Fortinet white logo
Fortinet white logo

Administration Guide

Configuring the block lists and safe lists

Configuring the block lists and safe lists

The Security > Block/Safe List submenu lets you reject, discard, or allow email messages based on email addresses, domain names, and IP addresses. It also lets you back up and restore the block lists and safe lists.

Multiple types of block lists and safe lists exist: system-wide, per-domain, per-user, and per-session profile. There are several places in the web UI where you can configure these block lists and safe lists.

Note

In addition to FortiMail administrators being able to configure per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

For more information on order of execution, see Order of execution of block lists and safe lists.

All block and safe list entries are automatically sorted into alphabetical order, where wildcard characters (* and ?) and numbers sort before letters.

See also

Order of execution of block lists and safe lists

About block list and safe list address formats

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Managing the personal blocklists and safelists

Configuring the blocklist action

Order of execution of block lists and safe lists

As one of the first steps to detect spam, FortiMail units evaluate whether an email message matches a block list or safe list entry.

Generally, safe lists take precedence over block lists. If the same entry appears in both lists, the entry will be safelisted. Similarly, system-wide lists generally take precedence over per-domain lists, while per-domain lists take precedence over per-user lists.

Configuring the block lists and safe lists displays the sequence in which the FortiMail unit evaluates email for matches with block list and safe list entries. If the FortiMail unit finds a match, it does not look for any additional matches, and cancels any remaining antispam scans of the message (but not the antivirus and content scans).

Block and safe list order of operations

Order

List

Examines

Action taken if match is found

1

System safe list

Sender address, Client IP

Accept message

2

System block list

Sender address, Client IP

Invoke block list action

3

Domain safe list

Sender address, Client IP

Accept message

4

Domain block list

Sender address, Client IP

Invoke block list action

5

Session recipient safe list

Recipient address

Accept message for matching recipients

6

Session recipient block list

Recipient address

Invoke block list action

7

Session sender safe list

Sender address, Client IP

Accept message for all recipients

8

Session sender block list

Sender address, Client IP

Invoke block list action

9

User safe list

Sender address, Client IP

Accept message for this recipient

10

User block list

Sender address, Client IP

Discard message

When the sender email address or domain is examined for a match:

  • email addresses and domain names in the list are compared to the sender address in the message envelope (MAIL FROM:) and message header (From:)
  • IP addresses are compared to the IP address of the SMTP client delivering the email, also known as the last hop address

When the recipient is examined for a match, email addresses and domain names in the list are compared to the recipient address in both the envelop and header. An IP address in a recipient safe or block list is not a valid entry, because IP addresses are not used.

System-wide, per-domain, and per-user block lists and safe lists are executed before any policy match. In contrast, per-session profile block lists and safe lists require that the traffic first match a policy. When configuring a session profile (see Configuring session profiles), you can create block and safe lists that will be used with the session profile. Session profiles are selected in IP-based policies, and as a result, per-session profile block lists and safe lists are not applied until the traffic matches an IP-based policy.

For information on order of execution relative to other antispam methods, see Order of execution.

See also

Configuring the block lists and safe lists

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Managing the personal blocklists and safelists

Configuring the blocklist action

Order of execution

About block list and safe list address formats

Acceptable input for block and safe list entries may vary by the type of the block or safe list, but may be:

  • all or part of an IP address
  • all or part of a domain name
  • all or part of an email address

Domain name portions (for example, example.com) and user name portions (for example, user1) may use wild cards (? and *).

Examples of valid block/safe list entries

Example

Description of match

172.168.1

Email from the IP addresses 172.168.1.0/24

example.com

Email from any sender at example.com, such as user1@example.com.

spammer@example.com

Email from the sender spammer@example.com

?ser1@example.com

Email from any sender name ending in “ser1” at example.com

*@example.com

Email from any sender at example.com

user1@ex?mple.com

Email from the sender user1 in domains such as example.com, exemple.com, or exumple.com

user1@*.com

Email from the sender user1 at any .com domain

The following formats are not valid:

  • 172.16.1.0
  • 172.16.1.0/24
  • @spam. example.com
See also

Order of execution of block lists and safe lists

Configuring the block lists and safe lists

Managing the global block and safe list

The System tab lets you configure system-wide block and safe lists to block or allow email by sender. It also lets you back up and restore the system-wide block and safe lists.

Note

You can alternatively back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore.

Note

Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans, including SPF validation.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

Note

Domain administrators can access the global block list and global safe list, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

To view the global block list or safe list, go to Security > Block/Safe List > System. The page displays two links:

  • Block List
  • Safe List
To add an entry to the system-wide block list or safe list
  1. Go to Security > Block/Safe List > System.
  2. Do one of the following:
  • To block email by sender, click Block List.
  • To allow email by sender, click Safe List.
  • The dialogs that appear are identical except for the single line of description.
  • Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
  • Click Backup to back up the list or Restore to restore a backup list.
  • Caution

    Back up the blocklist and safe list before restoring a list. Restoring the blocklist and safe list overwrites any existing block or safelist.

    See also

    Configuring the block lists and safe lists

    Managing the per-domain block lists and safe lists

    Managing the personal blocklists and safelists

    Configuring the blocklist action

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Managing the per-domain block lists and safe lists

    The Domain tab lets you configure block and safelists that are specific to a protected domain in order to block or allow email by sender. It also lets you back up and restore the per-domain blocklists and safelists.

    Note

    You can alternatively back up all system-wide, per-domain, and per-user blocklists and safe lists together. For details, see Backup and restore.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

    To view and edit per-domain block or safe lists
    1. Go to Security > Block/Safe List > Domain.
    2. GUI item

      Description

      Domain

      Displays the name of the protected domain to which the block list and safe list belong.

      For more information on protected domains, see Configuring protected domains.

      Block List

      Click the List icon to display, modify, back up, or restore the block list for the protected domain.

      Safe List

      Click the List icon to display, modify, back up, or restore the safe list for the protected domain.

    3. Click the Block List or Safe List icon.
    4. Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
    Caution

    Back up the blocklist and safe list before restoring a list. Restoring the blocklist and safelist overwrites any existing block or safelist.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the personal blocklists and safelists

    Configuring the blocklist action

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Managing the personal blocklists and safelists

    Security > Block/Safe List > Personal lets you add or modify email users’ personal block or safe lists in order to block or allow email by sender. It also lets you back up and restore the per-user block lists and safe lists.

    Note

    In addition to FortiMail administrators configuring per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

    To view and add to personal block lists or safe lists
    1. Go to Security > Block/Safe List > Personal.
    2. Users in the selected domain will be displayed. In the Search box, type the user name of the email user whose per-user block list or safe list you want to modify, and click Enter to search the user.
    3. Select a use and click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
    4. Click Backup to back up the list or Restore to restore a backup list.
    Caution

    Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

    Note

    If you add the user’s email address to the same user’s personal safe list, the FortiMail unit will ignore this entry. This is a precautious measure taken to guard against spammers from sending spam in disguise of that user’s email address as the sender address.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Configuring the blocklist action

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Configuring the blocklist action

    The Blocklist Action tab lets you configure the action to take if an email message arrives from a blocklisted domain name, email address, or IP address.

    The FortiMail unit will apply this action to email matching system-wide, per-domain, and per-session profile block lists.

    Note

    For the personal level block lists, the only option is to discard. For more information, see Managing the personal blocklists and safelists.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

    Note

    Domain administrators can configure the block list action, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

    To configure block list actions
    1. Go to Security > Block/Safe List > Blocklist Action.
    2. Select one of the following:
    • Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
    • Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
    • Use AntiSpam profile setting: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. For more information on actions, see Configuring antispam action profiles.
  • Click Apply.
  • See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Managing the personal blocklists and safelists

    Order of execution of block lists and safe lists

    Configuring the block lists and safe lists

    Configuring the block lists and safe lists

    The Security > Block/Safe List submenu lets you reject, discard, or allow email messages based on email addresses, domain names, and IP addresses. It also lets you back up and restore the block lists and safe lists.

    Multiple types of block lists and safe lists exist: system-wide, per-domain, per-user, and per-session profile. There are several places in the web UI where you can configure these block lists and safe lists.

    Note

    In addition to FortiMail administrators being able to configure per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

    For more information on order of execution, see Order of execution of block lists and safe lists.

    All block and safe list entries are automatically sorted into alphabetical order, where wildcard characters (* and ?) and numbers sort before letters.

    See also

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Managing the personal blocklists and safelists

    Configuring the blocklist action

    Order of execution of block lists and safe lists

    As one of the first steps to detect spam, FortiMail units evaluate whether an email message matches a block list or safe list entry.

    Generally, safe lists take precedence over block lists. If the same entry appears in both lists, the entry will be safelisted. Similarly, system-wide lists generally take precedence over per-domain lists, while per-domain lists take precedence over per-user lists.

    Configuring the block lists and safe lists displays the sequence in which the FortiMail unit evaluates email for matches with block list and safe list entries. If the FortiMail unit finds a match, it does not look for any additional matches, and cancels any remaining antispam scans of the message (but not the antivirus and content scans).

    Block and safe list order of operations

    Order

    List

    Examines

    Action taken if match is found

    1

    System safe list

    Sender address, Client IP

    Accept message

    2

    System block list

    Sender address, Client IP

    Invoke block list action

    3

    Domain safe list

    Sender address, Client IP

    Accept message

    4

    Domain block list

    Sender address, Client IP

    Invoke block list action

    5

    Session recipient safe list

    Recipient address

    Accept message for matching recipients

    6

    Session recipient block list

    Recipient address

    Invoke block list action

    7

    Session sender safe list

    Sender address, Client IP

    Accept message for all recipients

    8

    Session sender block list

    Sender address, Client IP

    Invoke block list action

    9

    User safe list

    Sender address, Client IP

    Accept message for this recipient

    10

    User block list

    Sender address, Client IP

    Discard message

    When the sender email address or domain is examined for a match:

    • email addresses and domain names in the list are compared to the sender address in the message envelope (MAIL FROM:) and message header (From:)
    • IP addresses are compared to the IP address of the SMTP client delivering the email, also known as the last hop address

    When the recipient is examined for a match, email addresses and domain names in the list are compared to the recipient address in both the envelop and header. An IP address in a recipient safe or block list is not a valid entry, because IP addresses are not used.

    System-wide, per-domain, and per-user block lists and safe lists are executed before any policy match. In contrast, per-session profile block lists and safe lists require that the traffic first match a policy. When configuring a session profile (see Configuring session profiles), you can create block and safe lists that will be used with the session profile. Session profiles are selected in IP-based policies, and as a result, per-session profile block lists and safe lists are not applied until the traffic matches an IP-based policy.

    For information on order of execution relative to other antispam methods, see Order of execution.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Managing the personal blocklists and safelists

    Configuring the blocklist action

    Order of execution

    About block list and safe list address formats

    Acceptable input for block and safe list entries may vary by the type of the block or safe list, but may be:

    • all or part of an IP address
    • all or part of a domain name
    • all or part of an email address

    Domain name portions (for example, example.com) and user name portions (for example, user1) may use wild cards (? and *).

    Examples of valid block/safe list entries

    Example

    Description of match

    172.168.1

    Email from the IP addresses 172.168.1.0/24

    example.com

    Email from any sender at example.com, such as user1@example.com.

    spammer@example.com

    Email from the sender spammer@example.com

    ?ser1@example.com

    Email from any sender name ending in “ser1” at example.com

    *@example.com

    Email from any sender at example.com

    user1@ex?mple.com

    Email from the sender user1 in domains such as example.com, exemple.com, or exumple.com

    user1@*.com

    Email from the sender user1 at any .com domain

    The following formats are not valid:

    • 172.16.1.0
    • 172.16.1.0/24
    • @spam. example.com
    See also

    Order of execution of block lists and safe lists

    Configuring the block lists and safe lists

    Managing the global block and safe list

    The System tab lets you configure system-wide block and safe lists to block or allow email by sender. It also lets you back up and restore the system-wide block and safe lists.

    Note

    You can alternatively back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans, including SPF validation.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

    Note

    Domain administrators can access the global block list and global safe list, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

    To view the global block list or safe list, go to Security > Block/Safe List > System. The page displays two links:

    • Block List
    • Safe List
    To add an entry to the system-wide block list or safe list
    1. Go to Security > Block/Safe List > System.
    2. Do one of the following:
    • To block email by sender, click Block List.
    • To allow email by sender, click Safe List.
  • The dialogs that appear are identical except for the single line of description.
  • Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
  • Click Backup to back up the list or Restore to restore a backup list.
  • Caution

    Back up the blocklist and safe list before restoring a list. Restoring the blocklist and safe list overwrites any existing block or safelist.

    See also

    Configuring the block lists and safe lists

    Managing the per-domain block lists and safe lists

    Managing the personal blocklists and safelists

    Configuring the blocklist action

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Managing the per-domain block lists and safe lists

    The Domain tab lets you configure block and safelists that are specific to a protected domain in order to block or allow email by sender. It also lets you back up and restore the per-domain blocklists and safelists.

    Note

    You can alternatively back up all system-wide, per-domain, and per-user blocklists and safe lists together. For details, see Backup and restore.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

    To view and edit per-domain block or safe lists
    1. Go to Security > Block/Safe List > Domain.
    2. GUI item

      Description

      Domain

      Displays the name of the protected domain to which the block list and safe list belong.

      For more information on protected domains, see Configuring protected domains.

      Block List

      Click the List icon to display, modify, back up, or restore the block list for the protected domain.

      Safe List

      Click the List icon to display, modify, back up, or restore the safe list for the protected domain.

    3. Click the Block List or Safe List icon.
    4. Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
    Caution

    Back up the blocklist and safe list before restoring a list. Restoring the blocklist and safelist overwrites any existing block or safelist.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the personal blocklists and safelists

    Configuring the blocklist action

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Managing the personal blocklists and safelists

    Security > Block/Safe List > Personal lets you add or modify email users’ personal block or safe lists in order to block or allow email by sender. It also lets you back up and restore the per-user block lists and safe lists.

    Note

    In addition to FortiMail administrators configuring per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

    To view and add to personal block lists or safe lists
    1. Go to Security > Block/Safe List > Personal.
    2. Users in the selected domain will be displayed. In the Search box, type the user name of the email user whose per-user block list or safe list you want to modify, and click Enter to search the user.
    3. Select a use and click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
    4. Click Backup to back up the list or Restore to restore a backup list.
    Caution

    Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

    Note

    If you add the user’s email address to the same user’s personal safe list, the FortiMail unit will ignore this entry. This is a precautious measure taken to guard against spammers from sending spam in disguise of that user’s email address as the sender address.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Configuring the blocklist action

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Configuring the blocklist action

    The Blocklist Action tab lets you configure the action to take if an email message arrives from a blocklisted domain name, email address, or IP address.

    The FortiMail unit will apply this action to email matching system-wide, per-domain, and per-session profile block lists.

    Note

    For the personal level block lists, the only option is to discard. For more information, see Managing the personal blocklists and safelists.

    To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

    Note

    Domain administrators can configure the block list action, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

    To configure block list actions
    1. Go to Security > Block/Safe List > Blocklist Action.
    2. Select one of the following:
    • Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
    • Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
    • Use AntiSpam profile setting: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. For more information on actions, see Configuring antispam action profiles.
  • Click Apply.
  • See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Managing the personal blocklists and safelists

    Order of execution of block lists and safe lists