kamarale
New Member
March 28, 2025
Question

SSL inbound deep inspection for mail not working

  • March 28, 2025
  • 3 replies
  • 1628 views

Hello,

I have an SSL inbound inspection that is not working for email traffic. The action is "Bypassed".

"Message SSL connection is bypassed" is what the SSL logs say....

Does anyone know what could be the case?

On SSL profile we are inspecting ALL ports.


Thank you.


3 replies

AEK
SuperUser
March 28, 2025

Hi

Is the issue for SMTPS or SMTP with STARTTLS?

Are you using proxy based inspection mode?

Can you share a screenshot of the rule?

AEK
kamarale (Author)
New Member
April 1, 2025

Hello AEK.

It is SMTP with STARTTLS.

The policy is in proxy-based mode. It is a classic policy only allowing port 25 to the destination server.

Thank you!

Regards

AEK
SuperUser
April 1, 2025

Hi Kamarale

Please share the following screenshots:

  • The SSL inspection profile
  • Double-click on the related SSL log; the reason for the bypass should be shown in the detailed logs

AEK
AEK
SuperUser
April 2, 2025

Actually I have some doubt.

As connection to port 25 starts by unencrypted communication then switches to TLS (via STARTTLS), it is possible that the message "SSL connection is bypassed" is generated at the first step (clear), not following STARTTLS.

To make things clear, I think more tests are required, e.g.: you may send mail containing a malware test file (eicar) through a STARTTLS communication and see the behavior of your FGT's antispam. If it can catch it then your deep inspection is working properly once STARTTLS is initiated.

AEK
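The point above (the "bypassed" log entry may describe the cleartext phase that precedes STARTTLS) can be settled by looking at who signed the certificate the client sees after the upgrade: if only the FortiGate's re-signing CA trusts it, the proxy terminated the TLS session and inspection is active; if the public CA store trusts it, the mail server's own certificate came through untouched. The script below is an added example written for this thread, not code from the original post or from Fortinet. It assumes the re-signing CA (the "Fortinet_SSL" certificate mentioned later in the thread, or whatever certificate the profile uses) has been exported as a PEM file and is passed on the command line; the EHLO name `probe.invalid` and the sample EHLO reply are constructed.

```python
import socket
import ssl
import sys

# Constructed sample EHLO reply so the parser can be exercised offline;
# not captured from any real mail server.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.test Hello probe.invalid\n"
    "250-SIZE 35882577\n"
    "250-STARTTLS\n"
    "250 SMTPUTF8"
)


def parse_ehlo_capabilities(reply: str) -> set:
    """Return capability keywords from a multi-line 250 EHLO reply.

    The first 250 line is the greeting, not a capability, so it is skipped.
    """
    caps = set()
    for line in reply.splitlines()[1:]:
        if line[:3] == "250" and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps


def read_reply(rfile) -> str:
    """Read one SMTP reply; continuation lines carry '-' right after the code."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def issuer_cn(cert: dict):
    """Issuer commonName from the dict SSLSocket.getpeercert() returns (None if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def starttls_peer_cert(host, port=25, cafile=None, timeout=10.0) -> dict:
    """EHLO, STARTTLS, then a verified TLS handshake; returns the peer certificate.

    cafile=None verifies against the system CA store, otherwise only against the
    given PEM bundle (e.g. the exported FortiGate re-signing CA).  Raises
    ssl.SSLCertVerificationError when the chosen store does not trust the cert.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we care who signed the cert, not the name on it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner = read_reply(rfile)
        if not banner.startswith("220"):
            raise RuntimeError("unexpected banner: " + banner)
        sock.sendall(b"EHLO probe.invalid\r\n")  # constructed client name
        if "STARTTLS" not in parse_ehlo_capabilities(read_reply(rfile)):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(rfile).startswith("220"):
            raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
            return cert


def handshake_ok(host, port, cafile) -> bool:
    """True when the post-STARTTLS certificate chains to the given CA store."""
    try:
        starttls_peer_cert(host, port, cafile)
        return True
    except ssl.SSLCertVerificationError:
        return False


def interpret(system_store_ok: bool, inspection_ca_ok: bool) -> str:
    """Map the two handshake outcomes to a verdict on deep inspection."""
    if inspection_ca_ok and not system_store_ok:
        return "inspected"  # only the proxy's CA vouches for it: re-signed in transit
    if system_store_ok and not inspection_ca_ok:
        return "bypassed"   # the mail server's own certificate reached the client
    return "unknown"        # both or neither trusted it: check the CA file supplied


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: starttls_probe.py <mx-host> <resigning-ca.pem> [port]")
    mx, ca_pem = sys.argv[1], sys.argv[2]
    mx_port = int(sys.argv[3]) if len(sys.argv) > 3 else 25
    sys_ok = handshake_ok(mx, mx_port, None)
    insp_ok = handshake_ok(mx, mx_port, ca_pem)
    print("system CA store trusts cert:", sys_ok)
    print("inspection CA trusts cert:  ", insp_ok)
    print("verdict:", interpret(sys_ok, insp_ok))
```

Run it from outside the FortiGate (the client side of the inbound policy) so the session actually traverses the proxy; a run from inside the protected network only shows the mail server's own certificate and proves nothing about the inbound rule.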
kamarale (Author)
New Member
April 2, 2025

Hello,

We have tried that with openssl, sending EICAR, and it passes. The FGT does not see/block it....

Thank you.

AEK
SuperUser
April 2, 2025

Hi

Please have a look at this example and see if you didn't forget anything in your config.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Inbound-email-to-mail-server-protected-by/ta-p/193515

AEK
AEK
SuperUser
April 3, 2025

Hi Kamarale

I made a test and it works as expected.

The AV has scanned the attached file (my AV policy is just to reject encrypted archives, for test purposes).

FG's AV logs below:

[screenshot: avlog.png]

And the session from Gmail was STARTTLS (confirmed in the Gmail headers, as I have opened port 25 only).

[screenshot: Gmail-TLS.png]

Can you test with the "Fortinet_SSL" cert in your inspection profile (just like I did in my test)?

AEK
kamarale (Author)
New Member
April 10, 2025

Hello AEK,

Thank you for your time.

Now it is working; the action is "inspect" and not "bypassed" in the SSL logs.

In the SSL profile I disabled "Inspect all ports" and that was basically it.....

Don't know why, but this fixed it.

Regards