Fortinet black logo

Administration Guide

Configuring greylisting

Configuring greylisting

Go to Security > Greylist to configure greylisting and to view greylist-exempt senders.

This section contains the following topics:

About greylisting

Greylist scanning blocks spam based on the behavior of the sending server, rather than the content of the messages. When receiving an email from an unknown server, the FortiMail unit will temporarily reject the message. If the mail is legitimate, the originating server will try to send it again later (RFC 2821), at which time the FortiMail unit will accept it. Spammers will typically abandon further delivery attempts in order to maximize spam throughput.

Advantages of greylisting include:

  • Greylisting is low-maintenance, and does not require you to manually maintain IP address lists, block lists or safe lists, or word lists. The FortiMail unit automatically obtains and maintains the required information.
  • Spam blocked by greylisting never undergoes other antispam scans. This can save significant amounts of processing and storage resources. For this reason, enabling greylisting can improve FortiMail performance.
  • Even if a spammer adapts to greylisting by retrying to send spam, the greylist delay period can allow time for FortiGuard Antispam and DNSBL servers to discover and blocklist the spam source. By the time that the spammer finally succeeds in sending the email, other antispam scans are more likely to recognize it as spam.
Workflow of greylist scanning

Note

Greylisting is omitted if the matching access control rule’s Action is RELAY. For more information on antispam features’ order of execution, see Order of execution.

When an SMTP client first attempts to deliver an email message through the FortiMail unit, the greylist scanner examines the email message’s combination of:

  • sender email address in the message envelope (MAIL FROM:)
  • recipient email address in the message envelope (RCPT TO:)
  • IP address of the SMTP client

The greylist scanner then compares the combination of those attributes to manual and automatic greylist entries. The greylist scanner evaluates the email for matches in the following order:

  1. manual greylist entries, also known as exemptions (see Manual greylist entries)
  2. consolidated automatic greylist entries, also known as autoexempt entries (see Automatic greylist entries)
  3. individual automatic greylist entries, also known as greylist entries
Note

For more information on the types of greylist entries, see Automatic greylist entries and Automatic greylist entries.

According to the match results, the greylist scanner performs one of the following:

  • If a matching entry exists, the FortiMail unit continues with other configured antispam scans, and will accept the email if no other antispam scan determines that the email is spam. For automatic greylist entry matches, each accepted subsequent email also extends the expiry date of the automatic greylist entry according to the configured time to live (TTL). (Automatic greylist entries are discarded if no additional matching email messages are received by the expiry date.)
  • If no matching entry exists, the FortiMail unit creates a pending individual automatic greylist entry (see Viewing the pending and individual automatic greylist entries) to note that combination of sender, recipient, and client addresses, then replies to the SMTP client with a temporary failure code. During the greylist delay period after the initial delivery attempt, the FortiMail unit continues to reply to delivery attempts with a temporarily failure code. To confirm the pending automatic greylist entry and successfully send the email message, the SMTP client must retry delivery during the greylist window: after the delay period, but before the expiry of the pending entry.

Subsequent email messages matching a greylist entry are accepted by the greylist scanner without being subject to the greylisting delay.

For information on how the greylist scanner matches email messages, see Matching automatic greylist entries. For information on configuring the greylisting delay, window, and entry expiry/TTL, see Configuring the greylist TTL and initial delay.

Matching automatic greylist entries

While the email addresses in the message envelope must match exactly, the IP address of the SMTP client is a less specific match: any IP address on the /24 network will match.

For example, if an email server at 192.168.1.99 is known to the greylist scanner, its greylist entry contains the IP address 192.168.1.0 where 0 indicates that any value will match the last octet, and that any IP address starting with 192.168.1 will match that entry.

This greylist IP address matching mechanism restricts the number of IP addresses which can match the greylist entry while also minimizing potential issues with email server farms. Some large organizations use many email servers with IP addresses in the same class C subnet. If the first attempt to deliver email receives a temporary failure response, the second attempt may come from an email server with a different IP address. If an exact match were required, the greylist scanner would treat the second delivery attempt as a new delivery attempt unrelated to the first. Depending on the configuration of the email servers, the email message might never be delivered properly. Approximate IP address matching often prevents this problem.

For very large email server farms that require greater than a /24 subnet, you can manually create greylist exemptions. For more information, see Manual greylist entries.

Automatic greylist entries

The automatic greylisting process automatically creates, confirms pending entries, and expires automatic greylist entries, reducing the need for manual greylist entries. The automatic greylisting process can create three types of automatic greylist entries:

Pending entries are created on the initial delivery attempt, and track the email messages whose delivery attempts are currently experiencing the greylist delay period. They are converted to confirmed individual entries if a delivery attempt occurs after the greylist delay period, during the greylist window.

The automatic greylisting process can reduce the number of individual automatic greylist entries by consolidating similar entries after they have been confirmed during the greylisting window. Consolidation improves performance and greatly reduces the possibility of overflowing the maximum number of greylist entries.

Consolidated automatic greylist entries include only:

  • the domain name portion of the sender email address
  • the IP address of the SMTP client

They do not include the recipient email address, or the user name portion of the sender email address. By containing only the domain name portion and not the entire sender email address, a consolidated entry can match all senders from a single domain, rather than each sender having and matching their own individual automatic greylist entry. Similarly, by not containing the recipient email address, any recipient can share the same greylist entry. Because consolidated entries have broader match sets, they less likely to reach the time to live (TTL) than an individual automatic greylist entry.

For example, example.com and example.org each have 100 employees. The two organizations work together and employees of each company exchange email with many of their counterparts in the other company. If each example.com employee corresponds with 20 people from example.org, the FortiMail unit used by example.com will have 2000 greylist entries for the email received from example.org alone. By consolidating, these 2000 greylist entries are replaced by a single entry.

Not all individual automatic greylist entries can be consolidated. Because consolidated entries have fewer message attributes, more email messages may match each entry, some of which could contain different recipient email addresses and sender user names than those of the originally greylisted email messages. To prevent spam from taking advantage of the broader match sets, requirements for creation of consolidated entries are more strict than those of individual automatic greylist entries. FortiMail units will create a consolidated (autoexempt) entry only if the email:

  • does not match any manual greylist entry (exemption)
  • passes the automatic greylisting process
  • passes all configured antispam scans
  • passes all configured antivirus scans
  • passes all configured content scans
  • does not match any safe lists

If an email message fails to meet the above requirements, the FortiMail unit instead maintains the individual automatic greylist entry.

Note

If an email message matches a manual greylist entry, it is not subject to automatic greylisting and the FortiMail unit will not create an entry in the individual or consolidated automatic greylist or autoexempt list.

After an individual automatic greylist entry is consolidated, both the consolidated autoexempt entry and the original greylist entry will coexist for the length of the greylist TTL. Because email messages are compared to the autoexempt list before the greylist, subsequent matching email will reset only the expiry date of the autoexempt list entry, but not the expiry date of the original greylist entry. Eventually, the original greylist entry expires, leaving the automatic greylist entry.

Manual greylist entries

In some cases, you may want to manually configure some greylist entries. Manual greylist entries are exempt from the automatic greylisting process, and are therefore not subject to the greylist delay period and confirmation.

For example, a manual greylist entry can be useful when email messages are sent from an email server farm whose network is larger than /24. For very large email server farms, if a different email server attempts the delivery retry each time, the greylist scanner could perceive each retry as a first attempt, and automatic greylist entries could expire before the same email server retries delivery of the same email. To prevent this problem, you can manually create an exemption using common elements of the host names of the email servers.

For more information on creating manual greylist entries, see Manually exempting senders from greylisting.

Configuring the greylist TTL and initial delay

The Settings tab lets you configure time intervals used during the automatic greylisting process.

For more information on the automatic greylisting process, see About greylisting.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To configure greylisting intervals
  1. Go to Security > Greylist > Settings.
  2. Configure the following:

GUI item

Description

TTL

Enter the time to live (TTL) that determines the maximum amount of time that unused automatic greylist entries will be retained.

Expiration dates of automatic greylist entries are determined by the following two factors:

  • Initial expiry period: After a greylist entry passes the greylist delay period and its status is changed to PASSTHROUGH, the entry’s initial expiry time is determined by the time you set with the CLI command set greylist-init-expiry-period under config antispam settings. The default initial expiry time is 4 hours. If the initial expiry time elapses without an email message matching the automatic greylist entry, the entry expires. But the entry will not be removed.
  • TTL: Between the entry’s PASSTHROUGH time and initial expiry time, if the entry is hit again (the sender retries to send the message again), the entry’s expiry time will be reset by adding the TTL value (time to live) to the message’s “Received” time. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire. If the TTL elapses without an email message matching the automatic greylist entry, the entry expires. But the entry will not be removed.

For more information on automatic greylist entries, see Viewing the greylist statuses.

Greylisting period

Enter the length of the greylist delay period.

For the initial delivery attempt, if no manual greylist entry (exemption) matches the email message, the FortiMail unit creates a pending automatic greylist entry, and replies with a temporary failure code. During the greylist delay period after this initial delivery attempt, the FortiMail unit continues to reply to additional delivery attempts with a temporary failure code.

After the greylist delay period elapses and before the pending entry expires (during the greylist window), any additional delivery attempts will confirm the entry and convert it to an individual automatic greylist entry. The greylist scanner will then allow delivery of subsequent matching email messages. For more information on pending and individual automatic greylist entries, see Viewing the pending and individual automatic greylist entries.

Note

You can use the CLI to change the default 4 hour greylist window. For more information, see the CLI command set greylist-init-expiry-period under config antispam settings in the FortiMail CLI Reference.

Manually exempting senders from greylisting

The Exempt tab displays manual greylist entries, which exempt email messages from the automatic greylisting process and its associated greylist delay period.

Note

Greylisting is omitted if the matching access control rule’s Action is RELAY. For more information on antispam features’ order of execution, see Order of execution.

For more information on the automatic greylisting process, see About greylisting. For more information on manual greylist entries, see Manual greylist entries.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To view and configure manual greylist entries
  1. Go to Security > Greylist > Exempt.
  2. GUI item

    Description

    Sender Pattern

    Displays the pattern that defines a matching sender address in the message envelope (MAIL FROM:).

    The prefix to the pattern indicates whether or not the Regular expression option is enabled for the entry.

    • R/: Regular expressions are enabled.
    • -/: Regular expressions are not enabled, but the pattern may use wild cards (* or ?).

    Recipient Pattern

    Displays the pattern that defines a matching recipient address in the message envelope (RCPT TO:).

    The prefix to the pattern indicates whether or not the Regular expression option is enabled for the entry.

    • R/: Regular expressions are enabled.
    • -/: Regular expressions are not enabled, but the pattern may use wild cards (* or ?).

    Sender IP/Netmask

    Displays the IP address and netmask that defines SMTP clients (the last hop address) that match this entry.

    0.0.0.0/0 matches all SMTP client IP addresses.

    Reverse DNS Pattern

    Displays the pattern that defines a matching result when the FortiMail unit performs the reverse DNS lookup of the IP address of the SMTP client.

    The prefix to the pattern indicates whether or not the Regular expression option is enabled for the entry.

    • R/: Regular expressions are enabled.
    • -/: Regular expressions are not enabled, but the pattern may use wild cards (* or ?).
  3. Click New to add an entry or double-click an entry to modify it.
  4. A dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Sender pattern

    Enter the pattern that defines a matching sender email address in the message envelope (MAIL FROM:). To match any sender email address, enter either *, or, if Regular expression is enabled, .*.

    You can create a pattern that matches multiple addresses either by:

    • including wild card characters (* or ?). An asterisk (*) matches one or more characters; a question mark (?) matches any single character.
    • using regular expressions. You must also enable the Regular expression option.

    For example, entering the pattern ??@*.com will match messages sent by any sender with a two-letter user name from any “.com” domain.

    Regular expression

    For any of the pattern options, select the accompanying Regular expression check box if you entered a pattern using regular expression syntax.

    Recipient pattern

    Enter the pattern that defines a matching recipient address in the message envelope (RCPT TO:). To match any recipient email address, enter either *, or, if Regular expression is enabled, .*.

    You can create a pattern that matches multiple addresses either by:

    • including wild card characters (* or ?). An asterisk (*) matches one or more characters; a question mark (?) matches any single character.
    • using regular expressions. You must also enable the Regular expression option.

    For example, entering the pattern *@example.??? will match email sent to any recipient at example.com, example.net, example.org, or any other “example” top level domain.

    Sender IP/Netmask

    Enter the IP address and netmask that defines SMTP clients that match this entry.

    To match any SMTP client IP address, enter 0.0.0.0/0.

    You can create a pattern that matches multiple addresses by entering any bit mask other than /32.

    For example, entering 10.10.10.10/24 would match the 24-bit subnet of IP addresses starting with 10.10.10, and would appear in the list of manual greylist entries as 10.10.10.0/24.

    Reverse DNS pattern

    Enter the pattern that defines valid host names for the IP address of the SMTP client (the last hop address).

    Since the SMTP client can use a fake self-reported host name in its SMTP greeting (EHLO/HELO), you can use a reverse DNS lookup of the SMTP client’s IP address to get the real host name of the SMTP client. Then the FortiMail greylist scanner can compare the host name resulting from the reverse DNS query with the pattern that you specify. If the query result matches the specified pattern, the greylist exempt rule will apply, Otherwise, the rule will not apply.

    You can create a pattern that matches multiple addresses either by:

    • including wild card characters (* or ?). An asterisk (*) matches one or more characters; a question mark (?) matches any single character.
    • using regular expressions. You must also enable the Regular expression option.

    For example, entering the pattern mail*.com will match messages delivered by an SMTP client whose host name starts with “mail” and ending with “.com”.

No pattern can be left blank in a greylist exempt rule. To have the FortiMail unit ignore a pattern, enter an asterisk (*) in the pattern field. For example, if you enter an asterisk in the Recipient Pattern field and do not enable Regular Expression, the asterisk matches all recipient addresses. This eliminates the recipient pattern as an item used to determine if the rule matches an email message.

See also

Configuring the block lists and safe lists

Managing the global block and safe list

Example: Manual greylist entries (exemptions)

Example Corporation uses a FortiMail unit that is operating in gateway mode, and uses greylisting to reduce the quantity of spam they receive at their protected domain, example.com.

Example Corporation wants to exempt some email from the initial greylist delay period by creating manual greylist entries (exemptions to the automatic greylisting process) that match trusted combinations of SMTP client IP addresses and recipient email addresses.

The manual greylist entries used by Example Corporation are shown in Rule 1.

Rule 1

Example Corporation has a number of foreign offices. Email from these offices does not need to be greylisted.The IP addresses of email servers in the foreign offices vary, though their host names all begin with “mail” and end with “example.com”.

Rule 1 uses the recipient pattern and the reverse DNS pattern to exempt from the automatic greylisting process all email messages that are sent to recipients at example.com, and are being delivered by an email server with a host name beginning with “mail” and ending with “example.com”.

Rule 2

Example Corporation works closely with a partner organization, Example Org, whose email domain is example.org. Email from the example.org email servers does not need to be greylisted. The IP addresses of email servers for example.org are within the 172.20.120.0/24 subnet, and have a host name of mail.example.org.

Rule 2 uses the recipient pattern, sender IP/ netmask, and reverse DNS pattern to exempt from the automatic greylisting process all email messages that are sent to recipients at example.com by any email server whose IP address is between 172.20.120.1 and 172.20.120.255 and whose host name is mail.example.org.

Configuring greylisting

Go to Security > Greylist to configure greylisting and to view greylist-exempt senders.

This section contains the following topics:

About greylisting

Greylist scanning blocks spam based on the behavior of the sending server, rather than the content of the messages. When receiving an email from an unknown server, the FortiMail unit will temporarily reject the message. If the mail is legitimate, the originating server will try to send it again later (RFC 2821), at which time the FortiMail unit will accept it. Spammers will typically abandon further delivery attempts in order to maximize spam throughput.

Advantages of greylisting include:

  • Greylisting is low-maintenance, and does not require you to manually maintain IP address lists, block lists or safe lists, or word lists. The FortiMail unit automatically obtains and maintains the required information.
  • Spam blocked by greylisting never undergoes other antispam scans. This can save significant amounts of processing and storage resources. For this reason, enabling greylisting can improve FortiMail performance.
  • Even if a spammer adapts to greylisting by retrying to send spam, the greylist delay period can allow time for FortiGuard Antispam and DNSBL servers to discover and blocklist the spam source. By the time that the spammer finally succeeds in sending the email, other antispam scans are more likely to recognize it as spam.
Workflow of greylist scanning

Note

Greylisting is omitted if the matching access control rule’s Action is RELAY. For more information on antispam features’ order of execution, see Order of execution.

When an SMTP client first attempts to deliver an email message through the FortiMail unit, the greylist scanner examines the email message’s combination of:

  • sender email address in the message envelope (MAIL FROM:)
  • recipient email address in the message envelope (RCPT TO:)
  • IP address of the SMTP client

The greylist scanner then compares the combination of those attributes to manual and automatic greylist entries. The greylist scanner evaluates the email for matches in the following order:

  1. manual greylist entries, also known as exemptions (see Manual greylist entries)
  2. consolidated automatic greylist entries, also known as autoexempt entries (see Automatic greylist entries)
  3. individual automatic greylist entries, also known as greylist entries
Note

For more information on the types of greylist entries, see Automatic greylist entries and Automatic greylist entries.

According to the match results, the greylist scanner performs one of the following:

  • If a matching entry exists, the FortiMail unit continues with other configured antispam scans, and will accept the email if no other antispam scan determines that the email is spam. For automatic greylist entry matches, each accepted subsequent email also extends the expiry date of the automatic greylist entry according to the configured time to live (TTL). (Automatic greylist entries are discarded if no additional matching email messages are received by the expiry date.)
  • If no matching entry exists, the FortiMail unit creates a pending individual automatic greylist entry (see Viewing the pending and individual automatic greylist entries) to note that combination of sender, recipient, and client addresses, then replies to the SMTP client with a temporary failure code. During the greylist delay period after the initial delivery attempt, the FortiMail unit continues to reply to delivery attempts with a temporarily failure code. To confirm the pending automatic greylist entry and successfully send the email message, the SMTP client must retry delivery during the greylist window: after the delay period, but before the expiry of the pending entry.

Subsequent email messages matching a greylist entry are accepted by the greylist scanner without being subject to the greylisting delay.

For information on how the greylist scanner matches email messages, see Matching automatic greylist entries. For information on configuring the greylisting delay, window, and entry expiry/TTL, see Configuring the greylist TTL and initial delay.

Matching automatic greylist entries

While the email addresses in the message envelope must match exactly, the IP address of the SMTP client is a less specific match: any IP address on the /24 network will match.

For example, if an email server at 192.168.1.99 is known to the greylist scanner, its greylist entry contains the IP address 192.168.1.0 where 0 indicates that any value will match the last octet, and that any IP address starting with 192.168.1 will match that entry.

This greylist IP address matching mechanism restricts the number of IP addresses which can match the greylist entry while also minimizing potential issues with email server farms. Some large organizations use many email servers with IP addresses in the same class C subnet. If the first attempt to deliver email receives a temporary failure response, the second attempt may come from an email server with a different IP address. If an exact match were required, the greylist scanner would treat the second delivery attempt as a new delivery attempt unrelated to the first. Depending on the configuration of the email servers, the email message might never be delivered properly. Approximate IP address matching often prevents this problem.

For very large email server farms that require greater than a /24 subnet, you can manually create greylist exemptions. For more information, see Manual greylist entries.

Automatic greylist entries

The automatic greylisting process automatically creates, confirms pending entries, and expires automatic greylist entries, reducing the need for manual greylist entries. The automatic greylisting process can create three types of automatic greylist entries:

Pending entries are created on the initial delivery attempt, and track the email messages whose delivery attempts are currently experiencing the greylist delay period. They are converted to confirmed individual entries if a delivery attempt occurs after the greylist delay period, during the greylist window.

The automatic greylisting process can reduce the number of individual automatic greylist entries by consolidating similar entries after they have been confirmed during the greylisting window. Consolidation improves performance and greatly reduces the possibility of overflowing the maximum number of greylist entries.

Consolidated automatic greylist entries include only:

  • the domain name portion of the sender email address
  • the IP address of the SMTP client

They do not include the recipient email address, or the user name portion of the sender email address. By containing only the domain name portion and not the entire sender email address, a consolidated entry can match all senders from a single domain, rather than each sender having and matching their own individual automatic greylist entry. Similarly, by not containing the recipient email address, any recipient can share the same greylist entry. Because consolidated entries have broader match sets, they less likely to reach the time to live (TTL) than an individual automatic greylist entry.

For example, example.com and example.org each have 100 employees. The two organizations work together and employees of each company exchange email with many of their counterparts in the other company. If each example.com employee corresponds with 20 people from example.org, the FortiMail unit used by example.com will have 2000 greylist entries for the email received from example.org alone. By consolidating, these 2000 greylist entries are replaced by a single entry.

Not all individual automatic greylist entries can be consolidated. Because consolidated entries have fewer message attributes, more email messages may match each entry, some of which could contain different recipient email addresses and sender user names than those of the originally greylisted email messages. To prevent spam from taking advantage of the broader match sets, requirements for creation of consolidated entries are more strict than those of individual automatic greylist entries. FortiMail units will create a consolidated (autoexempt) entry only if the email:

  • does not match any manual greylist entry (exemption)
  • passes the automatic greylisting process
  • passes all configured antispam scans
  • passes all configured antivirus scans
  • passes all configured content scans
  • does not match any safe lists

If an email message fails to meet the above requirements, the FortiMail unit instead maintains the individual automatic greylist entry.

Note

If an email message matches a manual greylist entry, it is not subject to automatic greylisting and the FortiMail unit will not create an entry in the individual or consolidated automatic greylist or autoexempt list.

After an individual automatic greylist entry is consolidated, both the consolidated autoexempt entry and the original greylist entry will coexist for the length of the greylist TTL. Because email messages are compared to the autoexempt list before the greylist, subsequent matching email will reset only the expiry date of the autoexempt list entry, but not the expiry date of the original greylist entry. Eventually, the original greylist entry expires, leaving the automatic greylist entry.

Manual greylist entries

In some cases, you may want to manually configure some greylist entries. Manual greylist entries are exempt from the automatic greylisting process, and are therefore not subject to the greylist delay period and confirmation.

For example, a manual greylist entry can be useful when email messages are sent from an email server farm whose network is larger than /24. For very large email server farms, if a different email server attempts the delivery retry each time, the greylist scanner could perceive each retry as a first attempt, and automatic greylist entries could expire before the same email server retries delivery of the same email. To prevent this problem, you can manually create an exemption using common elements of the host names of the email servers.

For more information on creating manual greylist entries, see Manually exempting senders from greylisting.

Configuring the greylist TTL and initial delay

The Settings tab lets you configure time intervals used during the automatic greylisting process.

For more information on the automatic greylisting process, see About greylisting.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To configure greylisting intervals
  1. Go to Security > Greylist > Settings.
  2. Configure the following:

GUI item

Description

TTL

Enter the time to live (TTL) that determines the maximum amount of time that unused automatic greylist entries will be retained.

Expiration dates of automatic greylist entries are determined by the following two factors:

  • Initial expiry period: After a greylist entry passes the greylist delay period and its status is changed to PASSTHROUGH, the entry’s initial expiry time is determined by the time you set with the CLI command set greylist-init-expiry-period under config antispam settings. The default initial expiry time is 4 hours. If the initial expiry time elapses without an email message matching the automatic greylist entry, the entry expires. But the entry will not be removed.
  • TTL: Between the entry’s PASSTHROUGH time and initial expiry time, if the entry is hit again (the sender retries to send the message again), the entry’s expiry time will be reset by adding the TTL value (time to live) to the message’s “Received” time. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire. If the TTL elapses without an email message matching the automatic greylist entry, the entry expires. But the entry will not be removed.

For more information on automatic greylist entries, see Viewing the greylist statuses.

Greylisting period

Enter the length of the greylist delay period.

For the initial delivery attempt, if no manual greylist entry (exemption) matches the email message, the FortiMail unit creates a pending automatic greylist entry, and replies with a temporary failure code. During the greylist delay period after this initial delivery attempt, the FortiMail unit continues to reply to additional delivery attempts with a temporary failure code.

After the greylist delay period elapses and before the pending entry expires (during the greylist window), any additional delivery attempts will confirm the entry and convert it to an individual automatic greylist entry. The greylist scanner will then allow delivery of subsequent matching email messages. For more information on pending and individual automatic greylist entries, see Viewing the pending and individual automatic greylist entries.

Note

You can use the CLI to change the default 4 hour greylist window. For more information, see the CLI command set greylist-init-expiry-period under config antispam settings in the FortiMail CLI Reference.

Manually exempting senders from greylisting

The Exempt tab displays manual greylist entries, which exempt email messages from the automatic greylisting process and its associated greylist delay period.

Note

Greylisting is omitted if the matching access control rule’s Action is RELAY. For more information on antispam features’ order of execution, see Order of execution.

For more information on the automatic greylisting process, see About greylisting. For more information on manual greylist entries, see Manual greylist entries.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To view and configure manual greylist entries
  1. Go to Security > Greylist > Exempt.
  2. GUI item

    Description

    Sender Pattern

    Displays the pattern that defines a matching sender address in the message envelope (MAIL FROM:).

    The prefix to the pattern indicates whether or not the Regular expression option is enabled for the entry.

    • R/: Regular expressions are enabled.
    • -/: Regular expressions are not enabled, but the pattern may use wild cards (* or ?).

    Recipient Pattern

    Displays the pattern that defines a matching recipient address in the message envelope (RCPT TO:).

    The prefix to the pattern indicates whether or not the Regular expression option is enabled for the entry.

    • R/: Regular expressions are enabled.
    • -/: Regular expressions are not enabled, but the pattern may use wild cards (* or ?).

    Sender IP/Netmask

    Displays the IP address and netmask that defines SMTP clients (the last hop address) that match this entry.

    0.0.0.0/0 matches all SMTP client IP addresses.

    Reverse DNS Pattern

    Displays the pattern that defines a matching result when the FortiMail unit performs the reverse DNS lookup of the IP address of the SMTP client.

    The prefix to the pattern indicates whether or not the Regular expression option is enabled for the entry.

    • R/: Regular expressions are enabled.
    • -/: Regular expressions are not enabled, but the pattern may use wild cards (* or ?).
  3. Click New to add an entry or double-click an entry to modify it.
  4. A dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Sender pattern

    Enter the pattern that defines a matching sender email address in the message envelope (MAIL FROM:). To match any sender email address, enter either *, or, if Regular expression is enabled, .*.

    You can create a pattern that matches multiple addresses either by:

    • including wild card characters (* or ?). An asterisk (*) matches one or more characters; a question mark (?) matches any single character.
    • using regular expressions. You must also enable the Regular expression option.

    For example, entering the pattern ??@*.com will match messages sent by any sender with a two-letter user name from any “.com” domain.

    Regular expression

    For any of the pattern options, select the accompanying Regular expression check box if you entered a pattern using regular expression syntax.

    Recipient pattern

    Enter the pattern that defines a matching recipient address in the message envelope (RCPT TO:). To match any recipient email address, enter either *, or, if Regular expression is enabled, .*.

    You can create a pattern that matches multiple addresses either by:

    • including wild card characters (* or ?). An asterisk (*) matches one or more characters; a question mark (?) matches any single character.
    • using regular expressions. You must also enable the Regular expression option.

    For example, entering the pattern *@example.??? will match email sent to any recipient at example.com, example.net, example.org, or any other “example” top level domain.

    Sender IP/Netmask

    Enter the IP address and netmask that defines SMTP clients that match this entry.

    To match any SMTP client IP address, enter 0.0.0.0/0.

    You can create a pattern that matches multiple addresses by entering any bit mask other than /32.

    For example, entering 10.10.10.10/24 would match the 24-bit subnet of IP addresses starting with 10.10.10, and would appear in the list of manual greylist entries as 10.10.10.0/24.

    Reverse DNS pattern

    Enter the pattern that defines valid host names for the IP address of the SMTP client (the last hop address).

    Since the SMTP client can use a fake self-reported host name in its SMTP greeting (EHLO/HELO), you can use a reverse DNS lookup of the SMTP client’s IP address to get the real host name of the SMTP client. Then the FortiMail greylist scanner can compare the host name resulting from the reverse DNS query with the pattern that you specify. If the query result matches the specified pattern, the greylist exempt rule will apply, Otherwise, the rule will not apply.

    You can create a pattern that matches multiple addresses either by:

    • including wild card characters (* or ?). An asterisk (*) matches one or more characters; a question mark (?) matches any single character.
    • using regular expressions. You must also enable the Regular expression option.

    For example, entering the pattern mail*.com will match messages delivered by an SMTP client whose host name starts with “mail” and ending with “.com”.

No pattern can be left blank in a greylist exempt rule. To have the FortiMail unit ignore a pattern, enter an asterisk (*) in the pattern field. For example, if you enter an asterisk in the Recipient Pattern field and do not enable Regular Expression, the asterisk matches all recipient addresses. This eliminates the recipient pattern as an item used to determine if the rule matches an email message.

See also

Configuring the block lists and safe lists

Managing the global block and safe list

Example: Manual greylist entries (exemptions)

Example Corporation uses a FortiMail unit that is operating in gateway mode, and uses greylisting to reduce the quantity of spam they receive at their protected domain, example.com.

Example Corporation wants to exempt some email from the initial greylist delay period by creating manual greylist entries (exemptions to the automatic greylisting process) that match trusted combinations of SMTP client IP addresses and recipient email addresses.

The manual greylist entries used by Example Corporation are shown in Rule 1.

Rule 1

Example Corporation has a number of foreign offices. Email from these offices does not need to be greylisted.The IP addresses of email servers in the foreign offices vary, though their host names all begin with “mail” and end with “example.com”.

Rule 1 uses the recipient pattern and the reverse DNS pattern to exempt from the automatic greylisting process all email messages that are sent to recipients at example.com, and are being delivered by an email server with a host name beginning with “mail” and ending with “example.com”.

Rule 2

Example Corporation works closely with a partner organization, Example Org, whose email domain is example.org. Email from the example.org email servers does not need to be greylisted. The IP addresses of email servers for example.org are within the 172.20.120.0/24 subnet, and have a host name of mail.example.org.

Rule 2 uses the recipient pattern, sender IP/ netmask, and reverse DNS pattern to exempt from the automatic greylisting process all email messages that are sent to recipients at example.com by any email server whose IP address is between 172.20.120.1 and 172.20.120.255 and whose host name is mail.example.org.