policy access-control receive

Use this command to configure access control policies that apply to SMTP sessions being received by the FortiMail unit (initiated by SMTP clients).

Access control policies, sometimes also called the access control list or ACL, specify whether the FortiMail unit will process and relay/proxy, reject, or discard email messages in SMTP sessions.

When an SMTP client tries to send email through the FortiMail unit, the FortiMail unit compares each access control policy to the commands used by the SMTP client during the SMTP session, such as the:

sender email address in the SMTP envelope (MAIL FROM:)
recipient email address in the SMTP envelope (RCPT TO:)
domain name of the SMTP client that is delivering the email (HELO/EHLO)
authentication (AUTH)
session encryption (STARTTLS)

Policies are evaluated for a match in sequential order, from top to bottom of the list. If all attributes of a policy match, then the FortiMail unit applies the action in the policy or TLS profile, and stops match evaluation. Remaining access control policies, if any, are not applied.

Only one access control policy is applied to an SMTP session.

If no access control rules exist, or none match, then the action varies by whether the SMTP client authenticated:

Authenticated: Email is relayed/proxied.
Not authenticated: Default action is performed.

The default action varies by whether or not the recipient email address in the SMTP envelope (RCPT TO:) is a member of a protected domain:

Protected domain: Relay/proxy with greylisting.
Not protected domain:Reject.

Syntax

config policy access-control receive

edit <policy_name>

[set comment "<comment_str>"]

set status {enable | disable}

set sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

set sender-pattern <sender_pattern>

set sender-pattern-group <group_name>

set sender-pattern-ldap-groupname <group_name>

set sender-pattern-ldap-profile <profile_name>

set recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

set recipient-pattern <recipient_pattern>

set recipient-pattern-group <group_name>

set recipient-pattern-ldap-groupname <group_name>

set recipient-pattern-ldap-profile <profile_name>

set sender-ip-type {geoip-group | ip-group | ip-mask | isdb | ldap-query}

set sender-geoip-group <group_name>

set sender-ip-group <ip-group_name>

set sender-ip-mask <client_ipv4/mask>

set sender-isdb {8x8 ...}

set sender-ip-ldap-profile <profile_name>

set reverse-dns-type {ldap-query | regexp | wildcard}

set reverse-dns-pattern <client-fqdn_pattern>

set reverse-dns-ldap-profile <profile_name>

set forged-ip-check {any | fail | pass}

set authenticated {any | authenticated | not-authenticated}

set tls-profile <profile_name>

set action {discard | receive | reject | relay | safe | safe-relay}

end

Variable	Description	Default
<policy_name>	Enter the number that identifies the policy. Note: The identifier number may be different from the order of evaluation. FortiMail units evaluate these policies in sequential order, starting at the top of the list. Only the first matching policy is applied. For example, if you enter: move 15 before 1 then policy 15 is evaluated for a match before policy 1. To show the order of evaluation for the list of policies, enter: config policy access-control receive get
action {discard \| receive \| reject \| relay \| safe \| safe-relay}	Select which action the FortiMail unit will perform for SMTP sessions that match this policy: `reject`: Reject delivery of the email (SMTP reply code `550 Relaying denied`). `discard`: Accept the email (SMTP reply code `250 OK`), but then silently delete it and do not deliver it. `relay`: Accept the email (SMTP reply code `250 OK`), regardless of authentication or protected domain. Do not greylist, but continue with remaining antispam and other scans. `safe`: Accept the email (SMTP reply code `250 OK`) if the sender authenticates or recipient belongs to a protected domain. Greylist, but skip remaining antispam scans. Continue other scans such as antivirus. Otherwise, if the sender does not authenticate, or the recipient does not belong to a protected domain, then reject delivery of the email (SMTP reply code `554 5.7.1 Relaying denied`). In older FortiMail versions, this setting was named `bypass`. `safe-relay`: Like `relay`, do not greylist, but also skip remaining antispam scans. `receive`: Like `relay`, but greylist, and require authentication or protected domain. Otherwise, if the sender does not authenticate or the recipient does not belong to a protected domain, then FortiMail rejects (SMTP reply code `554 5.7.1 Relaying denied`). Tip:`receive` is usually used when you need to apply a TLS profile, but do not want to safelist nor allow outbound, which `relay` does. If you do not need to apply a TLS profile, then a policy with this action is often not required because by default, email inbound to protected domains is relayed/proxied.	reject
authenticated {any \| authenticated \| not-authenticated}	Select whether to match this policy based upon whether SMTP clients have authenticated with the FortiMail unit, either: `any`: Ignore authentication status. `authenticated`: Match this policy if the SMTP client has authenticated. `not-authenticated`: Match this policy if the SMTP client has not authenticated.	any
comment "<comment_str>"	Enter a description or comment. If a comment exists, it is displayed as a tool tip when you mouse-over the ID column in the list of policies in the GUI.
forged-ip-check {any \| fail \| pass}	When the forged IP check is enabled, FortiMail will perform a reverse (PTR record) lookup on the IP address of a connecting host to get a hostname. It will then perform a forward (A record) lookup on that hostname, and compare the returned IP address to that of the connecting host. If they do not match, then the IP address of the connecting host is considered "forged". Select which of the following forged IP check result will be matched to this policy: `any`: Ignore the check result. `fail`: Match this policy if the check is a fail. `pass`: Match this policy if the check is a pass. If the DNS queries fail, or the result does not match this setting, then the policy does not match. Note: The domain name must be a valid top level domain (TLD). For example, “.lab” is not valid because it is reserved for testing on RFC 1918 private networks, not the Internet. Thus a reverse DNS query to public DNS servers on the Internet will always fail.	any
recipient-pattern <recipient_pattern>	Enter an email address or pattern. Formatting is the same as sender-pattern <sender_pattern>. This setting is available only when recipient-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp} is `default` or `regexp`.	*
recipient-pattern-group <group_name>	Enter the group of recipient email addresses. This setting is available only if recipient-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp} is `group`.
recipient-pattern-ldap-groupname <group_name>	Enter the group of recipient email addresses that is in the directory server. This setting is available only if recipient-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp} is `ldap`.
recipient-pattern-ldap-profile <profile_name>	Enter an LDAP profile. This setting is available only if recipient-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp} is `ldap`. Note: Use `$m` in the LDAP query string to match recipient email addresses.
recipient-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp}	Select how you will define the recipient email addresses that match the policy. Options are the same as sender-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp}.	default
reverse-dns-ldap-profile <profile_name>	Enter an LDAP profile. This setting is available only if reverse-dns-type {ldap-query \| regexp \| wildcard} is `ldap-query`. Note: Use `$h` in the query string to match the FQDN.
reverse-dns-pattern <client-fqdn_pattern>	Depending on which pattern you selected in reverse-dns-type {ldap-query \| regexp \| wildcard}, enter either a: Complete or partial domain name. Wild card characters can be used to match multiple FQDNs. An asterisk (``) represents one or more characters. A question mark (`?`) represents any single character. For example: .example.??? matches all sub-domains at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name. Regular expression. Tip: To validate syntax and correct matching, you can use the validator in the FortiMail GUI. For details, see the FortiMail Administration Guide. This setting is available only if reverse-dns-type {ldap-query \| regexp \| wildcard} is `regexp` or `wildcard`.	*
reverse-dns-type {ldap-query \| regexp \| wildcard}	Select how you will define the FQDN of SMTP clients that match this policy, either: `wildcard`: Complete or partial domain name. Wild card characters can be used to match multiple FQDNs. Also configure reverse-dns-pattern <client-fqdn_pattern>. `regex`: Regular expression. Also configure reverse-dns-pattern <client-fqdn_pattern>. `ldap-query`: Select the LDAP query to a directory server such as Microsoft Active Directory. Also configure reverse-dns-ldap-profile <profile_name>. Because the domain name in the SMTP session greeting (`HELO/EHLO`) is self-reported by the connecting SMTP client, it could be fake and the FortiMail unit does not trust it. Instead, the FortiMail does a reverse DNS (`PTR` record) lookup of the SMTP client’s IP address to discover its real domain name. This is compared to the pattern or LDAP query results. If the domain name does not match, or if the reverse DNS query fails, then the policy does not match. Note: The domain name must be a valid top level domain (TLD). For example, “.lab” is not valid because it is reserved for testing on RFC 1918 private networks, not the Internet. Thus a reverse DNS query to public DNS servers on the Internet will always fail.	wildcard
sender-geoip-group <group_name>	Select a geographic IP address group. This setting is only available if sender-ip-type {geoip-group \| ip-group \| ip-mask \| isdb \| ldap-query} is `geoip-group`.
sender-ip-group <ip-group_name>	Enter the IP group of the SMTP client attempting to send the email message. This option only appears if sender-ip-type {geoip-group \| ip-group \| ip-mask \| isdb \| ldap-query} is `ip-group`.
sender-ip-mask <client_ipv4/mask>	Enter the IP address and netmask of the SMTP client. For example, you can enter `10.10.10.10/24` to match a 24-bit subnet, or all addresses starting with 10.10.10. In the policy list, this appears as `10.10.10.0/24`, with the `0` indicating that any value is matched in that position of the address. Similarly, if you enter `10.10.10.10/32`, it appears as `10.10.10.10/32` because a 32-bit netmask only matches one address, 10.10.10.10 specifically. To match any address, enter `0.0.0.0/0`. This setting is only available if sender-ip-type {geoip-group \| ip-group \| ip-mask \| isdb \| ldap-query} is `ip-mask`.	0.0.0.0/0
sender-ip-type {geoip-group \| ip-group \| ip-mask \| isdb \| ldap-query}	Select how you will define the source IP address of SMTP clients that match this policy, either: `ip-mask`: An IP address and netmask. Also configure sender-ip-mask <client_ipv4/mask>. `ip-group`:An IP address group. Also configure sender-ip-group <ip-group_name>. `geoip-group`: A geographic IP address group. Also configure sender-geoip-group <group_name>. `isdb`: A service name in the Internet Service Database (ISDB) from FortiGuard. Also configure sender-isdb {8x8 ...}. `ldap-query`: An LDAP query to a directory server such as Microsoft Active Directory. Also configure sender-ip-ldap-profile <profile_name>.	ip-mask
sender-ip-ldap-profile <profile_name>	Enter an LDAP profile. This setting is available only if sender-ip-type {geoip-group \| ip-group \| ip-mask \| isdb \| ldap-query} is `ldap-query`. Note:Use `$h` in the query string to match the IP address.
sender-isdb {8x8 ...}	Select a service name. The Internet Service Database (ISDB) from FortiGuard is an automatically updated list of IP addresses and subnets used by popular services such as 8x8, Akamai, Microsoft 365, and more. To display the list of options for currently known services, enter: set sender-isdb ? This setting is only available if sender-ip-type {geoip-group \| ip-group \| ip-mask \| isdb \| ldap-query} is `isdb`.	8x8
sender-pattern <sender_pattern>	Depending on your selection in sender-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp}: For `default`: Enter a complete or partial email address. Wild card characters can be used to match multiple email addresses. An asterisk (``) represents one or more characters. A question mark (`?`) represents any single character. For example: @example.??? matches all email addresses at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name. For `regexp`: Enter a regular expression. Tip: To validate syntax and correct matching, you can use the validator in the FortiMail GUI. For details, see the FortiMail Administration Guide. This setting is only available if sender-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp} is `default` or `regexp`.	*
sender-pattern-group <group_name>	Enter the group of recipient email addresses. This setting is available only if sender-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp} is `group`.
sender-pattern-ldap-groupname <group_name>	Enter the group of recipient email addresses that is in the directory server. This setting is available only if sender-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp} is `ldap`. Note: Use `$s` in the LDAP query string to match sender email addresses.
sender-pattern-ldap-profile <profile_name>	Enter an LDAP profile. This setting is available only if sender-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp} is `ldap`.
sender-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp}	Select how you will define the sender email addresses that match the policy, either: `default`: An email address or wild card pattern that can match multiple email addresses. Also configure sender-pattern <sender_pattern>. `external`: Email addresses that are not at a protected domain. `group`: A group of email addresses configured on the FortiMail unit. Also configure sender-pattern-group <group_name>. `internal`: Email addresses that are at a protected domain. `ldap`: A group of email addresses configured on a directory server such as Microsoft Active Directory. Also configure sender-pattern-ldap-profile <profile_name> and sender-pattern-ldap-groupname <group_name>. `ldap-query`: An LDAP query to a directory server such as Microsoft Active Directory. Also configure sender-pattern-ldap-profile <profile_name>. Note: Use `$s` in the query string to match sender addresses. For example, to reject senders that are not in the recipient's allowed sender list: Create an ACL policy and in sender-pattern-type {default \| external \| group \| internal \| ldap \| ldap-query \| regexp}, select `ldap-query`. Select an LDAP profile where this user query string is used: `&(mail=$m)(!(allowedSenders=$s)))` In action {discard \| receive \| reject \| relay \| safe \| safe-relay}, select `reject`. For each recipient (`$m`), this will match a sender (`$s`) that is not (`!`) in their `allowedSenders` list, and the action will reject it. `regexp`: A regular expression that can match multiple email addresses. Also configure sender-pattern <sender_pattern>.	default
status {enable \| disable}	Enable or disable the policy.	enable
tls-profile <profile_name>	If you want to allow or reject the connection based on whether the session attributes matches TLS profile, then select the TLS profile. Match: Perform the selection in action {discard \| receive \| reject \| relay \| safe \| safe-relay}. No Match: Perform the selection in action {fail \| tempfail} in the TLS profile.