system mailserver
Use this command to configure system-wide mail settings.
Syntax
config system mailserver
edit {default | incoming | outgoing}
set queue-dsn-timeout <days_int>
set queue-max-delivery-attempt <tries_int>
set queue-max-delivery-attempt-on-dsn <tries_int>
end
set queue-regular-delivery-attempt <tries_int>
set deadmail-expiry <days_int>
set default-auth-domain <domain_name>
set defer-delivery-starttime <time_str>
set defer-delivery-stoptime <time_str>
set delivery-failure-handling-option {normal | relay-to-host}
set delivery-failure-host <host_name>
set delivery-failure-min-age <minutes_int>
set delivery-tracking-status {enable | disable}
set dsn-ehlo-option {host-name | domain-name | other-name}
set dsn-ehlo-other-name <name_str>
set dsn-email-attach-orig {enable | disable}
set dsn-email-customization-status {enable | disable}
set dsn-sender-address <email_str>
set dsn-sender-displayname <name_str>
set dsn-status {enable | disable}
set imap-service {enable | disable}
set ip-pool-direction {all | exclude-internal-to-internal}
set ldap-domaincheck {enable | disable}
set ldap-domaincheck-auto-associate {enable | disable}
set ldap-domaincheck-internal-domain <domain_str>
set ldap-domaincheck-profile <profile_str>
set local-domain-name <local-domain_str>
set pop3-service {enable | disable}
set relay-server-name <relay_name>
set relay-server-status {enable |disable}
set show-accept-cert-ca {enable | disable}
set smtp-auth {enable | disable}
set smtp-auth-over-tls {enable | disable}
set smtp-auth-smtps {enable | disable}
set smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}
set smtp-delivery-session-preference {domain | host}
set smtp-eom-bare-lf-handling {allow | disallow | ignore}
set smtp-max-connections <connections_int>
set smtp-max-hop-count <hops_int>
set smtp-msa {enable | disable}
set smtp-mtasts-status {check-all-domain | check-external-domain | disable}
set smtp-service {enable | disable}
set smtp-smtputf8 {enable | disable}
set smtps-tls-status {enable | disable}
set timeout-connect <seconds_int>
set timeout-greeting <seconds_int>
end
|
Variable |
Description |
Default |
|
Enter the number of days to keep permanently undeliverable email in the dead mail folder. Dead mail has both incorrect recipient and sender email addresses, and can neither be delivered nor the sender notified via DSN. Valid range is from 1 to 365. |
1 |
|
|
Enter the domain to use for default authentication. |
|
|
|
Enter the name of the mail queue that you want to configure. |
default |
|
|
Enter the time that the FortiMail unit will begin to process deferred oversized email, using the format |
00:00 |
|
|
Enter the time that the FortiMail unit will stop processing deferred oversized email, using the format |
00:00 |
|
|
Enter either:
|
no |
|
|
delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other} |
Select which type of failed network connections that the backup relay should take over and retry. Also configure delivery-failure-handling-option {normal | relay-to-host}. |
|
|
Select what to do when email delivery failstemporarily or permanently.
|
normal |
|
|
Enter a host to relay email when access to original mail host fails. |
|
|
|
Enter the time in minutes the undelivered email should wait in the normal queue before trying the backup relay. |
30 |
|
|
Enable to record the following mail delivery statuses in the history log:
You can view queued email except IBE email in the history log from the right-click pop-up menu. For security reasons, IBE email cannot be viewed in the queue. |
disable |
|
|
Specify the DSN
|
host-name |
|
|
If dsn-ehlo-option {host-name | domain-name | other-name} is |
|
|
|
Enable to attach original email in delivery status notifications (DSN) or non-delivery reports (NDR). |
disable |
|
|
Enable DSN and NDR customization. |
disable |
|
|
Enter the sender email address in DSN email messages sent by the FortiMail unit to notify email users of delivery failure. If this string is empty, the FortiMail unit sends DSN from the default sender email address of “postmaster@example.com", where “example.com" is the domain name of the FortiMail unit. |
|
|
|
Enter the display name of the sender email address for DSN. If this string is empty, the FortiMail unit uses the display name “postmaster". |
|
|
|
Enable to allow DSN email generation. |
disable |
|
|
Enable to allow IMAP service. |
enable |
|
|
By default, IP pools in IP policies and domain settings will be applied to all email directions, including internal to internal, internal to external, external to internal, and external to external. You can exempt IP pool usage for internal-to-internal email using the exclude-internal-to-internal option. Note: IP pools in ACL delivery rules are still applied to internal-to-internal email. |
|
|
|
Enable to verify the existence of domains that have not been configured as protected domains. Also configure ldap-domaincheck-profile <profile_str> and ldap-domaincheck-auto-associate {enable | disable}. To verify the existence of unknown domains, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, the action varies by configuration of ldap-domaincheck-auto-associate {enable | disable}. |
disable |
|
|
If ldap-domaincheck {enable | disable} is
|
disable |
|
|
If ldap-domaincheck {enable | disable} is |
|
|
|
If ldap-domaincheck {enable | disable} is |
|
|
|
Enter the name of the domain to which the FortiMail unit belongs, such as This option applies only if the FortiMail unit is operating in server mode. |
|
|
|
Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110. This option applies only if the FortiMail unit is operating in server mode. |
110 |
|
|
Enable to allow POP3 service. |
enable |
|
|
Select the maximum number of hours a delivery status notification (DSN) can remain in the default, incoming, or outgoing queues. After it reaches the maximum, the FortiMail unit moves the DSN email to the dead mail folder. If this setting is Valid range is 0 to 10. |
5 |
|
|
Enter the maximum number of tries to send an email in the default, incoming, or outgoing mail queues. Valid range is 0 to 144. Entering 0 means no limit. Alternatively, configure queue-timeout <hours_int>. FortiMail applies whichever occurs first. |
0 |
|
|
Enter the maximum number of tries to send a delivery status notification (DSN) message in the mail queue. Valid range is 0 to 144. Entering 0 means no limit. Alternatively, configure queue-timeout <hours_int>. FortiMail applies whichever occurs first. |
0 |
|
|
Enter the number of tries for a delivery in the default, incoming, or outgoing mail queues. If delivery is not successful, then the email is moved to a slow mail queue. Valid range is from 1 to 3. Tip: Slow queues also try to use queue-retry <minutes_int>, but if FortiMail is busy and system resource usage is high, then slow queues have a lower priority than normal queues, so a retry in a slow queue might not occur exactly at the interval time.This allows the FortiMail unit to send valid email more quickly, instead of wasting system resources frequently retrying email that may be invalid (for example, email destined to an invalid MTA) or for an MTA that is too busy or undergoing maintenance. Slow queues are created automatically; you do not need to create them in config mail-queue. |
3 |
|
|
Enter the number of minutes between delivery retries for email in the deferred and spam mail queues. Valid range is from 5 to 120. Note: This interval only applies to the 1st through 3rd delivery retries.On the 4th retry or later, 20 more minutes will be added for each retry. For example, if the time interval is set to 5 minutes, the 4th retry will be 25 minutes later, the 5th retry will be 45 minutes later, and the 6th retry will be 65 minutes later. Note: If system resource usage is very high, then retries may be slower than this interval. |
15 |
|
|
Enter the maximum number of hours that email can remain in the default, incoming, or outgoing mail queues. During this time, the FortiMail unit periodically retries to send the email. If retries were not successful, and expiry occurs, then the FortiMail unit sends a final delivery status notification (DSN) email to notify the sender that the email was not deliverable. Valid range is from 1 to 240. Alternatively, configure queue-max-delivery-attempt <tries_int>. FortiMail applies whichever occurs first. |
72 |
|
|
Select the number of hours after the 1st delivery failure to deliver the 1stdelivery status notification (DSN) message, notifying the sender that the email was delayed. Valid range is from 1 to 24. |
2 |
|
|
Enter the name of the relay server that will deliver outgoing email. See also mailsetting relay-host-list. |
|
|
|
If enabled, the relay server will be used to deliver outgoing email. If disabled, the FortiMail built-in MTA will be used. |
disable |
|
|
Enable to show acceptable client certificate CA. |
enable |
|
|
Enable to accept the |
enable |
|
|
Enable to accept the |
enable |
|
|
Enable to accept the |
enable |
|
|
smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6} |
When FortiMail delivers email to a host name, it does DNS AAAA and A record lookup. Use this command to specify the IPv4/IPv6 delivery preferences:
|
ipv4-ipv6 |
|
Select how to handle recipient domain names that resolve to the same MTA:
|
domain |
|
|
Normally, to signal the end of the email, the message body should end with an end-of-message (EOM): <CR><LF>.<CR><LF> where However in SMTP servers that are not RFC-compliant, or with attackers, the email does not end with a valid EOM. Instead its EOM is not complete, such as: <LF>.<CR><LF> and then continues with more email and attachments, often from other senders, nested within the same message body as an implicit pipeline. Attacks that use this are called SMTP smuggling. Select either:
Note: For
|
allow |
|
|
Enter the maximum number of concurrent SMTP connections that FortiMail can accept from the SMTP clients. |
Platform dependent |
|
|
Enter the maximum number of hops that FortiMail can accept from the SMTP connections. Valid range is 1 to 200. |
30 |
|
|
Enable to allow your email clients to use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs. For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476. |
disable |
|
|
Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery. |
587 |
|
|
smtp-mtasts-status {check-all-domain | check-external-domain | disable} |
Enable MTA Strict Transport Security (MTA-STS) domain checking:
|
disable |
|
Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. |
25 |
|
|
Enable to allow SMTP service. |
disable |
|
|
Enable for UTF-8 support in SMTP session commands and message headers. This allows non-ASCII characters in
email addresses and international domain names (IDN) in RCPT TO: <pelé@example.com> SMTPUTF8 Disable if SMTP clients are not compatible with SMTPUTF8. For details, see RFC 6530, RFC 6531, RFC 6532, and RFC 6533. |
disable |
|
|
Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections. |
465 |
|
|
Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS. When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted. |
disable |
|
|
Enter the maximum amount of time to wait, after the FortiMail unit initiates it, for the receiving SMTP server to establish the network connection. Valid range is 10 to 120. Note: This timeout applies to all SMTP connections, regardless of whether it is the first connection to that SMTP server or not. |
30 |
|
|
Enter the maximum amount of time to wait for an SMTP server to send SMTP reply code 220 to the FortiMail unit. Valid range is 10 to 360. Note: RFC 2821 recommends a timeout value of 5 minutes (300 seconds). For performance reasons, you may prefer to have a smaller timeout value, which reduces the amount of time spent waiting for sluggish SMTP servers. However, if this causes your FortiMail unit to be unable to successfully initiate an SMTP session with some SMTP servers, consider increasing the timeout. |
30 |