{default | incoming | outgoing}

Enter the name of the mail queue that you want to configure.

deadmail-expiry <days_int>

Enter the number of days to keep permanently undeliverable email in the dead mail folder. Dead mail has both incorrect recipient and sender email addresses, and can neither be delivered nor the sender notified via DSN.

Valid range is from 0 to 365. 0 means not to save email to the deal mail folder.

default-auth-domain <domain_name>

Enter the domain to use for default authentication.

defer-delivery-starttime <time_str>

Enter the time that the FortiMail unit will begin to process deferred oversized email, using the format hh:mm, where hh is the hour according to a 24-hour clock, and mm is the minutes.

defer-delivery-stoptime <time_str>

Enter the time that the FortiMail unit will stop processing deferred oversized email, using the format hh:mm, where hh is the hour according to a 24-hour clock, and mm is the minutes.

delivery-esmtp {no | yes}

Select either:

• yes: Disable the FortiMail unit from delivering email using ESMTP, and use standard SMTP instead.

• no: Enable the FortiMail unit to deliver email using ESMTP if the SMTP server to which it is connecting supports the protocol.

delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}

Select which type of failed network connections that the backup relay should take over and retry. Also configure delivery-failure-handling-option {normal | relay-to-host}.

delivery-failure-handling-option {normal | relay-to-host}

Select what to do when email delivery fails temporarily or permanently.

• normal: Queue the email on FortiMail and use the mail queue settings.

• relay-to-host: Use another relay (backup relay) that you want to use for failed deliveries. Also configure delivery-failure-host <host_name>.

delivery-failure-host <host_name>

Enter a host to relay email when access to original mail host fails.

delivery-failure-min-age <minutes_int>

Enter the time in minutes the undelivered email should wait in the normal queue before trying the backup relay.

delivery-tracking-status {enable | disable}

Enable to record the following mail delivery statuses in the history log:

• Delivered

• Blocked

• Failed

• Queued

You can view queued email except IBE email in the history log from the right-click pop-up menu. For security reasons, IBE email cannot be viewed in the queue.

dsn-ehlo-option {host-name | domain-name | other-name}

Select which DSN EHLO/HELO argument to use:

• host-name: Use the host name of the FortiMail unit.

• domain-name: Use the local domain name of the FortiMail unit.

• other-name: Use a customized name specified in dsn-ehlo-other-name <name_str>.

dsn-ehlo-other-name <name_str>

If dsn-ehlo-option {host-name | domain-name | other-name} is other-name, use this command to enter the customized name.

dsn-email-attach-orig {enable | disable}

Enable to attach original email in delivery status notifications (DSN) or non-delivery reports (NDR).

dsn-email-customization-status {enable | disable}

Enable DSN and NDR customization.

dsn-extended-service-status {enable | disable}

Enable or disable extended DSN service.

dsn-failure-custom-status {enable | disable}

Enable or disable customization of the DSN failure message.

dsn-failure-status {enable | disable}

Enable or disable DSN failure messages.

dsn-regular-service-status {enable | disable}

Enable or disable regular DSN service to notify email users of delivery delays and/or failure.

If the email message triggers an antispam or antivirus profile, no DSN message will be sent. If it triggers a content profile, then a DSN message will be sent. The following are the potential states in which DSN messages are sent: SPF=Pass SPF=None SPF=Neutral SPF=PERM-Error SPF=TEMP-Error SPF=Sender Alignment DSN messages are not sent for the following potential states: SPF=Soft Fail SPF=Hard Fail

dsn-sender-address <email_str>

Enter the sender email address in DSN email messages sent by the FortiMail unit to notify email users of delivery failure.

If this field is empty, the FortiMail unit uses the default sender email address of postmaster@<domain_fqdn>, where <domain_fqdn> is the domain name of the FortiMail unit.

dsn-sender-displayname <name_str>

Enter the display name of the sender email address for DSN.

If this string is empty, the FortiMail unit uses the display name postmaster.

dsn-status {enable | disable}

Enable or disable delivery status notifications (DSN) or non-delivery reports (NDR) to notify email users of delivery delays and/or failure.

dsn-success-custom-status {enable | disable}

Enable or disable customization of the DSN success message.

dsn-warning-custom-status {enable | disable}

Enable or disable customization of the DSN warning message.

dsn-warning-status {enable | disable}

Enable or disable DSN warning messages.

imap-port <port_int>

Enter the port number on which the FortiMail unit’s IMAP server will listen for IMAP connections.

This option applies only if the FortiMail unit is operating in server mode.

imap-service {enable | disable}

Enable to allow IMAP service.

imaps-port <port_int>

Enter the port number on which the FortiMail unit’s IMAPS server will listen for secure IMAP connections.

This option applies only if the FortiMail unit is operating in server mode.

ip-pool-direction {all | exclude-internal-to-internal}

By default, IP pools in IP policies and domain settings will be applied to all email directions, including internal to internal, internal to external, external to internal, and external to external.

If you want to exempt IP pool usage for internal-to-internal email, select exclude-internal-to-internal.

IP pools in ACL delivery rules are still applied to internal-to-internal email.

ldap-domaincheck-auto-associate {enable | disable}

If ldap-domaincheck {enable | disable} is enable, select whether to enable or disable automatic creation of domain associations.

• enable: The FortiMail unit automatically adds the unknown domain as a domain associated of the protected domain selected in ldap-domaincheck-internal-domain <domain_str>.

• disable: If the DNS lookup of the unknown domain name is successful, the FortiMail unit routes the email to the IP address resolved for the domain name during the DNS lookup. Because the domain is not formally defined as a protected domain, the email is considered to be outgoing, and outgoing recipient-based policies are used to scan the email. For more information, see policy recipient.

ldap-domaincheck-internal-domain <domain_str>

If ldap-domaincheck {enable | disable} is enable, and ldap-domaincheck-auto-associate {enable | disable} is enable, enter name of the protected domain with which successfully verified domains will become associated.

ldap-domaincheck-profile <profile_str>

If ldap-domaincheck {enable | disable} is enable, enter the name of the LDAP profile to use when verifying unknown domains.

ldap-domaincheck {enable | disable}

Enable to verify the existence of domains that have not been configured as protected domains. Also configure ldap-domaincheck-profile <profile_str> and ldap-domaincheck-auto-associate {enable | disable}.

To verify the existence of unknown domains, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, the action varies by configuration of ldap-domaincheck-auto-associate {enable | disable}.

pop3-port <port_int>

Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections.

This option applies only if the FortiMail unit is operating in server mode.

pop3-service {enable | disable}

Enable to allow POP3 service.

pop3s-port <port_int>

Enter the port number on which the FortiMail unit’s POP3 server will listen for secure POP3 connections.

This option applies only if the FortiMail unit is operating in server mode.

queue-dsn-timeout <days_int>

Select the maximum number of hours a delivery status notification (DSN) can remain in the default, incoming, or outgoing queues. After it reaches the maximum, the FortiMail unit moves the DSN email to the dead mail folder.

If this setting is 0, then the FortiMail unit does not retry for DSN.

Valid range is 0 to 10.

queue-max-delivery-attempt-on-dsn <tries_int>

Enter the maximum number of tries to send a delivery status notification (DSN) message in the mail queue. Valid range is 0 to 144. Entering 0 means no limit.

Alternatively, configure queue-timeout <hours_int>. FortiMail applies whichever occurs first.

queue-max-delivery-attempt <tries_int>

Enter the maximum number of tries to send an email in the default, incoming, or outgoing mail queues. Valid range is 0 to 144. Entering 0 means no limit.

Alternatively, configure queue-timeout <hours_int>. FortiMail applies whichever occurs first.

queue-regular-delivery-attempt <tries_int>

Enter the number of tries for a delivery in the default, incoming, or outgoing mail queues. If delivery is not successful, then the email is moved to a slow mail queue. Valid range is from 1 to 3.

Slow queues also try to use queue-retry <minutes_int>, but if FortiMail is busy and system resource usage is high, then slow queues have a lower priority than normal queues, so a retry in a slow queue might not occur exactly at the interval time.This allows the FortiMail unit to send valid email more quickly, instead of wasting system resources frequently retrying email that may be invalid (for example, email destined to an invalid MTA) or for an MTA that is too busy or undergoing maintenance. Slow queues are created automatically; you do not need to create them in config mail-queue.

queue-retry <minutes_int>

Enter the number of minutes between delivery retries for email in the deferred and spam mail queues.

Valid range is from 5 to 120.

This interval only applies to the 1st through 3rd delivery retries.On the 4th retry or later, 20 more minutes will be added for each retry. For example, if the time interval is set to 5 minutes, the 4th retry will be 25 minutes later, the 5th retry will be 45 minutes later, and the 6th retry will be 65 minutes later.

If system resource usage is very high, then retries may be slower than this interval.

queue-timeout <hours_int>

Enter the maximum number of hours that email can remain in the default, incoming, or outgoing mail queues. During this time, the FortiMail unit periodically retries to send the email.

If retries were not successful, and expiry occurs, then the FortiMail unit sends a final delivery status notification (DSN) email to notify the sender that the email was not deliverable.

Valid range is from 1 to 240.

Alternatively, configure queue-max-delivery-attempt <tries_int>. FortiMail applies whichever occurs first.

queue-warning <hours_int>

Select the number of hours after the 1^st delivery failure to deliver the 1^stdelivery status notification (DSN) message, notifying the sender that the email was delayed.

Valid range is from 1 to 24.

relay-server-name <relay_name>

Enter the name of the relay server that will deliver outgoing email. See also mailsetting relay-host-list.

relay-server-status {enable |disable}

If enabled, the relay server will be used to deliver outgoing email. If disabled, the FortiMail built-in MTA will be used.

show-acceptable-cert-ca {enable | disable}

Enable to show acceptable client certificate CA.

smtp-auth-over-tls {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP over TLS.

smtp-auth-smtps {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTPS (SMTP with SSL).

smtp-auth {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP.

smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}

When FortiMail delivers email to a host name, it does DNS AAAA and A record lookup.

Use this command to specify the IPv4/IPv6 delivery preferences:

• ipv4-ipv6: Try to deliver to the IPv4 address first. If the IPv4 address is not accessible, try the IPv6 address. Because most MTAs support IPv4, this is the default setting.

• ipv6-ipv4: Try IPv6 first, then IPv4. However, if the AAAA record does not exist, the extra AAAA DNS lookup for IPv6 addresses will potentially cause slower email delivery.

• ipv4: Try IPv4 only. This setting is not recommended.

• ipv6: Try IPv6 only. This setting is not recommended.

smtp-delivery-queue-runner-option enhanced

Enable to allow smtpqd to run dynamically and more efficiently, without waiting other queue runners in the same batch to finish the delivery.

Without enable this feature, the queue runners are started in a batch. If one queue runner finishes its job first, it will stay idle and wait other queue runners in the same batch to finish their job. Then the queue controller will start a new batch of queue runners after the last queue runner finishes its job.

smtp-delivery-session-preference {domain | host}

Select how to handle recipient domain names that resolve to the same MTA:

• host: Send the emails to the server in the same SMTP session.

• domain: Send the emails in separate sessions.

  Select this option if you use Google business email service. It does not accept multiple destination domains per SMTP transaction, resulting in repeated delivery attempts and delayed email.

smtp-eom-bare-lf-handling {allow | disallow | ignore}

Normally, to signal the end of the email, the message body should end with an end-of-message (EOM):

<CR><LF>.<CR><LF>

where <CR> is a carriage return and <LF> is a line feed.

However in SMTP servers that are not RFC-compliant, or with attackers, the email does not end with a valid EOM. Instead its EOM is not complete, such as:

<LF>.<CR><LF>

and then continues with more email and attachments, often from other senders, nested within the same message body as an implicit pipeline. Attacks that use this are called SMTP smuggling.

Select either:

• allow: Accept the message body, but clean up and replace each bare LF or CR between email with a valid EOM, which splits the message body and normalizes the EOMs for downstream email servers and clients. Same behavior as FortiMail 7.4 and older.

  If a nested email is from a different sender, they may not be authenticated. To reduce this risk, you can use other features. For example, you could disable smtp-diff-identity {enable | disable} and enable dkim-checking {enable | disable}.

• ignore: Accept the message body, and keep the bare LF or CR between email as-is so that the message body is still together for downstream mail servers and clients.

• disallow: Reject the message body if it contains a bare LF or CR. This option is most secure, but is not compatible with non-standard email servers. If you want to disable explicit pipelining too, configure session-allow-pipelining {yes | no}.

For allow and ignore, FortiMail still requires that the last EOM is valid. It waits up to 3 minutes for it. If it does not occur, then the action may be different: allow: Rejects the last email only, with a log message that explains a bad pipeline. ignore: Rejects all email in the nested message body, with log messages that explain a bare LF or bare CR, similar to disallow.

smtp-max-connections <connections_int>

Enter the maximum number of concurrent SMTP connections that FortiMail can accept from the SMTP clients. See also conn-concurrent <connections_int>.

smtp-max-hop-count <hops_int>

Enter the maximum number of hops that FortiMail can accept from the SMTP connections. Valid range is 1 to 200.

smtp-msa-port <port_int>

Enter the port number on which the FortiMail unit listens for email clients to submit email for delivery.

smtp-msa {enable | disable}

Enable to allow your email clients to use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476.

smtp-mtasts-status {check-all-domain | check-external-domain | disable}

Enable MTA Strict Transport Security (MTA-STS) domain checking:

• check-all-domain: FortiMail checks recipient domain MTA-STS records (including TLS version, format, and MTA-STS policy) for outgoing email to both internal and external domains.

• check-external-domain: FortiMail MTA-STS checking only when delivering outgoing emails to external domains.

• disable: Disable MTA-STS domain checking.

smtp-port <port_int>

Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections.

smtp-service {enable | disable}

Enable to allow SMTP service.

smtp-smtputf8 {enable | disable}

Enable for UTF-8 support in SMTP session commands and message headers. This allows non-ASCII characters in email addresses and international domain names (IDN) in EHLO hostnames and the domain parts of email addresses. For example, non-ASCII recipient email addresses must be followed by the SMTPUTF8 keyword:

RCPT TO: <pelé@example.com> SMTPUTF8

Disable if SMTP clients are not compatible with SMTPUTF8.

For details, see RFC 6530, RFC 6531, RFC 6532, and RFC 6533.

smtps-port <port_int>

Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections.

smtps-tls-status {enable | disable}

Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted.

This setting must be enabled to be able to receive SMTPS connections. However, it does not require them. To enforce client use of SMTPS, see tls-profile <profile_name>. To view whether SSL/TLS is being used by each domain, see tls-tracking-status {enable | disable}.

timeout-connect <seconds_int>

Enter the maximum amount of time to wait, after the FortiMail unit initiates it, for the receiving SMTP server to establish the network connection. Valid range is 10 to 120.

This timeout applies to all SMTP connections, regardless of whether it is the first connection to that SMTP server or not.

timeout-greeting <seconds_int>

Enter the maximum amount of time to wait for an SMTP server to send SMTP reply code 220 to the FortiMail unit. Valid range is 10 to 360.

RFC 2821 recommends a timeout value of 5 minutes (300 seconds). For performance reasons, you may prefer to have a smaller timeout value, which reduces the amount of time spent waiting for sluggish SMTP servers. However, if this causes your FortiMail unit to be unable to successfully initiate an SMTP session with some SMTP servers, consider increasing the timeout.