Configuring session settings
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.
- Go to Profile > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Session Settings.
Figure 199: Session settings (gateway mode and server mode)
Figure 200: Session settings (transparent mode)
- Configure the following:
GUI item | Description |
Reject EHLO/HELO commands with invalid characters in the domain |
Enable to return SMTP reply code 501, and to reject the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.
To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters rather than using a valid domain name. The following example shows the invalid command in bold italics:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT
EHLO ^^&^&^#$
501 5.0.0 Invalid domain name
Valid characters for domain names include:
• alphanumerics (A to Z and 0 to 9)
• brackets ( [ and ] )
• periods ( . )
• dashes ( - )
• underscores ( _ )
• number symbols ( # )
• colons ( : ) |
Rewrite EHLO/HELO domain to [n.n.n.n] IP string of the client address
(transparent mode only) |
Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the IP address of the client to prevent domain name spoofing. |
Rewrite EHLO/HELO domain to the specified value
(transparent mode only) |
Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the specified value. |
Prevent encryption of the session
(transparent mode only) |
Enable to block STARTTLS/MD5 commands so that email connections cannot be TLS-encrypted.
Caution: Disable this option only if you trust that SMTP clients connecting using TLS through the FortiMail unit will not be sources of viruses or spam. FortiMail units operating in transparent mode cannot scan encrypted connections traveling through them. Disabling this option could thereby permit viruses and spam to travel through the FortiMail unit. |
Allow pipelining for the session
(transparent mode only) |
Enable to allow SMTP command pipelining. This lets multiple SMTP commands be accepted and processed simultaneously, improving performance on high-latency connections.
Disable to allow the SMTP client to send only a single command at a time during an SMTP session. |
Enforce strict RFC compliance
(transparent mode only) |
Enable to limit pipelining support to strict compliance with RFC 2920, SMTP Service Extension for Command Pipelining.
This option is effective only if Allow pipelining for the session is enabled. |
Perform strict syntax checking |
Enable to return SMTP reply code 503, and to reject an SMTP command, if the client or server uses SMTP commands that are syntactically incorrect.
EHLO or HELO, MAIL FROM:, RCPT TO: (can be multiple), and DATA commands must be in that order. AUTH, STARTTLS, RSET, or NOOP commands can arrive at any time. Other commands, or commands in an unacceptable order, return a syntax error.
The following example shows the invalid command in bold italics:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT
EHLO example.com
250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
RCPT TO:<user1@example.com>
503 5.0.0 Need MAIL before RCPT |
Switch to SPLICE mode after
(transparent mode only) |
Enable to use splice mode. Enter threshold value based on time (seconds) or data size (kilobytes).
Splice mode lets the FortiMail unit simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of server timeout. If it detects spam or a virus, it terminates the server connection and returns an error message to the sender, listing the spam or virus name and infected file name. |
ACK EOM before AntiSpam check | Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete.
If the FortiMail unit does not complete antispam scanning within 4 minutes, it returns SMTP reply code 451 (Try again later), resulting in no permanent problems, since according to RFC 2821 the minimum timeout value should be 10 minutes. However, in rare cases where the server or client’s timeout is shorter than 4 minutes, the sending client or server could time out while waiting for the FortiMail unit to acknowledge the EOM command. Enabling this option prevents those rare cases. |
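To make the two session checks above concrete, here is an added example (not code from the FortiMail guide or product) that replays a client's command list through the "invalid characters in the domain" character set and the "strict syntax checking" command order. The reply texts quoted in the guide are reused; the other reply strings and the state names are constructed for this example.

```python
import re
from typing import List, Tuple

# Character set the guide lists as valid in a HELO/EHLO domain:
# alphanumerics, brackets, periods, dashes, underscores, number symbols, colons.
VALID_DOMAIN_RE = re.compile(r"^[A-Za-z0-9\[\].\-_#:]+$")

# Commands the guide says may arrive at any time during the session.
ANYTIME = {"AUTH", "STARTTLS", "RSET", "NOOP"}


def check_session(commands: List[str]) -> List[Tuple[str, str]]:
    """Replay client commands through both checks; return (command, reply) pairs.

    Transaction states (constructed): start -> greeted -> mail -> rcpt -> greeted.
    """
    state = "start"
    replies = []
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            verb = "EHLO"                  # HELO and EHLO are treated alike
        if verb in ANYTIME:
            if verb == "RSET" and state != "start":
                state = "greeted"          # RSET abandons the current transaction
            replies.append((line, "250 2.0.0 OK"))
        elif verb == "EHLO":
            if VALID_DOMAIN_RE.match(arg.strip()):
                state = "greeted"
                replies.append((line, "250 Hello, pleased to meet you"))
            else:
                replies.append((line, "501 5.0.0 Invalid domain name"))
        elif verb == "MAIL" and state == "greeted":
            state = "mail"
            replies.append((line, "250 2.1.0 Sender ok"))
        elif verb == "RCPT" and state in ("mail", "rcpt"):
            state = "rcpt"                 # RCPT TO: may repeat
            replies.append((line, "250 2.1.5 Recipient ok"))
        elif verb == "DATA" and state == "rcpt":
            state = "greeted"              # transaction done; a new MAIL may follow
            replies.append((line, "354 Enter mail, end with \".\" on a line by itself"))
        elif verb == "RCPT" and state == "greeted":
            replies.append((line, "503 5.0.0 Need MAIL before RCPT"))
        else:
            # Unknown command, or a known command in an unacceptable order.
            replies.append((line, "503 5.5.1 Bad sequence of commands"))
    return replies


def rejected(commands: List[str]) -> List[str]:
    """Only the replies that reject a command (4xx/5xx)."""
    return [reply for _, reply in check_session(commands) if reply[0] in "45"]
```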
Configuring unauthenticated session settings
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.
- Go to Profile > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Unauthenticated Session Settings.
Figure 201: Unauthenticated session settings (gateway mode and server mode)
Figure 202: Unauthenticated session settings (transparent mode)
- Configure the following:
GUI item | Description |
Check HELO/EHLO domain | Enable to return SMTP reply code 501, and reject the SMTP command, if the domain name accompanying the SMTP greeting is not a domain name that exists in either MX or A records.
The following example shows the invalid command in bold italics:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500
ehlo abc.qq
250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
mail from:aaa@333
550 5.5.0 Invalid EHLO/HELO domain.
quit
221 2.0.0 FortiMail-400.localdomain closing connection
Connection closed by foreign host. |
Check sender domain | Enable to return SMTP reply code 421, and reject the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either MX or A records.
The following example shows the invalid command in bold italics:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT
EHLO
250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
MAIL FROM:<user1@example.com>
421 4.3.0 Could not resolve sender domain. |
Check recipient domain | Enable to return SMTP reply code 550, and reject the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either MX or A records.
The following example shows the invalid command in bold italics:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT
EHLO example.com
250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you
MAIL FROM:<user1@fortinet.com>
250 2.1.0 <user1@fortinet.com>… Sender ok
RCPT TO:<user2@example.com>
550 5.7.1 <user2@example.com>… Relaying denied. IP name lookup failed [192.168.1.1] |
Reject empty domains | Enable to return SMTP reply code 553, and reject the SMTP command, if the HELO/EHLO greeting does not have a domain.
The following example shows the invalid command in bold italics:
220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500
ehlo
250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
mail from:aaa@333
550 5.5.0 Empty EHLO/HELO domain.
quit
221 2.0.0 FortiMail-400.localdomain closing connection |
Prevent open relaying
(transparent mode only) |
Enable to prevent clients from using open relays to send email by blocking sessions that are unauthenticated. (Unauthenticated sessions are assumed to be occurring to an open relay.)
If you permit SMTP clients to use open relays to send email, email from your domain could be blacklisted by other SMTP servers.
This option is effective only if you have enabled “Use client-specified SMTP server to send email” on page 422 for outgoing mail. Otherwise, the FortiMail unit forces clients to use the gateway you have defined as a relay server (see “Configuring SMTP relay hosts” on page 373), if any, or the MTA of the domain name in the recipient email address (RCPT TO:), as determined using an MX lookup, so it is not possible for them to use an open relay. |
Reject if recipient and helo domain match but sender domain is different | Enable to reject the email if the domain name in the SMTP greeting (HELO/EHLO) and recipient email address (RCPT TO:) match, but the domain name in the sender email address (MAIL FROM:) does not.
Mismatched domain names are sometimes used by spammers to mask the true identity of their SMTP client. |
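The unauthenticated-session checks above all reduce to a few domain lookups on one envelope. The following added example (not the FortiMail guide's or product's code) runs the four domain checks and the HELO/recipient/sender mismatch rule over an envelope, using a constructed in-memory table in place of DNS so it runs offline; a real implementation would query MX and A records through a resolver. Reply codes follow each option's description; the guide's quoted message texts are reused and the rest are constructed.

```python
from typing import Dict, List, Set

# Constructed stand-in for DNS: domain -> record types it has. A real check
# would query a resolver (for example dnspython's dns.resolver) for MX and A.
FAKE_DNS: Dict[str, Set[str]] = {
    "example.com": {"MX", "A"},
    "fortinet.com": {"MX"},
    "mail.example.net": {"A"},
}


def domain_resolves(domain: str, dns: Dict[str, Set[str]] = FAKE_DNS) -> bool:
    """True if the domain exists in either MX or A records (the guide's test)."""
    return bool(dns.get(domain.lower(), set()) & {"MX", "A"})


def addr_domain(address: str) -> str:
    """Domain part of an envelope address such as '<user1@example.com>' or 'aaa@333'."""
    return address.strip().strip("<>").rpartition("@")[2].lower()


def check_envelope(helo: str, sender: str, recipients: List[str],
                   dns: Dict[str, Set[str]] = FAKE_DNS) -> List[str]:
    """Return every rejection the checks would raise (empty list = accepted)."""
    rejections = []
    helo_dom = helo.strip().lower()
    if not helo_dom:                                   # Reject empty domains
        rejections.append("553 5.5.0 Empty EHLO/HELO domain.")
    elif not domain_resolves(helo_dom, dns):           # Check HELO/EHLO domain
        rejections.append("501 5.5.0 Invalid EHLO/HELO domain.")
    sender_dom = addr_domain(sender)
    if not domain_resolves(sender_dom, dns):           # Check sender domain
        rejections.append("421 4.3.0 Could not resolve sender domain.")
    for rcpt in recipients:
        rcpt_dom = addr_domain(rcpt)
        if not domain_resolves(rcpt_dom, dns):         # Check recipient domain
            rejections.append(f"550 5.7.1 <{rcpt.strip('<>')}>... Relaying denied.")
        elif helo_dom == rcpt_dom and sender_dom != helo_dom:
            # Reject if recipient and helo domain match but sender domain is
            # different (reply text constructed; the guide gives no code for it).
            rejections.append(f"550 5.7.1 HELO and recipient domain {rcpt_dom} "
                              f"match but sender domain {sender_dom} differs.")
    return rejections
```

The guide's own "Check recipient domain" transcript (HELO example.com, MAIL FROM a fortinet.com address, RCPT TO an example.com address) is exactly the pattern the mismatch rule flags.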
Hi, on these instructions it states “personal black lists and white lists” on page 620.
Where can I get the book to view page 620?
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95.03 to 95.09. What is really checked in headers? In our organization (government, 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150,000). Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750,000 … still no false positives.
Hello,
Is there a way to clear only one entry in the LDAP cache? Since we have over 10,000 users and there are multiple routers and FW between the SMTP Gateway and the LDAP servers, we do not want to clear the whole cache.