Configuring the block lists and safe lists

The Security > Block/Safe List submenu lets you reject, discard, or allow email messages based on email addresses, domain names, and IP addresses. It also lets you back up and restore the block lists and safe lists.

Multiple types of block lists and safe lists exist: system-wide, per-domain, per-user, and per-session profile. There are several places in the web UI where you can configure these block lists and safe lists.

For system-wide, per-domain, and per-user block lists and safe lists, go to Security > Block/Safe List. For details, see Managing the global block and safe list, Managing the per-domain block lists and safe lists, and Managing the personal block lists and safe lists.
For per-user block lists and safe lists, you can alternatively go to Domain & User > User > User Preference. For details, see Configuring user preferences.
For session profile block lists and safe lists, go to Profile > Session > Session and modify the session profile. For details, see Configuring session profiles.

In addition to FortiMail administrators being able to configure per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

For more information on order of execution, see Order of execution of block lists and safe lists.

All block and safe list entries are automatically sorted into alphabetical order, where wildcard characters (* and ?) and numbers sort before letters.

About block list and safe list address formats

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Managing the personal block lists and safe lists

Configuring the block list action

Order of execution of block lists and safe lists

As one of the first steps to detect spam, FortiMail units evaluate whether an email message matches a block list or safe list entry.

Generally, safe lists take precedence over block lists. If the same entry appears in both lists, the entry will be safelisted. Similarly, system-wide lists generally take precedence over per-domain lists, while per-domain lists take precedence over per-user lists.

Configuring the block lists and safe lists displays the sequence in which the FortiMail unit evaluates email for matches with block list and safe list entries. If the FortiMail unit finds a match, it does not look for any additional matches, and cancels any remaining antispam scans of the message (but not the antivirus and content scans).

Block and safe list order of operations

Order	List	Examines	Action taken if match is found
1	System safe list	Sender address, Client IP	Accept message
2	System block list	Sender address, Client IP	Invoke block list action
3	Domain safe list	Sender address, Client IP	Accept message
4	Domain block list	Sender address, Client IP	Invoke block list action
5	Session recipient safe list	Recipient address	Accept message for matching recipients
6	Session recipient block list	Recipient address	Invoke block list action
7	Session sender safe list	Sender address, Client IP	Accept message for all recipients
8	Session sender block list	Sender address, Client IP	Invoke block list action
9	User safe list	Sender address, Client IP	Accept message for this recipient
10	User block list	Sender address, Client IP	Discard message

When the sender email address or domain is examined for a match:

email addresses and domain names in the list are compared to the sender address in the message envelope (MAIL FROM:) and message header (From:)
IP addresses are compared to the IP address of the SMTP client delivering the email, also known as the last hop address

When the recipient is examined for a match, email addresses and domain names in the list are compared to the recipient address in both the envelop and header. An IP address in a recipient safe or block list is not a valid entry, because IP addresses are not used.

System-wide, per-domain, and per-user block lists and safe lists are executed before any policy match. In contrast, per-session profile block lists and safe lists require that the traffic first match a policy. When configuring a session profile (see Configuring session profiles), you can create block and safe lists that will be used with the session profile. Session profiles are selected in IP-based policies, and as a result, per-session profile block lists and safe lists are not applied until the traffic matches an IP-based policy.

For information on order of execution relative to other antispam methods, see Order of execution.

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Managing the personal block lists and safe lists

Configuring the block list action

Order of execution

About block list and safe list address formats

Acceptable input for block and safe list entries may vary by the type of the block or safe list, but may be:

all or part of an IP address
all or part of a domain name
all or part of an email address

Domain name portions (for example, example.com) and user name portions (for example, user1) may use wild cards (? and *).

Examples of valid block/safe list entries

Example	Description of match
172.168.1	Email from the IP addresses 172.168.1.0/24
example.com	Email from any sender at example.com, such as user1@example.com.
spammer@example.com	Email from the sender spammer@example.com
?ser1@example.com	Email from any sender name ending in “ser1” at example.com
*@example.com	Email from any sender at example.com
user1@ex?mple.com	Email from the sender user1 in domains such as example.com, exemple.com, or exumple.com
user1@*.com	Email from the sender user1 at any .com domain

The following formats are not valid:

172.16.1.0
172.16.1.0/24
@spam. example.com

Managing the global block and safe list

The System tab lets you configure system-wide block and safe lists to block or allow email by sender. It also lets you back up and restore the system-wide block and safe lists.

You can alternatively back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore.

Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans, including SPF validation.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Block/Safe List category. For details, see About administrator account permissions and domains.

Domain administrators can access the global block list and global safe list, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

To view the global block list or safe list, go to Security > Block/Safe List > System. The page displays two links:

Block List
Safe List

To add an entry to the system-wide block list or safe list

Go to Security > Block/Safe List > System.
Do one of the following:

To block email by sender, click Block List.
To allow email by sender, click Safe List.

The dialogs that appear are identical except for the single line of description.

Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.

Click Backup to back up the list or Restore to restore a backup list.

Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

Managing the per-domain block lists and safe lists

The Domain tab lets you configure block and safe lists that are specific to a protected domain in order to block or allow email by sender. It also lets you back up and restore the per-domain block lists and safe lists.

You can alternatively back up all system-wide, per-domain, and per-user block lists and safe lists together. For details, see Backup and restore.

To view and edit per-domain block or safe lists

Go to Security > Block/Safe List > Domain.

GUI item	Description
Domain	Displays the name of the protected domain to which the block list and safe list belong. For more information on protected domains, see Configuring protected domains.
Block List	Click the List icon to display, modify, back up, or restore the block list for the protected domain.
Safe List	Click the List icon to display, modify, back up, or restore the safe list for the protected domain.

Click the Block List or Safe List icon.
Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.

Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

Managing the personal block lists and safe lists

Security > Block/Safe List > Personal lets you add or modify email users’ personal block or safe lists in order to block or allow email by sender. It also lets you back up and restore the per-user block lists and safe lists.

In addition to FortiMail administrators configuring per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

To view and add to personal block lists or safe lists

Go to Security > Block/Safe List > Personal.
Users in the selected domain will be displayed. In the Search box, type the user name of the email user whose per-user block list or safe list you want to modify, and click Enter to search the user.
Select a use and click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
Click Backup to back up the list or Restore to restore a backup list.

Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

If you add the user’s email address to the same user’s personal safe list, the FortiMail unit will ignore this entry. This is a precautious measure taken to guard against spammers from sending spam in disguise of that user’s email address as the sender address.

Configuring the block list action

The Blocklist Action tab lets you configure the action to take if an email message arrives from a blocklisted domain name, email address, or IP address.

The FortiMail unit will apply this action to email matching system-wide, per-domain, and per-session profile block lists.

Domain administrators can configure the block list action, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

To configure block list actions

Go to Security > Block/Safe List > Blocklist Action.
Select one of the following:

Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
Use AntiSpam profile setting: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. For more information on actions, see Configuring antispam action profiles.

Click Apply.