1s question do you need or expect any SMTP auth? ( 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5 ) Yes no, just disable it in your mail profile? Unless your offering mali-relay to various src ip_address, than I would disable SMTP-auth imho As soon as you have SMTP authentication enable, than you will get a rash of dictionary attacker trying everything from admin, post,postmaster administrator, root , sales, info, etc...... you get the picture. Bad thing about this, the fortimail has no way to ban these src ip_address unless you use a fortigate and a some custom IPS rule. I wish they would incould some type of brute-force monitor and after a single address failed SMTP-AUTH like 20+ times in X , than you ban them like with a IPS quarantine ip_address does.

I' m re-writing and moving my blog around, but take a look at this. I push this out since I knew you or another will run across the same issue. http://socpuppet.blogspot.com/2014/07/howto-disable-smtp-auth-support.html FWIW; I don' t think the ip/access-policy is where/what enables the SMTP-AUTH but you can check. If you have a fortigate, I would write a SMTP-AUTH rule and block by tracking the server auth-failures and the destination address. This would give you a piece of mind and protection from any brute/dictionary or hybrid based attacks. note: One more auth that can be disable in the same fashion is ; config sys mailserver set smtp-auth-smtps disable end I believe that take care of the SSMTP port 465; cat services | grep smtp smtp 25/tcp mail ssmtp 465/tcp smtps # SMTP over SSL Check and confirm by using mxtoolbox as outline in that blog.