CLI Reference

policy recipient

Use this command to create system-wide sender- or recipient-based policies, selected by the inbound or outbound direction of an email message with respect to the protected domain.

Syntax

config policy recipient

edit <policy_index>

[set comment "<comment_str>"]

set status {enable | disable}

set direction {incoming | outgoing}

set sender-type {email-user-group | ldap-group | user-regex | user-wildcard}

set sender-option {envelope-from | header-from | envelope-or-header-from}

set sender-name "<local-part_str>"

set sender-domain "<domain_str>"

set sender-regex "<sender_pattern>"

set sender-email-address-group <group_name>

set profile-ldap-sender <ldap-profile_name>

set sender-exclusion-status {enable | disable}

set sender-exclusion-type {email-address-group | user-regex | user-wildcard}

set sender-exclusion-name "<local-part-str>"

set sender-exclusion-domain "<domain-part_str>"

set sender-exclusion-regex "<exclusion_pattern>"

set sender-exclusion-email-address-group <group_name>

set recipient-type {email-user-group | ldap-group | user-regex | user-wildcard}

set recipient-name "<local-part_str>"

set recipient-domain "<domain_str>"

set recipient-regex "<recipient_pattern>"

set recipient-email-address-group <group_name>

set profile-ldap-recipient <ldap-profile_name>

set recipient-exclusion-status {enable | disable}

set recipient-exclusion-type {email-address-group | user-regex | user-wildcard}

set recipient-exclusion-name "<local-part-str>"

set recipient-exclusion-domain "<domain-part_str>"

set recipient-exclusion-regex "<exclusion_pattern>"

set recipient-exclusion-email-address-group <group_name>

set profile-antispam <antispam-profile_name>

set profile-antivirus <antivirus-profile_name>

set profile-content <content-profile_name>

set profile-dlp <profile_name>

set profile-resource <profile_name>

set profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp}

set profile-auth-imap <profile_name>

set profile-auth-ldap <profile_name>

set profile-auth-pop3 <profile_name>

set profile-auth-radius <profile_name>

set profile-auth-smtp <profile_name>

set auth-allow-smtp {enable | disable}

set pkiauth {enable | disable}

set pkiuser <user_str>

set certificate-required {yes | no}

set smtp-diff-identity {enable | disable}

set smtp-diff-identity-ldap {enable | disable}

set smtp-diff-identity-ldap-profile <profile_name>

end

Variable

Description

Default

<policy_index>

Enter the index number of the recipient-based policy.

To view a list of existing entries, enter a question mark ( ? ).

Note: The ID is automatically assigned when the policy is created, and may be different from its order in the list. See the order of execution for policies.

auth-allow-smtp {enable | disable}

Enable to allow the SMTP client to use the SMTP AUTH command to authenticate the connection.

Disable to make SMTP authentication unavailable.

This setting is available in gateway and transparent mode, and only if you have selected an authentication type in profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp}.

Note: This setting allows, but does not require, SMTP authentication. To enforce SMTP authentication, set authenticated {any | authenticated | not-authenticated} to authenticated in all access control rules that accept and scan traffic.

certificate-required {yes | no}

Select yes to require valid certificates only and disallow password-style fallback.

Select no to fall back to standard user name and password-style authentication if the email user’s web browser does not provide a valid personal certificate.

This setting is available only if direction {incoming | outgoing} is incoming, and applies only if pkiauth {enable | disable} is enable.

no

comment "<comment_str>"

Enter a comment or description.

direction {incoming | outgoing}

Select the direction of email that this policy matches, with respect to protected domains.

incoming

pkiauth {enable | disable}

Enable if you want to allow webmail and personal quarantine users to log in by presenting a certificate rather than a user name and password. Also configure pkiuser <user_str> and certificate-required {yes | no}.

This setting is available only if direction {incoming | outgoing} is incoming, and only for transparent and gateway mode.

disable

pkiuser <user_str>

Enter the name of a PKI user, such as user1, from config user pki.

This setting only applies if pkiauth {enable | disable} is enable.

profile-antispam <antispam-profile_name>

Select which antispam profile, if any, to apply to email matching the policy.

Tip: You can use an LDAP query to enable or disable antispam scanning on a per-user basis (asav-state {enable | disable}).

profile-antivirus <antivirus-profile_name>

Select which antivirus profile, if any, to apply to email matching the policy.

profile-auth-imap <profile_name>

Select an authentication profile.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is imap.

profile-auth-ldap <profile_name>

Select an authentication profile.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is ldap.

profile-auth-pop3 <profile_name>

Select an authentication profile.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is pop3.

profile-auth-radius <profile_name>

Select an authentication profile.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is radius.

profile-auth-smtp <profile_name>

Select an authentication profile.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is smtp.

profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp}

Select the type of the authentication profile that FortiMail will use to authenticate email users:

  • none (this effectively disables authentication)

  • local (server mode only)

  • ldap

  • smtp

  • imap

  • pop3

  • radius

Depending on the type that you select, also configure profile-auth-ldap <profile_name> etc. and, for SMTP access, configure auth-allow-smtp {enable | disable}. Otherwise the authentication profile will only be used for HTTP or HTTPS access to personal quarantines (or, for server mode, webmail). See also the workflow for quarantines and workflow for email user authentication.

none

profile-content <content-profile_name>

Select which content profile, if any, to apply to email matching the policy.

profile-dlp <profile_name>

Select which DLP profile, if any, to apply to email matching the policy.

profile-ldap-recipient <ldap-profile_name>

If recipient-type {email-user-group | ldap-group | user-regex | user-wildcard} is ldap-group, enter the name of an LDAP profile in which the group owner query has been enabled and configured.

profile-ldap-sender <ldap-profile_name>

If sender-type {email-user-group | ldap-group | user-regex | user-wildcard} is ldap-group, enter the name of an LDAP profile in which the group owner query has been enabled and configured.

profile-resource <profile_name>

Select which resource profile, if any, to apply to email matching the policy.

This setting is available only if FortiMail is operating in server mode or gateway mode.

recipient-domain "<domain_str>"

Enter the domain name of recipient email addresses that match this policy.

This setting is available only if recipient-type {email-user-group | ldap-group | user-regex | user-wildcard} is user-wildcard.

recipient-email-address-group <group_name>

Enter the group of recipient email addresses.

This setting is available only if recipient-type {email-user-group | ldap-group | user-regex | user-wildcard} is email-user-group.

recipient-exclusion-domain "<domain-part_str>"

Enter the domain name of recipient email addresses that you want to exclude.

This setting is available only if recipient-exclusion-type {email-address-group | user-regex | user-wildcard} is user-wildcard.

*

recipient-exclusion-email-address-group <group_name>

Select a group of recipient email addresses that you want to exclude.

This setting is available only if recipient-exclusion-type {email-address-group | user-regex | user-wildcard} is email-address-group.

recipient-exclusion-name "<local-part-str>"

Enter the local part (username) of recipient email addresses that you want to exclude.

This setting is available only if recipient-exclusion-type {email-address-group | user-regex | user-wildcard} is user-wildcard.

*

recipient-exclusion-regex "<exclusion_pattern>"

Enter a regular expression that matches only recipient email addresses that you want to exclude, such as:

.*@example\.com

This setting is available only if recipient-exclusion-type {email-address-group | user-regex | user-wildcard} is user-regex.

recipient-exclusion-status {enable | disable}

Enable if you want to exclude some recipient email addresses from matching this policy. Also configure recipient-exclusion-type {email-address-group | user-regex | user-wildcard}.

disable

recipient-exclusion-type {email-address-group | user-regex | user-wildcard}

Select how you want to define excluded recipient email addresses. Depending on which you select, also configure recipient-exclusion-name "<local-part-str>" etc.

This setting is available only if recipient-exclusion-status {enable | disable} is enable.

user-wildcard

recipient-name "<local-part_str>"

Enter the local part (username) of recipient email addresses that match this policy.

This setting is available only if recipient-type {email-user-group | ldap-group | user-regex | user-wildcard} is user-wildcard.

recipient-regex "<recipient_pattern>"

Enter a regular expression that matches only the recipient email addresses that should match this policy.

This setting is available only if recipient-type {email-user-group | ldap-group | user-regex | user-wildcard} is user-regex.

.*

recipient-type {email-user-group | ldap-group | user-regex | user-wildcard}

Select how to define recipient (RCPT TO:) email addresses that match this policy.

Depending on which you select, also configure profile-ldap-recipient <ldap-profile_name>, recipient-regex "<recipient_pattern>", etc.

user

sender-domain "<domain_str>"

Enter the domain name of sender email addresses that match this policy.

This setting is available only if sender-type {email-user-group | ldap-group | user-regex | user-wildcard} is user-wildcard.

sender-email-address-group <group_name>

Enter the group of sender email addresses.

This setting is available only if sender-type {email-user-group | ldap-group | user-regex | user-wildcard} is email-user-group.

sender-exclusion-domain "<domain-part_str>"

Enter the domain name of sender email addresses that you want to exclude.

This setting is available only if sender-exclusion-type {email-address-group | user-regex | user-wildcard} is user-wildcard.

*

sender-exclusion-email-address-group <group_name>

Select a group of email addresses you want to exclude.

This setting is available only if sender-exclusion-type {email-address-group | user-regex | user-wildcard} is email-address-group.

sender-exclusion-name "<local-part-str>"

Enter the local part (username) of sender email addresses that you want to exclude.

This setting is available only if sender-exclusion-type {email-address-group | user-regex | user-wildcard} is user-wildcard.

*

sender-exclusion-regex "<exclusion_pattern>"

Enter a regular expression that matches only sender email addresses that you want to exclude, such as:

.*@example\.com

This setting is available only if sender-exclusion-type {email-address-group | user-regex | user-wildcard} is user-regex.

sender-exclusion-status {enable | disable}

Enable if you want to exclude some sender email addresses from matching this policy. Also configure sender-exclusion-type {email-address-group | user-regex | user-wildcard}.

Sender exclusion settings apply only if direction {incoming | outgoing} is outgoing.

disable

sender-exclusion-type {email-address-group | user-regex | user-wildcard}

Select how you want to define excluded sender email addresses. Depending on which you select, also configure sender-exclusion-name "<local-part-str>" etc.

This setting is available only if sender-exclusion-status {enable | disable} is enable.

user-wildcard

sender-name "<local-part_str>"

Enter the local part (username) of sender email addresses that match this policy.

This setting is available only if sender-type {email-user-group | ldap-group | user-regex | user-wildcard} is user-wildcard.

sender-option {envelope-from | header-from | envelope-or-header-from}

Select which sender email addresses to compare for a policy match, either:

  • envelope-from: Sender email address in the SMTP envelope (MAIL FROM:).

  • header-from: Sender email address in the message header (From:).

    Caution: Message headers may be rewritten or fake. Do not match policies with an action to allow based upon the email address in From: unless the upstream MTA is trusted to authenticate senders for this domain, including validating secondary email addresses and aliases. To do this, you can use smtp-diff-identity-ldap {enable | disable}.

  • envelope-or-header-from: Either the envelope or the message header.

    These values are often the same, but it is normal for them to differ in some cases, such as aliases (distribution lists) or senders with secondary email addresses or multiple identities.

This setting is available only if recipient-policy-sender-option {envelope-from-only | envelope-or-header-from} is envelope-or-header-from.

envelope-from

sender-regex "<sender_pattern>"

Enter a regular expression that matches only the sender email addresses that should match this policy.

This setting is available only if sender-type {email-user-group | ldap-group | user-regex | user-wildcard} is user-regex.

.*

sender-type {email-user-group | ldap-group | user-regex | user-wildcard}

Select how to define sender (MAIL FROM:) email addresses that match this policy.

Depending on which you select, also configure profile-ldap-sender <ldap-profile_name>, sender-regex "<sender_pattern>", etc.

user-wildcard

smtp-diff-identity-ldap-profile <profile_name>

Select which LDAP profile to use for verifying an email user's other identities.

This setting is applicable only if smtp-diff-identity-ldap {enable | disable} is enable.

smtp-diff-identity-ldap {enable | disable}

Enable to use a directory query to find and verify the sender's other email addresses. Also configure smtp-diff-identity-ldap-profile <profile_name>.

This setting is applicable only if smtp-diff-identity {enable | disable} is disable.

Note: If verification succeeds, the sender email address in the SMTP envelope (MAIL FROM:) must still match the sender address in the message header (From:). Neither sender address may be empty.

disable

smtp-diff-identity {enable | disable}

Disable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate. This is often normal (for example, jmartinez@example.com might authenticate and send email on behalf of their department alias, sales@example.com), but it could be fraudulent, so often you should also configure smtp-diff-identity-ldap {enable | disable}.

Enable to require that the sender email address in the SMTP envelope matches the authenticated user name, and reply with an SMTP rejection code if they don't match.

This setting is applicable only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is not none.

disable

status {enable | disable}

Enable to apply the policy.

enable
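The following worked configuration is an added example and is not part of the Fortinet reference. It assumes a FortiMail unit in gateway mode protecting the domain example.com, and that the profiles named below (AS_outbound, AS_inbound, AV_default, DLP_outbound, CP_inbound, LDAP_corp) and the PKI user user1 already exist under their respective config commands; every one of those names is a placeholder. Entry separators follow the usual Fortinet CLI layout (next between entries, end to close the table).

```text
config policy recipient
    edit 1
        set comment "Example outbound policy; profile names are placeholders"
        set status enable
        set direction outgoing
        set sender-type user-wildcard
        set sender-option envelope-from
        set sender-name "*"
        set sender-domain "example.com"
        set sender-exclusion-status enable
        set sender-exclusion-type user-regex
        set sender-exclusion-regex "^(noreply|bounces)@example\.com$"
        set recipient-type user-wildcard
        set recipient-name "*"
        set recipient-domain "*"
        set profile-antispam AS_outbound
        set profile-antivirus AV_default
        set profile-dlp DLP_outbound
        set profile-auth-type ldap
        set profile-auth-ldap LDAP_corp
        set auth-allow-smtp enable
        set smtp-diff-identity disable
        set smtp-diff-identity-ldap enable
        set smtp-diff-identity-ldap-profile LDAP_corp
    next
    edit 2
        set comment "Example inbound policy; profile names are placeholders"
        set status enable
        set direction incoming
        set sender-type user-wildcard
        set sender-option envelope-from
        set sender-name "*"
        set sender-domain "*"
        set recipient-type user-regex
        set recipient-regex "^(sales|support)@example\.com$"
        set profile-antispam AS_inbound
        set profile-antivirus AV_default
        set profile-content CP_inbound
        set profile-auth-type ldap
        set profile-auth-ldap LDAP_corp
        set pkiauth enable
        set pkiuser user1
        set certificate-required yes
    next
end
```

Entry 1 matches envelope senders in example.com, which is the only direction in which sender exclusions apply; the anchored exclusion regex keeps the automated noreply and bounces mailboxes out of this policy so they can be handled by a separate entry. Because smtp-diff-identity is disable, an authenticated user may send as an alias, but smtp-diff-identity-ldap makes FortiMail confirm the alias through the LDAP_corp directory query first, and MAIL FROM: must still match the From: header. auth-allow-smtp only offers SMTP AUTH; to require it, set authenticated to authenticated in the access control rules as the note above describes. Entry 2 is incoming, which is the only direction in which pkiauth and certificate-required are available; with certificate-required yes, quarantine users must present a valid certificate and cannot fall back to a password. Policies are evaluated in list order rather than by ID, so check the order after adding entries.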

Related topics

cloud-api profile antivirus

policy access-control delivery

policy delivery-control

profile antispam

profile antivirus

profile content

profile dlp

profile email-address-group

profile ldap

profile resource

user pki
