Order of execution of block lists and safe lists
As one of the first steps to detect spam, FortiMail units evaluate whether an email message matches a block list or safe list entry.
Generally, safe lists take precedence over block lists. If the same entry appears in both lists, the entry will be safelisted. Similarly, system-wide lists generally take precedence over per-domain lists, while per-domain lists take precedence over per-user lists.
Table 48 displays the sequence in which the FortiMail unit evaluates email for matches with block list and safe list entries. If the FortiMail unit finds a match, it does not look for any additional matches, and cancels any remaining antispam scans of the message (but not the antivirus and content scans).
Table 48: Block and safe list order of operations

| Order | List | Examines | Action taken if match is found |
|---|---|---|---|
| 1 | System safe list | Sender address, Client IP | Accept message |
| 2 | System block list | Sender address, Client IP | Invoke block list action |
| 3 | Domain safe list | Sender address, Client IP | Accept message |
| 4 | Domain block list | Sender address, Client IP | Invoke block list action |
| 5 | Session recipient safe list | Recipient address | Accept message for matching recipients |
| 6 | Session recipient block list | Recipient address | Invoke block list action |
| 7 | Session sender safe list | Sender address, Client IP | Accept message for all recipients |
| 8 | Session sender block list | Sender address, Client IP | Invoke block list action |
| 9 | User safe list | Sender address, Client IP | Accept message for this recipient |
| 10 | User block list | Sender address, Client IP | Discard message |
When the sender email address or domain is examined for a match:
• email addresses and domain names in the list are compared to the sender address in the message envelope (MAIL FROM:) and message header (From:)
• IP addresses are compared to the IP address of the SMTP client delivering the email, also known as the last hop address
When the recipient is examined for a match, email addresses and domain names in the list are compared to the recipient address in both the envelope (RCPT TO:) and the header. An IP address is not a valid entry in a recipient safe list or block list, because recipient matching does not use IP addresses.
System-wide, per-domain, and per-user block lists and safe lists are executed before any policy match. In contrast, per-session profile block lists and safe lists require that the traffic first match a policy. When configuring a session profile (see “Configuring session profiles”), you can create block and safe lists that will be used with the session profile. Session profiles are selected in IP-based policies, and as a result, per-session profile block lists and safe lists are not applied until the traffic matches an IP-based policy.
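The evaluation order in Table 48, the sender and recipient matching rules, and the IP-based policy requirement for per-session lists, as an added worked example written for this page (not FortiMail code; list names, data shapes and the `Message` fields are assumptions):

```python
# Example written for this page, not FortiMail code: list names and data shapes are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Message:
    envelope_from: str  # MAIL FROM:
    header_from: str    # From: header
    recipients: list
    client_ip: str      # last-hop SMTP client address
    matched_ip_policy: bool = False  # session lists apply only after an IP-based policy match
def _ip_net(entry):
    try:  # IP or CIDR entry -> network; email address or domain entry -> None
        return ip_network(entry, strict=False)
    except ValueError:
        return None
def _address_matches(entry, addr):
    entry, addr = entry.lower(), addr.lower()  # user@domain: exact match; bare domain: domain part
    return entry == addr if "@" in entry else addr.rsplit("@", 1)[-1] == entry

def sender_matches(entries, msg):
    # Sender lists are compared to MAIL FROM, header From, and the client IP
    for e in entries:
        net = _ip_net(e)
        if net is not None and ip_address(msg.client_ip) in net:
            return True
        if net is None and (_address_matches(e, msg.envelope_from) or _address_matches(e, msg.header_from)):
            return True
    return False
def recipient_matches(entries, rcpt):
    # IP entries are not valid in recipient lists and are ignored
    return any(_ip_net(e) is None and _address_matches(e, rcpt) for e in entries)
# (list name, what it examines, action on match), in Table 48 order
ORDER = [("system_safe", "sender", "accept"), ("system_block", "sender", "block"),
         ("domain_safe", "sender", "accept"), ("domain_block", "sender", "block"),
         ("session_rcpt_safe", "recipient", "accept"), ("session_rcpt_block", "recipient", "block"),
         ("session_sender_safe", "sender", "accept"), ("session_sender_block", "sender", "block"),
         ("user_safe", "sender", "accept"), ("user_block", "sender", "discard")]

def evaluate(lists, msg):
    """First match wins; None means no list matched and the other antispam scans continue."""
    for name, examines, action in ORDER:
        if name.startswith("session_") and not msg.matched_ip_policy:
            continue  # per-session lists need an IP-based policy match first
        entries = lists.get(name, [])
        if examines == "sender" and sender_matches(entries, msg):
            return name, action
        if examines == "recipient" and any(recipient_matches(entries, r) for r in msg.recipients):
            return name, action
    return None
```

Because the lists are checked strictly in table order, a system safe list hit on the header From: address accepts a message even when the client IP is on the system block list, and a session recipient safe list is only consulted once an IP-based policy has matched.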
For information on order of execution relative to other antispam methods, see “Order of execution”.