Viewing The Greylist Statuses

Viewing the greylist statuses

The Greylist submenu lets you monitor automatic greylisting exemptions, and email currently experiencing temporary failure of delivery due to greylisting.

Greylisting exploits the tendency of legitimate email servers to retry email delivery after an initial temporary failure, while spammers will typically abandon further delivery attempts to maximize spam throughput. The greylist scanner replies with a temporary failure for all email messages whose combination of sender email address, recipient email address, and SMTP client IP address is unknown. If an SMTP server retries to send the email message after the required greylist delay but before expiry, the FortiMail unit accepts the email and adds the combination of sender email address, recipient email address, and SMTP client IP address to the list of those known by the greylist scanner. Subsequent known email messages are accepted. For details on the greylisting mechanism, see “About greylisting” on page 624.

To use greylisting, you must enable the greylist scan in the antispam profile. For more information, see “Managing antispam profiles” on page 503.

Greylisting is bypassed if the SMTP client establishes an authenticated session (see “Bypass scan on SMTP authentication” on page 533, “Controlling email based on recipient addresses” on page 468, and “Controlling email based on IP addresses” on page 475), or if the matching access control rule’s Action is RELAY (see “Order of execution” on page 16).

You can configure the initial delay associated with greylisting, and manually exempt senders. For details, see “Configuring the grey list TTL and initial delay” on page 628 and “Manually exempting senders from greylisting” on page 630.

Viewing the pending and individual automatic greylist entries

The Display tab lets you view pending and individual automatic greylist entries.

  • Pending greylist entries are those whose Status is not PASSTHROUGH. For email messages matching pending greylist entries, the FortiMail unit will reply to delivery attempts with a temporary failure code until the greylist delay period, indicated by Time to passthrough, has elapsed.
  • Individual greylist entries are those whose Status is PASSTHROUGH. For email messages matching pending greylist entries, the greylist scanner will allow the delivery attempt, and may create a consolidated automatic greylist entry. For information on consolidated entries, see “Viewing the consolidated automatic greylist exemptions” on page 196.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Policy category

For details, see “About administrator account permissions and domains” on page 290.

To view the greylist, go to Monitor > Greylist > Display.

Figure 73:Display tab

Table 15:Viewing the list of pending and individual greylist entries

GUI item Description
Search

(button)

Click to filter the displayed entries. For details, see “Filtering pending and individual automatic greylist entries” on page 195.
IP Lists the IP address of the SMTP client that delivered or attempted to deliver the email message.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Sender Lists the sender email address in the message envelope (MAIL FROM:), such as user1@example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Recipient Lists the recipient email address in the message envelope (RCPT TO:), such as user1@example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Status Lists the current action of the greylist scanner when the FortiMail unit receives a delivery attempt for an email message matching the entry.

•      TEMPFAIL: The greylisting delay period has not yet elapsed, and the FortiMail unit currently replies to delivery attempts with a temporary failure code. For information on configuring the greylist delay period, see “Configuring the grey list TTL and initial delay” on page 628.

•      PASSTHROUGH: The greylisting delay period has elapsed, and the greylist scanner will allow delivery attempts.

Table 15:Viewing the list of pending and individual greylist entries

Time to passthrough Lists the time and date when the greylisting delay period for a pending entry is scheduled to elapse. Delivery attempts after this date and time confirm the pending greylist entry, and the greylist scanner converts it to an individual automatic greylist entry. The greylist scanner may also consolidate individual greylist entries. For information on consolidated entries, see “Viewing the consolidated automatic greylist exemptions” on page 196.

N/A appears if the greylisting period has already elapsed.

Expire Lists the time and date when the entry will expire. The greylist entry’s expiry time is determined by the following two factors:

•      Initial expiry period: After a greylist entry passes the greylist delay period and its status is changed to PASSTHROUGH, the entry’s initial expiry time is determined by the time you set with the CLI command

set greylist-init-expiry-period under config antispam

settings (for details, see the FortiMail CLI Reference). The default initial expiry time is 4 hours. If the initial expiry time elapses without an email message matching the automatic greylist entry, the entry expires and the greylist scanner removes the entry.

•      TTL: Between the entry’s PASSTHROUGH time and initial expiry time, if the entry is hit again (the sender retries to send the message again), the entry’s expiry time will be reset by adding the TTL value (time to live) to the message’s “Received” time. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire. If the TTL elapses without an email message matching the automatic greylist entry, the entry expires and the greylist scanner removes the entry. For information on configuring the TTL, see “Configuring the grey list TTL and initial delay” on page 628.

Filtering pending and individual automatic greylist entries

You can filter the greylist entries on the Display tab based on sender email address, recipient email address, and/or the IP address of the SMTP client.

To filter the greylist entries 1. Go to Monitor > Greylist > Display.

  1. Click Search.

A dialog appears.

Figure 74:Search dialog

  1. Configure one or more of the following:
GUI item Description
Field Select one of the following columns in the greylist entries that you want to use to filter the display.

•      IP

•      Sender

•      Recipient

Operation Select how the column’s contents will be matched, such as whether the row must contain the Value.
Case Sensitive Enable for case-sensitive filtering.
Value Enter a pattern or exact value based on your selection in Field and Operation.

•      IP: Enter the IP address of the SMTP client, such as 172.16.1.10.

•      Sender: Enter the complete sender email address in the message envelope (MAIL FROM:), such as user1@example.com.

•      Recipient: Enter the complete recipient email address in the message envelope (RCPT TO:), such as user1@example.com.

Use an asterisk (*) to match multiple patterns, such as typing user* to match user1@example.com, user2@example.net, and so forth. Blank fields match any value.

Regular expressions are not supported.

  1. Click Search.

The Display tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Display tab to refresh its view.

Viewing the consolidated automatic greylist exemptions

The Auto Exempt tab displays consolidated automatic greylist entries.

The FortiMail unit creates consolidated greylist entries from individual automatic greylist entries that meet consolidation requirements. For more information on individual automatic greylist entries, see “Viewing the pending and individual automatic greylist entries” on page 193. For more information on consolidation requirements, see “Automatic greylist entries” on page 627.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category For details, see “About administrator account permissions and domains” on page 290.

To view the list of consolidated entries, go to Monitor > Greylist > Auto Exempt.

Table 16:Auto Exempt tab options

GUI item Description
Search

(button)

Click to filter the displayed entries.
IP Lists the /24 subnet of the IP address of the SMTP client that delivered or attempted to deliver the email message.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Sender Lists the domain name portion of the sender email address in the message envelope (MAIL FROM:), such as example.com.

If the displayed entries are currently restricted by a search filter, a filter icon appears in the column heading. To remove the search filter, click the tab to refresh the display.

Expire Lists the time and date when the entry will expire, determined by adding the TTL value to the time the last matching message was received. For information on configuring the TTL, see “Configuring the grey list TTL and initial delay” on page 628.
This entry was posted in Administration Guides, FortiMail on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.