Configuring Profiles

Configuring SMTP limit options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.

  1. Go to Profile > Session.
  2. Click New to create a new session profile or double-click an existing profile to edit it.
  3. Click the arrow to expand SMTP Limits.

Figure 203: SMTP limits

  4. Configure the following:

| GUI item | Description |
|---|---|
| Restrict number of EHLO/HELOs per session to | Enter the limit of SMTP greetings that a connecting SMTP server or client can perform before the FortiMail unit terminates the connection. Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities. (More attempts result in a greater number of terminated connections, which must then be re-initiated.) |
| Restrict number of emails per session to | Enter the limit of email messages per session to prevent mass mailing. |
| Restrict number of recipients per email to | Enter the limit of recipients to prevent mass mailing. |
| Cap message size (KB) at | Enter the limit of the message size. Messages over the threshold size are rejected. |
| Cap header size (KB) at | Enter the limit of the message header size. Messages with headers over the threshold size are rejected. |
| Maximum number of NOOPs allowed for each connection | Enter the limit of NOOP commands permitted per SMTP session. Some spammers use NOOP commands to keep a long session alive. Legitimate sessions usually require few NOOPs. |
| Maximum number of RSETs allowed for each connection | Enter the limit of RSET commands permitted per SMTP session. Some spammers use RSET commands to try again after receiving error messages such as unknown recipient. Legitimate sessions should require few RSETs. |

Note: When you configure domain settings under Mail Settings > Domains, you can also set the message size limit. Here is how the two settings work together:

•      For outgoing email (for information about email directions, see “Incoming versus outgoing email messages” on page 454), only the size limit in the session profile will be matched. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be used.

•      For incoming email, the size limits in both the session profile and domain settings will be checked. If there is no session profile defined or no IP-based policy matched, the default size limit of 10 MB will be compared with the size limit in the domain settings. FortiMail will use the smaller size.
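
To choose values for the per-session limits above, it helps to replay sessions from your own mail logs against candidate limits and see which command would trip first. The following is an added example, not FortiMail code or part of the original guide: the `SmtpLimits` field names are hypothetical, the session is constructed, and it assumes that 0 means no limit, that an email is counted at MAIL FROM, and that the recipient count restarts with each new email or RSET.

```python
from dataclasses import dataclass

@dataclass
class SmtpLimits:
    # Hypothetical field names, one per GUI item; 0 = no limit (assumption).
    helo: int = 0        # EHLO/HELOs per session
    emails: int = 0      # emails per session
    recipients: int = 0  # recipients per email
    noop: int = 0        # NOOPs per connection
    rset: int = 0        # RSETs per connection

def first_violation(commands, limits):
    """Return (index, limit_name) of the first command that exceeds a limit, else None."""
    counts = {"helo": 0, "emails": 0, "recipients": 0, "noop": 0, "rset": 0}
    for i, line in enumerate(commands):
        verb = line.strip().upper()
        if verb.startswith(("EHLO", "HELO")):
            key = "helo"
        elif verb.startswith("MAIL FROM:"):
            key = "emails"
            counts["recipients"] = 0   # recipient limit is per email
        elif verb.startswith("RCPT TO:"):
            key = "recipients"
        elif verb.startswith("NOOP"):
            key = "noop"
        elif verb.startswith("RSET"):
            key = "rset"
            counts["recipients"] = 0   # RSET discards the current envelope
        else:
            continue                   # DATA, QUIT, etc. are not limited here
        counts[key] += 1
        cap = getattr(limits, key)
        if cap and counts[key] > cap:
            return i, key
    return None

# Constructed session: a client that retries with RSET after each recipient.
SESSION = [
    "EHLO client.example", "MAIL FROM:<a@example.com>", "RCPT TO:<user1@example.org>",
    "RSET", "MAIL FROM:<a@example.com>", "RCPT TO:<user2@example.org>",
    "RSET", "MAIL FROM:<a@example.com>", "RCPT TO:<user3@example.org>",
    "RSET", "NOOP", "NOOP", "QUIT",
]

if __name__ == "__main__":
    print(first_violation(SESSION, SmtpLimits(rset=2, noop=1)))
```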

 

Configuring error handling options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.

  1. Go to Profile > Session.
  2. Click New to create a new session profile or double-click an existing profile to edit it.
  3. Click the arrow to expand Error Handling.

Configure Error Handling to specify how the FortiMail unit should handle connections from SMTP clients that are error-prone. Errors sometimes indicate attempts to misuse the server. You can impose delays or drop connections if there are errors. Setting any of these values to 0 disables the limit.

Configuring error handling can improve performance by dropping connections with error-prone SMTP clients.

Figure 204: Error handling

  4. Configure the following:

| GUI item | Description |
|---|---|
| Number of ‘free’ errors allowed for each client | Enter the number of errors permitted before the FortiMail unit imposes a delay. By default, five errors are permitted before the FortiMail unit imposes the first delay. |
| Delay for the first non-free error (seconds) | Enter the delay time for the first error after the number of free errors is reached. |
| Delay increment for subsequent errors (seconds) | Enter the number of seconds by which to increase the delay for each error after the first delay is imposed. |
| Maximum number of errors allowed for each connection | Enter the total number of errors the FortiMail unit accepts before dropping the connection. |
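
The four error handling values interact, so it is worth tabulating what an error-prone client would experience before committing a setting. The following is an added example, not FortiMail code or part of the original guide: the function and parameter names are hypothetical, and it assumes the first delay lands on the error after the free allowance, that the connection is dropped on the error after the maximum, and that a free-error value of 0 means no delays are imposed.

```python
def error_schedule(n_errors, first_delay, increment, max_errors, free=5):
    """Model the per-connection error handling settings.

    Returns a list of (error_number, action) for the first n_errors errors,
    where action is a delay in seconds or "drop". A value of 0 for
    max_errors or free disables that control (free=0 is an assumption).
    The default free=5 is the default stated in the table above.
    """
    schedule = []
    for n in range(1, n_errors + 1):
        # Assumption: the unit accepts max_errors errors, then drops on the next.
        if max_errors and n > max_errors:
            schedule.append((n, "drop"))
            break
        if free and n > free:
            # First non-free error gets first_delay; each later one adds increment.
            delay = first_delay + increment * (n - free - 1)
        else:
            delay = 0
        schedule.append((n, delay))
    return schedule

def total_delay(schedule):
    """Seconds of delay the client absorbed before the schedule ended."""
    return sum(action for _, action in schedule if action != "drop")

if __name__ == "__main__":
    # Constructed settings: 5 free errors, 5 s first delay, +1 s each, drop after 8.
    for number, action in error_schedule(9, first_delay=5, increment=1, max_errors=8):
        print(number, action)
```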



6 thoughts on “Configuring Profiles”

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.”

    Where can I get the book to view page 620??

  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95,03-95,09. What is really checked in headers? In our organization (government – 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…

    1. Mike Post author

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

  3. Dormond

    Hello,
    Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000)… Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50% and now it catches around 200 emails out of 750’000… still no false positives.

  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FW between the SMTP Gateway and the LDAP servers, we do not want to clear the whole cache.

