FortiGate
maulishshah
Staff
Article Id 353323
Description

This article describes how to confirm which ports are open for smtp.office365.com through the FortiGate.
Scope

FortiGate.

Solution

To check whether a specific port is open, first make sure the FQDN resolves to an IP address.

 

Below is an example of smtp.office365.com:

 

nslookup
Default Server: dns1.fortiguard.net
Address: 96.45.45.45

> smtp.office365.com
Server: dns1.fortiguard.net
Address: 96.45.45.45

Non-authoritative answer:
Name: ooc-g2.tm-4.office.com
Addresses: 2603:1036:30a:1820::2
2603:1036:30a:180d::2
2603:1036:30a:1807::2
2603:1036:30a:814::2
2603:1036:30a:1827::2
2603:1036:30a:1806::2
2603:1036:30a:800::2
2603:1036:30a:1828::2
40.99.226.194
52.96.88.226
52.96.215.34
40.99.226.226
Aliases: smtp.office365.com
outlook.office365.com

Next, use the telnet command to verify whether the FQDN is reachable on the port in question.

[Image: smtp.PNG]

 

The above image confirms that the connection to port 587 is not getting through the firewall.

 

To confirm whether the firewall is allowing or denying the traffic, run the following debug flow commands:

diagnose debug reset

diagnose debug filter dport 587

diagnose debug flow trace start 9999

diagnose debug enable

id=65308 trace_id=2 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=6, 10.99.99.2:61391->40.99.227.82:587) tun_id=0.0.0.0 from port18. flag [S], seq 3553077377, ack 0, win 64240"
id=65308 trace_id=2 func=init_ip_session_common line=5986 msg="allocate a new session-0005f456"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.9.15.254 via port17"
id=65308 trace_id=2 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=2 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"

The above debug output confirms that the firewall is denying the traffic: no configured policy matched, so it hit the implicit deny (policy 0).

 

Therefore, create a firewall policy that allows SMTP traffic on TCP port 587 (service 587).

[Image: service587.PNG]

 

Try the telnet connection again; this time, the traffic is allowed.

 

The following is the server greeting received once the connection succeeds:

220 YT1PR01CA0064.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 28 Oct 2024 12:29:16 +0000 [08DCF738F5C99BE7]
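The checks above can be automated when many flows are traced. The following is an added example, not part of the original article or a Fortinet tool: it parses the debug flow lines quoted above into a per-trace summary (5-tuple, ingress/egress interface, verdict and policy ID, with policy 0 flagged as the implicit deny) and validates the SMTP 220 greeting. The "Allowed by Policy-<id>" wording for accepted flows is assumed from typical FortiGate output and is not shown on this page.

```python
import re

# Constructed sample: the debug flow lines quoted in this article (blocked SMTP submission to port 587).
SAMPLE_TRACE = """\
id=65308 trace_id=2 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=6, 10.99.99.2:61391->40.99.227.82:587) tun_id=0.0.0.0 from port18. flag [S], seq 3553077377, ack 0, win 64240"
id=65308 trace_id=2 func=init_ip_session_common line=5986 msg="allocate a new session-0005f456"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.9.15.254 via port17"
id=65308 trace_id=2 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=2 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; msg is a quoted string
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).* from (\w+)\.')
ROUTE_RE = re.compile(r'gw-([\d.]+) via (\w+)')
DENY_RE = re.compile(r'Denied by (.+?) \(policy (\d+)\)')
# Assumption: an accepted flow logs "Allowed by Policy-<id>" (typical FortiGate wording, not on the page).
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


def parse_fields(line):
    """Split one debug flow line into a dict; the quoted msg keeps its inner spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def analyze_trace(text):
    """Group lines by trace_id and summarise each flow: 5-tuple, interfaces, verdict."""
    flows = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = parse_fields(raw)
        flow = flows.setdefault(fields.get("trace_id"), {"verdict": "unknown", "policy": None})
        msg = fields.get("msg", "")
        if m := PKT_RE.search(msg):  # first line: endpoints, ports and the ingress interface
            flow.update(proto=int(m[1]), src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]), in_if=m[6])
        if m := ROUTE_RE.search(msg):  # routing decision: next hop and egress interface
            flow.update(gateway=m[1], out_if=m[2])
        if m := DENY_RE.search(msg):
            # Policy id 0 is the implicit deny: no configured policy matched the flow at all.
            flow.update(verdict="denied", reason=m[1], policy=int(m[2]), implicit_deny=(m[2] == "0"))
        if m := ALLOW_RE.search(msg):
            flow.update(verdict="allowed", policy=int(m[1]), implicit_deny=False)
    return flows


def smtp_banner_ok(line):
    """True when the first server line is the 220 ESMTP greeting expected after a successful connect."""
    return line.startswith("220 ") and "ESMTP" in line


if __name__ == "__main__":
    for tid, f in analyze_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: {f['src']}->{f['dst']}:{f['dport']} in {f['in_if']} "
              f"out {f.get('out_if')} -> {f['verdict']} (policy {f['policy']})")
```

Feed it the output of `diagnose debug flow` captured after the policy is added and the verdict should change from denied to allowed for the same 5-tuple.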


Note: Sometimes the DNS server returns an IP address that differs from the one the FortiGate has resolved for the FQDN. For further troubleshooting of the DNS server, see this article.