<rule_name>

Enter the number that identifies the rule.

The identifier number may be different from the order of evaluation. FortiMail units evaluate policies in sequential order, starting at the top of the list. Only the first matching rule is applied. For example, if you enter: move 15 before 1 then rule 15 is evaluated for a match before rule 1. To show the order of evaluation for the list of rules, enter: config policy ip get

action {proxy-bypass | reject | scan | temp-fail}

Enter an action for this policy:

• proxy-bypass: Bypass the FortiMail unit’s scanning. This action is for transparent mode only.

• scan: Accept the connection and perform any scans configured in the profiles selected in this policy.

• reject: Reject the email and respond to the SMTP client with SMTP reply code 550, indicating a permanent failure.

• temp-fail: Reject the email and respond to the SMTP client with SMTP reply code 451, indicating and indicate a temporary failure.

comment "<comment_str>"

Enter a description or comment.

destination-ip-group <group_name>

Enter the name of the IP group of the SMTP servers.

This setting is only available when the destination-type {ip-address | ip-group} is ip-group.

destination-ip <smtp-server_ipv4mask>

Enter the IP address and subnet mask of the SMTP server.

To match all servers, enter 0.0.0.0/0.

This option applies only for FortiMail units operating in transparent mode. For other modes, the FortiMail unit receives the SMTP connection, and therefore acts as the server.

destination-type {ip-address | ip-group}

Select how you will define the destination IP address of the SMTP servers whose connections will match this policy. Also configure destination-ip <smtp-server_ipv4mask>, destination-ip-group <group_name>.

exclusive {enable | disable}

Enable to omit evaluation of matches with recipient-based policies, causing the FortiMail system to disregard applicable recipient-based policies and apply only the IP-based policy.

Disable to apply both the matching recipient-based policy and IP-based policy. Any profiles selected in the recipient-based policy will override those selected in the IP-based policy.

profile-antispam <profile_name>

Enter the name of an outgoing antispam profile, if any, that this policy will apply.

profile-antivirus <profile_name>

Enter the name of an antivirus profile, if any, that this policy will apply.

profile-auth-imap <profile_name>

Enter the name of an IMAP authentication profile.

This setting applies if profile-auth-type {imap | ldap | none | pop3 | radius | smtp} is imap.

profile-auth-ldap <profile_name>

Enter the name of an LDAP authentication profile.

This setting applies if profile-auth-type {imap | ldap | none | pop3 | radius | smtp} is ldap.

profile-auth-pop3 <profile_name>

Enter the name of a POP3 authentication profile.

This setting applies if profile-auth-type {imap | ldap | none | pop3 | radius | smtp} is pop3.

profile-auth-radius <profile_name>

Enter the name of a RADIUS authentication profile.

This setting applies if profile-auth-type {imap | ldap | none | pop3 | radius | smtp} is radius.

profile-auth-smtp <profile_name>

Enter the name of an SMTP authentication profile.

This setting applies if profile-auth-type {imap | ldap | none | pop3 | radius | smtp} is smtp.

profile-auth-type {imap | ldap | none | pop3 | radius | smtp}

Select the type of the authentication profile that this policy will apply, or select none if you do not want to apply authentication. Also configure the name of the profile in profile-auth-ldap <profile_name> etc.

profile-content <profile_name>

Enter the name of the content profile that you want to apply to connections matching the policy.

profile-dlp <profile_name>

Enter the name of the DLP profile that you want to apply to connections matching this policy.

profile-ip-pool <profile_name>

Enter the name of the IP pool profile that you want to apply to connections matching the policy.

profile-session <profile_name>

Enter the name of the session profile that you want to apply to connections matching the policy.

reverse-dns-pattern-regexp {no | yes}

Select whether the pattern that you enter in reverse-dns-pattern <source_pattern> will be interpreted as a regular expression.

reverse-dns-pattern <source_pattern>

To define which SMTP clients match this policy, depending on reverse-dns-pattern-regexp {no | yes}, enter either a:

• Complete or partial domain name. Wild card characters can be used to match multiple domain names. An asterisk ( * ) represents one or more characters. A question mark ( ? ) represents any single character. For example:

  *.example.???

  matches all sub-domains at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name.

• Regular expression.

  To verify syntax and correct matching, use the validator in the GUI. See also regular expression syntax in the FortiMail Administration Guide.

Because the domain name in the SMTP session greeting (HELO/EHLO) is self-reported by the connecting SMTP client, it could be fake and the FortiMail unit does not trust it. Instead, the FortiMail does a reverse DNS lookup of the SMTP client’s IP address to discover its real domain name. This is compared to the pattern. If the domain name does not match the pattern, or if the reverse DNS query fails, then the policy does not match.

The domain name must be a valid top level domain (TLD). For example, .lab is not valid because it is reserved for testing on RFC 1918 private networks, not the Internet, and thus a reverse DNS query to public DNS servers on the Internet will always fail.

smtp-diff-identity-ldap-profile <profile_name>

Enter the name of the LDAP profile to use for SMTP sender identity verification.

This setting is only available if smtp-diff-identity-ldap {enable | disable} is enable.

smtp-diff-identity-ldap {enable | disable}

Enable or disable whether to verify the sender's identity with LDAP authentication.

smtp-diff-identity {enable | disable}

Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

If smtp-eom-bare-lf-handling {allow | disallow | ignore} is ignore, then multiple email with different senders could be in the message body. To prevent impersonation, set this setting to disable.

source-geoip-group <group_name>

Enter the geographic IP group of the SMTP clients.

This setting is only available if source-type {geoip-group | ip-address | ip-group | isdb} is geoip-group.

source-ip-group <group_name>

Enter the IP group of the SMTP clients.

This setting is only available if source-type {geoip-group | ip-address | ip-group | isdb} is ip-group.

source-ip <client_ipv4mask>

Enter the IP address and subnet mask of the SMTP client.

To match all clients, enter 0.0.0.0/0.

source-isdb {8x8 ...}

Select a service name. The Internet Service Database (ISDB) is an automatically updated list of IP addresses and subnets used by popular services such as 8x8, Akamai, Microsoft 365, and more.

To display the list of options for currently known services, enter:

set sender-isdb ?

This setting is only available if source-type {geoip-group | ip-address | ip-group | isdb} is isdb.

source-type {geoip-group | ip-address | ip-group | isdb}

Select how you will define the source IP address of the SMTP clients whose connections will match this policy. Then configure the related setting such as source-isdb {8x8 ...}.

status {enable | disable}

Enable or disable the policy.