<profile_name>

Enter the name that identifies the profile.

comment "<comment_str>"

Enter a description or comment.

<policy_name>

Enter the number that identifies the policy.

Note: The identifier number may be different from the order of evaluation. FortiMail units evaluate these policies in sequential order, starting at the top of the list. Only the first matching policy is applied.

For example, if you enter:

move 15 before 1

then policy 15 is evaluated for a match before policy 1.

To show the order of evaluation for the list of policies, enter:

get

Select which action the FortiMail unit will perform for SMTP sessions that match this policy:

• reject: Reject delivery of the email (SMTP reply code 550 Relaying denied).
• discard: Accept the email (SMTP reply code 250 OK), but then silently delete it and do not deliver it.
• relay:Accept the email (SMTP reply code 250 OK), regardless of authentication or protected domain. Do not greylist, but continue with remaining antispam and other scans. If all scans pass, the email is delivered.

• safe: Accept the email (SMTP reply code 250 OK) if the sender authenticates or recipient belongs to a protected domain. Greylist, but skip remaining antispam scans and but continue with others such as antivirus.

  Otherwise, if the sender does not authenticate, or the recipient does not belong to a protected domain, then reject delivery of the email (SMTP reply code 554 5.7.1 Relaying denied).

  In older FortiMail versions, this setting was named bypass.

• safe-relay: Like safe, except do not greylist.

• receive: Like relay, except greylist, and require authentication or protected domain.

  Otherwise, if the sender does not authenticate or the recipient does not belong to a protected domain, then FortiMail rejects (SMTP reply code 554 5.7.1 Relaying denied).

  Tip: Usually, the receive action is used when you need to apply a TLS profile, but do not want to safelist nor allow outbound, which relay does. If you do not need to apply a TLS profile, then a policy with this action is often not required because by default, email inbound to protected domains is relayed/proxied.

authenticated {any | authenticated | not-authenticated}

Select whether to match this policy based upon whether SMTP clients have authenticated with the FortiMail unit, either:

• any: Ignore authentication status.
• authenticated: Match this policy if the SMTP client has authenticated.
• not-authenticated: Match this policy if the SMTP client has not authenticated.

recipient-pattern <recipient_pattern>

Enter an email address or pattern. Formatting is the same as sender-pattern <sender_pattern>.

This setting is available only when recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is default or regexp.

recipient-pattern-group <group_name>

Enter the group of recipient email addresses.

This setting is available only if recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is group.

recipient-pattern-ldap-groupname <group_name>

Enter the group of recipient email addresses that is in the directory server.

This setting is available only if recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is ldap.

recipient-pattern-ldap-profile <profile_name>

Enter an LDAP profile.

This setting is available only if recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is ldap.

Note: Use $m in the LDAP query string to match recipient email addresses.

recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

Select how you will define the recipient email addresses that match the policy.

Options are the same as sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}.

reverse-dns-pattern <mta-fqdn_pattern>

To define which SMTP clients match this policy, depending on reverse-dns-pattern-regexp {yes | no}, enter either a:

• Complete or partial domain name. Wild card characters can be used to match multiple domain names. An asterisk (*) represents one or more characters. A question mark (?) represents any single character. For example:

  *.example.???

  matches all sub-domains at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name.

• Regular expression.

  Tip: To validate syntax and correct matching, you can use the validator in the FortiMail GUI. For details, see the FortiMail Administration Guide.

Because the domain name in the SMTP session greeting (HELO/EHLO) is self-reported by the connecting SMTP client, it could be fake and the FortiMail unit does not trust it. Instead, the FortiMail does a reverse DNS lookup of the SMTP client’s IP address to discover its real domain name. This is compared to the pattern. If the domain name does not match the pattern, or if the reverse DNS query fails, then the policy does not match.

Note: The domain name must be a valid top level domain (TLD). For example, “.lab” is not valid because it is reserved for testing on private networks, not the Internet, and thus a reverse DNS query to DNS servers on the Internet will always fail.

reverse-dns-pattern-regexp {yes | no}

Select yes if you want to use regular expression syntax in reverse-dns-pattern <mta-fqdn_pattern>.

sender-geoip-group <group_name>

Select a geographic IP address group.

This setting is only available if sender-ip-type {geoip-group | ip-group | ip-mask} is geoip-group.

sender-ip-group <ip_group_name>

Enter the IP group of the SMTP client attempting to send the email message.

This setting is only available if sender-ip-type {geoip-group | ip-group | ip-mask} is ip-group.

sender-ip-mask <sender_ipv4/mask>

Enter the IP address and netmask of the SMTP client.

For example, you can enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. In the access control policy table, this appears as 10.10.10.0/24, with the 0 indicating that any value is matched in that position of the address.

Similarly, if you enter 10.10.10.10/32, it appears as 10.10.10.10/32 because a 32-bit netmask only matches one address, 10.10.10.10 specifically.

To match any address, enter 0.0.0.0/0.

This setting is only available if sender-ip-type {geoip-group | ip-group | ip-mask} is ip-mask.

sender-ip-type {geoip-group | ip-group | ip-mask}

Select how you will define the source IP address of SMTP clients that match this policy, either:

• ip-mask: An IP address and netmask. Also configure sender-ip-mask <sender_ipv4/mask>.
• ip-group:An IP address group. Also configure sender-ip-group <ip_group_name>.
• geoip-group: A geographic IP address group. Also configure sender-geoip-group <group_name>.
• isdb: A service name in the Internet Service Database (ISDB) from FortiGuard. Also configure sender-isdb {8x8 ...}.

sender-isdb {8x8 ...}

Select a service name. The Internet Service Database (ISDB) from FortiGuard is an automatically updated list of IP addresses and subnets used by popular services such as 8x8, Akamai, Microsoft 365, and more.

To display the list of options for currently known services, enter:

set sender-isdb ?

This setting is only available if sender-ip-type {geoip-group | ip-group | ip-mask} is isdb.

sender-pattern <sender_pattern>

Depending on your selection in sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}:

• For default: Enter a complete or partial email address. Wild card characters can be used to match multiple email addresses. An asterisk (*) represents one or more characters. A question mark (?) represents any single character. For example:

  *@example.???

  matches all email addresses at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name.

• For regexp: Enter regular expression.

  Tip: To validate syntax and correct matching, you can use the validator in the FortiMail GUI. For details, see the FortiMail Administration Guide.

This setting is only available if sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is default or regexp.

sender-pattern-group <group_name>

Enter the group of recipient email addresses.

This setting is available only if sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is group.

sender-pattern-ldap-groupname <group_name>

Enter the group of recipient email addresses that is in the directory server.

This setting is available only if sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is ldap.

Note: Use $s in the LDAP query string to match sender email addresses.

sender-pattern-ldap-profile <profile_name>

Enter an LDAP profile.

This setting is available only if sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is ldap.

sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

Select how you will define the sender email addresses that match the policy, either:

• default: An email address or wild card pattern that can match multiple email addresses. Also configure sender-pattern <sender_pattern>.
• external: Email addresses that are not at a protected domain.
• group: A group of email addresses configured on the FortiMail unit. Also configure sender-pattern-group <group_name>.
• internal: Email addresses that are at a protected domain.
• ldap: A group of email addresses configured on a directory server such as Microsoft Active Directory. Also configure sender-pattern-ldap-profile <profile_name> and sender-pattern-ldap-groupname <group_name>.

• ldap-query: An LDAP query to a directory server such as Microsoft Active Directory. Also configure sender-pattern-ldap-profile <profile_name>.

  Note: Use $s in the query string to match sender addresses.

  For example, to reject senders that are not in the recipient's allowed sender list:

  1. Create an ACL policy and in sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}, select ldap-query.

  2. Select an LDAP profile where this user query string is used:

     &(mail=$m)(!(allowedSenders=$s)))

  3. In action {discard | receive | reject | relay | safe | safe-relay}, select reject.

  For each recipient ($m), this will match a sender ($s) that is not (!) in their allowedSenders list, and the action will reject it.

• regexp: A regular expression. Also configure sender-pattern <sender_pattern>.

  Tip: To validate syntax and correct matching, you can use the validator in the FortiMail GUI. For details, see the FortiMail Administration Guide.

status {enable | disable}

Enable or disable the policy.