FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
vraev
Staff
Staff
Article Id 245012
Description

 

This article describes the common issues that could be observed with the connection to an SMTP server and how to troubleshoot it.

 

Scope

 

FortiAnalyzer.
FortiManager (with FortiAnalyzer feature enabled).

 

Solution

 

SMTP is a well-known protocol used to send emails based on RFC 5321. SMTP uses TCP/IP.


The common SMTP ports are:

 

TCP 25 is a common server-to-server SMTP port and can be (usually is) encrypted as well, using the STARTTLS command from the ESMTP options after the EHLO command.

 

This communication does not require username/password authentication, but the server might be using DKIM and many other AS methods to confirm the sender's identity.
In some cases, the AUTH options may be missing when connecting to port 25.

 

TCP 587 is more commonly used for client-to-server communication nowadays, especially over the Internet. It is operating the same way as port 25, except that AUTH option is available.

 

The ESMTP greeting is still in plain text, but after the client sends the STARTTLS command, the client negotiates TLS encryption parameters with the server.

 

In most cases, the server would accept both encrypted and non-encrypted connections. So, it is generally up to the client to request STATTLS and negotiate the TLS version and encryption algorithm.

 

If the server does not support the suggested TLS version and/or any of the client’s ciphers, the TLS handshake fails with a respective error from the client side.

 

TCP 465 is the standard SMTPS port that uses TLS encryption implicitly. This means that the TCP handshake is immediately followed by a TLS handshake.
In this case, the whole SMTP exchange is encrypted, including the greetings and ESMTP options.

 

Any custom TCP port can also be used for SMTP as configured on the server side.

 

FortiAnalyzer has configurable options defining the mail daemon SSL/TLS client behavior:

 

config system mail
    edit <yourservername>
        set secure-option ?
        default     Try STARTTLS, proceed as plain text communication otherwise.
        none        Communication will be in plain text format.
        smtps       Communication will be protected by SMTPS.
        starttls    Communication will be protected by STARTTLS.

 

From version 7.4.x, there is a new option to use a certificate instead of a user/password.

 

(1)# get
id : 1
auth : disable
auth-type : psk
from : (null)
passwd : *
port : 25
secure-option : default
server : (null)
user : (null)

    (1)# set auth enable

    (1)# set auth-type
    certificate Use local certificate to authenticate.
    psk Use username and password to authenticate.

 

NOTE: NTLM is not supported.

 

Common steps and tools for diagnosis of the issue:

The first step is to ping the server to understand if there is a routing/policy issue. Also, ICMP protocol should be allowed between the client and the server. The server must be allowed to respond to ICMP requests.

 

DNS issues are discussed under the following article: Troubleshoot: FortiAnalyzer unable resolve DNS to mail server.

 

From CLI under Windows, Linux/GNU is possible to use 'nslookup', 'dig', or 'host' these tools help understand the DNS issues. Other useful tools are 'traceroute' and 'ping' with -R for the record route.

 

The SMTP connection also should be allowed between the client and the server using TCP and the corresponding port in the configuration.

 

The following commands on the FortiAnalyzer will provide more information regarding the SMTP client application.

 

diagnose test application fazmaild ?

Fazmaild Daemon Test Usage:
2023-01-31 17:53:34    1: show PID and daemon status
2023-01-31 17:53:34    2: show runtime status
2023-01-31 17:53:34   90: pause sending mail
2023-01-31 17:53:34   91: resume sending mail
2023-01-31 17:53:34   99: restart fazmaild daemon

diagnose debug application fazmaild 255

diagnose debug timestamp enable
diagnose debug enable

jokey-fmg-esx03 # sendmail_loop:1143: total pending tasks: 0.
sendmail_loop:1126: no pending email request, last request time 1673349959, last sendmail time 0

diagnose debug disable <- To stop it
diagnose debug reset  

diagnose test connection <mailserver> <server-name> <mail-from> <mail-to>

 

How to setup the Mail server settings:

 

Vito_0-1675789184619.png


Examples:

 

The first example is when there is a routing issue with the server.

 

Vito_1-1675789184621.png

 

Vito_2-1675789184621.png

 

'execute ping and 'diagnose test' will return that the network is unreachable. In this case, the interface with the same network settings was disabled to present the issue.

 

The second example will show again a routing issue. A packet capture will be needed to confirm it.

 

Vito_3-1675789184622.png

 

Vito_4-1675789184622.png

 

Vito_5-1675789184626.png

 

It is possible to observe many retransmissions. The issue is due to inter-VLAN routing that is set up incorrectly. The ping is working as expected, but packet captures show that TCP retransmissions and DUP packets are exchanged.

 

The third example is showing when the setting for the user/password is wrong.

Vito_6-1675789184630.png

 

The fourth example is showing the expected behavior of connecting to port 25 with and without authentication.

 

Vito_7-1675789184634.png

 

Vito_8-1675789184639.png


For testing purposes only, the email server is allowed to accept sending an email without authentication, which is shown in the first picture. The second picture shows when using the user/password for the authentication.

Vito_9-1675789184640.png


Both emails were successfully created and received.

Related Articles:

Technical Tip: Configuring FortiManager and FortiAnalyzer to use GMAIL

Technical Note: How to configure email alerts for config and policy status changes on FortiManager

Technical Tip: Different application of local certificate for FortiManager/FortiAnalyzer

Technical Tip: How to set up Email Notifications with notification.fortinet.net

Troubleshoot: FortiAnalyzer unable resolve DNS to mail server

 

Docs: Mail Server

Docs: config system mail

Docs: cli reference - test