  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6251

Email Stopped at fortinet

Hello,
Emails are getting stuck at the Fortinet FW. Our email server shows this log:
no mail sent during session from [10.10.125.254] <-- that is Fortinet's IP address.

For email servers we have an Exchange and a Linux box behind the Fortinet,
so Fortinet --> 1. Exchange 2. Linux
Fortinet is new to me, but I am experienced with email. Seems that emails are getting stuck but I don't know where to check.

Asked: mechanicus01
2 Solutions
 
joelsplace commented:
Fortigate firewalls have a nice UI. They have sections for A/V scanning of email and some have spam filtering options. Did it work and then stop? You'll need to check the routing rules in the Fortigate to make sure it is forwarding to your mail servers. Mine don't have the spam filter option so I can't help there. Fortigates also have an activity log you can look through to see what it is doing.
Your error seems to indicate that a session is set up but no mail is being transferred.
I'm guessing that you have 2 mail servers, one Exchange and one Linux. Is it possible that the external IPs for each are reversed, so that the mail for the Linux domain is mapped to Exchange?
The way I set ours up is with a virtual IP mapping from outside public IP to inside private IP and then opened the appropriate ports connected to that virtual IP.
I did have a problem one time where the virtual IP mapping was lost somehow and the firewall rules were still there. It wouldn't work but it looked fine while messing around in the rules and ports.
 
Sommerblink commented:
You will need to have a Virtual IP configured for the public IP address of your email server (Firewall/Virtual IP). Make sure that this is either a 1-to-1 NAT (e.g. no port is listed for the VIP) or, if there is a port listed, that it is port 25 for both external and mapped.

You will need to have a policy (Firewall/Policy) where you have a rule that allows traffic from WAN to Internal, using the source ALL, and the destination is this VIP.

Also, since your logs are showing the internal interface of the firewall, versus the source address of the sender, make sure that in this policy you have disabled NAT.

Also, if you want to send your config, this can be captured by opening up the console window and typing in the command "show".
 
mechanicus01 (author) commented:
Ok. I'll check those.

But here is the thing.
We are setting up an SNMP software with an email client that's configured to the Linux email server, much like an Outlook client configuration.

The setup is Fortinet --> 1. Exchange.com 2. Linux.net (Exchange.com and Linux.net are email domains)
Both email domains receive emails without any problem when sending emails from the LAN or from the Internet, but
an SMTP test from the SNMP software hits the Linux email server but shows as "no mail sent".

Telnet on port 25 from a machine where the SNMP software is installed successfully hits Linux.net, but the SNMP test seems to come from the Fortinet. Is there a way to TcpTraceRoute port 25 from the machine where the SNMP software is installed?
 
joelsplace commented:
With this new info you probably want to disregard all the previous suggestions.
Since mail works, SMTP is set up correctly.
SNMP is a different animal entirely. It will have to be set up on its own. I think it's UDP port 161 and 162.
 
joelsplace commented:
If your SNMP software is using SMTP then you probably just have something wrong in the credentials it's sending, assuming your mail server is set up to not be an open relay.
 
mechanicus01 (author) commented:
The SNMP is using an email client to connect to the Linux.net email server, and on the Linux box I have the SNMP software added as a relay. But still, the SNMP email client is using valid credentials; it connects fine but somehow it is routing the SMTP connection to the Fortinet. Is there a TcpTraceRoute for port 25 for a Windows machine that you know of?
I would like to test the route the packets are taking.
 
mechanicus01 (author) commented:
Am testing again. How can I filter only SMTP from a certain IP in the console window in Fortinet?
 
Sommerblink commented:
This SNMP software which sends emails, is it in front of the Fortigate? (External to your LAN?) I'm confused where this computer resides.

Regardless of whether it is in front of the firewall, the easiest way to test SMTP connectivity is to open a command prompt (you said it was a Windows machine) and type in "telnet [FQDN or IP of Linux] 25".

You should be greeted with the SMTP banner from the Linux server.

If you are on the same side of the firewall (and more specifically the same subnet as the Linux server), then the firewall will not affect this at all.

If it is in front of it, then you will still need to follow my suggestion and joelsplace's and take a look at the policy in the firewall which allows communication from the outside to reach your Linux server on the inside.
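As an added example (not part of the thread, and not code from Sommerblink, Fortinet or any MTA), here is a Python script that does what the telnet test above does by hand, but also records the source address the client actually used so it can be compared with the address the mail server logged for the session. In the thread the Linux server logs 10.10.125.254, the FortiGate's inside address, instead of the sending host; the comparison makes that kind of rewrite visible. The hostname linux.net is taken from the thread; the small fake SMTP server that answers the probe is a stand-in so the script runs offline and is not real MTA code.

```python
"""Scripted version of "telnet <host> 25" (added example, not from the thread).

The probe connects, reads the 220 banner, sends EHLO and QUIT, and returns what
it saw together with the local address the client actually used.  Comparing
that address with the address the mail server logged for the session tells you
whether something in the path (for example a firewall policy with NAT enabled)
rewrote the source address.

FakeSmtpServer is a tiny stand-in for the Linux mail server so the example runs
offline; it is not real MTA code.  The hostname "linux.net" comes from the thread.
"""
import socket
import threading


def recv_line(sock, timeout=5.0):
    """Read one CRLF-terminated SMTP line (empty string on EOF)."""
    sock.settimeout(timeout)
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def smtp_probe(host, port, helo_name="probe.example"):
    """Connect to host:port, read the banner, EHLO, QUIT.  Returns what was observed."""
    with socket.create_connection((host, port), timeout=5.0) as sock:
        banner = recv_line(sock)
        local_ip, local_port = sock.getsockname()[:2]   # address the client really used
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        ehlo = []
        while True:
            line = recv_line(sock)
            ehlo.append(line)
            if len(line) < 4 or line[3] != "-":          # "250-..." continues, "250 ..." ends
                break
        sock.sendall(b"QUIT\r\n")
        recv_line(sock)                                  # 221 reply
    return {
        "banner": banner,
        "banner_ok": banner.startswith("220"),
        "ehlo": ehlo,
        "client_source": (local_ip, local_port),
    }


def nat_in_path(probe_result, server_logged_ip):
    """True when the server logged a different source IP than the client used.

    In the thread the Linux server logs 10.10.125.254 (the FortiGate's inside
    address) instead of the sending host, which is exactly this condition.
    """
    return probe_result["client_source"][0] != server_logged_ip


class FakeSmtpServer:
    """Answers EHLO/QUIT on 127.0.0.1 and records the peer address, as an MTA log would."""

    def __init__(self, hostname="linux.net"):
        self.hostname = hostname
        self.seen_peers = []
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))                 # ephemeral port
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, peer = self._srv.accept()
        self._srv.close()
        with conn:
            self.seen_peers.append(peer[0])              # what the MTA would log
            conn.sendall(f"220 {self.hostname} ESMTP\r\n".encode("ascii"))
            while True:
                line = recv_line(conn)
                if not line:
                    break
                cmd = line.split(" ", 1)[0].upper()
                if cmd == "EHLO":
                    conn.sendall(f"250-{self.hostname}\r\n250 PIPELINING\r\n".encode("ascii"))
                elif cmd == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"500 Unrecognized command\r\n")


if __name__ == "__main__":
    srv = FakeSmtpServer()
    result = smtp_probe("127.0.0.1", srv.port)
    print(result)
    print("server logged:", srv.seen_peers[0],
          "NAT in path:", nat_in_path(result, srv.seen_peers[0]))
```

Against a real server, run smtp_probe from the SNMP host with the Linux server's address and port 25, then compare result["client_source"] with the address in the server's own log line for that session; if they differ, the rewrite happened between the two hosts.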
 
Sommerblink commented:
Oh, if this computer is Windows 2008/Vista or greater, the telnet client is not installed by default.

On a server, open up Server Manager and go to Features and install Telnet Client. If you are on Vista/7, open up "Turn Windows Features on or off" and tick the box next to Telnet Client.

This will not require a reboot.
 
joelsplace commented:
He already said telnet from the box the program is on works (3rd post).
 
mechanicus01 (author) commented:
type in "telnet [FQDN or IP of Linux] 25". <-- I did from the LAN and from another subnet and both are successful.

Those tests above were tested in front of the Fortinet... How can I get the logs or trace from Fortinet, or even a tcpdump?
 
Sommerblink commented:
Ok, sorry for the bad reading. Re-read the third message.

The problem may be in the policy which controls SNMP. Look for a policy on the Fortigate (Firewall/Policy) and find a policy which controls SNMP. On that policy, see if, under the NAT section, Enable NAT is ticked. This may be the reason why you are seeing the firewall's internal IP register with your Linux server.

(This was my first suggestion, but I thought we were talking about SMTP then.)
 
xanandu commented:
Fortinet provides a tool for troubleshooting these issues. It is under the diag debug command:
diag debug flow
Try it on some selective traffic that you can control (e.g. testing on the main web browsing rule is probably a bad idea), like a ping to a specific IP from your desktop, to get an idea of how it works.

NOTE OF WARNING: doing anything in any kind of diag or debug tree in a switch, router, firewall or other networking hardware is POTENTIALLY a risky maneuver. There is a reason these commands are rarely documented: to prevent people from toying with them. Poorly written sniffing filters can cause routers and switches to crash. You have been warned.

Now that we have gotten the legalese out of the way, here is a generic version of me testing connectivity to a known allowed port on the internet (port 25):
diag debug reset
diag debug enable
diag debug flow filter saddr <your ip address>
diag debug flow filter daddr <destination ip address>
diag debug flow filter dport <destination port>
diag debug flow show console enable
diag debug flow trace start

Now you generate traffic to the destination on that port, and you will see the internal mechanics of when the routing engine hands it off to the firewall, how the firewall decides which IPS/IDS rules to process, and what happens with the packet.

Don't forget to diag debug disable and diag debug reset at the end to ensure your diag debug tree is reset to defaults so you don't run up your CPU.

The output of the command looks like the following:
id=36871 trace_id=1 msg="vd-root received a packet(proto=6, <source ip address>:18687-><destination ip address>:25) from port1."
id=36871 trace_id=1 msg="allocate a new session-0168b728"
id=36871 trace_id=1 msg="find a route: gw-<gateway's ip address> via <interface to gateway>"
id=36871 trace_id=1 msg="Allowed by <Firewall policy Number>:"

If it hits anything funny, like NATs, IPS, or antivirus, it will be listed in this output.

Hope it helps.
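As an added example (not part of the thread and not a Fortinet tool), here is a Python parser for the diag debug flow output described above. It groups lines by trace_id and extracts, per flow, the packet 5-tuple and ingress interface, the route lookup, the policy that allowed or denied it, and any SNAT applied, then lists the flows whose source was rewritten to the firewall's inside address, which is the condition behind the "session from [10.10.125.254]" log in the question. SAMPLE_TRACE is constructed for this example: the "received a packet", "find a route" and "Allowed by" lines follow the shapes shown in the post above, while the "Policy-N: SNAT", "SNAT a->b:port" and "Denied by" wordings are my recollection of FortiOS output and should be treated as an assumption; every address other than 10.10.125.254 is made up.

```python
"""Parser for FortiGate "diag debug flow" trace output (added example, not from
the thread and not a Fortinet tool).

Groups lines by trace_id and pulls out, per flow: the packet 5-tuple and ingress
interface, the route lookup, the policy that allowed (or denied) it, and any SNAT
applied.  The question in the thread is why the Linux MTA sees the FortiGate's
inside address (10.10.125.254) instead of the sending host; a flow that was
allowed by a policy and then SNATed to that address is the answer.

SAMPLE_TRACE is constructed for this example.  The "received a packet", "find a
route" and "Allowed by" lines follow the shapes shown in the post above; the
"Policy-N: SNAT", "SNAT a->b:port" and "Denied by" lines follow the FortiOS
wording as remembered and are an assumption.  Addresses other than 10.10.125.254
are made up.
"""
import re

SAMPLE_TRACE = """\
id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 192.168.50.20:18687->10.10.125.10:25) from port1."
id=36871 trace_id=1 msg="allocate a new session-0168b728"
id=36871 trace_id=1 msg="find a route: gw-10.10.125.10 via port2"
id=36871 trace_id=1 msg="Allowed by Policy-7: SNAT"
id=36871 trace_id=1 msg="SNAT 192.168.50.20->10.10.125.254:18687"
id=36871 trace_id=2 msg="vd-root received a packet(proto=6, 192.168.50.21:40010->10.10.125.10:25) from port1."
id=36871 trace_id=2 msg="allocate a new session-0168b729"
id=36871 trace_id=2 msg="find a route: gw-10.10.125.10 via port2"
id=36871 trace_id=2 msg="Allowed by Policy-9:"
id=36871 trace_id=3 msg="vd-root received a packet(proto=17, 192.168.50.22:50000->10.10.125.10:161) from port1."
id=36871 trace_id=3 msg="Denied by forward policy check"
"""

LINE_RE = re.compile(r'\btrace_id=(?P<tid>\d+)\b.*?\bmsg="(?P<msg>[^"]*)"')
PACKET_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)'
)
ROUTE_RE = re.compile(r'find a route: gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+):')
SNAT_RE = re.compile(r'\bSNAT (?P<orig>[\d.]+)->(?P<new>[\d.]+):(?P<port>\d+)')


def parse_flow_trace(text):
    """Return {trace_id: flow-dict} for every trace_id seen in the output."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a flow line (e.g. the CLI prompt)
        tid, msg = int(m.group("tid")), m.group("msg")
        flow = flows.setdefault(tid, {
            "proto": None, "src": None, "dst": None, "dport": None,
            "ingress": None, "route": None, "policy": None,
            "snat": None, "verdict": "unknown",
        })
        p = PACKET_RE.search(msg)
        if p:
            flow.update(proto=int(p["proto"]), src=p["src"], dst=p["dst"],
                        dport=int(p["dport"]), ingress=p["iface"].rstrip("."))
            continue
        r = ROUTE_RE.search(msg)
        if r:
            flow["route"] = (r["gw"], r["iface"])
            continue
        a = ALLOW_RE.search(msg)
        if a:
            flow["policy"], flow["verdict"] = a["policy"], "allowed"
            continue
        if msg.startswith("Denied by"):
            flow["verdict"] = "denied"
            continue
        s = SNAT_RE.search(msg)
        if s:
            flow["snat"] = (s["orig"], s["new"])   # (original source, rewritten source)
    return flows


def flows_snatted_to(flows, nat_ip, dport=None):
    """trace_ids of flows whose source was rewritten to nat_ip (optionally only one dport)."""
    return sorted(
        tid for tid, f in flows.items()
        if f["snat"] and f["snat"][1] == nat_ip and (dport is None or f["dport"] == dport)
    )


def describe(tid, f):
    """One-line human summary of a parsed flow."""
    nat = f" SNAT {f['snat'][0]}->{f['snat'][1]}" if f["snat"] else ""
    return (f"trace {tid}: proto {f['proto']} {f['src']}->{f['dst']}:{f['dport']} "
            f"in {f['ingress']} {f['verdict']} policy={f['policy']}{nat}")


if __name__ == "__main__":
    flows = parse_flow_trace(SAMPLE_TRACE)
    for tid in sorted(flows):
        print(describe(tid, flows[tid]))
    print("SMTP flows SNATed to the firewall's inside address:",
          flows_snatted_to(flows, "10.10.125.254", dport=25))
```

Paste the console output from a real trace in place of SAMPLE_TRACE; the policy number reported for the SNATed SMTP flow is the one to open in Firewall/Policy and check for Enable NAT.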
 
mechanicus01 (author) commented:
Still checking..

mechanicus01 (author) commented:
Thanks
