Configuring Profiles

Configuring connection settings

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.

  1. Go to Profile > Session.
  2. Click New to create a new session profile or double click on an existing profile to edit it.
  3. Expand the Connection Settings section if needed. The options vary with the operation mode.

Figure 194:Connection settings (gateway mode and server mode)

Figure 195:Connection settings (transparent mode)

  1. Configure the following options to restrict the number and duration of connections to the FortiMail unit. When any of these limits are exceeded, the FortiMail unit blocks further connections. Setting any of these values to 0 disables the limit.
GUI item Description
Hide this box from the mail server

(transparent mode only)

Enable to preserve the IP address or domain name of the SMTP client in:

•      the SMTP greeting (HELO/EHLO) and in the Received: message headers of email messages

•      the client IP in email header

This masks the existence of the FortiMail unit.

Disable to replace the IP addresses or domain names with that of the FortiMail unit.

Note: Unless you enabled Take precedence over recipient based policy match in the IP-based policy, the Hide the transparent box option in the protected domain supersedes this option, and may prevent it from applying to incoming email messages.

Note: For full transparency, also enable “Hide the transparent box” on page 388.

Restrict the number of connections per client to Enter a limit the number of connections per client IP address, then enter the number of minutes that defines the time interval of the limit.
Maximum concurrent connections for each client Enter the maximum number of concurrent connections per client.
Maximum concurrent connections matching this profile Enter a limit to the number of concurrent connections per profile.
Connection idle timeout (seconds) Enter a limit to the number of seconds a client may be idle before the FortiMail unit drops the connection.
Do not let client connect to blacklisted SMTP servers (transparent mode only) Enable to prevent clients from connecting to SMTP servers that have been blacklisted in antispam profiles or, the FortiGuard AntiSpam service if enabled.

Configuring sender reputation options

This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.

You can also view the sender reputation statuses by going to Monitor > Sender Reputation. See “Viewing the sender reputation statuses” on page 197.

To configure sender reputation options

  1. Go to Profile > Session.
  2. Click New to create a new session profile or double click on an existing profile to edit it.
  3. Click the arrow to expand Sender Reputation.

Configure the sender reputation settings to restrict the number of email messages sent from SMTP clients based upon whether they have a reputation of sending an excessive number of email messages, email with invalid recipients, or email infected with viruses.

  1. Configure the following:
GUI item Description
Enable sender reputation checking Enable to accept or reject email based upon sender reputation scores.

The following options have no effect unless this option is enabled.

Throttle client at n Enter a sender reputation score over which the FortiMail unit will rate limit the number of email messages that can be sent by this SMTP client.

Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly.

The enforced rate limit is either Restrict number of emails per hour to n or Restrict email to n percent of the previous hour, whichever value is greater.

Restrict number of emails per hour to n Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client.
Restrict email to n percent of the previous hour Enter the maximum number of email messages per hour that the FortiMail unit will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour.
Temporarily fail client at n Enter a sender reputation score over which the FortiMail unit will return a temporary failure error when the SMTP client attempts to initiate a connection.

Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increase or decrease the sender reputation scores accordingly.

Reject client at n Enter a sender reputation score over which the FortiMail unit will reject the email and reply to the SMTP client with SMTP reply code 550 when the SMTP client attempts to initiate a connection.

Entering 0 means no score limit and thus no action. But FortiMail still monitors the sender reputation and increase or decrease the sender reputation scores accordingly.

Check FortiGuard Black IP Enable to query the FortiGuard Antispam Service to determine at connection phase if the IP address of the SMTP server is blacklisted. And this action will happen during the connection phase.

In an antispam profile, you can also enable FortiGuard black IP checking. But that action happens after the entire message has been received by FortiMail.

Therefore, if this feature is enabled in a session profile and the action is reject, the performance will be improved.

6 thoughts on “Configuring Profiles

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.”

    Where can i get the book to view page 620??

    Reply
  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statisticaly on dozen of emails, all the values are always within range 95,03- 95,09. What is really checked in headers ? In our organization (government – 5000 users) we have lots of SPAM catched but also lots of false positive catched by this feature…

    Reply
    1. Mike Post author

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

      Reply
  3. Dormond

    Hello,
    Do we have some addtional info regarding heuristic filter ? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.

    Reply
  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.