<policy_name>

Enter the number that identifies the policy.

The identifier number may be different from the order of evaluation. FortiMail units evaluate these policies in sequential order, starting at the top of the list. Only the first matching policy is applied.

For example, if you enter:

move 15 before 1

then policy 15 is evaluated for a match before policy 1.

To show the order of evaluation for the list of policies, enter:

get

action {discard | receive | reject | relay | safe | safe-relay}

Select which action the FortiMail system will perform for SMTP sessions that match this policy:

• reject: Reject delivery of the email (SMTP reply code 550 Relaying denied).

• discard: Accept the email (SMTP reply code 250 OK), but then silently delete it and do not deliver it.

• relay: Accept the email (SMTP reply code 250 OK), regardless of authentication or protected domain. Do not greylist, but continue with remaining antispam and other scans.

• safe: Accept the email (SMTP reply code 250 OK) if the sender authenticates or recipient belongs to a protected domain. Greylist, but skip remaining antispam scans. Continue other scans such as antivirus.

  Otherwise, if the sender does not authenticate, or the recipient does not belong to a protected domain, then reject delivery of the email (SMTP reply code 554 5.7.1 Relaying denied).

  In older FortiMail versions, this setting was named bypass.

• safe-relay: Like relay, do not greylist, but also skip remaining antispam scans.

• receive: Like relay, but greylist, and require authentication or protected domain.

  Otherwise, if the sender does not authenticate or the recipient does not belong to a protected domain, then FortiMail rejects (SMTP reply code 554 5.7.1 Relaying denied).

  receive is usually used when you need to apply a TLS profile, but do not want to safelist nor allow outbound, which relay does. If you do not need to apply a TLS profile, then a policy with this action is often not required because by default, email inbound to protected domains is relayed/proxied.

authenticated {any | authenticated | not-authenticated}

Select whether to match this policy based upon whether SMTP clients have authenticated with the FortiMail system, either:

• any: Ignore authentication status.

• authenticated: Match this policy if the SMTP client has authenticated.

• not-authenticated: Match this policy if the SMTP client has not authenticated.

comment "<comment_str>"

Enter a description or comment.

forged-ip-check {any | fail | pass}

When the forged IP check is enabled, FortiMail will perform a reverse (PTR record) lookup on the IP address of a connecting host to get a hostname. It will then perform a forward (A record) lookup on that hostname, and compare the returned IP address to that of the connecting host. If they do not match, then the IP address of the connecting host is considered to be forged.

Select which of the following forged IP check results will be matched to this policy:

• pass: Match this policy if the check passes.

• fail: Match this policy if the check fails.

• any: Ignore the check result.

If the DNS queries fail, or the result does not match this setting, then the policy does not match.

The domain name must be a valid top level domain (TLD). For example, “.lab” is not valid because it is reserved for testing on RFC 1918 private networks, not the Internet. Thus a reverse DNS query to public DNS servers on the Internet will always fail.

recipient-pattern-group <group_name>

Enter the group of recipient email addresses.

This setting is available only if recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is group.

recipient-pattern-ldap-groupname <group_name>

Enter the group of recipient email addresses that is in the directory server.

This setting is available only if recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is ldap.

recipient-pattern-ldap-profile <profile_name>

Select which LDAP profile to use.

This setting is available only if recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is ldap.

Use $m in the LDAP query string to match recipient email addresses.

recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

Select how you will define the recipient email addresses that match the policy.

Options are the same as sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}.

recipient-pattern <recipient_pattern>

Enter an email address or pattern. Formatting is the same as sender-pattern <sender_pattern>.

This setting is available only when recipient-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is default or regexp.

reverse-dns-ldap-profile <profile_name>

Select which LDAP profile to use.

This setting is available only if reverse-dns-type {ldap-query | regexp | wildcard} is ldap-query.

Note: Use $h in the query string to match the FQDN.

reverse-dns-pattern <client-fqdn_pattern>

Depending on which pattern you selected in reverse-dns-type {ldap-query | regexp | wildcard}, enter either a:

• Complete or partial domain name. Wild card characters can be used to match multiple FQDNs. An asterisk (*) represents one or more characters. A question mark (?) represents any single character. For example:

  *.example.???

  matches all sub-domains at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name.

• Regular expression.

  Tip: To validate syntax and correct matching, you can use the validator in the FortiMail GUI. For details, see the FortiMail Administration Guide.

This setting is available only if reverse-dns-type {ldap-query | regexp | wildcard} is regexp or wildcard.

reverse-dns-type {ldap-query | regexp | wildcard}

Select how you will define the FQDN of SMTP clients that match this policy, either:

• wildcard: Complete or partial domain name. Wild card characters can be used to match multiple FQDNs. Also configure reverse-dns-pattern <client-fqdn_pattern>.

• regex: Regular expression. Also configure reverse-dns-pattern <client-fqdn_pattern>.

• ldap-query: Select the LDAP query to a directory server such as Microsoft Active Directory. Also configure reverse-dns-ldap-profile <profile_name>.

Because the domain name in the SMTP session greeting (HELO/EHLO) is self-reported by the connecting SMTP client, it could be fake and the FortiMail unit does not trust it. Instead, the FortiMail does a reverse DNS (PTR record) lookup of the SMTP client’s IP address to discover its real domain name. This is compared to the pattern or LDAP query results. If the domain name does not match, or if the reverse DNS query fails, then the policy does not match.

Note: The domain name must be a valid top level domain (TLD). For example, “.lab” is not valid because it is reserved for testing on RFC 1918 private networks, not the Internet. Thus a reverse DNS query to public DNS servers on the Internet will always fail.

sender-geoip-group <group_name>

Select a geographic IP address group.

This setting is only available if sender-ip-type {geoip-group | ip-group | ip-mask | isdb | ldap-query} is geoip-group.

sender-ip-group <ip-group_name>

Enter the IP group of the SMTP client attempting to send the email message.

This option only appears if sender-ip-type {geoip-group | ip-group | ip-mask | isdb | ldap-query} is ip-group.

sender-ip-ldap-profile <profile_name>

Select which LDAP profile to use.

This setting is available only if sender-ip-type {geoip-group | ip-group | ip-mask | isdb | ldap-query} is ldap-query.

Note:Use $h in the query string to match the IP address.

sender-ip-mask <client_ipv4/mask>

Enter the IP address and netmask of the SMTP client.

For example, you can enter 10.10.10.10/24 to match a 24-bit subnet, or all addresses starting with 10.10.10. In the policy list, this appears as 10.10.10.0/24, with the 0 indicating that any value is matched in that position of the address.

Similarly, if you enter 10.10.10.10/32, it appears as 10.10.10.10/32 because a 32-bit netmask only matches one address, 10.10.10.10 specifically.

To match any address, enter 0.0.0.0/0.

This setting is only available if sender-ip-type {geoip-group | ip-group | ip-mask | isdb | ldap-query} is ip-mask.

sender-ip-type {geoip-group | ip-group | ip-mask | isdb | ldap-query}

Select how you will define the source IP address of SMTP clients that match this policy, either:

• ip-mask: An IP address and netmask. Also configure sender-ip-mask <client_ipv4/mask>.

• ip-group:An IP address group. Also configure sender-ip-group <ip-group_name>.

• geoip-group: A geographic IP address group. Also configure sender-geoip-group <group_name>.

• isdb: A service name in the Internet Service Database (ISDB) from FortiGuard. Also configure sender-isdb {8x8 ...}.

• ldap-query: An LDAP query to a directory server such as Microsoft Active Directory. Also configure sender-ip-ldap-profile <profile_name>.

sender-isdb {8x8 ...}

Select a service name. The Internet Service Database (ISDB) from FortiGuard is an automatically updated list of IP addresses and subnets used by popular services such as 8x8, Akamai, Microsoft 365, and more.

To display the list of options for currently known services, enter:

set sender-isdb ?

This setting is only available if sender-ip-type {geoip-group | ip-group | ip-mask | isdb | ldap-query} is isdb.

sender-option {envelope-from | header-from | envelope-or-header-from}

Select which sender email addresses to compare for a policy match, either:

• envelope-from: Sender email address in the SMTP envelope (MAIL FROM:).

• header-from: Sender email address in the message header (From:).

  Caution: Message headers may be rewritten or fake. Do not match policies with an action to allow based upon the email address in From: unless the upstream MTA is trusted to authenticate senders for this domain, including validating secondary email addresses and aliases. To do this, you can use smtp-diff-identity-ldap {enable | disable}.

• envelope-from-or-header-from: Either the envelope or the message header.

  These values are often the same, but it is normal if these values do not match in some cases, such as aliases (distribution lists) or senders with secondary email addresses or multiple different identities.

This setting is available only if access-control-sender-option {envelope-from-only | envelope-or-header-from} is envelope-from-or-header-from.

sender-pattern-group <group_name>

Enter the group of recipient email addresses.

This setting is available only if sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is group.

sender-pattern-ldap-groupname <group_name>

Enter the group of recipient email addresses that is in the directory server.

This setting is available only if sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is ldap.

Note: Use $s in the LDAP query string to match sender email addresses.

sender-pattern-ldap-profile <profile_name>

Select which LDAP profile to use.

This setting is available only if sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is ldap.

sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}

Select how you will define the sender email addresses that match the policy, either:

• default: An email address or wild card pattern that can match multiple email addresses. Also configure sender-pattern <sender_pattern>.

• external: Email addresses that are not at a protected domain.

• group: A group of email addresses configured on the FortiMail unit. Also configure sender-pattern-group <group_name>.

• internal: Email addresses that are at a protected domain.

• ldap: A group of email addresses configured on a directory server such as Microsoft Active Directory. Also configure sender-pattern-ldap-profile <profile_name> and sender-pattern-ldap-groupname <group_name>.

• ldap-query: An email address configured on a directory server such as Microsoft Active Directory. Also configure sender-pattern-ldap-profile <profile_name>.

  Note: Use $s in the query string to match sender addresses.

  For example, to reject senders that are not in the recipient's allowed sender list:

  1. Create an ACL policy and in sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}, select ldap-query.
  2. Select an LDAP profile where this user query string is used:
  3. &(mail=$m)(!(allowedSenders=$s)))
  4. In action {discard | receive | reject | relay | safe | safe-relay}, select reject.

  For each recipient ($m), this will match a sender ($s) that is not (!) in their allowedSenders list, and the action will reject it.

• regexp: A regular expression that can match multiple email addresses. Also configure sender-pattern <sender_pattern>.

sender-pattern <sender_pattern>

Depending on your selection in sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp}:

• For default: Enter a complete or partial email address. Wild card characters can be used to match multiple email addresses. An asterisk (*) represents one or more characters. A question mark (?) represents any single character. For example:

  *@example.???

  matches all email addresses at example.com, example.net, example.org, or any other “example" domain ending with a three‑letter top-level domain name.

• For regexp: Enter a regular expression.

  Tip: To validate syntax and correct matching, you can use the validator in the FortiMail GUI. For details, see the FortiMail Administration Guide.

This setting is only available if sender-pattern-type {default | external | group | internal | ldap | ldap-query | regexp} is default or regexp.

status {enable | disable}

Enable or disable the policy.