Configuring header manipulation options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.
- Go to Profile > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Header Manipulation.
Email processing software and hardware can add extra lines to the message header of each email message. When multiple lines are added, this can significantly increase the size of the email message. You can configure header manipulation settings to reduce the number of message headers.
Figure 205:Header manipulation
- Configure the following:
GUI item | Description |
Remove received header | Enable to remove all Received: message headers from email messages.
You can alternatively remove this header on a per-domain basis. For details, see “Remove received header of outgoing email” on page 391. |
Remove headers | Enable to remove other configured headers from email messages, then click Edit to configure which headers should be removed. |
Configuring list options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.
- Go to Profile > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Lists.
Configure the sender and recipient black lists and white lists, if any, to sue with the session profile. Black and white lists are separate for each session profile, and apply only to traffic controlled by the IP-based policy to which the session profile is applied.
Email addresses in each black list or white list are arranged in alphabetical order. For more information on how blacklisted email addresses are handled, see “Order of execution of black lists and white lists” on page 614.
If you require regular expression support for whitelisting and blacklisting sender and recipient email addresses in the envelope, do not configure white and black lists in the session profile. Instead, configure access control rules and message delivery rules. For more information, see “Managing the address book (server mode only)” on page 402.
Use black and white lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a white list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit’s other antispam scans.
- Configure the following:
GUI item | Description |
Enable sender white list checking | Enable to check the sender addresses in the email envelope (MAIL FROM:) and email header (From:) against the white list in the SMTP sessions to which this profile is applied, then click Edit to define the whitelisted email addresses. |
Enable sender black list checking | Enable to check the sender addresses in the email envelope (MAIL FROM:) and email header (From:) against the black list in the SMTP sessions to which this profile is applied, then click Edit to define the blacklisted email addresses. |
Allow recipients on this list | Enable to check the recipient addresses in the email envelope
(RCPT TO:) and email header (To:) against the white list in the SMTP sessions to which this profile is applied, then click Edit to define whitelisted email addresses. |
Disallow recipients on this list | Enable to check the recipient addresses in the email envelope
(RCPT TO:) and email header (To:) against the black list in the SMTP sessions to which this profile is applied, then click Edit to define blacklisted email addresses. |
Configuring advanced MTA control settings
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles” on page 482.
In addition to global MTA settings, you can configure the following MTA settings in a session profile. These session-specific MTA settings will overwrite the global settings configured elsewhere.
By default, this feature is hidden. To use this feature, you must enable it by using the following CLI command: config system global set mta-adv-ctrl-status enable
end
After this feature is enabled, the following options will appear in the session profile settings. In addition, four new tabs (Address Rewrite, Mail Routing, Access Control, and DSN) will also appear under Profile > Session.
Figure 206:Advance MTA control options in session profile
- Go to Profile > Session.
- Click New to create a new session profile or double click on an existing profile to edit it.
- Click the arrow to expand Advanced Control.
- Configure the following:
GUI item | Description |
Email queue | Select which email queue to use for the matching sessions. For other general queue settings, see “Configuring mail queue setting” on page 370. |
Rewrite sender address | Select a Address Rewrite profile to rewrite the sender address.
Click New to create a new profile. For details about configuring Address Rewrite profiles, see “Configuring address rewrite profiles in the session profile” on page 502. |
Rewrite recipient address | Select a Address Rewrite profile to rewrite the recipient address.
Click New to create a new profile. For details about configuring Address Rewrite profiles, see “Configuring address rewrite profiles in the session profile” on page 502. |
Mail routing | Select a mail routing profile or click New to create one. For details about creating mail routing profiles, see “Configuring mail routing profiles in a session profile” on page 502. |
Access control | Select an access control profile or click New to create one. For details, see “Configuring access control profiles in a session profile” on page 502. |
DSN | Select a DNS profile or click New to create one. For details, see “Configuring DSN profiles in a session profile” on page 503. |
Remote logging | Select a remote logging profile or click New to create one. Note that the remote logging profiles used here are the same as the system-wide remote logging profiles. For details, see “Configuring logging to a Syslog server or FortiAnalyzer unit” on page 674. |
Configuring address rewrite profiles in the session profile
If you enable the advanced MTA control feature in session profiles (see “Configuring advanced MTA control settings” on page 500), the Address Rewrite tab will appear.
To configure an address rewrite profile to be used in a session profile
- Go to Profile > Session > Address Rewrite.
- Click New.
- Enter a profile name.
- Click New to enter the address entries.
- In the popup window, enter the original address and the address you want to rewrite to. If you want to keep the local part or the domain part of the original address, click Insert Variable to insert the variable for the local part or the domain part.
- Click Create.
Hi, on these instructions it states “personal black lists and white lists” on page 620.”
Where can i get the book to view page 620??
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statisticaly on dozen of emails, all the values are always within range 95,03- 95,09. What is really checked in headers ? In our organization (government – 5000 users) we have lots of SPAM catched but also lots of false positive catched by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some addtional info regarding heuristic filter ? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.
Hello,
Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.