Matching greylist entries

While the email addresses in the message envelope must match exactly, the IP address of the SMTP client is a less specific match: any IP address on the /24 network will match.

For example, if an email server at 192.168.1.99 is known to the greylist scanner, its greylist entry contains the IP address 192.168.1.0 where 0 indicates that any value will match the last octet, and that any IP address starting with 192.168.1 will match that entry.

This greylist IP address matching mechanism restricts the number of IP addresses which can match the greylist entry while also minimizing potential issues with email server farms. Some large organizations use many email servers with IP addresses in the same class C subnet. If the first attempt to deliver email receives a temporary failure response, the second attempt may come from an email server with a different IP address. If an exact match were required, the greylist scanner would treat the second delivery attempt as a new delivery attempt unrelated to the first. Depending on the configuration of the email servers, the email message might never be delivered properly. Approximate IP address matching often prevents this problem.

For very large email server farms that require greater than a /24 subnet, you can manually create greylist exemptions. For more information, see “Manual greylist entries” on page 628.

Automatic greylist entries

The automatic greylisting process automatically creates, confirms pending entries, and expires automatic greylist entries, reducing the need for manual greylist entries. The automatic greylisting process can create three types of automatic greylist entries:

• pending (see “Viewing the pending and individual automatic greylist entries” on page 193)
• individual (see “Viewing the pending and individual automatic greylist entries” on page 193)
• consolidated (see “Viewing the consolidated automatic greylist exemptions” on page 196)

Pending entries are created on the initial delivery attempt, and track the email messages whose delivery attempts are currently experiencing the greylist delay period. They are converted to confirmed individual entries if a delivery attempt occurs after the greylist delay period, during the greylist window.

The automatic greylisting process can reduce the number of individual automatic greylist entries by consolidating similar entries after they have been confirmed during the greylisting window. Consolidation improves performance and greatly reduces the possibility of overflowing the maximum number of greylist entries.

Consolidated automatic greylist entries include only:

• the domain name portion of the sender email address
• the IP address of the SMTP client

They do not include the recipient email address, or the user name portion of the sender email address. By containing only the domain name portion and not the entire sender email address, a consolidated entry can match all senders from a single domain, rather than each sender having and matching their own individual automatic greylist entry. Similarly, by not containing the recipient email address, any recipient can share the same greylist entry. Because consolidated entries have broader match sets, they less likely to reach the time to live (TTL) than an individual automatic greylist entry.

For example, example.com and example.org each have 100 employees. The two organizations work together and employees of each company exchange email with many of their counterparts in the other company. If each example.com employee corresponds with 20 people from example.org, the FortiMail unit used by example.com will have 2000 greylist entries for the email received from example.org alone. By consolidating, these 2000 greylist entries are replaced by a single entry.

Not all individual automatic greylist entries can be consolidated. Because consolidated entries have fewer message attributes, more email messages may match each entry, some of which could contain different recipient email addresses and sender user names than those of the originally greylisted email messages. To prevent spam from taking advantage of the broader match sets, requirements for creation of consolidated entries are more strict than those of individual automatic greylist entries. FortiMail units will create a consolidated entry only if the email:

• does not match any manual greylist entry (exemption)
• passes the automatic greylisting process
• passes all configured antispam scans
• passes all configured antivirus scans
• passes all configured content scans
• does not match any white lists

If an email message fails to meet the above requirements, the FortiMail unit instead maintains the individual automatic greylist entry.

After a greylist entry is consolidated, both the consolidated entry and the original greylist entry will coexist for the length of the greylist TTL. Because email messages are compared to the autoexempt list before the greylist, subsequent matching email will reset only the expiry date of the autoexempt list entry, but not the expiry date of the original greylist entry. Eventually, the original greylist entry expires, leaving the automatic greylist entry.

Manual greylist entries

In some cases, you may want to manually configure some greylist entries. Manual greylist entries are exempt from the automatic greylisting process, and are therefore not subject to the greylist delay period and confirmation.

For example, a manual greylist entry can be useful when email messages are sent from an email server farm whose network is larger than /24. For very large email server farms, if a different email server attempts the delivery retry each time, the greylist scanner could perceive each retry as a first attempt, and automatic greylist entries could expire before the same email server retries delivery of the same email. To prevent this problem, you can manually create an exemption using common elements of the host names of the email servers.

For more information on creating manual greylist entries, see “Manually exempting senders from greylisting” on page 630.

Configuring the grey list TTL and initial delay

The Settings tab lets you configure time intervals used during the automatic greylisting process. For more information on the automatic greylisting process, see “About greylisting” on page 624.

To access this part of the web UI, your administrator account’s:

• Domain must be System
• access profile must have Read or Read-Write permission to the Policy category

For details, see “About administrator account permissions and domains” on page 290.

To configure greylisting intervals

1. Go to AntiSpam > Greylist > Settings.

Figure 277:Settings tab

2. Configure the following:

GUI item	Description
TTL	Enter the time to live (TTL) that determines the maximum amount of time that unused automatic greylist entries will be retained. Expiration dates of automatic greylist entries are determined by the following two factors: •      Initial expiry period: After a greylist entry passes the greylist delay period and its status is changed to PASSTHROUGH, the entry’s initial expiry time is determined by the time you set with the CLI command set greylist-init-expiry-period under config antispam settings (see the FortiMail CLI Reference). The default initial expiry time is 4 hours. If the initial expiry time elapses without an email message matching the automatic greylist entry, the entry expires and the greylist scanner removes the entry. •      TTL: Between the entry’s PASSTHROUGH time and initial expiry time, if the entry is hit again (the sender retries to send the message again), the entry’s expiry time will be reset by adding the TTL value (time to live) to the message’s “Received” time. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire. If the TTL elapses without an email message matching the automatic greylist entry, the entry expires and the greylist scanner removes the entry. For more information on automatic greylist entries, see “Viewing the greylist statuses” on page 192. The value must be between 1 and 60 days. The default value is 36 days.
Greylisting period	Enter the length of the greylist delay period. For the initial delivery attempt, if no manual greylist entry (exemption) matches the email message, the FortiMail unit creates a pending automatic greylist entry, and replies with a temporary failure code. During the greylist delay period after this initial delivery attempt, the FortiMail unit continues to reply to additional delivery attempts with a temporary failure code. After the greylist delay period elapses and before the pending entry expires (during the greylist window), any additional delivery attempts will confirm the entry and convert it to an individual automatic greylist entry. The greylist scanner will then allow delivery of subsequent matching email messages. For more information on pending and individual automatic greylist entries, see “Viewing the pending and individual automatic greylist entries” on page 193. The value must be between 1 and 120 minutes. The default value is 1 minute.

You can use the CLI to change the default 4 hour greylist window. For more information, see the

CLI command set greylist-init-expiry-period under config antispam settings in the FortiMail CLI Reference.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!