Manually exempting senders from greylisting
The Exempt tab displays manual greylist entries, which exempt email messages from the automatic greylisting process and its associated greylist delay period.
For more information on the automatic greylisting process, see “About greylisting” on page 624. For more information on manual greylist entries, see “Manual greylist entries” on page 628.
To access this part of the web UI, your administrator account’s:
- Domain must be System
- access profile must have Read or Read-Write permission to the Policy category
For details, see “About administrator account permissions and domains” on page 290.
To view and configure manual greylist entries
- Go to AntiSpam > Greylist > Exempt.
Figure 278: Exempt tab

| GUI item | Description |
| --- | --- |
| Recipient Pattern | Displays the pattern that defines a matching recipient address in the message envelope (RCPT TO:). The prefix to the pattern indicates whether or not the Regular expression option is enabled for the entry: R/ means regular expressions are enabled; -/ means regular expressions are not enabled, but the pattern may use wild cards (* or ?). |
| Sender IP/Netmask | Displays the IP address and netmask that defines SMTP clients (the last hop address) that match this entry. 0.0.0.0/0 matches all SMTP client IP addresses. |
| Reverse DNS Pattern | Displays the pattern that defines a matching result when the FortiMail unit performs the reverse DNS lookup of the IP address of the SMTP client. The prefix to the pattern indicates whether or not the Regular expression option is enabled for the entry: R/ means regular expressions are enabled; -/ means regular expressions are not enabled, but the pattern may use wild cards (* or ?). |
- Click New to add an entry or double-click an entry to modify it.
A dialog appears.
Figure 279: New Rule dialog
- Configure the following:
| GUI item | Description |
| --- | --- |
| Sender pattern | Enter the pattern that defines a matching sender email address in the message envelope (MAIL FROM:). To match any sender email address, enter either *, or, if Regular expression is enabled, .*. You can create a pattern that matches multiple addresses either by including wild card characters (* or ?), where an asterisk (*) matches one or more characters and a question mark (?) matches any single character, or by using regular expressions, in which case you must also enable the Regular expression option. For example, entering the pattern ??@*.com will match messages sent by any sender with a two-letter user name from any “.com” domain. |
| Regular expression | For any of the pattern options, select the accompanying Regular expression check box if you entered a pattern using regular expression syntax. |
| Recipient pattern | Enter the pattern that defines a matching recipient address in the message envelope (RCPT TO:). To match any recipient email address, enter either *, or, if Regular expression is enabled, .*. You can create a pattern that matches multiple addresses either by including wild card characters (* or ?), where an asterisk (*) matches one or more characters and a question mark (?) matches any single character, or by using regular expressions, in which case you must also enable the Regular expression option. For example, entering the pattern *@example.??? will match email sent to any recipient at example.com, example.net, example.org, or any other “example” top level domain. |
| Sender IP/Netmask | Enter the IP address and netmask that defines SMTP clients that match this entry. To match any SMTP client IP address, enter 0.0.0.0/0. You can create a pattern that matches multiple addresses by entering any bit mask other than /32. For example, entering 10.10.10.10/24 would match the 24-bit subnet of IP addresses starting with 10.10.10, and would appear in the list of manual greylist entries as 10.10.10.0/24. |
| Reverse DNS pattern | Enter the pattern that defines valid host names for the IP address of the SMTP client (the last hop address). Since the SMTP client can use a fake self-reported host name in its SMTP greeting (EHLO/HELO), you can use a reverse DNS lookup of the SMTP client’s IP address to get the real host name of the SMTP client. The FortiMail greylist scanner then compares the host name resulting from the reverse DNS query with the pattern that you specify. If the query result matches the specified pattern, the greylist exempt rule applies; otherwise, the rule does not apply. You can create a pattern that matches multiple addresses either by including wild card characters (* or ?), where an asterisk (*) matches one or more characters and a question mark (?) matches any single character, or by using regular expressions, in which case you must also enable the Regular expression option. For example, entering the pattern mail*.com will match messages delivered by an SMTP client whose host name starts with “mail” and ends with “.com”. |
No pattern can be left blank in a greylist exempt rule. To have the FortiMail unit ignore a pattern, enter an asterisk (*) in the pattern field. For example, if you enter an asterisk in the Recipient Pattern field and do not enable Regular Expression, the asterisk matches all recipient addresses. This eliminates the recipient pattern as an item used to determine if the rule matches an email message.
Example: Manual greylist entries (exemptions)
Example Corporation uses a FortiMail unit that is operating in gateway mode, and uses greylisting to reduce the quantity of spam they receive at their protected domain, example.com.
Example Corporation wants to exempt some email from the initial greylist delay period by creating manual greylist entries (exemptions to the automatic greylisting process) that match trusted combinations of SMTP client IP addresses and recipient email addresses.
The manual greylist entries used by Example Corporation are shown in Figure 280.
Figure 280: A sample greylist exemption list
Rule 1
Example Corporation has a number of foreign offices. Email from these offices does not need to be greylisted. The IP addresses of email servers in the foreign offices vary, though their host names all begin with “mail” and end with “example.com”.
Rule 1 uses the recipient pattern and the reverse DNS pattern to exempt from the automatic greylisting process all email messages that are sent to recipients at example.com, and are being delivered by an email server with a host name beginning with “mail” and ending with “example.com”.
Rule 2
Example Corporation works closely with a partner organization, Example Org, whose email domain is example.org. Email from the example.org email servers does not need to be greylisted. The IP addresses of email servers for example.org are within the 172.20.120.0/24 subnet, and have a host name of mail.example.org.
Rule 2 uses the recipient pattern, sender IP/netmask, and reverse DNS pattern to exempt from the automatic greylisting process all email messages that are sent to recipients at example.com by any email server whose IP address is between 172.20.120.1 and 172.20.120.255 and whose host name is mail.example.org.
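As an added illustration (not FortiMail's own code), the following Python model shows how the four fields of a manual greylist entry combine into one exemption decision, using the wildcard semantics described above (* is one or more characters, ? exactly one), the R/ and -/ display prefixes, the /24 normalization, and Rules 1 and 2 from the Example Corporation scenario. The envelope addresses, client IPs and reverse DNS results it is fed are constructed sample values.

```python
import ipaddress
import re

def parse_pattern(display):
    """'R/' prefix: Regular expression option is on; '-/' prefix: wildcards only."""
    if display.startswith("R/"):
        return True, display[2:]
    return False, display[2:] if display.startswith("-/") else display

def wildcard_to_regex(pattern):
    """Wildcard semantics from the page: '*' one or more chars, '?' exactly one."""
    return "".join(".+" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)

def pattern_matches(display, value):
    """Match an envelope address or reverse DNS host name against one rule field."""
    is_regex, pattern = parse_pattern(display)
    if not is_regex:
        pattern = wildcard_to_regex(pattern)
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None

def normalize_netmask(cidr):
    """Entering 10.10.10.10/24 is listed as 10.10.10.0/24 (host bits cleared)."""
    return str(ipaddress.ip_network(cidr, strict=False))

class ExemptRule:
    def __init__(self, sender, recipient, ip_netmask, reverse_dns):
        self.sender, self.recipient, self.reverse_dns = sender, recipient, reverse_dns
        self.network = ipaddress.ip_network(ip_netmask, strict=False)

    def matches(self, mail_from, rcpt_to, client_ip, ptr_name):
        """All four fields must match; a '*' field matches anything, as the page says."""
        return (pattern_matches(self.sender, mail_from)
                and pattern_matches(self.recipient, rcpt_to)
                and ipaddress.ip_address(client_ip) in self.network
                and pattern_matches(self.reverse_dns, ptr_name))

# Rules 1 and 2 from the Example Corporation scenario, in the list's display form.
# Note: '-/mail*example.com' also matches mail.notexample.com; use the regex
# form R/^mail.*\.example\.com$ when the domain boundary matters.
RULES = [
    ExemptRule("-/*", "-/*@example.com", "0.0.0.0/0", "-/mail*example.com"),
    ExemptRule("-/*", "-/*@example.com", "172.20.120.0/24", "-/mail.example.org"),
]

def is_exempt(mail_from, rcpt_to, client_ip, ptr_name):
    """True if any manual entry exempts this delivery attempt from greylisting."""
    return any(r.matches(mail_from, rcpt_to, client_ip, ptr_name) for r in RULES)
```

The reverse DNS name passed in must come from a PTR lookup of the connecting IP, not from the EHLO/HELO greeting, or the host name field gives no assurance.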