Fortinet black logo

Administration Guide

Viewing the greylist statuses

Viewing the greylist statuses

The Greylist submenu lets you monitor automatic greylisting exemptions, and email currently experiencing temporary failure of delivery due to greylisting.

Greylisting exploits the tendency of legitimate email servers to retry email delivery after an initial temporary failure, while spammers will typically abandon further delivery attempts to maximize spam throughput. The greylist scanner replies with a temporary failure for all email messages whose combination of sender email address, recipient email address, and SMTP client IP address is unknown. If an SMTP server retries to send the email message after the required greylist delay but before expiry, the FortiMail unit accepts the email and adds the combination of sender email address, recipient email address, and SMTP client IP address to the list of those known by the greylist scanner. Subsequent known email messages are accepted. For details on the greylisting mechanism, see About greylisting.

To use greylisting, you must enable the greylist scan in the antispam profile. For more information, see Managing antispam profiles.

Note

Enabling greylisting can improve performance by blocking most spam before it undergoes other, more resource-intensive antispam scans.

Note

Greylisting is bypassed if the SMTP client establishes an authenticated session (see Controlling email based on sender and recipient addresses, and Controlling email based on IP addresses), or if the matching access control rule’s Action is RELAY (see Order of execution).

You can configure the initial delay associated with greylisting, and manually exempt senders. For details, see Configuring the greylist TTL and initial delay and Manually exempting senders from greylisting.

Viewing the pending and individual automatic greylist entries

The Display tab lets you view pending and individual automatic greylist entries.

  • Pending greylist entries are those whose Status is not PASSTHROUGH. For email messages matching pending greylist entries, the FortiMail unit will reply to delivery attempts with a temporary failure code until the greylist delay period, indicated by Time to passthrough, has elapsed.
  • Individual greylist entries are those whose Status is PASSTHROUGH. For email messages matching pending greylist entries, the greylist scanner will allow the delivery attempt, and may create a consolidated automatic greylist entry. For information on consolidated entries, see Viewing the consolidated automatic greylist exemptions.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To view the greylist, go to Monitor > Greylist > Display.

Viewing the list of pending and individual greylist entries

GUI item

Description

Search

(button)

Click to filter the displayed entries. For details, see Filtering pending and individual automatic greylist entries.

IP

Lists the IP address of the SMTP client that delivered or attempted to deliver the email message.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Location

Lists the GeoIP locations/country names.

Sender

Lists the sender email address in the message envelope (MAIL FROM:), such as user1@example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Recipient

Lists the recipient email address in the message envelope (RCPT TO:), such as user1@example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Status

Lists the current action of the greylist scanner when the FortiMail unit receives a delivery attempt for an email message matching the entry.

  • TEMPFAIL: The greylisting delay period has not yet elapsed, and the FortiMail unit currently replies to delivery attempts with a temporary failure code. For information on configuring the greylist delay period, see Configuring the greylist TTL and initial delay.
  • PASSTHROUGH: The greylisting delay period has elapsed, and the greylist scanner will allow delivery attempts.

Time to passthrough

Lists the time and date when the greylisting delay period for a pending entry is scheduled to elapse. Delivery attempts after this date and time confirm the pending greylist entry, and the greylist scanner converts it to an individual automatic greylist entry. The greylist scanner may also consolidate individual greylist entries. For information on consolidated entries, see Viewing the consolidated automatic greylist exemptions.

N/A appears if the greylisting period has already elapsed.

Expire

Lists the time and date when the entry will expire. The greylist entry’s expiry time is determined by the following two factors:

  • Initial expiry period: After a greylist entry passes the greylist delay period and its status is changed to PASSTHROUGH, the entry’s initial expiry time is determined by the time you set with the CLI command set greylist-init-expiry-period under config antispam settings (for details, see the FortiMail CLI Reference). The default initial expiry time is 4 hours. If the initial expiry time elapses without an email message matching the automatic greylist entry, the entry expires. But the entry will not be removed.
  • TTL: Between the entry’s PASSTHROUGH time and initial expiry time, if the entry is hit again (the sender retries to send the message again), the entry’s expiry time will be reset by adding the TTL value (time to live) to the message’s “Received” time. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire. If the TTL elapses without an email message matching the automatic greylist entry, the entry expires. But the entry will not be removed. For information on configuring the TTL, see Configuring the greylist TTL and initial delay.

Filtering pending and individual automatic greylist entries

You can filter the greylist entries on the Display tab based on sender email address, recipient email address, and/or the IP address of the SMTP client.

To filter the greylist entries
  1. Go to Monitor > Greylist > Display.
  2. Click Search.
  3. A dialog appears.

  4. Configure one or more of the following:
  5. GUI item

    Description

    Field

    Select one of the following columns in the greylist entries that you want to use to filter the display.

    • IP
    • Sender
    • Recipient

    Operation

    Select how the column’s contents will be matched, such as whether the row must contain the Value.

    Value

    Enter a pattern or exact value based on your selection in Field and Operation.

    • IP: Enter the IP address of the SMTP client, such as 172.16.1.10.
    • Sender: Enter the complete sender email address in the message envelope (MAIL FROM:), such as user1@example.com.
    • Recipient: Enter the complete recipient email address in the message envelope (RCPT TO:), such as user1@example.com.

    Case Sensitive

    Enable for case-sensitive filtering.

    Use an asterisk (*) to match multiple patterns, such as typing user* to match user1@example.com, user2@example.net, and so forth. Blank fields match any value. Regular expressions are not supported.

  6. Click Search.
  7. The Display tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Display tab to refresh its view.

Viewing the consolidated automatic greylist exemptions

The Auto Exempt tab displays consolidated automatic greylist entries.

The FortiMail unit creates consolidated greylist entries from individual automatic greylist entries that meet consolidation requirements. For more information on individual automatic greylist entries, see Viewing the pending and individual automatic greylist entries. For more information on consolidation requirements, see Automatic greylist entries.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To view the list of consolidated entries, go to Monitor > Greylist > Auto Exempt.

Auto Exempt tab options

GUI item

Description

Search

(button)

Click to filter the displayed entries.

IP

Lists the /24 subnet of the IP address of the SMTP client that delivered or attempted to deliver the email message.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Location

Lists the GeoIP locations/country names.

Sender

Lists the domain name portion of the sender email address in the message envelope (MAIL FROM:), such as example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Expire

Lists the time and date when the entry will expire, determined by adding the TTL value to the time the last matching message was received. For information on configuring the TTL, see Configuring the greylist TTL and initial delay.

Viewing the greylist statuses

The Greylist submenu lets you monitor automatic greylisting exemptions, and email currently experiencing temporary failure of delivery due to greylisting.

Greylisting exploits the tendency of legitimate email servers to retry email delivery after an initial temporary failure, while spammers will typically abandon further delivery attempts to maximize spam throughput. The greylist scanner replies with a temporary failure for all email messages whose combination of sender email address, recipient email address, and SMTP client IP address is unknown. If an SMTP server retries to send the email message after the required greylist delay but before expiry, the FortiMail unit accepts the email and adds the combination of sender email address, recipient email address, and SMTP client IP address to the list of those known by the greylist scanner. Subsequent known email messages are accepted. For details on the greylisting mechanism, see About greylisting.

To use greylisting, you must enable the greylist scan in the antispam profile. For more information, see Managing antispam profiles.

Note

Enabling greylisting can improve performance by blocking most spam before it undergoes other, more resource-intensive antispam scans.

Note

Greylisting is bypassed if the SMTP client establishes an authenticated session (see Controlling email based on sender and recipient addresses, and Controlling email based on IP addresses), or if the matching access control rule’s Action is RELAY (see Order of execution).

You can configure the initial delay associated with greylisting, and manually exempt senders. For details, see Configuring the greylist TTL and initial delay and Manually exempting senders from greylisting.

Viewing the pending and individual automatic greylist entries

The Display tab lets you view pending and individual automatic greylist entries.

  • Pending greylist entries are those whose Status is not PASSTHROUGH. For email messages matching pending greylist entries, the FortiMail unit will reply to delivery attempts with a temporary failure code until the greylist delay period, indicated by Time to passthrough, has elapsed.
  • Individual greylist entries are those whose Status is PASSTHROUGH. For email messages matching pending greylist entries, the greylist scanner will allow the delivery attempt, and may create a consolidated automatic greylist entry. For information on consolidated entries, see Viewing the consolidated automatic greylist exemptions.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To view the greylist, go to Monitor > Greylist > Display.

Viewing the list of pending and individual greylist entries

GUI item

Description

Search

(button)

Click to filter the displayed entries. For details, see Filtering pending and individual automatic greylist entries.

IP

Lists the IP address of the SMTP client that delivered or attempted to deliver the email message.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Location

Lists the GeoIP locations/country names.

Sender

Lists the sender email address in the message envelope (MAIL FROM:), such as user1@example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Recipient

Lists the recipient email address in the message envelope (RCPT TO:), such as user1@example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Status

Lists the current action of the greylist scanner when the FortiMail unit receives a delivery attempt for an email message matching the entry.

  • TEMPFAIL: The greylisting delay period has not yet elapsed, and the FortiMail unit currently replies to delivery attempts with a temporary failure code. For information on configuring the greylist delay period, see Configuring the greylist TTL and initial delay.
  • PASSTHROUGH: The greylisting delay period has elapsed, and the greylist scanner will allow delivery attempts.

Time to passthrough

Lists the time and date when the greylisting delay period for a pending entry is scheduled to elapse. Delivery attempts after this date and time confirm the pending greylist entry, and the greylist scanner converts it to an individual automatic greylist entry. The greylist scanner may also consolidate individual greylist entries. For information on consolidated entries, see Viewing the consolidated automatic greylist exemptions.

N/A appears if the greylisting period has already elapsed.

Expire

Lists the time and date when the entry will expire. The greylist entry’s expiry time is determined by the following two factors:

  • Initial expiry period: After a greylist entry passes the greylist delay period and its status is changed to PASSTHROUGH, the entry’s initial expiry time is determined by the time you set with the CLI command set greylist-init-expiry-period under config antispam settings (for details, see the FortiMail CLI Reference). The default initial expiry time is 4 hours. If the initial expiry time elapses without an email message matching the automatic greylist entry, the entry expires. But the entry will not be removed.
  • TTL: Between the entry’s PASSTHROUGH time and initial expiry time, if the entry is hit again (the sender retries to send the message again), the entry’s expiry time will be reset by adding the TTL value (time to live) to the message’s “Received” time. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire. If the TTL elapses without an email message matching the automatic greylist entry, the entry expires. But the entry will not be removed. For information on configuring the TTL, see Configuring the greylist TTL and initial delay.

Filtering pending and individual automatic greylist entries

You can filter the greylist entries on the Display tab based on sender email address, recipient email address, and/or the IP address of the SMTP client.

To filter the greylist entries
  1. Go to Monitor > Greylist > Display.
  2. Click Search.
  3. A dialog appears.

  4. Configure one or more of the following:
  5. GUI item

    Description

    Field

    Select one of the following columns in the greylist entries that you want to use to filter the display.

    • IP
    • Sender
    • Recipient

    Operation

    Select how the column’s contents will be matched, such as whether the row must contain the Value.

    Value

    Enter a pattern or exact value based on your selection in Field and Operation.

    • IP: Enter the IP address of the SMTP client, such as 172.16.1.10.
    • Sender: Enter the complete sender email address in the message envelope (MAIL FROM:), such as user1@example.com.
    • Recipient: Enter the complete recipient email address in the message envelope (RCPT TO:), such as user1@example.com.

    Case Sensitive

    Enable for case-sensitive filtering.

    Use an asterisk (*) to match multiple patterns, such as typing user* to match user1@example.com, user2@example.net, and so forth. Blank fields match any value. Regular expressions are not supported.

  6. Click Search.
  7. The Display tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Display tab to refresh its view.

Viewing the consolidated automatic greylist exemptions

The Auto Exempt tab displays consolidated automatic greylist entries.

The FortiMail unit creates consolidated greylist entries from individual automatic greylist entries that meet consolidation requirements. For more information on individual automatic greylist entries, see Viewing the pending and individual automatic greylist entries. For more information on consolidation requirements, see Automatic greylist entries.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To view the list of consolidated entries, go to Monitor > Greylist > Auto Exempt.

Auto Exempt tab options

GUI item

Description

Search

(button)

Click to filter the displayed entries.

IP

Lists the /24 subnet of the IP address of the SMTP client that delivered or attempted to deliver the email message.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Location

Lists the GeoIP locations/country names.

Sender

Lists the domain name portion of the sender email address in the message envelope (MAIL FROM:), such as example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Expire

Lists the time and date when the entry will expire, determined by adding the TTL value to the time the last matching message was received. For information on configuring the TTL, see Configuring the greylist TTL and initial delay.