Configuring the block lists and safe lists
The Security > Block/Safe List submenu lets you reject, discard, or allow email messages based on email addresses, domain names, and IP addresses. It also lets you back up and restore the block lists and safe lists.
Multiple types of block lists and safe lists exist: system-wide, per-domain, per-user, and per-session profile. There are several places in the web UI where you can configure these block lists and safe lists.
- For system-wide, per-domain, and per-user block lists and safe lists, go to Security > Block/Safe List. For details, see Managing the global block and safe list, Managing the per-domain block lists and safe lists, and Managing the personal block lists and safe lists.
- For per-user block lists and safe lists, you can alternatively go to Domain & User > User > User Preferences. For details, see Configuring user preferences.
- For session profile block lists and safe lists, go to Profile > Session > Session and modify the session profile. For details, see Configuring session profiles.
In addition to FortiMail administrators being able to configure per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail. |
For more information on order of execution, see Order of execution of block lists and safe lists.
All block and safe list entries are automatically sorted into alphabetical order, where wildcard characters (* and ?) and numbers sort before letters.
See also
Order of execution of block lists and safe lists
About block list and safe list address formats
Managing the global block and safe list
Managing the per-domain block lists and safe lists
Managing the personal block lists and safe lists
Configuring the block list action
Order of execution of block lists and safe lists
As one of the first steps to detect spam, FortiMail units evaluate whether an email message matches a block list or safe list entry.
Generally, safe lists take precedence over block lists. If the same entry appears in both lists, the entry will be safelisted. Similarly, system-wide lists generally take precedence over per-domain lists, while per-domain lists take precedence over per-user lists.
Configuring the block lists and safe lists displays the sequence in which the FortiMail unit evaluates email for matches with block list and safe list entries. If the FortiMail unit finds a match, it does not look for any additional matches, and cancels any remaining antispam scans of the message (but not the antivirus and content scans).
Block and safe list order of operations
Order |
List |
Examines |
Action taken if match is found |
1 |
System safe list |
Sender address, Client IP |
Accept message |
2 |
System block list |
Sender address, Client IP |
Invoke block list action |
3 |
Domain safe list |
Sender address, Client IP |
Accept message |
4 |
Domain block list |
Sender address, Client IP |
Invoke block list action |
5 |
Session recipient safe list |
Recipient address |
Accept message for matching recipients |
6 |
Session recipient block list |
Recipient address |
Invoke block list action |
7 |
Session sender safe list |
Sender address, Client IP |
Accept message for all recipients |
8 |
Session sender block list |
Sender address, Client IP |
Invoke block list action |
9 |
User safe list |
Sender address, Client IP |
Accept message for this recipient |
10 |
User block list |
Sender address, Client IP |
Discard message |
When the sender email address or domain is examined for a match:
- email addresses and domain names in the list are compared to the sender address in the message envelope (
MAIL FROM:
) and message header (From:
) - IP addresses are compared to the IP address of the SMTP client delivering the email, also known as the last hop address
When the recipient is examined for a match, email addresses and domain names in the list are compared to the recipient address in both the envelop and header. An IP address in a recipient safe or block list is not a valid entry, because IP addresses are not used.
System-wide, per-domain, and per-user block lists and safe lists are executed before any policy match. In contrast, per-session profile block lists and safe lists require that the traffic first match a policy. When configuring a session profile (see Configuring session profiles), you can create block and safe lists that will be used with the session profile. Session profiles are selected in IP-based policies, and as a result, per-session profile block lists and safe lists are not applied until the traffic matches an IP-based policy.
For information on order of execution relative to other antispam methods, see Order of execution.
See also
Configuring the block lists and safe lists
Managing the global block and safe list
Managing the per-domain block lists and safe lists
Managing the personal block lists and safe lists
Configuring the block list action
About block list and safe list address formats
Acceptable input for block and safe list entries may vary by the type of the block or safe list, but may be:
- all or part of an IP address
- all or part of a domain name
- all or part of an email address
Domain name portions (for example, example.com) and user name portions (for example, user1) may use wild cards (?
and *
).
Examples of valid block/safe list entries
Example |
Description of match |
172.168.1 |
Email from the IP addresses 172.168.1.0/24 |
example.com |
Email from any sender at example.com, such as user1@example.com. |
spammer@example.com |
Email from the sender spammer@example.com |
?ser1@example.com |
Email from any sender name ending in “ser1” at example.com |
*@example.com |
Email from any sender at example.com |
user1@ex?mple.com |
Email from the sender user1 in domains such as example.com, exemple.com, or exumple.com |
user1@*.com |
Email from the sender user1 at any .com domain |
The following formats are not valid:
- 172.16.1.0
- 172.16.1.0/24
- @spam. example.com
See also
Order of execution of block lists and safe lists
Configuring the block lists and safe lists
Managing the global block and safe list
The System tab lets you configure system-wide block and safe lists to block or allow email by sender. It also lets you back up and restore the system-wide block and safe lists.
You can alternatively back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore. |
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.
Domain administrators can access the global block list and global safe list, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile. |
To view the global block list or safe list, go to Security > Block/Safe List > System. The page displays two links:
- Block List
- Safe List
To add an entry to the system-wide block list or safe list
- Go to Security > Block/Safe List > System.
- Do one of the following:
- To block email by sender, click Block List.
- To allow email by sender, click Safe List.
Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list. |
See also
Configuring the block lists and safe lists
Managing the per-domain block lists and safe lists
Managing the personal block lists and safe lists
Configuring the block list action
Order of execution of block lists and safe lists
About block list and safe list address formats
Managing the per-domain block lists and safe lists
The Domain tab lets you configure block and safe lists that are specific to a protected domain in order to block or allow email by sender. It also lets you back up and restore the per-domain block lists and safe lists.
You can alternatively back up all system-wide, per-domain, and per-user block lists and safe lists together. For details, see Backup and restore. |
Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of |
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.
To view and edit per-domain block or safe lists
- Go to Security > Block/Safe List > Domain.
- Click the Block List or Safe List icon.
- Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
GUI item |
Description |
Domain |
Displays the name of the protected domain to which the block list and safe list belong. For more information on protected domains, see Configuring protected domains. |
Block List |
Click the List icon to display, modify, back up, or restore the block list for the protected domain. |
Safe List |
Click the List icon to display, modify, back up, or restore the safe list for the protected domain. |
Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list. |
See also
Configuring the block lists and safe lists
Managing the global block and safe list
Managing the personal block lists and safe lists
Configuring the block list action
Order of execution of block lists and safe lists
About block list and safe list address formats
Managing the personal block lists and safe lists
Security > Block/Safe List > Personal lets you add or modify email users’ personal block or safe lists in order to block or allow email by sender. It also lets you back up and restore the per-user block lists and safe lists.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.
To view and add to personal block lists or safe lists
- Go to Security > Block/Safe List > Personal.
- Users in the selected domain will be displayed. In the Search box, type the user name of the email user whose per-user block list or safe list you want to modify, and click Enter to search the user.
- Select a use and click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
- Click Backup to back up the list or Restore to restore a backup list.
Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list. |
If you add the user’s email address to the same user’s personal safe list, the FortiMail unit will ignore this entry. This is a precautious measure taken to guard against spammers from sending spam in disguise of that user’s email address as the sender address. |
See also
Configuring the block lists and safe lists
Managing the global block and safe list
Managing the per-domain block lists and safe lists
Configuring the block list action
Order of execution of block lists and safe lists
About block list and safe list address formats
Configuring the block list action
The Blocklist Action tab lets you configure the action to take if an email message arrives from a blocklisted domain name, email address, or IP address.
The FortiMail unit will apply this action to email matching system-wide, per-domain, and per-session profile block lists.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.
Domain administrators can configure the block list action, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile. |
To configure block list actions
- Go to Security > Block/Safe List > Blocklist Action.
- Select one of the following:
- Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (
Relaying denied
). - Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
- Use AntiSpam profile setting: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. For more information on actions, see Configuring antispam action profiles.
See also
Configuring the block lists and safe lists
Managing the global block and safe list
Managing the per-domain block lists and safe lists