firewall : profile-protocol-options : config smtp
config smtp
Configure SMTP protocol options.
ports <port_number_list>
Enter a space-separated list of port numbers to scan for SMTP content.
inspect-all {enable | disable}
Enable to monitor all ports for the SMTP protocol. If you enable this option you can’t select a port.
options {fragmail | no‑content‑summary | oversize | splice}
Select one or more options apply to SMTP sessions. To select more than one, enter the option names separated by a space.
fragmail allow fragmented email. Fragmented email cannot be scanned for viruses.
no-content-summary — do not add content information from the dashboard.
oversize — block files that are over the file size limit.
splice — simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection, and returns an error message to the sender, listing the virus and infected file name. splice is selected when scan is selected. With streaming mode enabled, select either Spam Action (Tagged or Discard) for SMTP spam. When streaming mode is disabled for SMTP, infected attachments are removed and the email is forwarded (without the attachment) to the SMTP server for delivery to the recipient.
Throughput is higher when streaming mode is enabled.
fragmail no-content-summary
oversize-limit <size_int>
Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the oversize-limit, the file is passed or blocked depending on whether oversize is a selected SMTP option. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
scan-bzip2 {enable | disable}
Enable to allow the antivirus engine to scan the contents of bzip2 compressed files. Requires antivirus engine 1.90 for full functionality. Bzip2 scanning is extemely CPU intensive. Unless this feature is required, leave scan-bzip2 disabled.
server_busy {enable | disable}
Enable this options so that when the FortiGate unit attempts to send an SMTP email but can’t because of a connection timeout or connection error it returns a 412 server busy error message to the email client attempting to send the message.
Usually the FortiGate unit accepts SMTP SYN from clients and immediately send back ACK before actually connecting with the real SMTP server. If the server responds back with NACK (service not available) the FortiGate-to-server connection drops, but the FortiGate-to-client connection will just hang until a timeout occurs. This causes particular problems for systems that use alternative servers, they may not move to the next server until the timeout occurs. Not all SMTP mail servers behave in this way, some use an SMTP HELO to confirm the connection is active and so do not have an issue with this behavior.
status {enable | disable}
Enable or disable SMTP protocol inspection.
uncompnestlimit <depth_int>
Set the maximum number of archives in depth the AV engine will scan with nested archives. The limit is from 2 to 100. The supported compression formats are arj, bzip2, cab, gzip, lha, lzh, msc, rar, tar, and zip. Bzip2 support is disabled by default.
uncompsizelimit <MB_int>
Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a value in megabytes between 1 and the maximum oversize threshold. Enter “?” to display the range for your FortiGate unit. Enter 0 for no limit (not recommended).