configured in sensitive-data {...}.

    disable

    Related topics

    cloud-api profile antivirus

    policy access-control delivery

    policy recipient

    Previous
    Next