vraev
Staff
Article Id 245012
Description

 

This article describes common issues that can be observed with the connection from FortiAnalyzer to an SMTP server and how to troubleshoot them.

 

Scope

 

FortiAnalyzer.
FortiManager (with FortiAnalyzer feature enabled).

 

Solution

 

SMTP is a well-known protocol, defined in RFC 5321, used to send email. SMTP runs over TCP/IP.


The common SMTP ports are:

 

TCP 25 is the common server-to-server SMTP port. The session can be (and usually is) encrypted as well, using the STARTTLS command advertised among the ESMTP options in the reply to the EHLO command.

 

This communication does not require username/password authentication, but the server might use DKIM and many other anti-spam (AS) methods to confirm the sender's identity.
In some cases, the AUTH option is not offered at all when connecting to port 25.

 

TCP 587 is nowadays more commonly used for client-to-server communication, especially over the Internet. It operates the same way as port 25, except that the AUTH option is available.

 

The ESMTP greeting is still in plain text, but after the client sends the STARTTLS command, the client negotiates TLS encryption parameters with the server.

 

In most cases, the server accepts both encrypted and unencrypted connections, so it is generally up to the client whether to request STARTTLS and which TLS version and cipher to negotiate.

 

If the server does not support the TLS version proposed by the client and/or any of the client's ciphers, the TLS handshake fails with a corresponding error on the client side.

 

TCP 465 is the standard SMTPS port and uses TLS implicitly: the TCP handshake is immediately followed by a TLS handshake.
In this case, the whole SMTP exchange is encrypted, including the greeting and the ESMTP options.

 

Any custom TCP port can also be used for SMTP as configured on the server side.

 

FortiAnalyzer has configurable options defining the mail daemon SSL/TLS client behavior:

 

# config system mail
    edit <yourservername>
        set secure-option ?
        default     Try STARTTLS, proceed as plain text communication otherwise.
        none        Communication will be in plain text format.
        smtps       Communication will be protected by SMTPS.
        starttls    Communication will be protected by STARTTLS.
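As an added example (not from the article or from Fortinet), the following Python script maps the four secure-option values above onto a server's EHLO extension list, and can also run a live probe from a workstation to report which path was taken, the negotiated TLS version and cipher, and the AUTH mechanisms advertised. The sample EHLO reply and the host mail.example.com are constructed; the function names are hypothetical.

```python
import smtplib
import ssl

# Constructed EHLO reply from a port-25 relay: STARTTLS offered, no AUTH before encryption.
SAMPLE_EHLO_25 = "250-mail.example.com Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"


def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line 250 EHLO reply into {EXTENSION: [params]}."""
    ext = {}
    for i, line in enumerate(reply.splitlines()):
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        parts = line[4:].split()
        if i == 0 or not parts:          # first line is the server domain and greeting text
            continue
        ext[parts[0].upper()] = parts[1:]
    return ext


def plan_session(secure_option: str, extensions: dict) -> str:
    """Map a FortiAnalyzer secure-option value plus the EHLO list to what happens next."""
    offers_starttls = "STARTTLS" in extensions
    if secure_option == "smtps":
        return "implicit-tls"              # TLS handshake first; EHLO is already encrypted
    if secure_option == "starttls":
        return "starttls" if offers_starttls else "fail: STARTTLS not offered"
    if secure_option == "default":
        return "starttls" if offers_starttls else "plaintext"   # silent fallback to plain text
    if secure_option == "none":
        return "plaintext"
    raise ValueError(f"unknown secure-option {secure_option!r}")


def probe(host: str, port: int, secure_option: str = "default", timeout: float = 10.0) -> dict:
    """Live check from a workstation: path taken, negotiated TLS, advertised AUTH mechanisms."""
    ctx = ssl.create_default_context()
    report = {"port": port, "path": None, "tls": None, "auth": []}
    smtp = (smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) if secure_option == "smtps"
            else smtplib.SMTP(host, port, timeout=timeout))     # 465: TLS before any SMTP data
    with smtp:
        smtp.ehlo()                        # plaintext on 25/587, encrypted on 465
        ext = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        report["path"] = plan_session(secure_option, ext)
        if report["path"] == "starttls":
            smtp.starttls(context=ctx)     # ssl.SSLError here = no common TLS version/cipher
            smtp.ehlo()                    # re-EHLO: AUTH is often offered only after STARTTLS
            ext = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        if report["path"] in ("starttls", "implicit-tls"):
            report["tls"] = (smtp.sock.version(), smtp.sock.cipher()[0])
        report["auth"] = ext.get("AUTH", [])
    return report
```

Note that 'default' silently proceeds in plain text whenever STARTTLS is not offered, so where encryption is required the setting should be 'starttls' or 'smtps'.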

 

NOTE: NTLM is not supported.

 

Common steps and tools for diagnosing the issue:

The first step is to ping the server to check for a routing or policy issue. For this test, ICMP must be allowed between the client and the server, and the server must be permitted to respond to ICMP echo requests.

 

DNS issues are discussed under the following article: Troubleshoot: FortiAnalyzer unable resolve DNS to mail server.

 

From the CLI on Windows or GNU/Linux, 'nslookup', 'dig', or 'host' can be used to investigate DNS issues. Other useful tools are 'traceroute' and 'ping' with the -R option (record route).

 

The SMTP connection must also be allowed between the client and the server over TCP on the port set in the configuration.

 

The following commands on the FortiAnalyzer provide more information about the SMTP client application (fazmaild).

 

# diagnose test application fazmaild ?

Fazmaild Daemon Test Usage:
2023-01-31 17:53:34    1: show PID and daemon status
2023-01-31 17:53:34    2: show runtime status
2023-01-31 17:53:34   90: pause sending mail
2023-01-31 17:53:34   91: resume sending mail
2023-01-31 17:53:34   99: restart fazmaild daemon

# diagnose debug application fazmaild 255

# diagnose debug timestamp enable
# diagnose debug enable

jokey-fmg-esx03 # sendmail_loop:1143: total pending tasks: 0.
sendmail_loop:1126: no pending email request, last request time 1673349959, last sendmail time 0

# diagnose debug disable <- To stop it
# diagnose debug reset  

# diagnose test connection mailserver <server-name> <mail-from> <mail-to>

 

How to set up the mail server settings:

 

[Screenshot: Vito_0-1675789184619.png]


Examples:

 

The first example shows a routing issue with the server.

 

[Screenshot: Vito_1-1675789184621.png]

[Screenshot: Vito_2-1675789184621.png]

 

Both 'execute ping' and 'diagnose test' report that the network is unreachable. In this case, the interface with the matching network settings was disabled to reproduce the issue.

 

The second example shows another routing issue; a packet capture is needed to confirm it.

 

[Screenshot: Vito_3-1675789184622.png]

[Screenshot: Vito_4-1675789184622.png]

[Screenshot: Vito_5-1675789184626.png]

 

Many retransmissions can be observed. The cause is incorrectly configured inter-VLAN routing: ping works as expected, but the packet capture shows TCP retransmissions and duplicate (DUP) packets being exchanged.

 

The third example shows the behavior when the username/password setting is wrong.

[Screenshot: Vito_6-1675789184630.png]

 

The fourth example shows the expected behavior when connecting to port 25 with and without authentication.

 

[Screenshot: Vito_7-1675789184634.png]

[Screenshot: Vito_8-1675789184639.png]


For testing purposes only, the mail server was allowed to accept email without authentication, as shown in the first picture. The second picture shows the same test using a username/password for authentication.

[Screenshot: Vito_9-1675789184640.png]


Both emails were successfully created and received.

Related Articles:

 

Technical Tip: Configuring FortiManager and FortiAnalyzer to use GMAIL

Technical Note: How to configure email alerts for config and policy status changes on FortiManager

Technical Tip: Different application of local certificate for FortiManager/FortiAnalyzer

Technical Tip: How to set up Email Notifications with notification.fortinet.net

Troubleshoot: FortiAnalyzer unable resolve DNS to mail server

 

Docs: Mail Server

Docs: config system mail

Docs: cli reference - test