tana
Staff
November 24, 2021

Troubleshooting Tip: Email alerts

Description This article describes troubleshooting steps to perform when email alerts are not received. It covers scenarios that use the default FortiGate settings with the Fortinet email relays/servers (notification.fortinet.net, fortinet-notifications.com) as well as scenarios that use a relay/server defined by the administrator.
Scope FortiGate.
Solution

Step 1: Verify WAN connectivity to the mail server.

 

Before investigating email configuration, confirm the FortiGate has a working path to the default mail server: notification.fortinet.net or fortinet-notifications.com.

 

execute ping fortinet-notifications.com


PING fortinet-notifications.com (208.91.114.151): 56 data bytes
64 bytes from 208.91.114.151: icmp_seq=0 ttl=55 time=146.9 ms
64 bytes from 208.91.114.151: icmp_seq=1 ttl=55 time=147.2 ms

 

If ping fails, confirm the WAN interface is up, that a default route exists, and that outbound firewall policy permits traffic from the FortiGate itself (not just through it). Confirm system DNS settings.

 

Step 2: Verify TCP connectivity on the mail port.

 

ICMP success does not guarantee the SMTP port is reachable.

Test the actual TCP connection:

 

 execute telnet 208.91.114.151 465

 

Working scenario:

Trying 208.91.114.151...
Connected to 208.91.114.151.

 

Non-working scenario:

 

Trying 208.91.114.151...
Connected to 208.91.114.151.
x.x.x.x is blocklisted by FortiGuard. This email from IP has been rejected. The email message was  detected as spam.
Connection closed by foreign host.

If the response displays the message shown above, submit a request for re-evaluation to the FortiGuard team on the AntiSpam Blocklist Appeal form, and be sure to include the public source IP used by the FortiGate.

 

Step 3: Review the email server configuration.

 

Check the existing configuration in FortiGate.

   

get system email-server

 

The following is an example of default settings:

 

type : custom
server : fortinet-notifications.com
port : 465
source-ip : 0.0.0.0
source-ip6 : ::
authenticate : disable
validate-server : disable
security : smtps
ssl-min-proto-version: default
interface-select-method: auto

 

Common configuration issues to check:

 

  1. Outgoing interface not matching routing.

 

If the FortiGate has multiple WAN interfaces or uses SD-WAN, interface-select-method auto may select the wrong interface. Force it explicitly if needed:

 

config system email-server
    set interface-select-method specify
    set interface "wan1"
end

 

Available options:

 

set interface-select-method ?
auto      Set outgoing interface automatically.
sdwan     Set outgoing interface by SD-WAN or policy routing rules.
specify   Set outgoing interface manually.

 

  2. Verify connectivity to a custom email server.

 

When a custom email server is configured on the FortiGate to send emails such as FortiToken activation emails or email alerts, the emails may not be received on the user side.

 

Check the connection to the Email Server:

  • Make sure FortiGate can reach the email server.
  • Try to ping the email server to verify the connectivity.

 

execute ping <SMTP server IP>

 

If the ping succeeds, the FortiGate has a basic network path to the server. If it fails, investigate routing, firewall policy, and whether the server IP is correct in config system email-server.
Note that a successful ping only confirms ICMP reachability; it does not guarantee that the SMTP port is open. Follow up with a telnet test on the configured port as described in Step 2.

 

  3. Mail server is reachable only via IPsec tunnel.

 

If the SMTP server is beyond the IPsec tunnel, set the source IP in the FortiGate email server settings to the internal interface IP so that the FortiGate can reach the server over the tunnel.

 

config system email-server
    ...
    set source-ip {ipv4-address}
    ...
end

 

  4. Version-specific behavior (FortiOS 7.4.4 and later).

 

Starting from v7.4.4, the default email server changed from notification.fortinet.net to fortinet-notifications.com. This server is only available to registered FortiGate devices with an active FortiCare support contract.
Additionally, the reply-to address was updated to 'DoNotReply@fortinet-notifications.com' and is no longer user-configurable. To ensure alertmail functions correctly on 7.4.4+ and 7.6.0+, configure the username field to match:

 

config alertemail setting
    set username "DoNotReply@fortinet-notifications.com"
end

 

For details on the 'reply-to' field no longer being configurable in newer versions (7.4.4+ and 7.6.0+), see Technical Tip: Unable to configure 'Default Reply To' via GUI and CLI.

 

Step 4: Confirm the alertmail recipient is configured.

 

Before running the debug commands, ensure the alertmail setting has a recipient:

 

config alertemail setting
    ...
    set mailto1 "test@example.com"
    ...
end

 

Refer to this article to configure it: Technical Tip: How to configure alert email settings.

 

Step 5: Enable debug and send a test email.

 

Run the following alert email debugs to see if there are any errors.

 

diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application alertmail -1

 

  • After enabling the debug, send the activation email again or trigger a test email:

 

diagnose log alertmail test

 

Capture all output before disabling debug:

 

diagnose debug disable
diagnose debug reset

 

Step 6: Interpret the debug output.

 

A complete, successful SMTP exchange looks like this:

 

2024-11-25 00:04:42 Arrived msg(type 8, 818 bytes):XXXXXX@gmail.com <----- User's email.
/data2/tmp/ftm_qr_FTKMOB4B64FDA57B.png <----- QR code sent in the email.
FTM Activation on FortiGate <----- Message body (Beginning of the message).
Welcome to FortiToken Mobile - One-Time-Password software token.
Please visit https://docs.fortinet.com/ftoken.html
for instructions on how to install your FortiToken Mobile application on your device and activate your token.
You must use FortiToken Mobile version 2 or above to activate this token.
Your Activation Code, which you will need to enter on your device later, is

"EEIJEOT7WMAVXDHV"

Alternatively, use the attached QR code image to activate your token with the "Scan Barcode" feature of the app.
You must activate your token by:
Thu Nov 28 00:04:42 2024 (GMT-5:00) Eastern Time (US & Canada),
after which you will need to contact your system administrator to
re-enable your activation.

FortiGate

2024-11-25 00:04:42 mail_info:
from:notification.fortinet.net user:DoNotReply@notification.fortinet.net
2024-11-25 00:04:42 mail_info:
reverse path:DoNotReply@notification.fortinet.net
user name:DoNotReply <- Message body (End of the message).
2024-11-25 00:04:42 to[0]:XXXXXX@gmail.com
2024-11-25 00:04:42 <==_init_mail_info
2024-11-25 00:04:42 create session    <- SMTP session.        
2024-11-25 00:04:42 resolve notification.fortinet.net to 1 IP
2024-11-25 00:04:42 ==> send mail     <- FortiGate Sending the email.
2024-11-25 00:04:42 connecting to 208.91.114.151 port 465
2024-11-25 00:04:42 send mail 0xca410a0 session 0xca42460
2024-11-25 00:04:42 session_io_event: creating ssl structure for session 0xca42460
2024-11-25 00:04:42 ssl_init
2024-11-25 00:04:42 create_ssl_ctx
2024-11-25 00:04:42 create_ssl: 0x7f8106334000
2024-11-25 00:04:42 sessionn 0xca42460, SSL connected
2024-11-25 00:04:43 session: 0xca42460, rsp_state: greeting, code: 220
2024-11-25 00:04:43 session: 0xca42460, rsp_state: ehlo, code: 250
2024-11-25 00:04:43 session: 0xca42460, rsp_state: mail, code: 250
2024-11-25 00:04:43 session: 0xca42460, rsp_state: rcpt, code: 250
2024-11-25 00:04:43 session: 0xca42460, rsp_state: data, code: 354
2024-11-25 00:04:43 session: 0xca42460, rsp_state: data2, code: 250
2024-11-25 00:04:43 session: 0xca42460, rsp_state: quit, code: 221
2024-11-25 00:04:43 session finined   <- End of SMTP session.
2024-11-25 00:04:43 _session_on_destroy
2024-11-25 00:04:43 <== send mail success, m = 0xca410a0 s = 0xca42460 <----- Email successfully sent to destination.

 

  • If the debug shows the 'send mail success' message and the email is still not received, try changing the recipient email address to one on a public domain (Gmail or Yahoo).
  • This is because spam filters on the corporate email system sometimes block or archive such emails.

 

If the debug shows any failures or errors, check the following:

  • Confirm that the credentials and port number entered for the SMTP server are correct.
  • Verify the protocol with the server as well (SMTP or SMTPS).
  • Run a packet sniffer for the email server IP and check whether there is bidirectional traffic:

 

diagnose sniffer packet any 'host <server IP> and port <port no>' 4 0 l

 

Common failure scenarios with debug output:

 

Scenario 1: SSL_connect failure (custom server, port/security mismatch)

If a custom SMTP server is configured with set security smtps but the server expects STARTTLS on port 587 rather than native SMTPS, the SSL handshake will fail. The debug shows the SSL structure being created but immediately failing to connect:

 

2024-12-31 10:19:58 connecting to 10.10.110.39 port 587
2024-12-31 10:19:58 session_io_event: creating ssl structure for session 0xaecf560
2024-12-31 10:19:58 create_ssl: 0x7f7de5174000
2024-12-31 10:19:58 error in SSL_connect (null)

 

The above error is seen when using an SSL-enabled security mode under the email-server settings as follows:

 

config system email-server
    set server "10.10.110.39"
    set port 587
    set source-ip 10.10.90.1
    set security smtps
end

 

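To bypass this error, use 'set security none'. With security set to none the SMTP session is not encrypted, so the message and any SMTP credentials cross the network in cleartext; FortiOS also provides a starttls security mode for servers that expect STARTTLS.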

 

Scenario 2: SSL_connect failure (default server, FortiGuard anti-spam blocklist).

 

A similar error in SSL_connect (null) can occur when using the default fortinet-notifications.com server if the FortiGate's public IP is blocklisted by FortiGuard Anti-Spam. Unlike the port mismatch scenario above, this occurs even with a correctly configured default setup:

 

connecting to 208.91.114.151 port 465
send mail 0xd2c57a0 session 0xd2c9810
session_io_event: creating ssl structure for session 0xd2c9810
create_ssl: 0x7fa3f1383000
session_io_event: creating ssl structure for session 0xd2c6600
create_ssl: 0x7fa3f1385000
error in SSL_connect (null)

_session_on_destroy

 

To verify, cross-check the IP on the AntiSpam Service.

If the IP is found to be marked as spam, contact the FortiGuard AntiSpam team via the AntiSpam Contact Form to request whitelisting.

 

Scenario 3: SMTP authentication failure (code: 530 | code: 550).

 

In some cases, the debug shows an error with 'code: 530', which indicates that the issue is with the server; specifically, the client is not being successfully authenticated by the server. This can also be confirmed by taking a packet capture on the firewall for the port on which the email server listens.

 

2024-09-02 21:53:38 create_ssl: 0x7f9561385000
2024-09-02 21:53:38 session 0xef79390, SSL connected
2024-09-02 21:53:39 session: 0xef79390, rsp_state: greeting, code: 220
2024-09-02 21:53:39 session: 0xef79390, rsp_state: ehlo, code: 250
2024-09-02 21:53:39 session: 0xef79390, rsp_state: mail, code: 530

 

An error with 'code: 550' normally has one of a few causes, such as an invalid recipient address, poor sender reputation, a recipient/sender block caused by a full inbox, or server policy limitations.

 

2025-12-02 17:04:48 create_ssl: 0x7face42800
2025-12-02 17:04:48 sessionn 0x2e677940, SSL connected
2025-12-02 17:04:48 session: 0x2e677940, rsp_state: ehlo, code: 250
2025-12-02 17:04:48 session: 0x2e677940, rsp_state: auth, code: 334
2025-12-02 17:04:49 session: 0x2e677940, rsp_state: auth2, code: 235
2025-12-02 17:04:49 session: 0x2e677940, rsp_state: mail, code: 550

 

Scenario 4: Sender and recipient address are identical.

 

In the alertmail debugs, check whether the sender and receiver email addresses are different. Sometimes, if the sender and receiver email addresses are the same, the email server blocks the email send request. See the example logs below where the sender and receiver email addresses are the same:

 

WIG-FGT-01 (global) # Arrived msg(type 6, 83 bytes):sajeermkit@gmail.com

AuthCode: 240126
Your authentication token code is 240126.

mail_info:
from:192.168.77.31 user:sajeermkit@gmail.com <- Sender.
mail_info:
reverse path:sajeermkit@gmail.com
user name:sajeermkit
to[0]:sajeermkit@gmail.com <- Receiver.

 

Scenario 5: Fortinet_Factory certificate failure.

 

As fortinet-notifications.com uses the Fortinet_Factory certificate to set up an SSL connection, the certificate must be valid. A broken certificate may result in the following debug output:

 

2025-12-30 14:54:13 connecting to 208.91.114.151 port 465
2025-12-30 14:54:13 send mail 0x55efcc7499a0 session 0x55efcc7540f0
2025-12-30 14:54:13 session_io_event: creating ssl structure for session 0x55efcc7540f0
2025-12-30 14:54:13 failed in create_ssl_ctx
2025-12-30 14:54:13 _session_on_destroy
2025-12-30 14:54:13 <== send mail failed, m = 0x55efcc7499a0 s = 0x55efcc7540f0

 

To verify, run the following command:

 

diagnose hardware certificate

 

Output:

 

Checking Fortinet_CA.cer integrality ........Passed
Checking Fortinet_Factory.cer integrality ........Passed
Checking Fortinet_Factory.cer key-pair integrality ........[Not Matched] <-----
Checking Fortinet_Factory.cer Serial-No. ........[Not Matched] <-----
Checking Fortinet_Factory.cer timeliness ........Passed
Checking Fortinet_Factory.key integrality ........Passed

 

As a workaround, fail over to another FortiGate if the other unit does not have this issue.

 

Scenario 6: No debug output generated.

 

Sometimes, even after the debug commands are in place and the command 'diagnose log alertmail test' is run, no output is generated. In that case, check the alertmail process (especially on low-end devices):

 

diagnose sys top 2 99 10 | grep alertmail

 

If the CPU shows 99 percent constantly, try restarting the alertmail process:

 

diagnose sys kill 11 <pid> 

 

Scenario 7: Send mail failed with the following errors.

 

2026-04-08 16:42:08 <== send mail failed, m = 0x5598d77d0 s = 0x559d527d0
2026-04-08 16:42:08 session_io_event: creating ssl structure for session 0x559d840630
2026-04-08 16:42:08 create_ssl: 0x559d8086f0
2026-04-08 16:42:08 error in SSL_connect (null)
2026-04-08 16:42:08 _session_on_destroy

 

Arrange a maintenance window. Console access is needed for both units (if there is an HA cluster).

 

Prepare and verify a working TFTP server that can be used if formatting or image loading is required by a TAC engineer.

For information on TFTP server preparation, see Technical Tip: Formatting and loading FortiGate firmware image using TFTP.

 

Test each unit separately in standalone mode before forming the HA cluster and collecting new debug output (if there is an HA cluster). If one standalone unit shows the same problem, factory reset the unit with the issue and load back the backup configuration file, and test again. If both standalone units work correctly, proceed with forming the HA cluster again.

 

Note: If the process above resolves the issue, this is an individual problem with the specific unit in use, and it is not reproducible in Fortinet's lab.

 

If the issue persists after reviewing the resource, open a case with TAC through the Fortinet Support Portal. Collect all debug files and the outputs of the commands listed above, and submit them with the TAC ticket along with the FortiGate configuration file.
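
The Step 6 triage can be applied to a saved capture before opening a ticket. The following is an added example, not part of the original article or of any Fortinet tooling: the function name `triage`, the finding strings and the sample capture are constructed for illustration, the matched patterns are the alertmail debug lines quoted above, and the port-587 rule is a heuristic taken from Scenario 1.

```python
import re

# Patterns follow the alertmail debug lines quoted in this article.
CONNECT = re.compile(r"connecting to (\S+) port (\d+)")
RSP = re.compile(r"rsp_state: (\w+), code: (\d{3})")
SENDER = re.compile(r"^from:\S+ user:(\S+)", re.M)
RCPT = re.compile(r"to\[\d+\]:(\S+)")

# Constructed sample in the article's log format (documentation address and IPs).
SAMPLE = """\
from:192.0.2.10 user:alerts@example.com
to[0]:alerts@example.com
2025-01-01 10:00:00 connecting to 192.0.2.25 port 465
2025-01-01 10:00:01 session: 0x1, rsp_state: ehlo, code: 250
2025-01-01 10:00:01 session: 0x1, rsp_state: mail, code: 550
"""


def triage(debug_text):
    """Map one 'diagnose debug application alertmail -1' capture to Step 6 scenarios."""
    if not debug_text.strip():
        return ["Scenario 6: no debug output, check the alertmail process"]
    findings = []
    conn = CONNECT.search(debug_text)
    if "failed in create_ssl_ctx" in debug_text:
        findings.append("Scenario 5: create_ssl_ctx failed, run 'diagnose hardware certificate'")
    if "error in SSL_connect" in debug_text:
        # Heuristic from Scenario 1: a TLS failure on port 587 points at smtps vs STARTTLS.
        if conn and conn.group(2) == "587":
            findings.append("Scenario 1: SSL_connect failed on port 587, security/port mismatch")
        else:
            findings.append("Scenario 2 or 7: SSL_connect failed, check the AntiSpam blocklist")
    # The first SMTP reply of 400 or above is where the server refused the exchange.
    for state, code in RSP.findall(debug_text):
        if int(code) >= 400:
            label = "Scenario 3: " if code in ("530", "550") else ""
            findings.append(f"{label}server replied {code} at '{state}'")
            break
    sender = SENDER.search(debug_text)
    recipients = {r.lower() for r in RCPT.findall(debug_text)}
    if sender and sender.group(1).lower() in recipients:
        findings.append("Scenario 4: sender and recipient address are identical")
    if not findings and "send mail success" in debug_text:
        findings.append("send mail success: check recipient-side spam filtering")
    return findings or ["no known pattern matched"]


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

A capture can match more than one scenario; the constructed sample reports both the 550 reply and the identical sender and recipient.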

 
