domain

set type {room | equipment}

set display-name "<user_str>"

set management-users <user_email>

end

Variable	Description	Default
<resource_name>	Enter a name for the calendar resource. This name forms the local name of the calendar resource for the current domain, such as `calendar@example.com`.
description "<comment_str>"	Enter a description or comment.
display-name "<user_str>"	Enter a display name.
management-users <user_email>	Enter the management user's email address for the calendar resource.
type {room \| equipment}	Select the type of resource, either room or equipment.	room

config customized-message

Use this sub-command to configure domain-specific customized messages, such as disclaimers and personal quarantine report email templates.

These sub-commands are only available after you:

Select domain-specific customized messages in the protected domain:
- disclaimer-status {disabled | use-domain-setting | use-system-setting} is set to use-domain-setting
- domain-customized-message {enable | disable} is set to enable
Save the domain with the end command.

(When you create a protected domain, its domain-specific customized messages are not automatically initialized and prepopulated. Instead, initialization occurs upon the first time that you choose to use them, using the above procedure.)

Syntax

This sub-command is available from within the command domain.

config customized-message

edit disclaimer-insertion

config variable

end

config message

edit <disclaimer_name>

set format {html | multiline | text}

set disclaimer-convert-text-to-html-status {enable | disable}

set location {beginning | end}

set disclaimer-preview-orig-msg-status {enable | disable}

end

edit report-quarantine-summary

config variable

end

config email-template

edit {default | default-with-icons}

set env-from <sender_email>

set from <sender_email>

set subject "<subject_str>"

set html-body "<body-html_str>"

set text-body "<body-text_str>"

end

Variable	Description	Default
<variable_name>	Enter a variable name that you want to add or edit, such as `%%SENDER%%`.
<disclaimer_name>	Enter the name of the disclaimer message.
content "<text_str>"	Enter the value of the variable or custom message.	No default for new variables. Otherwise the value is from the default message.
description "<comment_str>"	Enter a comment or description.
display-name <gui-label_str>	Enter a label that will appear in the variable list when you click Insert Variables in the GUI while customizing a message or creating a variable. For example, you could enter `CompanyName` for the variable `%%COMPANY-NAME%%`.	No default for new variables. Otherwise the value is from the default message.
env-from <sender_email>	Enter the sender email address (`MAIL FROM:`) that will be used in the SMTP envelope. You can either enter text directly, or insert a variable such as `%%RELEASE_CONTROL_USER%%`. This setting is available only for email templates. Note: By default, the setting is empty. Some services such as Microsoft 365 do not accept an empty sender email address (`MAIL FROM:`).
from <sender_email>	Enter the sender email address (`From:`) that will be used in the message header. You can either enter text directly, or insert a variable such as `%%RELEASE_CONTROL_USER%%`. Can be up to 60 characters. This setting is available only for email templates.	%%RELEASE_CONTROL_USER%%
html-body "<body-html_str>"	Enter the body that will be used in the HTML format version of the email. Can be up to 4000 characters. This setting is available only for email templates.	HTML for the default message, using default variables.
subject "<subject_str>"	Enter the subject line that will be used in the email. You can either enter text directly, or insert a variable such as `%%SUBJECT%%`. Can be up to 250 characters. This setting is available only for email templates.	Subject line for the default message, using default variables.
text-body "<body-text_str>"	Enter the body that will be used in the plain text format version of the email. Can be up to 4000 characters. This setting is available only for email templates.	Plain text for the default message, using default variables.
format {html \| multiline \| text}	Select the format of the email. This setting is available only for email templates.	text
location {beginning \| end}	Select where in the message body to insert the custom message. This setting is available only if the custom message type is `disclaimer-insertion`. Note: This setting is ignored if the disclaimer is applied by an antispam action profile, antivirus action profile, or content action profile's `disclaimer-insertion-location {beginning \| end}` setting, and that location setting does not agree. For example, if this setting is `beginning`, but the other setting is `end`, then the disclaimer would appear at the end.	beginning
disclaimer-convert-text-to-html-status {enable \| disable}	Enable if either: disclaimers will use HTML `disclaimer-preview-orig-msg-status {enable \| disable}` is `enable` you want to convert the email to HTML for another reason Plain text email (MIME type `text/plain`) does not support HTML formatting. If you disable this setting, and the disclaimer is formatted with HTML such as colors and hyperlinks, then plain text email will show the raw HTML code instead of your formatting. Multipart email is not effected. This setting is available only if the custom message type is `disclaimer-insertion`.	disable
disclaimer-preview-orig-msg-status {enable \| disable}	Enable if you want the preview to use the original message's content. In email clients such as Microsoft Outlook, Apple Mail on iOS, and FortiMail webmail, message preview text appears in the message list and/or notification banners. Disable if you want the preview to start with the disclaimer. Original contents may still appear after the disclaimer if the disclaimer is short, depending on how much text the email client shows for the preview. This setting is available only if `location {beginning \| end}` is `beginning`, and if the custom message type is `disclaimer-insertion`. Note: This setting is ignored if both: `disclaimer-convert-text-to-html-status {enable \| disable}` is `disable` email is in plain text (MIME type `text/plain`) (HTML is required to control display of the preview.) This setting is also ignored if the disclaimer is applied by an antispam action profile, antivirus action profile, or content action profile, and that `disclaimer-insertion-location {beginning \| end}` setting is `end`. (Message previews only show the first few lines of an email, so they usually do not include disclaimers at the end.)	disable

config domain-info

Use this sub-command to configure customer account information for multi-tenancy.

Syntax

This sub-command is available from within the command domain.

config domain-info

set customer-name <customer_str>

set customer-email <customer_email>

set account-limit <users_int>

end

Variable	Description	Default
account-limit <users_int>	Enter the user account limit (0 means no limit).	0
comment "<comment_str>"	Enter a comment or description.
customer-email <customer_email>	Enter the customer email address.
customer-name <customer_str>	Enter the customer name.

config domain-setting

Use this sub-command to configure many settings for a protected domain.

Syntax

This sub-command is available from within the object domain.

config domain-setting

set relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

set is-sub-domain {enable | disable}

set main-domain <protected-domain_name>

set host {<smtp-server_fqdn> | <smtp-server_ipv4>}

set port <smtp-port_int>

set use-stmps {enable | disable}

set fallback-use-smtps {enable | disable}

set fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

set fallback-port <port_int>

set relay-ip-group <ip-group_name>

set ldap-domain-routing-profile <ldap-profile_name>

set mx-lookup-alt-domain-name <domain_str>

set domain-association-mxlookup {self | parent}

set relay-auth-status {enable | disable}

set relay-auth-username <username_str>

set relay-auth-password <password_str>

set relay-auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

set recipient-verification {disable | imported-user | ldap | smtp}

set alt-smtp-verification {enable | disable}

set alt-smtp-verification-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

set alt-smtp-verification-port <port_int>

set alt-smtp-verification-smtps {enable | disable}

set smtp-mail-from-addr-status {use-system-setting | use-domain-setting}

set smtp-mail-from-addr <sender_email>

set recipient-verification-profile <profile_name>

set smtp-recipient-verification-command {rcpt | vrfy}

set smtp-recipient-verification-accept-reply-string "<accept_pattern>"

set recipient-verification-invalid-user-action {reject | discard}

set recipient-verification-background {disable | ldap | purge-inactive | smtp}

set recipient-verification-background-profile <ldap-profile_name>

set recipient-retention-period <days_int>

set tp-server-on-port <port_int>

set tp-hidden {no | yes}

set tp-use-domain-mta {yes | no}

set ldap-user-profile <profile_name>

set user-management-web-service-status {enable | disable}

set ldap-routing-status {enable | disable}

set ldap-routing-profile <ldap-profile_name>

set ldap-asav-status {enable | disable}

set ldap-asav-profile <ldap-profile_name>

set quarantine-report-to-individual {enable | disable}

set quarantine-report-to-alt {enable | disable}

set quarantine-report-to-alt-addr <recipient_email>

set quarantine-report-to-ldap-groupowner {enable | disable}

set ldap-groupowner-profile <ldap-profile_name>

set group-recipient-only {enable | disable}

set group-exclude-individual {enable | disable}

set quarantine-report-schedule-status {enable | disable}

set schedule-days {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}

set schedule-hours {0 .. 23}

set quarantine-report-status {enable | disable}

set report-template-name <profile_name>

set arc-sealing-option {all | disable | incoming | outgoing}

set dkim-signing-option {all | disable | incoming | outgoing}

set dmarc-report-analysis-status {enable | disable | use-system-setting}

set dmarc-report-analysis-rua-address-mode {auto-discover | manual}

set dmarc-report-analysis-rua-address <recipient_email>

set dmarc-report-generation-status {enable | disable | monitor-only | use-system-setting}

set dmarc-report-generation-from-addr-localpart <localpart_str>

set domain

set disclaimer-status {disabled | use-domain-setting | use-system-setting}

set sender-addr-rate-ctrl-state {enable | disable}

set sender-addr-rate-ctrl-max-msgs-state {enable | disable}

set sender-addr-rate-ctrl-max-msgs <messages_int>

set sender-addr-rate-ctrl-max-recipients-state {enable | disable}

set sender-addr-rate-ctrl-max-recipients <recipients_int>

set sender-addr-rate-ctrl-max-size-state {enable | disable}

set sender-addr-rate-ctrl-max-size <size_int>

set sender-addr-rate-ctrl-max-spam-state {enable | disable}

set sender-addr-rate-ctrl-max-spam <spam_int>

set sender-addr-rate-notification-state {enable | disable}

set sender-addr-rate-notification-profile <profile_name>

config sender-addr-rate-ctrl-exempt

edit <rule_index>

set pattern-type {wildcard | regexp}

set sender-pattern <sender_pattern>

end

set sender-addr-rate-ctrl-action {none | reject | temp-fail}

set webmail-language <language_name>

set webmail-theme {Blue | Dark | Green | Light-Blue | Neutrino | Red | Use-system-setting}

set sso-status {enable | disable}

set sso-profile <profile_name>

set max-message-size <limit_int>

set addressbook {domain | none | system}

set greeting-with-host-name {domainname | hostname | othername}

set other-helo-greeting <hostname_str>

set ip-pool <pool_name>

set ip-pool-direction {outgoing | incoming | both}

set remove-outgoing-received-header {enable | disable}

set global-bayesian {enable | disable}

set bypass-bounce-verification {enable | disable}

set email-continuity-status {enable | disable}

set email-migration-status {enable | disable}

set is-service-domain {enable | disable}

set max-user-number <users_limit>

set max-user-quota <GB_int>

set disk-quota <GB_int>

set mail-access {webmail pop imap}

set webmail-service-type {full limited}

end

Variable

Description

Default

<rule_index>

Enter the number to identify the rule. To create a rule with the first available number, enter 0.

addressbook {domain | none | system}

Select whether to add newly created email users to the system address book, domain address book, or none.

This setting is available if operation-mode {gateway | server | transparent} is server.

domain

alt-smtp-verification-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

Enter the fully qualified domain name (FQDN) or IP address of the SMTP server to use for recipient verification. Also configure alt-smtp-verification-port <port_int>.

This setting is not available in server mode. This setting applies if alt-smtp-verification {enable | disable} is enable.

alt-smtp-verification-port <port_int>

Enter the port number on which the SMTP server for recipient verification listens.

If you enable alt-smtp-verification-smtps {enable | disable}, then this setting automatically changes to the default port number for SMTPS (465), but can still be customized.

This setting is not available in server mode. This setting applies if alt-smtp-verification {enable | disable} is enable.

alt-smtp-verification-smtps {enable | disable}

Enable to use SMTPS (secure SMTP) for connections to the SMTP server for recipient verification.

This setting is not available in server mode. This setting applies if alt-smtp-verification {enable | disable} is enable.

alt-smtp-verification {enable | disable}

Enable to perform recipient verification with the SMTP server in alt-smtp-verification-host {<smtp-server_fqdn> | <smtp-server_ipv4>} instead of the protected domain's SMTP server.

This setting in not available in server mode. This setting applies if recipient-verification {disable | imported-user | ldap | smtp} is smtp.

disable

arc-sealing-option {all | disable | incoming | outgoing}

Select either:

disable:Do not sign.
incoming:Sign email sent between users in the same protected domain.
outgoing:Sign email sent from a protected domain to other external or protected domains. This includes email released from quarantine.
all: Sign both incoming and outgoing email.

This setting applies only if the ARC keys have been imported or generated.

disable

bypass-bounce-verification {enable | disable}

Enable to omit bounce address tag verification of email incoming to this protected domain.

Alternatively, you can enable bypass-bounce-verification {enable | disable} in the session profiles.

For information on enabling bounce address tagging and verification (BATV), see antispam bounce-verification.

Note: This setting does not omit bounce address tagging of outgoing email.

disable

comment "<comment_str>"

Enter a description or comment.

disclaimer-status {disabled | use-domain-setting | use-system-setting}

Select whether to:

use the system-wide disclaimer message. Also configure customized-message and system disclaimer-message.
use a a disclaimer message specific to this protected domain. Also configure config customized-message and config system disclaimer-message.
disable the disclaimer message for this protected domain

This setting applies if disclaimer-per-domain {enable | disable} is enable.

use-system-setting

disk-quota <GB_int>

Enter the disk quota in gigabytes (GB).

If the disk quota reaches 90% threshold, a warning email is sent to the domain customer email. If the maximum disk quota of this domain is exceeded, users of this domain will no longer receive any new email.

This setting is only available in server mode.

dkim-signing-option {all | disable | incoming | outgoing}

Select either:

disable:Do not sign.
incoming:Sign email sent between users in the same protected domain.
outgoing:Sign email sent from a protected domain to other external or protected domains. This includes email released from quarantine.
all: Sign both incoming and outgoing email.

This setting applies only if the DKIM keys have been imported or generated.

disable

dmarc-report-analysis-rua-address-mode {auto-discover | manual}

Select either:

auto-discover: FortiMail automatically queries the DNS server about the sender domain to determine that domain's authorized DMARC report recipient.

Note: If a sender does not have a valid DMARC RUA/RUF configured in the domain's DNS TXT record, then FortiMail cannot send them because there is no report recipient email address.
manual: Manually configure another DMARC report recipient. Also configure dmarc-report-analysis-rua-address <recipient_email>.

Tip: This option can be useful if, for example, the sender domain's DMARC record is misconfigured, and you want to send a report to show them how many email were rejected due to failed DMARC checks.

auto-discover

dmarc-report-analysis-rua-address <recipient_email>

Enter the recipient email address where FortiMail will send the DMARC report.

This setting applies only if dmarc-report-analysis-rua-address-mode {auto-discover | manual} is manual.

dmarc-report-analysis-status {enable | disable | use-system-setting}

Select either:

enable: Collect data about email validated by DMARC checks for email sent to this protected domain.
disable: Do not collect DMARC check data.
use-system-setting: Instead of using a domain-level setting, use the system-wide setting in status {enable | disable | monitor-only}.

disable

dmarc-report-generation-from-addr-localpart <localpart_str>

Enter the local part of the sender email address when FortiMail sends reports about DMARC checks to that domain name.

noreply

dmarc-report-generation-status {enable | disable | monitor-only | use-system-setting}

Select either:

enable: Send a report about email validated by DMARC checks.to the domain of the sender.
disable: Do not generate a DMARC report.
monitor-only: Do not generate a report.
use-system-setting: Instead of using a domain-level setting, use the system-wide setting in status {enable | disable | monitor-only}.

use-system-setting

domain-association-mxlookup {self | parent}

If a protected domain's relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is mx-lookup or mx-lookup-alt-domain, DNS MX records might be only for the main domain name, not for associated domains (see domain-association).

In this setting, select which domain name FortiMail should ask for in associated domains' DNS lookups, either:

self: The associated domain.
parent: This protected domain.

This setting is not available in server mode.

email-continuity-status {enable | disable}

Enable or disable email continuity.

disable

email-migration-status {enable | disable}

Enable email migration from an external server to this protected domain.

Email migration is used to move email user accounts and data from an external mail server to this FortiMail system. See the email migration workflow.

This setting is available only on server mode, after you have enabled email-migration-status {enable | disable}.

disable

fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain.

This SMTP server will be used if the primary SMTP server in host {<smtp-server_fqdn> | <smtp-server_ipv4>} is unreachable.

This setting is not available in server mode. This setting is used only if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host.

fallback-port <port_int>

Enter the port number on which the secondary SMTP server listens.

If you enablefallback-use-smtps {enable | disable}, the port number automatically changes to the default port number for SMTPS (465), but can still be customized.

This setting is not available in server mode. This setting is used only if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host.

fallback-use-smtps {enable | disable}

Enable to use SMTPS for connections originating from or destined for this protected server.

This setting is not available in server mode. This setting is used only if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host.

disable

global-bayesian {enable | disable}

Enable to use the global Bayesian database instead of the Bayesian database for this protected domain.

If you do not need the Bayesian database to be specific to the protected domain, you may want to use the global Bayesian database instead in order to simplify database maintenance and training.

Disable to use the per-domain Bayesian database.

This setting does not apply if you have enabled use of personal Bayesian databases in an incoming antispam profile, and if the personal Bayesian database is mature. Instead, the FortiMail unit will use the personal Bayesian database.

disable

greeting-with-host-name {domainname | hostname | othername}

Select how the FortiMail unit will identify itself during the HELO or EHLO greeting of outgoing SMTP connections that it initiates, either:

domainname: The protected domain.

If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.
hostname: The FortiMail unit's own host name.

By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select to use the system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.
othername: Use a name other than the domain name or host name, for the HELO/EHLO greeting. Also configure other-helo-greeting <hostname_str>.

hostname

group-exclude-individual {enable | disable}

Enable to omit sending the personal quarantine report to the original recipient email address if a group owner exists. This can be used to avoid duplicate reports when the group owner is also a member, or to delegate quarantine responsibilities to a specific person instead of notifying all members.

This setting applies if quarantine-report-to-ldap-groupowner {enable | disable} is enable.

disable

group-recipient-only {enable | disable}

Enable to send the personal quarantine report to the group owner if the original recipient email address was for a group.

This setting applies if quarantine-report-to-ldap-groupowner {enable | disable} is enable.

enable

host {<smtp-server_fqdn> | <smtp-server_ipv4>}

Enter the FQDN or IP address of the primary SMTP server for this protected domain. Also configure port <smtp-port_int> and use-stmps {enable | disable}.

If NAT (on FortiGate, in a "virtual IP") exists between FortiMail and the server, this is the external IP on the router or firewall instead.

If you have a mail relay between FortiMail and the mail server, this could be the relay instead of the mail server. Consider your network topology, directionality of the mail flow, and the operation mode of the FortiMail system. See recipient policy matching and inbound versus outbound email and how to avoid scanning email multiple times.

This setting is not available in server mode. This setting is used if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host.

ip-pool-direction {outgoing | incoming | both}

Select the direction of SMTP traffic to use an IP pool for.

This setting is only available after you configure ip-pool <pool_name>.

ip-pool <pool_name>

You can use a pool of IP addresses as the source IP address when sending email from this domain, or as the destination IP address when receiving email destined to this domain, or as both the source and destination IP addresses.

If you want to use the IP pool as the source IP address for this protected domain, according to the sender’s email address in the envelope (MAIL FROM:), select the IP pool to use and select outgoing in ip-pool-direction {outgoing | incoming | both}.

If you want to use the IP pool as the destination IP address (virtual host) for this protected domain, according to the recipient’s email address in the envelope (RCPT TO:), select the IP pool to use and select incoming in ip-pool-direction {outgoing | incoming | both}. You must also configure the MX record to direct email to the IP pool addresses as well.
This feature can be used to support multiple virtual hosts on a single physical interface, so that different profiles can be applied to different host and logging for each host can be separated as well.

If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select both in ip-pool-direction {outgoing | incoming | both}.

Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

is-service-domain {enable | disable}

Enable to use this domain's SMTP server to deliver email.

disable

is-sub-domain {enable | disable}

Select to indicate whether or not the protected domain you are creating is a subdomain of an existing protected domain. If it is, then also configure main-domain <protected-domain_name>.

Subdomains, like their parent protected domains, can be selected when configuring policies specific to that subdomain. Unlike top-level protected domains, however, subdomains will be displayed as grouped under the parent protected domain when viewing the list of protected domains.

This setting is available only when another protected domain exists to select as the parent domain.

disable

ldap-asav-profile <ldap-profile_name>

Select the name of an LDAP profile where you have configured scan preferences (see asav-state {enable | disable}).

This setting applies if ldap-asav-status {enable | disable} is enable.

ldap-asav-status {enable | disable}

Enable to query an LDAP server for an email user’s preferences to enable or disable antispam, antivirus, and/or content processing for email messages destined for them. Also configure ldap-asav-profile <ldap-profile_name>.

disable

ldap-domain-routing-profile <ldap-profile_name>

Select the name of the LDAP profile that has the FQDN or IP address of the SMTP server you want to query (see domain-query <query_str>). Also configure port <smtp-port_int> and use-stmps {enable | disable}.

This setting is not available in server mode. This setting is available if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is ldap-domain-routing.

ldap-groupowner-profile <ldap-profile_name>

Select the name of an LDAP profile that will be used to send the personal quarantine report to a group owner (see group-owner {enable | disable}), rather than individual recipients.

This setting applies if quarantine-report-to-ldap-groupowner {enable | disable} is enable.

ldap-routing-profile <ldap-profile_name>

Select the name of an LDAP profile that will be used to perform mail routing (see routing-state {enable | disable}).

This setting applies if ldap-routing-status {enable | disable} is enable.

ldap-routing-status {enable | disable}

Enable or disable mail routing according to query results from an LDAP profile. Also configure ldap-routing-profile <ldap-profile_name>.

disable

ldap-user-profile <profile_name>

Select the name of an LDAP profile, if any, that will be used:

to expand alias email addresses (see alias-state {enable | disable})
to replace one email address with another (see address-map-state {enable | disable})
(server mode only) to determine the email users in the protected domain, instead of configuring them locally on FortiMail (see query '<query_str>')

This setting may be used together with SAML SSO, which provides authentication but not other mail-specific information about user accounts. See profile sso.

If the query fails or the LDAP server is not accessible, then FortiMail replies to the SMTP client with a temporary failure (SMTP 451 reply code).

mail-access {webmail pop imap}

Select which mail access protocols are allowed for email users in the protected domain: POP3, IMAP, and/or webmail (HTTP/HTTPS).

webmail

main-domain <protected-domain_name>

Select the protected domain that is the parent of this subdomain. For example, sales.example.com might be a subdomain of example.com.

This setting is available only when is-sub-domain {enable | disable} is enable.

max-message-size <limit_int>

Enable then type the limit in kilobytes (KB) of the message size. Email messages over the threshold size are rejected.

If both this setting and its equivalent setting in the session profile are enabled, then email size will be limited to whichever size is smaller.

204800

max-user-number <users_limit>

Enter the maximum number of email account in this protected domain.

max-user-quota <GB_int>

Enter the maximum disk quota, in megabytes (MB), for each email user in the protected domain.

This number, multiplied by the number in max-user-number <users_limit>, must not exceed the total in disk-quota <GB_int>.

mx-lookup-alt-domain-name <domain_str>

Enter the domain name to use when querying the DNS server for the protected domain's MX records.

This setting is not available in server mode. This setting is available if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is mx-lookup-alt-domain.

other-helo-greeting <hostname_str>

Enter the name to use for the SMTP greeting (HELO/EHLO).

This setting is available only if greeting-with-host-name {domainname | hostname | othername} is othername, and if operating in gateway mode or transparent mode.

pattern-type {wildcard | regexp}

Select whether the pattern matching engine will use wild cards (* or ?) or regular expressions. Also configure sender-pattern <sender_pattern>.

wildcard

port <smtp-port_int>

Enter the port number on which the primary SMTP server listens. If NAT (on FortiGate, this is called a "virtual IP") exists between FortiMail and the server, this is the port forward on the router or firewall instead.

If you enable use-stmps {enable | disable}, the port number automatically changes to the default port number for SMTPS (465), but can still be customized.

This setting is not available in server mode. This setting is used if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host, ip-pool, or ldap-domain-routing.

quarantine-report-schedule-status {enable | disable}

Select which schedule to use when sending personal quarantine reports, either:

disable: Use the system-wide schedule (see antispam quarantine-report).
enable: Use a schedule that is specific to this protected domain. Also configure schedule-hours {0 .. 23} and schedule-days {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}.

disable

quarantine-report-status {enable | disable}

Select which email template to use when sending personal quarantine reports, either:

disable: Use the system-wide template (see antispam quarantine-report).
enable: Use a template that is specific to this protected domain. Also configure report-template-name <profile_name>.

disable

quarantine-report-to-alt-addr <recipient_email>

Enter the alternative email address that will receive the personal quarantine report.

quarantine-report-to-alt {enable | disable}

Enable to send the personal quarantine report to a recipient email address other than the original recipients or group owner. Also configure quarantine-report-to-alt-addr <recipient_email>.

For example, you might delegate quarantine reports by sending them to an administrator whose email address is not in the protected domain, such as admin@lab.example.com.

disable

quarantine-report-to-individual {enable | disable}

Enable to send the personal quarantine report to all recipient email addresses in the original email.

enable

quarantine-report-to-ldap-groupowner {enable | disable}

Enable to send the personal quarantine report to a group owner, rather than the original recipient email addresses. Also configure ldap-groupowner-profile <ldap-profile_name>, group-exclude-individual {enable | disable}, and group-recipient-only {enable | disable}.

disable

recipient-retention-period <days_int>

Enter the retention period in days for inactive user accounts. Valid values are 15-180.

This setting is not available in server mode. This setting applies if recipient-verification-background {disable | ldap | purge-inactive | smtp} is purge-inactive.

recipient-verification-background-profile <ldap-profile_name>

Select an LDAP profile with a user query.

This setting is not available in server mode. This setting applies if recipient-verification-background {disable | ldap | purge-inactive | smtp} is ldap.

recipient-verification-background {disable | ldap | purge-inactive | smtp}

Every day, FortiMail can remove personal quarantine folders for which an email user account does not currently exist on the protected email server, or for stale accounts that are inactive. The time is configurable inbackend-verify <time_str>.

Select how to confirm that a personal quarantine is valid, either:

disable: Do not verify.
smtp: Connect to the protected domain's SMTP server (determined by relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}).

Note: For stronger security, only allow FortiMail to connect to the SMTP server. Attackers can use VRFY commands in directory harvesting attacks to determine all valid senders in the domain, and target them.
ldap: Query a directory server such as Microsoft Entra ID or Active Directory. Also configure recipient-verification-background-profile <ldap-profile_name>.
purge-inactive: If an email user has been inactive for more than the time period in recipient-retention-period <days_int>, delete their personal quarantine.

This setting is not available in server mode.

Tip: To improve performance, disable this feature on the day after enabling recipient-verification {disable | imported-user | ldap | smtp}. Recipient verification prevents the creation of new quarantine folders for email user accounts that do not currently exist, so invalid quarantine accounts will only occur if when you delete email users.

recipient-verification-invalid-user-action {reject | discard}

Select which SMTP reply code to return to the client if the recipient is not valid.

This setting is not available for server mode. This setting applies if you have selected any recipient verification method in recipient-verification {disable | imported-user | ldap | smtp}.

reject

recipient-verification-profile <profile_name>

Select an LDAP profile with a user query to use for recipient verification.

This setting is not available for server mode. This setting applies if recipient-verification {disable | imported-user | ldap | smtp} is ldap.

recipient-verification {disable | imported-user | ldap | smtp}

FortiMail can confirm that the recipient email address in the message envelope (RCPT TO:) corresponds to an email user account that currently exists on the protected email server. If the recipient address is invalid, the FortiMail system will not try to deliver or quarantine the email. This prevents delivery retries, DSN, and quarantine of email messages for non-existent accounts, thereby conserving hard disk space and other system resources.

Select how to confirm that the recipient exists, either:

disable: Do not verify.
smtp: Connect to the protected domain's SMTP server (determined by relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}) or, if alt-smtp-verification {enable | disable} is enable, an alternative SMTP server. Also configure:
Note: For stronger security, only allow FortiMail to connect to the SMTP server. Attackers can use VRFY commands in directory harvesting attacks to determine all valid senders in the domain, and target them.
ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also configure recipient-verification-profile <profile_name>.
imported-user: Verify with the list of users that has been synchronized to FortiMail.

If you select recipient verification, also configure recipient-verification-invalid-user-action {reject | discard}.

disable

relay-auth-password <password_str>

Enter the password for authentication with the SMTP server.

This setting is not available in server mode.

relay-auth-status {enable | disable}

Enable to use SMTP authentication for connections to this protected domain's SMTP server. Also configure relay-auth-username <username_str>, relay-auth-password <password_str>, and relay-auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}.

This setting is not available in server mode.

disable

relay-auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

Select the type of SMTP authentication, either:

auto: Automatically detect and use the most secure SMTP authentication type supported by the relay server.
plain: Unencrypted, scrambled password.
login: Unencrypted, scrambled password.
digest-md5: Encrypted hash of the password.
cram-md5: Encrypted hash of the password, with hash replay prevention, combined with a challenge and response mechanism.
ntlm: NT LAN Manager protocols with a hashed password.

This setting is not available in server mode.

auto

relay-auth-username <username_str>

Enter the username for authentication with the SMTP server.

This setting is not available in server mode.

relay-ip-group <ip-group_name>

Select the name of an IP group that defines the SMTP servers for the protected domain. Also configure port <smtp-port_int> and use-stmps {enable | disable}.

This setting is not available in server mode. This setting is available if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is ip-pool.

relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

Select how to define the SMTP server which will receive email for the protected domain from the FortiMail system, either:

host: One protected SMTP server and, if any, one fallback. Also configure host {<smtp-server_fqdn> | <smtp-server_ipv4>} and fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}.
mx-lookup: Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, connections rotate to load balance between them.

Note: For performance reasons, DNS lookups are skipped in gateway and server mode unless the sending domain is blank.

Note: If an MX option is used, you may also be required to configure the FortiMail system to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode. See the setup instructions for gateway mode and setup instructions for transparent mode.
mx-lookup-alt-domain: Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, connections rotate to load balance between them. Also configure mx-lookup-alt-domain-name <domain_str>.
ip-pool: Multiple protected SMTP servers. Connections rotate among them for load balancing. Also configure relay-ip-group <ip-group_name>.
ldap-domain-routing: Query the LDAP server for the FQDN or IP address of the SMTP server.Also configure ldap-domain-routing-profile <ldap-profile_name>.

This setting is not available in server mode.

host

remove-outgoing-received-header {enable | disable}

Enable to remove all Received: message headers that have been inserted by other MTAs (not FortiMail) from email whose:

sender email address belongs to this protected domain, and
recipient email address is outgoing (that is, does not belong to this protected domain); if there are multiple recipients, only the first recipient’s email address is used to determine whether an email is outgoing.

Alternatively, you can remove this header from any matching email using session profiles. See remove-received-headers {enable | disable}.

disable

report-template-name <profile_name>

Select which template to use for the personal quarantine reports for this protected domain.

This setting is available if quarantine-report-status {enable | disable} is enable.

schedule-days {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}

Select the days of the week when the personal quarantine reports for this protected domain will be generated.

This setting is available if quarantine-report-schedule-status {enable | disable} is enable.

schedule-hours {0 .. 23}

Select the hour of the day when the personal quarantine reports for this protected domain will be generated. Valid range is from 0 to 23.

This setting is available if quarantine-report-schedule-status {enable | disable} is enable.

sender-addr-rate-ctrl-action {none | reject | temp-fail}

Select which SMTP reply code to send to an SMTP client when a user exceeds any of the sender address rate limits.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

sender-addr-rate-ctrl-max-msgs-state {enable | disable}

Enable to rate limit email from sender email addresses by maximum number of messages. Also configure sender-addr-rate-ctrl-max-msgs <messages_int>.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-addr-rate-ctrl-max-msgs <messages_int>

Enter the maximum number of emails per sender email address in each 30 minute time interval.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable, and if sender-addr-rate-ctrl-max-msgs <messages_int> is enable.

sender-addr-rate-ctrl-max-recipients-state {enable | disable}

Enable to rate limit email from sender email addresses by maximum number of unique recipient email addresses. Also configure sender-addr-rate-ctrl-max-recipients <recipients_int>.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-addr-rate-ctrl-max-recipients <recipients_int>

Enter the maximum number of unique email recipient addresses per sender email address in each 30 minute time interval.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable, and if sender-addr-rate-ctrl-max-recipients-state {enable | disable} is enable.

sender-addr-rate-ctrl-max-size-state {enable | disable}

Enable to rate limit email from sender email addresses by message size total. Also configure sender-addr-rate-ctrl-max-size <size_int>.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-addr-rate-ctrl-max-size <size_int>

Enter the maximum size, in megabytes (MB), per sender email address in each 30 minute time interval.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable, and if sender-addr-rate-ctrl-max-size-state {enable | disable} is enable.

100

sender-addr-rate-ctrl-max-spam-state {enable | disable}

Enable to rate limit email from sender email addresses by whether or not FortiMail detected spam from them. If the sender's email are often detected as spam, then it is probable that they are intentionally sending unwanted email or their account security has been compromised. Also configure sender-addr-rate-ctrl-max-spam <spam_int>.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-addr-rate-ctrl-max-spam <spam_int>

Enter the maximum number of email deemed to be spam by FortiMail that will be accepted per sender email address in each 30 minute time interval.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable, and if sender-addr-rate-ctrl-max-spam-state {enable | disable} is enable.

sender-addr-rate-ctrl-state {enable | disable}

Enable or disable rate limits based upon the sender email address for this protected domain. Also configure sender-addr-rate-ctrl-action {none | reject | temp-fail}, sender-regex "<sender_pattern>", etc.

disable

sender-addr-rate-notification-profile <profile_name>

Select which notification profile to use for sender address rate control in this protected domain.

This setting applies only if sender-addr-rate-notification-state {enable | disable} is enable.

sender-addr-rate-notification-state {enable | disable}

If the user directly connects to FortiMail to send email, then sender-addr-rate-ctrl-action {none | reject | temp-fail} will indicate to the user if their email was not accepted due to the sender address rate limit. Otherwise (or if you want to provide a detailed explanation), enable this setting to send an explanation email to the user. Also configure sender-addr-rate-notification-profile <profile_name>.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-pattern <sender_pattern>

Enter a pattern that matches sender email addresses that are exempt from sender address rate limits. Valid syntax varies by pattern-type {wildcard | regexp}.

smtp-mail-from-addr-status {use-system-setting | use-domain-setting}

Select which sender email address that the FortiMail will use during recipient verification, either:

use-system-setting: Use the system-level setting mail-from-addr <sender_email>.

Note: By default, the system-level setting is empty. Some services such as Microsoft 365 do not accept an empty sender email address (MAIL FROM:).
use-domain-setting: Use the protected domain-specific setting smtp-mail-from-addr <sender_email>.

This setting is available if recipient-verification {disable | imported-user | ldap | smtp} is smtp.

use-system-setting

smtp-mail-from-addr <sender_email>

Enter the sender email address, if any, that FortiMail will use in the SMTP envelope when connecting for recipient verification.

This setting in not available in server mode. This setting is available if recipient-verification {disable | imported-user | ldap | smtp} is smtp, and applies if smtp-mail-from-addr-status {use-system-setting | use-domain-setting} is use-domain-setting.

Note: Some services such as Microsoft 365 do not accept an empty sender email address (MAIL FROM:).

smtp-recipient-verification-accept-reply-string "<accept_pattern>"

When FortiMail queries the SMTP server for recipient verification:

If the SMTP reply code is 2xx, then the recipient exists.
If the SMTP reply code is not 2xx, then FortiMail will try to match the text with this pattern. If the text matches, the recipient exists.
Otherwise, the recipient is unknown.

For example, if the recipient is a group or mailing list such as marketing@example.com, then it is not an individual username, so the SMTP server may give a 550 reply code which is normally for errors, but is explained with a status code such as 5.2.0 and a message such as marketing@example.com is a group. To indicate that such email would actually be accepted, you could enter "is a group".

This setting in not available in server mode. This setting is available if recipient-verification {disable | imported-user | ldap | smtp} is smtp, and smtp-recipient-verification-command {rcpt | vrfy} is vrfy.

smtp-recipient-verification-command {rcpt | vrfy}

Select which SMTP command that the FortiMail system uses to query the SMTP server to verify that the recipient address is an email user account that currently exists, either:

RCPT TO:
VRFY. Also configure smtp-recipient-verification-accept-reply-string "<accept_pattern>".

This setting in not available in server mode. This setting is available if recipient-verification {disable | imported-user | ldap | smtp} is smtp.

rcpt

sso-profile <profile_name>

Select the name of an SSO profile.

sso-status {enable | disable}

Enable for users in the protected domain to be able to log in via the authentication server defined in a single sign-on (SSO) profile. Also configure sso-profile <profile_name>.

For details, see profile sso and system saml.

disable

tp-hidden {no | yes}

Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in the:

SMTP greeting (HELO/EHLO) in the envelope
Received: message headers
IP addresses in the IP header

This masks the existence of the FortiMail system to the protected SMTP server.

Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail system.

For example, an external SMTP client might have the IP address 172.168.1.1, and the FortiMailsystem might have the domain name fortimail.example.com. If the option is enabled, the message header would contain (difference highlighted in bold):

Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800

Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT

But if the option is disabled, the message headers would contain:

Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800

Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT

This setting is only available in transparent mode.

Tip: If the protected SMTP server applies rate limiting according to IP addresses, enabling this setting can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail system.

Note: Unless you have enabled exclusive {enable | disable} in the IP-based policy, this setting overrides conn-hidden {enable | disable} in the session profile, and may prevent it from applying to incoming email messages.

tp-server-on-port <port_int>

Select the network interface (port) to which the protected SMTP server is connected.

This setting is only available in transparent mode.

Note: Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface.

tp-use-domain-mta {yes | no}

Enable to use the protected SMTP server, instead of the FortiMail built-in MTA, to deliver outgoing email messages from the SMTP clients whose sending MTA is the protected SMTP server.

For example, if the protected domain example.com has the SMTP server 192.168.1.1, and an SMTP client for user1@example.com connects to it to send email to user2@external.example.net, enabling this setting would cause the FortiMail system to pass the mail message via its built-in MTA to the protected SMTP server, which will deliver the message.

Disable to relay email using the built-in MTA to either the SMTP relay defined in config mailsetting relay-host-list, if any, or directly to the MTA that is the mail exchanger (MX) for the recipient email address’s (RCPT TO:) domain. The email may not actually go through the protected SMTP server, even though it was the relay originally specified by the SMTP client.

This setting does not affect incoming connections containing incoming email messages, which will always be handled by the built-in MTA. For details, see how to determine when FortiMail uses the proxies instead of the built-in MTA.

This setting is only available in transparent mode.

Note: This setting will be ignored for email that matches an antispam action profile, antivirus action profile, or content action profile where you have enabled alternate-host-status {enable | disable}.

use-stmps {enable | disable}

Enable to use SMTPS (secure SMTP) for connections to this protected domain's SMTP server.

disable

user-management-web-service-status {enable | disable}

Enable to use FortiMail to manage email user accounts that are stored on FortiAuthenticator.

This allows you to use accounts that are already defined in a centralized directory, instead of configuring them locally on FortiMail (see config user mail). This can be useful for larger deployments with many email addresses that would otherwise exceed the maximum number of users on FortiMail. Some account information that is FortiMail-specific, such as user preferences, may still be required to be configured locally.

This setting is available only in server mode. This setting is used if a FortiAuthenticator is selected in ldap-user-profile <profile_name>, and if its user-management-web-service-status {enable | disable} etc. settings are configured.

disable

webmail-language <language_name>

Select the language that the FortiMail unit will to display webmail and quarantine folder in the GUI for users. By default, the FortiMail unit uses the same language as the GUI for administrators.

webmail-service-type {full limited}

Select either:

full
limited: Email users can only change their passwords and configure mail forwarding. All other features will not be available.

webmail-theme {Blue | Dark | Green | Light-Blue | Neutrino | Red | Use-system-setting}

Select a default color theme for the webmail and quarantine GUI after users log in. Alternatively, you can set this default for all protected domains. See webmail-theme {Blue | Dark | Green | Light-Blue | Neutrino | Red}.

If webmail-theme-status {enable | disable} is enable, then after they log in, each user may choose a different theme.

Use-system-setting

config file filter

Use this sub-command to configure file filter options, including filtering by file extension type and Multipurpose Internet Mail Extension (MIME) type. File filters define the email attachment file types and file extensions to be scanned and are used in attachment scan rules.

Syntax

This sub-command is available from within the command domain.

config file filter

edit <file-type_str>

set extension <file-extension_pattern>

set mime-type <mime-type_str>

end

Variable	Description	Default
<file-type_str>	Enter a unique name for the file attachment type.
description "<comment_str>"	Enter a description or comment.
extension <file-extension_pattern>	Enter a file extension expressed as a wildcard pattern, for example: `.exe` `.dll`
mime-type <mime-type_str>	Enter a MIME type in the format `<category>/<format>`, in order to filter by file category and format. For example, to filter by image, and specifically for PNG, enter: set mime-type image/png To filter for all video formats, enter: set mime-type video/*

config policy recipient

Use this sub-command to configure a recipient-based policy for a protected domain. To configure system-wide policies, see policy recipient instead.

Syntax

This sub-command is available from within the command domain.

config policy recipient

edit <policy_index>

set sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard}

set direction {incoming | outgoing}

set sender-name <local-part_str>

set sender-domain <domain_name>

set sender-regex "<sender_pattern>"

set sender-email-address-group <group_name>

set profile-ldap-sender <ldap-profile_name>

set sender-import-attribute-name <name_str>

set sender-import-attribute-value <value_str>

set sender-option {envelope-from | envelope-or-header-from | header-from}

set sender-exclusion-status {enable | disable}

set sender-exclusion-type {email-address-group | user-regex | user-wildcard}

set sender-exclusion-name "<local-part-str>"

set sender-exclusion-domain "<domain-part_str>"

set sender-exclusion-regex "<exclusion_pattern>"

set sender-exclusion-email-address-group <group_name>

set recipient-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard}

set recipient-name "<local-part_str>"

set recipient-domain "<domain_str>"

set recipient-regex "<recipient_pattern>"

set recipient-email-address-group <group_name>

set profile-ldap-recipient <ldap-profile_name>

set recipient-import-attribute-name <name_str>

set recipient-import-attribute-value <value_str>

set recipient-exclusion-status {enable | disable}

set recipient-exclusion-type {email-address-group | user-regex | user-wildcard}

set recipient-exclusion-name "<local-part-str>"

set recipient-exclusion-domain "<domain-part_str>"

set recipient-exclusion-regex "<exclusion_pattern>"

set recipient-exclusion-email-address-group <group_name>

set profile-antispam <antispam_name>

set profile-antivirus <antivirus_name>

set profile-content <profile_name>

set profile-dlp <profile_name>

set profile-resource <profile_name>

set profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp}

set profile-auth-imap <imap_name>

set profile-auth-ldap <ldap_name>

set profile-auth-pop3 <pop3_name>

set profile-auth-radius <radius_name>

set profile-auth-smtp <smtp_name>

set auth-allow-smtp {enable | disable}

set pkiauth {enable | disable}

set pkiuser <user_name>

set certificate-required {yes | no}

set smtp-diff-identity {enable | disable}

set smtp-diff-identity-ldap {enable | disable}

set smtp-diff-identity-ldap-profile <profile_name>

end

Variable	Description	Default
<policy_index>	Enter the index number of the recipient-based policy. To view a list of existing entries, enter a question mark ( `?` ). Note: The ID is automatically assigned when the policy is created, and may be different from its order in the list. See the order of execution for policies.
auth-allow-smtp {enable \| disable}	Enable to allow the SMTP client to use the SMTP `AUTH` command to authenticate the connection. Disable to make SMTP authentication unavailable. This setting is available in gateway and transparent mode, and only if you have selected an authentication type in `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}`. Note: This setting allows, but does not require, SMTP authentication. To enforce SMTP authentication, set `authenticated {any \| authenticated \| not-authenticated}` to `authenticated` in all access control rules that accept and scan traffic.
certificate-required {yes \| no}	Select either: `yes`: Require valid certificates only and disallow password-style fallback. `no`: Fall back to standard user name and password-style authentication if the email user’s web browser does not provide a valid personal certificate. This setting is available only if `direction {incoming \| outgoing}` is `incoming`, and applies only if `pkiauth {enable \| disable}` is `enable`.	no
comment "<comment_str>"	Enter a description or comment.
direction {incoming \| outgoing}	Select the direction of email that this policy matches, with respect to protected domains.	incoming
pkiauth {enable \| disable}	Enable if you want to allow webmail and personal quarantine users to log in by presenting a certificate rather than a user name and password. Also configure `pkiuser <user_name>` and `certificate-required {yes \| no}`. This setting is available only if `direction {incoming \| outgoing}` is `incoming`, and only for transparent and gateway mode.	disable
pkiuser <user_name>	Enter the name of a PKI user, such as `user1`, from `config user pki`. This setting only applies if `pkiauth {enable \| disable}` is `enable`.
profile-antispam <antispam_name>	Select which antispam profile, if any, to apply to email matching the policy. Tip: You can use an LDAP query to enable or disable antispam scanning on a per-user basis (`asav-state {enable \| disable}`).
profile-antivirus <antivirus_name>	Select which antivirus profile, if any, to apply to email matching the policy.
profile-auth-imap <imap_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `imap`.
profile-auth-ldap <ldap_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `ldap`.
profile-auth-pop3 <pop3_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `pop3`.
profile-auth-radius <radius_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `radius`.
profile-auth-smtp <smtp_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `smtp`.
profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}	Select the type of the authentication profile that FortiMail will use to authenticate email users: `none` (this effectively disables authentication) `local` (server mode only) `ldap` `smtp` `imap` `pop3` `radius` Depending on the type that you select, also configure `profile-auth-ldap <ldap_name>` etc. and, for SMTP access, configure `auth-allow-smtp {enable \| disable}`. Otherwise the authentication profile will only be used for HTTP or HTTPS access to personal quarantines (or, for server mode, webmail). See also the workflow for quarantines and workflow for email user authentication.	none
profile-content <profile_name>	Select which content profile, if any, to apply to the policy.
profile-dlp <profile_name>	Select which DLP profile, if any, to apply to email matching the policy.
profile-ldap-recipient <ldap-profile_name>	If `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `ldap-group`, enter the name of an LDAP profile in which the group owner query has been enabled and configured.
profile-ldap-sender <ldap-profile_name>	If `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `ldap-group`, enter the name of an LDAP profile in which the group owner query has been enabled and configured.
profile-resource <profile_name>	Select which content profile, if any, to apply to email matching the policy. This setting is available only if FortiMail is operating in server mode or gateway mode.
profile-user-import-recipient <profile_name>	Select an import profile. Also configure `recipient-import-attribute-name <name_str>` and `recipient-import-attribute-value <value_str>`. This setting is available only if: operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-group` or `import-user`
profile-user-import-sender <profile_name>	Select an import profile. Also configure `sender-import-attribute-name <name_str>` and `sender-import-attribute-value <value_str>`. This setting is available only if: operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-group` or `import-user`
recipient-domain "<domain_str>"	Enter the local part (username) of recipient email addresses that match this policy. This setting is available only if `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `user-wildcard`.
recipient-email-address-group <group_name>	Enter the group of recipient email addresses. This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `email-user-group`.
recipient-exclusion-domain "<domain-part_str>"	Enter the domain name of recipient email addresses that you want to exclude. This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-wildcard`.	*
recipient-exclusion-email-address-group <group_name>	Enter the group membership attribute value as it appears in the LDAP directory. This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `email-address-group`.
recipient-exclusion-name "<local-part-str>"	Enter the local part (username) of recipient email addresses that you want to exclude. This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-wildcard`.	*
recipient-exclusion-regex "<exclusion_pattern>"	Enter a regular expression that matches only recipient email addresses that you want to exclude, such as: .*@example\.com This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-regex`.
recipient-exclusion-status {enable \| disable}	Enable if you want to exclude some recipient email addresses from matching this policy. Also configure `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}`.	disable
recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}	Select how you want to define excluded recipient email addresses. Depending on which you select, also configure `recipient-exclusion-name "<local-part-str>"` etc. This setting is available only if `recipient-exclusion-status {enable \| disable}` is `enable`.	user-wildcard
recipient-import-attribute-name <name_str>	Enter the name of attributes to match users from an import profile. This setting is available only if operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-group` or `import-user`
recipient-import-attribute-value <value_str>	Enter the value of attributes to match users from an import profile. This setting is available only if operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is`import-user`
recipient-name "<local-part_str>"	Enter the local part (username) of recipient email addresses that match this policy. This setting is available only if `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `user-wildcard`.
recipient-regex "<recipient_pattern>"	Enter a regular expression that matches only the recipient email addresses that should match this policy. This setting is available if `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `regexp`.	.*
recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}	Select how to define recipient (`RCPT TO:`) email addresses that match this policy. Depending on which you select, also configure `profile-ldap-recipient <ldap-profile_name>`, `recipient-regex "<recipient_pattern>"`, etc.	user
sender-domain <domain_name>	Enter the domain name of sender email addresses that match this policy. This setting is available only if `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `user-wildcard`.
sender-email-address-group <group_name>	Enter the group membership attribute value as it appears in the LDAP directory. This setting is available only if `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `email-user-group`. This setting is available only if `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `email-user-group`.
sender-exclusion-domain "<domain-part_str>"	Enter the domain name of sender email addresses that you want to exclude. This setting is available only if `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-wildcard`.	*
sender-exclusion-email-address-group <group_name>	Select a group of email addresses you want to exclude. This setting is available only if `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `email-address-group`.
sender-exclusion-name "<local-part-str>"	Enter the local part (username) of sender email addresses that you want to exclude. This setting is available only if `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-wildcard`.	*
sender-exclusion-regex "<exclusion_pattern>"	Enter a regular expression that matches only sender email addresses that you want to exclude, such as: .*@example\.com This setting is available only if `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-regex`.
sender-exclusion-status {enable \| disable}	Enable if you want to exclude some sender email addresses from matching this policy. Also configure `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}`. Sender exclusion settings apply only if `direction {incoming \| outgoing}` is `outgoing`.	disable
sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}	Select how you want to define excluded sender email addresses. Depending on which you select, also configure `sender-exclusion-name "<local-part-str>"` etc. This setting is available only if `sender-exclusion-status {enable \| disable}` is `enable`.	user-wildcard
sender-import-attribute-name <name_str>	Enter the name of attributes to match users from an import profile. This setting is available only if operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-group` or `import-user`
sender-import-attribute-value <value_str>	Enter the value of attributes to match users from an import profile. This setting is available only if operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-user`
sender-name <local-part_str>	Enter the local part (username) of sender email addresses that match this policy. This setting is available only if sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard} is `user-wildcard`.
sender-option {envelope-from \| envelope-or-header-from \| header-from}	Select whether to match this policy based upon the sender email address that is in the SMTP envelope (`MAIL FROM:`) and/or message headers (`From:`). This setting is available only if enabled in recipient-policy-sender-option {envelope-from-only \| envelope-or-header-from}. Caution: Message headers may be rewritten or fake. Do not match policies based upon the email address in `From:` unless the upstream MTA is trusted to authenticate senders for this domain, including validating secondary email addresses and aliases. See also smtp-diff-identity-ldap {enable \| disable}.	envelope-from
sender-regex "<sender_pattern>"	Enter a regular expression that matches only the sender email addresses that should match this policy. This setting is only available when `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `regexp`.	.*
sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}	Select how to define sender (`MAIL FROM:`) email addresses that match this policy. Depending on which you select, also configure profile-ldap-sender <ldap-profile_name>, sender-regex "<sender_pattern>", etc.	user-wildcard
smtp-diff-identity {enable \| disable}	Disable to allow the SMTP client to send email using a different sender email address (`MAIL FROM:`) than the user name that they used to authenticate. This is often normal (for example, `jmartinez@example.com` might authenticate and send email on behalf of their department alias, `sales@example.com`), but it could be fraudulent, so often you should also configure smtp-diff-identity-ldap {enable \| disable}. Enable to require that the sender email address in the SMTP envelope matches the authenticated user name, and reply with an SMTP rejection code if they don't match. This setting is applicable only if profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}is not `none`.	disable
smtp-diff-identity-ldap {enable \| disable}	Enable to use a directory query to find and verify the sender's other email addresses. Also configure smtp-diff-identity-ldap-profile <profile_name>. This setting is applicable only if smtp-diff-identity {enable \| disable} is `disable`. Note: If verification succeeds, the sender email sender address in the SMTP envelope (`MAIL FROM:`) must still match the message header (`From:`). Both sender addresses must not be empty.	disable
smtp-diff-identity-ldap-profile <profile_name>	Select which LDAP profile to use for verifying an email user's other identities. This setting is applicable only if smtp-diff-identity-ldap {enable \| disable} is `enable`.
status {enable \| disable}	Enable to apply the policy.	enable

config profile user-import

Use this command to configure account synchronization to import users from LDAP or Microsoft 365, Entra ID, or Exchange servers.

Syntax

This sub-command is available from within the command domain.

config profile user-import

edit <profile_name>

set base-dn <base-DN_str>

set bind-dn <bind-DN_str>

set bind-password <password_str>

set description "<comment_str>"

set group-display-name <ldap-attribute_str>

set group-primary-address <ldap-attribute_str>

set group-query <query-filter_str>

set group-secondary-address <ldap-attribute_str>

set ldap-port <port_int>

set ldap-secure {enable | disable}

set ldap-server {<ldap-server_ipv4> | ldap-server_fqdn>}

set ldap-version {ver2 | ver3}

set ms365-application-id <application_str>

set ms365-application-secret <password_str>

set ms365-tenant-id <tenant_str>

set recurrence {daily | monthly | none | weekly}

set referrals-chase {enable | disable}

set schedule-hour <hour_int>

set schedule-days {Monday Tuesday Wednesday Thursday Friday Saturday Sunday}

set scope {base | one | sub}

set timeout <seconds_int>

set type {ldap | ms365}

set user-display-name <ldap-attribute_str>

set user-primary-address <ldap-attribute_str>

set user-query <query-filter_str>

set user-secondary-address <ldap-attribute_str>

end

Variable	Description	Default
base-dn <base-DN_str>	Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as `ou=People,dc=example,dc=com`. User objects should be child nodes of this location.
bind-dn <bind-DN_str>	Enter the bind DN, such as `cn=FortiMailA,dc=example,dc=com`, of an LDAP user account with permissions to query the basedn.
bind-password <password_str>	Enter the password of `bind-dn <bind-DN_str>`.
description "<comment_str>"	Enter a description.
group-display-name <ldap-attribute_str>	Enter the LDAP group or mailing list display name attribute.
group-primary-address <ldap-attribute_str>	Enter the LDAP group or mailing list primary email address attribute.
group-query <query-filter_str>	Enter the LDAP group or mailing list query string.
group-secondary-address <ldap-attribute_str>	Enter the LDAP group or mailing list secondary email address attribute.
ldap-port <port_int>	Enter the port number of the LDAP server. The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.	389
ldap-secure {enable \| disable}	Enable or disable (by default) a secure encrypted connection to the LDAP server.	disable
ldap-server {<ldap-server_ipv4> \| ldap-server_fqdn>}	Enter the fully qualified domain name (FQDN) or IP address of the directory server.
ldap-version {ver2 \| ver3}	Enter the LDAP server protocol version.	ver3
ms365-application-id <application_str>	Enter the Microsoft 365 application ID.
ms365-application-secret <password_str>	Enter the Microsoft 365 application secret.
ms365-tenant-id <tenant_str>	Enter the Microsoft 365 tenant ID.
recurrence {daily \| monthly \| none \| weekly}	Define the recurrence/schedule of the remote server synchronization.	none
referrals-chase {enable \| disable}	Enable or disable (by default) chasing of referrals.	disable
schedule-days {Monday Tuesday Wednesday Thursday Friday Saturday Sunday}	Enter the days on which synchronization will occur.
schedule-hour <hour_int>	Enter the hour of the day at which synchronization will occur, from 0 to 23.	1
scope {base \| one \| sub}	Define the search scope of the LDAP server; either base, one level, or subtree (by default).	sub
timeout <seconds_int>	Enter the query timeout limit in seconds. Valid range is from 60 to 600.	60
type {ldap \| ms365}	Enter the remote server profile type.	ldap
user-display-name <ldap-attribute_str>	Enter the LDAP user's display name attribute.
user-primary-address <ldap-attribute_str>	Enter the LDAP user's primary email address attribute.
user-query <query-filter_str>	Enter the LDAP query string to get all users.
user-secondary-address <ldap-attribute_str>	Enter the LDAP user's secondary email address attribute.

config system disclaimer-message

Use this command to configure which email will have domain-specific disclaimer messages.

A disclaimer message is text that is added to email to warn the recipient that the email contents may be confidential, or other information required by law, such as unsubscribe links or office addresses. However you could use this feature to insert other text and images, too.

If required, you can exclude some email so that they do not receive a disclaimer. See system disclaimer-exclude.

Disclaimer insertion may invalidate existing DKIM signatures, requiring an alternative ARC signature. See arc-sealing-option {all | disable | incoming | outgoing}.

If disclaimer-per-domain {enable | disable} is enabled, then for each protected domain, you can configure disclaimer-status {disabled | use-domain-setting | use-system-setting} and then select a customized message to use as a disclaimer that is specific to the protected domain. Alternatively, you can select disclaimers in action profiles (see profile content-action) to apply them only to email that match specific IP-based or recipient policies.

Syntax

config system disclaimer-message

edit <profile_index>

set sender-domain-type {all | external | internal}

set recipient-domain-type {all | external | internal}

set relationship-strength-status {enable | disable}

set relationship-strength {neutral | strong | weak}

set domain-customized-message {enable | disable}

set customized-message <customized-message_name>

end

Variable	Description	Default
<profile_index>	Enter a number for the entry.
customized-message <customized-message_name>	Select which domain-specific customized message to apply as the disclaimer. To customize the message, configure config customized-message (domain-specific) or customized-message (system-wide).	default
domain-customized-message {enable \| disable}	Enable to use a domain-specific disclaimer message. Also configure customized-message <customized-message_name>. Disable to use the system-wide disclaimer message.	disable
recipient-domain-type {all \| external \| internal}	Select which type of recipient domains will have the disclaimer message applied to their email.	internal
relationship-strength {neutral \| strong \| weak}	Select which sender-recipient relationship (SRR) score levels should trigger this disclaimer: `weak` `neutral` `strong` FortiGuard Social Database contains the social mapping of the email communication flow. For example, if `user1@1.example.com` and `user2@2.example.com` have regular communication, then their social relationship is strong; if they have no history of communication before, then their SRR is weak.	weak neutral strong
relationship-strength-status {enable \| disable}	(SRR) score levels to trigger this disclaimer. Also configure `relationship-strength {neutral \| strong \| weak}`.	disable
sender-domain-type {all \| external \| internal}	Select which type of sender domains will have the disclaimer message applied to their email.	external
status {enable \| disable}	Enable or disable the entry.	disable

config user mail

Use this sub-command to configure email user accounts.

Syntax

This sub-command is available from within the command domain.

config user mail

rename <old-user_name> to <new-user_name>

edit <user_name>

set type {local | ldap | radius}

set displayname "<name_str>"

set password "<password_str>"

set ldap-profile <profile_name>

set radius-profile <profile_name>

end

Variable

Description

Default

<old-user_name>

The existing user account that you want to rename.

status {enable | disable}

Enable or disable the email user account.

enable

<new-user_name>

Enter the new name for the user account.

Verify that the recipient has read and, if required, made backups of IBE secure email before you rename the account.

Preferences and mail data will be imported to the new user. However, because the new account name will no longer match the encrypted email's recipient address, the new user name will not be able to decrypt and read old encrypted email anymore.

<user_name>

Enter the user name of the email user, such as user1, whose mail will be locally deliverable on the FortiMail system.

For example, an email user may have numerous aliases, mail routing, and other email addresses on other systems in your network, such as accounting@example.com. However, the user name you enter in this setting reflects the email user’s account that they will use to log in to this FortiMail system at the selected domain; such as, jsmith if the email address is jsmith@example.com.

type {local | ldap | radius}

Select whether to authenticate the user via a remote authentication server, or user accounts defined locally on FortiMail. Depending on your selection, also configure <user_name> and password "<password_str>", or ldap-profile <profile_name>, or radius-profile <profile_name>.

displayname "<name_str>"

Enter the name of the user as it should appear in the From: field in the message header.

For example, an email user whose email address is user1@example.com may prefer that their display name be "J Zhang".

password "<password_str>"

Enter the password of the local email user.

This setting is used only if type {local | ldap | radius} is local. Also configure system password-policy.

ldap-profile <profile_name>

Select the name of an LDAP profile in which user authentication queries are enabled.

This setting is available only if type {local | ldap | radius} is ldap.

radius-profile <profile_name>

Select the name of a RADIUS profile in which user queries are enabled.

This setting is available only if type {local | ldap | radius} is radius.

Syntax

This command contains many sub-commands. Each sub-command, linked below, is documented in subsequent sections.

config domain

edit <domain_name>

config domain-setting ...

config system disclaimer-message ...

config customized-message ...

config domain-info ...

config profile authentication ...

config profile user-import ...

config user mail ...

config cal resource ...

config file filter ...

config profile notification ...

config policy recipient ...

config profile antispam-action ...

config profile antispam ...

config profile antivirus-action ...

config profile antivirus ...

config profile content-action ...

config profile content ...

config profile cousin-domain ...

config profile email-address-group ...

config profile impersonation ...

config profile weighted-analysis ...

config profile resource ...

end

Variable	Description	Default
<domain_name>	Enter the domain name of the protected domain. For example, if FortiMail will protect email addresses that end in `@example.com`, enter the protected domain name `example.com`. Generally, your protected domain will use a valid, globally-resolvable top-level domain (TLD) such as `.com`. Exceptions could include testing scenarios, where you have created a `.lab` mail domain on your private network to prevent accidental conflicts with live mail systems legitimately using their globally-resolvable FQDN.

Variable

Description

Default

<domain_name>

Enter the domain name of the protected domain.

For example, if FortiMail will protect email addresses that end in @example.com, enter the protected domain name example.com.

config cal resource

Use this sub-command to configure a resource for calendar shares in FortiMail webmail in a protected domain.

Syntax

This sub-command is available from within the command domain.

config cal resource

edit <resource_name>

set type {room | equipment}

set display-name "<user_str>"

set management-users <user_email>

end

Variable	Description	Default
<resource_name>	Enter a name for the calendar resource. This name forms the local name of the calendar resource for the current domain, such as `calendar@example.com`.
description "<comment_str>"	Enter a description or comment.
display-name "<user_str>"	Enter a display name.
management-users <user_email>	Enter the management user's email address for the calendar resource.
type {room \| equipment}	Select the type of resource, either room or equipment.	room

config customized-message

Use this sub-command to configure domain-specific customized messages, such as disclaimers and personal quarantine report email templates.

These sub-commands are only available after you:

Select domain-specific customized messages in the protected domain:
- disclaimer-status {disabled | use-domain-setting | use-system-setting} is set to use-domain-setting
- domain-customized-message {enable | disable} is set to enable
Save the domain with the end command.

Syntax

This sub-command is available from within the command domain.

config customized-message

edit disclaimer-insertion

config variable

end

config message

edit <disclaimer_name>

set format {html | multiline | text}

set disclaimer-convert-text-to-html-status {enable | disable}

set location {beginning | end}

set disclaimer-preview-orig-msg-status {enable | disable}

end

edit report-quarantine-summary

config variable

end

config email-template

edit {default | default-with-icons}

set env-from <sender_email>

set from <sender_email>

set subject "<subject_str>"

set html-body "<body-html_str>"

set text-body "<body-text_str>"

end

Variable	Description	Default
<variable_name>	Enter a variable name that you want to add or edit, such as `%%SENDER%%`.
<disclaimer_name>	Enter the name of the disclaimer message.
content "<text_str>"	Enter the value of the variable or custom message.	No default for new variables. Otherwise the value is from the default message.
description "<comment_str>"	Enter a comment or description.
display-name <gui-label_str>	Enter a label that will appear in the variable list when you click Insert Variables in the GUI while customizing a message or creating a variable. For example, you could enter `CompanyName` for the variable `%%COMPANY-NAME%%`.	No default for new variables. Otherwise the value is from the default message.
env-from <sender_email>	Enter the sender email address (`MAIL FROM:`) that will be used in the SMTP envelope. You can either enter text directly, or insert a variable such as `%%RELEASE_CONTROL_USER%%`. This setting is available only for email templates. Note: By default, the setting is empty. Some services such as Microsoft 365 do not accept an empty sender email address (`MAIL FROM:`).
from <sender_email>	Enter the sender email address (`From:`) that will be used in the message header. You can either enter text directly, or insert a variable such as `%%RELEASE_CONTROL_USER%%`. Can be up to 60 characters. This setting is available only for email templates.	%%RELEASE_CONTROL_USER%%
html-body "<body-html_str>"	Enter the body that will be used in the HTML format version of the email. Can be up to 4000 characters. This setting is available only for email templates.	HTML for the default message, using default variables.
subject "<subject_str>"	Enter the subject line that will be used in the email. You can either enter text directly, or insert a variable such as `%%SUBJECT%%`. Can be up to 250 characters. This setting is available only for email templates.	Subject line for the default message, using default variables.
text-body "<body-text_str>"	Enter the body that will be used in the plain text format version of the email. Can be up to 4000 characters. This setting is available only for email templates.	Plain text for the default message, using default variables.
format {html \| multiline \| text}	Select the format of the email. This setting is available only for email templates.	text
location {beginning \| end}	Select where in the message body to insert the custom message. This setting is available only if the custom message type is `disclaimer-insertion`. Note: This setting is ignored if the disclaimer is applied by an antispam action profile, antivirus action profile, or content action profile's `disclaimer-insertion-location {beginning \| end}` setting, and that location setting does not agree. For example, if this setting is `beginning`, but the other setting is `end`, then the disclaimer would appear at the end.	beginning
disclaimer-convert-text-to-html-status {enable \| disable}	Enable if either: disclaimers will use HTML `disclaimer-preview-orig-msg-status {enable \| disable}` is `enable` you want to convert the email to HTML for another reason Plain text email (MIME type `text/plain`) does not support HTML formatting. If you disable this setting, and the disclaimer is formatted with HTML such as colors and hyperlinks, then plain text email will show the raw HTML code instead of your formatting. Multipart email is not effected. This setting is available only if the custom message type is `disclaimer-insertion`.	disable
disclaimer-preview-orig-msg-status {enable \| disable}	Enable if you want the preview to use the original message's content. In email clients such as Microsoft Outlook, Apple Mail on iOS, and FortiMail webmail, message preview text appears in the message list and/or notification banners. Disable if you want the preview to start with the disclaimer. Original contents may still appear after the disclaimer if the disclaimer is short, depending on how much text the email client shows for the preview. This setting is available only if `location {beginning \| end}` is `beginning`, and if the custom message type is `disclaimer-insertion`. Note: This setting is ignored if both: `disclaimer-convert-text-to-html-status {enable \| disable}` is `disable` email is in plain text (MIME type `text/plain`) (HTML is required to control display of the preview.) This setting is also ignored if the disclaimer is applied by an antispam action profile, antivirus action profile, or content action profile, and that `disclaimer-insertion-location {beginning \| end}` setting is `end`. (Message previews only show the first few lines of an email, so they usually do not include disclaimers at the end.)	disable

config domain-info

Use this sub-command to configure customer account information for multi-tenancy.

Syntax

This sub-command is available from within the command domain.

config domain-info

set customer-name <customer_str>

set customer-email <customer_email>

set account-limit <users_int>

end

Variable	Description	Default
account-limit <users_int>	Enter the user account limit (0 means no limit).	0
comment "<comment_str>"	Enter a comment or description.
customer-email <customer_email>	Enter the customer email address.
customer-name <customer_str>	Enter the customer name.

config domain-setting

Use this sub-command to configure many settings for a protected domain.

Syntax

This sub-command is available from within the object domain.

config domain-setting

set relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

set is-sub-domain {enable | disable}

set main-domain <protected-domain_name>

set host {<smtp-server_fqdn> | <smtp-server_ipv4>}

set port <smtp-port_int>

set use-stmps {enable | disable}

set fallback-use-smtps {enable | disable}

set fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

set fallback-port <port_int>

set relay-ip-group <ip-group_name>

set ldap-domain-routing-profile <ldap-profile_name>

set mx-lookup-alt-domain-name <domain_str>

set domain-association-mxlookup {self | parent}

set relay-auth-status {enable | disable}

set relay-auth-username <username_str>

set relay-auth-password <password_str>

set relay-auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

set recipient-verification {disable | imported-user | ldap | smtp}

set alt-smtp-verification {enable | disable}

set alt-smtp-verification-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

set alt-smtp-verification-port <port_int>

set alt-smtp-verification-smtps {enable | disable}

set smtp-mail-from-addr-status {use-system-setting | use-domain-setting}

set smtp-mail-from-addr <sender_email>

set recipient-verification-profile <profile_name>

set smtp-recipient-verification-command {rcpt | vrfy}

set smtp-recipient-verification-accept-reply-string "<accept_pattern>"

set recipient-verification-invalid-user-action {reject | discard}

set recipient-verification-background {disable | ldap | purge-inactive | smtp}

set recipient-verification-background-profile <ldap-profile_name>

set recipient-retention-period <days_int>

set tp-server-on-port <port_int>

set tp-hidden {no | yes}

set tp-use-domain-mta {yes | no}

set ldap-user-profile <profile_name>

set user-management-web-service-status {enable | disable}

set ldap-routing-status {enable | disable}

set ldap-routing-profile <ldap-profile_name>

set ldap-asav-status {enable | disable}

set ldap-asav-profile <ldap-profile_name>

set quarantine-report-to-individual {enable | disable}

set quarantine-report-to-alt {enable | disable}

set quarantine-report-to-alt-addr <recipient_email>

set quarantine-report-to-ldap-groupowner {enable | disable}

set ldap-groupowner-profile <ldap-profile_name>

set group-recipient-only {enable | disable}

set group-exclude-individual {enable | disable}

set quarantine-report-schedule-status {enable | disable}

set schedule-days {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}

set schedule-hours {0 .. 23}

set quarantine-report-status {enable | disable}

set report-template-name <profile_name>

set arc-sealing-option {all | disable | incoming | outgoing}

set dkim-signing-option {all | disable | incoming | outgoing}

set dmarc-report-analysis-status {enable | disable | use-system-setting}

set dmarc-report-analysis-rua-address-mode {auto-discover | manual}

set dmarc-report-analysis-rua-address <recipient_email>

set dmarc-report-generation-status {enable | disable | monitor-only | use-system-setting}

set dmarc-report-generation-from-addr-localpart <localpart_str>

set domain

set disclaimer-status {disabled | use-domain-setting | use-system-setting}

set sender-addr-rate-ctrl-state {enable | disable}

set sender-addr-rate-ctrl-max-msgs-state {enable | disable}

set sender-addr-rate-ctrl-max-msgs <messages_int>

set sender-addr-rate-ctrl-max-recipients-state {enable | disable}

set sender-addr-rate-ctrl-max-recipients <recipients_int>

set sender-addr-rate-ctrl-max-size-state {enable | disable}

set sender-addr-rate-ctrl-max-size <size_int>

set sender-addr-rate-ctrl-max-spam-state {enable | disable}

set sender-addr-rate-ctrl-max-spam <spam_int>

set sender-addr-rate-notification-state {enable | disable}

set sender-addr-rate-notification-profile <profile_name>

config sender-addr-rate-ctrl-exempt

edit <rule_index>

set pattern-type {wildcard | regexp}

set sender-pattern <sender_pattern>

end

set sender-addr-rate-ctrl-action {none | reject | temp-fail}

set webmail-language <language_name>

set webmail-theme {Blue | Dark | Green | Light-Blue | Neutrino | Red | Use-system-setting}

set sso-status {enable | disable}

set sso-profile <profile_name>

set max-message-size <limit_int>

set addressbook {domain | none | system}

set greeting-with-host-name {domainname | hostname | othername}

set other-helo-greeting <hostname_str>

set ip-pool <pool_name>

set ip-pool-direction {outgoing | incoming | both}

set remove-outgoing-received-header {enable | disable}

set global-bayesian {enable | disable}

set bypass-bounce-verification {enable | disable}

set email-continuity-status {enable | disable}

set email-migration-status {enable | disable}

set is-service-domain {enable | disable}

set max-user-number <users_limit>

set max-user-quota <GB_int>

set disk-quota <GB_int>

set mail-access {webmail pop imap}

set webmail-service-type {full limited}

end

Variable

Description

Default

<rule_index>

Enter the number to identify the rule. To create a rule with the first available number, enter 0.

addressbook {domain | none | system}

Select whether to add newly created email users to the system address book, domain address book, or none.

This setting is available if operation-mode {gateway | server | transparent} is server.

domain

alt-smtp-verification-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

Enter the fully qualified domain name (FQDN) or IP address of the SMTP server to use for recipient verification. Also configure alt-smtp-verification-port <port_int>.

This setting is not available in server mode. This setting applies if alt-smtp-verification {enable | disable} is enable.

alt-smtp-verification-port <port_int>

Enter the port number on which the SMTP server for recipient verification listens.

If you enable alt-smtp-verification-smtps {enable | disable}, then this setting automatically changes to the default port number for SMTPS (465), but can still be customized.

This setting is not available in server mode. This setting applies if alt-smtp-verification {enable | disable} is enable.

alt-smtp-verification-smtps {enable | disable}

Enable to use SMTPS (secure SMTP) for connections to the SMTP server for recipient verification.

This setting is not available in server mode. This setting applies if alt-smtp-verification {enable | disable} is enable.

alt-smtp-verification {enable | disable}

Enable to perform recipient verification with the SMTP server in alt-smtp-verification-host {<smtp-server_fqdn> | <smtp-server_ipv4>} instead of the protected domain's SMTP server.

This setting in not available in server mode. This setting applies if recipient-verification {disable | imported-user | ldap | smtp} is smtp.

disable

arc-sealing-option {all | disable | incoming | outgoing}

Select either:

disable:Do not sign.
incoming:Sign email sent between users in the same protected domain.
outgoing:Sign email sent from a protected domain to other external or protected domains. This includes email released from quarantine.
all: Sign both incoming and outgoing email.

This setting applies only if the ARC keys have been imported or generated.

disable

bypass-bounce-verification {enable | disable}

Enable to omit bounce address tag verification of email incoming to this protected domain.

Alternatively, you can enable bypass-bounce-verification {enable | disable} in the session profiles.

For information on enabling bounce address tagging and verification (BATV), see antispam bounce-verification.

Note: This setting does not omit bounce address tagging of outgoing email.

disable

comment "<comment_str>"

Enter a description or comment.

disclaimer-status {disabled | use-domain-setting | use-system-setting}

Select whether to:

use the system-wide disclaimer message. Also configure customized-message and system disclaimer-message.
use a a disclaimer message specific to this protected domain. Also configure config customized-message and config system disclaimer-message.
disable the disclaimer message for this protected domain

This setting applies if disclaimer-per-domain {enable | disable} is enable.

use-system-setting

disk-quota <GB_int>

Enter the disk quota in gigabytes (GB).

This setting is only available in server mode.

dkim-signing-option {all | disable | incoming | outgoing}

Select either:

disable:Do not sign.
incoming:Sign email sent between users in the same protected domain.
outgoing:Sign email sent from a protected domain to other external or protected domains. This includes email released from quarantine.
all: Sign both incoming and outgoing email.

This setting applies only if the DKIM keys have been imported or generated.

disable

dmarc-report-analysis-rua-address-mode {auto-discover | manual}

Select either:

auto-discover: FortiMail automatically queries the DNS server about the sender domain to determine that domain's authorized DMARC report recipient.

Note: If a sender does not have a valid DMARC RUA/RUF configured in the domain's DNS TXT record, then FortiMail cannot send them because there is no report recipient email address.
manual: Manually configure another DMARC report recipient. Also configure dmarc-report-analysis-rua-address <recipient_email>.

Tip: This option can be useful if, for example, the sender domain's DMARC record is misconfigured, and you want to send a report to show them how many email were rejected due to failed DMARC checks.

auto-discover

dmarc-report-analysis-rua-address <recipient_email>

Enter the recipient email address where FortiMail will send the DMARC report.

This setting applies only if dmarc-report-analysis-rua-address-mode {auto-discover | manual} is manual.

dmarc-report-analysis-status {enable | disable | use-system-setting}

Select either:

enable: Collect data about email validated by DMARC checks for email sent to this protected domain.
disable: Do not collect DMARC check data.
use-system-setting: Instead of using a domain-level setting, use the system-wide setting in status {enable | disable | monitor-only}.

disable

dmarc-report-generation-from-addr-localpart <localpart_str>

Enter the local part of the sender email address when FortiMail sends reports about DMARC checks to that domain name.

noreply

dmarc-report-generation-status {enable | disable | monitor-only | use-system-setting}

Select either:

enable: Send a report about email validated by DMARC checks.to the domain of the sender.
disable: Do not generate a DMARC report.
monitor-only: Do not generate a report.
use-system-setting: Instead of using a domain-level setting, use the system-wide setting in status {enable | disable | monitor-only}.

use-system-setting

domain-association-mxlookup {self | parent}

In this setting, select which domain name FortiMail should ask for in associated domains' DNS lookups, either:

self: The associated domain.
parent: This protected domain.

This setting is not available in server mode.

email-continuity-status {enable | disable}

Enable or disable email continuity.

disable

email-migration-status {enable | disable}

Enable email migration from an external server to this protected domain.

Email migration is used to move email user accounts and data from an external mail server to this FortiMail system. See the email migration workflow.

This setting is available only on server mode, after you have enabled email-migration-status {enable | disable}.

disable

fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}

Enter the fully qualified domain name (FQDN) or IP address of the secondary SMTP server for this protected domain.

This SMTP server will be used if the primary SMTP server in host {<smtp-server_fqdn> | <smtp-server_ipv4>} is unreachable.

This setting is not available in server mode. This setting is used only if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host.

fallback-port <port_int>

Enter the port number on which the secondary SMTP server listens.

If you enablefallback-use-smtps {enable | disable}, the port number automatically changes to the default port number for SMTPS (465), but can still be customized.

This setting is not available in server mode. This setting is used only if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host.

fallback-use-smtps {enable | disable}

Enable to use SMTPS for connections originating from or destined for this protected server.

This setting is not available in server mode. This setting is used only if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host.

disable

global-bayesian {enable | disable}

Enable to use the global Bayesian database instead of the Bayesian database for this protected domain.

If you do not need the Bayesian database to be specific to the protected domain, you may want to use the global Bayesian database instead in order to simplify database maintenance and training.

Disable to use the per-domain Bayesian database.

disable

greeting-with-host-name {domainname | hostname | othername}

Select how the FortiMail unit will identify itself during the HELO or EHLO greeting of outgoing SMTP connections that it initiates, either:

domainname: The protected domain.

If the FortiMail unit will handle internal email messages (those for which both the sender and recipient addresses in the envelope contain the domain name of the protected domain), to use this option, you must also configure your protected SMTP server to use its host name for SMTP greetings. Failure to do this will result in dropped SMTP sessions, as both the FortiMail unit and the protected SMTP server will be using the same domain name when greeting each other.
hostname: The FortiMail unit's own host name.

By default, the FortiMail unit uses the domain name of the protected domain. If your FortiMail unit is protecting multiple domains and using IP pool addresses, select to use the system host name instead. This setting does not apply if email is incoming, according to the sender address in the envelope, from an unprotected domain.
othername: Use a name other than the domain name or host name, for the HELO/EHLO greeting. Also configure other-helo-greeting <hostname_str>.

hostname

group-exclude-individual {enable | disable}

This setting applies if quarantine-report-to-ldap-groupowner {enable | disable} is enable.

disable

group-recipient-only {enable | disable}

Enable to send the personal quarantine report to the group owner if the original recipient email address was for a group.

This setting applies if quarantine-report-to-ldap-groupowner {enable | disable} is enable.

enable

host {<smtp-server_fqdn> | <smtp-server_ipv4>}

Enter the FQDN or IP address of the primary SMTP server for this protected domain. Also configure port <smtp-port_int> and use-stmps {enable | disable}.

If NAT (on FortiGate, in a "virtual IP") exists between FortiMail and the server, this is the external IP on the router or firewall instead.

This setting is not available in server mode. This setting is used if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is host.

ip-pool-direction {outgoing | incoming | both}

Select the direction of SMTP traffic to use an IP pool for.

This setting is only available after you configure ip-pool <pool_name>.

ip-pool <pool_name>

If you want to use the IP pool as both the destination and source IP address, select the IP pool to use and select both in ip-pool-direction {outgoing | incoming | both}.

Each email that the FortiMail unit sends will use the next IP address in the range. When the last IP address in the range is used, the next email will use the first IP address.

is-service-domain {enable | disable}

Enable to use this domain's SMTP server to deliver email.

disable

is-sub-domain {enable | disable}

Select to indicate whether or not the protected domain you are creating is a subdomain of an existing protected domain. If it is, then also configure main-domain <protected-domain_name>.

This setting is available only when another protected domain exists to select as the parent domain.

disable

ldap-asav-profile <ldap-profile_name>

Select the name of an LDAP profile where you have configured scan preferences (see asav-state {enable | disable}).

This setting applies if ldap-asav-status {enable | disable} is enable.

ldap-asav-status {enable | disable}

disable

ldap-domain-routing-profile <ldap-profile_name>

This setting is not available in server mode. This setting is available if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is ldap-domain-routing.

ldap-groupowner-profile <ldap-profile_name>

Select the name of an LDAP profile that will be used to send the personal quarantine report to a group owner (see group-owner {enable | disable}), rather than individual recipients.

This setting applies if quarantine-report-to-ldap-groupowner {enable | disable} is enable.

ldap-routing-profile <ldap-profile_name>

Select the name of an LDAP profile that will be used to perform mail routing (see routing-state {enable | disable}).

This setting applies if ldap-routing-status {enable | disable} is enable.

ldap-routing-status {enable | disable}

Enable or disable mail routing according to query results from an LDAP profile. Also configure ldap-routing-profile <ldap-profile_name>.

disable

ldap-user-profile <profile_name>

Select the name of an LDAP profile, if any, that will be used:

to expand alias email addresses (see alias-state {enable | disable})
to replace one email address with another (see address-map-state {enable | disable})
(server mode only) to determine the email users in the protected domain, instead of configuring them locally on FortiMail (see query '<query_str>')

This setting may be used together with SAML SSO, which provides authentication but not other mail-specific information about user accounts. See profile sso.

If the query fails or the LDAP server is not accessible, then FortiMail replies to the SMTP client with a temporary failure (SMTP 451 reply code).

mail-access {webmail pop imap}

Select which mail access protocols are allowed for email users in the protected domain: POP3, IMAP, and/or webmail (HTTP/HTTPS).

webmail

main-domain <protected-domain_name>

Select the protected domain that is the parent of this subdomain. For example, sales.example.com might be a subdomain of example.com.

This setting is available only when is-sub-domain {enable | disable} is enable.

max-message-size <limit_int>

Enable then type the limit in kilobytes (KB) of the message size. Email messages over the threshold size are rejected.

If both this setting and its equivalent setting in the session profile are enabled, then email size will be limited to whichever size is smaller.

204800

max-user-number <users_limit>

Enter the maximum number of email account in this protected domain.

max-user-quota <GB_int>

Enter the maximum disk quota, in megabytes (MB), for each email user in the protected domain.

This number, multiplied by the number in max-user-number <users_limit>, must not exceed the total in disk-quota <GB_int>.

mx-lookup-alt-domain-name <domain_str>

Enter the domain name to use when querying the DNS server for the protected domain's MX records.

This setting is not available in server mode. This setting is available if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is mx-lookup-alt-domain.

other-helo-greeting <hostname_str>

Enter the name to use for the SMTP greeting (HELO/EHLO).

This setting is available only if greeting-with-host-name {domainname | hostname | othername} is othername, and if operating in gateway mode or transparent mode.

pattern-type {wildcard | regexp}

Select whether the pattern matching engine will use wild cards (* or ?) or regular expressions. Also configure sender-pattern <sender_pattern>.

wildcard

port <smtp-port_int>

If you enable use-stmps {enable | disable}, the port number automatically changes to the default port number for SMTPS (465), but can still be customized.

quarantine-report-schedule-status {enable | disable}

Select which schedule to use when sending personal quarantine reports, either:

disable: Use the system-wide schedule (see antispam quarantine-report).
enable: Use a schedule that is specific to this protected domain. Also configure schedule-hours {0 .. 23} and schedule-days {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}.

disable

quarantine-report-status {enable | disable}

Select which email template to use when sending personal quarantine reports, either:

disable: Use the system-wide template (see antispam quarantine-report).
enable: Use a template that is specific to this protected domain. Also configure report-template-name <profile_name>.

disable

quarantine-report-to-alt-addr <recipient_email>

Enter the alternative email address that will receive the personal quarantine report.

quarantine-report-to-alt {enable | disable}

Enable to send the personal quarantine report to a recipient email address other than the original recipients or group owner. Also configure quarantine-report-to-alt-addr <recipient_email>.

For example, you might delegate quarantine reports by sending them to an administrator whose email address is not in the protected domain, such as admin@lab.example.com.

disable

quarantine-report-to-individual {enable | disable}

Enable to send the personal quarantine report to all recipient email addresses in the original email.

enable

quarantine-report-to-ldap-groupowner {enable | disable}

disable

recipient-retention-period <days_int>

Enter the retention period in days for inactive user accounts. Valid values are 15-180.

This setting is not available in server mode. This setting applies if recipient-verification-background {disable | ldap | purge-inactive | smtp} is purge-inactive.

recipient-verification-background-profile <ldap-profile_name>

Select an LDAP profile with a user query.

This setting is not available in server mode. This setting applies if recipient-verification-background {disable | ldap | purge-inactive | smtp} is ldap.

recipient-verification-background {disable | ldap | purge-inactive | smtp}

Select how to confirm that a personal quarantine is valid, either:

disable: Do not verify.
smtp: Connect to the protected domain's SMTP server (determined by relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}).

Note: For stronger security, only allow FortiMail to connect to the SMTP server. Attackers can use VRFY commands in directory harvesting attacks to determine all valid senders in the domain, and target them.
ldap: Query a directory server such as Microsoft Entra ID or Active Directory. Also configure recipient-verification-background-profile <ldap-profile_name>.
purge-inactive: If an email user has been inactive for more than the time period in recipient-retention-period <days_int>, delete their personal quarantine.

This setting is not available in server mode.

recipient-verification-invalid-user-action {reject | discard}

Select which SMTP reply code to return to the client if the recipient is not valid.

This setting is not available for server mode. This setting applies if you have selected any recipient verification method in recipient-verification {disable | imported-user | ldap | smtp}.

reject

recipient-verification-profile <profile_name>

Select an LDAP profile with a user query to use for recipient verification.

This setting is not available for server mode. This setting applies if recipient-verification {disable | imported-user | ldap | smtp} is ldap.

recipient-verification {disable | imported-user | ldap | smtp}

Select how to confirm that the recipient exists, either:

disable: Do not verify.
smtp: Connect to the protected domain's SMTP server (determined by relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}) or, if alt-smtp-verification {enable | disable} is enable, an alternative SMTP server. Also configure:
Note: For stronger security, only allow FortiMail to connect to the SMTP server. Attackers can use VRFY commands in directory harvesting attacks to determine all valid senders in the domain, and target them.
ldap: Query an LDAP server to verify that the recipient address is an email user account that actually exists. Also configure recipient-verification-profile <profile_name>.
imported-user: Verify with the list of users that has been synchronized to FortiMail.

If you select recipient verification, also configure recipient-verification-invalid-user-action {reject | discard}.

disable

relay-auth-password <password_str>

Enter the password for authentication with the SMTP server.

This setting is not available in server mode.

relay-auth-status {enable | disable}

This setting is not available in server mode.

disable

relay-auth-type {auto | cram-md5 | digest-md5 | login | ntlm | plain}

Select the type of SMTP authentication, either:

auto: Automatically detect and use the most secure SMTP authentication type supported by the relay server.
plain: Unencrypted, scrambled password.
login: Unencrypted, scrambled password.
digest-md5: Encrypted hash of the password.
cram-md5: Encrypted hash of the password, with hash replay prevention, combined with a challenge and response mechanism.
ntlm: NT LAN Manager protocols with a hashed password.

This setting is not available in server mode.

auto

relay-auth-username <username_str>

Enter the username for authentication with the SMTP server.

This setting is not available in server mode.

relay-ip-group <ip-group_name>

Select the name of an IP group that defines the SMTP servers for the protected domain. Also configure port <smtp-port_int> and use-stmps {enable | disable}.

This setting is not available in server mode. This setting is available if relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain} is ip-pool.

relay-type {host | ip-pool | ldap-domain-routing | mx-lookup | mx-lookup-alt-domain}

Select how to define the SMTP server which will receive email for the protected domain from the FortiMail system, either:

host: One protected SMTP server and, if any, one fallback. Also configure host {<smtp-server_fqdn> | <smtp-server_ipv4>} and fallback-host {<smtp-server_fqdn> | <smtp-server_ipv4>}.
mx-lookup: Query the DNS server’s MX record of the protected domain name for the FQDN or IP address of the SMTP server. If there are multiple MX records, connections rotate to load balance between them.

Note: For performance reasons, DNS lookups are skipped in gateway and server mode unless the sending domain is blank.

Note: If an MX option is used, you may also be required to configure the FortiMail system to use a private DNS server whose MX and/or A records differ from that of a public DNS server. Requirements vary by the topology of your network and by the operating mode. See the setup instructions for gateway mode and setup instructions for transparent mode.
mx-lookup-alt-domain: Query the DNS server’s MX record of a domain name you specify for the FQDN or IP address of the SMTP server. If there are multiple MX records, connections rotate to load balance between them. Also configure mx-lookup-alt-domain-name <domain_str>.
ip-pool: Multiple protected SMTP servers. Connections rotate among them for load balancing. Also configure relay-ip-group <ip-group_name>.
ldap-domain-routing: Query the LDAP server for the FQDN or IP address of the SMTP server.Also configure ldap-domain-routing-profile <ldap-profile_name>.

This setting is not available in server mode.

host

remove-outgoing-received-header {enable | disable}

Enable to remove all Received: message headers that have been inserted by other MTAs (not FortiMail) from email whose:

sender email address belongs to this protected domain, and
recipient email address is outgoing (that is, does not belong to this protected domain); if there are multiple recipients, only the first recipient’s email address is used to determine whether an email is outgoing.

Alternatively, you can remove this header from any matching email using session profiles. See remove-received-headers {enable | disable}.

disable

report-template-name <profile_name>

Select which template to use for the personal quarantine reports for this protected domain.

This setting is available if quarantine-report-status {enable | disable} is enable.

schedule-days {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}

Select the days of the week when the personal quarantine reports for this protected domain will be generated.

This setting is available if quarantine-report-schedule-status {enable | disable} is enable.

schedule-hours {0 .. 23}

Select the hour of the day when the personal quarantine reports for this protected domain will be generated. Valid range is from 0 to 23.

This setting is available if quarantine-report-schedule-status {enable | disable} is enable.

sender-addr-rate-ctrl-action {none | reject | temp-fail}

Select which SMTP reply code to send to an SMTP client when a user exceeds any of the sender address rate limits.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

sender-addr-rate-ctrl-max-msgs-state {enable | disable}

Enable to rate limit email from sender email addresses by maximum number of messages. Also configure sender-addr-rate-ctrl-max-msgs <messages_int>.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-addr-rate-ctrl-max-msgs <messages_int>

Enter the maximum number of emails per sender email address in each 30 minute time interval.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable, and if sender-addr-rate-ctrl-max-msgs <messages_int> is enable.

sender-addr-rate-ctrl-max-recipients-state {enable | disable}

Enable to rate limit email from sender email addresses by maximum number of unique recipient email addresses. Also configure sender-addr-rate-ctrl-max-recipients <recipients_int>.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-addr-rate-ctrl-max-recipients <recipients_int>

Enter the maximum number of unique email recipient addresses per sender email address in each 30 minute time interval.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable, and if sender-addr-rate-ctrl-max-recipients-state {enable | disable} is enable.

sender-addr-rate-ctrl-max-size-state {enable | disable}

Enable to rate limit email from sender email addresses by message size total. Also configure sender-addr-rate-ctrl-max-size <size_int>.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-addr-rate-ctrl-max-size <size_int>

Enter the maximum size, in megabytes (MB), per sender email address in each 30 minute time interval.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable, and if sender-addr-rate-ctrl-max-size-state {enable | disable} is enable.

100

sender-addr-rate-ctrl-max-spam-state {enable | disable}

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-addr-rate-ctrl-max-spam <spam_int>

Enter the maximum number of email deemed to be spam by FortiMail that will be accepted per sender email address in each 30 minute time interval.

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable, and if sender-addr-rate-ctrl-max-spam-state {enable | disable} is enable.

sender-addr-rate-ctrl-state {enable | disable}

disable

sender-addr-rate-notification-profile <profile_name>

Select which notification profile to use for sender address rate control in this protected domain.

This setting applies only if sender-addr-rate-notification-state {enable | disable} is enable.

sender-addr-rate-notification-state {enable | disable}

This setting applies only if sender-addr-rate-ctrl-state {enable | disable} is enable.

disable

sender-pattern <sender_pattern>

Enter a pattern that matches sender email addresses that are exempt from sender address rate limits. Valid syntax varies by pattern-type {wildcard | regexp}.

smtp-mail-from-addr-status {use-system-setting | use-domain-setting}

Select which sender email address that the FortiMail will use during recipient verification, either:

use-system-setting: Use the system-level setting mail-from-addr <sender_email>.

Note: By default, the system-level setting is empty. Some services such as Microsoft 365 do not accept an empty sender email address (MAIL FROM:).
use-domain-setting: Use the protected domain-specific setting smtp-mail-from-addr <sender_email>.

This setting is available if recipient-verification {disable | imported-user | ldap | smtp} is smtp.

use-system-setting

smtp-mail-from-addr <sender_email>

Enter the sender email address, if any, that FortiMail will use in the SMTP envelope when connecting for recipient verification.

Note: Some services such as Microsoft 365 do not accept an empty sender email address (MAIL FROM:).

smtp-recipient-verification-accept-reply-string "<accept_pattern>"

When FortiMail queries the SMTP server for recipient verification:

If the SMTP reply code is 2xx, then the recipient exists.
If the SMTP reply code is not 2xx, then FortiMail will try to match the text with this pattern. If the text matches, the recipient exists.
Otherwise, the recipient is unknown.

smtp-recipient-verification-command {rcpt | vrfy}

Select which SMTP command that the FortiMail system uses to query the SMTP server to verify that the recipient address is an email user account that currently exists, either:

RCPT TO:
VRFY. Also configure smtp-recipient-verification-accept-reply-string "<accept_pattern>".

This setting in not available in server mode. This setting is available if recipient-verification {disable | imported-user | ldap | smtp} is smtp.

rcpt

sso-profile <profile_name>

Select the name of an SSO profile.

sso-status {enable | disable}

Enable for users in the protected domain to be able to log in via the authentication server defined in a single sign-on (SSO) profile. Also configure sso-profile <profile_name>.

For details, see profile sso and system saml.

disable

tp-hidden {no | yes}

Enable to preserve the IP address or domain name of the SMTP client for incoming email messages in the:

SMTP greeting (HELO/EHLO) in the envelope
Received: message headers
IP addresses in the IP header

This masks the existence of the FortiMail system to the protected SMTP server.

Disable to replace the SMTP client’s IP address or domain name with that of the FortiMail system.

Received: from 192.168.1.1 (EHLO 172.16.1.1) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:12:40 -0800

Received: from smtpa ([172.16.1.2]) by [172.16.1.1] with SMTP id kAOFESEN001901 for <user1@external.example.com>; Fri, 24 Jul 2008 15:14:28 GMT

But if the option is disabled, the message headers would contain:

Received: from 192.168.1.1 (EHLO fortimail.example.com) (192.168.1.1) by smtp.external.example.com with SMTP; Fri, 24 Jul 2008 07:17:45 -0800

Received: from smtpa ([172.16.1.2]) by fortimail.example.com with SMTP id kAOFJl4j002011 for <user1@external.example.com>; Fri, 24 Jul 2008 15:19:47 GMT

This setting is only available in transparent mode.

tp-server-on-port <port_int>

Select the network interface (port) to which the protected SMTP server is connected.

This setting is only available in transparent mode.

Note: Selecting the wrong network interface will result in the FortiMail sending email traffic to the wrong network interface.

tp-use-domain-mta {yes | no}

Enable to use the protected SMTP server, instead of the FortiMail built-in MTA, to deliver outgoing email messages from the SMTP clients whose sending MTA is the protected SMTP server.

This setting is only available in transparent mode.

use-stmps {enable | disable}

Enable to use SMTPS (secure SMTP) for connections to this protected domain's SMTP server.

disable

user-management-web-service-status {enable | disable}

Enable to use FortiMail to manage email user accounts that are stored on FortiAuthenticator.

disable

webmail-language <language_name>

Select the language that the FortiMail unit will to display webmail and quarantine folder in the GUI for users. By default, the FortiMail unit uses the same language as the GUI for administrators.

webmail-service-type {full limited}

Select either:

full
limited: Email users can only change their passwords and configure mail forwarding. All other features will not be available.

webmail-theme {Blue | Dark | Green | Light-Blue | Neutrino | Red | Use-system-setting}

If webmail-theme-status {enable | disable} is enable, then after they log in, each user may choose a different theme.

Use-system-setting

config file filter

Syntax

This sub-command is available from within the command domain.

config file filter

edit <file-type_str>

set extension <file-extension_pattern>

set mime-type <mime-type_str>

end

Variable	Description	Default
<file-type_str>	Enter a unique name for the file attachment type.
description "<comment_str>"	Enter a description or comment.
extension <file-extension_pattern>	Enter a file extension expressed as a wildcard pattern, for example: `.exe` `.dll`
mime-type <mime-type_str>	Enter a MIME type in the format `<category>/<format>`, in order to filter by file category and format. For example, to filter by image, and specifically for PNG, enter: set mime-type image/png To filter for all video formats, enter: set mime-type video/*

config policy recipient

Use this sub-command to configure a recipient-based policy for a protected domain. To configure system-wide policies, see policy recipient instead.

Syntax

This sub-command is available from within the command domain.

config policy recipient

edit <policy_index>

set sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard}

set direction {incoming | outgoing}

set sender-name <local-part_str>

set sender-domain <domain_name>

set sender-regex "<sender_pattern>"

set sender-email-address-group <group_name>

set profile-ldap-sender <ldap-profile_name>

set sender-import-attribute-name <name_str>

set sender-import-attribute-value <value_str>

set sender-option {envelope-from | envelope-or-header-from | header-from}

set sender-exclusion-status {enable | disable}

set sender-exclusion-type {email-address-group | user-regex | user-wildcard}

set sender-exclusion-name "<local-part-str>"

set sender-exclusion-domain "<domain-part_str>"

set sender-exclusion-regex "<exclusion_pattern>"

set sender-exclusion-email-address-group <group_name>

set recipient-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard}

set recipient-name "<local-part_str>"

set recipient-domain "<domain_str>"

set recipient-regex "<recipient_pattern>"

set recipient-email-address-group <group_name>

set profile-ldap-recipient <ldap-profile_name>

set recipient-import-attribute-name <name_str>

set recipient-import-attribute-value <value_str>

set recipient-exclusion-status {enable | disable}

set recipient-exclusion-type {email-address-group | user-regex | user-wildcard}

set recipient-exclusion-name "<local-part-str>"

set recipient-exclusion-domain "<domain-part_str>"

set recipient-exclusion-regex "<exclusion_pattern>"

set recipient-exclusion-email-address-group <group_name>

set profile-antispam <antispam_name>

set profile-antivirus <antivirus_name>

set profile-content <profile_name>

set profile-dlp <profile_name>

set profile-resource <profile_name>

set profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp}

set profile-auth-imap <imap_name>

set profile-auth-ldap <ldap_name>

set profile-auth-pop3 <pop3_name>

set profile-auth-radius <radius_name>

set profile-auth-smtp <smtp_name>

set auth-allow-smtp {enable | disable}

set pkiauth {enable | disable}

set pkiuser <user_name>

set certificate-required {yes | no}

set smtp-diff-identity {enable | disable}

set smtp-diff-identity-ldap {enable | disable}

set smtp-diff-identity-ldap-profile <profile_name>

end

Variable	Description	Default
<policy_index>	Enter the index number of the recipient-based policy. To view a list of existing entries, enter a question mark ( `?` ). Note: The ID is automatically assigned when the policy is created, and may be different from its order in the list. See the order of execution for policies.
auth-allow-smtp {enable \| disable}	Enable to allow the SMTP client to use the SMTP `AUTH` command to authenticate the connection. Disable to make SMTP authentication unavailable. This setting is available in gateway and transparent mode, and only if you have selected an authentication type in `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}`. Note: This setting allows, but does not require, SMTP authentication. To enforce SMTP authentication, set `authenticated {any \| authenticated \| not-authenticated}` to `authenticated` in all access control rules that accept and scan traffic.
certificate-required {yes \| no}	Select either: `yes`: Require valid certificates only and disallow password-style fallback. `no`: Fall back to standard user name and password-style authentication if the email user’s web browser does not provide a valid personal certificate. This setting is available only if `direction {incoming \| outgoing}` is `incoming`, and applies only if `pkiauth {enable \| disable}` is `enable`.	no
comment "<comment_str>"	Enter a description or comment.
direction {incoming \| outgoing}	Select the direction of email that this policy matches, with respect to protected domains.	incoming
pkiauth {enable \| disable}	Enable if you want to allow webmail and personal quarantine users to log in by presenting a certificate rather than a user name and password. Also configure `pkiuser <user_name>` and `certificate-required {yes \| no}`. This setting is available only if `direction {incoming \| outgoing}` is `incoming`, and only for transparent and gateway mode.	disable
pkiuser <user_name>	Enter the name of a PKI user, such as `user1`, from `config user pki`. This setting only applies if `pkiauth {enable \| disable}` is `enable`.
profile-antispam <antispam_name>	Select which antispam profile, if any, to apply to email matching the policy. Tip: You can use an LDAP query to enable or disable antispam scanning on a per-user basis (`asav-state {enable \| disable}`).
profile-antivirus <antivirus_name>	Select which antivirus profile, if any, to apply to email matching the policy.
profile-auth-imap <imap_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `imap`.
profile-auth-ldap <ldap_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `ldap`.
profile-auth-pop3 <pop3_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `pop3`.
profile-auth-radius <radius_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `radius`.
profile-auth-smtp <smtp_name>	Select an authentication profile. This setting is available only if `profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}` is `smtp`.
profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}	Select the type of the authentication profile that FortiMail will use to authenticate email users: `none` (this effectively disables authentication) `local` (server mode only) `ldap` `smtp` `imap` `pop3` `radius` Depending on the type that you select, also configure `profile-auth-ldap <ldap_name>` etc. and, for SMTP access, configure `auth-allow-smtp {enable \| disable}`. Otherwise the authentication profile will only be used for HTTP or HTTPS access to personal quarantines (or, for server mode, webmail). See also the workflow for quarantines and workflow for email user authentication.	none
profile-content <profile_name>	Select which content profile, if any, to apply to the policy.
profile-dlp <profile_name>	Select which DLP profile, if any, to apply to email matching the policy.
profile-ldap-recipient <ldap-profile_name>	If `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `ldap-group`, enter the name of an LDAP profile in which the group owner query has been enabled and configured.
profile-ldap-sender <ldap-profile_name>	If `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `ldap-group`, enter the name of an LDAP profile in which the group owner query has been enabled and configured.
profile-resource <profile_name>	Select which content profile, if any, to apply to email matching the policy. This setting is available only if FortiMail is operating in server mode or gateway mode.
profile-user-import-recipient <profile_name>	Select an import profile. Also configure `recipient-import-attribute-name <name_str>` and `recipient-import-attribute-value <value_str>`. This setting is available only if: operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-group` or `import-user`
profile-user-import-sender <profile_name>	Select an import profile. Also configure `sender-import-attribute-name <name_str>` and `sender-import-attribute-value <value_str>`. This setting is available only if: operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-group` or `import-user`
recipient-domain "<domain_str>"	Enter the local part (username) of recipient email addresses that match this policy. This setting is available only if `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `user-wildcard`.
recipient-email-address-group <group_name>	Enter the group of recipient email addresses. This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `email-user-group`.
recipient-exclusion-domain "<domain-part_str>"	Enter the domain name of recipient email addresses that you want to exclude. This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-wildcard`.	*
recipient-exclusion-email-address-group <group_name>	Enter the group membership attribute value as it appears in the LDAP directory. This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `email-address-group`.
recipient-exclusion-name "<local-part-str>"	Enter the local part (username) of recipient email addresses that you want to exclude. This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-wildcard`.	*
recipient-exclusion-regex "<exclusion_pattern>"	Enter a regular expression that matches only recipient email addresses that you want to exclude, such as: .*@example\.com This setting is available only if `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-regex`.
recipient-exclusion-status {enable \| disable}	Enable if you want to exclude some recipient email addresses from matching this policy. Also configure `recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}`.	disable
recipient-exclusion-type {email-address-group \| user-regex \| user-wildcard}	Select how you want to define excluded recipient email addresses. Depending on which you select, also configure `recipient-exclusion-name "<local-part-str>"` etc. This setting is available only if `recipient-exclusion-status {enable \| disable}` is `enable`.	user-wildcard
recipient-import-attribute-name <name_str>	Enter the name of attributes to match users from an import profile. This setting is available only if operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-group` or `import-user`
recipient-import-attribute-value <value_str>	Enter the value of attributes to match users from an import profile. This setting is available only if operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is`import-user`
recipient-name "<local-part_str>"	Enter the local part (username) of recipient email addresses that match this policy. This setting is available only if `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `user-wildcard`.
recipient-regex "<recipient_pattern>"	Enter a regular expression that matches only the recipient email addresses that should match this policy. This setting is available if `recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `regexp`.	.*
recipient-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}	Select how to define recipient (`RCPT TO:`) email addresses that match this policy. Depending on which you select, also configure `profile-ldap-recipient <ldap-profile_name>`, `recipient-regex "<recipient_pattern>"`, etc.	user
sender-domain <domain_name>	Enter the domain name of sender email addresses that match this policy. This setting is available only if `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `user-wildcard`.
sender-email-address-group <group_name>	Enter the group membership attribute value as it appears in the LDAP directory. This setting is available only if `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `email-user-group`. This setting is available only if `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `email-user-group`.
sender-exclusion-domain "<domain-part_str>"	Enter the domain name of sender email addresses that you want to exclude. This setting is available only if `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-wildcard`.	*
sender-exclusion-email-address-group <group_name>	Select a group of email addresses you want to exclude. This setting is available only if `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `email-address-group`.
sender-exclusion-name "<local-part-str>"	Enter the local part (username) of sender email addresses that you want to exclude. This setting is available only if `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-wildcard`.	*
sender-exclusion-regex "<exclusion_pattern>"	Enter a regular expression that matches only sender email addresses that you want to exclude, such as: .*@example\.com This setting is available only if `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}` is `user-regex`.
sender-exclusion-status {enable \| disable}	Enable if you want to exclude some sender email addresses from matching this policy. Also configure `sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}`. Sender exclusion settings apply only if `direction {incoming \| outgoing}` is `outgoing`.	disable
sender-exclusion-type {email-address-group \| user-regex \| user-wildcard}	Select how you want to define excluded sender email addresses. Depending on which you select, also configure `sender-exclusion-name "<local-part-str>"` etc. This setting is available only if `sender-exclusion-status {enable \| disable}` is `enable`.	user-wildcard
sender-import-attribute-name <name_str>	Enter the name of attributes to match users from an import profile. This setting is available only if operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-group` or `import-user`
sender-import-attribute-value <value_str>	Enter the value of attributes to match users from an import profile. This setting is available only if operation mode is gateway or transparent `user-management {enable \| disable}` is `enable` (advanced management feature license) policy is domain-specific `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `import-user`
sender-name <local-part_str>	Enter the local part (username) of sender email addresses that match this policy. This setting is available only if sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard} is `user-wildcard`.
sender-option {envelope-from \| envelope-or-header-from \| header-from}	Select whether to match this policy based upon the sender email address that is in the SMTP envelope (`MAIL FROM:`) and/or message headers (`From:`). This setting is available only if enabled in recipient-policy-sender-option {envelope-from-only \| envelope-or-header-from}. Caution: Message headers may be rewritten or fake. Do not match policies based upon the email address in `From:` unless the upstream MTA is trusted to authenticate senders for this domain, including validating secondary email addresses and aliases. See also smtp-diff-identity-ldap {enable \| disable}.	envelope-from
sender-regex "<sender_pattern>"	Enter a regular expression that matches only the sender email addresses that should match this policy. This setting is only available when `sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}` is `regexp`.	.*
sender-type {email-user-group \| import-group \| import-user \| ldap-group \| user-regex \| user-wildcard}	Select how to define sender (`MAIL FROM:`) email addresses that match this policy. Depending on which you select, also configure profile-ldap-sender <ldap-profile_name>, sender-regex "<sender_pattern>", etc.	user-wildcard
smtp-diff-identity {enable \| disable}	Disable to allow the SMTP client to send email using a different sender email address (`MAIL FROM:`) than the user name that they used to authenticate. This is often normal (for example, `jmartinez@example.com` might authenticate and send email on behalf of their department alias, `sales@example.com`), but it could be fraudulent, so often you should also configure smtp-diff-identity-ldap {enable \| disable}. Enable to require that the sender email address in the SMTP envelope matches the authenticated user name, and reply with an SMTP rejection code if they don't match. This setting is applicable only if profile-auth-type {imap \| ldap \| local \| none \| pop3 \| radius \| smtp}is not `none`.	disable
smtp-diff-identity-ldap {enable \| disable}	Enable to use a directory query to find and verify the sender's other email addresses. Also configure smtp-diff-identity-ldap-profile <profile_name>. This setting is applicable only if smtp-diff-identity {enable \| disable} is `disable`. Note: If verification succeeds, the sender email sender address in the SMTP envelope (`MAIL FROM:`) must still match the message header (`From:`). Both sender addresses must not be empty.	disable
smtp-diff-identity-ldap-profile <profile_name>	Select which LDAP profile to use for verifying an email user's other identities. This setting is applicable only if smtp-diff-identity-ldap {enable \| disable} is `enable`.
status {enable \| disable}	Enable to apply the policy.	enable

config profile user-import

Use this command to configure account synchronization to import users from LDAP or Microsoft 365, Entra ID, or Exchange servers.

Syntax

This sub-command is available from within the command domain.

config profile user-import

edit <profile_name>

set base-dn <base-DN_str>

set bind-dn <bind-DN_str>

set bind-password <password_str>

set description "<comment_str>"

set group-display-name <ldap-attribute_str>

set group-primary-address <ldap-attribute_str>

set group-query <query-filter_str>

set group-secondary-address <ldap-attribute_str>

set ldap-port <port_int>

set ldap-secure {enable | disable}

set ldap-server {<ldap-server_ipv4> | ldap-server_fqdn>}

set ldap-version {ver2 | ver3}

set ms365-application-id <application_str>

set ms365-application-secret <password_str>

set ms365-tenant-id <tenant_str>

set recurrence {daily | monthly | none | weekly}

set referrals-chase {enable | disable}

set schedule-hour <hour_int>

set schedule-days {Monday Tuesday Wednesday Thursday Friday Saturday Sunday}

set scope {base | one | sub}

set timeout <seconds_int>

set type {ldap | ms365}

set user-display-name <ldap-attribute_str>

set user-primary-address <ldap-attribute_str>

set user-query <query-filter_str>

set user-secondary-address <ldap-attribute_str>

end

Variable	Description	Default
base-dn <base-DN_str>	Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as `ou=People,dc=example,dc=com`. User objects should be child nodes of this location.
bind-dn <bind-DN_str>	Enter the bind DN, such as `cn=FortiMailA,dc=example,dc=com`, of an LDAP user account with permissions to query the basedn.
bind-password <password_str>	Enter the password of `bind-dn <bind-DN_str>`.
description "<comment_str>"	Enter a description.
group-display-name <ldap-attribute_str>	Enter the LDAP group or mailing list display name attribute.
group-primary-address <ldap-attribute_str>	Enter the LDAP group or mailing list primary email address attribute.
group-query <query-filter_str>	Enter the LDAP group or mailing list query string.
group-secondary-address <ldap-attribute_str>	Enter the LDAP group or mailing list secondary email address attribute.
ldap-port <port_int>	Enter the port number of the LDAP server. The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.	389
ldap-secure {enable \| disable}	Enable or disable (by default) a secure encrypted connection to the LDAP server.	disable
ldap-server {<ldap-server_ipv4> \| ldap-server_fqdn>}	Enter the fully qualified domain name (FQDN) or IP address of the directory server.
ldap-version {ver2 \| ver3}	Enter the LDAP server protocol version.	ver3
ms365-application-id <application_str>	Enter the Microsoft 365 application ID.
ms365-application-secret <password_str>	Enter the Microsoft 365 application secret.
ms365-tenant-id <tenant_str>	Enter the Microsoft 365 tenant ID.
recurrence {daily \| monthly \| none \| weekly}	Define the recurrence/schedule of the remote server synchronization.	none
referrals-chase {enable \| disable}	Enable or disable (by default) chasing of referrals.	disable
schedule-days {Monday Tuesday Wednesday Thursday Friday Saturday Sunday}	Enter the days on which synchronization will occur.
schedule-hour <hour_int>	Enter the hour of the day at which synchronization will occur, from 0 to 23.	1
scope {base \| one \| sub}	Define the search scope of the LDAP server; either base, one level, or subtree (by default).	sub
timeout <seconds_int>	Enter the query timeout limit in seconds. Valid range is from 60 to 600.	60
type {ldap \| ms365}	Enter the remote server profile type.	ldap
user-display-name <ldap-attribute_str>	Enter the LDAP user's display name attribute.
user-primary-address <ldap-attribute_str>	Enter the LDAP user's primary email address attribute.
user-query <query-filter_str>	Enter the LDAP query string to get all users.
user-secondary-address <ldap-attribute_str>	Enter the LDAP user's secondary email address attribute.

config system disclaimer-message

Use this command to configure which email will have domain-specific disclaimer messages.

If required, you can exclude some email so that they do not receive a disclaimer. See system disclaimer-exclude.

Disclaimer insertion may invalidate existing DKIM signatures, requiring an alternative ARC signature. See arc-sealing-option {all | disable | incoming | outgoing}.

Syntax

config system disclaimer-message

edit <profile_index>

set sender-domain-type {all | external | internal}

set recipient-domain-type {all | external | internal}

set relationship-strength-status {enable | disable}

set relationship-strength {neutral | strong | weak}

set domain-customized-message {enable | disable}

set customized-message <customized-message_name>

end

Variable	Description	Default
<profile_index>	Enter a number for the entry.
customized-message <customized-message_name>	Select which domain-specific customized message to apply as the disclaimer. To customize the message, configure config customized-message (domain-specific) or customized-message (system-wide).	default
domain-customized-message {enable \| disable}	Enable to use a domain-specific disclaimer message. Also configure customized-message <customized-message_name>. Disable to use the system-wide disclaimer message.	disable
recipient-domain-type {all \| external \| internal}	Select which type of recipient domains will have the disclaimer message applied to their email.	internal
relationship-strength {neutral \| strong \| weak}	Select which sender-recipient relationship (SRR) score levels should trigger this disclaimer: `weak` `neutral` `strong` FortiGuard Social Database contains the social mapping of the email communication flow. For example, if `user1@1.example.com` and `user2@2.example.com` have regular communication, then their social relationship is strong; if they have no history of communication before, then their SRR is weak.	weak neutral strong
relationship-strength-status {enable \| disable}	(SRR) score levels to trigger this disclaimer. Also configure `relationship-strength {neutral \| strong \| weak}`.	disable
sender-domain-type {all \| external \| internal}	Select which type of sender domains will have the disclaimer message applied to their email.	external
status {enable \| disable}	Enable or disable the entry.	disable

config user mail

Use this sub-command to configure email user accounts.

Syntax

This sub-command is available from within the command domain.

config user mail

rename <old-user_name> to <new-user_name>

edit <user_name>