FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Dirty_Wizard_FTNT
Article Id 191707

Description
This document explains the greylisting process flow in FortiMail. For further information about greylisting:
Explanation of greylisting
About greylisting

1) SMTP client connects.
FortiMail collects the following information from the client: IP Address, MAIL FROM and RCPT TO. This is also known as the greylisting 'triplet'. 
 

 
2) Exemption checking.
FortiMail checks the following for matches. If a match is found, the message bypasses greylisting:
-System Safelist (note that Domain and Personal safelists do no bypass greylisting).
-Greylist Exempt entry (manual exempt) configured under AntiSpam > Greylist (5.3) or Security > Greylist (5.4).
-Greylist Auto Exempt entry. These are created when a previous message passes the greylisting process. Matching client IP subnet and sender domain. Viewed under Monitor > Greylist > Auto Exempt.
 

 
3) Rejection and Greylist database entry.

If no exemption is matched, the FortiMail returns a temp fail "451 4.3.2 Please try again later".
The client IP is recorded and rounded to a /24 subnet. If client IP is 172.16.20.22, the greylist entry is 172.16.20.0/24
The envelope MAIL FROM and RCPT TO addresses are recorded.
This 'triplet' is added to the greylist database. Viewable under Monitor > Greylist.
The Status here will be TEMPFAIL until the greylisting period elapses.
Subsequent delivery attempts will be rejected which match this entry until the greylisting period elapses.
The Status then changes to PASSTHROUGH.
If a delivery attempt matches an entry in the PASSTHROUGH state which has not expired (during greylist window, default 4 hours), it is accepted and the Auto Exempt entry is created.
You can use the CLI to change the default 4 hour greylist window. For more information, see the CLI command 'set greylist-init-expiry-period' under 'config antispam settings' in the FortiMail CLI Reference.

Considerations
Some clients, such as those of large, hosted email services like Gmail or Yahoo can have a hard time passing through the greylist process. 
This is because delivery attempts after the initial rejection can originate from client IPs which do not match the initial /24 subnet.
Resulting sometimes in continuous greylisting. The same issue can occur for Office 365 hosted domains.
 

 
It is advised to create Greylist Exempt entries for these domains.  Such as *@gmail.com.
For all Office 365 hosted domains, one can employ a reverse DNS pattern for client name: *.outbound.protection.outlook.com.

 

Contributors