CLI Reference

policy recipient

Use this command to create recipient-based policies based on the inbound or outbound directionality of an email message with respect to the protected domain.

Syntax

config policy recipient
    edit <policy_int>
        [set comment "<comment_str>"]
        set status {enable | disable}
        set direction {incoming | outgoing}
        set recipient-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard}
        set recipient-name <local-part_str>
        set recipient-domain <domain_str>
        set recipient-email-address-group <group_name>
        set profile-ldap-recipient <ldap-profile_name>
        set recipient-regex <recipient_pattern>
        set recipient-exclusion-status {enable | disable}
        set recipient-exclusion-type {email-address-group | user-regex | user-wildcard}
        set recipient-exclusion-email-address-group <group_name>
        set recipient-exclusion-name <local-part-str>
        set recipient-exclusion-domain <domain-part_str>
        set recipient-exclusion-regex <exclusion_pattern>
        set sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard}
        set sender-name <local-part_str>
        set sender-domain <domain_str>
        set sender-email-address-group <group_name>
        set profile-ldap-sender <ldap-profile_name>
        set sender-regex <sender_pattern>
        set smtp-diff-identity {enable | disable}
        set smtp-diff-identity-ldap {enable | disable}
        set smtp-diff-identity-ldap-profile <profile_name>
        set auth-access-options {pop3 | smtp-auth | smtp-diff-identity | web}
        set pkiauth {enable | disable}
        set pkiuser <user_str>
        set certificate-required {yes | no}
        set profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp}
        set profile-antispam <antispam-profile_name>
        set profile-antivirus <antivirus-profile_name>
        set profile-content <content-profile_name>
        set profile-dlp <profile_name>
        set profile-resource <profile_name>
    end

Variables (each followed by its description and, where one exists, its default value)

<policy_int>

Enter the index number of the recipient-based policy.

auth-access-options {pop3 | smtp-auth | smtp-diff-identity | web}

Enter the method that email users matching this policy use to retrieve the contents of their per-recipient spam quarantine.

  • pop3: Allow the email user to use POP3 to retrieve the contents of their per-recipient spam quarantine.
  • smtp-auth: Use the authentication server selected in the authentication profile when performing SMTP authentication for connecting SMTP clients.
  • smtp-diff-identity: Allow email when the SMTP client authenticates with a different user name than the one that appears in the envelope’s sender email address. You must also enter smtp-auth for this option to have any effect.
  • web: Allow the email user to use FortiMail webmail (HTTP or HTTPS) to retrieve the contents of their per-recipient spam quarantine.

Note: Entering this option allows, but does not require, SMTP authentication. To enforce SMTP authentication for connecting SMTP clients, ensure that all access control rules require authentication.

certificate-required {yes | no}

If the email user’s web browser does not provide a valid personal certificate, the FortiMail unit will fall back to standard user name and password-style authentication. To require valid certificates only and disallow password-style fallback, enter yes.

This setting only applies if pkiauth {enable | disable} is enable.

Default: no

comment "<comment_str>"

Enter a comment or description.

direction {incoming | outgoing}

Select the direction of email traffic that this policy matches.

Default: incoming

pkiauth {enable | disable}

Enable if you want to allow email users to log in to their per-recipient spam quarantine by presenting a certificate rather than a user name and password. Also configure pkiuser <user_str> and certificate-required {yes | no}.

Default: disable

pkiuser <user_str>

Enter the name of a PKI user, such as user1.

This setting only applies if pkiauth {enable | disable} is enable. Also configure config user pki.

profile-antispam <antispam-profile_name>

Enter the name of an antispam profile, if any, that this policy will apply.

profile-antivirus <antivirus-profile_name>

Enter the name of an antivirus profile, if any, that this policy will apply.

profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp}

Enter the type of the authentication profile that this policy will apply.

Depending on the type that you select, also configure profile-auth-imap <profile_name> etc.

Default: none

profile-auth-imap <profile_name>

Select the name of a profile to use for authentication.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is imap.

profile-auth-ldap <profile_name>

Select the name of a profile to use for authentication.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is ldap.

profile-auth-pop3 <profile_name>

Select the name of a profile to use for authentication.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is pop3.

profile-auth-radius <profile_name>

Select the name of a profile to use for authentication.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is radius.

profile-auth-smtp <profile_name>

Select the name of a profile to use for authentication.

This setting is available only if profile-auth-type {imap | ldap | local | none | pop3 | radius | smtp} is smtp.

profile-dlp <profile_name>

Enter the name of the DLP profile that you want to apply to connections matching the policy.

profile-content <content-profile_name>

Enter the name of the content profile that you want to apply to connections matching the policy.

profile-resource <profile_name>

Enter the name of the resource profile that you want to apply to connections matching the policy.

profile-ldap-recipient <ldap-profile_name>

If recipient-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard} is ldap-group, enter the name of an LDAP profile in which the group owner query has been enabled and configured.

profile-ldap-sender <ldap-profile_name>

If sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard} is ldap-group, enter the name of an LDAP profile in which the group owner query has been enabled and configured.

recipient-domain <domain_str>

Enter the domain name of recipient email addresses that match this policy.

recipient-email-address-group <group_name>

Enter the group of recipient email addresses.

This setting is available only if recipient-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard} is email-user-group.

recipient-exclusion-domain <domain-part_str>

Enter the domain name of recipient email addresses that you want to exclude.

This setting is available only if recipient-exclusion-type {email-address-group | user-regex | user-wildcard} is user-wildcard.

Default: *

recipient-exclusion-email-address-group <group_name>

Select a group of email addresses you want to exclude.

This setting is available only if recipient-exclusion-type {email-address-group | user-regex | user-wildcard} is email-address-group.

recipient-exclusion-name <local-part-str>

Enter the local part (username) of recipient email addresses that you want to exclude.

This setting is available only if recipient-exclusion-type {email-address-group | user-regex | user-wildcard} is user-wildcard.

Default: *

recipient-exclusion-regex <exclusion_pattern>

Enter a regular expression that matches only recipient email addresses that you want to exclude.

This setting is available only if recipient-exclusion-type {email-address-group | user-regex | user-wildcard} is user-regex.

recipient-exclusion-status {enable | disable}

Enable if you want to exclude some recipient email addresses from matching this policy.

Default: disable

recipient-exclusion-type {email-address-group | user-regex | user-wildcard}

Select how you want to define excluded recipient email addresses. Depending on which you select, also configure recipient-exclusion-name <local-part-str> etc.

This setting is available only if recipient-exclusion-status {enable | disable} is enable.

Default: user-wildcard

recipient-name <local-part_str>

Enter the local part (username) of recipient email addresses that match this policy.

recipient-regex <recipient_pattern>

Enter a regular expression that matches only the recipient email addresses that should match this policy.

This setting is only available when recipient-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard} is regexp.

Default: .*

recipient-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard}

Enter one of the following ways to define recipient (RCPT TO:) email addresses that match this policy.

Depending on which you select, also configure profile-ldap-recipient <ldap-profile_name>, recipient-regex <recipient_pattern>, etc.

Default: user

sender-domain <domain_str>

Enter the domain name of sender email addresses that match this policy.

This setting is available only if sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard} is user-wildcard.

sender-email-address-group <group_name>

Enter the group of sender email addresses.

This setting is available only if sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard} is email-user-group.

sender-name <local-part_str>

Enter the local part (username) of sender email addresses that match this policy.

This setting is available only if sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard} is user-wildcard.

sender-regex <sender_pattern>

Enter a regular expression that matches only the sender email addresses that should match this policy.

This setting is only available when sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard} is regexp.

Default: .*

sender-type {email-user-group | import-group | import-user | ldap-group | user-regex | user-wildcard}

Select how to define sender (MAIL FROM:) email addresses that match this policy.

Depending on which you select, also configure profile-ldap-sender <ldap-profile_name>, sender-regex <sender_pattern>, etc.

Default: user

smtp-diff-identity {enable | disable}

Enable to allow the SMTP client to send email using a different sender email address (MAIL FROM:) than the user name that they used to authenticate.

Disable to require that the sender email address in the SMTP envelope match the authenticated user name.

This setting is applicable only if SMTP authentication is used.

Default: enable

smtp-diff-identity-ldap {enable | disable}

Enable to allow the SMTP client to verify SMTP sender identity with LDAP for authenticated email.

This setting is applicable only if SMTP authentication is used.

Default: disable

smtp-diff-identity-ldap-profile <profile_name>

Enter the LDAP profile name for SMTP sender identity verification.

This setting is applicable only if SMTP authentication is used.

status {enable | disable}

Enable to apply this policy.

Default: enable
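The following Python model is an added illustration, not FortiMail code, of how the settings above combine: a policy is parsed from a constructed `config policy recipient` block that uses only keys documented on this page, then an envelope (MAIL FROM, RCPT TO, direction) is tested against the recipient match, the recipient exclusion, and the sender match, and the smtp-diff-identity rule is applied to the authenticated user name. Several details are assumptions because the page does not state them: user-wildcard patterns are treated as shell globs, user-regex patterns as regular expressions matched against the whole address, the `next` keyword closes an entry as in other Fortinet CLIs, and the page's default type `user` is treated as `user-wildcard`.

```python
"""Model of recipient-policy matching (added illustration, not FortiMail code).

Assumptions not stated on the page: user-wildcard = shell glob (fnmatch),
user-regex = regular expression matched against the whole address, the
page's default type "user" is treated as user-wildcard, and the authenticated
user name may be either the local part or the full MAIL FROM address.
"""
import fnmatch
import re

# Constructed sample configuration; only keys documented on the page are used.
SAMPLE_CONFIG = """
config policy recipient
    edit 1
        set comment "Inbound mail for example.com, except the noreply mailbox"
        set status enable
        set direction incoming
        set recipient-type user-wildcard
        set recipient-name *
        set recipient-domain example.com
        set recipient-exclusion-status enable
        set recipient-exclusion-type user-wildcard
        set recipient-exclusion-name noreply
        set recipient-exclusion-domain example.com
        set sender-type user-regex
        set sender-regex .*
        set smtp-diff-identity disable
        set profile-antispam default-inbound
    next
end
"""


def parse_policies(text):
    """Parse `config policy recipient` blocks into {policy_index: {key: value}}."""
    policies, current, index = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            index, current = int(line.split(None, 1)[1]), {}
        elif line in ("next", "end") and current is not None:
            policies[index], current = current, None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return policies


def _address_matches(addr, kind, name=None, domain=None, regex=None):
    """Match one address under the user-wildcard or user-regex type.
    Missing wildcard parts default to "*", as the page gives for the exclusion fields."""
    local, _, dom = addr.lower().rpartition("@")
    if kind in ("user-wildcard", "user"):          # "user" is the page's stated default
        return (fnmatch.fnmatchcase(local, (name or "*").lower())
                and fnmatch.fnmatchcase(dom, (domain or "*").lower()))
    if kind == "user-regex":
        return re.fullmatch(regex or ".*", addr, re.IGNORECASE) is not None
    raise ValueError(f"type not modelled here: {kind}")  # group/LDAP/import types omitted


def policy_matches(policy, mail_from, rcpt_to, direction):
    """True when the envelope matches: status, direction, recipient, exclusion, sender."""
    if policy.get("status", "enable") != "enable":
        return False
    if policy.get("direction", "incoming") != direction:
        return False
    if not _address_matches(rcpt_to, policy.get("recipient-type", "user-wildcard"),
                            policy.get("recipient-name"), policy.get("recipient-domain"),
                            policy.get("recipient-regex")):
        return False
    # Exclusions remove a recipient that the recipient pattern would otherwise match.
    if policy.get("recipient-exclusion-status", "disable") == "enable":
        if _address_matches(rcpt_to, policy.get("recipient-exclusion-type", "user-wildcard"),
                            policy.get("recipient-exclusion-name"),
                            policy.get("recipient-exclusion-domain"),
                            policy.get("recipient-exclusion-regex")):
            return False
    return _address_matches(mail_from, policy.get("sender-type", "user-wildcard"),
                            policy.get("sender-name"), policy.get("sender-domain"),
                            policy.get("sender-regex"))


def sender_identity_ok(policy, mail_from, auth_user):
    """Apply smtp-diff-identity: with the setting disabled, the envelope sender of an
    SMTP-authenticated session must match the authenticated user name."""
    if auth_user is None:
        return True  # the setting applies only when SMTP authentication is used
    if policy.get("smtp-diff-identity", "enable") == "enable":
        return True  # page default: a different MAIL FROM is allowed
    local = mail_from.lower().rpartition("@")[0] or mail_from.lower()
    return auth_user.lower() in (local, mail_from.lower())  # assumption: either form


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_CONFIG)[1]
    print(policy_matches(pol, "alice@partner.test", "bob@example.com", "incoming"))
    print(sender_identity_ok(pol, "ceo@example.com", "bob"))
```

Leaving smtp-diff-identity at its default of enable means an authenticated user may place any MAIL FROM in the envelope; the model's `sender_identity_ok` shows what the disabled setting enforces, and on the device the LDAP-backed variant (smtp-diff-identity-ldap with its profile) is the way to allow legitimate aliases without reopening that gap.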

Related topics

cloud-api profile antivirus

policy access-control delivery

policy delivery-control

profile antispam

profile antivirus

profile content

profile dlp

profile email-address-group

profile ldap

profile resource

user pki
