Description
This article describes the configuration requirements for using Amazon Simple Email Service with FortiAnalyzer.
SES SMTP interface allows only explicit SSL over port 587, or implicit SSL over port 465. The SES servers will not send a plain text SMTP greeting after connecting on these ports, and if the Mail Server configuration on FortiAnalyzer is using the default security setting, the connection will time out and fail after 30 seconds.
Scope
FortiAnalyzer.
Solution
To allow FortiAnalyzer to use Amazon SES as a mail server, it must connect using SMTPS. The Mail Server objects in FortiAnalyzer can be configured via GUI under System Settings -> Advanced -> Mail Server.
However, the required setting 'secure-option smtps' is only available via CLI. For example:
config system mail
edit "Amazon_SES"
set server "email-smtp.eu-central-1.amazonaws.com"
set port 465
set secure-option smtps
set auth enable
set user "AKIAUQELYWAIVTCJUTG3"
set passwd ****************************************
next
end
Note:
This configuration's SMTP user and password differ from the standard AWS credentials. The two types of credentials are not interchangeable.
For more information about obtaining SMTP credentials from AWS, see Obtaining Amazon SES SMTP credentials
Troubleshooting.
From the FortiAnalyzer side, use the following debug commands in CLI:
diag debug app alertmail 255
diag debug app fazmaild 255
diag debug enable
Note:
After the troubleshooting, make sure to stop the debugs using the command 'diag debug reset'.
Packet capture may also be useful when troubleshooting mail server connection issues. It can be configured in the FortiAnalyzer GUI under System Settings -> Network -> Packet Capture.
Related article:
Technical Tip: How to set up Email Notifications with notification.fortinet.net
