
Administration Guide

Configuring the block lists and safe lists

You can use safe lists and block lists as a simple way to reject, discard, or allow email messages based on email addresses, domain names, and SMTP client IP addresses.

Note

Use safe lists and block lists with caution. They can increase incorrect results: false positives (legitimate email blocked) from block lists and false negatives (spam allowed through) from safe lists.

For example, a system-level safe list entry such as *@*.edu allows email from every address under the .edu top-level domain. Because sender addresses in the SMTP envelope (MAIL FROM:) and in the message header (From:) can be forged, the result is that spam claiming any .edu sender address, real or fake, bypasses the later antispam scans.

Better approaches include the following:

  • Do not safelist protected domain names. Sender email addresses can be forged, so a message claiming a sender in a protected domain may not really come from that domain, and a safe list entry for it would let spammers bypass antispam scans.

Note

Order of execution is configurable for safe lists and block lists. See the FortiMail CLI Reference. Default order is shown in Order of execution.

By default, a safe list match causes sender authentication (SPF, DKIM, DMARC) to be skipped, even though the sender address could be forged. This behavior is configurable. See the FortiMail CLI Reference.

Block lists and safe lists exist at several scopes (system-wide, per-domain, per-user, and in session profiles), and each scope is configured in a different location.

See also

Order of execution

About block list and safe list address formats

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Managing the personal block lists and safe lists

Configuring block list settings

About block list and safe list address formats

Block lists and safe lists support these formats:

  1. Email: Matches email addresses. Wild cards (* to match multiple characters, or ? to match any one character) are supported.

    If you upgrade from a version before FortiMail 7.0.0, domain names are converted to an entry with a wild card username (for example, example.com to *@example.com).

  2. IP/Netmask: Matches IP addresses or subnets. CIDR format is supported.

    If you upgrade from a version before FortiMail 7.0.0, IP addresses with no netmask are converted to a single host (for example, 10.0.0.5 to 10.0.0.5/32).

  3. Reverse DNS: Matches a hostname/FQDN from reverse DNS lookup (PTR record) results.

Valid formats may vary by the type of the block or safe list.

Note

Avoid wild cards and large subnets if possible. They can accidentally match too much, increasing incorrect results.

Examples of valid block/safe list entries

Type: Email

  spammer@example.com    Email from the sender spammer@example.com.
  ?ser1@example.com      Email from any sender whose local part is any single character followed by ser1 (for example, user1 or aser1) at example.com.
  *@example.com          Email from any sender at example.com.
  *@*.example.com        Email from any sender at any subdomain of example.com.
  user1@ex?mple.com      Email from the sender user1 in domains such as example.com, exemple.com, or exumple.com.
  user1@*.com            Email from the sender user1 at any .com domain.

Type: IP/Netmask

  172.16.1.0/24          Email from the IP subnet 172.16.1.0/24.
  172.16.1.1/32          Email from the client IP 172.16.1.1.

Type: Reverse DNS

  hostname.example.com   Email from a client MTA whose IP address has a PTR record resolving to hostname.example.com.

The following formats are not valid:

  • 172.168.1 (incomplete IP address)
  • example.com (bare domain name; to match all senders at a domain, use *@example.com)
  • @spam.example.com (no local part; use *@spam.example.com)
See also

Order of execution

Configuring the block lists and safe lists

Managing the global block and safe list

You can configure system-wide block and safe lists to block or allow email by sender. You can also back up and restore the system-wide block and safe lists.

The FortiMail unit can also track, for each system-wide entry, when it was created, when it last matched (its last hit), and its hit count. See To configure block list settings.

Note

Alternatively, you can back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore.

Note

Domain administrators can access the global block list and global safe list, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

To configure the system-wide block list or safe list

  1. Go to Security > Block/Safe List > System.

  2. Either:

    • To block email by sender, select Block from the List dropdown.
    • To allow email by sender, select Safe from the List dropdown.
  3. Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.

  4. Click Create.

  5. From the safe/block lists, you can also select either Backup to back up the list or Restore to restore a backup list.

Caution
  • Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.
  • Only CSV files with "pattern" and "comment" in the first line can be restored.
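The following script is an added example, not FortiMail code, of checking an exported list before you click Restore. It parses a CSV whose first line names "pattern" and "comment", classifies every entry against the three formats described in About block list and safe list address formats, reports the invalid forms listed there, and flags the over-broad wild cards, large subnets, and protected-domain safe list entries that the notes above warn against. The sample export, the /24 threshold for a "large" IPv4 subnet, the rule that a bare hostname needs at least three labels to count as a reverse DNS entry, and the protected domain list are all assumptions of the example.

```python
"""Pre-restore linter for a block/safe list CSV export (added example, not FortiMail code)."""
import csv
import fnmatch
import io
import ipaddress
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")               # exactly one "@", no whitespace
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label
LARGE_SUBNET_PREFIX = 24   # assumption: IPv4 prefixes shorter than /24 are "large"
WILD = set("*?")

# Constructed sample export; the guide only requires "pattern" and "comment" on line 1.
SAMPLE_CSV = """"pattern","comment"
"spammer@example.net","known spam source"
"*@*.edu","every .edu sender: too broad"
"172.16.1.0/24","partner MTA range"
"10.0.0.5","pre-7.0.0 entry without netmask"
"10.0.0.0/8","whole private range"
"172.168.1","incomplete address"
"example.com","bare domain"
"@spam. example.com","no local part, stray space"
"*@example.com","our own protected domain"
"mx1.partner.example","PTR name of a partner relay"
"""

def check_header(fieldnames):
    """Restore only accepts files whose first line names "pattern" and "comment"."""
    names = {f.strip().lower() for f in (fieldnames or [])}
    return {"pattern", "comment"} <= names

def classify(pattern):
    """Map an entry to ("email"|"ip"|"rdns", normalized form) or (None, entry)."""
    p = pattern.strip()
    if not p or re.search(r"\s", p):
        return None, p                            # e.g. "@spam. example.com"
    if "@" in p:
        return ("email", p.lower()) if EMAIL_RE.match(p) else (None, p)
    if re.fullmatch(r"[0-9./]+", p) or ":" in p:  # dotted digits must parse as IP/CIDR
        try:
            return "ip", str(ipaddress.ip_network(p, strict=False))  # 10.0.0.5 -> /32
        except ValueError:
            return None, p                        # e.g. "172.168.1"
    labels = p.split(".")
    if len(labels) >= 3 and all(LABEL_RE.match(lab) for lab in labels):
        return "rdns", p.lower()                  # host.example.com from a PTR lookup
    return None, p                                # bare "example.com": use *@example.com

def breadth_warning(kind, value):
    """Return a warning for the over-broad entries the guide cautions against."""
    if kind == "ip":
        net = ipaddress.ip_network(value)
        if net.version == 4 and net.prefixlen < LARGE_SUBNET_PREFIX:
            return "large subnet (%d addresses)" % net.num_addresses
        return None
    if kind == "email":
        local, domain = value.split("@", 1)
        local_any = set(local) <= WILD                       # local part is all wild cards
        fixed = [lab for lab in domain.split(".") if not set(lab) & WILD]
        if local_any and not fixed:
            return "matches every sender"
        if local_any and len(fixed) == 1:
            return "matches an entire top-level domain"
        if set(domain) & WILD:
            return "wild card in domain part"
    return None

def protected_domain_hit(kind, value, protected):
    """True if an email pattern covers a protected domain or any host under it."""
    if kind != "email":
        return False
    domain = value.split("@", 1)[1]
    # "host." is a probe label used only to test whether subdomains are covered.
    return any(fnmatch.fnmatchcase(pd, domain) or fnmatch.fnmatchcase("host." + pd, domain)
               for pd in protected)

def lint_list(csv_text, list_kind="safe", protected_domains=()):
    """Validate an export before Restore. Returns (header_ok, [(pattern, status, msg)])."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not check_header(reader.fieldnames):
        return False, []
    pat_key = next(f for f in reader.fieldnames if f.strip().lower() == "pattern")
    protected = [d.lower() for d in protected_domains]
    findings = []
    for row in reader:
        pattern = row[pat_key] or ""
        kind, value = classify(pattern)
        if kind is None:
            findings.append((pattern, "error", "not a valid email, IP/netmask or reverse DNS entry"))
            continue
        msg = breadth_warning(kind, value)
        if list_kind == "safe" and protected_domain_hit(kind, value, protected):
            msg = "safe list entry covers a protected domain; sender addresses can be forged"
        findings.append((pattern, "warn" if msg else "ok", msg or "%s entry %s" % (kind, value)))
    return True, findings

if __name__ == "__main__":
    for pattern, status, msg in lint_list(SAMPLE_CSV, "safe", ("example.com",))[1]:
        print("%-5s %-22s %s" % (status, pattern, msg))
```

Run against the sample as a safe list for the protected domain example.com, the script reports the three invalid entries as errors, flags *@*.edu, 10.0.0.0/8 and *@example.com as warnings, and accepts the rest; the same file checked as a block list no longer warns about *@example.com, because the protected-domain concern only applies to safe listing.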

See also

Configuring the block lists and safe lists

Managing the per-domain block lists and safe lists

Managing the personal block lists and safe lists

Configuring block list settings

Order of execution

About block list and safe list address formats

Backup and restore

Managing the per-domain block lists and safe lists

You can configure block lists and safe lists that are specific to a protected domain in order to block or allow email by sender. You can also back up and restore the per-domain block lists and safe lists.

Note

Alternatively, you can back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore.

To configure the per-domain block lists or safe lists

  1. Go to Security > Block/Safe List > Domain.

    GUI item

    Description

    Show domain association

    Enable to filter by domain association in the domain block/safe list.

    Domain

    Displays the name of the protected domain to which the block list and safe list belong.

    For more information on protected domains, see Configuring protected domains.

    Block List

    Click the List icon to display, modify, back up, or restore the block list for the protected domain.

    Safe List

    Click the List icon to display, modify, back up, or restore the safe list for the protected domain.

  2. Click the Block List or Safe List icon.

  3. Click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.

Caution

Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

See also

Configuring the block lists and safe lists

Managing the global block and safe list

Managing the personal block lists and safe lists

Configuring block list settings

Order of execution

About block list and safe list address formats

Backup and restore

Managing the personal block lists and safe lists

You can modify email users’ personal block or safe lists in order to block or allow email by sender.

Note

Alternatively, email users can also configure their own per-user block list and safe list: in FortiMail webmail, go to the Preferences tab. For more information, see the online help for FortiMail webmail.

You can also back up and restore the per-user block lists and safe lists.

Note

Alternatively, you can back up all system-wide, per-domain, and per-user block and safe lists together. For details, see Backup and restore.

To configure the per-user block lists or safe lists

  1. Go to Security > Block/Safe List > Personal.

  2. Users in the selected domain are displayed. In the Search field, type the user name of the email user whose per-user block list or safe list you want to modify, and press Enter.

  3. Select a user and click New to add an email address, domain name, or IP address of the sender you wish to add to the block or safe list. For information on valid formats, see About block list and safe list address formats.

    Note

    If you add the user’s email address to the same user’s personal safe list, the FortiMail unit will ignore this entry. This prevents spammers from using that email address as a disguise to send spam.

  4. Click Backup to back up the list or Restore to restore a backup list.

Caution

Back up the block list and safe list before restoring a list. Restoring the block list and safe list overwrites any existing block or safe list.

See also

Configuring the block lists and safe lists

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Configuring block list settings

Order of execution

About block list and safe list address formats

Backup and restore

Configuring block list settings

The Setting tab lets you configure the action to take if an email message arrives from a blocklisted domain name, email address, or IP address. You may also enable or disable block/safe list tracking.

The FortiMail unit will apply this action to email matching system-wide, per-domain, and per-session profile block lists.

Note

Domain administrators can configure the block list action, and therefore could affect domains other than their own. If you do not want to permit this, do not provide Read-Write permission to the Block/Safe List category in domain administrators’ access profile.

To configure block list settings

  1. Go to Security > Block/Safe List > Setting.

  2. Select the action, either:

    • Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
    • Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
    • Use AntiSpam profile settings: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. See also Configuring antispam profiles and antispam action profiles.

  3. Enable Block/Safe list tracking to track block list and safe list statistics, including creation time, last hit time, and hit count. These statistics are shown under Security > Block/Safe List > System and Security > Block/Safe List > Domain.

  4. Enable Status under Auto Aging Of List Entries to automatically purge system and domain block list and safe list entries that have been listed for longer than the defined Retention period (up to a maximum of 365 days).

    Note

    Once Auto Aging Of List Entries is enabled and a Retention period is applied, you can also remove any expired entries on demand by using the Cleanup option in the system and domain block/safe lists.

  5. Click Apply.
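The toy SMTP receiver below is an added example, not FortiMail code, that shows what the sending MTA observes under the Reject and Discard actions and how the tracking statistics (creation time, last hit time, hit count) change on a match. It models exact matching only, does not model the Use AntiSpam profile settings action, and assumes that the list is evaluated once MAIL FROM is known, so a blocked client IP and a blocked sender are both answered at that point; the host names, addresses, and message are constructed.

```python
"""Toy SMTP receiver: client-visible behaviour of the Reject and Discard block
list actions, with per-entry hit tracking (added example, not FortiMail code)."""
import time


class BlockList:
    """Exact-match list keyed by sender address or client IP, with hit statistics."""

    def __init__(self, entries):
        now = time.time()
        self.entries = {e.lower(): {"created": now, "last_hit": None, "hits": 0}
                        for e in entries}

    def match(self, key):
        """Return True on a hit and update the entry's last-hit time and hit count."""
        stat = self.entries.get(key.lower())
        if stat is None:
            return False
        stat["hits"] += 1
        stat["last_hit"] = time.time()
        return True


def transact(sender, recipient, body, client_ip, blocklist, action):
    """Run one SMTP transaction; return (transcript, delivered_message_or_None).

    transcript is a list of ("C"|"S", line) pairs; action is "reject" or "discard".
    Assumption of this toy: the list is consulted once MAIL FROM is known.
    """
    log = []

    def c(line):
        log.append(("C", line))

    def s(line):
        log.append(("S", line))

    s("220 mail.example ESMTP")
    c("EHLO client.example")
    s("250 mail.example")

    ip_hit = blocklist.match(client_ip)      # evaluate both so both hit counts update
    sender_hit = blocklist.match(sender)
    blocked = ip_hit or sender_hit

    c("MAIL FROM:<%s>" % sender)
    if blocked and action == "reject":
        s("550 Relaying denied")             # the reply the Setting tab documents for Reject
        c("QUIT")
        s("221 Bye")
        return log, None                     # the client knows delivery failed
    s("250 OK")
    c("RCPT TO:<%s>" % recipient)
    s("250 OK")
    c("DATA")
    s("354 End data with <CR><LF>.<CR><LF>")
    for line in body:
        c(line)
    c(".")
    s("250 OK")                              # Discard still acknowledges the message
    c("QUIT")
    s("221 Bye")
    if blocked and action == "discard":
        return log, None                     # accepted on the wire, never delivered, no bounce
    return log, {"from": sender, "to": recipient, "body": list(body)}


if __name__ == "__main__":
    for action in ("reject", "discard"):
        bl = BlockList(["spammer@example.net"])
        log, msg = transact("spammer@example.net", "user@example.com",
                            ["Subject: hi", "", "hello"], "198.51.100.7", bl, action)
        print("--", action, "delivered:", msg is not None,
              "hits:", bl.entries["spammer@example.net"]["hits"])
        for who, line in log:
            print(who + ":", line)
```

With Reject the sender sees the 550 and can log or bounce the failure; with Discard it sees a normal 250 and has no indication that the message was dropped. Both paths update the entry's hit count and last-hit time, which is the data that Block/Safe list tracking exposes and that Auto Aging relies on to find stale entries.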
See also

Configuring the block lists and safe lists

Managing the global block and safe list

Managing the per-domain block lists and safe lists

Managing the personal block lists and safe lists

Order of execution
