
CLI Reference

system mailserver

Use this command to configure system-wide mail settings.

Syntax

config system mailserver
    config mail-queue
        edit {default | incoming | outgoing}
            set queue-timeout <hours_int>
            set queue-dsn-timeout <days_int>
            set queue-warning <hours_int>
            set queue-retry <minutes_int>
            set queue-max-delivery-attempt <tries_int>
            set queue-max-delivery-attempt-on-dsn <tries_int>
        end
    set queue-regular-delivery-attempt <tries_int>
    set deadmail-expiry <days_int>
    set default-auth-domain <domain_name>
    set defer-delivery-starttime <time_str>
    set defer-delivery-stoptime <time_str>
    set delivery-esmtp {no | yes}
    set delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}
    set delivery-failure-handling-option {normal | relay-to-host}
    set delivery-failure-host <host_name>
    set delivery-failure-min-age <minutes_int>
    set delivery-tracking-status {enable | disable}
    set dsn-ehlo-option {host-name | domain-name | other-name}
    set dsn-ehlo-other-name <name_str>
    set dsn-email-attach-orig {enable | disable}
    set dsn-email-customization-status {enable | disable}
    set dsn-sender-address <email_str>
    set dsn-sender-displayname <name_str>
    set dsn-status {enable | disable}
    set imap-service {enable | disable}
    set ip-pool-direction {all | exclude-internal-to-internal}
    set ldap-domaincheck {enable | disable}
    set ldap-domaincheck-auto-associate {enable | disable}
    set ldap-domaincheck-internal-domain <domain_str>
    set ldap-domaincheck-profile <profile_str>
    set local-domain-name <local-domain_str>
    set pop3-port <port_int>
    set pop3-service {enable | disable}
    set relay-server-name <relay_name>
    set relay-server-status {enable | disable}
    set show-accept-cert-ca {enable | disable}
    set smtp-auth {enable | disable}
    set smtp-auth-over-tls {enable | disable}
    set smtp-auth-smtps {enable | disable}
    set smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}
    set smtp-delivery-session-preference {domain | host}
    set smtp-eom-bare-lf-handling {allow | disallow | ignore}
    set smtp-max-connections <connections_int>
    set smtp-max-hop-count <hops_int>
    set smtp-msa {enable | disable}
    set smtp-msa-port <port_int>
    set smtp-mtasts-status {check-all-domain | check-external-domain | disable}
    set smtp-port <port_int>
    set smtp-service {enable | disable}
    set smtps-port <port_int>
    set smtp-smtputf8 {enable | disable}
    set smtps-tls-status {enable | disable}
    set timeout-connect <seconds_int>
    set timeout-greeting <seconds_int>
end

Variables

deadmail-expiry <days_int>

Enter the number of days to keep permanently undeliverable email in the dead mail folder. Dead mail has both incorrect recipient and sender email addresses, and can neither be delivered nor the sender notified via DSN.

Valid range is from 1 to 365.

Default: 1

default-auth-domain <domain_name>

Enter the domain to use for default authentication.

edit {default | incoming | outgoing}

Enter the name of the mail queue that you want to configure.

Default: default

defer-delivery-starttime <time_str>

Enter the time at which the FortiMail unit begins to process deferred oversized email, using the format hh:mm, where hh is the hour on a 24-hour clock and mm is the minutes.

Default: 00:00

defer-delivery-stoptime <time_str>

Enter the time at which the FortiMail unit stops processing deferred oversized email, using the format hh:mm, where hh is the hour on a 24-hour clock and mm is the minutes.

Default: 00:00

delivery-esmtp {no | yes}

Enter either:

  • yes: Disable the FortiMail unit from delivering email using ESMTP, and use standard SMTP instead.

  • no: Enable the FortiMail unit to deliver email using ESMTP if the SMTP server to which it is connecting supports the protocol.

Default: no

delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}

Select which types of failed network connection the backup relay should take over and retry. Also configure delivery-failure-handling-option {normal | relay-to-host}.

delivery-failure-handling-option {normal | relay-to-host}

Select what to do when email delivery fails temporarily or permanently.

  • normal: Queue the email on FortiMail and use the mail queue settings.

  • relay-to-host: Use another relay (backup relay) for failed deliveries. Also configure delivery-failure-host <host_name>.

Default: normal

delivery-failure-host <host_name>

Enter the host to which email is relayed when access to the original mail host fails.

delivery-failure-min-age <minutes_int>

Enter the time in minutes that undelivered email should wait in the normal queue before the backup relay is tried.

Default: 30

delivery-tracking-status {enable | disable}

Enable to record the following mail delivery statuses in the history log:

  • Delivered
  • Blocked
  • Failed
  • Queued

You can view queued email, except IBE email, in the history log from the right-click pop-up menu. For security reasons, IBE email cannot be viewed in the queue.

Default: disable

dsn-ehlo-option {host-name | domain-name | other-name}

Specify the DSN EHLO/HELO argument to use:

  • host-name: Use the host name of the FortiMail unit.
  • domain-name: Use the local domain name of the FortiMail unit.
  • other-name: Use the customized name specified in dsn-ehlo-other-name <name_str>.

Default: host-name

dsn-ehlo-other-name <name_str>

If dsn-ehlo-option {host-name | domain-name | other-name} is other-name, use this command to enter the customized name.

dsn-email-attach-orig {enable | disable}

Enable to attach the original email to delivery status notifications (DSN) or non-delivery reports (NDR).

Default: disable

dsn-email-customization-status {enable | disable}

Enable DSN and NDR customization.

Default: disable

dsn-sender-address <email_str>

Enter the sender email address for DSN email messages sent by the FortiMail unit to notify email users of delivery failure.

If this string is empty, the FortiMail unit sends DSN from the default sender email address "postmaster@example.com", where "example.com" is the domain name of the FortiMail unit.

dsn-sender-displayname <name_str>

Enter the display name of the sender email address for DSN.

If this string is empty, the FortiMail unit uses the display name "postmaster".

dsn-status {enable | disable}

Enable to allow DSN email generation.

Default: disable

imap-service {enable | disable}

Enable to allow the IMAP service.

Default: enable

ip-pool-direction {all | exclude-internal-to-internal}

By default, IP pools in IP policies and domain settings are applied to all email directions: internal to internal, internal to external, external to internal, and external to external.

You can exempt internal-to-internal email from IP pool usage with the exclude-internal-to-internal option.

Note: IP pools in ACL delivery rules are still applied to internal-to-internal email.

ldap-domaincheck {enable | disable}

Enable to verify the existence of domains that have not been configured as protected domains. Also configure ldap-domaincheck-profile <profile_str> and ldap-domaincheck-auto-associate {enable | disable}.

To verify the existence of an unknown domain, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, and the subsequent action depends on the configuration of ldap-domaincheck-auto-associate {enable | disable}.

Default: disable

ldap-domaincheck-auto-associate {enable | disable}

If ldap-domaincheck {enable | disable} is enable, select whether to enable or disable automatic creation of domain associations.

  • enable: The FortiMail unit automatically adds the unknown domain as an associated domain of the protected domain selected in ldap-domaincheck-internal-domain <domain_str>.

  • disable: If the DNS lookup of the unknown domain name is successful, the FortiMail unit routes the email to the IP address resolved for the domain name during the DNS lookup. Because the domain is not formally defined as a protected domain, the email is considered to be outgoing, and outgoing recipient-based policies are used to scan the email. For more information, see policy recipient.

Default: disable

ldap-domaincheck-internal-domain <domain_str>

If ldap-domaincheck {enable | disable} is enable and ldap-domaincheck-auto-associate {enable | disable} is enable, enter the name of the protected domain with which successfully verified domains will become associated.

ldap-domaincheck-profile <profile_str>

If ldap-domaincheck {enable | disable} is enable, enter the name of the LDAP profile to use when verifying unknown domains.

local-domain-name <local-domain_str>

Enter the name of the domain to which the FortiMail unit belongs, such as example.com.

This option applies only if the FortiMail unit is operating in server mode.

pop3-port <port_int>

Enter the port number on which the FortiMail unit's POP3 server listens for POP3 connections. The default port number is 110.

This option applies only if the FortiMail unit is operating in server mode.

Default: 110

pop3-service {enable | disable}

Enable to allow the POP3 service.

Default: enable

queue-dsn-timeout <days_int>

Select the maximum number of hours a delivery status notification (DSN) can remain in the default, incoming, or outgoing queues. After it reaches the maximum, the FortiMail unit moves the DSN email to the dead mail folder.

If this setting is 0, then the FortiMail unit does not retry DSN delivery.

Valid range is 0 to 10.

Default: 5

queue-max-delivery-attempt <tries_int>

Enter the maximum number of tries to send an email in the default, incoming, or outgoing mail queues. Valid range is 0 to 144. Entering 0 means no limit.

Alternatively, configure queue-timeout <hours_int>. FortiMail applies whichever occurs first.

Default: 0

queue-max-delivery-attempt-on-dsn <tries_int>

Enter the maximum number of tries to send a delivery status notification (DSN) message in the mail queue. Valid range is 0 to 144. Entering 0 means no limit.

Alternatively, configure queue-timeout <hours_int>. FortiMail applies whichever occurs first.

Default: 0

queue-regular-delivery-attempt <tries_int>

Enter the number of delivery tries in the default, incoming, or outgoing mail queues. If delivery is not successful after these tries, the email is moved to a slow mail queue.

Valid range is from 1 to 3.

Tip: Slow queues also try to use queue-retry <minutes_int>, but if FortiMail is busy and system resource usage is high, slow queues have a lower priority than normal queues, so a retry in a slow queue might not occur exactly at the interval time. This allows the FortiMail unit to send valid email more quickly, instead of wasting system resources frequently retrying email that may be invalid (for example, email destined for an invalid MTA) or for an MTA that is too busy or undergoing maintenance.

Slow queues are created automatically; you do not need to create them in config mail-queue.

Default: 3

queue-retry <minutes_int>

Enter the number of minutes between delivery retries for email in the deferred and spam mail queues.

Valid range is from 5 to 120.

Note: This interval applies only to the 1st through 3rd delivery retries. On the 4th retry and later, 20 more minutes are added for each retry. For example, if the time interval is set to 5 minutes, the 4th retry will be 25 minutes later, the 5th retry will be 45 minutes later, and the 6th retry will be 65 minutes later.

Note: If system resource usage is very high, then retries may be slower than this interval.

Default: 15

queue-timeout <hours_int>

Enter the maximum number of hours that email can remain in the default, incoming, or outgoing mail queues. During this time, the FortiMail unit periodically retries sending the email.

If the retries are not successful and the email expires, the FortiMail unit sends a final delivery status notification (DSN) email to notify the sender that the email was not deliverable.

Valid range is from 1 to 240.

Alternatively, configure queue-max-delivery-attempt <tries_int>. FortiMail applies whichever occurs first.

Default: 72

queue-warning <hours_int>

Select the number of hours after the 1st delivery failure at which the 1st delivery status notification (DSN) message is sent, notifying the sender that the email was delayed.

Valid range is from 1 to 24.

Default: 2
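As an added example (not FortiMail code) covering queue-retry, queue-timeout, queue-max-delivery-attempt and queue-warning together, the following Python computes the retry schedule described above for a message that is never accepted, and reports which of the two limits expires it first. It assumes that the initial delivery attempt counts as try 1 and that the delayed-mail warning DSN is superseded when expiry comes first; both are assumptions for the illustration, not statements from this reference.

```python
def retry_interval(n: int, queue_retry: int) -> int:
    """Minutes between retry n-1 and retry n (n >= 1).

    Retries 1-3 wait queue-retry minutes; from the 4th retry on, 20 minutes are
    added per retry, so queue-retry=5 gives 25, 45 and 65 minutes for retries 4-6.
    """
    if not 5 <= queue_retry <= 120:
        raise ValueError("queue-retry must be 5..120 minutes")
    if n < 1:
        raise ValueError("retry number starts at 1")
    return queue_retry if n <= 3 else queue_retry + 20 * (n - 3)


def delivery_schedule(queue_retry: int, queue_timeout: int,
                      max_attempts: int, queue_warning: int) -> dict:
    """Simulate a message whose every delivery attempt fails.

    Returns the attempt times in minutes after the first (failed) attempt, when
    the delayed-mail warning DSN goes out, when the message expires, and which
    limit caused the expiry.  Assumption: the initial attempt counts as try 1.
    """
    if not 1 <= queue_timeout <= 240:
        raise ValueError("queue-timeout must be 1..240 hours")
    if not 0 <= max_attempts <= 144:
        raise ValueError("queue-max-delivery-attempt must be 0..144 (0 = no limit)")
    if not 1 <= queue_warning <= 24:
        raise ValueError("queue-warning must be 1..24 hours")

    timeout_min = queue_timeout * 60
    attempts = [0]          # minute 0: the initial delivery attempt fails
    n = 0                   # retry counter
    while True:
        if max_attempts and len(attempts) >= max_attempts:
            expiry, reason = attempts[-1], "max-delivery-attempt"
            break
        n += 1
        t = attempts[-1] + retry_interval(n, queue_retry)
        if t > timeout_min:
            # The next retry would fall after queue-timeout: the queue limit wins.
            expiry, reason = timeout_min, "queue-timeout"
            break
        attempts.append(t)

    # Assumption: the "delayed" warning DSN is only sent while the message is
    # still queued; if expiry comes first, the final DSN is the only notice.
    warning_min = queue_warning * 60
    warning = warning_min if warning_min < expiry else None
    return {"attempts": attempts, "warning_dsn": warning,
            "expiry": expiry, "reason": reason}


if __name__ == "__main__":
    # Defaults except queue-retry=5, the value used in the reference's example.
    s = delivery_schedule(queue_retry=5, queue_timeout=72, max_attempts=0, queue_warning=2)
    print(len(s["attempts"]), "attempts; expires at minute", s["expiry"], "by", s["reason"])
```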

relay-server-name <relay_name>

Enter the name of the relay server that will deliver outgoing email. See also mailsetting relay-host-list.

relay-server-status {enable | disable}

If enabled, the relay server is used to deliver outgoing email. If disabled, the FortiMail built-in MTA is used.

Default: disable

show-accept-cert-ca {enable | disable}

Enable to show the acceptable client certificate CAs.

Default: enable

smtp-auth {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP.

Default: enable

smtp-auth-over-tls {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP over TLS.

Default: enable

smtp-auth-smtps {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTPS (SMTP with SSL).

Default: enable

smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}

When FortiMail delivers email to a host name, it performs DNS AAAA and A record lookups.

Use this command to specify the IPv4/IPv6 delivery preference:

  • ipv4-ipv6: Try to deliver to the IPv4 address first. If the IPv4 address is not accessible, try the IPv6 address. Because most MTAs support IPv4, this is the default setting.
  • ipv6-ipv4: Try IPv6 first, then IPv4. However, if the AAAA record does not exist, the extra AAAA DNS lookup for IPv6 addresses may delay email delivery.
  • ipv4: Try IPv4 only. This setting is not recommended.
  • ipv6: Try IPv6 only. This setting is not recommended.

Default: ipv4-ipv6

smtp-delivery-session-preference {domain | host}

Select how to handle recipient domain names that resolve to the same MTA:

  • host: Send the emails to the server in the same SMTP session.

  • domain: Send the emails in separate sessions.

    Tip: Select this option if you use the Google business email service. It does not accept multiple destination domains per SMTP transaction, which results in repeated delivery attempts and delayed email.

Default: domain

smtp-eom-bare-lf-handling {allow | disallow | ignore}

Normally, to signal the end of the email, the message body should end with an end-of-message (EOM) sequence:

<CR><LF>.<CR><LF>

where <CR> is a carriage return and <LF> is a line feed.

However, with SMTP servers that are not RFC-compliant, or with attackers, the email does not end with a valid EOM. Instead, its EOM is incomplete, such as:

<LF>.<CR><LF>

and the data then continues with more email and attachments, often from other senders, nested within the same message body as an implicit pipeline. Attacks that use this are called SMTP smuggling.

Select either:

  • allow: Accept the message body, but clean up and replace each bare LF or CR between emails with a valid EOM, which splits the message body and normalizes the EOMs for downstream email servers and clients. This is the same behavior as FortiMail 7.4 and older.

    Caution: If a nested email is from a different sender, it may not be authenticated. To reduce this risk, you can use other features. For example, you could disable smtp-diff-identity {enable | disable} and enable dkim-checking {enable | disable}.

  • ignore: Accept the message body, and keep the bare LF or CR between emails as-is so that the message body stays together for downstream mail servers and clients.

  • disallow: Reject the message body if it contains a bare LF or CR. This option is the most secure, but is not compatible with non-standard email servers. If you want to disable explicit pipelining too, configure session-allow-pipelining {yes | no}.

Note: For allow and ignore, FortiMail still requires that the last EOM is valid. It waits up to 3 minutes for it. If it does not occur, the action differs by option:

  • allow: Rejects the last email only, with a log message that explains a bad pipeline.

  • ignore: Rejects all email in the nested message body, with log messages that explain a bare LF or bare CR, similar to disallow.

Default: allow
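As an added example (not FortiMail code), the following Python models the three smtp-eom-bare-lf-handling options on a received DATA stream, including the differing outcomes when the final valid EOM never arrives. The sample stream, the 3-minute wait (not modelled) and the function names are constructed for this illustration.

```python
import re

VALID_EOM = b"\r\n.\r\n"

# A dot line framed by any line break (CRLF, lone CR or lone LF) on either side.
# Only the CRLF/CRLF form is the RFC 5321 end-of-message; the others are "bare".
_ANY_EOM_RE = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")
# A CR not followed by LF, or an LF not preceded by CR.
_BARE_BREAK_RE = re.compile(rb"\r(?!\n)|(?<!\r)\n")

# Constructed DATA stream: a first message ended by <LF>.<CR><LF> (bare LF before
# the dot line), then a second message nested in the same body, then the valid
# <CR><LF>.<CR><LF> that the SMTP server actually recognizes.
SAMPLE_STREAM = (
    b"From: alice@example.com\r\nSubject: quarterly report\r\n\r\nSee attached.\n.\r\n"
    b"From: unknown@example.org\r\nSubject: nested\r\n\r\nsecond body\r\n.\r\n"
)


def find_bare_breaks(payload: bytes) -> list:
    """Offsets of every bare CR or bare LF in the DATA payload."""
    return [m.start() for m in _BARE_BREAK_RE.finditer(payload)]


def split_on_bare_eom(payload: bytes) -> list:
    """Split the payload wherever a non-standard EOM such as <LF>.<CR><LF> occurs.

    A valid CRLF.CRLF is never a split point, so a clean message comes back whole.
    """
    parts, last = [], 0
    for m in _ANY_EOM_RE.finditer(payload):
        if m.group(0) == VALID_EOM:
            continue
        parts.append(payload[last:m.start()])
        last = m.end()
    parts.append(payload[last:])
    return parts


def handle_data(stream: bytes, mode: str) -> tuple:
    """Apply one smtp-eom-bare-lf-handling mode to everything received after DATA.

    Returns (accepted_messages, rejected_count).  `stream` is assumed to end with
    the valid EOM if one arrived before the wait expired, and to lack it otherwise.
    """
    if mode not in ("allow", "ignore", "disallow"):
        raise ValueError(f"unknown mode {mode!r}")
    terminated = stream.endswith(VALID_EOM)
    payload = stream[:-len(VALID_EOM)] if terminated else stream
    bare = find_bare_breaks(payload)

    if mode == "disallow":
        # Most secure: any bare CR/LF rejects the whole body; so does a missing EOM.
        if bare or not terminated:
            return [], 1
        return [payload], 0

    if mode == "ignore":
        # Keep the body together as-is; without a valid final EOM, reject all of it.
        if terminated:
            return [payload], 0
        return [], len(split_on_bare_eom(payload))

    # allow: split at each non-standard EOM and normalise the pieces to CRLF so
    # downstream hosts see separate, well-terminated messages.
    parts = [_BARE_BREAK_RE.sub(b"\r\n", p) for p in split_on_bare_eom(payload)]
    if terminated:
        return parts, 0
    # No valid final EOM: only the last (unterminated) nested email is rejected.
    return parts[:-1], 1


if __name__ == "__main__":
    for mode in ("allow", "ignore", "disallow"):
        accepted, rejected = handle_data(SAMPLE_STREAM, mode)
        print(f"{mode:9s} accepted={len(accepted)} rejected={rejected}")
```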

smtp-max-connections <connections_int>

Enter the maximum number of concurrent SMTP connections that FortiMail can accept from SMTP clients.

Default: platform dependent

smtp-max-hop-count <hops_int>

Enter the maximum number of hops that FortiMail accepts for email received over SMTP connections. Valid range is 1 to 200.

Default: 30

smtp-msa {enable | disable}

Enable to allow your email clients to use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients, as distinct from SMTP used by MTAs, see RFC 2476.

Default: disable

smtp-msa-port <port_int>

Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery.

Default: 587

smtp-mtasts-status {check-all-domain | check-external-domain | disable}

Enable MTA Strict Transport Security (MTA-STS) domain checking:

  • check-all-domain: FortiMail checks recipient domain MTA-STS records (including TLS version, format, and MTA-STS policy) for outgoing email to both internal and external domains.

  • check-external-domain: FortiMail performs MTA-STS checking only when delivering outgoing email to external domains.

  • disable: Disable MTA-STS domain checking.

Default: disable

smtp-port <port_int>

Enter the port number on which the FortiMail unit's SMTP server listens for SMTP connections.

Default: 25

smtp-service {enable | disable}

Enable to allow the SMTP service.

Default: disable

smtp-smtputf8 {enable | disable}

Enable for UTF-8 support in SMTP session commands and message headers. This allows non-ASCII characters in email addresses and international domain names (IDN) in EHLO hostnames and the domain parts of email addresses. For example, non-ASCII recipient email addresses must be followed by the SMTPUTF8 keyword:

RCPT TO: <pelé@example.com> SMTPUTF8

Disable if SMTP clients are not compatible with SMTPUTF8.

For details, see RFC 6530, RFC 6531, RFC 6532, and RFC 6533.

Default: disable

smtps-port <port_int>

Enter the port number on which the FortiMail unit's built-in MTA listens for secure SMTP connections.

Default: 465

smtps-tls-status {enable | disable}

Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit's built-in MTA must occur as clear text, unencrypted.

Default: disable

timeout-connect <seconds_int>

Enter the maximum amount of time to wait, after the FortiMail unit initiates the connection, for the receiving SMTP server to establish the network connection.

Valid range is 10 to 120.

Note: This timeout applies to all SMTP connections, regardless of whether it is the first connection to that SMTP server.

Default: 30

timeout-greeting <seconds_int>

Enter the maximum amount of time to wait for an SMTP server to send SMTP reply code 220 to the FortiMail unit.

Valid range is 10 to 360.

Note: RFC 2821 recommends a timeout value of 5 minutes (300 seconds). For performance reasons, you may prefer a smaller timeout value, which reduces the time spent waiting for sluggish SMTP servers. However, if this causes your FortiMail unit to be unable to initiate an SMTP session with some SMTP servers, consider increasing the timeout.

Default: 30

Related topics

system dns

system route

mailsetting relay-host-list

system encryption ibe

system mailserver

system mailserver

Use this command to configure system-wide mail settings.

Syntax

config system mailserver

config mail-queue

edit {default | incoming | outgoing}

set queue-timeout <hours_int>

set queue-dsn-timeout <days_int>

set queue-warning <hours_int>

set queue-retry <minutes_int>

set queue-max-delivery-attempt <tries_int>

set queue-max-delivery-attempt-on-dsn <tries_int>

end

set queue-regular-delivery-attempt <tries_int>

set deadmail-expiry <days_int>

set default-auth-domain <domain_name>

set defer-delivery-starttime <time_str>

set defer-delivery-stoptime <time_str>

set delivery-esmtp {no | yes}

set delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}

set delivery-failure-handling-option {normal | relay-to-host}

set delivery-failure-host <host_name>

set delivery-failure-min-age <minutes_int>

set delivery-tracking-status {enable | disable}

set dsn-ehlo-option {host-name | domain-name | other-name}

set dsn-ehlo-other-name <name_str>

set dsn-email-attach-orig {enable | disable}

set dsn-email-customization-status {enable | disable}

set dsn-sender-address <email_str>

set dsn-sender-displayname <name_str>

set dsn-status {enable | disable}

set imap-service {enable | disable}

set ip-pool-direction {all | exclude-internal-to-internal}

set ldap-domaincheck {enable | disable}

set ldap-domaincheck-auto-associate {enable | disable}

set ldap-domaincheck-internal-domain <domain_str>

set ldap-domaincheck-profile <profile_str>

set local-domain-name <local-domain_str>

set pop3-port <port_int>

set pop3-service {enable | disable}

set relay-server-name <relay_name>

set relay-server-status {enable |disable}

set show-accept-cert-ca {enable | disable}

set smtp-auth {enable | disable}

set smtp-auth-over-tls {enable | disable}

set smtp-auth-smtps {enable | disable}

set smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}

set smtp-delivery-session-preference {domain | host}

set smtp-eom-bare-lf-handling {allow | disallow | ignore}

set smtp-max-connections <connections_int>

set smtp-max-hop-count <hops_int>

set smtp-msa {enable | disable}

set smtp-msa-port <port_int>

set smtp-mtasts-status {check-all-domain | check-external-domain | disable}

set smtp-port <port_int>

set smtp-service {enable | disable}

set smtps-port <port_int>

set smtp-smtputf8 {enable | disable}

set smtps-tls-status {enable | disable}

set timeout-connect <seconds_int>

set timeout-greeting <seconds_int>

end

Variable

Description

Default

deadmail-expiry <days_int>

Enter the number of days to keep permanently undeliverable email in the dead mail folder. Dead mail has both incorrect recipient and sender email addresses, and can neither be delivered nor the sender notified via DSN.

Valid range is from 1 to 365.

1

default-auth-domain <domain_name>

Enter the domain to use for default authentication.

{default | incoming | outgoing}

Enter the name of the mail queue that you want to configure.

default

defer-delivery-starttime <time_str>

Enter the time that the FortiMail unit will begin to process deferred oversized email, using the format hh:mm, where hh is the hour according to a 24-hour clock, and mm is the minutes.

00:00

defer-delivery-stoptime <time_str>

Enter the time that the FortiMail unit will stop processing deferred oversized email, using the format hh:mm, where hh is the hour according to a 24-hour clock, and mm is the minutes.

00:00

delivery-esmtp {no | yes}

Enter either:

  • yes: Disable the FortiMail unit from delivering email using ESMTP, and use standard SMTP instead.

  • no: Enable the FortiMail unit to deliver email using ESMTP if the SMTP server to which it is connecting supports the protocol.

no

delivery-failure-conditions {dns-failure | mta-failure-permanant | mta-failure-temporary | network-failure-connection | network-failure-other}

Select which type of failed network connections that the backup relay should take over and retry. Also configure delivery-failure-handling-option {normal | relay-to-host}.

delivery-failure-handling-option {normal | relay-to-host}

Select what to do when email delivery failstemporarily or permanently.

  • normal: Queue the email on FortiMail and use the mail queue settings.

  • relay-to-host: Use another relay (backup relay) that you want to use for failed deliveries. Also configure delivery-failure-host <host_name>.

normal

delivery-failure-host <host_name>

Enter a host to relay email when access to original mail host fails.

delivery-failure-min-age <minutes_int>

Enter the time in minutes the undelivered email should wait in the normal queue before trying the backup relay.

30

delivery-tracking-status {enable | disable}

Enable to record the following mail delivery statuses in the history log:

  • Delivered
  • Blocked
  • Failed
  • Queued

You can view queued email except IBE email in the history log from the right-click pop-up menu. For security reasons, IBE email cannot be viewed in the queue.

disable

dsn-ehlo-option {host-name | domain-name | other-name}

Specify the DSN EHLO/HELO argument to use:

  • host-name: Use the host name of the FortiMail unit.
  • domain-name: Use the local domain name of the FortiMail unit.
  • other-name: Use a customized name specified in dsn-ehlo-other-name <name_str>.

host-name

dsn-ehlo-other-name <name_str>

If dsn-ehlo-option {host-name | domain-name | other-name} is other-name, use this command to enter the customized name.

dsn-email-attach-orig {enable | disable}

Enable to attach original email in delivery status notifications (DSN) or non-delivery reports (NDR).

disable

dsn-email-customization-status {enable | disable}

Enable DSN and NDR customization.

disable

dsn-sender-address <email_str>

Enter the sender email address in DSN email messages sent by the FortiMail unit to notify email users of delivery failure.

If this string is empty, the FortiMail unit sends DSN from the default sender email address of “postmaster@example.com", where “example.com" is the domain name of the FortiMail unit.

dsn-sender-displayname <name_str>

Enter the display name of the sender email address for DSN.

If this string is empty, the FortiMail unit uses the display name “postmaster".

dsn-status {enable | disable}

Enable to allow DSN email generation.

disable

imap-service {enable | disable}

Enable to allow IMAP service.

enable

ip-pool-direction {all | exclude-internal-to-internal}

By default, IP pools in IP policies and domain settings will be applied to all email directions, including internal to internal, internal to external, external to internal, and external to external.

You can exempt IP pool usage for internal-to-internal email using the exclude-internal-to-internal option.

Note: IP pools in ACL delivery rules are still applied to internal-to-internal email.

ldap-domaincheck {enable | disable}

Enable to verify the existence of domains that have not been configured as protected domains. Also configure ldap-domaincheck-profile <profile_str> and ldap-domaincheck-auto-associate {enable | disable}.

To verify the existence of unknown domains, the FortiMail unit queries an LDAP server for a user object that contains the email address. If the user object exists, the verification is successful, the action varies by configuration of ldap-domaincheck-auto-associate {enable | disable}.

disable

ldap-domaincheck-auto-associate {enable | disable}

If ldap-domaincheck {enable | disable} is enable, select whether to enable or disable automatic creation of domain associations.

  • enable: The FortiMail unit automatically adds the unknown domain as a domain associated of the protected domain selected in ldap-domaincheck-internal-domain <domain_str>.

  • disable: If the DNS lookup of the unknown domain name is successful, the FortiMail unit routes the email to the IP address resolved for the domain name during the DNS lookup. Because the domain is not formally defined as a protected domain, the email is considered to be outgoing, and outgoing recipient-based policies are used to scan the email. For more information, see policy recipient.

disable

ldap-domaincheck-internal-domain <domain_str>

If ldap-domaincheck {enable | disable} is enable, and ldap-domaincheck-auto-associate {enable | disable} is enable, enter name of the protected domain with which successfully verified domains will become associated.

ldap-domaincheck-profile <profile_str>

If ldap-domaincheck {enable | disable} is enable, enter the name of the LDAP profile to use when verifying unknown domains.

local-domain-name <local-domain_str>

Enter the name of the domain to which the FortiMail unit belongs, such as example.com.

This option applies only if the FortiMail unit is operating in server mode.

pop3-port <port_int>

Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.

This option applies only if the FortiMail unit is operating in server mode.

110

pop3-service {enable | disable}

Enable to allow POP3 service.

enable

queue-dsn-timeout <days_int>

Select the maximum number of hours a delivery status notification (DSN) can remain in the default, incoming, or outgoing queues. After it reaches the maximum, the FortiMail unit moves the DSN email to the dead mail folder.

If this setting is 0, then the FortiMail unit does not retry for DSN.

Valid range is 0 to 10.

5

queue-max-delivery-attempt <tries_int>

Enter the maximum number of tries to send an email in the default, incoming, or outgoing mail queues. Valid range is 0 to 144. Entering 0 means no limit.

Alternatively, configure queue-timeout <hours_int>. FortiMail applies whichever occurs first.

0

queue-max-delivery-attempt-on-dsn <tries_int>

Enter the maximum number of tries to send a delivery status notification (DSN) message in the mail queue. Valid range is 0 to 144. Entering 0 means no limit.

Alternatively, configure queue-timeout <hours_int>. FortiMail applies whichever occurs first.

0

queue-regular-delivery-attempt <tries_int>

Enter the number of tries for a delivery in the default, incoming, or outgoing mail queues. If delivery is not successful, then the email is moved to a slow mail queue.

Valid range is from 1 to 3.

Tip: Slow queues also try to use queue-retry <minutes_int>, but if FortiMail is busy and system resource usage is high, then slow queues have a lower priority than normal queues, so a retry in a slow queue might not occur exactly at the interval time.This allows the FortiMail unit to send valid email more quickly, instead of wasting system resources frequently retrying email that may be invalid (for example, email destined to an invalid MTA) or for an MTA that is too busy or undergoing maintenance.

Slow queues are created automatically; you do not need to create them in config mail-queue.

3

queue-retry <minutes_int>

Enter the number of minutes between delivery retries for email in the deferred and spam mail queues.

Valid range is from 5 to 120.

Note: This interval only applies to the 1st through 3rd delivery retries.On the 4th retry or later, 20 more minutes will be added for each retry. For example, if the time interval is set to 5 minutes, the 4th retry will be 25 minutes later, the 5th retry will be 45 minutes later, and the 6th retry will be 65 minutes later.

Note: If system resource usage is very high, then retries may be slower than this interval.

15

queue-timeout <hours_int>

Enter the maximum number of hours that email can remain in the default, incoming, or outgoing mail queues. During this time, the FortiMail unit periodically retries to send the email.

If retries were not successful, and expiry occurs, then the FortiMail unit sends a final delivery status notification (DSN) email to notify the sender that the email was not deliverable.

Valid range is from 1 to 240.

Alternatively, configure queue-max-delivery-attempt <tries_int>. FortiMail applies whichever occurs first.

72

queue-warning <hours_int>

Select the number of hours after the 1st delivery failure to deliver the 1stdelivery status notification (DSN) message, notifying the sender that the email was delayed.

Valid range is from 1 to 24.

2

relay-server-name <relay_name>

Enter the name of the relay server that will deliver outgoing email. See also mailsetting relay-host-list.

relay-server-status {enable | disable}

If enabled, the relay server will be used to deliver outgoing email. If disabled, the FortiMail built-in MTA will be used.

Default: disable

show-accept-cert-ca {enable | disable}

Enable to show the acceptable client certificate CAs.

Default: enable

smtp-auth {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP.

Default: enable

smtp-auth-over-tls {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTP over TLS.

Default: enable

smtp-auth-smtps {enable | disable}

Enable to accept the AUTH command to authenticate email users for connections using SMTPS (SMTP with SSL).

Default: enable

smtp-delivery-addr-pref {ipv4-ipv6 | ipv6-ipv4 | ipv4 | ipv6}

When FortiMail delivers email to a host name, it does DNS AAAA and A record lookup.

Use this command to specify the IPv4/IPv6 delivery preferences:

  • ipv4-ipv6: Try to deliver to the IPv4 address first. If the IPv4 address is not accessible, try the IPv6 address. Because most MTAs support IPv4, this is the default setting.
  • ipv6-ipv4: Try IPv6 first, then IPv4. However, if the AAAA record does not exist, the extra AAAA DNS lookup for IPv6 addresses will potentially cause email delivery delay.
  • ipv4: Try IPv4 only. This setting is not recommended.
  • ipv6: Try IPv6 only. This setting is not recommended.

Default: ipv4-ipv6

smtp-delivery-session-preference {domain | host}

Select how to handle recipient domain names that resolve to the same MTA:

  • host: Send the emails to the server in the same SMTP session.

  • domain: Send the emails in separate sessions.

    Tip: Select this option if you use Google business email service. It does not accept multiple destination domains per SMTP transaction, resulting in repeated delivery attempts and delayed email.

Default: domain

smtp-eom-bare-lf-handling {allow | disallow | ignore}

Normally, to signal the end of the email, the message body should end with an end-of-message (EOM):

<CR><LF>.<CR><LF>

where <CR> is a carriage return and <LF> is a line feed.

However, with SMTP servers that are not RFC-compliant, or with attackers, the email does not end with a valid EOM. Instead, its EOM is incomplete, such as:

<LF>.<CR><LF>

and then continues with more email and attachments, often from other senders, nested within the same message body as an implicit pipeline. Attacks that use this are called SMTP smuggling.

Select either:

  • allow: Accept the message body, but clean up and replace each bare LF or CR between emails with a valid EOM, which splits the message body and normalizes the EOMs for downstream email servers and clients. This is the same behavior as FortiMail 7.4 and older.

    Caution: If a nested email is from a different sender, it may not be authenticated. To reduce this risk, you can use other features. For example, you could disable smtp-diff-identity {enable | disable} and enable dkim-checking {enable | disable}.

  • ignore: Accept the message body, and keep the bare LF or CR between email as-is so that the message body is still together for downstream mail servers and clients.

  • disallow: Reject the message body if it contains a bare LF or CR. This option is most secure, but is not compatible with non-standard email servers. If you want to disable explicit pipelining too, configure session-allow-pipelining {yes | no}.

Note: For allow and ignore, FortiMail still requires that the last EOM is valid. It waits up to 3 minutes for it. If it does not occur, then the action may be different:

  • allow: Rejects the last email only, with a log message that explains a bad pipeline.

  • ignore: Rejects all email in the nested message body, with log messages that explain a bare LF or bare CR, similar to disallow.

Default: allow
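The three options above, modeled as an added example (not FortiMail code) that scans one received DATA payload for incomplete EOMs and applies allow, ignore or disallow, including the final-EOM rule from the note. Rejecting a missing final EOM under disallow is an assumption not stated on the page.

```python
# Added example, not FortiMail code: a minimal model of the three
# smtp-eom-bare-lf-handling options applied to one received DATA payload.
# Assumption (not stated above): a missing final EOM under disallow is rejected.
import re
from typing import List, Tuple

CANONICAL_EOM = b"\r\n.\r\n"            # <CR><LF>.<CR><LF>, as described above
# An incomplete EOM: a bare LF (no CR before it) or a bare CR ahead of the dot line.
BARE_EOM = re.compile(rb"(?<!\r)\n\.\r\n|\r\.\r\n")


def handle_eom(body: bytes, mode: str) -> Tuple[List[bytes], List[str]]:
    """Return (accepted message bodies, log lines) for allow/ignore/disallow."""
    if mode not in ("allow", "ignore", "disallow"):
        raise ValueError("mode must be allow, ignore or disallow")
    bare = list(BARE_EOM.finditer(body))
    kinds = sorted({"bare LF" if m.group().startswith(b"\n") else "bare CR" for m in bare})
    has_final = body.endswith(CANONICAL_EOM)
    log: List[str] = []

    if mode == "disallow":                 # most secure: any incomplete EOM rejects the body
        if bare:
            log.append("reject: " + ", ".join(kinds) + " before EOM")
            return [], log
        if not has_final:
            log.append("reject: no valid final EOM")
            return [], log
        return [body], log

    if mode == "ignore":                   # keep the body together; final EOM must be valid
        if has_final:
            return [body], log
        log.append("reject all: " + (", ".join(kinds) or "no valid final EOM"))
        return [], log

    # allow: split at every incomplete EOM and terminate each piece canonically,
    # so downstream servers and clients only ever see <CR><LF>.<CR><LF>.
    pieces, start = [], 0
    for m in bare:
        pieces.append(body[start:m.start()] + CANONICAL_EOM)
        start = m.end()
    if has_final:
        pieces.append(body[start:])
    else:
        log.append("reject last: bad pipeline (no valid final EOM)")
    return pieces, log


# Constructed sample: two messages joined by an incomplete <LF>.<CR><LF> terminator.
SAMPLE = b"From: a@example.com\r\n\r\nfirst\n.\r\nFrom: b@example.com\r\n\r\nsecond\r\n.\r\n"
```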

smtp-max-connections <connections_int>

Enter the maximum number of concurrent SMTP connections that FortiMail can accept from SMTP clients.

Default: platform dependent

smtp-max-hop-count <hops_int>

Enter the maximum number of hops that FortiMail can accept from the SMTP connections. Valid range is 1 to 200.

Default: 30

smtp-msa {enable | disable}

Enable to allow your email clients to use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476.

Default: disable

smtp-msa-port <port_int>

Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery.

Default: 587

smtp-mtasts-status {check-all-domain | check-external-domain | disable}

Enable MTA Strict Transport Security (MTA-STS) domain checking:

  • check-all-domain: FortiMail checks recipient domain MTA-STS records (including TLS version, format, and MTA-STS policy) for outgoing email to both internal and external domains.

  • check-external-domain: FortiMail performs MTA-STS checking only when delivering outgoing email to external domains.

  • disable: Disable MTA-STS domain checking.

Default: disable

smtp-port <port_int>

Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections.

Default: 25

smtp-service {enable | disable}

Enable to allow SMTP service.

Default: disable

smtp-smtputf8 {enable | disable}

Enable for UTF-8 support in SMTP session commands and message headers. This allows non-ASCII characters in email addresses and international domain names (IDN) in EHLO hostnames and the domain parts of email addresses. For example, non-ASCII recipient email addresses must be followed by the SMTPUTF8 keyword:

RCPT TO: <pelé@example.com> SMTPUTF8

Disable if SMTP clients are not compatible with SMTPUTF8.

For details, see RFC 6530, RFC 6531, RFC 6532, and RFC 6533.

Default: disable

smtps-port <port_int>

Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections.

Default: 465

smtps-tls-status {enable | disable}

Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted.

Default: disable

timeout-connect <seconds_int>

Enter the maximum amount of time to wait for the receiving SMTP server to establish the network connection after the FortiMail unit initiates it.

Valid range is 10 to 120.

Note: This timeout applies to all SMTP connections, regardless of whether it is the first connection to that SMTP server or not.

Default: 30

timeout-greeting <seconds_int>

Enter the maximum amount of time to wait for an SMTP server to send SMTP reply code 220 to the FortiMail unit.

Valid range is 10 to 360.

Note: RFC 2821 recommends a timeout value of 5 minutes (300 seconds). For performance reasons, you may prefer to have a smaller timeout value, which reduces the amount of time spent waiting for sluggish SMTP servers. However, if this causes your FortiMail unit to be unable to successfully initiate an SMTP session with some SMTP servers, consider increasing the timeout.

Default: 30

Related topics

system dns

system route

mailsetting relay-host-list

system encryption ibe