New Member

Question

FortiMail 90% Access Control (OUTBOUND)

Forum|Forum|12 years ago
April 22, 2014
15 replies
21438 views

Hi, I have an FML that seems to be working fine for receiving email but when looking at the graph for outbound ermail it shows 80+ % if emails are blocked by Access Control - Relay denied. Some emails get out. When looking at the log I don' t see internal (Protected) email addresses in the from field. I also see on the status page that AV and VMWare are green checks but the AntiSpam is orange. I' ve changed the port from 53 to 8888 and 8889 but it makes no difference. I can resolve the service.fortiguard.net and can ping the IP that it resolves to. The FML is using only one interface which is connected to an FGT and the FGT allows all traffic from the FML to the internet and SMTP traffic to the Exchange server. Thanks for any help. Matt.

Bromont_FTNT

Staff

Regular outbound mail from your mail server (Exchange etc) is working ok? Sounds like spammers are trying to relay through you and the Fortimail is doing it' s job blocking all that. Next issue is your Fortiguard AS problem... Can you post a screenshot of the AS status as well as what' s under Maintenance --> Fortiguard What do you get with an IP query to Fortiguard?

MattlemonAuthor

New Member

Regular outbound mail from your mail server (Exchange etc) is working ok? Sounds like spammers are trying to relay through you and the Fortimail is doing it' s job blocking all that. Next issue is your Fortiguard AS problem... Can you post a screenshot of the AS status as well as what' s under Maintenance --> Fortiguard What do you get with an IP query to Fortiguard?

Hi, not all email from exchange is finding it' s way out but all incoming is fine. Screenshots attached. Thanks !

MattlemonAuthor

New Member

Connected DAONDUB-FML # DAONDUB-FML # exec nslookup name service.fortiguard.net Non-authoritative answer: service.fortiguard.net canonical name = guard.fortinet.net. Name: guard.fortinet.net Address: 208.91.112.196 Name: guard.fortinet.net Address: 208.91.112.198 DAONDUB-FML # exec ping 208.91.112.196 PING 208.91.112.196 (208.91.112.196): 56 data bytes 64 bytes from 208.91.112.196: icmp_seq=0 ttl=44 time=156.1 ms 64 bytes from 208.91.112.196: icmp_seq=1 ttl=44 time=156.0 ms 64 bytes from 208.91.112.196: icmp_seq=2 ttl=44 time=156.1 ms 64 bytes from 208.91.112.196: icmp_seq=3 ttl=44 time=156.0 ms 64 bytes from 208.91.112.196: icmp_seq=4 ttl=44 time=156.0 ms --- 208.91.112.196 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 156.0/156.0/156.1 ms DAONDUB-FML #

MattlemonAuthor

New Member

Licence info

MattlemonAuthor

New Member

FDN Status

Wu60384.jpg

MattlemonAuthor

New Member

Ping / Trace results

Qo40037.jpg

Bromont_FTNT

Staff

That first screenshot didn' t seem to make it through... For outbound mail from your mail server, are you able to find those messages that don' t make it out in the logs? try the following at CLI to get AS kickstarted again: #exec update now

MattlemonAuthor

New Member

That first screenshot didn' t seem to make it through... For outbound mail from your mail server, are you able to find those messages that don' t make it out in the logs? try the following at CLI to get AS kickstarted again: #exec update now

I can' t see the emails that didn' t make it through in the log. I ran the CLI update and it kicked off an update but made no difference to the A/S unfortunately.

Bromont_FTNT

Staff

E-mails that don' t make it through...they never make it through? Or they are delayed? Is your timezone correct?

MattlemonAuthor

New Member

Yup, the timezone is correct. The ones that don' t make it though don' t seem to get through at all but there are others that are delayed by an hour or two as well. Makes no sense.

Show more replies

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded