bachri_faisal
New Member
May 24, 2013
Question

HELP!! STARTTLS/SMTPS error: connect failed=-1

Hi,

After successfully upgrading the firmware from v4 MR3 Patch 1 to Patch 5, Fortimail cannot relay email to the protected domain (internal email server). There is an error message in the email logs as follows.

When SMTPS is enabled, the error message is as follows:

from=test@example.com, size=0, class=0, nrcpts=1, proto=SMTP, daemon=SMTP_MTA, relay=[xxx.xxx.xxx.xxx]
from=test@example.com, size=88, class=0, nrcpts=1, msgid=<201305240412.r4O4CROY005339-r4O4CROb005339@xxxx-xxxx>, proto=SMTP, daemon=SMTP_MTA, relay=[xxx.xxx.xxx.xxx]
SMTPS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
to=xxx@xxx.xxx, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31574, relay=xxxx.xx.xx. [xxx.xxx.xxx.xxx], dsn=2.0.0,stat=Sent

When SMTPS is disabled, the error message is as follows:

from=test@example.com, size=0, class=0, nrcpts=1, proto=SMTP, daemon=SMTP_MTA, relay=[xxx.xxx.xxx.xxx]
from=test@example.com, size=88, class=0, nrcpts=1, msgid=<201305240420.r4O4K4db005565-r4O4K4de005565@xxx-xxx>, proto=SMTP, daemon=SMTP_MTA, relay=[xxx.xxx.xxx.xxx]
STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
to=xxx@xxxx.xxx, delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=31574, relay=xxxx.xx.xx. [xxx.xxx.xxx.xxx], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.

How to solve this problem? Thanks for any help.

Cheers,
Faisal
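One way to triage log output like the lines quoted in the post above, as an added example that is not part of the original post and not Fortinet tooling: it pairs each TLS client error with the delivery line that follows it and labels the outcome by DSN class. The field layout is assumed from the quoted lines only; the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample, modelled on the log lines quoted in the post above
# (addresses masked the same way; not a real capture).
SAMPLE_LOG = """\
SMTPS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
to=xxx@xxx.xxx, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31574, relay=xxxx.xx.xx. [xxx.xxx.xxx.xxx], dsn=2.0.0,stat=Sent
STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
to=xxx@xxxx.xxx, delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=31574, relay=xxxx.xx.xx. [xxx.xxx.xxx.xxx], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
"""

TLS_ERR = re.compile(r"^(STARTTLS|SMTPS)=client, error: (.+)$")
DELIVERY = re.compile(
    r"^to=(?P<rcpt>[^,]+),.*?dsn=(?P<dsn>\d\.\d+\.\d+),\s*stat=(?P<stat>.+)$")


def parse_fields(text):
    """Split 'k=v, k=v' into a dict (keys may contain spaces)."""
    return dict(p.strip().split("=", 1) for p in text.split(",") if "=" in p)


def correlate(log_text):
    """Pair each TLS client error with the delivery line that follows it."""
    findings, pending = [], None
    for line in log_text.splitlines():
        line = line.strip()
        tls = TLS_ERR.match(line)
        if tls:
            pending = {"mode": tls.group(1), **parse_fields(tls.group(2))}
            continue
        sent = DELIVERY.match(line)
        if not sent:
            continue
        if pending:
            dsn = sent.group("dsn")
            # 2.x.x after a TLS error: the log does not say whether TLS was used.
            verdict = {"2": "delivered-after-tls-error", "4": "deferred"}.get(dsn[0], "rejected")
            findings.append({**pending, "rcpt": sent.group("rcpt"), "dsn": dsn,
                             "stat": sent.group("stat"), "verdict": verdict})
        pending = None
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["mode"], "SSL_error=" + f["SSL_error"], f["dsn"], f["verdict"])
```
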

    9 replies

    emnoc
    New Member
    May 24, 2013
    stat=Deferred: 403 4.7.0 TLS handshake.
    What are your delivery policies and your security profile action? Profile > Security and the action upon failure?
    bachri_faisal
    New Member
    May 24, 2013
    There are only TLS and Encryption menu tabs inside Profile > Security. No delivery option and security profile option.
    bachri_faisal
    New Member
    May 24, 2013
    I use Fortimail 100 with HA.
    emnoc
    New Member
    May 24, 2013
    You have to add some access-controls or how are you trying to deploy SSL? See here;
    bachri_faisal
    New Member
    May 25, 2013
    Oh..you mean policy access control & delivery. No delivery policy applied since installation.
    bachri_faisal
    New Member
    May 27, 2013
    I did clean install and restore config to slave unit, but still no luck.
    bachri_faisal
    New Member
    May 29, 2013
    Finally, reverting back to the previous firmware version and restoring the configuration solved the problem. When I try to re-upgrade, the error message below appears on the console: "Configuration file build number check failed. 4.00.495:4.00.534"
    emnoc
    New Member
    May 29, 2013
    Did you open a ticket with support? I had problems on my last upgrades for a few 100C and it was not a clean upgrade. Can't remember what my problems were, but it was mainly with mail being rejected. Maybe support might have a fix or a bug open on this.
    bachri_faisal
    New Member
    May 30, 2013
    Yes, I opened a ticket for this issue. But the response takes a day or two for each ticket update from me... Also, I tried to update the patches one by one with no problem from patch 1 to 4 except patch 5.
    ajmind
    New Member
    July 4, 2013
    This is really annoying! With v4 MR3 Patch 5 the TLS behaviour was changed:
    TLS 1.1 and 1.2 support: Started to support newer TLS versions in protocols such as SMTP(S), IMAP(S), POP3(S), HTTPS, and LDAPS for improved security.
    We do not need any specific delivery policies as we use our 100C as a gateway to the internet, behind Fortigate 60C and only as a forwarding mail system for our internal exchange servers. So no users are logging into that unit. Any advice where and how to modify the new Patch 5 behaviour? Ajmind