<name>

Enter a variable name that you want to add or edit, such as %%SENDER%%.

content

Enter the content for the variable.

display-name

Enter the display name for the variable. For example, the display name for %%SENDER%% can be From.

from <string>

Enter the replacement message for the From field of the quarantine summary.

html-body <string>

Enter the replacement message for the email body of the quarantine summary in HTML code.

subject <string>

Enter the replacement message for the subject field of the quarantine summary.

addressbook {domain | none | system}

Select whether to add newly created email users to the system address book, domain address book, or none.

This setting is available only if operation-mode {gateway | server | transparent} is server.

bypass-bounce-verification {enable | disable}

Enable to omit bounce address tag verification of email incoming to this protected domain.

This bypass does not omit bounce address tagging of outgoing email.

comment "<comment_str>"

Enter a description or comment.

disclaimer-status {disabled | use-domain-setting | use-system-setting}

Select whether to use the system-wide disclaimer message (see system disclaimer-message), a disclaimer message specific to this protected domain, or to disable the disclaimer message for this protected domain. Also configure customized-message.

disk-quota <GB_int>

Enter the disk quota in gigabytes (GB).

If the disk quota reaches 90% threshold, a warning email is sent to the domain customer email. If the maximum disk quota of this domain is exceeded, users of this domain will no longer receive any new email.

Note: This option is only available in server mode.

dmarc-report-analysis-rua-address <recipient_email>

Enter the recipient email address where FortiMail will send the DMARC report.

This setting applies only if dmarc-report-analysis-rua-address-mode {auto-discover | manual} is manual.

dmarc-report-analysis-rua-address-mode {auto-discover | manual}

Select either:

• auto-discover: FortiMail automatically queries the DNS server about the sender domain to determine that domain's authorized DMARC report recipient.

  Note: If a sender does not have a valid DMARC RUA/RUF configured in the domain's DNS TXT record, then FortiMail cannot send them because there is no report recipient email address.

• manual: Manually configure another DMARC report recipient. Also configure dmarc-report-analysis-rua-address <recipient_email>.

  Tip: This option can be useful if, for example, the sender domain's DMARC record is misconfigured, and you want to send a report to show them how many email were rejected due to failed DMARC checks.

dmarc-report-analysis-status {enable | disable | use-system-setting}

Select either:

• enable: Collect data about email validated by DMARC checks for email sent to this protected domain.
• disable: Do not collect DMARC check data.
• use-system-setting: Instead of using a domain-level setting, use the system-wide setting in status {enable | disable | monitor-only}.

dmarc-failure-action {use-policy-action | use-profile-action | use-profile-action-with-none | use-system-setting}

Select either:

• use-policy-action: Use the actions specified in the policy option of the sender's DMARC record.

• use-profile-action: Use the action specified in the antispam profile.

• use-profile-action-with-none: If the policy option in the sender's DMARC record is p=none, use that action. Else use the action in the antispam profile.

• use-system-setting: Instead of using a domain-level setting, use the system-wide setting dmarc-failure-action {use-policy-action | use-profile-action | use-profile-action-with-none}.

dmarc-report-generation-status {enable | disable | monitor-only | use-system-setting}

Select either:

• enable: Send a report about email validated by DMARC checks.to the domain of the sender.
• disable: Do not generate a DMARC report.
• monitor-only: Do not generate a report.
• use-system-setting: Instead of using a domain-level setting, use the system-wide setting in status {enable | disable | monitor-only}.

dmarc-report-generation-from-addr-localpart <localpart_str>

Enter the local part of the sender email address when FortiMail sends reports about DMARC checks to that domain name.

fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain.

This SMTP server will be used if the primary SMTP server is unreachable.

Note: This setting is not available in server mode.

fallback-port <port_int>

Enter the port number on which the failover SMTP server listens.

If you enable Use SMTPS, Port automatically changes to the default port number for SMTPS, but can still be customized.

The default SMTP port number is 25; the default SMTPS port number is 465.

Note: This setting is not available in server mode.

fallback-use-smtps {enable | disable}

Enable to use SMTPS for connections originating from or destined for this protected server.

Note: This setting is not available in server mode.

global-bayesian {enable | disable}

Enable to use the global Bayesian database instead of the Bayesian database for this protected domain.

If you do not need the Bayesian database to be specific to the protected domain, you may want to use the global Bayesian database instead in order to simplify database maintenance and training.

Disable to use the per-domain Bayesian database.

This option does not apply if you have enabled use of personal Bayesian databases in an incoming antispam profile, and if the personal Bayesian database is mature. Instead, the FortiMail unit will use the personal Bayesian database.

greeting-with-host-name {domainname | hostname | othername}

Select how the FortiMail unit will identify itself during the HELO or EHLO greeting of outgoing SMTP connections that it initiates.

• domainname: The FortiMail unit will identify itself using the domain name for this protected domain.

  If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.

• hostname: The FortiMail unit will identify itself using its own host name.

  By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select to use the system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.

• othername: Use a name other than the domain name or host name, for the HELO/EHLO greeting. Also configure other-helo-greeting <hostname_str>.

host <host_name>

Enter the host name or IP address and port number of the mail exchanger (MX) for this protected domain.

If relay-type is mx-lookup (this domain) or mx-lookup-alt-domain (alternative domain), this information is determined dynamically by querying the MX record of the DNS server, and this field will be empty.

Note: This setting is not available in server mode.

ip-pool <pool_name>

You can use a pool of IP addresses as the source IP address when sending email from this domain, or as the destination IP address when receiving email destined to this domain, or as both the source and destination IP addresses.

If you want to use the IP pool as the source IP address for this protected domain, according to the sender’s email address in the envelope (MAIL FROM:), select the IP pool to use and select outgoing in ip-pool-direction {outgoing | incoming | both}.

If you want to use the IP pool as the destination IP address (virtual host) for this protected domain, according to the recipient’s email address in the envelope (RCPT TO:), select the IP pool to use and select incoming in ip-pool-direction {outgoing | incoming | both}. You must also configure the MX record to direct email to the IP pool addresses as well.
This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different host and logging for each host can be separated as well.

If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select both in ip-pool-direction {outgoing | incoming | both}.

Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

ip-pool-direction {outgoing | incoming | both}

Select the direction of SMTP traffic to use an IP pool for.

This setting is only available after you configure ip-pool <pool_name>.

is-sub-domain {enable | disable}

Enable to indicate the protected domain you are creating is a subdomain of an existing protected domain, then also configure Main domain.

Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will be displayed as grouped under the parent protected domain when viewing the list of protected domains.

This option is available only when another protected domain exists to select as the parent domain.

ldap-asav-profile <ldap-profile_name>

Enter the name of an LDAP profile which you have enabled and configured.

ldap-asav-status {enable | disable}

Enable to query an LDAP server for an email user’s preferences to enable or disable antispam and/or antivirus processing for email messages destined for them.

ldap-domain-routing-port <port_int>

Enter the port number on which the SMTP servers in the LDAP profile listen.

If you enable ldap-domain-routing-smtps {enable |disable}, this setting automatically changes to the default port number for SMTPS, but can still be customized.

The default SMTP port number is 25; the default SMTPS port number is 465.

This option is valid when relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is ldap-domain-routing.

ldap-domain-routing-profile <ldap-profile_name>

Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query. Also configure ldap-domain-routing-port <port_int> and ldap-domain-routing-smtps {enable |disable}.

This setting is valid when relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is ldap-domain-routing.

ldap-domain-routing-smtps {enable |disable}

Enable to use SMTPS for connections originating from or destined for this protected server.

This option is valid when relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is ldap-domain-routing.

ldap-groupowner-profile <ldap-profile_name>

Select an LDAP profile to send the quarantine report to a group owner, rather than individual recipients.

ldap-routing-profile <ldap-profile_name>

Select an LDAP profile for mail routing.

ldap-routing-status {enable | disable}

Enable or disable mail routing according to query results from the LDAP profile.

ldap-user-profile <profile_name>

Select the name of an LDAP profile in which you have configured, enabling you to authenticate email users and expand alias email addresses or replace one email address with another by using an LDAP query to retrieve alias members.

max-message-size <limit_int>

Enable then type the limit in kilobytes (KB) of the message size. Email messages over the threshold size are rejected.

Note: If both this setting and its equivalent setting in the session profile are enabled, then email size will be limited to whichever size is smaller.

other-helo-greeting <hostname_str>

After you set greeting-with-host-name {domainname | hostname | othername} to othername, use this command to specify the name to use for the SMTP greeting (HELO/EHLO).

Note: This setting is not available in server mode.

port <smtp-port_int>

Enter the SMTP port number of the mail server.

Note: This setting is not available in server mode.

quarantine-report-schedule-status {enable | disable}

Enable or disable domain-level quarantine report schedule setting.

The quarantine report settings for a protected domain are a subset of the system-wide quarantine report settings.

For example, if the system settings for schedule include only Monday and Thursday, when you are setting the schedule for the quarantine reports of the protected domain, you will only be able to select either Monday or Thursday.

quarantine-report-status {enable | disable}

Enable or disable domain-level quarantine report.

quarantine-report-to-alt {enable | disable}

Enable or disable sending domain-level quarantine report to a recipient other than the individual recipients or group owner. For example, you might delegate quarantine reports by sending them to an administrator whose email address is not locally deliverable to the protected domain, such as admin@lab.example.com.

quarantine-report-to-alt-addr <recipient_email>

Enter the email address that will receive the quarantine report.

quarantine-report-to-individual {enable | disable}

Enable to send quarantine reports to the same email address as the original email's recipient.

quarantine-report-to-ldap-groupowner {enable | disable}

Enable to send quarantine reports to the LDAP group owner, as determined by query results from the specified LDAP profile.

recipient-retention-period <days_int>

Enter the retention period in days for inactive user accounts. Valid values are 15-180. If an account has been inactive for more than the designated period, the account is purged.

recipient-verification {disable | ldap | smtp}

Select a method of confirming that the recipient email address in the message envelope (RCPT TO:) corresponds to an email user account that actually exists on the protected email server. If the recipient address is invalid, the FortiMail unit will reject the email. This prevents quarantine email messages for non-existent accounts, thereby conserving quarantine hard disk space.

• disable: Do not verify that the recipient address is an email user account that actually exists.
• smtp: Query the SMTP server using the SMTP RCPT TO: command to verify that the recipient address is an email user account that actually exists. You can also choose to use the SMTP VRFY command to do the verification. This feature is available on the GUI when you create a domain.
  If you want to query an SMTP server other than the one you have defined as the protected SMTP server, also enable Use alternative server, then enter the IP address or FQDN of the server in the field next to it. Also configure Port with the TCP port number on which the SMTP server listens, and enable Use SMTPS if you want to use SMTPS for recipient address verification connections with the server.
• ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server.

Note: This option can cause a performance impact that may be noticeable during peak traffic times. For a lesser performance impact, you can alternatively periodically automatically remove quarantined email messages for invalid email user accounts, rather than actively preventing them during each email message.

Note: Spam often contains invalid recipient addresses. If you have enabled spam quarantining, but have not prevented or scheduled the periodic removal of quarantined email messages for invalid email accounts, the FortiMail hard disk may be rapidly consumed during peak traffic times, resulting in refused SMTP connections when the hard disk becomes full. To prevent this, enable either this option or the periodic removal of invalid quarantine accounts.

recipient-verification-background {disable | ldap | purge-inactive | smtp}

Select a method by which to periodically remove quarantined spam for which an email user account does not actually exist on the protected email server.

• disable: Do not verify that the recipient address is an email user account that actually exists.

• ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also select the LDAP profile that will be used to query the LDAP server.
  If you select either Use SMTP server or Use LDAP server, at 4:00 AM daily (unless configured for another time, using the CLI), the FortiMail unit queries the server to verify the existence of email user accounts. If an email user account does not currently exist, the FortiMail unit removes all spam quarantined for that email user account.

• purge-inactive: Checks how many days an email user account has been inactive. If an account has been inactive for more than the designated period, the account is purged.

• smtp: Query the SMTP server to verify that the recipient address is an email user account that actually exists.

Note: If you have also enabled recipient-verification, the FortiMail unit is prevented from forming quarantine accounts for email user accounts that do not really exist on the protected email server. In that case, invalid quarantine accounts are never formed, and this option may not be necessary, except when you delete email user accounts on the protected email server. If this is the case, you can improve the performance of the FortiMail unit by disabling this option.

Note: Spam often contains invalid recipient addresses. If you have enabled spam quarantining, but have not prevented or scheduled the periodic removal of quarantined email messages for invalid email accounts, the FortiMail hard disk may be rapidly consumed during peak traffic times, resulting in refused SMTP connections when the hard disk becomes full. To prevent this, enable either this option or verification of recipient addresses.

recipient-verification-background-profile <ldap-profile_name>

Enter the LDAP profile used to query the LDAP server to verify that the recipient address is an email user account that actually exists.

Note: This setting is not available for server mode.

recipient-verification-invalid-user-action {reject | discard}

Select which action to take if the recipient is not valid.

Note: This setting is not available for server mode.

relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

Select from one of the following methods of defining which SMTP server will receive email from the FortiMail unit that is destined for the protected domain:

• host: Configure the connection to one protected SMTP server or, if any, one fallback.
• ldap-domain-routing: Query the LDAP server for the FQDN or IP address of the SMTP server. For more information about domain lookup, see domain-query <query_str>.
• mx-lookup: Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
• mx-lookup-alt-domain: Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, the FortiMail unit will load balance between them.
• ip-pool: Configure the connection to rotate among one or many protected SMTP servers.

Note: If an MX option is used, you may also be required to configure the FortiMail unit to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode of the FortiMail unit.

• Gateway mode: A private DNS server is required. On the private DNS server, configure the MX record with the FQDN of the SMTP server that you are protecting for this domain, causing the FortiMail unit to route email to the protected SMTP server. This is different from how a public DNS server should be configured for that domain name, where the MX record usually should contain the FQDN of the FortiMail unit itself, causing external SMTP servers to route email through the FortiMail unit. Additionally, if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall, on the private DNS server, configure the protected SMTP server’s A record with its private IP address, while on the public DNS server, configure the FortiMail unit’s A record with its public IP address.
• Transparent mode: A private DNS server is required if both the FortiMail unit and the SMTP server are behind a NAT device such as a router or firewall. On the private DNS server, configure the protected SMTP server’s A record with its private IP address. On the public DNS server, configure the protected SMTP server’s A record with its public IP address. Do not modify the MX record.

Note: This setting is not available in server mode.

remove-outgoing-received-header {enable | disable}

Enable to remove all Received: message headers that have been inserted by other MTAs (not FortiMail) from email whose:

• sender email address belongs to this protected domain, and
• recipient email address is outgoing (that is, does not belong to this protected domain); if there are multiple recipients, only the first recipient’s email address is used to determine whether an email is outgoing.

Alternatively, you can remove this header from any matching email using session profiles. See remove-received-headers {enable | disable}.

sender-addr-rate-ctrl-max-msgs <messages_int>

Enter the maximum number of messages per sender address per half an hour.

sender-addr-rate-ctrl-max-msgs-state {enable | disable}

Enable the option of maximum number of messages per sender address per half an hour.

sender-addr-rate-ctrl-max-size <size_int>

Enter the maximum number of megabytes per sender per half an hour.

sender-addr-rate-ctrl-max-size-state {enable | disable}

Enable the option of maximum number of megabytes (MB) per sender per half an hour.

sender-addr-rate-ctrl-state {enable | disable}

Enable sender address rate control per sender email address.

smtp-recipient-verification-command {rcpt | vrfy}

Specify the command that the FortiMail unit uses to query the SMTP server to verify that the recipient address is an email user account that actually exists. The default command that the FortiMail unit uses is RCPT TO:.

This option is only available after you set recipient-verification {disable | ldap | smtp} to smtp.

smtp-recipient-verification-accept-reply-string <accept_str>

When FortiMail queries the SMTP server for recipient verification:

If the reply code of the VRFY command is 2xx, the recipient exists.

If the reply code is not 2xx, then FortiMail will try to match the accept string you specified with the reply string. If the strings match, the recipient exists.

Otherwise, the recipient is unknown.

For example, if the recipient is a group or mailing list, FortiMail will receive a 550 error code and a reply string. Depending on what reply string you get, you can specify a string to match the reply string.

For example, if the recipient is marketing@example.com, the reply string might say something like “marketing@example.com is a group”. In this case, if you specify “is a group” as the accept string and thus this string matches the string or part of the string in the reply string, FortiMail will deem the query successful and pass the email.

This command is available only when you set smtp-recipient-verification-command to vrfy.

Note: This setting is not available in server mode.

sso-status {enable | disable}

Enable for users in the protected domain to be able to log in via the authentication server defined in a single sign-on (SSO) profile.

When SSO is enabled for webmail users, CalDAV and WebDAV authentication will not function. They only support simple local password authentication.

sso-profile <profile_name>

Enter the name of an SSO profile to use.

tp-hidden {no | yes}

Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in the:

• SMTP greeting (HELO/EHLO) in the envelope
• Received: message headers of email messages
• IP addresses in the IP header

This masks the existence of the FortiMail unit to the protected SMTP server.

Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail unit.

For example, an external SMTP client might have the IP address 172.168.1.1, and the FortiMail unit might have the domain name fortimail.example.com. If the option is enabled, the message header would contain (difference highlighted in bold):

Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800

Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT

But if the option is disabled, the message headers would contain:

Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800

Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT

Note: This option does not apply to email messages sent from protected domains to protected domains, meaning that the FortiMail unit will not be hidden even if this option is enabled.

Note: This setting is only available in transparent mode.

tp-server-on-port <port_int>

Select the network interface (physical port) to which the protected SMTP server is connected.

Note: Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface.

Note: This setting is only available in transparent mode.

tp-use-domain-mta {yes | no}

Enable to proxy SMTP clients’ incoming connections when sending outgoing email messages via the protected SMTP server.

Note: This option is only available in transparent mode.

For example, if the protected domain example.com has the SMTP server 192.168.1.1, and an SMTP client for user1@example.com connects to it to send email to user2@external.example.net, enabling this option would cause the FortiMail unit to proxy the connection through to the protected SMTP server.

Disable to relay email using the built-in MTA to either the defined SMTP relay, if any, or directly to the MTA that is the mail exchanger (MX) for the recipient email address’s (RCPT TO:) domain. The email may not actually travel through the protected SMTP server, even though it was the relay originally specified by the SMTP client.

This option does not affect incoming connections containing incoming email messages, which will always be handled by the built-in MTA.

Note: This setting will be ignored for email that matches an antispam or content profile where you have enabled alternate-host {<relay_fqdn> | <relay_ipv4>}.

use-stmps {enable | disable}

Enable to use SMTPS to relay email to the mail server.

Note: This setting is not available in server mode.

webmail-language <language_name>

Select the language that the FortiMail unit will to display webmail and quarantine folder in the GUI for users. By default, the FortiMail unit uses the same language as the GUI for administrators.

<policy_index>

Type the index number of the policy.

To view a list of existing entries, enter a question mark ( ? ).

auth-access-options {pop3 smtp‑auth smtp‑diff-identity web}

Type one or more of the following:

smtp-diff-identity: Allow email when the SMTP client authenticates with a different user name than the one that appears in the envelope’s sender email address. You must also enter smtpauth for this option to have any effect.

web: Allow the email user to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their per-recipient spam quarantine.

pop3: Allow the email user to use POP3 to retrieve the contents of their per-recipient spam quarantine.

smtp-auth: Use the authentication server selected in the authentication profile when performing SMTP authentication for connecting SMTP clients.
Note: Entering this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication.

certificate-required {yes | no}

(transparent and gateway mode only)

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enable this option.

comment

Enter a comment for the recipient policy

direction

Enter whether the direction of mail traffic is incoming or outgoing.

pkiauth {enable | disable}

(transparent and gateway mode only)

Enable if you want to allow email users to log in to their per-recipient spam quarantine by presenting a certificate rather than a user name and password.

pkiuser <user_name>

(transparent and gateway mode only)

Enter the name of the PKI user entry, or select a user you defined before.

This is not required to be the same as the administrator or email user’s account name, although you may find it helpful to do so.

For example, you might have an administrator account named admin1.You might therefore find it most straightforward to also name the PKI user admin1, making it easy to remember which account you intended to use these PKI settings.

profile-antispam <antispam_name>

Select a antispam profile that you want to apply to the policy.

profile-antivirus <antivirus_name>

Select an antivirus profile that you want to apply to the policy.

profile-auth-type {imap | local | ldap | pop3 | smtp | radius}

If you want email users to be able to authenticate using an external authentication server, first specify the profile type (SMTP, POP3, IMAP,RADIUS, or LDAP), then specify which profile to use.

For example:

set profile-auth-type ldap

set profile-auth-ldap ldap_profile1

profile-auth-imap <imap_name>

Type the name of an IMAP authentication profile.

This command is applicable only if you have enabled use of an IMAP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-ldap <ldap_name>

Type the name of an LDAP authentication profile.

This command is applicable only if you have enabled use of an LDAP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-pop3 <pop3_name>

Type the name of a POP3 authentication profile.

This command is applicable only if you have enabled use of a POP3 authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-smtp <smtp_name>

Type the name of an SMTP authentication profile.

This command is applicable only if you have enabled use of an SMTP authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-auth-radius <radius_name>

Type the name of a RADIUS authentication profile.

This command is applicable only if you have enabled use of a RADIUS authentication profile using profile-auth-type {imap | local | ldap | pop3 | smtp | radius}.

profile-content <profile_name>

Select which content profile you want to apply to the policy.

profile-dlp

Enter the DLP profile for the policy.

profile-resource <profile_name>

Select which resource profile you want to apply to the policy.

This option is only available in server mode.

profile-ldap <profile_name>

If you set the recipient type as “ldap-group", you can select an LDAP profile.

recipient-domain <domain>

Enter the domain part of the recipient email address.

recipient-name <name_str>

Enter the local part of the recipient email address or a pattern with wild cards.

recipient-type {ldap-group | local-group | user}

Select one of the following ways to define recipient (RCPT TO:) email addresses that match this policy. This setting applies to the incoming policies only.

user: Select this option and then use the above command to enter the local part of the recipient email address.

local-group: Select this option and then specify the local group under this domain.

ldap-group: Select this option and then select an LDAP profile.

sender-domain <domain_name>

Enter the domain part of the sender email address. For example, example.com.

sender-name <local-part_str>

Enter the local part of the sender email address. For example, user1.

sender-type {ldap‑group | local-group | user}

Select one of the following ways to define which sender (MAIL FROM:)email addresses match this policy.

user: Select this option and then use the above command to enter the local part of the sender email address.

local-group: Select this option and then specify the local group under this domain.

ldap-group: Select this option and then select an LDAP profile.

Note: This setting applies to the outgoing policies only.

smtp-diff-identity

Rejects different smtp sender identity.

smtp-diff-identity-ldap

Verify smtp sender identity with LDAP for authenticated email.

smtp-diff-identity-ldap-profile

LDAP profile for SMTP sender identity verification.

base-dn <string>

Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as ou=People,dc=example,dc=com.

User objects should be child nodes of this location.

bind-dn <string>

Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the basedn.

bind-password <password>

Enter the password of bind-dn <string>.

description <string>

Enter a description.

group-display-name <string>

Enter the LDAP group/mailing list display name attribute.

group-primary-address <string>

Enter the LDAP group/mailing list primary email address attribute.

group-query <string>

Enter the LDAP group/mailinglistquery string.

group-secondary-address <string>

Enter the LDAP group/mailing list secondary email address attribute.

ldap-port <integer>

Enter the TCP port number of the LDAP server.

The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.

ldap-secure {enable | disable}

Enable or disable (by default) a secure encrypted connection to the LDAP server.

ldap-server <string>

Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

ldap-version {ver2 | ver3}

Enter the LDAP server protocol version.

ms365-application-id <string>

Enter the Microsoft 365 application ID.

ms365-application-secret <password>

Enter the Microsoft 365 application secret.

ms365-tenant-id <password>

Enter the Microsoft 365 tenant ID.

recurrence {daily | monthly | none | weekly}

Define the recurrence/schedule of the remote server synchronization.

referrals-chase {enable | disable}

schedule-hour <integer>

Enter the hour of the day at which synchronization will occur. Set the value between 0-23.

scope {base | one | sub}

Define the search scope of the LDAP server; either base, one level, or subtree (by default).

timeout <integer>

Enter the query timeout limit in seconds. Valid range is from 60 to 600.

type {ldap | ms365}

Enter the remote server profile type.

user-display-name <string>

Enter the LDAP user's display name attribute.

user-primary-address <string>

Enter the LDAP user's primary email address attribute.

user-query <string>

Enter the LDAP query string to get all users.

<old-user_name>

The existing user account that you want to rename.

<new-user_name>

The new name for the user account.

<user_name>

Enter the user name of an email user, such as user1. This is also the local-part of the email user’s primary email address.

type {local | ldap}

Select whether to authenticate the user via a remote authentication server, or user accounts defined locally on FortiMail.

displayname <name_str>

Enter the display name of the local email user, such as 'User One'.

password <pwd_str>

Enter the password of the local email user.

This setting is used only if type {ldap | ms365} is local.