Fortinet white logo
Fortinet white logo

Administration Guide

Configuring the block lists and safe lists

Configuring the block lists and safe lists

The Security > Block/Safe List submenu lets you reject, discard, or allow email messages based on email addresses, domain names, and IP addresses. It also lets you back up and restore the block lists and safe lists.

Multiple types of block lists and safe lists exist: system-wide, per-domain, per-user, and per-session profile. There are several places in the web UI where you can configure these block lists and safe lists.

Note

In addition to FortiMail administrators being able to configure per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

For more information on order of execution, see Order of execution of block lists and safe lists.

All block and safe list entries are automatically sorted into alphabetical order, where wildcard characters (* and ?) and numbers sort before letters.

See also

Order of execution of block lists and safe lists

About block list and safe list address formats

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Managing the personal block lists and safe lists

Configuring block list settings

Order of execution of block lists and safe lists

As one of the first steps to detect spam, FortiMail units evaluate whether an email message matches a block list or safe list entry.

Generally, safe lists take precedence over block lists. If the same entry appears in both lists, the entry will be safelisted. Similarly, system-wide lists generally take precedence over per-domain lists, while per-domain lists take precedence over per-user lists.

Configuring the block lists and safe lists displays the sequence in which the FortiMail unit evaluates email for matches with block list and safe list entries. If the FortiMail unit finds a match, it does not look for any additional matches, and cancels any remaining antispam scans of the message (but not the antivirus and content scans).

Block and safe list order of operations

Order

List

Examines

Action taken if match is found

1

System safe list

Sender address, Client IP

Accept message

2

System block list

Sender address, Client IP

Invoke block list action

3

Domain safe list

Sender address, Client IP

Accept message

4

Domain block list

Sender address, Client IP

Invoke block list action

5

Session recipient safe list

Recipient address

Accept message for matching recipients

6

Session recipient block list

Recipient address

Invoke block list action

7

Session sender safe list

Sender address, Client IP

Accept message for all recipients

8

Session sender block list

Sender address, Client IP

Invoke block list action

9

User safe list

Sender address, Client IP

Accept message for this recipient

10

User block list

Sender address, Client IP

Discard message

When the sender email address or domain is examined for a match:

  • email addresses and domain names in the list are compared to the sender address in the email envelope (MAIL FROM:), email header (From:) and (Reply-to:)
  • IP addresses are compared to the IP address of the SMTP client delivering the email, also known as the last hop address

When the recipient is examined for a match, email addresses and domain names in the list are compared to the recipient address in both the envelop and header. An IP address in a recipient safe or block list is not a valid entry, because IP addresses are not used.

System-wide, per-domain, and per-user block lists and safe lists are executed before any policy match. In contrast, per-session profile block lists and safe lists require that the traffic first match a policy. When configuring a session profile (see Configuring session profiles), you can create block and safe lists that will be used with the session profile. Session profiles are selected in IP-based policies, and as a result, per-session profile block lists and safe lists are not applied until the traffic matches an IP-based policy.

For information on order of execution relative to other antispam methods, see Order of execution.

See also

Configuring the block lists and safe lists

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Managing the personal block lists and safe lists

Configuring block list settings

Order of execution

About block list and safe list address formats

Since the release of 7.0.0, FortiMail supports three block and safe list entry types:

  1. Email: Matches email address, supporting wildcard entries. Matches both header from and envelope from.

    Email entries must be entered in the following format:

    "user@example.com"

    Note

    Email entries prior to upgrading to 7.0.0 or higher utilize the following format

    "example.com"

    Such entries are automatically updated once FortiMail is upgraded to 7.0.0 or higher, in this example, "*@example.com".

  2. IP/Netmask: Matches IP/Netmasks, entered in the following format:

    "172.20.0.1/32"

    Note

    Prior to 7.0.0, only IP address was supported. Any such entries are automatically updated to those with a netmask, for example "172.20.0.1/32" once FortiMail is upgraded to 7.0.0 or higher.

    Supports CIDR notation.

  3. Reverse DNS: Enter the hostname/FQDN which will match reverse DNS lookup (PTR) results for connecting client MTA IPs.

Acceptable input for block and safe list entries may vary by the type of the block or safe list, but may be:

  • an IP address or subnet (CIDR notation is supported)
  • all or part of an email address using wildcards

Domain name portions (for example, example.com) and user name portions (for example, user1) may use wild cards (? and *).

Examples of valid block/safe list entries

Type

Example

Description

Email spammer@example.com Email from the sender spammer@example.com.
?ser1@example.com Email from any sender with any character preceding and including “ser1” at example.com.
*@example.com Email from any sender at example.com.
*@*.example.com Email from any sender at any subdomain of example.com.
hostname.example.com Email from client MTA IP which has PTR record resolving to hostname.example.com.
user1@ex?mple.com Email from the sender user1 in domains such as example.com, exemple.com, or exumple.com.
user1@*.com Email from the sender user1 at any .com domain.

IP/Netmask

172.16.1.0/24

Email from the IP subnet 172.16.1.0/24.

172.16.1.1/32

Email from client IP matching 172.16.1.1.

Reverse DNS hostname.example.com Hostname/FQDN matching reverse DNS lookup results for connecting client MTA IPs.

The following formats are not valid:

  • 172.168.1
  • example.com
  • @spam. example.com
See also

Order of execution of block lists and safe lists

Configuring the block lists and safe lists

Managing the global block and safe list

The System tab lets you configure system-wide block and safe lists to block or allow email by sender. It also lets you back up and restore the system-wide block and safe lists.

System-wide block lists and safe lists can also be tracked in terms of when they were created, when they last had a match or hit, and hit count. See To configure block list settings for more information.

Note

You can alternatively back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore.

Note

Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans, including SPF validation.

Note

Domain administrators can access the global block list and global safe list, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

To view the global block list or safe list, go to Security > Block/Safe List > System. The page displays two links:

  • Block List
  • Safe List
To add an entry to the system-wide block list or safe list
  1. Go to Security > Block/Safe List > System.
  2. Do one of the following:
  • To block email by sender, select Block from the List dropdown.
  • To allow email by sender, select Safe from the List dropdown.
  • Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
  • Click Create.
  • From the safe/block lists, you can also select Backup to back up the list or Restore to restore a backup list.
  • Caution

    Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

    See also

    Configuring the block lists and safe lists

    Managing the per-domain block lists and safe lists

    Managing the personal block lists and safe lists

    Configuring block list settings

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Managing the per-domain block lists and safe lists

    The Domain tab lets you configure block and safe lists that are specific to a protected domain in order to block or allow email by sender. It also lets you back up and restore the per-domain block lists and safe lists.

    Note

    You can alternatively back up all system-wide, per-domain, and per-user block lists and safe lists together. For details, see Backup and restore.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans.

    To view and edit per-domain block or safe lists
    1. Go to Security > Block/Safe List > Domain.
    2. GUI item

      Description

      Domain

      Displays the name of the protected domain to which the block list and safe list belong.

      For more information on protected domains, see Configuring protected domains.

      Block List

      Click the List icon to display, modify, back up, or restore the block list for the protected domain.

      Safe List

      Click the List icon to display, modify, back up, or restore the safe list for the protected domain.

    3. Click the Block List or Safe List icon.
    4. Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
    Caution

    Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the personal block lists and safe lists

    Configuring block list settings

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Managing the personal block lists and safe lists

    Security > Block/Safe List > Personal lets you add or modify email users’ personal block or safe lists in order to block or allow email by sender. It also lets you back up and restore the per-user block lists and safe lists.

    Note

    In addition to FortiMail administrators configuring per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans.

    To view and add to personal block lists or safe lists
    1. Go to Security > Block/Safe List > Personal.
    2. Users in the selected domain will be displayed. In the Search box, type the user name of the email user whose per-user block list or safe list you want to modify, and click Enter to search the user.
    3. Select a use and click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
    4. Click Backup to back up the list or Restore to restore a backup list.
    Caution

    Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

    Note

    If you add the user’s email address to the same user’s personal safe list, the FortiMail unit will ignore this entry. This is a precautious measure taken to guard against spammers from sending spam in disguise of that user’s email address as the sender address.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Configuring block list settings

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Configuring block list settings

    The Setting tab lets you configure the action to take if an email message arrives from a blocklisted domain name, email address, or IP address. You may also enable or disable block-safe list tracking.

    The FortiMail unit will apply this action to email matching system-wide, per-domain, and per-session profile block lists.

    Note

    Domain administrators can configure the block list action, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

    To configure block list settings
    1. Go to Security > Block/Safe List > Setting.
    2. Select one of the following actions:
    • Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
    • Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
    • Use AntiSpam profile setting: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. For more information on actions, see Configuring antispam action profiles.
  • Select Enable Block/Safe list tracking to track various blocklist and safelist statistics, including creation time, last hit time, and hit count. These statistics are tracked under Security > Block/Safe List > System and Security > Block/Safe List > Domain.
  • Click Apply.
  • See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Managing the personal block lists and safe lists

    Order of execution of block lists and safe lists

    Configuring the block lists and safe lists

    Configuring the block lists and safe lists

    The Security > Block/Safe List submenu lets you reject, discard, or allow email messages based on email addresses, domain names, and IP addresses. It also lets you back up and restore the block lists and safe lists.

    Multiple types of block lists and safe lists exist: system-wide, per-domain, per-user, and per-session profile. There are several places in the web UI where you can configure these block lists and safe lists.

    Note

    In addition to FortiMail administrators being able to configure per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

    For more information on order of execution, see Order of execution of block lists and safe lists.

    All block and safe list entries are automatically sorted into alphabetical order, where wildcard characters (* and ?) and numbers sort before letters.

    See also

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Managing the personal block lists and safe lists

    Configuring block list settings

    Order of execution of block lists and safe lists

    As one of the first steps to detect spam, FortiMail units evaluate whether an email message matches a block list or safe list entry.

    Generally, safe lists take precedence over block lists. If the same entry appears in both lists, the entry will be safelisted. Similarly, system-wide lists generally take precedence over per-domain lists, while per-domain lists take precedence over per-user lists.

    Configuring the block lists and safe lists displays the sequence in which the FortiMail unit evaluates email for matches with block list and safe list entries. If the FortiMail unit finds a match, it does not look for any additional matches, and cancels any remaining antispam scans of the message (but not the antivirus and content scans).

    Block and safe list order of operations

    Order

    List

    Examines

    Action taken if match is found

    1

    System safe list

    Sender address, Client IP

    Accept message

    2

    System block list

    Sender address, Client IP

    Invoke block list action

    3

    Domain safe list

    Sender address, Client IP

    Accept message

    4

    Domain block list

    Sender address, Client IP

    Invoke block list action

    5

    Session recipient safe list

    Recipient address

    Accept message for matching recipients

    6

    Session recipient block list

    Recipient address

    Invoke block list action

    7

    Session sender safe list

    Sender address, Client IP

    Accept message for all recipients

    8

    Session sender block list

    Sender address, Client IP

    Invoke block list action

    9

    User safe list

    Sender address, Client IP

    Accept message for this recipient

    10

    User block list

    Sender address, Client IP

    Discard message

    When the sender email address or domain is examined for a match:

    • email addresses and domain names in the list are compared to the sender address in the email envelope (MAIL FROM:), email header (From:) and (Reply-to:)
    • IP addresses are compared to the IP address of the SMTP client delivering the email, also known as the last hop address

    When the recipient is examined for a match, email addresses and domain names in the list are compared to the recipient address in both the envelop and header. An IP address in a recipient safe or block list is not a valid entry, because IP addresses are not used.

    System-wide, per-domain, and per-user block lists and safe lists are executed before any policy match. In contrast, per-session profile block lists and safe lists require that the traffic first match a policy. When configuring a session profile (see Configuring session profiles), you can create block and safe lists that will be used with the session profile. Session profiles are selected in IP-based policies, and as a result, per-session profile block lists and safe lists are not applied until the traffic matches an IP-based policy.

    For information on order of execution relative to other antispam methods, see Order of execution.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Managing the personal block lists and safe lists

    Configuring block list settings

    Order of execution

    About block list and safe list address formats

    Since the release of 7.0.0, FortiMail supports three block and safe list entry types:

    1. Email: Matches email address, supporting wildcard entries. Matches both header from and envelope from.

      Email entries must be entered in the following format:

      "user@example.com"

      Note

      Email entries prior to upgrading to 7.0.0 or higher utilize the following format

      "example.com"

      Such entries are automatically updated once FortiMail is upgraded to 7.0.0 or higher, in this example, "*@example.com".

    2. IP/Netmask: Matches IP/Netmasks, entered in the following format:

      "172.20.0.1/32"

      Note

      Prior to 7.0.0, only IP address was supported. Any such entries are automatically updated to those with a netmask, for example "172.20.0.1/32" once FortiMail is upgraded to 7.0.0 or higher.

      Supports CIDR notation.

    3. Reverse DNS: Enter the hostname/FQDN which will match reverse DNS lookup (PTR) results for connecting client MTA IPs.

    Acceptable input for block and safe list entries may vary by the type of the block or safe list, but may be:

    • an IP address or subnet (CIDR notation is supported)
    • all or part of an email address using wildcards

    Domain name portions (for example, example.com) and user name portions (for example, user1) may use wild cards (? and *).

    Examples of valid block/safe list entries

    Type

    Example

    Description

    Email spammer@example.com Email from the sender spammer@example.com.
    ?ser1@example.com Email from any sender with any character preceding and including “ser1” at example.com.
    *@example.com Email from any sender at example.com.
    *@*.example.com Email from any sender at any subdomain of example.com.
    hostname.example.com Email from client MTA IP which has PTR record resolving to hostname.example.com.
    user1@ex?mple.com Email from the sender user1 in domains such as example.com, exemple.com, or exumple.com.
    user1@*.com Email from the sender user1 at any .com domain.

    IP/Netmask

    172.16.1.0/24

    Email from the IP subnet 172.16.1.0/24.

    172.16.1.1/32

    Email from client IP matching 172.16.1.1.

    Reverse DNS hostname.example.com Hostname/FQDN matching reverse DNS lookup results for connecting client MTA IPs.

    The following formats are not valid:

    • 172.168.1
    • example.com
    • @spam. example.com
    See also

    Order of execution of block lists and safe lists

    Configuring the block lists and safe lists

    Managing the global block and safe list

    The System tab lets you configure system-wide block and safe lists to block or allow email by sender. It also lets you back up and restore the system-wide block and safe lists.

    System-wide block lists and safe lists can also be tracked in terms of when they were created, when they last had a match or hit, and hit count. See To configure block list settings for more information.

    Note

    You can alternatively back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans, including SPF validation.

    Note

    Domain administrators can access the global block list and global safe list, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

    To view the global block list or safe list, go to Security > Block/Safe List > System. The page displays two links:

    • Block List
    • Safe List
    To add an entry to the system-wide block list or safe list
    1. Go to Security > Block/Safe List > System.
    2. Do one of the following:
    • To block email by sender, select Block from the List dropdown.
    • To allow email by sender, select Safe from the List dropdown.
  • Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
  • Click Create.
  • From the safe/block lists, you can also select Backup to back up the list or Restore to restore a backup list.
  • Caution

    Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

    See also

    Configuring the block lists and safe lists

    Managing the per-domain block lists and safe lists

    Managing the personal block lists and safe lists

    Configuring block list settings

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Managing the per-domain block lists and safe lists

    The Domain tab lets you configure block and safe lists that are specific to a protected domain in order to block or allow email by sender. It also lets you back up and restore the per-domain block lists and safe lists.

    Note

    You can alternatively back up all system-wide, per-domain, and per-user block lists and safe lists together. For details, see Backup and restore.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans.

    To view and edit per-domain block or safe lists
    1. Go to Security > Block/Safe List > Domain.
    2. GUI item

      Description

      Domain

      Displays the name of the protected domain to which the block list and safe list belong.

      For more information on protected domains, see Configuring protected domains.

      Block List

      Click the List icon to display, modify, back up, or restore the block list for the protected domain.

      Safe List

      Click the List icon to display, modify, back up, or restore the safe list for the protected domain.

    3. Click the Block List or Safe List icon.
    4. Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
    Caution

    Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the personal block lists and safe lists

    Configuring block list settings

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Managing the personal block lists and safe lists

    Security > Block/Safe List > Personal lets you add or modify email users’ personal block or safe lists in order to block or allow email by sender. It also lets you back up and restore the per-user block lists and safe lists.

    Note

    In addition to FortiMail administrators configuring per-user block lists and safe lists, email users can configure their own per-user block list and safe list by going to the Preferences tab in FortiMail webmail. For more information, see the online help for FortiMail webmail.

    Note

    Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance, but can also cause false positives and false negatives if not used carefully. For example, a safe list entry of *.edu would allow all email from the .edu top level domain to bypass the FortiMail unit's other antispam scans.

    To view and add to personal block lists or safe lists
    1. Go to Security > Block/Safe List > Personal.
    2. Users in the selected domain will be displayed. In the Search box, type the user name of the email user whose per-user block list or safe list you want to modify, and click Enter to search the user.
    3. Select a use and click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.
    4. Click Backup to back up the list or Restore to restore a backup list.
    Caution

    Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

    Note

    If you add the user’s email address to the same user’s personal safe list, the FortiMail unit will ignore this entry. This is a precautious measure taken to guard against spammers from sending spam in disguise of that user’s email address as the sender address.

    See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Configuring block list settings

    Order of execution of block lists and safe lists

    About block list and safe list address formats

    Backup and restore

    Configuring block list settings

    The Setting tab lets you configure the action to take if an email message arrives from a blocklisted domain name, email address, or IP address. You may also enable or disable block-safe list tracking.

    The FortiMail unit will apply this action to email matching system-wide, per-domain, and per-session profile block lists.

    Note

    Domain administrators can configure the block list action, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

    To configure block list settings
    1. Go to Security > Block/Safe List > Setting.
    2. Select one of the following actions:
    • Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
    • Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
    • Use AntiSpam profile setting: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. For more information on actions, see Configuring antispam action profiles.
  • Select Enable Block/Safe list tracking to track various blocklist and safelist statistics, including creation time, last hit time, and hit count. These statistics are tracked under Security > Block/Safe List > System and Security > Block/Safe List > Domain.
  • Click Apply.
  • See also

    Configuring the block lists and safe lists

    Managing the global block and safe list

    Managing the per-domain block lists and safe lists

    Managing the personal block lists and safe lists

    Order of execution of block lists and safe lists