Configuring Profiles

Configuring session settings

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.

  1. Go to Profile > Session.
  2. Click New to create a new session profile or double-click an existing profile to edit it.
  3. Click the arrow to expand Session Settings.

Figure 199: Session settings (gateway mode and server mode)

Figure 200: Session settings (transparent mode)

  4. Configure the following:
GUI item Description
Reject EHLO/HELO commands with invalid characters in the domain

Enable to return SMTP reply code 501, and to reject the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.

To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a valid domain name.

The following example shows the invalid command in bold italics:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT

EHLO ^^&^&^#$

501 5.0.0 Invalid domain name

Valid characters for domain names include:

• alphanumerics (A to Z and 0 to 9)
• brackets ( [ and ] )
• periods ( . )
• dashes ( - )
• underscores ( _ )
• number symbols ( # )
• colons ( : )

Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address

(transparent mode only)

Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the IP address of the client to prevent domain name spoofing.

Rewrite EHLO/HELO domain to

(transparent mode only)

Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the specified value.

Prevent encryption of the session

(transparent mode only)

Enable to block STARTTLS/MD5 commands so that email connections cannot be TLS-encrypted.

Caution: Disable this option only if you trust that SMTP clients connecting using TLS through the FortiMail unit will not be sources of viruses or spam. FortiMail units operating in transparent mode cannot scan encrypted connections traveling through them. Disabling this option could thereby permit viruses and spam to travel through the FortiMail unit.

Allow pipelining for the session

(transparent mode only)

Enable to allow SMTP command pipelining. This lets multiple SMTP commands be accepted and processed simultaneously, improving performance for high-latency connections.

Disable to allow the SMTP client to send only a single command at a time during an SMTP session.

Enforce strict RFC compliance

(transparent mode only)

Enable to limit pipelining support to strict compliance with RFC 2920, SMTP Service Extension for Command Pipelining.

This option is effective only if Allow pipelining for the session is enabled.

Perform strict syntax checking

Enable to return SMTP reply code 503, and to reject an SMTP command, if the client or server uses SMTP commands that are syntactically incorrect.

EHLO or HELO, MAIL FROM:, RCPT TO: (can be multiple), and DATA commands must be in that order. AUTH, STARTTLS, RSET, or NOOP commands can arrive at any time. Other commands, or commands in an unacceptable order, return a syntax error.

The following example shows the invalid command in bold italics:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

RCPT TO:<user1@example.com>

503 5.0.0 Need MAIL before RCPT

Switch to SPLICE mode after

(transparent mode only)

Enable to use splice mode. Enter threshold value based on time (seconds) or data size (kilobytes).

Splice mode lets the FortiMail unit simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of server timeout. If it detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name.

ACK EOM before AntiSpam check

Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete.

If the FortiMail unit does not complete antispam scanning within 4 minutes, it returns SMTP reply code 451 (Try again later), resulting in no permanent problems, since according to RFC 2821, the minimum timeout value should be 10 minutes. However, in rare cases where the server or client’s timeout is shorter than 4 minutes, the sending client or server could time out while waiting for the FortiMail unit to acknowledge the EOM command. Enabling this option prevents those rare cases.
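The two syntax-related settings above, Reject EHLO/HELO commands with invalid characters in the domain (501) and Perform strict syntax checking (503), can be modelled as a small command checker. This is an added example, not FortiMail code; the function names and the treatment of a repeated greeting, RSET and the end of DATA are assumptions.

```python
import re

# Characters this page lists as valid in a greeting domain: alphanumerics,
# brackets, periods, dashes, underscores, number symbols and colons.
VALID_DOMAIN = re.compile(r"[A-Za-z0-9\[\].\-_#:]+")

# Commands the page says can arrive at any time.
ANYTIME = {"AUTH", "STARTTLS", "RSET", "NOOP"}

# Required order: greeting, MAIL FROM:, RCPT TO: (can be multiple), DATA.
ALLOWED_AFTER = {"START": set(), "GREET": {"MAIL"}, "MAIL": {"RCPT"}, "RCPT": {"RCPT", "DATA"}}

def classify(line):
    """Split a raw command line into (verb, argument)."""
    upper = line.upper()
    if upper.startswith("MAIL FROM:"):
        return "MAIL", line[10:].strip()
    if upper.startswith("RCPT TO:"):
        return "RCPT", line[8:].strip()
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    return ("GREET" if verb in ("EHLO", "HELO") else verb), arg.strip()

def check_session(commands):
    """Return one verdict per command: None (accepted), 501 or 503."""
    state, verdicts = "START", []
    for line in commands:
        verb, arg = classify(line.strip())
        verdict = None
        if verb == "GREET":
            # An empty domain is left to the "Reject empty domains" setting.
            if arg and not VALID_DOMAIN.fullmatch(arg):
                verdict = 501
            else:
                state = "GREET"      # assumption: a new greeting restarts the order
        elif verb in ANYTIME:
            if verb == "RSET" and state != "START":
                state = "GREET"      # assumption: RSET abandons the transaction
        elif verb in ALLOWED_AFTER[state]:
            # Assumption: after DATA the transaction is over (body not modelled).
            state = "GREET" if verb == "DATA" else verb
        else:
            verdict = 503            # other command, or unacceptable order
        verdicts.append(verdict)
    return verdicts

# Client lines of the two transcripts shown on this page.
print(check_session(["EHLO ^^&^&^#$"]))
print(check_session(["EHLO example.com", "RCPT TO:<user1@example.com>"]))
```

The model follows the page's rule literally, so any command outside the listed ones is reported as 503.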

Configuring unauthenticated session settings

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.

  1. Go to Profile > Session.
  2. Click New to create a new session profile or double-click an existing profile to edit it.
  3. Click the arrow to expand Unauthenticated Session Settings.

Figure 201: Unauthenticated session settings (gateway mode and server mode)

Figure 202: Unauthenticated session settings (transparent mode)

  4. Configure the following:
GUI item Description
Check HELO/EHLO domain

Enable to return SMTP reply code 501, and reject the SMTP command, if the domain name accompanying the SMTP greeting is not a domain name that exists in either MX or A records.

The following example shows the invalid command in bold italics:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500

ehlo abc.qq

250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE 10485760

250-DSN

250-AUTH LOGIN PLAIN

250-STARTTLS

250-DELIVERBY

250 HELP

mail from:aaa@333

550 5.5.0 Invalid EHLO/HELO domain.

quit

221 2.0.0 FortiMail-400.localdomain closing connection

Connection closed by foreign host.

Check sender domain

Enable to return SMTP reply code 421, and reject the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records.

The following example shows the invalid command in bold italics:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

EHLO

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

MAIL FROM:<user1@example.com>

421 4.3.0 Could not resolve sender domain.
Check recipient domain

Enable to return SMTP reply code 550, and reject the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records.

The following example shows the invalid command in bold italics:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

MAIL FROM:<user1@fortinet.com>

250 2.1.0 <user1@fortinet.com>… Sender ok

RCPT TO:<user2@example.com>

550 5.7.1 <user2@example.com>… Relaying denied. IP name lookup failed [192.168.1.1]

Reject empty domains

Enable to return SMTP reply code 553, and reject the SMTP command, if the HELO/EHLO greeting does not have a domain.

The following example shows the invalid command in bold italics:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500

ehlo

250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE 10485760

250-DSN

250-AUTH LOGIN PLAIN

250-STARTTLS

250-DELIVERBY

250 HELP

mail from:aaa@333

550 5.5.0 Empty EHLO/HELO domain.

quit

221 2.0.0 FortiMail-400.localdomain closing connection

Prevent open relaying

(transparent mode only)

Enable to prevent clients from using open relays to send email by blocking sessions that are unauthenticated. (Unauthenticated sessions are assumed to be occurring to an open relay.)

If you permit SMTP clients to use open relays to send email, email from your domain could be blacklisted by other SMTP servers.

This option is effective only if you have enabled “Use client-specified SMTP server to send email” on page 422 for outgoing mail. Otherwise, the FortiMail unit forces clients to use the gateway you have defined as a relay server (see “Configuring SMTP relay hosts” on page 373), if any, or the MTA of the domain name in the recipient email address (RCPT TO:), as determined using an MX lookup, so it is not possible for them to use an open relay.

Reject if recipient and helo domain match but sender domain is different

Enable to reject the email if the domain name in the SMTP greeting (HELO/EHLO) and recipient email address (RCPT TO:) match, but the domain name in the sender email address (MAIL FROM:) does not.

Mismatched domain names are sometimes used by spammers to mask the true identity of their SMTP client.
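The domain checks in this section can be evaluated against one SMTP envelope as shown below. This is an added example, not FortiMail code: the function names are hypothetical, the resolvable set is a constructed stand-in for the MX/A lookup, and skipping the sender checks for the null sender <> is an assumption.

```python
# Setting names as they appear on this page.
EMPTY = "Reject empty domains"
HELO = "Check HELO/EHLO domain"
SENDER = "Check sender domain"
RCPT = "Check recipient domain"
MISMATCH = "Reject if recipient and helo domain match but sender domain is different"

# Constructed stand-in for DNS: domains that have an MX or A record.
RESOLVABLE = {"example.com", "example.net", "example.org"}

def domain_of(address):
    """Lower-cased domain of an envelope address such as '<user1@example.com>'."""
    _, at, domain = address.strip().strip("<>").rpartition("@")
    return domain.lower() if at else ""

def unauth_checks(helo, mail_from, rcpt_to, resolvable=RESOLVABLE):
    """Return the settings that would reject this envelope, in page order."""
    helo = helo.strip().lower()
    sender = domain_of(mail_from)
    recipients = [domain_of(r) for r in rcpt_to]
    hits = []
    if not helo:
        hits.append(EMPTY)
    elif helo not in resolvable:
        hits.append(HELO)
    # Assumption: the null sender "<>" has no domain, so it is not checked.
    if sender and sender not in resolvable:
        hits.append(SENDER)
    if any(r not in resolvable for r in recipients):
        hits.append(RCPT)
    # Greeting claims the recipient's own domain while the sender is elsewhere.
    if helo and helo in recipients and sender and sender != helo:
        hits.append(MISMATCH)
    return hits

# Constructed envelopes; the first uses the greeting and sender from this page.
print(unauth_checks("abc.qq", "aaa@333", []))
print(unauth_checks("example.com", "<promo@example.org>", ["<user1@example.com>"]))
```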



6 thoughts on “Configuring Profiles”

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.”

    Where can I get the book to view page 620??

  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically on dozens of emails, all the values are always within range 95,03- 95,09. What is really checked in headers? In our organization (government – 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…

    1. Mike Post author

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

  3. Dormond

    Hello,
    Do we have some additional info regarding heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000)… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.

  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.

